16-Security Command Reference

17-TC commands

TC commands

certificate destroy

Use certificate destroy to destroy a TCSM certificate.

Syntax

certificate destroy name certificate-name slot slot-number

Views

TCSM view

Predefined user roles

network-admin

Parameters

name certificate-name: Specifies a TCSM certificate by its name, a case-insensitive string of 1 to 31 characters.

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

A TCSM certificate can be destroyed only by an administrator or its creator. A system-defined TCSM certificate cannot be destroyed.

Examples

# Destroy TCSM certificate cert-abc on a slot.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm] certificate destroy name cert-abc slot 1

Related commands

display tcsm certificate list

display tcsm certificate name

certificate subject

Use certificate subject to create a TCSM certificate subject and enter the view of the TCSM certificate subject, or enter the view of an existing TCSM certificate subject.

Use undo certificate subject to delete a TCSM certificate subject.

Syntax

certificate subject subject-name

undo certificate subject subject-name

Default

No TCSM certificate subjects exist.

Views

TCSM view

Predefined user roles

network-admin

Parameters

subject-name: Specifies the subject name, a case-sensitive string of 1 to 31 characters. Valid characters include letters, digits, and the following special characters: underscores (_), hyphens (-), at signs (@), pound signs (#), percent signs (%), dollar signs ($), plus signs (+), dots (.), left parentheses, right parentheses, ampersand signs (&), left braces ({), right braces (}), colons (:), semicolons (;), exclamation points (!), equal signs (=), tilde signs (~), and apostrophes (`).

Usage guidelines

The current software version supports only one TCSM certificate subject. To change the name of the created TCSM certificate subject, you must delete the subject and then re-create the subject by using the new name.

Examples

# Create TCSM certificate subject entry1 and enter its view.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm] certificate subject entry1

[Sysname-tcsm-cert-subject-entry1]

common-name

Use common-name to set the common name for a TCSM certificate subject.

Use undo common-name to restore the default.

Syntax

common-name string

undo common-name

Default

A TCSM certificate subject does not have a common name.

Views

TCSM certificate subject view

Predefined user roles

network-admin

Parameters

string: Specifies the common name, a case-sensitive string of 1 to 31 characters. Valid characters include letters, digits, and the following special characters: underscores (_), hyphens (-), at signs (@), pound signs (#), percent signs (%), dollar signs ($), plus signs (+), dots (.), left parentheses, right parentheses, ampersand signs (&), left braces ({), right braces (}), colons (:), semicolons (;), exclamation points (!), equal signs (=), tilde signs (~), and apostrophes (`).

Usage guidelines

To use a TCSM certificate subject to sign a certificate, you must specify a common name for the subject.

Examples

# Set the common name to device for TCSM certificate subject entry1.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm] certificate subject entry1

[Sysname-tcsm-cert-subject-entry1] common-name device

country

Use country to set the country code for a TCSM certificate subject.

Use undo country to restore the default.

Syntax

country string

undo country

Default

A TCSM certificate subject does not have a country code.

Views

TCSM certificate subject view

Predefined user roles

network-admin

Parameters

string: Specifies a country code, case sensitive.

Usage guidelines

A country code is a standard two-character string. For example, CN is the country code for China, and US is the country code for the United States of America.

Examples

# Set the country code to CN for TCSM certificate subject entry1.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm] certificate subject entry1

[Sysname-tcsm-cert-subject-entry1] country CN

devid-additional-information

Use devid-additional-information to set the additional information for a DevID certificate subject.

Use undo devid-additional-information to restore the default.

Syntax

devid-additional-information string

undo devid-additional-information

Default

A DevID certificate subject does not have additional information.

Views

TCSM certificate subject view

Predefined user roles

network-admin

Parameters

string: Specifies the additional information, a case-sensitive string of 1 to 63 characters. Valid characters include letters, digits, and the following special characters: underscores (_), hyphens (-), at signs (@), pound signs (#), percent signs (%), dollar signs ($), plus signs (+), dots (.), left parentheses, right parentheses, ampersand signs (&), left braces ({), right braces (}), colons (:), semicolons (;), exclamation points (!), equal signs (=), tilde signs (~), and apostrophes (`).

Usage guidelines

You can use this command to add additional information to a DevID certificate subject.

Examples

# Set the additional information to x00 for DevID certificate subject entry1.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm] certificate subject entry1

[Sysname-tcsm-cert-subject-entry1] devid-additional-information x00

display tcsm certificate list

Use display tcsm certificate list to display the TCSM certificate list.

Syntax

display tcsm certificate list [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify this option, the command displays TCSM certificates of all member devices.

Usage guidelines

This command displays both system-defined and user-defined TCSM certificates.

Examples

# List the TCSM certificates on all slots.

<Sysname> display tcsm certificate list

Slot 1:

  System-defined certificates:

    default-rsa-akcert:  For attestation key

    default-ecc-akcert:  For attestation key

    rsa-idevid-cert:  For DevID

    ecc-idevid-cert:  For DevID

    default_rsa_ekcert:  For endorsement key

    default_ecc_ekcert:  For endorsement key

  User-defined certificates:

    test_ak_cert:  For attestation key

display tcsm certificate name

Use display tcsm certificate name to display detailed information about a TCSM certificate.

Syntax

display tcsm certificate name certificate-name slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

certificate-name: Specifies a TCSM certificate by its name, a case-insensitive string.

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

You can use this command to check the validity of a TCSM certificate, for example its validity period, issuer, and usage.

Examples

# Display detailed information about a TCSM certificate on a slot.

<Sysname> display tcsm certificate name default_rsa_ekcert slot 1

Status:  Enabled

Key name:  default_rsa_ek

User name: 

Usage:  EK

Certificate:

    Data:

        Version:  3 (0x2)

        Serial Number:

            89:0e:cf:1f:e2:78:10:5d:31:80:4f:e2:b8:c2:b1:33:e9:6b:01:9f

        Signature Algorithm:  ecdsa-with-SHA256

        Issuer:  C=CN, O=Nationz Technologies Inc, OU=Nationz TPM Device, CN=Nationz TPM Manufacturing CA 001

        Validity

            Not Before:  Jul 25 00:00:00 2018 GMT

            Not After :  Jul 25 00:00:00 2033 GMT

        Subject: 

        Subject Public Key Info:

            Public Key Algorithm:  rsaEncryption

                Public-Key:  (2048 bit)

                Modulus:

                    00:c0:22:ff:61:e0:e2:e4:fe:cf:df:c0:23:32:4b:

                    58:7b:25:b5:b3:da:0c:cf:bc:ae:81:0c:8f:98:32:

                    67:43:4a:6b:93:68:a5:1d:59:36:65:50:c0:d7:61:

                    55:dc:22:6f:17:da:f0:9a:97:6a:7b:a9:b0:e3:1a:

                    58:15:18:37:1b:c5:49:7a:30:f2:bc:84:1b:fb:67:

                    77:ed:a4:66:cc:df:24:3a:83:a7:d6:b5:c7:66:61:

                    aa:f6:41:94:99:92:cf:a7:2d:85:57:88:63:13:bf:

                    b4:b1:74:23:a6:77:40:f7:ed:a8:12:92:d0:d9:9d:

                    3d:b2:33:f3:55:91:7f:89:7c:93:ce:0c:19:23:47:

                    59:ec:08:7b:74:27:26:4f:43:24:3b:1f:51:9d:9f:

                    0e:4f:49:18:48:f6:d2:0a:e9:02:b9:35:93:9a:32:

                    af:6a:e3:47:d6:95:aa:b6:5d:56:01:c0:13:db:23:

                    c4:60:2a:4b:9a:c6:f3:b8:ae:a0:6b:49:59:c5:bd:

                    d8:9a:61:8d:67:c7:58:cd:95:ca:6e:ea:e6:36:8c:

                    e4:29:25:86:d3:21:c0:fb:14:ba:35:47:3e:3f:bd:

                    c7:94:3f:37:7d:83:4f:d3:62:2b:6a:db:9a:27:11:

                    bd:56:0e:97:bb:bc:11:09:e8:0f:f6:df:c0:8a:2d:

                    39:ad

                Exponent:  65537 (0x10001)

        X509v3 extensions:

            Authority Information Access: 

                CA Issuers - URI:http://pki.nationz.com.cn/EkMfrCA001/EkMfrCA001.crt

 

            X509v3 CRL Distribution Points: 

 

                Full Name:

                  URI:http://pki.nationz.com.cn/EkMfrCA001/EkMfrCA001.crl

               

            X509v3 Authority Key Identifier: 

                keyid:02:2C:BE:ED:5D:77:06:0F:28:33:E9:D5:37:6B:A8:BC:30:8C:D9:BA

 

            X509v3 Certificate Policies: 

                Policy:  1.2.156.100001.1.5.1

 

            X509v3 Extended Key Usage: 

                2.23.133.8.1

            X509v3 Subject Directory Attributes: 

0...2.0.....t   0.0...g....1

            X509v3 Key Usage:  critical

                Key Encipherment

            X509v3 Subject Alternative Name:  critical

                DirName: /2.23.133.2.1=id:4E545A00/2.23.133.2.2=Z32H330TC/2.23.133.2.3=id:0726

            X509v3 Basic Constraints:  critical

                CA: FALSE

Table 1 Command output

Field

Description

Status

TCSM certificate status:

Enabled—The certificate is active.

User name

Username entered when adding the device on the H3C TPMM.

Usage

Certificate usage:

·     AK—Attestation key.

·     DevID—Device ID.

·     EK—Endorsement key.

 

display tcsm key list

Use display tcsm key list to display the TCSM key list.

Syntax

display tcsm key list [ endorsement | storage ] [ loaded ] [ ak | devid ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

endorsement: Specifies TCSM keys in the endorsement hierarchy.

storage: Specifies TCSM keys in the storage hierarchy.

loaded: Specifies loaded TCSM keys. If you do not specify this keyword, the command displays both loaded and unloaded TCSM keys.

ak: Specifies TCSM keys used as AKs.

devid: Specifies TCSM keys used as DevID keys.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify this option, the command displays TCSM keys of all member devices.

Usage guidelines

If you do not specify the endorsement keyword or storage keyword, this command displays TCSM keys in all hierarchies.

If you do not specify the ak keyword or devid keyword, this command displays TCSM keys used for all purposes, including EKs and ordinary keys.

Examples

# List the TCSM keys on all slots.

<System> display tcsm key list

Slot 1:

  Endorsement hierarchy:

    default_rsa_ek:  Primary key

    default_ecc_ek:  Primary key

    default-rsa-sk:  Primary key

    default-ecc-sk:  Primary key

    rsa-idevid-key:  Primary key

    ecc-idevid-key:  Primary key

    default-rsa-ak:  Primary key

    default-ecc-ak:  Primary key

    test_ak:  Primary key

  Storage hierarchy:

    test_ak10:  Primary key

display tcsm key name

Use display tcsm key name to display detailed information about a TCSM key.

Syntax

display tcsm key name key-name slot slot-number

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

key-name: Specifies the name of an existing key, a case-insensitive string.

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

You can use this command to display the attributes of a key and the certificate signed for the key.

Examples

# Display detailed information about TCSM key default-rsa-ak on a slot.

<System> display tcsm key name default-rsa-ak slot 1

Key name:  default-rsa-ak

Certificate name:  default-rsa-akcert

Usage:  AK

Parent key name:  N/A

Hierarchy:  endorsement

User name:  xcf

Status:  Loaded/Enabled

Type:  RSA

Name algorithm:  SHA256

Key attribute:  fixedTPM, fixedParent, restricted, sign

RSA parameters:

  Scheme:  RSASSA

  Digest algorithm:  SHA256

  KeyBits:  2048

  Exponent:  65537

  Modulus:  b0 5b 80 78 29 1c 2c 18 2c e0 5e 81 e5 d4 dc 94

           27 b0 d6 24 ea 55 87 55 5e f1 e0 dc ce c1 64 7a

           69 a6 58 11 ef 8d ac 1f 21 d1 b5 cd a8 34 9f a7

           67 5a c9 df 57 b0 08 43 49 d3 c3 88 46 a9 31 e6

           35 15 bf 43 4e c2 f3 ca c5 24 6b 32 c3 cf 0f 40

           f3 ab c7 10 cd 27 f6 7b ac d7 93 c6 b7 36 22 64

           c0 fb 5f a0 ed a4 76 ed 53 d0 55 87 fa 0e e3 c0

           7a 09 e0 39 49 32 7d 46 89 84 e4 00 67 c0 1e b9

           72 7c 10 bb cd f5 5b bc 45 fd 0f ae 3c cb 23 50

           e0 14 0f bf 5e b2 09 19 92 23 00 9c 3d fb 13 ad

           a5 f7 e3 3b f2 3d 6c 48 63 f2 0e f9 77 10 5a 34

           70 f8 27 52 17 83 18 b7 96 a9 70 5f b7 99 48 f7

           c0 69 e1 cd 8b 6d 4d d2 34 9d a7 a7 f8 94 33 c3

           23 0c ea 3a 40 82 d8 52 53 fc 42 57 c4 3c 1d e6

           35 f3 ee bf 19 2d 7d d8 2e 1a e3 aa de 9c a3 99

           5c 89 fb b7 90 39 78 28 50 e3 15 10 e1 80 89 57

Table 2 Command output

Field

Description

Certificate name

Name of the certificate signed for the key.

If no certificate is signed for the key, this field displays N/A.

Usage

Key usage:

·     AK—Attestation key.

·     DevID—Device ID.

·     EK—Endorsement key.

·     General—Ordinary key.

Parent key name

Name of the parent key.

If the key does not have a parent key, this field displays N/A.

User name

Username entered when adding the device on the H3C TPMM.

Status

Key status:

·     Loaded—The key is loaded.

·     Unloaded—The key is not loaded.

·     Enabled—The key is enabled.

·     Disabled—The key is disabled.

Scheme

Scheme for encryption or signing.

If no scheme is specified, this field displays Null.

 

display tcsm key-template

Use display tcsm key-template to display TCSM key template information.

Syntax

display tcsm key-template [ { preset | user } template-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

preset: Specifies a system-defined key template.

user: Specifies a user-defined key template, which is a global key template received from the manager.

template-name: Specifies the name of an existing TCSM key template on the device, a case-insensitive string.

Usage guidelines

If you do not specify an option, this command displays summary information about all TCSM key templates.

Examples

# Display summary information about all TCSM key templates.

<System> display tcsm key-template

System-defined key template files:

    default-rsa-sk:  rsa storage key

    default-rsa-devid:  rsa signature key

    default-rsa-ak:  rsa attestation key

    default-ecc-sk:  ecc storage key

    default-ecc-devid:  ecc signature key

    default-ecc-ak:  ecc attestation key

User-defined key template files:

  Directory:  /mnt/flash:/safeinfo/template/

    template22:  this key template may be used to create aka storage key

# Display detailed information about system-defined TCSM key template default-rsa-ak.

<System> display tcsm key-template preset default-rsa-ak

Version:  1.0.0

Description:  rsa attestation key

Type:  RSA

Name algorithm:  SHA256

Key attribute:  fixedTPM, fixedParent, restricted, sign

RSA parameters:

  Scheme:  RSASSA

  Digest algorithm:  SHA256

  Exponent:  65537

  KeyBits:  2048

Table 3 Command output

Field

Description

Key attribute

Key attributes:

·     fixedParent and fixedTPM—Duplication attributes.

-     If both attributes are present, the key is protected by the parent key and can be used only in the TPM. The key cannot be duplicated.

-     If both attributes are absent, the key and its child keys can be duplicated.

-     If only fixedParent is present, the key can be duplicated together with its parent key but cannot be duplicated separately.

·     decrypt—The key can be used for encryption and decryption. A storage key must have this attribute.

·     sign—The key can be used for signing and signature authentication. An AK or DevID key must have this attribute.

·     restricted—The function of the key is restricted. For example, only data generated by a TPM can be used for signing. AKs and storage keys must have this attribute.

Symmetric mode

Symmetric encryption mode:

·     CFB—Cipher feedback mode.

·     CBC—Cipher block chaining mode.

·     CTR—Counter mode.

·     OFB—Output feedback mode.

·     ECB—Electronic codebook mode.
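As an added illustration of the attribute rules in Table 3 (example code written for this reference, not H3C software), the following Python checks a template's Key attribute line against the stated requirements for storage, AK and DevID keys and reports the duplication policy implied by fixedTPM and fixedParent. The usage labels, function names and the sample lines are this example's own assumptions; the fixedTPM-without-fixedParent combination is not described in Table 3 and is reported as undescribed rather than judged.

```python
"""Check TCSM key-template attributes against the rules stated in Table 3.

Added example, not H3C code. The rules encoded here are only the ones the
command reference states: a storage key needs 'decrypt', an AK or DevID key
needs 'sign', AKs and storage keys need 'restricted', and the fixedTPM /
fixedParent pair controls whether the key can be duplicated.
"""

DUPLICATION_ATTRS = {"fixedTPM", "fixedParent"}
KNOWN_ATTRS = DUPLICATION_ATTRS | {"decrypt", "sign", "restricted"}

# Required attributes per intended key usage (Table 3). "general" is this
# example's label for an ordinary key, which the table gives no requirement for.
REQUIRED = {
    "storage": {"decrypt", "restricted"},
    "ak": {"sign", "restricted"},
    "devid": {"sign"},
    "general": set(),
}


def parse_key_attribute(line):
    """Parse a 'Key attribute:  fixedTPM, fixedParent, restricted, sign' line
    as printed by display tcsm key-template / display tcsm key name."""
    _, _, value = line.partition(":")
    return {item.strip() for item in value.split(",") if item.strip()}


def duplication_policy(attrs):
    """Describe what the fixedTPM/fixedParent pair allows, following Table 3."""
    has_tpm, has_parent = "fixedTPM" in attrs, "fixedParent" in attrs
    if has_tpm and has_parent:
        return "non-duplicable"                 # usable only in this TPM
    if not has_tpm and not has_parent:
        return "duplicable"                     # key and its children may move
    if has_parent:
        return "duplicable-with-parent-only"    # moves only together with parent
    # fixedTPM alone is a combination Table 3 does not describe (assumption:
    # treat it as something to flag, not as valid or invalid).
    return "undescribed"


def check_template(usage, attrs):
    """Return a list of violations; an empty list means the template satisfies
    every rule the reference states for that usage."""
    problems = []
    unknown = attrs - KNOWN_ATTRS
    if unknown:
        problems.append("unknown attributes: " + ", ".join(sorted(unknown)))
    missing = REQUIRED[usage] - attrs
    if missing:
        problems.append(f"{usage} key is missing: " + ", ".join(sorted(missing)))
    if duplication_policy(attrs) == "undescribed":
        problems.append("fixedTPM without fixedParent is not a documented combination")
    return problems


if __name__ == "__main__":
    # The attribute line shown for system-defined template default-rsa-ak.
    ak_attrs = parse_key_attribute("Key attribute:  fixedTPM, fixedParent, restricted, sign")
    print("default-rsa-ak as AK:", check_template("ak", ak_attrs) or "ok")
    # Constructed sample: a template offered as a storage key but lacking decrypt.
    print("same attributes as storage key:", check_template("storage", ak_attrs))
    print("duplication policy:", duplication_policy(ak_attrs))
```

Run it over the Key attribute line of any template before using it in key create; a non-empty result means the template cannot serve the intended usage.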

 

display tcsm pcr

Use display tcsm pcr to display PCR values.

Syntax

display tcsm pcr [ algorithm algorithm ] [ index index ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

algorithm algorithm: Specifies a hash algorithm, a case insensitive string. To view the available hash algorithms, execute the display tcsm trusted-computing-chip command and view the value of the Active PCR bank field. If you do not specify this option, the command displays the PCR values of all hash algorithms.

index index: Specifies a PCR index value, in the range of 0 to 23. If you do not specify this option, the command displays the PCR values of all index values.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify this option, the command displays the PCR values on all member devices.

Usage guidelines

If you do not specify an option, this command displays PCR values of all hash algorithms and all index values.

Examples

# Display all PCR values on the TC chip in a slot.

<Sysname> display tcsm pcr slot 1

  PCR information:

    SHA1 (index  0):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    SHA1 (index  1):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    SHA1 (index  2):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

...

    SHA1 (index 23):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    SHA256 (index  0):  a8 c0 ee a2 32 27 73 bb 92 7d f2 b2 95 c0 7c de 8a 0c 9d 9a 11 cf 56 1d 07 68 98 ac ea a0 ff 28

    SHA256 (index  1):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    SHA256 (index  2):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

...

    SHA256 (index 23):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

# Display the values of the PCR with an index value of 0 on all TC chips.

<Sysname> display tcsm pcr index 0

Slot 1:

  PCR information:

    SHA1 (index  0):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    SHA256 (index  0):  a8 c0 ee a2 32 27 73 bb 92 7d f2 b2 95 c0 7c de 8a 0c 9d 9a 11 cf 56 1d 07 68 98 ac ea a0 ff 28

Table 4 Command output

Field

Description

algorithm (index pcr-index): value

algorithm: Hash algorithm of the PCR.

pcr-index: Index value of the PCR.

value: PCR values.

 

Related commands

display tcsm trusted-computing-chip

display tcsm trusted-computing-chip

Use display tcsm trusted-computing-chip to display TC chip information.

Syntax

display tcsm trusted-computing-chip [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify this option, the command displays information about TC chips on all member devices.

Usage guidelines

This command displays TC chip information only on devices that have TC chips.

Examples

# Display information about the TC chip on a slot.

<Sysname> display tcsm trusted-computing-chip slot 1

Chip information:

    Specifications version:      Family: 2.0 Level: 00 Revision: 01.16

    Firmware version:            7.26

    Current mode:                TPM2.0

    Supported modes:             TPM2.0 TCM

    Supported algorithms:        RSA, SHA1, HMAC, AES, MGF1, KEYEDHASH, XOR,

                                SHA256, RSASSA, RSAES, RSAPSS, OAEP, ECDSA,

                                ECDH, ECDAA, ECSCHNORR, KDF1-SP800-56A,

                                KDF1-SP800-108, ECC, SYMCIPHER, CBC, CFB,

                                ECB

    Available PCR bank:          SHA1, SHA256

    Owner state:                 No

Chip configuration:

    Chip status:                 Enabled

    Active PCR bank:             SHA1, SHA256

    Measurement algorithm:       SHA256

    Endorsement hierarchy:       Enabled

    Storage hierarchy:           Enabled

    Clear operation:             Disabled

Table 5 Command output

Field

Description

Available PCR bank

Available PCR banks.

All PCRs that use the same hash algorithm form a PCR bank.

Owner state

Whether the chip has an owner.

This field is not supported in the current software version. Its value is fixed at No.

Chip status

Status of the chip, Enabled or Disabled.

Active PCR bank

Active PCR banks.

Endorsement hierarchy

Status of the endorsement hierarchy, Enabled or Disabled.

Storage hierarchy

Status of the storage hierarchy, Enabled or Disabled.

Clear operation

Status of the clear operation:

·     Enabled—You can perform a clear operation.

·     Disabled—You cannot perform a clear operation.

 

key create

Use key create to create a TCSM key.

Syntax


key create name key-name [ authorization authorization-string ] { endorsement | storage | parent-key parent-name [ parent-authorization parent-authorization ] } { preset-template | user-template } template-name [ ak | devid ] slot slot-number

Views

TCSM view

Predefined user roles

network-admin

Parameters

name key-name: Specifies a key name, a case-insensitive string of 1 to 31 characters. Valid characters include letters, digits, and the following special characters: underscores (_), hyphens (-), at signs (@), pound signs (#), percent signs (%), dollar signs ($), plus signs (+), commas (,), dots (.), left parentheses, right parentheses, ampersand signs (&), left braces ({), right braces (}), colons (:), semicolons (;), exclamation points (!), equal signs (=), tilde signs (~), and apostrophes (`).

authorization authorization-string: Specifies the key authorization data, a case-sensitive string of 1 to 31 characters. Valid characters include letters, digits, and the following special characters: underscores (_), hyphens (-), at signs (@), pound signs (#), percent signs (%), dollar signs ($), plus signs (+), commas (,), dots (.), left parentheses, right parentheses, ampersand signs (&), left braces ({), right braces (}), colons (:), semicolons (;), exclamation points (!), equal signs (=), tilde signs (~), and apostrophes (`). If you do not specify this option, the key authorization data is null.

endorsement: Uses the key as a primary key of the endorsement hierarchy.

storage: Uses the key as a primary key of the storage hierarchy.

parent-key parent-name: Specifies the parent key for the key. The parent key must already exist. The parent key name is case insensitive.

parent-authorization parent-authorization: Specifies the key authorization data of the parent, a case-sensitive string. If the parent key authorization data is null, do not specify this option.

preset-template template-name: Specifies the system-defined key template to be used to create the key. The template name is a case-insensitive string of 1 to 31 characters.

user-template template-name: Specifies the user-defined key template to be used to create the key. The template name is a case-insensitive string of 1 to 31 characters.

ak: Uses the key as the AK.

devid: Uses the key as the DevID key.

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

If you do not specify the ak keyword or devid keyword, the command creates an ordinary key.

A primary key can have a maximum of four levels of child keys.

Before creating a child key, make sure you have used the key load command to load the parent key to the TC chip.

Examples

# Use system-defined key template default-rsa-ak to create a primary AK named pk1 for the endorsement hierarchy. Set the key authorization data to pk1.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm] key create name pk1 authorization pk1 endorsement preset-template default-rsa-ak ak slot 1

Related commands

display tcsm key list

display tcsm key name

key destroy

key load

key destroy

Use key destroy to destroy a TCSM key.

Syntax

key destroy name key-name slot slot-number

Views

TCSM view

Predefined user roles

network-admin

Parameters

name key-name: Specifies the name of an existing key, a case-insensitive string.

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

You can destroy a key successfully only if the following conditions are met:

·     You are an administrator or the key creator.

·     The key is not loaded to the TC chip.

To unload a key, use the undo key load command.

·     The key does not have a child key.

If the key has a child key, you must destroy the child key first.

To identify whether the key has child keys, use the display tcsm key list command.

Examples

# Destroy key pKey of a slot.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm] key destroy name pKey slot 1

Related commands

display tcsm key list

display tcsm key name

key create

key load

key load

Use key load to load a TCSM key to the TC chip.

Use undo key load to unload a TCSM key from the TC chip.

Syntax

key load name key-name [ parent-authorization { cipher | simple } parent-authorization ] slot slot-number

undo key load name key-name slot slot-number

Default

Created TCSM keys are not loaded to the TC chip.

Views

TCSM view

Predefined user roles

network-admin

Parameters

name key-name: Specifies the name of an existing key, a case-insensitive string.

parent-authorization: Specifies the parent key authorization data. If the parent key authorization data is null, do not specify this keyword. This keyword is not supported if you are loading a primary key.

cipher: Specifies the parent key authorization data in encrypted form.

simple: Specifies the parent key authorization data in plaintext form. For security purposes, the data specified in plaintext form will be stored in encrypted form.

parent-authorization: Specifies the parent key authorization data. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

You can load only a TCSM key that is created by using the key create command. If the key has a parent key, you must load the parent key first.

To unload a TCSM key that has child keys, you must unload all the child keys first.

Examples

# Load key default_rsa_ek to the TC chip in a slot.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm] key load name default_rsa_ek slot 1

Related commands

display tcsm key list

display tcsm key name

key create
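To make the ordering constraints from key create, key load and key destroy concrete, here is an added Python model (not H3C code) that refuses the same operations the reference says the device refuses: creating a child under an unloaded parent, exceeding four levels of child keys, unloading a parent while a child is still loaded, and destroying a key that is loaded, has children, or was created by someone else when the caller is not an administrator. The class and function names, the creator field and the scripted walkthrough are this example's assumptions; it is meant for checking a planned sequence offline before typing it into the device.

```python
"""Offline model of the TCSM key lifecycle rules (added example, not H3C code).

It mirrors the usage guidelines for key create, key load and key destroy:
  - a child key can be created only under a parent that is loaded;
  - a primary key can have at most four levels of child keys;
  - a parent can be unloaded only after its loaded children are unloaded;
  - a key can be destroyed only by an administrator or its creator, only
    when it is unloaded, and only when it has no child keys.
"""

MAX_CHILD_LEVELS = 4   # "A primary key can have a maximum of four levels of child keys."


class TcsmKeyStoreModel:
    def __init__(self):
        # Key names are case-insensitive on the device, so index by lower case.
        self.keys = {}

    def _get(self, name):
        key = self.keys.get(name.lower())
        if key is None:
            raise KeyError(f"no such key: {name}")
        return key

    def _level(self, name):
        """0 for a primary key, 1 for its child, and so on."""
        level, parent = 0, self._get(name)["parent"]
        while parent is not None:
            level, parent = level + 1, self._get(parent)["parent"]
        return level

    def children(self, name):
        return [k["name"] for k in self.keys.values() if k["parent"] == name.lower()]

    def create(self, name, creator, parent=None, usage="general"):
        if name.lower() in self.keys:
            raise ValueError(f"key {name} already exists")
        if parent is not None:
            if not self._get(parent)["loaded"]:
                raise ValueError(f"parent {parent} must be loaded (key load) before creating a child")
            if self._level(parent) + 1 > MAX_CHILD_LEVELS:
                raise ValueError("a primary key may have at most four levels of child keys")
        self.keys[name.lower()] = {"name": name, "creator": creator, "usage": usage,
                                   "parent": parent.lower() if parent else None, "loaded": False}

    def load(self, name):
        key = self._get(name)
        if key["parent"] is not None and not self._get(key["parent"])["loaded"]:
            raise ValueError("load the parent key first")
        key["loaded"] = True

    def unload(self, name):
        key = self._get(name)
        loaded_children = [c for c in self.children(name) if self._get(c)["loaded"]]
        if loaded_children:
            raise ValueError("unload child keys first: " + ", ".join(loaded_children))
        key["loaded"] = False

    def destroy(self, name, actor, is_admin=False):
        key = self._get(name)
        if not is_admin and actor != key["creator"]:
            raise PermissionError("only an administrator or the key creator may destroy a key")
        if key["loaded"]:
            raise ValueError("key is loaded; run undo key load first")
        if self.children(name):
            raise ValueError("destroy child keys first")
        del self.keys[name.lower()]


def walkthrough():
    """Scripted sequence (constructed); returns what each step did."""
    log, model = [], TcsmKeyStoreModel()

    def step(label, action):
        try:
            action()
            log.append(f"{label}: ok")
        except (ValueError, PermissionError, KeyError) as exc:
            log.append(f"{label}: refused ({exc})")

    step("create pk1", lambda: model.create("pk1", "alice", usage="ak"))
    step("create ck1 under unloaded pk1", lambda: model.create("ck1", "alice", parent="pk1"))
    step("load pk1", lambda: model.load("pk1"))
    step("create ck1", lambda: model.create("ck1", "alice", parent="pk1"))
    step("load ck1", lambda: model.load("ck1"))
    step("unload pk1 while ck1 loaded", lambda: model.unload("pk1"))
    step("destroy ck1 by bob", lambda: model.destroy("ck1", "bob"))
    step("unload ck1", lambda: model.unload("ck1"))
    step("destroy ck1 by alice", lambda: model.destroy("ck1", "alice"))
    return log


if __name__ == "__main__":
    print("\n".join(walkthrough()))
```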

organization

Use organization to set the organization name for a TCSM certificate subject.

Use undo organization to restore the default.

Syntax

organization string

undo organization

Default

A TCSM certificate subject does not have an organization name.

Views

TCSM certificate subject view

Predefined user roles

network-admin

Parameters

string: Specifies the organization name, a case-sensitive string of 1 to 63 characters. Valid characters include letters, digits, and the following special characters: underscores (_), hyphens (-), at signs (@), pound signs (#), percent signs (%), dollar signs ($), plus signs (+), dots (.), left parentheses, right parentheses, ampersand signs (&), left braces ({), right braces (}), colons (:), semicolons (;), exclamation points (!), equal signs (=), tilde signs (~), and apostrophes (`).

Usage guidelines

Setting the organization name helps you identify the organization to which a TCSM subject certificate belongs.

Examples

# Set the organization name to abc for TCSM certificate subject entry1.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm] certificate subject entry1

[Sysname-tcsm-cert-subject-entry1] organization abc

organization-unit

Use organization-unit to set the organization unit name for a TCSM certificate subject.

Use undo organization-unit to restore the default.

Syntax

organization-unit string

undo organization-unit

Default

A TCSM certificate subject does not have an organization unit name.

Views

TCSM certificate subject view

Predefined user roles

network-admin

Parameters

string: Specifies the organization unit name, a case-sensitive string of 1 to 63 characters. Valid characters include letters, digits, and the following special characters: underscores (_), hyphens (-), at signs (@), pound signs (#), percent signs (%), dollar signs ($), plus signs (+), dots (.), left parentheses, right parentheses, ampersand signs (&), left braces ({), right braces (}), colons (:), semicolons (;), exclamation points (!), equal signs (=), tilde signs (~), and apostrophes (`).

Usage guidelines

This command enables units in the same organization to have their respective TCSM certificate subjects.

Examples

# Set the organization unit name to rd for TCSM certificate subject entry1.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm] certificate subject entry1

[Sysname-tcsm-cert-subject-entry1] organization-unit rd

state

Use state to set the state or province name for a TCSM certificate subject.

Use undo state to restore the default.

Syntax

state string

undo state

Default

A TCSM certificate subject does not have a state or province name.

Views

TCSM certificate subject view

Predefined user roles

network-admin

Parameters

string: Specifies the state or province name, a case-sensitive string of 1 to 63 characters. Valid characters include letters, digits, and the following special characters: underscores (_), hyphens (-), at signs (@), pound signs (#), percent signs (%), dollar signs ($), plus signs (+), dots (.), left parentheses, right parentheses, ampersand signs (&), left braces ({), right braces (}), colons (:), semicolons (;), exclamation points (!), equal signs (=), tilde signs (~), and apostrophes (`).

Usage guidelines

Setting the state or province name helps you identify the state or province to which a TCSM subject certificate belongs.

Examples

# Set the state or province name to StateA for TCSM certificate subject entry1.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm] certificate subject entry1

[Sysname-tcsm-cert-subject-entry1] state StateA

tcsm

Use tcsm to enter TCSM view.

Use undo tcsm to delete all settings in TCSM view.

Syntax

tcsm

undo tcsm

Views

System view

Predefined user roles

network-admin

Usage guidelines

In TCSM view, you can manage TCSM keys, TCSM certificates, and TC chips.

Examples

# Enter TCSM view.

<Sysname> system-view

[Sysname] tcsm

[Sysname-tcsm]


PTS commands

display pts integrity measurement-log

Use display pts integrity measurement-log to display IML information.

Syntax

display pts integrity measurement-log [ bootware | runtime | package ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

bootware: Displays the BootWare IMLs.

runtime: Displays the runtime IML.

package: Displays the Comware image IML.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify this option, the command displays IML information about all member devices.

Usage guidelines

This command displays IML information only on devices that have TC chips and have the PTS service enabled.

If you do not specify the bootware, runtime, or package keyword, this command displays information about all types of IMLs.

Examples

# Display information about all types of IMLs on slot 1.

<Sysname> display pts integrity measurement-log slot 1

BootWare:

Total IMLs:  9

 

  Object file:  !/Bootware/Basic/Version

  RM file:  BOOTWARE_BASIC_2F00.rm

  Measurement time (seconds.nanoseconds):  12.32000000

  PCR index:  0

  Template hash algorithm:  SHA256

  Template hash value:  927908c6a5e93d221afa93d7f936631166addcabf48f7b0719bcefde2b691695

  File hash algorithm:  SHA256

  File hash value:  1e80e1e3912c9d30fb9db697be3f2fe5128fccc97672412556868cef723f8813

 

  Object file:  !/Bootware/Basic/Code

  RM file:  BOOTWARE_BASIC_2F00.rm

  Measurement time (seconds.nanoseconds):  12.42000000

  PCR index:  0

  Template hash algorithm:  SHA256

  Template hash value:  06c89f99da10c12864ab23ecd0a8760a5a87092d969ed7ebfab8b81b3eb0db4f

  File hash algorithm:  SHA256

  File hash value:  847d6e8b9ce157d7a3569b1bbd473ecdb4c52b6dcf5926d2fa94282c107c9fac

...

Table 6 Command output

Field          Description
BootWare       BootWare IMLs.
Runtime        Runtime IMLs.
Package        Comware image IMLs.
Object file    File that is measured.
RM file        Name of the file that contains the integrity measurement reference hash values.
PCR index      PCR index, 0, 4, 8, 10, or 12.


Related commands

pts

display pts integrity selfverify

Use display pts integrity selfverify to display integrity self-verification information.

Syntax

display pts integrity selfverify [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify this option, the command displays integrity self-verification information about all member devices.

Usage guidelines

This command displays integrity self-verification information only on devices that have TC chips and have the PTS service enabled.

If periodic integrity self-verification is enabled, this command displays information only about the most recent integrity self-verification.

Examples

# Display integrity self-verification information.

<Sysname> display pts integrity selfverify

Slot 1:

  Latest self-verification:  2019-07-01 10:55:16

  Integrity self-verification passed.

Table 7 Command output

Field                                                              Description
Latest self-verification                                           Time when the most recent integrity self-verification was performed. If no integrity self-verifications have been performed, this field displays a hyphen (-).
Object file hash value in IML is different from that in RM file.   The hash value of a file in the IML is different from the integrity measurement reference hash value of the file.
Object file hash value in RM file                                  Integrity measurement reference hash value.
TPM PCR                                                            Hash values stored in the PCRs of the TPM.
Calculated PCR                                                     Hash values calculated by the PTS process.
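The two comparisons behind these fields (IML file hash against the RM file reference, and TPM PCR against a PCR replayed from the IML) can also be run offline on saved command output. The following is an added example, not H3C code: it parses a constructed IML listing in the layout of display pts integrity measurement-log and assumes the standard TPM 2.0 SHA-256 extend (PCR_new = SHA256(PCR_old || digest)) with the template hash as the extended value, which the page does not state.

```python
import hashlib
import re

# Constructed sample in the layout of "display pts integrity measurement-log";
# the hash values are made up for this example, not taken from the page.
T1, T2, F1, F2 = "11" * 32, "22" * 32, "aa" * 32, "bb" * 32
SAMPLE_IML = f"""\
  Object file:  !/Bootware/Basic/Version
  RM file:  BOOTWARE_BASIC_2F00.rm
  PCR index:  0
  Template hash value:  {T1}
  File hash value:  {F1}

  Object file:  !/Bootware/Basic/Code
  RM file:  BOOTWARE_BASIC_2F00.rm
  PCR index:  0
  Template hash value:  {T2}
  File hash value:  {F2}
"""

FIELD = re.compile(r"^\s*(Object file|RM file|PCR index|"
                   r"Template hash value|File hash value):\s*(\S+)")

def parse_iml(text):
    """Split the listing into one dict per measured object, in IML order."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Object file":          # each object starts a new entry
            entries.append({})
        entries[-1][key] = value
    return entries

def extend_pcr(old_hex, digest_hex):
    """Assumed TPM 2.0 SHA-256 extend: SHA256(PCR_old || digest)."""
    return hashlib.sha256(bytes.fromhex(old_hex) + bytes.fromhex(digest_hex)).hexdigest()

def replay_pcrs(entries):
    """Replay every template hash into its PCR from an all-zero initial value."""
    pcrs = {}
    for e in entries:
        idx = int(e["PCR index"])
        pcrs[idx] = extend_pcr(pcrs.get(idx, "00" * 32), e["Template hash value"])
    return pcrs

def file_hash_mismatches(entries, rm_reference):
    """Objects whose IML file hash differs from the RM reference (object -> hash)."""
    return [e["Object file"] for e in entries
            if rm_reference.get(e["Object file"]) != e["File hash value"]]

def pcr_mismatches(calculated, tpm_pcrs):
    """PCR indexes where the replayed value differs from the TPM's reading."""
    return sorted(i for i in calculated if tpm_pcrs.get(i) != calculated[i])
```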


Related commands

integrity periodic-selfverify enable

integrity selfverify

integrity periodic-selfverify enable

Use integrity periodic-selfverify enable to enable periodic integrity self-verification.

Use undo integrity periodic-selfverify enable to disable periodic integrity self-verification.

Syntax

integrity periodic-selfverify enable

undo integrity periodic-selfverify enable

Default

Periodic integrity self-verification is disabled.

Views

PTS view

Predefined user roles

network-admin

Usage guidelines

Integrity self-verification is supported only on devices that have TC chips.

When you enable periodic integrity self-verification, the device immediately performs an integrity self-verification. Then, the device performs integrity self-verifications at the interval set by the integrity periodic-selfverify interval command.

Examples

# Enable periodic integrity self-verification.

<Sysname> system-view

[Sysname] pts

[Sysname-pts] integrity periodic-selfverify enable

Related commands

integrity periodic-selfverify interval

integrity periodic-selfverify interval

Use integrity periodic-selfverify interval to set the integrity self-verification interval.

Use undo integrity periodic-selfverify interval to restore the default.

Syntax

integrity periodic-selfverify interval interval

undo integrity periodic-selfverify interval

Default

The integrity self-verification interval is 7 days.

Views

PTS view

Predefined user roles

network-admin

Parameters

interval: Specifies the integrity self-verification interval in days. The value range is 1 to 30.

Usage guidelines

The integrity periodic-selfverify enable command starts the integrity self-verification timer. If the specified integrity self-verification interval is equal to or shorter than the time that has elapsed, the device immediately performs an integrity self-verification.

Examples

# Set the integrity self-verification interval to 15 days.

<Sysname> system-view

[Sysname] pts

[Sysname-pts] integrity periodic-selfverify interval 15

Related commands

integrity periodic-selfverify enable

integrity report attestation-key

Use integrity report attestation-key to specify the AK for integrity reporting.

Use undo integrity report attestation-key to restore the default.

Syntax

integrity report attestation-key key-name [ authorization { cipher | simple } authorization-string ] slot slot-number

Default

No AK is specified for integrity reporting.

Views

PTS view

Predefined user roles

network-admin

Parameters

key-name: Specifies the name of an existing AK, a case-insensitive string of 1 to 31 characters.

authorization: Specifies the key authorization data. If the key authorization data is null, do not specify this keyword.

cipher: Specifies the key authorization data in encrypted form.

simple: Specifies the key authorization data in plaintext form. For security purposes, the data specified in plaintext form will be stored in encrypted form.

authorization-string: Specifies the authorization data. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.

slot slot-number: Specifies an IRF member device by its member ID.

Usage guidelines

The key authorization data specified for this command must be the same as the key authorization data used to create the AK.

The specified key must meet the following requirements:

·     It already exists and is an AK.

You can create a key by using the key create command.

·     It is already loaded to the TC chip.

You can load a key to a TC chip by using the key load command.

·     It is used by a certificate.

You can verify whether a key is used by a certificate by using the display tcsm key name command.

Examples

# Specify key h3c.dat as the AK for integrity reporting on slot 1 and specify the key authorization data in plaintext form.

<Sysname> system-view

[Sysname] pts

[Sysname-pts] integrity report attestation-key h3c.dat authorization simple 123456 slot 1

Related commands

display tcsm key name

key create

key load

integrity selfverify

Use integrity selfverify to perform an integrity self-verification.

Syntax

integrity selfverify [ slot slot-number ]

Views

PTS view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify this option, the command performs integrity self-verification on all member devices.

Usage guidelines

Integrity self-verification is supported only on devices that have TC chips.

Examples

# Perform an integrity self-verification.

<Sysname> system-view

[Sysname] pts

[Sysname-pts] integrity selfverify

pts

Use pts to enable the PTS service and enter PTS view.

Use undo pts to disable the PTS service and delete all settings in PTS view.

Syntax

pts

undo pts

Default

The PTS service is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you enable the PTS service on the device, the device can provide IMLs and integrity measurement reference hash values for the manager.

Examples

# Enable the PTS service and enter PTS view.

<Sysname> system

[Sysname] pts

[Sysname-pts]
