tpm2sh 0.12.3 loads and processes multi-level ancestor chains correctly, and policy expressions now have a more stable, custom-built parser:

https://crates.io/crates/tpm2sh

The functionality is still mostly focused on key management and TPMKey ASN.1 generation from various internal and external sources, making it a tool with a kernel testing focus. I've added an optional parentPubkey field to the original TPMKey ASN.1 because it allows "tpm2sh load" to be ergonomic: it can traverse persistent and cached keys and discover the parent, instead of requiring an explicit '--parent' argument.

This transcript demonstrates the added ergonomics well:

  ~ main ≡ ❯ tpm2sh create-primary ecc-nist-p256:sha256 vtpm:80000000
  ~ main ≡ ❯ set DIGEST (tpm2sh policy --mode software 'pcr(sha256:7) or pcr(sha256:15)')
  ~ main ≡ ❯ tpm2sh create -P vtpm:80000000 --data deadbeef --policy $DIGEST keyedhash:sha256 | tpm2sh load vtpm:80000001
  ~ main ≡ ❯ tpm2sh policy --mode session 'pcr(sha256:7) or pcr(sha256:15)' vtpm:03000000
  ~ main ≡ ❯ tpm2sh unseal -A vtpm:03000000 vtpm:80000001
  deadbeef
  ~ main ≡ ❯ openssl genrsa -out private.pem 2048
  ~ main ≡ ❯ tpm2sh convert -P vtpm:80000000 -I private.pem | tpm2sh load vtpm:80000002

Without the extra field, the load commands would also need "-P vtpm:80000000".

BR, Jarkko
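
The transcript above seals data under the software-computed digest of 'pcr(sha256:7) or pcr(sha256:15)' and later unseals it through a session that satisfies the same expression. The following is an added example, not tpm2sh's code and not a description of how its parser or its `--mode software` path is implemented: it parses that expression syntax (pcr(bank:index) terms joined with 'or', generalised to comma-separated index lists) and computes the policy digest in software using the TPM2_PolicyPCR and TPM2_PolicyOR digest-extension rules from the TPM 2.0 Library specification. The PCR values are constructed, and the helper names (`parse_policy`, `compute_policy`, `SAMPLE_PCRS`) are this example's own.

```python
"""Added example, not tpm2sh's own code: parse 'pcr(bank:index)' terms joined
with 'or' and compute the policy digest in software using the TPM2_PolicyPCR
and TPM2_PolicyOR extension rules from the TPM 2.0 Library specification."""
import hashlib
import re
import struct

TPM_CC_POLICYPCR = 0x0000017F   # TPM2_PolicyPCR command code
TPM_CC_POLICYOR = 0x00000171    # TPM2_PolicyOR command code
TPM_ALG_ID = {"sha1": 0x0004, "sha256": 0x000B, "sha384": 0x000C}
HASH = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha384": hashlib.sha384}
PCR_SELECT_BYTES = 3            # 24 PCRs per bank -> 3 selection bytes

# One token is either a pcr(bank:index[,index...]) term or the keyword 'or'.
_TOKEN = re.compile(r"\s*(?:(pcr)\(([a-z0-9]+):(\d+(?:,\d+)*)\)|(or)\b)")


def parse_policy(expr):
    """Return a list of (bank_alg, pcr_indices) branches for an expression
    such as 'pcr(sha256:7) or pcr(sha256:15)'.  Raises ValueError on input
    the grammar does not accept."""
    expr = expr.strip()
    branches, pos, expect_term = [], 0, True
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"syntax error at offset {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1):                       # a pcr(...) term
            if not expect_term:
                raise ValueError("two terms without 'or' between them")
            bank = m.group(2)
            if bank not in TPM_ALG_ID:
                raise ValueError(f"unsupported PCR bank {bank!r}")
            idx = tuple(sorted({int(i) for i in m.group(3).split(",")}))
            if idx[-1] >= PCR_SELECT_BYTES * 8:
                raise ValueError("PCR index out of range")
            branches.append((bank, idx))
            expect_term = False
        else:                                # the keyword 'or'
            if expect_term:
                raise ValueError("'or' without a preceding term")
            expect_term = True
    if expect_term:
        raise ValueError("empty expression or trailing 'or'")
    return branches


def is_valid_policy(expr):
    """True if parse_policy accepts the expression, False otherwise."""
    try:
        parse_policy(expr)
        return True
    except ValueError:
        return False


def pcr_selection(bank, idx):
    """Marshal a TPML_PCR_SELECTION holding one TPMS_PCR_SELECTION:
    count (u32) || hashAlg (u16) || sizeofSelect (u8) || pcrSelect bitmap."""
    select = bytearray(PCR_SELECT_BYTES)
    for i in idx:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_ID[bank], PCR_SELECT_BYTES) + bytes(select)


def policy_pcr(session_alg, bank, idx, bank_values):
    """TPM2_PolicyPCR applied to a fresh (all-zero) policy digest:
    new = H(zero || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values))
    where H is the policy session's hash algorithm."""
    h = HASH[session_alg]
    pcr_digest = h(b"".join(bank_values[i] for i in idx)).digest()
    zero = bytes(h().digest_size)
    return h(zero + struct.pack(">I", TPM_CC_POLICYPCR)
             + pcr_selection(bank, idx) + pcr_digest).digest()


def policy_or(session_alg, branch_digests):
    """TPM2_PolicyOR: the digest is reset to zero and extended with the
    command code and the concatenated branch digests (order matters)."""
    h = HASH[session_alg]
    zero = bytes(h().digest_size)
    return h(zero + struct.pack(">I", TPM_CC_POLICYOR) + b"".join(branch_digests)).digest()


def compute_policy(expr, pcr_values, session_alg="sha256"):
    """Software evaluation of the whole expression.  pcr_values maps a bank
    name to {index: pcr_value}.  A single term needs no PolicyOR."""
    digests = [policy_pcr(session_alg, bank, idx, pcr_values[bank])
               for bank, idx in parse_policy(expr)]
    return digests[0] if len(digests) == 1 else policy_or(session_alg, digests)


# Constructed sample PCR state (hypothetical values, not from any real machine):
# PCR7 extended once with a made-up measurement, PCR15 still at its reset value.
SAMPLE_PCRS = {
    "sha256": {
        7: hashlib.sha256(bytes(32) + hashlib.sha256(b"constructed PCR7 event").digest()).digest(),
        15: bytes(32),
    }
}
EXPR = "pcr(sha256:7) or pcr(sha256:15)"

if __name__ == "__main__":
    print("branches:", parse_policy(EXPR))
    print("policy digest:", compute_policy(EXPR, SAMPLE_PCRS).hex())
```

Two properties worth noticing when reading the output: the digest binds both the PCR selection bitmap and the PCR contents, so a changed PCR7 value or a differently-worded selection produces a different digest, and the PolicyOR branch order is part of the digest, so the session-side expression must list the branches in the same order as the one used at create time or the unseal will fail.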
