I have created a primary object.
Created another object under this primary object.
Loaded the above created object into the TPM.
Using the above 3 steps, created a sealed blob!
Then I can unseal using the handle obtained from load.
Also, I have context-saved the handles of the primary object and the loaded object.
I can context-load these handles on this same TPM if I flushcontext these transient handles.
Is there a way to load these saved contexts on a different TPM chip, so that I can do unseal of the sealed object on the other box?
PS: the requirement is that the sensitive data that is sealed can be generated at one box, which has TPM chip #1.
Now, this sensitive data needs to be obtained on box #2 with TPM chip #2.
The specific answer: A saved context can only be loaded back to the same TPM.
The better answer: The concept you are looking for is 'duplication'. TPM1 wraps the data with a public key of TPM2 (duplicate). TPM2 unwraps the data with its private key and wraps it with its symmetric key (import). The result can be loaded (load) on TPM2.
The TSS https://sourceforge.net/projects/ibmtpm20tss/ has many examples in testdup.sh.
Duplication should be controlled by a policy. The duplication can have an optional inner, symmetric wrapper.
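The duplicate/import/load flow described in the answer above, written out end to end as an added example. This is not code from the thread or from the IBM TSS project; it uses tpm2-tools syntax rather than the IBM TSS utilities exercised in testdup.sh. The file names, the mssim TCTI strings, the choice of the owner-hierarchy primary as the new parent, and the helper names (box1_seal, box2_publish_parent, box1_duplicate, box2_import_unseal, duplicable_attrs) are assumptions; the secret is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread or the IBM TSS project): move a sealed
# secret from TPM #1 to TPM #2 with Duplicate -> Import -> Load -> Unseal,
# using tpm2-tools (4.x or later).  File names, TCTI strings and the use of the
# owner-hierarchy primary as the new parent are assumptions.
set -eu

# Each TPM is addressed through its own TCTI.  The defaults suit two simulators
# on one host; for two physical boxes run the box1_* functions on box 1, copy
# the named files across, and run the box2_* functions on box 2.
TCTI1=${TCTI1:-mssim:host=localhost,port=2321}
TCTI2=${TCTI2:-mssim:host=localhost,port=2331}

# tpm2_create's default attributes include fixedtpm|fixedparent, and a
# fixedparent object can never be duplicated; a duplicable object omits both.
SEAL_ATTRS="userwithauth"

# Returns 1 when an attribute list would make TPM2_Duplicate fail.
duplicable_attrs() {
    case "|$1|" in
        *"|fixedtpm|"* | *"|fixedparent|"*) return 1 ;;
        *) return 0 ;;
    esac
}

# TPM2_Duplicate uses the DUP role, which is only satisfiable by a policy
# session, so the object needs an authPolicy.  PolicyCommandCode(Duplicate)
# limits that policy to duplication; unseal still uses the (empty) password.
make_dup_policy() {
    tpm2_startauthsession -S trial.ctx            # trial session: digest only
    tpm2_policycommandcode -S trial.ctx -L dup_policy.dat TPM2_CC_Duplicate
    tpm2_flushcontext trial.ctx
}

box1_seal() {                                     # $1 = file holding the secret
    export TPM2TOOLS_TCTI="$TCTI1"
    make_dup_policy
    duplicable_attrs "$SEAL_ATTRS"
    tpm2_createprimary -C o -c primary1.ctx
    tpm2_create -C primary1.ctx -i "$1" -a "$SEAL_ATTRS" -L dup_policy.dat \
        -u seal.pub -r seal.priv
    tpm2_load -C primary1.ctx -u seal.pub -r seal.priv -c seal.ctx
}

# TPM #2 publishes the storage key that will receive the object.  A primary is
# regenerated from the same template and seed, so it can be recreated later.
box2_publish_parent() {
    export TPM2TOOLS_TCTI="$TCTI2"
    tpm2_createprimary -C o -c primary2.ctx
    tpm2_readpublic -c primary2.ctx -o newparent.pub    # carry to box 1
}

# Needs newparent.pub from box 2.  The sensitive area is re-wrapped to the new
# parent's public key; it never appears in clear on either side.
box1_duplicate() {
    export TPM2TOOLS_TCTI="$TCTI1"
    tpm2_startauthsession --policy-session -S dup.ctx
    tpm2_policycommandcode -S dup.ctx TPM2_CC_Duplicate
    # -G null: no inner symmetric wrapper.  "-G aes -o inner.key" adds one;
    # inner.key then travels to box 2 over a separate channel (tpm2_import -k).
    tpm2_duplicate -C newparent.pub -c seal.ctx -G null -p session:dup.ctx \
        -r dup.priv -s dup.seed
    tpm2_flushcontext dup.ctx
    tpm2_flushcontext -t                          # carry seal.pub dup.priv dup.seed
}

box2_import_unseal() {                            # needs the three files from box 1
    export TPM2TOOLS_TCTI="$TCTI2"
    tpm2_import -C primary2.ctx -u seal.pub -i dup.priv -s dup.seed -r seal2.priv
    tpm2_load -C primary2.ctx -u seal.pub -r seal2.priv -c seal2.ctx
    tpm2_unseal -c seal2.ctx -o recovered.txt
    tpm2_flushcontext -t
}

if [ "${1:-}" = run ]; then
    printf 'top secret\n' > secret.txt            # constructed sample secret
    box1_seal secret.txt
    box2_publish_parent
    box1_duplicate
    box2_import_unseal
    cmp secret.txt recovered.txt && echo "unsealed on TPM #2 OK"
fi
```

Run it as `sh dup.sh run` with two simulators listening on the two ports, or split the box1_* and box2_* calls across the two machines and copy newparent.pub one way and seal.pub, dup.priv and dup.seed the other. The duplicated blob is only usable by a TPM that holds the new parent's private key, which is what makes this transfer safe; a saved context, by contrast, is encrypted under a key internal to the TPM that produced it, so it is meaningless to any other chip.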
Perfect, thank you very much. I understand now. I was using the saved context file and trying to load it in the other TPM. But after thinking about it, I see why that is not possible.