tpm2_import(1)

1tpm2_import(1)              General Commands Manual             tpm2_import(1)
2
3
4

6       tpm2_import(1)  - Imports an external key into the tpm as a TPM managed
7       key object.
8

10       tpm2_import [OPTIONS]
11

13       tpm2_import(1) - Imports an external generated key as TPM  managed  key
14       object.  It requires that the parent key object be a RSA key.  Can also
15       import a TPM managed key object created by the tpm2_duplicate tool.
16

18       These options control the key importation process:
19
20       · -G, --key-algorithm=ALGORITHM:
21         The algorithm used by the key to be imported.  Supports:
22
23         · aes - AES 128, 192 or 256 key.
24
25         · rsa - RSA 1024 or 2048 key.
26
27         · ecc - ECC NIST P192, P224, P256, P384 or P521  public  and  private
28           key.
29
30       · -g, --hash-algorithm=ALGORITHM:
31
32         The hash algorithm for generating the objects name.  This is optional
33         and defaults to sha256 when not specified.  Algorithms should  follow
34         the  "formatting standards", see section "Algorithm Specifiers".  Al‐
35         so, see section "Supported Hash Algorithms" for a list  of  supported
36         hash algorithms.
37
38       · -i, --input=FILE:
39
40         Specifies the filename of the key to be imported.  For AES keys, this
41         file is the raw key bytes.  For assymetric keys in PEM or DER format.
42         A typical file is generated with openssl genrsa.
43
44       · -C, --parent-context=OBJECT:
45
46         The parent key object.
47
48       · -U, --parent-public=FILE:
49
50         Optional.  Specifies the parent key public data file input.  This can
51         be read with tpm2_readpublic(1) tool.  If not specified, the tool in‐
52         vokes a tpm2_readpublic on the parent object.
53
54       · -k, --encryption-key=FILE:
55
56         Optional.   Specifies the file containing the symmetric algorithm key
57         that was used for the inner wrapper.  If the file  is  specified  the
58         tool assumes the algorithm is AES 128 in CFB mode otherwise none.
59
60       · -r, --private=FILE:
61
62         Specifies  the  file path required to save the encrypted private por‐
63         tion of the object imported as key.
64
65         When importing a duplicated object this  option  specifies  the  file
66         containing the private portion of the object to be imported.
67
68       · -u, --public=FILE:
69
70         Specifies  the  file  path required to save the public portion of the
71         object imported as key
72
73         When importing a duplicated object this  option  specifies  the  file
74         containing the public portion of the object to be imported.
75
76       · -a, --attributes=ATTRIBUTES:
77
78         The object attributes, optional.
79
80       · -P, --parent-auth=AUTH:
81
82         The authorization value for using the parent key specified with -C.
83
84       · -p, --key-auth=AUTH:
85
86         The authorization value for the imported key, optional.
87
88       · -L, --policy=POLICY_FILE:
89
90         The policy file.
91
92       · -s, --seed=FILE:
93
94         Specifies  the  file  containing the encrypted seed of the duplicated
95         object.
96
97       · --passin=OSSL_PEM_FILE_PASSWORD
98
99         An optional password for an Open SSL (OSSL) provided input file.   It
100         mirrors  the -passin option of OSSL and is known to support the pass,
101         file, env, fd and plain password formats  of  openssl.   (see  man(1)
102         openssl) for more.
103
104       · --cphash=FILE
105
106         File path to record the hash of the command parameters.  This is com‐
107         monly termed as cpHash.  NOTE: When this option is selected, The tool
108         will not actually execute the command, it simply returns a cpHash.
109
110   References

112       The  type  of a context object, whether it is a handle or file name, is
113       determined according to the following logic in-order:
114
115       · If the argument is a file path, then the file is loaded as a restored
116         TPM transient object.
117
118       · If the argument is a prefix match on one of:
119
120         · owner: the owner hierarchy
121
122         · platform: the platform hierarchy
123
124         · endorsement: the endorsement hierarchy
125
126         · lockout: the lockout control persistent object
127
128       · If  the  argument argument can be loaded as a number it will be treat
129         as a handle, e.g.  0x81010013 and used directly.OBJECT.
130

132       Authorization for use of an object in TPM2.0 can come  in  3  different
133       forms: 1.  Password 2.  HMAC 3.  Sessions
134
135       NOTE:  "Authorizations  default  to  the EMPTY PASSWORD when not speci‐
136       fied".
137
138   Passwords
139       Passwords are interpreted in the following  forms  below  using  prefix
140       identifiers.
141
142       Note:  By  default  passwords are assumed to be in the string form when
143       they do not have a prefix.
144
145   String
146       A string password, specified by prefix  "str:"  or  it's  absence  (raw
147       string without prefix) is not interpreted, and is directly used for au‐
148       thorization.
149
150   Examples
151              foobar
152              str:foobar
153
154   Hex-string
155       A hex-string password, specified by prefix "hex:" is converted  from  a
156       hexidecimal  form  into a byte array form, thus allowing passwords with
157       non-printable and/or terminal un-friendly characters.
158
159   Example
160              hex:0x1122334455667788
161
162   File
163       A file based password, specified be prefix "file:" should be  the  path
164       of  a  file  containing the password to be read by the tool or a "-" to
165       use stdin.  Storing passwords in files  prevents  information  leakage,
166       passwords passed as options can be read from the process list or common
167       shell history features.
168
169   Examples
170              # to use stdin and be prompted
171              file:-
172
173              # to use a file from a path
174              file:path/to/password/file
175
176              # to echo a password via stdin:
177              echo foobar | tpm2_tool -p file:-
178
179              # to use a bash here-string via stdin:
180
181              tpm2_tool -p file:- <<< foobar
182
183   Sessions
184       When using a policy session to authorize the use of an  object,  prefix
185       the  option argument with the session keyword.  Then indicate a path to
186       a session file that was created with tpm2_startauthsession(1).  Option‐
187       ally, if the session requires an auth value to be sent with the session
188       handle (eg policy password), then append a + and a string as  described
189       in the Passwords section.
190
191   Examples
192       To use a session context file called session.ctx.
193
194              session:session.ctx
195
196       To use a session context file called session.ctx AND send the authvalue
197       mypassword.
198
199              session:session.ctx+mypassword
200
201       To use a session context file called session.ctx AND send the HEX auth‐
202       value 0x11223344.
203
204              session:session.ctx+hex:11223344
205
206   PCR Authorizations
207       You  can satisfy a PCR policy using the "pcr:" prefix and the PCR mini‐
208       language.      The     PCR     minilanguage     is     as      follows:
209       <pcr-spec>=<raw-pcr-file>
210
211       The PCR spec is documented in in the section "PCR bank specifiers".
212
213       The  raw-pcr-file  is an optional the output of the raw PCR contents as
214       returned by tpm2_pcrread(1).
215
216       PCR bank specifiers (common/pcr.md)
217
218   Examples
219       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
220       er of:
221
222              pcr:sha256:0,1,2,3
223
224       specifying AUTH.
225

227       Options that take algorithms support "nice-names".
228
229       There  are two major algorithm specification string classes, simple and
230       complex.  Only certain algorithms will be accepted by the TPM, based on
231       usage and conditions.
232
233   Simple specifiers
234       These are strings with no additional specification data.  When creating
235       objects, non-specified portions of an object are assumed  to  defaults.
236       You can find the list of known "Simple Specifiers Below".
237
238   Asymmetric
239       · rsa
240
241       · ecc
242
243   Symmetric
244       · aes
245
246       · camellia
247
248   Hashing Algorithms
249       · sha1
250
251       · sha256
252
253       · sha384
254
255       · sha512
256
257       · sm3_256
258
259       · sha3_256
260
261       · sha3_384
262
263       · sha3_512
264
265   Keyed Hash
266       · hmac
267
268       · xor
269
270   Signing Schemes
271       · rsassa
272
273       · rsapss
274
275       · ecdsa
276
277       · ecdaa
278
279       · ecschnorr
280
281   Asymmetric Encryption Schemes
282       · oaep
283
284       · rsaes
285
286       · ecdh
287
288   Modes
289       · ctr
290
291       · ofb
292
293       · cbc
294
295       · cfb
296
297       · ecb
298
299   Misc
300       · null
301
302   Complex Specifiers
303       Objects,  when  specified  for creation by the TPM, have numerous algo‐
304       rithms to populate in the public data.  Things like  type,  scheme  and
305       asymmetric  details,  key  size,  etc.  Below is the general format for
306       specifying this data: <type>:<scheme>:<symmetric-details>
307
308   Type Specifiers
309       This portion of the complex algorithm specifier is required.   The  re‐
310       maining  scheme  and  symmetric  details will default based on the type
311       specified and the type of the object being created.
312
313       · aes - Default AES: aes128
314
315       · aes128<mode> - 128 bit AES with optional mode  (ctr|ofb|cbc|cfb|ecb).
316         If mode is not specified, defaults to null.
317
318       · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
319
320       · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
321
322       · ecc - Elliptical Curve, defaults to ecc256.
323
324       · ecc192 - 192 bit ECC
325
326       · ecc224 - 224 bit ECC
327
328       · ecc256 - 256 bit ECC
329
330       · ecc384 - 384 bit ECC
331
332       · ecc521 - 521 bit ECC
333
334       · rsa - Default RSA: rsa2048
335
336       · rsa1024 - RSA with 1024 bit keysize.
337
338       · rsa2048 - RSA with 2048 bit keysize.
339
340       · rsa4096 - RSA with 4096 bit keysize.
341
342   Scheme Specifiers
343       Next, is an optional field, it can be skipped.
344
345       Schemes  are  usually Signing Schemes or Asymmetric Encryption Schemes.
346       Most signing schemes take a hash algorithm directly following the sign‐
347       ing  scheme.   If the hash algorithm is missing, it defaults to sha256.
348       Some take no arguments, and some take multiple arguments.
349
350   Hash Optional Scheme Specifiers
351       These scheme specifiers are followed by a dash and a valid  hash  algo‐
352       rithm, For example: oaep-sha256.
353
354       · oaep
355
356       · ecdh
357
358       · rsassa
359
360       · rsapss
361
362       · ecdsa
363
364       · ecschnorr
365
366   Multiple Option Scheme Specifiers
367       This  scheme  specifier  is  followed by a count (max size UINT16) then
368       folloed by a dash(-) and a valid hash algorithm.  * ecdaa For  example,
369       ecdaa4-sha256.  If no count is specified, it defaults to 4.
370
371   No Option Scheme Specifiers
372       This scheme specifier takes NO arguments.  * rsaes
373
374   Symmetric Details Specifiers
375       This  field is optional, and defaults based on the type of object being
376       created and it's attributes.  Generally, any valid Symmetric  specifier
377       from  the Type Specifiers list should work.  If not specified, an asym‐
378       metric objects symmetric details defaults to aes128cfb.
379
380   Examples
381   Create an rsa2048 key with an rsaes asymmetric encryption scheme
382       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
383
384   Create an ecc256 key with an ecdaa signing scheme with a count of 4
385       and sha384 hash
386
387       /tpm2_create -C parent.ctx -G ecc256:ec‐
388       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
389

391       Object Attributes are used to control various properties of created ob‐
392       jects.  When specified as an option, either the raw  bitfield  mask  or
393       "nice-names"  may  be used.  The values can be found in Table 31 Part 2
394       of the TPM2.0 specification, which can be found here:
395
396       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
397       Rev-2.0-Part-2-Structures-01.38.pdf>
398
399       Nice  names are calculated by taking the name field of table 31 and re‐
400       moving the prefix TPMA_OBJECT_ and lowercasing the result.   Thus,  TP‐
401       MA_OBJECT_FIXEDTPM  becomes  fixedtpm.   Nice names can be joined using
402       the bitwise or "|" symbol.
403
404       For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
405       and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
406
407       fixedtpm|noda|sign specifying the object attributes ATTRIBUTES.
408

410       This  collection of options are common to many programs and provide in‐
411       formation that many users may expect.
412
413       · -h, --help=[man|no-man]: Display the tools manpage.  By  default,  it
414         attempts  to  invoke  the  manpager for the tool, however, on failure
415         will output a short tool summary.  This is the same behavior  if  the
416         "man"  option argument is specified, however if explicit "man" is re‐
417         quested, the tool will provide errors from man  on  stderr.   If  the
418         "no-man"  option  if  specified, or the manpager fails, the short op‐
419         tions will be output to stdout.
420
421         To successfully use the manpages feature requires the manpages to  be
422         installed or on MANPATH, See man(1) for more details.
423
424       · -v,  --version:  Display version information for this tool, supported
425         tctis and exit.
426
427       · -V, --verbose: Increase the information that the tool prints  to  the
428         console  during  its  execution.  When using this option the file and
429         line number are printed.
430
431       · -Q, --quiet: Silence normal tool output to stdout.
432
433       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
434         if  an  errata fixup needs to be applied to commands sent to the TPM.
435         Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.   in‐
436         formation many users may expect.
437

439       The  TCTI  or  "Transmission  Interface" is the communication mechanism
440       with the TPM.  TCTIs can be changed for communication with TPMs  across
441       different mediums.
442
443       To control the TCTI, the tools respect:
444
445       1. The command line option -T or --tcti
446
447       2. The environment variable: TPM2TOOLS_TCTI.
448
449       Note:  The  command  line option always overrides the environment vari‐
450       able.
451
452       The current known TCTIs are:
453
454       · tabrmd     -     The     resource     manager,     called      tabrmd
455         (https://github.com/tpm2-software/tpm2-abrmd).   Note that tabrmd and
456         abrmd as a tcti name are synonymous.
457
458       · mssim - Typically used for communicating to the TPM software  simula‐
459         tor.
460
461       · device - Used when talking directly to a TPM device file.
462
463       · none  - Do not initalize a connection with the TPM.  Some tools allow
464         for off-tpm options and thus support not using a TCTI.  Tools that do
465         not  support  it  will error when attempted to be used without a TCTI
466         connection.  Does not support ANY options and MUST  BE  presented  as
467         the exact text of "none".
468
469       The  arguments  to  either  the  command line option or the environment
470       variable are in the form:
471
472       <tcti-name>:<tcti-option-config>
473
474       Specifying an empty string for  either  the  <tcti-name>  or  <tcti-op‐
475       tion-config> results in the default being used for that portion respec‐
476       tively.
477
478   TCTI Defaults
479       When a TCTI is not specified, the default TCTI is  searched  for  using
480       dlopen(3)  semantics.   The  tools  will  search for tabrmd, device and
481       mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND.  You  can  query
482       what TCTI will be chosen as the default by using the -v option to print
483       the version information.  The "default-tcti" key-value pair will  indi‐
484       cate which of the aforementioned TCTIs is the default.
485
486   Custom TCTIs
487       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
488       tools internally use dlopen(3), and the raw tcti-name value is used for
489       the lookup.  Thus, this could be a path to the shared library, or a li‐
490       brary name as understood by dlopen(3) semantics.
491

493       This collection of options are used to configure the various known TCTI
494       modules available:
495
496       · device: For the device TCTI, the TPM character device file for use by
497         the device TCTI can be specified.  The default is /dev/tpm0.
498
499         Example:   -T   device:/dev/tpm0   or   export    TPM2TOOLS_TCTI="de‐
500         vice:/dev/tpm0"
501
502       · mssim:  For  the  mssim  TCTI, the domain name or IP address and port
503         number used by the simulator  can  be  specified.   The  default  are
504         127.0.0.1 and 2321.
505
506         Example:  -T  mssim:host=localhost,port=2321  or export TPM2TOOLS_TC‐
507         TI="mssim:host=localhost,port=2321"
508
509       · abrmd: For the abrmd TCTI, the configuration string format is  a  se‐
510         ries  of  simple  key value pairs separated by a ',' character.  Each
511         key and value string are separated by a '=' character.
512
513         · TCTI abrmd supports two keys:
514
515           1. 'bus_name' : The name of  the  tabrmd  service  on  the  bus  (a
516              string).
517
518           2. 'bus_type' : The type of the dbus instance (a string) limited to
519              'session' and 'system'.
520
521         Specify the tabrmd tcti name and a config string of  bus_name=com.ex‐
522         ample.FooBar:
523
524         \--tcti=tabrmd:bus_name=com.example.FooBar
525
526         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
527         sion:
528
529         \--tcti:bus_type=session
530
531         NOTE: abrmd and tabrmd are synonymous.  the various known  TCTI  mod‐
532         ules.
533

535   To import a key, one needs to have a parent key
536              tpm2_createprimary -Grsa2048:aes128cfb -C o -c parent.ctx
537
538       Create your key and and import it.  If you already have a key, just use
539       that and skip creating it.
540
541   Import an AES 128 key
542              dd if=/dev/urandom of=sym.key bs=1 count=16
543
544              tpm2_import -C parent.ctx -i sym.key -u key.pub -r key.priv
545
546   Import an RSA key
547              openssl genrsa -out private.pem 2048
548
549              tpm2_import -C parent.ctx -G rsa -i private.pem -u key.pub -r key.priv
550
551   Import an ECC key
552              openssl ecparam -name prime256v1 -genkey -noout -out private.ecc.pem
553
554              tpm2_import -C parent.ctx -G ecc -i private.ecc.pem -u key.pub -r key.priv
555
556   Import a duplicated key
557              tpm2_import -C parent.ctx -i key.dup -u key.pub -r key.priv -L policy.dat
558

560       · The TPM requires that the name algorithm of the child be smaller than
561         the parent.
562

564       Tools can return any of the following codes:
565
566       · 0 - Success.
567
568       · 1 - General non-specific error.
569
570       · 2 - Options handling error.
571
572       · 3 - Authentication error.
573
574       · 4 - TCTI related error.
575
576       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
577

579       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
580

582       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
583
584
585
586tpm2-tools                                                      tpm2_import(1)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

Context Object Format

Authorization Formatting

Algorithm Specifiers

Object Attributes

COMMON OPTIONS

TCTI Configuration

TCTI OPTIONS

EXAMPLES

LIMITATIONS

Returns

BUGS

HELP