Good afternoon all, I'm seeing some odd behavior when trying to use the TPM2_Sign command in an EFI application. I'm guessing what I'm seeing is vendor-dependent, but I wanted to throw it out here too in case there are other avenues I can look down while I'm trying to contact the vendor. What I'm seeing is, when trying to sign with a loaded key, I'm getting a TPM_RC_VALUE error (exact code 0x84). The specification indicates this would be received if "the value to sign is larger than allowed for the type of keyHandle". However, I have intercepted the marshaled command and inspected it, and this is not the case. I have verified that the key has the Sign attribute; the key's signature scheme is TPM_ALG_NULL and this is defined to SHA256 in the TPM2_Sign command; and that the hash value being sent in the TPM2_Sign TPM2B_DIGEST value is in fact the 32 bytes expected for an SHA256 hash. The command is being sent via the EFI EFI_TCG2_PROTOCOL Submit Command operation, and I've validated in the vendor BIOS this is the correct protocol; plus there are some cases on other machines where this sign operation DOES work. Is there any other reason this error code might be returned from a TPM2_Sign command? I can't believe it would be, but is there some kind of format or value expected in the provided hash? (This is NOT a restricted signing key) For reference, here is an example marshaled command that fails: | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ------------------------------------------------------ 0x00 | 80 02 00 00 00 49 00 00 01 5d 80 00 00 01 00 00 0x10 | 00 09 03 00 00 00 00 00 01 00 00 00 20 e8 d0 09 0x20 | 45 d9 65 bf 21 46 cd 48 1f 57 72 82 bb 38 a7 a6 0x30 | 70 c6 4d e3 a9 32 21 4f f3 7b 63 3f 8e 00 14 00 0x40 | 0b 80 24 40 00 00 07 00 00 Thanks for any insight. -- *Nick Meyer* *Oath:*