tpm_restrictpubek Command
Purpose
Restricts the ability to display the public part of the endorsement key to the owner.
Syntax
tpm_restrictpubek [ -h ] [ -l [ none | error | info | debug ] ] [ -r ] [ -s ] [ -u ] [ -v ] [ -z ]
Description
The tpm_restrictpubek command reports who is permitted to display the public part of the endorsement key. This is the default behavior, and it is also available explicitly with the -s (or --status) option. With the -r (or --restrict) option, the ability to display the public part of the endorsement key is restricted to the owner (through the TPM_DisablePubekRead API). The restriction remains in effect until the owner is cleared. The command prompts for the owner password to complete the operation. The --status and --restrict options are mutually exclusive; when both are given, the last one on the command line is carried out.
Flags
| Item | Description |
|---|---|
| -h (or --help) | Displays the command usage information. |
| -l (or --log) [ none \| error \| info \| debug ] | Sets the logging level to none, error, info, or debug as specified. |
| -r (or --restrict) | Restricts the ability to see the public part of the endorsement key to the owner. |
| -s (or --status) | Displays who is permitted to see the public part of the endorsement key. |
| -u (or --unicode) | Uses the Trusted Computing Group Software Stack (TSS) UNICODE encoding for the passwords, for compatibility with applications that use the TSS popup boxes. |
| -v (or --version) | Displays the command version information. |
| -z (or --well-known) | Changes the password to a new one when the current owner password is a secret of all zeros (20 bytes of zeros). It must be specified which password (owner, storage root key, or both) needs to be changed. |
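The usual hardening sequence is: query the current status, apply the restriction, then query again to confirm it took effect. The following POSIX shell script is an added example (it is not part of the AIX documentation or of tpm-tools) that wraps that sequence. It assumes the command is on PATH as `tpm_restrictpubek` (overridable through the `TPM_RESTRICTPUBEK` variable), and the text that the status query prints for the owner-only state is an assumption: the pattern in `STATUS_RESTRICTED_RE` is constructed and must be adjusted to the exact wording your build prints. Note that it never passes -r and -s together, since the command honours only the last of the two.

```shell
#!/bin/sh
# Added example, not from the AIX documentation: query, restrict, and re-check
# who may read the public part of the endorsement key with tpm_restrictpubek.
# Assumptions (labelled): the tool name below, and the status text matched by
# STATUS_RESTRICTED_RE, which is a constructed pattern rather than documented output.

TPM_RESTRICTPUBEK=${TPM_RESTRICTPUBEK:-tpm_restrictpubek}
STATUS_RESTRICTED_RE=${STATUS_RESTRICTED_RE:-owner}   # constructed; adjust to real output

# pubek_status: print the status query output (default behavior, given
# explicitly with -s). Logging is limited to errors to keep output parseable.
pubek_status() {
    "$TPM_RESTRICTPUBEK" -s -l error
}

# pubek_is_restricted: exit 0 when the status text indicates the owner-only
# state, 1 otherwise. The match is against the assumed pattern above.
pubek_is_restricted() {
    pubek_status | grep -qi "$STATUS_RESTRICTED_RE"
}

# pubek_restrict: apply the restriction idempotently and verify it.
# Returns 0 when the public EK read is restricted afterwards, 2 on failure.
# Only -r is passed (never together with -s, which would override it), and
# the well-known all-zeros secret (-z) is deliberately not used.
pubek_restrict() {
    if pubek_is_restricted; then
        echo "public EK read is already restricted to the owner"
        return 0
    fi
    # Prompts for the owner password; logs at "info" so the operation is traceable.
    "$TPM_RESTRICTPUBEK" -r -l info || return 2
    if pubek_is_restricted; then
        echo "public EK read is now restricted to the owner"
        return 0
    fi
    echo "restriction not confirmed by the status query" >&2
    return 2
}

# Run the sequence only when explicitly asked, so the functions can be sourced.
case "${1:-}" in
    run) pubek_restrict ;;
esac
```

Invoke it as `sh restrict_pubek.sh run` on the system that owns the TPM; the owner password prompts come from tpm_restrictpubek itself, so the script does not handle or store the secret. Re-running it after the owner is cleared would re-apply the restriction, which is the point of the idempotent check.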