author    James Bottomley <James.Bottomley@HansenPartnership.com>    2023-01-30 16:11:42 -0500
committer James Bottomley <James.Bottomley@HansenPartnership.com>    2023-01-30 16:11:42 -0500
commit    7f45bc6c244b401e70b4113c1020de48d49cd1c9 (patch)
tree      2d49aee07fbcdf19da048a21756e7abce809e426
parent    062e14c19ab156053ab9d3f8114e6d00f2b9657b (diff)
download  openssl_tpm2_engine-7f45bc6c244b401e70b4113c1020de48d49cd1c9.tar.gz
man page updates

seal_tpm2_key was missing a description of the --policy <file> option. Also add a section to create_tpm2_key and seal_tpm2_key describing how to create importable keys/sealed data blobs.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--  create_tpm2_key.1.in | 19
-rw-r--r--  seal_tpm2_data.1.in  | 19
-rw-r--r--  seal_tpm2_data.c     |  3
3 files changed, 40 insertions, 1 deletions
diff --git a/create_tpm2_key.1.in b/create_tpm2_key.1.in
index 848afdc..bbdfa9a 100644
--- a/create_tpm2_key.1.in
+++ b/create_tpm2_key.1.in
@@ -45,6 +45,25 @@ well as comma separated ranges. So
sha512:1,3-5 means PCRs 1,3,4 and 5 in the sha512 bank
+[Import]
+
+In some cases, there may be a need to wrap a key without access to the
+TPM it will be use on. For these cases an importable key may be
+specified with the --import option. For this to work, you must use a
+public key corresponding exactly to the one the importing TPM will use
+(Note: only Elliptic Curve parents are currently supported). For
+instance the owner seed elliptic curve storage key may be produced as
+
+tsscreateprimary -hi o -st -ecc nistp256 -opem parent.pub
+
+Then an importable key may be wrapped to the TPM via:
+
+create_tpm2_key --import parent.pub --wrap key.priv key.tpm
+
+Note that certain parameters must be assumed about a parent when it is
+wrapped, like the template (must be standard restricted decryption
+key) and the name hash (must be sha256).
+
[Signed Policies]
When the option --signed-policy <key> is used, it creates a key whose
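Review bot: typo in the new [Import] text, the line `+TPM it will be use on. For these cases an importable key may be` should read `TPM it will be used on. For these cases, an importable key may be`. The closing paragraph about assumed parent parameters (standard restricted decryption template, sha256 name hash) is the important caveat for users, so consider stating its consequence explicitly: a parent created with any other template or name hash will not be able to import the wrapped key, which is why the example parent is created with exactly `tsscreateprimary -hi o -st -ecc nistp256 -opem parent.pub`. Pairing that with the existing "only Elliptic Curve parents are currently supported" note would make the supported configuration unambiguous.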
diff --git a/seal_tpm2_data.1.in b/seal_tpm2_data.1.in
index 621b011..fe7b7c4 100644
--- a/seal_tpm2_data.1.in
+++ b/seal_tpm2_data.1.in
@@ -21,6 +21,25 @@ well as comma separated ranges. So
sha512:1,3-5 means PCRs 1,3,4 and 5 in the sha512 bank
+[Import]
+
+In some cases, there may be a need to wrap a key without access to the
+TPM it will be use on. For these cases an importable key may be
+specified with the --import option. For this to work, you must use a
+public key corresponding exactly to the one the importing TPM will use
+(Note: only Elliptic Curve parents are currently supported). For
+instance the owner seed elliptic curve storage key may be produced as
+
+tsscreateprimary -hi o -st -ecc nistp256 -opem parent.pub
+
+Then a sealed data file may be wrapped to the TPM via:
+
+echo "data" | seal_tpm2_data --import parent.pub seal.tpm
+
+Note that certain parameters must be assumed about a parent when it is
+wrapped, like the template (must be standard restricted decryption
+key) and the name hash (must be sha256).
+
[Signed Policies]
When the option --signed-policy <key> is used, it creates a sealed
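Review bot: same typo as in create_tpm2_key.1.in, `+TPM it will be use on.` should be `TPM it will be used on.`, with a comma after "For these cases". The [Import] section is otherwise copied verbatim between the two `.1.in` pages apart from the example command; since these files are already preprocessed, consider keeping the shared text in a single include so future corrections land in both. Separately, the commit message says this page was missing a description of the `--policy <file>` option, but this hunk only adds [Import]; the `--policy` text is added to usage() in seal_tpm2_data.c below and not to the man page, so either add the option description here too or adjust the commit message.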
diff --git a/seal_tpm2_data.c b/seal_tpm2_data.c
index a5d4569..1e4474c 100644
--- a/seal_tpm2_data.c
+++ b/seal_tpm2_data.c
@@ -80,9 +80,10 @@ usage(char *argv0)
" details about formatting\n"
"\t--signed-policy <key> Add a signed policy directive that allows\n"
"\t policies signed by the specified public <key>\n"
- "\t to authorize use of the key\n"
+ "\t to authorize unsealing\n"
"\t-i, --import <pubkey> Create an importable key with the outer\n"
" wrapper encrypted to <pubkey>\n"
+ "\t-c, --policy Specify a policy for unsealing the data\n"
"\n"
"\n"
"Report bugs to " PACKAGE_BUGREPORT "\n",
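Review bot: the new usage line `+ "\t-c, --policy Specify a policy for unsealing the data\n"` omits the argument placeholder that every other option in this block carries (`--signed-policy <key>`, `-i, --import <pubkey>`), and the commit message itself names the option `--policy <file>`; suggest `"\t-c, --policy <file> Specify a policy for unsealing the data\n"` and then check that the description column still lines up with the neighbouring entries. The wording change from "to authorize use of the key" to "to authorize unsealing" is correct for this tool, since seal_tpm2_data produces a sealed blob rather than a key.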