I'm working on implementing a TPM2_Sign operation protected by a PCR
policy. I have discovered that the policy digest appears to be zeroed out
as part of the sign operation.
The initial symptom of this was a 0x99d return code (TPM_RC_POLICY_FAIL) on
a second sign operation (in a test suite). In order to debug, I
placed TPM2_PolicyGetDigest commands immediately before and after the first
sign. The preceding policy digest is as expected a random-looking hash; the
policy digest immediately following the sign command is all zeroes.
I realized at that point that I had forgotten to set the continueSession
bit in the session attribute flags of the auth structure I passed to
TPM2_Sign. I fixed this, but it had no impact on the outcome or my
The first sign operation returns RC_SUCCESS as expected, and after making the
change I see the continueSession bit set in both the command and response auth
structures; however, the subsequent policy digest is still zeroed out.
I had considered that a PCR was possibly being changed somehow,
invalidating the PCR policy; however, I would expect TPM_RC_PCR_CHANGED to
be returned in this case, not TPM_RC_POLICY_FAIL.
Is there another reason that this *successful* sign operation would be
invalidating the session?
Thanks for your insight.
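A worked check for the state described in the post above, added here by the editor and not code from the original poster or from any TPM stack: it computes offline what TPM2_PolicyGetDigest should report after TPM2_PolicyPCR on a fresh session, using the TPM2_PolicyPCR update rule from the TPM 2.0 Library spec (Part 3), policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || pcrDigest), and then triages an observed session digest against that expectation. It assumes SHA-256 as the policy and PCR bank hash and a single TPMS_PCR_SELECTION; the PCR values in the main block are constructed sample data, not real measurements. For reference, the spec also says a policy session's policyDigest is reset to the zero digest once the session has been used to authorize a command, independent of continueSession, so a zero digest after a successful sign is the expected state and the policy has to be re-run before the session can authorize again.

```python
"""Offline computation of the expected TPM 2.0 PCR-policy digest.

Added example, not code from the original post.  Assumes a SHA-256 policy
hash, a single TPMS_PCR_SELECTION, and the TPM2_PolicyPCR update rule from
the TPM 2.0 Library spec, Part 3:
    policyDigest_new = H(policyDigest_old || TPM_CC_PolicyPCR || pcrs || pcrDigest)
"""
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F   # TPM2_PolicyPCR command code (Part 2)
TPM_ALG_SHA256 = 0x000B          # TPM_ALG_ID for SHA-256
DIGEST_LEN = 32
ZERO_DIGEST = bytes(DIGEST_LEN)  # policyDigest of a fresh (or consumed) session


def pcr_selection(pcr_indices, alg=TPM_ALG_SHA256, size_of_select=3):
    """Marshal one TPMS_PCR_SELECTION: hash alg (UINT16), sizeofSelect (UINT8), bitmap."""
    bitmap = bytearray(size_of_select)
    for idx in pcr_indices:
        if not 0 <= idx < size_of_select * 8:
            raise ValueError(f"PCR index {idx} out of range for sizeofSelect={size_of_select}")
        bitmap[idx // 8] |= 1 << (idx % 8)
    return struct.pack(">HB", alg, size_of_select) + bytes(bitmap)


def pcr_selection_list(selections):
    """Marshal a TPML_PCR_SELECTION: count (UINT32) followed by each selection."""
    return struct.pack(">I", len(selections)) + b"".join(selections)


def pcr_digest(pcr_values):
    """pcrDigest = H(concatenation of the selected PCR values, ascending index order)."""
    h = hashlib.sha256()
    for value in pcr_values:
        if len(value) != DIGEST_LEN:
            raise ValueError("each PCR value must be a SHA-256 digest (32 bytes)")
        h.update(value)
    return h.digest()


def policy_pcr_update(policy_old, pcrs_marshaled, pcr_dig):
    """One TPM2_PolicyPCR extension of the session's policyDigest."""
    return hashlib.sha256(
        policy_old + struct.pack(">I", TPM_CC_POLICY_PCR) + pcrs_marshaled + pcr_dig
    ).digest()


def expected_pcr_policy(pcr_indices, pcr_values):
    """Digest TPM2_PolicyGetDigest should report after TPM2_PolicyPCR on a fresh session."""
    pcrs = pcr_selection_list([pcr_selection(pcr_indices)])
    return policy_pcr_update(ZERO_DIGEST, pcrs, pcr_digest(pcr_values))


def classify_session_digest(observed, expected):
    """Triage a TPM2_PolicyGetDigest result against the offline expectation."""
    if observed == ZERO_DIGEST:
        return "zero"        # fresh session, or already consumed by an authorization
    if observed == expected:
        return "match"       # session is armed for exactly this PCR policy
    return "mismatch"        # PCR values differ, or a different policy sequence was run


if __name__ == "__main__":
    # Constructed sample PCR values (hypothetical, not real measurements).
    pcr0 = hashlib.sha256(b"boot-measurement").digest()
    pcr7 = hashlib.sha256(b"secure-boot-state").digest()
    expected = expected_pcr_policy([0, 7], [pcr0, pcr7])
    print("expected policy digest:", expected.hex())
    # What the two PolicyGetDigest probes from the post would classify as:
    print("before sign:", classify_session_digest(expected, expected))
    print("after sign :", classify_session_digest(ZERO_DIGEST, expected))
```

To use this against a real session, read the bank values with TPM2_PCR_Read (or tpm2_pcrread), feed them to expected_pcr_policy in ascending index order with the same selection you passed to TPM2_PolicyPCR, and compare with the bytes returned by TPM2_PolicyGetDigest before the sign: a "match" there followed by "zero" after a successful sign is the consumed-session case, whereas "mismatch" before the sign points at a PCR or selection discrepancy instead.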