In the book "A Practical Guide to TPM 2.0", there is a process describing
key distribution, which is as follows:
1. The central IT system creates an HMAC key using TPM2_GetRandom.
2. The central IT system encrypts the HMAC key with the public portion of the target
client’s storage key.
3. The central IT system signs the encrypted HMAC key with its private signing key.
This is done so the local platform knows that what is being sent is authorized by IT.
4. The encrypted HMAC key is sent to the client along with a signature that proves it
came from the central IT system.
5. The client verifies the signature on the encrypted key by loading the central
server’s public key. (This can be done with the TPM using TPM2_Load and then using
TPM2_VerifySignature, if you like.)
6. The client imports the verified, encrypted HMAC key into its system using
TPM2_Import, getting out a loadable, encrypted blob containing the HMAC key.
7. The client loads the HMAC key when the user wishes to use it, using TPM2_Load, and
uses it as normal. At this point, the local platform has received an HMAC key from the IT
system that has never been decrypted in the local system’s memory.
I wonder how to encrypt the HMAC key and how to import it using TPM2_Import. How do you
import a symmetric key encrypted with an RSA public key? Any replies are appreciated.
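Steps 2 and 6 are where the question sits, so here is an added example (not from the book or the post) of what the sender builds for TPM2_Import. The RSA storage key does not encrypt the HMAC key directly: it OAEP-encrypts a random seed (label "DUPLICATE"), and KDFa derives from that seed an AES-128-CFB key and an HMAC key that protect the marshalled TPM2B_SENSITIVE; the three outputs are the command's objectPublic (as TPMT_PUBLIC), duplicate and inSymSeed. It assumes an RSA-2048 parent with SHA-256 nameAlg and AES-128 symmetric scheme and needs the `cryptography` package; the RSA key made in `demo()` stands in for the client's storage key, and `unwrap_as_tpm` mirrors the TPM's side only so the blob can be checked offline.

```python
import os, struct, hmac, hashlib
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
TPM_ALG_KEYEDHASH, TPM_ALG_SHA256, TPM_ALG_HMAC = 0x0008, 0x000B, 0x0005
OAEP = padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), b"DUPLICATE\x00")  # label keeps its NUL
def tpm2b(b):  # TPM2B_*: 2-byte big-endian size prefix
    return struct.pack(">H", len(b)) + b
def kdfa(key, label, ctx_u, ctx_v, bits):  # KDFa: SP800-108 counter mode with HMAC-SHA256
    out, i = b"", 1
    while len(out) < bits // 8:  # the 0x00 after label is the string's NUL terminator
        msg = struct.pack(">I", i) + label + b"\x00" + ctx_u + ctx_v + struct.pack(">I", bits)
        out += hmac.new(key, msg, hashlib.sha256).digest(); i += 1
    return out[:bits // 8]
def aes128_cfb(key, data, decrypt=False):  # duplication uses CFB128 with an all-zero IV
    c = Cipher(algorithms.AES(key), modes.CFB(bytes(16))); op = c.decryptor() if decrypt else c.encryptor()
    return op.update(data) + op.finalize()
def marshal_hmac_key(hmac_key, obfuscate, auth=b""):
    """TPMT_PUBLIC, Name and TPM2B_SENSITIVE of a keyedhash/HMAC object (sign|userWithAuth|noDA)."""
    attrs = 0x00040000 | 0x00000040 | 0x00000400  # fixedTPM and fixedParent CLEAR, so it is importable
    params = struct.pack(">HH", TPM_ALG_HMAC, TPM_ALG_SHA256)  # TPMS_KEYEDHASH_PARMS: HMAC with SHA-256
    unique = tpm2b(hashlib.sha256(obfuscate + hmac_key).digest())  # unique = H(seedValue || key)
    public = struct.pack(">HHI", TPM_ALG_KEYEDHASH, TPM_ALG_SHA256, attrs) + tpm2b(b"") + params + unique
    name = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public).digest()
    sensitive = tpm2b(struct.pack(">H", TPM_ALG_KEYEDHASH) + tpm2b(auth) + tpm2b(obfuscate) + tpm2b(hmac_key))
    return public, name, sensitive
def wrap_for_import(parent_pub, hmac_key):  # step 2 on the IT server; needs only the client's public key
    public, name, sensitive = marshal_hmac_key(hmac_key, os.urandom(32))
    seed = os.urandom(32)  # one digest of the parent's nameAlg
    enc_sens = aes128_cfb(kdfa(seed, b"STORAGE", name, b"", 128), sensitive)
    outer = hmac.new(kdfa(seed, b"INTEGRITY", b"", b"", 256), enc_sens + name, hashlib.sha256).digest()
    return public, tpm2b(outer) + enc_sens, parent_pub.encrypt(seed, OAEP)  # objectPublic, duplicate, inSymSeed
def unwrap_as_tpm(parent_priv, public, duplicate, enc_seed):  # what TPM2_Import does; offline check only
    seed = parent_priv.decrypt(enc_seed, OAEP)
    name = struct.pack(">H", TPM_ALG_SHA256) + hashlib.sha256(public).digest()
    n = struct.unpack(">H", duplicate[:2])[0]; outer, enc_sens = duplicate[2:2 + n], duplicate[2 + n:]
    expect = hmac.new(kdfa(seed, b"INTEGRITY", b"", b"", 256), enc_sens + name, hashlib.sha256).digest()
    if not hmac.compare_digest(outer, expect):
        raise ValueError("outer HMAC mismatch: blob tampered or wrapped to another parent")
    sens, pos = aes128_cfb(kdfa(seed, b"STORAGE", name, b"", 128), enc_sens, True), 4  # skip size, type
    for _ in range(3):  # authValue, seedValue, key as TPM2Bs
        ln = struct.unpack(">H", sens[pos:pos + 2])[0]; field, pos = sens[pos + 2:pos + 2 + ln], pos + 2 + ln
    return field
def demo():  # constructed run: a fresh RSA parent stands in for the client's storage key
    parent, hmac_key = rsa.generate_private_key(65537, 2048), os.urandom(32)  # key as from TPM2_GetRandom
    public, duplicate, enc_seed = wrap_for_import(parent.public_key(), hmac_key)
    return {"key": hmac_key, "recovered": unwrap_as_tpm(parent, public, duplicate, enc_seed),
            "public": public, "duplicate": duplicate, "in_sym_seed": enc_seed, "parent": parent}
```

The HMAC key appears in the clear only on the IT server and inside the TPM; on the client it exists only as the duplicate blob, which is what step 6 hands to TPM2_Import.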