Apologies if this isn't the correct place to ask this, but I'm not sure where else I should!
I need to create a duplicate key which also allows for a PCR policy. Basically, I want to encrypt files on TPM-A and decrypt on TPM-B using the same object with a PCR policy, so the decryption only works if the PCR values are the same.
I can create the duplicate object using tpm2_duplicate and migrate it to another TPM, but how do you then bind a PCR policy? I can find documents suggesting it is possible, but they don't give any examples using tpm2_tools.
The two options I've been investigating are as follows, but I'm unsure which is correct.
1) Use tpm2_policycommandcode to create a policy with TPM2_CC_Duplicate and a policy with TPM2_CC_PolicyPCR, and use tpm2_policyor to logically OR the two policies. Then apply the policy?
2) Use tpm2_policyauthorize to allow mutable policies by tethering them to a signing authority.
Any help or assistance would be greatly appreciated.
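As an added example (not part of the original post, and not tpm2-tools project code), here is option 1 worked through end to end as a shell script: the key's policy is PolicyOR(PolicyPCR(0,1,2), PolicyCommandCode(TPM2_CC_Duplicate)); the PCR branch authorises encrypt/decrypt on either TPM, the command-code branch authorises only TPM2_Duplicate. It also includes small helpers that recompute the three policy digests offline (TPM 2.0 Part 3 extension formulas), so the files `tpm2_policy*` write with `-L` can be checked, or the expected PCR branch digest for TPM-B can be predicted from its expected PCR values without a trial session. Assumptions: tpm2-tools 5.x option syntax, a TPM or swtpm reachable via `TPM2TOOLS_TCTI`, the SHA-256 PCR bank, and illustrative file names (`key.pub`, `dup.priv`, `dup.seed`, `primary_b.pub`, `pcr.policy`, `dup.policy`, `or.policy`, `secret.txt`, `iv.bin`) that are not from the post. The digest helpers need only `sha256sum` (or `openssl`) and POSIX sh.

```sh
#!/bin/sh
# Added example for "option 1": key policy = PolicyOR(PolicyPCR(0,1,2), PolicyCommandCode(TPM2_CC_Duplicate)),
# created and used on TPM-A, duplicated to TPM-B, usable there only while PCRs 0,1,2 match.
# Assumptions: tpm2-tools 5.x option syntax, a TPM (or swtpm) via TPM2TOOLS_TCTI, SHA-256 PCR bank;
# all file names are illustrative. The digest helpers need only sha256sum/openssl.
set -u

PCRS="0,1,2"                     # assumed PCR selection
PCR_BITMAP=070000                # the same selection as a 3-byte TPMS_PCR_SELECTION bitmap (bits 0,1,2 of byte 0)
CC_POLICYPCR=0000017f            # TPM2_CC_PolicyPCR
CC_POLICYCOMMANDCODE=0000016c    # TPM2_CC_PolicyCommandCode
CC_DUPLICATE=0000014b            # TPM2_CC_Duplicate
CC_POLICYOR=00000171             # TPM2_CC_PolicyOR
ZERO32=0000000000000000000000000000000000000000000000000000000000000000   # fresh policyDigest

# hex string -> raw bytes on stdout (POSIX sh only; odd-length input is rejected)
hex2bin() {
  h=$1
  [ $(( ${#h} % 2 )) -eq 0 ] || return 1
  while [ -n "$h" ]; do
    pair=${h%"${h#??}"}; h=${h#??}
    printf "\\$(printf '%03o' "0x$pair")"
  done
}
sha256hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else openssl dgst -sha256 -r | cut -d' ' -f1; fi
}

# Offline recomputation of the policy digests: new = H(old || commandCode || args) (TPM 2.0 Part 3).
policy_commandcode_digest() {    # $1 = command code, 8 hex chars
  hex2bin "$ZERO32$CC_POLICYCOMMANDCODE$1" | sha256hex
}
policy_pcr_digest() {            # $1 = 3-byte bitmap (hex), $2.. = selected PCR values (hex) in index order
  sel=$1; shift
  pcrdigest=$(hex2bin "$(printf '%s' "$@")" | sha256hex)
  # args = TPML_PCR_SELECTION {count=1, hashAlg=0x000b (SHA-256), sizeofSelect=3, bitmap} || pcrDigest
  hex2bin "$ZERO32${CC_POLICYPCR}00000001000b03${sel}${pcrdigest}" | sha256hex
}
policy_or_digest() {             # $@ = branch digests (hex); PolicyOR resets to zero, then extends: order matters
  hex2bin "$ZERO32$CC_POLICYOR$(printf '%s' "$@")" | sha256hex
}

# --- TPM-A: build the policy, create the key, encrypt, then duplicate to TPM-B ---
side_a() {
  tpm2_createprimary -C o -c primary.ctx
  # Trial sessions only compute digests. Without -f, tpm2_policypcr binds to TPM-A's current PCR values.
  tpm2_startauthsession -S trial.ctx
  tpm2_policypcr -S trial.ctx -l "sha256:$PCRS" -L pcr.policy
  tpm2_flushcontext trial.ctx
  tpm2_startauthsession -S trial.ctx
  tpm2_policycommandcode -S trial.ctx -L dup.policy TPM2_CC_Duplicate
  tpm2_flushcontext trial.ctx
  tpm2_startauthsession -S trial.ctx
  tpm2_policyor -S trial.ctx -L or.policy sha256:pcr.policy,dup.policy
  tpm2_flushcontext trial.ctx
  # No fixedtpm/fixedparent (so it is duplicable) and no userwithauth (so only the policy can authorise use).
  tpm2_create -C primary.ctx -G aes128cfb -L or.policy \
    -a "sensitivedataorigin|decrypt|sign" -u key.pub -r key.priv
  tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx

  # Branch 1 (PCR) for encryption: satisfy PolicyPCR against live PCRs, then PolicyOR.
  tpm2_startauthsession --policy-session -S s.ctx
  tpm2_policypcr -S s.ctx -l "sha256:$PCRS"
  tpm2_policyor -S s.ctx sha256:pcr.policy,dup.policy
  tpm2_getrandom 16 -o iv.bin
  tpm2_encryptdecrypt -c key.ctx -p session:s.ctx -i iv.bin -o secret.enc secret.txt
  tpm2_flushcontext s.ctx

  # Branch 2 (command code) for duplication under TPM-B's primary public key (primary_b.pub copied from TPM-B).
  tpm2_loadexternal -C o -u primary_b.pub -c newparent.ctx
  tpm2_startauthsession --policy-session -S s.ctx
  tpm2_policycommandcode -S s.ctx TPM2_CC_Duplicate
  tpm2_policyor -S s.ctx sha256:pcr.policy,dup.policy
  tpm2_duplicate -C newparent.ctx -c key.ctx -G null -p session:s.ctx -r dup.priv -s dup.seed
  tpm2_flushcontext s.ctx
  # Ship key.pub dup.priv dup.seed secret.enc iv.bin pcr.policy dup.policy to TPM-B.
}

# --- TPM-B: import under its own primary and decrypt; PolicyOR fails unless PCRs 0,1,2 match TPM-A's ---
side_b() {
  tpm2_createprimary -C o -c primary.ctx            # the primary whose public part was exported as primary_b.pub
  tpm2_import -C primary.ctx -u key.pub -i dup.priv -s dup.seed -r key_b.priv
  tpm2_load -C primary.ctx -u key.pub -r key_b.priv -c key.ctx
  tpm2_startauthsession --policy-session -S s.ctx
  tpm2_policypcr -S s.ctx -l "sha256:$PCRS"         # evaluated against TPM-B's live PCRs
  tpm2_policyor -S s.ctx sha256:pcr.policy,dup.policy
  tpm2_encryptdecrypt -d -c key.ctx -p session:s.ctx -i iv.bin -o secret.txt secret.enc
  tpm2_flushcontext s.ctx
}

case "${1:-}" in
  side-a) side_a ;;
  side-b) side_b ;;
esac
```

Run `sh script.sh side-a` on TPM-A after copying over TPM-B's `primary_b.pub` (`tpm2_readpublic -c primary.ctx -o primary_b.pub` on TPM-B), then `sh script.sh side-b` on TPM-B with the shipped files. Two points the script relies on: TPM2_Duplicate uses the DUP authorisation role, which can only be satisfied by a policy session that executed PolicyCommandCode(TPM2_CC_Duplicate) (or PolicyDuplicationSelect), so the command-code branch is required rather than optional; and the two branch digest files contain no PCR values, only digests, so on TPM-B the PCR branch is re-evaluated against TPM-B's live PCRs and `tpm2_policyor` fails if they differ. To predict whether TPM-B will pass, compute `policy_pcr_digest 070000 "$pcr0" "$pcr1" "$pcr2"` from the expected values and compare it with the hex contents of `pcr.policy`.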