moctpm tools

moctpm2_takeownership

This tool takes ownership of a TPM 2.0 module. If the --c or --force option is specified, the TPM is cleared; otherwise, ownership is taken. Taking ownership requires setting the hierarchy passwords and optionally DA lockout parameters. The TPM is first cleared using the old lockout hierarchy password before the new values are set.

Note

This tool is not applicable to Windows platforms.

Syntax

moctpm2_takeownership [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--sm=[security module]

(Mandatory) Specify the Security Module; use localhost for the TPM emulator or the module path for a hardware TPM (e.g., /dev/tpm0).

--ep=[server port]

Specify the port number for the TPM emulator (applicable only for --sm=localhost).

--ahpwd=[password]

Specify a password that must be used for all hierarchies; may be individually overridden with the --ehpwd, --shpwd, and --lhpwd options. If no password is specified, the well-known password is used.

--ehpwd=[password]

Specify the new Endorsement Hierarchy password. This option overrides the password specified with --ahpwd for the Endorsement Hierarchy only. If no password is specified, the well-known password is used. Mandatory where --ahpwd is not specified.

--shpwd=[password]

Specify the new Storage Hierarchy password. This option overrides the password specified with --ahpwd for the Storage Hierarchy only. If no password is specified, the well-known password is used. Mandatory where --ahpwd is not specified.

--olhpwd=[password]

Specify the old Lockout Hierarchy password. This option is needed for taking ownership of a configured TPM device.

--lhpwd=[password]

Specify the new Lockout Hierarchy password. This option overrides the password specified with --ahpwd for the Lockout Hierarchy only. If no password is specified, the well-known password is used. Mandatory where --ahpwd is not specified.

--authfail=[count]

(Optional) Specify the number of authorization failures (from 3 to 256) before a lockout is imposed. The default value is 5.

--rcytime=[seconds]

(Optional) Specify the time in seconds before the count of authorization failures is automatically decremented. A value of zero indicates that DA protection is disabled. The default value is 1000 seconds.

--lorcy=[seconds]

(Optional) Specify the time in seconds after a lockout authentication failure before use of lockout authentication is allowed. A value of zero indicates that a reboot is required. The default value is 1000 seconds.

--c

Clear the TPM without clearing hierarchy passwords.

--force

Clears the TPM including all hierarchy passwords using the default Platform Hierarchy password.

--nocredfile

Disable generation and use of the credentials file. The required credentials must be specified as command line arguments or environment variables.

--credfile=[credential file]

Specify the credentials file that is comprised of encoded passwords required to use the TPM.

--ftpm

(Optional) Indicates a firmware-based TPM (e.g., Intel fTPM), wherein TPM ownership is taken by the system with well-known passwords for the lockout, storage, and endorsement hierarchies. The credential file is generated for use with moctpm2_provision.

moctpm2_provision

This tool creates the Endorsement Key (EK) and the Storage Root Key (SRK). The EK is created with either the endorsement hierarchy password provided with the --ekpwd option or with the password provided with the --ehpwd option (if the --ekpwd option is not specified). The SRK is created with the password provided with the --srkpwd option or the password provided with the --shpwd option (if the --srkpwd option is not specified).

Note

This tool is not applicable to Windows platforms.

Syntax

moctpm2_provision [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--sm=[security module]

(Mandatory) Specify the security module; use localhost for the TPM emulator or the module path for a hardware TPM (e.g., /dev/tpm0).

--ep=[server port]

Specify the port number for the TPM emulator (applicable only for --sm=localhost).

--ehpwd=[password]

(Mandatory) Specify the password for the endorsement hierarchy. If --ekpwd is not specified, this password is used for the endorsement key. If no password is specified, the well-known password is used.

--shpwd=[password]

(Mandatory) Specify the password for the storage hierarchy. If no password is specified, the well-known password is used.

--ekpwd=[password]

Specify the Endorsement Key (EK) password. If this option is specified, the provided password is used for the EK. If no password is specified, the endorsement hierarchy password is used.

--ekalg=[key algorithm]

(Mandatory) Specify the algorithm (RSA or ECC) to create the EK.

--srkpwd=[password]

Specify the Storage Root Key (SRK) password. If this option is specified, the provided password is used for the SRK. If no password is specified, the Storage Hierarchy password is used.

--srkalg=[key algorithm]

(Mandatory) Specify the algorithm (RSA or ECC) to create the SRK.

--credfile=[credentials file]

Specify the credentials file that contains the encoded passwords required to use the TPM.

--nocredfile

Disables generation and use of the credentials file. Specify the credentials with command line arguments (--ehpwd, --shpwd, --ekpwd, --srkpwd) or environment variables (MOCANA_TPM2_EK_PASSWORD, MOCANA_TPM2_ENDORSEMENT_HIERARCHY_PASSWORD, MOCANA_TPM2_SRK_PASSWORD, MOCANA_TPM2_STORAGE_HIERARCHY_PASSWORD) instead of the credentials file.
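The checks a practitioner would run before taking ownership and provisioning, as an added Python example (this is not code from the moctpm2 tool set): check_ownership_params validates the moctpm2_takeownership DA parameters against the documented ranges and flags any hierarchy that would be left on the well-known password, and plan_provision builds a moctpm2_provision command line that uses --nocredfile and passes the passwords through the environment variables listed above rather than through argv. The function names, the option-to-variable mapping, the sample values and the use of subprocess are this example's own assumptions.

```python
import os
import subprocess

# Environment variable names come from the --nocredfile description of
# moctpm2_provision; the option-to-variable mapping is this example's own.
ENV_BY_OPTION = {
    "--ehpwd": "MOCANA_TPM2_ENDORSEMENT_HIERARCHY_PASSWORD",
    "--shpwd": "MOCANA_TPM2_STORAGE_HIERARCHY_PASSWORD",
    "--ekpwd": "MOCANA_TPM2_EK_PASSWORD",
    "--srkpwd": "MOCANA_TPM2_SRK_PASSWORD",
}


def check_ownership_params(passwords, authfail=5, rcytime=1000, lorcy=1000):
    """Findings for a planned moctpm2_takeownership run; an empty list means OK.

    `passwords` maps --ehpwd/--shpwd/--lhpwd to the values that will be set.
    The keyword defaults are the tool's documented defaults.
    """
    findings = []
    for opt in ("--ehpwd", "--shpwd", "--lhpwd"):
        if not passwords.get(opt):
            findings.append(f"{opt} unset: that hierarchy keeps the well-known password")
    values = [v for v in passwords.values() if v]
    if len(set(values)) != len(values):
        findings.append("hierarchy passwords are reused; one leak exposes several hierarchies")
    if not 3 <= authfail <= 256:
        findings.append(f"--authfail={authfail} is outside the documented 3..256 range")
    if rcytime == 0:
        findings.append("--rcytime=0 disables dictionary-attack protection")
    if lorcy == 0:
        findings.append("--lorcy=0: a lockout-hierarchy auth failure is only recoverable by reboot")
    return findings


def plan_provision(sm, ekalg, srkalg, secrets, ep=None):
    """Return (argv, env) for moctpm2_provision with --nocredfile.

    Secrets go into the environment, never into argv, so they do not show up
    in process listings or shell history. Empty values are rejected because
    the tool would silently fall back to the well-known password.
    """
    for opt in ("--ehpwd", "--shpwd"):
        if opt not in secrets:
            raise ValueError(f"{opt} is mandatory for moctpm2_provision")
    env = {}
    for opt, value in secrets.items():
        if opt not in ENV_BY_OPTION:
            raise ValueError(f"{opt} cannot be passed via the environment")
        if not value:
            raise ValueError(f"{opt} is empty: would fall back to the well-known password")
        env[ENV_BY_OPTION[opt]] = value
    argv = ["moctpm2_provision", f"--sm={sm}", "--nocredfile",
            f"--ekalg={ekalg}", f"--srkalg={srkalg}"]
    if ep is not None:
        argv.append(f"--ep={ep}")
    return argv, env


def run_provision(argv, env):
    """Execute the planned command; only the merged environment carries secrets."""
    return subprocess.run(argv, env={**os.environ, **env}, check=True)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    plan = {"--ehpwd": "eh-sample", "--shpwd": "sh-sample", "--lhpwd": "lh-sample"}
    for finding in check_ownership_params(plan, authfail=5, rcytime=1000, lorcy=1000):
        print("finding:", finding)
    argv, env = plan_provision("/dev/tpm0", "RSA", "ECC",
                               {"--ehpwd": plan["--ehpwd"], "--shpwd": plan["--shpwd"]})
    print(" ".join(argv), "with", sorted(env))
```

If the credentials file is used instead of --nocredfile, the same secrets end up encoded in that file, so its location and filesystem permissions become the thing to review.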

moctpm2_version

This tool reports the TPM 2.0 firmware version and manufacturer information.

Syntax

moctpm2_version [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

moctpm2_createasymkey

This tool creates an RSA or ECC key pair. The key pair is created with the built-in SRK as the parent.

Syntax

moctpm2_createasymkey [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to TPM 2.0 module configuration file.

--kalg=[key algorithm]

(Mandatory) Specify the algorithm (RSA or ECC) to create the key.

--ktype=[key type]

(Mandatory) Specify the type of key (sign, storage, general, or attest) to create.

--ksize=[key size]

Specify the key size (2048 or 4096) in bits; mandatory for RSA keys.

--kpwd=[key password]

Specify the password of the key to create. If no key password is specified, the key is created without a password.

--ss=[key signing scheme]

(Mandatory) Specify the signing scheme (PKCS1, pkcs1_sha256, pkcs1_sha384, pkcs1_sha512, ecdsa1, ecdsa256, ecdsa384, ecdsa512, pss256, pss384, or pss512) to create the signing key.

--es=[key encryption scheme]

Specify the encryption scheme (pkcs1, oaepsha1, oaepsha256, oaepsha384, or oaepsha512) to use to create the storage key.

--c=[ECC curve identifier]

Specify the curve identifier (n192, n224, n256, n384, or n521) for ECC key.

--pub=[output public key file]

Specify the output file that contains the public key.

--pri=[output private key file]

Specify the output file that contains the private key.

--enablecmk=[enable CMK]

Enables duplication of the key to another TPM. By default, the key is created with CMK disabled.

moctpm2_createsymkey

This tool creates a symmetric key for Encrypt/Decrypt or Sign/Verify operations.

Syntax

moctpm2_createsymkey [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--ktype=[key type]

(Mandatory) Specify the type of key (decrypt or sign) to create.

--ksize=[key size]

(Mandatory) Specify the key size (128, 192, or 256) in bits.

--kpwd=[key password]

Specify the password of the key to be created. If no key password is specified, the key is created without a password.

--halg=[hash algorithm]

Specify the hash algorithm (sha1 or sha256) for key creation.

--kmode=[key mode]

Specify the key mode (CFB, CTR, OFB, or CBC) for key creation.

--pri=[output key file]

Specify the output file that contains the created key.

--enablecmk=[enable CMK]

Enables duplication of the key to another TPM. By default, the key is created with CMK disabled.

moctpm2_encrypt

This tool encrypts an input file using an asymmetric key.

Syntax

moctpm2_encrypt [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--kpwd=[key password]

(Optional) Specify the password of the key to be loaded.

--kmode=[key mode]

(Optional) Specify the symmetric cipher mode (CFB, CTR, OFB, or CBC) for symmetric key encryption.

--es=[encryption scheme]

(Optional) Specify the encryption scheme (pkcs1, oaepsha1, oaepsha256, oaepsha384, or oaepsha512) for asymmetric key encryption.

--pri=[input private key file]

(Mandatory) Specify the input file that contains the private key.

--idf=[input data file]

(Mandatory) Specify the input file that contains the data to be encrypted.

--odf=[output data file]

(Mandatory) Specify the output file that contains the encrypted data.

moctpm2_decrypt

This tool decrypts a previously encrypted file using an input asymmetric key.

Syntax

moctpm2_decrypt [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--kpwd=[key password]

Specify the password of the key to be loaded.

--kmode=[key mode]

(Optional) Specify the symmetric cipher mode for symmetric key encryption.

--es=[encryption scheme]

(Optional) Specify the encryption scheme (PKCS1, OAEPSHA1 or OAEPSHA256) for asymmetric key encryption.

--pri=[input private key file]

(Mandatory) Specify the input file that contains the private key.

--idf=[input data file]

(Mandatory) Specify the input file that contains the encrypted data.

--odf=[output data file]

(Mandatory) Specify the output file that contains the decrypted data.

moctpm2_sign

This tool generates a signature from hash of the input file using an asymmetric key.

Syntax

moctpm2_sign [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--kpwd=[key password]

(Optional) Specify the password of the key to be loaded.

--halg=[hash algorithm]

(Mandatory) Specify the hash algorithm (sha1, sha256, sha384, or sha512) to hash the data in the input file. Defaults to sha256.

--ss=[key signing scheme]

(Optional) Specify the signing scheme (pkcs1, pkcs1_sha256, pkcs1_sha384, pkcs1_sha512, ecdsa1, ecdsa256, ecdsa384, ecdsa512, pss256, pss384, or pss512) used during key creation.

--pri=[input private key file]

(Mandatory) Specify the input file that contains the private key.

--idf=[input data file]

(Mandatory) Specify the input file that contains the data to be signed.

--osf=[output signature file]

(Mandatory) Specify the output file that contains the signature.

moctpm2_verify

This tool verifies the signature of the hash of data in an input file using an asymmetric key.

Syntax

moctpm2_verify [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--kpwd=[key password]

(Optional) Specify the password of the key to be loaded.

--halg=[hash algorithm]

(Mandatory) Specify the hash algorithm (sha1, sha256, sha384, or sha512) to hash the data in the input file. Defaults to sha256.

--ss=[key signing scheme]

(Mandatory) Specify the signing scheme (pkcs1, pkcs1_sha256, pkcs1_sha384, pkcs1_sha512, ecdsa1, ecdsa256, ecdsa384, ecdsa512, pss256, pss384, or pss512) used during key creation.

--pri=[input private key file]

(Mandatory) Specify the input file that contains the private key.

--idf=[input data file]

(Mandatory) Specify the input file that contains the data to be verified.

--isf=[input signature file]

(Mandatory) Specify the input file that contains the signature.

moctpm2_sealdata

This tool seals data with the TPM’s SRK, and optionally with the PCR configuration. The result can be unsealed with moctpm2_unsealdata.

Syntax

moctpm2_sealdata [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--auth=[password]

Specify the authorization password to seal data. If no password is specified, the well-known password is used.

--tdidx=[PCR index]

Specify the PCR value to seal data. Multiple PCRs may be specified with a --tdidx= option for each PCR index.

--idf=[input data file]

(Mandatory) Specify the input file that contains the data to be sealed.

--odf=[output sealed data file]

(Mandatory) Specify the output file that contains the sealed data.

moctpm2_unsealdata

This tool unseals the sealed input data, previously sealed with moctpm2_sealdata.

Syntax

moctpm2_unsealdata [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--auth=[password]

Specify the authorization password to unseal data. If no password is specified, the well-known password is used.

--tdidx=[PCR index]

Specify the PCR value to unseal data. Multiple PCRs may be specified with a --tdidx= option for each PCR index.

--idf=[input data file]

(Mandatory) Specify the input file that contains the previously sealed data to unseal.

--odf=[output data file]

(Mandatory) Specify the output file that contains the unsealed data.

moctpm2_selftest

This tool performs a full or incremental self-test.

Syntax

moctpm2_selftest [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--i [run incremental self-test]

Run an incremental self-test.

--r [return results only]

Return the last self-test results (does not rerun the self-test).

moctpm2_readpubek

This tool displays the public portion of the Endorsement Key.

Syntax

moctpm2_readpubek [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--pub=[public key file]

(Mandatory) Specify the output file that contains the public key data.

moctpm2_getrandom

This tool generates random data using the TPM’s RNG.

Syntax

moctpm2_getrandom [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--rndsize=[random number size]

Specify the size of random number to generate.

--odf=[output data file]

(Mandatory) Specify the output file that contains the random number.

moctpm2_stirrandom

This tool adds entropy to the random bit generator.

Syntax

moctpm2_stirrandom [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--size=[number of bytes to stir]

Specify the number of bytes to use to stir the RNG.

--idf=[input data file]

(Mandatory) Specify the input file that contains the entropy.

moctpm2_gettrusteddata

This tool reads the TPM’s PCRs.

Syntax

moctpm2_gettrusteddata [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--tdtype=[data type]

Specify the type of trusted data (measurement, identifier, or report).

--tdsubtype=[subtype]

Specify the sub type of the trusted data. Set to 1 for TPM 2.0.

--tdidx=[PCR index]

(Optional) Specify the PCR index to read. Defaults to all PCRs.

--odf=[output data file]

(Mandatory) Specify the output file that contains the PCRs specified in --tdidx.

moctpm2_updatetrusteddata

This tool extends data to the specified PCR.

Syntax

moctpm2_updatetrusteddata [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--tdtype=[data type]

Specify the type of trusted data (measurement, identifier, or report).

--tdsubtype=[subtype]

Specify the sub type of trusted data. Set to 1 for TPM 2.0.

--tdidx=[PCR index]

Specify the PCR index to extend.

--idf=[input data file]

(Mandatory) Specify the input file that contains the value to extend with (20 or 32 bytes).

--odf=[output data file]

(Mandatory) Specify the output file that contains the updated (extended) trusted data.
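How the PCR values reported by moctpm2_gettrusteddata come about, and why moctpm2_unsealdata fails once a measurement changes, as an added Python example (this is not code from the moctpm2 tools): it replays a constructed event log through the TPM 2.0 extend operation, new = H(current || value), for the SHA-1 and SHA-256 banks, produces the expected PCR value to compare against the tool's output, and, when a reported value does not match, checks whether it corresponds to a prefix of the log (the usual sign that later events were never extended). The event list, function names and the all-zero starting value are this example's own assumptions.

```python
import hashlib

# Bank digest sizes: the --idf value given to moctpm2_updatetrusteddata must be
# 20 bytes for the SHA-1 bank or 32 bytes for the SHA-256 bank.
BANKS = {"sha1": 20, "sha256": 32}


def pcr_extend(current, value, halg="sha256"):
    """TPM2_PCR_Extend semantics: the new PCR value is H(current || value)."""
    size = BANKS[halg]
    if len(current) != size or len(value) != size:
        raise ValueError(f"{halg} bank requires {size}-byte values")
    return hashlib.new(halg, current + value).digest()


def measure(event, halg="sha256"):
    """Digest of an event (file contents, a config blob) as it would be extended."""
    return hashlib.new(halg, event).digest()


def replay(events, halg="sha256", initial=None):
    """Replay an ordered event list and return the PCR value the TPM should report.

    The all-zero start is the reset value of the static PCRs (0-16, 23); pass
    `initial` to start from a PCR value read with moctpm2_gettrusteddata instead.
    """
    pcr = initial if initial is not None else bytes(BANKS[halg])
    for event in events:
        pcr = pcr_extend(pcr, measure(event, halg), halg)
    return pcr


def first_matching_prefix(reported, events, halg="sha256"):
    """Return the number of leading events whose replay equals `reported`, or None.

    A match at k < len(events) means the PCR stopped being extended after event k;
    None means the PCR value cannot be explained by any prefix of this log.
    """
    for k in range(len(events) + 1):
        if replay(events[:k], halg) == reported:
            return k
    return None


# Constructed sample event log (not taken from any real system).
SAMPLE_EVENTS = [b"bootloader-v1", b"kernel-5.x", b"config-a"]

if __name__ == "__main__":
    expected = replay(SAMPLE_EVENTS)
    print("expected PCR (sha256 bank):", expected.hex())
    # Simulate a reported value where the last event was never extended.
    reported = replay(SAMPLE_EVENTS[:2])
    print("reported value matches prefix of length:",
          first_matching_prefix(reported, SAMPLE_EVENTS))
```

Sealing with --tdidx binds the sealed blob to the PCR values at seal time, so any change in the replayed log, including a reordering of two events, yields a different PCR value and the unseal fails; the prefix check above is what tells a truncated log apart from a genuinely different platform state.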

moctpm2_getquote

This tool generates a TPM quote (a hash of all the PCRs, and a signature of the hash) using a nonce provided in an input file.

Syntax

moctpm2_getquote [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--kpwd=[key password]

Specify the password of the key to load.

--halg=[hash algorithm]

Specify the hash algorithm (sha1, sha256, or sha512) to use to hash the PCR values. Mandatory for key type of General.

--tdidx=[PCR index]

Specify the PCR index to use. Multiple PCR indices can be specified by repeating this option.

--pri=[input private key file]

(Mandatory) Specify the input file that contains the private key.

--idf=[input data file]

(Mandatory) Specify the input file that contains the nonce (maximum of 32 bytes).

--odf=[output data file]

(Mandatory) Specify the output file to write the TPM quote to.

--osf=[output signature file]

Specify the output file that contains a signature of the TPM quote.

--raw [out signature in raw form]

Output the signature in raw form.

--otf=[output text file]

Specify the output file to write the TPM quote to in readable text form.

moctpm2_verifyquote

This tool verifies the signature of TPM quote.

Syntax

moctpm2_verifyquote [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--kpwd=[key password]

(Optional) Specify the password of the key to load.

--halg=[hash algorithm]

Specify the hash algorithm (sha1, sha256, or sha512) for the hash of the TPM quote.

--ss=[key signing scheme]

Specify the signing scheme (pkcs1, pkcs1_sha384, pkcs1_sha512, ecdsa1, ecdsa256, ecdsa384, ecdsa512, pss256, pss384 or pss512) used to generate the signature of the quote.

--pri=[input private key file]

(Mandatory) Specify the input file that contains the private key.

--idf=[input data file]

(Mandatory) Specify the input file that contains the data to verify.

--isf=[input signature file]

(Mandatory) Specify the input file that contains the signature.
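What moctpm2_verifyquote's signature check alone does not establish, as an added Python example (this is not the tool's code): once the signature over the quote is verified, the quote body still has to carry the nonce that was sent with --idf (otherwise an old quote can be replayed) and a PCR digest that matches the platform state the verifier requires, over exactly the PCR selection the verifier asked for. The example assumes the --odf output of moctpm2_getquote is the raw TPMS_ATTEST structure defined in the TPM 2.0 Library specification (Part 2) and builds a constructed one inline; the signer name, clock values and PCR contents are made up, and the function names are this example's own.

```python
import hashlib
import struct

TPM_GENERATED = 0xFF544347      # TPMS_ATTEST.magic
TPM_ST_ATTEST_QUOTE = 0x8018    # TPMS_ATTEST.type for a quote
ALG_ID = {"sha1": 0x0004, "sha256": 0x000B, "sha512": 0x000D}


def _read_2b(buf, off):
    """TPM2B_*: 16-bit big-endian size followed by that many bytes."""
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + size], off + size


def pcr_digest(selection, pcrs, halg):
    """Digest of the selected PCR values concatenated in selection order."""
    h = hashlib.new(halg)
    for alg, indices in selection:
        for i in indices:
            h.update(pcrs[(alg, i)])
    return h.digest()


def marshal_selection(selection):
    """TPML_PCR_SELECTION: count, then (alg, sizeofSelect, bitmap) per bank."""
    out = struct.pack(">I", len(selection))
    for alg, indices in selection:
        bitmap = bytearray(3)                       # 24 PCRs -> 3 bytes
        for i in indices:
            bitmap[i // 8] |= 1 << (i % 8)
        out += struct.pack(">HB", alg, len(bitmap)) + bytes(bitmap)
    return out


def build_attest(nonce, selection, pcrs, halg):
    """Constructed TPMS_ATTEST for a quote, i.e. the bytes a TPM would sign."""
    signer = b"\x00\x0b" + b"\x11" * 32           # TPM2B_NAME contents, constructed
    digest = pcr_digest(selection, pcrs, halg)
    return (struct.pack(">IH", TPM_GENERATED, TPM_ST_ATTEST_QUOTE)
            + struct.pack(">H", len(signer)) + signer
            + struct.pack(">H", len(nonce)) + nonce          # extraData = nonce
            + struct.pack(">QIIB", 1234567, 3, 0, 1)         # clockInfo, constructed
            + struct.pack(">Q", 0x0001000200030004)          # firmwareVersion, constructed
            + marshal_selection(selection)
            + struct.pack(">H", len(digest)) + digest)


def parse_attest(blob):
    """Unmarshal a quote TPMS_ATTEST; rejects anything that is not a quote."""
    magic, atype = struct.unpack_from(">IH", blob, 0)
    if magic != TPM_GENERATED:
        raise ValueError("not a TPM-generated structure")
    if atype != TPM_ST_ATTEST_QUOTE:
        raise ValueError(f"attest type 0x{atype:04x} is not a quote")
    off = 6
    signer, off = _read_2b(blob, off)
    extra, off = _read_2b(blob, off)
    _clock, reset_count, restart_count, _safe = struct.unpack_from(">QIIB", blob, off)
    off += 17
    off += 8                                        # firmwareVersion
    (count,) = struct.unpack_from(">I", blob, off)
    off += 4
    selection = []
    for _ in range(count):
        alg, nsel = struct.unpack_from(">HB", blob, off)
        off += 3
        bitmap = blob[off:off + nsel]
        off += nsel
        indices = [8 * b + i for b, byte in enumerate(bitmap)
                   for i in range(8) if byte >> i & 1]
        selection.append((alg, indices))
    digest, off = _read_2b(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"signer": signer, "nonce": extra, "reset_count": reset_count,
            "restart_count": restart_count, "selection": selection, "pcr_digest": digest}


def verify_quote(blob, expected_nonce, expected_pcrs, halg):
    """Semantic checks after signature verification; an empty list means the quote is acceptable."""
    att = parse_attest(blob)
    problems = []
    if att["nonce"] != expected_nonce:
        problems.append("nonce mismatch: possible replay of an earlier quote")
    selected = {(alg, i) for alg, indices in att["selection"] for i in indices}
    if selected != set(expected_pcrs):
        problems.append("PCR selection differs from the set the verifier requires")
    elif att["pcr_digest"] != pcr_digest(att["selection"], expected_pcrs, halg):
        problems.append("PCR digest mismatch: platform state differs from the expected values")
    return problems


if __name__ == "__main__":
    # Constructed sample: SHA-256 bank, PCRs 0 and 7, made-up values.
    sel = [(ALG_ID["sha256"], [0, 7])]
    pcrs = {(ALG_ID["sha256"], 0): bytes(32), (ALG_ID["sha256"], 7): b"\x07" * 32}
    nonce = b"constructed-nonce-0001"
    quote = build_attest(nonce, sel, pcrs, "sha256")
    print("fresh quote:", verify_quote(quote, nonce, pcrs, "sha256") or "OK")
    print("replayed quote:", verify_quote(quote, b"constructed-nonce-0002", pcrs, "sha256"))
```

The nonce must be generated fresh per request and never reused; the PCR expectations are the values computed from the approved measurement log, so a quote over a subset of the required PCRs is rejected even when its digest is correct for that subset.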

moctpm2_createpolicystorage

This tool configures the NVRAM format at the specified index in the TPM.

Syntax

moctpm2_createpolicystorage [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--pspwd=[policy storage password]

Specify the NVRAM access authorization password. If none is specified, the well-known password is used.

--psidx=[policy storage index]

(Mandatory) Specify the index of the NVRAM to be configured. Hex values must be prefixed with a 0x.

--pssize=[size of the policy storage index]

(Mandatory) Specify the size of data in bytes at the NVRAM index.

--pstype=[policy storage index type]

(Mandatory) Specify the type of the NVRAM index (ordinary, counter, bits, extend) to configure.

moctpm2_getpolicystorage

This tool reads the contents at the specified index of the NVRAM in the TPM.

Syntax

moctpm2_getpolicystorage [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--pspwd=[policy storage password]

Specify the NVRAM read password. If not specified, well-known password is used.

--psidx=[policy storage index]

(Mandatory) Specify the index of the NVRAM to read. Hex values must be prefixed with a 0x.

--odf=[output data file]

(Mandatory) Specify the output file that contains contents at the NVRAM index.

moctpm2_getpolicystoragelist

This tool lists the indices of NVRAM and persistent objects.

Syntax

moctpm2_getpolicystoragelist [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

moctpm2_delpolicystorage

This tool deletes the NVRAM format at the specified index in the TPM.

Syntax

moctpm2_delpolicystorage [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--pspwd=[policy storage password]

Specify the NVRAM access authorization password. If none is specified, the well-known password is used.

--psidx=[policy storage index]

(Mandatory) Specify the index of the NVRAM to be deleted. Hex values must be prefixed with a 0x.

--pssize=[size of the policy storage index]

(Mandatory) Specify the size of data in bytes of the NVRAM index.

--pstype=[policy storage index type]

(Mandatory) Specify the type of the NVRAM index (ordinary, counter, bits, extend) to delete.

moctpm2_setpolicystorage

This tool writes data to the specified index of the NVRAM in the TPM.

Syntax

moctpm2_setpolicystorage [options]

Options

Option

Description

--h [option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--pspwd=[policy storage password]

Specify the NVRAM write password. If not specified, the well-known password is used.

--psidx=[policy storage index]

(Mandatory) Specify the index of the NVRAM to write. Hex values must be prefixed with a 0x.

--idf=[input data file]

(Mandatory) Specify the input file containing data to write.

moctpm2_readpublickeyblob

This tool reads the public portion of the entity (SRK or EK) and writes it to a file.

Syntax

moctpm2_readpublickeyblob [options]

Options

Option

Description

--h=[option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--eid=[entity ID]

Specify the entity ID for the public key BLOB (e.g., 0x81000000 for SRK, or 0x81010000 for EK).

--pub=[public key file]

(Mandatory) Specify the output file to store the public key BLOB.

moctpm2_duplicatekey

This tool generates a duplicate key for export into another TPM.

Syntax

moctpm2_duplicatekey [options]

Options

Option

Description

--h=[option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--kpwd=[key password]

Specify the password of the key to be duplicated.

--pri=[input private key file]

(Mandatory) Specify the input file that contains the private key to be duplicated.

--pub=[pubkey blob file]

(Mandatory) Specify the input file that contains the public key BLOB of the new parent.

--odf=[output duplicate key file]

(Mandatory) Specify the output file that contains the importable duplicated key BLOB.

moctpm2_importduplicatekey

This tool imports a duplicate key BLOB produced on the source device and creates the corresponding asymmetric key under the new parent on the destination device.

Syntax

moctpm2_importduplicatekey [options]

Options

Option

Description

--h=[option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to the TPM 2.0 module configuration file.

--kalg=[key algorithm]

(Mandatory) Specify the algorithm (RSA or ECC) of the imported key.

--ktype=[key type]

(Mandatory) Specify the type of imported key (sign, storage, general, or attest).

--ksize=[key size]

(Mandatory) Specify the key size (2048 or 4096) in bits of the imported key.

--kpwd=[key password]

Specify the password of the imported key to be loaded.

--kmode=[key mode]

Specify the key mode (CFB, CTR, OFB, or CBC) for key creation.

--ss=[key signing scheme]

Specify the signing scheme (pkcs1, pkcs1_sha384, pkcs1_sha512, ecdsa1, ecdsa256, ecdsa384, ecdsa512, pss256, pss384, or pss512) to create the signing key.

--es=[key encryption scheme]

Specify the encryption scheme (pkcs1, oaepsha1, oaepsha256, oaepsha384, or oaepsha512) used to create the storage key.

--c=[ECC curve identifier]

Specify the curve identifier (n192, n224, n256, n384, or n521) for ECC key.

--dup=[input duplicate key file]

(Mandatory) Specify the input file that contains the duplicate key BLOB.

--pub=[output public key file]

(Mandatory) Specify the output file that contains the public key.

--pri=[output private key file]

(Mandatory) Specify the output file that contains the private key.

moctpm2_resetdalock

This tool clears a TPM 2.0 Dictionary Attack lockout.

Syntax

moctpm2_resetdalock [options]

Options

Option

Description

--h=[option(s)]

Display help for the specified option(s).

--sm=[server name or module path]

(Mandatory) Specify the Security Module; use localhost for the TPM emulator or the module path for a hardware TPM (e.g., /dev/tpm0).

--ep=[server port]

Specify the port number for the TPM emulator (applicable only for --sm=localhost).

--credfile=[credentials file]

(Mandatory) Specify the credentials file that is comprised of encoded passwords required to use the TPM.

--z

Authenticate using the well-known password.

--nocredfile

Disable use of the credentials file. Specify the lockout credential with the command line argument (--lhpwd) or set the environment variable (MOCANA_TPM2_OLD_LOCKOUT_PASSWORD) instead of using the credentials file.

--lhpwd=[password]

Specify the old Lockout Hierarchy password.

moctpm2_getcapability

This tool returns the TPM 2.0 secure element capabilities information.

Syntax

moctpm2_getcapability [options]

Options

Option

Description

--h=[option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to TPM 2.0 module configuration file.

--cap=[capability]

Specify the category of data to return:

  • 0 - TPM_CAP_ALGS

  • 1 - TPM_CAP_HANDLES

  • 2 - UNSUPPORTED

  • 3 - UNSUPPORTED

  • 4 - UNSUPPORTED

  • 5 - TPM_CAP_PCRS

  • 6 - TPM_CAP_TPM_PROPERTIES (default)

  • 7 - UNSUPPORTED

  • 8 - TPM_CAP_ECC_CURVE

--pr=[property]

Specify the first property of the selected capability to return (defaults to first available property). Hex values must be prefixed with 0x.

--pc=[property count]

Number of properties to return. The default setting returns all properties.

smp_tpm2_getidstr_bin

This tool generates a TPM 2.0 secure element module ID string for use in a module configuration file.

Syntax

smp_tpm2_getidstr_bin [options]

Options

Option

Description

--h=[option(s)]

Display help for the specified option(s).

--c [full configuration file name path]

Specify the full configuration filename path. The default path is /etc/mocana/tpm2.conf.

--d [display mismatches]

Display any mismatches between the configured and the device ID string.

--w [update configuration file]

Update the input configuration file with the device ID string if there are any mismatches between the configured and the device ID string.

moctpm2_persistkeyobject

This tool persists a previously created key to TPM memory at the specified key ID (index). Future key operations and APIs may use the key ID instead of the key file.

Syntax

moctpm2_persistkeyobject [options]

Options

Option

Description

--h=[option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to TPM 2.0 module configuration file.

--obj=[Private key file name]

Specify the private key file to be persisted to TPM memory.

--pid=[Persistent Key ID]

Specify the persistent key ID (index) where the key should be stored. The hex value must be in the 0x81000000 - 0x81FFFFFF range.

moctpm2_evictkeyobject

This tool removes a previously persisted key from TPM memory.

Syntax

moctpm2_evictkeyobject [options]

Options

Option

Description

--h=[option(s)]

Display help for the specified option(s).

--conf=[TPM 2.0 configuration file]

Specify the path to TPM 2.0 module configuration file.

--pid=[Persistent Key ID]

Specify the persistent key ID (index) from where the key should be removed. The hex value must be in the 0x81000000 - 0x81FFFFFF range.