mkfm
Synopsis
mkfm -f <filename> -k <key> -o <filename> [-c][-b][-e <PED> | -p <password>] [-u <user>]
Description
The mkfm utility is used to time-stamp, hash, and sign an FM binary image.
NOTE At time of initial release for use with Luna HSMs, MKFM supports only RSA private keys that reside on a Luna token. The signing mechanism uses RSA-SHA512.
Options
The following options are supported:
Parameter | Shortcut | Description |
---|---|---|
--input-file=<filename> | -f<filename> | Specifies the relative, or full, path to the FM binary image. |
--signer-key=<key> | -k<key> | This is the name of the private key that is going to be used to sign the FM image. The format of the key is <TokenName (PIN) /KeyName>, or <TokenName/KeyName>. TokenName is the label of the token or you can use SLOTID=x, where x is the slot id number. |
--output-file=<filename> | -o<filename> | This specifies the relative or full path to the loadable FM image. |
--password=<Password> | -p<password> | Optional parameter to specify user password when performing ctfm operations in batch mode. |
--user=<user> | -u <user> | Optional parameter to specify which user role to login as default CO User : slot user role name. Default is USER Role: •'ad' on Admin partition •'co' on User partition •'cu' (specify slot number in key spec and use -u? to get a list) |
--no-banner | -b | Do not show program banner during startup |
--ped=<PED> | -e<PED> | Remote PED ID. Default is 0 (zero). Check lunacm to find the value (usually 100) to insert here. |
--compat | -c | Compatibility mode – inhibit the use of Luna custom extension functions that would stop the tool from working with a standard Cryptoki provider. If the tool displays error messages referring to missing functions, these may be suppressed by adding FunctionBindLevel=2 to the misc section of /etc/Chrystoki.conf. |
NOTE The long forms require two leading dashes for each option. The short forms take a single leading dash, and an optional space.
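The key spec can carry the token PIN and -p carries the user password, so either value can end up in shell history, CI logs, and the process list. The following is an added example, not part of the mkfm distribution or its documentation: a POSIX shell check that flags such invocations in signing scripts. The function name mkfm_lint, its messages, and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint an mkfm argument list for credentials that would be
# exposed on the command line. Prints one finding per line without echoing
# the secret itself; returns 1 if anything was found, 0 otherwise.
# Note: POSIX sh has no "local", so the variables below are global.
mkfm_lint() {
    findings=0
    prev=
    for arg in "$@"; do
        keyspec=
        if [ "$prev" = -p ]; then        # value of a spaced "-p <password>"
            prev=; continue
        elif [ "$prev" = -k ]; then      # value of a spaced "-k <key>"
            keyspec=$arg; prev=
        else
            case $arg in
                -p) echo "password passed on command line"; findings=1
                    prev=-p; continue ;;
                -p?*|--password=*)
                    echo "password passed on command line"; findings=1
                    continue ;;
                -k) prev=-k; continue ;;
                -k?*) keyspec=${arg#-k} ;;
                --signer-key=*) keyspec=${arg#--signer-key=} ;;
                *) continue ;;
            esac
        fi
        token=${keyspec%/*}              # text before the last "/"
        if [ "$token" = "$keyspec" ]; then
            echo "key spec has no /KeyName part"; findings=1
        fi
        # <TokenName (PIN) /KeyName> form: parentheses in the token part.
        # A token label that itself contains "(...)" is also flagged.
        case $token in
            *"("*")"*) echo "PIN embedded in key spec"; findings=1 ;;
        esac
    done
    return "$findings"
}

# Constructed sample invocation (file names, label and PIN are made up):
mkfm_lint -f fm.bin -k "FMToken (1234) /FMSigner" -o fm.fm -p 1234 || true
```
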