Hello everyone,

New to the TPM world, I've been reading various docs and forums the past two weeks and I am now attempting to put all the learning into practice.
More specifically, I'm trying to have the TPM create an AES key.
Here is what I did so far:

DEFAULT_HIERARCHY="o"
DEFAULT_ATTRIBUTES="restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda"
DEFAULT_PERSISTENT_HANDLE="0x81010001"
PARENT_PERSISTENT_HANDLE="0x81010002"

tpm2_createprimary --hierarchy=$DEFAULT_HIERARCHY --auth-hierarchy="$OWNER_PASSWORD" --object-attributes=$DEFAULT_ATTRIBUTES --halg sha256 --kalg rsa2048:aes128cfb --out-context-name=$PRIMARY_CONTEXT

tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --context=$PRIMARY_CONTEXT --auth-hierarchy=$OWNER_PASSWORD --persistent=$DEFAULT_PERSISTENT_HANDLE

tpm2_create --context-parent=$PRIMARY_CONTEXT --object-attributes=$DEFAULT_ATTRIBUTES --pubfile=$PUBFILE --privfile=$PRIVFILE --halg sha256 --kalg rsa2048:aes128cfb

tpm2_load --quiet --context=$PRIMARY_CONTEXT --pubfile=$PUBFILE --privfile=$PRIVFILE --out-context=$PARENT_CONTEXT

tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --context=$PARENT_CONTEXT --auth-hierarchy=$OWNER_PASSWORD --persistent=$PARENT_PERSISTENT_HANDLE

All of that is working great; a call to tpm2_listpersistent shows the two keys and their persistent handles.

Then I try to add an AES key to that hierarchy. I want this key to be usable only if some policy is satisfied:

tpm2_create --context-parent=$PARENT_CONTEXT --kalg=aes --pubfile=$PUBFILE --privfile=$PRIVFILE --policy-file=$AUTHORIZED_POLICY

This call returns the following:

WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish ErrorCode (0x000002c4)
ERROR: Esys_Create(0x2C4) - tpm:parameter(2):value is out of range or is not correct for the context
ERROR: Unable to run tpm2_create

I then tried with "aes128" as key algorithm, instead of just "aes":
WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish ErrorCode (0x000002c9)
ERROR: Esys_Create(0x2C9) - tpm:parameter(2):mode of operation not supported
ERROR: Unable to run tpm2_create

I also tried to specify a mode instead ("aes128cfb"):
WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish ErrorCode (0x000002c2)
ERROR: Esys_Create(0x2C2) - tpm:parameter(2):inconsistent attributes
ERROR: Unable to run tpm2_create

After having read all the MAN pages twice, I still have no idea what is going on or what I did wrong. Most if not all of those commands were merely copy/pasted from the MAN pages at https://github.com/tpm2-software/tpm2-tools/tree/master/man .

I'm using a Lenovo X1 Carbon (3rd gen) with Intel PTT enabled, so the system sees a TPM 2.0 device. I can provide more information if needed.
I would greatly appreciate it if someone could provide some guidance on this issue; the TPM world being fascinating so far, I wouldn't want to be stuck on that problem.

Thanks in advance for your help,
Regards,

Nicolas
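As an added illustration (not part of Nicolas's post and not tpm2-tools code): the three codes above (0x2C4, 0x2C9, 0x2C2) all use the TPM 2.0 format-one response-code layout, and "parameter 2" of TPM2_Create is the inPublic template, so each variant was rejected while validating the key's public template (type, mode, attributes, authPolicy) rather than the parent handle or an authorization session. The POSIX shell function below decodes such codes from the bit layout in Part 2 of the TPM 2.0 Library specification; the error-name table and sample codes are the only assumptions it makes.

```shell
#!/bin/sh
# Decode a TPM 2.0 response code (TPM_RC) into its error name and the
# handle/parameter/session it refers to. Example code, not from tpm2-tools.

# Format-one error numbers (low 6 bits) from the TPM_RC table, Part 2.
fmt1_name() {
  case "$1" in
    1) echo ASYMMETRIC ;;  2) echo ATTRIBUTES ;;  3) echo HASH ;;       4) echo VALUE ;;
    5) echo HIERARCHY ;;   7) echo KEY_SIZE ;;    8) echo MGF ;;        9) echo MODE ;;
    10) echo TYPE ;;       11) echo HANDLE ;;     12) echo KDF ;;       13) echo RANGE ;;
    14) echo AUTH_FAIL ;;  15) echo NONCE ;;      16) echo PP ;;        18) echo SCHEME ;;
    21) echo SIZE ;;       22) echo SYMMETRIC ;;  23) echo TAG ;;       24) echo SELECTOR ;;
    26) echo INSUFFICIENT ;; 27) echo SIGNATURE ;; 28) echo KEY ;;      29) echo POLICY_FAIL ;;
    31) echo INTEGRITY ;;  32) echo TICKET ;;     33) echo RESERVED_BITS ;; 34) echo BAD_AUTH ;;
    35) echo EXPIRED ;;    36) echo POLICY_CC ;;  37) echo BINDING ;;   38) echo CURVE ;;
    39) echo ECC_POINT ;;  *) echo "UNKNOWN($1)" ;;
  esac
}

# decode_tpm_rc 0x2C4  ->  "TPM_RC_VALUE parameter 2"
decode_tpm_rc() {
  rc=$(( $1 ))
  if [ $(( rc & 0x80 )) -ne 0 ]; then
    # Format one: bits 5:0 error number, bit 6 = "refers to a parameter",
    # bits 11:8 = index; with bit 6 clear, bit 11 distinguishes session from handle.
    err=$(( rc & 0x3F ))
    idx=$(( (rc >> 8) & 0xF ))
    if [ $(( rc & 0x40 )) -ne 0 ]; then
      where="parameter $idx"
    elif [ $(( idx & 0x8 )) -ne 0 ]; then
      where="session $(( idx & 0x7 ))"
    else
      where="handle $idx"
    fi
    echo "TPM_RC_$(fmt1_name "$err") $where"
  else
    # Format zero: bits 6:0 error number, bit 8 = TPM 2.0 code (RC_VER1),
    # bit 10 = vendor-defined, bit 11 = warning rather than error.
    err=$(( rc & 0x7F ))
    kind="error"
    if [ $(( rc & 0x800 )) -ne 0 ]; then kind="warning"; fi
    if [ $(( rc & 0x400 )) -ne 0 ]; then kind="vendor $kind"; fi
    ver="TPM1.2-style"
    if [ $(( rc & 0x100 )) -ne 0 ]; then ver="TPM2.0"; fi
    echo "format-zero $ver $kind number $err"
  fi
}

# The three codes from the post above:
for code in 0x2C4 0x2C9 0x2C2; do echo "$code: $(decode_tpm_rc "$code")"; done
```

The same decoder handles codes that name a handle or session (for example 0x18B is TPM_RC_HANDLE on handle 1, 0x98E is TPM_RC_AUTH_FAIL on session 1), which is the first thing to check before reading the man page for the failing command.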