diff --git a/Cargo.lock b/Cargo.lock
index c8750c8..80755be 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -508,7 +508,7 @@ dependencies = [
 [[package]]
 name = "card-cli"
-version = "1.13.3"
+version = "1.13.4"
 dependencies = [
  "aes-gcm-stream",
  "authenticator 0.3.1",
@@ -3772,13 +3772,15 @@ checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
 [[package]]
 name = "swift-secure-enclave-tool-rs"
-version = "0.1.1"
+version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1de60ab30b0f344a083df555373a2f419a0682f1a5d76c9f845abe696230caba"
+checksum = "781e2858f6440fba7a8979be69cad4dfbfd6488052f782f84d66141ec3af56a8"
 dependencies = [
  "base64 0.22.1",
  "hex",
  "rust_util",
+ "serde",
+ "serde_json",
 ]
 [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index d18ba69..059946b 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "card-cli"
-version = "1.13.3"
+version = "1.13.4"
 authors = ["Hatter Jiang "]
 edition = "2018"
@@ -55,7 +55,7 @@ der-parser = "9.0"
 sshcerts = "0.13"
 regex = "1.4.6"
 aes-gcm-stream = "0.2"
-swift-secure-enclave-tool-rs = "0.1"
+swift-secure-enclave-tool-rs = "1.0"
 u2f-hatter-fork = "0.2"
 security-framework = { version = "3.0", features = ["OSX_10_15"] }
 rsa = "0.9.8"
diff --git a/src/cmd_se_generate.rs b/src/cmd_se_generate.rs
index 96f34f1..ada2391 100644
--- a/src/cmd_se_generate.rs
+++ b/src/cmd_se_generate.rs
@@ -1,12 +1,13 @@
+use crate::cmd_hmac_encrypt;
 use crate::pkiutil::bytes_to_pem;
-use crate::{cmdutil, seutil, util};
 use crate::util::base64_encode;
+use crate::{cmdutil, seutil, util};
 use clap::{App, Arg, ArgMatches, SubCommand};
 use p256::PublicKey;
 use rust_util::util_clap::{Command, CommandError};
 use spki::DecodePublicKey;
 use std::collections::BTreeMap;
-use crate::cmd_hmac_encrypt;
+use swift_secure_enclave_tool_rs::ControlFlag;
 pub struct CommandImpl;
@@ -33,9 +34,11 @@ impl Command for CommandImpl {
 .help("Host name"),
 )
 .arg(
-Arg::with_name("disable-bio")
-.long("disable-bio")
-.help("Disable bio"),
+Arg::with_name("control-flag")
+.long("control-flag")
+.required(true)
+.takes_value(true)
+.help("Control flag, e.g. none, user-presence, device-passcode, biometry-any, biometry-current-set"),
 )
 .arg(cmdutil::build_with_hmac_encrypt_arg())
 .arg(cmdutil::build_with_pbe_encrypt_arg())
@@ -56,10 +59,18 @@ impl Command for CommandImpl {
 "key_agreement" | "ecdh" | "dh" => false,
 _ => return simple_error!("Invalid type: {}", ty),
 };
-let require_bio = !sub_arg_matches.is_present("disable-bio");
+let control_flag = sub_arg_matches.value_of("control-flag").unwrap();
+let control_flag = match control_flag {
+"none" => ControlFlag::None,
+"user-presence" | "up" => ControlFlag::UserPresence,
+"device-passcode" | "passcode" | "pass" => ControlFlag::DevicePasscode,
+"biometry-any" | "bio-any" => ControlFlag::BiometryAny,
+"biometry-current-set" | "bio-current" => ControlFlag::BiometryCurrentSet,
+_ => return simple_error!("Invalid control flag: {}", control_flag),
+};
 let (public_key_point, public_key_der, private_key) =
-seutil::generate_secure_enclave_p256_keypair(sign, require_bio)?;
+seutil::generate_secure_enclave_p256_keypair(sign, control_flag)?;
 let private_key = cmd_hmac_encrypt::do_encrypt(&private_key, &mut None, sub_arg_matches)?;
 let key_uri = format!(
diff --git a/src/seutil.rs b/src/seutil.rs
index 418164d..945bd03 100644
--- a/src/seutil.rs
+++ b/src/seutil.rs
@@ -1,7 +1,8 @@
+use crate::util::{base64_decode, base64_encode};
 use rust_util::XResult;
 use se_tool::KeyPurpose;
 use swift_secure_enclave_tool_rs as se_tool;
-use crate::util::{base64_decode, base64_encode};
+use swift_secure_enclave_tool_rs::ControlFlag;
 pub fn is_support_se() -> bool {
 se_tool::is_secure_enclave_supported().unwrap_or_else(|e| {
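Review bot: The help text on the new `control-flag` argument (hunk @@ -33,9 +34,11 @@) does not say what `none` does, yet the match in the following hunk (@@ -56,10 +59,18 @@) maps it to `ControlFlag::None`, which presumably yields a Secure Enclave key that can be used without any user authentication — the removed code defaulted to `require_bio = true` unless `--disable-bio` was passed, so an operator migrating scripts should see this in `--help` rather than discover it from the enum name. The help also omits the short aliases the match accepts (`up`, `passcode`, `pass`, `bio-any`, `bio-current`), so users cannot discover them and the two hunks can silently drift apart as values are added. Consider `.possible_values(&["none", "user-presence", "up", "device-passcode", "passcode", "pass", "biometry-any", "bio-any", "biometry-current-set", "bio-current"])` on the Arg so clap validates the value and prints the accepted set, leaving the `_` arm as a defensive fallback, and extend the help along the lines of `.help("Access control applied to the generated key: none (no user authentication required), user-presence, device-passcode, biometry-any, biometry-current-set")`, confirming the wording of `none` against the se_tool documentation. The `impl Command for CommandImpl` block both hunks sit in starts and ends outside them.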
@@ -20,12 +21,12 @@ pub fn check_se_supported() -> XResult<()> {
 pub fn generate_secure_enclave_p256_keypair(
 sign: bool,
-require_bio: bool,
+control_flag: ControlFlag,
 ) -> XResult<(Vec, Vec, String)> {
 let key_material = if sign {
-se_tool::generate_keypair(KeyPurpose::Signing, require_bio)?
+se_tool::generate_keypair(KeyPurpose::Signing, control_flag)?
 } else {
-se_tool::generate_keypair(KeyPurpose::KeyAgreement, require_bio)?
+se_tool::generate_keypair(KeyPurpose::KeyAgreement, control_flag)?
 };
 Ok((
 key_material.public_key_point,
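Review bot: `generate_secure_enclave_p256_keypair` is a `pub fn` whose second parameter changed from a `bool` to the dependency's `ControlFlag`, but it still has no doc comment telling callers what that parameter selects or that it is forwarded verbatim to the underlying crate. Add a `///` comment above the signature, e.g. `/// Generates a P-256 key pair in the Secure Enclave, for signing when `sign` is true and for key agreement otherwise; `control_flag` is passed through unchanged to `se_tool::generate_keypair`.` As a style point, the preceding import hunk brings in `ControlFlag` via the full crate path while `KeyPurpose` comes through the `se_tool` alias; `use se_tool::ControlFlag;` would keep the two consistent. The function's body continues past the end of this hunk.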