tpm2.0-tools Manual
===================
1. Common steps before running any tools from tpm2.0-tools

First of all, clone TPM2.0-TSS and follow the build process to install it.

Then follow below steps for tpm2.0-tools.

Build:
$ ./bootstrap
$ ./configure
$ make

Install:
$ sudo make install

Launch resourcemgr daemon:
$ resourcemgr
or
$ resourcemgr -sim -tpmhost <ip>

The resourcemgr can connect to either physical tpm or remote MS/IBM simulator,
refer to the help of resourcemgr for details.

2. running tools
All tool executables are built under ./tools/. So once resourcemgr is up:
$ cd ./tools
$ ./tpm2_xxx -x...

Or if the tools are installed:
$ tpm2_xxx -x...

3. tool usages
common options
This collection of options are common to many programs and provide information that many users may expect.
-h, --help     Display a manual describing the tool and its usage.
-v, --version  Display version information for this tool.
-V, --verbose  Increase the information that the tool prints to the console during its execution.

tcti options (depends on configure time options for tcti's.)
This collection of options are used to configure the varous TCTI modules available.
-T, --tcti           Select the TCTI used for communication with the next component down the TSS stack.
                     In most configurations this will be the TPM but it could be a simulator or proxy.
                     Supported TCTIs are or “device” or “socket” .
-d, --device-file    Specify the TPM device file for use by the device TCTI. The default is /dev/tpm0.
-R, --socket-address Specify the domain name or IP address used by the socket TCTI. The default is 127.0.0.1.
-p, --socket-port    Specify the port number used by the socket TCTI. The default is 2321.

Subset 1: NV tools
------------------
* tpm2_nvdefine
Define NV index with given auth value, if passwd not given, assume NULL

Usage:
tpm2_nvdefine [-x/--index <nvIdx>] [-a/--authHandle <hexHandle>]
              [-s/--size <size>] [-t/--attribute <attributeDWord>]
              [-P/--handlePasswd <string>] [-I/--indexPasswd <string>]
              [-X/--passwdInHex]

where:
  -x/--index <nvIdx>              specifies the index of the NV area.
  -a/--authHandle <hexHandle>     specifies the handle used to authorize:
                                    0x40000001 (TPM_RH_OWNER)
                                    0x4000000C (TPM_RH_PLATFORM)
  -s/--size <size>                specifies the size of data area.
  -t/--attribute <attributeDWord> specifies the value of attribute in
                                  publicInfo struct (need calculate outside).
  -P/--handlePasswd <string>      specifies the password of authHandle.
  -I/--indexPasswd <string>       specifies the password of NV Index when
                                  created.
  -X/--passwdInHex                passwords given by any options are hex format

example:
    tpm2_nvdefine -x 0x1500016 -a 0x40000001 -s 32 -t 0x2000A
    tpm2_nvdefine -x 0x1500016 -a 0x40000001 -s 32 -t 0x2000A -I 1a1b1c -X

* tpm2_nvrelease
release NV index, if any passwd option is missing, assume NULL.

Usage:
tpm2_nvrelease [-x/--index <nvIdx>] [-a/--authHandle <hexHandle>]
               [-P/--handlePasswd <string>]
               [-X/--passwdInHex]

where:
  -x/--index <nvIdx>              specifies the index of the NV area.
  -a/--authHandle <hexHandle>     specifies the handle used to authorize:
                                    0x40000001 (TPM_RH_OWNER)
                                    0x4000000C (TPM_RH_PLATFORM)
  -P/--handlePasswd <string>      specifies the password of authHandle.
  -X/--passwdInHex                passwords given by any options are hex format
 
example:
    tpm2_nvrelease -x 0x1500016 -a 0x40000001 -P passwd
    tpm2_nvrelease -x 0x1500016 -a 0x40000001 -P 1a1b1c -X

* tpm2_nvread
read content from NV index, if any passwd option is missing, assume NULL.

Usage:
tpm2_nvread [-x/--index <nvIdx>] [-a/--authHandle <hexHandle>]
            [-P/--handlePasswd <string>] [-s/--size <size>]
            [-o/--offset <offset>]
            [-X/--passwdInHex]

where:
  -x/--index <nvIdx>              specifies the index of the NV area.
  -a/--authHandle <hexHandle>     specifies the handle used to authorize:
                                    0x40000001 (TPM_RH_OWNER)
                                    0x4000000C (TPM_RH_PLATFORM)
                                    {NV_INDEX_FIRST:NV_INDEX_LAST}
  -P/--handlePasswd <string>      specifies the password of authHandle.
  -s/--size <size>                specifies the number of octets to read.
  -o/--offset <offset>            specifies octet offset into the area
                                  This value shall be less than or equal to the
                                  size of the nvIndex data.
  -X/--passwdInHex                passwords given by any options are hex format

example:
    tpm2_nvread -x 0x1500016 -a 0x40000001 -P passwd -s 32 -o 0
    tpm2_nvread -x 0x1500016 -a 0x40000001 -P 1a1b1c -s 32 -o 0 -X

* tpm2_nvreadlock
lock the NV index for further reads until the machine is restarted

Usage:
tpm2_nvreadlock [-x/--index <nvIdx>] [-a/--authHandle <hexHandle>]
                [-P/--handlePasswd <string>]
                [-X/--passwdInHex]

where:
  -x/--index <nvIdx>              specifies the index of the NV area.
  -a/--authHandle <hexHandle>     specifies the handle used to authorize:
                                    0x40000001 (TPM_RH_OWNER)
                                    0x4000000C (TPM_RH_PLATFORM)
                                    {NV_INDEX_FIRST:NV_INDEX_LAST}
  -P/--handlePasswd <string>      specifies the password of authHandle.
  -X/--passwdInHex                passwords given by any options are hex format

example:
    tpm2_nvreadlock -x 0x1500016 -a 0x40000001 -P passwd
    tpm2_nvreadlock -x 0x1500016 -a 0x40000001 -P 1a1b1c -X

* tpm2_nvwrite
write content from a file to a specified index, if any passwd option is
missing, assume NULL.

Usage:
tpm2_nvwrite [-x/--index <nvIdx>] [-a/--authHandle <hexHandle>] 
             [-P/--handlePasswd <string>] [-f/--file <filename>]
             [-X/--passwdInHex]

where:
  -x/--index <nvIdx>              specifies the index of the NV area.
  -a/--authHandle <hexHandle>     specifies the handle used to authorize:
                                    0x40000001 (TPM_RH_OWNER)
                                    0x4000000C (TPM_RH_PLATFORM)
                                    {NV_INDEX_FIRST:NV_INDEX_LAST}
  -P/--handlePasswd <string>      specifies the password of authHandle.
  -f/--file <filename>            specifies the nv data file.
  -X/--passwdInHex                passwords given by any options are hex format

example:
    tpm2_nvwrite -x 0x1500016 -a 0x40000001 -P passwd -f nv.data
    tpm2_nvwrite -x 0x1500016 -a 0x40000001 -P 1a1b1c -X -f nv.data

* tpm2_nvlist
display all defined NV indices.

Usage:
tpm2_nvlist

example:
    tpm2_nvlist


Subset 2: Attestation tools
---------------------------
* tpm2_takeownership
Inserting authorization values for the ownerAuth, endorsementAuth, and
lockoutAuth, if any passwd option is missing, assume NULL.

Usage:
tpm2_takeownership [-e/--endorsePasswd <password>]
                   [-o/--ownerPasswd <password>]
                   [-l/--lockPasswd <password>]
                   [-E/--oldEndorsePasswd <password>] 
                   [-O/--oldOwnerPasswd <password>]
                   [-L/--oldLockPasswd <password>]
                   [-X/--passwdInHex]

where:
  -o/--ownerPasswd <password>      new Owner authorization value (string,
                                   optional, default:NULL).
  -e/--endorsePasswd <password>    new Endorsement authorization value (string,
                                   optional, default:NULL).
  -l/--lockPasswd <password>       new Lockout authorization value (string,
                                   optional, default:NULL).
  -O/--oldOwnerPasswd <password>   old Owner authorization (string, optional, 
                                   default:NULL).
  -E/--oldEndorsePasswd <password> old Endorsement authorization (string,
                                   optional, default:NULL).
  -L/--oldLockPasswd <password>    old Lockout authorization (string, optional,
                                   default:NULL).
  -X/--passwdInHex                 passwords given by any options are hex format
  -c/--clear [-L <password> [-X]]  clears the 3 authorizations values with
                                   lockout auth.

example:
Set ownerAuth, endorsementAuth and lockoutAuth to emptyAuth: 
    tpm2_takeownership -c -L old
Set ownerAuth, endorsementAuth and lockoutAuth to a newAuth: 
    tpm2_takeownership -o new -e new -l new -O old -E old -L old
    tpm2_takeownership -o 2a2b2c -e 2a2b2c -l 2a2b2c -O 1a1b1c -E 1a1b1c -L 1a1b1c -X

* tpm2_getpubek
Generate TCG profile compliant endorsement key(endorsement hierarchy primary
object), make it persistent with give ek handle, and return public EK, if any
passwd option is missing, assume NULL, default type/alg is 0x1(RSA)
Refer to:
http://www.trustedcomputinggroup.org/files/static_page_files/7CAA5687-1A4B-B294-D04080D058E86C5F/Credential_Profile_EK_V2.0_R14_published.pdf

Usage:
tpm2_getpubek [-e/--endorsePasswd <password>] [-o/--ownerPasswd <password>] 
              [-P/--ekPasswd <password>] [-H/--handle <hexHandle>] 
              [-g/--alg <hexAlg>] [-f/--file <outputFile>]
              [-X/--passwdInHex]

where:
  -e/--endorsePasswd <password>   specifies current endorse password (string,
                                  optional, default:NULL).
  -o/--ownerPasswd   <password>   specifies current owner password (string,
                                  optional, default:NULL).
  -P/--ekPasswd      <password>   specifies the EK password when created
                                  (string, optional, default:NULL).
  -H/--handle        <hexHandle>  specifies the handle used to make EK
                                  persistent (hex).
  -g/--alg           <hexAlg>     specifies the algorithm type of EK
                                  (default:0x01/TPM_ALG_RSA).
                                    TPM_ALG_RSA             0x0001
                                    TPM_ALG_KEYEDHASH       0x0008
                                    TPM_ALG_ECC             0x0023
                                    TPM_ALG_SYMCIPHER       0x0025
  -f/--file          <outputFile> specifies the file used to save the public
                                  portion of EK.
  -X/--passwdInHex                passwords given by any options are hex format

example:
    tpm2_getpubek -e abc123 -o abc123 -P passwd -H 0x81010001 -g 0x01 -f ek.pub
    tpm2_getpubek -e 1a1b1c -o 1a1b1c -P 123abc -X -H 0x81010001 -g 0x01 -f ek.pub

* tpm2_getmanufec
Retrieve the Endorsement Credential Certificate for the TPM endorsement key from the TPM manufacturer's endorsement certificate hosting server

Usage:
tpm2_getmanufec [-e/--endorsePasswd <password>] [-o/--ownerPasswd <password>]
                [-P/--ekPasswd <password>] [-H/--handle <hexHandle>]
                [-g/--alg <hexAlg>] [-f/--file <outputFile>]
                [-S/--EKserverAddr <EKserverAddr>]
                [-E/--ECcertFile <ECcertFile>]
                [-X/--passwdInHex]

where:
  -e/--endorsePasswd <password>     specifies current endorse password (string,
                                    optional,default:NULL).
  -o/--ownerPasswd   <password>     specifies current owner password (string,
                                    optional,default:NULL).
  -P/--ekPasswd      <password>     specifies the EK password when created
                                    (string,optional,default:NULL).
  -H/--handle        <hexHandle>    specifies the handle used to make EK
                                    persistent (hex).
  -g/--alg           <hexAlg>       specifies the algorithm type of EK
                                    (default:0x01/TPM_ALG_RSA).
  -f/--file          <outputFile>   specifies the file used to save the public
                                    portion of EK.
  -N/--NonPersistent                specifies to readout the EK public without
                                    making it persistent
  -O/--OfflineProv                  specifies that the file specifier from '-f'
                                    is an EK retrieved from offline platform
                                    that needs to be provisioned
  -E/--ECcertFile    <ECcertFile>   specifies the file used to save the
                                    Endorsement Credentials retrieved from
                                    the TPM manufacturer provisioning server
  -S/--EKserverAddr  <EKserverAddr> specifies to attempt retrieving the
                                    Endorsement Credentials from the specified
                                    TPM manufacturer provisioning server
  -U/--SSL_NO_VERIFY                specifies to attempt connecting with the
                                    TPM manufacturer provisioning server with
                                    SSL_NO_VERIFY option
  -X/--passwdInHex                  passwords given by any options are hex
                                    format

example:
    tpm2_getmanufec -e abc123 -o abc123 -P passwd -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin -S https://tpm.manufacturer.com/ekcertserver/ 
    tpm2_getmanufec -e 1a1b1c -o 1a1b1c -P 123abc -X -H 0x81010001-g 0x01 -O -N -U -E ECcert.bin -f ek.bin -S https://tpm.manufacturer.com/ekcertserver/ 

* tpm2_getpubak
Generate attestation key with given algorithm under endorsement hierarchy,
make it persistent with given ak handle, and return pub AK and AK name,
if any passwd option is missing, assume NULL, default type/alg is 0x1(RSA),
default digestAlg is 0xb(SHA256), default signAlg is 0x14(RSASSA) for RSA,
0x18(ECDSA) for ECC

Usage:
tpm2_getpubak [-e/--endorsePasswd <password>] [-P/--akPasswd <password>] 
              [-o/--ownerPasswd <password>] [-E/--ekHandle <hexHandle>]
              [-k/--akHandle <hexHandle>] [-g/--alg <hexAlg>] 
              [-D/--digestAlg <hexAlg>] [-s/--signAlg <hexAlg>] 
              [-f/--file <outputFile>] [-n/--akName <aknameFile>]   
              [-X/--passwdInHex]

where:
  -e/--endorsePasswd <password>   specifies current endorsement password
                                  (string,optional,default:NULL).
  -P/--akPasswd    <password>     specifies the AK password when created
                                  (string,optional,default:NULL).
  -o/--ownerPasswd <password>     specifies current owner password
                                  (string,optional,default:NULL).
  -E/--ekHandle    <hexHandle>    specifies the handle of EK (hex).
  -k/--akHandle    <hexHandle>    specifies the handle used to make AK
                                  persistent (hex).
  -g/--alg         <hexAlg>       specifies the algorithm type of AK
                                  (default:0x01/TPM_ALG_RSA):
                                    TPM_ALG_RSA             0x0001
                                    TPM_ALG_KEYEDHASH       0x0008
                                    TPM_ALG_ECC             0x0023
  -D/--digestAlg  <hexAlg>        specifies the algorithm of digest.
                                      0x0004  TPM_ALG_SHA1
                                      0x000B  TPM_ALG_SHA256
                                      0x000C  TPM_ALG_SHA384
                                      0x000D  TPM_ALG_SHA512
                                      0x0012  TPM_ALG_SM3_256
  -s/--signAlg    <hexAlg>        specifies the algorithm of sign.
                                      0x0005  TPM_ALG_HMAC
                                      0x0014  TPM_ALG_RSASSA
                                      0x0016  TPM_ALG_RSAPSS
                                      0x0018  TPM_ALG_ECDSA
                                      0x001A  TPM_ALG_ECDAA
                                      0x001B  TPM_ALG_SM2
                                      0x001C  TPM_ALG_ECSCHNORR
  -f/--file       <outputFile>    specifies the file used to save the public
                                  portion of AK.
  -n/--akName     <aknameFile>    specifies the file used to save the ak name.
  -X/--passwdInHex                passwords given by any options are hex format.

example:
    tpm2_getpubak -e abc123 -P abc123 -o passwd -E 0x81010001 -k 0x81010002 -f ./ak.pub -n ./ak.name
    tpm2_getpubak -e 1a1b1c -P 123abc -o 1a1b1c -X -E 0x81010001 -k 0x81010002 -f ./ak.pub -n ./ak.name

* tpm2_akparse
parse the algorithm and key values in TPM2B_PUBLIC struct which input via
file inputFile, and output the key into file akKeyFile.

Usage:
tpm2_akparse [-f inputFile][-k akKeyFile]

where:
  -f    Specifies the file used to be parsed.
  -k    Specifies the file used to save ak key.

example:
    tpm2_akparse -f ./ak.data -k ./ak.key

* tpm2_makecredential
Use the given tpm public key to protect the given secret which are used to
encrypt the AK cert.

Usage:
  -e, --encKey <keyFile>   A tpm Public Key which was used to wrap the seed
  -s, --sec   <secFile>    The secret which will be protected by the key
                           derived from the random seed
  -n, --name  <hexString>  The name of the key for which certificate is to be
                           created
  -o, --outFile<filePath>  output file path, recording the two structures
                           output by tpm2_makecredential function

example:
    tpm2_makecredential -e <keyFile> -s <secFile> -n <hexString> -o <outFile>

* tpm2_activatecredential
Verify that the given content is protected with given keyHandle for given
handle, and then decrypt and return the secret, if any passwd option is
missing, assume NULL. Currently only support using TCG profile compliant EK as
the keyHandle.

Usage:
  -H, --handle   <hexHandle>   Handle of the object associated with the created
                               certificate by CA
  -c, --context   <filename>   filename for handle context
  -k, --keyHandle <hexHandle>  Loaded key used to decrypt the the random seed
  -C, --keyContext <filename>  filename for keyHandle context
  -P, --Password    <string>   the handle's password, optional
  -e, --endorsePasswd <string> the endorsement password, optional
  -f, --inFile   <filePath>    Input file path, containing the two structures
                               needed by tpm2_activatecredential function
  -o, --outFile  <filePath>    Output file path, record the secret to decrypt
                               the certificate
  -X, --passwdInHex            passwords given by any options are hex format.

example:
    tpm2_activatecredential -H 0x81010002 -k 0x81010001 -P abc123 -e abc123 -f <filePath> -o <filePath>
    tpm2_activatecredential -c ak.context -C ek.context -P abc123 -e abc123 -f <filePath> -o <filePath>
    tpm2_activatecredential -H 0x81010002 -k 0x81010001 -P 123abc -e 1a1b1c -X -f <filePath> -o <filePath>

* tpm2_listpcrs
display all PCR values in given algorithm with -g, display given PCR values
in given algorithms with -L, or if no algorithm is given, output all algs.
Output file just contains all returned PCR values in binary format and in
0~23 order and in the requested order if multiple algs were requested. Assume
the caller know the pcr value length corresponding to the given bank/algorithm.

Usage:
  -g, --algorithim <hexAlg>     The algorithm id, optional
                                  0x0004  TPM_ALG_SHA1
                                  0x000B  TPM_ALG_SHA256
                                  0x000C  TPM_ALG_SHA384
                                  0x000D  TPM_ALG_SHA512
                                  0x0012  TPM_ALG_SM3_256
  -o, --output  <filename>      The file to hold the PCR values in binary
                                format, optional
  -L, --selList <hexAlg1:num1,...,numN+hexAlg2:num2_1,...,num2_M+...>
                                The list of pcr banks and selected PCRs' ids
                                (0~23) for each bank
  -s, --algs                    Show the supported algs in the PCR banks

example:
    display all PCR values:  
        tpm2_listpcrs
    display the PCR values with specified bank:
        tpm2_listpcrs -g 0x04
    display the PCR values with specified banks and store in a file:
        tpm2_listpcrs -L 0x04:16,17,18+0x0b:16,17,18 -o pcrs
    display the supported algs in the PCR banks:
        tpm2_listpcrs -s

* tpm2_quote
Provide quote and signature for given list of PCRs in given algorithm/banks.

Usage:
  -k, --akHandle <hexHandle>    Handle of existing AK
  -c, --akContext <filename>    filename for the existing AK's context
  -P, --akPassword <akPassword> AK handle's Password
  -l, --idList  <num1,...,numN> The list of selected PCRs' ids, 0~23
  -g, --algorithm <hexAlg>      The algorithm id
  -L, --selList <hexAlg1:num1,...,numN+hexAlg2:num2_1,...,num2_M+...>
                                The list of pcr banks and selected PCRs' ids
                                (0~23) for each bank
  -o, --outFile<filePath>       output file path, recording the two structures
                                output by tpm2_quote function
  -X, --passwdInHex             passwords given by any options are hex format.
  -q, --qualifyData <hexData>   Data given as a Hex string to qualify the
                                quote, optional.

Note:
-L option & -g/-l options are mutually exclusive. -g/-l can be used to specify
PCRs in one bank, and -L can be used to specify PCRs in any number of existing
banks.

example:
    tpm2_quote -k 0x81010002 -P abc123 -g 0x4 -l 16,17,18 -o outFile001
    tpm2_quote -c ak.context -P abc123 -g 0x4 -l 16,17,18 -o outFile001
    tpm2_quote -k 0x81010002 -g 0x4 -l 16,17,18 -o outFile001
    tpm2_quote -c ak.context -g 0x4 -l 16,17,18 -o outFile001
    tpm2_quote -k 0x81010002 -P 123abc -X -L 0x4:16,17,18+0xb:16,17,18 -o outFile001 -q 11aa22bb


* tpm2_listpersistent
display all defined persistent objects.

Usage:
tpm2_listpersistent

example:
    tpm2_listpersistent


Subset 3: Key management tools
------------------------------
* tpm2_createprimary
create a Primary Object under one of the Primary Seeds or a Temporary Object
under TPM_RH_NULL.

Usage:
  -A, --auth <o | p |...>  the authorization used to authorize thecommands
                             o  TPM_RH_OWNER
                             p  TPM_RH_PLATFORM
                             e  TPM_RH_ENDORSEMENT
                             n  TPM_RH_NULL
  -P, --pwdp <string>      password for hierarchy, optional
  -K, --pwdk <string>      password for key, optional
  -g, --halg <sha1,...>    algorithm used for computing the Name of the object
                             0x0004  TPM_ALG_SHA1
                             0x000B  TPM_ALG_SHA256
                             0x000C  TPM_ALG_SHA384
                             0x000D  TPM_ALG_SHA512
                             0x0012  TPM_ALG_SM3_256
  -G, --kalg <rsa,...>     algorithm associated with this object
                             0x0001  TPM_ALG_RSA
                             0x0008  TPM_ALG_KEYEDHASH
                             0x0023  TPM_ALG_ECC
                             0x0025  TPM_ALG_SYMCIPHER
  -C, --context <filename> The file to save the object context, optional
  -X, --passwdInHex        passwords given by any options are hex format.

example:
    tpm2_createprimary -A e -P abc123 -K def456 -g 0x000B -G 0x0008
    tpm2_createprimary -A e -P abc123 -K def456 -g 0x000B -G 0x0008 -C ek.context
    tpm2_createprimary -A e -P 1a2b3c -K 456def -X -g 0x000B -G 0x0008

* tpm2_create
create an object that can be loaded into a TPM using tpm2_load. The object
will need to be loaded before it may be used.

Usage:
  -H, --parent <handle>          parent handle
  -c, --contextParent <filename> filename for parent context
  -P, --pwdp   <string>          password for parent key, optional
  -K, --pwdk   <string>          password for key, optional
  -g, --halg   <hexAlg>          algorithm used for computing the Name of the
                                 object
                                   0x0004  TPM_ALG_SHA1
                                   0x000B  TPM_ALG_SHA256
                                   0x000C  TPM_ALG_SHA384
                                   0x000D  TPM_ALG_SHA512
                                   0x0012  TPM_ALG_SM3_256
  -G, --kalg   <hexAlg>          algorithm associated with this object
                                   0x0001  TPM_ALG_RSA
                                   0x0008  TPM_ALG_KEYEDHASH
                                   0x0023  TPM_ALG_ECC
                                   0x0025  TPM_ALG_SYMCIPHER
  -A, --objectAttribute <hexDWord>  object attributes, optional
  -I, --inFile <dataFileToBeSealed> data file to be sealed, optional
  -L, --pol <policyFile>         the input policy file, optional
  -o, --opu <publicKeyFileName>  the output file which contains the public key,
                                 optional
  -O, --opr <privateKeyFileName> the output file which contains the private key,
                                 optional
  -X, --passwdInHex              passwords given by any options are hex format.

example:
    tpm2_create -H 0x81010001 -P abc123 -K def456 -g 0x000B -G 0x0008 -I data.File -o opu.File
    tpm2_create -c parent.context -P abc123 -K def456 -g 0x000B -G 0x0008 -I data.File -o opu.File
    tpm2_create -H 0x81010001 -P 123abc -K 456def -X -g 0x000B -G 0x0008 -I data.File -o opu.File

* tpm2_evictcontrol
allows a transient object to be made persistent or a persistent object to
be evicted.

Usage:
  -A, --auth <o | p>                  the authorization used to authorize the
                                      commands
                                        o  TPM_RH_OWNER
                                        p  TPM_RH_PLATFORM
  -H, --handle <objectHandle>         the handle of a loaded object
  -c, --context <filename>            filename for object context
  -S, --persistent <persistentHandle> the persistent handle for objectHandle
  -P, --pwda <authorizationPassword>  authrization password, optional
  -X, --passwdInHex                   passwords given by any options are hex
                                      format.

example:
    tpm2_evictcontrol -A o -c object.context -S 0x81010002 -P abc123
    tpm2_evictcontrol -A o -H 0x81010002 -S 0x81010002 -P abc123
    tpm2_evictcontrol -A o -H 0x81010002 -S 0x81010002 -P 123abc -X

* tpm2_load
load objects into the TPM, both pub/priv portion are needed.

Usage:
  -H, --parent    <parentHandle>        parent handle
  -c, --contextParent <filename>        filename for parent context
  -P, --pwdp      <parentKeyPassword>   parent key password, optional
  -u, --pubfile   <publicKeyFileName>   The public portion of the object
  -r, --privfile  <privateKeyFileName>  The sensitive portion of the object
  -n, --name      <outPutFilename>      Output file name, containing the name
                                        structure
  -C, --context <filename>              The file to save the object context,
                                        optional
  -X, --passwdInHex                     passwords given by any options are hex
                                        format.

example:
    tpm2_load  -H 0x80000000 -P abc123 -u <pubKeyFileName> -r <privKeyFileName> -n <outPutFileName>
    tpm2_load  -c parent.context -P abc123 -u <pubKeyFileName> -r <privKeyFileName> -n <outPutFileName> -C object.context
    tpm2_load  -H 0x80000000 -P 123abc -X -u <pubKeyFileName> -r <privKeyFileName> -n <outPutFileName>

* tpm2_loadexternal
load an object that is not a Protected Object into the TPM. The command allows
loading of a public area or both a public and a sensitive area.

Usage:
  -H, --hierarchy <e|o|p|n>           Hierarchy with which the object area is
                                      associated
                                        e  TPM_RH_ENDORSEMENT
                                        o  TPM_RH_OWNER
                                        p  TPM_RH_PLATFORM
                                        n  TPM_RH_NULL
  -u, --pubfile  <publicKeyFileName>  The public portion of the object
  -r, --privfile <privateKeyFileName> The sensitive portion of the object,
                                      optional
  -C, --context <filename>            The file to save the object context,
                                      optional

example:
Load a public area generated by tpm2_create, tpm2_readpublic or manually
    tpm2_loadexternal -H <e|o|p|n> -u <pubKeyFileName> -C object.context
Load a key with sensitive area. Both the public & the senstive areas shall
be generated externally. *DON'T* use the areas generated by tpm2_create.
    tpm2_loadexternal -H n -u <pubKeyFileName> -r <privKeyFileName> -C object.context


Subset 4: Encryption tools
--------------------------
* tpm2_encryptdecrypt
performs symmetric encryption or decryption. keyHandle shall reference a
symmetric cipher object.

Usage:
  -k, --keyHandle<hexHandle>   the symmetric key used for the operation
                               (encryption/decryption)
  -c, --keyContext <filename>  filename of the key context used for the
                               operation
  -P, --pwdk     <password>    the password of key, optional
  -D, --decrypt  <YES | NO>    the operation type, default NO, optional
                                 YES     the operation is decryption
                                 NO      the operation is encryption
  -I, --inFile   <filePath>    Input file path, containing the data to be
                               operated
  -o, --outFile  <filePath>    Output file path, record the operated data
  -X, --passwdInHex            passwords given by any options are hex format.

example:
    tpm2_encryptdecrypt -k 0x81010001 -P abc123 -D NO -I <filePath> -o <filePath>
    tpm2_encryptdecrypt -c key.context -P abc123 -D NO -I <filePath> -o <filePath>
    tpm2_encryptdecrypt -k 0x81010001 -P 123abca -X -D NO -I <filePath> -o <filePath>

* tpm2_rsaencrypt
performs RSA encryption using the indicated padding scheme according to
IETF RFC 3447. The scheme of keyHandle should not be TPM_ALG_NULL. The key
referenced by keyHandle is required to be an RSA key (TPM_RC_KEY) with the
decrypt attribute SET (TPM_RC_ATTRIBUTES).

Usage:
  -k, --keyHandle <hexHandle> the public portion of RSA key to use for
                              encryption
  -c, --keyContext <filename> filename of the key context used for the operation
  -I, --inFile   <filePath>   Input file path, containing the data to be
                              encrypted
  -o, --outFile  <filePath>   Output file path, record the encrypted data

example:
    tpm2_rsaencrypt -k 0x81010001 -I <filePath> -o <filePath>
    tpm2_rsaencrypt -c key.context -I <filePath> -o <filePath>

* tpm2_rsadecrypt
performs RSA decryption using the indicated padding scheme according to
IETF RFC 3447 (PKCS#1). The scheme of keyHandle should not be TPM_ALG_NULL.
The key referenced by keyHandle is required to be an RSA key (TPM_RC_KEY)
with the decrypt attribute SET (TPM_RC_ATTRIBUTES).

Usage:
  -k, --keyHandle<hexHandle>  the public portion of RSA key to use for
                              decryption
  -c, --keyContext <filename> filename of the key context used for the operation
  -P, --pwdk     <password>   the password of key, optional
  -I, --inFile   <filePath>   Input file path, containing the data to be
                              decrypted
  -o, --outFile  <filePath>   Output file path, record the decrypted data
  -X, --passwdInHex           passwords given by any options are hex format.

example:
    tpm2_rsadecrypt -k 0x81010001 -I <filePath> -o <filePath>
    tpm2_rsadecrypt -k 0x81010001 -P 123abc -X -I <filePath> -o <filePath>

* tpm2_unseal
returns the data in a loaded Sealed Data Object.

Usage:
  -H, --item    <itemHandle>     item handle, handle of a loaded data object
  -c, --itemContext <filename>   filename for item context
  -P, --pwdi    <itemPassword>   item handle password, optional
  -o, --outfile <outPutFilename> Output file name, containing the unsealed data
  -X, --passwdInHex              passwords given by any options are hex format.

example:
    tpm2_unseal -H 0x81010001 -P abc123 -o <outPutFileName>
    tpm2_unseal -c item.context -P abc123 -o <outPutFileName>
    tpm2_unseal -H 0x81010001 -P 123abc -X -o <outPutFileName>


Subset 5: Signing tools
-----------------------
* tpm2_sign
sign an externally provided hash with the specified symmetric or asymmetric
signing key. If keyHandle references a restricted signing key, then validation
shall be provided, indicating that the TPM performed the hash of the data and
validation shall indicate that hashed data did not start with
TPM_GENERATED_VALUE. The scheme of keyHandle should not be TPM_ALG_NULL.

Usage:
  -k, --keyHandle<hexHandle>  Handle of key that will perform signing
  -c, --keyContext <filename> filename of the key context used for the operation
  -P, --pwdk     <password>   the password of key, optional
  -g, --halg     <hexAlg>     the hash algorithm used to digest the message
                                0x0004  TPM_ALG_SHA1
                                0x000B  TPM_ALG_SHA256
                                0x000C  TPM_ALG_SHA384
                                0x000D  TPM_ALG_SHA512
                                0x0012  TPM_ALG_SM3_256
  -m, --msg      <filePath>   the message file, containning the content to be
                              digested
  -t, --ticket   <filePath>   the ticket file, containning the validation
                              structure, optional
  -s, --sig      <filePath>   the signature file, record the signature structure
  -X, --passwdInHex           passwords given by any options are hex format.

example:
    tpm2_sign -k 0x81010001 -P abc123 -g 0x000B -m <filePath> -s <filePath> -t <filePath>
    tpm2_sign -c key.context - abc123 -g 0x000B -m <filePath> -s <filePath> -t <filePath>
    tpm2_sign -k 0x81010001 -P 123abc -X -g 0x000B -m <filePath> -s <filePath> -t <filePath>

* tpm2_verifysignature
uses loaded keys to validate a signature on a message with the message digest
passed to the TPM. If the signature check succeeds, then the TPM will produce
a TPMT_TK_VERIFIED. Otherwise, the TPM shall return TPM_RC_SIGNATURE. If
keyHandle references an asymmetric key, only the public portion of the key
needs to be loaded. If keyHandle references a symmetric key, both the public
and private portions need to be loaded.

Usage:
  -k, --keyHandle<hexHandle>  handle of public key that will be used in the
                              validation
  -c, --keyContext <filename> filename of the key context used for the operation
  -g, --halg     <hexAlg>     the hash algorithm used to digest the message
                                0x0004  TPM_ALG_SHA1
                                0x000B  TPM_ALG_SHA256
                                0x000C  TPM_ALG_SHA384
                                0x000D  TPM_ALG_SHA512
                                0x0012  TPM_ALG_SM3_256
  -m, --msg      <filePath>   the input message file, containning the content
                              to be digested
  -D, --digest   <filePath>   the input hash file, containning the hash of the
                              message. If this argument been chosed, the
                              argument '-m(--msg)' and '-g(--halg)' is no need
  -s, --sig      <filePath>   the input signature file, containning the
                              signature to be tested
  -r, --raw                   set the input signature file to raw type, default 
                              TPMT_SIGNATURE, optional
  -t, --ticket   <filePath>   the ticket file, record the validation structure

example:
    tpm2_verifysignature -k 0x81010001 -g 0x000B -m <filePath> -s <filePath> -t <filePath>
    tpm2_verifysignature -k 0x81010001 -D <filePath> -s <filePath> -t <filePath>
    tpm2_verifysignature -c key.context -g 0x000B -m <filePath> -s <filePath> -t <filePath>

* tpm2_certify
prove that an object with a specific Name is loaded in the TPM. By certifying
that the object is loaded, the TPM warrants that a public area with a given
Name is self-consistent and associated with a valid sensitive area. If a
relying party has a public area that has the same Name as a Name certified
with this command, then the values in that public area are correct. The object
may be any object that is loaded with TPM2_Load() or TPM2_CreatePrimary().
An object that only has its public area loaded cannot be certified.

Usage:
  -H, --objHandle <hexHandle> handle of the object to be certified
  -C, --objContext <filename> filename of the object context to be certified
  -k, --keyHandle <hexHandle> handle of the key used to sign the attestation
                              structure
  -c, --keyContext <filename> filename of the key context used to sign the
                              attestation structure
  -P, --pwdo         <string> the object handle's password, optional
  -K, --pwdk         <string> the keyHandle's password, optional
  -g, --halg         <hexAlg> the hash algorithm used to digest the message
                                0x0004  TPM_ALG_SHA1
                                0x000B  TPM_ALG_SHA256
                                0x000C  TPM_ALG_SHA384
                                0x000D  TPM_ALG_SHA512
                                0x0012  TPM_ALG_SM3_256
  -a, --attestFile <fileName> output file name, record the attestation structure
  -s, --sigFile    <fileName> output file name, record the signature structure
  -X, --passwdInHex           passwords given by any options are hex format.

example:
    tpm2_certify -H 0x81010002 -k 0x81010001 -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
    tpm2_certify -C obj.context -c key.context -P 0x0011 -K 0x00FF -g 0x00B -a <fileName> -s <fileName>
    tpm2_certify -H 0x81010002 -k 0x81010001 -P 0011 -K 00FF -X -g 0x00B -a <fileName> -s <fileName>


Subset 6: utilities
-------------------
* tpm2_getrandom
returns the next bytesRequested octets from the random number generator.

Usage:
    tpm2_getrandom  [-s/--size <bytesRequested>] [-o/--of <outfilename>]

where:
  -s/--size <bytesRequested>      specifies the size of the bytesRequested.
  -o/--of <outfilename>           specifies the filename of output.

example:
    tpm2_getrandom -s 20 -o random.out

* tpm2_hash
performs a hash operation on a data buffer and returns the results. If the
results of the hash will be used in a signing operation that uses a restricted
signing key, then the ticket returned by this command can indicate that the
hash is safe to sign.

Usage:
  -H, --hierarchy <e|o|p|n>     hierarchy to use for the ticket
                                  e  TPM_RH_ENDORSEMENT
                                  o  TPM_RH_OWNER
                                  p  TPM_RH_PLATFORM
                                  n  TPM_RH_NULL
  -g, --halg      <hexAlg>      algorithm for the hash being computed
                                  0x0004  TPM_ALG_SHA1
                                  0x000B  TPM_ALG_SHA256
                                  0x000C  TPM_ALG_SHA384
                                  0x000D  TPM_ALG_SHA512
                                  0x0012  TPM_ALG_SM3_256
  -I, --infile <inputFilename>  file containning the data to be hashed
  -o, --outfile <hashFilename>  file record the hash result
  -t, --ticket <ticketFilename> file record the ticket

example:
    tpm2_hash -H <e|o|p|n> -g 0x004 -I <inputFilename> -o <hashFilename> -t <ticketFilename>

* tpm2_hmac
performs an HMAC on the supplied data using the indicated hash algorithm. The
caller shall provide proper authorization for use of handle.

Usage:
  -k, --keyHandle <hexHandle>   handle for the symmetric signing key providing
                                the HMAC key
  -c, --keyContext <filename>   filename of the key context used for the
                                operation
  -P, --pwdk      <string>      the keyHandle's password, optional
  -g, --halg      <hexAlg>      algorithm for the hash being computed
                                  0x0004  TPM_ALG_SHA1
                                  0x000B  TPM_ALG_SHA256
                                  0x000C  TPM_ALG_SHA384
                                  0x000D  TPM_ALG_SHA512
                                  0x0012  TPM_ALG_SM3_256
  -I, --infile <inputFilename>  file containning the data to be HMACed
  -o, --outfile <hmacFilename>  file record the HMAC result
  -X, --passwdInHex             passwords given by any options are hex format.

example:
    tpm2_hmac  -k 0x81010002 -P abc123 -g 0x004 -I <inputFilename> -o <hmacFilename>
    tpm2_hmac  -c key.context -P abc123 -g 0x004 -I <inputFilename> -o <hmacFilename>
    tpm2_hmac  -k 0x81010002 -P 123abc -X -g 0x004 -I <inputFilename> -o <hmacFilename>

* tpm2_readpublic
Access to the public area of a loaded object.

Usage:
  -H, --object <objectHandle>    The loaded object handle
  -c, --contextObject <filename> filename for object context
  -o, --opu <publicKeyFileName>  The output file path, recording the public
                                 portion of the object

example:
    tpm2_readpublic -H 0x81010002 --opu <pubKeyFileName>
    tpm2_readpublic -c obj.context --opu <pubKeyFileName>
