fapi-profile - Man Page

See Also



FAPI Cryptographic Profile

Cryptographic profiles determine the cryptographic algorithms and parameters for all keys and operations of a specific TPM interaction. The values affected by these profiles are:

Two exemplary profiles for RSA and ECC are installed with the TSS. By default, the RSA cryptographic profile is activated. The user is free to create own cryptographic profiles according to his needs.

Specific profiles are activated in the FAPI configuration file. If not otherwise specified during TSS installation, the default location for the exemplary profiles is /etc/tpm2-tss/profiles/ and /etc/tpm2-tss/ for the FAPI configuration file.

The parameters of the profile are:


The following JSON encoded example shows the standard profile for ECC keys:

    "type": "TPM2_ALG_ECC",
    "srk_template": "system,restricted,decrypt,0x81000001",
    "srk_description": "Storage root key SRK",
    "ek_template":  "system,restricted,decrypt",
    "ek_description": "Endorsement key EK",
    "ecc_signing_scheme": {
    "sym_parameters": {
    "sym_block_size": 16,
    "pcr_selection": [
       { "hash": "TPM2_ALG_SHA1",
         "pcrSelect": [ ],
       { "hash": "TPM2_ALG_SHA256",
         "pcrSelect": [ 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 ]
    "curveID": "TPM2_ECC_NIST_P256",
    "ek_policy": {
        "description": "Endorsement hierarchy used for policy secret.",
                "objectName": "4000000b",

Beside the cryptographic parameters descriptions for the storage root key and the endorsement key can be set. For the endorsement hierarchy the policy "ek_policy" is set according to the TCG Credential profile EK 2.0. The values of the constants are the same as the constants defined in the TSS header files, where the prefix TPM2_ can be omitted.

The key type of the storage root key and the endorsement key is defined by the JSON fields srk_template and ek_template. The type consists of a list of comma and/or space separated keywords. If a keyword is not present the inverse of the reference TPM attribute bits SHALL be set or cleared. The keywords are:

The RSA profile has specific values for the signing scheme and the decrypt scheme:

      "rsa_signing_scheme": {

    "rsa_decrypt_scheme": {

Possible values for the signing schemes are:

Possible modes for symmetric encryption are:

Possible modes for the RSA decrypt scheme are:

The following curve ids can be used:


This page is part of release 3.0.3 of Open Source implementation of the TCG TPM2 Software Stack (TSS2). A description of the project, information about reporting bugs, and the latest version of this page can be found at https://github.com/tpm2-software/tpm2-tss/.

Referenced By

fapi-config(5), tss2_authorizepolicy(1), tss2_changeauth(1), tss2_createkey(1), tss2_createnv(1), tss2_createseal(1), tss2_decrypt(1), tss2_delete(1), tss2_encrypt(1), tss2_exportkey(1), tss2_exportpolicy(1), tss2_getappdata(1), tss2_getcertificate(1), tss2_getdescription(1), tss2_getinfo(1), tss2_getplatformcertificates(1), tss2_getrandom(1), tss2_gettpmblobs(1), tss2_import(1), tss2_list(1), tss2_nvextend(1), tss2_nvincrement(1), tss2_nvread(1), tss2_nvsetbits(1), tss2_nvwrite(1), tss2_pcrextend(1), tss2_pcrread(1), tss2_provision(1), tss2_quote(1), tss2_setappdata(1), tss2_setcertificate(1), tss2_setdescription(1), tss2_sign(1), tss2_unseal(1), tss2_verifyquote(1), tss2_verifysignature(1).

JULI 2020 TPM2 Software Stack