Hello community, here is the log from the commit of package tpm2.0-tools for openSUSE:Factory checked in at 2018-08-22 14:22:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tpm2.0-tools (Old) and /work/SRC/openSUSE:Factory/.tpm2.0-tools.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "tpm2.0-tools" Wed Aug 22 14:22:37 2018 rev:15 rq:630849 version:3.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/tpm2.0-tools/tpm2.0-tools.changes 2018-07-06 10:41:22.275299313 +0200 +++ /work/SRC/openSUSE:Factory/.tpm2.0-tools.new/tpm2.0-tools.changes 2018-08-22 14:22:39.842680036 +0200 @@ -1,0 +2,6 @@ +Wed Aug 22 09:05:14 UTC 2018 - matthias.gerstner@suse.com + +- update to minor version 3.1.1: + - Allow man page installation without pandoc being available + +------------------------------------------------------------------- Old: ---- tpm2-tools-3.1.0.tar.gz New: ---- tpm2-tools-3.1.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tpm2.0-tools.spec ++++++ --- /var/tmp/diff_new_pack.6NOmxk/_old 2018-08-22 14:22:40.202680889 +0200 +++ /var/tmp/diff_new_pack.6NOmxk/_new 2018-08-22 14:22:40.206680899 +0200 @@ -17,7 +17,7 @@ Name: tpm2.0-tools -Version: 3.1.0 +Version: 3.1.1 Release: 0 Summary: Trusted Platform Module (TPM) 2.0 administration tools License: BSD-3-Clause 
@@ -72,12 +72,6 @@ %install make DESTDIR=%{buildroot} install %{?_smp_mflags} find %{buildroot} -type f -name "*.la" -delete -print -%if ! 0%{?is_opensuse} -# install man pages explicitly, until upstream fixes their installation -# setup in autotools, see commit 72a28f36151db9bfa59a460ae0114dcece218862 -mkdir -p %{buildroot}/%{_mandir}/man1/ -cp %{_builddir}/tpm2-tools-%{version}/man/man1/* %{buildroot}/%{_mandir}/man1/ -%endif %files %defattr(-,root,root) ++++++ tpm2-tools-3.1.0.tar.gz -> tpm2-tools-3.1.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/CHANGELOG.md new/tpm2-tools-3.1.1/CHANGELOG.md --- old/tpm2-tools-3.1.0/CHANGELOG.md 2018-06-21 22:52:46.000000000 +0200 +++ new/tpm2-tools-3.1.1/CHANGELOG.md 2018-07-09 22:46:20.000000000 +0200 @@ -1,4 +1,7 @@ ## Changelog +### 3.1.1 - 2018-07-09 + * Allow man page installation without pandoc being available + ### 3.1.0 - 2018-06-21 * Update to use TSS version 2.0 * When user supplies nv attributes use those exclusively, not in addition to the defaults diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/Makefile.am new/tpm2-tools-3.1.1/Makefile.am --- old/tpm2-tools-3.1.0/Makefile.am 2018-06-21 22:41:51.000000000 +0200 +++ new/tpm2-tools-3.1.1/Makefile.am 2018-07-09 22:45:32.000000000 +0200 @@ -241,8 +241,7 @@ README.md \ RELEASE.md \ test/system - -if HAVE_PANDOC +if HAVE_MAN_PAGES man1_MANS := \ man/man1/tpm2_activatecredential.1 \ man/man1/tpm2_certify.1 \ 
@@ -283,7 +282,9 @@ man/man1/tpm2_takeownership.1 \ man/man1/tpm2_unseal.1 \ man/man1/tpm2_verifysignature.1 +endif +if HAVE_PANDOC # If pandoc is enabled, we want to generate the manpages for the dist tarball EXTRA_DIST += $(man1_MANS) else diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/Makefile.in new/tpm2-tools-3.1.1/Makefile.in --- old/tpm2-tools-3.1.0/Makefile.in 2018-06-21 22:55:18.000000000 +0200 +++ new/tpm2-tools-3.1.1/Makefile.in 2018-07-09 22:53:26.000000000 +0200 
@@ -1151,46 +1151,46 @@ EXTRA_DIST = $(top_srcdir)/man AUTHORS.md CHANGELOG.md CONTRIBUTING.md \ INSTALL.md LICENSE MAINTAINERS.md README.md RELEASE.md \ test/system $(am__append_1) -@HAVE_PANDOC_TRUE@man1_MANS := \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_activatecredential.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_certify.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_create.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_createpolicy.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_createprimary.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_dictionarylockout.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_getcap.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_encryptdecrypt.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_evictcontrol.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_getmanufec.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_getpubak.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_getpubek.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_getrandom.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_hash.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_hmac.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_listpersistent.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_load.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_loadexternal.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_makecredential.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_nvdefine.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_nvlist.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_nvread.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_nvreadlock.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_nvrelease.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_nvwrite.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_pcrevent.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_pcrextend.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_pcrlist.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_quote.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_rc_decode.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_readpublic.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_rsadecrypt.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_rsaencrypt.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_send.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_sign.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_startup.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_takeownership.1 \ 
-@HAVE_PANDOC_TRUE@ man/man1/tpm2_unseal.1 \ -@HAVE_PANDOC_TRUE@ man/man1/tpm2_verifysignature.1 +@HAVE_MAN_PAGES_TRUE@man1_MANS := \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_activatecredential.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_certify.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_create.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_createpolicy.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_createprimary.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_dictionarylockout.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_getcap.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_encryptdecrypt.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_evictcontrol.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_getmanufec.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_getpubak.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_getpubek.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_getrandom.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_hash.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_hmac.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_listpersistent.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_load.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_loadexternal.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_makecredential.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_nvdefine.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_nvlist.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_nvread.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_nvreadlock.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_nvrelease.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_nvwrite.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_pcrevent.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_pcrextend.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_pcrlist.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_quote.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_rc_decode.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_readpublic.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_rsadecrypt.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_rsaencrypt.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_send.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_sign.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_startup.1 \ +@HAVE_MAN_PAGES_TRUE@ 
man/man1/tpm2_takeownership.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_unseal.1 \ +@HAVE_MAN_PAGES_TRUE@ man/man1/tpm2_verifysignature.1 MARKDOWN_COMMON_DEPS = \ man/common/alg.md \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/configure new/tpm2-tools-3.1.1/configure --- old/tpm2-tools-3.1.0/configure 2018-06-21 22:55:17.000000000 +0200 +++ new/tpm2-tools-3.1.1/configure 2018-07-09 22:53:26.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for tpm2-tools 3.1.0. +# Generated by GNU Autoconf 2.69 for tpm2-tools 3.1.1. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='tpm2-tools' PACKAGE_TARNAME='tpm2-tools' -PACKAGE_VERSION='3.1.0' -PACKAGE_STRING='tpm2-tools 3.1.0' +PACKAGE_VERSION='3.1.1' +PACKAGE_STRING='tpm2-tools 3.1.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -649,6 +649,8 @@ PKG_CONFIG_LIBDIR PKG_CONFIG_PATH PKG_CONFIG +HAVE_MAN_PAGES_FALSE +HAVE_MAN_PAGES_TRUE HAVE_PANDOC_FALSE HAVE_PANDOC_TRUE PANDOC @@ -1356,7 +1358,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures tpm2-tools 3.1.0 to adapt to many kinds of systems. +\`configure' configures tpm2-tools 3.1.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1426,7 +1428,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of tpm2-tools 3.1.0:";; + short | recursive ) echo "Configuration of tpm2-tools 3.1.1:";; esac cat <<\_ACEOF @@ -1556,7 +1558,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -tpm2-tools configure 3.1.0 +tpm2-tools configure 3.1.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -1834,7 +1836,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by tpm2-tools $as_me 3.1.0, which was +It was created by tpm2-tools $as_me 3.1.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -11681,7 +11683,7 @@ # Define the identity of the package. PACKAGE='tpm2-tools' - VERSION='3.1.0' + VERSION='3.1.1' cat >>confdefs.h <<_ACEOF @@ -12365,6 +12367,14 @@ HAVE_PANDOC_FALSE= fi + if test -d "${srcdir}/man/man1" -o "x${PANDOC}" = "xyes"; then + HAVE_MAN_PAGES_TRUE= + HAVE_MAN_PAGES_FALSE='#' +else + HAVE_MAN_PAGES_TRUE='#' + HAVE_MAN_PAGES_FALSE= +fi + @@ -14012,6 +14022,10 @@ as_fn_error $? "conditional \"HAVE_PANDOC\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${HAVE_MAN_PAGES_TRUE}" && test -z "${HAVE_MAN_PAGES_FALSE}"; then + as_fn_error $? "conditional \"HAVE_MAN_PAGES\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${UNIT_TRUE}" && test -z "${UNIT_FALSE}"; then as_fn_error $? "conditional \"UNIT\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -14413,7 +14427,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by tpm2-tools $as_me 3.1.0, which was +This file was extended by tpm2-tools $as_me 3.1.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -14470,7 +14484,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -tpm2-tools config.status 3.1.0 +tpm2-tools config.status 3.1.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/configure.ac new/tpm2-tools-3.1.1/configure.ac --- old/tpm2-tools-3.1.0/configure.ac 2018-06-21 22:41:51.000000000 +0200 +++ new/tpm2-tools-3.1.1/configure.ac 2018-07-09 22:45:32.000000000 +0200 @@ -15,6 +15,9 @@ [], [AC_MSG_WARN([Required executable pandoc not found, man pages will not be built])]) AM_CONDITIONAL([HAVE_PANDOC],[test "x${PANDOC}" = "xyes"]) +AM_CONDITIONAL( + [HAVE_MAN_PAGES], + [test -d "${srcdir}/man/man1" -o "x${PANDOC}" = "xyes"]) PKG_CHECK_MODULES([SAPI],[tss2-sys >= 2.0 tss2-sys < 3.0]) PKG_CHECK_MODULES([SAPI],[tss2-mu >= 2.0 tss2-sys < 3.0]) PKG_CHECK_MODULES([CRYPTO], [libcrypto >= 1.0.2g]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_changeauth.1 new/tpm2-tools-3.1.1/man/man1/tpm2_changeauth.1 --- old/tpm2-tools-3.1.0/man/man1/tpm2_changeauth.1 2018-06-20 16:40:41.000000000 +0200 +++ new/tpm2-tools-3.1.1/man/man1/tpm2_changeauth.1 2018-07-09 12:48:22.000000000 +0200 
@@ -71,9 +71,20 @@ This collection of options are common to many programs and provide information that many users may expect. .IP \[bu] 2 -\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. -This requires the manpages to be installed or on \f[I]MANPATH\f[], See -man(1) for more details. +\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools +manpage. +By default, it attempts to invoke the manpager for the tool, however, on +failure will output a short tool summary. +This is the same behavior if the \[lq]man\[rq] option argument is +specified, however if explicit \[lq]man\[rq] is requested, the tool will +provide errors from man on stderr. +If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the +short options will be output to stdout. +.RS 2 +.PP +To successfully use the manpages feature requires the manpages to be +installed or on \f[I]MANPATH\f[], See man(1) for more details. +.RE .IP \[bu] 2 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for this tool, supported tctis and exit. 
@@ -222,20 +233,108 @@ By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are: .IP \[bu] 2 -str: \- Used to indicate it is a raw string. +\f[B]str\f[]: Used to indicate it is a raw string. Useful for escaping a password that starts with the \[lq]hex:\[rq] prefix. .IP \[bu] 2 -hex: \- Used when specifying a password in hex string format. +\f[B]hmac\f[]: Use to indicate, the subsequent string specified be used +in calculating the command buffer HMAC to prevent presenting clear text +passwords on the TPM interfaces. +See CVE\-2017\-7524 for details. +.IP \[bu] 2 +\f[B]hex\f[]: Used when specifying a password in hex string format. +.IP \[bu] 2 +\f[B]session\f[]: A file containing session metadata about a previously +started session. +.IP \[bu] 2 +\f[B]pcr\f[]: A PCR specification for authenticating against a PCR +policy. .SS HMAC .PP -HMAC tickets can be presented as hex escaped passwords. +Generate an HMAC ticket for authorization. +Useful for preventing a clear text password being sent to the tpm. +.SS Example +.IP +.nf +\f[C] +tpm2_nvwrite\ \-x\ 0x1500018\ \-a\ 0x1500018\ \-P\ "hmac:hmacpass"\ test.nv +\f[] +.fi +.SS PCR Policy +.PP +To authenticate with a PCR policy, prefix the option argument with the +\f[I]pcr\f[] keyword, followed by colon, and a \f[I]pcr spec\f[]. +A pcr spec consists of a \f[C]<bank\ specifier>=<pcr\ file>\f[], where +\f[C]<bank\-spec>\f[] is mandatory and \f[C]=<pcr\-file>\f[] is +optional. +.SS PCR Bank Specifiers \f[C]<bank\-spec>\f[] +.PP +PCR Bank Specifier follow the below specification: +.IP +.nf +\f[C] +<BANK>:<PCR>[,<PCR>] +\f[] +.fi +.PP +multiple banks may be separated by `+'. +.PP +For example: +.IP +.nf +\f[C] +sha:3,4+sha256:5,6 +\f[] +.fi +.PP +will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the +SHA256 bank. +.PP +\f[B]Note\f[]: PCR Selections allow for up to 5 hash to pcr selection +mappings. 
+This is a limitaion in design in the single call to the tpm to get the +pcr values. +.SS PCR File \f[C]<pcr\-file>\f[] +.PP +This is a computed file that matches the specifier that contains the PCR +values. +This prevents a PCR read. +This file can be generated via \f[B]tpm2_pcrlist\f[] as in the below +example: +.IP +.nf +\f[C] +tpm2_pcrlist\ \-Q\ \-L\ sha1:0,1,2,3\ \-o\ pcr.dat +\f[] +.fi +.SS Example +.IP +.nf +\f[C] +echo\ \-n\ "policy\ locked"\ |\ tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x1500016\ \-P"pcr:sha1:0,1,2,3=pcr.dat" +\f[] +.fi .SS Sessions .PP When using a policy session to authorize the use of an object, one -prefixes the option argument with the \f[I]session\f[] keyword. +prefixes the option argument with the \f[I]session\f[] keyword followed +by a colon. You then indicate a path to a session file that was created with tpm2_startauthsession(1). +.SS Example +.IP +.nf +\f[C] +#\ Start\ a\ session +tpm2_startauthsession\ \-a\ \-S\ s.dat + +#\ Do\ some\ policy\ event,\ in\ this\ case\ we\ will\ satisfy\ a\ PCR\ policy +tpm2_policypcr\ \-S\ s.dat\ \-L\ sha1:0,1,2,3\ \-F\ pcr.dat\ \-f\ policy.dat + +#\ Use\ that\ session\ for\ authorization +tpm2_unseal\ \-P"session:s.dat"\ \-c\ key.ctx +\f[] +.fi .SH EXAMPLES .PP Set owner, endorsement and lockout authorizations to a new value: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_clear.1 new/tpm2-tools-3.1.1/man/man1/tpm2_clear.1 --- old/tpm2-tools-3.1.0/man/man1/tpm2_clear.1 2018-06-20 16:40:41.000000000 +0200 +++ new/tpm2-tools-3.1.1/man/man1/tpm2_clear.1 2018-07-09 12:48:22.000000000 +0200 
@@ -31,9 +31,20 @@ This collection of options are common to many programs and provide information that many users may expect. .IP \[bu] 2 -\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. -This requires the manpages to be installed or on \f[I]MANPATH\f[], See -man(1) for more details. +\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools +manpage. +By default, it attempts to invoke the manpager for the tool, however, on +failure will output a short tool summary. +This is the same behavior if the \[lq]man\[rq] option argument is +specified, however if explicit \[lq]man\[rq] is requested, the tool will +provide errors from man on stderr. +If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the +short options will be output to stdout. +.RS 2 +.PP +To successfully use the manpages feature requires the manpages to be +installed or on \f[I]MANPATH\f[], See man(1) for more details. +.RE .IP \[bu] 2 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for this tool, supported tctis and exit. 
@@ -182,20 +193,108 @@ By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are: .IP \[bu] 2 -str: \- Used to indicate it is a raw string. +\f[B]str\f[]: Used to indicate it is a raw string. Useful for escaping a password that starts with the \[lq]hex:\[rq] prefix. .IP \[bu] 2 -hex: \- Used when specifying a password in hex string format. +\f[B]hmac\f[]: Use to indicate, the subsequent string specified be used +in calculating the command buffer HMAC to prevent presenting clear text +passwords on the TPM interfaces. +See CVE\-2017\-7524 for details. +.IP \[bu] 2 +\f[B]hex\f[]: Used when specifying a password in hex string format. +.IP \[bu] 2 +\f[B]session\f[]: A file containing session metadata about a previously +started session. +.IP \[bu] 2 +\f[B]pcr\f[]: A PCR specification for authenticating against a PCR +policy. .SS HMAC .PP -HMAC tickets can be presented as hex escaped passwords. +Generate an HMAC ticket for authorization. +Useful for preventing a clear text password being sent to the tpm. +.SS Example +.IP +.nf +\f[C] +tpm2_nvwrite\ \-x\ 0x1500018\ \-a\ 0x1500018\ \-P\ "hmac:hmacpass"\ test.nv +\f[] +.fi +.SS PCR Policy +.PP +To authenticate with a PCR policy, prefix the option argument with the +\f[I]pcr\f[] keyword, followed by colon, and a \f[I]pcr spec\f[]. +A pcr spec consists of a \f[C]<bank\ specifier>=<pcr\ file>\f[], where +\f[C]<bank\-spec>\f[] is mandatory and \f[C]=<pcr\-file>\f[] is +optional. +.SS PCR Bank Specifiers \f[C]<bank\-spec>\f[] +.PP +PCR Bank Specifier follow the below specification: +.IP +.nf +\f[C] +<BANK>:<PCR>[,<PCR>] +\f[] +.fi +.PP +multiple banks may be separated by `+'. +.PP +For example: +.IP +.nf +\f[C] +sha:3,4+sha256:5,6 +\f[] +.fi +.PP +will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the +SHA256 bank. +.PP +\f[B]Note\f[]: PCR Selections allow for up to 5 hash to pcr selection +mappings. 
+This is a limitaion in design in the single call to the tpm to get the +pcr values. +.SS PCR File \f[C]<pcr\-file>\f[] +.PP +This is a computed file that matches the specifier that contains the PCR +values. +This prevents a PCR read. +This file can be generated via \f[B]tpm2_pcrlist\f[] as in the below +example: +.IP +.nf +\f[C] +tpm2_pcrlist\ \-Q\ \-L\ sha1:0,1,2,3\ \-o\ pcr.dat +\f[] +.fi +.SS Example +.IP +.nf +\f[C] +echo\ \-n\ "policy\ locked"\ |\ tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x1500016\ \-P"pcr:sha1:0,1,2,3=pcr.dat" +\f[] +.fi .SS Sessions .PP When using a policy session to authorize the use of an object, one -prefixes the option argument with the \f[I]session\f[] keyword. +prefixes the option argument with the \f[I]session\f[] keyword followed +by a colon. You then indicate a path to a session file that was created with tpm2_startauthsession(1). +.SS Example +.IP +.nf +\f[C] +#\ Start\ a\ session +tpm2_startauthsession\ \-a\ \-S\ s.dat + +#\ Do\ some\ policy\ event,\ in\ this\ case\ we\ will\ satisfy\ a\ PCR\ policy +tpm2_policypcr\ \-S\ s.dat\ \-L\ sha1:0,1,2,3\ \-F\ pcr.dat\ \-f\ policy.dat + +#\ Use\ that\ session\ for\ authorization +tpm2_unseal\ \-P"session:s.dat"\ \-c\ key.ctx +\f[] +.fi .SH EXAMPLES .PP Set owner, endorsement and lockout authorizations to an empty auth diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_clearlock.1 new/tpm2-tools-3.1.1/man/man1/tpm2_clearlock.1 --- old/tpm2-tools-3.1.0/man/man1/tpm2_clearlock.1 2018-06-20 16:40:41.000000000 +0200 +++ new/tpm2-tools-3.1.1/man/man1/tpm2_clearlock.1 2018-07-09 12:48:22.000000000 +0200 
@@ -36,9 +36,20 @@ This collection of options are common to many programs and provide information that many users may expect. .IP \[bu] 2 -\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. -This requires the manpages to be installed or on \f[I]MANPATH\f[], See -man(1) for more details. +\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools +manpage. +By default, it attempts to invoke the manpager for the tool, however, on +failure will output a short tool summary. +This is the same behavior if the \[lq]man\[rq] option argument is +specified, however if explicit \[lq]man\[rq] is requested, the tool will +provide errors from man on stderr. +If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the +short options will be output to stdout. +.RS 2 +.PP +To successfully use the manpages feature requires the manpages to be +installed or on \f[I]MANPATH\f[], See man(1) for more details. +.RE .IP \[bu] 2 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for this tool, supported tctis and exit. 
@@ -187,20 +198,108 @@ By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are: .IP \[bu] 2 -str: \- Used to indicate it is a raw string. +\f[B]str\f[]: Used to indicate it is a raw string. Useful for escaping a password that starts with the \[lq]hex:\[rq] prefix. .IP \[bu] 2 -hex: \- Used when specifying a password in hex string format. +\f[B]hmac\f[]: Use to indicate, the subsequent string specified be used +in calculating the command buffer HMAC to prevent presenting clear text +passwords on the TPM interfaces. +See CVE\-2017\-7524 for details. +.IP \[bu] 2 +\f[B]hex\f[]: Used when specifying a password in hex string format. +.IP \[bu] 2 +\f[B]session\f[]: A file containing session metadata about a previously +started session. +.IP \[bu] 2 +\f[B]pcr\f[]: A PCR specification for authenticating against a PCR +policy. .SS HMAC .PP -HMAC tickets can be presented as hex escaped passwords. +Generate an HMAC ticket for authorization. +Useful for preventing a clear text password being sent to the tpm. +.SS Example +.IP +.nf +\f[C] +tpm2_nvwrite\ \-x\ 0x1500018\ \-a\ 0x1500018\ \-P\ "hmac:hmacpass"\ test.nv +\f[] +.fi +.SS PCR Policy +.PP +To authenticate with a PCR policy, prefix the option argument with the +\f[I]pcr\f[] keyword, followed by colon, and a \f[I]pcr spec\f[]. +A pcr spec consists of a \f[C]<bank\ specifier>=<pcr\ file>\f[], where +\f[C]<bank\-spec>\f[] is mandatory and \f[C]=<pcr\-file>\f[] is +optional. +.SS PCR Bank Specifiers \f[C]<bank\-spec>\f[] +.PP +PCR Bank Specifier follow the below specification: +.IP +.nf +\f[C] +<BANK>:<PCR>[,<PCR>] +\f[] +.fi +.PP +multiple banks may be separated by `+'. +.PP +For example: +.IP +.nf +\f[C] +sha:3,4+sha256:5,6 +\f[] +.fi +.PP +will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the +SHA256 bank. +.PP +\f[B]Note\f[]: PCR Selections allow for up to 5 hash to pcr selection +mappings. 
+This is a limitaion in design in the single call to the tpm to get the +pcr values. +.SS PCR File \f[C]<pcr\-file>\f[] +.PP +This is a computed file that matches the specifier that contains the PCR +values. +This prevents a PCR read. +This file can be generated via \f[B]tpm2_pcrlist\f[] as in the below +example: +.IP +.nf +\f[C] +tpm2_pcrlist\ \-Q\ \-L\ sha1:0,1,2,3\ \-o\ pcr.dat +\f[] +.fi +.SS Example +.IP +.nf +\f[C] +echo\ \-n\ "policy\ locked"\ |\ tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x1500016\ \-P"pcr:sha1:0,1,2,3=pcr.dat" +\f[] +.fi .SS Sessions .PP When using a policy session to authorize the use of an object, one -prefixes the option argument with the \f[I]session\f[] keyword. +prefixes the option argument with the \f[I]session\f[] keyword followed +by a colon. You then indicate a path to a session file that was created with tpm2_startauthsession(1). +.SS Example +.IP +.nf +\f[C] +#\ Start\ a\ session +tpm2_startauthsession\ \-a\ \-S\ s.dat + +#\ Do\ some\ policy\ event,\ in\ this\ case\ we\ will\ satisfy\ a\ PCR\ policy +tpm2_policypcr\ \-S\ s.dat\ \-L\ sha1:0,1,2,3\ \-F\ pcr.dat\ \-f\ policy.dat + +#\ Use\ that\ session\ for\ authorization +tpm2_unseal\ \-P"session:s.dat"\ \-c\ key.ctx +\f[] +.fi .SH EXAMPLES .PP Enable the clear command on the platform hierarchy. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_createak.1 new/tpm2-tools-3.1.1/man/man1/tpm2_createak.1 --- old/tpm2-tools-3.1.0/man/man1/tpm2_createak.1 2018-06-20 16:40:41.000000000 +0200 +++ new/tpm2-tools-3.1.1/man/man1/tpm2_createak.1 2018-07-09 12:48:22.000000000 +0200 @@ -32,7 +32,7 @@ .fi .SH OPTIONS .IP \[bu] 2 -\f[B]\-E\f[], \f[B]\[en]auth\-endorse\f[]=\f[I]ENDORSE_AUTH\f[]: +\f[B]\-e\f[], \f[B]\[en]auth\-endorse\f[]=\f[I]ENDORSE_AUTH\f[]: Specifies current endorsement authorization. Authorizations should follow the \[lq]authorization formatting standards\[rq], see section \[lq]Authorization Formatting\[rq]. 
@@ -63,15 +63,20 @@ \f[B]\-p\f[] option, the AK can be restored via a call to tpm2_loadexternal(1). .IP \[bu] 2 -\f[B]\-g\f[], \f[B]\[en]algorithm\f[]=\f[I]ALGORITHM\f[]: Specifies the +\f[B]\-G\f[], \f[B]\[en]algorithm\f[]=\f[I]ALGORITHM\f[]: Specifies the algorithm type of AK. -Algorithms should follow the \[lq]formatting standards\[rq], see section -\[lq]Algorithm Specifiers\[rq]. -See section \[lq]Supported Public Object Algorithms\[rq] for a list of -supported object algorithms. +Supports: +.RS 2 +.IP \[bu] 2 +ecc \- An P256 key. +.IP \[bu] 2 +rsa \- An RSA2048 key. +.IP \[bu] 2 +keyedhash \- hmac key. +.RE .IP \[bu] 2 \f[B]\-D\f[], \f[B]\[en]digest\-alg\f[]=\f[I]HASH_ALGORITHM\f[]: Like -\-g, but specifies the digest algorithm. +\-g, but specifies the digest algorithm used for signing. Algorithms should follow the \[lq]formatting standards\[rq], see section \[lq]Algorithm Specifiers\[rq]. See section \[lq]Supported Hash Algorithms\[rq] for a list of supported 
@@ -113,9 +118,20 @@ This collection of options are common to many programs and provide information that many users may expect. .IP \[bu] 2 -\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. -This requires the manpages to be installed or on \f[I]MANPATH\f[], See -man(1) for more details. +\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools +manpage. +By default, it attempts to invoke the manpager for the tool, however, on +failure will output a short tool summary. +This is the same behavior if the \[lq]man\[rq] option argument is +specified, however if explicit \[lq]man\[rq] is requested, the tool will +provide errors from man on stderr. +If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the +short options will be output to stdout. +.RS 2 +.PP +To successfully use the manpages feature requires the manpages to be +installed or on \f[I]MANPATH\f[], See man(1) for more details. +.RE .IP \[bu] 2 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for this tool, supported tctis and exit. 
@@ -264,20 +280,108 @@ By default passwords are assumed to be in the string form. Password form is specified with special prefix values, they are: .IP \[bu] 2 -str: \- Used to indicate it is a raw string. +\f[B]str\f[]: Used to indicate it is a raw string. Useful for escaping a password that starts with the \[lq]hex:\[rq] prefix. .IP \[bu] 2 -hex: \- Used when specifying a password in hex string format. +\f[B]hmac\f[]: Use to indicate, the subsequent string specified be used +in calculating the command buffer HMAC to prevent presenting clear text +passwords on the TPM interfaces. +See CVE\-2017\-7524 for details. +.IP \[bu] 2 +\f[B]hex\f[]: Used when specifying a password in hex string format. +.IP \[bu] 2 +\f[B]session\f[]: A file containing session metadata about a previously +started session. +.IP \[bu] 2 +\f[B]pcr\f[]: A PCR specification for authenticating against a PCR +policy. .SS HMAC .PP -HMAC tickets can be presented as hex escaped passwords. +Generate an HMAC ticket for authorization. +Useful for preventing a clear text password being sent to the tpm. +.SS Example +.IP +.nf +\f[C] +tpm2_nvwrite\ \-x\ 0x1500018\ \-a\ 0x1500018\ \-P\ "hmac:hmacpass"\ test.nv +\f[] +.fi +.SS PCR Policy +.PP +To authenticate with a PCR policy, prefix the option argument with the +\f[I]pcr\f[] keyword, followed by colon, and a \f[I]pcr spec\f[]. +A pcr spec consists of a \f[C]<bank\ specifier>=<pcr\ file>\f[], where +\f[C]<bank\-spec>\f[] is mandatory and \f[C]=<pcr\-file>\f[] is +optional. +.SS PCR Bank Specifiers \f[C]<bank\-spec>\f[] +.PP +PCR Bank Specifier follow the below specification: +.IP +.nf +\f[C] +<BANK>:<PCR>[,<PCR>] +\f[] +.fi +.PP +multiple banks may be separated by `+'. +.PP +For example: +.IP +.nf +\f[C] +sha:3,4+sha256:5,6 +\f[] +.fi +.PP +will select PCRs 3 and 4 from the SHA bank and PCRs 5 and 6 from the +SHA256 bank. +.PP +\f[B]Note\f[]: PCR Selections allow for up to 5 hash to pcr selection +mappings. 
+This is a limitaion in design in the single call to the tpm to get the +pcr values. +.SS PCR File \f[C]<pcr\-file>\f[] +.PP +This is a computed file that matches the specifier that contains the PCR +values. +This prevents a PCR read. +This file can be generated via \f[B]tpm2_pcrlist\f[] as in the below +example: +.IP +.nf +\f[C] +tpm2_pcrlist\ \-Q\ \-L\ sha1:0,1,2,3\ \-o\ pcr.dat +\f[] +.fi +.SS Example +.IP +.nf +\f[C] +echo\ \-n\ "policy\ locked"\ |\ tpm2_nvwrite\ \-x\ 0x1500016\ \-a\ 0x1500016\ \-P"pcr:sha1:0,1,2,3=pcr.dat" +\f[] +.fi .SS Sessions .PP When using a policy session to authorize the use of an object, one -prefixes the option argument with the \f[I]session\f[] keyword. +prefixes the option argument with the \f[I]session\f[] keyword followed +by a colon. You then indicate a path to a session file that was created with tpm2_startauthsession(1). +.SS Example +.IP +.nf +\f[C] +#\ Start\ a\ session +tpm2_startauthsession\ \-a\ \-S\ s.dat + +#\ Do\ some\ policy\ event,\ in\ this\ case\ we\ will\ satisfy\ a\ PCR\ policy +tpm2_policypcr\ \-S\ s.dat\ \-L\ sha1:0,1,2,3\ \-F\ pcr.dat\ \-f\ policy.dat + +#\ Use\ that\ session\ for\ authorization +tpm2_unseal\ \-P"session:s.dat"\ \-c\ key.ctx +\f[] +.fi .SH Context Object Format .PP The type of a context object, whether it is a handle or file name, is 
@@ -313,15 +417,134 @@ .SH Supported Public Object Algorithms .PP Supported public object algorithms are: +.SS Symmetric +.SS AES +.PP +The AES cipher has a bitsize and a mode. +When the mode is not specified, ie a \[lq]NULL\[rq] mode, the TPM will +allow any mode usages on subsequent key uses. +If the mode is specified during object creation, only that mode is +allowed in subsequent use cases. +.IP \[bu] 2 +\f[B]aes\f[] \- Default AES selection. +The default AES Selection is AES 256 with a NULL mode. +.IP \[bu] 2 +\f[B]aes[128|192|256]\f[] \- AES with a key size of 128, 192 and 256 +respectively with a NULL mode. +.IP \[bu] 2 +\f[B]aes[128|192|256][cbc|ocb|cfb|ecb]\f[] \- AES with a key size of +128, 192 and 256 and a mode of cbc, ocb, cfb and ecb respectively. +.SS Examples +.IP \[bu] 2 +aes256cbc \- AES with a key bitsize of 256 and a mode of cbc. +.IP \[bu] 2 +aes192cfb \- AES with a bitsize of 192 and mode of cfb. +.IP \[bu] 2 +aes128 \- AES with a bitsize of 128 and NULL mode. +.SS Asymmetric +.SS RSA +.PP +The RSA cipher has a bitsize, and the TPM (optionally) supports +associating a symmetric key along with the RSA algorithm. +The AES key will be used for encryption modes that rely on an RSA +scheme, like RSAES_OAEP. +.IP \[bu] 2 +\f[B]rsa\f[] \- Default RSA algorithm. +The default bitsize is 2048. +Depending on if the object is a restricted object (aka a parent object), +the algorithms encryption options will default to: +.RS 2 .IP \[bu] 2 -\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] -(\f[B]default\f[]). +restricted object \- scheme of null and a NULL symmetric algorithm. .IP \[bu] 2 -\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. +non\-restricted object \- scheme of null and an aes256cfb symmetric +algorithm. +.RE +.IP \[bu] 2 +\f[B]rsa[1024|2048]\f[] \- Similar to \f[B]rsa\f[] option, but provides +control over the key size to either 1024 or 2048 respectively. 
+.IP \[bu] 2 +\f[B]rsa[1024|2048|4096]:[oaep|rsaes]\f[] \- Similar to +\f[B]rsa[1024|2048|4096]\f[] option, but provides the ability to control +the scheme. +The algorithms encryption options will default to: aes256cfb. +.IP \[bu] 2 +\f[B]rsa[1024|2048]:[oaep|rsaes]:aes\f[] Similar to +\f[B]rsa[1024|2048]:[oaep|rsaes]\f[] option, but provides full control +over the aes key options. +See the section \f[B]AES\f[] for details of these AES strings. +.SS Examples +.IP \[bu] 2 +rsa1024 \- Creates an RSA 1024 key with a scheme and symmetric algorithm +dependent on the restricted attribute. +.IP \[bu] 2 +rsa:oeap:aes \- Creates an RSA 2048 key with an AES\-OEAP scheme and an +AES default key based on attributes. +.IP \[bu] 2 +rsa1024:null:aes128cbc \- Creates an RSA 1024 key with a NULL encryption +scheme and an AES key of 128 for use ONLY with CBC. +.SS ECC +.PP +The ECC cipher has a size, and the TPM (optionally) supports associating +a symmetric key along with the ECC algorithm. +The AES key will be used for encryption modes that rely on an asymmetric +encryption scheme, like RSAES_OAEP. +.IP \[bu] 2 +\f[B]ecc\f[] \- Default ECC algorithm. +The default curve size is 256. +Depending on if the object is a restricted object (aka a parent object), +the algorithms encryption options will default to: +.RS 2 +.IP \[bu] 2 +restricted object \- scheme of null and a NULL symmetric algorithm. +.IP \[bu] 2 +non\-restricted object \- scheme of null and an aes256cfb symmetric +algorithm. +.RE +.IP \[bu] 2 +\f[B]ecc[224|256|384|521]\f[] \- Similar to \f[B]ecc\f[] option, but +provides control over the curve size to either 224,256,384 or 521 +respectively. +.IP \[bu] 2 +\f[B]ecc[224|256|384|521]:[oaep|rsaes]\f[] \- Similar to +\f[B]ecc[224|256|384|521]\f[] option, but provides the ability to +control the scheme. +The algorithms encryption options will default to: aes256cfb. 
+.IP \[bu] 2 +\f[B]ecc[224|256|384|521]:[oaep|rsaes]:aes\f[] Similar to +\f[B]ecc[224|256|384|521]:[oaep|rsaes]\f[] option, but provides full +control over the aes key options. +See the section \f[B]AES\f[] for details of these AES strings. +.SS Examples +.IP \[bu] 2 +ecc224 \- Creates an ECC 224 key with a scheme and symmetric algorithm +dependent on the restricted attribute. +.IP \[bu] 2 +ecc:oeap:aes \- Creates an ECC 256 key with an AES\-OEAP scheme and an +AES default key based on attributes. +.IP \[bu] 2 +ecc384:null:aes128cbc \- Creates an ECC 384 key with a NULL encryption +scheme and an AES key of 128 for use ONLY with CBC. +.SS KeyedHash +.PP +The keyedhash algorithms are hmac and xor. +.SS HMAC +.PP +The HMAC algorithm needs a hashing algorithm and nothing more. +It defaults to sha256 if not specified. .IP \[bu] 2 -\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. +\f[B]hmac:[sha256|sha384|sha512]\f[] \- Generate an HMAC key valid for +the associated hash algorithm, defaults to sha256 if not specified. +.SS XOR +.PP +The XOR algorithm needs a hashing algorithm and nothing more. +It defaults to sha256 if not specified. +The XOR scheme should be used where confidentiality of the objects is +desired, but secrecy is not mandatory. +The algorithm is lightweight and quick. .IP \[bu] 2 -\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. +\f[B]xor:[sha256|sha384|sha512]\f[] \- Generate an XOR key valid for the +associated hash algorithm, defaults to sha256 if not specified. .PP \f[B]NOTE\f[]: Your TPM may not support all algorithms. .SH Supported Hash Algorithms diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_createek.1 new/tpm2-tools-3.1.1/man/man1/tpm2_createek.1 --- old/tpm2-tools-3.1.0/man/man1/tpm2_createek.1 2018-06-20 16:40:41.000000000 +0200 +++ new/tpm2-tools-3.1.1/man/man1/tpm2_createek.1 2018-07-09 12:48:22.000000000 +0200 
@@ -48,12 +48,17 @@ tpm2_loadexternal(1). .RE .IP \[bu] 2 -\f[B]\-g\f[], \f[B]\[en]algorithm\f[]=\f[I]ALGORITHM\f[]: specifies the +\f[B]\-G\f[], \f[B]\[en]algorithm\f[]=\f[I]ALGORITHM\f[]: specifies the algorithm type of EK. -See section \[lq]Supported Public Object Algorithms\[rq] for a list of -supported object algorithms. -See section \[lq]Algorithm Specifiers\[rq] on how to specify an -algorithm argument. +Supports: +.RS 2 +.IP \[bu] 2 +ecc \- An P256 key. +.IP \[bu] 2 +rsa \- An RSA2048 key. +.IP \[bu] 2 +keyedhash \- hmac key. +.RE .IP \[bu] 2 \f[B]\-p\f[], \f[B]\[en]file\f[]=\f[I]FILE\f[]: Optional: specifies the file used to save the public portion of EK. @@ -83,9 +88,20 @@ This collection of options are common to many programs and provide information that many users may expect. .IP \[bu] 2 -\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. -This requires the manpages to be installed or on \f[I]MANPATH\f[], See -man(1) for more details. +\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools +manpage. +By default, it attempts to invoke the manpager for the tool, however, on +failure will output a short tool summary. +This is the same behavior if the \[lq]man\[rq] option argument is +specified, however if explicit \[lq]man\[rq] is requested, the tool will +provide errors from man on stderr. +If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the +short options will be output to stdout. +.RS 2 +.PP +To successfully use the manpages feature requires the manpages to be +installed or on \f[I]MANPATH\f[], See man(1) for more details. +.RE .IP \[bu] 2 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for this tool, supported tctis and exit. 
@@ -227,15 +243,134 @@ .SH Supported Public Object Algorithms .PP Supported public object algorithms are: +.SS Symmetric +.SS AES +.PP +The AES cipher has a bitsize and a mode. +When the mode is not specified, ie a \[lq]NULL\[rq] mode, the TPM will +allow any mode usages on subsequent key uses. +If the mode is specified during object creation, only that mode is +allowed in subsequent use cases. +.IP \[bu] 2 +\f[B]aes\f[] \- Default AES selection. +The default AES Selection is AES 256 with a NULL mode. +.IP \[bu] 2 +\f[B]aes[128|192|256]\f[] \- AES with a key size of 128, 192 and 256 +respectively with a NULL mode. +.IP \[bu] 2 +\f[B]aes[128|192|256][cbc|ocb|cfb|ecb]\f[] \- AES with a key size of +128, 192 and 256 and a mode of cbc, ocb, cfb and ecb respectively. +.SS Examples +.IP \[bu] 2 +aes256cbc \- AES with a key bitsize of 256 and a mode of cbc. +.IP \[bu] 2 +aes192cfb \- AES with a bitsize of 192 and mode of cfb. +.IP \[bu] 2 +aes128 \- AES with a bitsize of 128 and NULL mode. +.SS Asymmetric +.SS RSA +.PP +The RSA cipher has a bitsize, and the TPM (optionally) supports +associating a symmetric key along with the RSA algorithm. +The AES key will be used for encryption modes that rely on an RSA +scheme, like RSAES_OAEP. +.IP \[bu] 2 +\f[B]rsa\f[] \- Default RSA algorithm. +The default bitsize is 2048. +Depending on if the object is a restricted object (aka a parent object), +the algorithms encryption options will default to: +.RS 2 +.IP \[bu] 2 +restricted object \- scheme of null and a NULL symmetric algorithm. +.IP \[bu] 2 +non\-restricted object \- scheme of null and an aes256cfb symmetric +algorithm. +.RE .IP \[bu] 2 -\f[B]0x1\f[] or \f[B]rsa\f[] for \f[B]TPM_ALG_RSA\f[] -(\f[B]default\f[]). +\f[B]rsa[1024|2048]\f[] \- Similar to \f[B]rsa\f[] option, but provides +control over the key size to either 1024 or 2048 respectively. .IP \[bu] 2 -\f[B]0x8\f[] or \f[B]keyedhash\f[] for \f[B]TPM_ALG_KEYEDHASH\f[]. 
+\f[B]rsa[1024|2048|4096]:[oaep|rsaes]\f[] \- Similar to +\f[B]rsa[1024|2048|4096]\f[] option, but provides the ability to control +the scheme. +The algorithms encryption options will default to: aes256cfb. +.IP \[bu] 2 +\f[B]rsa[1024|2048]:[oaep|rsaes]:aes\f[] Similar to +\f[B]rsa[1024|2048]:[oaep|rsaes]\f[] option, but provides full control +over the aes key options. +See the section \f[B]AES\f[] for details of these AES strings. +.SS Examples +.IP \[bu] 2 +rsa1024 \- Creates an RSA 1024 key with a scheme and symmetric algorithm +dependent on the restricted attribute. +.IP \[bu] 2 +rsa:oeap:aes \- Creates an RSA 2048 key with an AES\-OEAP scheme and an +AES default key based on attributes. +.IP \[bu] 2 +rsa1024:null:aes128cbc \- Creates an RSA 1024 key with a NULL encryption +scheme and an AES key of 128 for use ONLY with CBC. +.SS ECC +.PP +The ECC cipher has a size, and the TPM (optionally) supports associating +a symmetric key along with the ECC algorithm. +The AES key will be used for encryption modes that rely on an asymmetric +encryption scheme, like RSAES_OAEP. +.IP \[bu] 2 +\f[B]ecc\f[] \- Default ECC algorithm. +The default curve size is 256. +Depending on if the object is a restricted object (aka a parent object), +the algorithms encryption options will default to: +.RS 2 +.IP \[bu] 2 +restricted object \- scheme of null and a NULL symmetric algorithm. +.IP \[bu] 2 +non\-restricted object \- scheme of null and an aes256cfb symmetric +algorithm. +.RE .IP \[bu] 2 -\f[B]0x23\f[] or \f[B]ecc\f[] for \f[B]TPM_ALG_ECC\f[]. +\f[B]ecc[224|256|384|521]\f[] \- Similar to \f[B]ecc\f[] option, but +provides control over the curve size to either 224,256,384 or 521 +respectively. +.IP \[bu] 2 +\f[B]ecc[224|256|384|521]:[oaep|rsaes]\f[] \- Similar to +\f[B]ecc[224|256|384|521]\f[] option, but provides the ability to +control the scheme. +The algorithms encryption options will default to: aes256cfb. 
+.IP \[bu] 2 +\f[B]ecc[224|256|384|521]:[oaep|rsaes]:aes\f[] Similar to +\f[B]ecc[224|256|384|521]:[oaep|rsaes]\f[] option, but provides full +control over the aes key options. +See the section \f[B]AES\f[] for details of these AES strings. +.SS Examples +.IP \[bu] 2 +ecc224 \- Creates an ECC 224 key with a scheme and symmetric algorithm +dependent on the restricted attribute. +.IP \[bu] 2 +ecc:oeap:aes \- Creates an ECC 256 key with an AES\-OEAP scheme and an +AES default key based on attributes. +.IP \[bu] 2 +ecc384:null:aes128cbc \- Creates an ECC 384 key with a NULL encryption +scheme and an AES key of 128 for use ONLY with CBC. +.SS KeyedHash +.PP +The keyedhash algorithms are hmac and xor. +.SS HMAC +.PP +The HMAC algorithm needs a hashing algorithm and nothing more. +It defaults to sha256 if not specified. +.IP \[bu] 2 +\f[B]hmac:[sha256|sha384|sha512]\f[] \- Generate an HMAC key valid for +the associated hash algorithm, defaults to sha256 if not specified. +.SS XOR +.PP +The XOR algorithm needs a hashing algorithm and nothing more. +It defaults to sha256 if not specified. +The XOR scheme should be used where confidentiality of the objects is +desired, but secrecy is not mandatory. +The algorithm is lightweight and quick. .IP \[bu] 2 -\f[B]0x25\f[] or \f[B]symcipher\f[] for \f[B]TPM_ALG_SYMCIPHER\f[]. +\f[B]xor:[sha256|sha384|sha512]\f[] \- Generate an XOR key valid for the +associated hash algorithm, defaults to sha256 if not specified. .PP \f[B]NOTE\f[]: Your TPM may not support all algorithms. .SH Algorithm Specifiers diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_flushcontext.1 new/tpm2-tools-3.1.1/man/man1/tpm2_flushcontext.1 --- old/tpm2-tools-3.1.0/man/man1/tpm2_flushcontext.1 2018-06-20 16:40:43.000000000 +0200 +++ new/tpm2-tools-3.1.1/man/man1/tpm2_flushcontext.1 2018-07-09 12:48:24.000000000 +0200 
@@ -41,9 +41,20 @@ This collection of options are common to many programs and provide information that many users may expect. .IP \[bu] 2 -\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. -This requires the manpages to be installed or on \f[I]MANPATH\f[], See -man(1) for more details. +\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools +manpage. +By default, it attempts to invoke the manpager for the tool, however, on +failure will output a short tool summary. +This is the same behavior if the \[lq]man\[rq] option argument is +specified, however if explicit \[lq]man\[rq] is requested, the tool will +provide errors from man on stderr. +If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the +short options will be output to stdout. +.RS 2 +.PP +To successfully use the manpages feature requires the manpages to be +installed or on \f[I]MANPATH\f[], See man(1) for more details. +.RE .IP \[bu] 2 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for this tool, supported tctis and exit. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_import.1 new/tpm2-tools-3.1.1/man/man1/tpm2_import.1 --- old/tpm2-tools-3.1.0/man/man1/tpm2_import.1 2018-06-20 16:40:43.000000000 +0200 +++ new/tpm2-tools-3.1.1/man/man1/tpm2_import.1 2018-07-09 12:48:25.000000000 +0200 
@@ -21,10 +21,14 @@ These options control the key importation process: .IP \[bu] 2 \f[B]\-G\f[], \f[B]\[en]import\-key\-alg\f[]=\f[I]ALGORITHM\f[]: The -algorithm used by the key to be imported, AES and RSA keys are -supported. -Algorithms should follow the \[lq]formatting standards\[rq], see section -\[lq]Algorithm Specifiers\[rq]. +algorithm used by the key to be imported. +Supports: +.RS 2 +.IP \[bu] 2 +aes \- AES 128 key. +.IP \[bu] 2 +rsa \- RSA 2048 key. +.RE .IP \[bu] 2 \f[B]\-k\f[], \f[B]\[en]input\-key\-file\f[]=\f[I]FILE\f[]: Specifies the filename of symmetric key (128 bit data) to be imported. 
@@ -58,9 +62,20 @@ This collection of options are common to many programs and provide information that many users may expect. .IP \[bu] 2 -\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. -This requires the manpages to be installed or on \f[I]MANPATH\f[], See -man(1) for more details. +\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools +manpage. +By default, it attempts to invoke the manpager for the tool, however, on +failure will output a short tool summary. +This is the same behavior if the \[lq]man\[rq] option argument is +specified, however if explicit \[lq]man\[rq] is requested, the tool will +provide errors from man on stderr. +If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the +short options will be output to stdout. +.RS 2 +.PP +To successfully use the manpages feature requires the manpages to be +installed or on \f[I]MANPATH\f[], See man(1) for more details. +.RE .IP \[bu] 2 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for this tool, supported tctis and exit. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_policypcr.1 new/tpm2-tools-3.1.1/man/man1/tpm2_policypcr.1 --- old/tpm2-tools-3.1.0/man/man1/tpm2_policypcr.1 2018-06-20 16:40:46.000000000 +0200 +++ new/tpm2-tools-3.1.1/man/man1/tpm2_policypcr.1 2018-07-09 12:48:27.000000000 +0200 
@@ -37,9 +37,20 @@ This collection of options are common to many programs and provide information that many users may expect. .IP \[bu] 2 -\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. -This requires the manpages to be installed or on \f[I]MANPATH\f[], See -man(1) for more details. +\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools +manpage. +By default, it attempts to invoke the manpager for the tool, however, on +failure will output a short tool summary. +This is the same behavior if the \[lq]man\[rq] option argument is +specified, however if explicit \[lq]man\[rq] is requested, the tool will +provide errors from man on stderr. +If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the +short options will be output to stdout. +.RS 2 +.PP +To successfully use the manpages feature requires the manpages to be +installed or on \f[I]MANPATH\f[], See man(1) for more details. +.RE .IP \[bu] 2 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for this tool, supported tctis and exit. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_policyrestart.1 new/tpm2-tools-3.1.1/man/man1/tpm2_policyrestart.1 --- old/tpm2-tools-3.1.0/man/man1/tpm2_policyrestart.1 2018-06-20 16:40:45.000000000 +0200 +++ new/tpm2-tools-3.1.1/man/man1/tpm2_policyrestart.1 2018-07-09 12:48:27.000000000 +0200 
@@ -35,9 +35,20 @@ This collection of options are common to many programs and provide information that many users may expect. .IP \[bu] 2 -\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. -This requires the manpages to be installed or on \f[I]MANPATH\f[], See -man(1) for more details. +\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools +manpage. +By default, it attempts to invoke the manpager for the tool, however, on +failure will output a short tool summary. +This is the same behavior if the \[lq]man\[rq] option argument is +specified, however if explicit \[lq]man\[rq] is requested, the tool will +provide errors from man on stderr. +If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the +short options will be output to stdout. +.RS 2 +.PP +To successfully use the manpages feature requires the manpages to be +installed or on \f[I]MANPATH\f[], See man(1) for more details. +.RE .IP \[bu] 2 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for this tool, supported tctis and exit. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tpm2-tools-3.1.0/man/man1/tpm2_startauthsession.1 new/tpm2-tools-3.1.1/man/man1/tpm2_startauthsession.1 --- old/tpm2-tools-3.1.0/man/man1/tpm2_startauthsession.1 2018-06-20 16:40:47.000000000 +0200 +++ new/tpm2-tools-3.1.1/man/man1/tpm2_startauthsession.1 2018-07-09 12:48:29.000000000 +0200 
@@ -54,9 +54,20 @@ This collection of options are common to many programs and provide information that many users may expect. .IP \[bu] 2 -\f[B]\-h\f[], \f[B]\[en]help\f[]: Display the tools manpage. -This requires the manpages to be installed or on \f[I]MANPATH\f[], See -man(1) for more details. +\f[B]\-h\f[], \f[B]\[en]help=[man|no\-man]\f[]: Display the tools +manpage. +By default, it attempts to invoke the manpager for the tool, however, on +failure will output a short tool summary. +This is the same behavior if the \[lq]man\[rq] option argument is +specified, however if explicit \[lq]man\[rq] is requested, the tool will +provide errors from man on stderr. +If the \[lq]no\-man\[rq] option if specified, or the manpager fails, the +short options will be output to stdout. +.RS 2 +.PP +To successfully use the manpages feature requires the manpages to be +installed or on \f[I]MANPATH\f[], See man(1) for more details. +.RE .IP \[bu] 2 \f[B]\-v\f[], \f[B]\[en]version\f[]: Display version information for this tool, supported tctis and exit.
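Review bot: the new hmac bullet in the first file's hunk at @@ -264,20 +280,108 @@ is ungrammatical ("Use to indicate, the subsequent string specified be used in calculating the command buffer HMAC"); suggest "Used to indicate that the following string is to be used in calculating the command buffer HMAC, so that clear-text passwords are not presented on the TPM interfaces (see CVE-2017-7524)". In the same hunk, "limitaion" should be "limitation"; the bank-specifier example `sha:3,4+sha256:5,6` uses a bank named `sha` while every later example uses `sha1`, so either state that `sha` is an accepted alias or change the example to `sha1`; and the PCR example writes the option as `\-P"pcr:sha1:0,1,2,3=pcr.dat"` with no space, unlike the `\-P\ "hmac:hmacpass"` example above it (both may parse, but the page should use one form). Since the stated purpose of the hmac prefix is keeping the password off the TPM interface, the text should also point out that `\-P\ "hmac:hmacpass"` still exposes the password in the process argument list, which other local users can read, and name a safer way of supplying it if the tool offers one.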
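Review bot: the two identical "Supported Public Object Algorithms" hunks (@@ -313,15 +417,134 @@ in the first file and @@ -227,15 +243,134 @@ in tpm2_createek.1) misspell the scheme in their examples: `rsa:oeap:aes` and `ecc:oeap:aes` should be `oaep` to match the `[oaep|rsaes]` forms listed just above, and "an AES\-OEAP scheme" should read "an RSA\-OAEP scheme", since OAEP is an RSA scheme, not an AES one. The ECC section looks copy-pasted from the RSA section: it offers `[oaep|rsaes]` schemes and cites RSAES_OAEP, which are RSA schemes; please check which scheme strings the ECC parser actually accepts and document those. Further inconsistencies in the same hunks: `rsa[1024|2048]` in one bullet versus `rsa[1024|2048|4096]` in the next; the AES mode list names `ocb` but neither `ctr` nor `ofb`, so verify it against the modes the parser accepts; the removed bullets documented numeric identifiers (0x1, 0x8, 0x23, 0x25) and the new text does not say whether those are still accepted; and the XOR paragraph's "confidentiality of the objects is desired, but secrecy is not mandatory" is self-contradictory (confidentiality and secrecy name the same property), so restate plainly what the XOR obfuscation does and does not protect. Minor: "Depending on if" should be "Depending on whether" (four occurrences).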
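Review bot: in tpm2_createek.1 at @@ -48,12 +48,17 @@ the short option changes from `\-g` to `\-G`; that is a user-visible CLI change that breaks existing scripts and should be recorded in the changelog and release notes, not only in the man page. The new `Supports:` list restricts `\-G` to `ecc`, `rsa` and `keyedhash` at fixed sizes, yet the same page's "Supported Public Object Algorithms" section (@@ -227,15 +243,134 @@) documents size and scheme variants such as `rsa4096` and `ecc384:null:aes128cbc`; say explicitly whether those forms are accepted for an EK, or drop that section from this page. Minor: "An P256 key" should be "A P256 key", and "keyedhash \- hmac key" should state its default hash the way the other two entries state their sizes.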
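Review bot: the `\-h`/`\[en]help=[man|no\-man]` hunk is duplicated verbatim in tpm2_createek.1, tpm2_flushcontext.1, tpm2_import.1, tpm2_policypcr.1, tpm2_policyrestart.1 and tpm2_startauthsession.1, and every copy carries the same defects: "If the \[lq]no\-man\[rq] option if specified" should be "is specified"; "Display the tools manpage" should be "tool's manpage"; and "This is the same behavior if the \[lq]man\[rq] option argument is specified, however if explicit \[lq]man\[rq] is requested, the tool will provide errors from man on stderr" contradicts itself by first claiming identical behaviour and then describing a difference. State plainly whether an explicit `man` still falls back to the short summary on failure or only reports man(1)'s errors on stderr. Because this paragraph is shared by every tool, keeping it in one source and generating the per-tool copies would avoid fixing the same sentence six times.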
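Review bot: in tpm2_import.1 at @@ -21,10 +21,14 @@ the new `\-G` list fixes the importable key types to `aes` (AES 128) and `rsa` (RSA 2048) but does not say what happens for any other specifier, e.g. whether `aes256` or `rsa4096` is rejected with an error or silently treated as the default; please document the failure mode. The following `\-k` description still reads "symmetric key (128 bit data)" without saying that it applies only to the `aes` case, so state which option supplies the key material for each of the two types.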