1tpm2_import(1) General Commands Manual tpm2_import(1)
2
3
4
6 tpm2_import(1) - Imports an external key into the tpm as a TPM managed
7 key object.
8
10 tpm2_import [OPTIONS]
11
13 tpm2_import(1) - Imports an external generated key as TPM managed key
14 object. It requires that the parent key object be a RSA key. Can also
15 import a TPM managed key object created by the tpm2_duplicate tool.
16
18 These options control the key importation process:
19
20 · -G, --key-algorithm=ALGORITHM:
21 The algorithm used by the key to be imported. Supports:
22
23 · aes - AES 128, 192 or 256 key.
24
25 · rsa - RSA 1024 or 2048 key.
26
27 · ecc - ECC NIST P192, P224, P256, P384 or P521 public and private
28 key.
29
30 · -g, --hash-algorithm=ALGORITHM:
31
32 The hash algorithm for generating the objects name. This is optional
33 and defaults to sha256 when not specified. Algorithms should follow
34 the "formatting standards", see section "Algorithm Specifiers". Al‐
35 so, see section "Supported Hash Algorithms" for a list of supported
36 hash algorithms.
37
38 · -i, --input=FILE:
39
40 Specifies the filename of the key to be imported. For AES keys, this
41 file is the raw key bytes. For assymetric keys in PEM or DER format.
42 A typical file is generated with openssl genrsa.
43
44 · -C, --parent-context=OBJECT:
45
46 The parent key object.
47
48 · -U, --parent-public=FILE:
49
50 Optional. Specifies the parent key public data file input. This can
51 be read with tpm2_readpublic(1) tool. If not specified, the tool in‐
52 vokes a tpm2_readpublic on the parent object.
53
54 · -k, --encryption-key=FILE:
55
56 Optional. Specifies the file containing the symmetric algorithm key
57 that was used for the inner wrapper. If the file is specified the
58 tool assumes the algorithm is AES 128 in CFB mode otherwise none.
59
60 · -r, --private=FILE:
61
62 Specifies the file path required to save the encrypted private por‐
63 tion of the object imported as key.
64
65 When importing a duplicated object this option specifies the file
66 containing the private portion of the object to be imported.
67
68 · -u, --public=FILE:
69
70 Specifies the file path required to save the public portion of the
71 object imported as key
72
73 When importing a duplicated object this option specifies the file
74 containing the public portion of the object to be imported.
75
76 · -a, --attributes=ATTRIBUTES:
77
78 The object attributes, optional.
79
80 · -P, --parent-auth=AUTH:
81
82 The authorization value for using the parent key specified with -C.
83
84 · -p, --key-auth=AUTH:
85
86 The authorization value for the imported key, optional.
87
88 · -L, --policy=POLICY_FILE:
89
90 The policy file.
91
92 · -s, --seed=FILE:
93
94 Specifies the file containing the encrypted seed of the duplicated
95 object.
96
97 · --passin=OSSL_PEM_FILE_PASSWORD
98
99 An optional password for an Open SSL (OSSL) provided input file. It
100 mirrors the -passin option of OSSL and is known to support the pass,
101 file, env, fd and plain password formats of openssl. (see man(1)
102 openssl) for more.
103
104 · --cphash=FILE
105
106 File path to record the hash of the command parameters. This is com‐
107 monly termed as cpHash. NOTE: When this option is selected, The tool
108 will not actually execute the command, it simply returns a cpHash.
109
110 References
112 The type of a context object, whether it is a handle or file name, is
113 determined according to the following logic in-order:
114
115 · If the argument is a file path, then the file is loaded as a restored
116 TPM transient object.
117
118 · If the argument is a prefix match on one of:
119
120 · owner: the owner hierarchy
121
122 · platform: the platform hierarchy
123
124 · endorsement: the endorsement hierarchy
125
126 · lockout: the lockout control persistent object
127
128 · If the argument argument can be loaded as a number it will be treat
129 as a handle, e.g. 0x81010013 and used directly.OBJECT.
130
132 Authorization for use of an object in TPM2.0 can come in 3 different
133 forms: 1. Password 2. HMAC 3. Sessions
134
135 NOTE: "Authorizations default to the EMPTY PASSWORD when not speci‐
136 fied".
137
138 Passwords
139 Passwords are interpreted in the following forms below using prefix
140 identifiers.
141
142 Note: By default passwords are assumed to be in the string form when
143 they do not have a prefix.
144
145 String
146 A string password, specified by prefix "str:" or it's absence (raw
147 string without prefix) is not interpreted, and is directly used for au‐
148 thorization.
149
150 Examples
151 foobar
152 str:foobar
153
154 Hex-string
155 A hex-string password, specified by prefix "hex:" is converted from a
156 hexidecimal form into a byte array form, thus allowing passwords with
157 non-printable and/or terminal un-friendly characters.
158
159 Example
160 hex:0x1122334455667788
161
162 File
163 A file based password, specified be prefix "file:" should be the path
164 of a file containing the password to be read by the tool or a "-" to
165 use stdin. Storing passwords in files prevents information leakage,
166 passwords passed as options can be read from the process list or common
167 shell history features.
168
169 Examples
170 # to use stdin and be prompted
171 file:-
172
173 # to use a file from a path
174 file:path/to/password/file
175
176 # to echo a password via stdin:
177 echo foobar | tpm2_tool -p file:-
178
179 # to use a bash here-string via stdin:
180
181 tpm2_tool -p file:- <<< foobar
182
183 Sessions
184 When using a policy session to authorize the use of an object, prefix
185 the option argument with the session keyword. Then indicate a path to
186 a session file that was created with tpm2_startauthsession(1). Option‐
187 ally, if the session requires an auth value to be sent with the session
188 handle (eg policy password), then append a + and a string as described
189 in the Passwords section.
190
191 Examples
192 To use a session context file called session.ctx.
193
194 session:session.ctx
195
196 To use a session context file called session.ctx AND send the authvalue
197 mypassword.
198
199 session:session.ctx+mypassword
200
201 To use a session context file called session.ctx AND send the HEX auth‐
202 value 0x11223344.
203
204 session:session.ctx+hex:11223344
205
206 PCR Authorizations
207 You can satisfy a PCR policy using the "pcr:" prefix and the PCR mini‐
208 language. The PCR minilanguage is as follows:
209 <pcr-spec>=<raw-pcr-file>
210
211 The PCR spec is documented in in the section "PCR bank specifiers".
212
213 The raw-pcr-file is an optional the output of the raw PCR contents as
214 returned by tpm2_pcrread(1).
215
216 PCR bank specifiers (common/pcr.md)
217
218 Examples
219 To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
220 er of:
221
222 pcr:sha256:0,1,2,3
223
224 specifying AUTH.
225
227 Options that take algorithms support "nice-names".
228
229 There are two major algorithm specification string classes, simple and
230 complex. Only certain algorithms will be accepted by the TPM, based on
231 usage and conditions.
232
233 Simple specifiers
234 These are strings with no additional specification data. When creating
235 objects, non-specified portions of an object are assumed to defaults.
236 You can find the list of known "Simple Specifiers Below".
237
238 Asymmetric
239 · rsa
240
241 · ecc
242
243 Symmetric
244 · aes
245
246 · camellia
247
248 Hashing Algorithms
249 · sha1
250
251 · sha256
252
253 · sha384
254
255 · sha512
256
257 · sm3_256
258
259 · sha3_256
260
261 · sha3_384
262
263 · sha3_512
264
265 Keyed Hash
266 · hmac
267
268 · xor
269
270 Signing Schemes
271 · rsassa
272
273 · rsapss
274
275 · ecdsa
276
277 · ecdaa
278
279 · ecschnorr
280
281 Asymmetric Encryption Schemes
282 · oaep
283
284 · rsaes
285
286 · ecdh
287
288 Modes
289 · ctr
290
291 · ofb
292
293 · cbc
294
295 · cfb
296
297 · ecb
298
299 Misc
300 · null
301
302 Complex Specifiers
303 Objects, when specified for creation by the TPM, have numerous algo‐
304 rithms to populate in the public data. Things like type, scheme and
305 asymmetric details, key size, etc. Below is the general format for
306 specifying this data: <type>:<scheme>:<symmetric-details>
307
308 Type Specifiers
309 This portion of the complex algorithm specifier is required. The re‐
310 maining scheme and symmetric details will default based on the type
311 specified and the type of the object being created.
312
313 · aes - Default AES: aes128
314
315 · aes128<mode> - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
316 If mode is not specified, defaults to null.
317
318 · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
319
320 · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
321
322 · ecc - Elliptical Curve, defaults to ecc256.
323
324 · ecc192 - 192 bit ECC
325
326 · ecc224 - 224 bit ECC
327
328 · ecc256 - 256 bit ECC
329
330 · ecc384 - 384 bit ECC
331
332 · ecc521 - 521 bit ECC
333
334 · rsa - Default RSA: rsa2048
335
336 · rsa1024 - RSA with 1024 bit keysize.
337
338 · rsa2048 - RSA with 2048 bit keysize.
339
340 · rsa4096 - RSA with 4096 bit keysize.
341
342 Scheme Specifiers
343 Next, is an optional field, it can be skipped.
344
345 Schemes are usually Signing Schemes or Asymmetric Encryption Schemes.
346 Most signing schemes take a hash algorithm directly following the sign‐
347 ing scheme. If the hash algorithm is missing, it defaults to sha256.
348 Some take no arguments, and some take multiple arguments.
349
350 Hash Optional Scheme Specifiers
351 These scheme specifiers are followed by a dash and a valid hash algo‐
352 rithm, For example: oaep-sha256.
353
354 · oaep
355
356 · ecdh
357
358 · rsassa
359
360 · rsapss
361
362 · ecdsa
363
364 · ecschnorr
365
366 Multiple Option Scheme Specifiers
367 This scheme specifier is followed by a count (max size UINT16) then
368 folloed by a dash(-) and a valid hash algorithm. * ecdaa For example,
369 ecdaa4-sha256. If no count is specified, it defaults to 4.
370
371 No Option Scheme Specifiers
372 This scheme specifier takes NO arguments. * rsaes
373
374 Symmetric Details Specifiers
375 This field is optional, and defaults based on the type of object being
376 created and it's attributes. Generally, any valid Symmetric specifier
377 from the Type Specifiers list should work. If not specified, an asym‐
378 metric objects symmetric details defaults to aes128cfb.
379
380 Examples
381 Create an rsa2048 key with an rsaes asymmetric encryption scheme
382 tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
383
384 Create an ecc256 key with an ecdaa signing scheme with a count of 4
385 and sha384 hash
386
387 /tpm2_create -C parent.ctx -G ecc256:ec‐
388 daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
389
391 Object Attributes are used to control various properties of created ob‐
392 jects. When specified as an option, either the raw bitfield mask or
393 "nice-names" may be used. The values can be found in Table 31 Part 2
394 of the TPM2.0 specification, which can be found here:
395
396 <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
397 Rev-2.0-Part-2-Structures-01.38.pdf>
398
399 Nice names are calculated by taking the name field of table 31 and re‐
400 moving the prefix TPMA_OBJECT_ and lowercasing the result. Thus, TP‐
401 MA_OBJECT_FIXEDTPM becomes fixedtpm. Nice names can be joined using
402 the bitwise or "|" symbol.
403
404 For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
405 and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
406
407 fixedtpm|noda|sign specifying the object attributes ATTRIBUTES.
408
410 This collection of options are common to many programs and provide in‐
411 formation that many users may expect.
412
413 · -h, --help=[man|no-man]: Display the tools manpage. By default, it
414 attempts to invoke the manpager for the tool, however, on failure
415 will output a short tool summary. This is the same behavior if the
416 "man" option argument is specified, however if explicit "man" is re‐
417 quested, the tool will provide errors from man on stderr. If the
418 "no-man" option if specified, or the manpager fails, the short op‐
419 tions will be output to stdout.
420
421 To successfully use the manpages feature requires the manpages to be
422 installed or on MANPATH, See man(1) for more details.
423
424 · -v, --version: Display version information for this tool, supported
425 tctis and exit.
426
427 · -V, --verbose: Increase the information that the tool prints to the
428 console during its execution. When using this option the file and
429 line number are printed.
430
431 · -Q, --quiet: Silence normal tool output to stdout.
432
433 · -Z, --enable-errata: Enable the application of errata fixups. Useful
434 if an errata fixup needs to be applied to commands sent to the TPM.
435 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
436 formation many users may expect.
437
439 The TCTI or "Transmission Interface" is the communication mechanism
440 with the TPM. TCTIs can be changed for communication with TPMs across
441 different mediums.
442
443 To control the TCTI, the tools respect:
444
445 1. The command line option -T or --tcti
446
447 2. The environment variable: TPM2TOOLS_TCTI.
448
449 Note: The command line option always overrides the environment vari‐
450 able.
451
452 The current known TCTIs are:
453
454 · tabrmd - The resource manager, called tabrmd
455 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
456 abrmd as a tcti name are synonymous.
457
458 · mssim - Typically used for communicating to the TPM software simula‐
459 tor.
460
461 · device - Used when talking directly to a TPM device file.
462
463 · none - Do not initalize a connection with the TPM. Some tools allow
464 for off-tpm options and thus support not using a TCTI. Tools that do
465 not support it will error when attempted to be used without a TCTI
466 connection. Does not support ANY options and MUST BE presented as
467 the exact text of "none".
468
469 The arguments to either the command line option or the environment
470 variable are in the form:
471
472 <tcti-name>:<tcti-option-config>
473
474 Specifying an empty string for either the <tcti-name> or <tcti-op‐
475 tion-config> results in the default being used for that portion respec‐
476 tively.
477
478 TCTI Defaults
479 When a TCTI is not specified, the default TCTI is searched for using
480 dlopen(3) semantics. The tools will search for tabrmd, device and
481 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
482 what TCTI will be chosen as the default by using the -v option to print
483 the version information. The "default-tcti" key-value pair will indi‐
484 cate which of the aforementioned TCTIs is the default.
485
486 Custom TCTIs
487 Any TCTI that implements the dynamic TCTI interface can be loaded. The
488 tools internally use dlopen(3), and the raw tcti-name value is used for
489 the lookup. Thus, this could be a path to the shared library, or a li‐
490 brary name as understood by dlopen(3) semantics.
491
493 This collection of options are used to configure the various known TCTI
494 modules available:
495
496 · device: For the device TCTI, the TPM character device file for use by
497 the device TCTI can be specified. The default is /dev/tpm0.
498
499 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="de‐
500 vice:/dev/tpm0"
501
502 · mssim: For the mssim TCTI, the domain name or IP address and port
503 number used by the simulator can be specified. The default are
504 127.0.0.1 and 2321.
505
506 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
507 TI="mssim:host=localhost,port=2321"
508
509 · abrmd: For the abrmd TCTI, the configuration string format is a se‐
510 ries of simple key value pairs separated by a ',' character. Each
511 key and value string are separated by a '=' character.
512
513 · TCTI abrmd supports two keys:
514
515 1. 'bus_name' : The name of the tabrmd service on the bus (a
516 string).
517
518 2. 'bus_type' : The type of the dbus instance (a string) limited to
519 'session' and 'system'.
520
521 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
522 ample.FooBar:
523
524 \--tcti=tabrmd:bus_name=com.example.FooBar
525
526 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
527 sion:
528
529 \--tcti:bus_type=session
530
531 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
532 ules.
533
535 To import a key, one needs to have a parent key
536 tpm2_createprimary -Grsa2048:aes128cfb -C o -c parent.ctx
537
538 Create your key and and import it. If you already have a key, just use
539 that and skip creating it.
540
541 Import an AES 128 key
542 dd if=/dev/urandom of=sym.key bs=1 count=16
543
544 tpm2_import -C parent.ctx -i sym.key -u key.pub -r key.priv
545
546 Import an RSA key
547 openssl genrsa -out private.pem 2048
548
549 tpm2_import -C parent.ctx -G rsa -i private.pem -u key.pub -r key.priv
550
551 Import an ECC key
552 openssl ecparam -name prime256v1 -genkey -noout -out private.ecc.pem
553
554 tpm2_import -C parent.ctx -G ecc -i private.ecc.pem -u key.pub -r key.priv
555
556 Import a duplicated key
557 tpm2_import -C parent.ctx -i key.dup -u key.pub -r key.priv -L policy.dat
558
560 · The TPM requires that the name algorithm of the child be smaller than
561 the parent.
562
564 Tools can return any of the following codes:
565
566 · 0 - Success.
567
568 · 1 - General non-specific error.
569
570 · 2 - Options handling error.
571
572 · 3 - Authentication error.
573
574 · 4 - TCTI related error.
575
576 · 5 - Non supported scheme. Applicable to tpm2_testparams.
577
579 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
580
582 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
583
584
585
586tpm2-tools tpm2_import(1)