1tpm2_duplicate(1) General Commands Manual tpm2_duplicate(1)
2
3
4
6 tpm2_duplicate(1) - Duplicates a loaded object so that it may be used
7 in a different hierarchy.
8
10 tpm2_duplicate [OPTIONS]
11
13 tpm2_duplicate(1) - This tool duplicates a loaded object so that it may
14 be used in a different hierarchy. The new parent key for the duplicate
15 may be on the same or different TPM or TPM_RH_NULL.
16
18 These options control the key importation process:
19
20 · -G, --wrapper-algorithm=ALGORITHM:
21 The symmetric algorithm to be used for the inner wrapper. Supports:
22
23 · aes - AES 128 in CFB mode.
24
25 · null - none
26
27 · -i, --encryptionkey-in=FILE:
28
29 Specifies the filename of the symmetric key (128 bit data) to be used
30 for the inner wrapper. Valid only when specified symmetric algorithm
31 is not null
32
33 · -o, --encryptionkey-out=FILE:
34
35 Specifies the filename to store the symmetric key (128 bit data) that
36 was used for the inner wrapper. Valid only when specified symmetric
37 algorithm is not null and --input-key-file is not specified. The TPM
38 generates the key in this case.
39
40 · -C, --parent-context=OBJECT:
41
42 The parent key object.
43
44 · -r, --private=FILE:
45
46 Specifies the file path to save the private portion of the duplicated
47 object.
48
49 · -s, --encrypted-seed=FILE:
50
51 The file to save the encrypted seed of the duplicated object.
52
53 · -p, --auth=AUTH:
54
55 The authorization value for the key, optional.
56
57 · -c, --key-context=OBJECT:
58
59 The object to be duplicated.
60
61 · --cphash=FILE
62
63 File path to record the hash of the command parameters. This is com‐
64 monly termed as cpHash. NOTE: When this option is selected, The tool
65 will not actually execute the command, it simply returns a cpHash.
66
67 References
69 The type of a context object, whether it is a handle or file name, is
70 determined according to the following logic in-order:
71
72 · If the argument is a file path, then the file is loaded as a restored
73 TPM transient object.
74
75 · If the argument is a prefix match on one of:
76
77 · owner: the owner hierarchy
78
79 · platform: the platform hierarchy
80
81 · endorsement: the endorsement hierarchy
82
83 · lockout: the lockout control persistent object
84
85 · If the argument argument can be loaded as a number it will be treat
86 as a handle, e.g. 0x81010013 and used directly.OBJECT.
87
89 Authorization for use of an object in TPM2.0 can come in 3 different
90 forms: 1. Password 2. HMAC 3. Sessions
91
92 NOTE: "Authorizations default to the EMPTY PASSWORD when not speci‐
93 fied".
94
95 Passwords
96 Passwords are interpreted in the following forms below using prefix
97 identifiers.
98
99 Note: By default passwords are assumed to be in the string form when
100 they do not have a prefix.
101
102 String
103 A string password, specified by prefix "str:" or it's absence (raw
104 string without prefix) is not interpreted, and is directly used for au‐
105 thorization.
106
107 Examples
108 foobar
109 str:foobar
110
111 Hex-string
112 A hex-string password, specified by prefix "hex:" is converted from a
113 hexidecimal form into a byte array form, thus allowing passwords with
114 non-printable and/or terminal un-friendly characters.
115
116 Example
117 hex:0x1122334455667788
118
119 File
120 A file based password, specified be prefix "file:" should be the path
121 of a file containing the password to be read by the tool or a "-" to
122 use stdin. Storing passwords in files prevents information leakage,
123 passwords passed as options can be read from the process list or common
124 shell history features.
125
126 Examples
127 # to use stdin and be prompted
128 file:-
129
130 # to use a file from a path
131 file:path/to/password/file
132
133 # to echo a password via stdin:
134 echo foobar | tpm2_tool -p file:-
135
136 # to use a bash here-string via stdin:
137
138 tpm2_tool -p file:- <<< foobar
139
140 Sessions
141 When using a policy session to authorize the use of an object, prefix
142 the option argument with the session keyword. Then indicate a path to
143 a session file that was created with tpm2_startauthsession(1). Option‐
144 ally, if the session requires an auth value to be sent with the session
145 handle (eg policy password), then append a + and a string as described
146 in the Passwords section.
147
148 Examples
149 To use a session context file called session.ctx.
150
151 session:session.ctx
152
153 To use a session context file called session.ctx AND send the authvalue
154 mypassword.
155
156 session:session.ctx+mypassword
157
158 To use a session context file called session.ctx AND send the HEX auth‐
159 value 0x11223344.
160
161 session:session.ctx+hex:11223344
162
163 PCR Authorizations
164 You can satisfy a PCR policy using the "pcr:" prefix and the PCR mini‐
165 language. The PCR minilanguage is as follows:
166 <pcr-spec>=<raw-pcr-file>
167
168 The PCR spec is documented in in the section "PCR bank specifiers".
169
170 The raw-pcr-file is an optional the output of the raw PCR contents as
171 returned by tpm2_pcrread(1).
172
173 PCR bank specifiers (common/pcr.md)
174
175 Examples
176 To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
177 er of:
178
179 pcr:sha256:0,1,2,3
180
181 specifying AUTH.
182
184 Options that take algorithms support "nice-names".
185
186 There are two major algorithm specification string classes, simple and
187 complex. Only certain algorithms will be accepted by the TPM, based on
188 usage and conditions.
189
190 Simple specifiers
191 These are strings with no additional specification data. When creating
192 objects, non-specified portions of an object are assumed to defaults.
193 You can find the list of known "Simple Specifiers Below".
194
195 Asymmetric
196 · rsa
197
198 · ecc
199
200 Symmetric
201 · aes
202
203 · camellia
204
205 Hashing Algorithms
206 · sha1
207
208 · sha256
209
210 · sha384
211
212 · sha512
213
214 · sm3_256
215
216 · sha3_256
217
218 · sha3_384
219
220 · sha3_512
221
222 Keyed Hash
223 · hmac
224
225 · xor
226
227 Signing Schemes
228 · rsassa
229
230 · rsapss
231
232 · ecdsa
233
234 · ecdaa
235
236 · ecschnorr
237
238 Asymmetric Encryption Schemes
239 · oaep
240
241 · rsaes
242
243 · ecdh
244
245 Modes
246 · ctr
247
248 · ofb
249
250 · cbc
251
252 · cfb
253
254 · ecb
255
256 Misc
257 · null
258
259 Complex Specifiers
260 Objects, when specified for creation by the TPM, have numerous algo‐
261 rithms to populate in the public data. Things like type, scheme and
262 asymmetric details, key size, etc. Below is the general format for
263 specifying this data: <type>:<scheme>:<symmetric-details>
264
265 Type Specifiers
266 This portion of the complex algorithm specifier is required. The re‐
267 maining scheme and symmetric details will default based on the type
268 specified and the type of the object being created.
269
270 · aes - Default AES: aes128
271
272 · aes128<mode> - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
273 If mode is not specified, defaults to null.
274
275 · aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
276
277 · aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
278
279 · ecc - Elliptical Curve, defaults to ecc256.
280
281 · ecc192 - 192 bit ECC
282
283 · ecc224 - 224 bit ECC
284
285 · ecc256 - 256 bit ECC
286
287 · ecc384 - 384 bit ECC
288
289 · ecc521 - 521 bit ECC
290
291 · rsa - Default RSA: rsa2048
292
293 · rsa1024 - RSA with 1024 bit keysize.
294
295 · rsa2048 - RSA with 2048 bit keysize.
296
297 · rsa4096 - RSA with 4096 bit keysize.
298
299 Scheme Specifiers
300 Next, is an optional field, it can be skipped.
301
302 Schemes are usually Signing Schemes or Asymmetric Encryption Schemes.
303 Most signing schemes take a hash algorithm directly following the sign‐
304 ing scheme. If the hash algorithm is missing, it defaults to sha256.
305 Some take no arguments, and some take multiple arguments.
306
307 Hash Optional Scheme Specifiers
308 These scheme specifiers are followed by a dash and a valid hash algo‐
309 rithm, For example: oaep-sha256.
310
311 · oaep
312
313 · ecdh
314
315 · rsassa
316
317 · rsapss
318
319 · ecdsa
320
321 · ecschnorr
322
323 Multiple Option Scheme Specifiers
324 This scheme specifier is followed by a count (max size UINT16) then
325 folloed by a dash(-) and a valid hash algorithm. * ecdaa For example,
326 ecdaa4-sha256. If no count is specified, it defaults to 4.
327
328 No Option Scheme Specifiers
329 This scheme specifier takes NO arguments. * rsaes
330
331 Symmetric Details Specifiers
332 This field is optional, and defaults based on the type of object being
333 created and it's attributes. Generally, any valid Symmetric specifier
334 from the Type Specifiers list should work. If not specified, an asym‐
335 metric objects symmetric details defaults to aes128cfb.
336
337 Examples
338 Create an rsa2048 key with an rsaes asymmetric encryption scheme
339 tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
340
341 Create an ecc256 key with an ecdaa signing scheme with a count of 4
342 and sha384 hash
343
344 /tpm2_create -C parent.ctx -G ecc256:ec‐
345 daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
346
348 This collection of options are common to many programs and provide in‐
349 formation that many users may expect.
350
351 · -h, --help=[man|no-man]: Display the tools manpage. By default, it
352 attempts to invoke the manpager for the tool, however, on failure
353 will output a short tool summary. This is the same behavior if the
354 "man" option argument is specified, however if explicit "man" is re‐
355 quested, the tool will provide errors from man on stderr. If the
356 "no-man" option if specified, or the manpager fails, the short op‐
357 tions will be output to stdout.
358
359 To successfully use the manpages feature requires the manpages to be
360 installed or on MANPATH, See man(1) for more details.
361
362 · -v, --version: Display version information for this tool, supported
363 tctis and exit.
364
365 · -V, --verbose: Increase the information that the tool prints to the
366 console during its execution. When using this option the file and
367 line number are printed.
368
369 · -Q, --quiet: Silence normal tool output to stdout.
370
371 · -Z, --enable-errata: Enable the application of errata fixups. Useful
372 if an errata fixup needs to be applied to commands sent to the TPM.
373 Defining the environment TPM2TOOLS_ENABLE_ERRATA is equivalent. in‐
374 formation many users may expect.
375
377 The TCTI or "Transmission Interface" is the communication mechanism
378 with the TPM. TCTIs can be changed for communication with TPMs across
379 different mediums.
380
381 To control the TCTI, the tools respect:
382
383 1. The command line option -T or --tcti
384
385 2. The environment variable: TPM2TOOLS_TCTI.
386
387 Note: The command line option always overrides the environment vari‐
388 able.
389
390 The current known TCTIs are:
391
392 · tabrmd - The resource manager, called tabrmd
393 (https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
394 abrmd as a tcti name are synonymous.
395
396 · mssim - Typically used for communicating to the TPM software simula‐
397 tor.
398
399 · device - Used when talking directly to a TPM device file.
400
401 · none - Do not initalize a connection with the TPM. Some tools allow
402 for off-tpm options and thus support not using a TCTI. Tools that do
403 not support it will error when attempted to be used without a TCTI
404 connection. Does not support ANY options and MUST BE presented as
405 the exact text of "none".
406
407 The arguments to either the command line option or the environment
408 variable are in the form:
409
410 <tcti-name>:<tcti-option-config>
411
412 Specifying an empty string for either the <tcti-name> or <tcti-op‐
413 tion-config> results in the default being used for that portion respec‐
414 tively.
415
416 TCTI Defaults
417 When a TCTI is not specified, the default TCTI is searched for using
418 dlopen(3) semantics. The tools will search for tabrmd, device and
419 mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
420 what TCTI will be chosen as the default by using the -v option to print
421 the version information. The "default-tcti" key-value pair will indi‐
422 cate which of the aforementioned TCTIs is the default.
423
424 Custom TCTIs
425 Any TCTI that implements the dynamic TCTI interface can be loaded. The
426 tools internally use dlopen(3), and the raw tcti-name value is used for
427 the lookup. Thus, this could be a path to the shared library, or a li‐
428 brary name as understood by dlopen(3) semantics.
429
431 This collection of options are used to configure the various known TCTI
432 modules available:
433
434 · device: For the device TCTI, the TPM character device file for use by
435 the device TCTI can be specified. The default is /dev/tpm0.
436
437 Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="de‐
438 vice:/dev/tpm0"
439
440 · mssim: For the mssim TCTI, the domain name or IP address and port
441 number used by the simulator can be specified. The default are
442 127.0.0.1 and 2321.
443
444 Example: -T mssim:host=localhost,port=2321 or export TPM2TOOLS_TC‐
445 TI="mssim:host=localhost,port=2321"
446
447 · abrmd: For the abrmd TCTI, the configuration string format is a se‐
448 ries of simple key value pairs separated by a ',' character. Each
449 key and value string are separated by a '=' character.
450
451 · TCTI abrmd supports two keys:
452
453 1. 'bus_name' : The name of the tabrmd service on the bus (a
454 string).
455
456 2. 'bus_type' : The type of the dbus instance (a string) limited to
457 'session' and 'system'.
458
459 Specify the tabrmd tcti name and a config string of bus_name=com.ex‐
460 ample.FooBar:
461
462 \--tcti=tabrmd:bus_name=com.example.FooBar
463
464 Specify the default (abrmd) tcti and a config string of bus_type=ses‐
465 sion:
466
467 \--tcti:bus_type=session
468
469 NOTE: abrmd and tabrmd are synonymous. the various known TCTI mod‐
470 ules.
471
473 To duplicate a key, one needs the key to duplicate, created with a pol‐
474 icy that
475 allows duplication and a new parent:
476
477 tpm2_startauthsession -S session.dat
478 tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Duplicate
479 tpm2_flushcontext session.dat
480
481 tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctxt
482 tpm2_create -C primary.ctxt -g sha256 -G rsa -r key.prv -u key.pub \
483 -L policy.dat -a "sensitivedataorigin"
484
485 tpm2_loadexternal -C o -u new_parent.pub -c new_parent.ctxt
486
487 tpm2_startauthsession \--policy-session -S session.dat
488 tpm2_policycommandcode -S session.dat -L policy.dat TPM2_CC_Duplicate
489 tpm2_duplicate -C new_parent.ctxt -c key.ctxt -G null -p "session:session.dat" \
490 -r duprv.bin -s seed.dat
491 tpm2_flushcontext session.dat
492
494 Tools can return any of the following codes:
495
496 · 0 - Success.
497
498 · 1 - General non-specific error.
499
500 · 2 - Options handling error.
501
502 · 3 - Authentication error.
503
504 · 4 - TCTI related error.
505
506 · 5 - Non supported scheme. Applicable to tpm2_testparams.
507
509 Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
510
512 See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
513
514
515
516tpm2-tools tpm2_duplicate(1)