NOTE: This is a work in progress, please see issue #957 to track status.
Current Conflicts as of a5d9f5
group: object:
tools: ['tpm2_load', 'tpm2_createprimary', 'tpm2_unseal', 'tpm2_loadexternal', 'tpm2_makecredential', 'tpm2_readpublic', 'tpm2_activatecredential', 'tpm2_create', 'tpm2_changeauth']
conflicts: set(['C', 'handle', 'H', 'object', 'P', 'sec', 'X', 'c', 'passwdInHex', 'item', 's', 'r', 'u', 'privfile', 'pubfile', 'Password'])
To fix:
- X/passwdInHex they get removed.
- r/u/pubfile/privfile are OK and thus added to the analyze.py tool to ignore
- s/sec, the long option changes to secret
- P/Password, P is fine but Password changes to auth-key.
On PR: tpm2-software/tpm2-tools#1008
What this leaves is:
- C, Handle, H, object, item. Which most of these will be fixed by:
group: symmetric:
tools: ['tpm2_hmac', 'tpm2_encryptdecrypt', 'tpm2_hash']
conflicts: set(['a', 'algorithm', 'hierarchy', 'decrypt', 't', 'halg', 'ticket', 'D'])
To Fix:
- algorithm/halg - algorithm goes to halg, which is inline with out of group options and the man page.
- D/decrypt - is fine, and added to analyze.py. This does conflict with D/digest, but it's out of group.
- a/hierarchy is fine, and added to analyze.py. This aligns with out-of-group tools.
- t/ticket is fine, and added to analyze.py. This aligns with out-of-group tools.
On PR: tpm2-software/tpm2-tools#1008
This closes group symmetric.
group: attestation:
tools: ['tpm2_certify', 'tpm2_quote']
conflicts: set(['s', 'halg', 'algorithm', 'signature', 'message', 'm'])
To Fix:
- algorithm - (BUG) Drop g/algorithm from tpm2_quote as it has been replaced via PCR selection list -L and was removed (partially) from the tool.
- g/halg - is fine, and added to analyze.py. This aligns with out-of-group tools.
- m/message - is fine, and added to analyze.py. This aligns with in-group tools (only one).
- s/signature - is fine, and added to analyze.py. This aligns with in-group tools (only one).
On PR: tpm2-software/tpm2-tools#1008
This closes group attestation.
group: signing:
tools: ['tpm2_sign', 'tpm2_verifysignature']
conflicts: set(['raw', 'r'])
To Fix:
- r/raw - remove, unused argument.
On PR: tpm2-software/tpm2-tools#1008
This closes group signing.
group: integrity:
tools: ['tpm2_pcrextend', 'tpm2_pcrlist', 'tpm2_pcrevent']
conflicts: set(['algorithm', 'g', 'format', 'algs', 'f', 's'])
To Fix:
- h/algorithm - algorithm goes to halg, which is inline with out of group options.
- f/format - is fine, and added to analyze.py. This aligns with out-of-group tools.
- s/algs - is fine, and added to analyze.py. This conflicts with out-of-group tools, but is fine in group.
The conflicts on f/format should be resolved in other tools, I added a check box to: tpm2-software/tpm2-tools#957
On PR: tpm2-software/tpm2-tools#1008
This closes group integrity.
group: ea:
tools: ['tpm2_policypcr', 'tpm2_createpolicy']
conflicts: set(['S', 'session'])
To Fix:
- S/session - exempt. This is inline for what we want it to be in this group.
On PR: tpm2-software/tpm2-tools#1008
This closes group ea.
group: hierarchy:
tools: ['tpm2_clear', 'tpm2_clearlock']
conflicts: set(['c', 'clear'])
To Fix:
- c/clear - exempt. This is inline for what we want it to be in this group.
On PR: tpm2-software/tpm2-tools#1008
This closes group hierarchy.
group: context:
tools: ['tpm2_evictcontrol', 'tpm2_flushcontext']
conflicts: set(['a', 'c', 'hierarchy', 'persistent', 'p', 'S', 'session', 'context'])
To Fix:
- S/session - exempt. This is inline wiht out-of-group tools.
- p/persistent - only used in one tool in group.
- a/hierarchy - used out-of-group for hierarchy specification.
On PR: tpm2-software/tpm2-tools#1008
This DOES NOT close group ea, c/context is left.
group: nv:
tools: ['tpm2_nvreadlock', 'tpm2_nvrelease', 'tpm2_nvdefine', 'tpm2_nvread', 'tpm2_nvwrite', 'tpm2_nvlist']
conflicts: set(['a', 'index', 'hierarchy', 'attribute', 'S', 'session', 't', 'x'])
To Fix:
- S/session - exempt. This is inline wiht out-of-group tools.
- x/index - This is inline with in-group tools.
- t/attribute - BUG: attribute should be attributes per man-page. This is consistent with out-of-group attribute specification
- a/hierarchy - exempt. This is inline with out of group tools.
On PR: tpm2-software/tpm2-tools#1008
This closes group nv.
group: custom:
tools: ['tpm2_createak', 'tpm2_send', 'tpm2_getmanufec', 'tpm2_createek', 'tpm2_listpersistent']
conflicts: set(['algorithm', 'kalg', 'O', 'G', 'r', 'privfile', 'halg', 'offline'])
Note: We don't care about group custom.
This table lists the options in use as of 60768ba.
| short form | long form | used by | argument type | canonical |
|---|---|---|---|---|
| -a | --attest-file | tpm2_certify | file path | |
| -a | --auth-policy-session | tpm2_createpolicy | TPM session policy | |
| -a | --auth-policy-session | tpm2_startauthsession | N/A | |
| -a | --auth-handle | tpm2_nvdefine, tpm2_nvread, tpm2_nvreadlock, tpm2_nvrelease, tpm2_nvwrite | char handle pretty name | |
| -a | --hierarchy | tpm2_createprimary, tpm2_evictcontrol, tpm2_hash, tpm2_loadexternal | hierarchy value | |
| -c | --context | tpm2_evictcontrol, tpm2_createek | file path | |
| -c | --ak-context | tpm2_quote, tpm2_readpublic | file path | |
| -c | --context-parent | tpm2_create, tpm2_load | file path | |
| -c | --key-context | tpm2_certify, tpm2_encryptdecrypt, tpm2_hmac, tpm2_rsadecrypt, tpm2_rsaencrypt, tpm2_sign, tpm2_verifysignature | file path | |
| -c | --item-context | tpm2_unseal | file path | |
| -c | --clear | tpm2_clearlock. tpm2_startup | N/A | |
| -c | --clear-lockout | tpm2_dictionarylockout | N/A | |
| -e | --auth-endorse | tpm2_getmanufec | auth value | |
| -e | --endorse-password | tpm2_activatecredential | password | |
| -e | --endorse-passwd | tpm2_changeauth, tpm2_createak | auth value | |
| -e | --auth-endorse | tpm2_createek | auth value | |
| -e | --enc-key | tpm2_makecredential | file path | |
| -f | --in-file | tpm2_activatecredential, tpm2_certify | file path | |
| -f | --policy-file | tpm2_createpolicy, tpm2_policypcr | file path | |
| -f | --format | tpm2_certify, tpm2_quote, tpm2_sign | signature format | |
| -f | --format | pubkey options | pub key format | |
| -f | --out-file | tpm2_getmanufec, tpm2_nvread | file path | |
| -f | --parent-key-public | tpm2_import | file path | |
| -f | --file | tpm2_print | file path | |
| -g | --halg | tpm2_create, tpm2_createprimary, tpm2_hash, tpm2_hmac, tpm2_listpersistent, tpm2_sign, tpm2_verifysignature | hash algorithm | |
| -g | --policy-digest-alg | tpm2_createpolicy, tpm2_startauthsession | hash algorithm | |
| -g | --algorithm | tpm2_getmanufec, tpm2_createak, tpm2_createek, tpm2_pcrlist | algorithm specifier | |
| -h | --help | common option | N/A | |
| -i | --pcr-index | tpm2_pcrevent | pcr index | |
| -i | --input | tpm2_send | file path | |
| -k | --key-handle | tpm2_activatecredential, tpm2_encryptdecrypt, tpm2_hmac, tpm2_rsadecrypt, tpm2_rsaencrypt, tpm2_sign, tpm2_verifysignature | hex handle id | |
| -k | --ak-handle | tpm2_createak, tpm2_quote | hex handle id | |
| -k | --input-key-file | tpm2_import | file path | |
| -l | --lockout-passwd | tpm2_clear | password | |
| -l | --loaded-session | tpm2_flushcontext | N/A | |
| -l | --list | tpm2_getcap | N/A | |
| -l | --id-list | tpm2_quote | (string) list of PCR IDs | |
| -m | --message | tpm2_quote, tpm2_sign, tpm2_verifysignature | file path | |
| -n | --name | tpm2_load | file path | |
| -n | --name | tpm2_makecredential | string | |
| -o | --out-file | tpm2_activatecredential, tpm2_getrandom, tpm2_hash, tpm2_hmac, tpm2_makecredential, tpm2_pcrlist, tpm2_readpublic, tpm2_rsadecrypt, tpm2_rsaencrypt, tpm2_send, tpm2_unseal | file path | |
| -o | --owner-passwd | tpm2_changeauth | auth value | |
| -o | --auth-owner | tpm2_createak, tpm2_createek, tpm2_getmanufec | auth value | |
| -o | --offset | tpm2_nvread, tpm2_nvwrite | offset within index | |
| -p | --persistent | tpm2_evictcontrol | hex handle id | |
| -p | --platform | tpm2_clear, tpm2_clearlock | N/A | |
| -p | --file | tpm2_createek | file path | |
| -q | --import-key-public | tpm2_import | file path | |
| -q | --qualify-data | tpm2_quote | hex string | |
| -r | --privfile | tpm2_create, tpm2_load, tpm2_loadexternal | file path | |
| -r | --import-key-private | tpm2_import | file path | |
| -r | --raw | tpm2_verifysignature | N/A | |
| -s | --saved-session | tpm2_flushcontext | N/A | |
| -s | --sig-file | tpm2_certify | file path | |
| -s | --signature | tpm2_quote | file path | |
| -s | --setup-parameters | tpm2_dictionarylockout | N/A | |
| -s | --sec | tpm2_makecredential | file path | |
| -s | --size | tpm2_nvdefine, tpm2_nvread, tpm2_nvrelease | size in bytes | |
| -s | --algs | tpm2_pcrlist | N/A | |
| -s | --sig | tpm2_sign, tpm2_verifysignature | file path | |
| -t | --transient-object | tpm2_flushcontext | N/A | |
| -t | --ticket | tpm2_hash, tpm2_sign, tpm2_verifysignature | file path | |
| -t | --attributes | tpm2_nvdefine | NV attributes | |
| -t | --type | tpm2_print | TPMS_ATTEST |
|
| -u | --pubfile | tpm2_create, tpm2_load, tpm2_loadexternal | file path | |
| -v | --version | common option | N/A | |
| -x | --pcr-index | |||
| -x | --nv-index | tpm2_nvdefine | index id | |
| -x | --index | tpm2_nvread, tpm2_nvreadlock, tpm2_nvrelease, tpm2_nvwrite | index id | |
| -A | --object-attributes | tpm2_create, tpm2_createprimary | object attributes | |
| -C | --key-context | tpm2_activatecredential | file path | |
| -C | --obj-context | tpm2_certify | file path | |
| -C | --context | tpm2_createprimary, tpm2_load, tpm2_loadexternal | file path | |
| -C | --capability | tpm2_getcap | capability name | |
| -D | --decrypt | tpm2_encryptdecrypt | N/A | |
| -D | --digest | tpm2_sign, tpm2_verifysignature | file path | |
| -E | --old-auth-endorse | tpm2_changeauth | auth value | |
| -E | --ec-cert | tpm2_getmanufec | file path | |
| -E | --ek-handle | tpm2_getcreateak | hex handle id | |
| -F | --pcr-input-file | tpm2_createpolicy, tpm2_nvread, tpm2_nvwrite, tpm2_policypcr, tpm2_unseal | file path | |
| -G | --kalg | tpm2_create, tpm2_createprimary, tpm2_listpersistent | key algorithm | |
| -G | --sig-hash-algorithm | tpm2_quote | hash algorithm | |
| -H | --handle | tpm2_evictcontrol, tpm2_activatecredential, tpm2_flushcontext, tpm2_getmanufec, tpm2_createek | hexadecimal handle id | |
| -H | --obj-handle | tpm2_certify | hex handle id | |
| -H | --object | tpm2_readpublic | hex handle id | |
| -H | --parent | tpm2_create, tpm2_load | hex handle id | |
| -H | --parent-key-handle | tpm2_import | hex handle id | |
| -H | --item | tpm2_unseal | hex handle id | |
| -I | --in-file | tpm2_create, tpm2_encryptdecrypt, tpm2_rsadecrypt | file path | |
| -I | --auth-index | tpm2_nvdefine | auth value | |
| -K | --auth-key | tpm2_create | auth value | |
| -K | --auth-object | tpm2_createprimary | auth value | |
| -K | --auth-key | tpm2_certify | auth value | |
| -L | --auth-lockout | tpm2_clear, tpm2_clearlock | auth value | |
| -L | --policy-file | tpm2_create, tpm2_createprimary, tpm2_nvdefine | file path | |
| -L | --old-auth-lockout | tpm2_changeauth | auth value | |
| -L | --set-list | tpm2_createpolicy, tpm2_nvread, tpm2_nvwrite, tpm2_policypcr, tpm2_unseal | (string) list of PCR IDs | |
| -L | --sel-list | tpm2_pcrlist, tpm2_quote | (string) list of PCR IDs | |
| -N | --non-persistent | tpm2_getmanufec | N/A | |
| -O | --old-auth-owner | tpm2_changeauth | auth value | |
| -O | --offline | tpm2_getmanufec | file path | |
| -P | --auth-XXX | |||
| -P | --auth-key | tpm2_rsadecrypt, tpm2_encryptdecrypt, tpm2_sign, tpm2_unseal, tpm2_hmac | auth value | Y |
| -P | --auth-ak | tpm2_quote, tpm2_createak | auth value | Y |
| -P | --auth-ek | tpm2_getmanufec | auth value | Y |
| -P | --auth-pcr | tpm2_pcrevent | auth value | Y |
| -P | --auth-object | tpm2_certify | auth value | |
| -P | --auth-parent | tpm2_create, tpm2_load | auth value | |
| -P | --auth-hierarchy | tpm2_createprimary, tpm2_evictcontrol, tpm2_nvdefine, tpm2_nvread, tpm2_nvwrite | auth value | |
| -P | --auth-lockout | tpm2_dictionarylockout | auth value | |
| -P | --pwda | tpm2_evictcontrol | password | |
| -P | --password | tpm2_activatecredential | password | |
| -P | --handle-passwd | tpm2_nvreadlock, tpm2_nvrelease | auth value | |
| -P | --pwdk | tpm2_rsaencrypt | auth value | |
| -P | --auth-ek | tpm2_createek | auth value | |
| -P | --policy-pcr | tpm2_createpolicy | N/A | |
| -Q | --quiet | common option | ||
| -S | --session | tpm2_evictcontrol, tpm2_create, tpm2_createprimary, tpm2_encryptdecrypt, tpm2_flushcontext, tpm2_getmanufec, tpm2_createek, tpm2_hmac, tpm2_load, tpm2_nvrelease, tpm2_nvwrite, tpm2_policypcr, tpm2_policyrestart, tpm2_quote, tpm2_rsadecrypt, tpm2_startauthsession | file path | |
| -S | --input-session-handle | tpm2_nvreadlock, tpm2_verifysignature | file path | |
| -T | --tcti | tcti options | option string | |
| -U | --SSL_NO_VERIFY | tpm2_getmanufec | N/A | |
| -V | --verbose | common option | N/A | |
| -Z | --enable-errata | common option | N/A |