Skip to content

Latest commit

 

History

History
132 lines (79 loc) · 3.5 KB

tpm2_policynamehash.1.md

File metadata and controls

132 lines (79 loc) · 3.5 KB

% tpm2_policynamehash(1) tpm2-tools | General Commands Manual

NAME

tpm2_policynamehash(1) - Couples a policy with names of specific objects.

SYNOPSIS

tpm2_policynamehash [OPTIONS]

DESCRIPTION

tpm2_policynamehash(1) - Couples a policy with names of specific objects. This is a deferred assertion where the hash of the names of all object handles in a TPM command is checked against the one specified in the policy.

OPTIONS

  • -L, --policy=FILE:

    File to save the compounded policy digest.

  • -S, --session=FILE:

    The policy session file generated via the -S option to tpm2_startauthsession(1).

  • -n, --name=FILE:

    The file containing the name hash of the referenced objects.

References

common options collection of common options that provide information many users may expect.

common tcti options collection of options used to configure the various known TCTI modules.

EXAMPLES

Restrict key duplication to specific new parent and specific duplicable key.

Generate a duplicable object

openssl genrsa -out signing_key_private.pem 2048

openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout

tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx \
-n signing_key.name

tpm2_startauthsession -S session.ctx -g sha256

tpm2_policyauthorize -S session.ctx -L authorized.policy -n signing_key.name

tpm2_policycommandcode -S session.ctx -L policy.dat TPM2_CC_Duplicate

tpm2_flushcontext session.ctx

tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx -Q

## The duplicable key
tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r key.prv -u key.pub \
-L policy.dat -a "sensitivedataorigin|sign|decrypt"

tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx

Create the new parent

tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r new_parent.prv \
-u new_parent.pub \
-a "decrypt|fixedparent|fixedtpm|restricted|sensitivedataorigin"

tpm2_loadexternal -Q -C o -u new_parent.pub -c new_parent.ctx

Modify the duplicable key policy to namehash policy to restrict parent and key

tpm2_readpublic -Q -c new_parent.ctx -n new_parent.name

tpm2_readpublic -Q -c key.ctx -n key.name

cat key.name new_parent.name | openssl dgst -sha256 -binary > name.hash

tpm2_startauthsession -S session.ctx -g sha256

tpm2_policynamehash -L policy.namehash -S session.ctx -n name.hash

tpm2_flushcontext session.ctx

openssl dgst -sha256 -sign signing_key_private.pem \
-out policynamehash.signature policy.namehash

tpm2_startauthsession -S session.ctx -g sha256

tpm2_policyauthorize -S session.ctx -L authorized.policy -i policy.namehash \
-n signing_key.name

tpm2_policycommandcode -S session.ctx -L policy.dat TPM2_CC_Duplicate

tpm2_flushcontext session.ctx

Satisfy the policy and attempt key duplication

tpm2_verifysignature -c signing_key.ctx -g sha256 -m policy.namehash \
-s policynamehash.signature -t verification.tkt -f rsassa

tpm2_startauthsession -S session.ctx --policy-session -g sha256

tpm2_policynamehash -S session.ctx -n name.hash

tpm2_policyauthorize -S session.ctx -i policy.namehash -n signing_key.name \
-t verification.tkt

tpm2_policycommandcode -S session.ctx TPM2_CC_Duplicate

tpm2_duplicate -C new_parent.ctx -c key.ctx -G null -p "session:session.ctx" \
-r dupprv.bin -s dupseed.dat

tpm2_flushcontext session.ctx

returns

limitations

footer