| author | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-01-30 16:11:42 -0500 |
|---|---|---|
| committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2023-01-30 16:11:42 -0500 |
| commit | 7f45bc6c244b401e70b4113c1020de48d49cd1c9 (patch) | |
| tree | 2d49aee07fbcdf19da048a21756e7abce809e426 | |
| parent | 062e14c19ab156053ab9d3f8114e6d00f2b9657b (diff) | |
| download | openssl_tpm2_engine-7f45bc6c244b401e70b4113c1020de48d49cd1c9.tar.gz | |
man page updates
seal_tpm2_key was missing a description of the --policy <file> option.
Also add a section to create_tpm2_key and seal_tpm2_key describing how
to create importable keys/sealed data blobs.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | create_tpm2_key.1.in | 19 |
| -rw-r--r-- | seal_tpm2_data.1.in | 19 |
| -rw-r--r-- | seal_tpm2_data.c | 3 |

3 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/create_tpm2_key.1.in b/create_tpm2_key.1.in index 848afdc..bbdfa9a 100644 --- a/create_tpm2_key.1.in +++ b/create_tpm2_key.1.in @@ -45,6 +45,25 @@ well as comma separated ranges. So sha512:1,3-5 means PCRs 1,3,4 and 5 in the sha512 bank +[Import] + +In some cases, there may be a need to wrap a key without access to the +TPM it will be use on. For these cases an importable key may be +specified with the --import option. For this to work, you must use a +public key corresponding exactly to the one the importing TPM will use +(Note: only Elliptic Curve parents are currently supported). For +instance the owner seed elliptic curve storage key may be produced as + +tsscreateprimary -hi o -st -ecc nistp256 -opem parent.pub + +Then an importable key may be wrapped to the TPM via: + +create_tpm2_key --import parent.pub --wrap key.priv key.tpm + +Note that certain parameters must be assumed about a parent when it is +wrapped, like the template (must be standard restricted decryption +key) and the name hash (must be sha256). + [Signed Policies] When the option --signed-policy <key> is used, it creates a key whose diff --git a/seal_tpm2_data.1.in b/seal_tpm2_data.1.in index 621b011..fe7b7c4 100644 --- a/seal_tpm2_data.1.in +++ b/seal_tpm2_data.1.in 
@@ -21,6 +21,25 @@ well as comma separated ranges. So sha512:1,3-5 means PCRs 1,3,4 and 5 in the sha512 bank +[Import] + +In some cases, there may be a need to wrap a key without access to the +TPM it will be use on. For these cases an importable key may be +specified with the --import option. For this to work, you must use a +public key corresponding exactly to the one the importing TPM will use +(Note: only Elliptic Curve parents are currently supported). For +instance the owner seed elliptic curve storage key may be produced as + +tsscreateprimary -hi o -st -ecc nistp256 -opem parent.pub + +Then a sealed data file may be wrapped to the TPM via: + +echo "data" | seal_tpm2_data --import parent.pub seal.tpm + +Note that certain parameters must be assumed about a parent when it is +wrapped, like the template (must be standard restricted decryption +key) and the name hash (must be sha256). + [Signed Policies] When the option --signed-policy <key> is used, it creates a sealed diff --git a/seal_tpm2_data.c b/seal_tpm2_data.c index a5d4569..1e4474c 100644 --- a/seal_tpm2_data.c +++ b/seal_tpm2_data.c @@ -80,9 +80,10 @@ usage(char *argv0) " details about formatting\n" "\t--signed-policy <key> Add a signed policy directive that allows\n" "\t policies signed by the specified public <key>\n" - "\t to authorize use of the key\n" + "\t to authorize unsealing\n" "\t-i, --import <pubkey> Create an importable key with the outer\n" " wrapper encrypted to <pubkey>\n" + "\t-c, --policy Specify a policy for unsealing the data\n" "\n" "\n" "Report bugs to " PACKAGE_BUGREPORT "\n", |
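Review bot: In the new [Import] section of create_tpm2_key.1.in, "the TPM it will be use on" should read "used on", and the sentence "you must use a public key corresponding exactly to the one the importing TPM will use" needs the security half of the requirement spelled out: parent.pub has to be obtained and checked out of band (for example by comparing it with the primary as produced by tsscreateprimary on the target TPM itself), because whoever holds the private half of whatever key is passed to --import can unwrap key.priv. It would also help to say what the reader sees when the assumed template or sha256 name hash does not match the real parent: the import fails on the target rather than yielding a usable key.tpm.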
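Review bot: The [Import] paragraph copied into seal_tpm2_data.1.in still talks about "wrap a key" and "an importable key", but for this tool the wrapped object is a sealed data blob; suggest "wrap sealed data" and "an importable sealed data blob" so the prose matches its own example (echo "data" | seal_tpm2_data --import parent.pub seal.tpm). The same "it will be use on" typo is repeated here. Note also that echo seals a trailing newline together with "data"; either say so or use printf '%s' "data" in the example so a reader is not surprised by the extra byte on unseal.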
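Review bot: The new usage line "\t-c, --policy Specify a policy for unsealing the data\n" in seal_tpm2_data.c leaves out the argument placeholder that the neighbouring options show (--signed-policy <key>, --import <pubkey>) and that the commit message itself calls --policy <file>; suggest "\t-c, --policy <file> Specify a policy for unsealing the data\n". Please also confirm that the getopt long-options table (not in this hunk) really maps 'c' to "policy", so the short option now being documented actually exists, and that the column alignment of the description matches the lines above it.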