1tpm2_loadexternal(1)        General Commands Manual       tpm2_loadexternal(1)
2
3
4

NAME

6       tpm2_loadexternal(1) - Load an external object into the TPM.
7

SYNOPSIS

9       tpm2_loadexternal [OPTIONS]
10

DESCRIPTION

12       tpm2_loadexternal(1)  -  This command loads an external object into the
13       TPM, forgoing TPM protections.  Ie, the key material is  not  protected
14       by  the  parent  object's seed.  The command allows loading of just the
15       public portion of an object or both the public and private portions  of
16       an object.
17
18       The  tool  outputs  the  name of the loaded object in a YAML dictionary
19       format with the key name where the value for that key is  the  name  of
20       the object in hex format, for example:
21
22              name: 000bac25cb8743111c8e1f52f2ee7279d05d3902a18dd1af694db5d1afa7adf1c8b3
23
24       It also saves a context file for future interactions with the object.
25

OPTIONS

27       · -C, --hierarchy=OBJECT:
28         Hierarchy  to  use  for  the  ticket, optional.  Defaults to n, null.
29         Supported options are:
30
31         · o for the owner hierarchy.
32
33         · p for the platform hierarchy.
34
35         · e for the endorsement hierarchy.
36
37         · n for the null hierarchy.
38
39       · -G, --key-algorithm=ALGORITHM:
40         The algorithm used by the key to be imported.  Supports:
41
42         · aes - AES 128,192 or 256 key.
43
44         · rsa - RSA 1024 or 2048 key.
45
46         · ecc - ECC NIST P192, P224, P256, P384 or P521  public  and  private
47           key.
48
49       · -u, --public=FILE:
50         The  public  portion  of the object, this can be one of the following
51         file formats:
52
53         · TSS - The TSS/TPM format.  For example from option  -u  of  command
54           tpm2_create(1).
55
56         · RSA  -  OSSL  PEM formats.  For example public.pem from the command
57           openssl rsa -in private.pem -out public.pem -pubout
58
59         · ECC - OSSL PEM formats.  For example public.pem  from  the  command
60           openssl ec -in private.ecc.pem -out public.ecc.pem -pubout
61
62       · -r, --private=FILE:
63         The  sensitive portion of the object, optional.  If one wishes to use
64         the private portion of a key, this must be  specified.   Like  option
65         -u, this command takes files in the following format:
66
67         · RSA  -  OSSL PEM formats.  For example private.pem from the command
68           openssl genrsa -out private.pem 2048 Since an RSA public key can be
69           derived  from  the private PEM file, their is no need to specify -u
70           for the public portion.
71
72         Note: The private portion does not respect TSS formats as it's impos‐
73         sible to get a TPM2B_SENSITIVE output from a previous command.
74
75       · -p, --auth=AUTH:
76
77         The authorization value for the key, optional.
78
79       · -L, --policy=POLICY_FILE:
80
81         The  input  policy  file,  optional.  A file containing the hash of a
82         policy derived from tpm2_createpolicy.
83
84       · -g, --hash-algorithm=ALGORITHM:
85
86         The hash algorithm for generating the objects name.  This is optional
87         and  defaults  to  sha256 when not specified.  However, load external
88         supports having a null name algorithm.  In this case, no cryptograph‐
89         ic  binding  checks  between the public and private portions are per‐
90         formed.
91
92       · -a, --attributes=ATTRIBUTES:
93
94         The object attributes, optional.  The default for created objects is:
95         TPMA_OBJECT_SIGN_ENCRYPT|TPMA_OBJECT_DECRYPT.   Optionally,  if -p is
96         specified or no -p or -L is specified  then  TPMA_OBJECT_USERWITHAUTH
97         is added to the default attribute set.
98
99         Note:  If  specifying  attributes,  the  TPM  will reject certain at‐
100         tributes like TPMA_OBJECT_FIXEDTPM, as  those  guarantees  cannot  be
101         made.
102
103       · -c, --key-context=FILE
104
105         The file name to save the object context, required.
106
107       · -n, --name=FILE:
108
109         An  optional  file to save the object name, which is in a binary hash
110         format.  The size of the hash is based on name algorithm  or  the  -g
111         option.
112
113       · --passin=OSSL_PEM_FILE_PASSWORD
114
115         An  optional password for an Open SSL (OSSL) provided input file.  It
116         mirrors the -passin option of OSSL and is known to support the  pass,
117         file,  env,  fd  and  plain password formats of openssl.  (see man(1)
118         openssl) for more.
119
120   References

Context Object Format

122       The type of a context object, whether it is a handle or file  name,  is
123       determined according to the following logic in-order:
124
125       · If the argument is a file path, then the file is loaded as a restored
126         TPM transient object.
127
128       · If the argument is a prefix match on one of:
129
130         · owner: the owner hierarchy
131
132         · platform: the platform hierarchy
133
134         · endorsement: the endorsement hierarchy
135
136         · lockout: the lockout control persistent object
137
138       · If the argument argument can be loaded as a number it will  be  treat
139         as a handle, e.g.  0x81010013 and used directly.OBJECT.
140

Authorization Formatting

142       Authorization  for  use  of an object in TPM2.0 can come in 3 different
143       forms: 1.  Password 2.  HMAC 3.  Sessions
144
145       NOTE: "Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
146       fied".
147
148   Passwords
149       Passwords  are  interpreted  in  the following forms below using prefix
150       identifiers.
151
152       Note: By default passwords are assumed to be in the  string  form  when
153       they do not have a prefix.
154
155   String
156       A  string  password,  specified  by  prefix "str:" or it's absence (raw
157       string without prefix) is not interpreted, and is directly used for au‐
158       thorization.
159
160   Examples
161              foobar
162              str:foobar
163
164   Hex-string
165       A  hex-string  password, specified by prefix "hex:" is converted from a
166       hexidecimal form into a byte array form, thus allowing  passwords  with
167       non-printable and/or terminal un-friendly characters.
168
169   Example
170              hex:0x1122334455667788
171
172   File
173       A  file  based password, specified be prefix "file:" should be the path
174       of a file containing the password to be read by the tool or  a  "-"  to
175       use  stdin.   Storing  passwords in files prevents information leakage,
176       passwords passed as options can be read from the process list or common
177       shell history features.
178
179   Examples
180              # to use stdin and be prompted
181              file:-
182
183              # to use a file from a path
184              file:path/to/password/file
185
186              # to echo a password via stdin:
187              echo foobar | tpm2_tool -p file:-
188
189              # to use a bash here-string via stdin:
190
191              tpm2_tool -p file:- <<< foobar
192
193   Sessions
194       When  using  a policy session to authorize the use of an object, prefix
195       the option argument with the session keyword.  Then indicate a path  to
196       a session file that was created with tpm2_startauthsession(1).  Option‐
197       ally, if the session requires an auth value to be sent with the session
198       handle  (eg policy password), then append a + and a string as described
199       in the Passwords section.
200
201   Examples
202       To use a session context file called session.ctx.
203
204              session:session.ctx
205
206       To use a session context file called session.ctx AND send the authvalue
207       mypassword.
208
209              session:session.ctx+mypassword
210
211       To use a session context file called session.ctx AND send the HEX auth‐
212       value 0x11223344.
213
214              session:session.ctx+hex:11223344
215
216   PCR Authorizations
217       You can satisfy a PCR policy using the "pcr:" prefix and the PCR  mini‐
218       language.       The     PCR     minilanguage     is     as     follows:
219       <pcr-spec>=<raw-pcr-file>
220
221       The PCR spec is documented in in the section "PCR bank specifiers".
222
223       The raw-pcr-file is an optional the output of the raw PCR  contents  as
224       returned by tpm2_pcrread(1).
225
226       PCR bank specifiers (common/pcr.md)
227
228   Examples
229       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
230       er of:
231
232              pcr:sha256:0,1,2,3
233
234       specifying AUTH.
235

Algorithm Specifiers

237       Options that take algorithms support "nice-names".
238
239       There are two major algorithm specification string classes, simple  and
240       complex.  Only certain algorithms will be accepted by the TPM, based on
241       usage and conditions.
242
243   Simple specifiers
244       These are strings with no additional specification data.  When creating
245       objects,  non-specified  portions of an object are assumed to defaults.
246       You can find the list of known "Simple Specifiers Below".
247
248   Asymmetric
249       · rsa
250
251       · ecc
252
253   Symmetric
254       · aes
255
256       · camellia
257
258   Hashing Algorithms
259       · sha1
260
261       · sha256
262
263       · sha384
264
265       · sha512
266
267       · sm3_256
268
269       · sha3_256
270
271       · sha3_384
272
273       · sha3_512
274
275   Keyed Hash
276       · hmac
277
278       · xor
279
280   Signing Schemes
281       · rsassa
282
283       · rsapss
284
285       · ecdsa
286
287       · ecdaa
288
289       · ecschnorr
290
291   Asymmetric Encryption Schemes
292       · oaep
293
294       · rsaes
295
296       · ecdh
297
298   Modes
299       · ctr
300
301       · ofb
302
303       · cbc
304
305       · cfb
306
307       · ecb
308
309   Misc
310       · null
311
312   Complex Specifiers
313       Objects, when specified for creation by the TPM,  have  numerous  algo‐
314       rithms  to  populate  in the public data.  Things like type, scheme and
315       asymmetric details, key size, etc.  Below is  the  general  format  for
316       specifying this data: <type>:<scheme>:<symmetric-details>
317
318   Type Specifiers
319       This  portion  of the complex algorithm specifier is required.  The re‐
320       maining scheme and symmetric details will default  based  on  the  type
321       specified and the type of the object being created.
322
323       · aes - Default AES: aes128
324
325       · aes128<mode>  - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
326         If mode is not specified, defaults to null.
327
328       · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
329
330       · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
331
332       · ecc - Elliptical Curve, defaults to ecc256.
333
334       · ecc192 - 192 bit ECC
335
336       · ecc224 - 224 bit ECC
337
338       · ecc256 - 256 bit ECC
339
340       · ecc384 - 384 bit ECC
341
342       · ecc521 - 521 bit ECC
343
344       · rsa - Default RSA: rsa2048
345
346       · rsa1024 - RSA with 1024 bit keysize.
347
348       · rsa2048 - RSA with 2048 bit keysize.
349
350       · rsa4096 - RSA with 4096 bit keysize.
351
352   Scheme Specifiers
353       Next, is an optional field, it can be skipped.
354
355       Schemes are usually Signing Schemes or Asymmetric  Encryption  Schemes.
356       Most signing schemes take a hash algorithm directly following the sign‐
357       ing scheme.  If the hash algorithm is missing, it defaults  to  sha256.
358       Some take no arguments, and some take multiple arguments.
359
360   Hash Optional Scheme Specifiers
361       These  scheme  specifiers are followed by a dash and a valid hash algo‐
362       rithm, For example: oaep-sha256.
363
364       · oaep
365
366       · ecdh
367
368       · rsassa
369
370       · rsapss
371
372       · ecdsa
373
374       · ecschnorr
375
376   Multiple Option Scheme Specifiers
377       This scheme specifier is followed by a count  (max  size  UINT16)  then
378       folloed  by a dash(-) and a valid hash algorithm.  * ecdaa For example,
379       ecdaa4-sha256.  If no count is specified, it defaults to 4.
380
381   No Option Scheme Specifiers
382       This scheme specifier takes NO arguments.  * rsaes
383
384   Symmetric Details Specifiers
385       This field is optional, and defaults based on the type of object  being
386       created  and it's attributes.  Generally, any valid Symmetric specifier
387       from the Type Specifiers list should work.  If not specified, an  asym‐
388       metric objects symmetric details defaults to aes128cfb.
389
390   Examples
391   Create an rsa2048 key with an rsaes asymmetric encryption scheme
392       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
393
394   Create an ecc256 key with an ecdaa signing scheme with a count of 4
395       and sha384 hash
396
397       /tpm2_create -C parent.ctx -G ecc256:ec‐
398       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
399

Object Attributes

401       Object Attributes are used to control various properties of created ob‐
402       jects.   When  specified  as an option, either the raw bitfield mask or
403       "nice-names" may be used.  The values can be found in Table 31  Part  2
404       of the TPM2.0 specification, which can be found here:
405
406       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
407       Rev-2.0-Part-2-Structures-01.38.pdf>
408
409       Nice names are calculated by taking the name field of table 31 and  re‐
410       moving  the  prefix TPMA_OBJECT_ and lowercasing the result.  Thus, TP‐
411       MA_OBJECT_FIXEDTPM becomes fixedtpm.  Nice names can  be  joined  using
412       the bitwise or "|" symbol.
413
414       For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
415       and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
416
417       fixedtpm|noda|sign specifying the object attributes ATTRIBUTES.
418

COMMON OPTIONS

420       This collection of options are common to many programs and provide  in‐
421       formation that many users may expect.
422
423       · -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
424         attempts to invoke the manpager for the  tool,  however,  on  failure
425         will  output  a short tool summary.  This is the same behavior if the
426         "man" option argument is specified, however if explicit "man" is  re‐
427         quested,  the  tool  will  provide errors from man on stderr.  If the
428         "no-man" option if specified, or the manpager fails,  the  short  op‐
429         tions will be output to stdout.
430
431         To  successfully use the manpages feature requires the manpages to be
432         installed or on MANPATH, See man(1) for more details.
433
434       · -v, --version: Display version information for this  tool,  supported
435         tctis and exit.
436
437       · -V,  --verbose:  Increase the information that the tool prints to the
438         console during its execution.  When using this option  the  file  and
439         line number are printed.
440
441       · -Q, --quiet: Silence normal tool output to stdout.
442
443       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
444         if an errata fixup needs to be applied to commands sent to  the  TPM.
445         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
446         formation many users may expect.
447

TCTI Configuration

449       The TCTI or "Transmission Interface"  is  the  communication  mechanism
450       with  the TPM.  TCTIs can be changed for communication with TPMs across
451       different mediums.
452
453       To control the TCTI, the tools respect:
454
455       1. The command line option -T or --tcti
456
457       2. The environment variable: TPM2TOOLS_TCTI.
458
459       Note: The command line option always overrides  the  environment  vari‐
460       able.
461
462       The current known TCTIs are:
463
464       · tabrmd      -     The     resource     manager,     called     tabrmd
465         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
466         abrmd as a tcti name are synonymous.
467
468       · mssim  - Typically used for communicating to the TPM software simula‐
469         tor.
470
471       · device - Used when talking directly to a TPM device file.
472
473       · none - Do not initalize a connection with the TPM.  Some tools  allow
474         for off-tpm options and thus support not using a TCTI.  Tools that do
475         not support it will error when attempted to be used  without  a  TCTI
476         connection.   Does  not  support ANY options and MUST BE presented as
477         the exact text of "none".
478
479       The arguments to either the command  line  option  or  the  environment
480       variable are in the form:
481
482       <tcti-name>:<tcti-option-config>
483
484       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
485       tion-config> results in the default being used for that portion respec‐
486       tively.
487
488   TCTI Defaults
489       When  a  TCTI  is not specified, the default TCTI is searched for using
490       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
491       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
492       what TCTI will be chosen as the default by using the -v option to print
493       the  version information.  The "default-tcti" key-value pair will indi‐
494       cate which of the aforementioned TCTIs is the default.
495
496   Custom TCTIs
497       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
498       tools internally use dlopen(3), and the raw tcti-name value is used for
499       the lookup.  Thus, this could be a path to the shared library, or a li‐
500       brary name as understood by dlopen(3) semantics.
501

TCTI OPTIONS

503       This collection of options are used to configure the various known TCTI
504       modules available:
505
506       · device: For the device TCTI, the TPM character device file for use by
507         the device TCTI can be specified.  The default is /dev/tpm0.
508
509         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI="de‐
510         vice:/dev/tpm0"
511
512       · mssim: For the mssim TCTI, the domain name or  IP  address  and  port
513         number  used  by  the  simulator  can  be specified.  The default are
514         127.0.0.1 and 2321.
515
516         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
517         TI="mssim:host=localhost,port=2321"
518
519       · abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
520         ries of simple key value pairs separated by a  ','  character.   Each
521         key and value string are separated by a '=' character.
522
523         · TCTI abrmd supports two keys:
524
525           1. 'bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
526              string).
527
528           2. 'bus_type' : The type of the dbus instance (a string) limited to
529              'session' and 'system'.
530
531         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
532         ample.FooBar:
533
534         \--tcti=tabrmd:bus_name=com.example.FooBar
535
536         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
537         sion:
538
539         \--tcti:bus_type=session
540
541         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
542         ules.
543

NOTES

545       · If the hierarchy is null or the name hashing algorithm is null, tick‐
546         ets produced using the object will be NULL.
547
548       · If  the private portion of an object is specified, the hierarchy must
549         be null or the TPM will reject loading it.
550

EXAMPLES

552   Load a TPM generated public key into the owner hierarchy
553              tpm2_createprimary -c primary.ctx
554
555              tpm2_create -C primary.ctx -u pub.dat -r priv.dat
556
557              tpm2_loadexternal -C o -u pub.dat -c pub.ctx
558              name: 000b9be4d7c6193a57e1bfc86a42a6b03856a91d2f9e77c6cbdb796a783d52d4b3b9
559
560   Load an RSA public key into the owner hierarchy
561              openssl genrsa -out private.pem 2048
562
563              openssl rsa -in private.pem -out public.pem -outform PEM -pubout
564
565              tpm2_loadexternal -C o -Grsa -u public.pem -c key.ctx
566              name: 000b7b91d304d16995d42792b57d0fb25df7abe5fdd8afe9950730e00dc5b934ddbc
567
568   Load an RSA key-pair into the null hierarchy
569              openssl genrsa -out private.pem 2048
570
571              tpm2_loadexternal -C n -Grsa -r private.pem -c key.ctx
572              name: 000b635ea220b6c62ec1d02343859dd203c8ac5dad82ebc5b124e407d2502f88691f
573
574   Load an AES key into the null hierarchy
575              dd if=/dev/urandom of=sym.key bs=1 count=16
576
577              tpm2_loadexternal -C n -Gaes -r sym.key -c key.ctx
578              name: 000bfc4d8dd7e4f921bcc9dca4b04f49564243cd9def129a3740002bfd4b9e966d34
579

Returns

581       Tools can return any of the following codes:
582
583       · 0 - Success.
584
585       · 1 - General non-specific error.
586
587       · 2 - Options handling error.
588
589       · 3 - Authentication error.
590
591       · 4 - TCTI related error.
592
593       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
594

BUGS

596       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
597

HELP

599       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
600
601
602
603tpm2-tools                                                tpm2_loadexternal(1)
Impressum