tpm2_policyduplicationselect(1)    General Commands Manual    tpm2_policyduplicationselect(1)

NAME
tpm2_policyduplicationselect(1) - Restricts duplication to a specific
new parent.

SYNOPSIS
tpm2_policyduplicationselect [OPTIONS]

DESCRIPTION
tpm2_policyduplicationselect(1) - Restricts duplication to a specific
new parent.

OPTIONS
• -S, --session=FILE:

The policy session file generated via the -S option to
tpm2_startauthsession(1).

• -n, --object-name=FILE:

Input name file of the object to be duplicated.

• -N, --parent-name=FILE:

Input name file of the new parent.

• -L, --policy=FILE:

File to save the policy digest.

• --include-object:

If specified, the object name is also included in the policy digest.

References

COMMON OPTIONS
This collection of options is common to many programs and provides
information that many users may expect.

• -h, --help=[man|no-man]: Display the tool's manpage. By default, it
attempts to invoke the manpager for the tool; on failure it will
output a short tool summary. This is the same behavior if the
“man” option argument is specified; however, if “man” is explicitly
requested, the tool will provide errors from man on stderr. If the
“no-man” option is specified, or the manpager fails, the short
options will be output to stdout.

To successfully use the manpages feature, the manpages must be
installed or on MANPATH. See man(1) for more details.

• -v, --version: Display version information for this tool, supported
tctis and exit.

• -V, --verbose: Increase the information that the tool prints to the
console during its execution. When using this option the file and
line number are printed.

• -Q, --quiet: Silence normal tool output to stdout.

• -Z, --enable-errata: Enable the application of errata fixups. Useful
if an errata fixup needs to be applied to commands sent to the TPM.
Defining the environment variable TPM2TOOLS_ENABLE_ERRATA is
equivalent.

TCTI Configuration
The TCTI or “Transmission Interface” is the communication mechanism
with the TPM. TCTIs can be changed for communication with TPMs across
different mediums.

To control the TCTI, the tools respect:

1. The command line option -T or --tcti

2. The environment variable: TPM2TOOLS_TCTI.

Note: The command line option always overrides the environment
variable.

The current known TCTIs are:

• tabrmd - The resource manager, called tabrmd
(https://github.com/tpm2-software/tpm2-abrmd). Note that tabrmd and
abrmd as a tcti name are synonymous.

• mssim - Typically used for communicating to the TPM software
simulator.

• device - Used when talking directly to a TPM device file.

• none - Do not initialize a connection with the TPM. Some tools allow
for off-tpm options and thus support not using a TCTI. Tools that do
not support it will error when used without a TCTI connection. Does
not support ANY options and MUST BE presented as the exact text of
“none”.

The arguments to either the command line option or the environment
variable are in the form:

<tcti-name>:<tcti-option-config>

Specifying an empty string for either the <tcti-name> or
<tcti-option-config> results in the default being used for that
portion respectively.

TCTI Defaults
When a TCTI is not specified, the default TCTI is searched for using
dlopen(3) semantics. The tools will search for tabrmd, device and
mssim TCTIs IN THAT ORDER and USE THE FIRST ONE FOUND. You can query
what TCTI will be chosen as the default by using the -v option to print
the version information. The “default-tcti” key-value pair will
indicate which of the aforementioned TCTIs is the default.

Custom TCTIs
Any TCTI that implements the dynamic TCTI interface can be loaded. The
tools internally use dlopen(3), and the raw tcti-name value is used for
the lookup. Thus, this could be a path to the shared library, or a
library name as understood by dlopen(3) semantics.

TCTI OPTIONS
This collection of options is used to configure the various known TCTI
modules available:

• device: For the device TCTI, the TPM character device file for use by
the device TCTI can be specified. The default is /dev/tpm0.

Example: -T device:/dev/tpm0 or export TPM2TOOLS_TCTI="device:/dev/tpm0"

• mssim: For the mssim TCTI, the domain name or IP address and port
number used by the simulator can be specified. The defaults are
127.0.0.1 and 2321.

Example: -T mssim:host=localhost,port=2321 or
export TPM2TOOLS_TCTI="mssim:host=localhost,port=2321"

• abrmd: For the abrmd TCTI, the configuration string format is a
series of simple key value pairs separated by a `,' character. Each
key and value string is separated by a `=' character.

• TCTI abrmd supports two keys:

1. `bus_name' : The name of the tabrmd service on the bus (a
string).

2. `bus_type' : The type of the dbus instance (a string) limited to
`session' and `system'.

Specify the tabrmd tcti name and a config string of
bus_name=com.example.FooBar:

--tcti=tabrmd:bus_name=com.example.FooBar

Specify the default (abrmd) tcti, by leaving the tcti name empty, and a
config string of bus_type=session:

--tcti=:bus_type=session

NOTE: abrmd and tabrmd are synonymous.

EXAMPLES
Set up a duplication role policy restricted to a new parent

Create the source parent and the destination (or new) parent:

tpm2_createprimary -C n -g sha256 -G rsa -c dst_n.ctx -Q
tpm2_createprimary -C o -g sha256 -G rsa -c src_o.ctx -Q

Create the restricted parent policy (a trial session, which only
computes the digest):

tpm2_readpublic -c dst_n.ctx -n dst_n.name -Q
tpm2_startauthsession -S session.ctx
tpm2_policyduplicationselect -S session.ctx -N dst_n.name \
-L policydupselect.dat -Q
tpm2_flushcontext session.ctx
rm session.ctx

Create the object to be duplicated using the policy:

tpm2_create -C src_o.ctx -g sha256 -G rsa -r dupkey.priv -u dupkey.pub \
-L policydupselect.dat -a "sensitivedataorigin|sign|decrypt" -c dupkey.ctx -Q
tpm2_readpublic -c dupkey.ctx -n dupkey.name -Q

Satisfy the policy and duplicate the object (a real policy session,
passed to tpm2_duplicate with -p session:session.ctx):

tpm2_startauthsession -S session.ctx --policy-session
tpm2_policyduplicationselect -S session.ctx -N dst_n.name -n dupkey.name -Q
tpm2_duplicate -C dst_n.ctx -c dupkey.ctx -G null -p session:session.ctx \
-r new_dupkey.priv -s dupseed.dat
tpm2_flushcontext session.ctx
rm session.ctx

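The digest written to policydupselect.dat by the trial session above can be recomputed offline and compared against the file before it is baked into a key with tpm2_create -L. This Python example is added here and is not part of tpm2-tools; it assumes a SHA-256 policy session, name files laid out as tpm2_readpublic -n writes them (raw TPM2B_NAME name bytes: algorithm id followed by the digest), and it uses constructed sample names rather than real TPM output.

```python
"""Recompute the TPM2_PolicyDuplicationSelect policy digest offline (added example)."""
import hashlib
import hmac
import struct

TPM_CC_POLICY_DUPLICATION_SELECT = 0x00000188  # TPM 2.0 Part 2 command code
TPM_ALG_SHA256 = 0x000B


def policy_duplication_select(object_name: bytes, new_parent_name: bytes,
                              include_object: bool,
                              policy_digest_old: bytes = b"\x00" * 32) -> bytes:
    """Return policyDigest_new for a SHA-256 policy session.

    policyDigest_new = H(policyDigest_old || TPM_CC_PolicyDuplicationSelect
                         || [objectName] || newParentName || includeObject)
    objectName is hashed only when includeObject is SET (--include-object).
    Names are the raw TPM2B_NAME.name bytes (alg id + digest), which is what
    tpm2_readpublic -n writes; the 2-byte size prefix is not part of the hash.
    A fresh session starts from an all-zero digest of the hash size.
    """
    h = hashlib.sha256(policy_digest_old)
    h.update(struct.pack(">I", TPM_CC_POLICY_DUPLICATION_SELECT))
    if include_object:
        h.update(object_name)
    h.update(new_parent_name)
    h.update(b"\x01" if include_object else b"\x00")  # TPMI_YES_NO, one byte
    return h.digest()


def policy_file_matches(policy_file_bytes: bytes, object_name: bytes,
                        new_parent_name: bytes, include_object: bool) -> bool:
    """True if the -L output equals the recomputed digest (constant-time compare)."""
    expected = policy_duplication_select(object_name, new_parent_name, include_object)
    return hmac.compare_digest(policy_file_bytes, expected)


# Constructed sample names (NOT real TPM output): SHA-256 alg id + 32-byte digest,
# the same layout tpm2_readpublic -n produces for dst_n.name and dupkey.name.
NEW_PARENT_NAME = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(b"sample new parent").digest()
OBJECT_NAME = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(b"sample duplicable key").digest()

if __name__ == "__main__":
    # First example step: -N only, no --include-object, so the object name is not bound.
    digest = policy_duplication_select(b"", NEW_PARENT_NAME, include_object=False)
    print("policydupselect.dat should contain:", digest.hex())
```

Read the real dst_n.name, dupkey.name and policydupselect.dat as bytes and pass them to policy_file_matches; a mismatch means the policy was built against a different parent, a different hash algorithm, or with --include-object toggled.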
NOTES
• This command usually cooperates with tpm2_duplicate(1), so referring
to the man page of tpm2_duplicate(1) is recommended.

• This command sets the policy session’s command code to
TPM_CC_Duplicate, which enables the duplication role of the policy.

Returns
Tools can return any of the following codes:

• 0 - Success.

• 1 - General non-specific error.

• 2 - Options handling error.

• 3 - Authentication error.

• 4 - TCTI related error.

• 5 - Non supported scheme. Applicable to tpm2_testparams.

Limitations
It expects a session to be already established via
tpm2_startauthsession(1) and requires one of the following:

• direct device access

• extended session support with tpm2-abrmd.

Without it, most resource managers will not save session state between
command invocations.

BUGS
Github Issues (https://github.com/tpm2-software/tpm2-tools/issues)

HELP
See the Mailing List (https://lists.linuxfoundation.org/mailman/listinfo/tpm2)


tpm2-tools    tpm2_policyduplicationselect(1)