createkey.1

IBM开发的TPM的驱动, 有少量的例子可以供参考

.\" Copyright 2004 IBM (Jeff Kravitz)
.\"
.\" Written Feb 24 2004, Jeff Kravitz
.\"
.TH createkey 1  2004-04-07 "IBM" "TPM Utilities"
.SH NAME
createkey \- create a new TPM key
.SH SYNOPSIS

createkey [options] <keyname> <parent key handle> 
   
.SH DESCRIPTION
The \fBcreatekey\fP command will create and export
a new asymmetric key pair.
.SH ARGUMENTS
.TP 5
keyname
Is the name that will be given to the files containing the new key.
It should follow the usual POSIX file naming conventions.  The file
extensions \fB.key\fP and \fB.pem\fP will be appended to the name specified.
.TP 5
parent key handle
is an 8-hex-digit number that specifies the TPM handle assigned to the
key that is the parent key for the key being created.  It is either
40000000 if the parent key is the Storage Root Key, or some other number,
assigned by the TPM, and usually obtained from the \fBloadkey\fP utility
when the parent key was loaded into the TPM.
.SH OPTIONS
The following command line options are supported...
.TP 5                
-t
which specifies the key type.  The \fB-k\fP option must be followed by a
letter which must be one of...
.RS 5
.TP 5
s
for signing,
.TP 5
e 
for encryption or parent key
.TP 5
b 
for binding
.TP 5
l 
for legacy
.P
If the \fB-k\fP option is not used, a signing key will be created.
.RE
.TP 5
-k <keypass>
specifies the new key usage password,
which is any character string, up to 256 bytes long.
It specifies the password needed to use the key being created.
The actual "Authorization Data"
passed to the TPM is the 20 byte SHA1 hash of the user-specified password.
If omitted the new key will be created
with a flag that indicates that no password is required for its use, and with a
dummy password value of binary zeros.
.TP 5
-p <parpass>
specifies the parent key password,
which is any character string, up to 256 bytes long.
It specifies the password needed to use the key that is parent to the
key being created.
The actual "Authorization Data"
passed to the TPM is the 20 byte SHA1 hash of the user-specified password.
If omitted, it is assumed that the parent
key requires no password for its use.
.TP 5
-m <migpass>
to specify that the new key is migratable, and specifying the migration password,
which is any character string, up to 256 bytes long.
It specifies the password needed to migrate the
key being created.
The actual "Authorization Data"
passed to the TPM is the 20 byte SHA1 hash of the user-specified password.
If omitted, the new key will be flagged as non-migrateable.
.SH FILES
The command will also create two disk files. One called <keyname>.pem
is an OpenSSL PEM format public key, and contains the public
key portion of the new key. The other, called <keyname>.key, contains
the complete key object which can be loaded into the TPM using the
\fBloadkey\fP utility.
.SH "SEE ALSO"
loadkey(1)
.SH AUTHOR
Jeff Kravitz , IBM T. J. Watson Research Center