Hi everyone, I am having a hard time finding where happens the creation of policy(authorization) for the tpm2-tools to create AIK under the EK hierarchy? I know the sequence goes like this: Createk ... Creatak ... using the object context created by EK But the EK context object does not carry the Policy Authorization for creating AIK, so I am guessing the TSS2 stack is creating it based on the input form the tools. I also tried looking up in the TCG spec for more information what is the authorization procedure to enable use of the EK Hierarchy, but the search on the TCG website returned only blog posts and two mentions of AIK in https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisi... In this document, endorsementPolicy and endorsementAuth are mentioned, but I am having hard time finding how the TSS / Tools interact to set those and later use them for the creation of AIK. Could someone point me to the right place of code? Best, Dimi