1tpm2_import(1) General Commands Manual tpm2_import(1)
2
3
4
6 tpm2_import(1) - Imports an external key into the tpm as a TPM managed
7 key object.
8
10 tpm2_import [OPTIONS]
11
13 tpm2_import(1) - Imports an external generated key as TPM managed key
14 object. It requires that the parent key object be a RSA key. Can also
15 import a TPM managed key object created by the tpm2_duplicate tool.
16
18 These options control the key importation process:
19
20 · -G, --key-algorithm=ALGORITHM:
21 The algorithm used by the key to be imported. Supports:
22
23 · aes - AES 128, 192 or 256 key.
24
25 · rsa - RSA 1024 or 2048 key.
26
27 · ecc - ECC NIST P192, P224, P256, P384 or P521 public and private
28 key.
29
30 · -g, --hash-algorithm=ALGORITHM:
31
32 The hash algorithm for generating the objects name. This is optional
33 and defaults to sha256 when not specified. Algorithms should follow
34 the "formatting standards", see section "Algorithm Specifiers". Al‐
35 so, see section "Supported Hash Algorithms" for a list of supported
36 hash algorithms.
37
38 · -i, --input=FILE:
39
40 Specifies the filename of the key to be imported. For AES keys, this
41 file is the raw key bytes. For assymetric keys in PEM or DER format.
42 A typical file is generated with openssl genrsa.
43
44 · -C, --parent-context=OBJECT:
45
46 The parent key object.
47
48 · -U, --parent-public=FILE:
49
50 Optional. Specifies the parent key public data file input. This can
51 be read with tpm2_readpublic(1) tool. If not specified, the tool in‐
52 vokes a tpm2_readpublic on the parent object.
53
54 · -k, --encryption-key=FILE:
55
56 Optional. Specifies the file containing the symmetric algorithm key
57 that was used for the inner wrapper. If the file is specified the
58 tool assumes the algorithm is AES 128 in CFB mode otherwise none.
59
60 · -r, --private=FILE:
61
62 Specifies the file path required to save the encrypted private por‐
63 tion of the object imported as key.
64
65 When importing a duplicated object this option specifies the file
66 containing the private portion of the object to be imported.
67
68 · -u, --public=FILE:
69
70 Specifies the file path required to save the public portion of the
71 object imported as key
72
73 When importing a duplicated object this option specifies the file
74 containing the public portion of the object to be imported.
75
76 · -a, --attributes=ATTRIBUTES:
77
78 The object attributes, optional.
79
80 · -P, --parent-auth=AUTH:
81
82 The authorization value for using the parent key specified with -C.
83
84 · -p, --key-auth=AUTH:
85
86 The authorization value for the imported key, optional.
87
88 · -L, --policy=POLICY_FILE:
89
90 The policy file.
91
92 · -s, --seed=FILE:
93
94 Specifies the file containing the encrypted seed of the duplicated
95 object.
96
97 · --passin=OSSL_PEM_FILE_PASSWORD
98
99 An optional password for an Open SSL (OSSL) provided input file. It
100 mirrors the -passin option of OSSL and is known to support the pass,
101 file, env, fd and plain password formats of openssl. (see man(1)
102 openssl) for more.
103
104 References
106 The type of a context object, whether it is a handle or file name, is
107 determined according to the following logic in-order:
108
109 · If the argument is a file path, then the file is loaded as a restored
110 TPM transient object.
111
112 · If the argument is a prefix match on one of:
113
114 · owner: the owner hierarchy
115
116 · platform: the platform hierarchy
117
118 · endorsement: the endorsement hierarchy
119
120 · lockout: the lockout control persistent object
121
122 · If the argument argument can be loaded as a number it will be treat
123 as a handle, e.g. 0x81010013 and used directly.OBJECT.
124
126 Authorization for use of an object in TPM2.0 can come in 3 different
127 forms: 1. Password 2. HMAC 3. Sessions
128
129 NOTE: "Authorizations default to the EMPTY PASSWORD when not speci‐
130 fied".
131
132 Passwords
133 Passwords are interpreted in the following forms below using prefix
134 identifiers.
135
136 Note: By default passwords are assumed to be in the string form when
137 they do not have a prefix.
138
139 String
140 A string password, specified by prefix "str:" or it's absence (raw
141 string without prefix) is not interpreted, and is directly used for au‐
142 thorization.
143
144 Examples
145 foobar
146 str:foobar
147
148 Hex-string
149 A hex-string password, specified by prefix "hex:" is converted from a
150 hexidecimal form into a byte array form, thus allowing passwords with
151 non-printable and/or terminal un-friendly characters.
152
153 Example
154 hex:0x1122334455667788
155
156 File
157 A file based password, specified be prefix "file:" should be the path
158 of a file containing the password to be read by the tool or a "-" to
159 use stdin. Storing passwords in files prevents information leakage,
160 passwords passed as options can be read from the process list or common
161 shell history features.
162
163 Examples
164 # to use stdin and be prompted
165 file:-
166
167 # to use a file from a path
168 file:path/to/password/file
169
170 # to echo a password via stdin:
171 echo foobar | tpm2_tool -p file:-
172
173 # to use a bash here-string via stdin:
174
175 tpm2_tool -p file:- <<< foobar
176
177 Sessions
178 When using a policy session to authorize the use of an object, prefix
179 the option argument with the session keyword. Then indicate a path to
180 a session file that was created with tpm2_startauthsession(1). Option‐
181 ally, if the session requires an auth value to be sent with the session
182 handle (eg policy password), then append a + and a string as described
183 in the Passwords section.
184
185 Examples
186 To use a session context file called session.ctx.
187
188 session:session.ctx
189
190 To use a session context file called session.ctx AND send the authvalue
191 mypassword.
192
193 session:session.ctx+mypassword
194
195 To use a session context file called session.ctx AND send the HEX auth‐
196 value 0x11223344.
197
198 session:session.ctx+hex:11223344
199
200 PCR Authorizations
201 You can satisfy a PCR policy using the "pcr:" prefix and the PCR mini‐
202 language. The PCR minilanguage is as follows:
203 <pcr-spec>=<raw-pcr-file>
204
205 The PCR spec is documented in in the section "PCR bank specifiers".
206
207 The raw-pcr-file is an optional the output of the raw PCR contents as
208 returned by tpm2_pcrread(1).
209
210 PCR bank specifiers (common/pcr.md)
211
212 Examples
213 To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
214 er of:
215
216 pcr:sha256:0,1,2,3
217
218 specifying AUTH.
219
221 Options that take algorithms support "nice-names".
222
223 There are two major algorithm specification string classes, simple and
224 complex. Only certain algorithms will be accepted by the TPM, based on
225 usage and conditions.
226
227 Simple specifiers
228 These are strings with no additional specification data. When creating
229 objects, non-specified portions of an object are assumed to defaults.
230 You can find the list of known "Simple Specifiers Below".
231
232 Asymmetric
233 · rsa
234
235 · ecc
236
237 Symmetric
238 · aes
239
240 · camellia
241
242 Hashing Algorithms
243 · sha1
244
245 · sha256
246
247 · sha384
248
249 · sha512
250
251 · sm3_256
252
253 · sha3_256
254
255 · sha3_384
256
257 · sha3_512
258
259 Keyed Hash
260 · hmac
261
262 · xor
263
264 Signing Schemes
265 · rsassa
266
267 · rsapss
268
269 · ecdsa
270
271 · ecdaa
272
273 · ecschnorr
274
275 Asymmetric Encryption Schemes
276 · oaep
277
278 · rsaes
279
280 · ecdh
281
282 Modes
283 · ctr
284
285 · ofb
286
287 · cbc
288
289 · cfb
290
291 · ecb
292
293 Misc
294 · null
295
296 Complex Specifiers
297 Objects, when specified for creation by the TPM, have numerous algo‐
298 rithms to populate in the public data. Things like type, scheme and
299 asymmetric details, key size, etc. Below is the general format for
300 specifying this data: <type>:<scheme>:<symmetric-details>
301
302 Type Specifiers
303 This portion of the complex algorithm specifier is required. The re‐
304 maining scheme and symmetric details will default based on the type
305 specified and the type of the object being created.
306
307 · aes - Default AES: aes128
308
309 · aes128<mode> - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
310 If mode is not specified, defaults to null.
311
312 · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
313
314 · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
315
316 · ecc - Elliptical Curve, defaults to ecc256.
317
318 · ecc192 - 192 bit ECC
319
320 · ecc224 - 224 bit ECC
321
322 · ecc256 - 256 bit ECC
323
324 · ecc384 - 384 bit ECC
325
326 · ecc521 - 521 bit ECC
327
328 · rsa - Default RSA: rsa2048
329
330 · rsa1024 - RSA with 1024 bit keysize.
331
332 · rsa2048 - RSA with 2048 bit keysize.
333
334 · rsa4096 - RSA with 4096 bit keysize.
335
336 Scheme Specifiers
337 Next, is an optional field, it can be skipped.
338
339 Schemes are usually Signing Schemes or Asymmetric Encryption Schemes.
340 Most signing schemes take a hash algorithm directly following the sign‐
341 ing scheme. If the hash algorithm is missing, it defaults to sha256.
342 Some take no arguments, and some take multiple arguments.
343
344 Hash Optional Scheme Specifiers
345 These scheme specifiers are followed by a dash and a valid hash algo‐
346 rithm, For example: oaep-sha256.
347
348 · oaep
349
350 · ecdh
351
352 · rsassa
353
354 · rsapss
355
356 · ecdsa
357
358 · ecschnorr
359
360 Multiple Option Scheme Specifiers
361 This scheme specifier is followed by a count (max size UINT16) then
362 folloed by a dash(-) and a valid hash algorithm. * ecdaa For example,
363 ecdaa4-sha256. If no count is specified, it defaults to 4.
364
365 No Option Scheme Specifiers
366 This scheme specifier takes NO arguments. * rsaes
367
368 Symmetric Details Specifiers
369 This field is optional, and defaults based on the type of object being
370 created and it's attributes. Generally, any valid Symmetric specifier
371 from the Type Specifiers list should work. If not specified, an asym‐
372 metric objects symmetric details defaults to aes128cfb.
373
374 Examples
375 Create an rsa2048 key with an rsaes asymmetric encryption scheme
376 tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
377
378 Create an ecc256 key with an ecdaa signing scheme with a count of 4
379 and sha384 hash
380
381 /tpm2_create -C parent.ctx -G ecc256:ec‐
382 daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
383
385 Object Attributes are used to control various properties of created ob‐
386 jects. When specified as an option, either the raw bitfield mask or
387 "nice-names" may be used. The values can be found in Table 31 Part 2
388 of the TPM2.0 specification, which can be found here:
389
390 <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
391 Rev-2.0-Part-2-Structures-01.38.pdf>
392
393 Nice names are calculated by taking the name field of table 31 and re‐
394 moving the prefix TPMA_OBJECT_ and lowercasing the result. Thus, TP‐
395 MA_OBJECT_FIXEDTPM becomes fixedtpm. Nice names can be joined using
396 the bitwise or "|" symbol.
397
398 For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
399 and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
400
401 fixedtpm|noda|sign specifying the object attributes ATTRIBUTES.
402
404 This collection of options are common to many programs and provide in‐
405 formation that many users may expect.
406
407 · -h, --help=[man|no-man]: Display the tools manpage. By default, it
408 attempts to invoke the manpager for the tool, however, on failure
409 will output a short tool summary. This is the same behavior if the
410 "man" option argument is specified, however if explicit "man" is re‐
411 quested, the tool will provide errors from man on stderr. If the
412 "no-man" option if specified, or the manpager fails, the short op‐
413 tions will be output to stdout.
414
415 To successfully use the manpages feature requires the manpages to be
416 installed or on MANPATH, See man(1) for more details.
417
418 · -v, --version: Display version information for this tool, supported
419 tctis and exit.
420
421 · -V, --verbose: Increase the information that the tool prints to the
422 console during its execution. When using this option the file and
423 line number are printed.
424
425 · -Q, --quiet: Silence normal tool output to stdout.
426
427 · -Z, --enable-errata: Enable the application of errata fixups. Useful
428 if an errata fixup needs to be applied to commands sent to the TPM.
429 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
430 formation many users may expect.
431
433 The TCTI or "Transmission Interface" is the communication mechanism
434 with the TPM. TCTIs can be changed for communication with TPMs across
435 different mediums.
436
437 To control the TCTI, the tools respect:
438
439 1. The command line option -T or --tcti
440
441 2. The environment variable: TPM2TOOLS_TCTI.
442
443 Note: The command line option always overrides the environment vari‐
444 able.
445
446 The current known TCTIs are:
447
448 · tabrmd - The resource manager, called tabrmd
449 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
450 abrmd as a tcti name are synonymous.
451
452 · mssim - Typically used for communicating to the TPM software simula‐
453 tor.
454
455 · device - Used when talking directly to a TPM device file.
456
457 · none - Do not initalize a connection with the TPM. Some tools allow
458 for off-tpm options and thus support not using a TCTI. Tools that do
459 not support it will error when attempted to be used without a TCTI
460 connection. Does not support ANY options and MUST BE presented as
461 the exact text of "none".
462
463 The arguments to either the command line option or the environment
464 variable are in the form:
465
466 <tcti-name>:<tcti-option-config>
467
468 Specifying an empty string for either the <tcti-name> or <tcti-op‐
469 tion-config> results in the default being used for that portion respec‐
470 tively.
471
472 TCTI Defaults
473 When a TCTI is not specified, the default TCTI is searched for using
474 dlopen(3) semantics. The tools will search for tabrmd, device and
475 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
476 what TCTI will be chosen as the default by using the -v option to print
477 the version information. The "default-tcti" key-value pair will indi‐
478 cate which of the aforementioned TCTIs is the default.
479
480 Custom TCTIs
481 Any TCTI that implements the dynamic TCTI interface can be loaded. The
482 tools internally use dlopen(3), and the raw tcti-name value is used for
483 the lookup. Thus, this could be a path to the shared library, or a li‐
484 brary name as understood by dlopen(3) semantics.
485
487 This collection of options are used to configure the various known TCTI
488 modules available:
489
490 · device: For the device TCTI, the TPM character device file for use by
491 the device TCTI can be specified. The default is /dev/tpm0.
492
493 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="de‐
494 vice:/dev/tpm0"
495
496 · mssim: For the mssim TCTI, the domain name or IP address and port
497 number used by the simulator can be specified. The default are
498 127.0.0.1 and 2321.
499
500 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
501 TI="mssim:host=localhost,port=2321"
502
503 · abrmd: For the abrmd TCTI, the configuration string format is a se‐
504 ries of simple key value pairs separated by a ',' character. Each
505 key and value string are separated by a '=' character.
506
507 · TCTI abrmd supports two keys:
508
509 1. 'bus_name' : The name of the tabrmd service on the bus (a
510 string).
511
512 2. 'bus_type' : The type of the dbus instance (a string) limited to
513 'session' and 'system'.
514
515 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
516 ample.FooBar:
517
518 \--tcti=tabrmd:bus_name=com.example.FooBar
519
520 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
521 sion:
522
523 \--tcti:bus_type=session
524
525 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
526 ules.
527
529 To import a key, one needs to have a parent key
530 tpm2_createprimary -Grsa2048:aes128cfb -C o -c parent.ctx
531
532 Create your key and and import it. If you already have a key, just use
533 that and skip creating it.
534
535 Import an AES 128 key
536 dd if=/dev/urandom of=sym.key bs=1 count=16
537
538 tpm2_import -C parent.ctx -i sym.key -u key.pub -r key.priv
539
540 Import an RSA key
541 openssl genrsa -out private.pem 2048
542
543 tpm2_import -C parent.ctx -G rsa -i private.pem -u key.pub -r key.priv
544
545 Import an ECC key
546 openssl ecparam -name prime256v1 -genkey -noout -out private.ecc.pem
547
548 tpm2_import -C parent.ctx -G ecc -i private.ecc.pem -u key.pub -r key.priv
549
550 Import a duplicated key
551 tpm2_import -C parent.ctx -i key.dup -u key.pub -r key.priv -L policy.dat
552
554 · The TPM requires that the name algorithm of the child be smaller than
555 the parent.
556
558 Tools can return any of the following codes:
559
560 · 0 - Success.
561
562 · 1 - General non-specific error.
563
564 · 2 - Options handling error.
565
566 · 3 - Authentication error.
567
568 · 4 - TCTI related error.
569
570 · 5 - Non supported scheme. Applicable to tpm2_testparams.
571
573 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
574
576 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
577
578
579
580tpm2-tools tpm2_import(1)