tpm2_duplicate(1)

1tpm2_duplicate(1)           General Commands Manual          tpm2_duplicate(1)
2
3
4

6       tpm2_duplicate(1)  -  Duplicates a loaded object so that it may be used
7       in a different hierarchy.
8

10       tpm2_duplicate [OPTIONS]
11

13       tpm2_duplicate(1) - This tool duplicates a loaded object so that it may
14       be used in a different hierarchy.  The new parent key for the duplicate
15       may be on the same or different TPM or TPM_RH_NULL.
16

18       These options control the key importation process:
19
20       · -G, --wrapper-algorithm=ALGORITHM:
21         The symmetric algorithm to be used for the inner wrapper.  Supports:
22
23         · aes - AES 128 in CFB mode.
24
25         · null - none
26
27       · -i, --encryptionkey-in=FILE:
28
29         Specifies the filename of the symmetric key (128 bit data) to be used
30         for the inner wrapper.  Valid only when specified symmetric algorithm
31         is not null
32
33       · -o, --encryptionkey-out=FILE:
34
35         Specifies the filename to store the symmetric key (128 bit data) that
36         was  used for the inner wrapper.  Valid only when specified symmetric
37         algorithm is not null and --input-key-file is not specified.  The TPM
38         generates the key in this case.
39
40       · -C, --parent-context=OBJECT:
41
42         The parent key object.
43
44       · -r, --private=FILE:
45
46         Specifies the file path to save the private portion of the duplicated
47         object.
48
49       · -s, --encrypted-seed=FILE:
50
51         The file to save the encrypted seed of the duplicated object.
52
53       · -p, --auth=AUTH:
54
55         The authorization value for the key, optional.
56
57       · -c, --key-context=OBJECT:
58
59         The object to be duplicated.
60
61   References

63       The type of a context object, whether it is a handle or file  name,  is
64       determined according to the following logic in-order:
65
66       · If the argument is a file path, then the file is loaded as a restored
67         TPM transient object.
68
69       · If the argument is a prefix match on one of:
70
71         · owner: the owner hierarchy
72
73         · platform: the platform hierarchy
74
75         · endorsement: the endorsement hierarchy
76
77         · lockout: the lockout control persistent object
78
79       · If the argument argument can be loaded as a number it will  be  treat
80         as a handle, e.g.  0x81010013 and used directly.OBJECT.
81

83       Authorization  for  use  of an object in TPM2.0 can come in 3 different
84       forms: 1.  Password 2.  HMAC 3.  Sessions
85
86       NOTE: "Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
87       fied".
88
89   Passwords
90       Passwords  are  interpreted  in  the following forms below using prefix
91       identifiers.
92
93       Note: By default passwords are assumed to be in the  string  form  when
94       they do not have a prefix.
95
96   String
97       A  string  password,  specified  by  prefix "str:" or it's absence (raw
98       string without prefix) is not interpreted, and is directly used for au‐
99       thorization.
100
101   Examples
102              foobar
103              str:foobar
104
105   Hex-string
106       A  hex-string  password, specified by prefix "hex:" is converted from a
107       hexidecimal form into a byte array form, thus allowing  passwords  with
108       non-printable and/or terminal un-friendly characters.
109
110   Example
111              hex:0x1122334455667788
112
113   File
114       A  file  based password, specified be prefix "file:" should be the path
115       of a file containing the password to be read by the tool or  a  "-"  to
116       use  stdin.   Storing  passwords in files prevents information leakage,
117       passwords passed as options can be read from the process list or common
118       shell history features.
119
120   Examples
121              # to use stdin and be prompted
122              file:-
123
124              # to use a file from a path
125              file:path/to/password/file
126
127              # to echo a password via stdin:
128              echo foobar | tpm2_tool -p file:-
129
130              # to use a bash here-string via stdin:
131
132              tpm2_tool -p file:- <<< foobar
133
134   Sessions
135       When  using  a policy session to authorize the use of an object, prefix
136       the option argument with the session keyword.  Then indicate a path  to
137       a session file that was created with tpm2_startauthsession(1).  Option‐
138       ally, if the session requires an auth value to be sent with the session
139       handle  (eg policy password), then append a + and a string as described
140       in the Passwords section.
141
142   Examples
143       To use a session context file called session.ctx.
144
145              session:session.ctx
146
147       To use a session context file called session.ctx AND send the authvalue
148       mypassword.
149
150              session:session.ctx+mypassword
151
152       To use a session context file called session.ctx AND send the HEX auth‐
153       value 0x11223344.
154
155              session:session.ctx+hex:11223344
156
157   PCR Authorizations
158       You can satisfy a PCR policy using the "pcr:" prefix and the PCR  mini‐
159       language.       The     PCR     minilanguage     is     as     follows:
160       <pcr-spec>=<raw-pcr-file>
161
162       The PCR spec is documented in in the section "PCR bank specifiers".
163
164       The raw-pcr-file is an optional the output of the raw PCR  contents  as
165       returned by tpm2_pcrread(1).
166
167       PCR bank specifiers (common/pcr.md)
168
169   Examples
170       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
171       er of:
172
173              pcr:sha256:0,1,2,3
174
175       specifying AUTH.
176

178       Options that take algorithms support "nice-names".
179
180       There are two major algorithm specification string classes, simple  and
181       complex.  Only certain algorithms will be accepted by the TPM, based on
182       usage and conditions.
183
184   Simple specifiers
185       These are strings with no additional specification data.  When creating
186       objects,  non-specified  portions of an object are assumed to defaults.
187       You can find the list of known "Simple Specifiers Below".
188
189   Asymmetric
190       · rsa
191
192       · ecc
193
194   Symmetric
195       · aes
196
197       · camellia
198
199   Hashing Algorithms
200       · sha1
201
202       · sha256
203
204       · sha384
205
206       · sha512
207
208       · sm3_256
209
210       · sha3_256
211
212       · sha3_384
213
214       · sha3_512
215
216   Keyed Hash
217       · hmac
218
219       · xor
220
221   Signing Schemes
222       · rsassa
223
224       · rsapss
225
226       · ecdsa
227
228       · ecdaa
229
230       · ecschnorr
231
232   Asymmetric Encryption Schemes
233       · oaep
234
235       · rsaes
236
237       · ecdh
238
239   Modes
240       · ctr
241
242       · ofb
243
244       · cbc
245
246       · cfb
247
248       · ecb
249
250   Misc
251       · null
252
253   Complex Specifiers
254       Objects, when specified for creation by the TPM,  have  numerous  algo‐
255       rithms  to  populate  in the public data.  Things like type, scheme and
256       asymmetric details, key size, etc.  Below is  the  general  format  for
257       specifying this data: <type>:<scheme>:<symmetric-details>
258
259   Type Specifiers
260       This  portion  of the complex algorithm specifier is required.  The re‐
261       maining scheme and symmetric details will default  based  on  the  type
262       specified and the type of the object being created.
263
264       · aes - Default AES: aes128
265
266       · aes128<mode>  - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
267         If mode is not specified, defaults to null.
268
269       · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
270
271       · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
272
273       · ecc - Elliptical Curve, defaults to ecc256.
274
275       · ecc192 - 192 bit ECC
276
277       · ecc224 - 224 bit ECC
278
279       · ecc256 - 256 bit ECC
280
281       · ecc384 - 384 bit ECC
282
283       · ecc521 - 521 bit ECC
284
285       · rsa - Default RSA: rsa2048
286
287       · rsa1024 - RSA with 1024 bit keysize.
288
289       · rsa2048 - RSA with 2048 bit keysize.
290
291       · rsa4096 - RSA with 4096 bit keysize.
292
293   Scheme Specifiers
294       Next, is an optional field, it can be skipped.
295
296       Schemes are usually Signing Schemes or Asymmetric  Encryption  Schemes.
297       Most signing schemes take a hash algorithm directly following the sign‐
298       ing scheme.  If the hash algorithm is missing, it defaults  to  sha256.
299       Some take no arguments, and some take multiple arguments.
300
301   Hash Optional Scheme Specifiers
302       These  scheme  specifiers are followed by a dash and a valid hash algo‐
303       rithm, For example: oaep-sha256.
304
305       · oaep
306
307       · ecdh
308
309       · rsassa
310
311       · rsapss
312
313       · ecdsa
314
315       · ecschnorr
316
317   Multiple Option Scheme Specifiers
318       This scheme specifier is followed by a count  (max  size  UINT16)  then
319       folloed  by a dash(-) and a valid hash algorithm.  * ecdaa For example,
320       ecdaa4-sha256.  If no count is specified, it defaults to 4.
321
322   No Option Scheme Specifiers
323       This scheme specifier takes NO arguments.  * rsaes
324
325   Symmetric Details Specifiers
326       This field is optional, and defaults based on the type of object  being
327       created  and it's attributes.  Generally, any valid Symmetric specifier
328       from the Type Specifiers list should work.  If not specified, an  asym‐
329       metric objects symmetric details defaults to aes128cfb.
330
331   Examples
332   Create an rsa2048 key with an rsaes asymmetric encryption scheme
333       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
334
335   Create an ecc256 key with an ecdaa signing scheme with a count of 4
336       and sha384 hash
337
338       /tpm2_create -C parent.ctx -G ecc256:ec‐
339       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
340

342       This collection of options are common to many programs and provide  in‐
343       formation that many users may expect.
344
345       · -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
346         attempts to invoke the manpager for the  tool,  however,  on  failure
347         will  output  a short tool summary.  This is the same behavior if the
348         "man" option argument is specified, however if explicit "man" is  re‐
349         quested,  the  tool  will  provide errors from man on stderr.  If the
350         "no-man" option if specified, or the manpager fails,  the  short  op‐
351         tions will be output to stdout.
352
353         To  successfully use the manpages feature requires the manpages to be
354         installed or on MANPATH, See man(1) for more details.
355
356       · -v, --version: Display version information for this  tool,  supported
357         tctis and exit.
358
359       · -V,  --verbose:  Increase the information that the tool prints to the
360         console during its execution.  When using this option  the  file  and
361         line number are printed.
362
363       · -Q, --quiet: Silence normal tool output to stdout.
364
365       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
366         if an errata fixup needs to be applied to commands sent to  the  TPM.
367         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
368         formation many users may expect.
369

371       The TCTI or "Transmission Interface"  is  the  communication  mechanism
372       with  the TPM.  TCTIs can be changed for communication with TPMs across
373       different mediums.
374
375       To control the TCTI, the tools respect:
376
377       1. The command line option -T or --tcti
378
379       2. The environment variable: TPM2TOOLS_TCTI.
380
381       Note: The command line option always overrides  the  environment  vari‐
382       able.
383
384       The current known TCTIs are:
385
386       · tabrmd      -     The     resource     manager,     called     tabrmd
387         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
388         abrmd as a tcti name are synonymous.
389
390       · mssim  - Typically used for communicating to the TPM software simula‐
391         tor.
392
393       · device - Used when talking directly to a TPM device file.
394
395       · none - Do not initalize a connection with the TPM.  Some tools  allow
396         for off-tpm options and thus support not using a TCTI.  Tools that do
397         not support it will error when attempted to be used  without  a  TCTI
398         connection.   Does  not  support ANY options and MUST BE presented as
399         the exact text of "none".
400
401       The arguments to either the command  line  option  or  the  environment
402       variable are in the form:
403
404       <tcti-name>:<tcti-option-config>
405
406       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
407       tion-config> results in the default being used for that portion respec‐
408       tively.
409
410   TCTI Defaults
411       When  a  TCTI  is not specified, the default TCTI is searched for using
412       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
413       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
414       what TCTI will be chosen as the default by using the -v option to print
415       the  version information.  The "default-tcti" key-value pair will indi‐
416       cate which of the aforementioned TCTIs is the default.
417
418   Custom TCTIs
419       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
420       tools internally use dlopen(3), and the raw tcti-name value is used for
421       the lookup.  Thus, this could be a path to the shared library, or a li‐
422       brary name as understood by dlopen(3) semantics.
423

425       This collection of options are used to configure the various known TCTI
426       modules available:
427
428       · device: For the device TCTI, the TPM character device file for use by
429         the device TCTI can be specified.  The default is /dev/tpm0.
430
431         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI="de‐
432         vice:/dev/tpm0"
433
434       · mssim: For the mssim TCTI, the domain name or  IP  address  and  port
435         number  used  by  the  simulator  can  be specified.  The default are
436         127.0.0.1 and 2321.
437
438         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
439         TI="mssim:host=localhost,port=2321"
440
441       · abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
442         ries of simple key value pairs separated by a  ','  character.   Each
443         key and value string are separated by a '=' character.
444
445         · TCTI abrmd supports two keys:
446
447           1. 'bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
448              string).
449
450           2. 'bus_type' : The type of the dbus instance (a string) limited to
451              'session' and 'system'.
452
453         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
454         ample.FooBar:
455
456         \--tcti=tabrmd:bus_name=com.example.FooBar
457
458         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
459         sion:
460
461         \--tcti:bus_type=session
462
463         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
464         ules.
465

467       To duplicate a key, one needs the key to duplicate, created with a pol‐
468       icy that
469       allows duplication and a new parent:
470
471              tpm2_startauthsession -S session.dat
472              tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Duplicate
473              tpm2_flushcontext session.dat
474
475              tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctxt
476              tpm2_create -C primary.ctxt -g sha256 -G rsa -r key.prv -u key.pub \
477              -L policy.dat -a "sensitivedataorigin"
478
479              tpm2_loadexternal -C o -u new_parent.pub -c new_parent.ctxt
480
481              tpm2_startauthsession \--policy-session -S session.dat
482              tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Duplicate
483              tpm2_duplicate -C new_parent.ctxt -c key.ctxt -G null -p "session:session.dat" \
484              -r duprv.bin -s seed.dat
485              tpm2_flushcontext session.dat
486

488       Tools can return any of the following codes:
489
490       · 0 - Success.
491
492       · 1 - General non-specific error.
493
494       · 2 - Options handling error.
495
496       · 3 - Authentication error.
497
498       · 4 - TCTI related error.
499
500       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
501

503       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
504

506       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
507
508
509
510tpm2-tools                                                   tpm2_duplicate(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

Algorithm Specifiers

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

Returns

BUGS

HELP