1tpm2_duplicate(1)           General Commands Manual          tpm2_duplicate(1)
2
3
4

NAME

6       tpm2_duplicate(1)  -  Duplicates a loaded object so that it may be used
7       in a different hierarchy.
8

SYNOPSIS

10       tpm2_duplicate [OPTIONS]
11

DESCRIPTION

13       tpm2_duplicate(1) - This tool duplicates a loaded object so that it may
14       be used in a different hierarchy.  The new parent key for the duplicate
15       may be on the same or different TPM or TPM_RH_NULL.
16

OPTIONS

18       These options control the key importation process:
19
20       · -G, --wrapper-algorithm=ALGORITHM:
21         The symmetric algorithm to be used for the inner wrapper.  Supports:
22
23         · aes - AES 128 in CFB mode.
24
25         · null - none
26
27       · -i, --encryptionkey-in=FILE:
28
29         Specifies the filename of the symmetric key (128 bit data) to be used
30         for the inner wrapper.  Valid only when specified symmetric algorithm
31         is not null
32
33       · -o, --encryptionkey-out=FILE:
34
35         Specifies the filename to store the symmetric key (128 bit data) that
36         was  used for the inner wrapper.  Valid only when specified symmetric
37         algorithm is not null and --input-key-file is not specified.  The TPM
38         generates the key in this case.
39
40       · -C, --parent-context=OBJECT:
41
42         The parent key object.
43
44       · -r, --private=FILE:
45
46         Specifies the file path to save the private portion of the duplicated
47         object.
48
49       · -s, --encrypted-seed=FILE:
50
51         The file to save the encrypted seed of the duplicated object.
52
53       · -p, --auth=AUTH:
54
55         The authorization value for the key, optional.
56
57       · -c, --key-context=OBJECT:
58
59         The object to be duplicated.
60
61       · --cphash=FILE
62
63         File path to record the hash of the command parameters.  This is com‐
64         monly termed as cpHash.  NOTE: When this option is selected, The tool
65         will not actually execute the command, it simply returns a cpHash.
66
67   References

Context Object Format

69       The type of a context object, whether it is a handle or file  name,  is
70       determined according to the following logic in-order:
71
72       · If the argument is a file path, then the file is loaded as a restored
73         TPM transient object.
74
75       · If the argument is a prefix match on one of:
76
77         · owner: the owner hierarchy
78
79         · platform: the platform hierarchy
80
81         · endorsement: the endorsement hierarchy
82
83         · lockout: the lockout control persistent object
84
85       · If the argument argument can be loaded as a number it will  be  treat
86         as a handle, e.g.  0x81010013 and used directly.OBJECT.
87

Authorization Formatting

89       Authorization  for  use  of an object in TPM2.0 can come in 3 different
90       forms: 1.  Password 2.  HMAC 3.  Sessions
91
92       NOTE: "Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
93       fied".
94
95   Passwords
96       Passwords  are  interpreted  in  the following forms below using prefix
97       identifiers.
98
99       Note: By default passwords are assumed to be in the  string  form  when
100       they do not have a prefix.
101
102   String
103       A  string  password,  specified  by  prefix "str:" or it's absence (raw
104       string without prefix) is not interpreted, and is directly used for au‐
105       thorization.
106
107   Examples
108              foobar
109              str:foobar
110
111   Hex-string
112       A  hex-string  password, specified by prefix "hex:" is converted from a
113       hexidecimal form into a byte array form, thus allowing  passwords  with
114       non-printable and/or terminal un-friendly characters.
115
116   Example
117              hex:0x1122334455667788
118
119   File
120       A  file  based password, specified be prefix "file:" should be the path
121       of a file containing the password to be read by the tool or  a  "-"  to
122       use  stdin.   Storing  passwords in files prevents information leakage,
123       passwords passed as options can be read from the process list or common
124       shell history features.
125
126   Examples
127              # to use stdin and be prompted
128              file:-
129
130              # to use a file from a path
131              file:path/to/password/file
132
133              # to echo a password via stdin:
134              echo foobar | tpm2_tool -p file:-
135
136              # to use a bash here-string via stdin:
137
138              tpm2_tool -p file:- <<< foobar
139
140   Sessions
141       When  using  a policy session to authorize the use of an object, prefix
142       the option argument with the session keyword.  Then indicate a path  to
143       a session file that was created with tpm2_startauthsession(1).  Option‐
144       ally, if the session requires an auth value to be sent with the session
145       handle  (eg policy password), then append a + and a string as described
146       in the Passwords section.
147
148   Examples
149       To use a session context file called session.ctx.
150
151              session:session.ctx
152
153       To use a session context file called session.ctx AND send the authvalue
154       mypassword.
155
156              session:session.ctx+mypassword
157
158       To use a session context file called session.ctx AND send the HEX auth‐
159       value 0x11223344.
160
161              session:session.ctx+hex:11223344
162
163   PCR Authorizations
164       You can satisfy a PCR policy using the "pcr:" prefix and the PCR  mini‐
165       language.       The     PCR     minilanguage     is     as     follows:
166       <pcr-spec>=<raw-pcr-file>
167
168       The PCR spec is documented in in the section "PCR bank specifiers".
169
170       The raw-pcr-file is an optional the output of the raw PCR  contents  as
171       returned by tpm2_pcrread(1).
172
173       PCR bank specifiers (common/pcr.md)
174
175   Examples
176       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
177       er of:
178
179              pcr:sha256:0,1,2,3
180
181       specifying AUTH.
182

Algorithm Specifiers

184       Options that take algorithms support "nice-names".
185
186       There are two major algorithm specification string classes, simple  and
187       complex.  Only certain algorithms will be accepted by the TPM, based on
188       usage and conditions.
189
190   Simple specifiers
191       These are strings with no additional specification data.  When creating
192       objects,  non-specified  portions of an object are assumed to defaults.
193       You can find the list of known "Simple Specifiers Below".
194
195   Asymmetric
196       · rsa
197
198       · ecc
199
200   Symmetric
201       · aes
202
203       · camellia
204
205   Hashing Algorithms
206       · sha1
207
208       · sha256
209
210       · sha384
211
212       · sha512
213
214       · sm3_256
215
216       · sha3_256
217
218       · sha3_384
219
220       · sha3_512
221
222   Keyed Hash
223       · hmac
224
225       · xor
226
227   Signing Schemes
228       · rsassa
229
230       · rsapss
231
232       · ecdsa
233
234       · ecdaa
235
236       · ecschnorr
237
238   Asymmetric Encryption Schemes
239       · oaep
240
241       · rsaes
242
243       · ecdh
244
245   Modes
246       · ctr
247
248       · ofb
249
250       · cbc
251
252       · cfb
253
254       · ecb
255
256   Misc
257       · null
258
259   Complex Specifiers
260       Objects, when specified for creation by the TPM,  have  numerous  algo‐
261       rithms  to  populate  in the public data.  Things like type, scheme and
262       asymmetric details, key size, etc.  Below is  the  general  format  for
263       specifying this data: <type>:<scheme>:<symmetric-details>
264
265   Type Specifiers
266       This  portion  of the complex algorithm specifier is required.  The re‐
267       maining scheme and symmetric details will default  based  on  the  type
268       specified and the type of the object being created.
269
270       · aes - Default AES: aes128
271
272       · aes128<mode>  - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
273         If mode is not specified, defaults to null.
274
275       · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
276
277       · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
278
279       · ecc - Elliptical Curve, defaults to ecc256.
280
281       · ecc192 - 192 bit ECC
282
283       · ecc224 - 224 bit ECC
284
285       · ecc256 - 256 bit ECC
286
287       · ecc384 - 384 bit ECC
288
289       · ecc521 - 521 bit ECC
290
291       · rsa - Default RSA: rsa2048
292
293       · rsa1024 - RSA with 1024 bit keysize.
294
295       · rsa2048 - RSA with 2048 bit keysize.
296
297       · rsa4096 - RSA with 4096 bit keysize.
298
299   Scheme Specifiers
300       Next, is an optional field, it can be skipped.
301
302       Schemes are usually Signing Schemes or Asymmetric  Encryption  Schemes.
303       Most signing schemes take a hash algorithm directly following the sign‐
304       ing scheme.  If the hash algorithm is missing, it defaults  to  sha256.
305       Some take no arguments, and some take multiple arguments.
306
307   Hash Optional Scheme Specifiers
308       These  scheme  specifiers are followed by a dash and a valid hash algo‐
309       rithm, For example: oaep-sha256.
310
311       · oaep
312
313       · ecdh
314
315       · rsassa
316
317       · rsapss
318
319       · ecdsa
320
321       · ecschnorr
322
323   Multiple Option Scheme Specifiers
324       This scheme specifier is followed by a count  (max  size  UINT16)  then
325       folloed  by a dash(-) and a valid hash algorithm.  * ecdaa For example,
326       ecdaa4-sha256.  If no count is specified, it defaults to 4.
327
328   No Option Scheme Specifiers
329       This scheme specifier takes NO arguments.  * rsaes
330
331   Symmetric Details Specifiers
332       This field is optional, and defaults based on the type of object  being
333       created  and it's attributes.  Generally, any valid Symmetric specifier
334       from the Type Specifiers list should work.  If not specified, an  asym‐
335       metric objects symmetric details defaults to aes128cfb.
336
337   Examples
338   Create an rsa2048 key with an rsaes asymmetric encryption scheme
339       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
340
341   Create an ecc256 key with an ecdaa signing scheme with a count of 4
342       and sha384 hash
343
344       /tpm2_create -C parent.ctx -G ecc256:ec‐
345       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
346

COMMON OPTIONS

348       This collection of options are common to many programs and provide  in‐
349       formation that many users may expect.
350
351       · -h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
352         attempts to invoke the manpager for the  tool,  however,  on  failure
353         will  output  a short tool summary.  This is the same behavior if the
354         "man" option argument is specified, however if explicit "man" is  re‐
355         quested,  the  tool  will  provide errors from man on stderr.  If the
356         "no-man" option if specified, or the manpager fails,  the  short  op‐
357         tions will be output to stdout.
358
359         To  successfully use the manpages feature requires the manpages to be
360         installed or on MANPATH, See man(1) for more details.
361
362       · -v, --version: Display version information for this  tool,  supported
363         tctis and exit.
364
365       · -V,  --verbose:  Increase the information that the tool prints to the
366         console during its execution.  When using this option  the  file  and
367         line number are printed.
368
369       · -Q, --quiet: Silence normal tool output to stdout.
370
371       · -Z, --enable-errata: Enable the application of errata fixups.  Useful
372         if an errata fixup needs to be applied to commands sent to  the  TPM.
373         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
374         formation many users may expect.
375

TCTI Configuration

377       The TCTI or "Transmission Interface"  is  the  communication  mechanism
378       with  the TPM.  TCTIs can be changed for communication with TPMs across
379       different mediums.
380
381       To control the TCTI, the tools respect:
382
383       1. The command line option -T or --tcti
384
385       2. The environment variable: TPM2TOOLS_TCTI.
386
387       Note: The command line option always overrides  the  environment  vari‐
388       able.
389
390       The current known TCTIs are:
391
392       · tabrmd      -     The     resource     manager,     called     tabrmd
393         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
394         abrmd as a tcti name are synonymous.
395
396       · mssim  - Typically used for communicating to the TPM software simula‐
397         tor.
398
399       · device - Used when talking directly to a TPM device file.
400
401       · none - Do not initalize a connection with the TPM.  Some tools  allow
402         for off-tpm options and thus support not using a TCTI.  Tools that do
403         not support it will error when attempted to be used  without  a  TCTI
404         connection.   Does  not  support ANY options and MUST BE presented as
405         the exact text of "none".
406
407       The arguments to either the command  line  option  or  the  environment
408       variable are in the form:
409
410       <tcti-name>:<tcti-option-config>
411
412       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
413       tion-config> results in the default being used for that portion respec‐
414       tively.
415
416   TCTI Defaults
417       When  a  TCTI  is not specified, the default TCTI is searched for using
418       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
419       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
420       what TCTI will be chosen as the default by using the -v option to print
421       the  version information.  The "default-tcti" key-value pair will indi‐
422       cate which of the aforementioned TCTIs is the default.
423
424   Custom TCTIs
425       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
426       tools internally use dlopen(3), and the raw tcti-name value is used for
427       the lookup.  Thus, this could be a path to the shared library, or a li‐
428       brary name as understood by dlopen(3) semantics.
429

TCTI OPTIONS

431       This collection of options are used to configure the various known TCTI
432       modules available:
433
434       · device: For the device TCTI, the TPM character device file for use by
435         the device TCTI can be specified.  The default is /dev/tpm0.
436
437         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI="de‐
438         vice:/dev/tpm0"
439
440       · mssim: For the mssim TCTI, the domain name or  IP  address  and  port
441         number  used  by  the  simulator  can  be specified.  The default are
442         127.0.0.1 and 2321.
443
444         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
445         TI="mssim:host=localhost,port=2321"
446
447       · abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
448         ries of simple key value pairs separated by a  ','  character.   Each
449         key and value string are separated by a '=' character.
450
451         · TCTI abrmd supports two keys:
452
453           1. 'bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
454              string).
455
456           2. 'bus_type' : The type of the dbus instance (a string) limited to
457              'session' and 'system'.
458
459         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
460         ample.FooBar:
461
462         \--tcti=tabrmd:bus_name=com.example.FooBar
463
464         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
465         sion:
466
467         \--tcti:bus_type=session
468
469         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
470         ules.
471

EXAMPLES

473       To duplicate a key, one needs the key to duplicate, created with a pol‐
474       icy that
475       allows duplication and a new parent:
476
477              tpm2_startauthsession -S session.dat
478              tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Duplicate
479              tpm2_flushcontext session.dat
480
481              tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctxt
482              tpm2_create -C primary.ctxt -g sha256 -G rsa -r key.prv -u key.pub \
483              -L policy.dat -a "sensitivedataorigin"
484
485              tpm2_loadexternal -C o -u new_parent.pub -c new_parent.ctxt
486
487              tpm2_startauthsession \--policy-session -S session.dat
488              tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Duplicate
489              tpm2_duplicate -C new_parent.ctxt -c key.ctxt -G null -p "session:session.dat" \
490              -r duprv.bin -s seed.dat
491              tpm2_flushcontext session.dat
492

Returns

494       Tools can return any of the following codes:
495
496       · 0 - Success.
497
498       · 1 - General non-specific error.
499
500       · 2 - Options handling error.
501
502       · 3 - Authentication error.
503
504       · 4 - TCTI related error.
505
506       · 5 - Non supported scheme.  Applicable to tpm2_testparams.
507

BUGS

509       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
510

HELP

512       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
513
514
515
516tpm2-tools                                                   tpm2_duplicate(1)
Impressum