We have a set of boxes that use TPM2_Sign() to sign a cryptographic challenge during a startup process. The signing key is protected by a PCR policy; this policy is the only policy in the session authorizing the sign. Occasionally, one of these boxes will start returning 0x99d and refuse to sign the challenge, after which it seems to be stuck in this inconsistent state until we generate a new signing key.

We are currently in the process of investigating if the PCRs have changed in these cases; in the meantime, I wanted to ask here if there are any other causes beyond the PCRs changing that could cause this error code, so that we can investigate. We also believe it unlikely that the PCR update counter is an issue as we would be expecting a TPM_RC_PCR_CHANGED return code in this case.

Appreciate any insight you may have.

Nick Meyer
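An added example, not part of the original post: a decoder for the TPM 2.0 response-code bit layout (TPM 2.0 Library specification, Part 2, TPM_RC), applied to the 0x99d value reported above and to the PCR-related codes mentioned. The function name and the deliberately partial name tables are choices made for this example.

```python
# Added example: decode a TPM 2.0 response code (TPM_RC) into its fields.
# Name tables are intentionally partial; unknown codes are shown as base+offset.

RC_VER1 = 0x100   # base for format-zero TPM 2.0 errors
RC_FMT1 = 0x080   # base for format-one errors (tied to a handle/session/parameter)

FMT1_NAMES = {0x1D: "TPM_RC_POLICY_FAIL"}                       # RC_FMT1 + n
VER1_NAMES = {0x27: "TPM_RC_PCR", 0x28: "TPM_RC_PCR_CHANGED"}   # RC_VER1 + n


def decode_rc(rc):
    """Return a dict describing a 12-bit TPM 2.0 response code."""
    if rc == 0:
        return {"format": 0, "name": "TPM_RC_SUCCESS"}

    if rc & RC_FMT1:                       # bit 7 set: format one
        err = rc & 0x3F                    # bits 5:0 = error number
        out = {"format": 1,
               "name": FMT1_NAMES.get(err, f"RC_FMT1+0x{err:03x}")}
        if rc & 0x040:                     # bit 6 (P): error is in a parameter
            out["subject"], out["index"] = "parameter", (rc >> 8) & 0xF
        elif rc & 0x800:                   # bit 11: error is in a session
            out["subject"], out["index"] = "session", (rc >> 8) & 0x7
        else:                              # otherwise: error is in a handle
            out["subject"], out["index"] = "handle", (rc >> 8) & 0x7
        return out

    # Format zero: bit 8 (V) marks a TPM 2.0 code, bit 10 (T) vendor-defined,
    # bit 11 (S) distinguishes warnings from errors, bits 6:0 = error number.
    err = rc & 0x7F
    out = {"format": 0,
           "tpm2": bool(rc & 0x100),
           "vendor": bool(rc & 0x400),
           "severity": "warning" if rc & 0x800 else "error"}
    if out["tpm2"] and not out["vendor"] and not rc & 0x800:
        out["name"] = VER1_NAMES.get(err, f"RC_VER1+0x{err:03x}")
    else:
        out["name"] = f"0x{rc:03x}"
    return out


if __name__ == "__main__":
    for code in (0x99D, 0x127, 0x128):
        print(f"0x{code:03x} -> {decode_rc(code)}")
```

With this layout, 0x99d is format one, error number 0x1D (TPM_RC_POLICY_FAIL), attributed to session 1 of the command, whereas TPM_RC_PCR_CHANGED is the format-zero code 0x128.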