% tpm2_certifycreation(1) tpm2-tools | General Commands Manual

NAME

tpm2_certifycreation(1) - Attest the association between a loaded public area and the provided hash of the creation data.

SYNOPSIS

tpm2_certifycreation [OPTIONS]

DESCRIPTION

tpm2_certifycreation(1) - Attest the association between a loaded public area and the provided hash of the creation data. The creation data and the creation ticket are produced when the object is created, with either the TPM2_CreatePrimary or the TPM2_Create command.

OPTIONS

  • -C, --signingkey-context=OBJECT:

    Context object pointing to the key used that signs the attestation.

  • -P, --signingkey-auth=AUTH:

    Optional authorization value to use for the key specified by -C.

  • -c, --certifiedkey-context=OBJECT:

    Context object pointing to the key that has to be certified.

  • -g, --hash-algorithm=ALGORITHM:

    The hash algorithm used to digest the creation data.

  • -s, --scheme=ALGORITHM:

    The signing scheme used to sign the attestation data.

  • -d, --creation-hash=FILE:

    File containing the digest of the creation data.

  • -t, --ticket=FILE:

    The ticket file to validate that the creation data was produced by the TPM.

  • -o, --signature=FILE:

    File containing the signature of the attestation data for the certified key.

  • -f, --format=FORMAT:

    Output signature format selection.

  • --attestation=FILE:

    The attestation data of the type TPM2_CREATION_INFO, signed with the signing key.

  • -q, --qualification=FILE_OR_HEX:

    Optional, the policy qualifier data that the signer can choose to include in the signature. Can either be a path or hex string.

  • --cphash=FILE:

    File path to record the hash of the command parameters. This is commonly termed the cpHash. NOTE: When this option is selected, the tool will not actually execute the command; it simply returns a cpHash, unless rphash is also required.

  • --rphash=FILE:

    File path to record the hash of the response parameters. This is commonly termed the rpHash.

  • -S, --session=FILE:

    The session created using tpm2_startauthsession. This can be used to specify an auxiliary session for auditing and/or encryption/decryption of the parameters.

References

context object format details the methods for specifying OBJECT.

authorization formatting details the methods for specifying AUTH.

algorithm specifiers details the options for specifying cryptographic algorithms ALGORITHM.

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.

signature format specifiers details the options for specifying FORMAT.

EXAMPLES

Certify creation data of a primary key.

tpm2_createprimary -C o -c prim.ctx --creation-data create.dat \
-d create.dig -t create.ticket

tpm2_create -G rsa -u rsa.pub -r rsa.priv -C prim.ctx -c signing_key.ctx

tpm2_certifycreation -C signing_key.ctx -c prim.ctx -d create.dig \
-t create.ticket -g sha256 -o sig.nature --attestation attestat.ion -f plain \
-s rsassa
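The file written by --attestation is a raw TPMS_ATTEST structure whose attested member is a TPMS_CREATION_INFO; the signature in -o covers these bytes. A verifier therefore has to check two things: that the signature verifies under the signing key's public part (for instance with tpm2_verifysignature), and that the attested fields bind the expected key and creation digest. The following parser and checker is an added example and is not part of tpm2-tools; it decodes the magic, type, qualifiedSigner, extraData (the -q qualifier), clockInfo, firmwareVersion, objectName and creationHash, then compares objectName against the certified key's name (in practice obtained with tpm2_readpublic -n), creationHash against the -d digest file, and extraData against the qualifier the verifier supplied. The attestation blob, names and digests below are constructed for offline demonstration; a real blob comes from the TPM.

```python
"""Parse and sanity-check the TPM2_CREATION_INFO attestation written by --attestation."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

TPM_GENERATED_VALUE = 0xFF544347   # magic that starts every TPMS_ATTEST
TPM_ST_ATTEST_CREATION = 0x801A    # TPMI_ST_ATTEST value used by TPM2_CertifyCreation
TPM_ALG_SHA256 = 0x000B


@dataclass
class CreationAttestation:
    qualified_signer: bytes   # TPM2B_NAME of the signing key (-C)
    extra_data: bytes         # qualifier data passed with -q, empty if none
    clock: int
    reset_count: int
    restart_count: int
    safe: bool
    firmware_version: int
    object_name: bytes        # TPM2B_NAME of the certified key (-c)
    creation_hash: bytes      # digest the TPM bound at creation (compare with -d)


def _tpm2b(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a TPM2B (big-endian UINT16 size + payload); return (payload, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TPM2B size field")
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("truncated TPM2B payload")
    return buf[off:off + size], off + size


def parse_creation_attestation(blob: bytes) -> CreationAttestation:
    """Decode a TPMS_ATTEST whose 'attested' member is a TPMS_CREATION_INFO."""
    if len(blob) < 6:
        raise ValueError("attestation too short")
    magic, st = struct.unpack_from(">IH", blob, 0)
    if magic != TPM_GENERATED_VALUE:
        raise ValueError("bad magic 0x%08x: not a TPM-generated structure" % magic)
    if st != TPM_ST_ATTEST_CREATION:
        raise ValueError("type 0x%04x is not TPM_ST_ATTEST_CREATION" % st)
    off = 6
    qualified_signer, off = _tpm2b(blob, off)
    extra_data, off = _tpm2b(blob, off)
    # TPMS_CLOCK_INFO (clock, resetCount, restartCount, safe) followed by firmwareVersion
    clock, reset_count, restart_count, safe, fw = struct.unpack_from(">QIIBQ", blob, off)
    off += 25
    object_name, off = _tpm2b(blob, off)
    creation_hash, off = _tpm2b(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after TPMS_CREATION_INFO")
    return CreationAttestation(qualified_signer, extra_data, clock, reset_count,
                               restart_count, bool(safe), fw, object_name, creation_hash)


def check_creation_attestation(blob: bytes, expected_name: bytes,
                               expected_creation_hash: bytes,
                               expected_qualifier: bytes = b"") -> List[str]:
    """Return the mismatches between the attested fields and the verifier's expectations.
    An empty list means the fields line up; the signature over the blob must still be
    verified separately against the signing key's public part."""
    att = parse_creation_attestation(blob)
    problems = []
    if att.object_name != expected_name:
        problems.append("objectName does not match the certified key's name")
    if att.creation_hash != expected_creation_hash:
        problems.append("creationHash does not match the creation digest")
    if att.extra_data != expected_qualifier:
        problems.append("extraData does not match the expected qualifier")
    return problems


def build_sample_attestation(signer_name: bytes, object_name: bytes,
                             creation_hash: bytes, qualifier: bytes = b"") -> bytes:
    """Assemble a CONSTRUCTED TPMS_ATTEST for offline demonstration only."""
    def tpm2b(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_CREATION)
            + tpm2b(signer_name) + tpm2b(qualifier)
            + struct.pack(">QIIBQ", 123456, 3, 7, 1, 0x2020000000000000)
            + tpm2b(object_name) + tpm2b(creation_hash))


# Constructed sample values (SHA-256 names are alg id 0x000B followed by the digest).
SAMPLE_SIGNER_NAME = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(b"signing-key").digest()
SAMPLE_OBJECT_NAME = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(b"certified-key").digest()
SAMPLE_CREATION_HASH = hashlib.sha256(b"creation-data").digest()
SAMPLE_QUALIFIER = b"verifier-nonce"
SAMPLE_ATTESTATION = build_sample_attestation(SAMPLE_SIGNER_NAME, SAMPLE_OBJECT_NAME,
                                              SAMPLE_CREATION_HASH, SAMPLE_QUALIFIER)

if __name__ == "__main__":
    att = parse_creation_attestation(SAMPLE_ATTESTATION)
    print("objectName  :", att.object_name.hex())
    print("creationHash:", att.creation_hash.hex())
    print("mismatches  :", check_creation_attestation(
        SAMPLE_ATTESTATION, SAMPLE_OBJECT_NAME, SAMPLE_CREATION_HASH, SAMPLE_QUALIFIER))
```

To apply this to real output, read attestat.ion as the blob, the name file from tpm2_readpublic -n as expected_name, and create.dig as expected_creation_hash; a qualifier supplied with -q should be a fresh verifier-chosen value so that a replayed attestation is rejected by the extraData check.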
