I can't create an Attestation Key (AK) using as its parent an existing Endorsement Key (EK)

I'm using the TSS.MSR library for C++ (TSS.CPP). My goal is to generate a new AK from an existing EK that I'm reading using the tpm.ReadPublic() command.

If I create an EK by myself using tpm.CreatePrimary(), without any auth or policy, I'm able to create an AK using tpm.Create() passing the ekHandle that I created. But when I use an already existing EK instead of my generated key the tpm.Create() command fails.

The EK is at index 0x81010001 and it has an authPolicy set. The authPolicy is:

0x83, 0x71, 0x97, 0x67, 0x44, 0x84,
0xB3, 0xF8, 0x1A, 0x90, 0xCC, 0x8D,
0x46, 0xA5, 0xD7, 0x24, 0xFD, 0x52,
0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64,
0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14,
0x69, 0xAA

This is the same as in table B.3.3 Template L-1: RSA 2048 (Storage) of the TCG Credential Profile EK 2.0 document.

I think that the problem is related to sessions and policies, since with an EK without any auth set I can generate the AK properly.

Can anyone help me with that?

I tried to start a session using auto sess = tpm.StartAuthSession(TpmCpp::TPM_SE::POLICY, TpmCpp::TPM_ALG_ID::SHA256), then use tpm.PolicyAuthValue(sess), and finally pass the sess to tpm._Sessions(), but it didn't work. The error message is POLICY_FAIL.

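Added example, not code from the question or from TSS.CPP: the TPM compares the session's policyDigest against the key's authPolicy when tpm.Create() runs, so reproducing the L-1 template digest with the PolicyUpdate rule from TPM 2.0 Part 3 shows which policy command the session must contain. The command codes and the endorsement-hierarchy handle are assumed from the TPM 2.0 Part 2 constant tables; the expected digest is the one quoted in the question.

```python
import hashlib

# Constants assumed from TPM 2.0 Part 2 (Structures); not taken from the question.
TPM_CC_PolicySecret = 0x00000151
TPM_CC_PolicyAuthValue = 0x0000016B
TPM_RH_ENDORSEMENT = 0x4000000B

# authPolicy bytes quoted in the question (TCG EK Credential Profile, template L-1).
EK_L1_AUTH_POLICY = bytes.fromhex(
    "837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa"
)


def policy_secret(policy_digest: bytes, auth_name: bytes, policy_ref: bytes = b"") -> bytes:
    """TPM2_PolicySecret: PolicyUpdate(TPM_CC_PolicySecret, authObject.Name, policyRef)."""
    step = hashlib.sha256(
        policy_digest + TPM_CC_PolicySecret.to_bytes(4, "big") + auth_name
    ).digest()
    # PolicyUpdate always performs the second extension with policyRef, even when it is empty.
    return hashlib.sha256(step + policy_ref).digest()


def policy_auth_value(policy_digest: bytes) -> bytes:
    """TPM2_PolicyAuthValue: a single extension with the command code, no object Name."""
    return hashlib.sha256(policy_digest + TPM_CC_PolicyAuthValue.to_bytes(4, "big")).digest()


def ek_template_l1_policy() -> bytes:
    """Digest of a fresh SHA-256 policy session after PolicySecret(TPM_RH_ENDORSEMENT).

    The Name of a permanent handle is the 4-byte handle value itself, and a new
    policy session starts with a policyDigest of 32 zero bytes.
    """
    return policy_secret(bytes(32), TPM_RH_ENDORSEMENT.to_bytes(4, "big"))


def policy_auth_value_session() -> bytes:
    """Digest of a fresh SHA-256 policy session after PolicyAuthValue only."""
    return policy_auth_value(bytes(32))


def policy_check_passes(session_digest: bytes, auth_policy: bytes) -> bool:
    """The TPM's test when a policy session authorises use of a key."""
    return session_digest == auth_policy


if __name__ == "__main__":
    print("PolicySecret(ENDORSEMENT):", ek_template_l1_policy().hex())
    print("matches L-1 authPolicy:", policy_check_passes(ek_template_l1_policy(), EK_L1_AUTH_POLICY))
    print("PolicyAuthValue matches:", policy_check_passes(policy_auth_value_session(), EK_L1_AUTH_POLICY))
```

A session whose digest differs from the key's authPolicy is rejected at the time the key is used, which is why the failure appears on tpm.Create() rather than on the policy command itself.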