tpm2-tools
Preventing chained duplication using tpm2_policyduplicationselect
The default end-to-end example in tpm2_duplicate describes a way to transfer from A->B;
however, you can also repeat that process to further propagate the key from A->B->C.
Here's an example:
But what I really want is for the key to get used ONLY on B and to prevent this chain, and it seems tpm2_policyduplicationselect is what's needed somewhere.
The procedure I came up with seems to work, but it'd be great if someone could confirm it (if confirmed and there's interest in adding it to the docs, I'll file the doc PR).
The thing I tried is replacing tpm2_policycommandcode with tpm2_policyduplicationselect (I'm not sure if that is legit to do or not, and the failed duplication could well be for some other reason and not the one I'm after...).
Here's the procedure:
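The mechanism behind the procedure above, as an added example that is not part of this thread or of tpm2-tools: the key's authPolicy is part of its public area and travels with it on duplication, and TPM2_PolicyDuplicationSelect folds the new parent's Name into the policy digest (TPM 2.0 Library Part 3, section 23.12: H(policyDigest_old || TPM_CC_PolicyDuplicationSelect || [objectName ||] newParentName || includeObject)). So a key created with a policy bound to B's parent Name can be duplicated to B, but a session built on host B naming C's parent produces a different digest and TPM2_Duplicate fails its policy check. The script below reproduces both digest updates in pure Python and contrasts them with the tpm2_policycommandcode policy from the man page, which accepts any parent. The three Names are constructed placeholders (real ones come from `tpm2_readpublic -n`); the SHA-256 digest formulas and command-code constants are from the TPM 2.0 specification.

```python
import hashlib

# TPM 2.0 command codes (Part 2, TPM_CC constants).
TPM_CC_DUPLICATE = 0x0000014B
TPM_CC_POLICY_COMMAND_CODE = 0x0000016C
TPM_CC_POLICY_DUPLICATION_SELECT = 0x00000188

TPM_ALG_SHA256 = 0x000B
HASH_LEN = 32  # this example uses SHA-256 as the policy hash algorithm
ZERO = bytes(HASH_LEN)  # a fresh (trial) session starts with an all-zero policyDigest


def make_name(public_area: bytes) -> bytes:
    """TPM2B_NAME buffer of a SHA-256-named object: algId || H(public area).
    This is the 34-byte form (no size prefix) that tpm2_readpublic -n writes."""
    return TPM_ALG_SHA256.to_bytes(2, "big") + hashlib.sha256(public_area).digest()


def policy_command_code(old: bytes, code: int) -> bytes:
    """TPM2_PolicyCommandCode digest update (the tpm2_duplicate man page policy).
    policyDigest_new = H(old || TPM_CC_PolicyCommandCode || code)"""
    return hashlib.sha256(
        old + TPM_CC_POLICY_COMMAND_CODE.to_bytes(4, "big") + code.to_bytes(4, "big")
    ).digest()


def policy_duplication_select(old: bytes, object_name: bytes,
                              new_parent_name: bytes, include_object: bool) -> bytes:
    """TPM2_PolicyDuplicationSelect digest update (Part 3, section 23.12).
    objectName is hashed only when includeObject is YES; includeObject itself is
    marshalled as a single TPMI_YES_NO byte at the end."""
    h = hashlib.sha256()
    h.update(old)
    h.update(TPM_CC_POLICY_DUPLICATION_SELECT.to_bytes(4, "big"))
    if include_object:
        h.update(object_name)
    h.update(new_parent_name)
    h.update(b"\x01" if include_object else b"\x00")
    return h.digest()


# Constructed stand-ins for the public areas of the three objects involved.
# They only need to be distinct; real Names would come from tpm2_readpublic -n.
NAME_KEY = make_name(b"constructed public area: the key being duplicated")
NAME_PARENT_B = make_name(b"constructed public area: new parent on host B")
NAME_PARENT_C = make_name(b"constructed public area: new parent on host C")


def duplication_select_allows(auth_policy: bytes, object_name: bytes,
                              parent_name: bytes) -> bool:
    """Model the policy comparison TPM2_Duplicate makes: a session that ran
    PolicyDuplicationSelect naming `parent_name` (includeObject NO, the same
    setting the key was created with) must reach the key's stored authPolicy."""
    session = policy_duplication_select(ZERO, object_name, parent_name, include_object=False)
    return session == auth_policy


def command_code_allows(auth_policy: bytes) -> bool:
    """Same comparison for the man page policy: PolicyCommandCode(Duplicate) never
    looks at the parent, so one session digest serves any destination."""
    return policy_command_code(ZERO, TPM_CC_DUPLICATE) == auth_policy


if __name__ == "__main__":
    # authPolicy baked into the key at creation on host A: "duplicate to B only".
    b_only = policy_duplication_select(ZERO, NAME_KEY, NAME_PARENT_B, include_object=False)
    print("authPolicy (B only):", b_only.hex())
    print("A -> B allowed:", duplication_select_allows(b_only, NAME_KEY, NAME_PARENT_B))
    print("B -> C allowed:", duplication_select_allows(b_only, NAME_KEY, NAME_PARENT_C))

    # The man page's PolicyCommandCode(Duplicate) policy is parent-agnostic.
    any_parent = policy_command_code(ZERO, TPM_CC_DUPLICATE)
    print("authPolicy (any parent):", any_parent.hex())
    print("chain allowed with command-code policy:", command_code_allows(any_parent))
```

To cross-check a real run, read the 34-byte files from `tpm2_readpublic -n` for the key and for B's parent into `NAME_KEY` and `NAME_PARENT_B`; the digest returned by `policy_duplication_select(ZERO, NAME_KEY, NAME_PARENT_B, False)` should equal the contents of the `-L policy.dat` file written by `tpm2_policyduplicationselect -S session.ctx -n key.name -N parent_b.name -L policy.dat` (flag names as in the tpm2-tools man page). Two caveats the model leaves out: the real TPM also records H(objectName || newParentName) as the session's nameHash and checks it at TPM2_Duplicate, so a session authorizes exactly one object/parent pair even when includeObject is NO; and the policy only governs duplication, so the key still needs fixedParent and fixedTPM clear for the first hop to A->B to work at all.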
That is exactly correct, and it would be great to have this added to the documentation. Maybe you can shrink it a bit (e.g. leaving out the counterexample case for C) so it still fits into the man page. I'm looking forward to your PR.
A small side comment about having an example of policies on duplication:
You can use these restrictions to also clarify the controls around using TPMs for authentication to cloud providers from on-prem hardware or remote systems.
For example, if you can control duplication of RSA or HMAC keys, you enable some use cases for auth I looked at earlier:
- Google Cloud uses RSA service account keys for auth (see gcp-adc-tpm)
- Azure applications also use RSA keys (see azsigner)
- AWS uses HMAC (see aws_hmac and aws-tpm-process-credential)