Of the many ways you can achieve this, here is a way to do it with PolicyPcr: extend
a random value to debug-PCR (PCR#16) and create a key with policypcr referencing the debug
As long as no other data is extended into the debug-PCR from this point on, the key can be
used indefinitely as long as pcrpolicy is satisfied.
Extend the debug-PCR once again with another random value once ready to dump the key. The
only reason to use debug-PCR 16 is if you do not want to disturb other PCR values
potentially invalidating the authorization of other TPM objects.
Note: Instead of extending the debug-PCR with a random value, you can also achieve the
same result by simply issuing tpm2_pcrreset on the debug-PCR, which will change the PCR
contents to 0. This will happen anyway when the system or TPM restarts.
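
The following sketch is an added example, not part of the original post: it models in software why a key bound to PCR 16 through PolicyPCR stops being usable once the PCR is extended again or reset. It assumes a SHA-256 bank and a policy consisting of a single PolicyPCR; the function names are hypothetical and no TPM is contacted.

```python
import hashlib
import os
import struct

TPM_ALG_SHA256 = 0x000B          # TPM 2.0 algorithm id for SHA-256
TPM_CC_POLICY_PCR = 0x0000017F   # command code of TPM2_PolicyPCR
DEBUG_PCR = 16                   # the debug PCR used in the post


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """Extend one PCR: new value = H(old value || extended digest)."""
    return sha256(pcr + digest)


def pcr_selection(index: int) -> bytes:
    """Marshalled TPML_PCR_SELECTION choosing one SHA-256 PCR."""
    select = bytearray(3)
    select[index // 8] |= 1 << (index % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)


def policy_pcr_digest(pcr_value: bytes, index: int = DEBUG_PCR) -> bytes:
    """policyDigest after a single PolicyPCR in a fresh session:
    H(zero digest || TPM_CC_PolicyPCR || pcr selection || H(PCR values))."""
    return sha256(bytes(32) + struct.pack(">I", TPM_CC_POLICY_PCR)
                  + pcr_selection(index) + sha256(pcr_value))


def key_usable(auth_policy: bytes, current_pcr: bytes) -> bool:
    """The key authorizes only if the session digest equals its authPolicy."""
    return policy_pcr_digest(current_pcr) == auth_policy


def demo() -> dict:
    # Constructed sample flow; random values stand in for the extended data.
    pcr16 = pcr_extend(bytes(32), sha256(os.urandom(32)))   # first extend
    auth_policy = policy_pcr_digest(pcr16)                  # set at key creation
    extended_again = pcr_extend(pcr16, sha256(os.urandom(32)))
    return {
        "before": key_usable(auth_policy, pcr16),
        "after_extend": key_usable(auth_policy, extended_again),
        "after_reset": key_usable(auth_policy, bytes(32)),  # PCR 16 back to 0
    }


if __name__ == "__main__":
    print(demo())
```

The key's authPolicy is fixed at creation, so any later change to PCR 16 makes the session digest differ and the authorization fail.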