% tpm2_policynamehash(1) tpm2-tools | General Commands Manual
NAME
tpm2_policynamehash(1) - Couples a policy with names of specific objects.
SYNOPSIS
tpm2_policynamehash [OPTIONS]
DESCRIPTION
tpm2_policynamehash(1) - Couples a policy with names of specific objects. This is a deferred assertion where the hash of the names of all object handles in a TPM command is checked against the one specified in the policy.
OPTIONS
-
-L, --policy=FILE:
File to save the compounded policy digest.
-
-S, --session=FILE:
The policy session file generated via the -S option to tpm2_startauthsession(1).
-
-n, --name=FILE:
The file containing the name hash of the referenced objects.
References
common options collection of common options that provide information many users may expect.
common tcti options collection of options used to configure the various known TCTI modules.
EXAMPLES
Restrict key duplication to specific new parent and specific duplicable key.
Generate a duplicable object
openssl genrsa -out signing_key_private.pem 2048
openssl rsa -in signing_key_private.pem -out signing_key_public.pem -pubout
tpm2_loadexternal -G rsa -C o -u signing_key_public.pem -c signing_key.ctx \
-n signing_key.name
tpm2_startauthsession -S session.ctx -g sha256
tpm2_policyauthorize -S session.ctx -L authorized.policy -n signing_key.name
tpm2_policycommandcode -S session.ctx -L policy.dat TPM2_CC_Duplicate
tpm2_flushcontext session.ctx
tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx -Q
## The duplicable key
tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r key.prv -u key.pub \
-L policy.dat -a "sensitivedataorigin|sign|decrypt"
tpm2_load -Q -C primary.ctx -r key.prv -u key.pub -c key.ctx
Create the new parent
tpm2_create -Q -C primary.ctx -g sha256 -G rsa -r new_parent.prv \
-u new_parent.pub \
-a "decrypt|fixedparent|fixedtpm|restricted|sensitivedataorigin"
tpm2_loadexternal -Q -C o -u new_parent.pub -c new_parent.ctx
Modify the duplicable key policy to namehash policy to restrict parent and key
tpm2_readpublic -Q -c new_parent.ctx -n new_parent.name
tpm2_readpublic -Q -c key.ctx -n key.name
cat key.name new_parent.name | openssl dgst -sha256 -binary > name.hash
tpm2_startauthsession -S session.ctx -g sha256
tpm2_policynamehash -L policy.namehash -S session.ctx -n name.hash
tpm2_flushcontext session.ctx
openssl dgst -sha256 -sign signing_key_private.pem \
-out policynamehash.signature policy.namehash
tpm2_startauthsession -S session.ctx -g sha256
tpm2_policyauthorize -S session.ctx -L authorized.policy -i policy.namehash \
-n signing_key.name
tpm2_policycommandcode -S session.ctx -L policy.dat TPM2_CC_Duplicate
tpm2_flushcontext session.ctx
Satisfy the policy and attempt key duplication
tpm2_verifysignature -c signing_key.ctx -g sha256 -m policy.namehash \
-s policynamehash.signature -t verification.tkt -f rsassa
tpm2_startauthsession -S session.ctx --policy-session -g sha256
tpm2_policynamehash -S session.ctx -n name.hash
tpm2_policyauthorize -S session.ctx -i policy.namehash -n signing_key.name \
-t verification.tkt
tpm2_policycommandcode -S session.ctx TPM2_CC_Duplicate
tpm2_duplicate -C new_parent.ctx -c key.ctx -G null -p "session:session.ctx" \
-r dupprv.bin -s dupseed.dat
tpm2_flushcontext session.ctx