In the file Documentation/security/keys-trusted-encrypted, an example is shown for to create an encrypted key rooted in trusted key. Basically, the following should work:

KMK_KEY=$(keyctl add trusted kmk "new 32" @u)
keyctl pipe $KMK_KEY > ~/kmk-trusted.blob
EVM_KEY=$(keyctl add encrypted evm "new default trusted:kmk 32" @u)
keyctl pipe $EVM_KEY > ~/evm-trusted.blob

But the last command does not work. It reports "keyctl_read_alloc: Operation not supported"

strace shows this:

keyctl(KEYCTL_READ, 404204492, NULL, 0) = 185
keyctl(KEYCTL_READ, 404204492, 0x557a43f66260, 185) = -1 EOPNOTSUPP (Operation not supported) 

I've tried this on kernel 4.4.163, 4.14.83, and 4.20.6, on a machine with real TPM, and a virtual TPM in a VM, both versions 1.2 and 2.0 and none of the cases work. 

"Trusted" keys are encrypted as a module and "Encrypted" keys are compiled into the kernel.

I think i found the problem in /usr/src/linux/security/keys/encrypted-keys/encrypted.h: 

#if defined(CONFIG_TRUSTED_KEYS) || \
  (defined(CONFIG_TRUSTED_KEYS_MODULE) && defined(CONFIG_ENCRYPTED_KEYS_MODULE))
extern struct key *request_trusted_key(const char *trusted_desc,
                                       const u8 **master_key, size_t *master_keylen);
#else
static inline struct key *request_trusted_key(const char *trusted_desc,
                                              const u8 **master_key,
                                              size_t *master_keylen)
{
        return ERR_PTR(-EOPNOTSUPP);
}
#endif 

The #if is false if CONFIG_TRUSTED_KEYS_MODULE && CONFIG_ENCRYPTED_KEYS. If I compile both "trusted" and "encrypted" keys in the kernel the problem goes away and it works normally. I have'nt tested both as module but I presume that would work too - basically any combination except the one I have.