Hi Imran,

Thanks for your reply. I had two cases, but for now, let's talk about the one in the tpm2_policyduplicationselect(1) man page. I did the exact steps listed there in the example. Then after the duplication, I did an import and load, as follows:

# tpm2_import -Q -C dst_n.ctx -i new_dupkey.priv -u dupkey.pub \
    -s dupseed.dat -r imported.priv -L policydupselect.dat
# tpm2_load -Q -C dst_n.ctx -r imported.priv -u dupkey.pub -c imported.ctx

I then tried to do tpm2_rsa_en/decrypt with imported.ctx. The decrypt is where the policy errors came up. But as you point out below, the "userwithauth" attribute is not part of the example in that man page. So let me try again with that attribute added. IIRC, the readpublic on the duplicated/imported key did reference a policy, which I could not figure out how to satisfy.

Will get back to you shortly after trying again.

Thanks,
-ted

On 5/20/20 10:31 AM, Imran Desai wrote:
> Hi Ted,
>
> Based on what you said you want to accomplish and your above-mentioned references, I have a hunch that you have the keys set up incorrectly.
> Can you please,
> 1. Try to create a key with "userwithauth" set in the step in your script that references the policy_duplication man page, as in here:
> "tpm2_create -C src_o.ctx -g sha256 -G rsa -r dupkey.priv -u dupkey.pub \
> -L policydupselect.dat -a "sensitivedataorigin|sign|decrypt|userwithauth" -c dupkey.ctx -Q"
> 2. Share your exact steps/script that you implemented.
> 3. Share the key properties of the parent and child object you created. You can use the tpm2_readpublic command to dump the key properties.
>
> Thanks
> _______________________________________________
> tpm2 mailing list -- tpm2(a)lists.01.org
> To unsubscribe send an email to tpm2-leave(a)lists.01.org

--
Ted H. Kim, PhD
ted.h.kim(a)oracle.com
+1 310-258-7515
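Added example for this thread (not code from the mailing list or from the tpm2-tools project): the man page duplication flow Ted describes, with the userwithauth attribute Imran suggests, followed by Ted's import/load and an encrypt/decrypt round trip under the new parent. It also includes a small check on tpm2_readpublic output that catches the problem before tpm2_rsadecrypt does: the authPolicy created by tpm2_policyduplicationselect gates the DUP role, and when userwithauth is clear the USER role (decrypt, sign) must be policy-authorized as well, but a session in which TPM2_PolicyDuplicationSelect has run is bound to TPM2_Duplicate, so no policy session can authorize the decrypt. Assumptions: tpm2-tools 4.x command syntax as used in the thread, a TPM (or swtpm/mssim simulator) selected through TPM2TOOLS_TCTI, and the tpm2_readpublic text layout shown in the sample dumps; those dumps are constructed, not captured from a TPM.

```shell
#!/bin/sh
# Added example; not from the thread or tpm2-tools. Assumes tpm2-tools 4.x
# syntax and a TPM reachable via TPM2TOOLS_TCTI (e.g. a swtpm/mssim simulator).
set -eu

# Man page attributes plus userwithauth: the USER role (rsadecrypt/sign) can
# then be authorized with the object's password; the DUP role stays gated by
# the PolicyDuplicationSelect authPolicy.
DUP_CHILD_ATTRS="sensitivedataorigin|sign|decrypt|userwithauth"

# check_readpublic [FILE]: read a tpm2_readpublic dump ("-" or no arg = stdin).
# Returns 0 if userwithauth is set; 1 if an authorization policy is present but
# userwithauth is not (the thread's failure: USER-role commands then need a
# policy session, and one that ran PolicyDuplicationSelect only authorizes
# TPM2_Duplicate); 2 if neither is present.
check_readpublic() {
    dump=$(cat "${1:--}")
    attrs=$(printf '%s\n' "$dump" | sed -n '/^attributes:/,/^[^ ]/ s/^  value: //p')
    policy=$(printf '%s\n' "$dump" | sed -n 's/^authorization policy: //p')
    case "|$attrs|" in
        *"|userwithauth|"*) return 0 ;;
    esac
    if [ -n "$policy" ]; then
        echo "authPolicy $policy set but userwithauth absent: decrypt/sign need a policy session" >&2
        return 1
    fi
    echo "neither userwithauth nor an authPolicy: no way to authorize USER-role commands" >&2
    return 2
}

# Constructed dumps (assumed tpm2_readpublic layout; values are made up).
# Raw attribute words follow TPMA_OBJECT: sensitivedataorigin 0x20,
# userwithauth 0x40, decrypt 0x20000, sign 0x40000.
sample_readpublic_no_userwithauth() {
    cat <<'EOF'
name: 000b1111111111111111111111111111111111111111111111111111111111111111
qualified name: 000b2222222222222222222222222222222222222222222222222222222222222222
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: sensitivedataorigin|decrypt|sign
  raw: 0x60020
type:
  value: rsa
  raw: 0x1
authorization policy: 3333333333333333333333333333333333333333333333333333333333333333
EOF
}
sample_readpublic_with_userwithauth() {
    sample_readpublic_no_userwithauth |
        sed -e 's/^  value: sensitivedataorigin|decrypt|sign$/  value: sensitivedataorigin|userwithauth|decrypt|sign/' \
            -e 's/^  raw: 0x60020$/  raw: 0x60060/'
}

# run_dup_flow: man page example + userwithauth, then the thread's import/load
# and a USER-role round trip under dst_n. Run in an empty scratch directory.
run_dup_flow() {
    tpm2_createprimary -Q -C o -g sha256 -G rsa -c src_o.ctx
    tpm2_createprimary -Q -C n -g sha256 -G rsa -c dst_n.ctx
    tpm2_readpublic -Q -c dst_n.ctx -n dst_n.name

    # Trial session: compute the digest that binds the child to dst_n.
    tpm2_startauthsession -S session.ctx
    tpm2_policyduplicationselect -Q -S session.ctx -N dst_n.name -L policydupselect.dat
    tpm2_flushcontext session.ctx

    tpm2_create -Q -C src_o.ctx -g sha256 -G rsa -r dupkey.priv -u dupkey.pub \
        -L policydupselect.dat -a "$DUP_CHILD_ATTRS" -c dupkey.ctx
    tpm2_readpublic -Q -c dupkey.ctx -n dupkey.name
    tpm2_readpublic -c dupkey.ctx > dupkey.pubinfo
    check_readpublic dupkey.pubinfo   # stop here if userwithauth is missing

    # Policy session: satisfy the DUP-role policy and duplicate to dst_n.
    tpm2_startauthsession --policy-session -S session.ctx
    tpm2_policyduplicationselect -Q -S session.ctx -N dst_n.name -n dupkey.name -L policydupselect.dat
    tpm2_duplicate -Q -C dst_n.ctx -c dupkey.ctx -G null -p "session:session.ctx" \
        -r new_dupkey.priv -s dupseed.dat
    tpm2_flushcontext session.ctx

    # The thread's import/load, then encrypt/decrypt with password (empty) auth.
    tpm2_import -Q -C dst_n.ctx -i new_dupkey.priv -u dupkey.pub \
        -s dupseed.dat -r imported.priv -L policydupselect.dat
    tpm2_load -Q -C dst_n.ctx -r imported.priv -u dupkey.pub -c imported.ctx
    printf 'hello from src_o\n' > msg.dat
    tpm2_rsaencrypt -c imported.ctx -o msg.enc msg.dat
    tpm2_rsadecrypt -c imported.ctx -o msg.dec msg.enc
    cmp msg.dat msg.dec
    echo "round trip under dst_n OK"
}

# Only talk to a TPM when asked; the readpublic check runs anywhere.
if [ "${RUN_TPM_FLOW:-0}" = 1 ]; then
    run_dup_flow
fi
```

Run `RUN_TPM_FLOW=1 sh dupflow.sh` in a scratch directory against a simulator; the decrypt step is the one that failed in the thread, and with userwithauth set it succeeds with empty password auth while the object's authorization policy remains in place for duplication. To diagnose an already-created key, pipe `tpm2_readpublic -c imported.ctx` into `check_readpublic`.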