Hi,
My goal is to verify the integrity of a file (its hash is
962f4b6aeb8b2d74dc595257cb4384fc266283816acc4940622f29ad748bcb6e) with a pcr policy. But I
do not need to include a secret user data. So here is what I've done so far:
- `tpm2_pcrreset 16`
- `tpm2_pcrextend 16:sha256=962f4b6aeb8b2d74dc595257cb4384fc266283816acc4940622f29ad748bcb6e`
- `tpm2_createprimary -C o -G rsa2048 -c primary`
- `tpm2_startauthsession -S session`
- `tpm2_policypcr -S session -l sha256:16 -L pcr16_policy`
- `tpm2_flushcontext session`
- `tpm2_create -C primary -g sha256 -u pcr16.pub -r pcr16.priv -L pcr16_policy` => here I do NOT include any user data
- `tpm2_load -C primary -u pcr16.pub -r pcr16.priv -c pcr16`
- `tpm2_evictcontrol -c pcr16 0x81010000 -C o`
Until now I've created a sealing object that I stored on the NV-RAM. Now I want to
verify the file against the policy I've just created. So I reset PCR16, hash my file
again and extend PCR16 with the new hash.
- And now start a policy session with `tpm2_startauthsession --policy-session -S session`
- `tpm2_policypcr -S session -l sha256:16` to include the PCR value into the session
Now comes the problem
- `tpm2_unseal -p session:session -c 0x81010000`
returns an ERROR:
WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x0000018a)
ERROR: Esys_Unseal(0x18A) - tpm:handle(1):the type of the value is not appropriate for the use
ERROR: Unable to run tpm2_unseal
I'm pretty sure that this comes from the fact that I did not include any user data
when creating the sealing object.
So my question: If I just want to verify the integrity of a file, is unseal still the
right command?
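Added example (my own code, not part of the post above): it recomputes offline what the TPM should hold after the steps listed, namely the PCR 16 value after `tpm2_pcrreset` plus one `tpm2_pcrextend`, and the PolicyPCR digest that `tpm2_policypcr -l sha256:16` writes to `pcr16_policy`, so both can be compared against `tpm2_pcrread sha256:16` and the policy file before attempting the unseal. It assumes a 24-PCR SHA-256 bank and a fresh trial session (all-zero starting policy digest), as in the post.

```python
import hashlib

# Constants from the TPM 2.0 Library Specification, Part 2 (Structures)
TPM_ALG_SHA256 = 0x000B
TPM_CC_PolicyPCR = 0x0000017F
PCR_SELECT_SIZE = 3  # sizeofSelect for a 24-PCR bank (assumed, matches most TPMs)

# File hash quoted in the post; in real use take it from `sha256sum <file>`
FILE_HASH = bytes.fromhex(
    "962f4b6aeb8b2d74dc595257cb4384fc266283816acc4940622f29ad748bcb6e")


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for a SHA-256 bank: new = H(current || digest)."""
    return hashlib.sha256(current + digest).digest()


def expected_pcr_after_reset_extend(digests) -> bytes:
    """PCR 16 is resettable: tpm2_pcrreset sets it to 32 zero bytes,
    then every tpm2_pcrextend folds one digest in, order-dependent."""
    value = bytes(32)
    for d in digests:
        value = pcr_extend(value, d)
    return value


def marshal_pcr_selection(pcrs, alg: int = TPM_ALG_SHA256) -> bytes:
    """Marshal a one-bank TPML_PCR_SELECTION: count(UINT32) || hash(UINT16)
    || sizeofSelect(UINT8) || pcrSelect bitmap (bit n of byte n//8 = PCR n)."""
    select = bytearray(PCR_SELECT_SIZE)
    for p in pcrs:
        select[p // 8] |= 1 << (p % 8)
    return ((1).to_bytes(4, "big") + alg.to_bytes(2, "big")
            + bytes([PCR_SELECT_SIZE]) + bytes(select))


def policy_pcr_digest(pcr_values, pcrs, alg: int = TPM_ALG_SHA256) -> bytes:
    """TPM2_PolicyPCR update from a fresh (all-zero) trial session:
    new = H(old || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values))."""
    pcr_digest = hashlib.sha256(b"".join(pcr_values)).digest()
    old = bytes(32)
    return hashlib.sha256(old + TPM_CC_PolicyPCR.to_bytes(4, "big")
                          + marshal_pcr_selection(pcrs, alg) + pcr_digest).digest()


def expected_values(file_hash: bytes = FILE_HASH):
    """Values to compare with `tpm2_pcrread sha256:16` and the pcr16_policy file."""
    pcr16 = expected_pcr_after_reset_extend([file_hash])
    return pcr16.hex(), policy_pcr_digest([pcr16], [16]).hex()


if __name__ == "__main__":
    pcr16_hex, policy_hex = expected_values()
    print("expected PCR16 :", pcr16_hex)
    print("expected policy:", policy_hex)
```

A mismatch on the PCR line means the reset/extend sequence differs from the one used at sealing time (a second extend, or a different file hash), while a mismatch on the policy line means the selection or bank given to `tpm2_policypcr` differs.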