The policy was created according to the example at https://github.com/tpm2-software/tpm2-tools/blob/master/man/tpm2_policyauthorize.1.md

DEFAULT_MEASURED_PCRS="sha1:0,2,3,7,10,14"
DEFAULT_EXTERNAL_ATTRIBUTES="restricted|fixedtpm|fixedparent|noda"

tpm2_pcrlist --sel-list=$DEFAULT_MEASURED_PCRS --out-file=$MEASUREMENTS
tpm2_startauthsession --session=$SESSION
tpm2_policypcr --session=$SESSION --set-list=$DEFAULT_MEASURED_PCRS --pcr-input-file=$MEASUREMENTS --out-policy-file=$POLICY
yubico-piv-tool -a read-certificate -s 9c | openssl x509 -pubkey -noout > $PUBLIC_KEY
OPENSSL_CONF=engine.conf openssl dgst -engine pkcs11 -keyform engine -sha256 -sign 2 -out $POLICY_SIGNATURE $POLICY
tpm2_loadexternal --hierarchy=$DEFAULT_HIERARCHY --key-alg=rsa --pubfile=$PUBLIC_KEY --object-attributes=$DEFAULT_EXTERNAL_ATTRIBUTES --out-context=$SIGNING_CONTEXT --name=$SIGNING_KEY_NAME

tpm2_policyauthorize --session=$SESSION --in-policy-file=$POLICY --out-policy-file=$AUTHORIZED_POLICY --name=$SIGNING_KEY_NAME
tpm2_flushcontext --session=$SESSION

That executes without any errors.

On Thu, Apr 25, 2019, 17:57 Roberts, William C <william.c.roberts@intel.com> wrote:


> -----Original Message-----
> From: tpm2 [mailto:tpm2-bounces@lists.01.org] On Behalf Of Nicolas Broquet
> Sent: Sunday, April 21, 2019 12:07 PM
> To: tpm2@lists.01.org
> Subject: [tpm2] Help needed to setup an AES key
>
> Hello everyone,
>
>
> New to the TPM world, I've been reading various docs and forums the past two
> weeks and I am now attempting to put all the learning into practice.
> More specifically, I'm trying to have the TPM create an AES key.
> Here is what I did so far:
>
>
>
>
>       DEFAULT_HIERARCHY="o"
>       DEFAULT_ATTRIBUTES="restricted|decrypt|fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda"
>       DEFAULT_PERSISTENT_HANDLE="0x81010001"
>       PARENT_PERSISTENT_HANDLE="0x81010002"
>
>       tpm2_createprimary --hierarchy=$DEFAULT_HIERARCHY --auth-hierarchy="$OWNER_PASSWORD" --object-attributes=$DEFAULT_ATTRIBUTES --halg sha256 --kalg rsa2048:aes128cfb --out-context-name=$PRIMARY_CONTEXT
>
>
>       tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --context=$PRIMARY_CONTEXT --auth-hierarchy=$OWNER_PASSWORD --persistent=$DEFAULT_PERSISTENT_HANDLE
>
>
>       tpm2_create --context-parent=$PRIMARY_CONTEXT --object-attributes=$DEFAULT_ATTRIBUTES --pubfile=$PUBFILE --privfile=$PRIVFILE --halg sha256 --kalg rsa2048:aes128cfb
>
>
>       tpm2_load --quiet --context=$PRIMARY_CONTEXT --pubfile=$PUBFILE --privfile=$PRIVFILE --out-context=$PARENT_CONTEXT
>
>
>       tpm2_evictcontrol --hierarchy=$DEFAULT_HIERARCHY --context=$PARENT_CONTEXT --auth-hierarchy=$OWNER_PASSWORD --persistent=$PARENT_PERSISTENT_HANDLE
>
>
>
> All of that is working great; a call to tpm2_listpersistent shows the two keys and
> their persistent handle.
>
>
> Then I try to add an AES key to that hierarchy. I want this key to be usable only if
> some policy is satisfied:
>
>
>
>       tpm2_create --context-parent=$PARENT_CONTEXT --kalg=aes --pubfile=$PUBFILE --privfile=$PRIVFILE --policy-file=$AUTHORIZED_POLICY

Where did you get policy-file from?

>
>
> This call returns the following:
>
>
>
>       WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
>       ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish ErrorCode (0x000002c4)
>       ERROR: Esys_Create(0x2C4) - tpm:parameter(2):value is out of range or is not correct for the context
>       ERROR: Unable to run tpm2_create

FYI there is a scheme in the commands document where there is a thick line that indicates the parameter section for a command. In your case parameter 2 is the public object template. Doesn't seem to like it.

https://trustedcomputinggroup.org/wp-content/uploads/TPM-Rev-2.0-Part-3-Commands-01.38.pdf

You're likely just hitting different checks within the TPM and not really fixing the above issue. Those checks
have wildly complex interactions and I am by no means an expert. I have found the best way is to:
1. see if you can replicate on the software simulator.
2. place software simulator in debugger and figure out what exact check is failing.

>
>
> I then tried with "aes128" as key algorithm, instead of just "aes":
>
>       WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
>       ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish ErrorCode (0x000002c9)
>       ERROR: Esys_Create(0x2C9) - tpm:parameter(2):mode of operation not supported
>       ERROR: Unable to run tpm2_create
>
>
> I also tried to specify a mode instead ("aes128cfb"):
>
>       WARNING:esys:src/tss2-esys/api/Esys_Create.c:412:Esys_Create_Finish() Received TPM Error
>       ERROR:esys:src/tss2-esys/api/Esys_Create.c:156:Esys_Create() Esys Finish ErrorCode (0x000002c2)
>       ERROR: Esys_Create(0x2C2) - tpm:parameter(2):inconsistent attributes
>       ERROR: Unable to run tpm2_create
>
>
>
>
>
> After having read all the MAN pages twice, I still have no idea what is going on or
> what I did wrong. Most if not all of those commands were merely copy/pasted
> from the MAN pages at https://github.com/tpm2-software/tpm2-tools/tree/master/man .
>
>
> I'm using a Lenovo X1 Carbon (3rd gen) with Intel PTT enabled, so the system
> sees a TPM2.0 device. I can provide more information if needed.
> I would greatly appreciate if someone could provide some guidance on this issue;
> the TPM world being fascinating so far, I wouldn't want to be stuck on that
> problem.
>
> Thanks in advance for your help,
> Regards,
>
>
> Nicolas
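The three response codes in the quoted errors (0x2C4, 0x2C9, 0x2C2) can be decoded without tpm2-tools: they are TPM 2.0 format-one codes, and the "parameter(2)" William points at is literally encoded in bits 11..8. The decoder below is an added example, not code from this thread or from tpm2-tools; it follows the TPM_RC layout in TPM 2.0 Library Part 2, and its error table is a partial subset with paraphrased descriptions.

```python
"""Decode TPM 2.0 format-one response codes (bit 7 set), such as the 0x2C4,
0x2C9 and 0x2C2 that tpm2_create returned above. Layout per TPM 2.0 Library
Part 2 (TPM_RC): bits 5..0 error number offset from RC_FMT1 (0x080); bit 6 P
(1 = parameter, 0 = handle/session); bits 11..8 N = 1-based parameter index,
or for P=0 bit 11 selects session (1) vs handle (0) and bits 10..8 the index."""
from dataclasses import dataclass

RC_FMT1 = 0x080

# Subset of the Part 2 format-one error numbers; texts paraphrase the spec.
FMT1_ERRORS = {
    0x01: ("TPM_RC_ASYMMETRIC", "asymmetric algorithm not supported or not correct"),
    0x02: ("TPM_RC_ATTRIBUTES", "inconsistent attributes"),
    0x03: ("TPM_RC_HASH", "hash algorithm not supported or not appropriate"),
    0x04: ("TPM_RC_VALUE", "value is out of range or is not correct for the context"),
    0x07: ("TPM_RC_KEY_SIZE", "key size is not supported"),
    0x09: ("TPM_RC_MODE", "mode of operation not supported"),
    0x0E: ("TPM_RC_AUTH_FAIL", "the authorization HMAC check failed"),
    0x12: ("TPM_RC_SCHEME", "unsupported or incompatible scheme"),
    0x16: ("TPM_RC_SYMMETRIC", "unsupported symmetric algorithm or key size"),
    0x1D: ("TPM_RC_POLICY_FAIL", "a policy check failed"),
}

@dataclass
class Fmt1Error:
    kind: str    # "parameter", "handle" or "session"
    index: int   # 1-based position within the command's handle or parameter area
    name: str    # TPM_RC_* constant name
    text: str

def decode_fmt1(rc: int) -> Fmt1Error:
    """Split a format-one response code into its fields."""
    if not rc & 0x80:
        raise ValueError(f"0x{rc:03X} is a format-zero code; not handled here")
    err = rc & 0x3F
    n = (rc >> 8) & 0xF
    if rc & 0x40:
        kind, index = "parameter", n
    elif n & 0x8:
        kind, index = "session", n & 0x7
    else:
        kind, index = "handle", n
    name, text = FMT1_ERRORS.get(
        err, (f"TPM_RC_0x{RC_FMT1 + err:03X}", "unlisted format-one error"))
    return Fmt1Error(kind, index, name, text)

def describe(rc: int) -> str:
    """Render the code the way tpm2-tools prints it: 'tpm:parameter(2):...'."""
    e = decode_fmt1(rc)
    return f"tpm:{e.kind}({e.index}):{e.text}"
```

For tpm2_create, parameter 2 is inPublic (the TPM2B_PUBLIC template), so all three failures point at the object template rather than at the parent handle or the policy digest.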