% tpm2_policyduplicationselect(1) tpm2-tools | General Commands Manual
NAME
tpm2_policyduplicationselect(1) - Restricts duplication to a specific new parent.
SYNOPSIS
tpm2_policyduplicationselect [OPTIONS]
DESCRIPTION
tpm2_policyduplicationselect(1) - Restricts duplication to a specific new parent.
OPTIONS
-
-S, --session=FILE:
The policy session file generated via the -S option to tpm2_startauthsession(1).
-
-n, --object-name=FILE:
Input name file of the object to be duplicated.
-
-N, --parent-name=FILE:
Input name file of the new parent.
-
-L, --policy=FILE:
File to save the policy digest.
-
--include-object:
If exists, the object name will be included in the value in policy digest.
References
common options collection of common options that provide information many users may expect.
common tcti options collection of options used to configure the various known TCTI modules.
EXAMPLES
Setup a duplication role policy to restricted new parent
Create source parent and destination(or new) parent
tpm2_createprimary -C n -g sha256 -G rsa -c dst_n.ctx -Q
tpm2_createprimary -C o -g sha256 -G rsa -c src_o.ctx -Q
Create the restricted parent policy
tpm2_readpublic -c dst_n.ctx -n dst_n.name -Q
tpm2_startauthsession -S session.ctx
tpm2_policyduplicationselect -S session.ctx -N dst_n.name \
-L policydupselect.dat -Q
tpm2_flushcontext session.ctx
rm session.ctx
Create the object to be duplicated using the policy
tpm2_create -C src_o.ctx -g sha256 -G rsa -r dupkey.priv -u dupkey.pub \
-L policydupselect.dat -a "sensitivedataorigin|sign|decrypt" -c dupkey.ctx -Q
tpm2_readpublic -c dupkey.ctx -n dupkey.name -Q
Satisfy the policy and duplicate the object
tpm2_startauthsession -S session.ctx --policy-session
tpm2_policyduplicationselect -S session.ctx -N dst_n.name -n dupkey.name -Q
tpm2_duplicate -C dst_n.ctx -c dupkey.ctx -G null -p session:session.ctx \
-r new_dupkey.priv -s dupseed.dat
tpm2_flushcontext session.ctx
rm session.ctx
NOTES
-
This command usually cooperates with tpm2_duplicate(1), so referring to the man page of tpm2_duplicate(1) is recommended.
-
This command will set the policy session's command code to TPM_CC_Duplicate which enables duplication role of the policy.