Per your problem statement,
1. There is one unique primary object per user.
2. There is a multitude of such users.
4. There are multiple keys created under each of the primary objects.
4. Invalidating the primary object would invalidate all the keys under the primary object
and thus the user.
To create unique primary keys you can add unique data to objects created with
tpm2_createprimary using the option "-u, --unique-data".
To create multiple keys simply run tpm2_create referencing the unique primary object as
To be able to invalidate the unique primary object, have its authorization policy set to
policyNV referencing an NV index of type TPM_NT_BITS. The NV index is of size equal to the
number of bits that can accommodate the total number of users. Now, use tpm2_nvsetbits to
represent the invalidation of a specific key.
Example. You have 16 users. NV Index of size 2 bytes.
0x0000 ==> All keys are active.
tpm2_nvsetbits ==> 0x0001 ==> Key#1 invalidated since policyNV operandB
changed and is not equal to 0000 anymore.
and so on...
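The scheme above as a runnable script, added here as an example rather than taken from the reply or from tpm2-tools. It assumes tpm2-tools v4 or later, an owner hierarchy with empty auth, and that NV handle 0x01500020 is free. Two deliberate differences from the text: a TPM_NT_BITS index is 8 bytes (64 bits) per the TPM 2.0 spec, so the index is 8 bytes rather than 2, and each user's policy uses the PolicyNV "bit clear" (bc) comparison on that user's own bit instead of "eq 0000", so revoking one user leaves the other users' keys usable.

```shell
#!/bin/sh
# Added example (not from the original reply): one primary per user, gated by
# one bit of a TPM_NT_BITS NV index; revocation = tpm2_nvsetbits on that bit.
set -eu
NV=0x01500020   # assumed free NV handle; 8-byte bit field = 64 user slots

# Bit mask for user N (1..64) as a hex literal: user 1 -> 0x1, user 3 -> 0x4 ...
user_mask() {
    [ "$1" -ge 1 ] && [ "$1" -le 64 ] || { echo "user id out of range" >&2; return 1; }
    printf '0x%x' $((1 << ($1 - 1)))
}

# Operand B for TPM2_PolicyNV: the same mask as 8 big-endian bytes in a file.
mask_file() {  # $1 = user id, $2 = output file
    pos=$(( ($1 - 1) / 8 )); val=$(( 1 << (($1 - 1) % 8) ))
    head -c $((7 - pos)) /dev/zero > "$2"          # zero bytes before the set byte
    printf "\\$(printf '%03o' "$val")" >> "$2"     # the byte holding the user's bit
    head -c "$pos" /dev/zero >> "$2"               # zero bytes after it
}

# One-time: define the bit field and mark it written (bits=0 is a valid first
# write; PolicyNV cannot read an index that has never been written).
setup_nv() {
    tpm2_nvdefine -C o -s 8 -a "nt=bits|ownerread|ownerwrite" "$NV"
    tpm2_nvsetbits -C o -i 0 "$NV"
}

# Per user: policy "my bit is clear" (trial session), primary with unique data
# bound to that policy, then one child key created via a real policy session.
provision_user() {  # $1 = user id
    mask_file "$1" "u$1.operand"
    tpm2_startauthsession -S trial.ctx
    tpm2_policynv -S trial.ctx -C o -i "u$1.operand" -L "u$1.policy" "$NV" bc
    tpm2_flushcontext trial.ctx
    printf 'user-%s' "$1" > "u$1.unique"            # unique data -> distinct primary
    tpm2_createprimary -C o -G rsa -u "u$1.unique" -L "u$1.policy" -c "u$1.primary.ctx"
    tpm2_startauthsession --policy-session -S pol.ctx
    tpm2_policynv -S pol.ctx -C o -i "u$1.operand" "$NV" bc
    tpm2_create -C "u$1.primary.ctx" -P session:pol.ctx -u "u$1.key.pub" -r "u$1.key.priv"
    tpm2_flushcontext pol.ctx
}

# Revoke user N: set its bit. NV bits can only be set, never cleared, so the
# user's primary (and every key under it) can never satisfy its policy again.
revoke_user() {
    tpm2_nvsetbits -C o -i "$(user_mask "$1")" "$NV"
}

# Talks to a real TPM or simulator only when explicitly requested.
if [ "${RUN_TPM_DEMO:-0}" = 1 ]; then
    setup_nv; provision_user 1; provision_user 2; revoke_user 1
fi
```

Run with `RUN_TPM_DEMO=1 sh script.sh` against a simulator; afterwards any policy session for user 1 fails at tpm2_policynv while user 2 still loads and uses its key.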