1tpm2_import(1)              General Commands Manual             tpm2_import(1)
2
3
4

NAME

6       tpm2_import(1)  - Imports an external key into the tpm as a TPM managed
7       key object.
8

SYNOPSIS

10       tpm2_import [OPTIONS]
11

DESCRIPTION

13       tpm2_import(1) - Imports an external generated key as TPM  managed  key
14       object.  It requires that the parent key object be a RSA key.  Can also
15       import a TPM managed key object created by the tpm2_duplicate tool.
16

OPTIONS

18       These options control the key importation process:
19
20-G, --key-algorithm=ALGORITHM:
21         The algorithm used by the key to be imported.  Supports:
22
23aes - AES 128, 192 or 256 key.
24
25rsa - RSA 1024 or 2048 key.
26
27ecc - ECC NIST P192, P224, P256, P384 or P521  public  and  private
28           key.
29
30-g, --hash-algorithm=ALGORITHM:
31
32         The hash algorithm for generating the objects name.  This is optional
33         and defaults to sha256 when not specified.  Algorithms should  follow
34         the  "formatting standards", see section "Algorithm Specifiers".  Al‐
35         so, see section "Supported Hash Algorithms" for a list  of  supported
36         hash algorithms.
37
38-i, --input=FILE:
39
40         Specifies the filename of the key to be imported.  For AES keys, this
41         file is the raw key bytes.  For assymetric keys in PEM or DER format.
42         A typical file is generated with openssl genrsa.
43
44-C, --parent-context=OBJECT:
45
46         The parent key object.
47
48-U, --parent-public=FILE:
49
50         Optional.  Specifies the parent key public data file input.  This can
51         be read with tpm2_readpublic(1) tool.  If not specified, the tool in‐
52         vokes a tpm2_readpublic on the parent object.
53
54-k, --encryption-key=FILE:
55
56         Optional.   Specifies the file containing the symmetric algorithm key
57         that was used for the inner wrapper.  If the file  is  specified  the
58         tool assumes the algorithm is AES 128 in CFB mode otherwise none.
59
60-r, --private=FILE:
61
62         Specifies  the  file path required to save the encrypted private por‐
63         tion of the object imported as key.
64
65         When importing a duplicated object this  option  specifies  the  file
66         containing  the private portion of the object to be imported.  # Pro‐
67         tection Details
68
69       Objects that can move outside of TPM need to  be  protected  (confiden‐
70       tiality  and  integrity).  For instance, transient objects require that
71       TPM protected data (key or seal material) be stored outside of the TPM.
72       This  is seen in tools like tpm2_create(1), where the -r option outputs
73       this protected data.  This blob contains the sensitive portions of  the
74       object.  The sensitive portions of the object are protected by the par‐
75       ent object, using the parent's symmetric encryption details to  encrypt
76       the sensitive data and HMAC it.
77
78       In-depth details can be found in sections 23 of:
79
80https://trustedcomputinggroup.org/wp-content/up
81         loads/TPM-Rev-2.0-Part-1-Architecture-01.38.pdf
82
83       Notably Figure 20, is relevant, even though it's specifically referring
84       to duplication blobs, the process is identical.
85
86       If  the  output  is from tpm2_duplicate(1), the output will be slightly
87       different, as described fully in section 23.
88
89-u, --public=FILE:
90
91         Specifies the file path required to save the public  portion  of  the
92         object imported as key
93
94         When  importing  a  duplicated  object this option specifies the file
95         containing the public portion of the object to be imported.
96
97-a, --attributes=ATTRIBUTES:
98
99         The object attributes, optional.
100
101-P, --parent-auth=AUTH:
102
103         The authorization value for using the parent key specified with -C.
104
105-p, --key-auth=AUTH:
106
107         The authorization value for the imported key, optional.
108
109-L, --policy=POLICY_FILE:
110
111         The policy file.
112
113-s, --seed=FILE:
114
115         Specifies the file containing the encrypted seed  of  the  duplicated
116         object.
117
118--passin=OSSL_PEM_FILE_PASSWORD
119
120         An  optional password for an Open SSL (OSSL) provided input file.  It
121         mirrors the -passin option of OSSL and is known to support the  pass,
122         file,  env,  fd  and  plain password formats of openssl.  (see man(1)
123         openssl) for more.
124
125--cphash=FILE
126
127         File path to record the hash of the command parameters.  This is com‐
128         monly termed as cpHash.  NOTE: When this option is selected, The tool
129         will not actually execute the command, it simply returns a cpHash.
130
131   References

Context Object Format

133       The type of a context object, whether it is a handle or file  name,  is
134       determined according to the following logic in-order:
135
136       • If the argument is a file path, then the file is loaded as a restored
137         TPM transient object.
138
139       • If the argument is a prefix match on one of:
140
141         • owner: the owner hierarchy
142
143         • platform: the platform hierarchy
144
145         • endorsement: the endorsement hierarchy
146
147         • lockout: the lockout control persistent object
148
149       • If the argument argument can be loaded as a number it will  be  treat
150         as a handle, e.g.  0x81010013 and used directly.OBJECT.
151

Authorization Formatting

153       Authorization  for  use  of an object in TPM2.0 can come in 3 different
154       forms: 1.  Password 2.  HMAC 3.  Sessions
155
156       NOTE: "Authorizations default to the EMPTY  PASSWORD  when  not  speci‐
157       fied".
158
159   Passwords
160       Passwords  are  interpreted  in  the following forms below using prefix
161       identifiers.
162
163       Note: By default passwords are assumed to be in the  string  form  when
164       they do not have a prefix.
165
166   String
167       A  string  password,  specified  by  prefix "str:" or it's absence (raw
168       string without prefix) is not interpreted, and is directly used for au‐
169       thorization.
170
171   Examples
172              foobar
173              str:foobar
174
175   Hex-string
176       A  hex-string  password, specified by prefix "hex:" is converted from a
177       hexidecimal form into a byte array form, thus allowing  passwords  with
178       non-printable and/or terminal un-friendly characters.
179
180   Example
181              hex:0x1122334455667788
182
183   File
184       A  file  based password, specified be prefix "file:" should be the path
185       of a file containing the password to be read by the tool or  a  "-"  to
186       use  stdin.   Storing  passwords in files prevents information leakage,
187       passwords passed as options can be read from the process list or common
188       shell history features.
189
190   Examples
191              # to use stdin and be prompted
192              file:-
193
194              # to use a file from a path
195              file:path/to/password/file
196
197              # to echo a password via stdin:
198              echo foobar | tpm2_tool -p file:-
199
200              # to use a bash here-string via stdin:
201
202              tpm2_tool -p file:- <<< foobar
203
204   Sessions
205       When  using  a policy session to authorize the use of an object, prefix
206       the option argument with the session keyword.  Then indicate a path  to
207       a session file that was created with tpm2_startauthsession(1).  Option‐
208       ally, if the session requires an auth value to be sent with the session
209       handle  (eg policy password), then append a + and a string as described
210       in the Passwords section.
211
212   Examples
213       To use a session context file called session.ctx.
214
215              session:session.ctx
216
217       To use a session context file called session.ctx AND send the authvalue
218       mypassword.
219
220              session:session.ctx+mypassword
221
222       To use a session context file called session.ctx AND send the HEX auth‐
223       value 0x11223344.
224
225              session:session.ctx+hex:11223344
226
227   PCR Authorizations
228       You can satisfy a PCR policy using the "pcr:" prefix and the PCR  mini‐
229       language.       The     PCR     minilanguage     is     as     follows:
230       <pcr-spec>=<raw-pcr-file>
231
232       The PCR spec is documented in in the section "PCR bank specifiers".
233
234       The raw-pcr-file is an optional the output of the raw PCR  contents  as
235       returned by tpm2_pcrread(1).
236
237       PCR bank specifiers (common/pcr.md)
238
239   Examples
240       To satisfy a PCR policy of sha256 on banks 0, 1, 2 and 3 use a specifi‐
241       er of:
242
243              pcr:sha256:0,1,2,3
244
245       specifying AUTH.
246

Algorithm Specifiers

248       Options that take algorithms support "nice-names".
249
250       There are two major algorithm specification string classes, simple  and
251       complex.  Only certain algorithms will be accepted by the TPM, based on
252       usage and conditions.
253
254   Simple specifiers
255       These are strings with no additional specification data.  When creating
256       objects,  non-specified  portions of an object are assumed to defaults.
257       You can find the list of known "Simple Specifiers Below".
258
259   Asymmetric
260       • rsa
261
262       • ecc
263
264   Symmetric
265       • aes
266
267       • camellia
268
269   Hashing Algorithms
270       • sha1
271
272       • sha256
273
274       • sha384
275
276       • sha512
277
278       • sm3_256
279
280       • sha3_256
281
282       • sha3_384
283
284       • sha3_512
285
286   Keyed Hash
287       • hmac
288
289       • xor
290
291   Signing Schemes
292       • rsassa
293
294       • rsapss
295
296       • ecdsa
297
298       • ecdaa
299
300       • ecschnorr
301
302   Asymmetric Encryption Schemes
303       • oaep
304
305       • rsaes
306
307       • ecdh
308
309   Modes
310       • ctr
311
312       • ofb
313
314       • cbc
315
316       • cfb
317
318       • ecb
319
320   Misc
321       • null
322
323   Complex Specifiers
324       Objects, when specified for creation by the TPM,  have  numerous  algo‐
325       rithms  to  populate  in the public data.  Things like type, scheme and
326       asymmetric details, key size, etc.  Below is  the  general  format  for
327       specifying this data: <type>:<scheme>:<symmetric-details>
328
329   Type Specifiers
330       This  portion  of the complex algorithm specifier is required.  The re‐
331       maining scheme and symmetric details will default  based  on  the  type
332       specified and the type of the object being created.
333
334       • aes - Default AES: aes128
335
336       • aes128<mode>  - 128 bit AES with optional mode (ctr|ofb|cbc|cfb|ecb).
337         If mode is not specified, defaults to null.
338
339       • aes192<mode> - Same as aes128<mode>, except for a 192 bit key size.
340
341       • aes256<mode> - Same as aes128<mode>, except for a 256 bit key size.
342
343       • ecc - Elliptical Curve, defaults to ecc256.
344
345       • ecc192 - 192 bit ECC
346
347       • ecc224 - 224 bit ECC
348
349       • ecc256 - 256 bit ECC
350
351       • ecc384 - 384 bit ECC
352
353       • ecc521 - 521 bit ECC
354
355       • rsa - Default RSA: rsa2048
356
357       • rsa1024 - RSA with 1024 bit keysize.
358
359       • rsa2048 - RSA with 2048 bit keysize.
360
361       • rsa4096 - RSA with 4096 bit keysize.
362
363   Scheme Specifiers
364       Next, is an optional field, it can be skipped.
365
366       Schemes are usually Signing Schemes or Asymmetric  Encryption  Schemes.
367       Most signing schemes take a hash algorithm directly following the sign‐
368       ing scheme.  If the hash algorithm is missing, it defaults  to  sha256.
369       Some take no arguments, and some take multiple arguments.
370
371   Hash Optional Scheme Specifiers
372       These  scheme  specifiers are followed by a dash and a valid hash algo‐
373       rithm, For example: oaep-sha256.
374
375       • oaep
376
377       • ecdh
378
379       • rsassa
380
381       • rsapss
382
383       • ecdsa
384
385       • ecschnorr
386
387   Multiple Option Scheme Specifiers
388       This scheme specifier is followed by a count  (max  size  UINT16)  then
389       followed by a dash(-) and a valid hash algorithm.  * ecdaa For example,
390       ecdaa4-sha256.  If no count is specified, it defaults to 4.
391
392   No Option Scheme Specifiers
393       This scheme specifier takes NO arguments.  * rsaes
394
395   Symmetric Details Specifiers
396       This field is optional, and defaults based on the type of object  being
397       created  and it's attributes.  Generally, any valid Symmetric specifier
398       from the Type Specifiers list should work.  If not specified, an  asym‐
399       metric objects symmetric details defaults to aes128cfb.
400
401   Examples
402   Create an rsa2048 key with an rsaes asymmetric encryption scheme
403       tpm2_create -C parent.ctx -G rsa2048:rsaes -u key.pub -r key.priv
404
405   Create an ecc256 key with an ecdaa signing scheme with a count of 4
406       and sha384 hash
407
408       /tpm2_create -C parent.ctx -G ecc256:ec‐
409       daa4-sha384 -u key.pub -r key.priv cryptographic algorithms ALGORITHM.
410

Object Attributes

412       Object Attributes are used to control various properties of created ob‐
413       jects.   When  specified  as an option, either the raw bitfield mask or
414       "nice-names" may be used.  The values can be found in Table 31  Part  2
415       of the TPM2.0 specification, which can be found here:
416
417       <https://trustedcomputinggroup.org/wp-content/uploads/TPM-
418       Rev-2.0-Part-2-Structures-01.38.pdf>
419
420       Nice names are calculated by taking the name field of table 31 and  re‐
421       moving  the  prefix TPMA_OBJECT_ and lowercasing the result.  Thus, TP‐
422       MA_OBJECT_FIXEDTPM becomes fixedtpm.  Nice names can  be  joined  using
423       the bitwise or "|" symbol.
424
425       For instance, to set The fields TPMA_OBJECT_FIXEDTPM, TPMA_OBJECT_NODA,
426       and TPMA_OBJECT_SIGN_ENCRYPT, the argument would be:
427
428       fixedtpm|noda|sign specifying the object attributes ATTRIBUTES.
429

COMMON OPTIONS

431       This collection of options are common to many programs and provide  in‐
432       formation that many users may expect.
433
434-h,  --help=[man|no-man]:  Display the tools manpage.  By default, it
435         attempts to invoke the manpager for the  tool,  however,  on  failure
436         will  output  a short tool summary.  This is the same behavior if the
437         "man" option argument is specified, however if explicit "man" is  re‐
438         quested,  the  tool  will  provide errors from man on stderr.  If the
439         "no-man" option if specified, or the manpager fails,  the  short  op‐
440         tions will be output to stdout.
441
442         To  successfully use the manpages feature requires the manpages to be
443         installed or on MANPATH, See man(1) for more details.
444
445-v, --version: Display version information for this  tool,  supported
446         tctis and exit.
447
448-V,  --verbose:  Increase the information that the tool prints to the
449         console during its execution.  When using this option  the  file  and
450         line number are printed.
451
452-Q, --quiet: Silence normal tool output to stdout.
453
454-Z, --enable-errata: Enable the application of errata fixups.  Useful
455         if an errata fixup needs to be applied to commands sent to  the  TPM.
456         Defining  the environment TPM2TOOLS_ENABLE_ERRATA is equivalent.  in‐
457         formation many users may expect.
458

TCTI Configuration

460       The TCTI or "Transmission Interface"  is  the  communication  mechanism
461       with  the TPM.  TCTIs can be changed for communication with TPMs across
462       different mediums.
463
464       To control the TCTI, the tools respect:
465
466       1. The command line option -T or --tcti
467
468       2. The environment variable: TPM2TOOLS_TCTI.
469
470       Note: The command line option always overrides  the  environment  vari‐
471       able.
472
473       The current known TCTIs are:
474
475       • tabrmd      -     The     resource     manager,     called     tabrmd
476         (https://github.com/tpm2-software/tpm2-abrmd).  Note that tabrmd  and
477         abrmd as a tcti name are synonymous.
478
479       • mssim  - Typically used for communicating to the TPM software simula‐
480         tor.
481
482       • device - Used when talking directly to a TPM device file.
483
484       • none - Do not initalize a connection with the TPM.  Some tools  allow
485         for off-tpm options and thus support not using a TCTI.  Tools that do
486         not support it will error when attempted to be used  without  a  TCTI
487         connection.   Does  not  support ANY options and MUST BE presented as
488         the exact text of "none".
489
490       The arguments to either the command  line  option  or  the  environment
491       variable are in the form:
492
493       <tcti-name>:<tcti-option-config>
494
495       Specifying  an  empty  string  for  either the <tcti-name> or <tcti-op‐
496       tion-config> results in the default being used for that portion respec‐
497       tively.
498
499   TCTI Defaults
500       When  a  TCTI  is not specified, the default TCTI is searched for using
501       dlopen(3) semantics.  The tools will  search  for  tabrmd,  device  and
502       mssim  TCTIs  IN THAT ORDER and USE THE FIRST ONE FOUND.  You can query
503       what TCTI will be chosen as the default by using the -v option to print
504       the  version information.  The "default-tcti" key-value pair will indi‐
505       cate which of the aforementioned TCTIs is the default.
506
507   Custom TCTIs
508       Any TCTI that implements the dynamic TCTI interface can be loaded.  The
509       tools internally use dlopen(3), and the raw tcti-name value is used for
510       the lookup.  Thus, this could be a path to the shared library, or a li‐
511       brary name as understood by dlopen(3) semantics.
512

TCTI OPTIONS

514       This collection of options are used to configure the various known TCTI
515       modules available:
516
517device: For the device TCTI, the TPM character device file for use by
518         the device TCTI can be specified.  The default is /dev/tpm0.
519
520         Example:    -T   device:/dev/tpm0   or   export   TPM2TOOLS_TCTI="de‐
521         vice:/dev/tpm0"
522
523        mssim: For the mssim TCTI, the domain name or  IP  address  and  port
524         number  used  by  the  simulator  can  be specified.  The default are
525         127.0.0.1 and 2321.
526
527         Example: -T mssim:host=localhost,port=2321  or  export  TPM2TOOLS_TC‐
528         TI="mssim:host=localhost,port=2321"
529
530        abrmd:  For  the abrmd TCTI, the configuration string format is a se‐
531         ries of simple key value pairs separated by a  ','  character.   Each
532         key and value string are separated by a '=' character.
533
534         • TCTI abrmd supports two keys:
535
536           1. 'bus_name'  :  The  name  of  the  tabrmd  service on the bus (a
537              string).
538
539           2. 'bus_type' : The type of the dbus instance (a string) limited to
540              'session' and 'system'.
541
542         Specify  the tabrmd tcti name and a config string of bus_name=com.ex‐
543         ample.FooBar:
544
545         \--tcti=tabrmd:bus_name=com.example.FooBar
546
547         Specify the default (abrmd) tcti and a config string of bus_type=ses‐
548         sion:
549
550         \--tcti:bus_type=session
551
552         NOTE:  abrmd  and tabrmd are synonymous.  the various known TCTI mod‐
553         ules.
554

EXAMPLES

556   To import a key, one needs to have a parent key
557              tpm2_createprimary -Grsa2048:aes128cfb -C o -c parent.ctx
558
559       Create your key and and import it.  If you already have a key, just use
560       that and skip creating it.
561
562   Import an AES 128 key
563              dd if=/dev/urandom of=sym.key bs=1 count=16
564
565              tpm2_import -C parent.ctx -i sym.key -u key.pub -r key.priv
566
567   Import an RSA key
568              openssl genrsa -out private.pem 2048
569
570              tpm2_import -C parent.ctx -G rsa -i private.pem -u key.pub -r key.priv
571
572   Import an ECC key
573              openssl ecparam -name prime256v1 -genkey -noout -out private.ecc.pem
574
575              tpm2_import -C parent.ctx -G ecc -i private.ecc.pem -u key.pub -r key.priv
576
577   Import a duplicated key
578              tpm2_import -C parent.ctx -i key.dup -u key.pub -r key.priv -L policy.dat
579

LIMITATIONS

581       • The TPM requires that the name algorithm of the child be smaller than
582         the parent.
583

Returns

585       Tools can return any of the following codes:
586
587       • 0 - Success.
588
589       • 1 - General non-specific error.
590
591       • 2 - Options handling error.
592
593       • 3 - Authentication error.
594
595       • 4 - TCTI related error.
596
597       • 5 - Non supported scheme.  Applicable to tpm2_testparams.
598

BUGS

600       Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)
601

HELP

603       See the Mailing List (https://lists.01.org/mailman/listinfo/tpm2)
604
605
606
607tpm2-tools                                                      tpm2_import(1)
Impressum