Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 16.0-CURRENT FreeBSD 15.0-STABLE FreeBSD 14.3-RELEASE FreeBSD 14.3-RELEASE and Ports FreeBSD 14.3-STABLE FreeBSD 14.2-RELEASE FreeBSD 14.2-RELEASE and Ports FreeBSD 14.1-RELEASE FreeBSD 14.1-RELEASE and Ports FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE and Ports FreeBSD 13.5-RELEASE FreeBSD 13.5-RELEASE and Ports FreeBSD 13.5-STABLE FreeBSD 13.4-RELEASE FreeBSD 13.4-RELEASE and Ports FreeBSD 13.3-RELEASE FreeBSD 13.3-RELEASE and Ports FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 14.3 FreeBSD Ports 14.3.quarterly FreeBSD Ports 14.2 FreeBSD Ports 14.1 FreeBSD Ports 14.0 FreeBSD Ports 13.5 FreeBSD Ports 13.4 FreeBSD Ports 13.3 FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.9 CentOS 7.8 CentOS 7.7 CentOS 7.6 CentOS 7.5 CentOS 7.4 CentOS 7.3 CentOS 7.2 CentOS 7.1 CentOS 7.0 CentOS 6.10 CentOS 6.9 CentOS 6.8 CentOS 6.7 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 14.0 unstable Debian 13.1.0 Debian 12.11.0 Debian 11.11.0 Debian 10.13.0 Debian 9.13.0 Debian 8.11.1 Debian 7.11.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 Debian 2.0.0 Dell UNIX SVR4 2.2 DragonFly 6.4.0 DragonFly 5.8.3 DragonFly 4.8.1 DragonFly 3.8.2 DragonFly 2.10.1 DragonFly 1.12.1 DragonFly 1.0A HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 Inferno 4th Edition IRIX 6.5.30 Linux Slackware 3.1 MACH 2.5/i386 macOS 26.0 macOS 15.7 macOS 14.8 macOS 13.6.5 macOS 12.7.3 macOS 11.1 macOS 10.15.0 macOS 10.13.6 macOS 10.12.0 Minix 3.3.0 Minix 3.2.1 Minix 3.2.0 Minix 3.1.7 Minix 3.1.6 Minix 3.1.5 Minix 2.0.0 NetBSD 10.1 NetBSD 10.0 NetBSD 9.4 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.7 OpenBSD 7.6 OpenBSD 7.5 OpenBSD 7.4 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenDarwin 20030208pre4/ppc OpenIndiana 2024.10 OpenIndiana 2022.10 OpenIndiana 2020.10 OpenIndiana 2017.10 OpenIndiana 2015.10 OpenIndiana 2013.08 OpenSolaris 2010.03 OpenSolaris 2009.06 OpenStep 4.2 openSUSE 42.3 openSUSE 42.2 openSUSE 42.1 openSUSE 16.0 openSUSE 15.6 openSUSE 15.5 openSUSE 15.4 openSUSE 15.3 openSUSE 15.2 openSUSE 15.1 openSUSE 15.0 openSUSE 13.2 openSUSE 13.1 openSUSE 11.4 openSUSE 11.3 openSUSE 11.2 openSUSE 10.3 openSUSE 10.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 9.0 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Rhapsody DR1 Rhapsody DR2 Rocky 10.0 Rocky 9.6 Rocky 9.5 Rocky 9.4 Rocky 9.3 Rocky 9.2 Rocky 9.1 Rocky 9.0 Rocky 8.10 Rocky 8.9 Rocky 8.8 Rocky 8.7 Rocky 8.6 Rocky 8.5 Rocky 8.4 Rocky 8.3 Sun UNIX 0.4 SunOS 5.10 SunOS 5.9 SunOS 5.8 SunOS 5.7 SunOS 5.6 SunOS 5.5.1 SunOS 4.1.3 SuSE 11.3 SuSE 11.2 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 6.0 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 Ubuntu 24.04 noble Ubuntu 23.10 mantic Ubuntu 22.04 jammy Ubuntu 20.04 focal Ubuntu 18.04 bionic Ubuntu 16.04 xenial Ubuntu 14.04 trusty ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 All Architectures html pdf ascii

home | help

---

swtpm(8)							      swtpm(8)

NAME
       swtpm - TPM Emulator for	TPM 1.2	and 2.0

SYNOPSIS
       swtpm socket [OPTIONS]

       swtpm chardev [OPTIONS]

       swtpm cuse [OPTIONS]

DESCRIPTION
       swtpm implements	a TPM software emulator	built on libtpms.  It provides
       access to TPM functionality over	a TCP/IP socket	interface or it	can
       listend for commands on a character device, or create a CUSE (character
       device in userspace) interface for receiving of TPM commands.

       Unless corresponding command line parameters are	used, the swtpm	socket
       version requires	that the environment variable TPM_PORT be set to the
       TCP/IP port the process is supposed to listen on	for TPM	request
       messages.

       Similarly, the environment variable TPM_PATH can	be set and contain the
       name of a directory where the TPM can store its persistent state	into.

       The swtpm process can be	gracefully terminated by sending a SIGTERM
       signal to it.

       The swtpm cuse version requires root rights to start the	TPM.

Options	for socket interface
       The following options are supported if the socket interface is chosen:

       -p|--port <port>
	   Use	the  given  port  rather  than	using the environment variable
	   TPM_PORT.

       -t|--terminate
	   Terminate the TPM after the client  has  closed  the	 data  channel
	   connection (TCP only).

       --server	[type=tcp][,port=<port>[,bindaddr=<address>
       [,ifname=<ifname>]]][,fd=<fd>][,disconnect]
	   Expect TCP connections on the given port; if	a port is not provided
	   a  file  descriptor	must  be  passed with the fd parameter and the
	   commands are	read from this file descriptor then.   If  a  port  is
	   provided  the  bind	address	on which to listen for TCP connections
	   can be provided as well; the	default	bind address is	127.0.0.1.  If
	   a link local	IPv6 address is	provided, the name of the interface to
	   bind	to must	be provided with ifname.

	   This	 parameter  enables  a persistent connection by	default	unless
	   the disconnect option is  given.  This  parameter  should  be  used
	   rather than the -p and --fd options.

       --server	type=unixio[,path=<path>][,fd=<fd>]
       [,mode=<0...>][,uid=<uid>][,gid=<gid>]
	   Expect  UnixIO  connections	on  the	 given	path.  If  no  path is
	   provided, a file  descriptor	 must  be  passed  instead.  The  mode
	   parameter  allows  a	 user  to set the file mode bits of the	UnixIO
	   path. The mode bits value must be given as an octal number starting
	   with	a '0'.	The default  value  is	0770.  uid  and	 gid  set  the
	   ownership  of  the  UnixIO  socket's	path.  This operation requires
	   root	privileges.

Options	for character device interface
       The following options are supported if the chardev interface is chosen:

       -c|--chardev <device path>
	   Use the given device	to listen for TPM commands and	send  response
	   on.

       --vtpm-proxy
	   Create  a  Linux  vTPM  proxy device	instance and read TPM commands
	   from	its backend device.

Options	for the	CUSE interface
       The following options are supported if the cuse interface is chosen:

       -n|--name <NAME>
	   The TPM will	use a device with the given name. A  device  with  the
	   given name will be created in /dev. This is a mandatory option.

       -M|--maj	<MAJOR>
	   Create the device with the given major number.

       -m|--min	<MINOR>
	   Create the device with the given minor number.

Options	for socket and character device	interfaces:
       The  following options are supported by the socket and character	device
       interfaces:

       -f|--fd <fd>
	   Use the given socket	 file  descriptor  or  character  device  file
	   descriptor  for  receiving TPM commands and sending responses.  For
	   the socket interface, this option automatically assumes -t.

       -d|--daemon
	   Daemonize the process.

       --ctrl type=[unixio|tcp][,path=<path>]
       [,port=<port>[,bindaddr=<address>[,ifname=<ifname>]]]
       [,fd=<filedescriptor>|clientfd=<filedescriptor>]
       [,mode=<0...>][,uid=<uid>][,gid=<gid>][,terminate]
	   This	option adds a control channel to the TPM. The control  channel
	   can	either use a UnixIO socket with	a given	path or	filedescriptor
	   or it can use a TCP socket on the given port	or filedescriptor.  If
	   a port is provided the bind address on  which  to  listen  for  TCP
	   connections	can  be	 provided as well; the default bind address is
	   127.0.0.1. If a link	local IPv6 address is provided,	 the  name  of
	   the interface to bind to must be provided with ifname.

	   The	mode  parameter	allows a user to set the file mode bits	of the
	   UnixIO path.	 The mode bits value must be given as an octal	number
	   starting  with  a  '0'.  The	default	value is 0770. uid and gid set
	   the ownership of the	UnixIO socket's	path.  This operation requires
	   root	privileges.

	   The terminate parameter enables the automatic termination of	 swtpm
	   when	 the  control channel connection has been lost.	This is	useful
	   in  scenarios  where	 the  control  channel	connection   is	  held
	   permanently,	 such  as  by  QEMU,  and  swtpm should	terminate upon
	   abnormal  termination  of  the  client  that	 could	not   send   a
	   CMD_SHUTDOWN	via the	control	channel	anymore.

	   The control channel enables out-of-band control of the TPM, such as
	   resetting the TPM.

Options	for all	interfaces
       The following options are support by all	interfaces:

       --tpmstate dir=<dir>[,mode=<0...>]|backend-uri=<uri>
	   Use	the  given  path  rather  than	using the environment variable
	   TPM_PATH.

	   If dir is specified,	the TPM	state files will be written to the dir
	   with	the given file mode bits. This value must be given as an octal
	   number starting with	a '0'.	The default value is 0640.

	   If backend-uri is specified,	the TPM	state data will	be  stored  to
	   the	  URI.	   Currently	backend-uri=dir://<path_to_dir>	   and
	   backend-uri=file://<path_to_dir> are	available. For	'dir://',  the
	   URI	should	specify	 the  path  to	the  directory where files are
	   stored.  If	path_to_dir  starts  with  a  '/'  then	 the  path  is
	   interpreted as an absolute path, otherwise it is a path relative to
	   the	current	 directory.   For  'file://', the URI should specify a
	   single file or block	device where  TPM  state  will	be  stored.  A
	   blockdevice	must  exist  already  and  be  big enough to store all
	   state. (since v0.7)

       --tpm2
	   Choose TPM 2	functionality; by default a TPM	1.2 is chosen.

       --log [fd=<fd>|file=<path>][,level=<n>] [,prefix=<prefix>][,truncate]
	   Enable logging to a file given its file descriptor or its path. Use
	   '-' for path	to suppress the	logging.

	   The level parameter allows a	user to	choose the level  of  logging.
	   Starting at log level 5, libtpms debug logging is activated.

	   All logged lines will be prefixed with prefix. By default no	prefix
	   is prepended.

	   If truncate is passed, the log file will be truncated.

       --locality reject-locality-4[,allow-set-locality]
	   The reject-locality-4 parameter will	cause TPM error	messages to be
	   returned for	requests to set	the TPM	into locality 4.

	   The	allow-set-locality  parameter  allows  the  swtpm  to  receive
	   TPM/TPM2_SetLocality	commands. This is parameter is useful  if  the
	   Linux  VTPM	proxy  driver  access  is  enabled  by file descriptor
	   passing.  This option is implied by	the  --vtpm-proxy  option  and
	   therefore  need  not	be explicitly set if this option is passed. In
	   all other cases care	should	be  taken  as  to  who	can  send  the
	   TPM/TPM2_SetLocality	command.

       --key file=<keyfile>|fd=<fd>
       [,format=<hex|binary>][,mode=aes-cbc|aes-256-cbc],
       [remove[=true|false]]
	   Enable  encryption  of the state files of the TPM. The keyfile must
	   contain an AES key of supported size; 128 bit (16  bytes)  and  256
	   bit (32 bytes) keys are supported.

	   The	key  may be in binary format, in which case the	file size must
	   be 16 or 32 bytes. If the key is in hex format (default),  the  key
	   may consist of 32 or	64 hex digits starting with an optional	'0x'.

	   The	mode  parameter	 indicates  which block	chaining mode is to be
	   used.   Currently  aes-cbc  (aes-128-cbc)   and   aes-256-cbc   are
	   supported.	 The  encrypted	 data  is  integrity  protected	 using
	   encrypt-then-mac.

	   The remove parameter	will attempt to	remove the given keyfile  once
	   the key has been read.

       --key pwdfile=<passphrase file>|pwdfd=<fd>
       [,mode=aes-cbc|aes-256-cbc][remove[=true|false]][,kdf=sha512|pbkdf2]
	   This	 variant  of  the  key	parameter  allows  a user to provide a
	   passphrase in a file.  The file is read and a key is	 derived  from
	   it using either a SHA512 hash or PBKDF2. By default PBKDF2 is used.

       --migration-key file=<keyfile>|fd=<fd>
       [,format=<hex|binary>][,mode=aes-cbc|aes-256-cbc]
       [,remove[=true|false]]
	   The	availability  of a migration key ensures that the state	of the
	   TPM will not	be revealed in unencrypted form	 when  the  TPM	 state
	   blobs are retrieved through the ioctl interface.  The migration key
	   is not used for encrypting TPM state	written	to files, this is what
	   the --key parameter is used for.

	   The	migration  key	and  the key used for encrypting the TPM state
	   files may be	the same.

	   While the key for the TPM state files  needs	 to  stay  with	 those
	   files  it  encrypts,	 the  migration	key needs to stay with the TPM
	   state blobs.	If for example	the  state  of	the  TPM  is  migrated
	   between  hosts in a data center, then the TPM migration key must be
	   available at	all the	destinations, so in effect it may have to be a
	   key shared across all machines in the datacenter.  In  contrast  to
	   that,  the  key  used  for  encrypting  the	TPM state files	can be
	   different for each TPM and need only	be available on	the host where
	   the TPM state resides.

	   The migration key enables the encryption of the  TPM	 state	blobs.
	   The	keyfile	must contain an	AES key	of supported size; 128 bit (16
	   bytes) and 256 bit (32 bytes) keys are supported.

	   The key may be in binary format, in which case the file  size  must
	   be  16  or 32 bytes.	If the key is in hex format (default), the key
	   may consist of 32 or	64 hex digits starting with an optional	'0x'.

	   The mode parameter indicates	which block chaining  mode  is	to  be
	   used.    Currently	aes-cbc	  (aes-128-cbc)	 and  aes-256-cbc  are
	   supported.	The  encrypted	data  is  integrity  protected	 using
	   encrypt-then-mac.

	   The	remove parameter will attempt to remove	the given keyfile once
	   the key has been read.

       --migration-key pwdfile=<passphrase file>|pwdfd=<fd>
       [,mode=aes-cbc|aes-256-cbc][,remove[=true|false]][,pdf=sha512|pbkdf2]
	   This	variant	of the key  parameter  allows  a  user	to  provide  a
	   passphrase  in  a file.  The	file is	read and a key is derived from
	   it using either a SHA512 hash or PBKDF2. By default PBKDF2 is used.

       --pid file=<pidfile>|fd=<filedescriptor>
	   This	options	allows a user to  set  the  name  of  file  where  the
	   process  ID	(pid)  of  the	TPM  will  be written into. It is also
	   possible to pass a file descriptor to a file	that has  been	opened
	   for writing.

       -r|--runas <owner>
	   Switch  to  the given user. This option can only be used when swtpm
	   is started as root.

       -R|--chroot <path<gt>
	   Chroot to the given directory at startup. This option can  only  be
	   used	when swtpm is started as root.

       --seccomp action=none|log|kill (since v0.2)
	   This	 option	 allows	 a  user  to  select the action	to take	by the
	   seccomp profile when	a syscall is executed that is not allowed. The
	   default is kill. To disable the seccomp profile, choose  none.  The
	   log	action	logs  offending	 syscalls.   The  log  action  is only
	   available if	libseccomp supports logging.

	   This	option is only available  on  Linux  and  only	if  swtpm  was
	   compiled with libseccomp support.

       --flags
       [not-need-init][,startup-clear|startup-state|startup-deactivated|startup-none][,disable-auto-shutdown]
	   The not-need-init flag enables the TPM to accept TPM	commands right
	   after  start	without	requiring an INIT to be	sent to	it through the
	   command channel (see	the '-i' option	of swtpm_ioctl).

	   The startup options cause a TPM_Startup or TPM2_Startup command  to
	   automatically be sent. The startup-deactivated option is only valid
	   for	a  TPM	1.2. These options imply not-need-init,	except for the
	   startup-none	option,	which results in no command being sent.

	   If --vtpm-proxy is used, startup-clear is automatically chosen  but
	   this	can be changed with this option.

	   The	disable-auto-shutdown  flag  prevents swtpm from automatically
	   sending a TPM2_Shutdown() before the	reset of a TPM 2 or before the
	   swtpm process is terminated.	When this flag is  not	provide	 swtpm
	   will	 send  this  command to	avoid increasing the dictionary	attack
	   (DA)	lockout	counter	and ulimately a	DA lockout by the TPM 2	due to
	   omission of sending a required TPM2_Shutdown() before TPM  2	 reset
	   or swtpm process termination.

       --print-capabilities (since v0.2)
	   Print  capabilities that were added to swtpm	after version 0.1. The
	   output may contain the following:

	       {
		 "type": "swtpm",
		 "features": [
		   "tpm-1.2",
		   "tpm-2.0",
		   "cmdarg-seccomp",
		   "cmdarg-key-fd",
		   "cmdarg-pwd-fd",
		   "cmdarg-print-states",
		   "cmdarg-chroot",
		   "cmdarg-migration",
		   "nvram-backend-dir",
		   "nvram-backend-file",
		   "tpm-send-command-header",
		   "flags-opt-startup",
		   "flags-opt-disable-auto-shutdown",
		   "rsa-keysize-1024",
		   "rsa-keysize-2048",
		   "rsa-keysize-3072"
		 ],
		 "version": "0.7.0"
	       }

	   The version field is	available since	v0.7.

	   The meaning of the feature verbs is as follows:

	   tpm-1.2 (since v0.7)
	       TPM 1.2 emulation is supported (libtpms is  compiled  with  1.2
	       support).

	   tpm-2.0 (since v0.7)
	       TPM  2  emulation  is  supported	 (libtpms is compiled with 2.0
	       support).

	       (the --tpm2 option is supported)

	   cmdarg-seccomp (since v0.2)
	       The --seccomp option is supported.

	   cmdarg-key-fd (since	v0.2)
	       The --key option	supports the fd= parameter.

	   cmdarg-pwd-fd (since	v0.2)
	       The --key option	supports the pwdfd= parameter.

	   cmdarg-print-states (since v0.7)
	       The --print-states option is supported.

	   cmdarg-chroot (since	v0.8)
	       The --chroot option is supported.

	   cmdarg-migration (since v0.8)
	       The --migration option is supported.

	   nvram-backend-dir (since v0.7)
	       The  --tpmstate	option	supports   the	 backend-uri=dir://...
	       parameter.

	   nvram-backend-file (since v0.7)
	       The   --tpmstate	 option	 supports  the	backend-uri=file://...
	       parameter.

	   tpm-send-command-header (since v0.2)
	       The TPM 2 commands may be prefixed by a header that  carries  a
	       4-byte  command,	 1 byte	for locality, and 4-byte TPM 2 command
	       length indicator.  The TPM 2  will  respond  by	preprending  a
	       4-byte  response	 indicator  and	 a 4-byte trailer. All data is
	       sent in big endian format.

	   flags-opt-startup (since v0.3)
	       The --flags option supports the startup-... options.

	   flags-opt-disable-auto-shutdown (since v0.8)
	       The --flags option supports the disable-auto-shutdown flag.

	   rsa-keysize-2048 (since v0.4)
	       The TPM 2 supports the shown RSA	key sizes. If none of the rsa-
	       keysize verbs  is  shown	 then  only  RSA  2048	bit  keys  are
	       supported.

       --print-states (since v0.7)
	   This	 option	 allows	 to print out the TPM 1.2 or TPM 2 state blobs
	   that	are  currently	stored	in  a  storage	backend.  This	option
	   requires that the storage backend be	specified using	the --tpmstate
	   option  and	if  TPM	 2  state  blobs are supposed to be shown, the
	   --tpm2 option must be passed.

	   The following shows the JSON	output of this	option.	 It  indicates
	   that	the 'permall' and 'volatile' states are	available.

	       {
		 "type": "swtpm",
		 "states": [
		   {
		     "name": "permall",
		     "size": 6013
		   }, {
		     "name": "volatile",
		     "size": 1087
		   }
		 ]
	       }

       --migration [incoming][,release-lock-outgoing]
	   This	 option	allows to control the locking of the NVRAM storage for
	   the purpose of supporting migration between hosts that have	shared
	   storage  setup  for	the  swtpm's state directory and if locking is
	   supported by	the storage backend. The directory storage backend for
	   example supports locking  and  therefore  requires  usage  of  this
	   option  in  case  of	 shared	 storage.  When	providing the incoming
	   option parameter swtpm defers the locking of	the  NVRAM  until  the
	   state  blobs	 are  received	or  until  the	first  TPM  command is
	   processed if	no  state  blobs  were	received.   The	 release-lock-
	   outgoing  option  parameter	causes swtpm to	release	any NVRAM lock
	   once	the TPM's 'savestate' blob is received from  swtpm.  To	 avoid
	   releasing  the  lock	too early the 'permanent' and 'volatile' state
	   blobs must be received before the 'savestate' blob.

       -h|--help
	   Display usage info.

NOTES
       If a TPM	 2  is	used,  the  user  is  typically	 required  to  send  a
       TPM2_Shutdown()	command	 to  a	TPM 2 to avoid possibly	increasing the
       TPM_PT_LOCKOUT_COUNTER that  may	 lead  to  a  dictionary  attack  (DA)
       lockout	upon  next  startup (TPM2_Startup()) of	the TPM	2. Whether the
       TPM_PT_LOCKOUT_COUNTER is increased depends on previous	commands  sent
       to  the	TPM 2 as well as internal state	of the TPM 2. One example that
       will trigger the	counter	to increase is the omission of a password when
       trying to access	a password-protected object or NVRAM location that has
       the DA attribute	set, followed by termination of	swtpm without  sending
       TPM2_Shutdown().	 To  avoid  a DA lockout swtpm will make a best-effort
       and send	a TPM2_Shutdown(SU_STATE) or TPM2_Shutdown(SU_CLEAR) if	 found
       necessary.

SEE ALSO
       swtpm_bios, swtpm_cuse

swtpm				  2024-06-17			      swtpm(8)

---

NAME | SYNOPSIS | DESCRIPTION | Options for socket interface | Options for character device interface | Options for the CUSE interface | Options for socket and character device interfaces: | Options for all interfaces | NOTES | SEE ALSO

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=swtpm_cuse&sektion=8&manpath=FreeBSD+Ports+14.3.quarterly>

home | help

---

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact