Thanks guys, I'll try this, but I also wanted to know if there is a way to know if the TPM still has the EK and AK keys loaded? I have the EK handle and AK handle (not made persistent), but I want to make sure they're present, as these are necessary for ActivateCredential to succeed.
Esys_ActivateCredential complaining about the secret parameter doesn't make sense to me. I tested on the server side: ak_name is the same as that sent, and so is the EK_PUB object as well as the EK_Cert in NVRAM. I call the same external_makecredential call that's in the GitHub to create the secret, and made sure secret and credblob match on the client side when received from the server.


On Tue, Mar 17, 2020 at 6:19 AM Imran Desai wrote:
Set this up with all handles in use made persistent. If you still see issues, gdb-break or turn on debug logging at the Esys call and compare the function arguments.
