It sounds like you need to be able to "tpm2_ptool link" persistent keys which is
a feature tracked on ticket: https://github.com/tpm2-software/tpm2-pkcs11/issues/611
So it's currently unimplemented. I can put it on the next feature release.
From: Emmanuel Deloget <emmanuel(a)deloget.com>
Sent: Thursday, September 23, 2021 12:37 AM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] tpm2-pkcs11 : import config from the deprecated tpm2-pk11 project
I'm trying to import my PKCS11 configuration from the old, fully deprecated project
tpm2-pk11. In this setup, the tpm2 holds persistent RSA keys and associates them with
adequately named certificates located on the file system. I understand that this should
have been done a lot earlier (but then, even a lot earlier would not have changed much, as
the development and even the first distributed products predated the very first commit of
tpm2-pkcs11); unfortunately, days are limited and my todo list is way too long.
Keys were generated using tpm2_create a long, long time ago.
Since this is a really old setup, I no longer have the key.pub and key.priv files
available (they were trashed, as they are no longer useful). I can get the public key
through tpm2_readpublic but that won't help me much.
Now, the "Interoperability with Existing TPM2 Objects" document proposes a way
to init tpm2-pkcs11 using keys that were created with tpm2_create. Unfortunately, it seems
it also requires two things I cannot provide:
* pincodes, for /tpm2_ptool addtoken/ (this is an embedded platform; no pin codes; if
I'm forced to add them they'll end up as environment vars anyway, so there is no
real interest in pin codes in this situation)
* the key files, for /tpm2_ptool link/ (key.pub and key.priv are no longer available)
Is there any other way to import my configuration into tpm2-pkcs11? Not being able to do
it means that some of our oldest customers will have bricked hardware (one of the
current tokens is used to identify the hardware and is set during production, so not being
able to reload it essentially means that this hardware will not be able to identify itself
to our services and will not work at all), and this is a hard sell...
-- Emmanuel Deloget
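The flow the thread is pointing at, as an added example that is not part of the thread or of the tpm2-pkcs11 project itself: the "Interoperability with Existing TPM2 Objects" steps wrapped in POSIX sh, with the two preconditions the exchange turns on checked before anything touches the TPM, namely a persistent primary handle in the 0x81 range and the key.pub/key.priv blobs that `tpm2_ptool link` consumes (a persistent handle alone is exactly the case tracked in issue #611). The tpm2_ptool flag names and the positional file order for `link` follow the project's documentation as I know it and should be confirmed against `tpm2_ptool link --help` for the release in use; the handle value, token label, PINs and file names are made-up assumptions.

```shell
#!/bin/sh
# Added example, not code from the list thread or from the tpm2-pkcs11 project.
# It wraps the procedure from the project's "Interoperability with Existing TPM2
# Objects" document in functions so the preconditions can be checked without a TPM.
# Assumptions (not stated in the thread): tpm2_ptool is on PATH, the flag names
# --path/--primary-handle/--pid/--sopin/--userpin/--label/--key-label match the
# tpm2-pkcs11 release in use, and the positional order "key.pub key.priv" for
# link follows that document; confirm with `tpm2_ptool link --help` first.
# Handle values, labels and PINs below are made up.

# Persistent handles carry the TPM_HT_PERSISTENT tag 0x81 (TCG TPM 2.0 Library,
# Part 2), i.e. 0x81000000-0x81FFFFFF. Returns 0 if $1 is one, 1 otherwise.
is_persistent_handle() {
    case "$1" in
        0[xX]81[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

# tpm2_ptool link imports a key from the blobs tpm2_create wrote (key.pub and
# key.priv), not from a loaded or persistent handle. Returns 0 only if both exist.
have_key_blobs() {
    [ -r "$1" ] && [ -r "$2" ]
}

# run_import PRIMARY_HANDLE KEY_PUB KEY_PRIV TOKEN_LABEL SOPIN USERPIN
# Rebuilds a tpm2-pkcs11 store around an existing persistent primary key and
# links one existing child key into it. Stops before touching the TPM if either
# precondition discussed in the thread is not met.
run_import() {
    primary="$1"; pub="$2"; priv="$3"; label="$4"; sopin="$5"; userpin="$6"
    store="${TPM2_PKCS11_STORE:-$HOME/.tpm2_pkcs11}"

    if ! is_persistent_handle "$primary"; then
        echo "run_import: $primary is not a persistent handle (0x81xxxxxx)" >&2
        return 1
    fi
    if ! have_key_blobs "$pub" "$priv"; then
        echo "run_import: need both $pub and $priv; a handle alone cannot be linked" >&2
        return 1
    fi

    mkdir -p "$store"
    # The store's primary object points at the already-persisted primary key.
    tpm2_ptool init --primary-handle="$primary" --path="$store"
    # addtoken requires both PINs; there is no PIN-less mode in the tool.
    tpm2_ptool addtoken --pid=1 --sopin="$sopin" --userpin="$userpin" \
        --label="$label" --path="$store"
    # Import the existing child key; this is the step that needs the blobs.
    tpm2_ptool link --label="$label" --userpin="$userpin" --key-label="legacy-rsa" \
        --path="$store" "$pub" "$priv"
}

# Only drive the TPM when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "import" ]; then
    run_import 0x81000001 key.pub key.priv legacytoken mysopin myuserpin
fi
```

Run as `sh import.sh import` on a host with the TPM and tpm2_ptool available; sourced or run without the argument it only defines the functions. The point the two guards make is the one in the reply above: with the blobs gone, the documented path stops at `have_key_blobs`, and nothing in the current tool set turns a persistent handle into a linkable object.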