From: tpm2 [mailto:firstname.lastname@example.org] On Behalf Of Nick Meyer
Sent: Friday, April 26, 2019 9:56 AM
Subject: [tpm2] RC 0x99d TPM_RC_POLICY_FAIL causes?

We have a set of boxes that use TPM2_Sign() to sign a cryptographic challenge
during a startup process. The signing key is protected by a PCR policy; this policy is
the only policy in the session authorizing the sign. Occasionally, one of these
boxes will start returning 0x99d and refuse to sign the challenge, after which it
seems to be stuck in this inconsistent state until we generate a new signing key.
We are currently in the process of investigating if the PCRs have changed in these
cases; in the meantime, I wanted to ask here if there are any other causes
beyond the PCRs changing that could cause this error code, so that we can
investigate. We also believe it unlikely that the PCR update counter is an issue as
we would be expecting a TPM_RC_PCR_CHANGED return code in this case.
Appreciate any insight you may have.
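
One way to check offline whether PCR drift explains the failure, as an added example that is not part of the original message or of any tpm2 project code: recompute the digest a single TPM2_PolicyPCR assertion would produce from the PCR values read off an affected box, and compare it with the key's authPolicy. It assumes the SHA-256 PCR bank, a SHA-256 policy session, and a policy consisting of that one assertion; the function names and the sample PCR values are constructed for illustration.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F  # TPM_CC_PolicyPCR command code
TPM_ALG_SHA256 = 0x000B         # assumption: SHA-256 PCR bank and policy hash


def marshal_pcr_selection(indices, size_of_select=3):
    """Marshal a one-bank TPML_PCR_SELECTION: count, hash, sizeofSelect, bitmap."""
    bitmap = bytearray(size_of_select)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)  # PCR i is bit (i % 8) of byte (i // 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, size_of_select) + bytes(bitmap)


def policy_pcr_digest(pcrs):
    """policyDigest after one TPM2_PolicyPCR on a fresh session.

    pcrs maps PCR index -> 32-byte value from the SHA-256 bank.
    """
    indices = sorted(pcrs)
    # digestTPM: hash over the selected PCR values in ascending index order
    digest_tpm = hashlib.sha256(b"".join(pcrs[i] for i in indices)).digest()
    old = bytes(32)  # a new policy session starts from an all-zero digest
    return hashlib.sha256(
        old + struct.pack(">I", TPM_CC_POLICY_PCR)
        + marshal_pcr_selection(indices) + digest_tpm
    ).digest()


def diagnose(auth_policy, baseline, current):
    """Return (policy_satisfied, indices of PCRs that differ from the baseline)."""
    changed = [i for i in sorted(baseline) if current.get(i) != baseline[i]]
    return policy_pcr_digest(current) == auth_policy, changed


# Constructed sample data: PCR values recorded when the key was created,
# and the same box after one extra extend into PCR 7.
BASELINE = {0: bytes.fromhex("11" * 32), 7: bytes.fromhex("22" * 32)}
AUTH_POLICY = policy_pcr_digest(BASELINE)
DRIFTED = dict(BASELINE)
DRIFTED[7] = hashlib.sha256(BASELINE[7] + bytes.fromhex("ab" * 32)).digest()

if __name__ == "__main__":
    print(diagnose(AUTH_POLICY, BASELINE, BASELINE))
    print(diagnose(AUTH_POLICY, BASELINE, DRIFTED))
```

A result of `(False, [7])` points at the PCR whose value no longer matches what the key was bound to; `(True, [])` means the current PCR values still satisfy this policy digest.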