1tpm2_import(1)              General Commands Manual             tpm2_import(1)
2
3
4

NAME

6       tpm2_import(1)  - Imports an external key into the tpm as a TPM managed
7       key object.
8

SYNOPSIS

10       tpm2_import [OPTIONS]
11

DESCRIPTION

13       tpm2_import(1) - Imports an external generated key as TPM  managed  key
14       object.  It requires that the parent key object be a RSA key.  Can also
15       import a TPM managed key object created by the tpm2_duplicate tool.
16

OPTIONS

18       These options control the key importation process:
19
20       · -G, --key-algorithm=ALGORITHM:
21         The algorithm used by the key to be imported.  Supports:
22
23         · aes - AES 128, 192 or 256 key.
24
25         · rsa - RSA 1024 or 2048 key.
26
27         · ecc - ECC NIST P192, P224, P256, P384 or P521  public  and  private
28           key.
29
30       · -g, --hash-algorithm=ALGORITHM:
31
32         The hash algorithm for generating the objects name.  This is optional
33         and defaults to sha256 when not specified.  Algorithms should  follow
34         the  "formatting standards", see section "Algorithm Specifiers".  Al‐
35         so, see section "Supported Hash Algorithms" for a list  of  supported
36         hash algorithms.
37
38       · -i, --input=FILE:
39
40         Specifies the filename of the key to be imported.  For AES keys, this
41         file is the raw key bytes.  For assymetric keys in PEM or DER format.
42         A typical file is generated with openssl genrsa.
43
44       · -C, --parent-context=OBJECT:
45
46         The parent key object.
47
48       · -U, --parent-public=FILE:
49
50         Optional.  Specifies the parent key public data file input.  This can
51         be read with tpm2_readpublic(1) tool.  If not specified, the tool in‐
52         vokes a tpm2_readpublic on the parent object.
53
54       · -k, --encryption-key=FILE:
55
56         Optional.   Specifies the file containing the symmetric algorithm key
57         that was used for the inner wrapper.  If the file  is  specified  the
58         tool assumes the algorithm is AES 128 in CFB mode otherwise none.
59
60       · -r, --private=FILE:
61
62         Specifies  the  file path required to save the encrypted private por‐
63         tion of the object imported as key.
64
65         When importing a duplicated object this  option  specifies  the  file
66         containing the private portion of the object to be imported.
67
68       · -u, --public=FILE:
69
70         Specifies  the  file  path required to save the public portion of the
71         object imported as key
72
73         When importing a duplicated object this  option  specifies  the  file
74         containing the public portion of the object to be imported.
75
76       · -a, --attributes=ATTRIBUTES:
77
78         The object attributes, optional.
79
80       · -P, --parent-auth=AUTH:
81
82         The authorization value for using the parent key specified with -C.
83
84       · -p, --key-auth=AUTH:
85
86         The authorization value for the imported key, optional.
87
88       · -L, --policy=POLICY_FILE:
89
90         The policy file.
91
92       · -s, --seed=FILE:
93
94         Specifies  the  file  containing the encrypted seed of the duplicated
95         object.
96
97       · --passin=OSSL_PEM_FILE_PASSWORD
98
99         An optional password for an Open SSL (OSSL) provided input file.   It
100         mirrors  the -passin option of OSSL and is known to support the pass,
101         file, env, fd and plain password formats  of  openssl.   (see  man(1)
102         openssl) for more.
103
104   References

Context Object Format

106       The  type  of a context object, whether it is a handle or file name, is
107       determined according to the following logic in-order:
108
109       · If the argument is a file path, then the file is loaded as a restored
110         TPM transient object.
111
112       · If the argument is a prefix match on one of:
113
114         · owner: the owner hierarchy
115
116         · platform: the platform hierarchy
117
118         · endorsement: the endorsement hierarchy
119
120         · lockout: the lockout control persistent object
121
122       · If  the  argument argument can be loaded as a number it will be treat
123         as a handle, e.g.  0x81010013 and used directly.OBJECT.
124

Authorization Formatting

126       Authorization for use of an object in TPM2.0 can come  in  3  different
127       forms: 1.  Password 2.  HMAC 3.  Sessions
128
129       NOTE:  "Authorizations  default  to  the EMPTY PASSWORD when not speci‐
130       fied".
131
132   Passwords
133       Passwords are interpreted in the following  forms  below  using  prefix
134       identifiers.
135
136       Note:  By  default  passwords are assumed to be in the string form when
137       they do not have a prefix.
138
139   String
140       A string password, specified by prefix  "str:"  or  it's  absence  (raw
141       string without prefix) is not interpreted, and is directly used for au‐
142       thorization.
143
144   Examples
145              foobar
146              str:foobar
147
148   Hex-string
149       A hex-string password, specified by prefix "hex:" is converted  from  a
150       hexidecimal  form  into a byte array form, thus allowing passwords with
151       non-printable and/or terminal un-friendly characters.
152
153   Example
154              hex:0x1122334455667788
155
156   File
157       A file based password, specified be prefix "file:" should be  the  path
158       of  a  file  containing the password to be read by the tool or a "-" to
159       use stdin.  Storing passwords in files  prevents  information  leakage,
160       passwords passed as options can be read from the process list or common
161       shell history features.
162
163   Examples
164              # to use stdin and be prompted
165              file:-
166
167              # to use a file from a path
168              file:path/to/password/file
169
170              # to echo a password via stdin:
171              echo foobar | tpm2_tool -p file:-
172
173              # to use a bash here-string via stdin:
174
175              tpm2_tool -p file:- <<< foobar
176
177   Sessions
178       When using a policy session to authorize the use of an  object,  prefix
179       the  option argument with the session keyword.  Then indicate a path to
180       a session file that was created with tpm2_startauthsession(1).  Option‐
181       ally, if the session requires an auth value to be sent with the session
182       handle (eg policy password), then append a + and a string as  described
183       in the Passwords section.
184
185   Examples
186       To use a session context file called session.ctx.
187
188              session:session.ctx
189
190       To use a session context file called session.ctx AND send the authvalue
191       mypassword.
192
193              session:session.ctx+mypassword
194
195       To use a session context file called session.ctx AND send the HEX auth‐
196       value 0x11223344.
197
198              session:session.ctx+hex:11223344
199
200   PCR Authorizations
201       You  can satisfy a PCR policy using the "pcr:" prefix and the PCR mini‐
202       language.      The     PCR     minilanguage     is     as      follows:
203       <pcr-spec>=<raw-pcr-file>
204
205       The PCR spec is documented in in the section "PCR bank specifiers".
206
207       The  raw-pcr-file  is an optional the output of the raw PCR contents as
208       returned by tpm2_pcrread(1).
209
210       PCR bank specifiers (common/pcr.md)
211
212   Examples
213       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
214       er of:
215
216              pcr:sha256:0,1,2,3
217
218       specifying AUTH.
219

Algorithm Specifiers

221       Options that take algorithms support "nice-names".
222
223       There  are two major algorithm specification string classes, simple and
224       complex.  Only certain algorithms will be accepted by the TPM, based on
225       usage and conditions.
226
227   Simple specifiers
228       These are strings with no additional specification data.  When creating
229       objects, non-specified portions of an object are assumed  to  defaults.
230       You can find the list of known "Simple Specifiers Below".
231
232   Asymmetric
233       · rsa
234
235       · ecc
236
237   Symmetric
238       · aes
239
240       · camellia
241
242   Hashing Algorithms
243       · sha1
244
245       · sha256
246
247       · sha384
248
249       · sha512
250
251       · sm3_256
252
253       · sha3_256
254
255       · sha3_384
256
257       · sha3_512
258
259   Keyed Hash
260       · hmac
261
262       · xor
263
264   Signing Schemes
265       · rsassa
266
267       · rsapss
268
269       · ecdsa
270
271       · ecdaa
272
273       · ecschnorr
274
275   Asymmetric Encryption Schemes
276       · oaep
277
278       · rsaes
279
280       · ecdh
281
282   Modes
283       · ctr
284
285       · ofb
286
287       · cbc
288
289       · cfb
290
291       · ecb
292
293   Misc
294       · null
295
296   Complex Specifiers
297       Objects,  when  specified  for creation by the TPM, have numerous algo‐
298       rithms to populate in the public data.  Things like  type,  scheme  and
299       asymmetric  details,  key  size,  etc.  Below is the general format for
300       specifying this data: <type>:<scheme>:<symmetric-details>
301
302   Type Specifiers
303       This portion of the complex algorithm specifier is required.   The  re‐
304       maining  scheme  and  symmetric  details will default based on the type
305       specified and the type of the object being created.
306
307       · aes - Default AES: aes128
308
309       · aes128<mode> - 128 bit AES with optional mode  (ctr|ofb|cbc|cfb|ecb).
310         If mode is not specified, defaults to null.
311
312       · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
313
314       · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
315
316       · ecc - Elliptical Curve, defaults to ecc256.
317
318       · ecc192 - 192 bit ECC
319
320       · ecc224 - 224 bit ECC
321
322       · ecc256 - 256 bit ECC
323
324       · ecc384 - 384 bit ECC
325
326       · ecc521 - 521 bit ECC
327
328       · rsa - Default RSA: rsa2048
329
330       · rsa1024 - RSA with 1024 bit keysize.
331
332       · rsa2048 - RSA with 2048 bit keysize.
333
334       · rsa4096 - RSA with 4096 bit keysize.
335
336   Scheme Specifiers
337       Next, is an optional field, it can be skipped.
338
339       Schemes  are  usually Signing Schemes or Asymmetric Encryption Schemes.
340       Most signing schemes take a hash algorithm directly following the sign‐
341       ing  scheme.   If the hash algorithm is missing, it defaults to sha256.
342       Some take no arguments, and some take multiple arguments.
343
344   Hash Optional Scheme Specifiers
345       These scheme specifiers are followed by a dash and a valid  hash  algo‐
346       rithm, For example: oaep-sha256.
347
348       · oaep
349
350       · ecdh
351
352       · rsassa
353
354       · rsapss
355
356       · ecdsa
357
358       · ecschnorr
359
360   Multiple Option Scheme Specifiers
361       This  scheme  specifier  is  followed by a count (max size UINT16) then
362       folloed by a dash(-) and a valid hash algorithm.  * ecdaa For  example,
363       ecdaa4-sha256.  If no count is specified, it defaults to 4.
364
365   No Option Scheme Specifiers
366       This scheme specifier takes NO arguments.  * rsaes
367
368   Symmetric Details Specifiers
369       This  field is optional, and defaults based on the type of object being
370       created and it's attributes.  Generally, any valid Symmetric  specifier
371       from  the Type Specifiers list should work.  If not specified, an asym‐
372       metric objects symmetric details defaults to aes128cfb.
373
374   Examples
375   Create an rsa2048 key with an rsaes asymmetric encryption scheme
376       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
377
378   Create an ecc256 key with an ecdaa signing scheme with a count of 4
379       and sha384 hash
380
381       /tpm2_create -C parent.ctx -G ecc256:ec‐
382       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
383

Object Attributes

385       Object Attributes are used to control various properties of created ob‐
386       jects.  When specified as an option, either the raw  bitfield  mask  or
387       "nice-names"  may  be used.  The values can be found in Table 31 Part 2
388       of the TPM2.0 specification, which can be found here:
389
390       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
391       Rev-2.0-Part-2-Structures-01.38.pdf>
392
393       Nice  names are calculated by taking the name field of table 31 and re‐
394       moving the prefix TPMA_OBJECT_ and lowercasing the result.   Thus,  TP‐
395       MA_OBJECT_FIXEDTPM  becomes  fixedtpm.   Nice names can be joined using
396       the bitwise or "|" symbol.
397
398       For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
399       and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
400
401       fixedtpm|noda|sign specifying the object attributes ATTRIBUTES.
402

COMMON OPTIONS

404       This  collection of options are common to many programs and provide in‐
405       formation that many users may expect.
406
407       · -h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
408         attempts  to  invoke  the  manpager for the tool, however, on failure
409         will output a short tool summary.  This is the same behavior  if  the
410         "man"  option argument is specified, however if explicit "man" is re‐
411         quested, the tool will provide errors from man  on  stderr.   If  the
412         "no-man"  option  if  specified, or the manpager fails, the short op‐
413         tions will be output to stdout.
414
415         To successfully use the manpages feature requires the manpages to  be
416         installed or on MANPATH, See man(1) for more details.
417
418       · -v,  --version:  Display version information for this tool, supported
419         tctis and exit.
420
421       · -V, --verbose: Increase the information that the tool prints  to  the
422         console  during  its  execution.  When using this option the file and
423         line number are printed.
424
425       · -Q, --quiet: Silence normal tool output to stdout.
426
427       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
428         if  an  errata fixup needs to be applied to commands sent to the TPM.
429         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
430         formation many users may expect.
431

TCTI Configuration

433       The  TCTI  or  "Transmission  Interface" is the communication mechanism
434       with the TPM.  TCTIs can be changed for communication with TPMs  across
435       different mediums.
436
437       To control the TCTI, the tools respect:
438
439       1. The command line option -T or --tcti
440
441       2. The environment variable: TPM2TOOLS_TCTI.
442
443       Note:  The  command  line option always overrides the environment vari‐
444       able.
445
446       The current known TCTIs are:
447
448       · tabrmd     -     The     resource     manager,     called      tabrmd
449         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
450         abrmd as a tcti name are synonymous.
451
452       · mssim - Typically used for communicating to the TPM software  simula‐
453         tor.
454
455       · device - Used when talking directly to a TPM device file.
456
457       · none  - Do not initalize a connection with the TPM.  Some tools allow
458         for off-tpm options and thus support not using a TCTI.  Tools that do
459         not  support  it  will error when attempted to be used without a TCTI
460         connection.  Does not support ANY options and MUST  BE  presented  as
461         the exact text of "none".
462
463       The  arguments  to  either  the  command line option or the environment
464       variable are in the form:
465
466       <tcti-name>:<tcti-option-config>
467
468       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
469       tion-config> results in the default being used for that portion respec‐
470       tively.
471
472   TCTI Defaults
473       When a TCTI is not specified, the default TCTI is  searched  for  using
474       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
475       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
476       what TCTI will be chosen as the default by using the -v option to print
477       the version information.  The "default-tcti" key-value pair will  indi‐
478       cate which of the aforementioned TCTIs is the default.
479
480   Custom TCTIs
481       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
482       tools internally use dlopen(3), and the raw tcti-name value is used for
483       the lookup.  Thus, this could be a path to the shared library, or a li‐
484       brary name as understood by dlopen(3) semantics.
485

TCTI OPTIONS

487       This collection of options are used to configure the various known TCTI
488       modules available:
489
490       · device: For the device TCTI, the TPM character device file for use by
491         the device TCTI can be specified.  The default is /dev/tpm0.
492
493         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI="de‐
494         vice:/dev/tpm0"
495
496       · mssim:  For  the  mssim  TCTI, the domain name or IP address and port
497         number used by the simulator  can  be  specified.   The  default  are
498         127.0.0.1 and 2321.
499
500         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
501         TI="mssim:host=localhost,port=2321"
502
503       · abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
504         ries  of  simple  key value pairs separated by a ',' character.  Each
505         key and value string are separated by a '=' character.
506
507         · TCTI abrmd supports two keys:
508
509           1. 'bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
510              string).
511
512           2. 'bus_type' : The type of the dbus instance (a string) limited to
513              'session' and 'system'.
514
515         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
516         ample.FooBar:
517
518         \--tcti=tabrmd:bus_name=com.example.FooBar
519
520         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
521         sion:
522
523         \--tcti:bus_type=session
524
525         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
526         ules.
527

EXAMPLES

529   To import a key, one needs to have a parent key
530              tpm2_createprimary -Grsa2048:aes128cfb -C o -c parent.ctx
531
532       Create your key and and import it.  If you already have a key, just use
533       that and skip creating it.
534
535   Import an AES 128 key
536              dd if=/dev/urandom of=sym.key bs=1 count=16
537
538              tpm2_import -C parent.ctx -i sym.key -u key.pub -r key.priv
539
540   Import an RSA key
541              openssl genrsa -out private.pem 2048
542
543              tpm2_import -C parent.ctx -G rsa -i private.pem -u key.pub -r key.priv
544
545   Import an ECC key
546              openssl ecparam -name prime256v1 -genkey -noout -out private.ecc.pem
547
548              tpm2_import -C parent.ctx -G ecc -i private.ecc.pem -u key.pub -r key.priv
549
550   Import a duplicated key
551              tpm2_import -C parent.ctx -i key.dup -u key.pub -r key.priv -L policy.dat
552

LIMITATIONS

554       · The TPM requires that the name algorithm of the child be smaller than
555         the parent.
556

Returns

558       Tools can return any of the following codes:
559
560       · 0 - Success.
561
562       · 1 - General non-specific error.
563
564       · 2 - Options handling error.
565
566       · 3 - Authentication error.
567
568       · 4 - TCTI related error.
569
570       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
571

BUGS

573       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
574

HELP

576       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
577
578
579
580tpm2-tools                                                      tpm2_import(1)
Impressum