% tpm2_policyduplicationselect(1) tpm2-tools | General Commands Manual

NAME

tpm2_policyduplicationselect(1) - Restricts duplication to a specific new parent.

SYNOPSIS

tpm2_policyduplicationselect [OPTIONS]

DESCRIPTION

tpm2_policyduplicationselect(1) - Restricts duplication to a specific new parent. The command extends the policy digest of a session with a TPM2_PolicyDuplicationSelect assertion that binds the Name of the new parent and, with --include-object, the Name of the object being duplicated. An object whose authPolicy is that digest can be duplicated with tpm2_duplicate(1) only to that parent. Run against a trial session it produces the digest to place in the object's policy (-L); run against a real policy session it satisfies the policy immediately before the duplication.

OPTIONS

  • -S, --session=FILE:

    The policy session file generated via the -S option to tpm2_startauthsession(1).

  • -n, --object-name=FILE:

    Input name file of the object to be duplicated.

  • -N, --parent-name=FILE:

    Input name file of the new parent.

  • -L, --policy=FILE:

    File to save the policy digest.

  • --include-object:

    If specified, the object name is included in the policy digest, so the policy authorizes duplication of that one object only. Because an object's Name covers its authPolicy, a digest that names the object cannot be the direct authPolicy of that same object; such a policy is normally made effective through an authorized policy, see tpm2_policyauthorize(1).

References

common options: collection of common options that provide information many users may expect.

common tcti options: collection of options used to configure the various known TCTI modules.

EXAMPLES

Set up a duplication-role policy that restricts duplication to one specific new parent

Create the destination (new) parent and the source parent

tpm2_createprimary -C n -g sha256 -G rsa -c dst_n.ctx -Q
tpm2_createprimary -C o -g sha256 -G rsa -c src_o.ctx -Q

Create the restricted-parent policy in a trial session (tpm2_startauthsession(1) starts a trial session unless --policy-session is given). The object to be duplicated does not exist yet, so -n is omitted; without --include-object the object name is not part of the digest in any case.

tpm2_readpublic -c dst_n.ctx -n dst_n.name -Q
tpm2_startauthsession -S session.ctx
tpm2_policyduplicationselect -S session.ctx  -N dst_n.name \
-L policydupselect.dat -Q
tpm2_flushcontext session.ctx
rm session.ctx

Create the object to be duplicated with the policy digest as its authPolicy. The attribute list deliberately omits fixedtpm and fixedparent, otherwise the object could not be duplicated at all.

tpm2_create -C src_o.ctx -g sha256 -G rsa -r dupkey.priv -u dupkey.pub \
-L policydupselect.dat  -a "sensitivedataorigin|sign|decrypt" -c dupkey.ctx -Q
tpm2_readpublic -c dupkey.ctx -n dupkey.name -Q

Satisfy the policy in a real policy session and duplicate the object. This time -n carries the Name of the object being duplicated; the session is thereby bound to TPM_CC_Duplicate with exactly these two Names, and tpm2_duplicate(1) is accepted only for that object and that new parent.

tpm2_startauthsession -S session.ctx --policy-session
tpm2_policyduplicationselect -S session.ctx  -N dst_n.name -n dupkey.name -Q
tpm2_duplicate -C dst_n.ctx -c dupkey.ctx -G null -p session:session.ctx \
-r new_dupkey.priv -s dupseed.dat
tpm2_flushcontext  session.ctx
rm session.ctx
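As an added example, not part of tpm2-tools or this man page, the following Python reproduces the digest update that TPM2_PolicyDuplicationSelect performs, so the digest written with -L in the trial step above can be checked, or computed on a machine with no TPM from nothing more than the new parent's Name (the destination machine exports dst_n.name, the source machine computes the policy and creates the key). It assumes the -n output of tpm2_readpublic(1) is the bare Name (2-byte hash algorithm id followed by the digest) and that -L writes the raw digest bytes, which is how tpm2-tools stores both; the file names in the usage are those of the example above.

```python
"""Recompute the TPM2_PolicyDuplicationSelect policy digest without a TPM.

Added example for this man page, not tpm2-tools code.  Follows the digest
update in TPM 2.0 Library Part 3, TPM2_PolicyDuplicationSelect:

  policyDigest_new = H(policyDigest_old || TPM_CC_PolicyDuplicationSelect
                       || [objectName] || newParentName || includeObject)

objectName is hashed only when includeObject is SET; the command code is a
4-byte big-endian TPM_CC and includeObject a single byte.
"""
import hashlib
import struct
import sys

TPM_CC_POLICY_DUPLICATION_SELECT = 0x00000188
TPM_CC_DUPLICATE = 0x0000014B  # command code the session becomes bound to

# TPM_ALG_ID of the hash that leads a Name -> hashlib algorithm name.
NAME_HASH_ALGS = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}


def parse_name(name):
    """Check that `name` is a bare TPM Name (2-byte TPM_ALG_ID, then the digest),
    the layout tpm2_readpublic -n writes, and return the hashlib algorithm."""
    if len(name) < 2:
        raise ValueError("Name too short")
    (alg_id,) = struct.unpack(">H", name[:2])
    alg = NAME_HASH_ALGS.get(alg_id)
    if alg is None:
        raise ValueError("unsupported Name hash algorithm 0x%04x" % alg_id)
    if len(name) - 2 != hashlib.new(alg).digest_size:
        raise ValueError("Name length does not match a %s digest" % alg)
    return alg


def policy_duplication_select(old_digest, new_parent_name, object_name=b"",
                              include_object=False, hash_alg="sha256"):
    """Extend `old_digest` (the session's current policyDigest) exactly as the
    TPM does for TPM2_PolicyDuplicationSelect and return the new digest."""
    h = hashlib.new(hash_alg)
    if len(old_digest) != h.digest_size:
        raise ValueError("old digest is not a %s digest" % hash_alg)
    parse_name(new_parent_name)
    h.update(old_digest)
    h.update(struct.pack(">I", TPM_CC_POLICY_DUPLICATION_SELECT))
    if include_object:
        parse_name(object_name)
        h.update(object_name)
    h.update(new_parent_name)
    h.update(b"\x01" if include_object else b"\x00")
    return h.digest()


def trial_policy(new_parent_name, object_name=b"", include_object=False,
                 hash_alg="sha256"):
    """Digest a fresh trial session ends with when this is its only policy
    command: the chain starts from an all-zero policyDigest.  This is what
    `tpm2_policyduplicationselect -L policydupselect.dat` writes above."""
    zero = bytes(hashlib.new(hash_alg).digest_size)
    return policy_duplication_select(zero, new_parent_name, object_name,
                                     include_object, hash_alg)


def name_hash(object_name, new_parent_name, hash_alg="sha256"):
    """nameHash the TPM records in the session next to commandCode =
    TPM_CC_Duplicate; tpm2_duplicate(1) is accepted only if the Names of its
    -c (object) and -C (new parent) handles hash to this value."""
    h = hashlib.new(hash_alg)
    h.update(object_name)
    h.update(new_parent_name)
    return h.digest()


def check_policy_file(parent_name_path, policy_path, include_object=False,
                      object_name_path=None):
    """True if the raw digest in `policy_path` (as written by -L) matches what
    a trial session would produce for the given Name file(s)."""
    with open(parent_name_path, "rb") as f:
        parent = f.read()
    obj = b""
    if object_name_path:
        with open(object_name_path, "rb") as f:
            obj = f.read()
    with open(policy_path, "rb") as f:
        on_disk = f.read()
    return on_disk == trial_policy(parent, obj, include_object)


if __name__ == "__main__":
    # Usage: policydupselect.py dst_n.name [policydupselect.dat]
    with open(sys.argv[1], "rb") as f:
        parent_name = f.read()
    print("expected policy digest:", trial_policy(parent_name).hex())
    if len(sys.argv) > 2:
        ok = check_policy_file(sys.argv[1], sys.argv[2])
        print("policy file matches" if ok else "MISMATCH")
        sys.exit(0 if ok else 1)
```

A mismatch between the computed value and policydupselect.dat means the Name file is not the parent you think it is or the session already carried other policy commands; the object created with the wrong digest will simply never be duplicable, so verifying before tpm2_create(1) is cheaper than finding out at tpm2_duplicate(1).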

NOTES

  • This command is normally used together with tpm2_duplicate(1); reading the man page of tpm2_duplicate(1) as well is recommended.

  • This command sets the policy session's command code to TPM_CC_Duplicate and binds the session to the Names given with -n and -N, which restricts the session to the duplication role: it cannot authorize any other command, and tpm2_duplicate(1) is accepted only for that object and that new parent.
