Good afternoon all,

I'm seeing some odd behavior when trying to use the TPM2_Sign command in an EFI application.
I'm guessing what I'm seeing is vendor-dependent, but I wanted to throw it out here too in case there are other avenues I can look down while I'm trying to contact the vendor.

What I'm seeing is, when trying to sign with a loaded key, I'm getting a TPM_RC_VALUE error (exact code 0x84). The specification indicates this would be received if "the value to sign is larger than allowed for the type of keyHandle". However, I have intercepted the marshaled command and inspected it, and this is not the case.

I have verified that the key has the Sign attribute; the key's signature scheme is TPM_ALG_NULL and this is defined to SHA256 in the TPM2_Sign command; and that the hash value being sent in the TPM2_Sign TPM2B_DIGEST value is in fact the 32 bytes expected for an SHA256 hash.

The command is being sent via the EFI EFI_TCG2_PROTOCOL Submit Command operation, and I've validated in the vendor BIOS this is the correct protocol; plus there are some cases on other machines where this sign operation DOES work.

Is there any other reason this error code might be returned from a TPM2_Sign command? I can't believe it would be, but is there some kind of format or value expected in the provided hash? (This is NOT a restricted signing key)

For reference, here is an example marshaled command that fails:

     | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
------------------------------------------------------
0x00 | 80 02 00 00 00 49 00 00 01 5d 80 00 00 01 00 00 
0x10 | 00 09 03 00 00 00 00 00 01 00 00 00 20 e8 d0 09
0x20 | 45 d9 65 bf 21 46 cd 48 1f 57 72 82 bb 38 a7 a6 
0x30 | 70 c6 4d e3 a9 32 21 4f f3 7b 63 3f 8e 00 14 00
0x40 | 0b 80 24 40 00 00 07 00 00

Thanks for any insight.
--

Nick Meyer

Oath: