moctpm tools
moctpm2_takeownership
This tool takes ownership of a TPM 2.0 module. If the --c or --force option is specified, the TPM is cleared; otherwise, ownership is taken. Taking ownership requires setting the hierarchy passwords and optionally the DA lockout parameters. The TPM is first cleared using the old lockout hierarchy password before the new values are set.
Note
This tool is not applicable to Windows platforms.
Syntax
moctpm2_takeownership [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | (Mandatory) Specify the Security Module; use localhost for the TPM emulator or the module path for the hardware TPM (e.g., |
| | Specify the port number for the TPM emulator (applicable only for |
| | Specify a password that must be used for all hierarchies; may be individually overridden with the |
| | Specify the new Endorsement Hierarchy password. This option overrides the password specified with |
| | Specify the new Storage Hierarchy password. This option overrides the password specified with |
| | Specify the old Lockout Hierarchy password. This option is needed for taking ownership of a configured TPM device. |
| | Specify the new Lockout Hierarchy password. This option overrides the password specified with |
| | (Optional) Specify the number of authorization failures (from 3 to 256) before a lockout is imposed. The default value is 5. |
| | (Optional) Specify the time in seconds before the count of authorization failures is automatically decremented. A value of zero indicates that DA protection is disabled. The default value is 1000 seconds. |
| | (Optional) Specify the time in seconds after a lockout authentication failure before use of lockout authentication is allowed. A value of zero indicates that a reboot is required. The default value is 1000 seconds. |
| | Clear the TPM without clearing the hierarchy passwords. |
| | Clear the TPM, including all hierarchy passwords, using the default Platform Hierarchy password. |
| | Disable generation and use of the credentials file. The required credentials must be specified as command line arguments or environment variables. |
| | Specify the credentials file, which is comprised of the encoded passwords required to use the TPM. |
| | (Optional) Indicates a firmware-based TPM (e.g., Intel fTPM), wherein TPM ownership is taken by the system with well-known passwords for the lockout, storage, and endorsement hierarchies. The credential file is generated for use with |
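The three DA lockout parameters above (maximum failures, recovery time, lockout recovery time) interact in ways that are easy to misjudge, for example a recovery time of zero switching DA protection off entirely. The following model is an added example and not part of the moctpm tool suite; the class and method names are assumptions chosen for illustration, while the parameter meanings, ranges and defaults follow the option table.

```python
"""Model of the TPM 2.0 dictionary-attack (DA) lockout parameters set by
moctpm2_takeownership. Added example, not part of the moctpm tool suite;
the class and method names are assumptions chosen for illustration, while
the parameter meanings, ranges and defaults follow the option table."""

from dataclasses import dataclass, field


@dataclass
class DALockoutState:
    max_tries: int = 5            # authorization failures allowed before lockout (3 to 256)
    recovery_time: int = 1000     # seconds until failed_tries is decremented by one; 0 disables DA
    lockout_recovery: int = 1000  # seconds lockout auth is refused after a failed lockout auth; 0 = until reboot
    failed_tries: int = 0
    now: int = 0                  # simulated clock in seconds
    _last_decay: int = field(default=0, repr=False)
    _lockout_auth_blocked_until: object = field(default=0, repr=False)  # int, or None for "until reboot"

    def __post_init__(self) -> None:
        if not 3 <= self.max_tries <= 256:
            raise ValueError("max_tries must be between 3 and 256")

    def in_lockout(self) -> bool:
        """DA-protected objects refuse authorization while this is true."""
        return self.recovery_time > 0 and self.failed_tries >= self.max_tries

    def advance(self, seconds: int) -> None:
        """Let simulated time pass; one failure is forgiven every recovery_time seconds."""
        self.now += seconds
        if self.recovery_time == 0:
            return
        while self.failed_tries > 0 and self.now - self._last_decay >= self.recovery_time:
            self.failed_tries -= 1
            self._last_decay += self.recovery_time

    def object_auth(self, correct: bool) -> bool:
        """Authorization attempt against a DA-protected object such as a password-protected key."""
        if self.in_lockout():
            return False  # refused outright, even with the right password
        if correct:
            return True
        if self.recovery_time > 0:  # failures are only counted while DA protection is enabled
            if self.failed_tries == 0:
                self._last_decay = self.now
            self.failed_tries += 1
        return False

    def lockout_auth(self, correct: bool) -> bool:
        """Lockout-hierarchy authorization; a success resets the counter (cf. moctpm2_resetdalock)."""
        blocked = self._lockout_auth_blocked_until
        if blocked is None or self.now < blocked:
            return False
        if correct:
            self.failed_tries = 0
            return True
        self._lockout_auth_blocked_until = None if self.lockout_recovery == 0 else self.now + self.lockout_recovery
        return False

    def reboot(self) -> None:
        """A TPM reset lifts an 'until reboot' block on lockout auth; failed_tries is not touched here."""
        self._lockout_auth_blocked_until = self.now


if __name__ == "__main__":
    s = DALockoutState()
    for _ in range(5):
        s.object_auth(correct=False)
    print("in lockout:", s.in_lockout())                    # True after five wrong passwords
    s.advance(1000)
    print("after 1000 s:", s.failed_tries, s.in_lockout())  # 4 False
```

The model makes the operational consequence of each setting visible: with the defaults, five wrong passwords block every DA-protected key for 1000 seconds unless the lockout password is used to reset the counter, and a wrong lockout password with a lockout recovery of zero leaves only a reboot as the way back.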
moctpm2_provision
This tool creates the Endorsement Key (EK) and the Storage Root Key (SRK). The EK is created with either the endorsement hierarchy password provided with the --ekpwd option or with the password provided with the --ehpwd option (if the --ekpwd option is not specified). The SRK is created with the password provided with the --srkpwd option or the password provided with the --shpwd option (if the --srkpwd option is not specified).
Note
This tool is not applicable to Windows platforms.
Syntax
moctpm2_provision [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | (Mandatory) Specify the security module; use localhost for the TPM emulator or the module path for the hardware TPM (e.g., |
| | Specify the port number for the TPM emulator (applicable only for |
| | (Mandatory) Specify the password for the endorsement hierarchy. If |
| | (Mandatory) Specify the password for the storage hierarchy. If no password is specified, the well-known password is used. |
| | Specify the Endorsement Key (EK) password. If this option is specified, the provided password is used for the EK. If no password is specified, the endorsement hierarchy password is used. |
| | (Mandatory) Specify the algorithm (RSA or ECC) used to create the EK. |
| | Specify the Storage Root Key (SRK) password. If this option is specified, the provided password is used for the SRK. If no password is specified, the Storage Hierarchy password is used. |
| | (Mandatory) Specify the algorithm (RSA or ECC) used to create the SRK. |
| | Specify the credentials file that contains the encoded passwords required to use the TPM. |
| | Disable generation and use of the credentials file. Specify the credentials with command line arguments ( |
moctpm2_version
This tool reports the TPM 2.0 firmware version and manufacturer information.
Syntax
moctpm2_version [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
moctpm2_createasymkey
This tool creates an RSA or ECC key pair. The key pair is created with the built-in SRK as the parent.
Syntax
moctpm2_createasymkey [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | (Mandatory) Specify the algorithm (RSA or ECC) of the key to create. |
| | (Mandatory) Specify the type of key (sign, storage, general, or attest) to create. |
| | (Mandatory for RSA keys) Specify the key size (2048 or 4096) for RSA keys. |
| | Specify the password of the key to create. If no key password is specified, the key is created without a password. |
| | (Mandatory) Specify the signing scheme (pkcs1, pkcs1_sha256, pkcs1_sha384, pkcs1_sha512, ecdsa1, ecdsa256, ecdsa384, ecdsa512, pss256, pss384, or pss512) used to create the signing key. |
| | Specify the encryption scheme (pkcs1, oaepsha1, oaepsha256, oaepsha384, or oaepsha512) used to create the storage key. |
| | Specify the curve identifier (n192, n224, n256, n384, or n521) for an ECC key. |
| | Specify the output file that contains the public key. |
| | Specify the output file that contains the private key. |
| | Enable duplication of the key to another TPM. By default, the key is created with CMK disabled. |
moctpm2_createsymkey
This tool creates a symmetric key for Encrypt/Decrypt or Sign/Verify operations.
Syntax
moctpm2_createsymkey [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | (Mandatory) Specify the type of key (decrypt or sign) to create. |
| | (Mandatory) Specify the key size (128, 192, or 256) in bits. |
| | Specify the password of the key to be created. If no key password is specified, the key is created without a password. |
| | Specify the hash algorithm (sha1 or sha256) for key creation. |
| | Specify the key mode (CFB, CTR, OFB, or CBC) for key creation. |
| | Specify the output file that contains the created key. |
| | Enable duplication of the key to another TPM. By default, the key is created with CMK disabled. |
moctpm2_encrypt
This tool encrypts an input file using an asymmetric key.
Syntax
moctpm2_encrypt [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | (Optional) Specify the password of the key to be loaded. |
| | (Optional) Specify the symmetric cipher mode (CFB, CTR, OFB, or CBC) for symmetric key encryption. |
| | (Optional) Specify the encryption scheme (pkcs1, oaepsha1, oaepsha256, oaepsha384, or oaepsha512) for asymmetric key encryption. |
| | (Mandatory) Specify the input file that contains the private key. |
| | (Mandatory) Specify the input file that contains the data to be encrypted. |
| | (Mandatory) Specify the output file that contains the encrypted data. |
moctpm2_decrypt
This tool decrypts a previously encrypted file using an input asymmetric key.
Syntax
moctpm2_decrypt [options]
Options
Option | Description |
---|---|
| Display help for the specified option(s). |
| Specify the path to the TPM 2.0 module configuration file. |
| Specify the password of the key to be loaded. |
| (Optional) Specify the symmetric cipher mode for symmetric key encryption. |
| (Optional) Specify the encryption scheme (PKCS1, OAEPSHA1 or OAEPSHA256) for asymmetric key encryption. |
| (Mandatory) Specify the input file that contains the private key. |
| (Mandatory) Specify the input file that contains the encrypted data. |
| (Mandatory) Specify the output file that contains the decrypted data. |
moctpm2_sign
This tool generates a signature from hash of the input file using an asymmetric key.
Syntax
moctpm2_sign [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | (Optional) Specify the password of the key to be loaded. |
| | (Mandatory) Specify the hash algorithm (sha1, sha256, sha384, or sha512) used to hash the data in the input file. Defaults to sha256. |
| | (Optional) Specify the signing scheme (pkcs1, pkcs1_sha256, pkcs1_sha384, pkcs1_sha512, ecdsa1, ecdsa256, ecdsa384, ecdsa512, pss256, pss384, or pss512) used during key creation. |
| | (Mandatory) Specify the input file that contains the private key. |
| | (Mandatory) Specify the input file that contains the data to be signed. |
| | (Mandatory) Specify the output file that contains the signature. |
moctpm2_verify
This tool verifies the signature of the hash of data in an input file using an asymmetric key.
Syntax
moctpm2_verify [options]
Options
Option | Description |
---|---|
| Display help for the specified option(s). |
| Specify the path to the TPM 2.0 module configuration file. |
| (Optional) Specify the password of the key to be loaded. |
| (Mandatory) Specify the hash algorithm (sha1, sha256, sha384, or sha512) to hash the data in the input file. Defaults to sha256. |
| (Mandatory) Specify the signing scheme (pkcs1, pkcs1_sha256, pkcs1_sha384, pkcs1_sha512, ecdsa1, ecdsa256, ecdsa384, ecdsa512, pss256, pss384, or pss512) used during key creation. |
| (Mandatory) Specify the input file that contains the private key. |
| (Mandatory) Specify the input file that contains the data to be verified. |
| (Mandatory) Specify the input file that contains the signature. |
moctpm2_sealdata
This tool seals data with the TPM’s SRK, and optionally with the PCR configuration. The result can be unsealed with moctpm2_unsealdata.
Syntax
moctpm2_sealdata [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the authorization password to seal data. If no password is specified, the well-known password is used. |
| | Specify the PCR value to seal data. Multiple PCRs may be specified with a |
| | (Mandatory) Specify the input file that contains the data to be sealed. |
| | (Mandatory) Specify the output file that contains the sealed data. |
moctpm2_unsealdata
This tool unseals the sealed input data, previously sealed with moctpm2_sealdata.
Syntax
moctpm2_unsealdata [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the authorization password to seal data. If no password is specified, the well-known password is used. |
| | Specify the PCR value to unseal data. Multiple PCRs may be specified with a |
| | (Mandatory) Specify the input file that contains the previously sealed data to unseal. |
| | (Mandatory) Specify the output file that contains the unsealed data. |
moctpm2_selftest
This tool performs a full or incremental self-test.
Syntax
moctpm2_selftest [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Run an incremental self-test. |
| | Return the last self-test results (does not rerun the self-test). |
moctpm2_readpubek
This tool displays the public portion of the Endorsement Key.
Syntax
moctpm2_readpubek [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | (Mandatory) Specify the output file that contains the public key data. |
moctpm2_getrandom
This tool generates random data using the TPM’s RNG.
Syntax
moctpm2_getrandom [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the size of the random number to generate. |
| | (Mandatory) Specify the output file that contains the random number. |
moctpm2_stirrandom
This tool adds entropy to the random bit generator.
Syntax
moctpm2_stirrandom [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the number of bytes to use to stir the RNG. |
| | (Mandatory) Specify the input file that contains the entropy. |
moctpm2_gettrusteddata
This tool reads the TPM’s PCRs.
Syntax
moctpm2_gettrusteddata [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the type of trusted data (measurement, identifier, or report). |
| | Specify the subtype of the trusted data. Set to 1 for TPM 2.0. |
| | (Optional) Specify the PCR index to read. Defaults to all PCRs. |
| | (Mandatory) Specify the output file that contains the PCRs specified in --tdidx. |
moctpm2_updatetrusteddata
This tool extends data to the specified PCR.
Syntax
moctpm2_updatetrusteddata [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the type of trusted data (measurement, identifier, or report). |
| | Specify the subtype of trusted data. Set to |
| | Specify the PCR index to extend. |
| | (Mandatory) Specify the input file that contains the value to extend with (20 or 32 bytes). |
| | (Mandatory) Specify the output file that contains the updated (extended) trusted data. |
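Reading a PCR with moctpm2_gettrusteddata and extending it with moctpm2_updatetrusteddata only make sense once the extend rule is clear: a PCR is never overwritten, it is replaced by the hash of its old value concatenated with the new 20- or 32-byte value, so the final value depends on every extend and on their order. The simulation below is an added example and not part of the moctpm tool suite; the PCRBank class, measure() and replay() are assumptions chosen for illustration, while the extend rule is the TPM 2.0 one.

```python
"""Simulated PCR bank showing what moctpm2_updatetrusteddata (extend) and
moctpm2_gettrusteddata (read) operate on. Added example, not part of the
moctpm tool suite; PCRBank, measure() and replay() are assumptions chosen
for illustration. The extend rule is the TPM 2.0 one:
new PCR = H(old PCR || value), so order matters and nothing can be undone."""

import hashlib
from typing import List, Optional

# digest sizes the tool accepts: 20 bytes for the SHA-1 bank, 32 for the SHA-256 bank
BANK_BY_DIGEST_SIZE = {20: "sha1", 32: "sha256"}


class PCRBank:
    def __init__(self, digest_size: int = 32, count: int = 24):
        if digest_size not in BANK_BY_DIGEST_SIZE:
            raise ValueError("digest size must be 20 or 32 bytes")
        self.alg = BANK_BY_DIGEST_SIZE[digest_size]
        self.size = digest_size
        # reset value modelled as all zeros for every PCR (real TPMs start the
        # DRTM PCRs 17-22 at all ones; not modelled here)
        self.pcrs = [b"\x00" * digest_size for _ in range(count)]

    def read(self, index: Optional[int] = None):
        """One PCR, or all PCRs when no index is given (cf. --tdidx defaulting to all)."""
        return list(self.pcrs) if index is None else self.pcrs[index]

    def extend(self, index: int, value: bytes) -> bytes:
        if len(value) != self.size:
            raise ValueError(f"extend value must be {self.size} bytes for the {self.alg} bank")
        self.pcrs[index] = hashlib.new(self.alg, self.pcrs[index] + value).digest()
        return self.pcrs[index]


def measure(data: bytes, alg: str = "sha256") -> bytes:
    """Digest of a component (boot loader, kernel, config file ...) to be extended."""
    return hashlib.new(alg, data).digest()


def replay(events: List[bytes], digest_size: int = 32) -> bytes:
    """Verifier-side recomputation of a PCR from an ordered list of extend values."""
    bank = PCRBank(digest_size, count=1)
    for value in events:
        bank.extend(0, value)
    return bank.read(0)


if __name__ == "__main__":
    bank = PCRBank()
    # constructed sample measurements standing in for real component hashes
    boot = measure(b"bootloader v1")
    kern = measure(b"kernel 6.x")
    bank.extend(7, boot)
    bank.extend(7, kern)
    print("PCR7:", bank.read(7).hex())
    print("replay matches:", replay([boot, kern]) == bank.read(7))            # True
    print("reordered log matches:", replay([kern, boot]) == bank.read(7))     # False
```

replay() is the check a verifier performs against an event log: if recomputing the extends in logged order does not reproduce the PCR read from the device, either the log or the platform state is not what it claims to be.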
moctpm2_getquote
This tool generates a TPM quote (a hash of all the PCRs, and a signature of the hash) using a nonce provided in an input file.
Syntax
moctpm2_getquote [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the password of the key to load. |
| | Specify the hash algorithm (sha1, sha256, or sha512) used to hash the PCR values. Mandatory for the key type General. |
| | Specify the PCR index to use. Multiple PCR indices can be specified by repeating this option. |
| | (Mandatory) Specify the input file that contains the private key. |
| | (Mandatory) Specify the input file that contains the nonce (maximum of 32 bytes). |
| | (Mandatory) Specify the output file to write the TPM quote to. |
| | Specify the output file that contains the signature of the TPM quote. |
| | Output the signature in raw form. |
| | Specify the output file to write the TPM quote to in readable text form. |
moctpm2_verifyquote
This tool verifies the signature of TPM quote.
Syntax
moctpm2_verifyquote [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | (Optional) Specify the password of the key to load. |
| | Specify the hash algorithm (sha1, sha256, or sha512) for the hash of the TPM quote. |
| | Specify the signing scheme (pkcs1, pkcs1_sha384, pkcs1_sha512, ecdsa1, ecdsa256, ecdsa384, ecdsa512, pss256, pss384, or pss512) used to generate the signature of the quote. |
| | (Mandatory) Specify the input file that contains the private key. |
| | (Mandatory) Specify the input file that contains the data to verify. |
| | (Mandatory) Specify the input file that contains the signature. |
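moctpm2_getquote and moctpm2_verifyquote together implement remote attestation: the quoter hashes the selected PCR values together with a caller-supplied nonce and signs the result, and the verifier checks the signature, the nonce and the PCR digest against known-good values. The code below walks through both sides and is an added example, not part of the moctpm tool suite; Quote, make_quote(), sign_quote() and verify_quote() are assumptions chosen for illustration. It simplifies in two places, both stated in the code: the quote carries only the nonce, the PCR selection and the PCR digest (a real TPMS_ATTEST also carries clock and firmware fields), and an HMAC with a shared secret stands in for the attestation key's RSA or ECDSA signature so that the example runs with the Python standard library alone.

```python
"""Construction and verification of a TPM quote in the style of
moctpm2_getquote / moctpm2_verifyquote. Added example, not part of the moctpm
tool suite; Quote, make_quote(), sign_quote() and verify_quote() are
assumptions chosen for illustration. Simplifications: only nonce, PCR
selection and PCR digest are attested, and an HMAC over a shared secret
stands in for the attestation key's asymmetric signature."""

import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Sequence, Tuple

MAX_NONCE = 32  # the tool accepts a nonce of at most 32 bytes


@dataclass(frozen=True)
class Quote:
    nonce: bytes                  # caller-supplied freshness value (extraData)
    pcr_indices: Tuple[int, ...]  # ascending PCR selection
    pcr_digest: bytes             # H(concatenation of the selected PCR values)
    alg: str


def pcr_digest(values: Sequence[bytes], alg: str) -> bytes:
    return hashlib.new(alg, b"".join(values)).digest()


def make_quote(bank: Dict[int, bytes], indices: Iterable[int], nonce: bytes, alg: str = "sha256") -> Quote:
    """Quoter side: what the TPM computes before signing."""
    if len(nonce) > MAX_NONCE:
        raise ValueError("nonce must be at most 32 bytes")
    sel = tuple(sorted(set(indices)))
    return Quote(nonce, sel, pcr_digest([bank[i] for i in sel], alg), alg)


def serialize(q: Quote) -> bytes:
    """Fixed encoding of the attested fields so the signature covers all of them."""
    return (bytes([len(q.nonce)]) + q.nonce
            + bytes([len(q.pcr_indices)]) + bytes(q.pcr_indices)
            + q.alg.encode() + b"\x00" + q.pcr_digest)


def sign_quote(q: Quote, ak_secret: bytes) -> bytes:
    # stand-in for the attestation key signature (RSA/ECDSA on a real TPM)
    return hmac.new(ak_secret, serialize(q), "sha256").digest()


def verify_quote(q: Quote, signature: bytes, ak_secret: bytes,
                 expected_nonce: bytes, golden: Dict[int, bytes]) -> Tuple[bool, str]:
    """Verifier side. Returns (ok, reason); golden maps PCR index -> expected value."""
    if not hmac.compare_digest(sign_quote(q, ak_secret), signature):
        return False, "signature does not verify"
    if not hmac.compare_digest(q.nonce, expected_nonce):
        return False, "nonce mismatch: stale or replayed quote"
    if q.pcr_indices != tuple(sorted(golden)):
        return False, "quote does not cover exactly the required PCRs"
    expected = pcr_digest([golden[i] for i in q.pcr_indices], q.alg)
    if not hmac.compare_digest(q.pcr_digest, expected):
        return False, "PCR digest mismatch: platform state differs from the golden values"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample PCR values, AK secret and nonce
    bank = {0: pcr_digest([b"firmware"], "sha256"), 7: pcr_digest([b"secure boot policy"], "sha256")}
    ak_secret = b"constructed-ak-secret"
    nonce = b"constructed-nonce-0123456789abcd"
    q = make_quote(bank, [7, 0], nonce)
    sig = sign_quote(q, ak_secret)
    print(verify_quote(q, sig, ak_secret, nonce, dict(bank)))        # (True, 'ok')
    tampered = dict(bank, **{7: bytes(32)})
    print(verify_quote(q, sig, ak_secret, nonce, tampered))          # PCR digest mismatch
```

The order of checks mirrors what matters in practice: a quote whose signature fails says nothing, a valid signature over an old nonce is a replay, and only a fresh, correctly signed quote is worth comparing against golden PCR values.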
moctpm2_createpolicystorage
This tool configures the NVRAM format at the specified index in the TPM.
Syntax
moctpm2_createpolicystorage [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the NVRAM access authorization password. If none is specified, the well-known password is used. |
| | (Mandatory) Specify the index of the NVRAM to be configured. Hex values must be prefixed with a |
| | (Mandatory) Specify the size of the data in bytes at the NVRAM index. |
| | (Mandatory) Specify the type of the NVRAM index (ordinary, counter, bits, or extend) to configure. |
moctpm2_getpolicystorage
This tool reads the contents at the specified index of the NVRAM in the TPM.
Syntax
moctpm2_getpolicystorage [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the NVRAM read password. If not specified, the well-known password is used. |
| | (Mandatory) Specify the index of the NVRAM to read. Hex values must be prefixed with a |
| | (Mandatory) Specify the output file that contains the contents at the NVRAM index. |
moctpm2_getpolicystoragelist
This tool lists the indices of NVRAM and persistent objects.
Syntax
moctpm2_getpolicystoragelist [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
moctpm2_delpolicystorage
This tool deletes the NVRAM format at the specified index in the TPM.
Syntax
moctpm2_delpolicystorage [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the NVRAM access authorization password. If none is specified, the well-known password is used. |
| | (Mandatory) Specify the index of the NVRAM to be configured. Hex values must be prefixed with a |
| | (Mandatory) Specify the size of the data in bytes of the NVRAM index. |
| | (Mandatory) Specify the type of the NVRAM index (ordinary, counter, bits, or extend) to configure. |
moctpm2_setpolicystorage
This tool writes data to the specified index of the NVRAM in the TPM.
Syntax
moctpm2_setpolicystorage [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the NVRAM write password. If not specified, the well-known password is used. |
| | (Mandatory) Specify the index of the NVRAM to write. Hex values must be prefixed with a |
| | (Mandatory) Specify the input file containing the data to write. |
moctpm2_readpublickeyblob
This tool reads the public portion of the entity (SRK or EK) and writes to a file.
Syntax
moctpm2_readpublickeyblob [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the entity ID for the public key BLOB (e.g., |
| | (Mandatory) Specify the output file to store the public key BLOB. |
moctpm2_duplicatekey
This tool generates a duplicate key for export into another TPM.
Syntax
moctpm2_duplicatekey [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the password of the key to be duplicated. |
| | (Mandatory) Specify the input file that contains the private key to be duplicated. |
| | (Mandatory) Specify the input file that contains the public key BLOB of the new parent. |
| | (Mandatory) Specify the output file that contains the importable duplicated key BLOB. |
moctpm2_importduplicatekey
This tool imports and creates an asymmetric key under the new parent on the destination device for the duplicate BLOB from the source device.
Syntax
moctpm2_importduplicatekey [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | (Mandatory) Specify the algorithm (RSA or ECC) of the imported key. |
| | (Mandatory) Specify the type of the imported key (sign, storage, general, or attest). |
| | (Mandatory) Specify the key size (2048 or 4096) in bits of the imported key. |
| | Specify the password of the imported key to be loaded. |
| | Specify the key mode (CFB, CTR, OFB, or CBC) for key creation. |
| | Specify the signing scheme (pkcs1, pkcs1_sha384, pkcs1_sha512, ecdsa1, ecdsa256, ecdsa384, ecdsa512, pss256, pss384, or pss512) used to create the signing key. |
| | Specify the encryption scheme (pkcs1, oaepsha1, oaepsha256, oaepsha384, or oaepsha512) used to create the storage key. |
| | Specify the curve identifier (n192, n224, n256, n384, or n521) for an ECC key. |
| | (Mandatory) Specify the input file that contains the duplicate key BLOB. |
| | (Mandatory) Specify the output file that contains the public key. |
| | (Mandatory) Specify the output file that contains the private key. |
moctpm2_resetdalock
This tool clears a TPM 2.0 Dictionary Attack lockout.
Syntax
moctpm2_resetdalock [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | (Mandatory) Specify the Security Module; use localhost for the TPM emulator or the module path for the hardware TPM (e.g., |
| | Specify the port number for the TPM emulator (applicable only for |
| | (Mandatory) Specify the credentials file, which is comprised of the encoded passwords required to use the TPM. |
| | Authenticate using the well-known password. |
| | Disable use of the credentials file. Specify the lockout credential with the command line argument ( |
| | Specify the old Lockout Hierarchy password. |
moctpm2_getcapability
This tool returns the TPM 2.0 secure element capabilities information.
Syntax
moctpm2_getcapability [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the category of data to return: |
| | Specify the first property of the selected capability to return (defaults to the first available property). Hex values must be prefixed with |
| | Specify the number of properties to return. The default setting returns all properties. |
smp_tpm2_getidstr_bin
This tool generates a TPM 2.0 secure element module ID string for use in a module configuration file.
Syntax
smp_tpm2_getidstr_bin [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the full configuration filename path. The default path is |
| | Display any mismatches between the configured ID string and the device ID string. |
| | Update the input configuration file with the device ID string if there are any mismatches between the configured ID string and the device ID string. |
moctpm2_persistkeyobject
This tool persists a previously created key to TPM memory at the specified key ID (index). Future key operations and APIs may use the key ID instead of the key file.
Syntax
moctpm2_persistkeyobject [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the private key file to be persisted to TPM memory. |
| | Specify the persistent key ID (index) where the key should be stored. The hex value must be in the 0x81000000 - 0x81FFFFFF range. |
moctpm2_evictkeyobject
This tool removes a previously persisted key from TPM memory.
Syntax
moctpm2_evictkeyobject [options]
Options
| Option | Description |
|---|---|
| | Display help for the specified option(s). |
| | Specify the path to the TPM 2.0 module configuration file. |
| | Specify the persistent key ID (index) from which the key should be removed. The hex value must be in the 0x81000000 - 0x81FFFFFF range. |