Hello community,

here is the log from the commit of package tpm2.0-tools for openSUSE:Factory 
checked in at 2018-08-22 14:22:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tpm2.0-tools (Old)
 and      /work/SRC/openSUSE:Factory/.tpm2.0-tools.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tpm2.0-tools"

Wed Aug 22 14:22:37 2018 rev:15 rq:630849 version:3.1.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/tpm2.0-tools/tpm2.0-tools.changes        
2018-07-06 10:41:22.275299313 +0200
+++ /work/SRC/openSUSE:Factory/.tpm2.0-tools.new/tpm2.0-tools.changes   
2018-08-22 14:22:39.842680036 +0200
@@ -1,0 +2,6 @@
+Wed Aug 22 09:05:14 UTC 2018 - matthias.gerst...@suse.com
+
+- update to minor version 3.1.1:
+  - Allow man page installation without pandoc being available
+
+-------------------------------------------------------------------

Old:
----
  tpm2-tools-3.1.0.tar.gz

New:
----
  tpm2-tools-3.1.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tpm2.0-tools.spec ++++++
--- /var/tmp/diff_new_pack.6NOmxk/_old  2018-08-22 14:22:40.202680889 +0200
+++ /var/tmp/diff_new_pack.6NOmxk/_new  2018-08-22 14:22:40.206680899 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           tpm2.0-tools
-Version:        3.1.0
+Version:        3.1.1
 Release:        0
 Summary:        Trusted Platform Module (TPM) 2.0 administration tools
 License:        BSD-3-Clause
@@ -72,12 +72,6 @@
 %install
 make DESTDIR=%{buildroot} install %{?_smp_mflags}
 find %{buildroot} -type f -name "*.la" -delete -print
-%if ! 0%{?is_opensuse}
-# install man pages explicitly, until upstream fixes their installation
-# setup in autotools, see commit 72a28f36151db9bfa59a460ae0114dcece218862
-mkdir -p %{buildroot}/%{_mandir}/man1/
-cp %{_builddir}/tpm2-tools-%{version}/man/man1/* %{buildroot}/%{_mandir}/man1/
-%endif
 
 %files
 %defattr(-,root,root)

++++++ tpm2-tools-3.1.0.tar.gz -> tpm2-tools-3.1.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tpm2-tools-3.1.0/CHANGELOG.md 
new/tpm2-tools-3.1.1/CHANGELOG.md
--- old/tpm2-tools-3.1.0/CHANGELOG.md   2018-06-21 22:52:46.000000000 +0200
+++ new/tpm2-tools-3.1.1/CHANGELOG.md   2018-07-09 22:46:20.000000000 +0200
@@ -1,4 +1,7 @@
 ## Changelog
+### 3.1.1 - 2018-07-09
+  * Allow man page installation without pandoc being available
+
 ### 3.1.0 - 2018-06-21
   * Update to use TSS version 2.0
   * When user supplies nv attributes use those exclusively, not in addition to 
the defaults
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tpm2-tools-3.1.0/Makefile.am 
new/tpm2-tools-3.1.1/Makefile.am
--- old/tpm2-tools-3.1.0/Makefile.am    2018-06-21 22:41:51.000000000 +0200
+++ new/tpm2-tools-3.1.1/Makefile.am    2018-07-09 22:45:32.000000000 +0200
@@ -241,8 +241,7 @@
             README.md \
             RELEASE.md \
             test/system
-
-if HAVE_PANDOC
+if HAVE_MAN_PAGES
     man1_MANS := \
     man/man1/tpm2_activatecredential.1 \
     man/man1/tpm2_certify.1 \
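Review bot: Nothing at the new `if HAVE_MAN_PAGES` line says when the conditional holds, and the list it guards is now installed even on hosts without pandoc. A short comment above it would make that contract visible, for example `# True when pre-built pages ship in man/man1 or pandoc can generate them`. The hunk also drops the blank line between the end of the EXTRA_DIST list (`test/system`) and the conditional; keeping it stops the `if` from reading as part of that list. The man1_MANS list continues outside this hunk.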
@@ -283,7 +282,9 @@
     man/man1/tpm2_takeownership.1 \
     man/man1/tpm2_unseal.1 \
     man/man1/tpm2_verifysignature.1
+endif
 
+if HAVE_PANDOC
 # If pandoc is enabled, we want to generate the manpages for the dist tarball
 EXTRA_DIST += $(man1_MANS)
 else
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tpm2-tools-3.1.0/Makefile.in 
new/tpm2-tools-3.1.1/Makefile.in
--- old/tpm2-tools-3.1.0/Makefile.in    2018-06-21 22:55:18.000000000 +0200
+++ new/tpm2-tools-3.1.1/Makefile.in    2018-07-09 22:53:26.000000000 +0200
@@ -1151,46 +1151,46 @@
 EXTRA_DIST = $(top_srcdir)/man AUTHORS.md CHANGELOG.md CONTRIBUTING.md \
        INSTALL.md LICENSE MAINTAINERS.md README.md RELEASE.md \
        test/system $(am__append_1)
-@HAVE_PANDOC_TRUE@man1_MANS := \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_activatecredential.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_certify.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_create.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_createpolicy.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_createprimary.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_dictionarylockout.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_getcap.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_encryptdecrypt.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_evictcontrol.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_getmanufec.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_getpubak.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_getpubek.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_getrandom.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_hash.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_hmac.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_listpersistent.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_load.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_loadexternal.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_makecredential.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_nvdefine.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_nvlist.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_nvread.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_nvreadlock.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_nvrelease.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_nvwrite.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_pcrevent.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_pcrextend.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_pcrlist.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_quote.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_rc_decode.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_readpublic.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_rsadecrypt.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_rsaencrypt.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_send.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_sign.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_startup.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_takeownership.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_unseal.1 \
-@HAVE_PANDOC_TRUE@    man/man1/tpm2_verifysignature.1
+@HAVE_MAN_PAGES_TRUE@man1_MANS := \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_activatecredential.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_certify.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_create.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_createpolicy.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_createprimary.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_dictionarylockout.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_getcap.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_encryptdecrypt.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_evictcontrol.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_getmanufec.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_getpubak.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_getpubek.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_getrandom.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_hash.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_hmac.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_listpersistent.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_load.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_loadexternal.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_makecredential.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_nvdefine.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_nvlist.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_nvread.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_nvreadlock.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_nvrelease.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_nvwrite.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_pcrevent.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_pcrextend.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_pcrlist.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_quote.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_rc_decode.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_readpublic.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_rsadecrypt.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_rsaencrypt.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_send.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_sign.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_startup.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_takeownership.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_unseal.1 \
+@HAVE_MAN_PAGES_TRUE@    man/man1/tpm2_verifysignature.1
 
 MARKDOWN_COMMON_DEPS = \
        man/common/alg.md \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tpm2-tools-3.1.0/configure 
new/tpm2-tools-3.1.1/configure
--- old/tpm2-tools-3.1.0/configure      2018-06-21 22:55:17.000000000 +0200
+++ new/tpm2-tools-3.1.1/configure      2018-07-09 22:53:26.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for tpm2-tools 3.1.0.
+# Generated by GNU Autoconf 2.69 for tpm2-tools 3.1.1.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
 # Identity of this package.
 PACKAGE_NAME='tpm2-tools'
 PACKAGE_TARNAME='tpm2-tools'
-PACKAGE_VERSION='3.1.0'
-PACKAGE_STRING='tpm2-tools 3.1.0'
+PACKAGE_VERSION='3.1.1'
+PACKAGE_STRING='tpm2-tools 3.1.1'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -649,6 +649,8 @@
 PKG_CONFIG_LIBDIR
 PKG_CONFIG_PATH
 PKG_CONFIG
+HAVE_MAN_PAGES_FALSE
+HAVE_MAN_PAGES_TRUE
 HAVE_PANDOC_FALSE
 HAVE_PANDOC_TRUE
 PANDOC
@@ -1356,7 +1358,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures tpm2-tools 3.1.0 to adapt to many kinds of systems.
+\`configure' configures tpm2-tools 3.1.1 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1426,7 +1428,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of tpm2-tools 3.1.0:";;
+     short | recursive ) echo "Configuration of tpm2-tools 3.1.1:";;
    esac
   cat <<\_ACEOF
 
@@ -1556,7 +1558,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-tpm2-tools configure 3.1.0
+tpm2-tools configure 3.1.1
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1834,7 +1836,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by tpm2-tools $as_me 3.1.0, which was
+It was created by tpm2-tools $as_me 3.1.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -11681,7 +11683,7 @@
 
 # Define the identity of the package.
  PACKAGE='tpm2-tools'
- VERSION='3.1.0'
+ VERSION='3.1.1'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -12365,6 +12367,14 @@
   HAVE_PANDOC_FALSE=
 fi
 
+ if test -d "${srcdir}/man/man1" -o "x${PANDOC}" = "xyes"; then
+  HAVE_MAN_PAGES_TRUE=
+  HAVE_MAN_PAGES_FALSE='#'
+else
+  HAVE_MAN_PAGES_TRUE='#'
+  HAVE_MAN_PAGES_FALSE=
+fi
+
 
 
 
@@ -14012,6 +14022,10 @@
   as_fn_error $? "conditional \"HAVE_PANDOC\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${HAVE_MAN_PAGES_TRUE}" && test -z "${HAVE_MAN_PAGES_FALSE}"; then
+  as_fn_error $? "conditional \"HAVE_MAN_PAGES\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${UNIT_TRUE}" && test -z "${UNIT_FALSE}"; then
   as_fn_error $? "conditional \"UNIT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -14413,7 +14427,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by tpm2-tools $as_me 3.1.0, which was
+This file was extended by tpm2-tools $as_me 3.1.1, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -14470,7 +14484,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-tpm2-tools config.status 3.1.0
+tpm2-tools config.status 3.1.1
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tpm2-tools-3.1.0/configure.ac 
new/tpm2-tools-3.1.1/configure.ac
--- old/tpm2-tools-3.1.0/configure.ac   2018-06-21 22:41:51.000000000 +0200
+++ new/tpm2-tools-3.1.1/configure.ac   2018-07-09 22:45:32.000000000 +0200
@@ -15,6 +15,9 @@
     [],
     [AC_MSG_WARN([Required executable pandoc not found, man pages will not be 
built])])
 AM_CONDITIONAL([HAVE_PANDOC],[test "x${PANDOC}" = "xyes"])
+AM_CONDITIONAL(
+    [HAVE_MAN_PAGES],
+    [test -d "${srcdir}/man/man1" -o "x${PANDOC}" = "xyes"])
 PKG_CHECK_MODULES([SAPI],[tss2-sys >= 2.0 tss2-sys < 3.0])
 PKG_CHECK_MODULES([SAPI],[tss2-mu >= 2.0 tss2-sys < 3.0])
 PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g])
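Review bot: The condition added for HAVE_MAN_PAGES joins two tests with `test … -o …`, which POSIX marks obsolescent and the Autoconf portability notes advise against because some shells parse the operands ambiguously. `[test -d "${srcdir}/man/man1" || test "x${PANDOC}" = "xyes"]` is equivalent and portable. The generated configure hunk carries the same expression and would follow from a regenerate. Separately, `test -d` shows only that the directory exists, not that the pages listed in man1_MANS are in it. A tree with an empty or partial man/man1 and no pandoc would pass configure and presumably fail later at install time, so a `test -f` on one known page would be a tighter check.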
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_changeauth.1 
new/tpm2-tools-3.1.1/man/man1/tpm2_changeauth.1
--- old/tpm2-tools-3.1.0/man/man1/tpm2_changeauth.1     2018-06-20 
16:40:41.000000000 +0200
+++ new/tpm2-tools-3.1.1/man/man1/tpm2_changeauth.1     2018-07-09 
12:48:22.000000000 +0200
@@ -71,9 +71,20 @@
 This collection of options are common to many programs and provide
 information that many users may expect.
 .IP \[bu] 2
-\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage.
-This requires the manpages to be installed or on \f[I]MANPATH\f[], See
-man(1) for more details.
+\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools
+manpage.
+By default, it attempts to invoke the manpager for the tool, however, on
+failure will output a short tool summary.
+This is the same behavior if the \[lq]man\[rq] option argument is
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
+provide errors from man on stderr.
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
+short options will be output to stdout.
+.RS 2
+.PP
+To successfully use the manpages feature requires the manpages to be
+installed or on \f[I]MANPATH\f[], See man(1) for more details.
+.RE
 .IP \[bu] 2
 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for
 this tool, supported tctis and exit.
@@ -222,20 +233,108 @@
 By default passwords are assumed to be in the string form.
 Password form is specified with special prefix values, they are:
 .IP \[bu] 2
-str: \- Used to indicate it is a raw string.
+\f[B]str\f[]: Used to indicate it is a raw string.
 Useful for escaping a password that starts with the \[lq]hex:\[rq]
 prefix.
 .IP \[bu] 2
-hex: \- Used when specifying a password in hex string format.
+\f[B]hmac\f[]: Use to indicate, the subsequent string specified be used
+in calculating the command buffer HMAC to prevent presenting clear text
+passwords on the TPM interfaces.
+See CVE\-2017\-7524 for details.
+.IP \[bu] 2
+\f[B]hex\f[]: Used when specifying a password in hex string format.
+.IP \[bu] 2
+\f[B]session\f[]: A file containing session metadata about a previously
+started session.
+.IP \[bu] 2
+\f[B]pcr\f[]: A PCR specification for authenticating against a PCR
+policy.
 .SS HMAC
 .PP
-HMAC tickets can be presented as hex escaped passwords.
+Generate an HMAC ticket for authorization.
+Useful for preventing a clear text password being sent to the tpm.
+.SS Example
+.IP
+.nf
+\f[C]
+tpm2_nvwrite\ \-x\ 0x1500018\ \-a\ 0x1500018\ \-P\ "hmac:hmacpass"\ test.nv
+\f[]
+.fi
+.SS PCR Policy
+.PP
+To authenticate with a PCR policy, prefix the option argument with the
+\f[I]pcr\f[] keyword, followed by colon, and a \f[I]pcr spec\f[].
+A pcr spec consists of a \f[C]<bank\ specifier>=<pcr\ file>\f[], where
+\f[C]<bank\-spec>\f[] is mandatory and \f[C]=<pcr\-file>\f[] is
+optional.
+.SS PCR Bank Specifiers \f[C]<bank\-spec>\f[]
+.PP
+PCR Bank Specifier follow the below specification:
+.IP
+.nf
+\f[C]
+<BANK>:<PCR>[,<PCR>]
+\f[]
+.fi
+.PP
+multiple banks may be separated by `+'.
+.PP
+For example:
+.IP
+.nf
+\f[C]
+sha:3,4+sha256:5,6
+\f[]
+.fi
+.PP
+will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
+SHA256 bank.
+.PP
+\f[B]Note\f[]: PCR Selections allow for up to 5 hash to pcr selection
+mappings.
+This is a limitaion in design in the single call to the tpm to get the
+pcr values.
+.SS PCR File \f[C]<pcr\-file>\f[]
+.PP
+This is a computed file that matches the specifier that contains the PCR
+values.
+This prevents a PCR read.
+This file can be generated via \f[B]tpm2_pcrlist\f[] as in the below
+example:
+.IP
+.nf
+\f[C]
+tpm2_pcrlist\ \-Q\ \-L\ sha1:0,1,2,3\ \-o\ pcr.dat
+\f[]
+.fi
+.SS Example
+.IP
+.nf
+\f[C]
+echo\ \-n\ "policy\ locked"\ |\ tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x1500016\ 
\-P"pcr:sha1:0,1,2,3=pcr.dat"
+\f[]
+.fi
 .SS Sessions
 .PP
 When using a policy session to authorize the use of an object, one
-prefixes the option argument with the \f[I]session\f[] keyword.
+prefixes the option argument with the \f[I]session\f[] keyword followed
+by a colon.
 You then indicate a path to a session file that was created with
 tpm2_startauthsession(1).
+.SS Example
+.IP
+.nf
+\f[C]
+#\ Start\ a\ session
+tpm2_startauthsession\ \-a\ \-S\ s.dat
+
+#\ Do\ some\ policy\ event,\ in\ this\ case\ we\ will\ satisfy\ a\ PCR\ policy
+tpm2_policypcr\ \-S\ s.dat\ \-L\ sha1:0,1,2,3\ \-F\ pcr.dat\ \-f\ policy.dat
+
+#\ Use\ that\ session\ for\ authorization
+tpm2_unseal\ \-P"session:s.dat"\ \-c\ key.ctx
+\f[]
+.fi
 .SH EXAMPLES
 .PP
 Set owner, endorsement and lockout authorizations to a new value:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_clear.1 
new/tpm2-tools-3.1.1/man/man1/tpm2_clear.1
--- old/tpm2-tools-3.1.0/man/man1/tpm2_clear.1  2018-06-20 16:40:41.000000000 
+0200
+++ new/tpm2-tools-3.1.1/man/man1/tpm2_clear.1  2018-07-09 12:48:22.000000000 
+0200
@@ -31,9 +31,20 @@
 This collection of options are common to many programs and provide
 information that many users may expect.
 .IP \[bu] 2
-\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage.
-This requires the manpages to be installed or on \f[I]MANPATH\f[], See
-man(1) for more details.
+\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools
+manpage.
+By default, it attempts to invoke the manpager for the tool, however, on
+failure will output a short tool summary.
+This is the same behavior if the \[lq]man\[rq] option argument is
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
+provide errors from man on stderr.
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
+short options will be output to stdout.
+.RS 2
+.PP
+To successfully use the manpages feature requires the manpages to be
+installed or on \f[I]MANPATH\f[], See man(1) for more details.
+.RE
 .IP \[bu] 2
 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for
 this tool, supported tctis and exit.
@@ -182,20 +193,108 @@
 By default passwords are assumed to be in the string form.
 Password form is specified with special prefix values, they are:
 .IP \[bu] 2
-str: \- Used to indicate it is a raw string.
+\f[B]str\f[]: Used to indicate it is a raw string.
 Useful for escaping a password that starts with the \[lq]hex:\[rq]
 prefix.
 .IP \[bu] 2
-hex: \- Used when specifying a password in hex string format.
+\f[B]hmac\f[]: Use to indicate, the subsequent string specified be used
+in calculating the command buffer HMAC to prevent presenting clear text
+passwords on the TPM interfaces.
+See CVE\-2017\-7524 for details.
+.IP \[bu] 2
+\f[B]hex\f[]: Used when specifying a password in hex string format.
+.IP \[bu] 2
+\f[B]session\f[]: A file containing session metadata about a previously
+started session.
+.IP \[bu] 2
+\f[B]pcr\f[]: A PCR specification for authenticating against a PCR
+policy.
 .SS HMAC
 .PP
-HMAC tickets can be presented as hex escaped passwords.
+Generate an HMAC ticket for authorization.
+Useful for preventing a clear text password being sent to the tpm.
+.SS Example
+.IP
+.nf
+\f[C]
+tpm2_nvwrite\ \-x\ 0x1500018\ \-a\ 0x1500018\ \-P\ "hmac:hmacpass"\ test.nv
+\f[]
+.fi
+.SS PCR Policy
+.PP
+To authenticate with a PCR policy, prefix the option argument with the
+\f[I]pcr\f[] keyword, followed by colon, and a \f[I]pcr spec\f[].
+A pcr spec consists of a \f[C]<bank\ specifier>=<pcr\ file>\f[], where
+\f[C]<bank\-spec>\f[] is mandatory and \f[C]=<pcr\-file>\f[] is
+optional.
+.SS PCR Bank Specifiers \f[C]<bank\-spec>\f[]
+.PP
+PCR Bank Specifier follow the below specification:
+.IP
+.nf
+\f[C]
+<BANK>:<PCR>[,<PCR>]
+\f[]
+.fi
+.PP
+multiple banks may be separated by `+'.
+.PP
+For example:
+.IP
+.nf
+\f[C]
+sha:3,4+sha256:5,6
+\f[]
+.fi
+.PP
+will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
+SHA256 bank.
+.PP
+\f[B]Note\f[]: PCR Selections allow for up to 5 hash to pcr selection
+mappings.
+This is a limitaion in design in the single call to the tpm to get the
+pcr values.
+.SS PCR File \f[C]<pcr\-file>\f[]
+.PP
+This is a computed file that matches the specifier that contains the PCR
+values.
+This prevents a PCR read.
+This file can be generated via \f[B]tpm2_pcrlist\f[] as in the below
+example:
+.IP
+.nf
+\f[C]
+tpm2_pcrlist\ \-Q\ \-L\ sha1:0,1,2,3\ \-o\ pcr.dat
+\f[]
+.fi
+.SS Example
+.IP
+.nf
+\f[C]
+echo\ \-n\ "policy\ locked"\ |\ tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x1500016\ 
\-P"pcr:sha1:0,1,2,3=pcr.dat"
+\f[]
+.fi
 .SS Sessions
 .PP
 When using a policy session to authorize the use of an object, one
-prefixes the option argument with the \f[I]session\f[] keyword.
+prefixes the option argument with the \f[I]session\f[] keyword followed
+by a colon.
 You then indicate a path to a session file that was created with
 tpm2_startauthsession(1).
+.SS Example
+.IP
+.nf
+\f[C]
+#\ Start\ a\ session
+tpm2_startauthsession\ \-a\ \-S\ s.dat
+
+#\ Do\ some\ policy\ event,\ in\ this\ case\ we\ will\ satisfy\ a\ PCR\ policy
+tpm2_policypcr\ \-S\ s.dat\ \-L\ sha1:0,1,2,3\ \-F\ pcr.dat\ \-f\ policy.dat
+
+#\ Use\ that\ session\ for\ authorization
+tpm2_unseal\ \-P"session:s.dat"\ \-c\ key.ctx
+\f[]
+.fi
 .SH EXAMPLES
 .PP
 Set owner, endorsement and lockout authorizations to an empty auth
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_clearlock.1 
new/tpm2-tools-3.1.1/man/man1/tpm2_clearlock.1
--- old/tpm2-tools-3.1.0/man/man1/tpm2_clearlock.1      2018-06-20 
16:40:41.000000000 +0200
+++ new/tpm2-tools-3.1.1/man/man1/tpm2_clearlock.1      2018-07-09 
12:48:22.000000000 +0200
@@ -36,9 +36,20 @@
 This collection of options are common to many programs and provide
 information that many users may expect.
 .IP \[bu] 2
-\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage.
-This requires the manpages to be installed or on \f[I]MANPATH\f[], See
-man(1) for more details.
+\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools
+manpage.
+By default, it attempts to invoke the manpager for the tool, however, on
+failure will output a short tool summary.
+This is the same behavior if the \[lq]man\[rq] option argument is
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
+provide errors from man on stderr.
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
+short options will be output to stdout.
+.RS 2
+.PP
+To successfully use the manpages feature requires the manpages to be
+installed or on \f[I]MANPATH\f[], See man(1) for more details.
+.RE
 .IP \[bu] 2
 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for
 this tool, supported tctis and exit.
@@ -187,20 +198,108 @@
 By default passwords are assumed to be in the string form.
 Password form is specified with special prefix values, they are:
 .IP \[bu] 2
-str: \- Used to indicate it is a raw string.
+\f[B]str\f[]: Used to indicate it is a raw string.
 Useful for escaping a password that starts with the \[lq]hex:\[rq]
 prefix.
 .IP \[bu] 2
-hex: \- Used when specifying a password in hex string format.
+\f[B]hmac\f[]: Use to indicate, the subsequent string specified be used
+in calculating the command buffer HMAC to prevent presenting clear text
+passwords on the TPM interfaces.
+See CVE\-2017\-7524 for details.
+.IP \[bu] 2
+\f[B]hex\f[]: Used when specifying a password in hex string format.
+.IP \[bu] 2
+\f[B]session\f[]: A file containing session metadata about a previously
+started session.
+.IP \[bu] 2
+\f[B]pcr\f[]: A PCR specification for authenticating against a PCR
+policy.
 .SS HMAC
 .PP
-HMAC tickets can be presented as hex escaped passwords.
+Generate an HMAC ticket for authorization.
+Useful for preventing a clear text password being sent to the tpm.
+.SS Example
+.IP
+.nf
+\f[C]
+tpm2_nvwrite\ \-x\ 0x1500018\ \-a\ 0x1500018\ \-P\ "hmac:hmacpass"\ test.nv
+\f[]
+.fi
+.SS PCR Policy
+.PP
+To authenticate with a PCR policy, prefix the option argument with the
+\f[I]pcr\f[] keyword, followed by colon, and a \f[I]pcr spec\f[].
+A pcr spec consists of a \f[C]<bank\ specifier>=<pcr\ file>\f[], where
+\f[C]<bank\-spec>\f[] is mandatory and \f[C]=<pcr\-file>\f[] is
+optional.
+.SS PCR Bank Specifiers \f[C]<bank\-spec>\f[]
+.PP
+PCR Bank Specifier follow the below specification:
+.IP
+.nf
+\f[C]
+<BANK>:<PCR>[,<PCR>]
+\f[]
+.fi
+.PP
+multiple banks may be separated by `+'.
+.PP
+For example:
+.IP
+.nf
+\f[C]
+sha:3,4+sha256:5,6
+\f[]
+.fi
+.PP
+will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
+SHA256 bank.
+.PP
+\f[B]Note\f[]: PCR Selections allow for up to 5 hash to pcr selection
+mappings.
+This is a limitaion in design in the single call to the tpm to get the
+pcr values.
+.SS PCR File \f[C]<pcr\-file>\f[]
+.PP
+This is a computed file that matches the specifier that contains the PCR
+values.
+This prevents a PCR read.
+This file can be generated via \f[B]tpm2_pcrlist\f[] as in the below
+example:
+.IP
+.nf
+\f[C]
+tpm2_pcrlist\ \-Q\ \-L\ sha1:0,1,2,3\ \-o\ pcr.dat
+\f[]
+.fi
+.SS Example
+.IP
+.nf
+\f[C]
+echo\ \-n\ "policy\ locked"\ |\ tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x1500016\ 
\-P"pcr:sha1:0,1,2,3=pcr.dat"
+\f[]
+.fi
 .SS Sessions
 .PP
 When using a policy session to authorize the use of an object, one
-prefixes the option argument with the \f[I]session\f[] keyword.
+prefixes the option argument with the \f[I]session\f[] keyword followed
+by a colon.
 You then indicate a path to a session file that was created with
 tpm2_startauthsession(1).
+.SS Example
+.IP
+.nf
+\f[C]
+#\ Start\ a\ session
+tpm2_startauthsession\ \-a\ \-S\ s.dat
+
+#\ Do\ some\ policy\ event,\ in\ this\ case\ we\ will\ satisfy\ a\ PCR\ policy
+tpm2_policypcr\ \-S\ s.dat\ \-L\ sha1:0,1,2,3\ \-F\ pcr.dat\ \-f\ policy.dat
+
+#\ Use\ that\ session\ for\ authorization
+tpm2_unseal\ \-P"session:s.dat"\ \-c\ key.ctx
+\f[]
+.fi
 .SH EXAMPLES
 .PP
 Enable the clear command on the platform hierarchy.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_createak.1 
new/tpm2-tools-3.1.1/man/man1/tpm2_createak.1
--- old/tpm2-tools-3.1.0/man/man1/tpm2_createak.1       2018-06-20 
16:40:41.000000000 +0200
+++ new/tpm2-tools-3.1.1/man/man1/tpm2_createak.1       2018-07-09 
12:48:22.000000000 +0200
@@ -32,7 +32,7 @@
 .fi
 .SH OPTIONS
 .IP \[bu] 2
-\f[B]\-E\f[], \f[B]\[en]auth\-endorse\f[]=\f[I]ENDORSE_AUTH\f[]:
+\f[B]\-e\f[], \f[B]\[en]auth\-endorse\f[]=\f[I]ENDORSE_AUTH\f[]:
 Specifies current endorsement authorization.
 Authorizations should follow the \[lq]authorization formatting
 standards\[rq], see section \[lq]Authorization Formatting\[rq].
@@ -63,15 +63,20 @@
 \f[B]\-p\f[] option, the AK can be restored via a call to
 tpm2_loadexternal(1).
 .IP \[bu] 2
-\f[B]\-g\f[], \f[B]\[en]algorithm\f[]=\f[I]ALGORITHM\f[]: Specifies the
+\f[B]\-G\f[], \f[B]\[en]algorithm\f[]=\f[I]ALGORITHM\f[]: Specifies the
 algorithm type of AK.
-Algorithms should follow the \[lq]formatting standards\[rq], see section
-\[lq]Algorithm Specifiers\[rq].
-See section \[lq]Supported Public Object Algorithms\[rq] for a list of
-supported object algorithms.
+Supports:
+.RS 2
+.IP \[bu] 2
+ecc \- An P256 key.
+.IP \[bu] 2
+rsa \- An RSA2048 key.
+.IP \[bu] 2
+keyedhash \- hmac key.
+.RE
 .IP \[bu] 2
 \f[B]\-D\f[], \f[B]\[en]digest\-alg\f[]=\f[I]HASH_ALGORITHM\f[]: Like
-\-g, but specifies the digest algorithm.
+\-g, but specifies the digest algorithm used for signing.
 Algorithms should follow the \[lq]formatting standards\[rq], see section
 \[lq]Algorithm Specifiers\[rq].
 See section \[lq]Supported Hash Algorithms\[rq] for a list of supported
@@ -113,9 +118,20 @@
 This collection of options are common to many programs and provide
 information that many users may expect.
 .IP \[bu] 2
-\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage.
-This requires the manpages to be installed or on \f[I]MANPATH\f[], See
-man(1) for more details.
+\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools
+manpage.
+By default, it attempts to invoke the manpager for the tool, however, on
+failure will output a short tool summary.
+This is the same behavior if the \[lq]man\[rq] option argument is
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
+provide errors from man on stderr.
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
+short options will be output to stdout.
+.RS 2
+.PP
+To successfully use the manpages feature requires the manpages to be
+installed or on \f[I]MANPATH\f[], See man(1) for more details.
+.RE
 .IP \[bu] 2
 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for
 this tool, supported tctis and exit.
@@ -264,20 +280,108 @@
 By default passwords are assumed to be in the string form.
 Password form is specified with special prefix values, they are:
 .IP \[bu] 2
-str: \- Used to indicate it is a raw string.
+\f[B]str\f[]: Used to indicate it is a raw string.
 Useful for escaping a password that starts with the \[lq]hex:\[rq]
 prefix.
 .IP \[bu] 2
-hex: \- Used when specifying a password in hex string format.
+\f[B]hmac\f[]: Use to indicate, the subsequent string specified be used
+in calculating the command buffer HMAC to prevent presenting clear text
+passwords on the TPM interfaces.
+See CVE\-2017\-7524 for details.
+.IP \[bu] 2
+\f[B]hex\f[]: Used when specifying a password in hex string format.
+.IP \[bu] 2
+\f[B]session\f[]: A file containing session metadata about a previously
+started session.
+.IP \[bu] 2
+\f[B]pcr\f[]: A PCR specification for authenticating against a PCR
+policy.
 .SS HMAC
 .PP
-HMAC tickets can be presented as hex escaped passwords.
+Generate an HMAC ticket for authorization.
+Useful for preventing a clear text password being sent to the tpm.
+.SS Example
+.IP
+.nf
+\f[C]
+tpm2_nvwrite\ \-x\ 0x1500018\ \-a\ 0x1500018\ \-P\ "hmac:hmacpass"\ test.nv
+\f[]
+.fi
+.SS PCR Policy
+.PP
+To authenticate with a PCR policy, prefix the option argument with the
+\f[I]pcr\f[] keyword, followed by colon, and a \f[I]pcr spec\f[].
+A pcr spec consists of a \f[C]<bank\ specifier>=<pcr\ file>\f[], where
+\f[C]<bank\-spec>\f[] is mandatory and \f[C]=<pcr\-file>\f[] is
+optional.
+.SS PCR Bank Specifiers \f[C]<bank\-spec>\f[]
+.PP
+PCR Bank Specifier follow the below specification:
+.IP
+.nf
+\f[C]
+<BANK>:<PCR>[,<PCR>]
+\f[]
+.fi
+.PP
+multiple banks may be separated by `+'.
+.PP
+For example:
+.IP
+.nf
+\f[C]
+sha:3,4+sha256:5,6
+\f[]
+.fi
+.PP
+will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the
+SHA256 bank.
+.PP
+\f[B]Note\f[]: PCR Selections allow for up to 5 hash to pcr selection
+mappings.
+This is a limitaion in design in the single call to the tpm to get the
+pcr values.
+.SS PCR File \f[C]<pcr\-file>\f[]
+.PP
+This is a computed file that matches the specifier that contains the PCR
+values.
+This prevents a PCR read.
+This file can be generated via \f[B]tpm2_pcrlist\f[] as in the below
+example:
+.IP
+.nf
+\f[C]
+tpm2_pcrlist\ \-Q\ \-L\ sha1:0,1,2,3\ \-o\ pcr.dat
+\f[]
+.fi
+.SS Example
+.IP
+.nf
+\f[C]
+echo\ \-n\ "policy\ locked"\ |\ tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x1500016\ 
\-P"pcr:sha1:0,1,2,3=pcr.dat"
+\f[]
+.fi
 .SS Sessions
 .PP
 When using a policy session to authorize the use of an object, one
-prefixes the option argument with the \f[I]session\f[] keyword.
+prefixes the option argument with the \f[I]session\f[] keyword followed
+by a colon.
 You then indicate a path to a session file that was created with
 tpm2_startauthsession(1).
+.SS Example
+.IP
+.nf
+\f[C]
+#\ Start\ a\ session
+tpm2_startauthsession\ \-a\ \-S\ s.dat
+
+#\ Do\ some\ policy\ event,\ in\ this\ case\ we\ will\ satisfy\ a\ PCR\ policy
+tpm2_policypcr\ \-S\ s.dat\ \-L\ sha1:0,1,2,3\ \-F\ pcr.dat\ \-f\ policy.dat
+
+#\ Use\ that\ session\ for\ authorization
+tpm2_unseal\ \-P"session:s.dat"\ \-c\ key.ctx
+\f[]
+.fi
 .SH Context Object Format
 .PP
 The type of a context object, whether it is a handle or file name, is
@@ -313,15 +417,134 @@
 .SH Supported Public Object Algorithms
 .PP
 Supported public object algorithms are:
+.SS Symmetric
+.SS AES
+.PP
+The AES cipher has a bitsize and a mode.
+When the mode is not specified, ie a \[lq]NULL\[rq] mode, the TPM will
+allow any mode usages on subsequent key uses.
+If the mode is specified during object creation, only that mode is
+allowed in subsequent use cases.
+.IP \[bu] 2
+\f[B]aes\f[] \- Default AES selection.
+The default AES Selection is AES 256 with a NULL mode.
+.IP \[bu] 2
+\f[B]aes[128|192|256]\f[] \- AES with a key size of 128, 192 and 256
+respectively with a NULL mode.
+.IP \[bu] 2
+\f[B]aes[128|192|256][cbc|ocb|cfb|ecb]\f[] \- AES with a key size of
+128, 192 and 256 and a mode of cbc, ocb, cfb and ecb respectively.
+.SS Examples
+.IP \[bu] 2
+aes256cbc \- AES with a key bitsize of 256 and a mode of cbc.
+.IP \[bu] 2
+aes192cfb \- AES with a bitsize of 192 and mode of cfb.
+.IP \[bu] 2
+aes128 \- AES with a bitsize of 128 and NULL mode.
+.SS Asymmetric
+.SS RSA
+.PP
+The RSA cipher has a bitsize, and the TPM (optionally) supports
+associating a symmetric key along with the RSA algorithm.
+The AES key will be used for encryption modes that rely on an RSA
+scheme, like RSAES_OAEP.
+.IP \[bu] 2
+\f[B]rsa\f[] \- Default RSA algorithm.
+The default bitsize is 2048.
+Depending on if the object is a restricted object (aka a parent object),
+the algorithms encryption options will default to:
+.RS 2
 .IP \[bu] 2
-\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
-(\f[B]default\f[]).
+restricted object \- scheme of null and a NULL symmetric algorithm.
 .IP \[bu] 2
-\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
+non\-restricted object \- scheme of null and an aes256cfb symmetric
+algorithm.
+.RE
+.IP \[bu] 2
+\f[B]rsa[1024|2048]\f[] \- Similar to \f[B]rsa\f[] option, but provides
+control over the key size to either 1024 or 2048 respectively.
+.IP \[bu] 2
+\f[B]rsa[1024|2048|4096]:[oaep|rsaes]\f[] \- Similar to
+\f[B]rsa[1024|2048|4096]\f[] option, but provides the ability to control
+the scheme.
+The algorithms encryption options will default to: aes256cfb.
+.IP \[bu] 2
+\f[B]rsa[1024|2048]:[oaep|rsaes]:aes\f[] Similar to
+\f[B]rsa[1024|2048]:[oaep|rsaes]\f[] option, but provides full control
+over the aes key options.
+See the section \f[B]AES\f[] for details of these AES strings.
+.SS Examples
+.IP \[bu] 2
+rsa1024 \- Creates an RSA 1024 key with a scheme and symmetric algorithm
+dependent on the restricted attribute.
+.IP \[bu] 2
+rsa:oeap:aes \- Creates an RSA 2048 key with an AES\-OEAP scheme and an
+AES default key based on attributes.
+.IP \[bu] 2
+rsa1024:null:aes128cbc \- Creates an RSA 1024 key with a NULL encryption
+scheme and an AES key of 128 for use ONLY with CBC.
+.SS ECC
+.PP
+The ECC cipher has a size, and the TPM (optionally) supports associating
+a symmetric key along with the ECC algorithm.
+The AES key will be used for encryption modes that rely on an asymmetric
+encryption scheme, like RSAES_OAEP.
+.IP \[bu] 2
+\f[B]ecc\f[] \- Default ECC algorithm.
+The default curve size is 256.
+Depending on if the object is a restricted object (aka a parent object),
+the algorithms encryption options will default to:
+.RS 2
+.IP \[bu] 2
+restricted object \- scheme of null and a NULL symmetric algorithm.
+.IP \[bu] 2
+non\-restricted object \- scheme of null and an aes256cfb symmetric
+algorithm.
+.RE
+.IP \[bu] 2
+\f[B]ecc[224|256|384|521]\f[] \- Similar to \f[B]ecc\f[] option, but
+provides control over the curve size to either 224,256,384 or 521
+respectively.
+.IP \[bu] 2
+\f[B]ecc[224|256|384|521]:[oaep|rsaes]\f[] \- Similar to
+\f[B]ecc[224|256|384|521]\f[] option, but provides the ability to
+control the scheme.
+The algorithms encryption options will default to: aes256cfb.
+.IP \[bu] 2
+\f[B]ecc[224|256|384|521]:[oaep|rsaes]:aes\f[] Similar to
+\f[B]ecc[224|256|384|521]:[oaep|rsaes]\f[] option, but provides full
+control over the aes key options.
+See the section \f[B]AES\f[] for details of these AES strings.
+.SS Examples
+.IP \[bu] 2
+ecc224 \- Creates an ECC 224 key with a scheme and symmetric algorithm
+dependent on the restricted attribute.
+.IP \[bu] 2
+ecc:oeap:aes \- Creates an ECC 256 key with an AES\-OEAP scheme and an
+AES default key based on attributes.
+.IP \[bu] 2
+ecc384:null:aes128cbc \- Creates an ECC 384 key with a NULL encryption
+scheme and an AES key of 128 for use ONLY with CBC.
+.SS KeyedHash
+.PP
+The keyedhash algorithms are hmac and xor.
+.SS HMAC
+.PP
+The HMAC algorithm needs a hashing algorithm and nothing more.
+It defaults to sha256 if not specified.
 .IP \[bu] 2
-\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
+\f[B]hmac:[sha256|sha384|sha512]\f[] \- Generate an HMAC key valid for
+the associated hash algorithm, defaults to sha256 if not specified.
+.SS XOR
+.PP
+The XOR algorithm needs a hashing algorithm and nothing more.
+It defaults to sha256 if not specified.
+The XOR scheme should be used where confidentiality of the objects is
+desired, but secrecy is not mandatory.
+The algorithm is lightweight and quick.
 .IP \[bu] 2
-\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
+\f[B]xor:[sha256|sha384|sha512]\f[] \- Generate an XOR key valid for the
+associated hash algorithm, defaults to sha256 if not specified.
 .PP
 \f[B]NOTE\f[]: Your TPM may not support all algorithms.
 .SH Supported Hash Algorithms
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_createek.1 new/tpm2-tools-3.1.1/man/man1/tpm2_createek.1
--- old/tpm2-tools-3.1.0/man/man1/tpm2_createek.1       2018-06-20 16:40:41.000000000 +0200
+++ new/tpm2-tools-3.1.1/man/man1/tpm2_createek.1       2018-07-09 12:48:22.000000000 +0200
@@ -48,12 +48,17 @@
 tpm2_loadexternal(1).
 .RE
 .IP \[bu] 2
-\f[B]\-g\f[], \f[B]\[en]algorithm\f[]=\f[I]ALGORITHM\f[]: specifies the
+\f[B]\-G\f[], \f[B]\[en]algorithm\f[]=\f[I]ALGORITHM\f[]: specifies the
 algorithm type of EK.
-See section \[lq]Supported Public Object Algorithms\[rq] for a list of
-supported object algorithms.
-See section \[lq]Algorithm Specifiers\[rq] on how to specify an
-algorithm argument.
+Supports:
+.RS 2
+.IP \[bu] 2
+ecc \- An P256 key.
+.IP \[bu] 2
+rsa \- An RSA2048 key.
+.IP \[bu] 2
+keyedhash \- hmac key.
+.RE
 .IP \[bu] 2
 \f[B]\-p\f[], \f[B]\[en]file\f[]=\f[I]FILE\f[]: Optional: specifies the
 file used to save the public portion of EK.
@@ -83,9 +88,20 @@
 This collection of options are common to many programs and provide
 information that many users may expect.
 .IP \[bu] 2
-\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage.
-This requires the manpages to be installed or on \f[I]MANPATH\f[], See
-man(1) for more details.
+\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools
+manpage.
+By default, it attempts to invoke the manpager for the tool, however, on
+failure will output a short tool summary.
+This is the same behavior if the \[lq]man\[rq] option argument is
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
+provide errors from man on stderr.
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
+short options will be output to stdout.
+.RS 2
+.PP
+To successfully use the manpages feature requires the manpages to be
+installed or on \f[I]MANPATH\f[], See man(1) for more details.
+.RE
 .IP \[bu] 2
 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for
 this tool, supported tctis and exit.
@@ -227,15 +243,134 @@
 .SH Supported Public Object Algorithms
 .PP
 Supported public object algorithms are:
+.SS Symmetric
+.SS AES
+.PP
+The AES cipher has a bitsize and a mode.
+When the mode is not specified, ie a \[lq]NULL\[rq] mode, the TPM will
+allow any mode usages on subsequent key uses.
+If the mode is specified during object creation, only that mode is
+allowed in subsequent use cases.
+.IP \[bu] 2
+\f[B]aes\f[] \- Default AES selection.
+The default AES Selection is AES 256 with a NULL mode.
+.IP \[bu] 2
+\f[B]aes[128|192|256]\f[] \- AES with a key size of 128, 192 and 256
+respectively with a NULL mode.
+.IP \[bu] 2
+\f[B]aes[128|192|256][cbc|ocb|cfb|ecb]\f[] \- AES with a key size of
+128, 192 and 256 and a mode of cbc, ocb, cfb and ecb respectively.
+.SS Examples
+.IP \[bu] 2
+aes256cbc \- AES with a key bitsize of 256 and a mode of cbc.
+.IP \[bu] 2
+aes192cfb \- AES with a bitsize of 192 and mode of cfb.
+.IP \[bu] 2
+aes128 \- AES with a bitsize of 128 and NULL mode.
+.SS Asymmetric
+.SS RSA
+.PP
+The RSA cipher has a bitsize, and the TPM (optionally) supports
+associating a symmetric key along with the RSA algorithm.
+The AES key will be used for encryption modes that rely on an RSA
+scheme, like RSAES_OAEP.
+.IP \[bu] 2
+\f[B]rsa\f[] \- Default RSA algorithm.
+The default bitsize is 2048.
+Depending on if the object is a restricted object (aka a parent object),
+the algorithms encryption options will default to:
+.RS 2
+.IP \[bu] 2
+restricted object \- scheme of null and a NULL symmetric algorithm.
+.IP \[bu] 2
+non\-restricted object \- scheme of null and an aes256cfb symmetric
+algorithm.
+.RE
 .IP \[bu] 2
-\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[]
-(\f[B]default\f[]).
+\f[B]rsa[1024|2048]\f[] \- Similar to \f[B]rsa\f[] option, but provides
+control over the key size to either 1024 or 2048 respectively.
 .IP \[bu] 2
-\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[].
+\f[B]rsa[1024|2048|4096]:[oaep|rsaes]\f[] \- Similar to
+\f[B]rsa[1024|2048|4096]\f[] option, but provides the ability to control
+the scheme.
+The algorithms encryption options will default to: aes256cfb.
+.IP \[bu] 2
+\f[B]rsa[1024|2048]:[oaep|rsaes]:aes\f[] Similar to
+\f[B]rsa[1024|2048]:[oaep|rsaes]\f[] option, but provides full control
+over the aes key options.
+See the section \f[B]AES\f[] for details of these AES strings.
+.SS Examples
+.IP \[bu] 2
+rsa1024 \- Creates an RSA 1024 key with a scheme and symmetric algorithm
+dependent on the restricted attribute.
+.IP \[bu] 2
+rsa:oeap:aes \- Creates an RSA 2048 key with an AES\-OEAP scheme and an
+AES default key based on attributes.
+.IP \[bu] 2
+rsa1024:null:aes128cbc \- Creates an RSA 1024 key with a NULL encryption
+scheme and an AES key of 128 for use ONLY with CBC.
+.SS ECC
+.PP
+The ECC cipher has a size, and the TPM (optionally) supports associating
+a symmetric key along with the ECC algorithm.
+The AES key will be used for encryption modes that rely on an asymmetric
+encryption scheme, like RSAES_OAEP.
+.IP \[bu] 2
+\f[B]ecc\f[] \- Default ECC algorithm.
+The default curve size is 256.
+Depending on if the object is a restricted object (aka a parent object),
+the algorithms encryption options will default to:
+.RS 2
+.IP \[bu] 2
+restricted object \- scheme of null and a NULL symmetric algorithm.
+.IP \[bu] 2
+non\-restricted object \- scheme of null and an aes256cfb symmetric
+algorithm.
+.RE
 .IP \[bu] 2
-\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[].
+\f[B]ecc[224|256|384|521]\f[] \- Similar to \f[B]ecc\f[] option, but
+provides control over the curve size to either 224,256,384 or 521
+respectively.
+.IP \[bu] 2
+\f[B]ecc[224|256|384|521]:[oaep|rsaes]\f[] \- Similar to
+\f[B]ecc[224|256|384|521]\f[] option, but provides the ability to
+control the scheme.
+The algorithms encryption options will default to: aes256cfb.
+.IP \[bu] 2
+\f[B]ecc[224|256|384|521]:[oaep|rsaes]:aes\f[] Similar to
+\f[B]ecc[224|256|384|521]:[oaep|rsaes]\f[] option, but provides full
+control over the aes key options.
+See the section \f[B]AES\f[] for details of these AES strings.
+.SS Examples
+.IP \[bu] 2
+ecc224 \- Creates an ECC 224 key with a scheme and symmetric algorithm
+dependent on the restricted attribute.
+.IP \[bu] 2
+ecc:oeap:aes \- Creates an ECC 256 key with an AES\-OEAP scheme and an
+AES default key based on attributes.
+.IP \[bu] 2
+ecc384:null:aes128cbc \- Creates an ECC 384 key with a NULL encryption
+scheme and an AES key of 128 for use ONLY with CBC.
+.SS KeyedHash
+.PP
+The keyedhash algorithms are hmac and xor.
+.SS HMAC
+.PP
+The HMAC algorithm needs a hashing algorithm and nothing more.
+It defaults to sha256 if not specified.
+.IP \[bu] 2
+\f[B]hmac:[sha256|sha384|sha512]\f[] \- Generate an HMAC key valid for
+the associated hash algorithm, defaults to sha256 if not specified.
+.SS XOR
+.PP
+The XOR algorithm needs a hashing algorithm and nothing more.
+It defaults to sha256 if not specified.
+The XOR scheme should be used where confidentiality of the objects is
+desired, but secrecy is not mandatory.
+The algorithm is lightweight and quick.
 .IP \[bu] 2
-\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[].
+\f[B]xor:[sha256|sha384|sha512]\f[] \- Generate an XOR key valid for the
+associated hash algorithm, defaults to sha256 if not specified.
 .PP
 \f[B]NOTE\f[]: Your TPM may not support all algorithms.
 .SH Algorithm Specifiers
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_flushcontext.1 new/tpm2-tools-3.1.1/man/man1/tpm2_flushcontext.1
--- old/tpm2-tools-3.1.0/man/man1/tpm2_flushcontext.1   2018-06-20 16:40:43.000000000 +0200
+++ new/tpm2-tools-3.1.1/man/man1/tpm2_flushcontext.1   2018-07-09 12:48:24.000000000 +0200
@@ -41,9 +41,20 @@
 This collection of options are common to many programs and provide
 information that many users may expect.
 .IP \[bu] 2
-\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage.
-This requires the manpages to be installed or on \f[I]MANPATH\f[], See
-man(1) for more details.
+\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools
+manpage.
+By default, it attempts to invoke the manpager for the tool, however, on
+failure will output a short tool summary.
+This is the same behavior if the \[lq]man\[rq] option argument is
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
+provide errors from man on stderr.
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
+short options will be output to stdout.
+.RS 2
+.PP
+To successfully use the manpages feature requires the manpages to be
+installed or on \f[I]MANPATH\f[], See man(1) for more details.
+.RE
 .IP \[bu] 2
 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for
 this tool, supported tctis and exit.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_import.1 new/tpm2-tools-3.1.1/man/man1/tpm2_import.1
--- old/tpm2-tools-3.1.0/man/man1/tpm2_import.1 2018-06-20 16:40:43.000000000 +0200
+++ new/tpm2-tools-3.1.1/man/man1/tpm2_import.1 2018-07-09 12:48:25.000000000 +0200
@@ -21,10 +21,14 @@
 These options control the key importation process:
 .IP \[bu] 2
 \f[B]\-G\f[], \f[B]\[en]import\-key\-alg\f[]=\f[I]ALGORITHM\f[]: The
-algorithm used by the key to be imported, AES and RSA keys are
-supported.
-Algorithms should follow the \[lq]formatting standards\[rq], see section
-\[lq]Algorithm Specifiers\[rq].
+algorithm used by the key to be imported.
+Supports:
+.RS 2
+.IP \[bu] 2
+aes \- AES 128 key.
+.IP \[bu] 2
+rsa \- RSA 2048 key.
+.RE
 .IP \[bu] 2
 \f[B]\-k\f[], \f[B]\[en]input\-key\-file\f[]=\f[I]FILE\f[]: Specifies
 the filename of symmetric key (128 bit data) to be imported.
@@ -58,9 +62,20 @@
 This collection of options are common to many programs and provide
 information that many users may expect.
 .IP \[bu] 2
-\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage.
-This requires the manpages to be installed or on \f[I]MANPATH\f[], See
-man(1) for more details.
+\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools
+manpage.
+By default, it attempts to invoke the manpager for the tool, however, on
+failure will output a short tool summary.
+This is the same behavior if the \[lq]man\[rq] option argument is
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
+provide errors from man on stderr.
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
+short options will be output to stdout.
+.RS 2
+.PP
+To successfully use the manpages feature requires the manpages to be
+installed or on \f[I]MANPATH\f[], See man(1) for more details.
+.RE
 .IP \[bu] 2
 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for
 this tool, supported tctis and exit.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_policypcr.1 new/tpm2-tools-3.1.1/man/man1/tpm2_policypcr.1
--- old/tpm2-tools-3.1.0/man/man1/tpm2_policypcr.1      2018-06-20 16:40:46.000000000 +0200
+++ new/tpm2-tools-3.1.1/man/man1/tpm2_policypcr.1      2018-07-09 12:48:27.000000000 +0200
@@ -37,9 +37,20 @@
 This collection of options are common to many programs and provide
 information that many users may expect.
 .IP \[bu] 2
-\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage.
-This requires the manpages to be installed or on \f[I]MANPATH\f[], See
-man(1) for more details.
+\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools
+manpage.
+By default, it attempts to invoke the manpager for the tool, however, on
+failure will output a short tool summary.
+This is the same behavior if the \[lq]man\[rq] option argument is
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
+provide errors from man on stderr.
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
+short options will be output to stdout.
+.RS 2
+.PP
+To successfully use the manpages feature requires the manpages to be
+installed or on \f[I]MANPATH\f[], See man(1) for more details.
+.RE
 .IP \[bu] 2
 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for
 this tool, supported tctis and exit.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_policyrestart.1 new/tpm2-tools-3.1.1/man/man1/tpm2_policyrestart.1
--- old/tpm2-tools-3.1.0/man/man1/tpm2_policyrestart.1  2018-06-20 16:40:45.000000000 +0200
+++ new/tpm2-tools-3.1.1/man/man1/tpm2_policyrestart.1  2018-07-09 12:48:27.000000000 +0200
@@ -35,9 +35,20 @@
 This collection of options are common to many programs and provide
 information that many users may expect.
 .IP \[bu] 2
-\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage.
-This requires the manpages to be installed or on \f[I]MANPATH\f[], See
-man(1) for more details.
+\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools
+manpage.
+By default, it attempts to invoke the manpager for the tool, however, on
+failure will output a short tool summary.
+This is the same behavior if the \[lq]man\[rq] option argument is
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
+provide errors from man on stderr.
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
+short options will be output to stdout.
+.RS 2
+.PP
+To successfully use the manpages feature requires the manpages to be
+installed or on \f[I]MANPATH\f[], See man(1) for more details.
+.RE
 .IP \[bu] 2
 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for
 this tool, supported tctis and exit.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_startauthsession.1 new/tpm2-tools-3.1.1/man/man1/tpm2_startauthsession.1
--- old/tpm2-tools-3.1.0/man/man1/tpm2_startauthsession.1       2018-06-20 16:40:47.000000000 +0200
+++ new/tpm2-tools-3.1.1/man/man1/tpm2_startauthsession.1       2018-07-09 12:48:29.000000000 +0200
@@ -54,9 +54,20 @@
 This collection of options are common to many programs and provide
 information that many users may expect.
 .IP \[bu] 2
-\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage.
-This requires the manpages to be installed or on \f[I]MANPATH\f[], See
-man(1) for more details.
+\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools
+manpage.
+By default, it attempts to invoke the manpager for the tool, however, on
+failure will output a short tool summary.
+This is the same behavior if the \[lq]man\[rq] option argument is
+specified, however if explicit \[lq]man\[rq] is requested, the tool will
+provide errors from man on stderr.
+If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the
+short options will be output to stdout.
+.RS 2
+.PP
+To successfully use the manpages feature requires the manpages to be
+installed or on \f[I]MANPATH\f[], See man(1) for more details.
+.RE
 .IP \[bu] 2
 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for
 this tool, supported tctis and exit.

