Looks like the PCRs changed. If that is an expected consequence of firmware updates,
consider using the policy authorize tool to address the PCR brittleness. Besides that I would
also look into the errors from session handling including whether or not you are starting
a real (non-trial) session when trying to satisfy the pcr policy.
Thanks and Regards,
From: Roberts, William C
Sent: Monday, April 29, 2019 7:29 AM
To: Nick Meyer; tpm2(a)lists.01.org; Desai, Imran
Subject: RE: [tpm2] RC 0x99d TPM_RC_POLICY_FAIL causes?
That error is:
tpm:session(1):a policy check failed
Imran, any ideas?
From: tpm2 [mailto:email@example.com] On Behalf Of Nick Meyer
Sent: Friday, April 26, 2019 9:56 AM
Subject: [tpm2] RC 0x99d TPM_RC_POLICY_FAIL causes?
We have a set of boxes that use TPM2_Sign() to sign a cryptographic challenge
during a startup process. The signing key is protected by a PCR policy; this policy is
the only policy in the session authorizing the sign. Occasionally, one of these
boxes will start returning 0x99d and refuse to sign the challenge, after which it
seems to be stuck in this inconsistent state until we generate a new signing key.
We are currently in the process of investigating if the PCRs have changed in these
cases; in the meantime, I wanted to ask here if there are any other causes
beyond the PCRs changing that could cause this error code, so that we can
investigate. We also believe it unlikely that the PCR update counter is an issue as
we would be expecting a TPM_RC_PCR_CHANGED return code in this case.
Appreciate any insight you may have.
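As an added illustration of the failure mode discussed in this thread (not code from the list or from the tpm2-tools project): a Python model of how TPM2_PolicyPCR folds the selected PCR values into the session's policyDigest, why TPM2_Sign then reports TPM_RC_POLICY_FAIL once a PCR changes, and how TPM2_PolicyAuthorize makes the key's authPolicy depend only on the policy signer's name. It assumes a single SHA-256 bank of 24 PCRs, constructed PCR values and a constructed signer name; the signature verification a real PolicyAuthorize performs is not modelled.

```python
import hashlib, struct

# Constants from the TPM 2.0 Library Specification, Part 2 (Structures).
TPM_ALG_SHA256 = 0x000B
TPM_CC_PolicyPCR = 0x0000017F
TPM_CC_PolicyAuthorize = 0x0000016A
NUM_PCRS = 24
ZERO_DIGEST = bytes(32)  # a fresh policy session starts with a zero policyDigest

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def marshal_pcr_selection(pcr_indices) -> bytes:
    """TPML_PCR_SELECTION with one SHA-256 bank: count, hashAlg, sizeofSelect, bitmap."""
    select = bytearray(NUM_PCRS // 8)
    for i in pcr_indices:
        select[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, len(select)) + bytes(select)

def policy_pcr(session_digest, pcr_indices, pcr_values) -> bytes:
    """TPM2_PolicyPCR: H(policyDigest || TPM_CC_PolicyPCR || pcrs || H(selected PCRs)).
    A real (non-trial) session hashes the live PCR values, so this changes with them."""
    pcr_digest = sha256(*(pcr_values[i] for i in sorted(pcr_indices)))
    return sha256(session_digest, struct.pack(">I", TPM_CC_PolicyPCR),
                  marshal_pcr_selection(pcr_indices), pcr_digest)

def policy_authorize(key_name: bytes, policy_ref: bytes = b"") -> bytes:
    """Digest after TPM2_PolicyAuthorize: policyDigest is reset to zero, then PolicyUpdate
    (TPM_CC_PolicyAuthorize, keySign.name, policyRef) runs as two hash steps. The signature
    check over approvedPolicy that a real session performs first is not modelled."""
    step = sha256(ZERO_DIGEST, struct.pack(">I", TPM_CC_PolicyAuthorize), key_name)
    return sha256(step, policy_ref)

def policy_fails(key_auth_policy: bytes, session_digest: bytes) -> bool:
    # TPM2_Sign compares the session policyDigest with the key's authPolicy; a mismatch is
    # TPM_RC_POLICY_FAIL (0x99d once tagged with session 1, as in the thread).
    return key_auth_policy != session_digest

def demo():
    """Constructed PCR banks before and after a firmware update that rewrites PCR 0."""
    before = {i: sha256(b"pcr%d" % i) for i in range(NUM_PCRS)}
    after, sel = {**before, 0: sha256(b"new firmware")}, [0, 7]
    # Brittle: the key's authPolicy is a PolicyPCR digest over the old values; a real session
    # after the update hashes the new values, the digests differ and TPM2_Sign fails.
    pcr_fails = policy_fails(policy_pcr(ZERO_DIGEST, sel, before), policy_pcr(ZERO_DIGEST, sel, after))
    # PolicyAuthorize: the key's authPolicy binds only the policy signer's name, so a session
    # that ran PolicyPCR(new values) then PolicyAuthorize(signed) ends at that same digest.
    signer_name = struct.pack(">H", TPM_ALG_SHA256) + sha256(b"constructed signer public")
    auth_fails = policy_fails(policy_authorize(signer_name), policy_authorize(signer_name))
    return {"pcr_design_fails": pcr_fails, "authorize_design_fails": auth_fails}
```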