tpm2-tools use guidance

Disclaimer: This is the blogger's original article; reprints must include a link to the source. https://blog.csdn.net/makenothing/article/details/86650025

TPM

1. Set the TPM-associated passwords

tpm2_takeownership -o ownerpass -e endorsepass -l lockpass

ownership: the authority to operate the TPM as its owner. ownerpass is the password the operator uses for owner operations on the TPM device, endorsepass is the endorsement hierarchy password used for endorsement/signing, and lockpass is the TPM lockout password.

2. Change the TPM-associated passwords

tpm2_takeownership -o ownerpassnew -e endorsepassnew -l lockpassnew -O ownerpass -E endorsepass -L lockpass

3. Clear ownership; the TPM's resources and their owner relationship are released

tpm2_takeownership -c [-L lockpass]

4. Define an NV area, for example starting at index 0x1500001, 32 bytes in size, with attribute 0x2000A and owner authorization

tpm2_nvdefine -x 0x1500001 -a 0x40000001 -s 32 -t 0x2000A -P ownerpass
4.1 Write data to NV, for example write the file nv.data to the index at 0x1500001
tpm2_nvwrite -x 0x1500001 -a 0x40000001 -f nv.data -P ownerpass
4.2 Read data from NV, for example read 32 bytes at offset 0 from the index at 0x1500001, with owner authorization
tpm2_nvread -x 0x1500001 -a 0x40000001 -o 0 -s 32 -P ownerpass
4.3 Release NV memory, for example release the NV area at index 0x1500001
tpm2_nvrelease -x 0x1500001 -a 0x40000001 -P ownerpass
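The attribute word 0x2000A and the handle 0x40000001 in the commands above decide which password each later tpm2_nvwrite / tpm2_nvread must present. The following helper is an added example for this guide (not part of tpm2-tools): it decodes a TPMA_NV attribute word into the bit names from the TPM 2.0 Library Specification, Part 2, names the hierarchy handle given to -a, and lists which authorizations the write and read paths accept. Run without arguments it decodes the guide's own values; function names and output wording are this example's, not from the original.

```shell
#!/usr/bin/env bash
# Added helper for this guide (not tpm2-tools code): decode the TPMA_NV word
# passed to tpm2_nvdefine -t and the hierarchy handle passed to -a, using the
# constants of the TPM 2.0 Library Specification, Part 2 (Structures).

# Name of one TPMA_NV bit position. Bits 4-7 (TPM_NT, the index type) are
# handled by the caller; unknown positions are reported as reserved.
nv_bit_name() {
    case "$1" in
        0)  echo TPMA_NV_PPWRITE ;;
        1)  echo TPMA_NV_OWNERWRITE ;;
        2)  echo TPMA_NV_AUTHWRITE ;;
        3)  echo TPMA_NV_POLICYWRITE ;;
        10) echo TPMA_NV_POLICY_DELETE ;;
        11) echo TPMA_NV_WRITELOCKED ;;
        12) echo TPMA_NV_WRITEALL ;;
        13) echo TPMA_NV_WRITEDEFINE ;;
        14) echo TPMA_NV_WRITE_STCLEAR ;;
        15) echo TPMA_NV_GLOBALLOCK ;;
        16) echo TPMA_NV_PPREAD ;;
        17) echo TPMA_NV_OWNERREAD ;;
        18) echo TPMA_NV_AUTHREAD ;;
        19) echo TPMA_NV_POLICYREAD ;;
        25) echo TPMA_NV_NO_DA ;;
        26) echo TPMA_NV_ORDERLY ;;
        27) echo TPMA_NV_CLEAR_STCLEAR ;;
        28) echo TPMA_NV_READLOCKED ;;
        29) echo TPMA_NV_WRITTEN ;;
        30) echo TPMA_NV_PLATFORMCREATE ;;
        31) echo TPMA_NV_READ_STCLEAR ;;
        *)  echo "reserved_bit_$1" ;;
    esac
}

# Print the names of all set attribute bits on one line, space separated,
# followed by TPM_NT=<n> when the index-type field (bits 4-7) is non-zero.
decode_nv_attrs() {
    local attrs nt out bit
    attrs=$(( $1 ))
    nt=$(( (attrs >> 4) & 0xF ))
    out=""
    bit=0
    while [ "$bit" -lt 32 ]; do
        if [ "$bit" -lt 4 ] || [ "$bit" -gt 7 ]; then
            if [ $(( (attrs >> bit) & 1 )) -eq 1 ]; then
                out="$out${out:+ }$(nv_bit_name "$bit")"
            fi
        fi
        bit=$(( bit + 1 ))
    done
    if [ "$nt" -ne 0 ]; then
        out="$out${out:+ }TPM_NT=$nt"
    fi
    echo "$out"
}

# Name the permanent handle given to tpm2_nv* -a (TPM_RH_* constants).
hierarchy_name() {
    case "$(printf '0x%08X' $(( $1 )))" in
        0x40000001) echo TPM_RH_OWNER ;;
        0x4000000A) echo TPM_RH_LOCKOUT ;;
        0x4000000B) echo TPM_RH_ENDORSEMENT ;;
        0x4000000C) echo TPM_RH_PLATFORM ;;
        *)          echo UNKNOWN ;;
    esac
}

# Which authorizations an operation accepts: $1 = decoded names, $2 = WRITE or READ.
required_auth() {
    local names=$1 op=$2 auth=""
    case " $names " in *" TPMA_NV_OWNER$op "*)  auth="$auth owner" ;; esac
    case " $names " in *" TPMA_NV_AUTH$op "*)   auth="$auth index-auth" ;; esac
    case " $names " in *" TPMA_NV_POLICY$op "*) auth="$auth policy" ;; esac
    case " $names " in *" TPMA_NV_PP$op "*)     auth="$auth platform" ;; esac
    echo "${auth# }"
}

# Summarise one tpm2_nvdefine invocation: index, size, hierarchy, attributes.
explain_nvdefine() {
    local index=$1 hierarchy=$2 size=$3 attrs=$4 names
    names=$(decode_nv_attrs "$attrs")
    printf 'NV index %s: %s bytes, defined under %s\n' "$index" "$size" "$(hierarchy_name "$hierarchy")"
    printf 'attributes %s: %s\n' "$attrs" "${names:-none}"
    printf 'write authorized by: %s\n' "$(required_auth "$names" WRITE)"
    printf 'read authorized by:  %s\n' "$(required_auth "$names" READ)"
}

# Defaults are the values used in this guide.
explain_nvdefine "${1:-0x1500001}" "${2:-0x40000001}" "${3:-32}" "${4:-0x2000A}"
```

For 0x2000A the decoder reports TPMA_NV_OWNERWRITE, TPMA_NV_POLICYWRITE and TPMA_NV_OWNERREAD, which is why both the nvwrite and the nvread above present -P ownerpass together with -a 0x40000001 (TPM_RH_OWNER); an index defined with TPMA_NV_AUTHWRITE/AUTHREAD instead would be protected by its own auth value rather than the owner password.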

5. Create the primary object, with objectpass as the primary object's password, an RSA key (-G parameter) and the SHA256 hash algorithm (-g parameter); the object context is stored in po.ctx

tpm2_createprimary -A e -K objectpass -g 0x000b -G 0x0001 -C po.ctx

Appendix: Supported Hash Algorithms

   · 0x4 or sha1 for TPM_ALG_SHA1 (default)

   · 0xB or sha256 for TPM_ALG_SHA256

   · 0xC or sha384 for TPM_ALG_SHA384

   · 0xD or sha512 for TPM_ALG_SHA512

   · 0x12 or sm3_256 for TPM_ALG_SM3_256

Appendix: Supported Public Object Algorithms

   · 0x1 or rsa for TPM_ALG_RSA (default).

   · 0x8 or keyedhash for TPM_ALG_KEYEDHASH.

   · 0x23 or ecc for TPM_ALG_ECC.

   · 0x25 or symcipher for TPM_ALG_SYMCIPHER.

6. Under the primary object created in step 5, create an RSA public/private key pair with subobjectpass as the RSA private key password and SHA256 hashing; the public key is stored in key.pub and the private key in key.priv

tpm2_create -c po.ctx -P objectpass -K subobjectpass -g 0x000b -G 0x0001 -o key.pub -O key.priv

7. Load the RSA key pair generated above; once the RSA public key and private key are loaded, the encryption services can be used

tpm2_load -c po.ctx -P objectpass -u key.pub -r key.priv -n key.name -C obj.ctx

8.1 RSA encryption

tpm2_rsaencrypt -c obj.ctx -I data.in -o data.encrypted

8.2 RSA decryption

tpm2_rsadecrypt -c obj.ctx -P subobjectpass -I data.encrypted -o data.out

9.1 RSA signing

tpm2_sign -c obj.ctx -P subobjectpass -g 0x000b -m msg.in -s sig.out

9.2 Verify a signature

tpm2_verifysignature -c obj.ctx -g 0x000b -m msg.in -s sig.out -t tk.sig
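Steps 5 to 9 form one sequence: the primary object must exist before the key is created, the key must be loaded before it can sign, and the verifier must be given the same hash algorithm the signer used. The script below is an added example for this guide, not tpm2-tools project code; it strings the steps together in the tpm2-tools 3.x flag syntax used above and stops at the first failing command. Assumptions not in the original: the passwords come from the environment variables OBJECT_PASS and SUBOBJECT_PASS, files are written to the current directory, and setting TPM2_DRY_RUN=1 prints each command line instead of executing it so the sequence can be reviewed on a machine without a TPM.

```shell
#!/usr/bin/env bash
# Added example for this guide (not tpm2-tools code): steps 5-9 as one
# checked sequence. Assumptions: OBJECT_PASS / SUBOBJECT_PASS in the
# environment, output files in the current directory, TPM2_DRY_RUN=1 to print
# commands instead of running them.
set -eu

# Run a tpm2-tools command, or print it when dry-running. Arguments are passed
# as separate words (no eval), so passwords are never re-parsed by the shell.
tpm_run() {
    if [ "${TPM2_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 5: primary object in the endorsement hierarchy (-A e), RSA (-G 0x0001),
# SHA256 (-g 0x000b); its context is saved to po.ctx.
create_primary() {
    tpm_run tpm2_createprimary -A e -K "${OBJECT_PASS:?OBJECT_PASS not set}" \
        -g 0x000b -G 0x0001 -C po.ctx
}

# Step 6: RSA key pair under that primary. key.priv is wrapped by the parent
# and can only be loaded back into the TPM that created it.
create_key() {
    tpm_run tpm2_create -c po.ctx -P "${OBJECT_PASS:?OBJECT_PASS not set}" \
        -K "${SUBOBJECT_PASS:?SUBOBJECT_PASS not set}" \
        -g 0x000b -G 0x0001 -o key.pub -O key.priv
}

# Step 7: load the pair; obj.ctx is the handle used by every later step.
load_key() {
    tpm_run tpm2_load -c po.ctx -P "${OBJECT_PASS:?OBJECT_PASS not set}" \
        -u key.pub -r key.priv -n key.name -C obj.ctx
}

# Steps 8.1 / 8.2: encryption needs only the public part; decryption needs
# the private key password.
rsa_encrypt() { tpm_run tpm2_rsaencrypt -c obj.ctx -I "$1" -o "$2"; }
rsa_decrypt() { tpm_run tpm2_rsadecrypt -c obj.ctx -P "${SUBOBJECT_PASS:?SUBOBJECT_PASS not set}" -I "$1" -o "$2"; }

# Steps 9.1 / 9.2: the TPM hashes the message with SHA256 (-g 0x000b), so the
# verifier must be given the same -g; tk.sig receives the validation ticket.
sign_msg()   { tpm_run tpm2_sign -c obj.ctx -P "${SUBOBJECT_PASS:?SUBOBJECT_PASS not set}" -g 0x000b -m "$1" -s "$2"; }
verify_sig() { tpm_run tpm2_verifysignature -c obj.ctx -g 0x000b -m "$1" -s "$2" -t tk.sig; }

# Full sequence: build the key hierarchy, then sign and verify one message.
# $1 = message file, $2 = signature output file.
sign_and_verify() {
    create_primary
    create_key
    load_key
    sign_msg "$1" "$2"
    verify_sig "$1" "$2"
}

# Usage: OBJECT_PASS=... SUBOBJECT_PASS=... ./tpm2-sign.sh msg.in sig.out
if [ "$#" -ge 2 ]; then
    sign_and_verify "$1" "$2"
fi
```

Because every step goes through tpm_run, a dry run lists exactly the five command lines of steps 5, 6, 7, 9.1 and 9.2 in order; note that the dry-run output includes the password values, so review it privately. With set -eu, a wrong password on tpm2_load stops the script before any signing is attempted rather than leaving a half-built hierarchy behind.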
