authorMauro S. M. Rodrigues <maurosr@linux.vnet.ibm.com>2020-06-01 17:34:32 -0300
committerOliver O'Halloran <oohall@gmail.com>2020-10-01 13:42:40 +1000
commit910a78c55a08bcb9c3cabbca4b38198dc5b58e21 (patch)
tree0649c000644865cf9555e74030b3b0b996341cd9
parente9f31b26eb20a35f1f27c092d54358696f3de275 (diff)
downloadskiboot-910a78c55a08bcb9c3cabbca4b38198dc5b58e21.zip
skiboot-910a78c55a08bcb9c3cabbca4b38198dc5b58e21.tar.gz
skiboot-910a78c55a08bcb9c3cabbca4b38198dc5b58e21.tar.bz2
Squashed 'libstb/tss2/ibmtpm20tss/utils/' content from commit fae1383d3d
git-subtree-dir: libstb/tss2/ibmtpm20tss/utils
git-subtree-split: fae1383d3d859bacac1084fe822ce9f313e01f4e
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/CommandAttributeData.c960
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/CommandAttributeData12.c121
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/CommandAttributes.h108
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/Commands.c2294
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/Commands12.c599
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/Commands12_fp.h93
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/Commands_fp.h505
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/Makefile.am594
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/Platform.h361
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/Unmarshal.c4961
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/Unmarshal12.c542
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/activatecredential.c328
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/applink.c107
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/cakey.pem30
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/cakeyecc.pem7
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/.cvsignore4
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_01.pem27
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_02.pem27
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_03.pem27
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_04.pem27
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_05.pem27
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_08.pem27
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_17.pem25
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_18.pem27
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_20.pem27
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_21.pem25
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Root_CA.pem26
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-IFX_TPM_EK_Intermediate_CA_48-C-v01_00-EN.pem25
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-Infineon_TPM_EK_Intermediate_CA25-C-v01_00-EN.pem25
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-OPTIGA(TM)_ECC_Manufacturing_CA_011.crt-C-v01_00-EN.pem20
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-OPTIGA(TM)_RSA_Manufacturing_CA_011.crt-C-v01_00-EN.pem33
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM1.2_VRSN_root_certificate-C-v01_00-EN.pem24
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_ECC_Root_CA-C-v01_00-EN.pem15
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA29-C-v01_00-EN.pem25
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_49-C-v01_00-EN.pem25
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_53-C-v01_00-EN.pem25
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_54-C-v01_00-EN.pem25
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_62-C-v01_00-EN.pem25
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_63-C-v01_00-EN.pem25
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_RSA_Root_CA-C-v01_00-EN.pem33
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/InfineonECCChain010.pem35
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/InfineonOPTIGAECCManufacturingCA010.pem20
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/InfineonOPTIGARSAManufacturingCA010.pem33
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/InfineonRSAChain010.pem66
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IntelEKIntermediate.pem23
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/IntelEKRootCA.pem16
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA001.crt20
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA002.crt20
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA003.crt20
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkRootCA.crt15
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA0100.pem13
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA1110.pem13
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA2110.pem13
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/cacert.pem21
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/cacertecc.pem13
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/gstpmroot.pem23
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/rootcerts.txt49
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/rootcerts.windows.txt49
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmeccint01.pem15
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmeccroot01.pem17
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint01.pem23
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint02.pem23
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint03.pem23
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint04.pem23
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint05.pem23
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekroot.pem24
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certificates/tpmeccroot.pem17
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certify.c411
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certifycreation.c453
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/certifyx509.c1497
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/changeeps.c216
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/changepps.c216
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/clear.c238
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/clearcontrol.c258
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/clockrateadjust.c260
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/clockset.c310
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/commit.c395
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/contextload.c146
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/contextsave.c162
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/create.c717
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/createek.c294
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/createekcert.c488
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/createloaded.c635
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/createprimary.c806
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/cryptoutils.c2079
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/cryptoutils.h333
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/dictionaryattacklockreset.c216
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/dictionaryattackparameters.c255
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/duplicate.c353
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/eccparameters.c172
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ecephemeral.c195
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ekutils.c2314
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ekutils.h258
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/encryptdecrypt.c363
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/eventextend.c390
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/eventlib.c1095
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/eventlib.h212
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/eventsequencecomplete.c399
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/evictcontrol.c279
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/flushcontext.c143
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/getcapability.c819
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/getcommandauditdigest.c395
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/getcryptolibrary.c76
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/getrandom.c295
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/getsessionauditdigest.c391
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/gettestresult.c206
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/gettime.c395
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/hash.c310
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/hashsequencestart.c253
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/hierarchychangeauth.c358
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/hierarchycontrol.c291
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/hmac.c356
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/hmacstart.c278
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ActivateCredential_fp.h88
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ActivateIdentity_fp.h64
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/BaseTypes.h85
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/CertifyCreation_fp.h95
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/CertifyX509_fp.h91
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Certify_fp.h93
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ChangeEPS_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ChangePPS_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ClearControl_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Clear_fp.h78
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ClockRateAdjust_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ClockSet_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Commit_fp.h94
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ContextLoad_fp.h84
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ContextSave_fp.h84
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateEndorsementKeyPair_fp.h64
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateLoaded_fp.h90
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/CreatePrimary_fp.h96
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateWrapKey_fp.h65
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Create_fp.h96
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/DictionaryAttackLockReset_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/DictionaryAttackParameters_fp.h86
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Duplicate_fp.h91
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ECC_Parameters_fp.h84
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ECDH_KeyGen_fp.h85
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ECDH_ZGen_fp.h86
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/EC_Ephemeral_fp.h84
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/EncryptDecrypt2_fp.h93
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/EncryptDecrypt_fp.h93
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/EventSequenceComplete_fp.h88
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/EvictControl_fp.h82
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Extend_fp.h64
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/FlushContext_fp.h78
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/FlushSpecific_fp.h58
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCapability12_fp.h65
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCapability_fp.h90
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCommandAuditDigest_fp.h91
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/GetRandom_fp.h84
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/GetSessionAuditDigest_fp.h93
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/GetTestResult_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/GetTime_fp.h91
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/HMAC_Start_fp.h88
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/HMAC_fp.h88
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/HashSequenceStart_fp.h88
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Hash_fp.h89
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/HierarchyChangeAuth_fp.h80
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/HierarchyControl_fp.h83
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Implementation.h1446
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Import_fp.h93
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/IncrementalSelfTest_fp.h84
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/LoadExternal_fp.h87
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/LoadKey2_fp.h66
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Load_fp.h88
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/MakeCredential_fp.h89
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/MakeIdentity_fp.h66
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NTC_fp.h52
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Certify_fp.h98
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ChangeAuth_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_DefineSpace12_fp.h52
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_DefineSpace_fp.h83
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Extend_fp.h83
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_GlobalWriteLock_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Increment_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadLock_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadPublic_fp.h85
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadValueAuth_fp.h65
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadValue_fp.h65
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Read_fp.h89
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_SetBits_fp.h83
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_UndefineSpaceSpecial_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_UndefineSpace_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteLock_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteValueAuth_fp.h57
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteValue_fp.h55
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Write_fp.h85
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/OIAP_fp.h78
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/OSAP_fp.h60
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ObjectChangeAuth_fp.h89
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/OwnerReadInternalPub_fp.h62
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/OwnerSetDisable_fp.h50
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Allocate_fp.h89
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Event_fp.h85
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Extend_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Read_fp.h85
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Reset12_fp.h51
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Reset_fp.h78
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_SetAuthPolicy_fp.h85
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_SetAuthValue_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PP_Commands_fp.h80
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Parameters.h386
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Parameters12.h68
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PcrRead12_fp.h56
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthValue_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthorizeNV_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthorize_fp.h86
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCommandCode_fp.h80
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCounterTimer_fp.h85
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCpHash_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyDuplicationSelect_fp.h85
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyGetDigest_fp.h84
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyLocality_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNV_fp.h88
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNameHash_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNvWritten_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyOR_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPCR_fp.h82
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPassword_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPhysicalPresence_fp.h78
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyRestart_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicySecret_fp.h95
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicySigned_fp.h96
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyTemplate_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyTicket_fp.h89
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Quote2_fp.h69
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Quote_fp.h91
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/RSA_Decrypt_fp.h90
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/RSA_Encrypt_fp.h89
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadClock_fp.h77
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadPubek_fp.h63
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadPublic_fp.h84
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Rewrap_fp.h92
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/SelfTest_fp.h78
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/SequenceComplete_fp.h92
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/SequenceUpdate_fp.h82
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/SetAlgorithmSet_fp.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/SetCommandCodeAuditStatus_fp.h84
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/SetPrimaryPolicy_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Shutdown_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Sign12_fp.h65
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Sign_fp.h89
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/StartAuthSession_fp.h97
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Startup12_fp.h50
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Startup_fp.h84
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/StirRandom_fp.h78
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/TPMB.h104
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/TPM_Types.h2825
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/TakeOwnership_fp.h67
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/TestParms_fp.h79
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/TpmBuildSwitches.h87
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Unmarshal12_fp.h94
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Unmarshal_fp.h696
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/Unseal_fp.h83
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/VerifySignature_fp.h88
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/ZGen_2Phase_fp.h93
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmconstants12.h1721
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmstructures12.h2482
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmtypes12.h148
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tss.h112
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tsscrypto.h164
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tsscryptoh.h100
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tsserror.h115
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tsserror12.h248
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tssfile.h95
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tssmarshal.h1628
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tssmarshal12.h192
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tssprint.h290
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tssprintcmd.h172
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tssresponsecode.h62
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tsstransmit.h80
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ibmtss/tssutils.h101
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/imaextend.c437
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/imalib.c1832
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/imalib.h222
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/import.c377
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/importpem.c482
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/load.c280
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/loadexternal.c542
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/makecredential.c303
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/makefile-common99
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/makefile-common1270
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/makefile-common20180
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/makefile.mac454
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/makefile.mak255
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/makefile.min178
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/makefile.nofile243
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/makefiletpm12265
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/makefiletpm20494
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/makefiletpmc515
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssactivatecredential.141
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertify.146
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertifycreation.149
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertifyx509.168
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsschangeeps.116
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsschangepps.116
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssclear.120
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssclearcontrol.123
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssclockrateadjust.122
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssclockset.131
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsscommit.146
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsscontextload.111
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsscontextsave.114
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreate.1127
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateek.133
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateekcert.140
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateloaded.1128
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateprimary.1131
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssdictionaryattacklockreset.116
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssdictionaryattackparameters.125
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssduplicate.143
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsseccparameters.116
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssecephemeral.120
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssencryptdecrypt.137
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsseventextend.129
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsseventsequencecomplete.140
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssevictcontrol.129
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssflushcontext.111
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcapability.158
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcommandauditdigest.143
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcryptolibrary.110
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetrandom.129
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetsessionauditdigest.146
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssgettestresult.116
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssgettime.143
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsshash.130
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsshashsequencestart.123
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsshierarchychangeauth.132
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsshierarchycontrol.125
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsshmac.137
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsshmacstart.125
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssimaextend.137
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssimport.143
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssimportpem.166
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssload.131
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssloadexternal.173
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssmakecredential.134
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2getconfig.119
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2lockconfig.110
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2preconfig.167
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvcertify.152
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvchangeauth.125
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvdefinespace.1101
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvextend.128
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvglobalwritelock.119
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvincrement.119
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvread.150
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvreadlock.122
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvreadpublic.136
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvsetbits.122
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvundefinespace.123
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvundefinespacespecial.122
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvwrite.140
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvwritelock.122
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssobjectchangeauth.134
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrallocate.125
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrevent.129
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrextend.121
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrread.136
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrreset.111
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthorize.131
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthorizenv.126
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthvalue.111
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycommandcode.114
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycountertimer.167
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycphash.122
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyduplicationselect.128
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicygetdigest.114
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicymaker.125
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicymakerpcr.129
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynamehash.122
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynv.177
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynvwritten.122
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyor.114
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicypassword.111
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicypcr.118
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyrestart.111
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicysecret.146
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicysigned.146
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicytemplate.114
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyticket.130
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspowerup.18
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssprintattr.116
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsspublicname.163
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssquote.146
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssreadclock.114
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssreadpublic.132
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssreturncode.19
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssrewrap.143
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssrsadecrypt.133
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssrsaencrypt.117
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsssequencecomplete.134
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsssequenceupdate.122
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsssetcommandcodeauditstatus.131
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsssetprimarypolicy.128
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssshutdown.114
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsssign.148
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsssignapp.115
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssstartauthsession.137
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssstartup.120
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssstirrandom.111
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsstimepacket.114
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpm2pem.114
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpmcmd.111
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpmpublic2eccpoint.117
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssunseal.125
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tssverifysignature.159
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsswriteapp.115
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/man/man1/tsszgen2phase.147
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ntc2getconfig.c199
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ntc2lib.c210
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ntc2lib.h116
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ntc2lockconfig.c135
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/ntc2preconfig.c579
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvcertify.c449
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvchangeauth.c255
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvdefinespace.c591
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvextend.c274
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvglobalwritelock.c237
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvincrement.c233
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvread.c483
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvreadlock.c260
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvreadpublic.c351
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvsetbits.c254
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvundefinespace.c258
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvundefinespacespecial.c244
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvwrite.c415
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/nvwritelock.c259
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/objectchangeauth.c328
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/objecttemplates.c582
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/objecttemplates.h108
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/pcrallocate.c342
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/pcrevent.c317
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/pcrextend.c269
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/pcrread.c437
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/pcrreset.c144
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/Policies.txt138
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/aaa1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/bits48321601.binbin0 -> 8 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/msgtpmgen.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahasha.binbin0 -> 36 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahasha.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahashb.binbin0 -> 36 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahashb.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphasha.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphasha.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphashb.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphashb.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/p256privkey.pem5
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/p256pubkey.pem4
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/pnhnamehash.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/pnhnamehash.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv-unseal.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv-unseal.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha1.bin2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha1.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha256.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha256.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha384.bin2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha384.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha512.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha512.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccactivate.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccactivate.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policycccertify.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policycccertify.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policycccreate-auth.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policycccreate-auth.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccduplicate.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccduplicate.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccnvchangeauth-auth.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccnvchangeauth-auth.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccquote.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccquote.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccsign-auth.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccsign-auth.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccsign.bin2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccsign.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccundefinespacespecial-auth.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyccundefinespacespecial-auth.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policycountertimer.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policycountertimer.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policycphash.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policycphash.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policycphashhash.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policycphashhash.txtbin0 -> 9 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-no.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-no.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-yes.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-yes.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgek.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha256.bin2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha256.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha384.binbin0 -> 48 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha384.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha512.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha512.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha256.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha256.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha384.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha384.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha512.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha512.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha256.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha384.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha512.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policynamehash.binbin0 -> 32 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policynamehash.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policynvargs.txtbin0 -> 13 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policynvnv.binbin0 -> 20 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policynvnv.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyor.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyor.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyorwrittensigned.binbin0 -> 32 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policyorwrittensigned.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr0.binbin0 -> 20 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr0.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha1.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha256.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha384.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha512.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha1.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha1.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha256.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha256.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha384.binbin0 -> 48 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha384.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha512.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha512.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policypcrbm0.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretnv.binbin0 -> 32 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretnv.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpf.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpf.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpp.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpp.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretp.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretp.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha256.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha256ha.binbin0 -> 34 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha384.binbin0 -> 48 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha384ha.binbin0 -> 50 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha512.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha512ha.binbin0 -> 66 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretsha256.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysecretsha256.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha1.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha1.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha256.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha256.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha384.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha384.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha512.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha512.txt2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policytemplate.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policytemplate.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policytemplatehash.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policytemplatehash.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policywrittenclrsigned.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policywrittenclrsigned.txt3
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policywrittenset.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policywrittenset.txt1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policywrittensetsigned.bin3
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/policywrittensetsigned.txt3
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/rsaprivkey.derbin0 -> 1191 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/rsaprivkey.pem30
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/rsapubkey.pem9
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha1.binbin0 -> 2 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha1aaa.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha1extaaa.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha1extaaa0.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha1exthaaa.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha256.binbin0 -> 2 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha256aaa.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha256extaaa.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha256extaaa0.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha256exthaaa.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha384.binbin0 -> 2 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha384aaa.bin2
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha384extaaa.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha384extaaa0.binbin0 -> 48 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha384exthaaa.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha512.binbin0 -> 2 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha512aaa.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha512extaaa.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha512extaaa0.binbin0 -> 64 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/sha512exthaaa.bin1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/zero4.binbin0 -> 4 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/zero8.binbin0 -> 8 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/zerosha1.binbin0 -> 20 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/zerosha256.binbin0 -> 32 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/zerosha384.binbin0 -> 48 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policies/zerosha512.binbin0 -> 64 bytes
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policyauthorize.c307
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policyauthorizenv.c279
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policyauthvalue.c142
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policycommandcode.c161
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policycountertimer.c302
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policycphash.c245
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policyduplicationselect.c272
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policygetdigest.c162
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policymaker.c354
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policymakerpcr.c439
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policynamehash.c256
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policynv.c360
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policynvwritten.c247
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policyor.c251
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policypassword.c142
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policypcr.c276
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policyrestart.c218
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policysecret.c358
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policysigned.c456
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policytemplate.c166
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/policyticket.c354
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/powerup.c128
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/printattr.c139
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/publicname.c452
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/quote.c439
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/readclock.c161
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/readpublic.c284
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/reg.bat383
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/reg.sh599
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/.cvsignore1
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.bat147
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/initkeys.sh130
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.bat79
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/inittpm.sh71
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testaes.bat143
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testaes.sh114
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.bat142
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testaes138.sh114
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testattest.bat580
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testattest.sh442
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.bat162
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testattest155.sh132
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testbind.bat658
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testbind.sh427
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.bat179
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.sh144
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.bat208
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.sh157
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.bat104
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testclocks.sh91
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.bat237
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testcontext.sh182
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.bat299
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.sh231
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.bat504
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testcredential.sh404
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testda.bat203
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testda.sh152
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testdup.bat786
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testdup.sh626
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testecc.bat324
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testecc.sh279
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.bat483
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testencsession.sh340
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testevict.bat125
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testevict.sh99
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.bat158
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.sh125
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.bat369
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.sh244
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.bat331
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testhmac.sh254
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.bat111
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.sh90
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testnv.bat963
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testnv.sh707
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.bat1029
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.sh739
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.bat348
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testpcr.sh300
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat2715
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.sh2031
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.bat600
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.sh477
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.bat224
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testprimary.sh175
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testrng.bat59
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testrng.sh54
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.bat432
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testrsa.sh350
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.bat433
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testsalt.sh347
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.bat541
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.sh396
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testsign.bat504
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testsign.sh402
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.bat205
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/teststorage.sh164
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.bat765
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testunseal.sh619
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/regtests/testx509.bat426
-rwxr-xr-xlibstb/tss2/ibmtpm20tss/utils/regtests/testx509.sh342
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/returncode.c78
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/rewrap.c349
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/rsadecrypt.c512
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/rsaencrypt.c262
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/sequencecomplete.c336
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/sequenceupdate.c268
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/setcommandcodeauditstatus.c298
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/setprimarypolicy.c300
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/shutdown.c129
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/sign.c489
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/signapp.c836
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/startauthsession.c301
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/startup.c191
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/stirrandom.c161
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/timepacket.c210
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tpm2pem.c150
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tpmcmd.c131
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tpmproxy.c972
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tpmpublic2eccpoint.c155
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tss.c282
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tss12.c1423
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tss12.h58
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tss20.c4900
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tss20.h58
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssauth.c161
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssauth.h104
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssauth12.c746
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssauth12.h94
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssauth20.c1546
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssauth20.h86
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssccattributes.c150
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssccattributes.h90
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssccattributes12.c74
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssccattributes12.h55
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tsscrypto.c1457
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tsscryptoh.c590
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssdev.c213
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssdev.h64
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssdevskiboot.c195
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssfile.c321
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssmarshal.c7768
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssmarshal12.c1136
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssntc.c128
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssntc.h81
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssprint.c2350
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssprintcmd.c920
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssproperties.c535
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssproperties.h185
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssresponsecode.c587
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tsssocket.c706
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tsssocket.h67
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tsstbsi.c295
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tsstransmit.c184
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssutils.c364
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/tssutilsverbose.c43
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/unseal.c253
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/verifysignature.c488
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/writeapp.c416
-rw-r--r--libstb/tss2/ibmtpm20tss/utils/zgen2phase.c366
758 files changed, 149568 insertions, 0 deletions
diff --git a/libstb/tss2/ibmtpm20tss/utils/CommandAttributeData.c b/libstb/tss2/ibmtpm20tss/utils/CommandAttributeData.c
new file mode 100644
index 0000000..48f3b16
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/CommandAttributeData.c
@@ -0,0 +1,960 @@
+/********************************************************************************/
+/* */
+/* Command Attributes Table */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012 - 2019 */
+/* */
+/********************************************************************************/
+
+// 9.3 CommandAttributeData.c
+
+#ifdef TPM_TPM12
+#include <ibmtss/tpmconstants12.h>
+#endif
+
+#include "CommandAttributes.h"
+#if defined COMPRESSED_LISTS
+# define PAD_LIST 0
+#else
+# define PAD_LIST 1
+#endif
+
+// This is the command code attribute array for GetCapability(). Both this array and
+// s_commandAttributes provides command code attributes, but tuned for different purpose
+
+/* bitfield is:
+
+ command index
+ reserved
+ nv
+ extensive
+ flushed
+ cHandles
+ rHandle
+ V
+ reserved, flags TPM 1.2 command
+*/
+
+#include "tssccattributes.h"
+
+const TPMA_CC_TSS s_ccAttr [] = {
+
+#if (PAD_LIST || CC_NV_UndefineSpaceSpecial)
+ {{0x011f, 0, 1, 0, 0, 2, 0, 0, 0}}, // TPM_CC_NV_UndefineSpaceSpecial
+#endif
+#if (PAD_LIST || CC_EvictControl)
+ {{0x0120, 0, 1, 0, 0, 2, 0, 0, 0}}, // TPM_CC_EvictControl
+#endif
+#if (PAD_LIST || CC_HierarchyControl)
+ {{0x0121, 0, 1, 1, 0, 1, 0, 0, 0}}, // TPM_CC_HierarchyControl
+#endif
+#if (PAD_LIST || CC_NV_UndefineSpace)
+ {{0x0122, 0, 1, 0, 0, 2, 0, 0, 0}}, // TPM_CC_NV_UndefineSpace
+#endif
+#if (PAD_LIST)
+ {{0x0123, 0, 0, 0, 0, 0, 0, 0, 0}}, // No command
+#endif
+#if (PAD_LIST || CC_ChangeEPS)
+ {{0x0124, 0, 1, 1, 0, 1, 0, 0, 0}}, // TPM_CC_ChangeEPS
+#endif
+#if (PAD_LIST || CC_ChangePPS)
+ {{0x0125, 0, 1, 1, 0, 1, 0, 0, 0}}, // TPM_CC_ChangePPS
+#endif
+#if (PAD_LIST || CC_Clear)
+ {{0x0126, 0, 1, 1, 0, 1, 0, 0, 0}}, // TPM_CC_Clear
+#endif
+#if (PAD_LIST || CC_ClearControl)
+ {{0x0127, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_ClearControl
+#endif
+#if (PAD_LIST || CC_ClockSet)
+ {{0x0128, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_ClockSet
+#endif
+#if (PAD_LIST || CC_HierarchyChangeAuth)
+ {{0x0129, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_HierarchyChangeAuth
+#endif
+#if (PAD_LIST || CC_NV_DefineSpace)
+ {{0x012a, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_NV_DefineSpace
+#endif
+#if (PAD_LIST || CC_PCR_Allocate)
+ {{0x012b, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PCR_Allocate
+#endif
+#if (PAD_LIST || CC_PCR_SetAuthPolicy)
+ {{0x012c, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PCR_SetAuthPolicy
+#endif
+#if (PAD_LIST || CC_PP_Commands)
+ {{0x012d, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PP_Commands
+#endif
+#if (PAD_LIST || CC_SetPrimaryPolicy)
+ {{0x012e, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_SetPrimaryPolicy
+#endif
+#if (PAD_LIST || CC_FieldUpgradeStart)
+ {{0x012f, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_FieldUpgradeStart
+#endif
+#if (PAD_LIST || CC_ClockRateAdjust)
+ {{0x0130, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_ClockRateAdjust
+#endif
+#if (PAD_LIST || CC_CreatePrimary)
+ {{0x0131, 0, 0, 0, 0, 1, 1, 0, 0}}, // TPM_CC_CreatePrimary
+#endif
+#if (PAD_LIST || CC_NV_GlobalWriteLock)
+ {{0x0132, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_NV_GlobalWriteLock
+#endif
+#if (PAD_LIST || CC_GetCommandAuditDigest)
+ {{0x0133, 0, 1, 0, 0, 2, 0, 0, 0}}, // TPM_CC_GetCommandAuditDigest
+#endif
+#if (PAD_LIST || CC_NV_Increment)
+ {{0x0134, 0, 1, 0, 0, 2, 0, 0, 0}}, // TPM_CC_NV_Increment
+#endif
+#if (PAD_LIST || CC_NV_SetBits)
+ {{0x0135, 0, 1, 0, 0, 2, 0, 0, 0}}, // TPM_CC_NV_SetBits
+#endif
+#if (PAD_LIST || CC_NV_Extend)
+ {{0x0136, 0, 1, 0, 0, 2, 0, 0, 0}}, // TPM_CC_NV_Extend
+#endif
+#if (PAD_LIST || CC_NV_Write)
+ {{0x0137, 0, 1, 0, 0, 2, 0, 0, 0}}, // TPM_CC_NV_Write
+#endif
+#if (PAD_LIST || CC_NV_WriteLock)
+ {{0x0138, 0, 1, 0, 0, 2, 0, 0, 0}}, // TPM_CC_NV_WriteLock
+#endif
+#if (PAD_LIST || CC_DictionaryAttackLockReset)
+ {{0x0139, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_DictionaryAttackLockReset
+#endif
+#if (PAD_LIST || CC_DictionaryAttackParameters)
+ {{0x013a, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_DictionaryAttackParameters
+#endif
+#if (PAD_LIST || CC_NV_ChangeAuth)
+ {{0x013b, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_NV_ChangeAuth
+#endif
+#if (PAD_LIST || CC_PCR_Event)
+ {{0x013c, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PCR_Event
+#endif
+#if (PAD_LIST || CC_PCR_Reset)
+ {{0x013d, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PCR_Reset
+#endif
+#if (PAD_LIST || CC_SequenceComplete)
+ {{0x013e, 0, 0, 0, 1, 1, 0, 0, 0}}, // TPM_CC_SequenceComplete
+#endif
+#if (PAD_LIST || CC_SetAlgorithmSet)
+ {{0x013f, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_SetAlgorithmSet
+#endif
+#if (PAD_LIST || CC_SetCommandCodeAuditStatus)
+ {{0x0140, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_SetCommandCodeAuditStatus
+#endif
+#if (PAD_LIST || CC_FieldUpgradeData)
+ {{0x0141, 0, 1, 0, 0, 0, 0, 0, 0}}, // TPM_CC_FieldUpgradeData
+#endif
+#if (PAD_LIST || CC_IncrementalSelfTest)
+ {{0x0142, 0, 1, 0, 0, 0, 0, 0, 0}}, // TPM_CC_IncrementalSelfTest
+#endif
+#if (PAD_LIST || CC_SelfTest)
+ {{0x0143, 0, 1, 0, 0, 0, 0, 0, 0}}, // TPM_CC_SelfTest
+#endif
+#if (PAD_LIST || CC_Startup)
+ {{0x0144, 0, 1, 0, 0, 0, 0, 0, 0}}, // TPM_CC_Startup
+#endif
+#if (PAD_LIST || CC_Shutdown)
+ {{0x0145, 0, 1, 0, 0, 0, 0, 0, 0}}, // TPM_CC_Shutdown
+#endif
+#if (PAD_LIST || CC_StirRandom)
+ {{0x0146, 0, 1, 0, 0, 0, 0, 0, 0}}, // TPM_CC_StirRandom
+#endif
+#if (PAD_LIST || CC_ActivateCredential)
+ {{0x0147, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_ActivateCredential
+#endif
+#if (PAD_LIST || CC_Certify)
+ {{0x0148, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_Certify
+#endif
+#if (PAD_LIST || CC_PolicyNV)
+ {{0x0149, 0, 0, 0, 0, 3, 0, 0, 0}}, // TPM_CC_PolicyNV
+#endif
+#if (PAD_LIST || CC_CertifyCreation)
+ {{0x014a, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_CertifyCreation
+#endif
+#if (PAD_LIST || CC_CertifyX509)
+ {{0x0197, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_CertifyX509
+#endif
+#if (PAD_LIST || CC_Duplicate)
+ {{0x014b, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_Duplicate
+#endif
+#if (PAD_LIST || CC_GetTime)
+ {{0x014c, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_GetTime
+#endif
+#if (PAD_LIST || CC_GetSessionAuditDigest)
+ {{0x014d, 0, 0, 0, 0, 3, 0, 0, 0}}, // TPM_CC_GetSessionAuditDigest
+#endif
+#if (PAD_LIST || CC_NV_Read)
+ {{0x014e, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_NV_Read
+#endif
+#if (PAD_LIST || CC_NV_ReadLock)
+ {{0x014f, 0, 1, 0, 0, 2, 0, 0, 0}}, // TPM_CC_NV_ReadLock
+#endif
+#if (PAD_LIST || CC_ObjectChangeAuth)
+ {{0x0150, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_ObjectChangeAuth
+#endif
+#if (PAD_LIST || CC_PolicySecret)
+ {{0x0151, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_PolicySecret
+#endif
+#if (PAD_LIST || CC_Rewrap)
+ {{0x0152, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_Rewrap
+#endif
+#if (PAD_LIST || CC_Create)
+ {{0x0153, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_Create
+#endif
+#if (PAD_LIST || CC_ECDH_ZGen)
+ {{0x0154, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_ECDH_ZGen
+#endif
+#if (PAD_LIST || CC_HMAC)
+ {{0x0155, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_HMAC
+#endif
+#if (PAD_LIST || CC_Import)
+ {{0x0156, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_Import
+#endif
+#if (PAD_LIST || CC_Load)
+ {{0x0157, 0, 0, 0, 0, 1, 1, 0, 0}}, // TPM_CC_Load
+#endif
+#if (PAD_LIST || CC_Quote)
+ {{0x0158, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_Quote
+#endif
+#if (PAD_LIST || CC_RSA_Decrypt)
+ {{0x0159, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_RSA_Decrypt
+#endif
+#if (PAD_LIST)
+ {{0x015a, 0, 0, 0, 0, 0, 0, 0, 0}}, // No command
+#endif
+#if (PAD_LIST || CC_HMAC_Start)
+ {{0x015b, 0, 0, 0, 0, 1, 1, 0, 0}}, // TPM_CC_HMAC_Start
+#endif
+#if (PAD_LIST || CC_SequenceUpdate)
+ {{0x015c, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_SequenceUpdate
+#endif
+#if (PAD_LIST || CC_Sign)
+ {{0x015d, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_Sign
+#endif
+#if (PAD_LIST || CC_Unseal)
+ {{0x015e, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_Unseal
+#endif
+#if (PAD_LIST)
+ {{0x015f, 0, 0, 0, 0, 0, 0, 0, 0}}, // No command
+#endif
+#if (PAD_LIST || CC_PolicySigned)
+ {{0x0160, 0, 0, 0, 0, 2, 0, 0, 0}}, // TPM_CC_PolicySigned
+#endif
+#if (PAD_LIST || CC_ContextLoad)
+ {{0x0161, 0, 0, 0, 0, 0, 1, 0, 0}}, // TPM_CC_ContextLoad
+#endif
+#if (PAD_LIST || CC_ContextSave)
+ {{0x0162, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_ContextSave
+#endif
+#if (PAD_LIST || CC_ECDH_KeyGen)
+ {{0x0163, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_ECDH_KeyGen
+#endif
+#if (PAD_LIST || CC_EncryptDecrypt)
+ {{0x0164, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_EncryptDecrypt
+#endif
+#if (PAD_LIST || CC_FlushContext)
+ {{0x0165, 0, 0, 0, 0, 0, 0, 0, 0}}, // TPM_CC_FlushContext
+#endif
+#if (PAD_LIST)
+ {{0x0166, 0, 0, 0, 0, 0, 0, 0, 0}}, // No command
+#endif
+#if (PAD_LIST || CC_LoadExternal)
+ {{0x0167, 0, 0, 0, 0, 0, 1, 0, 0}}, // TPM_CC_LoadExternal
+#endif
+#if (PAD_LIST || CC_MakeCredential)
+ {{0x0168, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_MakeCredential
+#endif
+#if (PAD_LIST || CC_NV_ReadPublic)
+ {{0x0169, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_NV_ReadPublic
+#endif
+#if (PAD_LIST || CC_PolicyAuthorize)
+ {{0x016a, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyAuthorize
+#endif
+#if (PAD_LIST || CC_PolicyAuthValue)
+ {{0x016b, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyAuthValue
+#endif
+#if (PAD_LIST || CC_PolicyCommandCode)
+ {{0x016c, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyCommandCode
+#endif
+#if (PAD_LIST || CC_PolicyCounterTimer)
+ {{0x016d, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyCounterTimer
+#endif
+#if (PAD_LIST || CC_PolicyCpHash)
+ {{0x016e, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyCpHash
+#endif
+#if (PAD_LIST || CC_PolicyLocality)
+ {{0x016f, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyLocality
+#endif
+#if (PAD_LIST || CC_PolicyNameHash)
+ {{0x0170, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyNameHash
+#endif
+#if (PAD_LIST || CC_PolicyOR)
+ {{0x0171, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyOR
+#endif
+#if (PAD_LIST || CC_PolicyTicket)
+ {{0x0172, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyTicket
+#endif
+#if (PAD_LIST || CC_ReadPublic)
+ {{0x0173, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_ReadPublic
+#endif
+#if (PAD_LIST || CC_RSA_Encrypt)
+ {{0x0174, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_RSA_Encrypt
+#endif
+#if (PAD_LIST)
+ {{0x0175, 0, 0, 0, 0, 0, 0, 0, 0}}, // No command
+#endif
+#if (PAD_LIST || CC_StartAuthSession)
+ {{0x0176, 0, 0, 0, 0, 2, 1, 0, 0}}, // TPM_CC_StartAuthSession
+#endif
+#if (PAD_LIST || CC_VerifySignature)
+ {{0x0177, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_VerifySignature
+#endif
+#if (PAD_LIST || CC_ECC_Parameters)
+ {{0x0178, 0, 0, 0, 0, 0, 0, 0, 0}}, // TPM_CC_ECC_Parameters
+#endif
+#if (PAD_LIST || CC_FirmwareRead)
+ {{0x0179, 0, 0, 0, 0, 0, 0, 0, 0}}, // TPM_CC_FirmwareRead
+#endif
+#if (PAD_LIST || CC_GetCapability)
+ {{0x017a, 0, 0, 0, 0, 0, 0, 0, 0}}, // TPM_CC_GetCapability
+#endif
+#if (PAD_LIST || CC_GetRandom)
+ {{0x017b, 0, 0, 0, 0, 0, 0, 0, 0}}, // TPM_CC_GetRandom
+#endif
+#if (PAD_LIST || CC_GetTestResult)
+ {{0x017c, 0, 0, 0, 0, 0, 0, 0, 0}}, // TPM_CC_GetTestResult
+#endif
+#if (PAD_LIST || CC_Hash)
+ {{0x017d, 0, 0, 0, 0, 0, 0, 0, 0}}, // TPM_CC_Hash
+#endif
+#if (PAD_LIST || CC_PCR_Read)
+ {{0x017e, 0, 0, 0, 0, 0, 0, 0, 0}}, // TPM_CC_PCR_Read
+#endif
+#if (PAD_LIST || CC_PolicyPCR)
+ {{0x017f, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyPCR
+#endif
+#if (PAD_LIST || CC_PolicyRestart)
+ {{0x0180, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyRestart
+#endif
+#if (PAD_LIST || CC_ReadClock)
+ {{0x0181, 0, 0, 0, 0, 0, 0, 0, 0}}, // TPM_CC_ReadClock
+#endif
+#if (PAD_LIST || CC_PCR_Extend)
+ {{0x0182, 0, 1, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PCR_Extend
+#endif
+#if (PAD_LIST || CC_PCR_SetAuthValue)
+ {{0x0183, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PCR_SetAuthValue
+#endif
+#if (PAD_LIST || CC_NV_Certify)
+ {{0x0184, 0, 0, 0, 0, 3, 0, 0, 0}}, // TPM_CC_NV_Certify
+#endif
+#if (PAD_LIST || CC_EventSequenceComplete)
+ {{0x0185, 0, 1, 0, 1, 2, 0, 0, 0}}, // TPM_CC_EventSequenceComplete
+#endif
+#if (PAD_LIST || CC_HashSequenceStart)
+ {{0x0186, 0, 0, 0, 0, 0, 1, 0, 0}}, // TPM_CC_HashSequenceStart
+#endif
+#if (PAD_LIST || CC_PolicyPhysicalPresence)
+ {{0x0187, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyPhysicalPresence
+#endif
+#if (PAD_LIST || CC_PolicyDuplicationSelect)
+ {{0x0188, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyDuplicationSelect
+#endif
+#if (PAD_LIST || CC_PolicyGetDigest)
+ {{0x0189, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyGetDigest
+#endif
+#if (PAD_LIST || CC_TestParms)
+ {{0x018a, 0, 0, 0, 0, 0, 0, 0, 0}}, // TPM_CC_TestParms
+#endif
+#if (PAD_LIST || CC_Commit)
+ {{0x018b, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_Commit
+#endif
+#if (PAD_LIST || CC_PolicyPassword)
+ {{0x018c, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyPassword
+#endif
+#if (PAD_LIST || CC_ZGen_2Phase)
+ {{0x018d, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_ZGen_2Phase
+#endif
+#if (PAD_LIST || CC_EC_Ephemeral)
+ {{0x018e, 0, 0, 0, 0, 0, 0, 0, 0}}, // TPM_CC_EC_Ephemeral
+#endif
+#if (PAD_LIST || CC_PolicyNvWritten)
+ {{0x018f, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyNvWritten
+#endif
+#if (PAD_LIST || CC_PolicyTemplate)
+ {{0x0190, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_PolicyTemplate
+#endif
+#if (PAD_LIST || CC_CreateLoaded)
+ {{0x0191, 0, 0, 0, 0, 1, 1, 0, 0}}, // TPM_CC_CreateLoaded
+#endif
+#if (PAD_LIST || CC_PolicyAuthorizeNV)
+ {{0x0192, 0, 0, 0, 0, 3, 0, 0, 0}}, // TPM_CC_PolicyAuthorizeNV
+#endif
+#if (PAD_LIST || CC_EncryptDecrypt2)
+ {{0x0193, 0, 0, 0, 0, 1, 0, 0, 0}}, // TPM_CC_EncryptDecrypt2
+#endif
+
+#if (PAD_LIST || CC_Vendor_TCG_Test)
+ {{0x0000, 0, 0, 0, 0, 0, 0, 1, 0}}, // TPM_CC_Vendor_TCG_Test
+#endif
+
+#if (PAD_LIST || CC_NTC2_PreConfig)
+ {{0x20000211, 0, 1, 0, 0, 0, 0, 1, 0}}, // TPM_CC_NTC2_PreConfig
+#endif
+
+#if (PAD_LIST || CC_NTC2_LockPreConfig)
+ {{0x20000212, 0, 1, 0, 0, 0, 0, 1, 0}}, // TPM_CC_NTC2_LockPreConfig
+#endif
+
+#if (PAD_LIST || CC_NTC2_GetConfig)
+ {{0x20000213, 0, 1, 0, 0, 0, 0, 1, 0}}, // TPM_CC_NTC2_GetConfig
+#endif
+
+ {{0x0000, 0, 0, 0, 0, 0, 0, 0, 0}}, // kg - terminator?
+};
+
+// This is the command code attribute structure.
+
+const COMMAND_ATTRIBUTES s_commandAttributes [] = {
+#if (PAD_LIST || CC_NV_UndefineSpaceSpecial)
+ (COMMAND_ATTRIBUTES)(CC_NV_UndefineSpaceSpecial * // 0x011f
+ (IS_IMPLEMENTED+HANDLE_1_ADMIN+HANDLE_2_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_EvictControl)
+ (COMMAND_ATTRIBUTES)(CC_EvictControl * // 0x0120
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_HierarchyControl)
+ (COMMAND_ATTRIBUTES)(CC_HierarchyControl * // 0x0121
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_NV_UndefineSpace)
+ (COMMAND_ATTRIBUTES)(CC_NV_UndefineSpace * // 0x0122
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST)
+ (COMMAND_ATTRIBUTES)(0), // 0x0123
+#endif
+#if (PAD_LIST || CC_ChangeEPS)
+ (COMMAND_ATTRIBUTES)(CC_ChangeEPS * // 0x0124
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_ChangePPS)
+ (COMMAND_ATTRIBUTES)(CC_ChangePPS * // 0x0125
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_Clear)
+ (COMMAND_ATTRIBUTES)(CC_Clear * // 0x0126
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_ClearControl)
+ (COMMAND_ATTRIBUTES)(CC_ClearControl * // 0x0127
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_ClockSet)
+ (COMMAND_ATTRIBUTES)(CC_ClockSet * // 0x0128
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_HierarchyChangeAuth)
+ (COMMAND_ATTRIBUTES)(CC_HierarchyChangeAuth * // 0x0129
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_NV_DefineSpace)
+ (COMMAND_ATTRIBUTES)(CC_NV_DefineSpace * // 0x012a
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_PCR_Allocate)
+ (COMMAND_ATTRIBUTES)(CC_PCR_Allocate * // 0x012b
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_PCR_SetAuthPolicy)
+ (COMMAND_ATTRIBUTES)(CC_PCR_SetAuthPolicy * // 0x012c
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_PP_Commands)
+ (COMMAND_ATTRIBUTES)(CC_PP_Commands * // 0x012d
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_REQUIRED)),
+#endif
+#if (PAD_LIST || CC_SetPrimaryPolicy)
+ (COMMAND_ATTRIBUTES)(CC_SetPrimaryPolicy * // 0x012e
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_FieldUpgradeStart)
+ (COMMAND_ATTRIBUTES)(CC_FieldUpgradeStart * // 0x012f
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_ADMIN+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_ClockRateAdjust)
+ (COMMAND_ATTRIBUTES)(CC_ClockRateAdjust * // 0x0130
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_CreatePrimary)
+ (COMMAND_ATTRIBUTES)(CC_CreatePrimary * // 0x0131
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+PP_COMMAND+ENCRYPT_2+R_HANDLE)),
+#endif
+#if (PAD_LIST || CC_NV_GlobalWriteLock)
+ (COMMAND_ATTRIBUTES)(CC_NV_GlobalWriteLock * // 0x0132
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_GetCommandAuditDigest)
+ (COMMAND_ATTRIBUTES)(CC_GetCommandAuditDigest * // 0x0133
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+HANDLE_2_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_NV_Increment)
+ (COMMAND_ATTRIBUTES)(CC_NV_Increment * // 0x0134
+ (IS_IMPLEMENTED+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_NV_SetBits)
+ (COMMAND_ATTRIBUTES)(CC_NV_SetBits * // 0x0135
+ (IS_IMPLEMENTED+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_NV_Extend)
+ (COMMAND_ATTRIBUTES)(CC_NV_Extend * // 0x0136
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_NV_Write)
+ (COMMAND_ATTRIBUTES)(CC_NV_Write * // 0x0137
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_NV_WriteLock)
+ (COMMAND_ATTRIBUTES)(CC_NV_WriteLock * // 0x0138
+ (IS_IMPLEMENTED+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_DictionaryAttackLockReset)
+ (COMMAND_ATTRIBUTES)(CC_DictionaryAttackLockReset * // 0x0139
+ (IS_IMPLEMENTED+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_DictionaryAttackParameters)
+ (COMMAND_ATTRIBUTES)(CC_DictionaryAttackParameters * // 0x013a
+ (IS_IMPLEMENTED+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_NV_ChangeAuth)
+ (COMMAND_ATTRIBUTES)(CC_NV_ChangeAuth * // 0x013b
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_ADMIN)),
+#endif
+#if (PAD_LIST || CC_PCR_Event)
+ (COMMAND_ATTRIBUTES)(CC_PCR_Event * // 0x013c
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_PCR_Reset)
+ (COMMAND_ATTRIBUTES)(CC_PCR_Reset * // 0x013d
+ (IS_IMPLEMENTED+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_SequenceComplete)
+ (COMMAND_ATTRIBUTES)(CC_SequenceComplete * // 0x013e
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_SetAlgorithmSet)
+ (COMMAND_ATTRIBUTES)(CC_SetAlgorithmSet * // 0x013f
+ (IS_IMPLEMENTED+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_SetCommandCodeAuditStatus)
+ (COMMAND_ATTRIBUTES)(CC_SetCommandCodeAuditStatus * // 0x0140
+ (IS_IMPLEMENTED+HANDLE_1_USER+PP_COMMAND)),
+#endif
+#if (PAD_LIST || CC_FieldUpgradeData)
+ (COMMAND_ATTRIBUTES)(CC_FieldUpgradeData * // 0x0141
+ (IS_IMPLEMENTED+DECRYPT_2)),
+#endif
+#if (PAD_LIST || CC_IncrementalSelfTest)
+ (COMMAND_ATTRIBUTES)(CC_IncrementalSelfTest * // 0x0142
+ (IS_IMPLEMENTED)),
+#endif
+#if (PAD_LIST || CC_SelfTest)
+ (COMMAND_ATTRIBUTES)(CC_SelfTest * // 0x0143
+ (IS_IMPLEMENTED)),
+#endif
+#if (PAD_LIST || CC_Startup)
+ (COMMAND_ATTRIBUTES)(CC_Startup * // 0x0144
+ (IS_IMPLEMENTED+NO_SESSIONS)),
+#endif
+#if (PAD_LIST || CC_Shutdown)
+ (COMMAND_ATTRIBUTES)(CC_Shutdown * // 0x0145
+ (IS_IMPLEMENTED)),
+#endif
+#if (PAD_LIST || CC_StirRandom)
+ (COMMAND_ATTRIBUTES)(CC_StirRandom * // 0x0146
+ (IS_IMPLEMENTED+DECRYPT_2)),
+#endif
+#if (PAD_LIST || CC_ActivateCredential)
+ (COMMAND_ATTRIBUTES)(CC_ActivateCredential * // 0x0147
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_ADMIN+HANDLE_2_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_Certify)
+ (COMMAND_ATTRIBUTES)(CC_Certify * // 0x0148
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_ADMIN+HANDLE_2_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_PolicyNV)
+ (COMMAND_ATTRIBUTES)(CC_PolicyNV * // 0x0149
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_CertifyCreation)
+ (COMMAND_ATTRIBUTES)(CC_CertifyCreation * // 0x014a
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_CertifyX509)
+ (COMMAND_ATTRIBUTES)(CC_CertifyX509 * // 0x0197
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_ADMIN+HANDLE_2_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_Duplicate)
+ (COMMAND_ATTRIBUTES)(CC_Duplicate * // 0x014b
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_DUP+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_GetTime)
+ (COMMAND_ATTRIBUTES)(CC_GetTime * // 0x014c
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+HANDLE_2_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_GetSessionAuditDigest)
+ (COMMAND_ATTRIBUTES)(CC_GetSessionAuditDigest * // 0x014d
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+HANDLE_2_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_NV_Read)
+ (COMMAND_ATTRIBUTES)(CC_NV_Read * // 0x014e
+ (IS_IMPLEMENTED+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_NV_ReadLock)
+ (COMMAND_ATTRIBUTES)(CC_NV_ReadLock * // 0x014f
+ (IS_IMPLEMENTED+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_ObjectChangeAuth)
+ (COMMAND_ATTRIBUTES)(CC_ObjectChangeAuth * // 0x0150
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_ADMIN+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_PolicySecret)
+ (COMMAND_ATTRIBUTES)(CC_PolicySecret * // 0x0151
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ALLOW_TRIAL+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_Rewrap)
+ (COMMAND_ATTRIBUTES)(CC_Rewrap * // 0x0152
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_Create)
+ (COMMAND_ATTRIBUTES)(CC_Create * // 0x0153
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_ECDH_ZGen)
+ (COMMAND_ATTRIBUTES)(CC_ECDH_ZGen * // 0x0154
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_HMAC)
+ (COMMAND_ATTRIBUTES)(CC_HMAC * // 0x0155
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_Import)
+ (COMMAND_ATTRIBUTES)(CC_Import * // 0x0156
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_Load)
+ (COMMAND_ATTRIBUTES)(CC_Load * // 0x0157
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2+R_HANDLE)),
+#endif
+#if (PAD_LIST || CC_Quote)
+ (COMMAND_ATTRIBUTES)(CC_Quote * // 0x0158
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_RSA_Decrypt)
+ (COMMAND_ATTRIBUTES)(CC_RSA_Decrypt * // 0x0159
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST)
+ (COMMAND_ATTRIBUTES)(0), // 0x015a
+#endif
+#if (PAD_LIST || CC_HMAC_Start)
+ (COMMAND_ATTRIBUTES)(CC_HMAC_Start * // 0x015b
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+R_HANDLE)),
+#endif
+#if (PAD_LIST || CC_SequenceUpdate)
+ (COMMAND_ATTRIBUTES)(CC_SequenceUpdate * // 0x015c
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_Sign)
+ (COMMAND_ATTRIBUTES)(CC_Sign * // 0x015d
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_Unseal)
+ (COMMAND_ATTRIBUTES)(CC_Unseal * // 0x015e
+ (IS_IMPLEMENTED+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST)
+ (COMMAND_ATTRIBUTES)(0), // 0x015f
+#endif
+#if (PAD_LIST || CC_PolicySigned)
+ (COMMAND_ATTRIBUTES)(CC_PolicySigned * // 0x0160
+ (IS_IMPLEMENTED+DECRYPT_2+ALLOW_TRIAL+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_ContextLoad)
+ (COMMAND_ATTRIBUTES)(CC_ContextLoad * // 0x0161
+ (IS_IMPLEMENTED+NO_SESSIONS+R_HANDLE)),
+#endif
+#if (PAD_LIST || CC_ContextSave)
+ (COMMAND_ATTRIBUTES)(CC_ContextSave * // 0x0162
+ (IS_IMPLEMENTED+NO_SESSIONS)),
+#endif
+#if (PAD_LIST || CC_ECDH_KeyGen)
+ (COMMAND_ATTRIBUTES)(CC_ECDH_KeyGen * // 0x0163
+ (IS_IMPLEMENTED+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_EncryptDecrypt)
+ (COMMAND_ATTRIBUTES)(CC_EncryptDecrypt * // 0x0164
+ (IS_IMPLEMENTED+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_FlushContext)
+ (COMMAND_ATTRIBUTES)(CC_FlushContext * // 0x0165
+ (IS_IMPLEMENTED+NO_SESSIONS)),
+#endif
+#if (PAD_LIST)
+ (COMMAND_ATTRIBUTES)(0), // 0x0166
+#endif
+#if (PAD_LIST || CC_LoadExternal)
+ (COMMAND_ATTRIBUTES)(CC_LoadExternal * // 0x0167
+ (IS_IMPLEMENTED+DECRYPT_2+ENCRYPT_2+R_HANDLE)),
+#endif
+#if (PAD_LIST || CC_MakeCredential)
+ (COMMAND_ATTRIBUTES)(CC_MakeCredential * // 0x0168
+ (IS_IMPLEMENTED+DECRYPT_2+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_NV_ReadPublic)
+ (COMMAND_ATTRIBUTES)(CC_NV_ReadPublic * // 0x0169
+ (IS_IMPLEMENTED+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_PolicyAuthorize)
+ (COMMAND_ATTRIBUTES)(CC_PolicyAuthorize * // 0x016a
+ (IS_IMPLEMENTED+DECRYPT_2+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyAuthValue)
+ (COMMAND_ATTRIBUTES)(CC_PolicyAuthValue * // 0x016b
+ (IS_IMPLEMENTED+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyCommandCode)
+ (COMMAND_ATTRIBUTES)(CC_PolicyCommandCode * // 0x016c
+ (IS_IMPLEMENTED+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyCounterTimer)
+ (COMMAND_ATTRIBUTES)(CC_PolicyCounterTimer * // 0x016d
+ (IS_IMPLEMENTED+DECRYPT_2+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyCpHash)
+ (COMMAND_ATTRIBUTES)(CC_PolicyCpHash * // 0x016e
+ (IS_IMPLEMENTED+DECRYPT_2+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyLocality)
+ (COMMAND_ATTRIBUTES)(CC_PolicyLocality * // 0x016f
+ (IS_IMPLEMENTED+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyNameHash)
+ (COMMAND_ATTRIBUTES)(CC_PolicyNameHash * // 0x0170
+ (IS_IMPLEMENTED+DECRYPT_2+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyOR)
+ (COMMAND_ATTRIBUTES)(CC_PolicyOR * // 0x0171
+ (IS_IMPLEMENTED+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyTicket)
+ (COMMAND_ATTRIBUTES)(CC_PolicyTicket * // 0x0172
+ (IS_IMPLEMENTED+DECRYPT_2+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_ReadPublic)
+ (COMMAND_ATTRIBUTES)(CC_ReadPublic * // 0x0173
+ (IS_IMPLEMENTED+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_RSA_Encrypt)
+ (COMMAND_ATTRIBUTES)(CC_RSA_Encrypt * // 0x0174
+ (IS_IMPLEMENTED+DECRYPT_2+ENCRYPT_2)),
+#endif
+#if (PAD_LIST)
+ (COMMAND_ATTRIBUTES)(0), // 0x0175
+#endif
+#if (PAD_LIST || CC_StartAuthSession)
+ (COMMAND_ATTRIBUTES)(CC_StartAuthSession * // 0x0176
+ (IS_IMPLEMENTED+DECRYPT_2+ENCRYPT_2+R_HANDLE)),
+#endif
+#if (PAD_LIST || CC_VerifySignature)
+ (COMMAND_ATTRIBUTES)(CC_VerifySignature * // 0x0177
+ (IS_IMPLEMENTED+DECRYPT_2)),
+#endif
+#if (PAD_LIST || CC_ECC_Parameters)
+ (COMMAND_ATTRIBUTES)(CC_ECC_Parameters * // 0x0178
+ (IS_IMPLEMENTED)),
+#endif
+#if (PAD_LIST || CC_FirmwareRead)
+ (COMMAND_ATTRIBUTES)(CC_FirmwareRead * // 0x0179
+ (IS_IMPLEMENTED+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_GetCapability)
+ (COMMAND_ATTRIBUTES)(CC_GetCapability * // 0x017a
+ (IS_IMPLEMENTED)),
+#endif
+#if (PAD_LIST || CC_GetRandom)
+ (COMMAND_ATTRIBUTES)(CC_GetRandom * // 0x017b
+ (IS_IMPLEMENTED+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_GetTestResult)
+ (COMMAND_ATTRIBUTES)(CC_GetTestResult * // 0x017c
+ (IS_IMPLEMENTED+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_Hash)
+ (COMMAND_ATTRIBUTES)(CC_Hash * // 0x017d
+ (IS_IMPLEMENTED+DECRYPT_2+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_PCR_Read)
+ (COMMAND_ATTRIBUTES)(CC_PCR_Read * // 0x017e
+ (IS_IMPLEMENTED)),
+#endif
+#if (PAD_LIST || CC_PolicyPCR)
+ (COMMAND_ATTRIBUTES)(CC_PolicyPCR * // 0x017f
+ (IS_IMPLEMENTED+DECRYPT_2+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyRestart)
+ (COMMAND_ATTRIBUTES)(CC_PolicyRestart * // 0x0180
+ (IS_IMPLEMENTED+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_ReadClock)
+ (COMMAND_ATTRIBUTES)(CC_ReadClock * // 0x0181
+ (IS_IMPLEMENTED+NO_SESSIONS)),
+#endif
+#if (PAD_LIST || CC_PCR_Extend)
+ (COMMAND_ATTRIBUTES)(CC_PCR_Extend * // 0x0182
+ (IS_IMPLEMENTED+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_PCR_SetAuthValue)
+ (COMMAND_ATTRIBUTES)(CC_PCR_SetAuthValue * // 0x0183
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER)),
+#endif
+#if (PAD_LIST || CC_NV_Certify)
+ (COMMAND_ATTRIBUTES)(CC_NV_Certify * // 0x0184
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+HANDLE_2_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_EventSequenceComplete)
+ (COMMAND_ATTRIBUTES)(CC_EventSequenceComplete * // 0x0185
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+HANDLE_2_USER)),
+#endif
+#if (PAD_LIST || CC_HashSequenceStart)
+ (COMMAND_ATTRIBUTES)(CC_HashSequenceStart * // 0x0186
+ (IS_IMPLEMENTED+DECRYPT_2+R_HANDLE)),
+#endif
+#if (PAD_LIST || CC_PolicyPhysicalPresence)
+ (COMMAND_ATTRIBUTES)(CC_PolicyPhysicalPresence * // 0x0187
+ (IS_IMPLEMENTED+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyDuplicationSelect)
+ (COMMAND_ATTRIBUTES)(CC_PolicyDuplicationSelect * // 0x0188
+ (IS_IMPLEMENTED+DECRYPT_2+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyGetDigest)
+ (COMMAND_ATTRIBUTES)(CC_PolicyGetDigest * // 0x0189
+ (IS_IMPLEMENTED+ALLOW_TRIAL+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_TestParms)
+ (COMMAND_ATTRIBUTES)(CC_TestParms * // 0x018a
+ (IS_IMPLEMENTED)),
+#endif
+#if (PAD_LIST || CC_Commit)
+ (COMMAND_ATTRIBUTES)(CC_Commit * // 0x018b
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_PolicyPassword)
+ (COMMAND_ATTRIBUTES)(CC_PolicyPassword * // 0x018c
+ (IS_IMPLEMENTED+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_ZGen_2Phase)
+ (COMMAND_ATTRIBUTES)(CC_ZGen_2Phase * // 0x018d
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_EC_Ephemeral)
+ (COMMAND_ATTRIBUTES)(CC_EC_Ephemeral * // 0x018e
+ (IS_IMPLEMENTED+ENCRYPT_2)),
+#endif
+#if (PAD_LIST || CC_PolicyNvWritten)
+ (COMMAND_ATTRIBUTES)(CC_PolicyNvWritten * // 0x018f
+ (IS_IMPLEMENTED+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_PolicyTemplate)
+ (COMMAND_ATTRIBUTES)(CC_PolicyTemplate * // 0x0190
+ (IS_IMPLEMENTED+DECRYPT_2+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_CreateLoaded)
+ (COMMAND_ATTRIBUTES)(CC_CreateLoaded * // 0x0191
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+PP_COMMAND+ENCRYPT_2+R_HANDLE)),
+#endif
+#if (PAD_LIST || CC_PolicyAuthorizeNV)
+ (COMMAND_ATTRIBUTES)(CC_PolicyAuthorizeNV * // 0x0192
+ (IS_IMPLEMENTED+HANDLE_1_USER+ALLOW_TRIAL)),
+#endif
+#if (PAD_LIST || CC_EncryptDecrypt2)
+ (COMMAND_ATTRIBUTES)(CC_EncryptDecrypt2 * // 0x0193
+ (IS_IMPLEMENTED+DECRYPT_2+HANDLE_1_USER+ENCRYPT_2)),
+#endif
+
+#if (PAD_LIST || CC_Vendor_TCG_Test)
+ (COMMAND_ATTRIBUTES)(CC_Vendor_TCG_Test * // 0x0000
+ (IS_IMPLEMENTED+DECRYPT_2+ENCRYPT_2)),
+#endif
+
+#ifdef TPM_TSS_NUVOTON
+#if (PAD_LIST || CC_NTC2_PreConfig)
+ (COMMAND_ATTRIBUTES)(CC_NTC2_PreConfig * // 0x20000211
+ (IS_IMPLEMENTED+NO_SESSIONS)),
+#endif
+#if (PAD_LIST || CC_NTC2_LockPreConfig)
+ (COMMAND_ATTRIBUTES)(CC_NTC2_LockPreConfig * // 0x20000212
+ (IS_IMPLEMENTED+NO_SESSIONS)),
+#endif
+#if (PAD_LIST || CC_NTC2_GetConfig)
+ (COMMAND_ATTRIBUTES)(CC_NTC2_GetConfig * // 0x20000213
+ (IS_IMPLEMENTED+NO_SESSIONS)),
+#endif
+#endif /* TPM_TSS_NUVOTON */
+
+ 0
+};
diff --git a/libstb/tss2/ibmtpm20tss/utils/CommandAttributeData12.c b/libstb/tss2/ibmtpm20tss/utils/CommandAttributeData12.c
new file mode 100644
index 0000000..7bf8b6f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/CommandAttributeData12.c
@@ -0,0 +1,121 @@
+/********************************************************************************/
+/* */
+/* Command Attributes Table for TPM 1.2 */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2018 - 2019 */
+/* */
+/********************************************************************************/
+
+
+#include <ibmtss/tpmconstants12.h>
+
+#include "CommandAttributes.h"
+#if defined COMPRESSED_LISTS
+# define PAD_LIST 0
+#else
+# define PAD_LIST 1
+#endif
+
+// This is the command code attribute array for GetCapability(). Both this array and
+// s_commandAttributes provides command code attributes, but tuned for different purpose
+
+/* bitfield is:
+
+ command index
+ reserved
+ nv
+ extensive
+ flushed
+ cHandles not included in HMAC
+ rHandle not included in HMAC
+ V
+ reserved, flags TPM 1.2 command
+*/
+
+#include "tssccattributes.h"
+const TPMA_CC_TSS s_ccAttr12 [] = {
+
+ /* R N E F C R V R */
+
+ {{TPM_ORD_ActivateIdentity, 0, 0, 0, 0, 1, 0, 0, 1}},
+ {{TPM_ORD_ContinueSelfTest, 0, 0, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_CreateEndorsementKeyPair, 0, 1, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_CreateWrapKey, 0, 0, 0, 0, 1, 0, 0, 1}},
+ {{TPM_ORD_Extend, 0, 0, 0, 0, 1, 0, 0, 1}},
+ {{TPM_ORD_FlushSpecific, 0, 0, 0, 0, 1, 0, 0, 1}},
+ {{TPM_ORD_GetCapability, 0, 0, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_LoadKey2, 0, 0, 0, 0, 1, 1, 0, 1}},
+ {{TPM_ORD_MakeIdentity, 0, 0, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_NV_DefineSpace, 1, 1, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_NV_ReadValueAuth, 1, 0, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_NV_ReadValue, 1, 0, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_NV_WriteValue, 1, 1, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_NV_WriteValueAuth, 1, 1, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_OIAP, 0, 0, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_OSAP, 0, 0, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_OwnerReadInternalPub, 0, 0, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_OwnerSetDisable, 0, 1, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_PcrRead, 0, 0, 0, 0, 1, 0, 0, 1}},
+ {{TPM_ORD_PCR_Reset, 0, 0, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_ReadPubek, 0, 0, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_Quote2, 0, 0, 0, 0, 1, 0, 0, 1}},
+ {{TPM_ORD_Sign, 0, 0, 0, 0, 1, 0, 0, 1}},
+ {{TPM_ORD_Startup, 0, 1, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_TakeOwnership, 0, 0, 0, 0, 0, 0, 0, 1}},
+ {{TPM_ORD_Init, 0, 0, 0, 0, 0, 0, 0, 1}},
+
+ {{0x0000, 0, 0, 0, 0, 0, 0, 0, 0}}, // kg - terminator?
+};
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/CommandAttributes.h b/libstb/tss2/ibmtpm20tss/utils/CommandAttributes.h
new file mode 100644
index 0000000..c19a3fb
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/CommandAttributes.h
@@ -0,0 +1,108 @@
+/********************************************************************************/
+/* */
+/* Command Attributes */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: CommandAttributes.h 1289 2018-07-30 16:31:47Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2018 */
+/* */
+/********************************************************************************/
+
+#ifndef COMMANDATTRIBUTES_H
+#define COMMANDATTRIBUTES_H
+
+#include <ibmtss/TPM_Types.h>
+
+#define IS_IMPLEMENTED 0x0001
+#define HANDLE_1_USER 0x0002
+#define HANDLE_1_ADMIN 0x0004
+#define HANDLE_1_DUP 0x0008
+#define HANDLE_2_USER 0x0010
+#define PP_COMMAND 0x0020
+#define PP_REQUIRED 0x0040
+#define ALLOW_TRIAL 0x0080
+#define NO_SESSIONS 0x0100
+#define DECRYPT_2 0x0200
+#define DECRYPT_4 0x0400
+#define ENCRYPT_2 0x0800
+#define ENCRYPT_4 0x1000
+#define R_HANDLE 0x2000
+
+typedef UINT32 COMMAND_ATTRIBUTES;
+
+typedef union {
+ struct {
+ uint32_t commandCode;
+ uint8_t reserved1;
+ uint8_t nv;
+ uint8_t extensive;
+ uint8_t flushed;
+ uint8_t cHandles;
+ uint8_t rHandle;
+ uint8_t V;
+ uint8_t tpm12Ordinal; /* kgold - was reserved, flags TPM 1.2 ordinal */
+ };
+ /* must be a union so the below 'bitfield' structure intiializer works */
+ uint8_t dummy;
+} TPMA_CC_TSS;
+
+extern const TPMA_CC_TSS s_ccAttr [];
+#ifdef TPM_TPM12
+extern const TPMA_CC_TSS s_ccAttr12 [];
+#endif
+
+extern const COMMAND_ATTRIBUTES s_commandAttributes [];
+
+#endif
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/Commands.c b/libstb/tss2/ibmtpm20tss/utils/Commands.c
new file mode 100644
index 0000000..4f2a576
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/Commands.c
@@ -0,0 +1,2294 @@
+/********************************************************************************/
+/* */
+/* Command Parameter Unmarshaling */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012 - 2019 */
+/* */
+/********************************************************************************/
+
+/* The TSS using the command parameter unmarshaling to validate caller input parameters before
+ sending them to the TPM.
+
+ It is essentially the same as the TPM side code.
+*/
+
+#include "Commands_fp.h"
+#include <ibmtss/Parameters.h>
+
+#include <ibmtss/Unmarshal_fp.h>
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/*
+ In_Unmarshal - shared by TPM and TSS
+*/
+
+TPM_RC
+Startup_In_Unmarshal(Startup_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_SU_Unmarshalu(&target->startupType, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Startup_startupType;
+ }
+ }
+ return rc;
+}
+TPM_RC
+Shutdown_In_Unmarshal(Shutdown_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_SU_Unmarshalu(&target->shutdownType, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Shutdown_shutdownType;
+ }
+ }
+ return rc;
+}
+TPM_RC
+SelfTest_In_Unmarshal(SelfTest_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_YES_NO_Unmarshalu(&target->fullTest, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_SelfTest_fullTest;
+ }
+ }
+ return rc;
+}
+TPM_RC
+IncrementalSelfTest_In_Unmarshal(IncrementalSelfTest_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_ALG_Unmarshalu(&target->toTest, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_IncrementalSelfTest_toTest;
+ }
+ }
+ return rc;
+}
+TPM_RC
+StartAuthSession_In_Unmarshal(StartAuthSession_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->tpmKey = handles[0];
+ target->bind = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NONCE_Unmarshalu(&target->nonceCaller, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_StartAuthSession_nonceCaller;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ENCRYPTED_SECRET_Unmarshalu(&target->encryptedSalt, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_StartAuthSession_encryptedSalt;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_SE_Unmarshalu(&target->sessionType, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_StartAuthSession_sessionType;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SYM_DEF_Unmarshalu(&target->symmetric, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_StartAuthSession_symmetric;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->authHash, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_StartAuthSession_authHash;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyRestart_In_Unmarshal(PolicyRestart_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->sessionHandle = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+Create_In_Unmarshal(Create_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->parentHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_SENSITIVE_CREATE_Unmarshalu(&target->inSensitive, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Create_inSensitive;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_Unmarshalu(&target->inPublic, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Create_inPublic;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->outsideInfo, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Create_outsideInfo;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_PCR_SELECTION_Unmarshalu(&target->creationPCR, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Create_creationPCR;
+ }
+ }
+ return rc;
+}
+TPM_RC
+Load_In_Unmarshal(Load_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->parentHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PRIVATE_Unmarshalu(&target->inPrivate, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Load_inPrivate;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_Unmarshalu(&target->inPublic, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Load_inPublic;
+ }
+ }
+ return rc;
+}
+TPM_RC
+LoadExternal_In_Unmarshal(LoadExternal_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_SENSITIVE_Unmarshalu(&target->inPrivate, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_LoadExternal_inPrivate;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_Unmarshalu(&target->inPublic, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_LoadExternal_inPublic;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_RH_HIERARCHY_Unmarshalu(&target->hierarchy, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_LoadExternal_hierarchy;
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+ReadPublic_In_Unmarshal(ReadPublic_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->objectHandle = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+ActivateCredential_In_Unmarshal(ActivateCredential_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->activateHandle = handles[0];
+ target->keyHandle = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ID_OBJECT_Unmarshalu(&target->credentialBlob, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ActivateCredential_credentialBlob;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ENCRYPTED_SECRET_Unmarshalu(&target->secret, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ActivateCredential_secret;
+ }
+ }
+ return rc;
+}
+TPM_RC
+MakeCredential_In_Unmarshal(MakeCredential_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->handle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->credential, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_MakeCredential_credential;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->objectName, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_MakeCredential_objectName;
+ }
+ }
+ return rc;
+}
+TPM_RC
+Unseal_In_Unmarshal(Unseal_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->itemHandle = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+ObjectChangeAuth_In_Unmarshal(ObjectChangeAuth_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->objectHandle = handles[0];
+ target->parentHandle = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_AUTH_Unmarshalu(&target->newAuth, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+CreateLoaded_In_Unmarshal(CreateLoaded_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->parentHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_SENSITIVE_CREATE_Unmarshalu(&target->inSensitive, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Create_inSensitive;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_TEMPLATE_Unmarshalu(&target->inPublic, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CreateLoaded_inPublic;
+ }
+ }
+ return rc;
+}
+TPM_RC
+Duplicate_In_Unmarshal(Duplicate_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->objectHandle = handles[0];
+ target->newParentHandle = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->encryptionKeyIn, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Duplicate_encryptionKeyIn;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SYM_DEF_OBJECT_Unmarshalu(&target->symmetricAlg, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Duplicate_symmetricAlg;
+ }
+ }
+ return rc;
+}
+TPM_RC
+Rewrap_In_Unmarshal(Rewrap_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->oldParent = handles[0];
+ target->newParent = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PRIVATE_Unmarshalu(&target->inDuplicate, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Rewrap_inDuplicate;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->name, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Rewrap_name;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ENCRYPTED_SECRET_Unmarshalu(&target->inSymSeed, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Rewrap_inSymSeed;
+ }
+ }
+ return rc;
+}
+TPM_RC
+Import_In_Unmarshal(Import_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->parentHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->encryptionKey, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_Unmarshalu(&target->objectPublic, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Import_objectPublic;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PRIVATE_Unmarshalu(&target->duplicate, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Import_duplicate;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ENCRYPTED_SECRET_Unmarshalu(&target->inSymSeed, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Import_inSymSeed;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SYM_DEF_OBJECT_Unmarshalu(&target->symmetricAlg, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Import_symmetricAlg;
+ }
+ }
+ return rc;
+}
+TPM_RC
+RSA_Encrypt_In_Unmarshal(RSA_Encrypt_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->keyHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_KEY_RSA_Unmarshalu(&target->message, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_RSA_Encrypt_message;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_RSA_DECRYPT_Unmarshalu(&target->inScheme, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_RSA_Encrypt_inScheme;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->label, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_RSA_Encrypt_label;
+ }
+ }
+ return rc;
+}
+TPM_RC
+RSA_Decrypt_In_Unmarshal(RSA_Decrypt_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->keyHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_KEY_RSA_Unmarshalu(&target->cipherText, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_RSA_Decrypt_cipherText;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_RSA_DECRYPT_Unmarshalu(&target->inScheme, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_RSA_Decrypt_inScheme;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->label, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_RSA_Decrypt_label;
+ }
+ }
+ return rc;
+}
+TPM_RC
+ECDH_KeyGen_In_Unmarshal(ECDH_KeyGen_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->keyHandle = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+ECDH_ZGen_In_Unmarshal(ECDH_ZGen_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->keyHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->inPoint, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ECDH_ZGen_inPoint;
+ }
+ }
+ return rc;
+}
+TPM_RC
+ECC_Parameters_In_Unmarshal(ECC_Parameters_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ECC_CURVE_Unmarshalu(&target->curveID, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ECC_Parameters_curveID;
+ }
+ }
+ return rc;
+}
+TPM_RC
+ZGen_2Phase_In_Unmarshal(ZGen_2Phase_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->keyA = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->inQsB, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ZGen_2Phase_inQsB;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->inQeB, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ZGen_2Phase_inQeB;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ECC_KEY_EXCHANGE_Unmarshalu(&target->inScheme, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ZGen_2Phase_inScheme;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->counter, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ZGen_2Phase_counter;
+ }
+ }
+ return rc;
+}
+TPM_RC
+EncryptDecrypt_In_Unmarshal(EncryptDecrypt_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->keyHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_YES_NO_Unmarshalu(&target->decrypt, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_EncryptDecrypt_decrypt;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_SYM_MODE_Unmarshalu(&target->mode, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_EncryptDecrypt_mode;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_IV_Unmarshalu(&target->ivIn, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_EncryptDecrypt_ivIn;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_BUFFER_Unmarshalu(&target->inData, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_EncryptDecrypt_inData;
+ }
+ }
+ return rc;
+}
+TPM_RC
+EncryptDecrypt2_In_Unmarshal(EncryptDecrypt2_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->keyHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_BUFFER_Unmarshalu(&target->inData, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_EncryptDecrypt2_inData;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_YES_NO_Unmarshalu(&target->decrypt, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_EncryptDecrypt2_decrypt;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_SYM_MODE_Unmarshalu(&target->mode, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_EncryptDecrypt2_mode;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_IV_Unmarshalu(&target->ivIn, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_EncryptDecrypt2_ivIn;
+ }
+ }
+ return rc;
+}
+TPM_RC
+Hash_In_Unmarshal(Hash_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_BUFFER_Unmarshalu(&target->data, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Hash_data;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hashAlg, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Hash_hashAlg;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_RH_HIERARCHY_Unmarshalu(&target->hierarchy, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Hash_hierarchy;
+ }
+ }
+ return rc;
+}
+TPM_RC
+HMAC_In_Unmarshal(HMAC_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->handle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_BUFFER_Unmarshalu(&target->buffer, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_HMAC_buffer;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hashAlg, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_HMAC_hashAlg;
+ }
+ }
+ return rc;
+}
+TPM_RC
+GetRandom_In_Unmarshal(GetRandom_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->bytesRequested, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_GetRandom_bytesRequested;
+ }
+ }
+ return rc;
+}
+TPM_RC
+StirRandom_In_Unmarshal(StirRandom_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_SENSITIVE_DATA_Unmarshalu(&target->inData, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_StirRandom_inData;
+ }
+ }
+ return rc;
+}
+TPM_RC
+HMAC_Start_In_Unmarshal(HMAC_Start_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->handle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_AUTH_Unmarshalu(&target->auth, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_HMAC_Start_auth;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hashAlg, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_HMAC_Start_hashAlg;
+ }
+ }
+ return rc;
+}
+TPM_RC
+HashSequenceStart_In_Unmarshal(HashSequenceStart_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_AUTH_Unmarshalu(&target->auth, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_HashSequenceStart_auth;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hashAlg, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_HashSequenceStart_hashAlg;
+ }
+ }
+ return rc;
+}
+TPM_RC
+SequenceUpdate_In_Unmarshal(SequenceUpdate_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->sequenceHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_BUFFER_Unmarshalu(&target->buffer, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_SequenceUpdate_buffer;
+ }
+ }
+ return rc;
+}
+TPM_RC
+SequenceComplete_In_Unmarshal(SequenceComplete_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->sequenceHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_BUFFER_Unmarshalu(&target->buffer, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_SequenceComplete_buffer;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_RH_HIERARCHY_Unmarshalu(&target->hierarchy, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_SequenceComplete_hierarchy;
+ }
+ }
+ return rc;
+}
+TPM_RC
+EventSequenceComplete_In_Unmarshal(EventSequenceComplete_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->pcrHandle = handles[0];
+ target->sequenceHandle = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_BUFFER_Unmarshalu(&target->buffer, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_EventSequenceComplete_buffer;
+ }
+ }
+ return rc;
+}
+TPM_RC
+Certify_In_Unmarshal(Certify_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->objectHandle = handles[0];
+ target->signHandle = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->qualifyingData, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Certify_qualifyingData;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIG_SCHEME_Unmarshalu(&target->inScheme, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Certify_inScheme;
+ }
+ }
+ return rc;
+}
+TPM_RC
+CertifyX509_In_Unmarshal(CertifyX509_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->objectHandle = handles[0];
+ target->signHandle = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->reserved, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CertifyX509_reserved;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIG_SCHEME_Unmarshalu(&target->inScheme, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CertifyX509_inScheme;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_BUFFER_Unmarshalu(&target->partialCertificate, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CertifyX509_partialCertificate;
+ }
+ }
+ return rc;
+}
+TPM_RC
+CertifyCreation_In_Unmarshal(CertifyCreation_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->signHandle = handles[0];
+ target->objectHandle = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->qualifyingData, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CertifyCreation_creationHash;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->creationHash, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CertifyCreation_creationHash;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIG_SCHEME_Unmarshalu(&target->inScheme, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CertifyCreation_inScheme;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_TK_CREATION_Unmarshalu(&target->creationTicket, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CertifyCreation_creationTicket;
+ }
+ }
+ return rc;
+}
+TPM_RC
+Quote_In_Unmarshal(Quote_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->signHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->qualifyingData, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Quote_qualifyingData;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIG_SCHEME_Unmarshalu(&target->inScheme, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Quote_inScheme;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_PCR_SELECTION_Unmarshalu(&target->PCRselect, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Quote_PCRselect;
+ }
+ }
+ return rc;
+}
+TPM_RC
+GetSessionAuditDigest_In_Unmarshal(GetSessionAuditDigest_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->privacyAdminHandle = handles[0];
+ target->signHandle = handles[1];
+ target->sessionHandle = handles[2];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->qualifyingData, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_GetSessionAuditDigest_qualifyingData;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIG_SCHEME_Unmarshalu(&target->inScheme, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_GetSessionAuditDigest_inScheme;
+ }
+ }
+ return rc;
+}
+TPM_RC
+GetCommandAuditDigest_In_Unmarshal(GetCommandAuditDigest_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->privacyHandle = handles[0];
+ target->signHandle = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->qualifyingData, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_GetCommandAuditDigest_qualifyingData;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIG_SCHEME_Unmarshalu(&target->inScheme, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_GetCommandAuditDigest_inScheme;
+ }
+ }
+ return rc;
+}
+TPM_RC
+GetTime_In_Unmarshal(GetTime_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->privacyAdminHandle = handles[0];
+ target->signHandle = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->qualifyingData, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_GetTime_qualifyingData;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIG_SCHEME_Unmarshalu(&target->inScheme, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_GetTime_inScheme;
+ }
+ }
+ return rc;
+}
+TPM_RC
+Commit_In_Unmarshal(Commit_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->signHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->P1, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Commit_P1;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_SENSITIVE_DATA_Unmarshalu(&target->s2, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Commit_s2;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->y2, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Commit_y2;
+ }
+ }
+ return rc;
+}
+TPM_RC
+EC_Ephemeral_In_Unmarshal(EC_Ephemeral_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ECC_CURVE_Unmarshalu(&target->curveID, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_EC_Ephemeral_curveID;
+ }
+ }
+ return rc;
+}
+TPM_RC
+VerifySignature_In_Unmarshal(VerifySignature_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->keyHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->digest, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_VerifySignature_digest;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&target->signature, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_VerifySignature_signature;
+ }
+ }
+ return rc;
+}
+TPM_RC
+Sign_In_Unmarshal(Sign_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->keyHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->digest, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Sign_digest;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIG_SCHEME_Unmarshalu(&target->inScheme, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Sign_inScheme;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_TK_HASHCHECK_Unmarshalu(&target->validation, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_Sign_validation;
+ }
+ }
+ return rc;
+}
+TPM_RC
+SetCommandCodeAuditStatus_In_Unmarshal(SetCommandCodeAuditStatus_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->auth = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->auditAlg, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_SetCommandCodeAuditStatus_auditAlg;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_CC_Unmarshalu(&target->setList, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_SetCommandCodeAuditStatus_setList;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_CC_Unmarshalu(&target->clearList, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_SetCommandCodeAuditStatus_clearList;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PCR_Extend_In_Unmarshal(PCR_Extend_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->pcrHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_DIGEST_VALUES_Unmarshalu(&target->digests, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PCR_Extend_digests;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PCR_Event_In_Unmarshal(PCR_Event_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->pcrHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_EVENT_Unmarshalu(&target->eventData, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PCR_Event_eventData;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PCR_Read_In_Unmarshal(PCR_Read_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_PCR_SELECTION_Unmarshalu(&target->pcrSelectionIn, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PCR_Read_pcrSelectionIn;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PCR_Allocate_In_Unmarshal(PCR_Allocate_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_PCR_SELECTION_Unmarshalu(&target->pcrAllocation, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PCR_Allocate_pcrAllocation;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PCR_SetAuthPolicy_In_Unmarshal(PCR_SetAuthPolicy_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->authPolicy, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PCR_SetAuthPolicy_authPolicy;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hashAlg, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PCR_SetAuthPolicy_hashAlg;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_DH_PCR_Unmarshalu(&target->pcrNum, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PCR_SetAuthPolicy_pcrNum;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PCR_SetAuthValue_In_Unmarshal(PCR_SetAuthValue_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->pcrHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->auth, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PCR_SetAuthValue_auth;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PCR_Reset_In_Unmarshal(PCR_Reset_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->pcrHandle = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+PolicySigned_In_Unmarshal(PolicySigned_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authObject = handles[0];
+ target->policySession = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NONCE_Unmarshalu(&target->nonceTPM, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicySigned_nonceTPM;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->cpHashA, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicySigned_cpHashA;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NONCE_Unmarshalu(&target->policyRef, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicySigned_policyRef;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_INT32_Unmarshalu(&target->expiration, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicySigned_expiration;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&target->auth, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicySigned_auth;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicySecret_In_Unmarshal(PolicySecret_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ target->policySession = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NONCE_Unmarshalu(&target->nonceTPM, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicySecret_nonceTPM;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->cpHashA, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicySecret_cpHashA;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NONCE_Unmarshalu(&target->policyRef, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicySecret_policyRef;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_INT32_Unmarshalu(&target->expiration, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicySecret_expiration;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyTicket_In_Unmarshal(PolicyTicket_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_TIMEOUT_Unmarshalu(&target->timeout, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyTicket_timeout;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->cpHashA, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyTicket_cpHashA;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NONCE_Unmarshalu(&target->policyRef, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyTicket_policyRef;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->authName, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyTicket_authName;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_TK_AUTH_Unmarshalu(&target->ticket, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyTicket_ticket;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyOR_In_Unmarshal(PolicyOR_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ /* Policy OR requires at least two OR terms */
+ rc = TSS_TPML_DIGEST_Unmarshalu(&target->pHashList, buffer, size, 2);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyOR_pHashList;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyPCR_In_Unmarshal(PolicyPCR_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->pcrDigest, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyPCR_pcrDigest;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_PCR_SELECTION_Unmarshalu(&target->pcrs, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyPCR_pcrs;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyLocality_In_Unmarshal(PolicyLocality_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMA_LOCALITY_Unmarshalu(&target->locality, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyLocality_locality;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyNV_In_Unmarshal(PolicyNV_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ target->nvIndex = handles[1];
+ target->policySession = handles[2];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_OPERAND_Unmarshalu(&target->operandB, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyNV_operandB;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->offset, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyNV_offset;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_EO_Unmarshalu(&target->operation, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyNV_operation;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyAuthorizeNV_In_Unmarshal(PolicyAuthorizeNV_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ target->nvIndex = handles[1];
+ target->policySession = handles[2];
+ }
+ return rc;
+}
+TPM_RC
+PolicyCounterTimer_In_Unmarshal(PolicyCounterTimer_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_OPERAND_Unmarshalu(&target->operandB, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyCounterTimer_operandB;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->offset, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyCounterTimer_offset;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_EO_Unmarshalu(&target->operation, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyCounterTimer_operation;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyCommandCode_In_Unmarshal(PolicyCommandCode_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_CC_Unmarshalu(&target->code, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyCommandCode_code;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyPhysicalPresence_In_Unmarshal(PolicyPhysicalPresence_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+PolicyCpHash_In_Unmarshal(PolicyCpHash_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->cpHashA, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyCpHash_cpHashA;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyNameHash_In_Unmarshal(PolicyNameHash_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->nameHash, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyNameHash_nameHash;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyDuplicationSelect_In_Unmarshal(PolicyDuplicationSelect_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->objectName, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyDuplicationSelect_objectName;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->newParentName, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyDuplicationSelect_newParentName;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_YES_NO_Unmarshalu(&target->includeObject, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyDuplicationSelect_includeObject;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyAuthorize_In_Unmarshal(PolicyAuthorize_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->approvedPolicy, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyAuthorize_approvedPolicy;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NONCE_Unmarshalu(&target->policyRef, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyAuthorize_policyRef;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->keySign, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyAuthorize_keySign;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_TK_VERIFIED_Unmarshalu(&target->checkTicket, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyAuthorize_checkTicket;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyAuthValue_In_Unmarshal(PolicyAuthValue_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+PolicyPassword_In_Unmarshal(PolicyPassword_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+PolicyGetDigest_In_Unmarshal(PolicyGetDigest_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+PolicyNvWritten_In_Unmarshal(PolicyNvWritten_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_YES_NO_Unmarshalu(&target->writtenSet, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyNvWritten_writtenSet;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PolicyTemplate_In_Unmarshal(PolicyTemplate_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->policySession = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->templateHash, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PolicyTemplate_templateHash;
+ }
+ }
+ return rc;
+}
+TPM_RC
+CreatePrimary_In_Unmarshal(CreatePrimary_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->primaryHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_SENSITIVE_CREATE_Unmarshalu(&target->inSensitive, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CreatePrimary_inSensitive;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_Unmarshalu(&target->inPublic, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CreatePrimary_inPublic;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->outsideInfo, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CreatePrimary_outsideInfo;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_PCR_SELECTION_Unmarshalu(&target->creationPCR, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_CreatePrimary_creationPCR;
+ }
+ }
+ return rc;
+}
+TPM_RC
+HierarchyControl_In_Unmarshal(HierarchyControl_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_RH_ENABLES_Unmarshalu(&target->enable, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_HierarchyControl_enable;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_YES_NO_Unmarshalu(&target->state, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_HierarchyControl_state;
+ }
+ }
+ return rc;
+}
+TPM_RC
+SetPrimaryPolicy_In_Unmarshal(SetPrimaryPolicy_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->authPolicy, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_SetPrimaryPolicy_authPolicy;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hashAlg, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_SetPrimaryPolicy_hashAlg;
+ }
+ }
+ return rc;
+}
+TPM_RC
+ChangePPS_In_Unmarshal(ChangePPS_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+ChangeEPS_In_Unmarshal(ChangeEPS_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+Clear_In_Unmarshal(Clear_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+ClearControl_In_Unmarshal(ClearControl_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->auth = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_YES_NO_Unmarshalu(&target->disable, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ClearControl_disable;
+ }
+ }
+ return rc;
+}
+TPM_RC
+HierarchyChangeAuth_In_Unmarshal(HierarchyChangeAuth_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_AUTH_Unmarshalu(&target->newAuth, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_HierarchyChangeAuth_newAuth;
+ }
+ }
+ return rc;
+}
+TPM_RC
+DictionaryAttackLockReset_In_Unmarshal(DictionaryAttackLockReset_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->lockHandle = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+DictionaryAttackParameters_In_Unmarshal(DictionaryAttackParameters_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->lockHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->newMaxTries, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_DictionaryAttackParameters_newMaxTries;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->newRecoveryTime, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_DictionaryAttackParameters_newRecoveryTime;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->lockoutRecovery, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_DictionaryAttackParameters_lockoutRecovery;
+ }
+ }
+ return rc;
+}
+TPM_RC
+PP_Commands_In_Unmarshal(PP_Commands_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->auth = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_CC_Unmarshalu(&target->setList, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PP_Commands_setList;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_CC_Unmarshalu(&target->clearList, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_PP_Commands_clearList;
+ }
+ }
+ return rc;
+}
+TPM_RC
+SetAlgorithmSet_In_Unmarshal(SetAlgorithmSet_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->algorithmSet, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_SetAlgorithmSet_algorithmSet;
+ }
+ }
+ return rc;
+}
+TPM_RC
+ContextSave_In_Unmarshal(ContextSave_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->saveHandle = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+ContextLoad_In_Unmarshal(ContextLoad_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_CONTEXT_Unmarshalu(&target->context, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ContextLoad_context;
+ }
+ }
+ return rc;
+}
+TPM_RC
+FlushContext_In_Unmarshal(FlushContext_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_DH_CONTEXT_Unmarshalu(&target->flushHandle, buffer, size, NO);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_FlushContext_flushHandle;
+ }
+ }
+ return rc;
+}
+TPM_RC
+EvictControl_In_Unmarshal(EvictControl_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->auth = handles[0];
+ target->objectHandle = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_DH_PERSISTENT_Unmarshalu(&target->persistentHandle, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_EvictControl_persistentHandle;
+ }
+ }
+ return rc;
+}
+TPM_RC
+ClockSet_In_Unmarshal(ClockSet_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->auth = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT64_Unmarshalu(&target->newTime, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ClockSet_newTime;
+ }
+ }
+ return rc;
+}
+TPM_RC
+ClockRateAdjust_In_Unmarshal(ClockRateAdjust_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->auth = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_CLOCK_ADJUST_Unmarshalu(&target->rateAdjust, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_ClockRateAdjust_rateAdjust;
+ }
+ }
+ return rc;
+}
+TPM_RC
+GetCapability_In_Unmarshal(GetCapability_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_CAP_Unmarshalu(&target->capability, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_GetCapability_capability;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->property, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_GetCapability_property;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->propertyCount, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_GetCapability_propertyCount;
+ }
+ }
+ return rc;
+}
+TPM_RC
+TestParms_In_Unmarshal(TestParms_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_PUBLIC_PARMS_Unmarshalu(&target->parameters, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_TestParms_parameters;
+ }
+ }
+ return rc;
+}
+TPM_RC
+NV_DefineSpace_In_Unmarshal(NV_DefineSpace_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_AUTH_Unmarshalu(&target->auth, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_DefineSpace_auth;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NV_PUBLIC_Unmarshalu(&target->publicInfo, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_DefineSpace_publicInfo;
+ }
+ }
+ return rc;
+}
+TPM_RC
+NV_UndefineSpace_In_Unmarshal(NV_UndefineSpace_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ target->nvIndex = handles[1];
+ }
+ return rc;
+}
+TPM_RC
+NV_UndefineSpaceSpecial_In_Unmarshal(NV_UndefineSpaceSpecial_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->nvIndex = handles[0];
+ target->platform = handles[1];
+ }
+ return rc;
+}
+TPM_RC
+NV_ReadPublic_In_Unmarshal(NV_ReadPublic_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->nvIndex = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+NV_Write_In_Unmarshal(NV_Write_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ target->nvIndex = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_NV_BUFFER_Unmarshalu(&target->data, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_Write_data;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->offset, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_Write_offset;
+ }
+ }
+ return rc;
+}
+TPM_RC
+NV_Increment_In_Unmarshal(NV_Increment_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ target->nvIndex = handles[1];
+ }
+ return rc;
+}
+TPM_RC
+NV_Extend_In_Unmarshal(NV_Extend_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ target->nvIndex = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_NV_BUFFER_Unmarshalu(&target->data, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_Extend_data;
+ }
+ }
+ return rc;
+}
+TPM_RC
+NV_SetBits_In_Unmarshal(NV_SetBits_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ target->nvIndex = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT64_Unmarshalu(&target->bits, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_SetBits_bits;
+ }
+ }
+ return rc;
+}
+TPM_RC
+NV_WriteLock_In_Unmarshal(NV_WriteLock_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ target->nvIndex = handles[1];
+ }
+ return rc;
+}
+TPM_RC
+NV_GlobalWriteLock_In_Unmarshal(NV_GlobalWriteLock_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ }
+ return rc;
+}
+TPM_RC
+NV_Read_In_Unmarshal(NV_Read_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ target->nvIndex = handles[1];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->size, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_Read_size;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->offset, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_Read_offset;
+ }
+ }
+ return rc;
+}
+TPM_RC
+NV_ReadLock_In_Unmarshal(NV_ReadLock_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ buffer = buffer;
+ size = size;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->authHandle = handles[0];
+ target->nvIndex = handles[1];
+ }
+ return rc;
+}
+TPM_RC
+NV_ChangeAuth_In_Unmarshal(NV_ChangeAuth_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->nvIndex = handles[0];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_AUTH_Unmarshalu(&target->newAuth, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_ChangeAuth_newAuth;
+ }
+ }
+ return rc;
+}
+TPM_RC
+NV_Certify_In_Unmarshal(NV_Certify_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ target->signHandle = handles[0];
+ target->authHandle = handles[1];
+ target->nvIndex = handles[2];
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->qualifyingData, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_Certify_qualifyingData;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIG_SCHEME_Unmarshalu(&target->inScheme, buffer, size, YES);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_Certify_inScheme;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->size, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_Certify_size;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->offset, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NV_Certify_offset;
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
diff --git a/libstb/tss2/ibmtpm20tss/utils/Commands12.c b/libstb/tss2/ibmtpm20tss/utils/Commands12.c
new file mode 100644
index 0000000..44e3d0a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/Commands12.c
@@ -0,0 +1,599 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Commands12.c 1285 2018-07-27 18:33:41Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include "Commands12_fp.h"
+#include <ibmtss/Parameters.h>
+
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/Unmarshal12_fp.h>
+
+COMMAND_PARAMETERS in;
+RESPONSE_PARAMETERS out;
+
+/*
+ In_Unmarshal
+*/
+
+TPM_RC
+ActivateIdentity_In_Unmarshal(ActivateIdentity_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+
+ if (rc == 0) {
+ target->idKeyHandle = handles[0];
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->blobSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ if (target->blobSize > sizeof(target->blob)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->blob, target->blobSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+CreateEndorsementKeyPair_In_Unmarshal(CreateEndorsementKeyPair_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->antiReplay, TPM_NONCE_SIZE, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY_PARMS_Unmarshalu(&target->keyInfo, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+CreateWrapKey_In_Unmarshal(CreateWrapKey_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ target->parentHandle = handles[0];
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->dataUsageAuth, SHA1_DIGEST_SIZE, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->dataMigrationAuth, SHA1_DIGEST_SIZE, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY12_Unmarshalu(&target->keyInfo, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_3);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+Extend_In_Unmarshal(Extend_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ target->pcrNum = handles[0];
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->inDigest, SHA1_DIGEST_SIZE, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+FlushSpecific_In_Unmarshal(FlushSpecific_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ target->handle = handles[0];
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->resourceType, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+GetCapability12_In_Unmarshal(GetCapability12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->capArea, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->subCapSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ if (rc == 0) {
+ if (target->subCapSize > sizeof(target->subCap)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->subCap, target->subCapSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_3);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+LoadKey2_In_Unmarshal(LoadKey2_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ target->parentHandle = handles[0];
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY12_Unmarshalu(&target->inKey, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+MakeIdentity_In_Unmarshal(MakeIdentity_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->identityAuth, SHA1_DIGEST_SIZE, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->labelPrivCADigest, SHA1_DIGEST_SIZE, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY12_Unmarshalu(&target->idKeyParams, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_3);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+NV_DefineSpace12_In_Unmarshal(NV_DefineSpace12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+
+ if (rc == 0) {
+ rc = TSS_TPM_NV_DATA_PUBLIC_Unmarshalu(&target->pubInfo, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->encAuth, SHA1_DIGEST_SIZE, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+NV_ReadValueAuth_In_Unmarshal(NV_ReadValueAuth_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ target->nvIndex = handles[0];
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->offset, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->dataSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+NV_ReadValue_In_Unmarshal(NV_ReadValue_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ target->nvIndex = handles[0];
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->offset, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->dataSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+NV_WriteValue_In_Unmarshal(NV_WriteValue_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ target->nvIndex = handles[0];
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->offset, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->dataSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ if (rc == 0) {
+ if (target->dataSize > sizeof(target->data)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->data, target->dataSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_3);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+NV_WriteValueAuth_In_Unmarshal(NV_WriteValueAuth_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ target->nvIndex = handles[0];
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->offset, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->dataSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ if (rc == 0) {
+ if (target->dataSize > sizeof(target->data)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->data, target->dataSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_3);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+OSAP_In_Unmarshal(OSAP_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->entityType, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->entityValue, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->nonceOddOSAP, SHA1_DIGEST_SIZE, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_3);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+OwnerSetDisable_In_Unmarshal(OwnerSetDisable_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->disableState, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+OwnerReadInternalPub_In_Unmarshal(OwnerReadInternalPub_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->keyHandle , buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+PcrRead12_In_Unmarshal(PcrRead12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ buffer = buffer;
+ size = size;
+
+ if (rc == 0) {
+ target->pcrIndex = handles[0];
+ }
+ return rc;
+}
+
+TPM_RC
+PCR_Reset12_In_Unmarshal(PCR_Reset12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_SELECTION_Unmarshalu(&target->pcrSelection, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+Quote2_In_Unmarshal(Quote2_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ target->keyHandle = handles[0];
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->externalData, SHA1_DIGEST_SIZE, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_SELECTION_Unmarshalu(&target->targetPCR, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->addVersion, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_3);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+ReadPubek_In_Unmarshal(ReadPubek_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->antiReplay, TPM_NONCE_SIZE, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+Sign12_In_Unmarshal(Sign12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ target->keyHandle = handles[0];
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->areaToSignSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ if (target->areaToSignSize > sizeof(target->areaToSign)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->areaToSign, target->areaToSignSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+Startup12_In_Unmarshal(Startup12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+
+ if (rc == 0) {
+ rc = TSS_TPM_STARTUP_TYPE_Unmarshalu(&target->startupType, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+TakeOwnership_In_Unmarshal(TakeOwnership_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = 0;
+ handles = handles;
+
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->protocolID, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->encOwnerAuthSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_1);
+ }
+ }
+ if (rc == 0) {
+ if (target->encOwnerAuthSize > sizeof(target->encOwnerAuth)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->encOwnerAuth, target->encOwnerAuthSize , buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_2);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->encSrkAuthSize, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_3);
+ }
+ }
+ if (rc == 0) {
+ if (target->encSrkAuthSize > sizeof(target->encSrkAuth)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->encSrkAuth, target->encSrkAuthSize , buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_4);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY12_Unmarshalu(&target->srkParams, buffer, size);
+ if (rc != 0) {
+ rc += (TPM_RC_P + TPM_RC_5);
+ }
+ }
+ return rc;
+}
+
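Review bot: In TakeOwnership_In_Unmarshal the encOwnerAuthSize failure is tagged with the same parameter number as protocolID (`rc += (TPM_RC_P + TPM_RC_1);` appears for both fields), so a caller cannot tell which of the two parameters failed to unmarshal, unlike Sign12_In_Unmarshal and GetCapability12_In_Unmarshal where every field gets its own number. Change the encOwnerAuthSize tag to `rc += (TPM_RC_P + TPM_RC_2);` and shift the remaining tags in that function by one, ending with TPM_RC_6 for srkParams (assuming TPM_RC_6 is defined alongside TPM_RC_1..TPM_RC_5 in TPM_Types.h). Separately, ActivateIdentity_In_Unmarshal still carries the unused-parameter idiom `handles = handles;` even though it reads handles[0] two lines later; drop that line so the idiom only marks parameters that are genuinely unused. The file-scope `COMMAND_PARAMETERS in;` / `RESPONSE_PARAMETERS out;` definitions are globals that Commands.c may define under the same names; if it does, that is a duplicate-definition link error under the -fno-common default of recent GCC, so worth checking.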
diff --git a/libstb/tss2/ibmtpm20tss/utils/Commands12_fp.h b/libstb/tss2/ibmtpm20tss/utils/Commands12_fp.h
new file mode 100644
index 0000000..29a4bf1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/Commands12_fp.h
@@ -0,0 +1,93 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Commands12_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef COMMANDS12_FP_H
+#define COMMANDS12_FP_H
+
+#include <ibmtss/TPM_Types.h>
+#include <ibmtss/Parameters12.h>
+
+TPM_RC
+ActivateIdentity_In_Unmarshal(ActivateIdentity_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+CreateEndorsementKeyPair_In_Unmarshal(CreateEndorsementKeyPair_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+CreateWrapKey_In_Unmarshal(CreateWrapKey_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+Extend_In_Unmarshal(Extend_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+FlushSpecific_In_Unmarshal(FlushSpecific_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+GetCapability12_In_Unmarshal(GetCapability12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+LoadKey2_In_Unmarshal(LoadKey2_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+MakeIdentity_In_Unmarshal(MakeIdentity_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_DefineSpace12_In_Unmarshal(NV_DefineSpace12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_ReadValueAuth_In_Unmarshal(NV_ReadValueAuth_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_ReadValue_In_Unmarshal(NV_ReadValue_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_WriteValue_In_Unmarshal(NV_WriteValue_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_WriteValueAuth_In_Unmarshal(NV_WriteValueAuth_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+OSAP_In_Unmarshal(OSAP_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+OwnerSetDisable_In_Unmarshal(OwnerSetDisable_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+OwnerReadInternalPub_In_Unmarshal(OwnerReadInternalPub_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PcrRead12_In_Unmarshal(PcrRead12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PCR_Reset12_In_Unmarshal(PCR_Reset12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+ReadPubek_In_Unmarshal(ReadPubek_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+Quote2_In_Unmarshal(Quote2_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+Sign12_In_Unmarshal(Sign12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+Startup12_In_Unmarshal(Startup12_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+TakeOwnership_In_Unmarshal(TakeOwnership_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+
+#endif
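Review bot: The prototypes give no contract for `handles[]`, yet the implementations index it unchecked (handles[0] in ActivateIdentity_In_Unmarshal, LoadKey2_In_Unmarshal and others; up to handles[2] in the TPM 2.0 NV_Certify unmarshaller earlier in this patch) and take no count, so an undersized array from a caller is an out-of-bounds read. Add a comment above the first prototype, e.g. `/* handles[] holds the command's handle-area values in order and is indexed without a bound check; callers must size it for the command's handle count. */`. It would also help to state that buffer/size are advanced in place, that array sizes read from the stream are checked against the target fields while offset/dataSize values are passed through for the TPM to validate, and that a nonzero return carries TPM_RC_P plus the number of the parameter that failed.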
diff --git a/libstb/tss2/ibmtpm20tss/utils/Commands_fp.h b/libstb/tss2/ibmtpm20tss/utils/Commands_fp.h
new file mode 100644
index 0000000..8041d94
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/Commands_fp.h
@@ -0,0 +1,505 @@
+/********************************************************************************/
+/* */
+/* Command and Response Marshal and Unmarshal */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012 - 2019 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef COMMANDS_FP_H
+#define COMMANDS_FP_H
+
+#include <ibmtss/TPM_Types.h>
+
+#include <ibmtss/ActivateCredential_fp.h>
+#include <ibmtss/CertifyCreation_fp.h>
+#include <ibmtss/CertifyX509_fp.h>
+#include <ibmtss/Certify_fp.h>
+#include <ibmtss/ChangeEPS_fp.h>
+#include <ibmtss/ChangePPS_fp.h>
+#include <ibmtss/ClearControl_fp.h>
+#include <ibmtss/Clear_fp.h>
+#include <ibmtss/ClockRateAdjust_fp.h>
+#include <ibmtss/ClockSet_fp.h>
+#include <ibmtss/Commit_fp.h>
+#include <ibmtss/ContextLoad_fp.h>
+#include <ibmtss/ContextSave_fp.h>
+#include <ibmtss/CreatePrimary_fp.h>
+#include <ibmtss/Create_fp.h>
+#include <ibmtss/CreateLoaded_fp.h>
+#include <ibmtss/DictionaryAttackLockReset_fp.h>
+#include <ibmtss/DictionaryAttackParameters_fp.h>
+#include <ibmtss/Duplicate_fp.h>
+#include <ibmtss/ECC_Parameters_fp.h>
+#include <ibmtss/ECDH_KeyGen_fp.h>
+#include <ibmtss/ECDH_ZGen_fp.h>
+#include <ibmtss/EC_Ephemeral_fp.h>
+#include <ibmtss/EncryptDecrypt_fp.h>
+#include <ibmtss/EncryptDecrypt2_fp.h>
+#include <ibmtss/EventSequenceComplete_fp.h>
+#include <ibmtss/EvictControl_fp.h>
+#include <ibmtss/FlushContext_fp.h>
+#include <ibmtss/GetCapability_fp.h>
+#include <ibmtss/GetCommandAuditDigest_fp.h>
+#include <ibmtss/GetRandom_fp.h>
+#include <ibmtss/GetSessionAuditDigest_fp.h>
+#include <ibmtss/GetTestResult_fp.h>
+#include <ibmtss/GetTime_fp.h>
+#include <ibmtss/HMAC_Start_fp.h>
+#include <ibmtss/HMAC_fp.h>
+#include <ibmtss/HashSequenceStart_fp.h>
+#include <ibmtss/Hash_fp.h>
+#include <ibmtss/HierarchyChangeAuth_fp.h>
+#include <ibmtss/HierarchyControl_fp.h>
+#include <ibmtss/Import_fp.h>
+#include <ibmtss/IncrementalSelfTest_fp.h>
+#include <ibmtss/LoadExternal_fp.h>
+#include <ibmtss/Load_fp.h>
+#include <ibmtss/MakeCredential_fp.h>
+#include <ibmtss/NV_Certify_fp.h>
+#include <ibmtss/NV_ChangeAuth_fp.h>
+#include <ibmtss/NV_DefineSpace_fp.h>
+#include <ibmtss/NV_Extend_fp.h>
+#include <ibmtss/NV_GlobalWriteLock_fp.h>
+#include <ibmtss/NV_Increment_fp.h>
+#include <ibmtss/NV_ReadLock_fp.h>
+#include <ibmtss/NV_ReadPublic_fp.h>
+#include <ibmtss/NV_Read_fp.h>
+#include <ibmtss/NV_SetBits_fp.h>
+#include <ibmtss/NV_UndefineSpaceSpecial_fp.h>
+#include <ibmtss/NV_UndefineSpace_fp.h>
+#include <ibmtss/NV_WriteLock_fp.h>
+#include <ibmtss/NV_Write_fp.h>
+#include <ibmtss/ObjectChangeAuth_fp.h>
+#include <ibmtss/PCR_Allocate_fp.h>
+#include <ibmtss/PCR_Event_fp.h>
+#include <ibmtss/PCR_Extend_fp.h>
+#include <ibmtss/PCR_Read_fp.h>
+#include <ibmtss/PCR_Reset_fp.h>
+#include <ibmtss/PCR_SetAuthPolicy_fp.h>
+#include <ibmtss/PCR_SetAuthValue_fp.h>
+#include <ibmtss/PP_Commands_fp.h>
+#include <ibmtss/PolicyAuthValue_fp.h>
+#include <ibmtss/PolicyAuthorize_fp.h>
+#include <ibmtss/PolicyCommandCode_fp.h>
+#include <ibmtss/PolicyCounterTimer_fp.h>
+#include <ibmtss/PolicyCpHash_fp.h>
+#include <ibmtss/PolicyDuplicationSelect_fp.h>
+#include <ibmtss/PolicyGetDigest_fp.h>
+#include <ibmtss/PolicyLocality_fp.h>
+#include <ibmtss/PolicyAuthorizeNV_fp.h>
+#include <ibmtss/PolicyNV_fp.h>
+#include <ibmtss/PolicyNvWritten_fp.h>
+#include <ibmtss/PolicyNameHash_fp.h>
+#include <ibmtss/PolicyOR_fp.h>
+#include <ibmtss/PolicyPCR_fp.h>
+#include <ibmtss/PolicyPassword_fp.h>
+#include <ibmtss/PolicyPhysicalPresence_fp.h>
+#include <ibmtss/PolicyRestart_fp.h>
+#include <ibmtss/PolicySecret_fp.h>
+#include <ibmtss/PolicySigned_fp.h>
+#include <ibmtss/PolicyTemplate_fp.h>
+#include <ibmtss/PolicyTicket_fp.h>
+#include <ibmtss/Quote_fp.h>
+#include <ibmtss/RSA_Decrypt_fp.h>
+#include <ibmtss/RSA_Encrypt_fp.h>
+#include <ibmtss/ReadClock_fp.h>
+#include <ibmtss/ReadPublic_fp.h>
+#include <ibmtss/Rewrap_fp.h>
+#include <ibmtss/SelfTest_fp.h>
+#include <ibmtss/SequenceComplete_fp.h>
+#include <ibmtss/SequenceUpdate_fp.h>
+#include <ibmtss/SetAlgorithmSet_fp.h>
+#include <ibmtss/SetCommandCodeAuditStatus_fp.h>
+#include <ibmtss/SetPrimaryPolicy_fp.h>
+#include <ibmtss/Shutdown_fp.h>
+#include <ibmtss/Sign_fp.h>
+#include <ibmtss/StartAuthSession_fp.h>
+#include <ibmtss/Startup_fp.h>
+#include <ibmtss/StirRandom_fp.h>
+#include <ibmtss/TestParms_fp.h>
+#include <ibmtss/Unseal_fp.h>
+#include <ibmtss/VerifySignature_fp.h>
+#include <ibmtss/ZGen_2Phase_fp.h>
+#include <ibmtss/NTC_fp.h>
+
+TPM_RC
+Startup_In_Unmarshal(Startup_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+Shutdown_In_Unmarshal(Shutdown_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+SelfTest_In_Unmarshal(SelfTest_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+IncrementalSelfTest_In_Unmarshal(IncrementalSelfTest_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+IncrementalSelfTest_Out_Marshal(IncrementalSelfTest_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+UINT16
+GetTestResult_Out_Marshal(GetTestResult_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+StartAuthSession_In_Unmarshal(StartAuthSession_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+StartAuthSession_Out_Marshal(StartAuthSession_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+PolicyRestart_In_Unmarshal(PolicyRestart_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+Create_In_Unmarshal(Create_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+Create_Out_Marshal(Create_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+Load_In_Unmarshal(Load_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+Load_Out_Marshal(Load_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+LoadExternal_In_Unmarshal(LoadExternal_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+LoadExternal_Out_Marshal(LoadExternal_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+ReadPublic_In_Unmarshal(ReadPublic_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+ReadPublic_Out_Marshal(ReadPublic_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+ActivateCredential_In_Unmarshal(ActivateCredential_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+ActivateCredential_Out_Marshal(ActivateCredential_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+MakeCredential_In_Unmarshal(MakeCredential_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+MakeCredential_Out_Marshal(MakeCredential_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+Unseal_In_Unmarshal(Unseal_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+Unseal_Out_Marshal(Unseal_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+ObjectChangeAuth_In_Unmarshal(ObjectChangeAuth_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+ObjectChangeAuth_Out_Marshal(ObjectChangeAuth_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+CreateLoaded_In_Unmarshal(CreateLoaded_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+Duplicate_In_Unmarshal(Duplicate_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+Duplicate_Out_Marshal(Duplicate_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+Rewrap_In_Unmarshal(Rewrap_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+Rewrap_Out_Marshal(Rewrap_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+Import_In_Unmarshal(Import_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+Import_Out_Marshal(Import_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+RSA_Encrypt_In_Unmarshal(RSA_Encrypt_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+RSA_Encrypt_Out_Marshal(RSA_Encrypt_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+RSA_Decrypt_In_Unmarshal(RSA_Decrypt_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+RSA_Decrypt_Out_Marshal(RSA_Decrypt_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+ECDH_KeyGen_In_Unmarshal(ECDH_KeyGen_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+ECDH_KeyGen_Out_Marshal(ECDH_KeyGen_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+ECDH_ZGen_In_Unmarshal(ECDH_ZGen_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+ECDH_ZGen_Out_Marshal(ECDH_ZGen_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+ECC_Parameters_In_Unmarshal(ECC_Parameters_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+ECC_Parameters_Out_Marshal(ECC_Parameters_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+ZGen_2Phase_In_Unmarshal(ZGen_2Phase_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+ZGen_2Phase_Out_Marshal(ZGen_2Phase_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+EncryptDecrypt_In_Unmarshal(EncryptDecrypt_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+EncryptDecrypt_Out_Marshal(EncryptDecrypt_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+EncryptDecrypt2_In_Unmarshal(EncryptDecrypt2_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+Hash_In_Unmarshal(Hash_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+Hash_Out_Marshal(Hash_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+HMAC_In_Unmarshal(HMAC_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+HMAC_Out_Marshal(HMAC_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+GetRandom_In_Unmarshal(GetRandom_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+GetRandom_Out_Marshal(GetRandom_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+StirRandom_In_Unmarshal(StirRandom_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+HMAC_Start_In_Unmarshal(HMAC_Start_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+HMAC_Start_Out_Marshal(HMAC_Start_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+HashSequenceStart_In_Unmarshal(HashSequenceStart_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+HashSequenceStart_Out_Marshal(HashSequenceStart_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+SequenceUpdate_In_Unmarshal(SequenceUpdate_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+SequenceComplete_In_Unmarshal(SequenceComplete_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+SequenceComplete_Out_Marshal(SequenceComplete_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+EventSequenceComplete_In_Unmarshal(EventSequenceComplete_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+EventSequenceComplete_Out_Marshal(EventSequenceComplete_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+Certify_In_Unmarshal(Certify_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+Certify_Out_Marshal(Certify_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+CertifyX509_In_Unmarshal(CertifyX509_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+CertifyCreation_In_Unmarshal(CertifyCreation_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+CertifyCreation_Out_Marshal(CertifyCreation_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+CertifyX509_In_Unmarshal(CertifyX509_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+CertifyX509_Out_Marshal(CertifyX509_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+Quote_In_Unmarshal(Quote_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+Quote_Out_Marshal(Quote_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+GetSessionAuditDigest_In_Unmarshal(GetSessionAuditDigest_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+GetSessionAuditDigest_Out_Marshal(GetSessionAuditDigest_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+GetCommandAuditDigest_In_Unmarshal(GetCommandAuditDigest_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+GetCommandAuditDigest_Out_Marshal(GetCommandAuditDigest_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+GetTime_In_Unmarshal(GetTime_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+GetTime_Out_Marshal(GetTime_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+Commit_In_Unmarshal(Commit_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+Commit_Out_Marshal(Commit_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+EC_Ephemeral_In_Unmarshal(EC_Ephemeral_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+EC_Ephemeral_Out_Marshal(EC_Ephemeral_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+VerifySignature_In_Unmarshal(VerifySignature_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+VerifySignature_Out_Marshal(VerifySignature_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+Sign_In_Unmarshal(Sign_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+Sign_Out_Marshal(Sign_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+SetCommandCodeAuditStatus_In_Unmarshal(SetCommandCodeAuditStatus_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PCR_Extend_In_Unmarshal(PCR_Extend_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PCR_Event_In_Unmarshal(PCR_Event_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+PCR_Event_Out_Marshal(PCR_Event_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+PCR_Read_In_Unmarshal(PCR_Read_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+PCR_Read_Out_Marshal(PCR_Read_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+PCR_Allocate_In_Unmarshal(PCR_Allocate_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+PCR_Allocate_Out_Marshal(PCR_Allocate_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+PCR_SetAuthPolicy_In_Unmarshal(PCR_SetAuthPolicy_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PCR_SetAuthValue_In_Unmarshal(PCR_SetAuthValue_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PCR_Reset_In_Unmarshal(PCR_Reset_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicySigned_In_Unmarshal(PolicySigned_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+PolicySigned_Out_Marshal(PolicySigned_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+PolicySecret_In_Unmarshal(PolicySecret_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+PolicySecret_Out_Marshal(PolicySecret_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+PolicyTicket_In_Unmarshal(PolicyTicket_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyOR_In_Unmarshal(PolicyOR_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyPCR_In_Unmarshal(PolicyPCR_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyLocality_In_Unmarshal(PolicyLocality_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyNV_In_Unmarshal(PolicyNV_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyAuthorizeNV_In_Unmarshal(PolicyAuthorizeNV_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyCounterTimer_In_Unmarshal(PolicyCounterTimer_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyCommandCode_In_Unmarshal(PolicyCommandCode_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyPhysicalPresence_In_Unmarshal(PolicyPhysicalPresence_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyCpHash_In_Unmarshal(PolicyCpHash_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyNameHash_In_Unmarshal(PolicyNameHash_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyDuplicationSelect_In_Unmarshal(PolicyDuplicationSelect_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyAuthorize_In_Unmarshal(PolicyAuthorize_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyAuthValue_In_Unmarshal(PolicyAuthValue_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyPassword_In_Unmarshal(PolicyPassword_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyGetDigest_In_Unmarshal(PolicyGetDigest_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+PolicyGetDigest_Out_Marshal(PolicyGetDigest_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+PolicyNvWritten_In_Unmarshal(PolicyNvWritten_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PolicyTemplate_In_Unmarshal(PolicyTemplate_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+CreatePrimary_In_Unmarshal(CreatePrimary_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+CreatePrimary_Out_Marshal(CreatePrimary_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+HierarchyControl_In_Unmarshal(HierarchyControl_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+SetPrimaryPolicy_In_Unmarshal(SetPrimaryPolicy_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+ChangePPS_In_Unmarshal(ChangePPS_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+ChangeEPS_In_Unmarshal(ChangeEPS_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+Clear_In_Unmarshal(Clear_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+ClearControl_In_Unmarshal(ClearControl_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+HierarchyChangeAuth_In_Unmarshal(HierarchyChangeAuth_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+DictionaryAttackLockReset_In_Unmarshal(DictionaryAttackLockReset_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+DictionaryAttackParameters_In_Unmarshal(DictionaryAttackParameters_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+PP_Commands_In_Unmarshal(PP_Commands_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+SetAlgorithmSet_In_Unmarshal(SetAlgorithmSet_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+ContextSave_In_Unmarshal(ContextSave_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+ContextSave_Out_Marshal(ContextSave_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+ContextLoad_In_Unmarshal(ContextLoad_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+ContextLoad_Out_Marshal(ContextLoad_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+FlushContext_In_Unmarshal(FlushContext_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+EvictControl_In_Unmarshal(EvictControl_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+ReadClock_Out_Marshal(ReadClock_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+ClockSet_In_Unmarshal(ClockSet_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+ClockRateAdjust_In_Unmarshal(ClockRateAdjust_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+GetCapability_In_Unmarshal(GetCapability_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+GetCapability_Out_Marshal(GetCapability_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+TestParms_In_Unmarshal(TestParms_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_DefineSpace_In_Unmarshal(NV_DefineSpace_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_UndefineSpace_In_Unmarshal(NV_UndefineSpace_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_UndefineSpaceSpecial_In_Unmarshal(NV_UndefineSpaceSpecial_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_ReadPublic_In_Unmarshal(NV_ReadPublic_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+NV_ReadPublic_Out_Marshal(NV_ReadPublic_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+NV_Write_In_Unmarshal(NV_Write_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_Increment_In_Unmarshal(NV_Increment_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_Extend_In_Unmarshal(NV_Extend_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_SetBits_In_Unmarshal(NV_SetBits_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_WriteLock_In_Unmarshal(NV_WriteLock_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_GlobalWriteLock_In_Unmarshal(NV_GlobalWriteLock_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_Read_In_Unmarshal(NV_Read_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+NV_Read_Out_Marshal(NV_Read_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+TPM_RC
+NV_ReadLock_In_Unmarshal(NV_ReadLock_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_ChangeAuth_In_Unmarshal(NV_ChangeAuth_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+TPM_RC
+NV_Certify_In_Unmarshal(NV_Certify_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+UINT16
+NV_Certify_Out_Marshal(NV_Certify_Out *source, TPMI_ST_COMMAND_TAG tag, BYTE **buffer, uint32_t *size);
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/Makefile.am b/libstb/tss2/ibmtpm20tss/utils/Makefile.am
new file mode 100644
index 0000000..1e51fe3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/Makefile.am
@@ -0,0 +1,594 @@
+transform=s&^&tss&
+
+lib_LTLIBRARIES = libibmtss.la
+#if CONFIG_TPM20
+lib_LTLIBRARIES += libibmtssutils.la
+#endif
+
+# default TSS Library
+libibmtss_la_SOURCES = tssfile.c tsscryptoh.c tsscrypto.c
+libibmtss_la_LIBADD = $(LIBCRYPTO_LIBS)
+
+# TSS shared library object files (utils/makefile-common)
+libibmtss_la_SOURCES += tss.c tssproperties.c tssmarshal.c tssauth.c tssutils.c tsssocket.c tssdev.c tsstransmit.c tssresponsecode.c tssccattributes.c tssprint.c Unmarshal.c CommandAttributeData.c
+
+# TPM 2.0
+# TSS share libarary object files
+if CONFIG_TPM20
+libibmtss_la_SOURCES += tss20.c tssauth20.c Commands.c tssprintcmd.c
+libibmtss_la_SOURCES += ntc2lib.c tssntc.c
+endif
+
+# (from utils/makefile-common12)
+if CONFIG_TPM12
+libibmtss_la_SOURCES += tss12.c tssauth12.c tssmarshal12.c Unmarshal12.c Commands12.c tssccattributes12.c CommandAttributeData12.c
+endif
+
+libibmtss_la_CFLAGS = -fPIC
+if CONFIG_HWTPM
+libibmtss_la_CFLAGS += -DTPM_INTERFACE_TYPE_DEFAULT="\"dev\""
+endif
+
+if CONFIG_RMTPM
+libibmtss_la_CFLAGS += -DTPM_DEVICE_DEFAULT="\"/dev/tpmrm0\""
+endif
+
+if CONFIG_TPM20
+libibmtss_la_CFLAGS += -DTPM_TPM20
+endif
+
+if CONFIG_TPM12
+libibmtss_la_CFLAGS += -DTPM_TPM12
+endif
+
+if CONFIG_TSS_NOPRINT
+libibmtss_la_CFLAGS += -DTPM_TSS_NO_PRINT
+endif
+
+if CONFIG_TSS_NOFILE
+libibmtss_la_CFLAGS += -DTPM_TSS_NOFILE
+if CONFIG_TSS_NOCRYPTO
+libibmtss_la_CFLAGS += -DTPM_TSS_NOCRYPTO
+endif
+endif
+
+if CONFIG_TSS_NOECC
+libibmtss_la_CFLAGS += -DTPM_TSS_NOECC
+endif
+
+libibmtss_la_CCFLAGS = -Wall -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wformat=2 -Wold-style-definition -Wno-self-assign -ggdb
+libibmtss_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@
+
+libibmtssutils_la_SOURCES = cryptoutils.c ekutils.c imalib.c eventlib.c
+libibmtssutils_la_CFLAGS = -fPIC
+
+if CONFIG_TPM20
+libibmtssutils_la_CFLAGS += -DTPM_TPM20
+endif
+
+if CONFIG_TPM12
+libibmtssutils_la_CFLAGS += -DTPM_TPM12
+endif
+
+if CONFIG_TSS_NOECC
+libibmtssutils_la_CFLAGS += -DTPM_TSS_NOECC
+endif
+
+#current[:revision[:age]]
+#result: [current-age].age.revision
+libibmtssutils_la_LDFLAGS = -version-info @TSSLIB_VERSION_INFO@
+libibmtssutils_la_LIBADD = libibmtss.la $(LIBCRYPTO_LIBS)
+
+noinst_HEADERS = CommandAttributes.h imalib.h tssdev.h ntc2lib.h tssntc.h Commands_fp.h objecttemplates.h tssproperties.h cryptoutils.h Platform.h tssauth.h tsssocket.h ekutils.h eventlib.h tssccattributes.h
+# install every header in ibmtss
+nobase_include_HEADERS = ibmtss/*.h
+
+notrans_man_MANS = man/man1/*.1
+
+if CONFIG_TPM20
+noinst_HEADERS += tss20.h tssauth20.h ibmtss/tssprintcmd.h
+endif
+
+if CONFIG_TPM12
+noinst_HEADERS += tss12.h Commands12_fp.h tssauth12.h tssccattributes12.h ibmtss/Unmarshal12_fp.h ibmtss/Parameters12.h ibmtss/tpmstructures12.h ibmtss/tpmconstants12.h ibmtss/tpmtypes12.h
+endif
+
+if CONFIG_TPM20
+bin_PROGRAMS = activatecredential eventextend imaextend certify certifycreation certifyx509 changeeps changepps clear \
+ clearcontrol clockrateadjust clockset commit contextload contextsave create createloaded createprimary \
+ dictionaryattacklockreset dictionaryattackparameters duplicate eccparameters ecephemeral encryptdecrypt \
+ eventsequencecomplete evictcontrol flushcontext getcommandauditdigest getcapability getcryptolibrary \
+ getrandom gettestresult getsessionauditdigest gettime hashsequencestart hash hierarchycontrol \
+ hierarchychangeauth hmac hmacstart import importpem load loadexternal makecredential nvcertify nvchangeauth \
+ nvdefinespace nvextend nvglobalwritelock nvincrement nvread nvreadlock nvreadpublic nvsetbits \
+ nvundefinespace nvundefinespacespecial nvwrite nvwritelock objectchangeauth pcrallocate pcrevent pcrextend \
+ pcrread pcrreset policyauthorize policyauthvalue policycommandcode policycphash policynamehash \
+ policycountertimer policyduplicationselect policygetdigest policymaker policymakerpcr policyauthorizenv \
+ policynv policynvwritten policyor policypassword policypcr policyrestart policysigned policysecret \
+ policytemplate policyticket quote powerup readclock readpublic returncode rewrap rsadecrypt rsaencrypt \
+ sequenceupdate sequencecomplete setcommandcodeauditstatus setprimarypolicy shutdown sign startauthsession \
+ startup stirrandom unseal \
+ verifysignature zgen2phase signapp writeapp timepacket createek createekcert tpm2pem tpmpublic2eccpoint \
+ ntc2getconfig ntc2preconfig ntc2lockconfig publicname tpmcmd printattr
+
+if CONFIG_TSS_NOECC
+UTILS_CFLAGS = -DTPM_TSS_NOECC
+endif
+
+activatecredential_SOURCES = activatecredential.c
+activatecredential_CFLAGS = $(UTILS_CFLAGS)
+activatecredential_LDADD = libibmtssutils.la libibmtss.la
+
+eventextend_SOURCES = eventextend.c
+eventextend_CFLAGS = $(UTILS_CFLAGS)
+eventextend_LDADD = libibmtssutils.la libibmtss.la
+
+imaextend_SOURCES = imaextend.c
+imaextend_CFLAGS = $(UTILS_CFLAGS)
+imaextend_LDADD = libibmtssutils.la libibmtss.la
+
+certify_SOURCES = certify.c
+certify_CFLAGS = $(UTILS_CFLAGS)
+certify_LDADD = libibmtssutils.la libibmtss.la
+
+certifycreation_SOURCES = certifycreation.c
+certifycreation_CFLAGS = $(UTILS_CFLAGS)
+certifycreation_LDADD = libibmtssutils.la libibmtss.la
+
+certifyx509_SOURCES = certifyx509.c
+certifyx509_CFLAGS = $(UTILS_CFLAGS)
+certifyx509_LDADD = libibmtssutils.la libibmtss.la $(LIBCRYPTO_LIBS)
+
+changeeps_SOURCES = changeeps.c
+changeeps_CFLAGS = $(UTILS_CFLAGS)
+changeeps_LDADD = libibmtssutils.la libibmtss.la
+
+changepps_SOURCES = changepps.c
+changepps_CFLAGS = $(UTILS_CFLAGS) -DTPM_POSIX
+changepps_LDADD = libibmtssutils.la libibmtss.la
+
+clear_SOURCES = clear.c
+clear_CFLAGS = $(UTILS_CFLAGS)
+clear_LDADD = libibmtssutils.la libibmtss.la
+
+clearcontrol_SOURCES = clearcontrol.c
+clearcontrol_CFLAGS = $(UTILS_CFLAGS)
+clearcontrol_LDADD = libibmtssutils.la libibmtss.la
+
+clockrateadjust_SOURCES = clockrateadjust.c
+clockrateadjust_CFLAGS = $(UTILS_CFLAGS)
+clockrateadjust_LDADD = libibmtssutils.la libibmtss.la
+
+clockset_SOURCES = clockset.c
+clockset_CFLAGS = $(UTILS_CFLAGS)
+clockset_LDADD = libibmtssutils.la libibmtss.la
+
+commit_SOURCES = commit.c
+commit_CFLAGS = $(UTILS_CFLAGS)
+commit_LDADD = libibmtssutils.la libibmtss.la
+
+contextload_SOURCES = contextload.c
+contextload_CFLAGS = $(UTILS_CFLAGS)
+contextload_LDADD = libibmtssutils.la libibmtss.la
+
+contextsave_SOURCES = contextsave.c
+contextsave_CFLAGS = $(UTILS_CFLAGS)
+contextsave_LDADD = libibmtssutils.la libibmtss.la
+
+create_SOURCES = create.c objecttemplates.c
+create_CFLAGS = $(UTILS_CFLAGS)
+create_LDADD = libibmtssutils.la libibmtss.la
+
+createloaded_SOURCES = createloaded.c objecttemplates.c
+createloaded_CFLAGS = $(UTILS_CFLAGS)
+createloaded_LDADD = libibmtssutils.la libibmtss.la
+
+createprimary_SOURCES = createprimary.c objecttemplates.c
+createprimary_CFLAGS = $(UTILS_CFLAGS)
+createprimary_LDADD = libibmtssutils.la libibmtss.la
+
+dictionaryattacklockreset_SOURCES = dictionaryattacklockreset.c
+dictionaryattacklockreset_CFLAGS = $(UTILS_CFLAGS)
+dictionaryattacklockreset_LDADD = libibmtssutils.la libibmtss.la
+
+dictionaryattackparameters_SOURCES = dictionaryattackparameters.c
+dictionaryattackparameters_CFLAGS = $(UTILS_CFLAGS)
+dictionaryattackparameters_LDADD = libibmtssutils.la libibmtss.la
+
+duplicate_SOURCES = duplicate.c
+duplicate_CFLAGS = $(UTILS_CFLAGS)
+duplicate_LDADD = libibmtssutils.la libibmtss.la
+
+eccparameters_SOURCES = eccparameters.c
+eccparameters_CFLAGS = $(UTILS_CFLAGS)
+eccparameters_LDADD = libibmtssutils.la libibmtss.la
+
+ecephemeral_SOURCES = ecephemeral.c
+ecephemeral_CFLAGS = $(UTILS_CFLAGS)
+ecephemeral_LDADD = libibmtssutils.la libibmtss.la
+
+encryptdecrypt_SOURCES = encryptdecrypt.c
+encryptdecrypt_CFLAGS = $(UTILS_CFLAGS)
+encryptdecrypt_LDADD = libibmtssutils.la libibmtss.la
+
+eventsequencecomplete_SOURCES = eventsequencecomplete.c
+eventsequencecomplete_CFLAGS = $(UTILS_CFLAGS)
+eventsequencecomplete_LDADD = libibmtssutils.la libibmtss.la
+
+evictcontrol_SOURCES = evictcontrol.c
+evictcontrol_CFLAGS = $(UTILS_CFLAGS)
+evictcontrol_LDADD = libibmtssutils.la libibmtss.la
+
+flushcontext_SOURCES = flushcontext.c
+flushcontext_CFLAGS = $(UTILS_CFLAGS)
+flushcontext_LDADD = libibmtssutils.la libibmtss.la
+
+getcommandauditdigest_SOURCES = getcommandauditdigest.c
+getcommandauditdigest_CFLAGS = $(UTILS_CFLAGS)
+getcommandauditdigest_LDADD = libibmtssutils.la libibmtss.la
+
+getcapability_SOURCES = getcapability.c
+getcapability_CFLAGS = $(UTILS_CFLAGS)
+getcapability_LDADD = libibmtssutils.la libibmtss.la
+
+getcryptolibrary_SOURCES = getcryptolibrary.c
+getcryptolibrary_CFLAGS = $(UTILS_CFLAGS)
+getcryptolibrary_LDADD = libibmtssutils.la libibmtss.la
+
+getrandom_SOURCES = getrandom.c
+getrandom_CFLAGS = $(UTILS_CFLAGS)
+getrandom_LDADD = libibmtssutils.la libibmtss.la
+
+gettestresult_SOURCES = gettestresult.c
+gettestresult_CFLAGS = $(UTILS_CFLAGS)
+gettestresult_LDADD = libibmtssutils.la libibmtss.la
+
+getsessionauditdigest_SOURCES = getsessionauditdigest.c
+getsessionauditdigest_CFLAGS = $(UTILS_CFLAGS)
+getsessionauditdigest_LDADD = libibmtssutils.la libibmtss.la
+
+gettime_SOURCES = gettime.c
+gettime_CFLAGS = $(UTILS_CFLAGS)
+gettime_LDADD = libibmtssutils.la libibmtss.la
+
+hashsequencestart_SOURCES = hashsequencestart.c
+hashsequencestart_CFLAGS = $(UTILS_CFLAGS)
+hashsequencestart_LDADD = libibmtssutils.la libibmtss.la
+
+hash_SOURCES = hash.c
+hash_CFLAGS = $(UTILS_CFLAGS)
+hash_LDADD = libibmtssutils.la libibmtss.la
+
+hierarchycontrol_SOURCES = hierarchycontrol.c
+hierarchycontrol_CFLAGS = $(UTILS_CFLAGS)
+hierarchycontrol_LDADD = libibmtssutils.la libibmtss.la
+
+hierarchychangeauth_SOURCES = hierarchychangeauth.c
+hierarchychangeauth_CFLAGS = $(UTILS_CFLAGS)
+hierarchychangeauth_LDADD = libibmtssutils.la libibmtss.la
+
+hmac_SOURCES = hmac.c
+hmac_CFLAGS = $(UTILS_CFLAGS)
+hmac_LDADD = libibmtssutils.la libibmtss.la
+
+hmacstart_SOURCES = hmacstart.c
+hmacstart_CFLAGS = $(UTILS_CFLAGS)
+hmacstart_LDADD = libibmtssutils.la libibmtss.la
+
+import_SOURCES = import.c
+import_CFLAGS = $(UTILS_CFLAGS)
+import_LDADD = libibmtssutils.la libibmtss.la
+
+importpem_SOURCES = importpem.c objecttemplates.c
+importpem_CFLAGS = $(UTILS_CFLAGS)
+importpem_LDADD = libibmtssutils.la libibmtss.la
+
+load_SOURCES = load.c
+load_CFLAGS = $(UTILS_CFLAGS)
+load_LDADD = libibmtssutils.la libibmtss.la
+
+loadexternal_SOURCES = loadexternal.c
+loadexternal_CFLAGS = $(UTILS_CFLAGS)
+loadexternal_LDADD = libibmtssutils.la libibmtss.la
+
+makecredential_SOURCES = makecredential.c
+makecredential_CFLAGS = $(UTILS_CFLAGS)
+makecredential_LDADD = libibmtssutils.la libibmtss.la
+
+nvcertify_SOURCES = nvcertify.c
+nvcertify_CFLAGS = $(UTILS_CFLAGS)
+nvcertify_LDADD = libibmtssutils.la libibmtss.la
+
+nvchangeauth_SOURCES = nvchangeauth.c
+nvchangeauth_CFLAGS = $(UTILS_CFLAGS)
+nvchangeauth_LDADD = libibmtssutils.la libibmtss.la
+
+nvdefinespace_SOURCES = nvdefinespace.c
+nvdefinespace_CFLAGS = $(UTILS_CFLAGS)
+nvdefinespace_LDADD = libibmtssutils.la libibmtss.la
+
+nvextend_SOURCES = nvextend.c
+nvextend_CFLAGS = $(UTILS_CFLAGS)
+nvextend_LDADD = libibmtssutils.la libibmtss.la
+
+nvglobalwritelock_SOURCES = nvglobalwritelock.c
+nvglobalwritelock_CFLAGS = $(UTILS_CFLAGS)
+nvglobalwritelock_LDADD = libibmtssutils.la libibmtss.la
+
+nvincrement_SOURCES = nvincrement.c
+nvincrement_CFLAGS = $(UTILS_CFLAGS)
+nvincrement_LDADD = libibmtssutils.la libibmtss.la
+
+nvread_SOURCES = nvread.c
+nvread_CFLAGS = $(UTILS_CFLAGS)
+nvread_LDADD = libibmtssutils.la libibmtss.la $(LIBCRYPTO_LIBS)
+
+nvreadlock_SOURCES = nvreadlock.c
+nvreadlock_CFLAGS = $(UTILS_CFLAGS)
+nvreadlock_LDADD = libibmtssutils.la libibmtss.la
+
+nvreadpublic_SOURCES = nvreadpublic.c
+nvreadpublic_CFLAGS = $(UTILS_CFLAGS)
+nvreadpublic_LDADD = libibmtssutils.la libibmtss.la
+
+nvsetbits_SOURCES = nvsetbits.c
+nvsetbits_CFLAGS = $(UTILS_CFLAGS)
+nvsetbits_LDADD = libibmtssutils.la libibmtss.la
+
+nvundefinespace_SOURCES = nvundefinespace.c
+nvundefinespace_CFLAGS = $(UTILS_CFLAGS)
+nvundefinespace_LDADD = libibmtssutils.la libibmtss.la
+
+nvundefinespacespecial_SOURCES = nvundefinespacespecial.c
+nvundefinespacespecial_CFLAGS = $(UTILS_CFLAGS)
+nvundefinespacespecial_LDADD = libibmtssutils.la libibmtss.la
+
+nvwrite_SOURCES = nvwrite.c
+nvwrite_CFLAGS = $(UTILS_CFLAGS)
+nvwrite_LDADD = libibmtssutils.la libibmtss.la
+
+nvwritelock_SOURCES = nvwritelock.c
+nvwritelock_CFLAGS = $(UTILS_CFLAGS)
+nvwritelock_LDADD = libibmtssutils.la libibmtss.la
+
+objectchangeauth_SOURCES = objectchangeauth.c
+objectchangeauth_CFLAGS = $(UTILS_CFLAGS)
+objectchangeauth_LDADD = libibmtssutils.la libibmtss.la
+
+pcrallocate_SOURCES = pcrallocate.c
+pcrallocate_CFLAGS = $(UTILS_CFLAGS)
+pcrallocate_LDADD = libibmtssutils.la libibmtss.la
+
+pcrevent_SOURCES = pcrevent.c
+pcrevent_CFLAGS = $(UTILS_CFLAGS)
+pcrevent_LDADD = libibmtssutils.la libibmtss.la
+
+pcrextend_SOURCES = pcrextend.c
+pcrextend_CFLAGS = $(UTILS_CFLAGS)
+pcrextend_LDADD = libibmtssutils.la libibmtss.la
+
+pcrread_SOURCES = pcrread.c
+pcrread_CFLAGS = $(UTILS_CFLAGS)
+pcrread_LDADD = libibmtssutils.la libibmtss.la
+
+pcrreset_SOURCES = pcrreset.c
+pcrreset_CFLAGS = $(UTILS_CFLAGS)
+pcrreset_LDADD = libibmtssutils.la libibmtss.la
+
+policyauthorize_SOURCES = policyauthorize.c
+policyauthorize_CFLAGS = $(UTILS_CFLAGS)
+policyauthorize_LDADD = libibmtssutils.la libibmtss.la
+
+policyauthvalue_SOURCES = policyauthvalue.c
+policyauthvalue_CFLAGS = $(UTILS_CFLAGS)
+policyauthvalue_LDADD = libibmtssutils.la libibmtss.la
+
+policycommandcode_SOURCES = policycommandcode.c
+policycommandcode_CFLAGS = $(UTILS_CFLAGS)
+policycommandcode_LDADD = libibmtssutils.la libibmtss.la
+
+policycphash_SOURCES = policycphash.c
+policycphash_CFLAGS = $(UTILS_CFLAGS)
+policycphash_LDADD = libibmtssutils.la libibmtss.la
+
+policynamehash_SOURCES = policynamehash.c
+policynamehash_CFLAGS = $(UTILS_CFLAGS)
+policynamehash_LDADD = libibmtssutils.la libibmtss.la
+
+policycountertimer_SOURCES = policycountertimer.c
+policycountertimer_CFLAGS = $(UTILS_CFLAGS)
+policycountertimer_LDADD = libibmtssutils.la libibmtss.la
+
+policyduplicationselect_SOURCES = policyduplicationselect.c
+policyduplicationselect_CFLAGS = $(UTILS_CFLAGS)
+policyduplicationselect_LDADD = libibmtssutils.la libibmtss.la
+
+policygetdigest_SOURCES = policygetdigest.c
+policygetdigest_CFLAGS = $(UTILS_CFLAGS)
+policygetdigest_LDADD = libibmtssutils.la libibmtss.la
+
+policymaker_SOURCES = policymaker.c
+policymaker_CFLAGS = $(UTILS_CFLAGS)
+policymaker_LDADD = libibmtssutils.la libibmtss.la $(LIBCRYPTO_LIBS)
+
+policymakerpcr_SOURCES = policymakerpcr.c
+policymakerpcr_CFLAGS = $(UTILS_CFLAGS)
+policymakerpcr_LDADD = libibmtssutils.la libibmtss.la $(LIBCRYPTO_LIBS)
+
+policyauthorizenv_SOURCES = policyauthorizenv.c
+policyauthorizenv_CFLAGS = $(UTILS_CFLAGS)
+policyauthorizenv_LDADD = libibmtssutils.la libibmtss.la
+
+policynv_SOURCES = policynv.c
+policynv_CFLAGS = $(UTILS_CFLAGS)
+policynv_LDADD = libibmtssutils.la libibmtss.la
+
+policynvwritten_SOURCES = policynvwritten.c
+policynvwritten_CFLAGS = $(UTILS_CFLAGS)
+policynvwritten_LDADD = libibmtssutils.la libibmtss.la
+
+policyor_SOURCES = policyor.c
+policyor_CFLAGS = $(UTILS_CFLAGS)
+policyor_LDADD = libibmtssutils.la libibmtss.la
+
+policypassword_SOURCES = policypassword.c
+policypassword_CFLAGS = $(UTILS_CFLAGS)
+policypassword_LDADD = libibmtssutils.la libibmtss.la
+
+policypcr_SOURCES = policypcr.c
+policypcr_CFLAGS = $(UTILS_CFLAGS)
+policypcr_LDADD = libibmtssutils.la libibmtss.la $(LIBCRYPTO_LIBS)
+
+policyrestart_SOURCES = policyrestart.c
+policyrestart_CFLAGS = $(UTILS_CFLAGS)
+policyrestart_LDADD = libibmtssutils.la libibmtss.la
+
+policysigned_SOURCES = policysigned.c
+policysigned_CFLAGS = $(UTILS_CFLAGS)
+policysigned_LDADD = libibmtssutils.la libibmtss.la $(LIBCRYPTO_LIBS)
+
+policysecret_SOURCES = policysecret.c
+policysecret_CFLAGS = $(UTILS_CFLAGS)
+policysecret_LDADD = libibmtssutils.la libibmtss.la
+
+policytemplate_SOURCES = policytemplate.c
+policytemplate_CFLAGS = $(UTILS_CFLAGS)
+policytemplate_LDADD = libibmtssutils.la libibmtss.la
+
+policyticket_SOURCES = policyticket.c
+policyticket_CFLAGS = $(UTILS_CFLAGS)
+policyticket_LDADD = libibmtssutils.la libibmtss.la
+
+quote_SOURCES = quote.c
+quote_CFLAGS = $(UTILS_CFLAGS)
+quote_LDADD = libibmtssutils.la libibmtss.la
+
+powerup_SOURCES = powerup.c
+powerup_CFLAGS = $(UTILS_CFLAGS)
+powerup_LDADD = libibmtssutils.la libibmtss.la
+
+readclock_SOURCES = readclock.c
+readclock_CFLAGS = $(UTILS_CFLAGS)
+readclock_LDADD = libibmtssutils.la libibmtss.la
+
+readpublic_SOURCES = readpublic.c
+readpublic_CFLAGS = $(UTILS_CFLAGS)
+readpublic_LDADD = libibmtssutils.la libibmtss.la
+
+returncode_SOURCES = returncode.c
+returncode_CFLAGS = $(UTILS_CFLAGS)
+returncode_LDADD = libibmtssutils.la libibmtss.la
+
+rewrap_SOURCES = rewrap.c
+rewrap_CFLAGS = $(UTILS_CFLAGS)
+rewrap_LDADD = libibmtssutils.la libibmtss.la
+
+rsadecrypt_SOURCES = rsadecrypt.c
+rsadecrypt_CFLAGS = $(UTILS_CFLAGS)
+rsadecrypt_LDADD = libibmtssutils.la libibmtss.la
+
+rsaencrypt_SOURCES = rsaencrypt.c
+rsaencrypt_CFLAGS = $(UTILS_CFLAGS)
+rsaencrypt_LDADD = libibmtssutils.la libibmtss.la
+
+sequenceupdate_SOURCES = sequenceupdate.c
+sequenceupdate_CFLAGS = $(UTILS_CFLAGS)
+sequenceupdate_LDADD = libibmtssutils.la libibmtss.la
+
+sequencecomplete_SOURCES = sequencecomplete.c
+sequencecomplete_CFLAGS = $(UTILS_CFLAGS)
+sequencecomplete_LDADD = libibmtssutils.la libibmtss.la
+
+setcommandcodeauditstatus_SOURCES = setcommandcodeauditstatus.c
+setcommandcodeauditstatus_CFLAGS = $(UTILS_CFLAGS)
+setcommandcodeauditstatus_LDADD = libibmtssutils.la libibmtss.la
+
+setprimarypolicy_SOURCES = setprimarypolicy.c
+setprimarypolicy_CFLAGS = $(UTILS_CFLAGS)
+setprimarypolicy_LDADD = libibmtssutils.la libibmtss.la
+
+shutdown_SOURCES = shutdown.c
+shutdown_CFLAGS = $(UTILS_CFLAGS)
+shutdown_LDADD = libibmtssutils.la libibmtss.la
+
+sign_SOURCES = sign.c
+sign_CFLAGS = $(UTILS_CFLAGS)
+sign_LDADD = libibmtssutils.la libibmtss.la $(LIBCRYPTO_LIBS)
+
+startauthsession_SOURCES = startauthsession.c
+startauthsession_CFLAGS = $(UTILS_CFLAGS)
+startauthsession_LDADD = libibmtssutils.la libibmtss.la
+
+startup_SOURCES = startup.c
+startup_CFLAGS = $(UTILS_CFLAGS)
+startup_LDADD = libibmtssutils.la libibmtss.la
+
+stirrandom_SOURCES = stirrandom.c
+stirrandom_CFLAGS = $(UTILS_CFLAGS)
+stirrandom_LDADD = libibmtssutils.la libibmtss.la
+
+unseal_SOURCES = unseal.c
+unseal_CFLAGS = $(UTILS_CFLAGS)
+unseal_LDADD = libibmtssutils.la libibmtss.la
+
+verifysignature_SOURCES = verifysignature.c
+verifysignature_CFLAGS = $(UTILS_CFLAGS)
+verifysignature_LDADD = libibmtssutils.la libibmtss.la
+
+zgen2phase_SOURCES = zgen2phase.c
+zgen2phase_CFLAGS = $(UTILS_CFLAGS)
+zgen2phase_LDADD = libibmtssutils.la libibmtss.la
+
+signapp_SOURCES = signapp.c
+signapp_CFLAGS = $(UTILS_CFLAGS)
+signapp_LDADD = libibmtssutils.la libibmtss.la $(LIBCRYPTO_LIBS)
+
+writeapp_SOURCES = writeapp.c
+writeapp_CFLAGS = $(UTILS_CFLAGS)
+writeapp_LDADD = libibmtssutils.la libibmtss.la
+
+timepacket_SOURCES = timepacket.c
+timepacket_CFLAGS = $(UTILS_CFLAGS)
+timepacket_LDADD = libibmtssutils.la libibmtss.la $(LIBCRYPTO_LIBS)
+
+createek_SOURCES = createek.c
+createek_CFLAGS = $(UTILS_CFLAGS)
+createek_LDADD = libibmtssutils.la libibmtss.la $(LIBCRYPTO_LIBS)
+
+createekcert_SOURCES = createekcert.c
+createekcert_CFLAGS = $(UTILS_CFLAGS)
+createekcert_LDADD = libibmtssutils.la libibmtss.la
+
+tpm2pem_SOURCES = tpm2pem.c
+tpm2pem_CFLAGS = $(UTILS_CFLAGS)
+tpm2pem_LDADD = libibmtssutils.la libibmtss.la
+
+tpmpublic2eccpoint_SOURCES = tpmpublic2eccpoint.c
+tpmpublic2eccpoint_CFLAGS = $(UTILS_CFLAGS)
+tpmpublic2eccpoint_LDADD = libibmtssutils.la libibmtss.la
+
+ntc2getconfig_SOURCES = ntc2getconfig.c
+ntc2getconfig_CFLAGS = $(UTILS_CFLAGS)
+ntc2getconfig_LDADD = libibmtssutils.la libibmtss.la
+
+ntc2preconfig_SOURCES = ntc2preconfig.c
+ntc2preconfig_CFLAGS = $(UTILS_CFLAGS)
+ntc2preconfig_LDADD = libibmtssutils.la libibmtss.la
+
+ntc2lockconfig_SOURCES = ntc2lockconfig.c
+ntc2lockconfig_CFLAGS = $(UTILS_CFLAGS)
+ntc2lockconfig_LDADD = $(OPENSSL_LIBS) libibmtssutils.la libibmtss.la
+
+publicname_SOURCES = publicname.c
+publicname_CFLAGS = $(OPENSSL_CFLAGS)
+publicname_LDADD = $(OPENSSL_LIBS) libibmtssutils.la libibmtss.la
+
+tpmcmd_SOURCES = tpmcmd.c
+tpmcmd_CFLAGS = $(OPENSSL_CFLAGS)
+tpmcmd_LDADD = $(OPENSSL_LIBS) libibmtssutils.la libibmtss.la
+
+printattr_SOURCES = printattr.c
+printattr_CFLAGS = $(OPENSSL_CFLAGS)
+printattr_LDADD = $(OPENSSL_LIBS) libibmtssutils.la libibmtss.la
+
+endif
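Review bot: The warning flags on `libibmtss_la_CCFLAGS = -Wall -Wmissing-declarations ...` never reach the compiler, because Automake's per-target variable is `_CFLAGS` (as every neighbouring line uses), not `_CCFLAGS`; the line only defines an unused make variable, so the library is built without the intended diagnostics. Folding them into the existing variable, `libibmtss_la_CFLAGS += -Wall -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wformat=2 -Wold-style-definition -Wno-self-assign -ggdb`, would apply them (note `-Wno-self-assign` appears to be a Clang-only option, so GCC builds may want it guarded). Separately, `#if CONFIG_TPM20` / `#endif` around `lib_LTLIBRARIES += libibmtssutils.la` are `#` comments in Automake, so libibmtssutils.la is added unconditionally, unlike the `if CONFIG_TPM20` guards used for the programs below; if the conditional is intended it should read `if CONFIG_TPM20` like the rest of the file. Since this is an imported subtree snapshot, both fixes may need to go upstream rather than be carried locally.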
diff --git a/libstb/tss2/ibmtpm20tss/utils/Platform.h b/libstb/tss2/ibmtpm20tss/utils/Platform.h
new file mode 100644
index 0000000..9c5a594
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/Platform.h
@@ -0,0 +1,361 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Platform.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 122 */
+
+// C.8 Platform.h
+
+#ifndef PLATFORM_H
+#define PLATFORM_H
+
+// C.8.1. Includes and Defines
+
+#include <ibmtss/BaseTypes.h>
+#include "stdint.h"
+#include "TpmError.h"
+#include <ibmtss/TpmBuildSwitches.h>
+
+// C.8.2. Power Functions
+// C.8.2.1. _plat__Signal_PowerOn
+// Signal power on This signal is simulate by a RPC call
+
+LIB_EXPORT int
+_plat__Signal_PowerOn(void);
+
+// C.8.2.2. _plat__Signal_Reset
+// Signal reset This signal is simulate by a RPC call
+
+LIB_EXPORT int
+_plat__Signal_Reset(void);
+
+// C.8.2.3. _plat__WasPowerLost()
+// Indicates if the power was lost before a _TPM__Init().
+
+LIB_EXPORT BOOL
+_plat__WasPowerLost(BOOL clear);
+
+// C.8.2.4. _plat__Signal_PowerOff()
+// Signal power off This signal is simulate by a RPC call
+
+LIB_EXPORT void
+_plat__Signal_PowerOff(void);
+
+// C.8.3. Physical Presence Functions
+// C.8.3.1. _plat__PhysicalPresenceAsserted()
+// Check if physical presence is signaled
+// Return Value Meaning
+// TRUE if physical presence is signaled
+// FALSE if physical presence is not signaled
+
+LIB_EXPORT BOOL
+_plat__PhysicalPresenceAsserted(void);
+
+// C.8.3.2. _plat__Signal_PhysicalPresenceOn
+// Signal physical presence on This signal is simulate by a RPC call
+
+LIB_EXPORT void
+_plat__Signal_PhysicalPresenceOn(void);
+
+// C.8.3.3. _plat__Signal_PhysicalPresenceOff()
+// Signal physical presence off This signal is simulate by a RPC call
+
+LIB_EXPORT void
+_plat__Signal_PhysicalPresenceOff(void);
+
+// C.8.4. Command Canceling Functions
+// C.8.4.1. _plat__IsCanceled()
+// Check if the cancel flag is set
+// Return Value Meaning
+// TRUE if cancel flag is set
+// FALSE if cancel flag is not set
+
+LIB_EXPORT BOOL
+_plat__IsCanceled(void);
+
+// C.8.4.2. _plat__SetCancel()
+// Set cancel flag.
+
+LIB_EXPORT void
+_plat__SetCancel(void);
+
+// C.8.4.3. _plat__ClearCancel()
+// Clear cancel flag
+
+LIB_EXPORT void
+_plat__ClearCancel( void);
+
+// C.8.5. NV memory functions
+// C.8.5.1. _plat__NvErrors()
+
+// This function is used by the simulator to set the error flags in the NV subsystem to simulate an
+// error in the NV loading process
+
+LIB_EXPORT void
+_plat__NvErrors(
+ BOOL recoverable,
+ BOOL unrecoverable
+ );
+
+// C.8.5.2. _plat__NVEnable()
+
+// Enable platform NV memory NV memory is automatically enabled at power on event. This function is
+// mostly for TPM_Manufacture() to access NV memory without a power on event
+
+// Return Value Meaning
+// 0 if success
+// non-0 if fail
+
+LIB_EXPORT int
+_plat__NVEnable(
+ void *platParameter // IN: platform specific parameters
+ );
+
+// C.8.5.3. _plat__NVDisable()
+
+// Disable platform NV memory NV memory is automatically disabled at power off event. This function
+// is mostly for TPM_Manufacture() to disable NV memory without a power off event
+
+LIB_EXPORT void
+_plat__NVDisable(void);
+
+// C.8.5.4. _plat__IsNvAvailable()
+// Check if NV is available
+// Return Value Meaning
+// 0 NV is available
+// 1 NV is not available due to write failure
+// 2 NV is not available due to rate limit
+
+LIB_EXPORT int
+_plat__IsNvAvailable(void);
+
+// C.8.5.5. _plat__NvCommit()
+// Update NV chip
+// Return Value Meaning
+// 0 NV write success
+// non-0 NV write fail
+
+LIB_EXPORT int
+_plat__NvCommit(void);
+
+// C.8.5.6. _plat__NvMemoryRead()
+// Read a chunk of NV memory
+
+LIB_EXPORT void
+_plat__NvMemoryRead(
+ unsigned int startOffset, // IN: read start
+ unsigned int size, // IN: size of bytes to read
+ void *data // OUT: data buffer
+ );
+
+// C.8.5.7. _plat__NvIsDifferent()
+
+// This function checks to see if the NV is different from the test value. This is so that NV will
+// not be written if it has not changed.
+
+// Return Value Meaning
+// TRUE the NV location is different from the test value
+// FALSE the NV location is the same as the test value
+
+LIB_EXPORT BOOL
+_plat__NvIsDifferent(
+ unsigned int startOffset, // IN: read start
+ unsigned int size, // IN: size of bytes to compare
+ void *data // IN: data buffer
+ );
+
+// C.8.5.8. _plat__NvMemoryWrite()
+
+// Write a chunk of NV memory
+
+LIB_EXPORT void
+_plat__NvMemoryWrite(
+ unsigned int startOffset, // IN: read start
+ unsigned int size, // IN: size of bytes to read
+ void *data // OUT: data buffer
+ );
+
+// C.8.5.9. _plat__NvMemoryClear()
+
+// Function is used to set a range of NV memory bytes to an implementation-dependent value. The
+// value represents the errase state of the memory.
+
+LIB_EXPORT void
+_plat__NvMemoryClear(
+ unsigned int start, // IN: clear start
+ unsigned int size // IN: number of bytes to be clear
+ );
+
+// C.8.5.10. _plat__NvMemoryMove()
+
+// Move a chunk of NV memory from source to destination This function should ensure that if there
+// overlap, the original data is copied before it is written
+
+LIB_EXPORT void
+_plat__NvMemoryMove(
+ unsigned int sourceOffset, // IN: source offset
+ unsigned int destOffset, // IN: destination offset
+ unsigned int size // IN: size of data being moved
+ );
+
+// C.8.5.11. _plat__SetNvAvail()
+
+// Set the current NV state to available. This function is for testing purposes only. It is not
+// part of the platform NV logic
+
+LIB_EXPORT void
+_plat__SetNvAvail(void);
+
+// C.8.5.12. _plat__ClearNvAvail()
+
+// Set the current NV state to unavailable. This function is for testing purposes only. It is not
+// part of the platform NV logic
+
+LIB_EXPORT void
+_plat__ClearNvAvail(void);
+
+// C.8.6. Locality Functions
+// C.8.6.1. _plat__LocalityGet()
+// Get the most recent command locality in locality value form
+
+LIB_EXPORT unsigned char
+_plat__LocalityGet(void);
+
+// C.8.6.2. _plat__LocalitySet()
+// Set the most recent command locality in locality value form
+
+LIB_EXPORT void
+_plat__LocalitySet(
+ unsigned char locality
+ );
+
+// C.8.7. Clock Constants and Functions
+// Assume that the nominal divisor is 30000
+
+#define CLOCK_NOMINAL 30000
+
+// A 1% change in rate is 300 counts
+
+#define CLOCK_ADJUST_COARSE 300
+
+// A .1 change in rate is 30 counts
+
+#define CLOCK_ADJUST_MEDIUM 30
+
+// A minimum change in rate is 1 count
+
+#define CLOCK_ADJUST_FINE 1
+
+// The clock tolerance is +/-15% (4500 counts) Allow some guard band (16.7%)
+
+#define CLOCK_ADJUST_LIMIT 5000
+
+// C.8.7.1. _plat__ClockReset()
+
+// This function sets the current clock time as initial time. This function is called at a power on
+// event to reset the clock
+
+LIB_EXPORT void
+_plat__ClockReset(void);
+
+// C.8.7.2. _plat__ClockTimeFromStart()
+
+// Function returns the compensated time from the start of the command when
+// _plat__ClockTimeFromStart() was called.
+
+LIB_EXPORT unsigned long long
+_plat__ClockTimeFromStart(void);
+
+// C.8.7.3. _plat__ClockTimeElapsed()
+
+// Get the time elapsed from current to the last time the _plat__ClockTimeElapsed() is called. For
+// the first _plat__ClockTimeElapsed() call after a power on event, this call report the elapsed
+// time from power on to the current call
+
+LIB_EXPORT unsigned long long
+_plat__ClockTimeElapsed(void);
+
+// C.8.7.4. _plat__ClockAdjustRate()
+// Adjust the clock rate
+
+LIB_EXPORT void
+_plat__ClockAdjustRate(
+ int adjust // IN: the adjust number. It could be
+ // positive or negative
+ );
+
+// C.8.8. Single Function Files
+// C.8.8.1. _plat__GetEntropy()
+
+// This function is used to get available hardware entropy. In a hardware implementation of this
+// function, there would be no call to the system to get entropy. If the caller does not ask for any
+// entropy, then this is a startup indication and firstValue should be reset.
+
+// Return Value Meaning
+// < 0 hardware failure of the entropy generator, this is sticky
+// >= 0 the returned amount of entropy (bytes)
+
+LIB_EXPORT int32_t
+_plat__GetEntropy(
+ unsigned char *entropy, // output buffer
+ uint32_t amount // amount requested
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/Unmarshal.c b/libstb/tss2/ibmtpm20tss/utils/Unmarshal.c
new file mode 100644
index 0000000..70dacda
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/Unmarshal.c
@@ -0,0 +1,4961 @@
+/********************************************************************************/
+/* */
+/* Parameter Unmarshaling */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <string.h>
+
+#include <ibmtss/Unmarshal_fp.h>
+
+/* The functions with the TSS_ prefix are preferred. They use an unsigned size. The functions
+ without the prefix are deprecated. */
+
+/* TPM_TSS_NOCMDCHECK defined strips the unmarshal functions used for command parameter checking
+ TPM_TSS_NODEPRECATED defines strips the deprecated functions that used a signed size
+*/
+
+/* The int and array functions are common to TPM 1.2 and TPM 2.0 */
+
+TPM_RC
+TSS_UINT8_Unmarshalu(UINT8 *target, BYTE **buffer, uint32_t *size)
+{
+ if (*size < sizeof(UINT8)) {
+ return TPM_RC_INSUFFICIENT;
+ }
+ *target = (*buffer)[0];
+ *buffer += sizeof(UINT8);
+ *size -= sizeof(UINT8);
+ return TPM_RC_SUCCESS;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+TPM_RC
+TSS_INT8_Unmarshalu(INT8 *target, BYTE **buffer, uint32_t *size)
+{
+ return TSS_UINT8_Unmarshalu((UINT8 *)target, buffer, size);
+}
+#endif /* TPM_TSS_NOCMDCHECK */
+
+TPM_RC
+TSS_UINT16_Unmarshalu(uint16_t *target, BYTE **buffer, uint32_t *size)
+{
+ if (*size < sizeof(uint16_t)) {
+ return TPM_RC_INSUFFICIENT;
+ }
+ *target = ((uint16_t)((*buffer)[0]) << 8) |
+ ((uint16_t)((*buffer)[1]) << 0);
+ *buffer += sizeof(uint16_t);
+ *size -= sizeof(uint16_t);
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TSS_UINT32_Unmarshalu(UINT32 *target, BYTE **buffer, uint32_t *size)
+{
+ if (*size < sizeof(uint32_t)) {
+ return TPM_RC_INSUFFICIENT;
+ }
+ *target = ((uint32_t)((*buffer)[0]) << 24) |
+ ((uint32_t)((*buffer)[1]) << 16) |
+ ((uint32_t)((*buffer)[2]) << 8) |
+ ((uint32_t)((*buffer)[3]) << 0);
+ *buffer += sizeof(uint32_t);
+ *size -= sizeof(uint32_t);
+ return TPM_RC_SUCCESS;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+TPM_RC
+TSS_INT32_Unmarshalu(INT32 *target, BYTE **buffer, uint32_t *size)
+{
+ return TSS_UINT32_Unmarshalu((UINT32 *)target, buffer, size);
+}
+#endif /* TPM_TSS_NOCMDCHECK */
+
+TPM_RC
+TSS_UINT64_Unmarshalu(UINT64 *target, BYTE **buffer, uint32_t *size)
+{
+ if (*size < sizeof(UINT64)) {
+ return TPM_RC_INSUFFICIENT;
+ }
+ *target = ((UINT64)((*buffer)[0]) << 56) |
+ ((UINT64)((*buffer)[1]) << 48) |
+ ((UINT64)((*buffer)[2]) << 40) |
+ ((UINT64)((*buffer)[3]) << 32) |
+ ((UINT64)((*buffer)[4]) << 24) |
+ ((UINT64)((*buffer)[5]) << 16) |
+ ((UINT64)((*buffer)[6]) << 8) |
+ ((UINT64)((*buffer)[7]) << 0);
+ *buffer += sizeof(UINT64);
+ *size -= sizeof(UINT64);
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TSS_Array_Unmarshalu(BYTE *targetBuffer, uint16_t targetSize, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (*size < targetSize) {
+ rc = TPM_RC_INSUFFICIENT;
+ }
+ else {
+ memcpy(targetBuffer, *buffer, targetSize);
+ *buffer += targetSize;
+ *size -= targetSize;
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NODEPRECATED
+#ifndef TPM_TSS_NOCMDCHECK
+TPM_RC UINT8_Unmarshal(UINT8 *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_UINT8_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC INT8_Unmarshal(INT8 *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_INT8_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC UINT16_Unmarshal(UINT16 *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_UINT16_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC UINT32_Unmarshal(UINT32 *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_UINT32_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC INT32_Unmarshal(INT32 *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_INT32_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC UINT64_Unmarshal(UINT64 *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_UINT64_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC Array_Unmarshal(BYTE *targetBuffer, UINT16 targetSize, BYTE **buffer, INT32 *size)
+{
+ return TSS_Array_Unmarshalu(targetBuffer, targetSize, buffer, (uint32_t *)size);
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+#endif /* TPM_TSS_NODEPRECATED */
+#ifdef TPM_TPM20
+
+TPM_RC
+TSS_TPM2B_Unmarshalu(TPM2B *target, uint16_t targetSize, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->size, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->size > targetSize) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_Array_Unmarshalu(target->buffer, target->size, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 5 - Definition of Types for Documentation Clarity */
+
+TPM_RC
+TSS_TPM_KEY_BITS_Unmarshalu(TPM_KEY_BITS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 7 - Definition of (UINT32) TPM_GENERATED Constants <O> */
+
+#ifndef TPM_TSS_NOCMDCHECK
+TPM_RC
+TSS_TPM_GENERATED_Unmarshalu(TPM_GENERATED *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (*target != TPM_GENERATED_VALUE) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 9 - Definition of (UINT16) TPM_ALG_ID Constants <IN/OUT, S> */
+
+TPM_RC
+TSS_TPM_ALG_ID_Unmarshalu(TPM_ALG_ID *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 10 - Definition of (UINT16) {ECC} TPM_ECC_CURVE Constants <IN/OUT, S> */
+
+#ifdef TPM_ALG_ECC
+TPM_RC
+TSS_TPM_ECC_CURVE_Unmarshalu(TPM_ECC_CURVE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+#endif /* TPM_ALG_ECC */
+
+/* Table 13 - Definition of (UINT32) TPM_CC Constants (Numeric Order) <IN/OUT, S> */
+
+TPM_RC
+TSS_TPM_CC_Unmarshalu(TPM_RC *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 17 - Definition of (UINT32) TPM_RC Constants (Actions) <OUT> */
+
+TPM_RC
+TSS_TPM_RC_Unmarshalu(TPM_RC *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 18 - Definition of (INT8) TPM_CLOCK_ADJUST Constants <IN> */
+
+TPM_RC
+TSS_TPM_CLOCK_ADJUST_Unmarshalu(TPM_CLOCK_ADJUST *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_INT8_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_CLOCK_COARSE_SLOWER:
+ case TPM_CLOCK_MEDIUM_SLOWER:
+ case TPM_CLOCK_FINE_SLOWER:
+ case TPM_CLOCK_NO_CHANGE:
+ case TPM_CLOCK_FINE_FASTER:
+ case TPM_CLOCK_MEDIUM_FASTER:
+ case TPM_CLOCK_COARSE_FASTER:
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 19 - Definition of (UINT16) TPM_EO Constants <IN/OUT> */
+
+TPM_RC
+TSS_TPM_EO_Unmarshalu(TPM_EO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_EO_EQ:
+ case TPM_EO_NEQ:
+ case TPM_EO_SIGNED_GT:
+ case TPM_EO_UNSIGNED_GT:
+ case TPM_EO_SIGNED_LT:
+ case TPM_EO_UNSIGNED_LT:
+ case TPM_EO_SIGNED_GE:
+ case TPM_EO_UNSIGNED_GE:
+ case TPM_EO_SIGNED_LE:
+ case TPM_EO_UNSIGNED_LE:
+ case TPM_EO_BITSET:
+ case TPM_EO_BITCLEAR:
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 20 - Definition of (UINT16) TPM_ST Constants <IN/OUT, S> */
+
+TPM_RC
+TSS_TPM_ST_Unmarshalu(TPM_ST *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+/* Table 21 - Definition of (UINT16) TPM_SU Constants <IN> */
+
+TPM_RC
+TSS_TPM_SU_Unmarshalu(TPM_SU *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_SU_CLEAR:
+ case TPM_SU_STATE:
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 22 - Definition of (UINT8) TPM_SE Constants <IN> */
+
+TPM_RC
+TSS_TPM_SE_Unmarshalu(TPM_SE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT8_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_SE_HMAC:
+ case TPM_SE_POLICY:
+ case TPM_SE_TRIAL:
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 23 - Definition of (UINT32) TPM_CAP Constants */
+
+TPM_RC
+TSS_TPM_CAP_Unmarshalu(TPM_CAP *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 24 - Definition of (UINT32) TPM_PT Constants <IN/OUT, S> */
+
+TPM_RC
+TSS_TPM_PT_Unmarshalu(TPM_HANDLE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 25 - Definition of (UINT32) TPM_PT_PCR Constants <IN/OUT, S> */
+
+TPM_RC
+TSS_TPM_PT_PCR_Unmarshalu(TPM_PT_PCR *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 27 - Definition of Types for Handles */
+
+TPM_RC
+TSS_TPM_HANDLE_Unmarshalu(TPM_HANDLE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 31 - Definition of (UINT32) TPMA_ALGORITHM Bits */
+
+TPM_RC
+TSS_TPMA_ALGORITHM_Unmarshalu(TPMA_ALGORITHM *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->val, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->val & TPMA_ALGORITHM_RESERVED) {
+ rc = TPM_RC_RESERVED_BITS;
+ }
+ }
+ return rc;
+}
+
+/* Table 32 - Definition of (UINT32) TPMA_OBJECT Bits */
+
+TPM_RC
+TSS_TPMA_OBJECT_Unmarshalu(TPMA_OBJECT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->val, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->val & TPMA_OBJECT_RESERVED) {
+ rc = TPM_RC_RESERVED_BITS;
+ }
+ }
+ return rc;
+}
+
+/* Table 33 - Definition of (UINT8) TPMA_SESSION Bits <IN/OUT> */
+
+TPM_RC
+TSS_TPMA_SESSION_Unmarshalu(TPMA_SESSION *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT8_Unmarshalu(&target->val, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->val & TPMA_SESSION_RESERVED) {
+ rc = TPM_RC_RESERVED_BITS;
+ }
+ }
+ return rc;
+}
+
+/* Table 34 - Definition of (UINT8) TPMA_LOCALITY Bits <IN/OUT> */
+
+TPM_RC
+TSS_TPMA_LOCALITY_Unmarshalu(TPMA_LOCALITY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT8_Unmarshalu(&target->val, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 38 - Definition of (TPM_CC) TPMA_CC Bits <OUT> */
+
+TPM_RC
+TSS_TPMA_CC_Unmarshalu(TPMA_CC *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->val, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->val & TPMA_CC_RESERVED) {
+ rc = TPM_RC_RESERVED_BITS;
+ }
+ }
+ return rc;
+}
+
+/* Table 39 - Definition of (BYTE) TPMI_YES_NO Type */
+
+TPM_RC
+TSS_TPMI_YES_NO_Unmarshalu(TPMI_YES_NO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT8_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 40 - Definition of (TPM_HANDLE) TPMI_DH_OBJECT Type */
+
+TPM_RC
+TSS_TPMI_DH_OBJECT_Unmarshalu(TPMI_DH_OBJECT *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ BOOL isNotTransient = (*target < TRANSIENT_FIRST) || (*target > TRANSIENT_LAST);
+ BOOL isNotPersistent = (*target < PERSISTENT_FIRST) || (*target > PERSISTENT_LAST);
+ BOOL isNotLegalNull = (*target != TPM_RH_NULL) || !allowNull;
+ if (isNotTransient &&
+ isNotPersistent &&
+ isNotLegalNull) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+/* Table 41 - Definition of (TPM_HANDLE) TPMI_DH_PERSISTENT Type */
+
+#ifndef TPM_TSS_NOCMDCHECK
+TPM_RC
+TSS_TPMI_DH_PERSISTENT_Unmarshalu(TPMI_DH_PERSISTENT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ BOOL isNotPersistent = (*target < PERSISTENT_FIRST) || (*target > PERSISTENT_LAST);
+ if (isNotPersistent) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 42 - Definition of (TPM_HANDLE) TPMI_DH_ENTITY Type <IN> */
+
+TPM_RC
+TSS_TPMI_DH_ENTITY_Unmarshalu(TPMI_DH_ENTITY *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ BOOL isNotOwner = *target != TPM_RH_OWNER;
+ BOOL isNotEndorsement = *target != TPM_RH_ENDORSEMENT;
+ BOOL isNotPlatform = *target != TPM_RH_PLATFORM;
+ BOOL isNotLockout = *target != TPM_RH_LOCKOUT;
+ BOOL isNotTransient = (*target < TRANSIENT_FIRST) || (*target > TRANSIENT_LAST);
+ BOOL isNotPersistent = (*target < PERSISTENT_FIRST) || (*target > PERSISTENT_LAST);
+ BOOL isNotNv = (*target < NV_INDEX_FIRST) || (*target > NV_INDEX_LAST);
+ BOOL isNotPcr = (*target > PCR_LAST);
+ BOOL isNotAuth = (*target < TPM_RH_AUTH_00) || (*target > TPM_RH_AUTH_FF);
+ BOOL isNotLegalNull = (*target != TPM_RH_NULL) || !allowNull;
+ if (isNotOwner &&
+ isNotEndorsement &&
+ isNotPlatform &&
+ isNotLockout &&
+ isNotTransient &&
+ isNotPersistent &&
+ isNotNv &&
+ isNotPcr &&
+ isNotAuth &&
+ isNotLegalNull) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 43 - Definition of (TPM_HANDLE) TPMI_DH_PCR Type <IN> */
+
+#ifndef TPM_TSS_NOCMDCHECK
+TPM_RC
+TSS_TPMI_DH_PCR_Unmarshalu(TPMI_DH_PCR *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ BOOL isNotPcr = (*target > PCR_LAST);
+ BOOL isNotLegalNull = (*target != TPM_RH_NULL) || !allowNull;
+ if (isNotPcr &&
+ isNotLegalNull) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 44 - Definition of (TPM_HANDLE) TPMI_SH_AUTH_SESSION Type <IN/OUT> */
+
+TPM_RC
+TSS_TPMI_SH_AUTH_SESSION_Unmarshalu(TPMI_SH_AUTH_SESSION *target, BYTE **buffer, uint32_t *size, BOOL allowPwd)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ BOOL isNotHmacSession = (*target < HMAC_SESSION_FIRST ) || (*target > HMAC_SESSION_LAST);
+ BOOL isNotPolicySession = (*target < POLICY_SESSION_FIRST) || (*target > POLICY_SESSION_LAST);
+ BOOL isNotLegalPwd = (*target != TPM_RS_PW) || !allowPwd;
+ if (isNotHmacSession &&
+ isNotPolicySession &&
+ isNotLegalPwd) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 45 - Definition of (TPM_HANDLE) TPMI_SH_HMAC Type <IN/OUT> */
+
+#ifndef TPM_TSS_NOCMDCHECK
+TPM_RC
+TSS_TPMI_SH_HMAC_Unmarshalu(TPMI_SH_HMAC *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ BOOL isNotHmacSession = (*target < HMAC_SESSION_FIRST ) || (*target > HMAC_SESSION_LAST);
+ if (isNotHmacSession) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 46 - Definition of (TPM_HANDLE) TPMI_SH_POLICY Type <IN/OUT> */
+
+TPM_RC
+TSS_TPMI_SH_POLICY_Unmarshalu(TPMI_SH_POLICY *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ BOOL isNotPolicySession = (*target < POLICY_SESSION_FIRST) || (*target > POLICY_SESSION_LAST);
+ if (isNotPolicySession) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 47 - Definition of (TPM_HANDLE) TPMI_DH_CONTEXT Type */
+
+TPM_RC
+TSS_TPMI_DH_CONTEXT_Unmarshalu(TPMI_DH_CONTEXT *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ BOOL isNotHmacSession = (*target < HMAC_SESSION_FIRST ) || (*target > HMAC_SESSION_LAST);
+ BOOL isNotPolicySession = (*target < POLICY_SESSION_FIRST) || (*target > POLICY_SESSION_LAST);
+ BOOL isNotTransient = (*target < TRANSIENT_FIRST) || (*target > TRANSIENT_LAST);
+ if (isNotHmacSession &&
+ isNotPolicySession &&
+ isNotTransient) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 49 - Definition of (TPM_HANDLE) TPMI_DH_SAVED Type */
+
+TPM_RC
+TSS_TPMI_DH_SAVED_Unmarshalu(TPMI_DH_SAVED *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ BOOL isNotHmacSession = (*target < HMAC_SESSION_FIRST ) || (*target > HMAC_SESSION_LAST);
+ BOOL isNotPolicySession = (*target < POLICY_SESSION_FIRST) || (*target > POLICY_SESSION_LAST);
+ BOOL isNotTransient = (*target != 0x80000000);
+ BOOL isNotSequence = (*target != 0x80000001);
+ BOOL isNotTransientStClear = (*target != 0x80000002);
+
+ if (isNotHmacSession &&
+ isNotPolicySession &&
+ isNotTransient &&
+ isNotSequence &&
+ isNotTransientStClear) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 48 - Definition of (TPM_HANDLE) TPMI_RH_HIERARCHY Type */
+
+TPM_RC
+TSS_TPMI_RH_HIERARCHY_Unmarshalu(TPMI_RH_HIERARCHY *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_RH_OWNER:
+ case TPM_RH_PLATFORM:
+ case TPM_RH_ENDORSEMENT:
+ break;
+ case TPM_RH_NULL:
+ if (!allowNull) {
+ rc = TPM_RC_VALUE;
+ }
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+/* Table 49 - Definition of (TPM_HANDLE) TPMI_RH_ENABLES Type */
+
+#ifndef TPM_TSS_NOCMDCHECK
+TPM_RC
+TSS_TPMI_RH_ENABLES_Unmarshalu(TPMI_RH_ENABLES *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_RH_OWNER:
+ case TPM_RH_PLATFORM:
+ case TPM_RH_ENDORSEMENT:
+ case TPM_RH_PLATFORM_NV:
+ break;
+ case TPM_RH_NULL:
+ if (!allowNull) {
+ rc = TPM_RC_VALUE;
+ }
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 50 - Definition of (TPM_HANDLE) TPMI_RH_HIERARCHY_AUTH Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_HIERARCHY_AUTH_Unmarshalu(TPMI_RH_HIERARCHY_AUTH *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_RH_OWNER:
+ case TPM_RH_PLATFORM:
+ case TPM_RH_ENDORSEMENT:
+ case TPM_RH_LOCKOUT:
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 51 - Definition of (TPM_HANDLE) TPMI_RH_PLATFORM Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_PLATFORM_Unmarshalu(TPMI_RH_PLATFORM *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_RH_PLATFORM:
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 53 - Definition of (TPM_HANDLE) TPMI_RH_ENDORSEMENT Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_ENDORSEMENT_Unmarshalu(TPMI_RH_ENDORSEMENT *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_RH_ENDORSEMENT:
+ break;
+ case TPM_RH_NULL:
+ if (!allowNull) {
+ rc = TPM_RC_VALUE;
+ }
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 54 - Definition of (TPM_HANDLE) TPMI_RH_PROVISION Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_PROVISION_Unmarshalu(TPMI_RH_PROVISION *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_RH_OWNER:
+ case TPM_RH_PLATFORM:
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 55 - Definition of (TPM_HANDLE) TPMI_RH_CLEAR Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_CLEAR_Unmarshalu(TPMI_RH_CLEAR *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_RH_LOCKOUT:
+ case TPM_RH_PLATFORM:
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 56 - Definition of (TPM_HANDLE) TPMI_RH_NV_AUTH Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_NV_AUTH_Unmarshalu(TPMI_RH_NV_AUTH *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_RH_OWNER:
+ case TPM_RH_PLATFORM:
+ break;
+ default:
+ {
+ BOOL isNotNv = (*target < NV_INDEX_FIRST) || (*target > NV_INDEX_LAST);
+ if (isNotNv) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ }
+ }
+ return rc;
+}
+
+/* Table 57 - Definition of (TPM_HANDLE) TPMI_RH_LOCKOUT Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_LOCKOUT_Unmarshalu(TPMI_RH_LOCKOUT *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_RH_LOCKOUT:
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 58 - Definition of (TPM_HANDLE) TPMI_RH_NV_INDEX Type <IN/OUT> */
+
+TPM_RC
+TSS_TPMI_RH_NV_INDEX_Unmarshalu(TPMI_RH_NV_INDEX *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ BOOL isNotNv = (*target < NV_INDEX_FIRST) || (*target > NV_INDEX_LAST);
+ if (isNotNv) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type */
+
+TPM_RC
+TSS_TPMI_ALG_HASH_Unmarshalu(TPMI_ALG_HASH *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 61 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM Type */
+
+TPM_RC
+TSS_TPMI_ALG_SYM_Unmarshalu(TPMI_ALG_SYM *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 62 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM_OBJECT Type */
+
+TPM_RC
+TSS_TPMI_ALG_SYM_OBJECT_Unmarshalu(TPMI_ALG_SYM_OBJECT *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 63 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM_MODE Type */
+
+TPM_RC
+TSS_TPMI_ALG_SYM_MODE_Unmarshalu(TPMI_ALG_SYM_MODE *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 64 - Definition of (TPM_ALG_ID) TPMI_ALG_KDF Type */
+
+TPM_RC
+TSS_TPMI_ALG_KDF_Unmarshalu(TPMI_ALG_KDF *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 65 - Definition of (TPM_ALG_ID) TPMI_ALG_SIG_SCHEME Type */
+
+TPM_RC
+TSS_TPMI_ALG_SIG_SCHEME_Unmarshalu(TPMI_ALG_SIG_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 66 - Definition of (TPM_ALG_ID) TPMI_ECC_KEY_EXCHANGE Type */
+
+TPM_RC
+TSS_TPMI_ECC_KEY_EXCHANGE_Unmarshalu(TPMI_ECC_KEY_EXCHANGE *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 67 - Definition of (TPM_ST) TPMI_ST_COMMAND_TAG Type */
+
+TPM_RC
+TSS_TPMI_ST_COMMAND_TAG_Unmarshalu(TPMI_ST_COMMAND_TAG *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ST_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_ST_NO_SESSIONS:
+ case TPM_ST_SESSIONS:
+ break;
+ default:
+ rc = TPM_RC_BAD_TAG;
+ }
+ }
+ return rc;
+}
+
+/* Table 70 TPMI_ALG_MAC_SCHEME */
+
+TPM_RC
+TSS_TPMI_ALG_MAC_SCHEME_Unmarshalu(TPMI_ALG_MAC_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 70 TPMI_ALG_CIPHER_MODE */
+
+TPM_RC
+TSS_TPMI_ALG_CIPHER_MODE_Unmarshalu(TPMI_ALG_CIPHER_MODE*target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 68 - Definition of TPMS_EMPTY Structure <IN/OUT> */
+
+/* NOTE: Marked as const function in header */
+
+TPM_RC
+TSS_TPMS_EMPTY_Unmarshalu(TPMS_EMPTY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ target = target;
+ buffer = buffer;
+ size = size;
+ return rc;
+}
+
+/* Table 70 - Definition of TPMU_HA Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_HA_Unmarshalu(TPMU_HA *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+#ifdef TPM_ALG_SHA1
+ case TPM_ALG_SHA1:
+ rc = TSS_Array_Unmarshalu(target->sha1, SHA1_DIGEST_SIZE, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_SHA256
+ case TPM_ALG_SHA256:
+ rc = TSS_Array_Unmarshalu(target->sha256, SHA256_DIGEST_SIZE, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_SHA384
+ case TPM_ALG_SHA384:
+ rc =TSS_Array_Unmarshalu(target->sha384, SHA384_DIGEST_SIZE, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_SHA512
+ case TPM_ALG_SHA512:
+ rc = TSS_Array_Unmarshalu(target->sha512, SHA512_DIGEST_SIZE, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_SM3_256
+ case TPM_ALG_SM3_256:
+ rc = TSS_Array_Unmarshalu(target->sm3_256, SM3_256_DIGEST_SIZE, buffer, size);
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 71 - Definition of TPMT_HA Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPMT_HA_Unmarshalu(TPMT_HA *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hashAlg, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_HA_Unmarshalu(&target->digest, buffer, size, target->hashAlg);
+ }
+ return rc;
+}
+
+/* Table 72 - Definition of TPM2B_DIGEST Structure */
+
+TPM_RC
+TSS_TPM2B_DIGEST_Unmarshalu(TPM2B_DIGEST *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 73 - Definition of TPM2B_DATA Structure */
+
+TPM_RC
+TSS_TPM2B_DATA_Unmarshalu(TPM2B_DATA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 74 - Definition of Types for TPM2B_NONCE */
+
+TPM_RC
+TSS_TPM2B_NONCE_Unmarshalu(TPM2B_NONCE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 75 - Definition of Types for TPM2B_AUTH */
+
+TPM_RC
+TSS_TPM2B_AUTH_Unmarshalu(TPM2B_AUTH *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 76 - Definition of Types for TPM2B_OPERAND */
+
+TPM_RC
+TSS_TPM2B_OPERAND_Unmarshalu(TPM2B_OPERAND *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 77 - Definition of TPM2B_EVENT Structure */
+
+TPM_RC
+TSS_TPM2B_EVENT_Unmarshalu(TPM2B_EVENT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 78 - Definition of TPM2B_MAX_BUFFER Structure */
+
+TPM_RC
+TSS_TPM2B_MAX_BUFFER_Unmarshalu(TPM2B_MAX_BUFFER *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 79 - Definition of TPM2B_MAX_NV_BUFFER Structure */
+
+TPM_RC
+TSS_TPM2B_MAX_NV_BUFFER_Unmarshalu(TPM2B_MAX_NV_BUFFER *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 80 - Definition of TPM2B_TIMEOUT Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_TIMEOUT_Unmarshalu(TPM2B_TIMEOUT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 81 - Definition of TPM2B_IV Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_IV_Unmarshalu(TPM2B_IV *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 83 - Definition of TPM2B_NAME Structure */
+
+TPM_RC
+TSS_TPM2B_NAME_Unmarshalu(TPM2B_NAME *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.name), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 85 - Definition of TPMS_PCR_SELECTION Structure */
+
+TPM_RC
+TSS_TPMS_PCR_SELECTION_Unmarshalu(TPMS_PCR_SELECTION *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hash, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT8_Unmarshalu(&target->sizeofSelect, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->sizeofSelect > PCR_SELECT_MAX) {
+ rc = TPM_RC_VALUE;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_Array_Unmarshalu(target->pcrSelect, target->sizeofSelect, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 88 - Definition of TPMT_TK_CREATION Structure */
+
+TPM_RC
+TSS_TPMT_TK_CREATION_Unmarshalu(TPMT_TK_CREATION *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ST_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->tag != TPM_ST_CREATION) {
+ rc = TPM_RC_TAG;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_RH_HIERARCHY_Unmarshalu(&target->hierarchy, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->digest, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 89 - Definition of TPMT_TK_VERIFIED Structure */
+
+TPM_RC
+TSS_TPMT_TK_VERIFIED_Unmarshalu(TPMT_TK_VERIFIED *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ST_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->tag != TPM_ST_VERIFIED) {
+ rc = TPM_RC_TAG;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_RH_HIERARCHY_Unmarshalu(&target->hierarchy, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->digest, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 90 - Definition of TPMT_TK_AUTH Structure */
+
+TPM_RC
+TSS_TPMT_TK_AUTH_Unmarshalu(TPMT_TK_AUTH *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ST_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if ((target->tag != TPM_ST_AUTH_SIGNED) &&
+ (target->tag != TPM_ST_AUTH_SECRET)) {
+ rc = TPM_RC_TAG;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_RH_HIERARCHY_Unmarshalu(&target->hierarchy, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->digest, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 91 - Definition of TPMT_TK_HASHCHECK Structure */
+
+TPM_RC
+TSS_TPMT_TK_HASHCHECK_Unmarshalu(TPMT_TK_HASHCHECK *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ST_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->tag != TPM_ST_HASHCHECK) {
+ rc = TPM_RC_TAG;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_RH_HIERARCHY_Unmarshalu(&target->hierarchy, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->digest, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 92 - Definition of TPMS_ALG_PROPERTY Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_ALG_PROPERTY_Unmarshalu(TPMS_ALG_PROPERTY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(&target->alg, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMA_ALGORITHM_Unmarshalu(&target->algProperties, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 93 - Definition of TPMS_TAGGED_PROPERTY Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_TAGGED_PROPERTY_Unmarshalu(TPMS_TAGGED_PROPERTY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_PT_Unmarshalu(&target->property, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->value, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 94 - Definition of TPMS_TAGGED_PCR_SELECT Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_TAGGED_PCR_SELECT_Unmarshalu(TPMS_TAGGED_PCR_SELECT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_PT_PCR_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT8_Unmarshalu(&target->sizeofSelect, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_Array_Unmarshalu(target->pcrSelect, target->sizeofSelect, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 100 - Definition of TPMS_TAGGED_POLICY Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_TAGGED_POLICY_Unmarshalu(TPMS_TAGGED_POLICY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(&target->handle, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_HA_Unmarshalu(&target->policyHash, buffer, size, YES);
+ }
+ return rc;
+}
+
+/* Table 95 - Definition of TPML_CC Structure */
+
+TPM_RC
+TSS_TPML_CC_Unmarshalu(TPML_CC *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > MAX_CAP_CC) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPM_CC_Unmarshalu(&target->commandCodes[i], buffer, size);
+ }
+ return rc;
+}
+
+/* Table 96 - Definition of TPML_CCA Structure <OUT> */
+
+TPM_RC
+TSS_TPML_CCA_Unmarshalu(TPML_CCA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > MAX_CAP_CC) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPMA_CC_Unmarshalu(&target->commandAttributes[i], buffer, size);
+ }
+ return rc;
+}
+
+/* Table 97 - Definition of TPML_ALG Structure */
+
+TPM_RC
+TSS_TPML_ALG_Unmarshalu(TPML_ALG *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > MAX_ALG_LIST_SIZE) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(&target->algorithms[i], buffer, size);
+ }
+ return rc;
+}
+
+/* Table 98 - Definition of TPML_HANDLE Structure <OUT> */
+
+TPM_RC
+TSS_TPML_HANDLE_Unmarshalu(TPML_HANDLE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > MAX_CAP_HANDLES) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(&target->handle[i], buffer, size);
+ }
+ return rc;
+}
+
+/* Table 99 - Definition of TPML_DIGEST Structure */
+
+/* PolicyOr has a restriction of at least a count of two. This function is also used to unmarshal
+ PCR_Read, where a count of one is permitted.
+*/
+
+TPM_RC
+TSS_TPML_DIGEST_Unmarshalu(TPML_DIGEST *target, BYTE **buffer, uint32_t *size, uint32_t minCount)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count < minCount) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > 8) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->digests[i], buffer, size);
+ }
+ return rc;
+}
+
+/* Table 100 - Definition of TPML_DIGEST_VALUES Structure */
+
+TPM_RC
+TSS_TPML_DIGEST_VALUES_Unmarshalu(TPML_DIGEST_VALUES *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > HASH_COUNT) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPMT_HA_Unmarshalu(&target->digests[i], buffer, size, NO);
+ }
+ return rc;
+}
+
+/* Table 102 - Definition of TPML_PCR_SELECTION Structure */
+
+TPM_RC
+TSS_TPML_PCR_SELECTION_Unmarshalu(TPML_PCR_SELECTION *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > HASH_COUNT) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPMS_PCR_SELECTION_Unmarshalu(&target->pcrSelections[i], buffer, size);
+ }
+ return rc;
+}
+
+/* Table 103 - Definition of TPML_ALG_PROPERTY Structure <OUT> */
+
+TPM_RC
+TSS_TPML_ALG_PROPERTY_Unmarshalu(TPML_ALG_PROPERTY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > MAX_CAP_ALGS) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPMS_ALG_PROPERTY_Unmarshalu(&target->algProperties[i], buffer, size);
+ }
+ return rc;
+}
+
+/* Table 104 - Definition of TPML_TAGGED_TPM_PROPERTY Structure <OUT> */
+
+TPM_RC
+TSS_TPML_TAGGED_TPM_PROPERTY_Unmarshalu(TPML_TAGGED_TPM_PROPERTY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > MAX_TPM_PROPERTIES) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPMS_TAGGED_PROPERTY_Unmarshalu(&target->tpmProperty[i], buffer, size);
+ }
+ return rc;
+}
+
+/* Table 105 - Definition of TPML_TAGGED_PCR_PROPERTY Structure <OUT> */
+
+TPM_RC
+TSS_TPML_TAGGED_PCR_PROPERTY_Unmarshalu(TPML_TAGGED_PCR_PROPERTY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > MAX_PCR_PROPERTIES) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPMS_TAGGED_PCR_SELECT_Unmarshalu(&target->pcrProperty[i], buffer, size);
+ }
+ return rc;
+}
+
+/* Table 106 - Definition of {ECC} TPML_ECC_CURVE Structure <OUT> */
+
+TPM_RC
+TSS_TPML_ECC_CURVE_Unmarshalu(TPML_ECC_CURVE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > MAX_ECC_CURVES) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPM_ECC_CURVE_Unmarshalu(&target->eccCurves[i], buffer, size);
+ }
+ return rc;
+}
+
+/* Table 112 - Definition of TPML_TAGGED_POLICY Structure <OUT> */
+
+TPM_RC
+TSS_TPML_TAGGED_POLICY_Unmarshalu(TPML_TAGGED_POLICY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > MAX_TAGGED_POLICIES) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPMS_TAGGED_POLICY_Unmarshalu(&target->policies[i], buffer, size);
+ }
+ return rc;
+}
+
+/* Table 107 - Definition of TPMU_CAPABILITIES Union <OUT> */
+
+TPM_RC
+TSS_TPMU_CAPABILITIES_Unmarshalu(TPMU_CAPABILITIES *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+ case TPM_CAP_ALGS:
+ rc = TSS_TPML_ALG_PROPERTY_Unmarshalu(&target->algorithms, buffer, size);
+ break;
+ case TPM_CAP_HANDLES:
+ rc = TSS_TPML_HANDLE_Unmarshalu(&target->handles, buffer, size);
+ break;
+ case TPM_CAP_COMMANDS:
+ rc = TSS_TPML_CCA_Unmarshalu(&target->command, buffer, size);
+ break;
+ case TPM_CAP_PP_COMMANDS:
+ rc = TSS_TPML_CC_Unmarshalu(&target->ppCommands, buffer, size);
+ break;
+ case TPM_CAP_AUDIT_COMMANDS:
+ rc = TSS_TPML_CC_Unmarshalu(&target->auditCommands, buffer, size);
+ break;
+ case TPM_CAP_PCRS:
+ rc = TSS_TPML_PCR_SELECTION_Unmarshalu(&target->assignedPCR, buffer, size);
+ break;
+ case TPM_CAP_TPM_PROPERTIES:
+ rc = TSS_TPML_TAGGED_TPM_PROPERTY_Unmarshalu(&target->tpmProperties, buffer, size);
+ break;
+ case TPM_CAP_PCR_PROPERTIES:
+ rc = TSS_TPML_TAGGED_PCR_PROPERTY_Unmarshalu(&target->pcrProperties, buffer, size);
+ break;
+ case TPM_CAP_ECC_CURVES:
+ rc = TSS_TPML_ECC_CURVE_Unmarshalu(&target->eccCurves, buffer, size);
+ break;
+ case TPM_CAP_AUTH_POLICIES:
+ rc = TSS_TPML_TAGGED_POLICY_Unmarshalu(&target->authPolicies, buffer, size);
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 108 - Definition of TPMS_CAPABILITY_DATA Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_CAPABILITY_DATA_Unmarshalu(TPMS_CAPABILITY_DATA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_CAP_Unmarshalu(&target->capability, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_CAPABILITIES_Unmarshalu(&target->data, buffer, size, target->capability);
+ }
+ return rc;
+}
+
+/* Table 109 - Definition of TPMS_CLOCK_INFO Structure */
+
+TPM_RC
+TSS_TPMS_CLOCK_INFO_Unmarshalu(TPMS_CLOCK_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT64_Unmarshalu(&target->clock, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->resetCount, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->restartCount, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_YES_NO_Unmarshalu(&target->safe, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 110 - Definition of TPMS_TIME_INFO Structure */
+
+TPM_RC
+TSS_TPMS_TIME_INFO_Unmarshalu(TPMS_TIME_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT64_Unmarshalu(&target->time, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_CLOCK_INFO_Unmarshalu(&target->clockInfo, buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 111 - Definition of TPMS_TIME_ATTEST_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_TIME_ATTEST_INFO_Unmarshalu(TPMS_TIME_ATTEST_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_TIME_INFO_Unmarshalu(&target->time, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT64_Unmarshalu(&target->firmwareVersion, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 112 - Definition of TPMS_CERTIFY_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_CERTIFY_INFO_Unmarshalu(TPMS_CERTIFY_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->name, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->qualifiedName, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 113 - Definition of TPMS_QUOTE_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_QUOTE_INFO_Unmarshalu(TPMS_QUOTE_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_PCR_SELECTION_Unmarshalu(&target->pcrSelect, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->pcrDigest, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 114 - Definition of TPMS_COMMAND_AUDIT_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_COMMAND_AUDIT_INFO_Unmarshalu(TPMS_COMMAND_AUDIT_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT64_Unmarshalu(&target->auditCounter, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(&target->digestAlg, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->auditDigest, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->commandDigest, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 115 - Definition of TPMS_SESSION_AUDIT_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_SESSION_AUDIT_INFO_Unmarshalu(TPMS_SESSION_AUDIT_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_YES_NO_Unmarshalu(&target->exclusiveSession, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->sessionDigest, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 116 - Definition of TPMS_CREATION_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_CREATION_INFO_Unmarshalu(TPMS_CREATION_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->objectName, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->creationHash, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 117 - Definition of TPMS_NV_CERTIFY_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_NV_CERTIFY_INFO_Unmarshalu(TPMS_NV_CERTIFY_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->indexName, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->offset, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_NV_BUFFER_Unmarshalu(&target->nvContents, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 125 - Definition of TPMS_NV_DIGEST_CERTIFY_INFO Structure <OUT> */
+TPM_RC
+TSS_TPMS_NV_DIGEST_CERTIFY_INFO_Unmarshalu(TPMS_NV_DIGEST_CERTIFY_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->indexName, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->nvDigest, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 118 - Definition of (TPM_ST) TPMI_ST_ATTEST Type <OUT> */
+
+TPM_RC
+TSS_TPMI_ST_ATTEST_Unmarshalu(TPMI_ST_ATTEST *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ST_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 119 - Definition of TPMU_ATTEST Union <OUT> */
+
+TPM_RC
+TSS_TPMU_ATTEST_Unmarshalu(TPMU_ATTEST *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+ case TPM_ST_ATTEST_CERTIFY:
+ rc = TSS_TPMS_CERTIFY_INFO_Unmarshalu(&target->certify, buffer, size);
+ break;
+ case TPM_ST_ATTEST_CREATION:
+ rc = TSS_TPMS_CREATION_INFO_Unmarshalu(&target->creation, buffer, size);
+ break;
+ case TPM_ST_ATTEST_QUOTE:
+ rc = TSS_TPMS_QUOTE_INFO_Unmarshalu(&target->quote, buffer, size);
+ break;
+ case TPM_ST_ATTEST_COMMAND_AUDIT:
+ rc = TSS_TPMS_COMMAND_AUDIT_INFO_Unmarshalu(&target->commandAudit, buffer, size);
+ break;
+ case TPM_ST_ATTEST_SESSION_AUDIT:
+ rc = TSS_TPMS_SESSION_AUDIT_INFO_Unmarshalu(&target->sessionAudit, buffer, size);
+ break;
+ case TPM_ST_ATTEST_TIME:
+ rc = TSS_TPMS_TIME_ATTEST_INFO_Unmarshalu(&target->time, buffer, size);
+ break;
+ case TPM_ST_ATTEST_NV:
+ rc = TSS_TPMS_NV_CERTIFY_INFO_Unmarshalu(&target->nv, buffer, size);
+ break;
+ case TPM_ST_ATTEST_NV_DIGEST:
+ rc = TSS_TPMS_NV_DIGEST_CERTIFY_INFO_Unmarshalu(&target->nvDigest, buffer, size);
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+
+ }
+ return rc;
+}
+
+/* Table 120 - Definition of TPMS_ATTEST Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_ATTEST_Unmarshalu(TPMS_ATTEST *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_GENERATED_Unmarshalu(&target->magic, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ST_ATTEST_Unmarshalu(&target->type, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->qualifiedSigner, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->extraData, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_CLOCK_INFO_Unmarshalu(&target->clockInfo, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT64_Unmarshalu(&target->firmwareVersion, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_ATTEST_Unmarshalu(&target->attested, buffer, size, target->type);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 121 - Definition of TPM2B_ATTEST Structure <OUT> */
+
+TPM_RC
+TSS_TPM2B_ATTEST_Unmarshalu(TPM2B_ATTEST *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.attestationData), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 123 - Definition of TPMS_AUTH_RESPONSE Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_AUTH_RESPONSE_Unmarshalu(TPMS_AUTH_RESPONSE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NONCE_Unmarshalu(&target->nonce, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMA_SESSION_Unmarshalu(&target->sessionAttributes, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_AUTH_Unmarshalu(&target->hmac, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 124 - Definition of {!ALG.S} (TPM_KEY_BITS) TPMI_!ALG.S_KEY_BITS Type */
+
+#ifdef TPM_ALG_AES
+
+TPM_RC
+TSS_TPMI_AES_KEY_BITS_Unmarshalu(TPMI_AES_KEY_BITS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_KEY_BITS_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+#endif /* TPM_ALG_AES */
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+#ifdef TPM_ALG_CAMELLIA
+TPM_RC
+TSS_TPMI_CAMELLIA_KEY_BITS_Unmarshalu(TPMI_CAMELLIA_KEY_BITS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_KEY_BITS_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+#endif /* TPM_ALG_CAMELLIA */
+
+#ifdef TPM_ALG_SM4
+TPM_RC
+TSS_TPMI_SM4_KEY_BITS_Unmarshalu(TPMI_SM4_KEY_BITS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_KEY_BITS_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+#endif /* TPM_ALG_SM4 */
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 125 - Definition of TPMU_SYM_KEY_BITS Union */
+
+TPM_RC
+TSS_TPMU_SYM_KEY_BITS_Unmarshalu(TPMU_SYM_KEY_BITS *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+#ifdef TPM_ALG_AES
+ case TPM_ALG_AES:
+ rc = TSS_TPMI_AES_KEY_BITS_Unmarshalu(&target->aes, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_SM4
+ case TPM_ALG_SM4:
+ rc = TSS_TPMI_SM4_KEY_BITS_Unmarshalu(&target->sm4, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_CAMELLIA
+ case TPM_ALG_CAMELLIA:
+ rc = TSS_TPMI_CAMELLIA_KEY_BITS_Unmarshalu(&target->camellia, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_XOR
+ case TPM_ALG_XOR:
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->xorr, buffer, size, NO);
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 126 - Definition of TPMU_SYM_MODE Union */
+
+TPM_RC
+TSS_TPMU_SYM_MODE_Unmarshalu(TPMU_SYM_MODE *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+#ifdef TPM_ALG_AES
+ case TPM_ALG_AES:
+ rc = TSS_TPMI_ALG_SYM_MODE_Unmarshalu(&target->aes, buffer, size, YES);
+ break;
+#endif
+#ifdef TPM_ALG_SM4
+ case TPM_ALG_SM4:
+ rc = TSS_TPMI_ALG_SYM_MODE_Unmarshalu(&target->sm4, buffer, size, YES);
+ break;
+#endif
+#ifdef TPM_ALG_CAMELLIA
+ case TPM_ALG_CAMELLIA:
+ rc = TSS_TPMI_ALG_SYM_MODE_Unmarshalu(&target->camellia, buffer, size, YES);
+ break;
+#endif
+ case TPM_ALG_XOR:
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 128 - Definition of TPMT_SYM_DEF Structure */
+
+TPM_RC
+TSS_TPMT_SYM_DEF_Unmarshalu(TPMT_SYM_DEF *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_SYM_Unmarshalu(&target->algorithm, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_SYM_KEY_BITS_Unmarshalu(&target->keyBits, buffer, size, target->algorithm);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_SYM_MODE_Unmarshalu(&target->mode, buffer, size, target->algorithm);
+ }
+ return rc;
+}
+
+/* Table 129 - Definition of TPMT_SYM_DEF_OBJECT Structure */
+
+TPM_RC
+TSS_TPMT_SYM_DEF_OBJECT_Unmarshalu(TPMT_SYM_DEF_OBJECT *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_SYM_OBJECT_Unmarshalu(&target->algorithm, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_SYM_KEY_BITS_Unmarshalu(&target->keyBits, buffer, size, target->algorithm);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_SYM_MODE_Unmarshalu(&target->mode, buffer, size, target->algorithm);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 130 - Definition of TPM2B_SYM_KEY Structure */
+
+TPM_RC
+TSS_TPM2B_SYM_KEY_Unmarshalu(TPM2B_SYM_KEY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 131 - Definition of TPMS_SYMCIPHER_PARMS Structure */
+
+TPM_RC
+TSS_TPMS_SYMCIPHER_PARMS_Unmarshalu(TPMS_SYMCIPHER_PARMS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SYM_DEF_OBJECT_Unmarshalu(&target->sym, buffer, size, NO);
+ }
+ return rc;
+}
+
+/* Table 132 - Definition of TPM2B_SENSITIVE_DATA Structure */
+
+TPM_RC
+TSS_TPM2B_SENSITIVE_DATA_Unmarshalu(TPM2B_SENSITIVE_DATA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 133 - Definition of TPMS_SENSITIVE_CREATE Structure <IN> */
+
+TPM_RC
+TSS_TPMS_SENSITIVE_CREATE_Unmarshalu(TPMS_SENSITIVE_CREATE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_AUTH_Unmarshalu(&target->userAuth, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_SENSITIVE_DATA_Unmarshalu(&target->data, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 134 - Definition of TPM2B_SENSITIVE_CREATE Structure <IN, S> */
+
+TPM_RC
+TSS_TPM2B_SENSITIVE_CREATE_Unmarshalu(TPM2B_SENSITIVE_CREATE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t startSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->size, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->size == 0) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ startSize = *size;
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SENSITIVE_CREATE_Unmarshalu(&target->sensitive, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->size != startSize - *size) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+
+TPM_RC
+TSS_TPMS_SCHEME_HASH_Unmarshalu(TPMS_SCHEME_HASH *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hashAlg, buffer, size, NO);
+ }
+ return rc;
+}
+
+/* Table 136 - Definition of {ECC} TPMS_SCHEME_ECDAA Structure */
+
+TPM_RC
+TSS_TPMS_SCHEME_ECDAA_Unmarshalu(TPMS_SCHEME_ECDAA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hashAlg, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->count, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 137 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
+
+TPM_RC
+TSS_TPMI_ALG_KEYEDHASH_SCHEME_Unmarshalu(TPMI_ALG_KEYEDHASH_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 138 - Definition of Types for HMAC_SIG_SCHEME */
+
+TPM_RC
+TSS_TPMS_SCHEME_HMAC_Unmarshalu(TPMS_SCHEME_HMAC *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 139 - Definition of TPMS_SCHEME_XOR Structure */
+
+TPM_RC
+TSS_TPMS_SCHEME_XOR_Unmarshalu(TPMS_SCHEME_XOR *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hashAlg, buffer, size, NO); /* as of rev 147 */
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_KDF_Unmarshalu(&target->kdf, buffer, size, YES);
+ }
+ return rc;
+}
+
+/* Table 140 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_SCHEME_KEYEDHASH_Unmarshalu(TPMU_SCHEME_KEYEDHASH *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+#ifdef TPM_ALG_HMAC
+ case TPM_ALG_HMAC:
+ rc = TSS_TPMS_SCHEME_HMAC_Unmarshalu(&target->hmac, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_XOR
+ case TPM_ALG_XOR:
+ rc = TSS_TPMS_SCHEME_XOR_Unmarshalu(&target->xorr, buffer, size);
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 141 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
+
+TPM_RC
+TSS_TPMT_KEYEDHASH_SCHEME_Unmarshalu(TPMT_KEYEDHASH_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_KEYEDHASH_SCHEME_Unmarshalu(&target->scheme, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_SCHEME_KEYEDHASH_Unmarshalu(&target->details, buffer, size, target->scheme);
+ }
+ return rc;
+}
+
+/* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+
+TPM_RC
+TSS_TPMS_SIG_SCHEME_RSAPSS_Unmarshalu(TPMS_SIG_SCHEME_RSAPSS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+
+TPM_RC
+TSS_TPMS_SIG_SCHEME_RSASSA_Unmarshalu(TPMS_SIG_SCHEME_RSASSA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 143 - Definition of {ECC} Types for ECC Signature Schemes */
+
+TPM_RC
+TSS_TPMS_SIG_SCHEME_ECDAA_Unmarshalu(TPMS_SIG_SCHEME_ECDAA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_ECDAA_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 143 - Definition of {ECC} Types for ECC Signature Schemes */
+
+TPM_RC
+TSS_TPMS_SIG_SCHEME_ECDSA_Unmarshalu(TPMS_SIG_SCHEME_ECDSA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 143 - Definition of {ECC} Types for ECC Signature Schemes */
+
+TPM_RC
+TSS_TPMS_SIG_SCHEME_ECSCHNORR_Unmarshalu(TPMS_SIG_SCHEME_ECSCHNORR *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 143 - Definition of {ECC} Types for ECC Signature Schemes */
+
+TPM_RC
+TSS_TPMS_SIG_SCHEME_SM2_Unmarshalu(TPMS_SIG_SCHEME_SM2 *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 144 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_SIG_SCHEME_Unmarshalu(TPMU_SIG_SCHEME *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+#ifdef TPM_ALG_RSASSA
+ case TPM_ALG_RSASSA:
+ rc = TSS_TPMS_SIG_SCHEME_RSASSA_Unmarshalu(&target->rsassa, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_RSAPSS
+ case TPM_ALG_RSAPSS:
+ rc = TSS_TPMS_SIG_SCHEME_RSAPSS_Unmarshalu(&target->rsapss, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECDSA
+ case TPM_ALG_ECDSA:
+ rc = TSS_TPMS_SIG_SCHEME_ECDSA_Unmarshalu(&target->ecdsa, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECDAA
+ case TPM_ALG_ECDAA:
+ rc = TSS_TPMS_SIG_SCHEME_ECDAA_Unmarshalu(&target->ecdaa, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_SM2
+ case TPM_ALG_SM2:
+ rc = TSS_TPMS_SIG_SCHEME_SM2_Unmarshalu(&target->sm2, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ case TPM_ALG_ECSCHNORR:
+ rc = TSS_TPMS_SIG_SCHEME_ECSCHNORR_Unmarshalu(&target->ecSchnorr, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_HMAC
+ case TPM_ALG_HMAC:
+ rc = TSS_TPMS_SCHEME_HMAC_Unmarshalu(&target->hmac, buffer, size);
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 145 - Definition of TPMT_SIG_SCHEME Structure */
+
+TPM_RC
+TSS_TPMT_SIG_SCHEME_Unmarshalu(TPMT_SIG_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_SIG_SCHEME_Unmarshalu(&target->scheme, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_SIG_SCHEME_Unmarshalu(&target->details, buffer, size, target->scheme);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 146 - Definition of Types for {RSA} Encryption Schemes */
+
+TPM_RC
+TSS_TPMS_ENC_SCHEME_OAEP_Unmarshalu(TPMS_ENC_SCHEME_OAEP *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 146 - Definition of Types for {RSA} Encryption Schemes */
+
+/* NOTE: Marked as const function in header */
+
+TPM_RC
+TSS_TPMS_ENC_SCHEME_RSAES_Unmarshalu(TPMS_ENC_SCHEME_RSAES *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_EMPTY_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 147 - Definition of Types for {ECC} ECC Key Exchange */
+
+TPM_RC
+TSS_TPMS_KEY_SCHEME_ECDH_Unmarshalu(TPMS_KEY_SCHEME_ECDH *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 147 - Definition of Types for {ECC} ECC Key Exchange */
+
+TPM_RC
+TSS_TPMS_KEY_SCHEME_ECMQV_Unmarshalu(TPMS_KEY_SCHEME_ECMQV *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 148 - Definition of Types for KDF Schemes, hash-based key- or mask-generation functions */
+
+TPM_RC
+TSS_TPMS_SCHEME_KDF1_SP800_108_Unmarshalu(TPMS_SCHEME_KDF1_SP800_108 *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 148 - Definition of Types for KDF Schemes, hash-based key- or mask-generation functions */
+
+TPM_RC
+TSS_TPMS_SCHEME_KDF1_SP800_56A_Unmarshalu(TPMS_SCHEME_KDF1_SP800_56A *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 148 - Definition of Types for KDF Schemes, hash-based key- or mask-generation functions */
+
+TPM_RC
+TSS_TPMS_SCHEME_KDF2_Unmarshalu(TPMS_SCHEME_KDF2 *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 148 - Definition of Types for KDF Schemes, hash-based key- or mask-generation functions */
+
+TPM_RC
+TSS_TPMS_SCHEME_MGF1_Unmarshalu(TPMS_SCHEME_MGF1 *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 149 - Definition of TPMU_KDF_SCHEME Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_KDF_SCHEME_Unmarshalu(TPMU_KDF_SCHEME *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+#ifdef TPM_ALG_MGF1
+ case TPM_ALG_MGF1:
+ rc = TSS_TPMS_SCHEME_MGF1_Unmarshalu(&target->mgf1, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_KDF1_SP800_56A
+ case TPM_ALG_KDF1_SP800_56A:
+ rc = TSS_TPMS_SCHEME_KDF1_SP800_56A_Unmarshalu(&target->kdf1_SP800_56a, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_KDF2
+ case TPM_ALG_KDF2:
+ rc = TSS_TPMS_SCHEME_KDF2_Unmarshalu(&target->kdf2, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_KDF1_SP800_108
+ case TPM_ALG_KDF1_SP800_108:
+ rc = TSS_TPMS_SCHEME_KDF1_SP800_108_Unmarshalu(&target->kdf1_sp800_108, buffer, size);
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 150 - Definition of TPMT_KDF_SCHEME Structure */
+
+TPM_RC
+TSS_TPMT_KDF_SCHEME_Unmarshalu(TPMT_KDF_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_KDF_Unmarshalu(&target->scheme, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_KDF_SCHEME_Unmarshalu(&target->details, buffer, size, target->scheme);
+ }
+ return rc;
+}
+
+/* Table 151 - Definition of (TPM_ALG_ID) TPMI_ALG_ASYM_SCHEME Type <> */
+
+#if 0
+TPM_RC
+TSS_TPMI_ALG_ASYM_SCHEME_Unmarshalu(TPMI_ALG_ASYM_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+#endif /* 0 */
+
+/* Table 152 - Definition of TPMU_ASYM_SCHEME Union */
+
+TPM_RC
+TSS_TPMU_ASYM_SCHEME_Unmarshalu(TPMU_ASYM_SCHEME *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+#ifdef TPM_ALG_ECDH
+ case TPM_ALG_ECDH:
+ rc = TSS_TPMS_KEY_SCHEME_ECDH_Unmarshalu(&target->ecdh, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECMQV
+ case TPM_ALG_ECMQV:
+ rc = TSS_TPMS_KEY_SCHEME_ECMQV_Unmarshalu(&target->ecmqvh, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_RSASSA
+ case TPM_ALG_RSASSA:
+ rc = TSS_TPMS_SIG_SCHEME_RSASSA_Unmarshalu(&target->rsassa, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_RSAPSS
+ case TPM_ALG_RSAPSS:
+ rc = TSS_TPMS_SIG_SCHEME_RSAPSS_Unmarshalu(&target->rsapss, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECDSA
+ case TPM_ALG_ECDSA:
+ rc = TSS_TPMS_SIG_SCHEME_ECDSA_Unmarshalu(&target->ecdsa, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECDAA
+ case TPM_ALG_ECDAA:
+ rc = TSS_TPMS_SIG_SCHEME_ECDAA_Unmarshalu(&target->ecdaa, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_SM2
+ case TPM_ALG_SM2:
+ rc = TSS_TPMS_SIG_SCHEME_SM2_Unmarshalu(&target->sm2, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ case TPM_ALG_ECSCHNORR:
+ rc = TSS_TPMS_SIG_SCHEME_ECSCHNORR_Unmarshalu(&target->ecSchnorr, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_RSAES
+ case TPM_ALG_RSAES:
+ rc = TSS_TPMS_ENC_SCHEME_RSAES_Unmarshalu(&target->rsaes, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_OAEP
+ case TPM_ALG_OAEP:
+ rc = TSS_TPMS_ENC_SCHEME_OAEP_Unmarshalu(&target->oaep, buffer, size);
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 153 - Definition of TPMT_ASYM_SCHEME Structure <> */
+
+#if 0
+TPM_RC
+TSS_TPMT_ASYM_SCHEME_Unmarshalu(TPMT_ASYM_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_ASYM_SCHEME_Unmarshalu(&target->scheme, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_ASYM_SCHEME_Unmarshalu(&target->details, buffer, size, target->scheme);
+ }
+ return rc;
+}
+#endif /* 0 */
+
+/* Table 154 - Definition of (TPM_ALG_ID) {RSA} TPMI_ALG_RSA_SCHEME Type */
+
+TPM_RC
+TSS_TPMI_ALG_RSA_SCHEME_Unmarshalu(TPMI_ALG_RSA_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 155 - Definition of {RSA} TPMT_RSA_SCHEME Structure */
+
+TPM_RC
+TSS_TPMT_RSA_SCHEME_Unmarshalu(TPMT_RSA_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_RSA_SCHEME_Unmarshalu(&target->scheme, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_ASYM_SCHEME_Unmarshalu(&target->details, buffer, size, target->scheme);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 156 - Definition of (TPM_ALG_ID) {RSA} TPMI_ALG_RSA_DECRYPT Type */
+
+TPM_RC
+TSS_TPMI_ALG_RSA_DECRYPT_Unmarshalu(TPMI_ALG_RSA_DECRYPT *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 157 - Definition of {RSA} TPMT_RSA_DECRYPT Structure */
+
+TPM_RC
+TSS_TPMT_RSA_DECRYPT_Unmarshalu(TPMT_RSA_DECRYPT *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_RSA_DECRYPT_Unmarshalu(&target->scheme, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_ASYM_SCHEME_Unmarshalu(&target->details, buffer, size, target->scheme);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 158 - Definition of {RSA} TPM2B_PUBLIC_KEY_RSA Structure */
+TPM_RC
+TSS_TPM2B_PUBLIC_KEY_RSA_Unmarshalu(TPM2B_PUBLIC_KEY_RSA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 159 - Definition of {RSA} (TPM_KEY_BITS) TPMI_RSA_KEY_BITS Type */
+
+TPM_RC
+TSS_TPMI_RSA_KEY_BITS_Unmarshalu(TPMI_RSA_KEY_BITS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_KEY_BITS_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 160 - Definition of {RSA} TPM2B_PRIVATE_KEY_RSA Structure */
+
+TPM_RC
+TSS_TPM2B_PRIVATE_KEY_RSA_Unmarshalu(TPM2B_PRIVATE_KEY_RSA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 161 - Definition of {ECC} TPM2B_ECC_PARAMETER Structure */
+
+TPM_RC
+TSS_TPM2B_ECC_PARAMETER_Unmarshalu(TPM2B_ECC_PARAMETER *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 162 - Definition of {ECC} TPMS_ECC_POINT Structure */
+
+TPM_RC
+TSS_TPMS_ECC_POINT_Unmarshalu(TPMS_ECC_POINT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->x, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->y, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 163 - Definition of {ECC} TPM2B_ECC_POINT Structure */
+
+TPM_RC
+TSS_TPM2B_ECC_POINT_Unmarshalu(TPM2B_ECC_POINT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t startSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->size, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->size == 0) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ startSize = *size;
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_ECC_POINT_Unmarshalu(&target->point, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->size != startSize - *size) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ return rc;
+}
+
+/* Table 164 - Definition of (TPM_ALG_ID) {ECC} TPMI_ALG_ECC_SCHEME Type */
+
+TPM_RC
+TSS_TPMI_ALG_ECC_SCHEME_Unmarshalu(TPMI_ALG_ECC_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 165 - Definition of {ECC} (TPM_ECC_CURVE) TPMI_ECC_CURVE Type */
+
+TPM_RC
+TSS_TPMI_ECC_CURVE_Unmarshalu(TPMI_ECC_CURVE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ECC_CURVE_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 166 - Definition of (TPMT_SIG_SCHEME) {ECC} TPMT_ECC_SCHEME Structure */
+
+TPM_RC
+TSS_TPMT_ECC_SCHEME_Unmarshalu(TPMT_ECC_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_ECC_SCHEME_Unmarshalu(&target->scheme, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_ASYM_SCHEME_Unmarshalu(&target->details, buffer, size, target->scheme);
+ }
+ return rc;
+}
+
+/* Table 167 - Definition of {ECC} TPMS_ALGORITHM_DETAIL_ECC Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_ALGORITHM_DETAIL_ECC_Unmarshalu(TPMS_ALGORITHM_DETAIL_ECC *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ECC_CURVE_Unmarshalu(&target->curveID, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->keySize, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_KDF_SCHEME_Unmarshalu(&target->kdf, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_ECC_SCHEME_Unmarshalu(&target->sign, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->p, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->a, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->b, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->gX, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->gY, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->n, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->h, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 168 - Definition of {RSA} TPMS_SIGNATURE_RSA Structure */
+
+TPM_RC
+TSS_TPMS_SIGNATURE_RSA_Unmarshalu(TPMS_SIGNATURE_RSA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hash, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_KEY_RSA_Unmarshalu(&target->sig, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 169 - Definition of Types for {RSA} Signature */
+
+TPM_RC
+TSS_TPMS_SIGNATURE_RSASSA_Unmarshalu(TPMS_SIGNATURE_RSASSA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SIGNATURE_RSA_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 169 - Definition of Types for {RSA} Signature */
+
+TPM_RC
+TSS_TPMS_SIGNATURE_RSAPSS_Unmarshalu(TPMS_SIGNATURE_RSAPSS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SIGNATURE_RSA_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 170 - Definition of {ECC} TPMS_SIGNATURE_ECC Structure */
+
+TPM_RC
+TSS_TPMS_SIGNATURE_ECC_Unmarshalu(TPMS_SIGNATURE_ECC *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->hash, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->signatureR, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->signatureS, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 171 - Definition of Types for {ECC} TPMS_SIGNATURE_ECC */
+
+TPM_RC
+TSS_TPMS_SIGNATURE_ECDSA_Unmarshalu(TPMS_SIGNATURE_ECDSA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SIGNATURE_ECC_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPMS_SIGNATURE_ECDAA_Unmarshalu(TPMS_SIGNATURE_ECDAA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SIGNATURE_ECC_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPMS_SIGNATURE_SM2_Unmarshalu(TPMS_SIGNATURE_SM2 *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SIGNATURE_ECC_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPMS_SIGNATURE_ECSCHNORR_Unmarshalu(TPMS_SIGNATURE_ECSCHNORR *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_SIGNATURE_ECC_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 172 - Definition of TPMU_SIGNATURE Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_SIGNATURE_Unmarshalu(TPMU_SIGNATURE *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+#ifdef TPM_ALG_RSASSA
+ case TPM_ALG_RSASSA:
+ rc = TSS_TPMS_SIGNATURE_RSASSA_Unmarshalu(&target->rsassa, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_RSAPSS
+ case TPM_ALG_RSAPSS:
+ rc = TSS_TPMS_SIGNATURE_RSAPSS_Unmarshalu(&target->rsapss, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECDSA
+ case TPM_ALG_ECDSA:
+ rc = TSS_TPMS_SIGNATURE_ECDSA_Unmarshalu(&target->ecdsa, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECDAA
+ case TPM_ALG_ECDAA:
+ rc = TSS_TPMS_SIGNATURE_ECDAA_Unmarshalu(&target->ecdaa, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_SM2
+ case TPM_ALG_SM2:
+ rc = TSS_TPMS_SIGNATURE_SM2_Unmarshalu(&target->sm2, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ case TPM_ALG_ECSCHNORR:
+ rc = TSS_TPMS_SIGNATURE_ECSCHNORR_Unmarshalu(&target->ecschnorr, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_HMAC
+ case TPM_ALG_HMAC:
+ rc = TSS_TPMT_HA_Unmarshalu(&target->hmac, buffer, size, NO);
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 173 - Definition of TPMT_SIGNATURE Structure */
+
+TPM_RC
+TSS_TPMT_SIGNATURE_Unmarshalu(TPMT_SIGNATURE *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_SIG_SCHEME_Unmarshalu(&target->sigAlg, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_SIGNATURE_Unmarshalu(&target->signature, buffer, size, target->sigAlg);
+ }
+ return rc;
+}
+
+/* Table 175 - Definition of TPM2B_ENCRYPTED_SECRET Structure */
+
+TPM_RC
+TSS_TPM2B_ENCRYPTED_SECRET_Unmarshalu(TPM2B_ENCRYPTED_SECRET *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.secret), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 176 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
+
+TPM_RC
+TSS_TPMI_ALG_PUBLIC_Unmarshalu(TPMI_ALG_PUBLIC *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 177 - Definition of TPMU_PUBLIC_ID Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_PUBLIC_ID_Unmarshalu(TPMU_PUBLIC_ID *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+#ifdef TPM_ALG_KEYEDHASH
+ case TPM_ALG_KEYEDHASH:
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->keyedHash, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ case TPM_ALG_SYMCIPHER:
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->sym, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_RSA
+ case TPM_ALG_RSA:
+ rc = TSS_TPM2B_PUBLIC_KEY_RSA_Unmarshalu(&target->rsa, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECC
+ case TPM_ALG_ECC:
+ rc = TSS_TPMS_ECC_POINT_Unmarshalu(&target->ecc, buffer, size);
+ break;
+#endif
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 178 - Definition of TPMS_KEYEDHASH_PARMS Structure */
+
+TPM_RC
+TSS_TPMS_KEYEDHASH_PARMS_Unmarshalu(TPMS_KEYEDHASH_PARMS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_KEYEDHASH_SCHEME_Unmarshalu(&target->scheme, buffer, size, YES);
+ }
+ return rc;
+}
+
+/* Table 179 - Definition of TPMS_ASYM_PARMS Structure <> */
+
+#if 0
+TPM_RC
+TSS_TPMS_ASYM_PARMS_Unmarshalu(TPMS_ASYM_PARMS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SYM_DEF_OBJECT_Unmarshalu(&target->symmetric, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_ASYM_SCHEME_Unmarshalu(&target->scheme, buffer, size, YES);
+ }
+ return rc;
+}
+#endif
+
+/* Table 180 - Definition of {RSA} TPMS_RSA_PARMS Structure */
+
+TPM_RC
+TSS_TPMS_RSA_PARMS_Unmarshalu(TPMS_RSA_PARMS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SYM_DEF_OBJECT_Unmarshalu(&target->symmetric, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_RSA_SCHEME_Unmarshalu(&target->scheme, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_RSA_KEY_BITS_Unmarshalu(&target->keyBits, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->exponent, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 181 - Definition of {ECC} TPMS_ECC_PARMS Structure */
+
+TPM_RC
+TSS_TPMS_ECC_PARMS_Unmarshalu(TPMS_ECC_PARMS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SYM_DEF_OBJECT_Unmarshalu(&target->symmetric, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_ECC_SCHEME_Unmarshalu(&target->scheme, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ECC_CURVE_Unmarshalu(&target->curveID, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_KDF_SCHEME_Unmarshalu(&target->kdf, buffer, size, YES);
+ }
+ return rc;
+}
+
+/* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_PUBLIC_PARMS_Unmarshalu(TPMU_PUBLIC_PARMS *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+#ifdef TPM_ALG_KEYEDHASH
+ case TPM_ALG_KEYEDHASH:
+ rc = TSS_TPMS_KEYEDHASH_PARMS_Unmarshalu(&target->keyedHashDetail, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ case TPM_ALG_SYMCIPHER:
+ rc = TSS_TPMS_SYMCIPHER_PARMS_Unmarshalu(&target->symDetail, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_RSA
+ case TPM_ALG_RSA:
+ rc = TSS_TPMS_RSA_PARMS_Unmarshalu(&target->rsaDetail, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECC
+ case TPM_ALG_ECC:
+ rc = TSS_TPMS_ECC_PARMS_Unmarshalu(&target->eccDetail, buffer, size);
+ break;
+#endif
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 183 - Definition of TPMT_PUBLIC_PARMS Structure */
+
+TPM_RC
+TSS_TPMT_PUBLIC_PARMS_Unmarshalu(TPMT_PUBLIC_PARMS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_PUBLIC_Unmarshalu(&target->type, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_PUBLIC_PARMS_Unmarshalu(&target->parameters, buffer, size, target->type);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 184 - Definition of TPMT_PUBLIC Structure */
+
+TPM_RC
+TSS_TPMT_PUBLIC_Unmarshalu(TPMT_PUBLIC *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_PUBLIC_Unmarshalu(&target->type, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->nameAlg, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMA_OBJECT_Unmarshalu(&target->objectAttributes, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->authPolicy, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_PUBLIC_PARMS_Unmarshalu(&target->parameters, buffer, size, target->type);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_PUBLIC_ID_Unmarshalu(&target->unique, buffer, size, target->type);
+ }
+ return rc;
+}
+
+/* Table 185 - Definition of TPM2B_PUBLIC Structure */
+
+TPM_RC
+TSS_TPM2B_PUBLIC_Unmarshalu(TPM2B_PUBLIC *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t startSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->size, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->size == 0) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ startSize = *size;
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_PUBLIC_Unmarshalu(&target->publicArea, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->size != startSize - *size) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ return rc;
+}
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 192 - Definition of TPM2B_TEMPLATE Structure */
+
+TPM_RC
+TSS_TPM2B_TEMPLATE_Unmarshalu(TPM2B_TEMPLATE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 187 - Definition of TPMU_SENSITIVE_COMPOSITE Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_SENSITIVE_COMPOSITE_Unmarshalu(TPMU_SENSITIVE_COMPOSITE *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ switch (selector) {
+#ifdef TPM_ALG_RSA
+ case TPM_ALG_RSA:
+ rc = TSS_TPM2B_PRIVATE_KEY_RSA_Unmarshalu(&target->rsa, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_ECC
+ case TPM_ALG_ECC:
+ rc = TSS_TPM2B_ECC_PARAMETER_Unmarshalu(&target->ecc, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_KEYEDHASH
+ case TPM_ALG_KEYEDHASH:
+ rc = TSS_TPM2B_SENSITIVE_DATA_Unmarshalu(&target->bits, buffer, size);
+ break;
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ case TPM_ALG_SYMCIPHER:
+ rc = TSS_TPM2B_SYM_KEY_Unmarshalu(&target->sym, buffer, size);
+ break;
+#endif
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 188 - Definition of TPMT_SENSITIVE Structure */
+
+TPM_RC
+TSS_TPMT_SENSITIVE_Unmarshalu(TPMT_SENSITIVE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_PUBLIC_Unmarshalu(&target->sensitiveType, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_AUTH_Unmarshalu(&target->authValue, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->seedValue, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_SENSITIVE_COMPOSITE_Unmarshalu(&target->sensitive, buffer, size, target->sensitiveType);
+ }
+ return rc;
+}
+
+/* Table 189 - Definition of TPM2B_SENSITIVE Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_SENSITIVE_Unmarshalu(TPM2B_SENSITIVE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t startSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->t.size, buffer, size);
+ }
+ if (target->t.size != 0) {
+ if (rc == TPM_RC_SUCCESS) {
+ startSize = *size;
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SENSITIVE_Unmarshalu(&target->t.sensitiveArea, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->t.size != startSize - *size) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 191 - Definition of TPM2B_PRIVATE Structure <IN/OUT, S> */
+
+TPM_RC
+TSS_TPM2B_PRIVATE_Unmarshalu(TPM2B_PRIVATE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 193 - Definition of TPM2B_ID_OBJECT Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_ID_OBJECT_Unmarshalu(TPM2B_ID_OBJECT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.credential), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 196 - Definition of (UINT32) TPMA_NV Bits */
+
+TPM_RC
+TSS_TPMA_NV_Unmarshalu(TPMA_NV *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->val, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->val & TPMA_NV_RESERVED) {
+ rc = TPM_RC_RESERVED_BITS;
+ }
+ }
+ return rc;
+}
+
+/* Table 197 - Definition of TPMS_NV_PUBLIC Structure */
+
+TPM_RC
+TSS_TPMS_NV_PUBLIC_Unmarshalu(TPMS_NV_PUBLIC *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_RH_NV_INDEX_Unmarshalu(&target->nvIndex, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->nameAlg, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMA_NV_Unmarshalu(&target->attributes, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->authPolicy, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->dataSize, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 198 - Definition of TPM2B_NV_PUBLIC Structure */
+
+TPM_RC
+TSS_TPM2B_NV_PUBLIC_Unmarshalu(TPM2B_NV_PUBLIC *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t startSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->size, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->size == 0) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ startSize = *size;
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_NV_PUBLIC_Unmarshalu(&target->nvPublic, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->size != startSize - *size) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Table 199 - Definition of TPM2B_CONTEXT_SENSITIVE Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_CONTEXT_SENSITIVE_Unmarshalu(TPM2B_CONTEXT_SENSITIVE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 200 - Definition of TPMS_CONTEXT_DATA Structure <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMS_CONTEXT_DATA_Unmarshalu(TPMS_CONTEXT_DATA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->integrity, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_CONTEXT_SENSITIVE_Unmarshalu(&target->encrypted, buffer, size);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+/* Table 201 - Definition of TPM2B_CONTEXT_DATA Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_CONTEXT_DATA_Unmarshalu(TPM2B_CONTEXT_DATA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_Unmarshalu(&target->b, sizeof(target->t.buffer), buffer, size);
+ }
+ return rc;
+}
+
+/* Table 202 - Definition of TPMS_CONTEXT Structure */
+
+TPM_RC
+TSS_TPMS_CONTEXT_Unmarshalu(TPMS_CONTEXT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT64_Unmarshalu(&target->sequence, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_DH_SAVED_Unmarshalu(&target->savedHandle, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_RH_HIERARCHY_Unmarshalu(&target->hierarchy, buffer, size, YES);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_CONTEXT_DATA_Unmarshalu(&target->contextBlob, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 204 - Definition of TPMS_CREATION_DATA Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_CREATION_DATA_Unmarshalu(TPMS_CREATION_DATA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_PCR_SELECTION_Unmarshalu(&target->pcrSelect, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->pcrDigest, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMA_LOCALITY_Unmarshalu(&target->locality, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_Unmarshalu(&target->parentNameAlg, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->parentName, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->parentQualifiedName, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->outsideInfo, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 205 - Definition of TPM2B_CREATION_DATA Structure <OUT> */
+
+TPM_RC
+TSS_TPM2B_CREATION_DATA_Unmarshalu(TPM2B_CREATION_DATA *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t startSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->size, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->size == 0) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ startSize = *size;
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_CREATION_DATA_Unmarshalu(&target->creationData, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->size != startSize - *size) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ return rc;
+}
+#ifndef TPM_TSS_NOCMDCHECK
+
+/* Deprecated functions that use a sized value for the size parameter. The recommended functions
+ use an unsigned value.
+
+*/
+
+TPM_RC TPM2B_Unmarshal(TPM2B *target, UINT16 targetSize, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_Unmarshalu(target, targetSize, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_KEY_BITS_Unmarshal(TPM_KEY_BITS *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_KEY_BITS_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_GENERATED_Unmarshal(TPM_GENERATED *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_GENERATED_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_ALG_ID_Unmarshal(TPM_ALG_ID *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_ALG_ID_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_ECC_CURVE_Unmarshal(TPM_ECC_CURVE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_ECC_CURVE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_CC_Unmarshal(TPM_RC *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_CC_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_RC_Unmarshal(TPM_RC *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_RC_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_CLOCK_ADJUST_Unmarshal(TPM_CLOCK_ADJUST *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_CLOCK_ADJUST_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_EO_Unmarshal(TPM_EO *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_EO_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_ST_Unmarshal(TPM_ST *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_ST_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_SU_Unmarshal(TPM_SU *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_SU_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_SE_Unmarshal(TPM_SE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_SE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_CAP_Unmarshal(TPM_CAP *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_CAP_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_PT_Unmarshal(TPM_HANDLE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_PT_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_PT_PCR_Unmarshal(TPM_PT_PCR *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_PT_PCR_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM_HANDLE_Unmarshal(TPM_HANDLE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_HANDLE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMA_ALGORITHM_Unmarshal(TPMA_ALGORITHM *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_ALGORITHM_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMA_OBJECT_Unmarshal(TPMA_OBJECT *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_OBJECT_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMA_SESSION_Unmarshal(TPMA_SESSION *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_SESSION_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMA_LOCALITY_Unmarshal(TPMA_LOCALITY *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_LOCALITY_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMA_CC_Unmarshal(TPMA_CC *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_CC_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMI_YES_NO_Unmarshal(TPMI_YES_NO *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_YES_NO_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMI_DH_OBJECT_Unmarshal(TPMI_DH_OBJECT *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_DH_OBJECT_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+#if 0
+TPM_RC TPMI_DH_PARENT_Unmarshal(TPMI_DH_PARENT *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_DH_PARENT_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+#endif
+
+TPM_RC TPMI_DH_PERSISTENT_Unmarshal(TPMI_DH_PERSISTENT *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_DH_PERSISTENT_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMI_DH_ENTITY_Unmarshal(TPMI_DH_ENTITY *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_DH_ENTITY_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_DH_PCR_Unmarshal(TPMI_DH_PCR *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_DH_PCR_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_SH_AUTH_SESSION_Unmarshal(TPMI_SH_AUTH_SESSION *target, BYTE **buffer, INT32 *size, BOOL allowPwd)
+{
+ return TSS_TPMI_SH_AUTH_SESSION_Unmarshalu(target, buffer, (uint32_t *)size, allowPwd);
+}
+
+TPM_RC TPMI_SH_HMAC_Unmarshal(TPMI_SH_HMAC *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_SH_HMAC_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_SH_POLICY_Unmarshal(TPMI_SH_POLICY *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_SH_POLICY_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_DH_CONTEXT_Unmarshal(TPMI_DH_CONTEXT *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_DH_CONTEXT_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_RH_HIERARCHY_Unmarshal(TPMI_RH_HIERARCHY *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_RH_HIERARCHY_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_RH_ENABLES_Unmarshal(TPMI_RH_ENABLES *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_RH_ENABLES_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_RH_HIERARCHY_AUTH_Unmarshal(TPMI_RH_HIERARCHY_AUTH *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_RH_HIERARCHY_AUTH_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_RH_PLATFORM_Unmarshal(TPMI_RH_PLATFORM *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_RH_PLATFORM_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_RH_ENDORSEMENT_Unmarshal(TPMI_RH_ENDORSEMENT *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_RH_ENDORSEMENT_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_RH_PROVISION_Unmarshal(TPMI_RH_PROVISION *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_RH_PROVISION_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_RH_CLEAR_Unmarshal(TPMI_RH_CLEAR *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_RH_CLEAR_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_RH_NV_AUTH_Unmarshal(TPMI_RH_NV_AUTH *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_RH_NV_AUTH_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_RH_LOCKOUT_Unmarshal(TPMI_RH_LOCKOUT *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_RH_LOCKOUT_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_RH_NV_INDEX_Unmarshal(TPMI_RH_NV_INDEX *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_RH_NV_INDEX_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_ALG_HASH_Unmarshal(TPMI_ALG_HASH *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_HASH_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_ALG_SYM_Unmarshal(TPMI_ALG_SYM *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_SYM_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_ALG_SYM_OBJECT_Unmarshal(TPMI_ALG_SYM_OBJECT *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_SYM_OBJECT_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_ALG_SYM_MODE_Unmarshal(TPMI_ALG_SYM_MODE *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_SYM_MODE_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_ALG_KDF_Unmarshal(TPMI_ALG_KDF *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_KDF_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_ALG_SIG_SCHEME_Unmarshal(TPMI_ALG_SIG_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_SIG_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_ECC_KEY_EXCHANGE_Unmarshal(TPMI_ECC_KEY_EXCHANGE *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ECC_KEY_EXCHANGE_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_ST_COMMAND_TAG_Unmarshal(TPMI_ST_COMMAND_TAG *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ST_COMMAND_TAG_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMI_ALG_MAC_SCHEME_Unmarshal(TPMI_ALG_MAC_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_MAC_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_ALG_CIPHER_MODE_Unmarshal(TPMI_ALG_CIPHER_MODE *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_CIPHER_MODE_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+/* NOTE: Marked as const function in header */
+
+TPM_RC TPMS_EMPTY_Unmarshal(TPMS_EMPTY *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_EMPTY_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMU_HA_Unmarshal(TPMU_HA *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_HA_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMT_HA_Unmarshal(TPMT_HA *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_HA_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPM2B_DIGEST_Unmarshal(TPM2B_DIGEST *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_DIGEST_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_DATA_Unmarshal(TPM2B_DATA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_DATA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_NONCE_Unmarshal(TPM2B_NONCE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_NONCE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_AUTH_Unmarshal(TPM2B_AUTH *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_AUTH_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_OPERAND_Unmarshal(TPM2B_OPERAND *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_OPERAND_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_EVENT_Unmarshal(TPM2B_EVENT *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_EVENT_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_MAX_BUFFER_Unmarshal(TPM2B_MAX_BUFFER *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_MAX_BUFFER_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_MAX_NV_BUFFER_Unmarshal(TPM2B_MAX_NV_BUFFER *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_MAX_NV_BUFFER_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_TIMEOUT_Unmarshal(TPM2B_TIMEOUT *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_TIMEOUT_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_IV_Unmarshal(TPM2B_IV *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_IV_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_NAME_Unmarshal(TPM2B_NAME *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_NAME_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_PCR_SELECTION_Unmarshal(TPMS_PCR_SELECTION *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_PCR_SELECTION_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMT_TK_CREATION_Unmarshal(TPMT_TK_CREATION *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_TK_CREATION_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMT_TK_VERIFIED_Unmarshal(TPMT_TK_VERIFIED *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_TK_VERIFIED_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMT_TK_AUTH_Unmarshal(TPMT_TK_AUTH *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_TK_AUTH_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMT_TK_HASHCHECK_Unmarshal(TPMT_TK_HASHCHECK *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_TK_HASHCHECK_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_ALG_PROPERTY_Unmarshal(TPMS_ALG_PROPERTY *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ALG_PROPERTY_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_TAGGED_PROPERTY_Unmarshal(TPMS_TAGGED_PROPERTY *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_TAGGED_PROPERTY_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_TAGGED_PCR_SELECT_Unmarshal(TPMS_TAGGED_PCR_SELECT *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_TAGGED_PCR_SELECT_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPML_CC_Unmarshal(TPML_CC *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_CC_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPML_CCA_Unmarshal(TPML_CCA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_CCA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPML_ALG_Unmarshal(TPML_ALG *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_ALG_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPML_HANDLE_Unmarshal(TPML_HANDLE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_HANDLE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPML_DIGEST_Unmarshal(TPML_DIGEST *target, BYTE **buffer, INT32 *size,uint32_t minCount)
+{
+ return TSS_TPML_DIGEST_Unmarshalu(target, buffer, (uint32_t *)size, minCount);
+}
+
+TPM_RC TPML_DIGEST_VALUES_Unmarshal(TPML_DIGEST_VALUES *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_DIGEST_VALUES_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPML_PCR_SELECTION_Unmarshal(TPML_PCR_SELECTION *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_PCR_SELECTION_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPML_ALG_PROPERTY_Unmarshal(TPML_ALG_PROPERTY *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_ALG_PROPERTY_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPML_TAGGED_TPM_PROPERTY_Unmarshal(TPML_TAGGED_TPM_PROPERTY *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_TAGGED_TPM_PROPERTY_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPML_TAGGED_PCR_PROPERTY_Unmarshal(TPML_TAGGED_PCR_PROPERTY *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_TAGGED_PCR_PROPERTY_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPML_ECC_CURVE_Unmarshal(TPML_ECC_CURVE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_ECC_CURVE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+#if 0
+TPM_RC TPML_TAGGED_POLICY_Unmarshal(TPML_TAGGED_POLICY *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_TAGGED_POLICY_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+#endif
+
+TPM_RC TPMU_CAPABILITIES_Unmarshal(TPMU_CAPABILITIES *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_CAPABILITIES_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMS_CLOCK_INFO_Unmarshal(TPMS_CLOCK_INFO *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CLOCK_INFO_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_TIME_INFO_Unmarshal(TPMS_TIME_INFO *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_TIME_INFO_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_TIME_ATTEST_INFO_Unmarshal(TPMS_TIME_ATTEST_INFO *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_TIME_ATTEST_INFO_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_CERTIFY_INFO_Unmarshal(TPMS_CERTIFY_INFO *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CERTIFY_INFO_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_QUOTE_INFO_Unmarshal(TPMS_QUOTE_INFO *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_QUOTE_INFO_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_COMMAND_AUDIT_INFO_Unmarshal(TPMS_COMMAND_AUDIT_INFO *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_COMMAND_AUDIT_INFO_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SESSION_AUDIT_INFO_Unmarshal(TPMS_SESSION_AUDIT_INFO *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SESSION_AUDIT_INFO_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_CREATION_INFO_Unmarshal(TPMS_CREATION_INFO *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CREATION_INFO_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_NV_CERTIFY_INFO_Unmarshal(TPMS_NV_CERTIFY_INFO *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_NV_CERTIFY_INFO_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMI_ST_ATTEST_Unmarshal(TPMI_ST_ATTEST *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ST_ATTEST_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMU_ATTEST_Unmarshal(TPMU_ATTEST *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_ATTEST_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMS_ATTEST_Unmarshal(TPMS_ATTEST *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ATTEST_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_ATTEST_Unmarshal(TPM2B_ATTEST *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_ATTEST_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_CAPABILITY_DATA_Unmarshal(TPMS_CAPABILITY_DATA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CAPABILITY_DATA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_AUTH_RESPONSE_Unmarshal(TPMS_AUTH_RESPONSE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_AUTH_RESPONSE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMI_AES_KEY_BITS_Unmarshal(TPMI_AES_KEY_BITS *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_AES_KEY_BITS_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMU_SYM_KEY_BITS_Unmarshal(TPMU_SYM_KEY_BITS *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SYM_KEY_BITS_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMU_SYM_MODE_Unmarshal(TPMU_SYM_MODE *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SYM_MODE_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMT_SYM_DEF_Unmarshal(TPMT_SYM_DEF *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_SYM_DEF_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMT_SYM_DEF_OBJECT_Unmarshal(TPMT_SYM_DEF_OBJECT *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_SYM_DEF_OBJECT_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPM2B_SYM_KEY_Unmarshal(TPM2B_SYM_KEY *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_SYM_KEY_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SYMCIPHER_PARMS_Unmarshal(TPMS_SYMCIPHER_PARMS *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SYMCIPHER_PARMS_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+#if 0
+TPM_RC TPM2B_LABEL_Unmarshal(TPM2B_LABEL *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_LABEL_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+#endif
+
+TPM_RC TPM2B_SENSITIVE_DATA_Unmarshal(TPM2B_SENSITIVE_DATA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_SENSITIVE_DATA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SENSITIVE_CREATE_Unmarshal(TPMS_SENSITIVE_CREATE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SENSITIVE_CREATE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_SENSITIVE_CREATE_Unmarshal(TPM2B_SENSITIVE_CREATE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_SENSITIVE_CREATE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SCHEME_HASH_Unmarshal(TPMS_SCHEME_HASH *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_HASH_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SCHEME_ECDAA_Unmarshal(TPMS_SCHEME_ECDAA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_ECDAA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMI_ALG_KEYEDHASH_SCHEME_Unmarshal(TPMI_ALG_KEYEDHASH_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_KEYEDHASH_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMS_SCHEME_HMAC_Unmarshal(TPMS_SCHEME_HMAC *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_HMAC_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SCHEME_XOR_Unmarshal(TPMS_SCHEME_XOR *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_XOR_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMU_SCHEME_KEYEDHASH_Unmarshal(TPMU_SCHEME_KEYEDHASH *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SCHEME_KEYEDHASH_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMT_KEYEDHASH_SCHEME_Unmarshal(TPMT_KEYEDHASH_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_KEYEDHASH_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMS_SIG_SCHEME_ECDAA_Unmarshal(TPMS_SIG_SCHEME_ECDAA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_ECDAA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIG_SCHEME_ECDSA_Unmarshal(TPMS_SIG_SCHEME_ECDSA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_ECDSA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIG_SCHEME_ECSCHNORR_Unmarshal(TPMS_SIG_SCHEME_ECSCHNORR *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_ECSCHNORR_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIG_SCHEME_RSAPSS_Unmarshal(TPMS_SIG_SCHEME_RSAPSS *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_RSAPSS_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIG_SCHEME_RSASSA_Unmarshal(TPMS_SIG_SCHEME_RSASSA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_RSASSA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIG_SCHEME_SM2_Unmarshal(TPMS_SIG_SCHEME_SM2 *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_SM2_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMU_SIG_SCHEME_Unmarshal(TPMU_SIG_SCHEME *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SIG_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMT_SIG_SCHEME_Unmarshal(TPMT_SIG_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_SIG_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMS_ENC_SCHEME_OAEP_Unmarshal(TPMS_ENC_SCHEME_OAEP *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ENC_SCHEME_OAEP_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+/* NOTE: Marked as const function in header */
+
+TPM_RC TPMS_ENC_SCHEME_RSAES_Unmarshal(TPMS_ENC_SCHEME_RSAES *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ENC_SCHEME_RSAES_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_KEY_SCHEME_ECDH_Unmarshal(TPMS_KEY_SCHEME_ECDH *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_KEY_SCHEME_ECDH_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_KEY_SCHEME_ECMQV_Unmarshal(TPMS_KEY_SCHEME_ECMQV *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_KEY_SCHEME_ECMQV_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SCHEME_KDF1_SP800_108_Unmarshal(TPMS_SCHEME_KDF1_SP800_108 *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_KDF1_SP800_108_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SCHEME_KDF1_SP800_56A_Unmarshal(TPMS_SCHEME_KDF1_SP800_56A *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_KDF1_SP800_56A_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SCHEME_KDF2_Unmarshal(TPMS_SCHEME_KDF2 *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_KDF2_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SCHEME_MGF1_Unmarshal(TPMS_SCHEME_MGF1 *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_MGF1_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMU_KDF_SCHEME_Unmarshal(TPMU_KDF_SCHEME *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_KDF_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMT_KDF_SCHEME_Unmarshal(TPMT_KDF_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_KDF_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+#if 0
+TPM_RC TPMI_ALG_ASYM_SCHEME_Unmarshal(TPMI_ALG_ASYM_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_ASYM_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+#endif
+
+TPM_RC TPMU_ASYM_SCHEME_Unmarshal(TPMU_ASYM_SCHEME *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_ASYM_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+#if 0
+TPM_RC TPMT_ASYM_SCHEME_Unmarshal(TPMT_ASYM_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_ASYM_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+#endif
+
+TPM_RC TPMI_ALG_RSA_SCHEME_Unmarshal(TPMI_ALG_RSA_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_RSA_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMT_RSA_SCHEME_Unmarshal(TPMT_RSA_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_RSA_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_ALG_RSA_DECRYPT_Unmarshal(TPMI_ALG_RSA_DECRYPT *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_RSA_DECRYPT_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMT_RSA_DECRYPT_Unmarshal(TPMT_RSA_DECRYPT *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_RSA_DECRYPT_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPM2B_PUBLIC_KEY_RSA_Unmarshal(TPM2B_PUBLIC_KEY_RSA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_PUBLIC_KEY_RSA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMI_RSA_KEY_BITS_Unmarshal(TPMI_RSA_KEY_BITS *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RSA_KEY_BITS_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_PRIVATE_KEY_RSA_Unmarshal(TPM2B_PRIVATE_KEY_RSA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_PRIVATE_KEY_RSA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_ECC_PARAMETER_Unmarshal(TPM2B_ECC_PARAMETER *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_ECC_PARAMETER_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_ECC_POINT_Unmarshal(TPMS_ECC_POINT *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ECC_POINT_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_ECC_POINT_Unmarshal(TPM2B_ECC_POINT *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_ECC_POINT_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMI_ALG_ECC_SCHEME_Unmarshal(TPMI_ALG_ECC_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMI_ALG_ECC_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMI_ECC_CURVE_Unmarshal(TPMI_ECC_CURVE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ECC_CURVE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMT_ECC_SCHEME_Unmarshal(TPMT_ECC_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_ECC_SCHEME_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPMS_ALGORITHM_DETAIL_ECC_Unmarshal(TPMS_ALGORITHM_DETAIL_ECC *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ALGORITHM_DETAIL_ECC_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIGNATURE_RSA_Unmarshal(TPMS_SIGNATURE_RSA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_RSA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIGNATURE_RSASSA_Unmarshal(TPMS_SIGNATURE_RSASSA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_RSASSA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIGNATURE_RSAPSS_Unmarshal(TPMS_SIGNATURE_RSAPSS *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_RSAPSS_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIGNATURE_ECC_Unmarshal(TPMS_SIGNATURE_ECC *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_ECC_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIGNATURE_ECDSA_Unmarshal(TPMS_SIGNATURE_ECDSA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_ECDSA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIGNATURE_ECDAA_Unmarshal(TPMS_SIGNATURE_ECDAA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_ECDAA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIGNATURE_SM2_Unmarshal(TPMS_SIGNATURE_SM2 *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_SM2_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_SIGNATURE_ECSCHNORR_Unmarshal(TPMS_SIGNATURE_ECSCHNORR *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_ECSCHNORR_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMU_SIGNATURE_Unmarshal(TPMU_SIGNATURE *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SIGNATURE_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMT_SIGNATURE_Unmarshal(TPMT_SIGNATURE *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_SIGNATURE_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPM2B_ENCRYPTED_SECRET_Unmarshal(TPM2B_ENCRYPTED_SECRET *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_ENCRYPTED_SECRET_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMI_ALG_PUBLIC_Unmarshal(TPMI_ALG_PUBLIC *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_PUBLIC_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMU_PUBLIC_ID_Unmarshal(TPMU_PUBLIC_ID *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_PUBLIC_ID_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMS_KEYEDHASH_PARMS_Unmarshal(TPMS_KEYEDHASH_PARMS *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_KEYEDHASH_PARMS_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+#if 0
+TPM_RC TPMS_ASYM_PARMS_Unmarshal(TPMS_ASYM_PARMS *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ASYM_PARMS_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+#endif
+
+TPM_RC TPMS_RSA_PARMS_Unmarshal(TPMS_RSA_PARMS *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_RSA_PARMS_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_ECC_PARMS_Unmarshal(TPMS_ECC_PARMS *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ECC_PARMS_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMU_PUBLIC_PARMS_Unmarshal(TPMU_PUBLIC_PARMS *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_PUBLIC_PARMS_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMT_PUBLIC_PARMS_Unmarshal(TPMT_PUBLIC_PARMS *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_PUBLIC_PARMS_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMT_PUBLIC_Unmarshal(TPMT_PUBLIC *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPMT_PUBLIC_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPM2B_PUBLIC_Unmarshal(TPM2B_PUBLIC *target, BYTE **buffer, INT32 *size, BOOL allowNull)
+{
+ return TSS_TPM2B_PUBLIC_Unmarshalu(target, buffer, (uint32_t *)size, allowNull);
+}
+
+TPM_RC TPM2B_TEMPLATE_Unmarshal(TPM2B_TEMPLATE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_TEMPLATE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMU_SENSITIVE_COMPOSITE_Unmarshal(TPMU_SENSITIVE_COMPOSITE *target, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SENSITIVE_COMPOSITE_Unmarshalu(target, buffer, (uint32_t *)size, selector);
+}
+
+TPM_RC TPMT_SENSITIVE_Unmarshal(TPMT_SENSITIVE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_SENSITIVE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_SENSITIVE_Unmarshal(TPM2B_SENSITIVE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_SENSITIVE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_PRIVATE_Unmarshal(TPM2B_PRIVATE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_PRIVATE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_ID_OBJECT_Unmarshal(TPM2B_ID_OBJECT *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_ID_OBJECT_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMA_NV_Unmarshal(TPMA_NV *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_NV_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_NV_PUBLIC_Unmarshal(TPMS_NV_PUBLIC *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_NV_PUBLIC_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_NV_PUBLIC_Unmarshal(TPM2B_NV_PUBLIC *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_NV_PUBLIC_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_CONTEXT_SENSITIVE_Unmarshal(TPM2B_CONTEXT_SENSITIVE *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_CONTEXT_SENSITIVE_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_CONTEXT_DATA_Unmarshal(TPMS_CONTEXT_DATA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CONTEXT_DATA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_CONTEXT_DATA_Unmarshal(TPM2B_CONTEXT_DATA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_CONTEXT_DATA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_CONTEXT_Unmarshal(TPMS_CONTEXT *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CONTEXT_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPMS_CREATION_DATA_Unmarshal(TPMS_CREATION_DATA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CREATION_DATA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+TPM_RC TPM2B_CREATION_DATA_Unmarshal(TPM2B_CREATION_DATA *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_CREATION_DATA_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+
+#endif /* TPM_TSS_NOCMDCHECK */
+
+#endif /* TPM_TPM20 */
diff --git a/libstb/tss2/ibmtpm20tss/utils/Unmarshal12.c b/libstb/tss2/ibmtpm20tss/utils/Unmarshal12.c
new file mode 100644
index 0000000..34a4bb1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/Unmarshal12.c
@@ -0,0 +1,542 @@
+/********************************************************************************/
+/* */
+/* Parameter Unmarshaling */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Unmarshal12.c 1285 2018-07-27 18:33:41Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015, 2017 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <string.h>
+
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tpmconstants12.h>
+#include <ibmtss/Unmarshal12_fp.h>
+
+TPM_RC
+TSS_TPM_STARTUP_TYPE_Unmarshalu(TPM_STARTUP_TYPE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_ST_CLEAR:
+ case TPM_ST_STATE:
+ case TPM_ST_DEACTIVATED:
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* 5.0 */
+
+
+TPM_RC
+TSS_TPM_VERSION_Unmarshalu(TPM_VERSION *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->major, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->minor, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->revMajor, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->revMinor, buffer, size);
+ }
+ return rc;
+}
+
+/* 6.0 */
+
+TPM_RC
+TSS_TPM_TAG_Unmarshalu(TPM_TAG *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(target, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ switch (*target) {
+ case TPM_TAG_RSP_COMMAND:
+ case TPM_TAG_RSP_AUTH1_COMMAND:
+ case TPM_TAG_RSP_AUTH2_COMMAND:
+ break;
+ default:
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* 8.0 */
+
+TPM_RC
+TSS_TPM_PCR_SELECTION_Unmarshalu(TPM_PCR_SELECTION *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->sizeOfSelect, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->sizeOfSelect > sizeof(target->pcrSelect)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->pcrSelect, target->sizeOfSelect, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM4B_TPM_PCR_INFO_LONG_Unmarshalu(TPM_PCR_INFO_LONG *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t sizeRead32;
+ uint32_t startSize;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&sizeRead32, buffer, size);
+ }
+ if (rc == 0) {
+ if (sizeRead32 == 0) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ startSize = *size;
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_INFO_LONG_Unmarshalu(target, buffer, size);
+ }
+ if (rc == 0) {
+ if (sizeRead32 != startSize - *size) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_PCR_INFO_LONG_Unmarshalu(TPM_PCR_INFO_LONG *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->localityAtCreation, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->localityAtRelease, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_SELECTION_Unmarshalu(&target->creationPCRSelection, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_SELECTION_Unmarshalu(&target->releasePCRSelection, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->digestAtCreation, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->digestAtRelease, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_PCR_INFO_SHORT_Unmarshalu(TPM_PCR_INFO_SHORT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_SELECTION_Unmarshalu(&target->pcrSelection, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->localityAtRelease, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->digestAtRelease, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ return rc;
+}
+
+/* 9.0 */
+
+TPM_RC
+TSS_TPM_SYMMETRIC_KEY_Unmarshalu(TPM_SYMMETRIC_KEY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->algId, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->encScheme, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->size, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->size > sizeof(target->data)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->data, target->size, buffer, size);
+ }
+ return rc;
+}
+
+/* 10.0 */
+
+TPM_RC
+TSS_TPM_RSA_KEY_PARMS_Unmarshalu(TPM_RSA_KEY_PARMS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->keyLength, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->numPrimes, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->exponentSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->exponentSize > sizeof(target->exponent)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->exponent, target->exponentSize, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPMU_PARMS_Unmarshalu(TPMU_PARMS *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+ case TPM_ALG_RSA: /* A structure of type TPM_RSA_KEY_PARMS */
+ rc = TSS_TPM_RSA_KEY_PARMS_Unmarshalu(&target->rsaParms, buffer, size);
+ break;
+ case TPM_ALG_AES128: /* A structure of type TPM_SYMMETRIC_KEY_PARMS */
+ /* not implemented yet */
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM4B_TPMU_PARMS_Unmarshalu(TPMU_PARMS *target, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ uint32_t sizeRead32;
+ uint32_t startSize;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&sizeRead32, buffer, size);
+ }
+ if (rc == 0) {
+ if (sizeRead32 == 0) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ startSize = *size;
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_PARMS_Unmarshalu(target, buffer, size, selector);
+ }
+ if (rc == 0) {
+ if (sizeRead32 != startSize - *size) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_KEY_PARMS_Unmarshalu(TPM_KEY_PARMS *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->algorithmID, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->encScheme, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->sigScheme, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM4B_TPMU_PARMS_Unmarshalu(&target->parms, buffer, size, target->algorithmID);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_KEY12_Unmarshalu(TPM_KEY12 *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->fill, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->keyUsage, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->keyFlags, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->authDataUsage, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY_PARMS_Unmarshalu(&target->algorithmParms, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM4B_TPM_PCR_INFO_LONG_Unmarshalu(&target->PCRInfo, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_STORE_PUBKEY_Unmarshalu(&target->pubKey, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_STORE_PUBKEY_Unmarshalu(&target->encData, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_STORE_PUBKEY_Unmarshalu(TPM_STORE_PUBKEY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->keyLength, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->keyLength > sizeof(target->key)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->key, target->keyLength, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_PUBKEY_Unmarshalu(TPM_PUBKEY *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_KEY_PARMS_Unmarshalu(&target->algorithmParms, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_STORE_PUBKEY_Unmarshalu(&target->pubKey, buffer, size);
+ }
+ return rc;
+}
+
+/* 19 */
+
+TPM_RC
+TSS_TPM_NV_ATTRIBUTES_Unmarshalu(TPM_NV_ATTRIBUTES *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->attributes, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_NV_DATA_PUBLIC_Unmarshalu(TPM_NV_DATA_PUBLIC *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->nvIndex, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_INFO_SHORT_Unmarshalu(&target->pcrInfoRead, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_INFO_SHORT_Unmarshalu(&target->pcrInfoWrite, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_NV_ATTRIBUTES_Unmarshalu(&target->permission, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->bReadSTClear, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->bWriteSTClear, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->bWriteDefine, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->dataSize, buffer, size);
+ }
+ return rc;
+}
+
+/* 21 */
+
+TPM_RC
+TSS_TPM_CAP_VERSION_INFO_Unmarshalu(TPM_CAP_VERSION_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_VERSION_Unmarshalu(&target->version, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->specLevel, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->errataRev, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->tpmVendorID, sizeof(target->tpmVendorID), buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->vendorSpecificSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->vendorSpecificSize > sizeof(target->vendorSpecific)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->vendorSpecific, target->vendorSpecificSize, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_DA_INFO_Unmarshalu(TPM_DA_INFO *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->state, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->currentCount, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->thresholdCount, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_DA_ACTION_TYPE_Unmarshalu(&target->actionAtThreshold, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->actionDependValue, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->vendorDataSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->vendorDataSize > sizeof(target->vendorData)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->vendorData, target->vendorDataSize , buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_DA_INFO_LIMITED_Unmarshalu(TPM_DA_INFO_LIMITED *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->state, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_DA_ACTION_TYPE_Unmarshalu(&target->actionAtThreshold, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->vendorDataSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->vendorDataSize > sizeof(target->vendorData)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->vendorData, target->vendorDataSize , buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_DA_ACTION_TYPE_Unmarshalu(TPM_DA_ACTION_TYPE *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->tag, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->actions, buffer, size);
+ }
+ return rc;
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/activatecredential.c b/libstb/tss2/ibmtpm20tss/utils/activatecredential.c
new file mode 100644
index 0000000..07be715
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/activatecredential.c
@@ -0,0 +1,328 @@
+/********************************************************************************/
+/* */
+/* ActivateCredential */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ActivateCredential_In in;
+ ActivateCredential_Out out;
+ TPMI_DH_OBJECT activateHandle = 0;
+ TPMI_DH_OBJECT keyHandle = 0;
+ const char *inputCredentialFilename = NULL;
+ const char *secretFilename = NULL;
+ const char *outputCredentialFilename = NULL;
+ const char *activatePassword = NULL;
+ const char *keyPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RS_PW;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-icred") == 0) {
+ i++;
+ if (i < argc) {
+ inputCredentialFilename = argv[i];
+ }
+ else {
+ printf("-icred option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ocred") == 0) {
+ i++;
+ if (i < argc) {
+ outputCredentialFilename = argv[i];
+ }
+ else {
+ printf("-ocred option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-is") == 0) {
+ i++;
+ if (i < argc) {
+ secretFilename = argv[i];
+ }
+ else {
+ printf("-is option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &activateHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &keyHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ activatePassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (activateHandle == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (keyHandle == 0) {
+ printf("Missing handle parameter -hk\n");
+ printUsage();
+ }
+ if (inputCredentialFilename == NULL) {
+ printf("Missing name parameter -icred\n");
+ printUsage();
+ }
+ if (secretFilename == NULL) {
+ printf("Missing name parameter -is\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.activateHandle = activateHandle;
+ in.keyHandle = keyHandle;
+ }
+ /* read the credential */
+ if (rc == 0) {
+ rc = TSS_File_ReadStructure(&in.credentialBlob,
+ (UnmarshalFunction_t)TSS_TPM2B_ID_OBJECT_Unmarshalu,
+ inputCredentialFilename);
+ }
+ /* read the secret */
+ if (rc == 0) {
+ rc = TSS_File_ReadStructure(&in.secret,
+ (UnmarshalFunction_t)TSS_TPM2B_ENCRYPTED_SECRET_Unmarshalu,
+ secretFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ActivateCredential,
+ sessionHandle0, activatePassword, sessionAttributes0,
+ sessionHandle1, keyPassword, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /* optionally save the certInfo */
+ if ((rc == 0) && (outputCredentialFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.certInfo.t.buffer,
+ out.certInfo.t.size,
+ outputCredentialFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("activatecredential: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("activatecredential: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("activatecredential\n");
+ printf("\n");
+ printf("Runs TPM2_ActivateCredential\n");
+ printf("\n");
+ printf("\t-ha\tactivation handle of object associated with the certificate\n");
+ printf("\t-hk\thandle of loaded decryption key\n");
+ printf("\t-icred\tinput credential file name\n");
+ printf("\t-is\tsecret file name\n");
+ printf("\n");
+ printf("\t[-pwda\tpassword for activation key (default empty)]\n");
+ printf("\t[-pwdk\tpassword for decryption key (default empty)]\n");
+ printf("\t[-ocred\t output credential file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2]\tsession handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
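Review bot: The `-pwda` branch reports the wrong option name when its value is missing — the message at the `-pwda` else-branch reads `-pwdp option needs a value`, so a user who typed `-pwda` as the last argument is told about an option this tool does not have; it should be `printf("-pwda option needs a value\n");`. Related but minor: none of the `sscanf(argv[i],"%x", ...)` calls for `-ha`, `-hk` and `-se[0-2]` check their return value, so a non-hex handle is silently left at its initial value — for `-ha`/`-hk` that surfaces later as a misleading "Missing handle parameter" message, while for the session handles it passes through to TSS_Execute unnoticed; checking `sscanf(...) != 1` and calling printUsage() there would make the failure explicit. The empty `/* */` comment block after the license header also looks like a leftover and could be dropped or filled with a one-line description of the tool.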
diff --git a/libstb/tss2/ibmtpm20tss/utils/applink.c b/libstb/tss2/ibmtpm20tss/utils/applink.c
new file mode 100644
index 0000000..92d9c87
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/applink.c
@@ -0,0 +1,107 @@
+#define APPLINK_STDIN 1
+#define APPLINK_STDOUT 2
+#define APPLINK_STDERR 3
+#define APPLINK_FPRINTF 4
+#define APPLINK_FGETS 5
+#define APPLINK_FREAD 6
+#define APPLINK_FWRITE 7
+#define APPLINK_FSETMOD 8
+#define APPLINK_FEOF 9
+#define APPLINK_FCLOSE 10 /* should not be used */
+
+#define APPLINK_FOPEN 11 /* solely for completeness */
+#define APPLINK_FSEEK 12
+#define APPLINK_FTELL 13
+#define APPLINK_FFLUSH 14
+#define APPLINK_FERROR 15
+#define APPLINK_CLEARERR 16
+#define APPLINK_FILENO 17 /* to be used with below */
+
+#define APPLINK_OPEN 18 /* formally can't be used, as flags can vary */
+#define APPLINK_READ 19
+#define APPLINK_WRITE 20
+#define APPLINK_LSEEK 21
+#define APPLINK_CLOSE 22
+#define APPLINK_MAX 22 /* always same as last macro */
+
+#ifndef APPMACROS_ONLY
+#include <stdio.h>
+#include <io.h>
+#include <fcntl.h>
+
+static void *app_stdin(void) { return stdin; }
+static void *app_stdout(void) { return stdout; }
+static void *app_stderr(void) { return stderr; }
+static int app_feof(FILE *fp) { return feof(fp); }
+static int app_ferror(FILE *fp) { return ferror(fp); }
+static void app_clearerr(FILE *fp) { clearerr(fp); }
+static int app_fileno(FILE *fp) { return _fileno(fp); }
+static int app_fsetmod(FILE *fp,char mod)
+{ return _setmode (_fileno(fp),mod=='b'?_O_BINARY:_O_TEXT); }
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ /* function prototype */
+__declspec(dllexport)
+void **
+#if defined(__BORLANDC__)
+ __stdcall /* __stdcall appears to be the only way to get the name
+ * decoration right with Borland C. Otherwise it works
+ * purely incidentally, as we pass no parameters. */
+#else
+ __cdecl
+#endif
+ OPENSSL_Applink(void);
+
+ /* function implementation */
+ __declspec(dllexport)
+void **
+#if defined(__BORLANDC__)
+__stdcall /* __stdcall appears to be the only way to get the name
+ * decoration right with Borland C. Otherwise it works
+ * purely incidentally, as we pass no parameters. */
+#else
+__cdecl
+#endif
+OPENSSL_Applink(void)
+{ static int once=1;
+ static void *OPENSSL_ApplinkTable[APPLINK_MAX+1]={(void *)APPLINK_MAX};
+
+ if (once)
+ { OPENSSL_ApplinkTable[APPLINK_STDIN] = app_stdin;
+ OPENSSL_ApplinkTable[APPLINK_STDOUT] = app_stdout;
+ OPENSSL_ApplinkTable[APPLINK_STDERR] = app_stderr;
+ OPENSSL_ApplinkTable[APPLINK_FPRINTF] = fprintf;
+ OPENSSL_ApplinkTable[APPLINK_FGETS] = fgets;
+ OPENSSL_ApplinkTable[APPLINK_FREAD] = fread;
+ OPENSSL_ApplinkTable[APPLINK_FWRITE] = fwrite;
+ OPENSSL_ApplinkTable[APPLINK_FSETMOD] = app_fsetmod;
+ OPENSSL_ApplinkTable[APPLINK_FEOF] = app_feof;
+ OPENSSL_ApplinkTable[APPLINK_FCLOSE] = fclose;
+
+ OPENSSL_ApplinkTable[APPLINK_FOPEN] = fopen;
+ OPENSSL_ApplinkTable[APPLINK_FSEEK] = fseek;
+ OPENSSL_ApplinkTable[APPLINK_FTELL] = ftell;
+ OPENSSL_ApplinkTable[APPLINK_FFLUSH] = fflush;
+ OPENSSL_ApplinkTable[APPLINK_FERROR] = app_ferror;
+ OPENSSL_ApplinkTable[APPLINK_CLEARERR] = app_clearerr;
+ OPENSSL_ApplinkTable[APPLINK_FILENO] = app_fileno;
+
+ OPENSSL_ApplinkTable[APPLINK_OPEN] = _open;
+ OPENSSL_ApplinkTable[APPLINK_READ] = _read;
+ OPENSSL_ApplinkTable[APPLINK_WRITE] = _write;
+ OPENSSL_ApplinkTable[APPLINK_LSEEK] = _lseek;
+ OPENSSL_ApplinkTable[APPLINK_CLOSE] = _close;
+
+ once = 0;
+ }
+
+ return OPENSSL_ApplinkTable;
+}
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/cakey.pem b/libstb/tss2/ibmtpm20tss/utils/cakey.pem
new file mode 100644
index 0000000..cd24444
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/cakey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,DC8B29E70BAB3352C50FCDD88DCF6D71
+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-----END RSA PRIVATE KEY-----
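Review bot: cakey.pem checks a PEM-encoded RSA private key into the tree (encrypted, per `Proc-Type: 4,ENCRYPTED` / `DEK-Info: AES-256-CBC`), and cakeyecc.pem in the next hunk does the same for an ECC key. These are presumably the test CA keys that the utilities use when producing certificates against a software TPM, but a private key committed to a public repository has to be treated as compromised regardless of its passphrase, and secret scanners run against the skiboot tree will flag both files. If they are required for the test flow, a README entry in the subtree stating that they are test-only and must never sign anything trusted would make that explicit, and it is worth confirming that neither file ends up in any production build or install target.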
diff --git a/libstb/tss2/ibmtpm20tss/utils/cakeyecc.pem b/libstb/tss2/ibmtpm20tss/utils/cakeyecc.pem
new file mode 100644
index 0000000..498ded4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/cakeyecc.pem
@@ -0,0 +1,7 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIHeMEkGCSqGSIb3DQEFDTA8MBsGCSqGSIb3DQEFDDAOBAiv+ODLOPcsbwICCAAw
+HQYJYIZIAWUDBAEqBBC/F0OaeoTz2ROpX89quSvWBIGQl4BxlX1Lvy31myw1vPN0
+w/1Wqozirz53nIsVN/q+jV4zgx4fu/KWqKMFYwtb+BkGWBueCh5jRJ9YvEqMpUl+
+LX4YgKGm7q4LQaf3DdRaWc5/99iIzMsdwGt/nbpZ0eyl1gwnwkU4+06RTE1156Li
+AnZcGYkwxCS8DKdy7qeU9n915io+A9hJucwXjvHOOo0S
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/.cvsignore b/libstb/tss2/ibmtpm20tss/utils/certificates/.cvsignore
new file mode 100644
index 0000000..455c618
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/.cvsignore
@@ -0,0 +1,4 @@
+*.dump
+*.der
+*.cer
+*.crt
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_01.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_01.pem
new file mode 100644
index 0000000..738637b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_01.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_02.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_02.pem
new file mode 100644
index 0000000..d287844
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_02.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_03.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_03.pem
new file mode 100644
index 0000000..14e0703
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_03.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEnzCCA4egAwIBAgIEH7fYljANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJE
+RTEQMA4GA1UECBMHQmF2YXJpYTEhMB8GA1UEChMYSW5maW5lb24gVGVjaG5vbG9n
+aWVzIEFHMQwwCgYDVQQLEwNBSU0xGzAZBgNVBAMTEklGWCBUUE0gRUsgUm9vdCBD
+QTAeFw0wNzA0MTMxNjQ0MjRaFw0yNzA0MTMxNjQ0MjRaMHcxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZTYXhvbnkxITAfBgNVBAoTGEluZmluZW9uIFRlY2hub2xvZ2ll
+cyBBRzEMMAoGA1UECxMDQUlNMSYwJAYDVQQDEx1JRlggVFBNIEVLIEludGVybWVk
+aWF0ZSBDQSAwMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJWdPAuH
+z/p1tIwB1QXlPD/PjedZ4uBZdwPH5tI3Uve0TzbR/mO5clx/loWn7nZ5cHkH1nhB
+R67JEFY0a9GithPfITh0XRxPcisLBE/SoqZ90KHFaS+N6SwOpdCP0GlUg1OesKCF
+79Z6fXrkTZsVpPqdawdZK+oUsDO9z9U6xqV7bwsS75Y+QiHsm6UTgAkSNQnuFMP3
+NqQyDi/BaWaYRGQ6K8pM7Y7e1h21z/+5X7LncZXU8hgpYpu2zQPg96IkYboVUKL4
+00snaPcOvfagsBUGlBltNfz7geaSuWTCdwEiwlkCYZqCtbkAj5FiStajrzP72BfT
+2fshIv+5eF7Qp5ECAwEAAaOCATswggE3MB0GA1UdDgQWBBTGyypNtylL6RFyT1BB
+MQtMQvibsjAOBgNVHQ8BAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADBYBgNV
+HSABAf8ETjBMMEoGC2CGSAGG+EUBBy8BMDswOQYIKwYBBQUHAgEWLWh0dHA6Ly93
+d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvaW5kZXguaHRtbDCBlwYDVR0jBIGP
+MIGMgBRW65FEhWPWcrOu1EWWC/eUDlRCpqFxpG8wbTELMAkGA1UEBhMCREUxEDAO
+BgNVBAgTB0JhdmFyaWExITAfBgNVBAoTGEluZmluZW9uIFRlY2hub2xvZ2llcyBB
+RzEMMAoGA1UECxMDQUlNMRswGQYDVQQDExJJRlggVFBNIEVLIFJvb3QgQ0GCAQMw
+DQYJKoZIhvcNAQEFBQADggEBAGN1bkh4J90DGcOPP2BlwE6ejJ0iDKf1zF+7CLu5
+WS5K4dvuzsWUoQ5eplUt1LrIlorLr46mLokZD0RTG8t49Rcw4AvxMgWk7oYk69q2
+0MGwXwgZ5OQypHaPwslmddLcX+RyEvjrdGpQx3E/87ZrQP8OKnmqI3pBlB8QwCGL
+SV9AERaGDpzIHoObLlUjgHuD6aFekPfeIu1xbN25oZCWmqFVIhkKxWE1Xu+qqHIA
+dnCFhoIWH3ie9OsJh/iDRaANYYGyplIibDx1FJA8fqiBiBBKUlPoJvbqmZs4meMd
+OoeOuCvQ7op28UtaoV6H6BSYmN5dOgW7r1lX2Re0nd84NGE=
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_04.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_04.pem
new file mode 100644
index 0000000..9a94f1d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_04.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_05.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_05.pem
new file mode 100644
index 0000000..d7376ac
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_05.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_08.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_08.pem
new file mode 100644
index 0000000..f23eef0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_08.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_17.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_17.pem
new file mode 100644
index 0000000..89fb7c6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_17.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_18.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_18.pem
new file mode 100644
index 0000000..af1a703
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_18.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_20.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_20.pem
new file mode 100644
index 0000000..10c6fe9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_20.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_21.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_21.pem
new file mode 100644
index 0000000..fbc00fb
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Intermediate_CA_21.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Root_CA.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Root_CA.pem
new file mode 100644
index 0000000..4fe98e7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IFX_TPM_EK_Root_CA.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEUDCCAzigAwIBAgIQRyQE4N8hgD99IM2HSOq5WjANBgkqhkiG9w0BAQUFADCB
+ljELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTswOQYDVQQL
+EzJWZXJpU2lnbiBUcnVzdGVkIENvbXB1dGluZyBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTExMC8GA1UEAxMoVmVyaVNpZ24gVHJ1c3RlZCBQbGF0Zm9ybSBNb2R1bGUg
+Um9vdCBDQTAeFw0wNTEwMjUwMDAwMDBaFw0zMDEwMjQyMzU5NTlaMG0xCzAJBgNV
+BAYTAkRFMRAwDgYDVQQIEwdCYXZhcmlhMSEwHwYDVQQKExhJbmZpbmVvbiBUZWNo
+bm9sb2dpZXMgQUcxDDAKBgNVBAsTA0FJTTEbMBkGA1UEAxMSSUZYIFRQTSBFSyBS
+b290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1yZqFFg0PLDo
+cW7Fyis2Xe5vERxnJ+KlEMUOQnrw5At9f0/ggovDM8uCVW71T6e24T6HH6kUQZCt
+yddtsaf0tebmA3TxjiuBzBAtT6qyns35+sXuL6uZaLnjGKXDv+uByOzpmBXUSwq1
+tdSTPQ0wWWQ6v/qwKofZdxAaPCTIBw61G08rkUT42a1hPESmVFrmc5hcnn4AQmJE
+cjcOhClwIKE9OQw8TzI+7ncgCZlY3FZFKqHp7NRNnaihpmKbHvn5wXIUnKuvS4iZ
+HqSbzGBuZ0ogqJ22ruDJi+JWYUWBmgI1JO85CPJ1Q58t0ME3hM3oWeqV6adWUcIc
+IpclkYQWlwIDAQABo4HBMIG+MBIGA1UdEwEB/wQIMAYBAf8CAQEwWAYDVR0gAQH/
+BE4wTDBKBgtghkgBhvhFAQcvATA7MDkGCCsGAQUFBwIBFi1odHRwOi8vd3d3LnZl
+cmlzaWduLmNvbS9yZXBvc2l0b3J5L2luZGV4Lmh0bWwwDgYDVR0PAQH/BAQDAgIE
+MB0GA1UdDgQWBBRW65FEhWPWcrOu1EWWC/eUDlRCpjAfBgNVHSMEGDAWgBQPFPXj
+IIhEFsomv40fzjcV6kVvBjANBgkqhkiG9w0BAQUFAAOCAQEAWKL5zsV8p/TZk3mt
+9m9NAqXWBDVHBnDgBE+Qphf25s+3s098vkWVLTddH3PtddF3MEYC4W8+dn4tyFe9
+mQ+96q8dwJdNabwBokrZy2beL71CXt/4jYNN0j/N9uYO4vIDBFDKRMWCtUO217+w
+xQTSOv5+mpgFw7UML/QpgpdmZy2i+eZPxDo8dzT+YJXC5vsHVSooA3rWDDzvnoLC
+cmDDiT3pG6AdjAN61MeeHHmoJavV8Tvdoa3g14Sn1lL+TQ1xaznyh520sX0dXPTp
+GqZbDzqEMiVbG7vFECqINE96/rwppJlWK91F1MZikGXr7FeF5C0JutGLb0gaYOmv
+Yau4DQ==
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-IFX_TPM_EK_Intermediate_CA_48-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-IFX_TPM_EK_Intermediate_CA_48-C-v01_00-EN.pem
new file mode 100644
index 0000000..bfc5726
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-IFX_TPM_EK_Intermediate_CA_48-C-v01_00-EN.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEJDCCAwygAwIBAgIEZmv8sDANBgkqhkiG9w0BAQUFADBtMQswCQYDVQQGEwJE
+RTEQMA4GA1UECBMHQmF2YXJpYTEhMB8GA1UEChMYSW5maW5lb24gVGVjaG5vbG9n
+aWVzIEFHMQwwCgYDVQQLEwNBSU0xGzAZBgNVBAMTEklGWCBUUE0gRUsgUm9vdCBD
+QTAeFw0xNzA4MjExMzM0MzhaFw0zMDEwMTgyMzU5NTlaMHcxCzAJBgNVBAYTAkRF
+MQ8wDQYDVQQIEwZTYXhvbnkxITAfBgNVBAoTGEluZmluZW9uIFRlY2hub2xvZ2ll
+cyBBRzEMMAoGA1UECxMDQUlNMSYwJAYDVQQDEx1JRlggVFBNIEVLIEludGVybWVk
+aWF0ZSBDQSA0ODCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOhEJeRA
+L+2FCGv1Gp58ZomkW57YaxYF8tX75eV3H37eBg65bsr9fivzLI93zOnQhVP8rFqA
+MxWWvkm3mPGtbVgCCdQU6KpPBb9y4d5EnJXC5TQ6eqOj/h40Dv98PGNxuuxIXf5N
+iYkTs2C7qe0ZvxMFMbC+Zh7LpU7X6seE4tzNFS67xYNNTMen/K/QwEgWNxzRxO9+
+Dwi0ybzX0yFnLF6mX17+p2D7mk9QlLso1pyaK7eLTo3boletX1Hy43E7SrXZDOhW
+WIfKL7to2/szblRPZza1LcPD6q9HfqzTsnq4pGxIji61Hm4lLYb7272GBMp8i9LM
+dZG5zbvvM4ujyKUCAwEAAaOBwTCBvjAdBgNVHQ4EFgQUm8NagruRQWj2xTVYfo1w
+iLz1jlYwDgYDVR0PAQH/BAQDAgIEMBIGA1UdEwEB/wQIMAYBAf8CAQAwWAYDVR0g
+AQH/BE4wTDBKBgtghkgBhvhFAQcvATA7MDkGCCsGAQUFBwIBFi1odHRwOi8vd3d3
+LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L2luZGV4Lmh0bWwwHwYDVR0jBBgwFoAU
+VuuRRIVj1nKzrtRFlgv3lA5UQqYwDQYJKoZIhvcNAQEFBQADggEBAJqCjlFEJD3u
+7ZeAOZoYz6nU7EHV2CbMpUSFUUZ1j0npIBDIfnOCJFj5xnysdN1GnruhHPqHyTPp
+wcUNeXgpGh02/peR1Pt5nPz87RBgdkzApPEDZAONmsBPhZGW20jIojJYeOsIWT2r
+9nWSc8TaNLC9c+lo5P2oZT4aRB1SKdk4HPd2ZJLOFL1ziEIuNVwtJ1vjQVB3OaBi
+PSIu56xopxEKsuEJzoGwFvDWxhVM3jN9qM1vyOYuU11kMr0zyFwW1dv8evKkNvZ/
+f5WCfvnusaV8KgsxOxwiP9zHcqQ5pMj6ZZX/AB6w7R81HQ4TKh7dgenkzDuJRUbA
+xH34CWV0uvo=
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-Infineon_TPM_EK_Intermediate_CA25-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-Infineon_TPM_EK_Intermediate_CA25-C-v01_00-EN.pem
new file mode 100644
index 0000000..a23fd09
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-Infineon_TPM_EK_Intermediate_CA25-C-v01_00-EN.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-OPTIGA(TM)_ECC_Manufacturing_CA_011.crt-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-OPTIGA(TM)_ECC_Manufacturing_CA_011.crt-C-v01_00-EN.pem
new file mode 100644
index 0000000..74fdcb6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-OPTIGA(TM)_ECC_Manufacturing_CA_011.crt-C-v01_00-EN.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAs2gAwIBAgIEAxHqozAKBggqhkjOPQQDAzB3MQswCQYDVQQGEwJERTEh
+MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ
+R0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgRUND
+IFJvb3QgQ0EwHhcNMTUwODI3MTIzMjM5WhcNMzUwODI3MTIzMjM5WjCBgzELMAkG
+A1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEaMBgG
+A1UECwwRT1BUSUdBKFRNKSBUUE0yLjAxNTAzBgNVBAMMLEluZmluZW9uIE9QVElH
+QShUTSkgRUNDIE1hbnVmYWN0dXJpbmcgQ0EgMDExMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAEEFSwmnoHF+cFvvzNGm8WrWz7Dja7KFVsiSYeZzE9Svn9AduLqbfC
+hhlUF/JntiuWgn5LK6Z3ITHPEg9DgCa/3KOCATgwggE0MFcGCCsGAQUFBwEBBEsw
+STBHBggrBgEFBQcwAoY7aHR0cDovL3BraS5pbmZpbmVvbi5jb20vT3B0aWdhRWNj
+Um9vdENBL09wdGlnYUVjY1Jvb3RDQS5jcnQwHQYDVR0OBBYEFJF3PLhoJOHBlUnt
+isEz3ManNpuFMA4GA1UdDwEB/wQEAwIABjASBgNVHRMBAf8ECDAGAQH/AgEAMEwG
+A1UdHwRFMEMwQaA/oD2GO2h0dHA6Ly9wa2kuaW5maW5lb24uY29tL09wdGlnYUVj
+Y1Jvb3RDQS9PcHRpZ2FFY2NSb290Q0EuY3JsMBUGA1UdIAQOMAwwCgYIKoIUAEQB
+FAEwHwYDVR0jBBgwFoAUtBiFyEpKxRJ68kA53sT1ix5+StEwEAYDVR0lBAkwBwYF
+Z4EFCAEwCgYIKoZIzj0EAwMDaQAwZgIxAPjxzTlhPxleoQE9IGaEXWP5w4OjC+Zw
+2aaSk+f46h8O4FZK3Csf1XzIoa0tLG4O3wIxALssqv1PeM0rotzWRTjTF4cJ9GfX
+TvSHONnkZyiiOxMJGgjPmW6fRZshWROK7eU7uw==
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-OPTIGA(TM)_RSA_Manufacturing_CA_011.crt-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-OPTIGA(TM)_RSA_Manufacturing_CA_011.crt-C-v01_00-EN.pem
new file mode 100644
index 0000000..ea8c357
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-OPTIGA(TM)_RSA_Manufacturing_CA_011.crt-C-v01_00-EN.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM1.2_VRSN_root_certificate-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM1.2_VRSN_root_certificate-C-v01_00-EN.pem
new file mode 100644
index 0000000..fa0a280
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM1.2_VRSN_root_certificate-C-v01_00-EN.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID9zCCAt+gAwIBAgIQc3HALwPpy5ENrJ49S+Yo0TANBgkqhkiG9w0BAQUFADCB
+ljELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTswOQYDVQQL
+EzJWZXJpU2lnbiBUcnVzdGVkIENvbXB1dGluZyBDZXJ0aWZpY2F0aW9uIEF1dGhv
+cml0eTExMC8GA1UEAxMoVmVyaVNpZ24gVHJ1c3RlZCBQbGF0Zm9ybSBNb2R1bGUg
+Um9vdCBDQTAeFw0wNTEwMjUwMDAwMDBaFw00NTEwMjQyMzU5NTlaMIGWMQswCQYD
+VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xOzA5BgNVBAsTMlZlcmlT
+aWduIFRydXN0ZWQgQ29tcHV0aW5nIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MTEw
+LwYDVQQDEyhWZXJpU2lnbiBUcnVzdGVkIFBsYXRmb3JtIE1vZHVsZSBSb290IENB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2VBrQOh7Y1WHczxt1IGn
+rlBKKr0K6OZXVllr6F5vuF0lneajCRpxZJUne7v7/apxesr59LrQcDbOktlrGXXz
+OXjKBaXZBkKOO8ROIE2Ae6rslOMynlPHWP4HKdogZe3LPPViuC14uhgz5iXJ8pFf
+UQdKxCdKWTzICg0B+l46pp42Fxr83eR72O9kSzEqijkaYdoDx06yxWALguUGzS7H
+5sycnu2tAGDGFrmsQoh8mK4FUi5vce8JuWuhirCXZzmP/fV4tYndw+HJS/D7XuWk
+BWcbm0clLTbmYZ7Ae1rl1XTP5pd8Q3cHGB6R0HcXyACyE4Vjp/g0J3HJjHd3L6Tr
+wwIDAQABoz8wPTAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4E
+FgQUDxT14yCIRBbKJr+NH843FepFbwYwDQYJKoZIhvcNAQEFBQADggEBAH6Ujdhq
+L8b38+swPJ2Jowu7UxcgzRWr2ayLqx8MwQkN1giSLsxcj6sHseMwqHLz2fCFfK2W
+Si5ZeyIWlB1TOJtwdpcmafFNPs0hOWWyl3D4uY2kfiQFu+GdpRtM7T+lsgDLlXvz
+t6nW2TscwGRKZA34hhvtE7294JJ56DlIcdSm3CY9MBvJ+pF2LyOC1NddHDf8ywKE
+XA9CXVmu3dpvwE+s7flQPS2E+y5EaWkXtKso2JTaHMS3PSwSJRhmknf/QtEkPZfb
+jzbhZZxVu48EZKOJL8lXzqm4hgpf7kX+WrVsCAny6AJkNn1xsQfvT0Y5OaVNH2RF
+j4ORjyt4A5du3H4=
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_ECC_Root_CA-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_ECC_Root_CA-C-v01_00-EN.pem
new file mode 100644
index 0000000..50544dd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_ECC_Root_CA-C-v01_00-EN.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA29-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA29-C-v01_00-EN.pem
new file mode 100644
index 0000000..2a7e2e2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA29-C-v01_00-EN.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_49-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_49-C-v01_00-EN.pem
new file mode 100644
index 0000000..7b2b168
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_49-C-v01_00-EN.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_53-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_53-C-v01_00-EN.pem
new file mode 100644
index 0000000..31b3fb2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_53-C-v01_00-EN.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_54-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_54-C-v01_00-EN.pem
new file mode 100644
index 0000000..810bc9b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_54-C-v01_00-EN.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_62-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_62-C-v01_00-EN.pem
new file mode 100644
index 0000000..44fb62f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_62-C-v01_00-EN.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_63-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_63-C-v01_00-EN.pem
new file mode 100644
index 0000000..463f838
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_EK_Intermediate_CA_63-C-v01_00-EN.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_RSA_Root_CA-C-v01_00-EN.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_RSA_Root_CA-C-v01_00-EN.pem
new file mode 100644
index 0000000..939d7be
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/Infineon-TPM_RSA_Root_CA-C-v01_00-EN.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonECCChain010.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonECCChain010.pem
new file mode 100644
index 0000000..cd9b1c4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonECCChain010.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonOPTIGAECCManufacturingCA010.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonOPTIGAECCManufacturingCA010.pem
new file mode 100644
index 0000000..352d0d8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonOPTIGAECCManufacturingCA010.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDRzCCAs2gAwIBAgIES+VajjAKBggqhkjOPQQDAzB3MQswCQYDVQQGEwJERTEh
+MB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJPUFRJ
+R0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkgRUND
+IFJvb3QgQ0EwHhcNMTUwODI3MTIzMjEzWhcNMzUwODI3MTIzMjEzWjCBgzELMAkG
+A1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEaMBgG
+A1UECwwRT1BUSUdBKFRNKSBUUE0yLjAxNTAzBgNVBAMMLEluZmluZW9uIE9QVElH
+QShUTSkgRUNDIE1hbnVmYWN0dXJpbmcgQ0EgMDEwMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAEmNM2OAm+Z8nWW8uHW1r2td77f6n1J6nQt8tT4PG6nx/PInVVpo5z
+CB0wlYJhZT/bwWM5fgaYBe/KsruY7tUea6OCATgwggE0MFcGCCsGAQUFBwEBBEsw
+STBHBggrBgEFBQcwAoY7aHR0cDovL3BraS5pbmZpbmVvbi5jb20vT3B0aWdhRWNj
+Um9vdENBL09wdGlnYUVjY1Jvb3RDQS5jcnQwHQYDVR0OBBYEFB/N+47OQIZ12WPl
+5RCNVcmE3Xl6MA4GA1UdDwEB/wQEAwIABjASBgNVHRMBAf8ECDAGAQH/AgEAMEwG
+A1UdHwRFMEMwQaA/oD2GO2h0dHA6Ly9wa2kuaW5maW5lb24uY29tL09wdGlnYUVj
+Y1Jvb3RDQS9PcHRpZ2FFY2NSb290Q0EuY3JsMBUGA1UdIAQOMAwwCgYIKoIUAEQB
+FAEwHwYDVR0jBBgwFoAUtBiFyEpKxRJ68kA53sT1ix5+StEwEAYDVR0lBAkwBwYF
+Z4EFCAEwCgYIKoZIzj0EAwMDaAAwZQIwQm072iAm/wOXnhC0Zn632aUqJZESMNfy
+/iA9jmpWqfiDq3mpIni+nYz8FJ0E5qM2AjEAtFT6U066B4jGvuK2uMDcP8IHxSle
+pjHLOVkOV0MoZ6CkK4enQu8p0qn1PqNOqSGT
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonOPTIGARSAManufacturingCA010.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonOPTIGARSAManufacturingCA010.pem
new file mode 100644
index 0000000..7d563c8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonOPTIGARSAManufacturingCA010.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonRSAChain010.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonRSAChain010.pem
new file mode 100644
index 0000000..426183f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/InfineonRSAChain010.pem
@@ -0,0 +1,66 @@
+-----BEGIN CERTIFICATE-----
+MIIFszCCA5ugAwIBAgIEJl+qTzANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJE
+RTEhMB8GA1UECgwYSW5maW5lb24gVGVjaG5vbG9naWVzIEFHMRswGQYDVQQLDBJP
+UFRJR0EoVE0pIERldmljZXMxKDAmBgNVBAMMH0luZmluZW9uIE9QVElHQShUTSkg
+UlNBIFJvb3QgQ0EwHhcNMTUwODI3MTIyODIyWhcNMzUwODI3MTIyODIyWjCBgzEL
+MAkGA1UEBhMCREUxITAfBgNVBAoMGEluZmluZW9uIFRlY2hub2xvZ2llcyBBRzEa
+MBgGA1UECwwRT1BUSUdBKFRNKSBUUE0yLjAxNTAzBgNVBAMMLEluZmluZW9uIE9Q
+VElHQShUTSkgUlNBIE1hbnVmYWN0dXJpbmcgQ0EgMDEwMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAwEtScKQB4zjh2Ci7OOxmnIhSVCncEZYYc9daievb
+XPn8fsWp39O9RG+27tGWQgTrxtNnm12dOEVUWCG2azr3o1DREr/ESOHQ8/3kXhY2
+86DmGZS4M02rya7uv+DWcKuZi9KR3NmbFHfqp2zp9S9xjUaugDVQYqsFJ2EYC89J
+7obFHcfw0KYiUili1NDGzcYnnTSKhKPTsVloTezq6HgqeZArkOX/O1NIZX9RRpAb
+DnJ8GgVLqZ4gCkbFTbA9FY1S5fQsTTU3nv7HB7LkAsY+BPNbOjY4nq8nLc3LP4x1
+wj7iisx9Icn/fIgFldYFDHy09hlOQntWM94hLXIT0nc/1QIDAQABo4IBODCCATQw
+VwYIKwYBBQUHAQEESzBJMEcGCCsGAQUFBzAChjtodHRwOi8vcGtpLmluZmluZW9u
+LmNvbS9PcHRpZ2FSc2FSb290Q0EvT3B0aWdhUnNhUm9vdENBLmNydDAdBgNVHQ4E
+FgQU2KP1VghaaMiqXV/gebzG6cbTd2QwDgYDVR0PAQH/BAQDAgAGMBIGA1UdEwEB
+/wQIMAYBAf8CAQAwTAYDVR0fBEUwQzBBoD+gPYY7aHR0cDovL3BraS5pbmZpbmVv
+bi5jb20vT3B0aWdhUnNhUm9vdENBL09wdGlnYVJzYVJvb3RDQS5jcmwwFQYDVR0g
+BA4wDDAKBggqghQARAEUATAfBgNVHSMEGDAWgBTcu1ar8Rj8ppp1ERBlhBKe1UGS
+uTAQBgNVHSUECTAHBgVngQUIATANBgkqhkiG9w0BAQsFAAOCAgEAo2BsBPPBEiXO
+/fp4Lj00Dz+nb4g0SZLC0zIp0xvzM/ibGZufYb854+kq9RY1SeFz7It+DVOgdoCh
+GdFc6CXHqZdZoFpFkQY7I31OPkzy65uQnIzsRLce+Ct4Lts5+I0XHDpxtGOCLaWo
+Ms1bTleWljsxgmw3CWY9V14tIF5dEEmnUgjgbDo7Ai5nLahgfqNU4XfXK9zSRX+R
+V0IiYDVFDQqfzJ4GroB4ttYthzr1x1e+vJd4Bh9ErF3v9L8cCthKytOwu65npYBG
+UGH+aWRoaX/3pROjXEZFhFHfNETFc+gVXesIfYeJJQPygudADNYfVtAsDF4qx3JT
+UUlgmzC3z7YivGGBD1Uoj2b7x1DCCy0x0v8ibXbgd7nT0g6a0lZGt4i4gvbUUbEm
+463Vr8Bb1XgA5bsbevUdR8SmuIY0PiS7qioQs4cRGagOSVG0MlKtDD9E/jZ5PUZI
+RpTduKG/lLwH0HHeNgKmDt/pTQWa4/sUgp/KHqg1E82J7sCu4vB/Bk1pTybe4GV/
+YDSc1NGABsWRzZnrIHrIVsXYM5rQzV9+/+BxRmhEqUVUGNzsFYW/RRieNWyojYG6
+v54K9BtAELt1tWXBDE/2Np/RFZQNeEFh2pkLxRNOXytuVoXwII7QNr4TDef2PmE+
+thsvOkC60E8ZEsKZ8GU3Q32lT5CExWI=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IntelEKIntermediate.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IntelEKIntermediate.pem
new file mode 100644
index 0000000..fea2f4f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IntelEKIntermediate.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/IntelEKRootCA.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/IntelEKRootCA.pem
new file mode 100644
index 0000000..d30b958
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/IntelEKRootCA.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA001.crt b/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA001.crt
new file mode 100644
index 0000000..c7b7e8d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA001.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA002.crt b/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA002.crt
new file mode 100644
index 0000000..d9b5779
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA002.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA003.crt b/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA003.crt
new file mode 100644
index 0000000..ef95ed6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkMfrCA003.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMzCCArmgAwIBAgICEAIwCgYIKoZIzj0EAwMwazELMAkGA1UEBhMCQ04xITAf
+BgNVBAoMGE5hdGlvbnogVGVjaG5vbG9naWVzIEluYzEbMBkGA1UECwwSTmF0aW9u
+eiBUUE0gRGV2aWNlMRwwGgYDVQQDDBNOYXRpb256IFRQTSBSb290IENBMB4XDTE3
+MDUxNTAwMDAwMFoXDTM3MDUxNTAwMDAwMFoweDELMAkGA1UEBhMCQ04xITAfBgNV
+BAoMGE5hdGlvbnogVGVjaG5vbG9naWVzIEluYzEbMBkGA1UECwwSTmF0aW9ueiBU
+UE0gRGV2aWNlMSkwJwYDVQQDDCBOYXRpb256IFRQTSBNYW51ZmFjdHVyaW5nIENB
+IDAwMzB2MBAGByqGSM49AgEGBSuBBAAiA2IABCtznQzLxTR4YGov53b3NXkjNBcb
+iWeC7XsukpYkm61dxCw+bsP+jm1soaN9/WDcodzN8hlBFVYWwL79K+S5w9Xojnik
+rrnadWfCJ/LwmY1esyjQEmSbCXiukCZGfB8Nq6OCASEwggEdMEsGCCsGAQUFBwEB
+BD8wPTA7BggrBgEFBQcwAoYvaHR0cDovL3BraS5uYXRpb256LmNvbS5jbi9Fa1Jv
+b3RDQS9Fa1Jvb3RDQS5jcnQwHQYDVR0OBBYEFOuy9OMS5lKcTtDNtoIoWArlID1F
+MEAGA1UdHwQ5MDcwNaAzoDGGL2h0dHA6Ly9wa2kubmF0aW9uei5jb20uY24vRWtS
+b290Q0EvRWtSb290Q0EuY3JsMBYGA1UdIAQPMA0wCwYJKoEcho0hAQUBMB8GA1Ud
+IwQYMBaAFDq8/wjfXgEMK2QHi8fOlQb0CP3kMBAGA1UdJQQJMAcGBWeBBQgBMA4G
+A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMAoGCCqGSM49BAMDA2gA
+MGUCMBFkhoH7ATgC8Z9QAsWJ6YZzI9wsXMcLjytBY1Ae9gWkFQEnfrx43gd+/pRl
+2Mpy5AIxANhHc4NyRsFsZ828jOUthQIH0A8rckSDwNkoGWGVAuny/S9Gww6k5EM4
+EwQq9W0Syw==
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkRootCA.crt b/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkRootCA.crt
new file mode 100644
index 0000000..36cdff8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/NationZEkRootCA.crt
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA0100.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA0100.pem
new file mode 100644
index 0000000..5e3a4a1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA0100.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA1110.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA1110.pem
new file mode 100644
index 0000000..96cecd9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA1110.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA2110.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA2110.pem
new file mode 100644
index 0000000..6381f75
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/NuvotonTPMRootCA2110.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/cacert.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/cacert.pem
new file mode 100644
index 0000000..b752ba5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/cacert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/cacertecc.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/cacertecc.pem
new file mode 100644
index 0000000..a47eb31
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/cacertecc.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/gstpmroot.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/gstpmroot.pem
new file mode 100644
index 0000000..b40c5e9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/gstpmroot.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID1zCCAr+gAwIBAgILBAAAAAABIBkJGa4wDQYJKoZIhvcNAQELBQAwgYcxOzA5
+BgNVBAsTMkdsb2JhbFNpZ24gVHJ1c3RlZCBDb21wdXRpbmcgQ2VydGlmaWNhdGUg
+QXV0aG9yaXR5MRMwEQYDVQQKEwpHbG9iYWxTaWduMTMwMQYDVQQDEypHbG9iYWxT
+aWduIFRydXN0ZWQgUGxhdGZvcm0gTW9kdWxlIFJvb3QgQ0EwHhcNMDkwMzE4MTAw
+MDAwWhcNNDkwMzE4MTAwMDAwWjCBhzE7MDkGA1UECxMyR2xvYmFsU2lnbiBUcnVz
+dGVkIENvbXB1dGluZyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxEzARBgNVBAoTCkds
+b2JhbFNpZ24xMzAxBgNVBAMTKkdsb2JhbFNpZ24gVHJ1c3RlZCBQbGF0Zm9ybSBN
+b2R1bGUgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPi3
+Gi0wHyTT7dq24caFAp31gXFDvALRGJrMiP+TunIYPacYD8eBVSNEiVoCUcVfYxzl
+/DPTxmRyGXgQM8CVh9THrxDTW7N2PSAoZ7fvlmjTiBL/IQ7m1F+9wGI/FuaMTphz
+w6lBda7HFlIYKTbM/vz24axCHLzJ8Xir2L889D9MMIerBRqouVsDGauH+TIOdw4o
+IGKhorqfsDro57JHwViMWlbB1Ogad7PBX5X/e9GDNdZTdo4c0bZnKO+dEtzEgKCh
+JmQ53Mxa9y4xPMGRRnjLsyxuM99vkkYXy7rnxctSo7GtGIJJVabNuXZ0peaY9ku0
+CUgKAsQndLkTHz8bIh0CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB
+/wQFMAMBAf8wHQYDVR0OBBYEFB4jY/CFtfYlTu0awFC+ZXzH1BV6MA0GCSqGSIb3
+DQEBCwUAA4IBAQCVb7lI4d49u7EtCX03/rUCCiaZ64NMxxqRmcSVdUx6yRrbl8NN
+FNr6ym2kTvwe1+JkTCiDxKzJsOR/jcPczAFiYpFbZQYLA6RK0bzbL9RGcaw5LLhY
+o/flqsu3N2/HNesWbekoxLosP6NLGEOnpj1B+R3y7HCQq/08U5l3Ete6TRKTAavc
+0mty+uCFtLXf+tirl7xSaIGD0LwcYNdzLEB9g4je6FQSWL0QOXb+zR755QYupZAw
+G1PnOgYWfqWowKcQQexFPrKGlzh0ncITV/nBEi++fnnZ7TFiwaKwe+WussrROV1S
+DDF29dmoMcbSFDL+DgSMabVT6Qr6Ze1rbmSh
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/rootcerts.txt b/libstb/tss2/ibmtpm20tss/utils/certificates/rootcerts.txt
new file mode 100644
index 0000000..6c2a04f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/rootcerts.txt
@@ -0,0 +1,49 @@
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-OPTIGA(TM)_ECC_Manufacturing_CA_011.crt-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-OPTIGA(TM)_RSA_Manufacturing_CA_011.crt-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-TPM_ECC_Root_CA-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-TPM_RSA_Root_CA-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/InfineonECCChain010.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/InfineonOPTIGAECCManufacturingCA010.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/InfineonOPTIGARSAManufacturingCA010.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/InfineonRSAChain010.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/NuvotonTPMRootCA0100.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/NuvotonTPMRootCA1110.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/NuvotonTPMRootCA2110.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/cacert.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/cacertecc.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/gstpmroot.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/stmtpmeccint01.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/stmtpmeccroot01.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/stmtpmekint01.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/stmtpmekint02.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/stmtpmekint03.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/stmtpmekint04.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/stmtpmekint05.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/stmtpmekroot.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/tpmeccroot.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IntelEKIntermediate.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IntelEKRootCA.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/NationZEkMfrCA001.crt
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/NationZEkMfrCA002.crt
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/NationZEkMfrCA003.crt
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/NationZEkRootCA.crt
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IFX_TPM_EK_Root_CA.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-TPM1.2_VRSN_root_certificate-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_01.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_02.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_03.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_04.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_05.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_08.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_17.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_18.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_20.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_21.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-Infineon_TPM_EK_Intermediate_CA25-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA29-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-IFX_TPM_EK_Intermediate_CA_48-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA_49-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA_53-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA_54-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA_62-C-v01_00-EN.pem
+/gsa/yktgsa/home/k/g/kgold/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA_63-C-v01_00-EN.pem
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/rootcerts.windows.txt b/libstb/tss2/ibmtpm20tss/utils/certificates/rootcerts.windows.txt
new file mode 100644
index 0000000..0316180
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/rootcerts.windows.txt
@@ -0,0 +1,49 @@
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-OPTIGA(TM)_ECC_Manufacturing_CA_011.crt-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-OPTIGA(TM)_RSA_Manufacturing_CA_011.crt-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-TPM_ECC_Root_CA-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-TPM_RSA_Root_CA-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/InfineonECCChain010.pem
+c:/users/ibm_admin/tpm2/utils/certificates/InfineonOPTIGAECCManufacturingCA010.pem
+c:/users/ibm_admin/tpm2/utils/certificates/InfineonOPTIGARSAManufacturingCA010.pem
+c:/users/ibm_admin/tpm2/utils/certificates/InfineonRSAChain010.pem
+c:/users/ibm_admin/tpm2/utils/certificates/NuvotonTPMRootCA0100.pem
+c:/users/ibm_admin/tpm2/utils/certificates/NuvotonTPMRootCA1110.pem
+c:/users/ibm_admin/tpm2/utils/certificates/NuvotonTPMRootCA2110.pem
+c:/users/ibm_admin/tpm2/utils/certificates/cacert.pem
+c:/users/ibm_admin/tpm2/utils/certificates/cacertecc.pem
+c:/users/ibm_admin/tpm2/utils/certificates/gstpmroot.pem
+c:/users/ibm_admin/tpm2/utils/certificates/stmtpmeccint01.pem
+c:/users/ibm_admin/tpm2/utils/certificates/stmtpmeccroot01.pem
+c:/users/ibm_admin/tpm2/utils/certificates/stmtpmekint01.pem
+c:/users/ibm_admin/tpm2/utils/certificates/stmtpmekint02.pem
+c:/users/ibm_admin/tpm2/utils/certificates/stmtpmekint03.pem
+c:/users/ibm_admin/tpm2/utils/certificates/stmtpmekint04.pem
+c:/users/ibm_admin/tpm2/utils/certificates/stmtpmekint05.pem
+c:/users/ibm_admin/tpm2/utils/certificates/stmtpmekroot.pem
+c:/users/ibm_admin/tpm2/utils/certificates/tpmeccroot.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IntelEKIntermediate.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IntelEKRootCA.pem
+c:/users/ibm_admin/tpm2/utils/certificates/NationZEkMfrCA001.crt
+c:/users/ibm_admin/tpm2/utils/certificates/NationZEkMfrCA002.crt
+c:/users/ibm_admin/tpm2/utils/certificates/NationZEkMfrCA003.crt
+c:/users/ibm_admin/tpm2/utils/certificates/NationZEkRootCA.crt
+c:/users/ibm_admin/tpm2/utils/certificates/IFX_TPM_EK_Root_CA.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-TPM1.2_VRSN_root_certificate-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_01.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_02.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_03.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_04.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_05.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_08.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_17.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_18.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_20.pem
+c:/users/ibm_admin/tpm2/utils/certificates/IFX_TPM_EK_Intermediate_CA_21.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-Infineon_TPM_EK_Intermediate_CA25-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA29-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-IFX_TPM_EK_Intermediate_CA_48-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA_49-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA_53-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA_54-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA_62-C-v01_00-EN.pem
+c:/users/ibm_admin/tpm2/utils/certificates/Infineon-TPM_EK_Intermediate_CA_63-C-v01_00-EN.pem
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmeccint01.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmeccint01.pem
new file mode 100644
index 0000000..21767a5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmeccint01.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICZTCCAeugAwIBAgIEQAAAATAKBggqhkjOPQQDAzBOMQswCQYDVQQGEwJDSDEe
+MBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMR8wHQYDVQQDExZTVE0gVFBN
+IEVDQyBSb290IENBIDAxMB4XDTE1MTAxNDE1MzQ0MFoXDTM1MTIzMTIzNTk1OVow
+VjELMAkGA1UEBhMCQ0gxHjAcBgNVBAoTFVNUTWljcm9lbGVjdHJvbmljcyBOVjEn
+MCUGA1UEAxMeU1RNIFRQTSBFQ0MgSW50ZXJtZWRpYXRlIENBIDAxMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEvUVh5iXWQ0kYwUoy7bqWMVkRG5abfGOsV2SLLRNx
+i7nmfa3q1sxh9KVRCDjhvElQb8B+DIG1L9m65NR+9AAjRqOBrjCBqzAdBgNVHQ4E
+FgQUfrg2zvvfimNx/3Mz+brXFGFslsswHwYDVR0jBBgwFoAUIJJWPAtDqAVyUwMp
+BxwH4OvsAwQwRQYDVR0gAQH/BDswOTA3BgRVHSAAMC8wLQYIKwYBBQUHAgEWIWh0
+dHA6Ly93d3cuc3QuY29tL1RQTS9yZXBvc2l0b3J5LzAOBgNVHQ8BAf8EBAMCAgQw
+EgYDVR0TAQH/BAgwBgEB/wIBADAKBggqhkjOPQQDAwNoADBlAjEApGAqByxXaxnZ
+gVkFeRywQ7Z/kZlRSVPJqU5aytBCrFLk5sNAb+pu69HKNuWlAMW7AjBza9+mibY2
+i82zFtTQqkjo0pDVAyF3iX1ejqGDEW/PinHJTmNC76R34flkucEhX+U=
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmeccroot01.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmeccroot01.pem
new file mode 100644
index 0000000..532bbcb
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmeccroot01.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAk+gAwIBAgIORyzLp/OdsAvb9r+66LowCgYIKoZIzj0EAwMwgYsxOzA5
+BgNVBAsTMkdsb2JhbFNpZ24gVHJ1c3RlZCBDb21wdXRpbmcgQ2VydGlmaWNhdGUg
+QXV0aG9yaXR5MRMwEQYDVQQKEwpHbG9iYWxTaWduMTcwNQYDVQQDEy5HbG9iYWxT
+aWduIFRydXN0ZWQgUGxhdGZvcm0gTW9kdWxlIEVDQyBSb290IENBMB4XDTE1MTAy
+ODAwMDAwMFoXDTM4MDExOTAzMTQwN1owTjELMAkGA1UEBhMCQ0gxHjAcBgNVBAoT
+FVNUTWljcm9lbGVjdHJvbmljcyBOVjEfMB0GA1UEAxMWU1RNIFRQTSBFQ0MgUm9v
+dCBDQSAwMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABG7/OLXMiprQQHwNnkpT6aqG
+zOGLcbbAgUtyjlXOZtuv0GB0ttJ6fwMwgFtt8RKlko8Bwn89/BoZOUcI4ne8ddRS
+oqE6StnU3I13qqjalToq3Rnz61Omn6NErK1pxUe3j6OBtTCBsjAOBgNVHQ8BAf8E
+BAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUIJJWPAtDqAVyUwMp
+BxwH4OvsAwQwHwYDVR0jBBgwFoAUYT78EZkKf7CpW5CgJl4pYUe3MAMwTAYDVR0g
+BEUwQzBBBgkrBgEEAaAyAVowNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xv
+YmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wCgYIKoZIzj0EAwMDZwAwZAIwWnuUAzwy
+vHUhHehymKTZ2QcPUwHX0LdcVTac4ohyEL3zcuv/dM0BN62kFxHgBOhWAjAIxt9i
+50yAxy0Z/MeV2NTXqKpLwdhWNuzOSFZnzRKsh9MxY3zj8nebDNlHTDGSMR0=
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint01.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint01.pem
new file mode 100644
index 0000000..75c2380
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint01.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint02.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint02.pem
new file mode 100644
index 0000000..60ceac2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint02.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint03.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint03.pem
new file mode 100644
index 0000000..c284952
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint03.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDzDCCArSgAwIBAgIEQAAAAzANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJD
+SDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMRswGQYDVQQDExJTVE0g
+VFBNIEVLIFJvb3QgQ0EwHhcNMTIwNjIzMDAwMDAwWhcNMjkxMjMxMDAwMDAwWjBV
+MQswCQYDVQQGEwJDSDEeMBwGA1UEChMVU1RNaWNyb2VsZWN0cm9uaWNzIE5WMSYw
+JAYDVQQDEx1TVE0gVFBNIEVLIEludGVybWVkaWF0ZSBDQSAwMzCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKUVK0+9LHDAyaDdkZ9I3c3itcDJmIz/OwTs
+2ET2zAA1bE4BtSRj3rUXnzas8MBtRXQyfDdXIpL80PJywtRep/IujY0YqmI1TCee
+A76SIPDDgi0W3h6hwTC1mvxW4I8i8ZAqB/iB6+o3A7rapZTsvfj9FwkhG6Fnafc+
+dvNI4nVdu6L5TBhp73HnJvVvjs6YfzRcYi6LXCpUZtQQk8DcKYLmID2W9Tm1QjR6
+COh/xuJIo0bWGlBfUq3X92ilID1wuGi27JLveoOk5tHh0lkBhwV1XYEhdUifroPE
+qylX9pqZk5SseiQ6XBzYX5K4ZIqODSMWX92G+tBpkL/Rb7MpM3kCAwEAAaOBrjCB
+qzAdBgNVHQ4EFgQUAFamENU9GzttvRQJSy3Ofh91btAwHwYDVR0jBBgwFoAUb+bF
+bAe3bIsKgZKDXMtBHvaO0ScwRQYDVR0gAQH/BDswOTA3BgRVHSAAMC8wLQYIKwYB
+BQUHAgEWIWh0dHA6Ly93d3cuc3QuY29tL1RQTS9yZXBvc2l0b3J5LzAOBgNVHQ8B
+Af8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAQEA
+5xoP4zJRAs6TDRYIwZBOFmUDkyFHDcgLZP+gAA7o8UgpNDlSIm4gSGwGxGdxwIqW
+rSkt8Sd5W0WLBeL31GrgacK5tgQ6hRA40GJgWXlafjCWJW4gUKosdU+hyY/FuStj
+QmIlPwbVr8YV/01fhFAbcQOkmj248w64kavh2/36NsEX1uv/k4HFUqaY2j6/ahli
+mIjO5BE29FC8u/UHu3iKgj42LbLlZ4HbJZhwJrAkRYamnrGDEvr7O5hCNcSBRhKc
+GMMrx7PpPwBZ/jpYTHZ+qS+hjM5a5DRdr/rwsTygeg1Zi+UKt7scgkyKAnMVn0Y4
+Fp9CalunK6GC0OVOIWX55A==
+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint04.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint04.pem
new file mode 100644
index 0000000..596e62d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint04.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint05.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint05.pem
new file mode 100644
index 0000000..f90f182
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekint05.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekroot.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekroot.pem
new file mode 100644
index 0000000..81b747b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/stmtpmekroot.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certificates/tpmeccroot.pem b/libstb/tss2/ibmtpm20tss/utils/certificates/tpmeccroot.pem
new file mode 100644
index 0000000..13be323
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certificates/tpmeccroot.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/certify.c b/libstb/tss2/ibmtpm20tss/utils/certify.c
new file mode 100644
index 0000000..f1f54d0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certify.c
@@ -0,0 +1,411 @@
+/********************************************************************************/
+/* */
+/* Certify */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Certify_In in;
+ Certify_Out out;
+ TPMI_DH_OBJECT objectHandle = 0;
+ TPMI_DH_OBJECT signHandle = 0;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ const char *keyPassword = NULL;
+ const char *objectPassword = NULL;
+ const char *signatureFilename = NULL;
+ const char *attestInfoFilename = NULL;
+ const char *qualifyingDataFilename = NULL;
+ TPM_ALG_ID sigAlg = TPM_ALG_RSA;
+ TPMS_ATTEST tpmsAttest;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RS_PW;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ho") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&objectHandle);
+ }
+ else {
+ printf("Missing parameter for -ho\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdo") == 0) {
+ i++;
+ if (i < argc) {
+ objectPassword = argv[i];
+ }
+ else {
+ printf("-pwdo option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&signHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-salg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsa") == 0) {
+ sigAlg = TPM_ALG_RSA;
+ }
+ else if (strcmp(argv[i],"ecc") == 0) {
+ sigAlg = TPM_ALG_ECDSA;
+ }
+ else if (strcmp(argv[i],"hmac") == 0) {
+ sigAlg = TPM_ALG_HMAC;
+ }
+ else {
+ printf("Bad parameter %s for -salg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-salg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-os") == 0) {
+ i++;
+ if (i < argc) {
+ signatureFilename = argv[i];
+ }
+ else {
+ printf("-os option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oa") == 0) {
+ i++;
+ if (i < argc) {
+ attestInfoFilename = argv[i];
+ }
+ else {
+ printf("-oa option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-qd") == 0) {
+ i++;
+ if (i < argc) {
+ qualifyingDataFilename = argv[i];
+ }
+ else {
+ printf("-qd option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (objectHandle == 0) {
+ printf("Missing object handle parameter -ho\n");
+ printUsage();
+ }
+ if (signHandle == 0) {
+ printf("Missing sign handle parameter -hk\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ /* Handle of key that will perform certifying */
+ in.objectHandle = objectHandle;
+ in.signHandle = signHandle;
+ if (sigAlg == TPM_ALG_RSA) {
+ /* Table 145 - Definition of TPMT_SIG_SCHEME Structure */
+ in.inScheme.scheme = TPM_ALG_RSASSA;
+ /* Table 144 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+ in.inScheme.details.rsassa.hashAlg = halg;
+ }
+ else if (sigAlg == TPM_ALG_ECDSA) {
+ in.inScheme.scheme = TPM_ALG_ECDSA;
+ in.inScheme.details.ecdsa.hashAlg = halg;
+ }
+ else { /* HMAC */
+ in.inScheme.scheme = TPM_ALG_HMAC;
+ in.inScheme.details.hmac.hashAlg = halg;
+ }
+ }
+ /* data supplied by the caller */
+ if (rc == 0) {
+ if (qualifyingDataFilename != NULL) {
+ rc = TSS_File_Read2B(&in.qualifyingData.b,
+ sizeof(in.qualifyingData.t.buffer),
+ qualifyingDataFilename);
+ }
+ else {
+ in.qualifyingData.t.size = 0;
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Certify,
+ sessionHandle0, objectPassword, sessionAttributes0,
+ sessionHandle1, keyPassword, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ uint8_t *tmpBuffer = out.certifyInfo.t.attestationData;
+ uint32_t tmpSize = out.certifyInfo.t.size;
+ rc = TSS_TPMS_ATTEST_Unmarshalu(&tpmsAttest, &tmpBuffer, &tmpSize);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMS_ATTEST_Print(&tpmsAttest, 0);
+ }
+ /* For an attestation command using the ECDAA scheme, both the qualifiedSigner and extraData
+ fields in the attestation block (a TPMS_ATTEST) are set to be the Empty Buffer */
+ if ((rc == 0) && (in.inScheme.scheme != ALG_ECDAA_VALUE)) {
+ int match;
+ match = TSS_TPM2B_Compare(&in.qualifyingData.b, &tpmsAttest.extraData.b);
+ if (!match) {
+ printf("certify: failed, extraData != qualifyingData\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ if ((rc == 0) && (signatureFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.signature,
+ (MarshalFunction_t)TSS_TPMT_SIGNATURE_Marshalu,
+ signatureFilename);
+ }
+ if ((rc == 0) && (attestInfoFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.certifyInfo.t.attestationData,
+ out.certifyInfo.t.size,
+ attestInfoFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMT_SIGNATURE_Print(&out.signature, 0);
+ if (tssUtilsVerbose) printf("certify: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("certify: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("certify\n");
+ printf("\n");
+ printf("Runs TPM2_Certify\n");
+ printf("\n");
+ printf("\t-ho\tobject handle\n");
+ printf("\t[-pwdo\tpassword for object (default empty)]\n");
+ printf("\t-hk\tcertifying key handle\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t[-halg\t(sha1, sha256, sha384 sha512) (default sha256)]\n");
+ printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
+ printf("\t[-qd\tqualifying data file name]\n");
+ printf("\t[-os\tsignature file name (default do not save)]\n");
+ printf("\t[-oa\tattestation output file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
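Review bot: The `sscanf(argv[i],"%x",...)` calls for `-ho`, `-hk` and `-se0`/`-se1`/`-se2` never check their return value, so a non-hex argument is silently ignored and the default stays in place: for the session options that means `TPM_RS_PW` is used without any message, and for the handles a value with trailing garbage is accepted as whatever prefix parsed. Each of these should test the conversion, e.g. `if (sscanf(argv[i], "%x", &objectHandle) != 1) { printf("Bad parameter %s for -ho\n", argv[i]); printUsage(); }`, and the same applies to the identical option parsing in certifycreation.c. A second issue is the `rc = EXIT_FAILURE` at the extraData mismatch: because the final `else` branch runs for any non-zero rc, that application-level value is printed as `rc 00000001` and handed to `TSS_ResponseCode_toString`, which will decode it as if it were a TPM response code unless that helper special-cases small values; certifycreation.c has the same pattern at its `rc = 1` and both `rc = EXIT_FAILURE` assignments. Either return from those branches after printing the specific message, or gate the decode on rc having come from the TSS calls.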
diff --git a/libstb/tss2/ibmtpm20tss/utils/certifycreation.c b/libstb/tss2/ibmtpm20tss/utils/certifycreation.c
new file mode 100644
index 0000000..ab54c0a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certifycreation.c
@@ -0,0 +1,453 @@
+/********************************************************************************/
+/* */
+/* CertifyCreation */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2017 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ CertifyCreation_In in;
+ CertifyCreation_Out out;
+ TPMI_DH_OBJECT objectHandle = 0;
+ TPMI_DH_OBJECT signHandle = 0;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ const char *keyPassword = NULL;
+ const char *signatureFilename = NULL;
+ const char *attestInfoFilename = NULL;
+ const char *qualifyingDataFilename = NULL;
+ const char *ticketFilename = NULL;
+ const char *creationHashFilename = NULL;
+ unsigned char *buffer = NULL;
+ size_t length;
+ int useRsa = 1;
+ TPMS_ATTEST tpmsAttest;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ho") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&objectHandle);
+ }
+ else {
+ printf("Missing parameter for -ho\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&signHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-salg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsa") == 0) {
+ useRsa = 1;
+ }
+ else if (strcmp(argv[i],"ecc") == 0) {
+ useRsa = 0;
+ }
+ else {
+ printf("Bad parameter %s for -salg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-salg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-os") == 0) {
+ i++;
+ if (i < argc) {
+ signatureFilename = argv[i];
+ }
+ else {
+ printf("-os option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oa") == 0) {
+ i++;
+ if (i < argc) {
+ attestInfoFilename = argv[i];
+ }
+ else {
+ printf("-oa option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-qd") == 0) {
+ i++;
+ if (i < argc) {
+ qualifyingDataFilename = argv[i];
+ }
+ else {
+ printf("-qd option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-tk") == 0) {
+ i++;
+ if (i < argc) {
+ ticketFilename = argv[i];
+ }
+ else {
+ printf("-tk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ch") == 0) {
+ i++;
+ if (i < argc) {
+ creationHashFilename = argv[i];
+ }
+ else {
+ printf("-ch option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (objectHandle == 0) {
+ printf("Missing object handle parameter -ho\n");
+ printUsage();
+ }
+ if (signHandle == 0) {
+ printf("Missing sign handle parameter -hk\n");
+ printUsage();
+ }
+ if (ticketFilename == NULL) {
+ printf("Missing ticket parameter -tk\n");
+ printUsage();
+ }
+ if (creationHashFilename == NULL) {
+ printf("Missing creation hash file parameter -ch\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ /* Handle of key that will perform certifying */
+ in.objectHandle = objectHandle;
+ in.signHandle = signHandle;
+ if (useRsa) {
+ /* Table 145 - Definition of TPMT_SIG_SCHEME Structure */
+ in.inScheme.scheme = TPM_ALG_RSASSA;
+ /* Table 144 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+ in.inScheme.details.rsassa.hashAlg = halg;
+ }
+ else { /* ecc */
+ in.inScheme.scheme = TPM_ALG_ECDSA;
+ in.inScheme.details.ecdsa.hashAlg = halg;
+ }
+ }
+ /* qualifyingData supplied by the caller */
+ if (rc == 0) {
+ if (qualifyingDataFilename != NULL) {
+ rc = TSS_File_Read2B(&in.qualifyingData.b,
+ sizeof(in.qualifyingData.t.buffer),
+ qualifyingDataFilename);
+ }
+ else {
+ in.qualifyingData.t.size = 0;
+ }
+ }
+ /* creationTicket */
+ if (rc == 0) {
+ rc = TSS_File_ReadStructure(&in.creationTicket,
+ (UnmarshalFunction_t)TSS_TPMT_TK_CREATION_Unmarshalu,
+ ticketFilename);
+ }
+ /* creationHash */
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ creationHashFilename);
+ }
+ if (rc == 0) {
+ if (length > sizeof(TPMU_HA)) {
+ printf("Size of creationHash %lu greater than hash size %lu\n",
+ (unsigned long)length, (unsigned long)sizeof(TPMU_HA));
+ rc = 1;
+ }
+ }
+ if (rc == 0) {
+ in.creationHash.t.size = (uint16_t)length;
+ memcpy(in.creationHash.t.buffer, buffer, length);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_CertifyCreation,
+ sessionHandle0, keyPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ uint8_t *tmpBuffer = out.certifyInfo.t.attestationData;
+ uint32_t tmpSize = out.certifyInfo.t.size;
+ rc = TSS_TPMS_ATTEST_Unmarshalu(&tpmsAttest, &tmpBuffer, &tmpSize);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMS_ATTEST_Print(&tpmsAttest, 0);
+ }
+ if (rc == 0) {
+ int match;
+ match = TSS_TPM2B_Compare(&in.qualifyingData.b, &tpmsAttest.extraData.b);
+ if (!match) {
+ printf("certifycreation: failed, extraData != qualifyingData\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ int match;
+ match = TSS_TPM2B_Compare(&in.creationHash.b, &tpmsAttest.attested.creation.creationHash.b);
+ if (!match) {
+ printf("certifycreation: failed, in creationHash != out creationHash\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ if ((rc == 0) && (signatureFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.signature,
+ (MarshalFunction_t)TSS_TPMT_SIGNATURE_Marshalu,
+ signatureFilename);
+ }
+ if ((rc == 0) && (attestInfoFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.certifyInfo.t.attestationData,
+ out.certifyInfo.t.size,
+ attestInfoFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMT_SIGNATURE_Print(&out.signature, 0);
+ if (tssUtilsVerbose) printf("certifycreation: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("certifycreation: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("certifycreation\n");
+ printf("\n");
+ printf("Runs TPM2_CertifyCreation\n");
+ printf("\n");
+ printf("\t-ho\tobject handle\n");
+ printf("\t-hk\tcertifying key handle\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t[-halg\t(sha1, sha256, sha384) (default sha256)]\n");
+ printf("\t[-salg\tsignature algorithm (rsa, ecc) (default rsa)]\n");
+ printf("\t[-qd\tqualifying data file name]\n");
+ printf("\t-tk\tinput ticket file name\n");
+ printf("\t-ch\tinput creation hash file name\n");
+ printf("\t[-os\tsignature file name] (default do not save)\n");
+ printf("\t[-oa\tattestation output file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
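Review bot: The creationHash length check only rejects files larger than `sizeof(TPMU_HA)`; an empty `-ch` file passes, leaving `in.creationHash.t.size` at 0 and calling `memcpy` with a `buffer` that may be NULL (undefined behaviour even for a zero count, depending on what `TSS_File_ReadBinaryFile` returns for an empty file). Tightening the condition to `if ((length == 0) || (length > sizeof(TPMU_HA)))` with a matching message would fail early instead of sending an empty digest to the TPM. Separately, `-halg` here accepts only sha1/sha256/sha384 while certify.c in the same commit also accepts sha512 and the usage text does not say why; if the omission is deliberate a comment such as `/* sha512 intentionally not offered for CertifyCreation */` next to the option would stop the next reader from "fixing" it.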
diff --git a/libstb/tss2/ibmtpm20tss/utils/certifyx509.c b/libstb/tss2/ibmtpm20tss/utils/certifyx509.c
new file mode 100644
index 0000000..ace43d0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/certifyx509.c
@@ -0,0 +1,1497 @@
+/********************************************************************************/
+/* */
+/* CertifyX509 */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* CertifyX509 exercises the TPM2_CertifyX509 command. It:
+
+ - Creates a partialCertificate parameter
+ - Runs the TPM2_CertifyX509 command
+ - Reconstructs the X509 certificate from the addedToCertificate and signature outputs
+*/
+
+/* mbedtls does not support this utility */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include "cryptoutils.h"
+
+#ifndef TPM_TSS_MBEDTLS
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tssfile.h>
+
+/* NOTE: This is currently openssl only. */
+#include <ekutils.h>
+
+static void printUsage(void);
+
+TPM_RC createPartialCertificate(X509 *x509Certificate,
+ uint8_t *partialCertificateDer,
+ uint16_t *partialCertificateDerLength,
+ size_t partialCertificateDerSize,
+ const char *keyUsage,
+ uint32_t tpmaObject,
+ int addTpmaObject,
+ int subeqiss);
+TPM_RC convertCertToPartialCert(uint16_t *partialCertificateDerLength,
+ uint8_t *partialCertificateDer,
+ uint16_t certificateDerLength,
+ uint8_t *certificateDer);
+TPM_RC reformCertificate(X509 *x509Certificate,
+ int useRsa,
+ TPM2B_MAX_BUFFER *addedToCertificate,
+ TPMT_SIGNATURE *tSignature);
+TPM_RC addSerialNumber(X509 *x509Certificate,
+ unsigned char *tmpAddedToCert,
+ uint16_t *tmpAddedToCertIndex);
+TPM_RC addPubKeyRsa(X509 *x509Certificate,
+ unsigned char *tmpAddedToCert,
+ uint16_t *tmpAddedToCertIndex);
+TPM_RC addSignatureRsa(X509 *x509Certificate,
+ TPMT_SIGNATURE *tSignature);
+TPM_RC addSignatureEcc(X509 *x509Certificate,
+ TPMT_SIGNATURE *signature);
+TPM_RC addPubKeyEcc(X509 *x509Certificate,
+ unsigned char *tmpAddedToCert,
+ uint16_t *tmpAddedToCertIndex);
+TPM_RC addCertExtensionTpmaOid(X509 *x509Certificate,
+ uint32_t tpmaObject);
+
+TPM_RC getDataLength(uint8_t type,
+ uint16_t *wrapperLength,
+ uint16_t *dataLength,
+ uint16_t *certificateDerIndex,
+ uint8_t *certificateDer);
+
+TPM_RC skipSequence(uint16_t *certificateDerIndex, uint8_t *certificateDer);
+TPM_RC skipBitString(uint16_t *dataLength,
+ uint16_t *certificateDerIndex, uint8_t *certificateDer);
+
+TPM_RC copyType(uint8_t type,
+ uint16_t *partialCertificateDerLength, uint8_t *partialCertificateDer,
+ uint16_t *certificateDerIndex, uint8_t *certificateDer);
+
+TPM_RC getInteger(uint16_t *integerLength, unsigned char *integerStream,
+ uint16_t *certificateDerIndex, unsigned char *certificateDer);
+TPM_RC prependSequence(uint16_t *partialCertificateDerLength, uint8_t *partialCertificateDer);
+
+int verbose = FALSE;
+
+/* FIXME
+ length checks
+*/
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ CertifyX509_In in;
+ CertifyX509_Out out;
+ TPMI_DH_OBJECT objectHandle = 0;
+ TPMI_DH_OBJECT signHandle = 0;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ unsigned int bit = 0;
+ int testBit = FALSE;
+ const char *keyPassword = NULL;
+ const char *objectPassword = NULL;
+ const char *outPartialCertificateFilename = NULL;
+ const char *outCertificateFilename = NULL;
+ const char *addedToCertificateFilename = NULL;
+ const char *tbsDigestFilename = NULL;
+ const char *signatureFilename = NULL;
+
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RS_PW;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ int useRsa = 1;
+ int subeqiss = FALSE; /* TRUE: subject = issuer */
+ const char *keyUsage = "critical,digitalSignature,keyCertSign,cRLSign";
+ uint32_t tpmaObject = 0;
+ int addTpmaObject = FALSE;
+ X509 *x509Certificate = NULL;
+ unsigned char *x509Der = NULL;
+ uint32_t x509DerLength = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ho") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&objectHandle);
+ }
+ else {
+ printf("Missing parameter for -ho\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdo") == 0) {
+ i++;
+ if (i < argc) {
+ objectPassword = argv[i];
+ }
+ else {
+ printf("-pwdo option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&signHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-salg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsa") == 0) {
+ useRsa = 1;
+ }
+ else if (strcmp(argv[i],"ecc") == 0) {
+ useRsa = 0;
+ }
+ else {
+ printf("Bad parameter %s for -salg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-salg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ku") == 0) {
+ i++;
+ if (i < argc) {
+ keyUsage = argv[i];
+ }
+ else {
+ printf("-ku option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-iob") == 0) {
+ i++;
+ if (i < argc) {
+ addTpmaObject = TRUE;
+ sscanf(argv[i], "%x", &tpmaObject);
+ }
+ else {
+ printf("-iob option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-sub") == 0) {
+ subeqiss = TRUE;
+ }
+ else if (strcmp(argv[i],"-opc") == 0) {
+ i++;
+ if (i < argc) {
+ outPartialCertificateFilename = argv[i];
+ }
+ else {
+ printf("-opc option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ocert") == 0) {
+ i++;
+ if (i < argc) {
+ outCertificateFilename = argv[i];
+ }
+ else {
+ printf("-ocert option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oa") == 0) {
+ i++;
+ if (i < argc) {
+ addedToCertificateFilename = argv[i];
+ }
+ else {
+ printf("-oa option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-otbs") == 0) {
+ i++;
+ if (i < argc) {
+ tbsDigestFilename = argv[i];
+ }
+ else {
+ printf("-otbs option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-os") == 0) {
+ i++;
+ if (i < argc) {
+ signatureFilename = argv[i];
+ }
+ else {
+ printf("-os option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ verbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (objectHandle == 0) {
+ printf("Missing object handle parameter -ho\n");
+ printUsage();
+ }
+ if (signHandle == 0) {
+ printf("Missing sign handle parameter -hk\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ /* Handle of the object to be certified */
+ in.objectHandle = objectHandle;
+ /* Handle of key that will perform certifying */
+ in.signHandle = signHandle;
+ if (useRsa) {
+ /* Table 145 - Definition of TPMT_SIG_SCHEME Structure */
+ in.inScheme.scheme = TPM_ALG_RSASSA;
+ /* Table 144 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+ in.inScheme.details.rsassa.hashAlg = halg;
+ }
+ else { /* ecc */
+ in.inScheme.scheme = TPM_ALG_ECDSA;
+ in.inScheme.details.ecdsa.hashAlg = halg;
+ }
+ in.reserved.t.size = 0;
+ }
+ /* initialize a new, empty X509 structure. It will first be used to form the partialCertificate
+ command parameter, and then be used to reform the certificate from the response
+ parameters. */
+ if (rc == 0) {
+ x509Certificate = X509_new(); /* freed @1 */
+ if (x509Certificate == NULL) {
+ printf("main: Error in X509_new\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ /* form partial certificate */
+ if (rc == 0) {
+ rc = createPartialCertificate(x509Certificate,
+ in.partialCertificate.t.buffer,
+ &in.partialCertificate.b.size,
+ sizeof(in.partialCertificate.t.buffer),
+ keyUsage,
+ tpmaObject,
+ addTpmaObject,
+ subeqiss);
+ }
+ if ((rc == 0) && (testBit)) {
+ unsigned int bitInByte = bit % 8;
+ unsigned int byteInDer = bit / 8;
+ if (byteInDer <= in.partialCertificate.b.size) {
+ if (verbose) {
+ printf("main: Testing byte %u bit %u\n", byteInDer, bitInByte);
+ printf("main: Byte was %02x\n", in.partialCertificate.t.buffer[byteInDer]);
+ }
+ in.partialCertificate.t.buffer[byteInDer] ^= (1 << bitInByte);
+ if (verbose) printf("main: Byte is %02x\n", in.partialCertificate.t.buffer[byteInDer]);
+ }
+ else {
+ printf("Bad -bit parameter, byte %u, DER length %u\n",
+ byteInDer, in.partialCertificate.b.size);
+ rc = TSS_RC_BAD_PROPERTY;
+ }
+ }
+ /* for debug, or stop here for sample of how to create the partialCertificate parameter */
+ if (rc == 0) {
+ if (outPartialCertificateFilename != NULL) {
+ rc = TSS_File_WriteBinaryFile(in.partialCertificate.b.buffer,
+ in.partialCertificate.b.size,
+ outPartialCertificateFilename);
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_CertifyX509,
+ sessionHandle0, objectPassword, sessionAttributes0,
+ sessionHandle1, keyPassword, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc != 0) {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("certifyx509: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ /* write response parameters for debug */
+ if ((rc == 0) && (addedToCertificateFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.addedToCertificate.t.buffer,
+ out.addedToCertificate.t.size,
+ addedToCertificateFilename);
+ }
+ if ((rc == 0) && (tbsDigestFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.tbsDigest.t.buffer,
+ out.tbsDigest.t.size,
+ tbsDigestFilename);
+ }
+ if ((rc == 0) && (signatureFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.signature,
+ (MarshalFunction_t)TSS_TPMT_SIGNATURE_Marshalu,
+ signatureFilename);
+ }
+ if (rc == 0) {
+ if (verbose) TSS_TPMT_SIGNATURE_Print(&out.signature, 0);
+ }
+ /* reform the signed certificate from the original input plus the response parameters */
+ if (rc == 0) {
+ rc = reformCertificate(x509Certificate,
+ useRsa,
+ &out.addedToCertificate,
+ &out.signature);
+ }
+ if (rc == 0) {
+ if (verbose) X509_print_fp(stdout, x509Certificate); /* for debug */
+ rc = convertX509ToDer(&x509DerLength,
+ &x509Der, /* freed @2 */
+ x509Certificate);
+ }
+ if ((rc == 0) && (outCertificateFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(x509Der, x509DerLength,
+ outCertificateFilename);
+ }
+ if (x509Certificate != NULL) {
+ X509_free(x509Certificate); /* @1 */
+ }
+ free(x509Der); /* @2 */
+ return rc;
+}
+
+/* example of a 20 year validity */
+#define CERT_DURATION (60 * 60 * 24 * ((365 * 20) + 5)) /* +5 for leap years */
+
+/* in this test, the issuer and subject are the same, making a self signed certificate. This is
+ simply so that openssl can be used to verify the certificate signature.
+ */
+
+char *issuerEntries[] = {
+ "US" ,
+ "NY" ,
+ "Yorktown" ,
+ "IBM" ,
+ NULL ,
+ "CA" ,
+ NULL
+};
+
+char *subjectEntries[] = {
+ "US" ,
+ "NY" ,
+ "Yorktown" ,
+ "IBM" ,
+ NULL ,
+ "Subject" ,
+ NULL
+};
+
+/* createPartialCertificate() forms the partialCertificate DER. It starts with an empty X509
+ structure and adds the needed parameters. Then (in a total hack), converts the X509 structure to
+ DER, parses the DER field by field, and outputs just the fields required for the
+ partialCertificate parameter.
+
+ subeqiss FALSE: subject name is independent of issuer name
+ subeqiss TRUE: subject name is the same as the issuer name
+*/
+
+TPM_RC createPartialCertificate(X509 *x509Certificate, /* input / output */
+ uint8_t *partialCertificateDer, /* output */
+ uint16_t *partialCertificateDerLength,
+ size_t partialCertificateDerSize,
+ const char *keyUsage,
+ uint32_t tpmaObject,
+ int addTpmaObject,
+ int subeqiss) /* subject variation */
+{
+ TPM_RC rc = 0;
+ int irc;
+ ASN1_TIME *arc; /* return code */
+
+ X509_NAME *x509IssuerName = NULL; /* composite issuer name, key/value pairs */
+ X509_NAME *x509SubjectName = NULL;/* composite subject name, key/value pairs */
+ size_t issuerEntriesSize = sizeof(issuerEntries)/sizeof(char *);
+ size_t subjectEntriesSize = sizeof(subjectEntries)/sizeof(char *);
+
+ uint32_t certificateDerLength = 0;
+ uint8_t *certificateDer = NULL;
+
+ partialCertificateDerSize = partialCertificateDerSize; /* FIXME needs size check */
+
+ /* add certificate version X509 v3 */
+ if (rc == 0) {
+ irc = X509_set_version(x509Certificate, 2L); /* value 2 == v3 */
+ if (irc != 1) {
+ printf("createPartialCertificate: Error in X509_set_version\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* add issuer */
+ if (rc == 0) {
+ if (verbose) printf("createPartialCertificate: Adding issuer, size %lu\n",
+ (unsigned long)issuerEntriesSize);
+ rc = createX509Name(&x509IssuerName,
+ issuerEntriesSize,
+ issuerEntries);
+ }
+ if (rc == 0) {
+ irc = X509_set_issuer_name(x509Certificate, x509IssuerName);
+ if (irc != 1) {
+ printf("createPartialCertificate: Error setting issuer\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* add validity */
+ if (rc == 0) {
+ /* can't fail, just returns a structure member */
+ ASN1_TIME *notBefore = X509_get_notBefore(x509Certificate);
+ arc = X509_gmtime_adj(notBefore ,0L); /* set to today */
+ if (arc == NULL) {
+ printf("createPartialCertificate: Error setting notBefore time\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ /* can't fail, just returns a structure member */
+ ASN1_TIME *notAfter = X509_get_notAfter(x509Certificate);
+ arc = X509_gmtime_adj(notAfter, CERT_DURATION); /* set to duration */
+ if (arc == NULL) {
+ printf("createPartialCertificate: Error setting notAfter time\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* add subject */
+ if (rc == 0) {
+ /* normal case */
+ if (!subeqiss) {
+ if (verbose) printf("createPartialCertificate: Adding subject, size %lu\n",
+ (unsigned long)subjectEntriesSize);
+ rc = createX509Name(&x509SubjectName,
+ subjectEntriesSize,
+ subjectEntries);
+ }
+ /* special case, self signed CA, make the subject the same as the issuer */
+ else {
+ if (verbose) printf("createPartialCertificate: Adding subject (issuer), size %lu\n",
+ (unsigned long)issuerEntriesSize);
+ rc = createX509Name(&x509SubjectName,
+ issuerEntriesSize,
+ issuerEntries);
+ }
+ }
+ if (rc == 0) {
+ irc = X509_set_subject_name(x509Certificate, x509SubjectName);
+ if (irc != 1) {
+ printf("createPartialCertificate: Error setting subject\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* add some certificate extensions, requires corresponding bits in subject key */
+ if (rc == 0) {
+ if (verbose) printf("createPartialCertificate: Adding extensions\n");
+ rc = addCertExtension(x509Certificate,
+ NID_key_usage, keyUsage);
+ }
+ /* optional TPMA_OBJECT extension */
+ /* From TCG OID registry tcg-tpmaObject 2.23.133.10.1.1.1 */
+ if (rc == 0) {
+ if (addTpmaObject) {
+ rc = addCertExtensionTpmaOid(x509Certificate, tpmaObject);
+ }
+ }
+ /* convertX509ToDer() serializes the openSSL X509 structure to a DER certificate stream */
+ if (rc == 0) {
+ rc = convertX509ToDer(&certificateDerLength,
+ &certificateDer, /* freed @4 */
+ x509Certificate); /* input */
+ }
+ /* for debug. The structure is incomplete and so will trace with errors */
+ if (rc == 0) {
+ if (verbose) printf("createPartialCertificate: Trace preliminary certificate\n");
+ if (verbose) X509_print_fp(stdout, x509Certificate);
+ }
+#if 1
+ /* for debug. Use dumpasn1 to view the incomplete certificate */
+ if (rc == 0) {
+ rc = TSS_File_WriteBinaryFile(certificateDer, certificateDerLength , "tmpx509i.bin");
+ }
+#endif
+ /* extract the partialCertificate DER from the X509 DER */
+ if (rc == 0) {
+ rc = convertCertToPartialCert(partialCertificateDerLength,
+ partialCertificateDer, /* output partial */
+ certificateDerLength,
+ certificateDer); /* input X509 */
+ }
+ free(certificateDer); /* @4 */
+ return rc;
+}
+
+/* addCertExtension() adds the tpmaObject extension oid to the X509 certificate
+
+ */
+
+TPM_RC addCertExtensionTpmaOid(X509 *x509Certificate, uint32_t tpmaObject)
+{
+ TPM_RC rc = 0;
+ X509_EXTENSION *extension = NULL; /* freed @1 */
+
+
+ uint8_t tpmaObjectOid[] = {0x06, 0x07, 0x67, 0x81, 0x05, 0x0A, 0x01, 0x01, 0x01};
+ const uint8_t *tmpOidPtr;
+
+ /* BIT STRING 0x03 length 5 no padding 0, 4 dummy bytes of TPMA_OBJECT */
+ uint8_t tpmaObjectData[] = {0x03, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00};
+ ASN1_OBJECT *object = NULL;
+ ASN1_OCTET_STRING *osData = NULL;
+ uint8_t *tmpOdPtr;
+ uint32_t tpmaObjectNbo = htonl(tpmaObject);
+
+ if (rc == 0) {
+ tmpOidPtr = tpmaObjectOid;
+ object = d2i_ASN1_OBJECT(NULL, &tmpOidPtr, sizeof(tpmaObjectOid)); /* freed @2 */
+ if (object == NULL) {
+ printf("d2i_ASN1_OBJECT failed\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ osData = ASN1_OCTET_STRING_new(); /* freed @3 */
+ if (osData == NULL) {
+ printf("d2i_ASN1_OCTET_STRING failed\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ tmpOdPtr = tpmaObjectData;
+ memcpy(tmpOdPtr + 3, &tpmaObjectNbo, sizeof(uint32_t));
+ ASN1_OCTET_STRING_set(osData, tmpOdPtr, sizeof (tpmaObjectData));
+ }
+ if (rc == 0) {
+ extension = X509_EXTENSION_create_by_OBJ(NULL, /* freed @1 */
+ object,
+ 0, /* int crit */
+ osData);
+ if (extension == NULL) {
+ printf("X509_EXTENSION_create_by_OBJ failed\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ int irc = X509_add_ext(x509Certificate, /* the certificate */
+ extension, /* the extension to add */
+ -1); /* location - append */
+ if (irc != 1) {
+ printf("addCertExtension: Error adding oid to extension\n");
+ }
+ }
+ if (extension != NULL) {
+ X509_EXTENSION_free(extension); /* @1 */
+ }
+ if (object != NULL) {
+ ASN1_OBJECT_free(object); /* @2 */
+ }
+ if (osData != NULL) {
+ ASN1_OCTET_STRING_free(osData); /* @3 */
+ }
+ return rc;
+}
+
+
+/* convertCertToPartialCert() extracts the partialCertificate DER from the X509 DER
+
+ It assumes that the input is well formed and has exactly the fields required.
+*/
+
+TPM_RC convertCertToPartialCert(uint16_t *partialCertificateDerLength,
+ uint8_t *partialCertificateDer,
+ uint16_t certificateDerLength,
+ uint8_t *certificateDer)
+{
+ TPM_RC rc = 0;
+ uint16_t certificateDerIndex = 0; /* index into the DER input */
+
+
+ certificateDerLength = certificateDerLength; /* FIXME for future error checking */
+ *partialCertificateDerLength = 0; /* updates on each call */
+
+ /* skip the outer SEQUENCE wrapper */
+ if (rc == 0) {
+ if (verbose) printf("convertCertToPartialCert: Skip outer SEQUENCE wrapper\n");
+ rc = skipSequence(&certificateDerIndex, certificateDer);
+ }
+ /* skip the inner SEQUENCE wrapper, will be back filled with the total length */
+ if (rc == 0) {
+ if (verbose) printf("convertCertToPartialCert: Skip inner SEQUENCE wrapper\n");
+ rc = skipSequence(&certificateDerIndex, certificateDer);
+ }
+ /* skip the a3 wrapping the version */
+ if (rc == 0) {
+ if (verbose) printf("convertCertToPartialCert: Skip a3 version wrapper\n");
+ rc = copyType(0xa0, NULL, NULL, /* NULL says to skip */
+ &certificateDerIndex, certificateDer);
+ }
+ /* skip the integer (version) */
+ if (rc == 0) {
+ if (verbose) printf("convertCertToPartialCert: Skip version\n");
+ rc = copyType(0x02, NULL, NULL, /* NULL says to skip */
+ &certificateDerIndex, certificateDer);
+ }
+ /* skip the sequence (serial number) */
+ if (rc == 0) {
+ if (verbose) printf("convertCertToPartialCert: Skip serial number\n");
+ rc = copyType(0x30, NULL, NULL, /* NULL says to skip */
+ &certificateDerIndex, certificateDer);
+ }
+ /* copy the next SEQUENCE, issuer */
+ if (rc == 0) {
+ if (verbose) printf("convertCertToPartialCert: Copy issuer\n");
+ rc = copyType(0x30, partialCertificateDerLength, partialCertificateDer,
+ &certificateDerIndex, certificateDer);
+ }
+ /* copy the next SEQUENCE, validity */
+ if (rc == 0) {
+ if (verbose) printf("convertCertToPartialCert: Copy validity\n");
+ rc = copyType(0x30, partialCertificateDerLength, partialCertificateDer,
+ &certificateDerIndex, certificateDer);
+ }
+ /* copy the next SEQUENCE, subject */
+ if (rc == 0) {
+ if (verbose) printf("convertCertToPartialCert: Copy subject\n");
+ rc = copyType(0x30, partialCertificateDerLength, partialCertificateDer,
+ &certificateDerIndex, certificateDer);
+ }
+ /* skip the SEQUENCE (public key) */
+ if (rc == 0) {
+ if (verbose) printf("convertCertToPartialCert: Skip public key\n");
+ rc = copyType(0x30, NULL, NULL, /* NULL says to skip */
+ &certificateDerIndex, certificateDer);
+ }
+ /* copy the a3 and encapsulating sequence */
+ if (rc == 0) {
+ if (verbose) printf("convertCertToPartialCert: Copy a3 extensions\n");
+ rc = copyType(0xa3, partialCertificateDerLength, partialCertificateDer,
+ &certificateDerIndex, certificateDer);
+ }
+ /* shift and back fill the sequence length */
+ if (rc == 0) {
+ rc = prependSequence(partialCertificateDerLength, partialCertificateDer);
+ }
+ return rc;
+}
+
+/* reformCertificate() starts with the X509 certificate used as the input partialCertificate
+ parameter plus a few fields like the version. It adds the output addedToCertificate and
+ signature values to reform the X509 certificate that the TPM signed.
+*/
+
+TPM_RC reformCertificate(X509 *x509Certificate,
+ int useRsa,
+ TPM2B_MAX_BUFFER *addedToCertificate,
+ TPMT_SIGNATURE *tSignature)
+{
+ TPM_RC rc = 0;
+ unsigned char *tmpAddedToCert = NULL;
+ /* size_t tmpAddedToCertLength = 0; FIXME better to sanity check length */
+
+ /* the index increments, so this function must parse the addedToCertificate in its order */
+ uint16_t tmpAddedToCertIndex = 0;
+
+ tmpAddedToCert = addedToCertificate->t.buffer;
+ /* tmpAddedToCertLength = addedToCertificate->t.size; */
+
+ /* add serial number */
+ if (rc == 0) {
+ rc = addSerialNumber(x509Certificate,
+ tmpAddedToCert,
+ &tmpAddedToCertIndex);
+ }
+ if (useRsa) {
+ /* add public key algorithm and public key */
+ if (rc == 0) {
+ rc = addPubKeyRsa(x509Certificate,
+ tmpAddedToCert,
+ &tmpAddedToCertIndex);
+ }
+ /* add certificate signature */
+ if (rc == 0) {
+ rc = addSignatureRsa(x509Certificate, tSignature);
+ }
+ }
+ else {
+ /* add public key */
+ if (rc == 0) {
+ rc = addPubKeyEcc(x509Certificate,
+ tmpAddedToCert,
+ &tmpAddedToCertIndex);
+ }
+ /* add certificate signature */
+ if (rc == 0) {
+ rc = addSignatureEcc(x509Certificate, tSignature);
+ }
+ }
+ return rc;
+}
+
+/* addSerialNumber() is the first call from reforming the certificate. tmpAddedToCertIndex will be
+ 0.
+
+ After the call, tmpAddedToCertIndex will point after the serial number.
+*/
+
+TPM_RC addSerialNumber(X509 *x509Certificate,
+ unsigned char *tmpAddedToCert,
+ uint16_t *tmpAddedToCertIndex)
+{
+ TPM_RC rc = 0;
+ ASN1_INTEGER *x509Serial; /* certificate serial number in ASN1 */
+ BIGNUM *x509SerialBN; /* certificate serial number as a BIGNUM */
+ unsigned char x509SerialBin[1048]; /* certificate serial number in binary */
+ uint16_t integerLength = 0;
+
+ /* FIXME check the size */
+
+ x509SerialBN = NULL;
+
+ /* skip outer sequence */
+ if (rc == 0) {
+ rc = skipSequence(tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* skip version */
+ if (rc == 0) {
+ rc = copyType(0xa0, NULL, NULL, /* NULL says to skip */
+ tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* get integer serial number from addedToCertificate */
+ if (rc == 0) {
+ rc = getInteger(&integerLength, x509SerialBin,
+ tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* convert the integer stream to a BIGNUM */
+ if (rc == 0) {
+ x509SerialBN = BN_bin2bn(x509SerialBin, integerLength, x509SerialBN); /* freed @1 */
+ if (x509SerialBN == NULL) {
+ printf("addSerialNumber: Error in serial number BN_bin2bn\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* add it into the final certificate */
+ if (rc == 0) {
+ /* get the serial number structure member, can't fail */
+ x509Serial = X509_get_serialNumber(x509Certificate);
+ /* convert the BIGNUM to ASN1 and add to X509 certificate */
+ x509Serial = BN_to_ASN1_INTEGER(x509SerialBN, x509Serial);
+ if (x509Serial == NULL) {
+ printf("addSerialNumber: Error setting certificate serial number\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (x509SerialBN != NULL) BN_clear_free(x509SerialBN ); /* @1 */
+ return rc;
+}
+
+/* addPubKeyRsa() adds the public key to the certificate. tmpAddedToCertIndex must point to the
+ public key.
+ */
+
+TPM_RC addPubKeyRsa(X509 *x509Certificate,
+ unsigned char *tmpAddedToCert,
+ uint16_t *tmpAddedToCertIndex)
+{
+ TPM_RC rc = 0;
+ TPM2B_PUBLIC_KEY_RSA tpm2bRsa;
+ uint16_t dataLength;
+
+ /* skip the SEQUENCE with the Signature Algorithm object identifier */
+ if (rc == 0) {
+ rc = copyType(0x30, NULL, NULL, /* NULL says to skip */
+ tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* skip the SEQUENCE wrapper for the Subject Public Key Info */
+ if (rc == 0) {
+ rc = skipSequence(tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* skip the SEQUENCE Public Key Algorithm */
+ if (rc == 0) {
+ rc = copyType(0x30, NULL, NULL, /* NULL says to skip */
+ tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* skip the BIT STRING intoduction to the public key */
+ if (rc == 0) {
+ rc = skipBitString(&dataLength, tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* skip the SEQUENCE wrapper for the public key */
+ if (rc == 0) {
+ rc = skipSequence(tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* get the integer public modulus FIXME missing length check */
+ if (rc == 0) {
+ rc = getInteger(&tpm2bRsa.t.size, tpm2bRsa.t.buffer,
+ tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ if (rc == 0) {
+ rc = addCertKeyRsa(x509Certificate,
+ &tpm2bRsa); /* certified public key */
+ }
+ /* skip the INTEGER public exponent - should not matter since it's the last item */
+ /* FIXME test for 010001 */
+ if (rc == 0) {
+ uint16_t dummy;
+ rc = getInteger(&dummy, NULL,
+ tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ return rc;
+}
+
+/* addPubKeyEcc() adds the public key to the certificate. tmpAddedToCertIndex must point to the
+ public key.
+*/
+
+
+TPM_RC addPubKeyEcc(X509 *x509Certificate,
+ unsigned char *tmpAddedToCert,
+ uint16_t *tmpAddedToCertIndex)
+{
+ TPM_RC rc = 0;
+ uint16_t dataLength;
+ TPMS_ECC_POINT tpmsEccPoint;
+
+ /* skip the SEQUENCE with the Signature Algorithm object identifier ecdsaWithSHA256 */
+ if (rc == 0) {
+ rc = copyType(0x30, NULL, NULL, /* NULL says to skip */
+ tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* skip the SEQUENCE wrapper for the Subject Public Key Info */
+ if (rc == 0) {
+ rc = skipSequence(tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* skip the SEQUENCE Public Key Algorithm */
+ if (rc == 0) {
+ rc = copyType(0x30, NULL, NULL, /* NULL says to skip */
+ tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* skip the BIT STRING intoduction to the public key */
+ if (rc == 0) {
+ rc = skipBitString(&dataLength, tmpAddedToCertIndex, tmpAddedToCert);
+ }
+ /* the next bytes are the 04, x and y */
+ if (rc == 0) {
+
+ /* FIXME check that dataLength is 65 */
+
+ *tmpAddedToCertIndex += 1; /* skip the 0x04 compression byte */
+
+ tpmsEccPoint.x.t.size = 32;
+ memcpy(tpmsEccPoint.x.t.buffer, tmpAddedToCert + *tmpAddedToCertIndex, 32);
+ *tmpAddedToCertIndex += 32;
+
+ tpmsEccPoint.y.t.size = 32;
+ memcpy(tpmsEccPoint.y.t.buffer, tmpAddedToCert + *tmpAddedToCertIndex, 32);
+ *tmpAddedToCertIndex += 32;
+
+ rc = addCertKeyEcc(x509Certificate, &tpmsEccPoint);
+ }
+ return rc;
+}
+
+/* addSignatureRsa() copies the TPMT_SIGNATURE output of the TPM2_CertifyX509 command to the X509
+ certificate.
+ */
+
+TPM_RC addSignatureRsa(X509 *x509Certificate,
+ TPMT_SIGNATURE *tSignature)
+{
+ TPM_RC rc = 0;
+ int irc;
+ X509_ALGOR *signatureAlgorithm = NULL;
+ X509_ALGOR *certSignatureAlgorithm = NULL;
+ ASN1_BIT_STRING *asn1Signature = NULL;
+
+ /* FIXME check sign length */
+
+ if (rc == 0) {
+ certSignatureAlgorithm = (X509_ALGOR *)X509_get0_tbs_sigalg(x509Certificate);
+ X509_get0_signature((OSSLCONST ASN1_BIT_STRING**)&asn1Signature,
+ (OSSLCONST X509_ALGOR **)&signatureAlgorithm,
+ x509Certificate);
+ }
+ /* set the algorithm in the top level structure */
+ if (rc == 0) {
+ X509_ALGOR_set0(signatureAlgorithm,
+ OBJ_nid2obj(NID_sha256WithRSAEncryption), V_ASN1_NULL, NULL);
+ }
+ /* set the algorithm in the to be signed structure */
+ if (rc == 0) {
+ X509_ALGOR_set0(certSignatureAlgorithm,
+ OBJ_nid2obj(NID_sha256WithRSAEncryption), V_ASN1_NULL, NULL);
+ }
+ /* ASN1_BIT_STRING x509Certificate->signature contains a BIT STRING with the RSA signature */
+ if (rc == 0) {
+ irc = ASN1_BIT_STRING_set(asn1Signature,
+ tSignature->signature.rsassa.sig.t.buffer,
+ tSignature->signature.rsassa.sig.t.size);
+ asn1Signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
+ asn1Signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
+ if (irc == 0) {
+ printf("addSignatureRsa: Error in ASN1_BIT_STRING_set for signature\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ return rc;
+}
+
+/* addSignatureEcc() copies the TPMT_SIGNATURE output of the TPM2_CertifyX509 command to the X509
+ certificate.
+*/
+
+TPM_RC addSignatureEcc(X509 *x509Certificate,
+ TPMT_SIGNATURE *tSignature)
+{
+ TPM_RC rc = 0;
+ int irc;
+ X509_ALGOR *signatureAlgorithm = NULL;
+ X509_ALGOR *certSignatureAlgorithm = NULL;
+ ASN1_BIT_STRING *asn1Signature = NULL;
+ BIGNUM *rSig = NULL;
+ BIGNUM *sSig = NULL;
+ ECDSA_SIG *ecdsaSig = NULL;
+ unsigned char *ecdsaSigBin = NULL;
+ int ecdsaSigBinLength;
+
+ /* FIXME check sign length */
+
+ if (rc == 0) {
+ certSignatureAlgorithm = (X509_ALGOR *)X509_get0_tbs_sigalg(x509Certificate);
+ X509_get0_signature((OSSLCONST ASN1_BIT_STRING**)&asn1Signature,
+ (OSSLCONST X509_ALGOR **)&signatureAlgorithm,
+ x509Certificate);
+ }
+ /* set the algorithm in the top level structure */
+ if (rc == 0) {
+ X509_ALGOR_set0(signatureAlgorithm,
+ OBJ_nid2obj(NID_ecdsa_with_SHA256), V_ASN1_UNDEF, NULL);
+ }
+ /* set the algorithm in the to be signed structure */
+ if (rc == 0) {
+ X509_ALGOR_set0(certSignatureAlgorithm,
+ OBJ_nid2obj(NID_ecdsa_with_SHA256), V_ASN1_UNDEF, NULL);
+ }
+ /* ASN1_BIT_STRING x509Certificate->signature contains a sequence with two INTEGER, R and S */
+ /* construct DER and then ASN1_BIT_STRING_set into X509 */
+ if (rc == 0) {
+ rSig = BN_new();
+ if (rSig == NULL) {
+ printf("addSignatureEcc: BN_new() failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ sSig = BN_new();
+ if (sSig == NULL) {
+ printf("addSignatureEcc: BN_new() failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ rSig = BN_bin2bn(tSignature->signature.ecdsa.signatureR.b.buffer,
+ tSignature->signature.ecdsa.signatureR.b.size, rSig);
+ if (rSig == NULL) {
+ printf("addSignatureEcc: Error in BN_bin2bn\n");
+ rc = TSS_RC_BIGNUM;
+ }
+ }
+ if (rc == 0) {
+ sSig = BN_bin2bn(tSignature->signature.ecdsa.signatureS.b.buffer,
+ tSignature->signature.ecdsa.signatureS.b.size, sSig);
+ if (sSig == NULL) {
+ printf("addSignatureEcc: Error in BN_bin2bn\n");
+ rc = TSS_RC_BIGNUM;
+ }
+ }
+ if (rc == 0) {
+ ecdsaSig = ECDSA_SIG_new(); /* freed @1 */
+ if (ecdsaSig == NULL) {
+ printf("addSignatureEcc: ECDSA_SIG_new() failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ irc = ECDSA_SIG_set0(ecdsaSig, rSig, sSig);
+ if (irc != 1) {
+ printf("addSignatureEcc: Error in ECDSA_SIG_set0\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* serialize the signature to DER */
+ if (rc == 0) {
+ ecdsaSigBinLength = i2d_ECDSA_SIG(ecdsaSig, &ecdsaSigBin); /* freed @2 */
+ if (ecdsaSigBinLength < 0) {
+ printf("addSignatureEcc: Error in signature serialization i2d_ECDSA_SIG()\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* add the DER signature to the certificate */
+ if (rc == 0) {
+ irc = ASN1_BIT_STRING_set(asn1Signature,
+ ecdsaSigBin,
+ ecdsaSigBinLength);
+ asn1Signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
+ asn1Signature->flags|=ASN1_STRING_FLAG_BITS_LEFT;
+ if (irc == 0) {
+ printf("addSignatureEcc: Error in ASN1_BIT_STRING_set for signature\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* freed by ECDSA_SIG_free */
+ if (ecdsaSig == NULL) {
+ BN_free(rSig);
+ BN_free(sSig);
+ }
+ ECDSA_SIG_free(ecdsaSig); /* @1 */
+ OPENSSL_free(ecdsaSigBin); /* @2 */
+ return rc;
+}
+
+/* getDataLength() checks the type, gets the length of the wrapper and following data */
+
+TPM_RC getDataLength(uint8_t type, /* expected type */
+ uint16_t *wrapperLength, /* wrapper */
+ uint16_t *dataLength, /* data */
+ uint16_t *certificateDerIndex,
+ uint8_t *certificateDer)
+{
+ TPM_RC rc = 0;
+ uint32_t i = 0;
+ uint16_t lengthLength = 0; /* number of length bytes */
+
+ /* validate the wrapper type */
+ if (rc == 0) {
+ if (certificateDer[*certificateDerIndex] != type) {
+ printf("getDataLength: index %u expect %02x actual %02x\n",
+ *certificateDerIndex, type, certificateDer[*certificateDerIndex]);
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* get the length */
+ if (rc == 0) {
+ /* long form length starts with the 'length of the length' */
+ if ((certificateDer[*certificateDerIndex + 1] & 0x80)) {
+ lengthLength = certificateDer[*certificateDerIndex + 1] & 0x7f;
+ if (lengthLength <= sizeof(*dataLength)) {
+
+ *dataLength = 0;
+ for (i = 0 ; i < lengthLength ; i++) {
+ *dataLength <<= (i * 8);
+ *dataLength += certificateDer[*certificateDerIndex + 2 + i];
+ }
+ }
+ else {
+ printf("getDataLength: lengthLength %u too large for uint16_t\n", lengthLength);
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* short form length is in byte following type */
+ else {
+ *dataLength = certificateDer[*certificateDerIndex + 1] & 0x7f;
+ }
+ }
+ if (rc == 0) {
+ *wrapperLength = 2 + lengthLength;
+ if (verbose) printf("getDataLength: wrapperLength %u dataLength %u\n",
+ *wrapperLength, *dataLength);
+ }
+ return rc;
+}
+
+/* skipSequence() moves the certificateDerIndex past the SEQUENCE and its length. I.e., it just
+ skips the wrapper, not the contents
+*/
+
+TPM_RC skipSequence(uint16_t *certificateDerIndex, uint8_t *certificateDer)
+{
+ TPM_RC rc = 0;
+ uint16_t wrapperLength;
+ uint16_t dataLength;
+
+ if (rc == 0) {
+ rc = getDataLength(0x30, /* variable length SEQUENCE */
+ &wrapperLength,
+ &dataLength,
+ certificateDerIndex, certificateDer);
+ }
+ if (rc == 0) {
+ *certificateDerIndex += wrapperLength;
+ }
+ return rc;
+}
+
+/* skipBitString() moves the certificateDerIndex past the BIT STRING, its length, and its padding,
+ not the contents
+*/
+
+TPM_RC skipBitString(uint16_t *dataLength,
+ uint16_t *certificateDerIndex, uint8_t *certificateDer)
+{
+ TPM_RC rc = 0;
+ uint16_t wrapperLength;
+
+ if (rc == 0) {
+ rc = getDataLength(0x03, /* BIT STRING */
+ &wrapperLength,
+ dataLength,
+ certificateDerIndex, certificateDer);
+ }
+ if (rc == 0) {
+ *certificateDerIndex += wrapperLength;
+ *certificateDerIndex += 1; /* BIT STRING padding */
+ }
+ return rc;
+}
+
+/* copyType() copies the type at certificateDerIndex to partialCertificateDer.
+
+ certificateDerIndex and partialCertificateDerLength are updated
+*/
+
+TPM_RC copyType(uint8_t type, /* expected type */
+ uint16_t *partialCertificateDerLength, uint8_t *partialCertificateDer,
+ uint16_t *certificateDerIndex, uint8_t *certificateDer)
+{
+ TPM_RC rc = 0;
+ uint16_t wrapperLength = 0;
+ uint16_t dataLength = 0;
+
+ if (rc == 0) {
+ rc = getDataLength(type,
+ &wrapperLength,
+ &dataLength,
+ certificateDerIndex, certificateDer);
+ }
+ if (rc == 0) {
+ if (partialCertificateDer != NULL) {
+ memcpy(partialCertificateDer + *partialCertificateDerLength,
+ &(certificateDer[*certificateDerIndex]),
+ wrapperLength + dataLength);
+ *partialCertificateDerLength += wrapperLength + dataLength;
+ }
+ *certificateDerIndex += wrapperLength + dataLength;
+ }
+ return rc;
+}
+
+/* getInteger() copies the INTEGER data (not including the wrapper) to integerStream.
+
+ certificateDerIndex is updated.
+*/
+
+TPM_RC getInteger(uint16_t *integerDataLength, unsigned char *integerStream,
+ uint16_t *certificateDerIndex, unsigned char *certificateDer)
+{
+ TPM_RC rc = 0;
+ uint16_t wrapperLength = 0;
+
+ if (rc == 0) {
+ rc = getDataLength(0x02, /* INTEGER */
+ &wrapperLength,
+ integerDataLength,
+ certificateDerIndex, certificateDer);
+ }
+ if (rc == 0) {
+ if (integerStream != NULL) {
+ memcpy(integerStream,
+ certificateDer + *certificateDerIndex + wrapperLength,
+ *integerDataLength);
+ }
+ *certificateDerIndex += wrapperLength + *integerDataLength;
+ }
+ return rc;
+}
+
+/* prependSequence() shifts the DER down and back fills the SEQUENCE and length */
+
+TPM_RC prependSequence(uint16_t *partialCertificateDerLength, uint8_t *partialCertificateDer)
+{
+ TPM_RC rc = 0;
+ uint16_t prefixLength;
+ uint16_t lengthLength = 0;
+ uint16_t i = 0;
+
+ if (verbose) printf("prependSequence: total length %u %04x\n",
+ *partialCertificateDerLength, *partialCertificateDerLength);
+ /* calculate the number of prepended bytes */
+ if (rc == 0) {
+ /* long form length when greater than 7f */
+ if ((*partialCertificateDerLength) > 0x7f) {
+ lengthLength = (*partialCertificateDerLength / 0x100) + 1; /* +1 to round up */
+ prefixLength = 2 + lengthLength; /* SEQUENCE + length of length + length bytes */
+ }
+ /* short form length when up to 7f */
+ else {
+ prefixLength = 2; /* SEQUENCE + length byte */
+ }
+ }
+ /* shift the partialCertificateDer down by prefix length */
+ if (rc == 0) {
+ memmove(partialCertificateDer + prefixLength,
+ partialCertificateDer,
+ *partialCertificateDerLength);
+ }
+ /* construct the prefix */
+ if (rc == 0) {
+ partialCertificateDer[0] = 0x30; /* SEQUENCE */
+ /* long form length */
+ if (lengthLength > 0) {
+ partialCertificateDer[1] = 0x80 + lengthLength; /* byte 1 bit 7 set for long form */
+ for (i = 0 ; i < lengthLength ; i++) { /* start at byte 2 */
+ partialCertificateDer[2 + i] = /* add length bytes */
+ (*partialCertificateDerLength >> ((lengthLength - i - 1) * 8)) & 0xff;
+ }
+ }
+ /* short form length */
+ else {
+ /* just length for short form, cast safe bacause of above test */
+ partialCertificateDer[1] = (uint8_t)*partialCertificateDerLength;
+ }
+ *partialCertificateDerLength += prefixLength; /* adjust the total length of the DER */
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("certifyx509\n");
+ printf("\n");
+ printf("Runs TPM2_Certifyx509\n");
+ printf("\n");
+ printf("\t-ho\tobject handle\n");
+ printf("\t[-pwdo\tpassword for object (default empty)]\n");
+ printf("\t-hk\tcertifying key handle\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t[-halg\t(sha1, sha256, sha384 sha512) (default sha256)]\n");
+ printf("\t[-salg\tsignature algorithm (rsa, ecc) (default rsa)]\n");
+
+ printf("\t[-ku\tX509 key usage - string - comma separated, no spaces]\n");
+ printf("\t[-iob\tTPMA_OBJECT - 4 byte hex]\n");
+ printf("\t\te.g. sign: critical,digitalSignature,keyCertSign,cRLSign (default)\n");
+ printf("\t\te.g. decrypt: critical,dataEncipherment,keyAgreement,encipherOnly,decipherOnly\n");
+ printf("\t\te.g. fixedTPM: critical,nonRepudiation\n");
+ printf("\t\te.g. parent (restrict decrypt): critical,keyEncipherment\n");
+
+ printf("\t[-bit\tbit in partialCertificate to toggle]\n");
+ printf("\t[-sub\tsubject same as issuer for self signed (root) certificate]\n");
+ printf("\t[-opc\tpartial certificate file name (default do not save)]\n");
+ printf("\t[-oa\taddedToCertificate file name (default do not save)]\n");
+ printf("\t[-otbs\tsigned tbsDigest file name (default do not save)]\n");
+ printf("\t[-os\tsignature file name (default do not save)]\n");
+ printf("\t[-ocert\t reconstructed certificate file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
+
+#endif /* TPM_TSS_MBEDTLS */
+
+#ifdef TPM_TSS_MBEDTLS
+
+int verbose;
+
+int main(int argc, char *argv[])
+{
+ argc = argc;
+ argv = argv;
+ printf("certifyx509 not supported with mbedtls yet\n");
+ return 0;
+}
+
+#endif /* TPM_TSS_MBEDTLS */
diff --git a/libstb/tss2/ibmtpm20tss/utils/changeeps.c b/libstb/tss2/ibmtpm20tss/utils/changeeps.c
new file mode 100644
index 0000000..157ec60
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/changeeps.c
@@ -0,0 +1,216 @@
+/********************************************************************************/
+/* */
+/* ChangeEPS */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ChangeEPS_In in;
+ const char *authPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ChangeEPS,
+ sessionHandle0, authPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("changeeps: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("changeeps: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("changeeps\n");
+ printf("\n");
+ printf("Runs TPM2_ChangeEPS\n");
+ printf("\n");
+ printf("\t-pwda\tauthorization password (default empty)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
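Review bot: The `sscanf(argv[i],"%x", &sessionHandle0)` calls behind `-se0`/`-se1`/`-se2` ignore the return value, so a non-hex argument (a typo, for instance) leaves the default `TPM_RS_PW` / `TPM_RH_NULL` in place and the command proceeds with a password session instead of failing; the attribute scans have the same gap, because the `> 0xff` range check runs on a value that a failed conversion never touched. TPM2_ChangeEPS replaces the endorsement primary seed and thereby invalidates every key derived from that hierarchy, so a silently mis-parsed session is worse here than an error: check the result, e.g. `if (sscanf(argv[i], "%x", &sessionHandle0) != 1) { printf("Bad parameter for -se0\n"); printUsage(); }`, and likewise for the five other scans. `%x` also strictly expects `unsigned int *`; if `TPMI_SH_AUTH_SESSION` is a `uint32_t` typedef, as in the TPM library headers, that is a format/type mismatch on any target where the two differ, whereas the attribute variables are already declared `unsigned int`. The `(rc == 0)` term in the option loop condition is dead, since nothing in the loop assigns `rc`.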
diff --git a/libstb/tss2/ibmtpm20tss/utils/changepps.c b/libstb/tss2/ibmtpm20tss/utils/changepps.c
new file mode 100644
index 0000000..8de39ff
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/changepps.c
@@ -0,0 +1,216 @@
+/********************************************************************************/
+/* */
+/* ChangePPS */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ChangePPS_In in;
+ const char *authPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ChangePPS,
+ sessionHandle0, authPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("changepps: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("changepps: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("changepps\n");
+ printf("\n");
+ printf("Runs TPM2_ChangePPS\n");
+ printf("\n");
+ printf("\t-pwda\tauthorization password (default empty)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
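Review bot: `-pwda` takes the platform authorization straight from the command line (`authPassword = argv[i]`), so the secret gating TPM2_ChangePPS is visible to every local user in the process list and is recorded in shell history, which matters more for a platform-hierarchy command than for the per-key utilities. The usage text gives no hint of this; I would at least add `printf("\t\t(a password given on the command line is visible to other local users)\n");` after the `-pwda` line in printUsage, and ideally accept the value from a file or environment variable as an alternative. With the default `TPM_RS_PW` session the authorization is also carried to the TPM as a plaintext password in the command's authorization area; since `-se0` already accepts an HMAC session handle, the usage could point operators to it for that reason. As a smaller point, the `sscanf(...,"%x",...)` results for the `-se` options are never checked, so a malformed handle silently keeps the password-session default.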
diff --git a/libstb/tss2/ibmtpm20tss/utils/clear.c b/libstb/tss2/ibmtpm20tss/utils/clear.c
new file mode 100644
index 0000000..ae9ce25
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/clear.c
@@ -0,0 +1,238 @@
+/********************************************************************************/
+/* */
+/* Clear */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Clear_In in;
+ char authHandleChar = 0;
+ const char *authPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ authHandleChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ if (authHandleChar == 'l') {
+ in.authHandle = TPM_RH_LOCKOUT;
+ }
+ else if (authHandleChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("Missing or illegal -hi\n");
+ printUsage();
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Clear,
+ sessionHandle0, authPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("clear: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("clear: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("clear\n");
+ printf("\n");
+ printf("Runs TPM2_Clear\n");
+ printf("\n");
+ printf("\t-hi\tauthhandle hierarchy (l, p)\n");
+ printf("\t\tl lockout, p platform\n");
+ printf("\t-pwda\tauthorization password (default empty)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
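Review bot: The `-hi` option keeps only the first character of its argument (`authHandleChar = argv[i][0]`), so anything starting with `l` or `p` is accepted without a diagnostic — `-hi lost` selects `TPM_RH_LOCKOUT`, `-hi pwd` selects `TPM_RH_PLATFORM` — and TPM2_Clear is about the most destructive command a typo can trigger. The usage text documents only the single letters, so the check can be tightened without breaking documented use: `if (strlen(argv[i]) != 1) { printf("Illegal -hi %s\n", argv[i]); printUsage(); }` before the assignment. An empty argument (`-hi ""`) currently yields `'\0'` and is correctly rejected by the "Missing or illegal -hi" branch, so that path is fine. The `sscanf(...,"%x",...)` calls for `-se0`..`-se2` are unchecked as well, so a malformed session handle silently falls back to the password-session default rather than aborting before the clear is issued.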
diff --git a/libstb/tss2/ibmtpm20tss/utils/clearcontrol.c b/libstb/tss2/ibmtpm20tss/utils/clearcontrol.c
new file mode 100644
index 0000000..9e2ad69
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/clearcontrol.c
@@ -0,0 +1,258 @@
+/********************************************************************************/
+/* */
+/* ClearControl */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ClearControl_In in;
+ char authHandleChar = 0;
+ const char *authPassword = NULL;
+ int state = 1;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ authHandleChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-state") == 0) {
+ i++;
+ if (i < argc) {
+ state = atoi(argv[i]);
+ }
+ else {
+ printf("-state option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ if (authHandleChar == 'l') {
+ in.auth = TPM_RH_LOCKOUT;
+ }
+ else if (authHandleChar == 'p') {
+ in.auth = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("Missing or illegal -hi\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ if (state != 0) {
+ in.disable = YES;
+ }
+ else {
+ in.disable = NO;
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ClearControl,
+ sessionHandle0, authPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("clearcontrol: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("clearcontrol: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("clearcontrol\n");
+ printf("\n");
+ printf("Runs TPM2_ClearControl\n");
+ printf("\n");
+ printf("\t-hi\tauthhandle hierarchy (l, p)\n");
+ printf("\t\tl lockout, p platform\n");
+ printf("\t-pwda\tauthorization password (default empty)\n");
+ printf("\t-state\t0 to disable, 1 to enable (default enable)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
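Review bot: `-state` is parsed with `atoi(argv[i])`, which cannot report an error, so `-state on` or any other non-numeric value yields 0 and the code sends `in.disable = NO`, i.e. it re-enables TPM2_Clear when the operator most likely intended the opposite; use `strtol` with an end-pointer check, e.g. `char *end; long v = strtol(argv[i], &end, 10);` / `if (argv[i][0] == '\0' || *end != '\0') { printf("-state needs a numeric value\n"); printUsage(); }` / `state = (int)v;`. The usage line `-state 0 to disable, 1 to enable (default enable)` is also easy to misread, because state 1 maps to `in.disable = YES`, which in TPM2_ClearControl sets disableClear and therefore blocks TPM2_Clear; I would spell that out: `\t-state\t1 sets disableClear (TPM2_Clear blocked), 0 clears it (TPM2_Clear allowed) (default 1)`. Any non-zero value (2, -1) is silently treated as 1 by the `state != 0` test; restricting the accepted values to 0 and 1 would make the intent explicit.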
diff --git a/libstb/tss2/ibmtpm20tss/utils/clockrateadjust.c b/libstb/tss2/ibmtpm20tss/utils/clockrateadjust.c
new file mode 100644
index 0000000..7edf41c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/clockrateadjust.c
@@ -0,0 +1,260 @@
+/********************************************************************************/
+/* */
+/* ClockRateAdjust */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <inttypes.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ClockRateAdjust_In in;
+ char hierarchyChar = 'p';
+ TPMI_RH_HIERARCHY authHandle = TPM_RH_PLATFORM;
+ const char *parentPassword = NULL;
+ TPM_CLOCK_ADJUST rateAdjust = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ parentPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-adj") == 0) {
+ i++;
+ if (i < argc) {
+ int tmp; /* sscanf with char is not portable */
+ sscanf(argv[i],"%d", &tmp);
+ rateAdjust = tmp;
+ }
+ else {
+ printf("Missing parameter for -adj\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ in.rateAdjust = rateAdjust;
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY authHandle */
+ if (rc == 0) {
+ if (hierarchyChar == 'o') {
+ authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ authHandle = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("Bad parameter %c for -hi\n", hierarchyChar);
+ printUsage();
+ }
+ in.auth = authHandle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ClockRateAdjust,
+ sessionHandle0, parentPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("clockrateadjust: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("clockrateadjust: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("clockrateadjust\n");
+ printf("\n");
+ printf("Runs TPM2_ClockRateAdjust\n");
+ printf("\n");
+ printf("\t[-hi\thierarchy auth (p, o) (default p)]\n");
+ printf("\t[-pwdp\thierarchy password (default empty)]\n");
+ printf("\t[-adj\trate adjust (default 0)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
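Review bot: The `-adj` parsing at L16617–L16619 assigns `tmp` to `rateAdjust` without checking the `sscanf` return, so a non-numeric argument leaves `tmp` uninitialized and an indeterminate value is sent in the command (undefined behavior in C); `int tmp = 0; if (sscanf(argv[i], "%d", &tmp) != 1) { printf("Bad parameter for -adj\n"); printUsage(); }` closes that. The assignment also narrows `int` to `TPM_CLOCK_ADJUST` silently, so a range check against the values the header defines for that type would give a clearer error than the TPM's response code. The same unchecked `sscanf` pattern is in the `-se0`/`-se1`/`-se2` handling here and in clockset.c and commit.c below, where a bad value silently leaves the session handle or attributes at their defaults.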
diff --git a/libstb/tss2/ibmtpm20tss/utils/clockset.c b/libstb/tss2/ibmtpm20tss/utils/clockset.c
new file mode 100644
index 0000000..cc6b15b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/clockset.c
@@ -0,0 +1,310 @@
+/********************************************************************************/
+/* */
+/* ClockSet */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <inttypes.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ClockSet_In in;
+ char hierarchyChar = 'p';
+ TPMI_RH_HIERARCHY authHandle = TPM_RH_PLATFORM;
+ const char *parentPassword = NULL;
+ uint64_t newClock = 0;
+ unsigned int addSec = 0;
+ const char *clockFilename = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ parentPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-clock") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%"SCNu64, &newClock);
+ }
+ else {
+ printf("Missing parameter for -clock\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-addsec") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%u", &addSec);
+ }
+ else {
+ printf("Missing parameter for -addsec\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-iclock") == 0) {
+ i++;
+ if (i < argc) {
+ clockFilename = argv[i];
+ }
+ else {
+ printf("-iclock option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((newClock == 0) && (clockFilename == NULL)) {
+ printf("Missing -clock or -iclock\n");
+ printUsage();
+ }
+ if ((newClock != 0) && (clockFilename != NULL)) {
+ printf("Cannot have both -clock and -iclock\n");
+ printUsage();
+ }
+ if ((rc == 0) && (newClock != 0)) {
+ in.newTime = newClock;
+ }
+ if ((rc == 0) && (clockFilename != NULL)) {
+ unsigned char *data = NULL;
+ size_t length;
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&data, &length, clockFilename); /* freed @1 */
+ }
+ if (rc == 0) {
+ if (length != sizeof(in.newTime)) {
+ printf("Clock file %s length %lu should be %lu\n",
+ clockFilename, (unsigned long)length, (unsigned long)sizeof(in.newTime));
+ }
+ }
+ if (rc == 0) {
+ memcpy((uint8_t *)&in.newTime, data, length);
+ }
+ free(data); /* @1 */
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY authHandle */
+ if (rc == 0) {
+ in.newTime += (addSec * 1000); /* new clock is in msec */
+ if (tssUtilsVerbose) printf("clockset: New clock %"PRIu64"\n", in.newTime);
+ if (hierarchyChar == 'o') {
+ authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ authHandle = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("Bad parameter %c for -hi\n", hierarchyChar);
+ printUsage();
+ }
+ in.auth = authHandle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ClockSet,
+ sessionHandle0, parentPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("clockset: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("clockset: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("clockset\n");
+ printf("\n");
+ printf("Runs TPM2_ClockSet\n");
+ printf("\n");
+ printf("\t-clock\t\tnew clock\n");
+ printf("\t-iclock\t\tnew clock file name\n");
+ printf("\t[-addsec\tseconds to add to new clock]\n");
+ printf("\t-hi\t\thierarchy (o, p) (default platform)\n");
+ printf("\t\to owner, p platform\n");
+ printf("\t-pwdp\t\tpassword for hierarchy (default empty)\n");
+ printf("\n");
+ printf("\t-se[0-2]\t session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
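Review bot: The length check at L17008–L17011 only prints a message and leaves `rc` at 0, so the `memcpy` at L17014 still runs with the file's `length` instead of `sizeof(in.newTime)`; a clock file longer than 8 bytes writes past `in.newTime` on the stack, and a shorter one leaves part of it uninitialized. Fail the command there by adding `rc = TSS_RC_FILE_READ;` after the `printf` (or whichever `TSS_RC_` value the other utilities use for a malformed input file) so the copy is skipped and `data` is still freed at @1. Separately, `addSec * 1000` at L17020 is evaluated in `unsigned int` before being widened, so it wraps for values above about 4.29 million seconds; `(uint64_t)addSec * 1000` avoids that. The raw `memcpy` also makes the `-iclock` file host-endian rather than marshaled, which is worth stating in the usage text at L17079.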
diff --git a/libstb/tss2/ibmtpm20tss/utils/commit.c b/libstb/tss2/ibmtpm20tss/utils/commit.c
new file mode 100644
index 0000000..b6c5600
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/commit.c
@@ -0,0 +1,395 @@
+/********************************************************************************/
+/* */
+/* Commit */
+/* Written by Bill Martin */
+/* Green Hills Integrity Software Services */
+/* */
+/* (c) Copyright IBM Corporation 2017 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+#include "objecttemplates.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Commit_In in;
+ Commit_Out out;
+ TPMI_DH_OBJECT signHandle = 0;
+ TPMA_OBJECT objectAttributes;
+ const char *s2Filename = NULL;
+ const char *y2Filename = NULL;
+ const char *dataFilename = NULL;
+ const char *Kfilename = NULL;
+ const char *Lfilename = NULL;
+ const char *Efilename = NULL;
+ const char *counterFilename = NULL;
+ const char *keyPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ objectAttributes.val = 0;
+ objectAttributes.val |= TPMA_OBJECT_NODA;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i], "-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &signHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-pt") == 0) {
+ i++;
+ if (i < argc) {
+ dataFilename = argv[i];
+ } else {
+ printf("-pt option needs a value\n");
+ printUsage();
+ }
+ }
+ // for inSensitive data s2 see stirrandom.c
+ // I think this is gX put in array form
+ else if (strcmp(argv[i],"-s2") == 0) {
+ i++;
+ if (i < argc) {
+ s2Filename = argv[i];
+ }
+ else {
+ printf("-s2 option needs a value\n");
+ printUsage();
+ }
+ }
+ // for inSensitive data y2 see stirrandom.c
+ // I think this is gX put in array form
+ else if (strcmp(argv[i],"-y2") == 0) {
+ i++;
+ if (i < argc) {
+ y2Filename = argv[i];
+ }
+ else {
+ printf("-y2 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-Kf") == 0) {
+ i++;
+ if (i < argc) {
+ Kfilename = argv[i];
+ } else {
+ printf("-Kf option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-Lf") == 0) {
+ i++;
+ if (i < argc) {
+ Lfilename = argv[i];
+ } else {
+ printf("-Lf option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-Ef") == 0) {
+ i++;
+ if (i < argc) {
+ Efilename = argv[i];
+ } else {
+ printf("-Ef option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-cf") == 0) {
+ i++;
+ if (i < argc) {
+ counterFilename = argv[i];
+ } else {
+ printf("-cf option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (signHandle == 0) {
+ printf("Missing handle parameter -hk\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ /* Handle of key that will perform signing */
+ in.signHandle = signHandle;
+ }
+ /* set P1 */
+ if (rc == 0) {
+ if (dataFilename != NULL) {
+ rc = TSS_File_ReadStructure(&in.P1,
+ (UnmarshalFunction_t)TSS_TPM2B_ECC_POINT_Unmarshalu,
+ dataFilename);
+ }
+ else {
+ in.P1.point.x.t.size = 0;
+ in.P1.point.y.t.size = 0;
+ }
+ }
+ /* set S2 */
+ if (rc == 0) {
+ if (s2Filename != NULL) {
+ rc = TSS_File_Read2B(&in.s2.b,
+ sizeof(in.s2.t.buffer),
+ s2Filename);
+ }
+ else {
+ in.s2.t.size = 0;
+ }
+ }
+ /* set y2 */
+ if (rc == 0) {
+ if (y2Filename != NULL) {
+ rc = TSS_File_Read2B(&in.y2.b,
+ sizeof(in.y2.t.buffer),
+ y2Filename);
+ }
+ else {
+ in.y2.t.size = 0;
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Commit,
+ sessionHandle0, keyPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (Kfilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.K,
+ (MarshalFunction_t)TSS_TPM2B_ECC_POINT_Marshalu,
+ Kfilename);
+
+
+ }
+ if ((rc == 0) && (Lfilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.L,
+ (MarshalFunction_t)TSS_TPM2B_ECC_POINT_Marshalu,
+ Lfilename);
+
+
+ }
+ if ((rc == 0) && (Efilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.E,
+ (MarshalFunction_t)TSS_TPM2B_ECC_POINT_Marshalu,
+ Efilename);
+
+
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("counter is %d\n", out.counter);
+ if (counterFilename != NULL) {
+ rc = TSS_File_WriteStructure(&out.counter,
+ (MarshalFunction_t)TSS_UINT16_Marshalu,
+ counterFilename);
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("commit: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("commit: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("commit\n");
+ printf("\n");
+ printf("Runs TPM2_Commit\n");
+ printf("\n");
+ printf("\t-hk\tkey handle\n");
+ printf("\t[-pt\tpoint input file name (default empty)]\n");
+ printf("\t[-s2\ts2 input file name (default empty)]\n");
+ printf("\t[-y2\ty2 input file name (default empty)]\n");
+ printf("\t[-Kf\tK output data file name (default do not save)]\n");
+ printf("\t[-Lf\toutput data file name (default do not save)]\n");
+ printf("\t[-Ef\toutput data file name (default do not save)]\n");
+ printf("\t[-cf\toutput counter file name (default do not save)]\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
+
+
+
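Review bot: `objectAttributes` declared at L17163 is assigned at L17184–L17185 and never read, so the declaration and both assignments can be dropped. The comments at L17207–L17208 and L17219–L17220 record a guess ("I think this is gX put in array form"); a committed comment should state the TPM2_Commit meaning, e.g. `/* s2: octet string used to derive the x coordinate of a second base point; y2: the y coordinate of that point (TPM 2.0 Part 3, TPM2_Commit) */`, or be removed. The usage lines at L17476–L17477 describe both `-Lf` and `-Ef` only as "output data file name"; `L output data file name` and `E output data file name` would match the `-Kf` line. The stray blank lines at L17423–L17424, L17430–L17431 and L17437–L17438 look like editing leftovers.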
diff --git a/libstb/tss2/ibmtpm20tss/utils/contextload.c b/libstb/tss2/ibmtpm20tss/utils/contextload.c
new file mode 100644
index 0000000..315953b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/contextload.c
@@ -0,0 +1,146 @@
+/********************************************************************************/
+/* */
+/* ContextLoad */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ContextLoad_In in;
+ ContextLoad_Out out;
+ const char *contextFilename = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ contextFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (contextFilename == NULL) {
+ printf("Missing context file parameter -if\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadStructure(&in.context,
+ (UnmarshalFunction_t)TSS_TPMS_CONTEXT_Unmarshalu,
+ contextFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ContextLoad,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ printf("Handle %08x\n", out.loadedHandle);
+ if (tssUtilsVerbose) printf("contextload: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("contextload: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("contextload\n");
+ printf("\n");
+ printf("Runs TPM2_ContextLoad\n");
+ printf("\n");
+ printf("\t-if\tcontext file name\n");
+ exit(1);
+}
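Review bot: The block comment at L17534–L17536 is an empty placeholder, and apart from `printUsage` nothing in the file says what the utility is for; a one-line purpose there would help, e.g. `/* Reads a saved TPM context (see contextsave) from -if and runs TPM2_ContextLoad, printing the handle the TPM returns */`. The same empty placeholder appears in clockrateadjust.c and clockset.c above.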
diff --git a/libstb/tss2/ibmtpm20tss/utils/contextsave.c b/libstb/tss2/ibmtpm20tss/utils/contextsave.c
new file mode 100644
index 0000000..33e8c54
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/contextsave.c
@@ -0,0 +1,162 @@
+/********************************************************************************/
+/* */
+/* ContextSave */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ContextSave_In in;
+ ContextSave_Out out;
+ TPMI_DH_CONTEXT saveHandle = 0;
+ const char *contextFilename = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &saveHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-of") == 0) {
+ i++;
+ if (i < argc) {
+ contextFilename = argv[i];
+ }
+ else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (saveHandle == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.saveHandle = saveHandle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ContextSave,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /* save the context */
+ if ((rc == 0) && (contextFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.context,
+ (MarshalFunction_t)TSS_TPMS_CONTEXT_Marshalu,
+ contextFilename );
+ }
+ if (rc == 0) {
+ printf("TPMS_CONTEXT.savedHandle %08x\n", out.context.savedHandle);
+ if (tssUtilsVerbose) printf("contextsave: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("contextsave: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("contextsave\n");
+ printf("\n");
+ printf("Runs TPM2_ContextSave\n");
+ printf("\n");
+ printf("\t-ha\thandle\n");
+ printf("\t[-of\tcontext file name (default do not save)]\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/create.c b/libstb/tss2/ibmtpm20tss/utils/create.c
new file mode 100644
index 0000000..f1be83d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/create.c
@@ -0,0 +1,717 @@
+/********************************************************************************/
+/* */
+/* Create */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tsscryptoh.h>
+
+#include "objecttemplates.h"
+#include "cryptoutils.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Create_In in;
+ Create_Out out;
+ TPMI_DH_OBJECT parentHandle = 0;
+ TPMA_OBJECT addObjectAttributes;
+ TPMA_OBJECT deleteObjectAttributes;
+ int keyType = 0;
+ uint32_t keyTypeSpecified = 0;
+ int rev116 = FALSE;
+ TPMI_ALG_PUBLIC algPublic = TPM_ALG_RSA;
+ TPMI_ECC_CURVE curveID = TPM_ECC_NONE;
+ TPMI_RSA_KEY_BITS keyBits = 2048;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMI_ALG_HASH nalg = TPM_ALG_SHA256;
+ const char *policyFilename = NULL;
+ const char *publicKeyFilename = NULL;
+ const char *privateKeyFilename = NULL;
+ const char *pemFilename = NULL;
+ const char *ticketFilename = NULL;
+ const char *creationHashFilename = NULL;
+ const char *dataFilename = NULL;
+ const char *keyPassword = NULL;
+ const char *parentPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ addObjectAttributes.val = 0;
+ addObjectAttributes.val |= TPMA_OBJECT_NODA;
+ deleteObjectAttributes.val = 0;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hp") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &parentHandle);
+ }
+ else {
+ printf("Missing parameter for -hp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-bl") == 0) {
+ keyType = TYPE_BL;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-den") == 0) {
+ keyType = TYPE_DEN;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-deo") == 0) {
+ keyType = TYPE_DEO;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-dee") == 0) {
+ keyType = TYPE_DEE;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-des") == 0) {
+ keyType = TYPE_DES;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-st") == 0) {
+ keyType = TYPE_ST;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-si") == 0) {
+ keyType = TYPE_SI;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-dau") == 0) {
+ keyType = TYPE_DAA;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-dar") == 0) {
+ keyType = TYPE_DAAR;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-sir") == 0) {
+ keyType = TYPE_SIR;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-kh") == 0) {
+ keyType = TYPE_KH;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-khr") == 0) {
+ keyType = TYPE_KHR;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-dp") == 0) {
+ keyType = TYPE_DP;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-gp") == 0) {
+ keyType = TYPE_GP;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-116") == 0) {
+ rev116 = TRUE;
+ }
+ else if (strcmp(argv[i], "-rsa") == 0) {
+ algPublic = TPM_ALG_RSA;
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%hu", &keyBits);
+ }
+ else {
+ printf("Missing parameter for -rsa\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-ecc") == 0) {
+ algPublic = TPM_ALG_ECC;
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"bnp256") == 0) {
+ curveID = TPM_ECC_BN_P256;
+ }
+ else if (strcmp(argv[i],"nistp256") == 0) {
+ curveID = TPM_ECC_NIST_P256;
+ }
+ else if (strcmp(argv[i],"nistp384") == 0) {
+ curveID = TPM_ECC_NIST_P384;
+ }
+ else {
+ printf("Bad parameter %s for -ecc\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-ecc option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-kt") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i], "f") == 0) {
+ addObjectAttributes.val |= TPMA_OBJECT_FIXEDTPM;
+ }
+ else if (strcmp(argv[i], "p") == 0) {
+ addObjectAttributes.val |= TPMA_OBJECT_FIXEDPARENT;
+ }
+ else if (strcmp(argv[i], "nf") == 0) {
+ deleteObjectAttributes.val |= TPMA_OBJECT_FIXEDTPM;
+ }
+ else if (strcmp(argv[i], "np") == 0) {
+ deleteObjectAttributes.val |= TPMA_OBJECT_FIXEDPARENT;
+ }
+ else if (strcmp(argv[i], "ed") == 0) {
+ addObjectAttributes.val |= TPMA_OBJECT_ENCRYPTEDDUPLICATION;
+ }
+ else {
+ printf("Bad parameter %s for -kt\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -kt\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-uwa") == 0) {
+ deleteObjectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
+ }
+ else if (strcmp(argv[i], "-da") == 0) {
+ addObjectAttributes.val &= ~TPMA_OBJECT_NODA;
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nalg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ nalg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ nalg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ nalg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ nalg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -nalg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-nalg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opu") == 0) {
+ i++;
+ if (i < argc) {
+ publicKeyFilename = argv[i];
+ }
+ else {
+ printf("-opu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opr") == 0) {
+ i++;
+ if (i < argc) {
+ privateKeyFilename = argv[i];
+ }
+ else {
+ printf("-opr option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opem") == 0) {
+ i++;
+ if (i < argc) {
+ pemFilename = argv[i];
+ }
+ else {
+ printf("-opem option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-tk") == 0) {
+ i++;
+ if (i < argc) {
+ ticketFilename = argv[i];
+ }
+ else {
+ printf("-tk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ch") == 0) {
+ i++;
+ if (i < argc) {
+ creationHashFilename = argv[i];
+ }
+ else {
+ printf("-ch option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ parentPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pol") == 0) {
+ i++;
+ if (i < argc) {
+ policyFilename = argv[i];
+ }
+ else {
+ printf("-pol option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ deleteObjectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
+ dataFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (parentHandle == 0) {
+ printf("Missing handle parameter -hp\n");
+ printUsage();
+ }
+ if (keyTypeSpecified != 1) {
+ printf("Missing or too many key attributes\n");
+ printUsage();
+ }
+ switch (keyType) {
+ case TYPE_BL:
+ if (dataFilename == NULL) {
+ printf("-bl needs -if (sealed data object needs data to seal)\n");
+ printUsage();
+ }
+ break;
+ case TYPE_DAA:
+ case TYPE_DAAR:
+ if (algPublic != TPM_ALG_ECC) {
+ printf("-dau and -dar need -ecc\n");
+ printUsage();
+ }
+ if (dataFilename != NULL) {
+ printf("asymmetric key cannot have -if (sensitive data)\n");
+ printUsage();
+ }
+ break;
+ case TYPE_ST:
+ case TYPE_DEN:
+ case TYPE_DEO:
+ case TYPE_DEE:
+ case TYPE_SI:
+ case TYPE_SIR:
+ case TYPE_GP:
+ if (dataFilename != NULL) {
+ printf("asymmetric key cannot have -if (sensitive data)\n");
+ printUsage();
+ }
+ break;
+ case TYPE_DES:
+ case TYPE_KH:
+ case TYPE_KHR:
+ case TYPE_DP:
+ /* inSensitive optional for symmetric keys */
+ break;
+ }
+ if (rc == 0) {
+ in.parentHandle = parentHandle;
+ }
+ /* Table 134 - Definition of TPM2B_SENSITIVE_CREATE inSensitive */
+ if (rc == 0) {
+ /* Table 133 - Definition of TPMS_SENSITIVE_CREATE Structure <IN>sensitive */
+ /* Table 75 - Definition of Types for TPM2B_AUTH userAuth */
+ if (keyPassword == NULL) {
+ in.inSensitive.sensitive.userAuth.t.size = 0;
+ }
+ else {
+ rc = TSS_TPM2B_StringCopy(&in.inSensitive.sensitive.userAuth.b,
+ keyPassword,
+ sizeof(in.inSensitive.sensitive.userAuth.t.buffer));
+ }
+ }
+ if (rc == 0) {
+ /* Table 132 - Definition of TPM2B_SENSITIVE_DATA Structure data */
+ if (dataFilename != NULL) {
+ rc = TSS_File_Read2B(&in.inSensitive.sensitive.data.b,
+ sizeof(in.inSensitive.sensitive.data.t.buffer),
+ dataFilename);
+ }
+ else {
+ in.inSensitive.sensitive.data.t.size = 0;
+ }
+ }
+ /* TPM2B_PUBLIC */
+ if (rc == 0) {
+ switch (keyType) {
+ case TYPE_BL:
+ rc = blPublicTemplate(&in.inPublic.publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ nalg,
+ policyFilename);
+ break;
+ case TYPE_ST:
+ case TYPE_DAA:
+ case TYPE_DAAR:
+ case TYPE_DEN:
+ case TYPE_DEO:
+ case TYPE_DEE:
+ case TYPE_SI:
+ case TYPE_SIR:
+ case TYPE_GP:
+ rc = asymPublicTemplate(&in.inPublic.publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ keyType, algPublic, keyBits, curveID, nalg, halg,
+ policyFilename);
+ break;
+ case TYPE_DES:
+ rc = symmetricCipherTemplate(&in.inPublic.publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ nalg, rev116,
+ policyFilename);
+ break;
+ case TYPE_KH:
+ case TYPE_KHR:
+ rc = keyedHashPublicTemplate(&in.inPublic.publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ keyType, nalg, halg,
+ policyFilename);
+ break;
+ case TYPE_DP:
+ rc = derivationParentPublicTemplate(&in.inPublic.publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ nalg, halg,
+ policyFilename);
+ }
+ }
+ if (rc == 0) {
+ /* TPM2B_DATA outsideInfo */
+ in.outsideInfo.t.size = 0;
+ /* Table 102 - TPML_PCR_SELECTION creationPCR */
+ in.creationPCR.count = 0;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Create,
+ sessionHandle0, parentPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /*
+ validate the creation data
+ */
+ {
+ uint16_t written = 0;
+ uint8_t *buffer = NULL; /* for the free */
+ uint32_t sizeInBytes;
+ TPMT_HA digest;
+
+ /* get the digest size from the Name algorithm */
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(nalg);
+ if (out.creationHash.b.size != sizeInBytes) {
+ printf("create: failed, "
+ "creationData size %u incompatible with name algorithm %04x\n",
+ out.creationHash.b.size, nalg);
+ rc = EXIT_FAILURE;
+ }
+ }
+ /* re-marshal the output structure */
+ if (rc == 0) {
+ rc = TSS_Structure_Marshal(&buffer, /* freed @1 */
+ &written,
+ &out.creationData.creationData,
+ (MarshalFunction_t)TSS_TPMS_CREATION_DATA_Marshalu);
+ }
+ /* recalculate the creationHash from creationData */
+ if (rc == 0) {
+ digest.hashAlg = nalg; /* Name digest algorithm */
+ rc = TSS_Hash_Generate(&digest,
+ written, buffer,
+ 0, NULL);
+ }
+ /* compare the digest to creation hash */
+ if (rc == 0) {
+ int irc;
+ irc = memcmp((uint8_t *)&digest.digest, &out.creationHash.b.buffer, sizeInBytes);
+ if (irc != 0) {
+ printf("create: failed, creationData hash does not match creationHash\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ free(buffer); /* @1 */
+ }
+ /* save the private key */
+ if ((rc == 0) && (privateKeyFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.outPrivate,
+ (MarshalFunction_t)TSS_TPM2B_PRIVATE_Marshalu,
+ privateKeyFilename);
+ }
+ /* save the public key */
+ if ((rc == 0) && (publicKeyFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.outPublic,
+ (MarshalFunction_t)TSS_TPM2B_PUBLIC_Marshalu,
+ publicKeyFilename);
+ }
+ /* save the optional PEM public key */
+ if ((rc == 0) && (pemFilename != NULL)) {
+ rc = convertPublicToPEM(&out.outPublic,
+ pemFilename);
+ }
+ /* save the optional creation ticket */
+ if ((rc == 0) && (ticketFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.creationTicket,
+ (MarshalFunction_t)TSS_TPMT_TK_CREATION_Marshalu,
+ ticketFilename);
+ }
+ /* save the optional creation hash */
+ if ((rc == 0) && (creationHashFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.creationHash.b.buffer,
+ out.creationHash.b.size,
+ creationHashFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("create: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("create: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("create\n");
+ printf("\n");
+ printf("Runs TPM2_Create\n");
+ printf("\n");
+ printf("\t-hp parent handle\n");
+ printf("\n");
+ printUsageTemplate();
+ printf("\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t[-pwdp\tpassword for parent key (default empty)]\n");
+ printf("\n");
+ printf("\t[-opu\tpublic key file name (default do not save)]\n");
+ printf("\t[-opr\tprivate key file name (default do not save)]\n");
+ printf("\t[-opem\tpublic key PEM format file name (default do not save)]\n");
+ printf("\t[-tk\toutput ticket file name (default do not save)]\n");
+ printf("\t[-ch\toutput creation hash file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/createek.c b/libstb/tss2/ibmtpm20tss/utils/createek.c
new file mode 100644
index 0000000..d15aa8f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/createek.c
@@ -0,0 +1,294 @@
+/********************************************************************************/
+/* */
+/* IWG EK Index Parsing */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This demo application shows the EK createprimary process.
+
+ It reads the EK template at 01c00004 (RSA) 01c0000c (EC)
+
+ It reads the EK nonce at 01c00003 (RSA) 01c0000b (EC)
+
+ It constructs an EK createprimary input and runs the command
+
+ It reads the EK certificate at 01c00002 (RSA) 01c0000a (EC)
+
+ It compares the public key from the createprimary to that of the certificate.
+
+ If validates the EK certificate against the TPM vendor root CA certificate.
+
+ To validate certificate against the root, it must be in a file in PEM format. The root typically
+ comes from the TPM vendor in DER (binary) format. Convert using openssl, approximately:
+
+ > openssl x509 -inform der -outform pem -in certificate.der -out certificate.pem
+
+ This is a one time operation.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+/* Windows 10 crypto API clashes with openssl */
+#ifdef TPM_WINDOWS
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+#include "ekutils.h"
+
+/* local function prototypes */
+
+static void printUsage(void);
+
+/* possible utility commands */
+
+#define EKTemplateType 1
+#define EKNonceType 2
+#define EKCertType 3
+#define CreateprimaryType 4
+
+#define AlgRSA 1
+#define AlgEC 2
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ unsigned int ui; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ int inputType = 0;
+ const char *listFilename = NULL;
+ unsigned int inputCount = 0;
+ unsigned int algType = 0;
+ /* initialized to suppress false gcc -O3 warning */
+ TPMI_RH_NV_INDEX ekCertIndex = 0;
+ TPMI_RH_NV_INDEX ekNonceIndex = 0;
+ TPMI_RH_NV_INDEX ekTemplateIndex = 0;
+ TPMT_PUBLIC tpmtPublic;
+ char *rootFilename[MAX_ROOTS];
+ unsigned int rootFileCount = 0;
+ unsigned char *nonce = NULL; /* freed @1 */
+ uint16_t nonceSize;
+ void *ekCertificate = NULL;
+ uint8_t *modulusBin = NULL;
+ int modulusBytes;
+ unsigned int noFlush = 0; /* default flush after validation */
+ TPM_HANDLE keyHandle; /* primary key handle */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* for free */
+ for (i = 0 ; i < MAX_ROOTS ; i++) {
+ rootFilename[i] = NULL;
+ }
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-te") == 0) {
+ inputType = EKTemplateType;
+ inputCount++;
+ }
+ else if (strcmp(argv[i],"-no") == 0) {
+ inputType = EKNonceType;
+ inputCount++;
+ }
+ else if (strcmp(argv[i],"-ce") == 0) {
+ inputType = EKCertType;
+ inputCount++;
+ }
+ else if (strcmp(argv[i],"-cp") == 0) {
+ inputType = CreateprimaryType;
+ inputCount++;
+ }
+ else if (strcmp(argv[i],"-root") == 0) {
+ i++;
+ if (i < argc) {
+ listFilename = argv[i];
+ }
+ else {
+ printf("-root option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-alg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsa") == 0) {
+ algType = AlgRSA;
+ ekCertIndex = EK_CERT_RSA_INDEX;
+ ekNonceIndex = EK_NONCE_RSA_INDEX;
+ ekTemplateIndex = EK_TEMPLATE_RSA_INDEX;
+ }
+ else if (strcmp(argv[i],"ecc") == 0) {
+ algType = AlgEC;
+ ekCertIndex = EK_CERT_EC_INDEX;
+ ekNonceIndex = EK_NONCE_EC_INDEX;
+ ekTemplateIndex = EK_TEMPLATE_EC_INDEX;
+ }
+ else {
+ printf("Bad parameter %s for -alg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-alg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-noflush") == 0) {
+ noFlush = 1;
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (inputCount > 1) {
+ printf("Only one of -te, -no, -ce can be specified\n");
+ printUsage();
+ }
+ if ((inputCount == 0) && (listFilename == NULL)) {
+ printf("Nothing to do\n");
+ printUsage();
+ }
+ if (algType == 0) {
+ printf("-alg must be specified\n");
+ printUsage();
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ if (rc == 0) {
+ switch (inputType) {
+ case EKTemplateType:
+ rc = processEKTemplate(tssContext, &tpmtPublic, ekTemplateIndex, TRUE);
+ if (rc != 0) {
+ printf("No EK template\n");
+ }
+ break;
+ case EKNonceType:
+ rc = processEKNonce(tssContext, &nonce, &nonceSize, ekNonceIndex, TRUE);
+ if (rc != 0) {
+ printf("No EK nonce\n");
+ }
+ break;
+ case EKCertType:
+ rc = processEKCertificate(tssContext,
+ &ekCertificate, /* freed @2 */
+ &modulusBin, &modulusBytes, /* freed @3 */
+ ekCertIndex,
+ TRUE); /* print the EK certificate */
+ break;
+ case CreateprimaryType:
+ rc = processPrimary(tssContext, &keyHandle,
+ ekCertIndex, ekNonceIndex, ekTemplateIndex,
+ noFlush, TRUE);
+ break;
+ }
+ }
+ if (listFilename != NULL) {
+ if (rc == 0) {
+ rc = getRootCertificateFilenames(rootFilename, /* freed @4 */
+ &rootFileCount,
+ listFilename,
+ tssUtilsVerbose);
+ }
+ if (rc == 0) {
+ rc = processRoot(tssContext,
+ ekCertIndex,
+ (const char **)rootFilename,
+ rootFileCount,
+ TRUE);
+ }
+ }
+ if ((rc == 0) && noFlush && (inputType == CreateprimaryType)) {
+ printf("Primary key Handle %08x\n", keyHandle);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ free(nonce); /* @1 */
+ x509FreeStructure(ekCertificate); /* @2 */
+ free(modulusBin); /* @3 */
+ for (ui = 0 ; ui < rootFileCount ; ui++) {
+ free(rootFilename[ui]); /* @4 */
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("createek\n");
+ printf("\n");
+ printf("Parses and prints the various EK NV indexes specified by the IWG\n");
+ printf("Creates a primary key based on the EK NV indexes\n");
+ printf("\n");
+ printf("\t-te\tprint EK Template \n");
+ printf("\t-no\tprint EK nonce \n");
+ printf("\t-ce\tprint EK certificate \n");
+ printf("\t-cp\tCreatePrimary using the EK template and EK nonce.\n");
+ printf("\t\tValidate the EK against the EK certificate\n");
+ printf("\t[-noflush\tDo not flush the primary key after validation]\n");
+ printf("\t[-root\tfilename - validate EK certificate against the root]\n");
+ printf("\t\tfilename contains a list of PEM format CA root certificate\n"
+ "\t\tfilenames, one per line.\n");
+ printf("\t\tThe list may contain up to %u certificates.\n", MAX_ROOTS);
+ printf("\t-alg (rsa or ecc) \n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/createekcert.c b/libstb/tss2/ibmtpm20tss/utils/createekcert.c
new file mode 100644
index 0000000..072407c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/createekcert.c
@@ -0,0 +1,488 @@
+/********************************************************************************/
+/* */
+/* TPM 2.0 Attestation - Client EK and EK certificate */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This program provisions an EK certificate. It is required only for a SW TPM, which does not, of
+ course, come with a certificate.
+
+ NOTE This is a one time operation unless the EPS is changed, typically through the TSS regression
+ test. I suggest saving the NVChip file.
+
+ Steps implemented:
+
+ Create a primary key using the default IWG template
+
+ Create a certificate using the CA key cakey.pem
+
+ Create NV Index if not already provisioned.
+
+ Write the certificate to NV.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+/* Windows 10 crypto API clashes with openssl */
+#ifdef TPM_WINDOWS
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tsscrypto.h>
+#include "ekutils.h"
+
+/* local function prototypes */
+
+static void printUsage(void);
+
+static TPM_RC defineEKCertIndex(TSS_CONTEXT *tssContext,
+ uint32_t certLength,
+ TPMI_RH_NV_INDEX nvIndex,
+ const char *platformPassword);
+static TPM_RC storeEkCertificate(TSS_CONTEXT *tssContext,
+ uint32_t certLength,
+ unsigned char *certificate,
+ TPMI_RH_NV_INDEX nvIndex,
+ const char *platformPassword);
+
+int vverbose = 0;
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ int rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ int noFlush = FALSE;
+ const char *certificateFilename = NULL;
+ TPMI_RH_NV_INDEX ekCertIndex = EK_CERT_RSA_INDEX;
+ /* the CA for endorsement key certificates */
+ const char *caKeyFileName = NULL;
+ const char *caKeyPassword = "";
+ const char *platformPassword = NULL;
+ TPMT_PUBLIC tpmtPublicOut; /* primary key public part */
+ char *x509CertString = NULL;
+ char *pemCertString = NULL;
+ uint32_t certLength;
+ unsigned char *certificate = NULL;
+
+ /* FIXME may be better from command line or config file */
+ char *subjectEntries[] = {
+ "US", /* 0 country */
+ "NY", /* 1 state */
+ "Yorktown", /* 2 locality*/
+ "IBM", /* 3 organization */
+ NULL, /* 4 organization unit */
+ "IBM's SW TPM", /* 5 common name */
+ NULL /* 6 email */
+ };
+ /* FIXME should come from root certificate, cacert.pem, cacertec.pem */
+ char *rootIssuerEntriesRsa[] = {
+ "US" ,
+ "NY" ,
+ "Yorktown" ,
+ "IBM" ,
+ NULL ,
+ "EK CA" ,
+ NULL
+ };
+ char *rootIssuerEntriesEc[] = {
+ "US" ,
+ "NY" ,
+ "Yorktown" ,
+ "IBM" ,
+ NULL ,
+ "EK EC CA" ,
+ NULL
+ };
+ /* default RSA */
+ char **issuerEntries = rootIssuerEntriesRsa;
+ size_t issuerEntriesSize = sizeof(rootIssuerEntriesRsa)/sizeof(char *);
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-noflush") == 0) {
+ noFlush = TRUE;
+ }
+ else if (strcmp(argv[i],"-of") == 0) {
+ i++;
+ if (i < argc) {
+ certificateFilename = argv[i];
+ }
+ else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-alg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsa") == 0) {
+ ekCertIndex = EK_CERT_RSA_INDEX;
+ }
+ else if (strcmp(argv[i],"ecc") == 0) {
+ ekCertIndex = EK_CERT_EC_INDEX;
+ }
+ else {
+ printf("Bad parameter %s for -alg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-alg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-caalg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsa") == 0) {
+ issuerEntries = rootIssuerEntriesRsa;
+ issuerEntriesSize = sizeof(rootIssuerEntriesRsa)/sizeof(char *);
+ }
+ else if (strcmp(argv[i],"ec") == 0) {
+ issuerEntries = rootIssuerEntriesEc;
+ issuerEntriesSize = sizeof(rootIssuerEntriesEc)/sizeof(char *);
+ }
+ else {
+ printf("Bad parameter %s for -caalg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-alg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-cakey") == 0) {
+ i++;
+ if (i < argc) {
+ caKeyFileName = argv[i];
+ }
+ else {
+ printf("ERROR: Missing parameter for -cakey\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-capwd") == 0) {
+ i++;
+ if (i < argc) {
+ caKeyPassword = argv[i];
+ }
+ else {
+ printf("ERROR: Missing parameter for -capwd\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ platformPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = 1;
+ }
+ else if (strcmp(argv[i],"-vv") == 0) {
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2"); /* trace entire TSS */
+ tssUtilsVerbose = 1;
+ vverbose = 1;
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (caKeyFileName == NULL) {
+ printf("ERROR: Missing -cakey\n");
+ printUsage();
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* create a primary EK using the default IWG template */
+ if (rc == 0) {
+ TPM_HANDLE keyHandle;
+ rc = processCreatePrimary(tssContext,
+ &keyHandle,
+ ekCertIndex, /* RSA or EC */
+ NULL, 0, /* EK nonce, can be NULL */
+ NULL, /* template */
+ &tpmtPublicOut, /* primary key */
+ noFlush,
+ tssUtilsVerbose); /* print errors */
+ }
+ /* create the EK certificate from the EK public key, using the above issuer and subject */
+ if (rc == 0) {
+ rc = createCertificate(&x509CertString, /* freed @3 */
+ &pemCertString, /* freed @2 */
+ &certLength,
+ &certificate, /* output, freed @1 */
+ &tpmtPublicOut, /* public key to be certified */
+ caKeyFileName, /* CA signing key */
+ issuerEntriesSize,
+ issuerEntries, /* certificate issuer */
+ sizeof(subjectEntries)/sizeof(char *),
+ subjectEntries, /* certificate subject */
+ caKeyPassword); /* CA signing key password */
+ }
+ /* If the NV index is not defined, define it */
+ if (rc == 0) {
+ rc = defineEKCertIndex(tssContext,
+ certLength,
+ ekCertIndex,
+ platformPassword);
+ }
+ /* store the EK certificate in NV */
+ if (rc == 0) {
+ rc = storeEkCertificate(tssContext,
+ certLength, certificate,
+ ekCertIndex,
+ platformPassword);
+ }
+ /* optionally store the certificate in DER format */
+ if ((rc == 0) && (certificateFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(certificate, certLength, certificateFilename);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ free(certificate); /* @1 */
+ free(pemCertString); /* @2 */
+ free(x509CertString); /* @3 */
+ return rc;
+}
+
+/* defineEKCertIndex() defines the EK certificate index if it is not already defined */
+
+static TPM_RC defineEKCertIndex(TSS_CONTEXT *tssContext,
+ uint32_t certLength,
+ TPMI_RH_NV_INDEX nvIndex,
+ const char *platformPassword)
+{
+ TPM_RC rc = 0;
+ NV_ReadPublic_In nvReadPublicIn;
+ NV_ReadPublic_Out nvReadPublicOut;
+ NV_DefineSpace_In nvDefineSpaceIn;
+
+ /* read metadata to make sure the index is there, the size is sufficient, and get the Name */
+ if (tssUtilsVerbose) printf("defineEKCertIndex: certificate length %u\n", certLength);
+ if (rc == 0) {
+ nvReadPublicIn.nvIndex = nvIndex;
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&nvReadPublicOut,
+ (COMMAND_PARAMETERS *)&nvReadPublicIn,
+ NULL,
+ TPM_CC_NV_ReadPublic,
+ TPM_RH_NULL, NULL, 0);
+ }
+ /* if already defined, check the size */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("defineEKCertIndex: defined data size %u\n",
+ nvReadPublicOut.nvPublic.nvPublic.dataSize);
+ if (nvReadPublicOut.nvPublic.nvPublic.dataSize < certLength) {
+ printf("defineEKCertIndex: data size %u insufficient for certificate %u\n",
+ nvReadPublicOut.nvPublic.nvPublic.dataSize, certLength);
+ rc = EXIT_FAILURE;
+ }
+ }
+ else if ((rc & 0xff) == TPM_RC_HANDLE) {
+ rc = 0; /* not an error yet, define the index for the EK certificate */
+ nvDefineSpaceIn.authHandle = TPM_RH_PLATFORM;
+ nvDefineSpaceIn.auth.b.size = 0; /* empty auth */
+ nvDefineSpaceIn.publicInfo.nvPublic.authPolicy.t.size = 0; /* empty policy */
+ nvDefineSpaceIn.publicInfo.nvPublic.nvIndex = nvIndex; /* handle of the data area */
+ nvDefineSpaceIn.publicInfo.nvPublic.nameAlg = TPM_ALG_SHA256; /* name hash algorithm */
+ nvDefineSpaceIn.publicInfo.nvPublic.attributes.val = 0;
+ /* PC Client specification */
+ nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_ORDINARY;
+ nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_PLATFORMCREATE;
+ nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_AUTHREAD;
+ nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_NO_DA;
+ nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_PPWRITE;
+ /* required for Microsoft Windows certification test */
+ nvDefineSpaceIn.publicInfo.nvPublic.attributes.val |= TPMA_NVA_OWNERREAD;
+ if (certLength < 1000) {
+ nvDefineSpaceIn.publicInfo.nvPublic.dataSize = 1000; /* minimum size */
+ }
+ else {
+ nvDefineSpaceIn.publicInfo.nvPublic.dataSize = certLength;
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&nvDefineSpaceIn,
+ NULL,
+ TPM_CC_NV_DefineSpace,
+ TPM_RS_PW, platformPassword, 0,
+ TPM_RH_NULL, NULL, 0);
+ }
+ }
+ if (rc != 0) {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("defineEKCertIndex: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ printf("ERROR: defineEKCertIndex: requires certificate min length %u at index %08x\n",
+ certLength, nvIndex);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+/* storeEkCertificate() writes the EK certificate at the specified NV index. It does not define the
+ NV index. */
+
+static TPM_RC storeEkCertificate(TSS_CONTEXT *tssContext,
+ uint32_t certLength,
+ unsigned char *certificate,
+ TPMI_RH_NV_INDEX nvIndex,
+ const char *platformPassword)
+{
+ TPM_RC rc = 0;
+ NV_Write_In nvWriteIn;
+ uint32_t nvBufferMax; /* max write in one chunk */
+ uint16_t bytesWritten; /* bytes written so far */
+ int done = FALSE;
+
+ if (rc == 0) {
+ rc = readNvBufferMax(tssContext,
+ &nvBufferMax);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("storeEkCertificate: writing %u bytes to %08x\n",
+ certLength, nvIndex);
+ nvWriteIn.authHandle = TPM_RH_PLATFORM;
+ nvWriteIn.nvIndex = nvIndex;
+ nvWriteIn.offset = 0;
+ bytesWritten = 0; /* bytes written so far */
+ }
+ while ((rc == 0) && !done) {
+ uint16_t writeBytes; /* bytes to write in this pass */
+ if (rc == 0) {
+ nvWriteIn.offset = bytesWritten;
+ if ((uint32_t)(certLength - bytesWritten) < nvBufferMax) {
+ writeBytes = certLength - bytesWritten; /* last chunk */
+ }
+ else {
+ writeBytes = nvBufferMax; /* next chunk */
+ }
+ rc = TSS_TPM2B_Create(&nvWriteIn.data.b, certificate + bytesWritten, writeBytes,
+ sizeof(nvWriteIn.data.t.buffer));
+ }
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&nvWriteIn,
+ NULL,
+ TPM_CC_NV_Write,
+ TPM_RS_PW, platformPassword, 0,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (rc == 0) {
+ bytesWritten += writeBytes;
+ if (bytesWritten == certLength) {
+ done = TRUE;
+ }
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("storeEkCertificate: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("storeEkCertificate: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ if (rc == TSS_RC_FILE_OPEN) {
+ printf("Possible cause: missing nvreadpublic before nvwrite\n");
+ }
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("createekcert\n");
+ printf("\n");
+ printf("Provisions an EK certificate, using the default IWG template\n");
+ printf("E.g.,\n");
+ printf("\n");
+ printf("Usage: createekcert -alg rsa -cakey cakey.pem -capwd rrrr -v\n");
+ printf("or: createekcert -alg ecc -cakey cakeyecc.pem -capwd rrrr -caalg ec -v\n");
+ printf("\n");
+ printf("\t[-pwdp\t\tplatform hierarchy password (default empty)]\n");
+ printf("\t-cakey\t\tCA PEM key file name\n");
+ printf("\t[-capwd\t\tCA PEM key password (default empty)]\n");
+ printf("\t[-caalg\t\tCA key algorithm (rsa or ec) (default rsa)]\n");
+ printf("\t[-alg\t\t(rsa or ecc certificate) (default rsa)]\n");
+ printf("\t[-noflush\tdo not flush the primary key]\n");
+ printf("\t[-of\t\tDER certificate output file name]\n");
+ printf("\n");
+ printf("Currently:\n");
+ printf("\n");
+ printf("\tCertificate issuer, subject, and validity are hard coded.\n");
+ exit(1);
+}
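Review bot: The missing-value branch of the `-caalg` handler (the `else` after `if (i < argc)` in that option) reports `-alg option needs a value`, so a user who omits the `-caalg` argument is pointed at the wrong option; it should read `printf("-caalg option needs a value\n");`. In storeEkCertificate, `bytesWritten` and `writeBytes` are `uint16_t` while `certLength` is `uint32_t`, so for a certificate of 65536 bytes or more `bytesWritten == certLength` can never become true and the loop would keep issuing writes at wrapped offsets until the TPM rejects one; since `nvWriteIn.offset` presumably cannot carry a larger offset either, an explicit up-front check such as `if (certLength > UINT16_MAX) rc = EXIT_FAILURE;` before the loop would make the limit visible instead of relying on a TPM error. Also, defineEKCertIndex sets `rc = EXIT_FAILURE` on the insufficient-size path and then falls into the generic failure block, which passes that value to TSS_ResponseCode_toString as if it were a TPM response code; returning right after the size message, or decoding the code only when rc came from TSS_Execute, would avoid the misleading text.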
diff --git a/libstb/tss2/ibmtpm20tss/utils/createloaded.c b/libstb/tss2/ibmtpm20tss/utils/createloaded.c
new file mode 100644
index 0000000..a481cb3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/createloaded.c
@@ -0,0 +1,635 @@
+/********************************************************************************/
+/* */
+/* Create Loaded */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+#include "objecttemplates.h"
+#include "cryptoutils.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ CreateLoaded_In in;
+ CreateLoaded_Out out;
+ TPMT_PUBLIC publicArea;
+ TPMI_DH_OBJECT parentHandle = 0;
+ TPMA_OBJECT addObjectAttributes;
+ TPMA_OBJECT deleteObjectAttributes;
+ int derived = FALSE; /* parent is derivation parent */
+ int keyType = 0;
+ uint32_t keyTypeSpecified = 0;
+ int rev116 = FALSE;
+ TPMI_ALG_PUBLIC algPublic = TPM_ALG_RSA;
+ TPMI_RSA_KEY_BITS keyBits = 2048;
+ TPMI_ECC_CURVE curveID = TPM_ECC_NONE;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMI_ALG_HASH nalg = TPM_ALG_SHA256;
+ const char *policyFilename = NULL;
+ const char *publicKeyFilename = NULL;
+ const char *privateKeyFilename = NULL;
+ const char *pemFilename = NULL;
+ const char *dataFilename = NULL;
+ const char *keyPassword = NULL;
+ const char *parentPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ addObjectAttributes.val = 0;
+ addObjectAttributes.val |= TPMA_OBJECT_NODA;
+ deleteObjectAttributes.val = 0;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hp") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &parentHandle);
+ }
+ else {
+ printf("Missing parameter for -hp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-bl") == 0) {
+ keyType = TYPE_BL;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-den") == 0) {
+ keyType = TYPE_DEN;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-deo") == 0) {
+ keyType = TYPE_DEO;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-dee") == 0) {
+ keyType = TYPE_DEE;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-des") == 0) {
+ keyType = TYPE_DES;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-st") == 0) {
+ keyType = TYPE_ST;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-si") == 0) {
+ keyType = TYPE_SI;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-sir") == 0) {
+ keyType = TYPE_SIR;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-kh") == 0) {
+ keyType = TYPE_KH;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-khr") == 0) {
+ keyType = TYPE_KHR;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-dp") == 0) {
+ keyType = TYPE_DP;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-gp") == 0) {
+ keyType = TYPE_GP;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-116") == 0) {
+ rev116 = TRUE;
+ }
+ else if (strcmp(argv[i], "-der") == 0) {
+ derived = TRUE;
+ }
+ else if (strcmp(argv[i], "-rsa") == 0) {
+ algPublic = TPM_ALG_RSA;
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%hu", &keyBits);
+ }
+ else {
+ printf("Missing parameter for -rsa\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-ecc") == 0) {
+ algPublic = TPM_ALG_ECC;
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"bnp256") == 0) {
+ curveID = TPM_ECC_BN_P256;
+ }
+ else if (strcmp(argv[i],"nistp256") == 0) {
+ curveID = TPM_ECC_NIST_P256;
+ }
+ else if (strcmp(argv[i],"nistp384") == 0) {
+ curveID = TPM_ECC_NIST_P384;
+ }
+ else {
+ printf("Bad parameter %s for -ecc\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-ecc option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-kt") == 0) {
+ i++;
+ if (i < argc) {
+ if (i < argc) {
+ if (strcmp(argv[i], "f") == 0) {
+ addObjectAttributes.val |= TPMA_OBJECT_FIXEDTPM;
+ }
+ else if (strcmp(argv[i], "p") == 0) {
+ addObjectAttributes.val |= TPMA_OBJECT_FIXEDPARENT;
+ }
+ else if (strcmp(argv[i], "nf") == 0) {
+ deleteObjectAttributes.val |= TPMA_OBJECT_FIXEDTPM;
+ }
+ else if (strcmp(argv[i], "np") == 0) {
+ deleteObjectAttributes.val |= TPMA_OBJECT_FIXEDPARENT;
+ }
+ else if (strcmp(argv[i], "ed") == 0) {
+ addObjectAttributes.val |= TPMA_OBJECT_ENCRYPTEDDUPLICATION;
+ }
+ else {
+ printf("Bad parameter %c for -kt\n", argv[i][0]);
+ printUsage();
+ }
+ }
+ }
+ else {
+ printf("Missing parameter for -kt\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-uwa") == 0) {
+ deleteObjectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
+ }
+ else if (strcmp(argv[i], "-da") == 0) {
+ addObjectAttributes.val &= ~TPMA_OBJECT_NODA;
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nalg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ nalg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ nalg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ nalg = TPM_ALG_SHA384;
+ }
+ else {
+ printf("Bad parameter %s for -nalg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-nalg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opu") == 0) {
+ i++;
+ if (i < argc) {
+ publicKeyFilename = argv[i];
+ }
+ else {
+ printf("-opu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opr") == 0) {
+ i++;
+ if (i < argc) {
+ privateKeyFilename = argv[i];
+ }
+ else {
+ printf("-opr option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opem") == 0) {
+ i++;
+ if (i < argc) {
+ pemFilename = argv[i];
+ }
+ else {
+ printf("-opem option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ parentPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pol") == 0) {
+ i++;
+ if (i < argc) {
+ policyFilename = argv[i];
+ }
+ else {
+ printf("-pol option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ dataFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (parentHandle == 0) {
+ printf("Missing handle parameter -hp\n");
+ printUsage();
+ }
+ if (keyTypeSpecified != 1) {
+ printf("Missing key attributes\n");
+ printUsage();
+ }
+ switch (keyType) {
+ case TYPE_BL:
+ if (dataFilename == NULL) {
+ printf("-bl needs -if (sealed data object needs data to seal)\n");
+ printUsage();
+ }
+ break;
+ case TYPE_ST:
+ case TYPE_DEN:
+ case TYPE_DEO:
+ case TYPE_DEE:
+ case TYPE_SI:
+ case TYPE_SIR:
+ case TYPE_GP:
+ if (dataFilename != NULL) {
+ printf("asymmetric key cannot have -if (sensitive data)\n");
+ printUsage();
+ }
+ case TYPE_DES:
+ case TYPE_KH:
+ case TYPE_KHR:
+ case TYPE_DP:
+ /* inSensitive optional for symmetric keys */
+ break;
+ }
+ if (rc == 0) {
+ in.parentHandle = parentHandle;
+ }
+ /* Table 134 - Definition of TPM2B_SENSITIVE_CREATE inSensitive */
+ if (rc == 0) {
+ /* Table 133 - Definition of TPMS_SENSITIVE_CREATE Structure <IN>sensitive */
+ /* Table 75 - Definition of Types for TPM2B_AUTH userAuth */
+ if (keyPassword == NULL) {
+ in.inSensitive.sensitive.userAuth.t.size = 0;
+ }
+ else {
+ rc = TSS_TPM2B_StringCopy(&in.inSensitive.sensitive.userAuth.b,
+ keyPassword,
+ sizeof(in.inSensitive.sensitive.userAuth.t.buffer));
+ }
+ }
+ if (rc == 0) {
+ /* Table 132 - Definition of TPM2B_SENSITIVE_DATA Structure data */
+ if (dataFilename != NULL) {
+ rc = TSS_File_Read2B(&in.inSensitive.sensitive.data.b,
+ sizeof(in.inSensitive.sensitive.data.t.buffer),
+ dataFilename);
+ }
+ else {
+ in.inSensitive.sensitive.data.t.size = 0;
+ }
+ }
+ /* TPM2B_PUBLIC */
+ if (rc == 0) {
+ switch (keyType) {
+ case TYPE_BL:
+ rc = blPublicTemplate(&publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ nalg,
+ policyFilename);
+ break;
+ case TYPE_ST:
+ case TYPE_DEN:
+ case TYPE_DEO:
+ case TYPE_DEE:
+ case TYPE_SI:
+ case TYPE_SIR:
+ case TYPE_GP:
+ rc = asymPublicTemplate(&publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ keyType, algPublic, keyBits, curveID, nalg, halg,
+ policyFilename);
+ break;
+ case TYPE_DES:
+ rc = symmetricCipherTemplate(&publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ nalg, rev116,
+ policyFilename);
+ break;
+ case TYPE_KH:
+ case TYPE_KHR:
+ rc = keyedHashPublicTemplate(&publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ keyType, nalg, halg,
+ policyFilename);
+ break;
+ case TYPE_DP:
+ rc = derivationParentPublicTemplate(&publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ nalg, halg,
+ policyFilename);
+ }
+ }
+ /* marshal the TPMT_PUBLIC into the TPM2B_TEMPLATE */
+ if (rc == 0) {
+ uint16_t written = 0;
+ uint32_t size = sizeof(in.inPublic.t.buffer);
+ uint8_t *buffer = in.inPublic.t.buffer;
+ if (!derived) { /* not derivation parent */
+ rc = TSS_TPMT_PUBLIC_Marshalu(&publicArea, &written, &buffer, &size);
+ }
+ else { /* derivation parent */
+ /* The API changed from rev 142 to 146. This is the 146 API. It is unlikely that any
+ 138 HW TPM will implement the 142 errata, but care must be taken to use a current SW
+ TPM. */
+ /* derived key has TPMS_CONTEXT parameter */
+ publicArea.unique.derive.label.t.size = 0;
+ publicArea.unique.derive.context.t.size = 0;
+ /* sensitiveDataOrigin has to be CLEAR in a derived object */
+ publicArea.objectAttributes.val &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN;
+ rc = TSS_TPMT_PUBLIC_D_Marshalu(&publicArea, &written, &buffer, &size);
+ }
+ in.inPublic.t.size = written;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_CreateLoaded,
+ sessionHandle0, parentPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /* save the private key */
+ if ((rc == 0) && (privateKeyFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.outPrivate,
+ (MarshalFunction_t)TSS_TPM2B_PRIVATE_Marshalu,
+ privateKeyFilename);
+ }
+ /* save the public key */
+ if ((rc == 0) && (publicKeyFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.outPublic,
+ (MarshalFunction_t)TSS_TPM2B_PUBLIC_Marshalu,
+ publicKeyFilename);
+ }
+ /* save the optional PEM public key */
+ if ((rc == 0) && (pemFilename != NULL)) {
+ rc = convertPublicToPEM(&out.outPublic,
+ pemFilename);
+ }
+ if (rc == 0) {
+ printf("Handle %08x\n", out.objectHandle);
+ if (tssUtilsVerbose) printf("createloaded: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("createloaded: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("createloaded\n");
+ printf("\n");
+ printf("Runs TPM2_CreateLoaded\n");
+ printf("\n");
+ printf("\t-hp parent handle (can be hierarchy)\n");
+ printf("\t\t40000001 Owner\n");
+ printf("\t\t4000000c Platform\n");
+ printf("\t\t4000000b Endorsement\n");
+ printf("\n");
+ printUsageTemplate();
+ printf("\n");
+ printf("\t[-der\tobject's parent is a derivation parent]\n");
+ printf("\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t[-pwdp\tpassword for parent key (default empty)]\n");
+ printf("\n");
+ printf("\t[-opu\tpublic key file name (default do not save)]\n");
+ printf("\t[-opr\tprivate key file name (default do not save)]\n");
+ printf("\t[-opem\tpublic key PEM format file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
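Review bot: The key-type validation `switch` lets the asymmetric group (`TYPE_ST` through `TYPE_GP`) fall through into the `TYPE_DES`/`TYPE_KH`/`TYPE_KHR`/`TYPE_DP` labels without a marker; the fall-through is harmless here because the second group only holds a comment and `break`, but it trips `-Wimplicit-fallthrough` and reads as an omission, so add `/* fallthrough */` after the asymmetric group's `if` block (or give that group its own `break`). The `-kt` handler also tests `if (i < argc)` twice in a row, so the inner check can be dropped. The `sscanf` calls for `-hp`, `-rsa` and `-se0`/`-se1`/`-se2` ignore their return value, so a non-hex argument silently keeps the previous value (for `-hp` it surfaces later as the misleading `Missing handle parameter -hp` message); checking the result, e.g. `if (sscanf(argv[i],"%x", &parentHandle) != 1) { printf("Bad parameter %s for -hp\n", argv[i]); printUsage(); }`, would report the actual problem.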
diff --git a/libstb/tss2/ibmtpm20tss/utils/createprimary.c b/libstb/tss2/ibmtpm20tss/utils/createprimary.c
new file mode 100644
index 0000000..3c7676f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/createprimary.c
@@ -0,0 +1,806 @@
+/********************************************************************************/
+/* */
+/* Create Primary */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tsscryptoh.h>
+
+#include "objecttemplates.h"
+#include "cryptoutils.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ CreatePrimary_In in;
+ CreatePrimary_Out out;
+ char hierarchyChar = 'n';
+ TPMI_RH_HIERARCHY primaryHandle = TPM_RH_NULL;
+ TPMA_OBJECT addObjectAttributes;
+ TPMA_OBJECT deleteObjectAttributes;
+ int keyType = TYPE_ST;
+ uint32_t keyTypeSpecified = 0;
+ int rev116 = FALSE;
+ const char *uniqueFilename = NULL;
+ TPMI_ALG_PUBLIC algPublic = TPM_ALG_RSA;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMI_ALG_HASH nalg = TPM_ALG_SHA256;
+ TPMI_RSA_KEY_BITS keyBits = 2048;
+ TPMI_ECC_CURVE curveID = TPM_ECC_NONE;
+ const char *policyFilename = NULL;
+ const char *publicKeyFilename = NULL;
+ const char *pemFilename = NULL;
+ const char *ticketFilename = NULL;
+ const char *creationHashFilename = NULL;
+ const char *dataFilename = NULL;
+ const char *keyPassword = NULL;
+ const char *parentPassword = NULL;
+ const char *parentPasswordFilename = NULL;
+ const char *parentPasswordPtr = NULL;
+ uint8_t *parentPasswordBuffer = NULL; /* for the free */
+ size_t parentPasswordLength = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ addObjectAttributes.val = 0;
+ addObjectAttributes.val |= TPMA_OBJECT_NODA;
+ addObjectAttributes.val |= TPMA_OBJECT_FIXEDTPM;
+ addObjectAttributes.val |= TPMA_OBJECT_FIXEDPARENT;
+ deleteObjectAttributes.val = 0;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-bl") == 0) {
+ keyType = TYPE_BL;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-den") == 0) {
+ keyType = TYPE_DEN;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-deo") == 0) {
+ keyType = TYPE_DEO;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-dee") == 0) {
+ keyType = TYPE_DEE;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-des") == 0) {
+ keyType = TYPE_DES;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-st") == 0) {
+ keyType = TYPE_ST;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-si") == 0) {
+ keyType = TYPE_SI;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-sir") == 0) {
+ keyType = TYPE_SIR;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-dau") == 0) {
+ keyType = TYPE_DAA;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-dar") == 0) {
+ keyType = TYPE_DAAR;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-kh") == 0) {
+ keyType = TYPE_KH;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-khr") == 0) {
+ keyType = TYPE_KHR;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-dp") == 0) {
+ keyType = TYPE_DP;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-gp") == 0) {
+ keyType = TYPE_GP;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-116") == 0) {
+ rev116 = TRUE;
+ }
+ else if (strcmp(argv[i], "-rsa") == 0) {
+ algPublic = TPM_ALG_RSA;
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%hu", &keyBits);
+ }
+ else {
+ printf("Missing parameter for -rsa\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-ecc") == 0) {
+ algPublic = TPM_ALG_ECC;
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"bnp256") == 0) {
+ curveID = TPM_ECC_BN_P256;
+ }
+ else if (strcmp(argv[i],"nistp256") == 0) {
+ curveID = TPM_ECC_NIST_P256;
+ }
+ else if (strcmp(argv[i],"nistp384") == 0) {
+ curveID = TPM_ECC_NIST_P384;
+ }
+ else {
+ printf("Bad parameter %s for -ecc\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-ecc option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-kt") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i], "f") == 0) {
+ addObjectAttributes.val |= TPMA_OBJECT_FIXEDTPM;
+ }
+ else if (strcmp(argv[i], "p") == 0) {
+ addObjectAttributes.val |= TPMA_OBJECT_FIXEDPARENT;
+ }
+ else if (strcmp(argv[i], "nf") == 0) {
+ deleteObjectAttributes.val |= TPMA_OBJECT_FIXEDTPM;
+ }
+ else if (strcmp(argv[i], "np") == 0) {
+ deleteObjectAttributes.val |= TPMA_OBJECT_FIXEDPARENT;
+ }
+ else if (strcmp(argv[i], "ed") == 0) {
+ addObjectAttributes.val |= TPMA_OBJECT_ENCRYPTEDDUPLICATION;
+ }
+ else {
+ printf("Bad parameter %s for -kt\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -kt\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-uwa") == 0) {
+ deleteObjectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
+ }
+ else if (strcmp(argv[i], "-da") == 0) {
+ addObjectAttributes.val &= ~TPMA_OBJECT_NODA;
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nalg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ nalg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ nalg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ nalg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ nalg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -nalg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-nalg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ parentPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdpi") == 0) {
+ i++;
+ if (i < argc) {
+ parentPasswordFilename = argv[i];
+ }
+ else {
+ printf("-pwdpi option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-iu") == 0) {
+ i++;
+ if (i < argc) {
+ uniqueFilename = argv[i];
+ }
+ else {
+ printf("-iu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opu") == 0) {
+ i++;
+ if (i < argc) {
+ publicKeyFilename = argv[i];
+ }
+ else {
+ printf("-opu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opem") == 0) {
+ i++;
+ if (i < argc) {
+ pemFilename = argv[i];
+ }
+ else {
+ printf("-opem option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-tk") == 0) {
+ i++;
+ if (i < argc) {
+ ticketFilename = argv[i];
+ }
+ else {
+ printf("-tk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ch") == 0) {
+ i++;
+ if (i < argc) {
+ creationHashFilename = argv[i];
+ }
+ else {
+ printf("-ch option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pol") == 0) {
+ i++;
+ if (i < argc) {
+ policyFilename = argv[i];
+ }
+ else {
+ printf("-pol option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ dataFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (keyTypeSpecified > 1) {
+ printf("Too many key attributes\n");
+ printUsage();
+ }
+ switch (keyType) {
+ case TYPE_BL:
+ if (dataFilename == NULL) {
+ printf("-bl needs -if (sealed data object needs data to seal)\n");
+ printUsage();
+ }
+ break;
+ case TYPE_DAA:
+ case TYPE_DAAR:
+ if (algPublic != TPM_ALG_ECC) {
+ printf("-dau and -dar need -ecc\n");
+ printUsage();
+ }
+ if (dataFilename != NULL) {
+ printf("asymmetric key cannot have -if (sensitive data)\n");
+ printUsage();
+ }
+ break;
+ case TYPE_ST:
+ case TYPE_DEN:
+ case TYPE_DEO:
+ case TYPE_DEE:
+ case TYPE_SI:
+ case TYPE_SIR:
+ case TYPE_GP:
+ if (dataFilename != NULL) {
+ printf("asymmetric key cannot have -if (sensitive data)\n");
+ printUsage();
+ }
+ break;
+ case TYPE_DES:
+ case TYPE_KH:
+ case TYPE_KHR:
+ case TYPE_DP:
+ /* inSensitive optional for symmetric keys */
+ break;
+ }
+ if (rc == 0) {
+ if ((parentPassword != NULL) && (parentPasswordFilename != NULL)) {
+ printf("Cannot specify both -pwdp and -pwdpi\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ /* command auth from string */
+ if (parentPassword != NULL) {
+ parentPasswordPtr = parentPassword;
+ }
+ /* command parent from file */
+ else if (parentPasswordFilename != NULL) {
+ if (rc == 0) {
+ /* must be freed by caller */
+ rc = TSS_File_ReadBinaryFile(&parentPasswordBuffer, /* freed @1 */
+ &parentPasswordLength,
+ parentPasswordFilename);
+ }
+ if (rc == 0) {
+ if (parentPasswordLength > sizeof(TPMU_HA)) {
+ printf("Password too long %u\n", (unsigned int)parentPasswordLength);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ parentPasswordPtr = (const char *)parentPasswordBuffer;
+ }
+ }
+ /* no command parent specified */
+ else {
+ parentPasswordPtr = NULL;
+ }
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ if (hierarchyChar == 'e') {
+ primaryHandle = TPM_RH_ENDORSEMENT;
+ }
+ else if (hierarchyChar == 'o') {
+ primaryHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ primaryHandle = TPM_RH_PLATFORM;
+ }
+ else if (hierarchyChar == 'n') {
+ primaryHandle = TPM_RH_NULL;
+ }
+ else {
+ printf("Bad parameter %c for -hi\n", hierarchyChar);
+ printUsage();
+ }
+ in.primaryHandle = primaryHandle;
+ }
+ /* Table 134 - TPM2B_SENSITIVE_CREATE inSensitive */
+ if (rc == 0) {
+ /* Table 133 - TPMS_SENSITIVE_CREATE */
+ {
+ if (keyPassword == NULL) {
+ in.inSensitive.sensitive.userAuth.t.size = 0;
+ }
+ else {
+ rc = TSS_TPM2B_StringCopy(&in.inSensitive.sensitive.userAuth.b,
+ keyPassword,
+ sizeof(in.inSensitive.sensitive.userAuth.t.buffer));
+ }
+ }
+ }
+ if (rc == 0) {
+ /* Table 132 - Definition of TPM2B_SENSITIVE_DATA Structure data */
+ if (dataFilename != NULL) {
+ rc = TSS_File_Read2B(&in.inSensitive.sensitive.data.b,
+ sizeof(in.inSensitive.sensitive.data.t.buffer),
+ dataFilename);
+ }
+ else {
+ in.inSensitive.sensitive.data.t.size = 0;
+ }
+ }
+ /* Table 185 - TPM2B_PUBLIC inPublic */
+ if (rc == 0) {
+ switch (keyType) {
+ case TYPE_BL:
+ rc = blPublicTemplate(&in.inPublic.publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ nalg,
+ policyFilename);
+ break;
+ case TYPE_ST:
+ case TYPE_DAA:
+ case TYPE_DAAR:
+ case TYPE_DEN:
+ case TYPE_DEO:
+ case TYPE_DEE:
+ case TYPE_SI:
+ case TYPE_SIR:
+ case TYPE_GP:
+ rc = asymPublicTemplate(&in.inPublic.publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ keyType, algPublic, keyBits, curveID, nalg, halg,
+ policyFilename);
+ break;
+ case TYPE_DES:
+ rc = symmetricCipherTemplate(&in.inPublic.publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ nalg, rev116,
+ policyFilename);
+ break;
+ case TYPE_KH:
+ case TYPE_KHR:
+ rc = keyedHashPublicTemplate(&in.inPublic.publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ keyType, nalg, halg,
+ policyFilename);
+ break;
+ case TYPE_DP:
+ rc = derivationParentPublicTemplate(&in.inPublic.publicArea,
+ addObjectAttributes, deleteObjectAttributes,
+ nalg, halg,
+ policyFilename);
+ break;
+ }
+ }
+ /* Table 177 - TPMU_PUBLIC_ID unique */
+ /* Table 158 - TPM2B_PUBLIC_KEY_RSA rsa */
+ if (rc == 0) {
+ if (uniqueFilename != NULL) {
+ rc = TSS_File_Read2B(&in.inPublic.publicArea.unique.rsa.b,
+ sizeof(in.inPublic.publicArea.unique.rsa.t.buffer),
+ uniqueFilename);
+ }
+ else {
+ in.inPublic.publicArea.unique.rsa.t.size = 0;
+ }
+ }
+ /* TPM2B_DATA outsideInfo */
+ if (rc == 0) {
+ in.outsideInfo.t.size = 0;
+ }
+ /* Table 102 - TPML_PCR_SELECTION */
+ /* TPML_PCR_SELECTION creationPCR */
+ if (rc == 0) {
+ in.creationPCR.count = 0;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_CreatePrimary,
+ sessionHandle0, parentPasswordPtr, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /*
+ validate the creation data
+ */
+ {
+ uint16_t written = 0;
+ uint8_t *buffer = NULL; /* for the free */
+ uint32_t sizeInBytes;
+ TPMT_HA digest;
+
+ /* get the digest size from the Name algorithm */
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(nalg);
+ if (out.creationHash.b.size != sizeInBytes) {
+ printf("createprimary: failed, "
+ "creationData size %u incompatible with name algorithm %04x\n",
+ out.creationHash.b.size, nalg);
+ rc = EXIT_FAILURE;
+ }
+ }
+ /* re-marshal the output structure */
+ if (rc == 0) {
+ rc = TSS_Structure_Marshal(&buffer, /* freed @1 */
+ &written,
+ &out.creationData.creationData,
+ (MarshalFunction_t)TSS_TPMS_CREATION_DATA_Marshalu);
+ }
+ /* recalculate the creationHash from creationData */
+ if (rc == 0) {
+ digest.hashAlg = nalg; /* Name digest algorithm */
+ rc = TSS_Hash_Generate(&digest,
+ written, buffer,
+ 0, NULL);
+ }
+ /* compare the digest to creation hash */
+ if (rc == 0) {
+ int irc;
+ irc = memcmp((uint8_t *)&digest.digest, &out.creationHash.b.buffer, sizeInBytes);
+ if (irc != 0) {
+ printf("createprimary: failed, creationData hash does not match creationHash\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ free(buffer); /* @1 */
+ }
+ /* save the public key */
+ if ((rc == 0) && (publicKeyFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.outPublic,
+ (MarshalFunction_t)TSS_TPM2B_PUBLIC_Marshalu,
+ publicKeyFilename);
+ }
+ /* save the optional PEM public key */
+ if ((rc == 0) && (pemFilename != NULL)) {
+ rc = convertPublicToPEM(&out.outPublic,
+ pemFilename);
+ }
+ /* save the optional creation ticket */
+ if ((rc == 0) && (ticketFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.creationTicket,
+ (MarshalFunction_t)TSS_TPMT_TK_CREATION_Marshalu,
+ ticketFilename);
+ }
+ /* save the optional creation hash */
+ if ((rc == 0) && (creationHashFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.creationHash.b.buffer,
+ out.creationHash.b.size,
+ creationHashFilename);
+ }
+ if (rc == 0) {
+ printf("Handle %08x\n", out.objectHandle);
+ if (algPublic == TPM_ALG_RSA) {
+ if (tssUtilsVerbose) TSS_PrintAll("createprimary: public modulus",
+ out.outPublic.publicArea.unique.rsa.t.buffer,
+ out.outPublic.publicArea.unique.rsa.t.size);
+ }
+ else if (algPublic == TPM_ALG_ECC) {
+ if (tssUtilsVerbose) TSS_PrintAll("createprimary: public point X",
+ out.outPublic.publicArea.unique.ecc.x.t.buffer,
+ out.outPublic.publicArea.unique.ecc.x.t.size);
+ if (tssUtilsVerbose) TSS_PrintAll("createprimary: public point Y",
+ out.outPublic.publicArea.unique.ecc.y.t.buffer,
+ out.outPublic.publicArea.unique.ecc.y.t.size);
+ }
+ if (tssUtilsVerbose) printf("createprimary: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("createprimary: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(parentPasswordBuffer); /* @1 */
+ parentPasswordBuffer = NULL;
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("createprimary creates a primary storage key\n");
+ printf("\n");
+ printf("Runs TPM2_CreatePrimary\n");
+ printf("\n");
+ printf("\t[-hi\t\thierarchy (e, o, p, n) (default null)]\n");
+ printf("\t[-pwdp\t\tpassword for hierarchy (default empty)]\n");
+ printf("\t[-pwdpi\t\tpassword file name for hierarchy (default empty)]\n");
+ printf("\t[-pwdk\t\tpassword for key (default empty)]\n");
+ printf("\t[-iu\t\tinPublic unique field file (default none)]\n");
+ printf("\t[-opu\t\tpublic key file name (default do not save)]\n");
+ printf("\t[-opem\t\tpublic key PEM format file name (default do not save)]\n");
+ printf("\t[-tk\t\toutput ticket file name]\n");
+ printf("\t[-ch\t\toutput creation hash file name]\n");
+ printf("\n");
+ printUsageTemplate();
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
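Review bot: The parent password read from `-pwdpi` into `parentPasswordBuffer` is released at the end of `main` with a plain `free()` and is never cleared, so the secret remains in freed heap memory after `TSS_Execute` no longer needs it; clear it before the free, e.g. `if (parentPasswordBuffer != NULL) explicit_bzero(parentPasswordBuffer, parentPasswordLength);` (or `memset_s` where Annex K is available) immediately ahead of `free(parentPasswordBuffer); /* @1 */`. That same buffer is cast to `const char *` and handed to `TSS_Execute`, where it is presumably consumed as a NUL-terminated string; whether `TSS_File_ReadBinaryFile` guarantees a terminator is not visible in this hunk and is worth confirming, since the only bound applied is the `sizeof(TPMU_HA)` length check. Separately, the `sscanf` calls for `-rsa` and for the `-se[0-2]` handle/attribute arguments ignore their return value, so a non-numeric argument silently keeps the default instead of being rejected; `if (sscanf(argv[i], "%hu", &keyBits) != 1) { printf("Bad parameter %s for -rsa\n", argv[i]); printUsage(); }` would make it fail the way the other options do.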
diff --git a/libstb/tss2/ibmtpm20tss/utils/cryptoutils.c b/libstb/tss2/ibmtpm20tss/utils/cryptoutils.c
new file mode 100644
index 0000000..af46b3c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/cryptoutils.c
@@ -0,0 +1,2079 @@
+/********************************************************************************/
+/* */
+/* OpenSSL Crypto Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* These functions are worthwhile sample code that probably (judgment call) do not belong in the TSS
+ library.
+
+ They abstract out crypto library functions.
+
+ They show how to convert public or private EC or RSA among PEM format <-> EVP format <-> EC_KEY
+ or RSA format <-> binary arrays <-> TPM format TPM2B_PRIVATE, TPM2B_SENSITIVE, TPM2B_PUBLIC
+ usable for loadexternal or import.
+
+ There are functions to convert public keys from TPM <-> RSA, ECC <-> PEM, and to verify a TPM
+ signature using a PEM format public key.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <limits.h>
+
+#ifndef TPM_TSS_NORSA
+#include <openssl/rsa.h>
+#endif /* TPM_TSS_NORSA */
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+
+#ifndef TPM_TSS_NOECC
+#include <openssl/ec.h>
+#endif
+
+#ifndef TPM_TSS_NOFILE
+#include <ibmtss/tssfile.h>
+#endif
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tsscrypto.h>
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/Implementation.h>
+
+#include "objecttemplates.h"
+#include "cryptoutils.h"
+
+/* verbose tracing flag shared by command line utilities */
+
+int tssUtilsVerbose;
+
+/* openssl compatibility functions, during the transition from 1.0.1, 1.0.2, 1.1.0, 1.1.1. Some
+ structures were made opaque, with gettters and setters. Some parameters were made const. Some
+ function names changed. */
+
+/* Some functions add const to parameters as of openssl 1.1.0 */
+
+/* These functions are only required for OpenSSL 1.0. OpenSSL 1.1 has them, and the structures are
+ opaque. */
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+
+int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+{
+ if (r == NULL || s == NULL)
+ return 0;
+ BN_clear_free(sig->r);
+ BN_clear_free(sig->s);
+ sig->r = r;
+ sig->s = s;
+ return 1;
+}
+
+void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
+{
+ if (pr != NULL) {
+ *pr = sig->r;
+ }
+ if (ps != NULL) {
+ *ps = sig->s;
+ }
+ return;
+}
+
+const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
+{
+ return x->cert_info->signature;
+}
+
+void RSA_get0_key(const RSA *rsaKey,
+ const BIGNUM **n,
+ const BIGNUM **e,
+ const BIGNUM **d)
+{
+ if (n != NULL) {
+ *n = rsaKey->n;
+ }
+ if (e != NULL) {
+ *e = rsaKey->e;
+ }
+ if (d != NULL) {
+ *d = rsaKey->d;
+ }
+ return;
+}
+
+void RSA_get0_factors(const RSA *rsaKey,
+ const BIGNUM **p,
+ const BIGNUM **q)
+{
+ if (p != NULL) {
+ *p = rsaKey->p;
+ }
+ if (q != NULL) {
+ *q = rsaKey->q;
+ }
+ return;
+}
+
+#endif /* pre openssl 1.1 */
+
+/* These functions are only required for OpenSSL 1.0.1 OpenSSL 1.0.2 has them, and the structures
+ are opaque. In 1.1.0, the parameters became const. */
+
+#if OPENSSL_VERSION_NUMBER < 0x10002000
+
+void X509_get0_signature(OSSLCONST ASN1_BIT_STRING **psig,
+ OSSLCONST X509_ALGOR **palg, const X509 *x)
+{
+ *psig = x->signature;
+ *palg = x->sig_alg;
+ return;
+}
+
+#endif /* pre openssl 1.0.2 */
+
+#ifndef TPM_TSS_NOFILE
+
+/* getCryptoLibrary() returns a string indicating the underlying crypto library.
+
+ It can be used for programs that must account for library differences.
+*/
+
+void getCryptoLibrary(const char **name)
+{
+ *name = "openssl";
+ return;
+}
+
+/* convertPemToEvpPrivKey() converts a PEM key file to an openssl EVP_PKEY key pair */
+
+TPM_RC convertPemToEvpPrivKey(EVP_PKEY **evpPkey, /* freed by caller */
+ const char *pemKeyFilename,
+ const char *password)
+{
+ TPM_RC rc = 0;
+ FILE *pemKeyFile = NULL;
+
+ if (rc == 0) {
+ rc = TSS_File_Open(&pemKeyFile, pemKeyFilename, "rb"); /* closed @2 */
+ }
+ if (rc == 0) {
+ *evpPkey = PEM_read_PrivateKey(pemKeyFile, NULL, NULL, (void *)password);
+ if (*evpPkey == NULL) {
+ printf("convertPemToEvpPrivKey: Error reading key file %s\n", pemKeyFilename);
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (pemKeyFile != NULL) {
+ fclose(pemKeyFile); /* @2 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOFILE */
+
+#ifndef TPM_TSS_NOFILE
+
+/* convertPemToEvpPubKey() converts a PEM public key file to an openssl EVP_PKEY public key */
+
+TPM_RC convertPemToEvpPubKey(EVP_PKEY **evpPkey, /* freed by caller */
+ const char *pemKeyFilename)
+{
+ TPM_RC rc = 0;
+ FILE *pemKeyFile = NULL;
+
+ if (rc == 0) {
+ rc = TSS_File_Open(&pemKeyFile, pemKeyFilename, "rb"); /* closed @2 */
+ }
+ if (rc == 0) {
+ *evpPkey = PEM_read_PUBKEY(pemKeyFile, NULL, NULL, NULL);
+ if (*evpPkey == NULL) {
+ printf("convertPemToEvpPubKey: Error reading key file %s\n", pemKeyFilename);
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (pemKeyFile != NULL) {
+ fclose(pemKeyFile); /* @2 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOFILE */
+
+#ifndef TPM_TSS_NOFILE
+
+/* convertPemToRsaPrivKey() converts a PEM format keypair file to a library specific RSA key
+ token.
+
+ The return is void because the structure is opaque to the caller. This accomodates other crypto
+ libraries.
+
+ rsaKey is an RSA structure
+*/
+
+TPM_RC convertPemToRsaPrivKey(void **rsaKey, /* freed by caller */
+ const char *pemKeyFilename,
+ const char *password)
+{
+ TPM_RC rc = 0;
+ FILE *pemKeyFile = NULL;
+
+ if (rc == 0) {
+ rc = TSS_File_Open(&pemKeyFile, pemKeyFilename, "rb"); /* closed @1 */
+ }
+ if (rc == 0) {
+ *rsaKey = (void *)PEM_read_RSAPrivateKey(pemKeyFile, NULL, NULL, (void *)password);
+ if (*rsaKey == NULL) {
+ printf("convertPemToRsaPrivKey: Error in OpenSSL PEM_read_RSAPrivateKey()\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (pemKeyFile != NULL) {
+ fclose(pemKeyFile); /* @1 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOFILE */
+
+#ifndef TPM_TSS_NOECC
+
+/* convertEvpPkeyToEckey retrieves the EC_KEY key token from the EVP_PKEY */
+
+TPM_RC convertEvpPkeyToEckey(EC_KEY **ecKey, /* freed by caller */
+ EVP_PKEY *evpPkey)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ *ecKey = EVP_PKEY_get1_EC_KEY(evpPkey);
+ if (*ecKey == NULL) {
+ printf("convertEvpPkeyToEckey: Error extracting EC key from EVP_PKEY\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+/* convertEvpPkeyToRsakey() retrieves the RSA key token from the EVP_PKEY */
+
+TPM_RC convertEvpPkeyToRsakey(RSA **rsaKey, /* freed by caller */
+ EVP_PKEY *evpPkey)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ *rsaKey = EVP_PKEY_get1_RSA(evpPkey);
+ if (*rsaKey == NULL) {
+ printf("convertEvpPkeyToRsakey: EVP_PKEY_get1_RSA failed\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOECC
+
+/* convertEcKeyToPrivateKeyBin() converts an OpenSSL EC_KEY to a binary array
+
+ FIXME Only supports NIST P256 curve.
+*/
+
+TPM_RC convertEcKeyToPrivateKeyBin(int *privateKeyBytes,
+ uint8_t **privateKeyBin, /* freed by caller */
+ const EC_KEY *ecKey)
+{
+ TPM_RC rc = 0;
+ const EC_GROUP *ecGroup = NULL;
+ int nid;
+ const BIGNUM *privateKeyBn = NULL;
+ int bnBytes;
+
+ /* get the group from the key */
+ if (rc == 0) {
+ ecGroup = EC_KEY_get0_group(ecKey);
+ if (ecGroup == NULL) {
+ printf("convertEcKeyToPrivateKeyBin: Error extracting EC group from EC key\n");
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ /* and then the curve from the group */
+ if (rc == 0) {
+ nid = EC_GROUP_get_curve_name(ecGroup);
+ /* map NID to size of private key */
+ switch (nid) {
+ case NID_X9_62_prime256v1:
+ *privateKeyBytes = 32;
+ break;
+ default:
+ printf("convertEcKeyToPrivateKeyBin: Error, curve NID %u not supported\n", nid);
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ /* get the ECC private key as a BIGNUM from the EC_KEY */
+ if (rc == 0) {
+ privateKeyBn = EC_KEY_get0_private_key(ecKey);
+ }
+ /* sanity check the BN size against the curve */
+ if (rc == 0) {
+ bnBytes = BN_num_bytes(privateKeyBn);
+ if (bnBytes > *privateKeyBytes) {
+ printf("convertEcKeyToPrivateKeyBin: Error, private key %d bytes too large for curve\n",
+ bnBytes);
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ /* allocate a buffer for the private key array based on the curve */
+ if (rc == 0) {
+ rc = TSS_Malloc(privateKeyBin, *privateKeyBytes);
+ }
+ /* convert the private key bignum to binary */
+ if (rc == 0) {
+ /* TPM rev 116 required the ECC private key to be zero padded in the duplicate parameter of
+ import */
+ memset(*privateKeyBin, 0, *privateKeyBytes - bnBytes);
+ BN_bn2bin(privateKeyBn, (*privateKeyBin) + (*privateKeyBytes - bnBytes));
+ if (tssUtilsVerbose) TSS_PrintAll("convertEcKeyToPrivateKeyBin:", *privateKeyBin, *privateKeyBytes);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+/* convertRsaKeyToPrivateKeyBin() converts an OpenSSL RSA key token private prime p to a binary
+ array */
+
+TPM_RC convertRsaKeyToPrivateKeyBin(int *privateKeyBytes,
+ uint8_t **privateKeyBin, /* freed by caller */
+ const RSA *rsaKey)
+{
+ TPM_RC rc = 0;
+ const BIGNUM *p = NULL;
+ const BIGNUM *q;
+
+ /* get the private primes */
+ if (rc == 0) {
+ rc = getRsaKeyParts(NULL, NULL, NULL, &p, &q, rsaKey);
+ }
+ /* allocate a buffer for the private key array */
+ if (rc == 0) {
+ *privateKeyBytes = BN_num_bytes(p);
+ rc = TSS_Malloc(privateKeyBin, *privateKeyBytes);
+ }
+ /* convert the private key bignum to binary */
+ if (rc == 0) {
+ BN_bn2bin(p, *privateKeyBin);
+ }
+ return rc;
+}
+
+
+#ifndef TPM_TSS_NOECC
+
+/* convertEcKeyToPublicKeyBin() converts an OpenSSL EC_KEY public key token to a binary array */
+
+TPM_RC convertEcKeyToPublicKeyBin(int *modulusBytes,
+ uint8_t **modulusBin, /* freed by caller */
+ const EC_KEY *ecKey)
+{
+ TPM_RC rc = 0;
+ const EC_POINT *ecPoint = NULL;
+ const EC_GROUP *ecGroup = NULL;
+
+ if (rc == 0) {
+ ecPoint = EC_KEY_get0_public_key(ecKey);
+ if (ecPoint == NULL) {
+ printf("convertEcKeyToPublicKeyBin: Error extracting EC point from EC public key\n");
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ if (rc == 0) {
+ ecGroup = EC_KEY_get0_group(ecKey);
+ if (ecGroup == NULL) {
+ printf("convertEcKeyToPublicKeyBin: Error extracting EC group from EC public key\n");
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ /* get the public modulus */
+ if (rc == 0) {
+ *modulusBytes = EC_POINT_point2oct(ecGroup, ecPoint,
+ POINT_CONVERSION_UNCOMPRESSED,
+ NULL, 0, NULL);
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(modulusBin, *modulusBytes);
+ }
+ if (rc == 0) {
+ EC_POINT_point2oct(ecGroup, ecPoint,
+ POINT_CONVERSION_UNCOMPRESSED,
+ *modulusBin, *modulusBytes, NULL);
+ if (tssUtilsVerbose) TSS_PrintAll("convertEcKeyToPublicKeyBin:", *modulusBin, *modulusBytes);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+/* convertRsaKeyToPublicKeyBin() converts from an openssl RSA key token to a public modulus */
+
+TPM_RC convertRsaKeyToPublicKeyBin(int *modulusBytes,
+ uint8_t **modulusBin, /* freed by caller */
+ void *rsaKey)
+{
+ TPM_RC rc = 0;
+ const BIGNUM *n = NULL;
+ const BIGNUM *e;
+ const BIGNUM *d;
+
+ /* get the public modulus from the RSA key token */
+ if (rc == 0) {
+ rc = getRsaKeyParts(&n, &e, &d, NULL, NULL, rsaKey);
+ }
+ if (rc == 0) {
+ *modulusBytes = BN_num_bytes(n);
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(modulusBin, *modulusBytes);
+ }
+ if (rc == 0) {
+ BN_bn2bin(n, *modulusBin);
+ }
+ return rc;
+}
+
+#ifdef TPM_TPM20
+
+#ifndef TPM_TSS_NOECC
+
+/* convertEcPrivateKeyBinToPrivate() converts an EC 'privateKeyBin' to either a
+ TPM2B_PRIVATE or a TPM2B_SENSITIVE
+
+*/
+
+TPM_RC convertEcPrivateKeyBinToPrivate(TPM2B_PRIVATE *objectPrivate,
+ TPM2B_SENSITIVE *objectSensitive,
+ int privateKeyBytes,
+ uint8_t *privateKeyBin,
+ const char *password)
+{
+ TPM_RC rc = 0;
+ TPMT_SENSITIVE tSensitive;
+ TPM2B_SENSITIVE bSensitive;
+
+ if (rc == 0) {
+ if (((objectPrivate == NULL) && (objectSensitive == NULL)) ||
+ ((objectPrivate != NULL) && (objectSensitive != NULL))) {
+ printf("convertEcPrivateKeyBinToPrivate: Only one result supported\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ /* In some cases, the sensitive data is not encrypted and the integrity value is not present.
+ When an integrity value is not needed, it is not present and it is not represented by an
+ Empty Buffer.
+
+ In this case, the TPM2B_PRIVATE will just be a marshaled TPM2B_SENSITIVE, which is a
+ marshaled TPMT_SENSITIVE */
+
+ /* construct TPMT_SENSITIVE */
+ if (rc == 0) {
+ /* This shall be the same as the type parameter of the associated public area. */
+ tSensitive.sensitiveType = TPM_ALG_ECC;
+ tSensitive.seedValue.b.size = 0;
+ /* key password converted to TPM2B */
+ rc = TSS_TPM2B_StringCopy(&tSensitive.authValue.b, password,
+ sizeof(tSensitive.authValue.t.buffer));
+ }
+ if (rc == 0) {
+ if (privateKeyBytes > 32) { /* hard code NISTP256 */
+ printf("convertEcPrivateKeyBinToPrivate: Error, private key size %u not 32\n",
+ privateKeyBytes);
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ tSensitive.sensitive.ecc.t.size = privateKeyBytes;
+ memcpy(tSensitive.sensitive.ecc.t.buffer, privateKeyBin, privateKeyBytes);
+ }
+ /* FIXME common code for EC and RSA */
+ /* marshal the TPMT_SENSITIVE into a TPM2B_SENSITIVE */
+ if (rc == 0) {
+ if (objectPrivate != NULL) {
+ uint32_t size = sizeof(bSensitive.t.sensitiveArea); /* max size */
+ uint8_t *buffer = bSensitive.b.buffer; /* pointer that can move */
+ bSensitive.t.size = 0; /* required before marshaling */
+ rc = TSS_TPMT_SENSITIVE_Marshalu(&tSensitive,
+ &bSensitive.b.size, /* marshaled size */
+ &buffer, /* marshal here */
+ &size); /* max size */
+ }
+ else { /* return TPM2B_SENSITIVE */
+ objectSensitive->t.sensitiveArea = tSensitive;
+ }
+ }
+ /* marshal the TPM2B_SENSITIVE (as a TPM2B_PRIVATE, see above) into a TPM2B_PRIVATE */
+ if (rc == 0) {
+ if (objectPrivate != NULL) {
+ uint32_t size = sizeof(objectPrivate->t.buffer); /* max size */
+ uint8_t *buffer = objectPrivate->t.buffer; /* pointer that can move */
+ objectPrivate->t.size = 0; /* required before marshaling */
+ rc = TSS_TPM2B_PRIVATE_Marshalu((TPM2B_PRIVATE *)&bSensitive,
+ &objectPrivate->t.size, /* marshaled size */
+ &buffer, /* marshal here */
+ &size); /* max size */
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+#endif /* TPM_TPM20 */
+
+#ifdef TPM_TPM20
+
+/* convertRsaPrivateKeyBinToPrivate() converts an RSA prime 'privateKeyBin' to either a
+ TPM2B_PRIVATE or a TPM2B_SENSITIVE
+
+*/
+
+TPM_RC convertRsaPrivateKeyBinToPrivate(TPM2B_PRIVATE *objectPrivate,
+ TPM2B_SENSITIVE *objectSensitive,
+ int privateKeyBytes,
+ uint8_t *privateKeyBin,
+ const char *password)
+{
+ TPM_RC rc = 0;
+ TPMT_SENSITIVE tSensitive;
+ TPM2B_SENSITIVE bSensitive;
+
+ if (rc == 0) {
+ if (((objectPrivate == NULL) && (objectSensitive == NULL)) ||
+ ((objectPrivate != NULL) && (objectSensitive != NULL))) {
+ printf("convertRsaPrivateKeyBinToPrivate: Only one result supported\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ /* In some cases, the sensitive data is not encrypted and the integrity value is not present.
+ When an integrity value is not needed, it is not present and it is not represented by an
+ Empty Buffer.
+
+ In this case, the TPM2B_PRIVATE will just be a marshaled TPM2B_SENSITIVE, which is a
+ marshaled TPMT_SENSITIVE */
+
+ /* construct TPMT_SENSITIVE */
+ if (rc == 0) {
+ /* This shall be the same as the type parameter of the associated public area. */
+ tSensitive.sensitiveType = TPM_ALG_RSA;
+ /* generate a seed for storage keys */
+ tSensitive.seedValue.b.size = 32; /* FIXME hard coded seed length */
+ rc = TSS_RandBytes(tSensitive.seedValue.b.buffer, tSensitive.seedValue.b.size);
+ }
+ /* key password converted to TPM2B */
+ if (rc == 0) {
+ rc = TSS_TPM2B_StringCopy(&tSensitive.authValue.b, password,
+ sizeof(tSensitive.authValue.t.buffer));
+ }
+ if (rc == 0) {
+ if ((size_t)privateKeyBytes > sizeof(tSensitive.sensitive.rsa.t.buffer)) {
+ printf("convertRsaPrivateKeyBinToPrivate: "
+ "Error, private key modulus %d greater than %lu\n",
+ privateKeyBytes, (unsigned long)sizeof(tSensitive.sensitive.rsa.t.buffer));
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ tSensitive.sensitive.rsa.t.size = privateKeyBytes;
+ memcpy(tSensitive.sensitive.rsa.t.buffer, privateKeyBin, privateKeyBytes);
+ }
+ /* FIXME common code for EC and RSA */
+ /* marshal the TPMT_SENSITIVE into a TPM2B_SENSITIVE */
+ if (rc == 0) {
+ if (objectPrivate != NULL) {
+ uint32_t size = sizeof(bSensitive.t.sensitiveArea); /* max size */
+ uint8_t *buffer = bSensitive.b.buffer; /* pointer that can move */
+ bSensitive.t.size = 0; /* required before marshaling */
+ rc = TSS_TPMT_SENSITIVE_Marshalu(&tSensitive,
+ &bSensitive.b.size, /* marshaled size */
+ &buffer, /* marshal here */
+ &size); /* max size */
+ }
+ else { /* return TPM2B_SENSITIVE */
+ objectSensitive->t.sensitiveArea = tSensitive;
+ }
+ }
+ /* marshal the TPM2B_SENSITIVE (as a TPM2B_PRIVATE, see above) into a TPM2B_PRIVATE */
+ if (rc == 0) {
+ if (objectPrivate != NULL) {
+ uint32_t size = sizeof(objectPrivate->t.buffer); /* max size */
+ uint8_t *buffer = objectPrivate->t.buffer; /* pointer that can move */
+ objectPrivate->t.size = 0; /* required before marshaling */
+ rc = TSS_TPM2B_PRIVATE_Marshalu((TPM2B_PRIVATE *)&bSensitive,
+ &objectPrivate->t.size, /* marshaled size */
+ &buffer, /* marshal here */
+ &size); /* max size */
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TPM20 */
+
+#ifndef TPM_TSS_NOECC
+
+/* convertEcPublicKeyBinToPublic() converts an EC modulus and other parameters to a TPM2B_PUBLIC
+
+ FIXME Only supports NIST P256 curve.
+*/
+
+TPM_RC convertEcPublicKeyBinToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ TPMI_ECC_CURVE curveID,
+ int modulusBytes,
+ uint8_t *modulusBin)
+{
+ TPM_RC rc = 0;
+
+ scheme = scheme; /* scheme parameter not supported yet */
+ if (rc == 0) {
+ if (modulusBytes != 65) { /* 1 for compression + 32 + 32 */
+ printf("convertEcPublicKeyBinToPublic: public modulus expected 65 bytes, actual %u\n",
+ modulusBytes);
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ /* Table 184 - Definition of TPMT_PUBLIC Structure */
+ objectPublic->publicArea.type = TPM_ALG_ECC;
+ objectPublic->publicArea.nameAlg = nalg;
+ objectPublic->publicArea.objectAttributes.val = TPMA_OBJECT_NODA;
+ objectPublic->publicArea.objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
+ switch (keyType) {
+ case TYPE_SI:
+ objectPublic->publicArea.objectAttributes.val |= TPMA_OBJECT_SIGN;
+ objectPublic->publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_NULL;
+ objectPublic->publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_ECDSA;
+ break;
+ case TYPE_ST: /* for public part only */
+ objectPublic->publicArea.objectAttributes.val |= TPMA_OBJECT_DECRYPT;
+ objectPublic->publicArea.objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
+ objectPublic->publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES;
+ objectPublic->publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
+ objectPublic->publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ objectPublic->publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+ break;
+ case TYPE_DEN: /* for public and private part */
+ objectPublic->publicArea.objectAttributes.val |= TPMA_OBJECT_DECRYPT;
+ objectPublic->publicArea.objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
+ objectPublic->publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_NULL;
+ objectPublic->publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_ECDH;
+ break;
+ }
+ objectPublic->publicArea.authPolicy.t.size = 0;
+ /* Table 152 - Definition of TPMU_ASYM_SCHEME Union */
+ objectPublic->publicArea.parameters.eccDetail.scheme.details.ecdsa.hashAlg = halg;
+ objectPublic->publicArea.parameters.eccDetail.curveID = curveID;
+ objectPublic->publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ objectPublic->publicArea.parameters.eccDetail.kdf.details.mgf1.hashAlg = halg;
+
+ objectPublic->publicArea.unique.ecc.x.t.size = 32;
+ memcpy(objectPublic->publicArea.unique.ecc.x.t.buffer, modulusBin +1, 32);
+
+ objectPublic->publicArea.unique.ecc.y.t.size = 32;
+ memcpy(objectPublic->publicArea.unique.ecc.y.t.buffer, modulusBin +33, 32);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+/* convertRsaPublicKeyBinToPublic() converts a public modulus to a TPM2B_PUBLIC structure. */
+
+TPM_RC convertRsaPublicKeyBinToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ int modulusBytes,
+ uint8_t *modulusBin)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if ((size_t)modulusBytes > sizeof(objectPublic->publicArea.unique.rsa.t.buffer)) {
+ printf("convertRsaPublicKeyBinToPublic: Error, "
+ "public key modulus %d greater than %lu\n", modulusBytes,
+ (unsigned long)sizeof(objectPublic->publicArea.unique.rsa.t.buffer));
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ /* Table 184 - Definition of TPMT_PUBLIC Structure */
+ objectPublic->publicArea.type = TPM_ALG_RSA;
+ objectPublic->publicArea.nameAlg = nalg;
+ objectPublic->publicArea.objectAttributes.val = TPMA_OBJECT_NODA;
+ objectPublic->publicArea.objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
+ switch (keyType) {
+ case TYPE_SI:
+ objectPublic->publicArea.objectAttributes.val |= TPMA_OBJECT_SIGN;
+ objectPublic->publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_NULL;
+ break;
+ case TYPE_ST: /* for public part only */
+ objectPublic->publicArea.objectAttributes.val |= TPMA_OBJECT_DECRYPT;
+ objectPublic->publicArea.objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
+ objectPublic->publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES;
+ objectPublic->publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
+ objectPublic->publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ break;
+ case TYPE_DEN: /* for public and private part */
+ objectPublic->publicArea.objectAttributes.val |= TPMA_OBJECT_DECRYPT;
+ objectPublic->publicArea.objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
+ objectPublic->publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_NULL;
+ break;
+ }
+ objectPublic->publicArea.authPolicy.t.size = 0;
+ /* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
+ objectPublic->publicArea.parameters.rsaDetail.scheme.scheme = scheme;
+ objectPublic->publicArea.parameters.rsaDetail.scheme.details.rsassa.hashAlg = halg;
+ objectPublic->publicArea.parameters.rsaDetail.keyBits = modulusBytes * 8;
+ objectPublic->publicArea.parameters.rsaDetail.exponent = 0;
+
+ objectPublic->publicArea.unique.rsa.t.size = modulusBytes;
+ memcpy(objectPublic->publicArea.unique.rsa.t.buffer, modulusBin, modulusBytes);
+ }
+ return rc;
+}
+
+#ifdef TPM_TPM20
+#ifndef TPM_TSS_NOECC
+
+/* convertEcKeyToPrivate() converts an openssl EC_KEY to token to either a TPM2B_PRIVATE or
+ TPM2B_SENSITIVE
+*/
+
+TPM_RC convertEcKeyToPrivate(TPM2B_PRIVATE *objectPrivate,
+ TPM2B_SENSITIVE *objectSensitive,
+ EC_KEY *ecKey,
+ const char *password)
+{
+ TPM_RC rc = 0;
+ int privateKeyBytes;
+ uint8_t *privateKeyBin = NULL;
+
+ /* convert an openssl EC_KEY token to a binary array */
+ if (rc == 0) {
+ rc = convertEcKeyToPrivateKeyBin(&privateKeyBytes,
+ &privateKeyBin, /* freed @1 */
+ ecKey);
+ }
+ if (rc == 0) {
+ rc = convertEcPrivateKeyBinToPrivate(objectPrivate,
+ objectSensitive,
+ privateKeyBytes,
+ privateKeyBin,
+ password);
+ }
+ free(privateKeyBin); /* @1 */
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+/* convertRsaKeyToPrivate() converts an openssl RSA key token to either a TPM2B_PRIVATE or
+ TPM2B_SENSITIVE
+*/
+
+TPM_RC convertRsaKeyToPrivate(TPM2B_PRIVATE *objectPrivate,
+ TPM2B_SENSITIVE *objectSensitive,
+ RSA *rsaKey,
+ const char *password)
+{
+ TPM_RC rc = 0;
+ int privateKeyBytes;
+ uint8_t *privateKeyBin = NULL;
+
+ /* convert an openssl RSA key token private prime p to a binary array */
+ if (rc == 0) {
+ rc = convertRsaKeyToPrivateKeyBin(&privateKeyBytes,
+ &privateKeyBin, /* freed @1 */
+ rsaKey);
+ }
+ /* convert an RSA prime 'privateKeyBin' to either a TPM2B_PRIVATE or a TPM2B_SENSITIVE */
+ if (rc == 0) {
+ rc = convertRsaPrivateKeyBinToPrivate(objectPrivate,
+ objectSensitive,
+ privateKeyBytes,
+ privateKeyBin,
+ password);
+ }
+ free(privateKeyBin); /* @1 */
+ return rc;
+}
+
+#ifndef TPM_TSS_NOECC
+
+/* convertEcKeyToPublic() converts an EC_KEY to a TPM2B_PUBLIC */
+
+TPM_RC convertEcKeyToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ EC_KEY *ecKey)
+{
+ TPM_RC rc = 0;
+ int modulusBytes;
+ uint8_t *modulusBin = NULL;
+ TPMI_ECC_CURVE curveID;
+
+ if (rc == 0) {
+ rc = convertEcKeyToPublicKeyBin(&modulusBytes,
+ &modulusBin, /* freed @1 */
+ ecKey);
+ }
+ if (rc == 0) {
+ rc = getEcCurve(&curveID, ecKey);
+ }
+ if (rc == 0) {
+ rc = convertEcPublicKeyBinToPublic(objectPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ curveID,
+ modulusBytes,
+ modulusBin);
+ }
+ free(modulusBin); /* @1 */
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+/* convertRsaKeyToPublic() converts from an openssl RSA key token to a TPM2B_PUBLIC */
+
+TPM_RC convertRsaKeyToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ void *rsaKey)
+{
+ TPM_RC rc = 0;
+ int modulusBytes;
+ uint8_t *modulusBin = NULL;
+
+ /* openssl RSA key token to a public modulus */
+ if (rc == 0) {
+ rc = convertRsaKeyToPublicKeyBin(&modulusBytes,
+ &modulusBin, /* freed @1 */
+ rsaKey);
+ }
+ /* public modulus to TPM2B_PUBLIC */
+ if (rc == 0) {
+ rc = convertRsaPublicKeyBinToPublic(objectPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ modulusBytes,
+ modulusBin);
+ }
+ free(modulusBin); /* @1 */
+ return rc;
+}
+
+#endif
+
+#ifndef TPM_TSS_NOFILE
+#ifdef TPM_TPM20
+#ifndef TPM_TSS_NOECC
+
+/* convertEcPemToKeyPair() converts a PEM file to a TPM2B_PUBLIC and TPM2B_PRIVATE */
+
+TPM_RC convertEcPemToKeyPair(TPM2B_PUBLIC *objectPublic,
+ TPM2B_PRIVATE *objectPrivate,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *pemKeyFilename,
+ const char *password)
+{
+ TPM_RC rc = 0;
+ EVP_PKEY *evpPkey = NULL;
+ EC_KEY *ecKey = NULL;
+
+ /* convert a PEM file to an openssl EVP_PKEY */
+ if (rc == 0) {
+ rc = convertPemToEvpPrivKey(&evpPkey, /* freed @1 */
+ pemKeyFilename,
+ password);
+ }
+ if (rc == 0) {
+ rc = convertEvpPkeyToEckey(&ecKey, /* freed @2 */
+ evpPkey);
+ }
+ if (rc == 0) {
+ rc = convertEcKeyToPrivate(objectPrivate, /* TPM2B_PRIVATE */
+ NULL, /* TPM2B_SENSITIVE */
+ ecKey,
+ password);
+ }
+ if (rc == 0) {
+ rc = convertEcKeyToPublic(objectPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ ecKey);
+ }
+ EC_KEY_free(ecKey); /* @2 */
+ if (evpPkey != NULL) {
+ EVP_PKEY_free(evpPkey); /* @1 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+#endif
+#endif
+
+#ifndef TPM_TSS_NOFILE
+#ifdef TPM_TPM20
+#ifndef TPM_TSS_NOECC
+
+/* convertEcPemToPublic() converts an ECC P256 signing public key in PEM format to a
+ TPM2B_PUBLIC */
+
+TPM_RC convertEcPemToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *pemKeyFilename)
+{
+ TPM_RC rc = 0;
+ EVP_PKEY *evpPkey = NULL;
+ EC_KEY *ecKey = NULL;
+
+ if (rc == 0) {
+ rc = convertPemToEvpPubKey(&evpPkey, /* freed @1 */
+ pemKeyFilename);
+ }
+ if (rc == 0) {
+ rc = convertEvpPkeyToEckey(&ecKey, /* freed @2 */
+ evpPkey);
+ }
+ if (rc == 0) {
+ rc = convertEcKeyToPublic(objectPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ ecKey);
+ }
+ if (ecKey != NULL) {
+ EC_KEY_free(ecKey); /* @2 */
+ }
+ if (evpPkey != NULL) {
+ EVP_PKEY_free(evpPkey); /* @1 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+#endif
+#endif
+
+#ifndef TPM_TSS_NOFILE
+#ifdef TPM_TPM20
+#ifndef TPM_TSS_NORSA
+
+/* convertRsaPemToKeyPair() converts an RSA PEM file to a TPM2B_PUBLIC and TPM2B_PRIVATE */
+
+TPM_RC convertRsaPemToKeyPair(TPM2B_PUBLIC *objectPublic,
+ TPM2B_PRIVATE *objectPrivate,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *pemKeyFilename,
+ const char *password)
+{
+ TPM_RC rc = 0;
+ EVP_PKEY *evpPkey = NULL;
+ RSA *rsaKey = NULL;
+
+ if (rc == 0) {
+ rc = convertPemToEvpPrivKey(&evpPkey, /* freed @1 */
+ pemKeyFilename,
+ password);
+ }
+ if (rc == 0) {
+ rc = convertEvpPkeyToRsakey(&rsaKey, /* freed @2 */
+ evpPkey);
+ }
+ if (rc == 0) {
+ rc = convertRsaKeyToPrivate(objectPrivate, /* TPM2B_PRIVATE */
+ NULL, /* TPM2B_SENSITIVE */
+ rsaKey,
+ password);
+ }
+ if (rc == 0) {
+ rc = convertRsaKeyToPublic(objectPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ rsaKey);
+ }
+ TSS_RsaFree(rsaKey); /* @2 */
+ if (evpPkey != NULL) {
+ EVP_PKEY_free(evpPkey); /* @1 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NORSA */
+#endif /* TPM_TPM20 */
+#endif /* TPM_TSS_NOFILE */
+
+#ifndef TPM_TSS_NOFILE
+#ifdef TPM_TPM20
+#ifndef TPM_TSS_NOECC
+
+/* convertEcDerToKeyPair() converts an EC keypair stored in DER to a TPM2B_PUBLIC and
+ TPM2B_SENSITIVE. Useful for LoadExternal.
+
+*/
+
+TPM_RC convertEcDerToKeyPair(TPM2B_PUBLIC *objectPublic,
+ TPM2B_SENSITIVE *objectSensitive,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *derKeyFilename,
+ const char *password)
+{
+ TPM_RC rc = 0;
+ EC_KEY *ecKey = NULL;
+ unsigned char *derBuffer = NULL;
+ size_t derSize;
+
+ /* read the DER file */
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&derBuffer, /* freed @1 */
+ &derSize,
+ derKeyFilename);
+ }
+ if (rc == 0) {
+ const unsigned char *tmpPtr = derBuffer; /* because pointer moves */
+ ecKey = d2i_ECPrivateKey(NULL, &tmpPtr, derSize); /* freed @2 */
+ if (ecKey == NULL) {
+ printf("convertEcDerToKeyPair: could not convert key to EC_KEY\n");
+ rc = TPM_RC_VALUE;
+ }
+ }
+ if (rc == 0) {
+ rc = convertEcKeyToPrivate(NULL, /* TPM2B_PRIVATE */
+ objectSensitive, /* TPM2B_SENSITIVE */
+ ecKey,
+ password);
+ }
+ if (rc == 0) {
+ rc = convertEcKeyToPublic(objectPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ ecKey);
+ }
+ free(derBuffer); /* @1 */
+ if (ecKey != NULL) {
+ EC_KEY_free(ecKey); /* @2 */
+ }
+ return rc;
+}
+
+/* convertEcDerToPublic() converts an EC public key stored in DER to a TPM2B_PUBLIC. Useful to
+ calculate a Name.
+
+*/
+
+TPM_RC convertEcDerToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *derKeyFilename)
+{
+ TPM_RC rc = 0;
+ EVP_PKEY *evpPkey = NULL;
+ EC_KEY *ecKey = NULL;
+ unsigned char *derBuffer = NULL;
+ size_t derSize;
+
+ /* read the DER file */
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&derBuffer, /* freed @1 */
+ &derSize,
+ derKeyFilename);
+ }
+ if (rc == 0) {
+ const unsigned char *tmpPtr = derBuffer; /* because pointer moves */
+ evpPkey = d2i_PUBKEY(NULL, &tmpPtr, derSize); /* freed @2 */
+ if (evpPkey == NULL) {
+ printf("convertEcDerToPublic: could not convert key to EVP_PKEY\n");
+ rc = TPM_RC_VALUE;
+ }
+ }
+ if (rc == 0) {
+ rc = convertEvpPkeyToEckey(&ecKey, /* freed @3 */
+ evpPkey);
+ }
+ if (rc == 0) {
+ rc = convertEcKeyToPublic(objectPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ ecKey);
+ }
+ free(derBuffer); /* @1 */
+ if (evpPkey != NULL) {
+ EVP_PKEY_free(evpPkey); /* @1 */
+ }
+ if (ecKey != NULL) {
+ EC_KEY_free(ecKey); /* @2 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+#endif
+#endif
+
+#ifndef TPM_TSS_NOFILE
+#ifdef TPM_TPM20
+#ifndef TPM_TSS_NORSA
+
+/* convertRsaDerToKeyPair() converts an RSA keypair stored in DER to a TPM2B_PUBLIC and
+ TPM2B_SENSITIVE. Useful for LoadExternal.
+
+*/
+
+TPM_RC convertRsaDerToKeyPair(TPM2B_PUBLIC *objectPublic,
+ TPM2B_SENSITIVE *objectSensitive,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *derKeyFilename,
+ const char *password)
+{
+ TPM_RC rc = 0;
+ RSA *rsaKey = NULL;
+ unsigned char *derBuffer = NULL;
+ size_t derSize;
+
+ /* read the DER file */
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&derBuffer, /* freed @1 */
+ &derSize,
+ derKeyFilename);
+ }
+ if (rc == 0) {
+ const unsigned char *tmpPtr = derBuffer; /* because pointer moves */
+ rsaKey = d2i_RSAPrivateKey(NULL, &tmpPtr, derSize); /* freed @2 */
+ if (rsaKey == NULL) {
+ printf("convertRsaDerToKeyPair: could not convert key to RSA\n");
+ rc = TPM_RC_VALUE;
+ }
+ }
+ if (rc == 0) {
+ rc = convertRsaKeyToPrivate(NULL, /* TPM2B_PRIVATE */
+ objectSensitive, /* TPM2B_SENSITIVE */
+ rsaKey,
+ password);
+ }
+ if (rc == 0) {
+ rc = convertRsaKeyToPublic(objectPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ rsaKey);
+ }
+ free(derBuffer); /* @1 */
+ TSS_RsaFree(rsaKey); /* @2 */
+ return rc;
+}
+
+/* convertRsaDerToPublic() converts an RSA public key stored in DER to a TPM2B_PUBLIC. Useful to
+ calculate a Name.
+
+*/
+
+TPM_RC convertRsaDerToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *derKeyFilename)
+{
+ TPM_RC rc = 0;
+ RSA *rsaKey = NULL;
+ unsigned char *derBuffer = NULL;
+ size_t derSize;
+
+ /* read the DER file */
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&derBuffer, /* freed @1 */
+ &derSize,
+ derKeyFilename);
+ }
+ if (rc == 0) {
+ const unsigned char *tmpPtr = derBuffer; /* because pointer moves */
+ rsaKey = d2i_RSA_PUBKEY(NULL, &tmpPtr, derSize); /* freed @2 */
+ if (rsaKey == NULL) {
+ printf("convertRsaDerToPublic: could not convert key to RSA\n");
+ rc = TPM_RC_VALUE;
+ }
+ }
+ if (rc == 0) {
+ rc = convertRsaKeyToPublic(objectPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ rsaKey);
+ }
+ free(derBuffer); /* @1 */
+ TSS_RsaFree(rsaKey); /* @2 */
+ return rc;
+}
+
+#endif /* TPM_TSS_NORSA */
+#endif /* TPM_TPM20 */
+#endif /* TPM_TSS_NOFILE */
+
+#ifndef TPM_TSS_NOFILE
+#ifdef TPM_TPM20
+
+/* convertRsaPemToPublic() converts an RSA public key in PEM format to a TPM2B_PUBLIC */
+
+TPM_RC convertRsaPemToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *pemKeyFilename)
+{
+ TPM_RC rc = 0;
+ EVP_PKEY *evpPkey = NULL;
+ RSA *rsaKey = NULL;
+
+ if (rc == 0) {
+ rc = convertPemToEvpPubKey(&evpPkey, /* freed @1 */
+ pemKeyFilename);
+ }
+ if (rc == 0) {
+ rc = convertEvpPkeyToRsakey(&rsaKey, /* freed @2 */
+ evpPkey);
+ }
+ if (rc == 0) {
+ rc = convertRsaKeyToPublic(objectPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ rsaKey);
+ }
+ RSA_free(rsaKey); /* @2 */
+ if (evpPkey != NULL) {
+ EVP_PKEY_free(evpPkey); /* @1 */
+ }
+ return rc;
+}
+
+#endif
+#endif
+
+/* getRsaKeyParts() gets the RSA key parts from an OpenSSL RSA key token.
+
+ If n is not NULL, returns n, e, and d. If p is not NULL, returns p and q.
+*/
+
+TPM_RC getRsaKeyParts(const BIGNUM **n,
+ const BIGNUM **e,
+ const BIGNUM **d,
+ const BIGNUM **p,
+ const BIGNUM **q,
+ const RSA *rsaKey)
+{
+ TPM_RC rc = 0;
+ if (n != NULL) {
+ RSA_get0_key(rsaKey, n, e, d);
+ }
+ if (p != NULL) {
+ RSA_get0_factors(rsaKey, p, q);
+ }
+ return rc;
+}
+
+/* returns the type (EVP_PKEY_RSA or EVP_PKEY_EC) of the EVP_PKEY.
+
+ */
+
+int getRsaPubkeyAlgorithm(EVP_PKEY *pkey)
+{
+ int pkeyType; /* RSA or EC */
+ pkeyType = EVP_PKEY_base_id(pkey);
+ return pkeyType;
+}
+
+#ifndef TPM_TSS_NOFILE
+
+/* convertPublicToPEM() saves a PEM format public key from a TPM2B_PUBLIC
+
+*/
+
+TPM_RC convertPublicToPEM(const TPM2B_PUBLIC *public,
+ const char *pemFilename)
+{
+ TPM_RC rc = 0;
+ EVP_PKEY *evpPubkey = NULL; /* OpenSSL public key, EVP format */
+
+ /* convert TPM2B_PUBLIC to EVP_PKEY */
+ if (rc == 0) {
+ switch (public->publicArea.type) {
+#ifndef TPM_TSS_NORSA
+ case TPM_ALG_RSA:
+ rc = convertRsaPublicToEvpPubKey(&evpPubkey, /* freed @1 */
+ &public->publicArea.unique.rsa);
+ break;
+#endif /* TPM_TSS_NORSA */
+#ifndef TPM_TSS_NOECC
+ case TPM_ALG_ECC:
+ rc = convertEcPublicToEvpPubKey(&evpPubkey, /* freed @1 */
+ &public->publicArea.unique.ecc);
+ break;
+#endif /* TPM_TSS_NOECC */
+ default:
+ printf("convertPublicToPEM: Unknown publicArea.type %04hx unsupported\n",
+ public->publicArea.type);
+ rc = TSS_RC_NOT_IMPLEMENTED;
+ break;
+ }
+ }
+ /* write the openssl structure in PEM format */
+ if (rc == 0) {
+ rc = convertEvpPubkeyToPem(evpPubkey,
+ pemFilename);
+
+ }
+ if (evpPubkey != NULL) {
+ EVP_PKEY_free(evpPubkey); /* @1 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOFILE */
+
+#ifndef TPM_TSS_NORSA
+
+/* convertRsaPublicToEvpPubKey() converts an RSA TPM2B_PUBLIC to a EVP_PKEY.
+
+*/
+
+TPM_RC convertRsaPublicToEvpPubKey(EVP_PKEY **evpPubkey, /* freed by caller */
+ const TPM2B_PUBLIC_KEY_RSA *tpm2bRsa)
+{
+ TPM_RC rc = 0;
+ int irc;
+ RSA *rsaPubKey = NULL;
+
+ if (rc == 0) {
+ *evpPubkey = EVP_PKEY_new();
+ if (*evpPubkey == NULL) {
+ printf("convertRsaPublicToEvpPubKey: EVP_PKEY failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ /* TPM to RSA token */
+ if (rc == 0) {
+ /* public exponent */
+ unsigned char earr[3] = {0x01, 0x00, 0x01};
+ rc = TSS_RSAGeneratePublicTokenI
+ ((void **)&rsaPubKey, /* freed as part of EVP_PKEY */
+ tpm2bRsa->t.buffer, /* public modulus */
+ tpm2bRsa->t.size,
+ earr, /* public exponent */
+ sizeof(earr));
+ }
+ /* RSA token to EVP */
+ if (rc == 0) {
+ irc = EVP_PKEY_assign_RSA(*evpPubkey, rsaPubKey);
+ if (irc == 0) {
+ TSS_RsaFree(rsaPubKey); /* because not assigned tp EVP_PKEY */
+ printf("convertRsaPublicToEvpPubKey: EVP_PKEY_assign_RSA failed\n");
+ rc = TSS_RC_RSA_KEY_CONVERT;
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NORSA */
+
+#ifndef TPM_TSS_NOECC
+
+/* convertEcPublicToEvpPubKey() converts an EC TPMS_ECC_POINT to an EVP_PKEY.
+ */
+
+TPM_RC convertEcPublicToEvpPubKey(EVP_PKEY **evpPubkey, /* freed by caller */
+ const TPMS_ECC_POINT *tpmsEccPoint)
+{
+ TPM_RC rc = 0;
+ int irc;
+ EC_GROUP *ecGroup = NULL;
+ EC_KEY *ecKey = NULL;
+ BIGNUM *x = NULL; /* freed @2 */
+ BIGNUM *y = NULL; /* freed @3 */
+
+ if (rc == 0) {
+ ecKey = EC_KEY_new(); /* freed @1 */
+ if (ecKey == NULL) {
+ printf("convertEcPublicToEvpPubKey: Error creating EC_KEY\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ ecGroup = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); /* freed @4 */
+ if (ecGroup == NULL) {
+ printf("convertEcPublicToEvpPubKey: Error in EC_GROUP_new_by_curve_name\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ /* returns void */
+ EC_GROUP_set_asn1_flag(ecGroup, OPENSSL_EC_NAMED_CURVE);
+ }
+ /* assign curve to EC_KEY */
+ if (rc == 0) {
+ irc = EC_KEY_set_group(ecKey, ecGroup);
+ if (irc != 1) {
+ printf("convertEcPublicToEvpPubKey: Error in EC_KEY_set_group\n");
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ if (rc == 0) {
+ rc = convertBin2Bn(&x, /* freed @2 */
+ tpmsEccPoint->x.t.buffer,
+ tpmsEccPoint->x.t.size);
+ }
+ if (rc == 0) {
+ rc = convertBin2Bn(&y, /* freed @3 */
+ tpmsEccPoint->y.t.buffer,
+ tpmsEccPoint->y.t.size);
+ }
+ if (rc == 0) {
+ irc = EC_KEY_set_public_key_affine_coordinates(ecKey, x, y);
+ if (irc != 1) {
+ printf("convertEcPublicToEvpPubKey: "
+ "Error converting public key from X Y to EC_KEY format\n");
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ if (rc == 0) {
+ *evpPubkey = EVP_PKEY_new(); /* freed by caller */
+ if (*evpPubkey == NULL) {
+ printf("convertEcPublicToEvpPubKey: EVP_PKEY failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ irc = EVP_PKEY_set1_EC_KEY(*evpPubkey, ecKey);
+ if (irc != 1) {
+ printf("convertEcPublicToEvpPubKey: "
+ "Error converting public key from EC to EVP format\n");
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ if (ecGroup != NULL) {
+ EC_GROUP_free(ecGroup); /* @4 */
+ }
+ if (ecKey != NULL) {
+ EC_KEY_free(ecKey); /* @1 */
+ }
+ if (x != NULL) {
+ BN_free(x); /* @2 */
+ }
+ if (y != NULL) {
+ BN_free(y); /* @3 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+#ifndef TPM_TSS_NOFILE
+
+TPM_RC convertEvpPubkeyToPem(EVP_PKEY *evpPubkey,
+ const char *pemFilename)
+{
+ TPM_RC rc = 0;
+ int irc;
+ FILE *pemFile = NULL;
+
+ if (rc == 0) {
+ pemFile = fopen(pemFilename, "wb"); /* close @1 */
+ if (pemFile == NULL) {
+ printf("convertEvpPubkeyToPem: Unable to open PEM file %s for write\n", pemFilename);
+ rc = TSS_RC_FILE_OPEN;
+ }
+ }
+ if (rc == 0) {
+ irc = PEM_write_PUBKEY(pemFile, evpPubkey);
+ if (irc == 0) {
+ printf("convertEvpPubkeyToPem: Unable to write PEM file %s\n", pemFilename);
+ rc = TSS_RC_FILE_WRITE;
+ }
+ }
+ if (pemFile != NULL) {
+ fclose(pemFile); /* @1 */
+ }
+ return rc;
+}
+
+#endif
+#ifndef TPM_TSS_NOFILE
+
+/* verifySignatureFromPem() verifies the signature 'tSignature' against the digest 'message' using
+ the public key in the PEM format file 'pemFilename'.
+
+*/
+
+TPM_RC verifySignatureFromPem(unsigned char *message,
+ unsigned int messageSize,
+ TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ const char *pemFilename)
+{
+ TPM_RC rc = 0;
+ EVP_PKEY *evpPkey = NULL; /* OpenSSL public key, EVP format */
+
+ /* read the public key from PEM format */
+ if (rc == 0) {
+ rc = convertPemToEvpPubKey(&evpPkey, /* freed @1*/
+ pemFilename);
+ }
+ /* RSA or EC */
+ if (rc == 0) {
+ switch(tSignature->sigAlg) {
+#ifndef TPM_TSS_NORSA
+ case TPM_ALG_RSASSA:
+ case TPM_ALG_RSAPSS:
+ rc = verifyRSASignatureFromEvpPubKey(message,
+ messageSize,
+ tSignature,
+ halg,
+ evpPkey);
+ break;
+#else
+ halg = halg;
+#endif /* TPM_TSS_NORSA */
+#ifndef TPM_TSS_NOECC
+ case TPM_ALG_ECDSA:
+ rc = verifyEcSignatureFromEvpPubKey(message,
+ messageSize,
+ tSignature,
+ evpPkey);
+ break;
+#endif /* TPM_TSS_NOECC */
+ default:
+ printf("verifySignatureFromPem: Unknown signature algorithm %04x\n", tSignature->sigAlg);
+ rc = TSS_RC_BAD_SIGNATURE_ALGORITHM;
+ }
+ }
+ if (evpPkey != NULL) {
+ EVP_PKEY_free(evpPkey); /* @1 */
+ }
+ return rc;
+}
+
+#endif
+
+#ifndef TPM_TSS_NORSA
+
+/* verifyRSASignatureFromEvpPubKey() verifies the signature 'tSignature' against the digest
+ 'message' using the RSA public key in evpPkey.
+
+*/
+
+TPM_RC verifyRSASignatureFromEvpPubKey(unsigned char *message,
+ unsigned int messageSize,
+ TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ EVP_PKEY *evpPkey)
+{
+ TPM_RC rc = 0;
+ RSA *rsaPubKey = NULL; /* OpenSSL public key, RSA format */
+
+ /* construct the RSA key token */
+ if (rc == 0) {
+ rsaPubKey = EVP_PKEY_get1_RSA(evpPkey); /* freed @1 */
+ if (rsaPubKey == NULL) {
+ printf("verifyRSASignatureFromEvpPubKey: EVP_PKEY_get1_RSA failed\n");
+ rc = TSS_RC_RSA_KEY_CONVERT;
+ }
+ }
+ if (rc == 0) {
+ rc = verifyRSASignatureFromRSA(message,
+ messageSize,
+ tSignature,
+ halg,
+ rsaPubKey);
+ }
+ TSS_RsaFree(rsaPubKey); /* @1 */
+ return rc;
+}
+
+/* signRSAFromRSA() signs digest to signature, using th4 RSA key rsaKey. */
+
+TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength,
+ size_t signatureSize,
+ const uint8_t *digest, size_t digestLength,
+ TPMI_ALG_HASH hashAlg,
+ void *rsaKey)
+{
+ TPM_RC rc = 0;
+ int irc;
+ int nid; /* openssl hash algorithm */
+
+ /* map the hash algorithm to the openssl NID */
+ if (rc == 0) {
+ switch (hashAlg) {
+ case TPM_ALG_SHA1:
+ nid = NID_sha1;
+ break;
+ case TPM_ALG_SHA256:
+ nid = NID_sha256;
+ break;
+ case TPM_ALG_SHA384:
+ nid = NID_sha384;
+ break;
+ case TPM_ALG_SHA512:
+ nid = NID_sha512;
+ break;
+ default:
+ printf("signRSAFromRSA: Error, hash algorithm %04hx unsupported\n", hashAlg);
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+ /* validate that the length of the resulting signature will fit in the
+ signature array */
+ if (rc == 0) {
+ unsigned int keySize = RSA_size(rsaKey);
+ if (keySize > signatureSize) {
+ printf("signRSAFromRSA: Error, private key length %u > signature buffer %u\n",
+ keySize, (unsigned int)signatureSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ unsigned int siglen;
+ irc = RSA_sign(nid,
+ digest, digestLength,
+ signature, &siglen,
+ rsaKey);
+ *signatureLength = siglen;
+ if (irc != 1) {
+ printf("signRSAFromRSA: Error in OpenSSL RSA_sign()\n");
+ rc = TSS_RC_RSA_SIGNATURE;
+ }
+ }
+ return rc;
+}
+
+/* verifyRSASignatureFromRSA() verifies the signature 'tSignature' against the digest 'message'
+ using the RSA public key in the OpenSSL RSA format.
+
+ Supports RSASSA and RSAPSS schemes.
+*/
+
+TPM_RC verifyRSASignatureFromRSA(unsigned char *message,
+ unsigned int messageSize,
+ TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ void *rsaPubKey)
+{
+ TPM_RC rc = 0;
+ int irc;
+ int nid = 0; /* initialized these two to suppress false gcc -O3
+ warnings */
+ const EVP_MD *md = NULL;
+ /* map from hash algorithm to openssl nid */
+ if (rc == 0) {
+ switch (halg) {
+ case TPM_ALG_SHA1:
+ nid = NID_sha1;
+ md = EVP_sha1();
+ break;
+ case TPM_ALG_SHA256:
+ nid = NID_sha256;
+ md = EVP_sha256();
+ break;
+ case TPM_ALG_SHA384:
+ nid = NID_sha384;
+ md = EVP_sha384();
+ break;
+ case TPM_ALG_SHA512:
+ nid = NID_sha512;
+ md = EVP_sha512();
+ break;
+ default:
+ printf("verifyRSASignatureFromRSA: Unknown hash algorithm %04x\n", halg);
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+ /* verify the signature */
+ if (tSignature->sigAlg == TPM_ALG_RSASSA) {
+ if (rc == 0) {
+ irc = RSA_verify(nid,
+ message, messageSize,
+ tSignature->signature.rsassa.sig.t.buffer,
+ tSignature->signature.rsassa.sig.t.size,
+ rsaPubKey);
+ if (irc != 1) {
+ printf("verifyRSASignatureFromRSA: Bad signature\n");
+ rc = TSS_RC_RSA_SIGNATURE;
+ }
+ }
+ }
+ else if (tSignature->sigAlg == TPM_ALG_RSAPSS) {
+ uint8_t decryptedSig[sizeof(tSignature->signature.rsapss.sig.t.buffer)];
+ if (rc == 0) {
+ irc = RSA_public_decrypt(tSignature->signature.rsapss.sig.t.size,
+ tSignature->signature.rsapss.sig.t.buffer,
+ decryptedSig,
+ rsaPubKey,
+ RSA_NO_PADDING);
+ if (irc == -1) {
+ printf("verifyRSASignatureFromRSA: RSAPSS Bad signature\n");
+ rc = TSS_RC_RSA_SIGNATURE;
+ }
+ }
+ if (rc == 0) {
+ irc = RSA_verify_PKCS1_PSS(rsaPubKey,
+ message,
+ md,
+ decryptedSig,
+ -2); /* salt length recovered from signature*/
+ if (irc != 1) {
+ printf("verifyRSASignatureFromRSA: RSAPSS Bad signature\n");
+ rc = TSS_RC_RSA_SIGNATURE;
+ }
+ }
+ }
+ else {
+ printf("verifyRSASignatureFromRSA: Bad signature scheme %04x\n",
+ tSignature->sigAlg);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NORSA */
+
+#ifndef TPM_TSS_NOECC
+
+/* verifyEcSignatureFromEvpPubKey() verifies the signature 'tSignature' against the digest 'message'
+ using the EC public key in evpPkey.
+
+*/
+
+TPM_RC verifyEcSignatureFromEvpPubKey(unsigned char *message,
+ unsigned int messageSize,
+ TPMT_SIGNATURE *tSignature,
+ EVP_PKEY *evpPkey)
+{
+ TPM_RC rc = 0;
+ int irc;
+ EC_KEY *ecKey = NULL;
+ BIGNUM *r = NULL;
+ BIGNUM *s = NULL;
+ ECDSA_SIG *ecdsaSig = NULL;
+
+ /* construct the EC key token */
+ if (rc == 0) {
+ ecKey = EVP_PKEY_get1_EC_KEY(evpPkey); /* freed @1 */
+ if (ecKey == NULL) {
+ printf("verifyEcSignatureFromEvpPubKey: EVP_PKEY_get1_EC_KEY failed\n");
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ /* construct the ECDSA_SIG signature token */
+ if (rc == 0) {
+ rc = convertBin2Bn(&r, /* freed @2 */
+ tSignature->signature.ecdsa.signatureR.t.buffer,
+ tSignature->signature.ecdsa.signatureR.t.size);
+ }
+ if (rc == 0) {
+ rc = convertBin2Bn(&s, /* freed @2 */
+ tSignature->signature.ecdsa.signatureS.t.buffer,
+ tSignature->signature.ecdsa.signatureS.t.size);
+ }
+ /* ECDSA_SIG_new() allocates an empty ECDSA_SIG structure. */
+ if (rc == 0) {
+ ecdsaSig = ECDSA_SIG_new(); /* freed @2 */
+ if (ecdsaSig == NULL) {
+ printf("verifyEcSignatureFromEvpPubKey: Error creating ECDSA_SIG_new\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ int irc = ECDSA_SIG_set0(ecdsaSig, r, s);
+ if (irc != 1) {
+ printf("verifyEcSignatureFromEvpPubKey: Error in ECDSA_SIG_set0()\n");
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ /* verify the signature */
+ if (rc == 0) {
+ irc = ECDSA_do_verify(message, messageSize,
+ ecdsaSig, ecKey);
+ if (irc != 1) { /* quote signature did not verify */
+ printf("verifyEcSignatureFromEvpPubKey: Bad signature\n");
+ rc = TSS_RC_EC_SIGNATURE;
+ }
+ }
+ if (ecKey != NULL) {
+ EC_KEY_free(ecKey); /* @1 */
+ }
+ /* if the ECDSA_SIG was allocated correctly, r and s are implicitly freed */
+ if (ecdsaSig != NULL) {
+ ECDSA_SIG_free(ecdsaSig); /* @2 */
+ }
+ /* if not, explicitly free */
+ else {
+ if (r != NULL) BN_free(r); /* @2 */
+ if (s != NULL) BN_free(s); /* @2 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+#ifndef TPM_TSS_NOFILE
+
+/* verifySignatureFromHmacKey() verifies the signature (MAC) against the digest 'message'
+ using the HMAC key in raw binary format.
+*/
+
+TPM_RC verifySignatureFromHmacKey(unsigned char *message,
+ unsigned int messageSize,
+ TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ const char *hmacKeyFilename)
+{
+ TPM_RC rc = 0;
+ TPM2B_KEY hmacKey;
+ uint32_t sizeInBytes;
+
+ /* read the HMAC key */
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&hmacKey.b,
+ sizeof(hmacKey.t.buffer),
+ hmacKeyFilename);
+ }
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(halg);
+ rc = TSS_HMAC_Verify(&tSignature->signature.hmac,
+ &hmacKey, /* input HMAC key */
+ sizeInBytes,
+ messageSize, message,
+ 0, NULL);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOFILE */
+
+/* convertRsaBinToTSignature() converts an RSA binary signature to a TPMT_SIGNATURE */
+
+TPM_RC convertRsaBinToTSignature(TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ uint8_t *signatureBin,
+ size_t signatureBinLen)
+{
+ TPM_RC rc = 0;
+
+ tSignature->sigAlg = TPM_ALG_RSASSA;
+ tSignature->signature.rsassa.hash = halg;
+ tSignature->signature.rsassa.sig.t.size = (uint16_t)signatureBinLen;
+ memcpy(&tSignature->signature.rsassa.sig.t.buffer, signatureBin, signatureBinLen);
+ return rc;
+}
+
+#ifdef TPM_TPM20
+#ifndef TPM_TSS_NOECC
+
+/* convertEcBinToTSignature() converts an EC binary signature to a TPMT_SIGNATURE */
+
+TPM_RC convertEcBinToTSignature(TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ const uint8_t *signatureBin,
+ size_t signatureBinLen)
+{
+ TPM_RC rc = 0;
+ ECDSA_SIG *ecSig = NULL;
+ int rBytes;
+ int sBytes;
+ const BIGNUM *pr = NULL;
+ const BIGNUM *ps = NULL;
+
+ if (rc == 0) {
+ tSignature->sigAlg = TPM_ALG_ECDSA;
+ tSignature->signature.ecdsa.hash = halg;
+ }
+ /* convert DER to ECDSA_SIG */
+ if (rc == 0) {
+ ecSig = d2i_ECDSA_SIG(NULL, &signatureBin, signatureBinLen); /* freed @1 */
+ if (ecSig == NULL) {
+ printf("convertEcBinToTSignature: could not convert signature to ECDSA_SIG\n");
+ rc = TPM_RC_VALUE;
+ }
+ }
+ /* check that the signature size agrees with the currently hard coded P256 curve */
+ if (rc == 0) {
+ ECDSA_SIG_get0(ecSig, &pr, &ps);
+ rBytes = BN_num_bytes(pr);
+ sBytes = BN_num_bytes(ps);
+ if ((rBytes > 32) ||
+ (sBytes > 32)) {
+ printf("convertEcBinToTSignature: signature rBytes %u or sBytes %u greater than 32\n",
+ rBytes, sBytes);
+ rc = TPM_RC_VALUE;
+ }
+ }
+ /* extract the raw signature bytes from the openssl structure BIGNUMs */
+ if (rc == 0) {
+ tSignature->signature.ecdsa.signatureR.t.size = rBytes;
+ tSignature->signature.ecdsa.signatureS.t.size = sBytes;
+
+ BN_bn2bin(pr, (unsigned char *)&tSignature->signature.ecdsa.signatureR.t.buffer);
+ BN_bn2bin(ps, (unsigned char *)&tSignature->signature.ecdsa.signatureS.t.buffer);
+ if (tssUtilsVerbose) {
+ TSS_PrintAll("convertEcBinToTSignature: signature R",
+ tSignature->signature.ecdsa.signatureR.t.buffer,
+ tSignature->signature.ecdsa.signatureR.t.size);
+ TSS_PrintAll("convertEcBinToTSignature: signature S",
+ tSignature->signature.ecdsa.signatureS.t.buffer,
+ tSignature->signature.ecdsa.signatureS.t.size);
+ }
+ }
+ if (ecSig != NULL) {
+ ECDSA_SIG_free(ecSig); /* @1 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+#ifndef TPM_TSS_NOECC
+
+/* getEcCurve() gets the TCG algorithm ID curve associated with the openssl EC_KEY */
+
+TPM_RC getEcCurve(TPMI_ECC_CURVE *curveID,
+ const EC_KEY *ecKey)
+{
+ TPM_RC rc = 0;
+ const EC_GROUP *ecGroup;
+ int nid;
+
+ if (rc == 0) {
+ ecGroup = EC_KEY_get0_group(ecKey);
+ nid = EC_GROUP_get_curve_name(ecGroup); /* openssl NID */
+ /* NID to TCG curve ID */
+ switch (nid) {
+ case NID_X9_62_prime256v1:
+ *curveID = TPM_ECC_NIST_P256;
+ break;
+ default:
+ printf("getEcCurve: Error, curve NID %u not supported \n", nid);
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+#endif
+
+/* convertBin2Bn() wraps the openSSL function in an error handler
+
+ Converts a char array to bignum
+*/
+
+TPM_RC convertBin2Bn(BIGNUM **bn, /* freed by caller */
+ const unsigned char *bin,
+ unsigned int bytes)
+{
+ TPM_RC rc = 0;
+
+ /* BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+
+ BN_bin2bn() converts the positive integer in big-endian form of length len at s into a BIGNUM
+ and places it in ret. If ret is NULL, a new BIGNUM is created.
+
+ BN_bin2bn() returns the BIGNUM, NULL on error.
+ */
+ if (rc == 0) {
+ *bn = BN_bin2bn(bin, bytes, *bn);
+ if (*bn == NULL) {
+ printf("convertBin2Bn: Error in BN_bin2bn\n");
+ rc = TSS_RC_BIGNUM;
+ }
+ }
+ return rc;
+}
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/cryptoutils.h b/libstb/tss2/ibmtpm20tss/utils/cryptoutils.h
new file mode 100644
index 0000000..a7b851b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/cryptoutils.h
@@ -0,0 +1,333 @@
+/********************************************************************************/
+/* */
+/* Sample Crypto Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2017 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef CRYPTUTILS_H
+#define CRYPTUTILS_H
+
+/* Windows 10 crypto API clashes with openssl */
+#ifdef TPM_WINDOWS
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#include <winsock2.h>
+#include <windows.h>
+#endif
+
+/* TPM_TSS_NO_OPENSSL is a legacy macro. cryptoutils was exposing several OpenSSL specific
+ functions. They are not available for other crypto libraries. For OpenSSL, they are available
+ but deprecated. */
+
+#ifndef TPM_TSS_NO_OPENSSL
+#include <openssl/rand.h>
+#include <openssl/pem.h>
+#endif /* TPM_TSS_NO_OPENSSL */
+
+#ifdef TPM_TSS_MBEDTLS
+#include <mbedtls/pk.h>
+#endif /* TPM_TSS_MBEDTLS */
+
+#include <ibmtss/tss.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ /*
+ crypto library independent functions
+ */
+
+ void getCryptoLibrary(const char **name);
+
+ TPM_RC convertPemToRsaPrivKey(void **rsaKey,
+ const char *pemKeyFilename,
+ const char *password);
+ TPM_RC convertRsaKeyToPublicKeyBin(int *modulusBytes,
+ uint8_t **modulusBin,
+ void *rsaKey);
+ TPM_RC convertRsaKeyToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ void *rsaKey);
+ TPM_RC convertRsaPemToKeyPair(TPM2B_PUBLIC *objectPublic,
+ TPM2B_PRIVATE *objectPrivate,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *pemKeyFilename,
+ const char *password);
+ TPM_RC convertRsaDerToKeyPair(TPM2B_PUBLIC *objectPublic,
+ TPM2B_SENSITIVE *objectSensitive,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *derKeyFilename,
+ const char *password);
+ TPM_RC convertRsaDerToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *derKeyFilename);
+ TPM_RC convertRsaPemToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *pemKeyFilename);
+ TPM_RC convertRsaPrivateKeyBinToPrivate(TPM2B_PRIVATE *objectPrivate,
+ TPM2B_SENSITIVE *objectSensitive,
+ int privateKeyBytes,
+ uint8_t *privateKeyBin,
+ const char *password);
+ TPM_RC convertRsaPublicKeyBinToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ int modulusBytes,
+ uint8_t *modulusBin);
+ TPM_RC convertPublicToPEM(const TPM2B_PUBLIC *public,
+ const char *pemFilename);
+
+ TPM_RC signRSAFromRSA(uint8_t *signature, size_t *signatureLength,
+ size_t signatureSize,
+ const uint8_t *digest, size_t digestLength,
+ TPMI_ALG_HASH hashAlg,
+ void *rsaKey);
+ TPM_RC verifySignatureFromPem(unsigned char *message,
+ unsigned int messageSize,
+ TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ const char *pemFilename);
+ TPM_RC verifyRSASignatureFromRSA(unsigned char *message,
+ unsigned int messageSize,
+ TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ void *rsaPubKey);
+ TPM_RC verifySignatureFromHmacKey(unsigned char *message,
+ unsigned int messageSize,
+ TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ const char *hmacKeyFilename);
+
+ TPM_RC convertRsaBinToTSignature(TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ uint8_t *signatureBin,
+ size_t signatureBinLen);
+
+ /* Some OpenSSL builds do not include ECC */
+
+#ifndef TPM_TSS_NOECC
+
+ TPM_RC convertEcPemToKeyPair(TPM2B_PUBLIC *objectPublic,
+ TPM2B_PRIVATE *objectPrivate,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *pemKeyFilename,
+ const char *password);
+ TPM_RC convertEcPemToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *pemKeyFilename);
+ TPM_RC convertEcDerToKeyPair(TPM2B_PUBLIC *objectPublic,
+ TPM2B_SENSITIVE *objectSensitive,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *derKeyFilename,
+ const char *password);
+ TPM_RC convertEcDerToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *derKeyFilename);
+ TPM_RC convertEcPrivateKeyBinToPrivate(TPM2B_PRIVATE *objectPrivate,
+ TPM2B_SENSITIVE *objectSensitive,
+ int privateKeyBytes,
+ uint8_t *privateKeyBin,
+ const char *password);
+ TPM_RC convertEcBinToTSignature(TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ const uint8_t *signatureBin,
+ size_t signatureBinLen);
+
+#endif /* TPM_TSS_NOECC */
+
+ /*
+ OpenSSL specific functions
+
+ These are not intended for general use.
+ */
+
+#ifndef TPM_TSS_NO_OPENSSL
+
+/* Some functions add const to parameters as of openssl 1.1.0 */
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+#define OSSLCONST
+#else
+#define OSSLCONST const
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+ void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
+ const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x);
+ void RSA_get0_key(const RSA *rsaKey,
+ const BIGNUM **n,
+ const BIGNUM **e,
+ const BIGNUM **d);
+ void RSA_get0_factors(const RSA *rsaKey,
+ const BIGNUM **p,
+ const BIGNUM **q);
+#endif /* pre openssl 1.1 */
+
+#if OPENSSL_VERSION_NUMBER < 0x10002000
+ void X509_get0_signature(OSSLCONST ASN1_BIT_STRING **psig,
+ OSSLCONST X509_ALGOR **palg, const X509 *x);
+#endif /* pre openssl 1.0.2 */
+
+ TPM_RC convertPemToEvpPrivKey(EVP_PKEY **evpPkey,
+ const char *pemKeyFilename,
+ const char *password);
+ TPM_RC convertPemToEvpPubKey(EVP_PKEY **evpPkey,
+ const char *pemKeyFilename);
+ TPM_RC convertEvpPubkeyToPem(EVP_PKEY *evpPubkey,
+ const char *pemFilename);
+ TPM_RC convertBin2Bn(BIGNUM **bn,
+ const unsigned char *bin,
+ unsigned int bytes);
+
+ TPM_RC convertEvpPkeyToRsakey(RSA **rsaKey,
+ EVP_PKEY *evpPkey);
+ TPM_RC convertRsaKeyToPrivateKeyBin(int *privateKeyBytes,
+ uint8_t **privateKeyBin,
+ const RSA *rsaKey);
+ TPM_RC convertRsaKeyToPrivate(TPM2B_PRIVATE *objectPrivate,
+ TPM2B_SENSITIVE *objectSensitive,
+ RSA *rsaKey,
+ const char *password);
+ TPM_RC getRsaKeyParts(const BIGNUM **n,
+ const BIGNUM **e,
+ const BIGNUM **d,
+ const BIGNUM **p,
+ const BIGNUM **q,
+ const RSA *rsaKey);
+ int getRsaPubkeyAlgorithm(EVP_PKEY *pkey);
+ TPM_RC convertRsaPublicToEvpPubKey(EVP_PKEY **evpPubkey,
+ const TPM2B_PUBLIC_KEY_RSA *tpm2bRsa);
+ TPM_RC verifyRSASignatureFromEvpPubKey(unsigned char *message,
+ unsigned int messageSize,
+ TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_HASH halg,
+ EVP_PKEY *evpPkey);
+
+#ifndef TPM_TSS_NOECC
+ TPM_RC convertEvpPkeyToEckey(EC_KEY **ecKey,
+ EVP_PKEY *evpPkey);
+ TPM_RC convertEcKeyToPrivateKeyBin(int *privateKeyBytes,
+ uint8_t **privateKeyBin,
+ const EC_KEY *ecKey);
+ TPM_RC convertEcKeyToPublicKeyBin(int *modulusBytes,
+ uint8_t **modulusBin,
+ const EC_KEY *ecKey);
+ TPM_RC convertEcPublicKeyBinToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ TPMI_ECC_CURVE curveID,
+ int modulusBytes,
+ uint8_t *modulusBin);
+ TPM_RC convertEcKeyToPrivate(TPM2B_PRIVATE *objectPrivate,
+ TPM2B_SENSITIVE *objectSensitive,
+ EC_KEY *ecKey,
+ const char *password);
+ TPM_RC convertEcKeyToPublic(TPM2B_PUBLIC *objectPublic,
+ int keyType,
+ TPMI_ALG_SIG_SCHEME scheme,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ EC_KEY *ecKey);
+ TPM_RC convertEcPublicToEvpPubKey(EVP_PKEY **evpPubkey,
+ const TPMS_ECC_POINT *tpmsEccPoint);
+ TPM_RC verifyEcSignatureFromEvpPubKey(unsigned char *message,
+ unsigned int messageSize,
+ TPMT_SIGNATURE *tSignature,
+ EVP_PKEY *evpPkey);
+ TPM_RC getEcCurve(TPMI_ECC_CURVE *curveID,
+ const EC_KEY *ecKey);
+
+#endif /* TPM_TSS_NOECC */
+#endif /* TPM_TSS_NO_OPENSSL */
+
+ /*
+ mbedtls specific functions
+
+ These are not intended for general use, but are used by ekutils.c
+ */
+
+#ifdef TPM_TSS_MBEDTLS
+
+ TPM_RC convertPkToRsaKey(mbedtls_rsa_context **rsaCtx,
+ mbedtls_pk_context *pkCtx);
+ TPM_RC convertPkToEckey(mbedtls_ecp_keypair **ecCtx,
+ mbedtls_pk_context *pkCtx);
+ TPM_RC convertEcKeyToPublicKeyXYBin(size_t *xBytes,
+ uint8_t **xBin,
+ size_t *yBytes,
+ uint8_t **yBin,
+ mbedtls_ecp_keypair *ecKp);
+
+#endif /* TPM_TSS_MBEDTLS */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
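Review bot: The declaration of convertRsaBinToTSignature in the crypto-library-independent section states no bound on signatureBinLen, yet the implementation in cryptoutils.c earlier in this diff copies signatureBinLen bytes straight into the fixed-size rsassa.sig.t.buffer and narrows the length to uint16_t without any check, so an oversized signature from a caller overruns the TPMT_SIGNATURE. Until the implementation rejects oversized input, the header should carry the precondition so callers validate it themselves: `/* signatureBinLen must not exceed sizeof(tSignature->signature.rsassa.sig.t.buffer); the function performs no bounds check */`. The EC counterpart convertEcBinToTSignature does reject r or s longer than 32 bytes, so a matching comment there could simply state that P-256 is assumed and other curves return TPM_RC_VALUE.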
diff --git a/libstb/tss2/ibmtpm20tss/utils/dictionaryattacklockreset.c b/libstb/tss2/ibmtpm20tss/utils/dictionaryattacklockreset.c
new file mode 100644
index 0000000..897c6f5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/dictionaryattacklockreset.c
@@ -0,0 +1,216 @@
+/********************************************************************************/
+/* */
+/* DictionaryAttackLockReset */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ DictionaryAttackLockReset_In in;
+ const char *password = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwd") == 0) {
+ i++;
+ if (i < argc) {
+ password = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ in.lockHandle = TPM_RH_LOCKOUT;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_DictionaryAttackLockReset,
+ sessionHandle0, password, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("dictionaryattacklockreset: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("dictionaryattacklockreset: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("dictionaryattacklockreset\n");
+ printf("\n");
+ printf("Runs TPM2_DictionaryAttackLockReset\n");
+ printf("\n");
+ printf("\t[-pwd\tlockout auth password (default empty)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
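Review bot: The sscanf calls that parse the -se0/-se1/-se2 handle and attribute arguments discard the return value, so a non-hex value such as `-se0 foo 0` silently leaves sessionHandle0 at its TPM_RS_PW default and the command runs with the password session instead of failing; checking the conversion catches that: `if (sscanf(argv[i], "%x", &sessionHandle0) != 1) { printf("Bad parameter for -se0\n"); printUsage(); }`, and likewise for the other five calls. Separately, the error path for a missing -pwd value names the wrong option, `printf("-pwdk option needs a value\n");` should read `-pwd`. The lockout password is also taken from argv, where it is visible to other local users through the process list; that is presumably acceptable for a test utility, but the usage text could say so.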
diff --git a/libstb/tss2/ibmtpm20tss/utils/dictionaryattackparameters.c b/libstb/tss2/ibmtpm20tss/utils/dictionaryattackparameters.c
new file mode 100644
index 0000000..e359eb6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/dictionaryattackparameters.c
@@ -0,0 +1,255 @@
+/********************************************************************************/
+/* */
+/* DictionaryAttackParameters */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ DictionaryAttackParameters_In in;
+ const char *password = NULL;
+ uint32_t newMaxTries = 1;
+ uint32_t newRecoveryTime = 10;
+ uint32_t lockoutRecovery = 1;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwd") == 0) {
+ i++;
+ if (i < argc) {
+ password = argv[i];
+ }
+ else {
+ printf("-pwd option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nmt") == 0) {
+ i++;
+ if (i < argc) {
+ newMaxTries = atoi(argv[i]);
+ }
+ else {
+ printf("-nmt option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nrt") == 0) {
+ i++;
+ if (i < argc) {
+ newRecoveryTime = atoi(argv[i]);
+ }
+ else {
+ printf("-nrt option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-lr") == 0) {
+ i++;
+ if (i < argc) {
+ lockoutRecovery = atoi(argv[i]);
+ }
+ else {
+ printf("-lr option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ in.lockHandle = TPM_RH_LOCKOUT;
+ in.newMaxTries = newMaxTries ;
+ in.newRecoveryTime = newRecoveryTime;
+ in.lockoutRecovery = lockoutRecovery;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_DictionaryAttackParameters,
+ sessionHandle0, password, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("dictionaryattackparameters: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("dictionaryattackparameters: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("dictionaryattackparameters\n");
+ printf("\n");
+ printf("Runs TPM2_DictionaryAttackParameters\n");
+ printf("\n");
+ printf("\t[-pwd\tlockout auth password (default empty)]\n");
+ printf("\t[-nmt\tnew max tries (default 1 try)]\n");
+ printf("\t[-nrt\tnew recovery time (default 10 seconds)]\n");
+ printf("\t[-lr\tlockout recovery (default 1 second)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
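Review bot: The `-nmt`, `-nrt` and `-lr` values at L23523, L23533 and L23543 are parsed with `atoi()`, which reports no error for non-numeric or out-of-range text and turns a negative argument into a wrapped `uint32_t` before it is copied into `in.newMaxTries`/`in.newRecoveryTime`/`in.lockoutRecovery` at L23630–L23632; since these are the TPM's dictionary-attack lockout thresholds, a mistyped value silently becomes a very different lockout policy. Replace the three `atoi()` calls with a small `strtoul`-based helper that rejects trailing garbage, a leading `-`, and values above `UINT32_MAX`, and exits through `printUsage()` like the other argument errors (the helper needs `<errno.h>` added to the includes at L23474–L23477). The same unchecked `sscanf("%x", ...)` for `-se0`/`-se1`/`-se2` at L23553/L23561 and siblings is shared with the other utilities in this commit and is not addressed here.
```c
/* Parse a decimal uint32 option value; any malformed or out-of-range text exits via printUsage(). */
static uint32_t parseUint32(const char *option, const char *value)
{
    char *end = NULL;
    unsigned long v;
    errno = 0;
    v = strtoul(value, &end, 10);
    if ((value[0] == '-') || (end == value) || (*end != '\0') ||
        (errno == ERANGE) || (v > UINT32_MAX)) {
        printf("Bad value %s for %s\n", value, option);
        printUsage();
    }
    return (uint32_t)v;
}
/* … unchanged: main() up to the -nmt branch … */
	else if (strcmp(argv[i],"-nmt") == 0) {
	    i++;
	    if (i < argc) {
		newMaxTries = parseUint32("-nmt", argv[i]);
	    }
/* … unchanged: same substitution for -nrt and -lr, remainder of main() … */
```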
diff --git a/libstb/tss2/ibmtpm20tss/utils/duplicate.c b/libstb/tss2/ibmtpm20tss/utils/duplicate.c
new file mode 100644
index 0000000..87b33a4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/duplicate.c
@@ -0,0 +1,353 @@
+/********************************************************************************/
+/* */
+/* Duplicate */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Duplicate_In in;
+ Duplicate_Out out;
+ TPMI_DH_OBJECT objectHandle = 0;
+ TPMI_DH_OBJECT newParentHandle = TPM_RH_NULL;
+ const char *encryptionKeyInFilename = NULL;
+ const char *encryptionKeyOutFilename = NULL;
+ const char *duplicateFilename = NULL;
+ const char *outSymSeedFilename = NULL;
+ const char *objectPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ /* Table 129 - Definition of TPMT_SYM_DEF_OBJECT Structure */
+ in.symmetricAlg.algorithm = TPM_ALG_NULL;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ho") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &objectHandle);
+ }
+ else {
+ printf("Missing parameter for -ho\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdo") == 0) {
+ i++;
+ if (i < argc) {
+ objectPassword = argv[i];
+ }
+ else {
+ printf("-pwdo option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hp") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &newParentHandle);
+ }
+ else {
+ printf("Missing parameter for -hp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ik") == 0) {
+ i++;
+ if (i < argc) {
+ encryptionKeyInFilename = argv[i];
+ }
+ else {
+ printf("-ik option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-salg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"aes") == 0) {
+ in.symmetricAlg.algorithm = TPM_ALG_AES;
+ in.symmetricAlg.keyBits.aes = 128;
+ in.symmetricAlg.mode.aes = TPM_ALG_CFB;
+ }
+ else {
+ printf("Bad parameter %s for -salg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-salg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oek") == 0) {
+ i++;
+ if (i < argc) {
+ encryptionKeyOutFilename = argv[i];
+ }
+ else {
+ printf("-oek option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-od") == 0) {
+ i++;
+ if (i < argc) {
+ duplicateFilename = argv[i];
+ }
+ else {
+ printf("-od option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oss") == 0) {
+ i++;
+ if (i < argc) {
+ outSymSeedFilename = argv[i];
+ }
+ else {
+ printf("-oss option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (objectHandle == 0) {
+ printf("Missing or bad object handle parameter -ho\n");
+ printUsage();
+ }
+ if ((in.symmetricAlg.algorithm == TPM_ALG_NULL) &&
+ (encryptionKeyInFilename != NULL)) {
+ printf("-ik needs -salg\n");
+ printUsage();
+ }
+ if ((in.symmetricAlg.algorithm != TPM_ALG_NULL) &&
+ (encryptionKeyInFilename == NULL)) {
+ printf("-salg needs -ik\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.objectHandle = objectHandle;
+ in.newParentHandle = newParentHandle;
+ }
+ /* optional symmetric encryption key */
+ if (encryptionKeyInFilename != NULL) {
+ rc = TSS_File_Read2B(&in.encryptionKeyIn.b,
+ sizeof(in.encryptionKeyIn.t.buffer),
+ encryptionKeyInFilename);
+ }
+ else {
+ in.encryptionKeyIn.t.size = 0;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Duplicate,
+ sessionHandle0, objectPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (encryptionKeyOutFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.encryptionKeyOut.t.buffer,
+ out.encryptionKeyOut.t.size,
+ encryptionKeyOutFilename);
+ }
+ if ((rc == 0) && (duplicateFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.duplicate.t.buffer,
+ out.duplicate.t.size,
+ duplicateFilename);
+ }
+ if ((rc == 0) && (outSymSeedFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.outSymSeed.t.secret,
+ out.outSymSeed.t.size,
+ outSymSeedFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("duplicate: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("duplicate: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("duplicate\n");
+ printf("\n");
+ printf("Runs TPM2_Duplicate\n");
+ printf("\n");
+ printf("\t-ho\tobject handle\n");
+ printf("\t[-pwdo\tpassword for object (default empty)]\n");
+ printf("\t[-hp\tnew parent handle (default TPM_RH_NULL)]\n");
+ printf("\t[-ik\tencryption key in file name]\n");
+ printf("\t[-salg\tsymmetric algorithm (aes)(default none)]\n");
+ printf("\n");
+ printf("\t[-oek\tencryption key out file name (default do not save)]\n");
+ printf("\t[-od\tduplicate private area file name (default do not save)]\n");
+ printf("\t[-oss\tsymmetric seed file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
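Review bot: The usage text at L24032 presents `-hp` defaulting to `TPM_RH_NULL` and `-salg` at L24034 defaulting to none without saying what that combination produces: with no new parent the TPM applies no outer wrapper, and with `symmetricAlg` left at `TPM_ALG_NULL` (L23775) there is no inner wrapper either, so the `-od` file written at L23999 then holds the object's sensitive area without any wrapping (the TPM only permits this for objects whose attributes allow it). A usage line such as `printf("\t\tWith the default -hp and no -salg, -od is written without outer or inner wrapping\n");` after L24037 would make that explicit to operators choosing where to store the output. The `-ik` key and `-oek`/`-oss` outputs are likewise secret-bearing files; their on-disk permissions depend on `TSS_File_WriteBinaryFile`, which is not visible here, so that is worth confirming rather than assuming.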
diff --git a/libstb/tss2/ibmtpm20tss/utils/eccparameters.c b/libstb/tss2/ibmtpm20tss/utils/eccparameters.c
new file mode 100644
index 0000000..052019f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/eccparameters.c
@@ -0,0 +1,172 @@
+/********************************************************************************/
+/* */
+/* ECC_Parameters */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ECC_Parameters_In in;
+ ECC_Parameters_Out out;
+ const char *datafilename = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ in.curveID = TPM_ECC_NONE;
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-cv") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"bnp256") == 0) {
+ in.curveID = TPM_ECC_BN_P256;
+ }
+ else if (strcmp(argv[i],"nistp256") == 0) {
+ in.curveID = TPM_ECC_NIST_P256;
+ }
+ else if (strcmp(argv[i],"nistp384") == 0) {
+ in.curveID = TPM_ECC_NIST_P384;
+ }
+ else {
+ printf("Bad parameter %s for -cv\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-cv option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-of") == 0) {
+ i++;
+ if (i < argc) {
+ datafilename = argv[i];
+ } else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (in.curveID == TPM_ECC_NONE) {
+ printf("Missing or bad parameter for -cv\n");
+ printUsage();
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ECC_Parameters,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (datafilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.parameters,
+ (MarshalFunction_t)TSS_TPMS_ALGORITHM_DETAIL_ECC_Marshalu,
+ datafilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("eccparameters: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("eccparameters: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("eccparameters\n");
+ printf("\n");
+ printf("Runs TPM2_ECC_Parameters\n");
+ printf("\n");
+ printf("\t-cv\tcurve ID\n");
+ printf("\t\tbnp256\n");
+ printf("\t\tnistp256\n");
+ printf("\t\tnistp384\n");
+ printf("\t[-of data file, ECC parameters (default do not save)]\n");
+ exit(1);
+}
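Review bot: The `-of` branch at L24146–L24154 places `else` on the closing-brace line (`} else {`) while every other branch in this function and in the sibling utilities puts `else` on its own line after the brace; one form should be used throughout the file. The comment block at L24090–L24092 is empty and should either describe the utility (e.g. `/* Reads the TPM's ECC curve parameters for the curve given by -cv and optionally saves the marshaled TPMS_ALGORITHM_DETAIL_ECC to -of. */`) or be dropped.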
diff --git a/libstb/tss2/ibmtpm20tss/utils/ecephemeral.c b/libstb/tss2/ibmtpm20tss/utils/ecephemeral.c
new file mode 100644
index 0000000..1f1597e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ecephemeral.c
@@ -0,0 +1,195 @@
+/********************************************************************************/
+/* */
+/* EC_Ephemeral */
+/* Written by Bill Martin */
+/* Green Hills Integrity Software Services */
+/* */
+/* (c) Copyright IBM Corporation 2017 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+/*
+
+
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ EC_Ephemeral_In in;
+ EC_Ephemeral_Out out;
+ TPMI_ECC_CURVE curveID = TPM_ECC_NONE;
+ const char *QFilename = NULL;
+ const char *counterFilename = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i], "-ecc") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"bnp256") == 0) {
+ curveID = TPM_ECC_BN_P256;
+ }
+ else if (strcmp(argv[i],"nistp256") == 0) {
+ curveID = TPM_ECC_NIST_P256;
+ }
+ else if (strcmp(argv[i],"nistp384") == 0) {
+ curveID = TPM_ECC_NIST_P384;
+ }
+ else {
+ printf("Bad parameter %s for -ecc\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-ecc option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-oq") == 0) {
+ i++;
+ if (i < argc) {
+ QFilename = argv[i];
+ } else {
+ printf("-oq option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-cf") == 0) {
+ i++;
+ if (i < argc) {
+ counterFilename = argv[i];
+ } else {
+ printf("-cf option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (curveID == TPM_ECC_NONE) {
+ printf("Missing curve ID -ecc\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.curveID = curveID;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_EC_Ephemeral,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (QFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.Q,
+ (MarshalFunction_t)TSS_TPM2B_ECC_POINT_Marshalu,
+ QFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("counter is %d\n", out.counter);
+ if (counterFilename != NULL) {
+ rc = TSS_File_WriteStructure(&out.counter,
+ (MarshalFunction_t)TSS_UINT16_Marshalu,
+ counterFilename);
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("ecephemeral: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("ecephemeral: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("ecephmeral\n");
+ printf("\n");
+ printf("Runs TPM2_EC_Ephemeral\n");
+ printf("\n");
+ printf("\t-ecc\tcurve\n");
+ printf("\t\tbnp256\n");
+ printf("\t\tnistp256\n");
+ printf("\t\tnistp384\n");
+ printf("\t[-oq\toutput Q ephemeral public key file name (default do not save)]\n");
+ printf("\t[-cf\toutput counter file name (default do not save)]\n");
+ exit(1);
+}
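Review bot: The program name printed by printUsage at L24413 is misspelled (`printf("ecephmeral\n");`) and does not match the `ecephemeral:` prefix used in the success and failure messages at L24395 and L24401; change it to `printf("ecephemeral\n");`. At L24387 `out.counter` is a 16-bit unsigned value (it is marshaled with `TSS_UINT16_Marshalu` at L24390), so `printf("counter is %u\n", out.counter);` is the matching conversion after promotion. The empty comment block at L24267–L24270 should either carry a one-line description of the utility or be removed.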
diff --git a/libstb/tss2/ibmtpm20tss/utils/ekutils.c b/libstb/tss2/ibmtpm20tss/utils/ekutils.c
new file mode 100644
index 0000000..4e3fcbc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ekutils.c
@@ -0,0 +1,2314 @@
+/********************************************************************************/
+/* */
+/* EK Index Parsing Utilities (and more) */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* These functions are worthwhile sample code that probably (judgment call) do not belong in the
+ TSS library.
+
+ They started as code to manipulate EKs, EK templates, and EK certificates.
+
+ Other useful X509 certificate crypto functions are migrating here. Much of it is OpenSSL
+ specific, but it also provides examples of how to port from OpenSSL 1.0 to 1.1.
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <limits.h>
+
+/* Windows 10 crypto API clashes with openssl */
+#ifdef TPM_WINDOWS
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#endif
+
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tsscrypto.h>
+#include <ibmtss/tssprint.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+#include "cryptoutils.h"
+#include "ekutils.h"
+
+/* windows apparently uses _MAX_PATH in stdlib.h */
+#ifndef PATH_MAX
+#ifdef _MAX_PATH
+#define PATH_MAX _MAX_PATH
+#else
+/* Debian/Hurd does not define MAX_PATH */
+#define PATH_MAX 4096
+#endif
+#endif
+
+/* The print flag is set by the caller, depending on whether it wants information displayed.
+
+ tssUtilsVerbose is a global, used for verbose debug print
+
+ Errors are always printed.
+*/
+
+extern int tssUtilsVerbose;
+
+#ifdef TPM_TPM20
+
+/* readNvBufferMax() determines the maximum NV read/write block size. The limit is typically set by
+ the TPM property TPM_PT_NV_BUFFER_MAX. However, it's possible that a value could be larger than
+ the TSS side structure MAX_NV_BUFFER_SIZE.
+*/
+
+TPM_RC readNvBufferMax(TSS_CONTEXT *tssContext,
+ uint32_t *nvBufferMax)
+{
+ TPM_RC rc = 0;
+ GetCapability_In in;
+ GetCapability_Out out;
+
+ in.capability = TPM_CAP_TPM_PROPERTIES;
+ in.property = TPM_PT_NV_BUFFER_MAX;
+ in.propertyCount = 1; /* ask for one property */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_GetCapability,
+ TPM_RH_NULL, NULL, 0);
+ }
+ /* sanity check that the property name is correct (demo of how to parse the structure) */
+ if (rc == 0) {
+ if ((out.capabilityData.data.tpmProperties.count > 0) &&
+ (out.capabilityData.data.tpmProperties.tpmProperty[0].property ==
+ TPM_PT_NV_BUFFER_MAX)) {
+ *nvBufferMax = out.capabilityData.data.tpmProperties.tpmProperty[0].value;
+ }
+ else {
+ if (tssUtilsVerbose) printf("readNvBufferMax: wrong property returned: %08x\n",
+ out.capabilityData.data.tpmProperties.tpmProperty[0].property);
+ /* hard code a value for a back level HW TPM that does not implement
+ TPM_PT_NV_BUFFER_MAX yet */
+ *nvBufferMax = 512;
+ }
+ if (tssUtilsVerbose) printf("readNvBufferMax: TPM max read/write: %u\n", *nvBufferMax);
+ /* in addition, the maximum TSS side structure MAX_NV_BUFFER_SIZE is accounted for. The TSS
+ value is typically larger than the TPM value. */
+ if (*nvBufferMax > MAX_NV_BUFFER_SIZE) {
+ *nvBufferMax = MAX_NV_BUFFER_SIZE;
+ }
+ if (tssUtilsVerbose) printf("readNvBufferMax: combined max read/write: %u\n", *nvBufferMax);
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("getcapability: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+/* getIndexSize() uses TPM2_NV_ReadPublic() to return the NV index size */
+
+TPM_RC getIndexSize(TSS_CONTEXT *tssContext,
+ uint16_t *dataSize,
+ TPMI_RH_NV_INDEX nvIndex)
+{
+ TPM_RC rc = 0;
+ NV_ReadPublic_In in;
+ NV_ReadPublic_Out out;
+
+ if (rc == 0) {
+ /* if (tssUtilsVerbose) printf("getIndexSize: index %08x\n", nvIndex); */
+ in.nvIndex = nvIndex;
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_ReadPublic,
+ TPM_RH_NULL, NULL, 0);
+ /* only print if verbose, since EK nonce and template index may not exist */
+ if ((rc != 0) && tssUtilsVerbose) {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvreadpublic: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ }
+ }
+ if (rc == 0) {
+ /* if (tssUtilsVerbose) printf("getIndexSize: size %u\n", out.nvPublic.t.nvPublic.dataSize); */
+ *dataSize = out.nvPublic.nvPublic.dataSize;
+ }
+ return rc;
+}
+
+/* getIndexData() uses TPM2_NV_Read() to return the NV index contents.
+
+ It assumes index authorization with an empty password
+*/
+
+TPM_RC getIndexData(TSS_CONTEXT *tssContext,
+ unsigned char **readBuffer, /* freed by caller */
+ TPMI_RH_NV_INDEX nvIndex,
+ uint16_t readDataSize) /* total size to read */
+{
+ TPM_RC rc = 0;
+ int done = FALSE;
+ uint32_t nvBufferMax;
+ uint16_t bytesRead; /* bytes read so far */
+ NV_Read_In in;
+ NV_Read_Out out;
+
+ /* data may have to be read in chunks. Read the TPM_PT_NV_BUFFER_MAX, the chunk size */
+ if (rc == 0) {
+ rc = readNvBufferMax(tssContext,
+ &nvBufferMax);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("getIndexData: index %08x\n", nvIndex);
+ in.authHandle = nvIndex; /* index authorization */
+ in.nvIndex = nvIndex;
+ in.offset = 0; /* start at beginning */
+ bytesRead = 0; /* bytes read so far */
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(readBuffer, readDataSize);
+ }
+ /* call TSS to execute the command */
+ while ((rc == 0) && !done) {
+ if (rc == 0) {
+ /* read a chunk */
+ in.offset = bytesRead;
+ if ((uint32_t)(readDataSize - bytesRead) < nvBufferMax) {
+ in.size = readDataSize - bytesRead; /* last chunk */
+ }
+ else {
+ in.size = nvBufferMax; /* next chunk */
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_Read,
+ TPM_RS_PW, NULL, 0,
+ TPM_RH_NULL, NULL, 0);
+ if (rc != 0) {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvread: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ }
+ }
+ /* copy the results to the read buffer */
+ if (rc == 0) {
+ memcpy(*readBuffer + bytesRead, out.data.b.buffer, out.data.b.size);
+ bytesRead += out.data.b.size;
+ if (bytesRead == readDataSize) {
+ done = TRUE;
+ }
+ }
+ }
+ return rc;
+}
+
+/* getIndexContents() uses TPM2_NV_ReadPublic() to get the NV index size, then uses TPM2_NV_Read()
+ to read the entire contents.
+
+*/
+
+TPM_RC getIndexContents(TSS_CONTEXT *tssContext,
+ unsigned char **readBuffer, /* freed by caller */
+ uint16_t *readBufferSize, /* total size read */
+ TPMI_RH_NV_INDEX nvIndex)
+{
+ TPM_RC rc = 0;
+
+ /* first read the public index size */
+ if (rc == 0) {
+ rc = getIndexSize(tssContext, readBufferSize, nvIndex);
+ }
+ /* read the entire index */
+ if (rc == 0) {
+ rc = getIndexData(tssContext,
+ readBuffer, /* freed by caller */
+ nvIndex,
+ *readBufferSize); /* total size to read */
+ }
+ return rc;
+}
+
+/* IWG (TCG Infrastructure Work Group) default EK primary key policy */
+
+static const unsigned char iwgPolicy[] = {
+ 0x83, 0x71, 0x97, 0x67, 0x44, 0x84, 0xB3, 0xF8, 0x1A, 0x90, 0xCC, 0x8D, 0x46, 0xA5, 0xD7, 0x24,
+ 0xFD, 0x52, 0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64, 0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14, 0x69, 0xAA
+};
+
+/* RSA EK primary key IWG default template */
+
+void getRsaTemplate(TPMT_PUBLIC *tpmtPublic)
+{
+ tpmtPublic->type = TPM_ALG_RSA;
+ tpmtPublic->nameAlg = TPM_ALG_SHA256;
+ tpmtPublic->objectAttributes.val = TPMA_OBJECT_FIXEDTPM |
+ TPMA_OBJECT_FIXEDPARENT |
+ TPMA_OBJECT_SENSITIVEDATAORIGIN |
+ TPMA_OBJECT_ADMINWITHPOLICY |
+ TPMA_OBJECT_RESTRICTED |
+ TPMA_OBJECT_DECRYPT;
+ tpmtPublic->authPolicy.t.size = 32;
+ memcpy(&tpmtPublic->authPolicy.t.buffer, iwgPolicy, 32);
+ tpmtPublic->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES;
+ tpmtPublic->parameters.rsaDetail.symmetric.keyBits.aes = 128;
+ tpmtPublic->parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ tpmtPublic->parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
+ tpmtPublic->parameters.rsaDetail.scheme.details.anySig.hashAlg = 0;
+ tpmtPublic->parameters.rsaDetail.keyBits = 2048;
+ tpmtPublic->parameters.rsaDetail.exponent = 0;
+ tpmtPublic->unique.rsa.t.size = 256;
+ memset(&tpmtPublic->unique.rsa.t.buffer, 0, 256);
+ return;
+}
+
+/* ECC EK primary key IWG default template */
+
+void getEccTemplate(TPMT_PUBLIC *tpmtPublic)
+{
+ tpmtPublic->type = TPM_ALG_ECC;
+ tpmtPublic->nameAlg = TPM_ALG_SHA256;
+ tpmtPublic->objectAttributes.val = TPMA_OBJECT_FIXEDTPM |
+ TPMA_OBJECT_FIXEDPARENT |
+ TPMA_OBJECT_SENSITIVEDATAORIGIN |
+ TPMA_OBJECT_ADMINWITHPOLICY |
+ TPMA_OBJECT_RESTRICTED |
+ TPMA_OBJECT_DECRYPT;
+ tpmtPublic->authPolicy.t.size = sizeof(iwgPolicy);
+ memcpy(tpmtPublic->authPolicy.t.buffer, iwgPolicy, sizeof(iwgPolicy));
+ tpmtPublic->parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES;
+ tpmtPublic->parameters.eccDetail.symmetric.keyBits.aes = 128;
+ tpmtPublic->parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ tpmtPublic->parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+ tpmtPublic->parameters.eccDetail.scheme.details.anySig.hashAlg = 0;
+ tpmtPublic->parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
+ tpmtPublic->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ tpmtPublic->parameters.eccDetail.kdf.details.mgf1.hashAlg = 0;
+ tpmtPublic->unique.ecc.x.t.size = 32;
+ memset(&tpmtPublic->unique.ecc.x.t.buffer, 0, 32);
+ tpmtPublic->unique.ecc.y.t.size = 32;
+ memset(&tpmtPublic->unique.ecc.y.t.buffer, 0, 32);
+ return;
+}
+
+/* getIndexX509Certificate() reads the X509 certificate from the nvIndex and converts the DER
+ (binary) to OpenSSL X509 format
+
+*/
+
+TPM_RC getIndexX509Certificate(TSS_CONTEXT *tssContext,
+ void **certificate, /* freed by caller */
+ TPMI_RH_NV_INDEX nvIndex)
+{
+ TPM_RC rc = 0;
+ unsigned char *certData = NULL; /* freed @1 */
+ uint16_t certSize;
+
+ /* read the certificate from NV to a DER stream */
+ if (rc == 0) {
+ rc = getIndexContents(tssContext,
+ &certData,
+ &certSize,
+ nvIndex);
+ }
+ /* unmarshal the DER stream to an OpenSSL X509 structure */
+ if (rc == 0) {
+ unsigned char *tmpData = NULL;
+ tmpData = certData; /* tmp pointer because d2i moves the pointer */
+ *certificate = d2i_X509(NULL, /* freed by caller */
+ (const unsigned char **)&tmpData, certSize);
+ if (*certificate == NULL) {
+ printf("getIndexX509Certificate: Could not parse X509 certificate\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ free(certData); /* @1 */
+ return rc;
+}
+
+#endif /* TPM20 */
+
+#ifndef TPM_TSS_NOFILE
+#ifndef TPM_TSS_NORSA
+
+/* getPubkeyFromDerCertFile() gets an OpenSSL RSA public key token from a DER format X509
+ certificate stored in a file.
+
+ Returns both the OpenSSL X509 certificate token and RSA public key token.
+*/
+
+uint32_t getPubkeyFromDerCertFile(RSA **rsaPkey,
+ X509 **x509,
+ const char *derCertificateFileName)
+{
+ uint32_t rc = 0;
+ FILE *fp = NULL;
+
+ /* open the file */
+ if (rc == 0) {
+ fp = fopen(derCertificateFileName, "rb");
+ if (fp == NULL) {
+ printf("getPubkeyFromDerCertFile: Error opening %s\n", derCertificateFileName);
+ rc = TSS_RC_FILE_OPEN;
+ }
+ }
+ /* read the file and convert the X509 DER to OpenSSL format */
+ if (rc == 0) {
+ *x509 = d2i_X509_fp(fp, NULL);
+ if (*x509 == NULL) {
+ printf("getPubkeyFromDerCertFile: Error converting %s\n", derCertificateFileName);
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* extract the OpenSSL format public key from the X509 token */
+ if (rc == 0) {
+ rc = getPubKeyFromX509Cert(rsaPkey, *x509);
+ }
+ /* for debug, print the X509 certificate */
+ if (rc == 0) {
+ if (tssUtilsVerbose) X509_print_fp(stdout, *x509);
+ }
+ if (fp != NULL) {
+ fclose(fp);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NORSA */
+#endif /* TPM_TSS_NOFILE */
+
+#ifndef TPM_TSS_NORSA
+
+/* getPubKeyFromX509Cert() gets an OpenSSL RSA public key token from an OpenSSL X509 certificate
+ token. */
+
+uint32_t getPubKeyFromX509Cert(RSA **rsaPkey,
+ X509 *x509)
+{
+ uint32_t rc = 0;
+ EVP_PKEY *evpPkey = NULL;
+
+ if (rc == 0) {
+ evpPkey = X509_get_pubkey(x509); /* freed @1 */
+ if (evpPkey == NULL) {
+ printf("getPubKeyFromX509Cert: X509_get_pubkey failed\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ *rsaPkey = EVP_PKEY_get1_RSA(evpPkey);
+ if (*rsaPkey == NULL) {
+ printf("getPubKeyFromX509Cert: EVP_PKEY_get1_RSA failed\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (evpPkey != NULL) {
+ EVP_PKEY_free(evpPkey); /* @1 */
+ }
+ return rc;
+}
+#endif /* TPM_TSS_NORSA */
+
+#ifndef TPM_TSS_NOFILE
+
+/* getRootCertificateFilenames() reads listFilename, which is a list of filenames. The intent is
+ that the filenames are a list of EK TPM vendor root certificates in PEM format.
+
+ It accepts up to MAX_ROOTS filenames, which is a #define.
+
+*/
+
+TPM_RC getRootCertificateFilenames(char *rootFilename[],
+ unsigned int *rootFileCount,
+ const char *listFilename,
+ int print)
+{
+ TPM_RC rc = 0;
+ int done = 0;
+ FILE *listFile = NULL; /* closed @1 */
+
+ *rootFileCount = 0;
+
+ if (rc == 0) {
+ listFile = fopen(listFilename, "rb"); /* closed @1 */
+ if (listFile == NULL) {
+ printf("getRootCertificateFilenames: Error opening list file %s\n",
+ listFilename);
+ rc = TSS_RC_FILE_OPEN;
+ }
+ }
+ while ((rc == 0) && !done && (*rootFileCount < MAX_ROOTS)) {
+ size_t rootFilenameLength;
+ if (rc == 0) {
+ rootFilename[*rootFileCount] = malloc(PATH_MAX);
+ if (rootFilename[*rootFileCount] == NULL) {
+ printf("getRootCertificateFilenames: Error allocating memory\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ char *tmpptr = fgets(rootFilename[*rootFileCount], PATH_MAX-1, listFile);
+ if (tmpptr == NULL) { /* end of file */
+ free(rootFilename[*rootFileCount]); /* free malloced but unused entry */
+ done = 1;
+ }
+ }
+ if ((rc == 0) && !done) {
+ rootFilenameLength = strlen(rootFilename[*rootFileCount]);
+ if (rootFilename[*rootFileCount][rootFilenameLength-1] != '\n') {
+ printf("getRootCertificateFilenames: filename %s too long\n",
+ rootFilename[*rootFileCount]);
+ rc = TSS_RC_OUT_OF_MEMORY;
+ free(rootFilename[*rootFileCount]); /* free malloced but bad entry */
+ done = 1;
+ }
+ }
+ if ((rc == 0) && !done) {
+ rootFilename[*rootFileCount][rootFilenameLength-1] = '\0'; /* remove newline */
+ if (print) printf("getRootCertificateFilenames: Root file name %u\n%s\n",
+ *rootFileCount, rootFilename[*rootFileCount]);
+ (*rootFileCount)++;
+ }
+ }
+ if (listFile != NULL) {
+ fclose(listFile); /* @1 */
+ }
+ return rc;
+}
+
+#endif
+
+#ifndef TPM_TSS_NOFILE
+
+/* getCaStore() creates an OpenSSL X509_STORE, populated by the root certificates in the
+ rootFilename array. Depending on the vendor, some certificates may be intermediate certificates.
+ OpenSSL handles this internally by walking the chain back to the root.
+
+ The caCert array is returned because it must be freed after the caStore is freed
+
+ NOTE: There is no TPM interaction.
+*/
+
+TPM_RC getCaStore(X509_STORE **caStore, /* freed by caller */
+ X509 *caCert[], /* freed by caller */
+ const char *rootFilename[],
+ unsigned int rootFileCount)
+{
+ TPM_RC rc = 0;
+ FILE *caCertFile = NULL; /* closed @1 */
+ unsigned int i;
+
+ if (rc == 0) {
+ *caStore = X509_STORE_new();
+ if (*caStore == NULL) {
+ printf("getCaStore: X509_store_new failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ for (i = 0 ; (i < rootFileCount) && (rc == 0) ; i++) {
+ /* read a root certificate from the file */
+ caCertFile = fopen(rootFilename[i], "rb"); /* closed @1 */
+ if (caCertFile == NULL) {
+ printf("getCaStore: Error opening CA root certificate file %s\n",
+ rootFilename[i]);
+ rc = TSS_RC_FILE_OPEN;
+ }
+ /* convert the root certificate from PEM to X509 */
+ if (rc == 0) {
+ caCert[i] = PEM_read_X509(caCertFile, NULL, NULL, NULL); /* freed by caller */
+ if (caCert[i] == NULL) {
+ printf("getCaStore: Error reading CA root certificate file %s\n",
+ rootFilename[i]);
+ rc = TSS_RC_FILE_READ;
+ }
+ }
+ if ((rc == 0) && tssUtilsVerbose) {
+ X509_NAME *x509Name;
+ char *subject = NULL;
+ x509Name = X509_get_subject_name(caCert[i]);
+ subject = X509_NAME_oneline(x509Name, NULL, 0);
+ printf("getCaStore: subject %u: %s\n", i, subject);
+ OPENSSL_free(subject);
+ }
+
+ /* add the CA X509 certificate to the certificate store */
+ if (rc == 0) {
+ X509_STORE_add_cert(*caStore, caCert[i]);
+ }
+ if (caCertFile != NULL) {
+ fclose(caCertFile); /* @1 */
+ caCertFile = NULL;
+ }
+ }
+ return rc;
+}
+
+#endif
+
+#ifndef TPM_TSS_NOFILE
+
+/* verifyCertificate() verifies a certificate (typically an EK certificate against the root CA
+ certificate (typically the TPM vendor CA certificate chain)
+
+ The 'rootFileCount' root certificates are stored in the files whose paths are in the array
+ 'rootFilename'
+
+*/
+
+TPM_RC verifyCertificate(void *x509Certificate,
+ const char *rootFilename[],
+ unsigned int rootFileCount,
+ int print)
+{
+ TPM_RC rc = 0;
+ unsigned int i;
+ X509_STORE *caStore = NULL; /* freed @1 */
+ X509 *caCert[MAX_ROOTS]; /* freed @2 */
+ X509_STORE_CTX *verifyCtx = NULL; /* freed @3 */
+
+ for (i = 0 ; i < rootFileCount ; i++) {
+ caCert[i] = NULL; /* for free @2 */
+ }
+ /* get the root CA certificate chain */
+ if (rc == 0) {
+ rc = getCaStore(&caStore, /* freed @1 */
+ caCert, /* freed @2 */
+ rootFilename,
+ rootFileCount);
+ }
+ /* create the certificate verify context */
+ if (rc == 0) {
+ verifyCtx = X509_STORE_CTX_new(); /* freed @3 */
+ if (verifyCtx == NULL) {
+ printf("verifyCertificate: X509_STORE_CTX_new failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ /* add the root certificate store and EK certificate to be verified to the verify context */
+ if (rc == 0) {
+ int irc = X509_STORE_CTX_init(verifyCtx,
+ caStore, /* trusted certificates */
+ x509Certificate, /* end entity certificate */
+ NULL); /* untrusted (intermediate) certificates */
+ if (irc != 1) {
+ printf("verifyCertificate: "
+ "Error in X509_STORE_CTX_init initializing verify context\n");
+ rc = TSS_RC_RSA_SIGNATURE;
+ }
+ }
+ /* walk the certificate chain */
+ if (rc == 0) {
+ int irc = X509_verify_cert(verifyCtx);
+ if (irc != 1) {
+ printf("verifyCertificate: Error in X509_verify_cert verifying certificate\n");
+ rc = TSS_RC_RSA_SIGNATURE;
+ }
+ else {
+ if (print) printf("EK certificate verified against the root\n");
+ }
+ }
+ if (caStore != NULL) {
+ X509_STORE_free(caStore); /* @1 */
+ }
+ for (i = 0 ; i < rootFileCount ; i++) {
+ X509_free(caCert[i]); /* @2 */
+ }
+ if (verifyCtx != NULL) {
+ X509_STORE_CTX_free(verifyCtx); /* @3 */
+ }
+ return rc;
+}
+
+/* verifyKeyUsage() validates the key usage for an EK.
+
+ If the EK has the decrypt attribute set, the keyEncipherment bit MUST be set for an RSA EK
+ certificate; the keyAgreement bit MUST be set for an ECC EK certificate.
+*/
+
+TPM_RC verifyKeyUsage(X509 *ekX509Certificate, /* X509 certificate */
+ int pkeyType, /* RSA or ECC */
+ int print)
+{
+ TPM_RC rc = 0;
+ ASN1_BIT_STRING *keyUsage = NULL;
+ uint8_t bitmap;
+ int keyAgreement; /* boolean flags */
+ int keyEncipherment;
+
+ if (rc == 0) {
+ keyUsage = X509_get_ext_d2i(ekX509Certificate, NID_key_usage, /* freed @1 */
+ NULL, NULL);
+ if (keyUsage == NULL) {
+ printf("verifyKeyUsage: Cannot find key usage\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ if (keyUsage->length == 0) {
+ printf("verifyKeyUsage: Key usage length 0 bytes\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ bitmap = keyUsage->data[0];
+ keyEncipherment = bitmap & (1<<5); /* bit 2 little endian */
+ keyAgreement = bitmap & (1<<3); /* bit 4 little endian */
+ if (keyEncipherment) { /* bit 2 little endian */
+ if (print) printf("verifyKeyUsage: Key Encipherment\n");
+ }
+ if (keyAgreement) { /* bit 4 little endian */
+ if (print) printf("verifyKeyUsage: Key Agreement\n");
+ }
+ if (pkeyType == EVP_PKEY_RSA) {
+ if (!keyEncipherment) {
+ printf("ERROR: verifyKeyUsage: RSA Key usage %02x not Key Encipherment\n",
+ bitmap);
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ else if (pkeyType == EVP_PKEY_EC) {
+ /* ECC should be key agreement, but some HW TPMs use key encipherment */
+ if (!keyEncipherment && !keyAgreement) {
+ printf("ERROR: verifyKeyUsage: ECC Key usage %02x not "
+ "Key agreement or key encipherment\n",
+ bitmap);
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ else {
+ printf("ERROR: verifyKeyUsage: Public key is not RSA or ECC\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (keyUsage != NULL) {
+ ASN1_BIT_STRING_free(keyUsage); /* @1 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOFILE */
+
+#ifdef TPM_TPM20
+
+/* processEKNonce()reads the EK nonce from NV and returns the contents and size */
+
+TPM_RC processEKNonce(TSS_CONTEXT *tssContext,
+ unsigned char **nonce, /* freed by caller */
+ uint16_t *nonceSize,
+ TPMI_RH_NV_INDEX ekNonceIndex,
+ int print)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = getIndexContents(tssContext,
+ nonce,
+ nonceSize,
+ ekNonceIndex);
+ }
+ /* optional tracing */
+ if (rc == 0) {
+ if (print) TSS_PrintAll("EK Nonce: ", *nonce, *nonceSize);
+ }
+ return rc;
+}
+
+/* processEKTemplate() reads the EK template from NV and returns the unmarshaled TPMT_PUBLIC */
+
+TPM_RC processEKTemplate(TSS_CONTEXT *tssContext,
+ TPMT_PUBLIC *tpmtPublic,
+ TPMI_RH_NV_INDEX ekTemplateIndex,
+ int print)
+{
+ TPM_RC rc = 0;
+ uint16_t dataSize;
+ unsigned char *data = NULL; /* freed @1 */
+ uint32_t tmpDataSize;
+ unsigned char *tmpData = NULL;
+
+ if (rc == 0) {
+ rc = getIndexContents(tssContext,
+ &data,
+ &dataSize,
+ ekTemplateIndex);
+ }
+ /* unmarshal the data stream */
+ if (rc == 0) {
+ tmpData = data; /* temps because unmarshal moves the pointers */
+ tmpDataSize = dataSize;
+ rc = TSS_TPMT_PUBLIC_Unmarshalu(tpmtPublic, &tmpData, &tmpDataSize, YES);
+ }
+ /* optional tracing */
+ if (rc == 0) {
+ if (print) TSS_TPMT_PUBLIC_Print(tpmtPublic, 0);
+ }
+ free(data); /* @1 */
+ return rc;
+}
+
+/* processEKCertificate() reads the EK certificate from NV and returns an X509 certificate
+ structure. It also extracts and returns the public modulus.
+
+ The return is void because the structure is opaque to the caller. This accomodates other crypto
+ libraries.
+
+ ekCertificate is an X509 structure.
+*/
+
+TPM_RC processEKCertificate(TSS_CONTEXT *tssContext,
+ void **ekCertificate, /* freed by caller */
+ uint8_t **modulusBin, /* freed by caller */
+ int *modulusBytes,
+ TPMI_RH_NV_INDEX ekCertIndex,
+ int print)
+{
+ TPM_RC rc = 0;
+
+ /* read the EK X509 certificate from NV and convert the DER (binary) to OpenSSL X509 format */
+ if (rc == 0) {
+ rc = getIndexX509Certificate(tssContext,
+ ekCertificate, /* freed by caller */
+ ekCertIndex);
+ if (rc != 0) {
+ printf("No EK certificate\n");
+ }
+ }
+ /* extract the public modulus from the X509 structure */
+ if (rc == 0) {
+ rc = convertCertificatePubKey(modulusBin, /* freed by caller */
+ modulusBytes,
+ *ekCertificate,
+ ekCertIndex,
+ print);
+ }
+ return rc;
+}
+
+#endif /* TPM20 */
+
+/* convertX509ToDer() serializes the openSSL X509 structure to a DER certificate
+
+ */
+
+TPM_RC convertX509ToDer(uint32_t *certLength,
+ unsigned char **certificate, /* output, freed by caller */
+ X509 *x509Certificate) /* input */
+{
+ TPM_RC rc = 0; /* general return code */
+ int irc;
+
+ /* sanity check for memory leak */
+ if (rc == 0) {
+ if (*certificate != NULL) {
+ printf("ERROR: convertX509ToDer: Error, certificate not NULL at entry\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ irc = i2d_X509(x509Certificate, NULL);
+ if (irc < 0) {
+ printf("ERROR: convertX509ToDer: Error in certificate serialization i2d_X509()\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ else {
+ *certLength = irc;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(certificate, *certLength);
+ }
+ /* convert the X509 structure to binary (internal to DER format) */
+ if (rc == 0) {
+ unsigned char *tmpptr = *certificate;
+ if (tssUtilsVerbose) printf("convertX509ToDer: Serializing certificate\n");
+ irc = i2d_X509(x509Certificate, &tmpptr);
+ if (irc < 0) {
+ printf("ERROR: convertX509ToDer: Error in certificate serialization i2d_X509()\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOECC
+
+/* convertX509ToEc extracts the public key from an X509 structure to an openssl EC_KEY structure
+
+ */
+
+TPM_RC convertX509ToEc(EC_KEY **ecKey, /* freed by caller */
+ X509 *x509)
+{
+ TPM_RC rc = 0;
+ EVP_PKEY *evpPkey = NULL;
+
+ if (tssUtilsVerbose) printf("convertX509ToEc: Entry\n\n");
+ if (rc == 0) {
+ evpPkey = X509_get_pubkey(x509); /* freed @1 */
+ if (evpPkey == NULL) {
+ printf("ERROR: convertX509ToEc: X509_get_pubkey failed\n");
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ if (rc == 0) {
+ *ecKey = EVP_PKEY_get1_EC_KEY(evpPkey);
+ if (*ecKey == NULL) {
+ printf("ERROR: convertX509ToEc: EVP_PKEY_get1_EC_KEY failed\n");
+ rc = TSS_RC_EC_KEY_CONVERT;
+ }
+ }
+ if (evpPkey != NULL) {
+ EVP_PKEY_free(evpPkey); /* @1 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+/* convertCertificatePubKey() returns the public modulus from an openssl X509 certificate
+ structure. ekCertIndex determines whether the algorithm is RSA or ECC.
+
+ If print is true, prints the EK certificate
+
+ The return is void because the structure is opaque to the caller. This accomodates other crypto
+ libraries.
+
+ ekCertificate is an X509 structure.
+*/
+
+TPM_RC convertCertificatePubKey(uint8_t **modulusBin, /* freed by caller */
+ int *modulusBytes,
+ void *ekCertificate,
+ TPMI_RH_NV_INDEX ekCertIndex,
+ int print)
+{
+ TPM_RC rc = 0;
+ EVP_PKEY *pkey = NULL;
+ int pkeyType; /* RSA or EC */
+
+ /* use openssl to print the X509 certificate */
+#ifndef TPM_TSS_NOFILE /* stdout is a file descriptor */
+ if (rc == 0) {
+ if (print) X509_print_fp(stdout, ekCertificate);
+ }
+#endif
+ /* extract the public key */
+ if (rc == 0) {
+ pkey = X509_get_pubkey(ekCertificate); /* freed @2 */
+ if (pkey == NULL) {
+#ifndef TPM_TSS_NORSA
+ if (tssUtilsVerbose) printf("convertCertificatePubKey: "
+ "Could not extract public key from X509 certificate, "
+ "may be TPM 1.2\n");
+ /* if the conversion failed, this may be a TPM 1.2 certificate with a non-standard TCG
+ algorithm. Try a different method to get the public modulus. */
+ rc = convertCertificatePubKey12(modulusBin, /* freed by caller */
+ modulusBytes,
+ ekCertificate);
+#else
+ printf("convertCertificatePubKey12: Could not extract X509_PUBKEY public key "
+ "from X509 certificate\n");
+ rc = TPM_RC_INTEGRITY;
+#endif /* TPM_TSS_NORSA */
+
+ }
+ else {
+ if (rc == 0) {
+ pkeyType = getRsaPubkeyAlgorithm(pkey);
+ }
+ switch (ekCertIndex) {
+#ifndef TPM_TSS_NORSA
+ case EK_CERT_RSA_INDEX:
+ {
+ RSA *rsaKey = NULL;
+ /* check that the public key algorithm matches the ekCertIndex algorithm */
+ if (rc == 0) {
+ if (pkeyType != EVP_PKEY_RSA) {
+ printf("convertCertificatePubKey: "
+ "Public key from X509 certificate is not RSA\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ /* convert the public key to OpenSSL structure */
+ if (rc == 0) {
+ rsaKey = EVP_PKEY_get1_RSA(pkey); /* freed @3 */
+ if (rsaKey == NULL) {
+ printf("convertCertificatePubKey: Could not extract RSA public key "
+ "from X509 certificate\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ if (rc == 0) {
+ rc = convertRsaKeyToPublicKeyBin(modulusBytes,
+ modulusBin, /* freed by caller */
+ rsaKey);
+ }
+ if (rc == 0) {
+ if (print) TSS_PrintAll("Certificate public key:",
+ *modulusBin, *modulusBytes);
+ }
+ RSA_free(rsaKey); /* @3 */
+ }
+ break;
+#endif /* TPM_TSS_NORSA */
+#ifndef TPM_TSS_NOECC
+ case EK_CERT_EC_INDEX:
+ {
+ EC_KEY *ecKey = NULL;
+ /* check that the public key algorithm matches the ekCertIndex algorithm */
+ if (rc == 0) {
+ if (pkeyType != EVP_PKEY_EC) {
+ printf("convertCertificatePubKey: "
+ "Public key from X509 certificate is not EC\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ /* convert the public key to OpenSSL structure */
+ if (rc == 0) {
+ ecKey = EVP_PKEY_get1_EC_KEY(pkey); /* freed @3 */
+ if (ecKey == NULL) {
+ printf("convertCertificatePubKey: Could not extract EC public key "
+ "from X509 certificate\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ if (rc == 0) {
+ rc = convertEcKeyToPublicKeyBin(modulusBytes,
+ modulusBin, /* freed by caller */
+ ecKey);
+ }
+ if (rc == 0) {
+ if (print) TSS_PrintAll("Certificate public key:",
+ *modulusBin, *modulusBytes);
+ }
+ EC_KEY_free(ecKey); /* @3 */
+ }
+ break;
+#endif /* TPM_TSS_NOECC */
+ default:
+ printf("convertCertificatePubKey: "
+ "ekCertIndex %08x (asymmetric algorithm) not supported\n", ekCertIndex);
+ rc = TPM_RC_INTEGRITY;
+ break;
+ }
+ }
+ EVP_PKEY_free(pkey); /* @2 */
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NORSA
+
+TPM_RC convertCertificatePubKey12(uint8_t **modulusBin, /* freed by caller */
+ int *modulusBytes,
+ X509 *ekCertificate)
+{
+ TPM_RC rc = 0;
+ int irc;
+ X509_PUBKEY *pubkey = NULL;
+ ASN1_OBJECT *ppkalg = NULL; /* ignore OID */
+ const unsigned char *pk = NULL; /* do not free */
+ int ppklen;
+ X509_ALGOR *palg = NULL; /* algorithm identifier for public key */
+ RSA *rsaKey = NULL;
+
+ /* get internal pointer to the public key in the certificate */
+ if (rc == 0) {
+ pubkey = X509_get_X509_PUBKEY(ekCertificate); /* do not free */
+ if (pubkey == NULL) {
+ printf("convertCertificatePubKey12: Could not extract X509_PUBKEY public key "
+ "from X509 certificate\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ /* get the public key parameters, as a byte stream pk */
+ if (rc == 0) {
+ irc = X509_PUBKEY_get0_param(&ppkalg,
+ &pk, &ppklen, /* internal, don't free */
+ &palg, pubkey);
+ if (irc != 1) {
+ printf("convertCertificatePubKey12: Could not extract public key parameters "
+ "from X509 certificate\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ if (rc == 0) {
+ const unsigned char *tmppk = pk; /* because d2i moves the pointer */
+ rsaKey = d2i_RSAPublicKey(NULL, &tmppk, ppklen); /* freed @1 */
+ if (rsaKey == NULL) {
+ printf("convertCertificatePubKey12: Could not convert to RSA structure\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ if (rc == 0) {
+ rc = convertRsaKeyToPublicKeyBin(modulusBytes,
+ modulusBin, /* freed by caller */
+ rsaKey);
+ TSS_PrintAll("convertCertificatePubKey12", *modulusBin, *modulusBytes);
+ }
+ if (rsaKey != NULL) {
+ RSA_free(rsaKey); /* @1 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NORSA */
+
+#ifndef TPM_TSS_NOFILE /* stdout is a file descriptor */
+
+TPM_RC convertX509PemToDer(uint32_t *certLength,
+ unsigned char **certificate, /* output, freed by caller */
+ const char *pemCertificateFilename)
+{
+ TPM_RC rc = 0;
+ X509 *x509Certificate = NULL;
+
+ if (rc == 0) {
+ rc = convertPemToX509(&x509Certificate, /* freed @1 */
+ pemCertificateFilename);
+ }
+ if (rc == 0) {
+ rc = convertX509ToDer(certLength,
+ certificate, /* output, freed by caller */
+ x509Certificate); /* input */
+ }
+ if (x509Certificate != NULL) {
+ X509_free(x509Certificate); /* @1 */
+ }
+ return rc;
+}
+
+#endif
+
+#ifndef TPM_TSS_NOFILE
+
+/* convertPemToX509() reads a PEM file and converts it to an OpenSSL X509 structure
+
+ */
+
+uint32_t convertPemToX509(X509 **x509, /* freed by caller */
+ const char *pemCertificateFilename)
+{
+ uint32_t rc = 0;
+ int irc;
+ FILE *pemCertificateFile = NULL;
+
+ if (tssUtilsVerbose) printf("convertPemToX509: Reading PEM certificate file %s\n",
+ pemCertificateFilename);
+ if (rc == 0) {
+ pemCertificateFile = fopen(pemCertificateFilename, "r");
+ if (pemCertificateFile == NULL) {
+ printf("convertPemToX509: Cannot open PEM file %s\n", pemCertificateFilename);
+ rc = TSS_RC_FILE_OPEN;
+ }
+ }
+ /* convert the platform certificate from PEM to DER */
+ if (rc == 0) {
+ *x509 = PEM_read_X509(pemCertificateFile , NULL, NULL, NULL); /* freed @1 */
+ if (*x509 == NULL) {
+ printf("convertPemToX509: Cannot parse PEM certificate file %s\n",
+ pemCertificateFilename);
+ rc = TSS_RC_FILE_READ;
+ }
+ }
+ /* for debug */
+ if ((rc == 0) && tssUtilsVerbose) {
+ irc = X509_print_fp(stdout, *x509);
+ if (irc != 1) {
+ printf("ERROR: convertPemToX509: Error in certificate print X509_print_fp()\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (pemCertificateFile != NULL) {
+ fclose(pemCertificateFile); /* @1 */
+ }
+ return rc;
+}
+
+#endif
+
+/* convertDerToX509() converts a DER stream to an OpenSSL X509 structure
+
+ The return is void because the structure is opaque to the caller. This accomodates other crypto
+ libraries.
+*/
+
+uint32_t convertDerToX509(void **x509Certificate, /* freed by caller */
+ uint16_t readLength,
+ const unsigned char *readBuffer)
+{
+ uint32_t rc = 0;
+ *x509Certificate = d2i_X509(NULL, /* freed by caller */
+ &readBuffer, readLength);
+ if (*x509Certificate == NULL) {
+ printf("convertDerToX509: Could not parse X509 certificate\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ return rc;
+}
+
+/* x509FreeStructure() is the library specific free structure.
+
+ The parameter is void because the structure is opaque to the caller. This accomodates other
+ crypto libraries.
+*/
+
+void x509FreeStructure(void *x509)
+{
+ if (x509 != NULL) {
+ X509_free(x509);
+ }
+ return;
+}
+
+/* x509PrintStructure() prints the structure to stdout
+
+ The parameter is void because the structure is opaque to the caller. This accomodates other
+ crypto libraries.
+*/
+
+void x509PrintStructure(void *x509)
+{
+ X509_print_fp(stdout, x509);
+ return;
+}
+
+/* convertPemMemToX509() converts an in-memory PEM format X509 certificate to an openssl X509
+ structure.
+
+*/
+
+uint32_t convertPemMemToX509(X509 **x509, /* freed by caller */
+ const char *pemCertificate)
+{
+ uint32_t rc = 0;
+ BIO *bio = NULL;
+ int pemLength;
+ int writeLen = 0;
+
+ if (tssUtilsVerbose) printf("convertPemMemToX509: pemCertificate\n%s\n", pemCertificate);
+ /* create a BIO that uses an in-memory buffer */
+ if (rc == 0) {
+ bio = BIO_new(BIO_s_mem()); /* freed @1 */
+ if (bio == NULL) {
+ printf("convertPemMemToX509: BIO_new failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ /* write the PEM from memory to BIO */
+ if (rc == 0) {
+ pemLength = strlen(pemCertificate);
+ writeLen = BIO_write(bio, pemCertificate, pemLength);
+ if (writeLen != pemLength) {
+ printf("convertPemMemToX509: BIO_write failed\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ /* convert the properly formatted PEM to X509 structure */
+ if (rc == 0) {
+ *x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+ if (*x509 == NULL) {
+ printf("convertPemMemToX509: PEM_read_bio_X509 failed\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ /* for debug */
+#ifndef TPM_TSS_NOFILE /* stdout is a file descriptor */
+ if (rc == 0) {
+ if (tssUtilsVerbose) X509_print_fp(stdout, *x509);
+ }
+#endif
+ if (bio != NULL) {
+ BIO_free(bio); /* @1 */
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOFILE
+
+/* convertX509ToPem() writes an OpenSSL X509 structure to a PEM format file
+
+ The return is void because the structure is opaque to the caller. This accomodates other crypto
+ libraries.
+
+ For OpenSSL, the type is X509*
+*/
+
+TPM_RC convertX509ToPem(const char *pemFilename,
+ void *x509)
+{
+ TPM_RC rc = 0;
+ int irc;
+ FILE *pemFile = NULL;
+
+ if (tssUtilsVerbose) printf("convertX509ToPem: Writing PEM certificate file %s\n",
+ pemFilename);
+ if (rc == 0) {
+ pemFile = fopen(pemFilename, "w"); /* close @1 */
+ if (pemFile == NULL) {
+ printf("convertX509ToPem: Cannot open PEM file %s\n", pemFilename);
+ rc = TSS_RC_FILE_OPEN;
+ }
+ }
+ if (rc == 0) {
+ irc = PEM_write_X509(pemFile, x509);
+ if (irc == 0) {
+ printf("convertX509ToPem: Unable to write PEM file %s\n", pemFilename);
+ rc = TSS_RC_FILE_WRITE;
+ }
+ }
+ if (pemFile != NULL) {
+ fclose(pemFile); /* @1 */
+ }
+ return rc;
+}
+
+#endif
+
+/* convertX509ToPemMem() converts an OpenSSL X509 structure to PEM format in memory */
+
+TPM_RC convertX509ToPemMem(char **pemString, /* freed by caller */
+ X509 *x509)
+{
+ TPM_RC rc = 0; /* general return code */
+ int irc;
+ char *data = NULL;
+ long length;
+
+ /* create a BIO that uses an in-memory buffer */
+ BIO *bio = NULL;
+ if (rc == 0) {
+ bio = BIO_new(BIO_s_mem()); /* freed @1 */
+ if (bio == NULL) {
+ printf("convertX509ToPemMem: BIO_new failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ /* convert X509 to PEM and write the PEM to memory */
+ if (rc == 0) {
+ irc = PEM_write_bio_X509(bio, x509);
+ if (irc != 1) {
+ printf("convertX509ToPemMem: PEM_write_bio_X509 failed\n");
+ rc = TSS_RC_FILE_WRITE;
+ }
+ }
+ if (rc == 0) {
+ length = BIO_get_mem_data(bio, &data);
+ *pemString = malloc(length+1);
+ if (*pemString == NULL) {
+ printf("ERROR: convertX509ToPemMem: Cannot malloc %lu\n", length);
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ else {
+ (*pemString)[length] = '\0';
+ }
+ }
+ if (rc == 0) {
+ irc = BIO_read(bio, *pemString, length);
+ if (irc <= 0) {
+ printf("ERROR: convertX509ToPemMem: BIO_read failed\n");
+ rc = TSS_RC_FILE_READ;
+ }
+ }
+ if (bio != NULL) {
+ BIO_free(bio); /* @1 */
+ }
+ return rc;
+}
+
+/* convertX509ToString() converts an OpenSSL X509 structure to a human readable string */
+
+TPM_RC convertX509ToString(char **x509String, /* freed by caller */
+ X509 *x509)
+{
+ TPM_RC rc = 0;
+ int irc;
+ char *data = NULL;
+ long length;
+
+ /* create a BIO that uses an in-memory buffer */
+ BIO *bio = NULL;
+ if (rc == 0) {
+ bio = BIO_new(BIO_s_mem()); /* freed @1 */
+ if (bio == NULL) {
+ printf("convertX509ToString: BIO_new failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ /* write the string to memory */
+ if (rc == 0) {
+ irc = X509_print(bio, x509);
+ if (irc != 1) {
+ printf("convertX509ToString X509_print failed\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ length = BIO_get_mem_data(bio, &data);
+ *x509String = malloc(length+1);
+ if (*x509String == NULL) {
+ printf("convertX509ToString: Cannot malloc %lu\n", length);
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ else {
+ (*x509String)[length] = '\0';
+ }
+ }
+ if (rc == 0) {
+ irc = BIO_read(bio, *x509String, length);
+ if (irc <= 0) {
+ printf("convertX509ToString BIO_read failed\n");
+ rc = TSS_RC_FILE_READ;
+ }
+ }
+ if (bio != NULL) {
+ BIO_free(bio); /* @1 */
+ }
+ return rc;
+}
+
+/*
+ Certificate Creation
+*/
+
+/* These are the names inserted into the certificates. If changed, the entries also change. At run
+ time, the mapping from key to nid is done once and used repeatedly. */
+
+CertificateName certificateName[] = {
+ { "countryName", NID_undef}, /* 0 */
+ { "stateOrProvinceName", NID_undef}, /* 1 */
+ { "localityName", NID_undef}, /* 2 */
+ { "organizationName", NID_undef}, /* 3 */
+ { "organizationalUnitName", NID_undef}, /* 4 */
+ { "commonName", NID_undef}, /* 5 */
+ { "emailAddress", NID_undef}, /* 6 */
+};
+
+TPM_RC calculateNid(void)
+{
+ TPM_RC rc = 0;
+ size_t i;
+
+ for (i=0 ; (i < sizeof(certificateName)/sizeof(CertificateName)) && (rc == 0) ; i++) {
+ certificateName[i].nid = OBJ_txt2nid(certificateName[i].key); /* look up the NID for the
+ field */
+ if (certificateName[i].nid == NID_undef) {
+ printf("calculateNid: Error finding nid for %s\n", certificateName[i].key);
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ return rc;
+}
+
+/* createCertificate() constructs a certificate from the issuer and subject. The public key to be
+ certified is tpmtPublic.
+
+ It signs the certificate using the CA key in caKeyFileName protected by the password
+ caKeyPassword. The CA signing key algorithm caKeyAlg is RSA or ECC.
+
+ The certificate is returned as a DER encoded array 'certificate', a PEM string, and a formatted
+ string.
+
+*/
+
+TPM_RC createCertificate(char **x509CertString, /* freed by caller */
+ char **pemCertString, /* freed by caller */
+ uint32_t *certLength, /* output, certificate length */
+ unsigned char **certificate, /* output, freed by caller */
+ TPMT_PUBLIC *tpmtPublic, /* key to be certified */
+ const char *caKeyFileName,
+ size_t issuerEntriesSize,
+ char **issuerEntries,
+ size_t subjectEntriesSize,
+ char **subjectEntries,
+ const char *caKeyPassword)
+{
+ TPM_RC rc = 0;
+ X509 *x509Certificate = NULL;
+ uint16_t publicKeyLength;
+ const unsigned char *publicKey = NULL;
+
+ /* allocate memory for the X509 structure */
+ if (rc == 0) {
+ x509Certificate = X509_new(); /* freed @2 */
+ if (x509Certificate == NULL) {
+ printf("createCertificate: Error in X509_new\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ /* hash unique field to create serial number */
+ if (rc == 0) {
+ if (tpmtPublic->type == TPM_ALG_RSA) {
+ publicKeyLength = tpmtPublic->unique.rsa.t.size;
+ publicKey = tpmtPublic->unique.rsa.t.buffer;
+ }
+ else if (tpmtPublic->type == TPM_ALG_ECC) {
+ publicKeyLength = tpmtPublic->unique.ecc.x.t.size;
+ publicKey = tpmtPublic->unique.ecc.x.t.buffer;
+ }
+ else {
+ printf("createCertificate: public key algorithm %04x not supported\n",
+ tpmtPublic->type);
+ rc = TSS_RC_BAD_SIGNATURE_ALGORITHM;
+ }
+ }
+ /* fill in basic X509 information - version, serial, validity, issuer, subject */
+ if (rc == 0) {
+ rc = startCertificate(x509Certificate,
+ publicKeyLength, publicKey,
+ issuerEntriesSize, issuerEntries,
+ subjectEntriesSize, subjectEntries);
+ }
+ /* If the EK has the decrypt attribute set, the keyEncipherment bit MUST be set for an RSA EK
+ certificate; the keyAgreement bit MUST be set for an ECC EK certificate. */
+ if (rc == 0) {
+ if (tpmtPublic->type == TPM_ALG_RSA) {
+ rc = addCertExtension(x509Certificate, NID_key_usage, "critical,keyEncipherment");
+ }
+ if (tpmtPublic->type == TPM_ALG_ECC) {
+ rc = addCertExtension(x509Certificate, NID_key_usage, "critical,keyAgreement");
+ }
+ }
+ /* add the TPM public key to be certified */
+ if (rc == 0) {
+ switch (tpmtPublic->type) {
+#ifndef TPM_TSS_NORSA
+ case TPM_ALG_RSA:
+ rc = addCertKeyRsa(x509Certificate, &tpmtPublic->unique.rsa);
+ break;
+#endif /* TPM_TSS_NORSA */
+#ifndef TPM_TSS_NOECC
+ case TPM_ALG_ECC:
+ rc = addCertKeyEcc(x509Certificate, &tpmtPublic->unique.ecc);
+ break;
+#endif /* TPM_TSS_NOECC */
+ default:
+ printf("createCertificate: public key algorithm %04x not supported\n",
+ tpmtPublic->type);
+ rc = TSS_RC_BAD_SIGNATURE_ALGORITHM;
+ }
+ }
+ /* sign the certificate with the root CA key */
+ if (rc == 0) {
+ rc = addCertSignatureRoot(x509Certificate, caKeyFileName, caKeyPassword);
+ }
+ if (rc == 0) {
+ rc = convertX509ToDer(certLength, certificate, /* freed by caller */
+ x509Certificate); /* in */
+ }
+ if (rc == 0) {
+ rc = convertX509ToPemMem(pemCertString, /* freed by caller */
+ x509Certificate);
+ }
+ if (rc == 0) {
+ rc = convertX509ToString(x509CertString, /* freed by caller */
+ x509Certificate);
+ }
+ X509_free(x509Certificate); /* @2 */
+ return rc;
+}
+
+/* Certificate duration period is hard coded to 20 years */
+
+#define CERT_DURATION (60 * 60 * 24 * ((365 * 20) + 2)) /* +2 for leap years */
+
+/* startCertificate() fills in basic X509 information, such as:
+ version
+ serial number
+ issuer
+ validity
+ subject
+*/
+
+TPM_RC startCertificate(X509 *x509Certificate, /* X509 certificate to be generated */
+ uint16_t keyLength,
+ const unsigned char *keyBuffer, /* key to be certified */
+ size_t issuerEntriesSize,
+ char **issuerEntries, /* certificate issuer */
+ size_t subjectEntriesSize,
+ char **subjectEntries) /* certificate subject */
+{
+ TPM_RC rc = 0; /* general return code */
+ int irc; /* integer return code */
+ ASN1_TIME *arc; /* return code */
+ ASN1_INTEGER *x509Serial; /* certificate serial number in ASN1 */
+ BIGNUM *x509SerialBN; /* certificate serial number as a BIGNUM */
+ unsigned char x509Serialbin[SHA1_DIGEST_SIZE]; /* certificate serial number in binary */
+ X509_NAME *x509IssuerName; /* composite issuer name, key/value pairs */
+ X509_NAME *x509SubjectName; /* composite subject name, key/value pairs */
+
+ x509IssuerName = NULL; /* freed @1 */
+ x509SubjectName = NULL; /* freed @2 */
+ x509SerialBN = NULL; /* freed @3 */
+
+ /* add certificate version X509 v3 */
+ if (rc == 0) {
+ irc = X509_set_version(x509Certificate, 2L); /* value 2 == v3 */
+ if (irc != 1) {
+ printf("startCertificate: Error in X509_set_version\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /*
+ add certificate serial number
+ */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("startCertificate: Adding certificate serial number\n");
+ /* to create a unique serial number, hash the key to be certified */
+ SHA1(keyBuffer, keyLength, x509Serialbin);
+ /* convert the SHA1 digest to a BIGNUM */
+ x509SerialBN = BN_bin2bn(x509Serialbin, SHA1_DIGEST_SIZE, x509SerialBN);
+ if (x509SerialBN == NULL) {
+ printf("startCertificate: Error in serial number BN_bin2bn\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ /* get the serial number structure member, can't fail */
+ x509Serial = X509_get_serialNumber(x509Certificate);
+ /* convert the BIGNUM to ASN1 and add to X509 certificate */
+ x509Serial = BN_to_ASN1_INTEGER(x509SerialBN, x509Serial);
+ if (x509Serial == NULL) {
+ printf("startCertificate: Error setting certificate serial number\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* add issuer */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("startCertificate: Adding certificate issuer\n");
+ rc = createX509Name(&x509IssuerName,
+ issuerEntriesSize,
+ issuerEntries);
+ }
+ if (rc == 0) {
+ irc = X509_set_issuer_name(x509Certificate, x509IssuerName);
+ if (irc != 1) {
+ printf("startCertificate: Error setting certificate issuer\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* add validity */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("startCertificate: Adding certificate validity\n");
+ }
+ if (rc == 0) {
+ /* can't fail, just returns a structure member */
+ ASN1_TIME *notBefore = X509_get_notBefore(x509Certificate);
+ arc = X509_gmtime_adj(notBefore ,0L); /* set to today */
+ if (arc == NULL) {
+ printf("startCertificate: Error setting notBefore time\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ /* can't fail, just returns a structure member */
+ ASN1_TIME *notAfter = X509_get_notAfter(x509Certificate);
+ arc = X509_gmtime_adj(notAfter, CERT_DURATION); /* set to duration */
+ if (arc == NULL) {
+ printf("startCertificate: Error setting notAfter time\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* add subject */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("startCertificate: Adding certificate subject\n");
+ rc = createX509Name(&x509SubjectName,
+ subjectEntriesSize,
+ subjectEntries);
+ }
+ if (rc == 0) {
+ irc = X509_set_subject_name(x509Certificate, x509SubjectName);
+ if (irc != 1) {
+ printf("startCertificate: Error setting certificate subject\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* cleanup */
+ X509_NAME_free(x509IssuerName); /* @1 */
+ X509_NAME_free(x509SubjectName); /* @2 */
+ BN_free(x509SerialBN); /* @3 */
+ return rc;
+}
+
+/* createX509Name() create an X509 name (issuer or subject) from a pointer to issuer or subject
+ entries
+
+*/
+
+TPM_RC createX509Name(X509_NAME **x509Name,
+ size_t entriesSize,
+ char **entries)
+{
+ TPM_RC rc = 0; /* general return code */
+ int irc; /* integer return code */
+ size_t i;
+ X509_NAME_ENTRY *nameEntry; /* single field of the name */
+
+ nameEntry = NULL;
+
+ /* Precalculate the openssl nids, into global table */
+ if (rc == 0) {
+ rc = calculateNid();
+ }
+ if (rc == 0) {
+ *x509Name = X509_NAME_new();
+ if (*x509Name == NULL) {
+ printf("createX509Name: Error in X509_NAME_new()\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ for (i=0 ; (i < entriesSize) && (rc == 0) ; i++) {
+ if ((rc == 0) && (entries[i] != NULL)) {
+ nameEntry =
+ X509_NAME_ENTRY_create_by_NID(NULL, /* caller creates object */
+ certificateName[i].nid,
+ MBSTRING_ASC, /* character encoding */
+ (unsigned char *)entries[i], /* to add */
+ -1); /* length, -1 is C string */
+
+ if (nameEntry == NULL) {
+ printf("createX509Name: Error creating entry for %s\n",
+ certificateName[i].key);
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if ((rc == 0) && (entries[i] != NULL)) {
+ irc = X509_NAME_add_entry(*x509Name, /* add to issuer */
+ nameEntry, /* add the entry */
+ -1, /* location - append */
+ 0); /* set - not multivalued */
+ if (irc != 1) {
+ printf("createX509Name: Error adding entry for %s\n",
+ certificateName[i].key);
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ X509_NAME_ENTRY_free(nameEntry); /* callee checks for NULL */
+ nameEntry = NULL;
+ }
+ return rc;
+}
+
+/* addCertExtension() adds the extension type 'nid' to the X509 certificate
+
+ */
+
+TPM_RC addCertExtension(X509 *x509Certificate, int nid, const char *value)
+{
+ TPM_RC rc = 0;
+ X509_EXTENSION *extension = NULL; /* freed @1 */
+
+ if (rc == 0) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ /* the cast is required for the older openssl 1.0 API */
+ extension = X509V3_EXT_conf_nid(NULL, NULL, /* freed @1 */
+ nid, (char *)value);
+#else
+ extension = X509V3_EXT_conf_nid(NULL, NULL, /* freed @1 */
+ nid, value);
+#endif
+ if (extension == NULL) {
+ printf("addCertExtension: Error creating nid %i extension %s\n",
+ nid, value);
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ if (rc == 0) {
+ int irc = X509_add_ext(x509Certificate, /* the certificate */
+ extension, /* the extension to add */
+ -1); /* location - append */
+ if (irc != 1) {
+ printf("addCertExtension: Error adding nid %i extension %s\n",
+ nid, value);
+ }
+ }
+ if (extension != NULL) {
+ X509_EXTENSION_free(extension); /* @1 */
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NORSA
+
+/* addCertKeyRsa() adds the TPM RSA public key (the key to be certified) to the openssl X509
+ certificate
+
+*/
+
+TPM_RC addCertKeyRsa(X509 *x509Certificate,
+ const TPM2B_PUBLIC_KEY_RSA *tpm2bRsa) /* key to be certified */
+{
+ TPM_RC rc = 0; /* general return code */
+ int irc; /* integer return code */
+ EVP_PKEY *evpPubkey = NULL; /* EVP format public key to be certified */
+
+ if (tssUtilsVerbose) printf("addCertKeyRsa: add public key to certificate\n");
+ /* convert from TPM key data format to openSSL RSA type */
+ if (rc == 0) {
+ rc = convertRsaPublicToEvpPubKey(&evpPubkey, /* freed @1 */
+ tpm2bRsa);
+ }
+ /* add the public key to the certificate */
+ if (rc == 0) {
+ irc = X509_set_pubkey(x509Certificate, evpPubkey);
+ if (irc != 1) {
+ printf("addCertKeyRsa: Error adding public key to certificate\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* cleanup */
+ if (evpPubkey != NULL) {
+ EVP_PKEY_free(evpPubkey); /* @1 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NORSA */
+
+#ifndef TPM_TSS_NOECC
+
+/* addCertKeyEcc() adds the TPM ECC public key (the key to be certified) to the openssl X509
+ certificate
+
+*/
+
+TPM_RC addCertKeyEcc(X509 *x509Certificate,
+ const TPMS_ECC_POINT *tpmsEccPoint)
+{
+ TPM_RC rc = 0; /* general return code */
+ int irc;
+ EVP_PKEY *evpPubkey = NULL; /* EVP format public key to be certified */
+
+ /* convert EC TPMS_ECC_POINT to an EVP_PKEY */
+ if (rc == 0) {
+ rc = convertEcPublicToEvpPubKey(&evpPubkey, /* freed @1 */
+ tpmsEccPoint);
+ }
+ /* add the public key to the certificate */
+ if (rc == 0) {
+ irc = X509_set_pubkey(x509Certificate, evpPubkey);
+ if (irc != 1) {
+ printf("addCertKeyEcc: Error adding public key to certificate\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* cleanup */
+ if (evpPubkey != NULL) {
+ EVP_PKEY_free(evpPubkey); /* @1 */
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+/* addCertSignatureRoot() uses the openSSL root key to sign the X509 certificate.
+
+ As a sanity check, it verifies the certificate.
+*/
+
+TPM_RC addCertSignatureRoot(X509 *x509Certificate, /* certificate to be signed */
+ const char *caKeyFileName, /* openSSL root CA key password */
+ const char *caKeyPassword)
+{
+ TPM_RC rc = 0; /* general return code */
+ int irc; /* integer return code */
+ FILE *fp = NULL;
+ /* signing key */
+ const EVP_MD *digest = NULL; /* signature digest algorithm */
+ EVP_PKEY *evpSignkey; /* EVP format */
+
+ evpSignkey = NULL; /* freed @1 */
+
+ /* open the CA signing key file */
+ if (rc == 0) {
+ fp = fopen(caKeyFileName,"r");
+ if (fp == NULL) {
+ printf("addCertSignatureRoot: Error, Cannot open %s\n", caKeyFileName);
+ rc = TSS_RC_FILE_OPEN;
+ }
+ }
+ /* convert the CA signing key from PEM to EVP_PKEY format */
+ if (rc == 0) {
+ evpSignkey = PEM_read_PrivateKey(fp, NULL, NULL, (void *)caKeyPassword);
+ if (evpSignkey == NULL) {
+ printf("addCertSignatureRoot: Error calling PEM_read_PrivateKey() from %s\n",
+ caKeyFileName);
+ rc = TSS_RC_FILE_READ;
+ }
+ }
+ /* close the CA signing key file */
+ if (fp != NULL) {
+ fclose(fp);
+ }
+ /* set the certificate signature digest algorithm */
+ if (rc == 0) {
+ digest = EVP_sha256(); /* no error return */
+ }
+ /* sign the certificate with the root CA signing key */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("addCertSignatureRoot: Signing the certificate\n");
+ irc = X509_sign(x509Certificate, evpSignkey, digest);
+ if (irc == 0) { /* returns signature size, 0 on error */
+ printf("addCertSignature: Error signing certificate\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* verify the signature */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("addCertSignatureRoot: Verifying the certificate\n");
+ irc = X509_verify(x509Certificate, evpSignkey);
+ if (irc != 1) {
+ printf("addCertSignatureRoot: Error verifying certificate\n");
+ rc = TSS_RC_X509_ERROR;
+ }
+ }
+ /* cleanup */
+ if (evpSignkey != NULL) {
+ EVP_PKEY_free(evpSignkey); /* @1 */
+ }
+ return rc;
+}
+
+#ifdef TPM_TPM20
+
+/* processRoot() validates the certificate at ekCertIndex against the root CA certificates at
+ rootFilename.
+ */
+
+#ifndef TPM_TSS_NOFILE
+
+TPM_RC processRoot(TSS_CONTEXT *tssContext,
+ TPMI_RH_NV_INDEX ekCertIndex,
+ const char *rootFilename[],
+ unsigned int rootFileCount,
+ int print)
+{
+ TPM_RC rc = 0;
+ void *ekCertificate = NULL; /* freed @1 */
+
+ /* read the EK X509 certificate from NV */
+ if (rc == 0) {
+ rc = getIndexX509Certificate(tssContext,
+ &ekCertificate, /* freed @1 */
+ ekCertIndex);
+ if (rc != 0) {
+ printf("processRoot: No EK certificate\n");
+ }
+ }
+ if (rc == 0) {
+ rc = verifyCertificate(ekCertificate,
+ rootFilename,
+ rootFileCount,
+ print);
+ if (rc != 0) {
+ printf("processRoot: EK certificate did not verify\n");
+ }
+ }
+ if (ekCertificate != NULL) {
+ X509_free(ekCertificate); /* @1 */
+ }
+ return rc;
+}
+
+#endif
+
+/* processCreatePrimary() combines the EK nonce and EK template from NV to form the
+ createprimary input. It creates the primary key.
+
+ ekCertIndex determines whether an RSA or ECC key is created.
+
+ If nonce is NULL, the default IWG templates are used. If nonce is non-NULL, the nonce and
+ tpmtPublicIn are used.
+
+ After returning the TPMT_PUBLIC, flushes the primary key unless noFlush is TRUE. If noFlush is
+ FALSE, returns the loaded handle, else returns TPM_RH_NULL.
+*/
+
+TPM_RC processCreatePrimary(TSS_CONTEXT *tssContext,
+ TPM_HANDLE *keyHandle, /* primary key handle */
+ TPMI_RH_NV_INDEX ekCertIndex,
+ unsigned char *nonce,
+ uint16_t nonceSize,
+ TPMT_PUBLIC *tpmtPublicIn, /* template */
+ TPMT_PUBLIC *tpmtPublicOut, /* primary key */
+ unsigned int noFlush, /* TRUE - don't flush the primary key */
+ int print)
+{
+ TPM_RC rc = 0;
+ CreatePrimary_In inCreatePrimary;
+ CreatePrimary_Out outCreatePrimary;
+
+ /* sanity check nonce size (should never happen on HW TPM) */
+ if ((rc == 0) && (nonce != NULL)) {
+ if (ekCertIndex == EK_CERT_RSA_INDEX) { /* RSA primary key */
+ if (nonceSize > 256) {
+ printf("processCreatePrimary: RSA NV nonce size %u > 256\n", nonceSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ else { /* EC primary key */
+ if (nonceSize > 32) {
+ printf("processCreatePrimary: EC NV nonce size %u > 32\n", nonceSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ /* set up the createprimary in parameters */
+ if (rc == 0) {
+ inCreatePrimary.primaryHandle = TPM_RH_ENDORSEMENT;
+ inCreatePrimary.inSensitive.sensitive.userAuth.t.size = 0;
+ inCreatePrimary.inSensitive.sensitive.data.t.size = 0;
+ /* creation data */
+ inCreatePrimary.outsideInfo.t.size = 0;
+ inCreatePrimary.creationPCR.count = 0;
+ }
+ /* construct the template from the NV template and nonce */
+ if ((rc == 0) && (nonce != NULL)) {
+ inCreatePrimary.inPublic.publicArea = *tpmtPublicIn;
+ if (ekCertIndex == EK_CERT_RSA_INDEX) { /* RSA primary key */
+ /* unique field is 256 bytes */
+ inCreatePrimary.inPublic.publicArea.unique.rsa.t.size = 256;
+ /* first part is nonce */
+ memcpy(inCreatePrimary.inPublic.publicArea.unique.rsa.t.buffer, nonce, nonceSize);
+ /* padded with zeros */
+ memset(inCreatePrimary.inPublic.publicArea.unique.rsa.t.buffer + nonceSize, 0,
+ 256 - nonceSize);
+ }
+ else { /* EC primary key */
+ /* unique field is X and Y points */
+ /* X gets nonce and pad */
+ inCreatePrimary.inPublic.publicArea.unique.ecc.x.t.size = 32;
+ memcpy(inCreatePrimary.inPublic.publicArea.unique.ecc.x.t.buffer, nonce, nonceSize);
+ memset(inCreatePrimary.inPublic.publicArea.unique.ecc.x.t.buffer + nonceSize, 0,
+ 32 - nonceSize);
+ /* Y gets zeros */
+ inCreatePrimary.inPublic.publicArea.unique.ecc.y.t.size = 32;
+ memset(inCreatePrimary.inPublic.publicArea.unique.ecc.y.t.buffer, 0, 32);
+ }
+ }
+ /* construct the template from the default IWG template */
+ if ((rc == 0) && (nonce == NULL)) {
+ if (ekCertIndex == EK_CERT_RSA_INDEX) { /* RSA primary key */
+ getRsaTemplate(&inCreatePrimary.inPublic.publicArea);
+ }
+ else { /* EC primary key */
+ getEccTemplate(&inCreatePrimary.inPublic.publicArea);
+ }
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&outCreatePrimary,
+ (COMMAND_PARAMETERS *)&inCreatePrimary,
+ NULL,
+ TPM_CC_CreatePrimary,
+ TPM_RS_PW, NULL, 0,
+ TPM_RH_NULL, NULL, 0);
+ if (rc != 0) {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("createprimary: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ }
+ }
+ /* return the primary key */
+ if (rc == 0) {
+ *tpmtPublicOut = outCreatePrimary.outPublic.publicArea;
+ }
+ /* flush the primary key */
+ if (rc == 0) {
+ if (!noFlush) { /* flush the primary key */
+ FlushContext_In inFlushContext;
+ *keyHandle = TPM_RH_NULL;
+ inFlushContext.flushHandle = outCreatePrimary.objectHandle;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&inFlushContext,
+ NULL,
+ TPM_CC_FlushContext,
+ TPM_RH_NULL, NULL, 0);
+ if (rc != 0) {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("flushcontext: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ }
+ }
+ else { /* not flushed, return the handle */
+ *keyHandle = outCreatePrimary.objectHandle;
+ }
+ }
+ /* trace the public key */
+ if (rc == 0) {
+ if (ekCertIndex == EK_CERT_RSA_INDEX) {
+ if (print) TSS_PrintAll("createprimary: RSA public key",
+ outCreatePrimary.outPublic.publicArea.unique.rsa.t.buffer,
+ outCreatePrimary.outPublic.publicArea.unique.rsa.t.size);
+ }
+ else {
+ if (print) TSS_PrintAll("createprimary: ECC public key x",
+ outCreatePrimary.outPublic.publicArea.unique.ecc.x.t.buffer,
+ outCreatePrimary.outPublic.publicArea.unique.ecc.x.t.size);
+ if (print) TSS_PrintAll("createprimary: ECC public key y",
+ outCreatePrimary.outPublic.publicArea.unique.ecc.y.t.buffer,
+ outCreatePrimary.outPublic.publicArea.unique.ecc.y.t.size);
+ }
+ }
+ return rc;
+}
+
+/* processValidatePrimary() compares the public key in the EK certificate to the public key output
+ of createprimary. */
+
+TPM_RC processValidatePrimary(uint8_t *publicKeyBin, /* from certificate */
+ int publicKeyBytes,
+ TPMT_PUBLIC *tpmtPublic, /* primary key */
+ TPMI_RH_NV_INDEX ekCertIndex,
+ int print)
+{
+ TPM_RC rc = 0;
+
+ print = print;
+ /* compare the X509 certificate public key to the createprimary public key */
+ switch (ekCertIndex) {
+#ifndef TPM_TSS_NORSA
+ case EK_CERT_RSA_INDEX:
+ {
+ int irc;
+ /* RSA just has a public modulus */
+ if (rc == 0) {
+ if (tpmtPublic->unique.rsa.t.size != publicKeyBytes) {
+ printf("processValidatePrimary: "
+ "X509 certificate key length %u does not match output of createprimary %u\n",
+ publicKeyBytes,
+ tpmtPublic->unique.rsa.t.size);
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ if (rc == 0) {
+ irc = memcmp(publicKeyBin,
+ tpmtPublic->unique.rsa.t.buffer,
+ publicKeyBytes);
+ if (irc != 0) {
+ printf("processValidatePrimary: "
+ "Public key from X509 certificate does not match output of createprimary\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ }
+ break;
+#endif /* TPM_TSS_NORSA */
+#ifndef TPM_TSS_NOECC
+ case EK_CERT_EC_INDEX:
+ {
+ int irc;
+ /* ECC has X and Y points */
+ /* compression algorithm is the extra byte at the beginning of the certificate */
+ if (rc == 0) {
+ if (tpmtPublic->unique.ecc.x.t.size +
+ tpmtPublic->unique.ecc.y.t.size + 1
+ != publicKeyBytes) {
+ printf("processValidatePrimary: "
+ "X509 certificate key length %u does not match "
+ "output of createprimary x %u +y %u\n",
+ publicKeyBytes,
+ tpmtPublic->unique.ecc.x.t.size,
+ tpmtPublic->unique.ecc.y.t.size);
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ /* check X */
+ if (rc == 0) {
+ irc = memcmp(publicKeyBin +1,
+ tpmtPublic->unique.ecc.x.t.buffer,
+ tpmtPublic->unique.ecc.x.t.size);
+ if (irc != 0) {
+ printf("processValidatePrimary: "
+ "Public key X from X509 certificate does not match "
+ "output of createprimary\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ /* check Y */
+ if (rc == 0) {
+ irc = memcmp(publicKeyBin + 1 + tpmtPublic->unique.ecc.x.t.size,
+ tpmtPublic->unique.ecc.y.t.buffer,
+ tpmtPublic->unique.ecc.y.t.size);
+ if (irc != 0) {
+ printf("processValidatePrimary: "
+ "Public key Y from X509 certificate does not match "
+ "output of createprimary\n");
+ rc = TPM_RC_INTEGRITY;
+ }
+ }
+ }
+ break;
+#endif /* TPM_TSS_NOECC */
+ default:
+ printf("processValidatePrimary: "
+ "ekCertIndex %08x (asymmetric algorithm) not supported\n", ekCertIndex);
+ rc = TPM_RC_INTEGRITY;
+ break;
+ }
+ if (rc == 0) {
+ if (print) printf("processValidatePrimary: "
+ "Public key from X509 certificate matches output of createprimary\n");
+ }
+ return rc;
+}
+
+/* processPrimary() reads the EK nonce and EK template from NV. It combines them to form the
+ createprimary input. It creates the primary key.
+
+ It reads the EK certificate from NV. It extracts the public key.
+
+ Finally, it compares the public key in the certificate to the public key output of createprimary.
+*/
+
+TPM_RC processPrimary(TSS_CONTEXT *tssContext,
+ TPM_HANDLE *keyHandle, /* primary key handle */
+ TPMI_RH_NV_INDEX ekCertIndex,
+ TPMI_RH_NV_INDEX ekNonceIndex,
+ TPMI_RH_NV_INDEX ekTemplateIndex,
+ unsigned int noFlush, /* TRUE - don't flush the primary key */
+ int print)
+{
+ TPM_RC rc = 0;
+ void *ekCertificate = NULL;
+ unsigned char *nonce = NULL;
+ uint16_t nonceSize;
+ TPMT_PUBLIC tpmtPublicIn; /* template */
+ TPMT_PUBLIC tpmtPublicOut; /* primary key */
+ uint8_t *publicKeyBin = NULL; /* from certificate */
+ int publicKeyBytes;
+ int validate = FALSE; /* validate the certificate */
+
+ /* get the EK nonce */
+ if (rc == 0) {
+ rc = processEKNonce(tssContext, &nonce, &nonceSize, ekNonceIndex, print); /* freed @1 */
+ if ((rc & 0xff) == TPM_RC_HANDLE) {
+ if (print) printf("processPrimary: EK nonce not found, use default template\n");
+ rc = 0;
+ }
+ }
+ if (rc == 0) {
+ /* if the nonce was found, get the EK template */
+ if (nonce != NULL) {
+ rc = processEKTemplate(tssContext, &tpmtPublicIn, ekTemplateIndex, print);
+ }
+ }
+ /* create the primary key */
+ if (rc == 0) {
+ rc = processCreatePrimary(tssContext,
+ keyHandle,
+ ekCertIndex,
+ nonce, nonceSize, /* EK nonce, can be NULL */
+ &tpmtPublicIn, /* template */
+ &tpmtPublicOut, /* primary key */
+ noFlush,
+ print);
+ }
+ /* validate against the certificate if the algorithm is compiled in */
+ if (rc == 0) {
+#ifndef TPM_TSS_NORSA
+ if (ekCertIndex == EK_CERT_RSA_INDEX) {
+ validate = TRUE;
+ }
+#endif /* TPM_TSS_NORSA */
+#ifndef TPM_TSS_NOECC
+ if (ekCertIndex == EK_CERT_EC_INDEX) {
+ validate = TRUE;
+ }
+#endif /* TPM_TSS_NOECC */
+ }
+ /* get the EK certificate */
+ if ((rc == 0) && validate) {
+ rc = processEKCertificate(tssContext,
+ &ekCertificate, /* freed @2 */
+ &publicKeyBin, &publicKeyBytes, /* freed @3 */
+ ekCertIndex,
+ print);
+ }
+ /* compare the public key in the EK certificate to the public key output */
+ if ((rc == 0) && validate) {
+ rc = processValidatePrimary(publicKeyBin, /* certificate */
+ publicKeyBytes,
+ &tpmtPublicOut, /* primary key */
+ ekCertIndex,
+ print);
+ }
+ if ((rc == 0) && validate) {
+ if (print) printf("Public key from X509 certificate matches output of createprimary\n");
+ }
+ free(nonce); /* @1 */
+ if (ekCertificate != NULL) {
+ X509_free(ekCertificate); /* @2 */
+ }
+ free(publicKeyBin); /* @3 */
+ return rc;
+}
+
+#endif /* TPM20 */
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/ekutils.h b/libstb/tss2/ibmtpm20tss/utils/ekutils.h
new file mode 100644
index 0000000..bffde53
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ekutils.h
@@ -0,0 +1,258 @@
+/********************************************************************************/
+/* */
+/* IWG EK Index Parsing Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef EKUTILS_H
+#define EKUTILS_H
+
+/* Windows 10 crypto API clashes with openssl */
+#ifdef TPM_WINDOWS
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#endif
+
+#ifndef TPM_TSS_NO_OPENSSL
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/bn.h>
+#endif /* TPM_TSS_NO_OPENSSL */
+
+#include <ibmtss/tss.h>
+
+/* legacy TCG IWG NV indexes */
+
+#define EK_CERT_RSA_INDEX 0x01c00002
+#define EK_NONCE_RSA_INDEX 0x01c00003
+#define EK_TEMPLATE_RSA_INDEX 0x01c00004
+
+#define EK_CERT_EC_INDEX 0x01c0000a
+#define EK_NONCE_EC_INDEX 0x01c0000b
+#define EK_TEMPLATE_EC_INDEX 0x01c0000c
+
+#define MAX_ROOTS 100 /* 100 should be more than enough */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ /*
+ crypto library independent functions
+ */
+
+ TPM_RC readNvBufferMax(TSS_CONTEXT *tssContext,
+ uint32_t *nvBufferMax);
+ TPM_RC getIndexSize(TSS_CONTEXT *tssContext,
+ uint16_t *dataSize,
+ TPMI_RH_NV_INDEX nvIndex);
+ TPM_RC getIndexData(TSS_CONTEXT *tssContext,
+ unsigned char **buffer,
+ TPMI_RH_NV_INDEX nvIndex,
+ uint16_t dataSize);
+ TPM_RC getIndexContents(TSS_CONTEXT *tssContext,
+ unsigned char **buffer,
+ uint16_t *bufferSize,
+ TPMI_RH_NV_INDEX nvIndex);
+ void getRsaTemplate(TPMT_PUBLIC *tpmtPublic);
+ void getEccTemplate(TPMT_PUBLIC *tpmtPublic);
+ TPM_RC getRootCertificateFilenames(char *rootFilename[],
+ unsigned int *rootFileCount,
+ const char *listFilename,
+ int print);
+ TPM_RC processEKNonce(TSS_CONTEXT *tssContext,
+ unsigned char **nonce,
+ uint16_t *nonceSize,
+ TPMI_RH_NV_INDEX ekNonceIndex,
+ int print);
+ TPM_RC processEKTemplate(TSS_CONTEXT *tssContext,
+ TPMT_PUBLIC *tpmtPublic,
+ TPMI_RH_NV_INDEX ekTemplateIndex,
+ int print);
+ TPM_RC convertDerToX509(void **x509Certificate,
+ uint16_t readLength,
+ const unsigned char *readBuffer);
+ TPM_RC convertX509PemToDer(uint32_t *certLength,
+ unsigned char **certificate,
+ const char *pemCertificateFilename);
+ TPM_RC convertX509ToPem(const char *pemFilename,
+ void *x509);
+ void x509FreeStructure(void *x509);
+ void x509PrintStructure(void *x509);
+ TPM_RC processEKCertificate(TSS_CONTEXT *tssContext,
+ void **ekCertificate,
+ uint8_t **modulusBin,
+ int *modulusBytes,
+ TPMI_RH_NV_INDEX ekCertIndex,
+ int print);
+ TPM_RC getIndexX509Certificate(TSS_CONTEXT *tssContext,
+ void **certificate,
+ TPMI_RH_NV_INDEX nvIndex);
+ TPM_RC convertCertificatePubKey(uint8_t **modulusBin,
+ int *modulusBytes,
+ void *ekCertificate,
+ TPMI_RH_NV_INDEX ekCertIndex,
+ int print);
+ TPM_RC createCertificate(char **x509CertString,
+ char **pemCertString,
+ uint32_t *certLength,
+ unsigned char **certificate,
+ TPMT_PUBLIC *tpmtPublic,
+ const char *caKeyFileName,
+ size_t issuerEntriesSize,
+ char **issuerEntries,
+ size_t subjectEntriesSize,
+ char **subjectEntries,
+ const char *caKeyPassword);
+ TPM_RC processRoot(TSS_CONTEXT *tssContext,
+ TPMI_RH_NV_INDEX ekCertIndex,
+ const char *rootFilename[],
+ unsigned int rootFileCount,
+ int print);
+ TPM_RC verifyCertificate(void *x509Certificate,
+ const char *rootFilename[],
+ unsigned int rootFileCount,
+ int print);
+ TPM_RC processCreatePrimary(TSS_CONTEXT *tssContext,
+ TPM_HANDLE *keyHandle,
+ TPMI_RH_NV_INDEX ekCertIndex,
+ unsigned char *nonce,
+ uint16_t nonceSize,
+ TPMT_PUBLIC *tpmtPublicIn,
+ TPMT_PUBLIC *tpmtPublicOut,
+ unsigned int noFlush,
+ int print);
+ TPM_RC processValidatePrimary(uint8_t *publicKeyBin,
+ int publicKeyBytes,
+ TPMT_PUBLIC *tpmtPublic,
+ TPMI_RH_NV_INDEX ekCertIndex,
+ int print);
+ TPM_RC processPrimary(TSS_CONTEXT *tssContext,
+ TPM_HANDLE *keyHandle,
+ TPMI_RH_NV_INDEX ekCertIndex,
+ TPMI_RH_NV_INDEX ekNonceIndex,
+ TPMI_RH_NV_INDEX ekTemplateIndex,
+ unsigned int noFlush,
+ int print);
+
+ /*
+ deprecated OpenSSL specific functions
+ */
+
+#ifndef TPM_TSS_NO_OPENSSL
+
+
+ uint32_t getPubkeyFromDerCertFile(RSA **rsaPkey,
+ X509 **x509,
+ const char *derCertificateFileName);
+ uint32_t getPubKeyFromX509Cert(RSA **rsaPkey,
+ X509 *x509);
+ TPM_RC getCaStore(X509_STORE **caStore,
+ X509 *caCert[],
+ const char *rootFilename[],
+ unsigned int rootFileCount);
+ TPM_RC verifyKeyUsage(X509 *ekX509Certificate,
+ int pkeyType,
+ int print);
+ TPM_RC convertX509ToDer(uint32_t *certLength,
+ unsigned char **certificate,
+ X509 *x509Certificate);
+#ifndef TPM_TSS_NOECC
+ TPM_RC convertX509ToEc(EC_KEY **ecKey,
+ X509 *x509);
+#endif /* TPM_TSS_NOECC */
+ TPM_RC convertX509ToDer(uint32_t *certLength,
+ unsigned char **certificate,
+ X509 *x509Certificate);
+ TPM_RC convertPemToX509(X509 **x509,
+ const char *pemCertificateFilename);
+ TPM_RC convertPemMemToX509(X509 **x509,
+ const char *pemCertificate);
+ TPM_RC convertX509ToPemMem(char **pemString,
+ X509 *x509);
+ TPM_RC convertX509ToString(char **x509String,
+ X509 *x509);
+ TPM_RC convertCertificatePubKey12(uint8_t **modulusBin,
+ int *modulusBytes,
+ X509 *ekCertificate);
+
+ /* certificate key to nid mapping array */
+
+ TPM_RC startCertificate(X509 *x509Certificate,
+ uint16_t keyLength,
+ const unsigned char *keyBuffer,
+ size_t issuerEntriesSize,
+ char **issuerEntries,
+ size_t subjectEntriesSize,
+ char **subjectEntries);
+
+ typedef struct tdCertificateName
+ {
+ const char *key;
+ int nid;
+ } CertificateName;
+
+ TPM_RC calculateNid(void);
+ TPM_RC createX509Name(X509_NAME **x509Name,
+ size_t entriesSize,
+ char **entries);
+ TPM_RC addCertExtension(X509 *x509Certificate, int nid, const char *value);
+ TPM_RC addCertKeyRsa(X509 *x509Certificate,
+ const TPM2B_PUBLIC_KEY_RSA *tpm2bRsa);
+#ifndef TPM_TSS_NOECC
+ TPM_RC addCertKeyEcc(X509 *x509Certificate,
+ const TPMS_ECC_POINT *tpmsEccPoint);
+#endif /* TPM_TSS_NOECC */
+ TPM_RC addCertSignatureRoot(X509 *x509Certificate,
+ const char *caKeyFileName,
+ const char *caKeyPassword);
+ TPM_RC TSS_RSAGetKey(const BIGNUM **n,
+ const BIGNUM **e,
+ const BIGNUM **d,
+ const BIGNUM **p,
+ const BIGNUM **q,
+ const RSA *rsaKey);
+
+ int TSS_Pubkey_GetAlgorithm(EVP_PKEY *pkey);
+
+
+#endif /* TPM_TSS_NO_OPENSSL */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
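Review bot: `convertX509ToDer` is declared twice in the OpenSSL-specific section, once just before the `TPM_TSS_NOECC` block and again immediately after it; a repeated identical prototype is legal C, but it reads as a merge leftover and should be reduced to one `TPM_RC convertX509ToDer(uint32_t *certLength, unsigned char **certificate, X509 *x509Certificate);`. The `deprecated OpenSSL specific functions` heading also does not say what callers should use instead; presumably the crypto-library-independent `void *` wrappers declared above (`convertDerToX509`, `x509FreeStructure`, `x509PrintStructure`), and a one-line comment to that effect would save readers a search. `MAX_ROOTS` has no link to the functions that take a `rootFilename[]` array; a comment such as `/* upper bound on entries getRootCertificateFilenames() fills into rootFilename[] */` would make the contract explicit if that is indeed where it is enforced.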
diff --git a/libstb/tss2/ibmtpm20tss/utils/encryptdecrypt.c b/libstb/tss2/ibmtpm20tss/utils/encryptdecrypt.c
new file mode 100644
index 0000000..cd958a3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/encryptdecrypt.c
@@ -0,0 +1,363 @@
+/********************************************************************************/
+/* */
+/* EncryptDecrypt */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+
+static void printDecrypt(EncryptDecrypt_Out *out);
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ EncryptDecrypt_In in;
+ EncryptDecrypt_Out out;
+ EncryptDecrypt2_In in2;
+ TPMI_DH_OBJECT keyHandle = 0;
+ const char *inFilename = NULL;
+ const char *outFilename = NULL;
+ TPMI_YES_NO decrypt = NO;
+ int two = FALSE;
+ const char *keyPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ uint16_t written;
+ size_t length;
+ uint8_t *buffer = NULL; /* for the free */
+ uint8_t *buffer1 = NULL; /* for marshaling */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&keyHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ inFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-of") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename = argv[i];
+ }
+ else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-d") == 0) {
+ decrypt = YES;
+ }
+ else if (strcmp(argv[i],"-2") == 0) {
+ two = TRUE;
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (keyHandle == 0) {
+ printf("Missing handle parameter -hk\n");
+ printUsage();
+ }
+ if (inFilename == NULL) {
+ printf("Missing encrypted message -if\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ inFilename);
+ }
+ if (rc == 0) {
+ if (length > sizeof(in.inData.t.buffer)) {
+ printf("Input data too long %u\n", (uint32_t)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ if (!two) { /* use TPM_CC_EncryptDecrypt */
+ /* the symmetric key used for the operation */
+ in.keyHandle = keyHandle;
+ /* if YES, then the operation is decryption; if NO, the operation is encryption */
+ in.decrypt = decrypt;
+ /* symmetric mode */
+ in.mode = TPM_ALG_NULL;
+ /* an initial value as required by the algorithm */
+ in.ivIn.t.size = MAX_SYM_BLOCK_SIZE;
+ memset(in.ivIn.t.buffer, 0, MAX_SYM_BLOCK_SIZE);
+ /* the data to be encrypted/decrypted */
+ in.inData.t.size = (uint16_t)length;
+ if (length > 0) { /* if length is 0, buffer is NULL */
+ memcpy(in.inData.t.buffer, buffer, length);
+ }
+ }
+ else {
+ /* the symmetric key used for the operation */
+ in2.keyHandle = keyHandle;
+ /* if YES, then the operation is decryption; if NO, the operation is encryption */
+ in2.decrypt = decrypt;
+ /* symmetric mode */
+ in2.mode = TPM_ALG_NULL;
+ /* an initial value as required by the algorithm */
+ in2.ivIn.t.size = MAX_SYM_BLOCK_SIZE;
+ memset(in2.ivIn.t.buffer, 0, MAX_SYM_BLOCK_SIZE);
+ /* the data to be encrypted/decrypted */
+ in2.inData.t.size = (uint16_t)length;
+ if (length > 0) { /* if length is 0, buffer is NULL */
+ memcpy(in2.inData.t.buffer, buffer, length);
+ }
+ }
+ }
+ free (buffer); /* @1 */
+ buffer = NULL;
+
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ if (!two) { /* use TPM_CC_EncryptDecrypt */
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_EncryptDecrypt,
+ sessionHandle0, keyPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ else { /* use TPM_CC_EncryptDecrypt2 */
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in2,
+ NULL,
+ TPM_CC_EncryptDecrypt2,
+ sessionHandle0, keyPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (outFilename != NULL)) {
+ written = 0;
+ rc = TSS_TPM2B_MAX_BUFFER_Marshalu(&out.outData, &written, NULL, NULL);
+ }
+ if ((rc == 0) && (outFilename != NULL)) {
+ buffer = realloc(buffer, written); /* freed @2 */
+ buffer1 = buffer;
+ written = 0;
+ rc = TSS_TPM2B_MAX_BUFFER_Marshalu(&out.outData, &written, &buffer1, NULL);
+ }
+ if ((rc == 0) && (outFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(buffer + sizeof(uint16_t),
+ written - sizeof(uint16_t),
+ outFilename);
+ }
+ free(buffer); /* @2 */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printDecrypt(&out);
+ if (tssUtilsVerbose) printf("encryptdecrypt: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("encryptdecrypt: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printDecrypt(EncryptDecrypt_Out *out)
+{
+ TSS_PrintAll("outData", out->outData.t.buffer, out->outData.t.size);
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("encryptdecrypt\n");
+ printf("\n");
+ printf("Runs TPM2_EncryptDecrypt\n");
+ printf("\n");
+ printf("\t-hk\tkey handle\n");
+ printf("\t-pwdk\tpassword for key (default empty)\n");
+ printf("\t-d\tdecrypt (default encrypt)\n");
+ printf("\t-if\tinput file name\n");
+ printf("\t[-of\toutput file name (default do not save)]\n");
+ printf("\t[-2\tuse TPM2_EncryptDecrypt2]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
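Review bot: The `realloc` result in `main` is used without a NULL check: `buffer = realloc(buffer, written);` is followed directly by `buffer1 = buffer;` and a marshal call that writes through `buffer1`, so an allocation failure becomes a NULL dereference rather than a reported error. Since `buffer` is known to be NULL at that point (it was freed and reset at `@1`), this is effectively a `malloc`, and the check fits on one line: `if (buffer == NULL) rc = TSS_RC_OUT_OF_MEMORY;` placed before `buffer1 = buffer;`, with the following `if ((rc == 0) && ...)` blocks then skipping naturally. The `sscanf(argv[i],"%x",...)` calls for `-hk` and `-se[0-2]` also ignore their return value; a non-hex argument silently leaves the default in place, which for the session handles is indistinguishable from the option not being given.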
diff --git a/libstb/tss2/ibmtpm20tss/utils/eventextend.c b/libstb/tss2/ibmtpm20tss/utils/eventextend.c
new file mode 100644
index 0000000..31b49d1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/eventextend.c
@@ -0,0 +1,390 @@
+/********************************************************************************/
+/* */
+/* Extend an EVENT measurement file into PCRs */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* eventextend is test/demo code. It parses a TPM2 event log file and extends the measurements into
+ TPM PCRs or simulated PCRs. This simulates the actions that would be performed by BIOS /
+ firmware in a hardware platform. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tsscryptoh.h>
+
+#include "eventlib.h"
+
+/* local prototypes */
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char * argv[])
+{
+ TPM_RC rc = 0;
+ int i = 0;
+ TSS_CONTEXT *tssContext = NULL;
+ const char *infilename = NULL;
+ FILE *infile = NULL;
+ int tpm = FALSE; /* extend into TPM */
+ int sim = FALSE; /* extend into simulated PCRs */
+ int nospec = FALSE; /* event log does not start with spec file */
+ int noSpace = FALSE;
+ uint32_t bankNum = 0; /* PCR hash bank */
+ unsigned int pcrNum = 0; /* PCR number iterator */
+ TPMI_DH_PCR pcrMax = 7;
+ TPMT_HA simPcrs[HASH_COUNT][IMPLEMENTATION_PCR];
+ TPMT_HA bootAggregates[HASH_COUNT];
+ TCG_PCR_EVENT2 event2; /* TPM 2.0 event log entry */
+ TCG_PCR_EVENT event; /* TPM 1.2 event log entry */
+ TCG_EfiSpecIDEvent specIdEvent;
+ unsigned int lineNum;
+ int endOfFile = FALSE;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; i<argc ; i++) {
+ if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ infilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ exit(2);
+ }
+ }
+ else if (strcmp(argv[i],"-tpm") == 0) {
+ tpm = TRUE;
+ }
+ else if (strcmp(argv[i],"-nospec") == 0) {
+ nospec = TRUE;
+ }
+ else if (strcmp(argv[i],"-sim") == 0) {
+ sim = TRUE;
+ }
+ else if (strcmp(argv[i],"-ns") == 0) {
+ noSpace = TRUE;
+ }
+ else if (strcmp(argv[i],"-pcrmax") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%u", &pcrMax);
+ }
+ else {
+ printf("Missing parameter for -pcrmax");
+ printUsage();
+ }
+ }
+ else if (!strcmp(argv[i], "-h")) {
+ printUsage();
+ }
+ else if (!strcmp(argv[i], "-v")) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (infilename == NULL) {
+ printf("Missing -if argument\n");
+ printUsage();
+ }
+ if (!tpm && !sim) {
+ printf("-tpm or -sim must be specified\n");
+ printUsage();
+ }
+ if (sim && nospec) {
+ printf("-sim incompatible with -nospec\n");
+ printUsage();
+ }
+ /*
+ ** read the event log file
+ */
+ infile = fopen(infilename,"rb");
+ if (infile == NULL) {
+ printf("Unable to open input file '%s'\n", infilename);
+ exit(-4);
+ }
+ /* the first event is a TPM 1.2 format event */
+ /* read an event line */
+ if ((rc == 0) && !nospec) {
+ rc = TSS_EVENT_Line_Read(&event, &endOfFile, infile);
+ }
+ /* debug tracing */
+ if ((rc == 0) && !nospec && !endOfFile && tssUtilsVerbose) {
+ printf("\neventextend: line 0\n");
+ TSS_EVENT_Line_Trace(&event);
+ }
+ /* parse the event, populates the TCG_EfiSpecIDEvent structure */
+ if ((rc == 0) && !nospec && !endOfFile) {
+ rc = TSS_SpecIdEvent_Unmarshal(&specIdEvent,
+ event.eventDataSize, event.event);
+ }
+ /* range check numberOfAlgorithms before the trace */
+ if ((rc == 0) && !nospec && !endOfFile) {
+ if (specIdEvent.numberOfAlgorithms > HASH_COUNT) {
+ printf("specIdEvent.numberOfAlgorithms %u greater than %u\n",
+ specIdEvent.numberOfAlgorithms, HASH_COUNT);
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ /* trace the specIdEvent event */
+ if ((rc == 0) && !nospec && !endOfFile && tssUtilsVerbose) {
+ TSS_SpecIdEvent_Trace(&specIdEvent);
+ }
+ /* Start a TSS context */
+ if ((rc == 0) && tpm) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* initialize simulated PCRs */
+ if ((rc == 0) && sim) {
+ if (specIdEvent.numberOfAlgorithms > HASH_COUNT) {
+ printf("specIdEvent.numberOfAlgorithms %u greater than %u\n",
+ specIdEvent.numberOfAlgorithms, HASH_COUNT);
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ /* simulated BIOS PCRs start at zero at boot */
+ if ((rc == 0) && sim) {
+ for (bankNum = 0 ; bankNum < specIdEvent.numberOfAlgorithms ; bankNum++) {
+ bootAggregates[bankNum].hashAlg = specIdEvent.digestSizes[bankNum].algorithmId;
+ for (pcrNum = 0 ; pcrNum < IMPLEMENTATION_PCR ; pcrNum++) {
+ /* initialize each algorithm ID based on the specIdEvent */
+ simPcrs[bankNum][pcrNum].hashAlg = specIdEvent.digestSizes[bankNum].algorithmId;
+ memset(&simPcrs[bankNum][pcrNum].digest.tssmax, 0, sizeof(TPMU_HA));
+ }
+ }
+ }
+ /* scan each measurement 'line' in the binary */
+ for (lineNum = 1 ; (rc == 0) && !endOfFile ; lineNum++) {
+
+ /* read a TPM 2.0 hash agile event line */
+ if (rc == 0) {
+ rc = TSS_EVENT2_Line_Read(&event2, &endOfFile, infile);
+ }
+ /* debug tracing */
+ if ((rc == 0) && !endOfFile && tssUtilsVerbose) {
+ printf("\neventextend: line %u\n", lineNum);
+ TSS_EVENT2_Line_Trace(&event2);
+ }
+ /* don't extend no action events */
+ if ((rc == 0) && !endOfFile) {
+ if (event2.eventType == EV_NO_ACTION) {
+ continue;
+ }
+ }
+ if ((rc == 0) && !endOfFile && tpm) { /* extend TPM */
+ PCR_Extend_In in;
+ PCR_Read_In pcrReadIn;
+ PCR_Read_Out pcrReadOut;
+
+ if (rc == 0) {
+ in.pcrHandle = event2.pcrIndex;
+ in.digests = event2.digests;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PCR_Extend,
+ TPM_RS_PW, NULL, 0,
+ TPM_RH_NULL, NULL, 0);
+ }
+ /* for debug, read back and trace the PCR value after the extend */
+ if ((rc == 0) && tssUtilsVerbose) {
+ pcrReadIn.pcrSelectionIn.count = 1;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].hash =
+ event2.digests.digests[0].hashAlg;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].sizeofSelect = 3;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[0] = 0;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[1] = 0;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[2] = 0;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[event2.pcrIndex / 8] =
+ 1 << (event2.pcrIndex % 8);
+
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&pcrReadOut,
+ (COMMAND_PARAMETERS *)&pcrReadIn,
+ NULL,
+ TPM_CC_PCR_Read,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if ((rc == 0) && tssUtilsVerbose) {
+ TSS_PrintAll("PCR digest",
+ pcrReadOut.pcrValues.digests[0].t.buffer,
+ pcrReadOut.pcrValues.digests[0].t.size);
+ }
+ }
+ if ((rc == 0) && !endOfFile && sim) { /* extend simulated PCRs */
+ rc = TSS_EVENT2_PCR_Extend(simPcrs, &event2);
+ }
+ }
+ {
+ if (tpm) {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ }
+ if ((rc == 0) && sim) {
+ for (bankNum = 0 ; (rc == 0) && (bankNum < specIdEvent.numberOfAlgorithms) ; bankNum++) {
+ /* trace the virtual PCRs */
+ if (rc == 0) {
+ char pcrString[9]; /* PCR number */
+
+ printf("\n");
+ TSS_TPM_ALG_ID_Print("algorithmId", specIdEvent.digestSizes[bankNum].algorithmId, 0);
+ for (pcrNum = 0 ; pcrNum < IMPLEMENTATION_PCR ; pcrNum++) {
+ sprintf(pcrString, "PCR %02u:", pcrNum);
+ if (!noSpace) {
+ /* TSS_PrintAllLogLevel() with a log level of LOGLEVEL_INFO to print the byte
+ array on one line with no length */
+ TSS_PrintAllLogLevel(LOGLEVEL_INFO, pcrString, 1,
+ simPcrs[bankNum][pcrNum].digest.tssmax,
+ specIdEvent.digestSizes[bankNum].digestSize);
+ }
+ else { /* print with no spaces */
+ uint32_t bp;
+ printf("PCR %02u: ", pcrNum);
+ for (bp = 0 ; bp < specIdEvent.digestSizes[bankNum].digestSize ; bp++) {
+ printf("%02x", simPcrs[bankNum][pcrNum].digest.tssmax[bp]);
+ }
+ printf("\n");
+ }
+ }
+ }
+ /* calculate the boot aggregate, hash of PCR 0-7 */
+ if (rc == 0) {
+ int length[IMPLEMENTATION_PCR];
+ size_t j;
+ for (j = 0 ; j < IMPLEMENTATION_PCR ; j++) {
+ if (j <= pcrMax) { /* include PCRs up to here */
+ length[j] = specIdEvent.digestSizes[bankNum].digestSize;
+ }
+ else {
+ length[j] = 0; /* exclude PCRs after to here */
+ }
+ }
+ rc = TSS_Hash_Generate(&bootAggregates[bankNum],
+ length[0], &simPcrs[bankNum][0].digest.tssmax,
+ length[1], &simPcrs[bankNum][1].digest.tssmax,
+ length[2], &simPcrs[bankNum][2].digest.tssmax,
+ length[3], &simPcrs[bankNum][3].digest.tssmax,
+ length[4], &simPcrs[bankNum][4].digest.tssmax,
+ length[5], &simPcrs[bankNum][5].digest.tssmax,
+ length[6], &simPcrs[bankNum][6].digest.tssmax,
+ length[7], &simPcrs[bankNum][7].digest.tssmax,
+ length[8], &simPcrs[bankNum][8].digest.tssmax,
+ length[9], &simPcrs[bankNum][9].digest.tssmax,
+ length[10], &simPcrs[bankNum][10].digest.tssmax,
+ length[11], &simPcrs[bankNum][11].digest.tssmax,
+ length[12], &simPcrs[bankNum][12].digest.tssmax,
+ length[13], &simPcrs[bankNum][13].digest.tssmax,
+ length[14], &simPcrs[bankNum][14].digest.tssmax,
+ length[15], &simPcrs[bankNum][15].digest.tssmax,
+ length[16], &simPcrs[bankNum][16].digest.tssmax,
+ length[17], &simPcrs[bankNum][17].digest.tssmax,
+ length[18], &simPcrs[bankNum][18].digest.tssmax,
+ length[19], &simPcrs[bankNum][19].digest.tssmax,
+ length[20], &simPcrs[bankNum][20].digest.tssmax,
+ length[21], &simPcrs[bankNum][21].digest.tssmax,
+ length[22], &simPcrs[bankNum][22].digest.tssmax,
+ length[23], &simPcrs[bankNum][23].digest.tssmax,
+ 0, NULL);
+ }
+ /* trace the boot aggregate */
+ if (rc == 0) {
+ if (!noSpace) {
+ TSS_PrintAllLogLevel(LOGLEVEL_INFO, "\nboot aggregate:", 1,
+ bootAggregates[bankNum].digest.tssmax,
+ specIdEvent.digestSizes[bankNum].digestSize);
+ }
+ else { /* print with no spaces */
+ uint32_t bp;
+ printf("\nboot aggregate: ");
+ for (bp = 0 ; bp < specIdEvent.digestSizes[bankNum].digestSize ; bp++) {
+ printf("%02x", bootAggregates[bankNum].digest.tssmax[bp]);
+ }
+ printf("\n");
+ }
+ }
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("eventextend: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("eventextend: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ if (infile != NULL) {
+ fclose(infile);
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("Usage: eventextend -if <measurement file> [-v]\n");
+ printf("\n");
+ printf("Extends a measurement file (binary) into a TPM or simulated PCRs\n");
+ printf("\n");
+ printf("\t-if\tfile containing the data to be extended\n");
+ printf("\t[-nospec\tfile does not contain spec ID header (useful for incremental test)]\n");
+ printf("\t[-tpm\textend TPM PCRs]\n");
+ printf("\t[-sim\tcalculate simulated PCRs and boot aggregate]\n");
+ printf("\t[-pcrmax\twith -sim, sets the highest PCR number to be used to calculate the\n"
+ "\t\tboot aggregate (default 7)]\n");
+ printf("\t[-ns\tno space, no text, no newlines]\n");
+ printf("\n");
+ exit(-1);
+}
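Review bot: `event2.pcrIndex` is read from the event log file and then used unchecked as an array index in the verbose PCR read-back, `pcrSelect[event2.pcrIndex / 8] = 1 << (event2.pcrIndex % 8)`, and as the extend target for both the TPM and simulated paths. Unless `TSS_EVENT2_Line_Read` (defined in eventlib.c, outside this hunk) already rejects out-of-range values, a malformed or hostile log entry with `pcrIndex >= IMPLEMENTATION_PCR` writes past the three-byte selection this code assumes; a guard right after the `EV_NO_ACTION` filter would close that regardless of what the reader does: `if ((rc == 0) && !endOfFile && (event2.pcrIndex >= IMPLEMENTATION_PCR)) { printf("eventextend: pcrIndex %u out of range\n", event2.pcrIndex); rc = TSS_RC_BAD_PROPERTY_VALUE; }`. Separately, with `-sim` and an input file that hits `endOfFile` on the very first read, `specIdEvent` is never populated but `specIdEvent.numberOfAlgorithms` is still read in the simulated-PCR initialisation, so the `sim` blocks should also be conditioned on `!endOfFile` or the empty-file case rejected explicitly. The `-pcrmax` error message is missing its trailing `\n`, unlike every other message in the file.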
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/eventlib.c b/libstb/tss2/ibmtpm20tss/utils/eventlib.c
new file mode 100644
index 0000000..b887e11
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/eventlib.c
@@ -0,0 +1,1095 @@
+/********************************************************************************/
+/* */
+/* TPM2 Measurement Log Common Routines */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <ibmtss/tssprint.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tsserror.h>
+#ifndef TPM_TSS_NOCRYPTO
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tsscrypto.h>
+#endif /* TPM_TSS_NOCRYPTO */
+#include <ibmtss/tssutils.h>
+
+#include "eventlib.h"
+
+#ifndef TPM_TSS_NOFILE
+#ifdef TPM_TPM20
+static uint16_t Uint16_Convert(uint16_t in);
+#endif
+static uint32_t Uint32_Convert(uint32_t in);
+#endif /* TPM_TSS_NOFILE */
+static TPM_RC UINT16LE_Unmarshal(uint16_t *target, BYTE **buffer, uint32_t *size);
+static TPM_RC UINT32LE_Unmarshal(uint32_t *target, BYTE **buffer, uint32_t *size);
+
+static void TSS_EVENT_EventType_Trace(uint32_t eventType);
+static TPM_RC TSS_SpecIdEventAlgorithmSize_Unmarshal(TCG_EfiSpecIdEventAlgorithmSize *algSize,
+ uint8_t **buffer,
+ uint32_t *size);
+static void TSS_SpecIdEventAlgorithmSize_Trace(TCG_EfiSpecIdEventAlgorithmSize *algSize);
+static TPM_RC TSS_TPML_DIGEST_VALUES_LE_Unmarshalu(TPML_DIGEST_VALUES *target,
+ BYTE **buffer,
+ uint32_t *size);
+static TPM_RC TSS_TPMT_HA_LE_Unmarshalu(TPMT_HA *target, BYTE **buffer,
+ uint32_t *size, BOOL allowNull);
+static TPM_RC TSS_TPMI_ALG_HASH_LE_Unmarshalu(TPMI_ALG_HASH *target,
+ BYTE **buffer, uint32_t *size,
+ BOOL allowNull);
+static TPM_RC TSS_TPM_ALG_ID_LE_Unmarshalu(TPM_ALG_ID *target,
+ BYTE **buffer, uint32_t *size);
+static TPM_RC TSS_TPMT_HA_LE_Marshalu(const TPMT_HA *source, uint16_t *written,
+ BYTE **buffer, uint32_t *size);
+static TPM_RC TSS_TPML_DIGEST_VALUES_LE_Marshalu(const TPML_DIGEST_VALUES *source,
+ uint16_t *written, BYTE **buffer,
+ uint32_t *size);
+
+/* TSS_EVENT_Line_Read() reads a TPM 1.2 SHA-1 event line from a binary file inFile.
+
+ */
+
+#ifndef TPM_TSS_NOFILE
+int TSS_EVENT_Line_Read(TCG_PCR_EVENT *event,
+ int *endOfFile,
+ FILE *inFile)
+{
+ int rc = 0;
+ size_t readSize;
+ *endOfFile = FALSE;
+
+ /* read the PCR index */
+ if (rc == 0) {
+ readSize = fread(&(event->pcrIndex),
+ sizeof(((TCG_PCR_EVENT *)NULL)->pcrIndex), 1, inFile);
+ if (readSize != 1) {
+ if (feof(inFile)) {
+ *endOfFile = TRUE;
+ }
+ else {
+ printf("TSS_EVENT_Line_Read: Error, could not read pcrIndex, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ /* do the endian conversion from stream to uint32_t */
+ if (!*endOfFile && (rc == 0)) {
+ event->pcrIndex = Uint32_Convert(event->pcrIndex);
+ }
+ /* read the event type */
+ if (!*endOfFile && (rc == 0)) {
+ readSize = fread(&(event->eventType),
+ sizeof(((TCG_PCR_EVENT *)NULL)->eventType), 1, inFile);
+ if (readSize != 1) {
+ printf("TSS_EVENT_Line_Read: Error, could not read eventType, returned %lu\n",
+ (unsigned long) readSize);
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ /* do the endian conversion from stream to uint32_t */
+ if (!*endOfFile && (rc == 0)) {
+ event->eventType = Uint32_Convert(event->eventType);
+ }
+ /* read the digest */
+ if (!*endOfFile && (rc == 0)) {
+ readSize = fread(&(event->digest),
+ sizeof(((TCG_PCR_EVENT *)NULL)->digest), 1, inFile);
+ if (readSize != 1) {
+ printf("TSS_EVENT_Line_Read: Error, could not read digest, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* read the event data size */
+ if (!*endOfFile && (rc == 0)) {
+ readSize = fread(&(event->eventDataSize),
+ sizeof(((TCG_PCR_EVENT *)NULL)->eventDataSize), 1, inFile);
+ if (readSize != 1) {
+ printf("TSS_EVENT_Line_Read: Error, could not read event data size, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* do the endian conversion from stream to uint32_t */
+ if (!*endOfFile && (rc == 0)) {
+ event->eventDataSize = Uint32_Convert(event->eventDataSize);
+ }
+ /* bounds check the event data length */
+ if (!*endOfFile && (rc == 0)) {
+ if (event->eventDataSize > sizeof(((TCG_PCR_EVENT *)NULL)->event)) {
+ printf("TSS_EVENT_Line_Read: Error, event data length too big: %u\n",
+ event->eventDataSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* read the event */
+ if (!*endOfFile && (rc == 0)) {
+ memset(event->event , 0, sizeof(((TCG_PCR_EVENT *)NULL)->event));
+ readSize = fread(&(event->event),
+ event->eventDataSize, 1, inFile);
+ if (readSize != 1) {
+ printf("TSS_EVENT_Line_Read: Error, could not read event, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOFILE */
+
+/* TSS_EVENT_Line_Marshal() marshals a TCG_PCR_EVENT structure */
+
+TPM_RC TSS_EVENT_Line_Marshal(TCG_PCR_EVENT *source,
+ uint16_t *written, uint8_t **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->pcrIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->eventType, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->digest, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->eventDataSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->event, source->eventDataSize, written, buffer, size);
+ }
+ return rc;
+}
+
+/* TSS_EVENT_Line_Unmarshal() unmarshals a TCG_PCR_EVENT2 structure
+
+ */
+
+TPM_RC TSS_EVENT_Line_Unmarshal(TCG_PCR_EVENT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->pcrIndex, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->eventType, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu((uint8_t *)target->digest, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->eventDataSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->eventDataSize > sizeof(target->event)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu((uint8_t *)target->event, target->eventDataSize, buffer, size);
+ }
+ return rc;
+}
+
+/*
+ * TSS_EVENT_Line_LE_Unmarshal() Unmarshal LE buffer into a target TCG_PCR_EVENT
+*/
+TPM_RC TSS_EVENT_Line_LE_Unmarshal(TCG_PCR_EVENT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = UINT32LE_Unmarshal(&target->pcrIndex, buffer, size);
+ }
+ if (rc == 0) {
+ rc = UINT32LE_Unmarshal(&target->eventType, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu((uint8_t *)target->digest, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ if (rc == 0) {
+ rc = UINT32LE_Unmarshal(&target->eventDataSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->eventDataSize > sizeof(target->event)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu((uint8_t *)target->event, target->eventDataSize, buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCRYPTO
+/* TSS_EVENT_PCR_Extend() extends PCR digest with the digest from the TCG_PCR_EVENT event log
+ entry.
+*/
+
+TPM_RC TSS_EVENT_PCR_Extend(TPMT_HA pcrs[IMPLEMENTATION_PCR],
+ TCG_PCR_EVENT *event)
+{
+ TPM_RC rc = 0;
+
+ /* validate PCR number */
+ if (rc == 0) {
+ if (event->pcrIndex >= IMPLEMENTATION_PCR) {
+ printf("ERROR: TSS_EVENT_PCR_Extend: PCR number %u out of range\n", event->pcrIndex);
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ /* process each event hash algorithm */
+ if (rc == 0) {
+ pcrs[event->pcrIndex].hashAlg = TPM_ALG_SHA1; /* should already be initialized */
+ if (rc == 0) {
+ rc = TSS_Hash_Generate(&pcrs[event->pcrIndex],
+ SHA1_DIGEST_SIZE, (uint8_t *)&pcrs[event->pcrIndex].digest,
+ SHA1_DIGEST_SIZE, &event->digest,
+ 0, NULL);
+ }
+ }
+ return rc;
+}
+#endif /* TPM_TSS_NOCRYPTO */
+
+void TSS_EVENT_Line_Trace(TCG_PCR_EVENT *event)
+{
+ printf("TSS_EVENT_Line_Trace: PCR index %u\n", event->pcrIndex);
+ TSS_EVENT_EventType_Trace(event->eventType);
+ TSS_PrintAll("TSS_EVENT_Line_Trace: PCR",
+ event->digest, sizeof(((TCG_PCR_EVENT *)NULL)->digest));
+ TSS_PrintAll("TSS_EVENT_Line_Trace: event",
+ event->event, event->eventDataSize);
+ if (event->eventType == EV_IPL) { /* this event appears to be printable strings */
+ printf(" %.*s\n", event->eventDataSize, event->event);
+ }
+ return;
+}
+
+/* TSS_SpecIdEvent_Unmarshal() unmarshals the TCG_EfiSpecIDEvent structure.
+
+ The size and buffer are not moved, since this is the only structure in the event.
+*/
+
+TPM_RC TSS_SpecIdEvent_Unmarshal(TCG_EfiSpecIDEvent *specIdEvent,
+ uint32_t eventSize,
+ uint8_t *event)
+{
+ TPM_RC rc = 0;
+ uint32_t size = eventSize; /* copy, because size and buffer are not moved */
+ uint8_t *buffer = event;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(specIdEvent->signature, sizeof(specIdEvent->signature),
+ &buffer, &size);
+ }
+ if (rc == 0) {
+ rc = UINT32LE_Unmarshal(&(specIdEvent->platformClass), &buffer, &size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&(specIdEvent->specVersionMinor), &buffer, &size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&(specIdEvent->specVersionMajor), &buffer, &size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&(specIdEvent->specErrata), &buffer, &size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&(specIdEvent->uintnSize), &buffer, &size);
+ }
+ if (rc == 0) {
+ rc = UINT32LE_Unmarshal(&(specIdEvent->numberOfAlgorithms), &buffer, &size);
+ }
+ for (i = 0 ; (rc == 0) && (i < specIdEvent->numberOfAlgorithms) ; i++) {
+ rc = TSS_SpecIdEventAlgorithmSize_Unmarshal(&(specIdEvent->digestSizes[i]),
+ &buffer, &size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&(specIdEvent->vendorInfoSize), &buffer, &size);
+ }
+#if 0 /* NOTE: Can never fail because vendorInfoSize is uint8_t and vendorInfo is 0xff bytes */
+ if (rc == 0) {
+ if (specIdEvent->vendorInfoSize > sizeof(specIdEvent->vendorInfo)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+#endif
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(specIdEvent->vendorInfo, specIdEvent->vendorInfoSize,
+ &buffer, &size);
+ }
+ return rc;
+}
+
+/* TSS_SpecIdEventAlgorithmSize_Unmarshal() unmarshals the TCG_EfiSpecIdEventAlgorithmSize
+ structure */
+
+static TPM_RC TSS_SpecIdEventAlgorithmSize_Unmarshal(TCG_EfiSpecIdEventAlgorithmSize *algSize,
+ uint8_t **buffer,
+ uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = UINT16LE_Unmarshal(&(algSize->algorithmId), buffer, size);
+ }
+ if (rc == 0) {
+ rc = UINT16LE_Unmarshal(&(algSize->digestSize), buffer, size);
+ }
+ if (rc == 0) {
+ uint16_t mappedDigestSize = TSS_GetDigestSize(algSize->algorithmId);
+ if (mappedDigestSize != 0) {
+ if (mappedDigestSize != algSize->digestSize) {
+ printf("TSS_SpecIdEventAlgorithmSize_Unmarshal: "
+ "Error, inconsistent digest size, algorithm %04x size %u\n",
+ algSize->algorithmId, algSize->digestSize);
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ }
+ return rc;
+}
+
+void TSS_SpecIdEvent_Trace(TCG_EfiSpecIDEvent *specIdEvent)
+{
+ uint32_t i;
+
+ /* normal case */
+ if (specIdEvent->signature[15] == '\0') {
+ printf("TSS_SpecIdEvent_Trace: signature: %s\n", specIdEvent->signature);
+ }
+ /* error case */
+ else {
+ TSS_PrintAll("TSS_SpecIdEvent_Trace: signature",
+ specIdEvent->signature, sizeof(specIdEvent->signature));
+ }
+ printf("TSS_SpecIdEvent_Trace: platformClass %08x\n", specIdEvent->platformClass);
+ printf("TSS_SpecIdEvent_Trace: specVersionMinor %02x\n", specIdEvent->specVersionMinor);
+ printf("TSS_SpecIdEvent_Trace: specVersionMajor %02x\n", specIdEvent->specVersionMajor);
+ printf("TSS_SpecIdEvent_Trace: specErrata %02x\n", specIdEvent->specErrata);
+ printf("TSS_SpecIdEvent_Trace: uintnSize %02x\n", specIdEvent->uintnSize);
+ printf("TSS_SpecIdEvent_Trace: numberOfAlgorithms %u\n", specIdEvent->numberOfAlgorithms);
+ for (i = 0 ; (i < specIdEvent->numberOfAlgorithms) ; i++) {
+ TSS_SpecIdEventAlgorithmSize_Trace(&(specIdEvent->digestSizes[i]));
+ }
+ /* try for a printable string */
+ if (specIdEvent->vendorInfo[specIdEvent->vendorInfoSize-1] == '\0') {
+ printf("TSS_SpecIdEvent_Trace: vendorInfo: %s\n", specIdEvent->vendorInfo);
+ }
+ /* if not, trace the bytes */
+ else {
+ TSS_PrintAll("TSS_SpecIdEvent_Trace: vendorInfo",
+ specIdEvent->vendorInfo, specIdEvent->vendorInfoSize);
+ }
+ return;
+}
+
+static void TSS_SpecIdEventAlgorithmSize_Trace(TCG_EfiSpecIdEventAlgorithmSize *algSize)
+{
+ printf("TSS_SpecIdEventAlgorithmSize_Trace: algorithmId %04x\n", algSize->algorithmId);
+ printf("TSS_SpecIdEventAlgorithmSize_Trace: digestSize %u\n", algSize->digestSize);
+ return;
+}
+
+#ifdef TPM_TPM20
+#ifndef TPM_TSS_NOFILE
+
+/* TSS_EVENT2_Line_Read() reads a TPM2 event line from a binary file inFile.
+
+*/
+
+int TSS_EVENT2_Line_Read(TCG_PCR_EVENT2 *event,
+ int *endOfFile,
+ FILE *inFile)
+{
+ int rc = 0;
+ size_t readSize;
+ uint32_t maxCount;
+ uint32_t count;
+
+ *endOfFile = FALSE;
+ /* read the PCR index */
+ if (rc == 0) {
+ readSize = fread(&(event->pcrIndex),
+ sizeof(((TCG_PCR_EVENT2 *)NULL)->pcrIndex), 1, inFile);
+ if (readSize != 1) {
+ if (feof(inFile)) {
+ *endOfFile = TRUE;
+ }
+ else {
+ printf("TSS_EVENT2_Line_Read: Error, could not read pcrIndex, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ /* do the endian conversion from stream to uint32_t */
+ if (!*endOfFile && (rc == 0)) {
+ event->pcrIndex = Uint32_Convert(event->pcrIndex);
+ }
+ /* read the event type */
+ if (!*endOfFile && (rc == 0)) {
+ readSize = fread(&(event->eventType),
+ sizeof(((TCG_PCR_EVENT2 *)NULL)->eventType), 1, inFile);
+ if (readSize != 1) {
+ printf("TSS_EVENT2_Line_Read: Error, could not read eventType, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* do the endian conversion from stream to uint32_t */
+ if (!*endOfFile && (rc == 0)) {
+ event->eventType = Uint32_Convert(event->eventType);
+ }
+ /* read the TPML_DIGEST_VALUES count */
+ if (!*endOfFile && (rc == 0)) {
+ maxCount = sizeof((TPML_DIGEST_VALUES *)NULL)->digests / sizeof(TPMT_HA);
+ readSize = fread(&(event->digests.count),
+ sizeof(((TPML_DIGEST_VALUES *)NULL)->count), 1, inFile);
+ if (readSize != 1) {
+ printf("TSS_EVENT2_Line_Read: Error, could not read digest count, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* do the endian conversion from stream to uint32_t */
+ if (!*endOfFile && (rc == 0)) {
+ event->digests.count = Uint32_Convert(event->digests.count);
+ }
+ /* range check the digest count */
+ if (!*endOfFile && (rc == 0)) {
+ if (event->digests.count > maxCount) {
+ printf("TSS_EVENT2_Line_Read: Error, digest count %u is greater than structure %u\n",
+ event->digests.count, maxCount);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else if (event->digests.count == 0) {
+ printf("TSS_EVENT2_Line_Read: Error, digest count is zero\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* read all the TPMT_HA, loop through all the digest algorithms */
+ for (count = 0 ; !*endOfFile && (count < event->digests.count) ; count++) {
+ uint16_t digestSize;
+ /* read the digest algorithm */
+ if (rc == 0) {
+ readSize = fread(&(event->digests.digests[count].hashAlg),
+ sizeof((TPMT_HA *)NULL)->hashAlg, 1, inFile);
+ if (readSize != 1) {
+ printf("TSS_EVENT2_Line_Read: "
+ "Error, could not read digest algorithm, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* do the endian conversion of the hash algorithm from stream to uint16_t */
+ if (rc == 0) {
+ event->digests.digests[count].hashAlg =
+ Uint16_Convert(event->digests.digests[count].hashAlg);
+ }
+ /* map from the digest algorithm to the digest length */
+ if (rc == 0) {
+ digestSize = TSS_GetDigestSize(event->digests.digests[count].hashAlg);
+ if (digestSize == 0) {
+ printf("TSS_EVENT2_Line_Read: Error, unknown digest algorithm %04x*\n",
+ event->digests.digests[count].hashAlg);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* read the digest */
+ if (rc == 0) {
+ readSize = fread((uint8_t *)&(event->digests.digests[count].digest),
+ digestSize, 1, inFile);
+ if (readSize != 1) {
+ printf("TSS_EVENT2_Line_Read: Error, could not read digest, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ /* read the event size */
+ if (!*endOfFile && (rc == 0)) {
+ readSize = fread(&(event->eventSize),
+ sizeof(((TCG_PCR_EVENT2 *)NULL)->eventSize), 1, inFile);
+ if (readSize != 1) {
+ printf("TSS_EVENT2_Line_Read: Error, could not read event size, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* do the endian conversion from stream to uint32_t */
+ if (!*endOfFile && (rc == 0)) {
+ event->eventSize = Uint32_Convert(event->eventSize);
+ }
+ /* bounds check the event size */
+ if (!*endOfFile && (rc == 0)) {
+ if (event->eventSize > sizeof(((TCG_PCR_EVENT2 *)NULL)->event)) {
+ printf("TSS_EVENT2_Line_Read: Error, event size too big: %u\n",
+ event->eventSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* read the event */
+ if (!*endOfFile && (event->eventSize > 0) && (rc == 0)) {
+ memset(event->event , 0, sizeof(((TCG_PCR_EVENT2 *)NULL)->event));
+ readSize = fread(&(event->event),
+ event->eventSize, 1, inFile);
+ if (readSize != 1) {
+ printf("TSS_EVENT2_Line_Read: Error, could not read event, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ return rc;
+}
+#endif /* TPM_TSS_NOFILE */
+
+/* TSS_EVENT2_Line_Marshal() marshals a TCG_PCR_EVENT2 structure */
+
+TPM_RC TSS_EVENT2_Line_Marshal(TCG_PCR_EVENT2 *source,
+ uint16_t *written, uint8_t **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->pcrIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->eventType, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_DIGEST_VALUES_Marshalu(&source->digests, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->eventSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu((uint8_t *)source->event, source->eventSize, written, buffer, size);
+ }
+ return rc;
+}
+
+/*
+ * TSS_EVENT2_Line_LE_Marshal() Marshals a TSS_EVENT2 structure from HBO into LE
+ * and saves to buffer.
+ */
+TPM_RC TSS_EVENT2_Line_LE_Marshal(TCG_PCR_EVENT2 *source, uint16_t *written,
+ uint8_t **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32LE_Marshal(&source->pcrIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32LE_Marshal(&source->eventType, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_DIGEST_VALUES_LE_Marshalu(&source->digests, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32LE_Marshal(&source->eventSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu((uint8_t *)source->event, source->eventSize, written, buffer, size);
+ }
+ return rc;
+}
+
+/* TSS_EVENT2_Line_Unmarshal() unmarshals a TCG_PCR_EVENT2 structure */
+
+
+TPM_RC TSS_EVENT2_Line_Unmarshal(TCG_PCR_EVENT2 *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->pcrIndex, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->eventType, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_DIGEST_VALUES_Unmarshalu(&target->digests, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->eventSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->eventSize > sizeof(target->event)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu((uint8_t *)target->event, target->eventSize, buffer, size);
+ }
+ return rc;
+}
+
+/*
+ * TSS_EVENT2_Line_LE_Unmarshal() Unmarshals an LE eventlog buffer and save to
+ * the target TCG_PCR_EVENT2
+ */
+TPM_RC TSS_EVENT2_Line_LE_Unmarshal(TCG_PCR_EVENT2 *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = UINT32LE_Unmarshal(&target->pcrIndex, buffer, size);
+ }
+ if (rc == 0) {
+ rc = UINT32LE_Unmarshal(&target->eventType, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_DIGEST_VALUES_LE_Unmarshalu(&target->digests, buffer, size);
+ }
+ if (rc == 0) {
+ rc = UINT32LE_Unmarshal(&target->eventSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->eventSize > sizeof(target->event)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu((uint8_t *)target->event, target->eventSize, buffer, size);
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCRYPTO
+/* TSS_EVENT2_PCR_Extend() extends PCR digests with the digest from the TCG_PCR_EVENT2 event log
+ entry.
+*/
+
+TPM_RC TSS_EVENT2_PCR_Extend(TPMT_HA pcrs[HASH_COUNT][IMPLEMENTATION_PCR],
+ TCG_PCR_EVENT2 *event2)
+{
+ TPM_RC rc = 0;
+ uint32_t i; /* iterator though hash algorithms */
+ uint32_t bankNum = 0; /* iterator though PCR hash banks */
+
+ /* validate PCR number */
+ if (rc == 0) {
+ if (event2->pcrIndex >= IMPLEMENTATION_PCR) {
+ printf("ERROR: TSS_EVENT2_PCR_Extend: PCR number %u out of range\n", event2->pcrIndex);
+ rc = 1;
+ }
+ }
+ /* validate event count */
+ if (rc == 0) {
+ uint32_t maxCount = sizeof(((TPML_DIGEST_VALUES *)NULL)->digests) / sizeof(TPMT_HA);
+ if (event2->digests.count > maxCount) {
+ printf("ERROR: TSS_EVENT2_PCR_Extend: PCR count %u out of range, max %u\n",
+ event2->digests.count, maxCount);
+ rc = 1;
+ }
+ }
+ /* process each event hash algorithm */
+ for (i = 0; (rc == 0) && (i < event2->digests.count) ; i++) {
+ /* find the matching PCR bank */
+ for (bankNum = 0 ; (rc == 0) && (bankNum < event2->digests.count) ; bankNum++) {
+ if (pcrs[bankNum][0].hashAlg == event2->digests.digests[i].hashAlg) {
+
+ uint16_t digestSize;
+ if (rc == 0) {
+ digestSize = TSS_GetDigestSize(event2->digests.digests[i].hashAlg);
+ if (digestSize == 0) {
+ printf("ERROR: TSS_EVENT2_PCR_Extend: hash algorithm %04hx unknown\n",
+ event2->digests.digests[i].hashAlg);
+ rc = 1;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Hash_Generate(&pcrs[bankNum][event2->pcrIndex],
+ digestSize,
+ (uint8_t *)&pcrs[bankNum][event2->pcrIndex].digest,
+ digestSize,
+ &event2->digests.digests[i].digest,
+ 0, NULL);
+ }
+ }
+ }
+ }
+ return rc;
+}
+#endif /* TPM_TSS_NOCRYPTO */
+#endif /* TPM_TPM20 */
+
+#ifndef TPM_TSS_NOFILE
+#ifdef TPM_TPM20
+
+/* Uint16_Convert() converts a little endian uint16_t (from an input stream) to host byte order
+ */
+
+static uint16_t Uint16_Convert(uint16_t in)
+{
+ uint16_t out = 0;
+ unsigned char *inb = (unsigned char *)&in;
+
+ /* little endian input */
+ out = (inb[0] << 0) |
+ (inb[1] << 8);
+ return out;
+}
+
+#endif
+
+/* Uint32_Convert() converts a little endian uint32_t (from an input stream) to host byte order
+ */
+
+static uint32_t Uint32_Convert(uint32_t in)
+{
+ uint32_t out = 0;
+ unsigned char *inb = (unsigned char *)&in;
+
+ /* little endian input */
+ out = (inb[0] << 0) |
+ (inb[1] << 8) |
+ (inb[2] << 16) |
+ (inb[3] << 24);
+ return out;
+}
+#endif /* TPM_TSS_NOFILE */
+
+/* UINT16LE_Unmarshal() unmarshals a little endian 2-byte array from buffer into a HBO uint16_t */
+
+static TPM_RC
+UINT16LE_Unmarshal(uint16_t *target, BYTE **buffer, uint32_t *size)
+{
+ if (*size < sizeof(uint16_t)) {
+ return TPM_RC_INSUFFICIENT;
+ }
+ *target = ((uint16_t)((*buffer)[0]) << 0) |
+ ((uint16_t)((*buffer)[1]) << 8);
+ *buffer += sizeof(uint16_t);
+ *size -= sizeof(uint16_t);
+ return TPM_RC_SUCCESS;
+}
+
+/* UINT32LE_Unmarshal() unmarshals a little endian 4-byte array from buffer into a HBO uint32_t */
+
+static TPM_RC
+UINT32LE_Unmarshal(uint32_t *target, BYTE **buffer, uint32_t *size)
+{
+ if (*size < sizeof(uint32_t)) {
+ return TPM_RC_INSUFFICIENT;
+ }
+ *target = ((uint32_t)((*buffer)[0]) << 0) |
+ ((uint32_t)((*buffer)[1]) << 8) |
+ ((uint32_t)((*buffer)[2]) << 16) |
+ ((uint32_t)((*buffer)[3]) << 24);
+ *buffer += sizeof(uint32_t);
+ *size -= sizeof(uint32_t);
+ return TPM_RC_SUCCESS;
+}
+
+
+void TSS_EVENT2_Line_Trace(TCG_PCR_EVENT2 *event)
+{
+ uint32_t count;
+ uint16_t digestSize;
+ printf("TSS_EVENT2_Line_Trace: PCR index %u\n", event->pcrIndex);
+ TSS_EVENT_EventType_Trace(event->eventType);
+ printf("TSS_EVENT2_Line_Trace: digest count %u\n", event->digests.count);
+ for (count = 0 ; count < event->digests.count ; count++) {
+ printf("TSS_EVENT2_Line_Trace: digest %u algorithm %04x\n",
+ count, event->digests.digests[count].hashAlg);
+ digestSize = TSS_GetDigestSize(event->digests.digests[count].hashAlg);
+ TSS_PrintAll("TSS_EVENT2_Line_Trace: PCR",
+ (uint8_t *)&event->digests.digests[count].digest, digestSize);
+ }
+ TSS_PrintAll("TSS_EVENT2_Line_Trace: event",
+ event->event, event->eventSize);
+ return;
+}
+
+/* tables to map eventType to text */
+
+typedef struct {
+ uint32_t eventType;
+ const char *text;
+} EVENT_TYPE_TABLE;
+
+const EVENT_TYPE_TABLE eventTypeTable [] = {
+ {EV_PREBOOT_CERT, "EV_PREBOOT_CERT"},
+ {EV_POST_CODE, "EV_POST_CODE"},
+ {EV_UNUSED, "EV_UNUSED"},
+ {EV_NO_ACTION, "EV_NO_ACTION"},
+ {EV_SEPARATOR, "EV_SEPARATOR"},
+ {EV_ACTION, "EV_ACTION"},
+ {EV_EVENT_TAG, "EV_EVENT_TAG"},
+ {EV_S_CRTM_CONTENTS, "EV_S_CRTM_CONTENTS"},
+ {EV_S_CRTM_VERSION, "EV_S_CRTM_VERSION"},
+ {EV_CPU_MICROCODE, "EV_CPU_MICROCODE"},
+ {EV_PLATFORM_CONFIG_FLAGS, "EV_PLATFORM_CONFIG_FLAGS"},
+ {EV_TABLE_OF_DEVICES, "EV_TABLE_OF_DEVICES"},
+ {EV_COMPACT_HASH, "EV_COMPACT_HASH"},
+ {EV_IPL, "EV_IPL"},
+ {EV_IPL_PARTITION_DATA, "EV_IPL_PARTITION_DATA"},
+ {EV_NONHOST_CODE, "EV_NONHOST_CODE"},
+ {EV_NONHOST_CONFIG, "EV_NONHOST_CONFIG"},
+ {EV_NONHOST_INFO, "EV_NONHOST_INFO"},
+ {EV_OMIT_BOOT_DEVICE_EVENTS, "EV_OMIT_BOOT_DEVICE_EVENTS"},
+ {EV_EFI_EVENT_BASE, "EV_EFI_EVENT_BASE"},
+ {EV_EFI_VARIABLE_DRIVER_CONFIG, "EV_EFI_VARIABLE_DRIVER_CONFIG"},
+ {EV_EFI_VARIABLE_BOOT, "EV_EFI_VARIABLE_BOOT"},
+ {EV_EFI_BOOT_SERVICES_APPLICATION, "EV_EFI_BOOT_SERVICES_APPLICATION"},
+ {EV_EFI_BOOT_SERVICES_DRIVER, "EV_EFI_BOOT_SERVICES_DRIVER"},
+ {EV_EFI_RUNTIME_SERVICES_DRIVER, "EV_EFI_RUNTIME_SERVICES_DRIVER"},
+ {EV_EFI_GPT_EVENT, "EV_EFI_GPT_EVENT"},
+ {EV_EFI_ACTION, "EV_EFI_ACTION"},
+ {EV_EFI_PLATFORM_FIRMWARE_BLOB, "EV_EFI_PLATFORM_FIRMWARE_BLOB"},
+ {EV_EFI_HANDOFF_TABLES, "EV_EFI_HANDOFF_TABLES"},
+ {EV_EFI_HCRTM_EVENT, "EV_EFI_HCRTM_EVENT"},
+ {EV_EFI_VARIABLE_AUTHORITY, "EV_EFI_VARIABLE_AUTHORITY"}
+};
+
+static void TSS_EVENT_EventType_Trace(uint32_t eventType)
+{
+ size_t i;
+
+ for (i = 0 ; i < sizeof(eventTypeTable) / sizeof(EVENT_TYPE_TABLE) ; i++) {
+ if (eventTypeTable[i].eventType == eventType) {
+ printf("TSS_EVENT_EventType_Trace: %08x %s\n",
+ eventTypeTable[i].eventType, eventTypeTable[i].text);
+ return;
+ }
+ }
+ printf("TSS_EVENT_EventType_Trace: %08x Unknown\n", eventType);
+ return;
+}
+
+const char *TSS_EVENT_EventTypeToString(uint32_t eventType)
+{
+ const char *crc = NULL;
+ size_t i;
+
+ for (i = 0 ; i < sizeof(eventTypeTable) / sizeof(EVENT_TYPE_TABLE) ; i++) {
+ if (eventTypeTable[i].eventType == eventType) {
+ crc = eventTypeTable[i].text;
+ }
+ }
+ if (crc == NULL) {
+ crc = "Unknown event type";
+ }
+ return crc;
+}
+
+/*
+ * TSS_TPML_DIGEST_VALUES_LE_Unmarshalu() Unmarshals TPML_DIGEST_VALUES struct
+ * from a LE buffer into HBO data structure. This is similar to
+ * TSS_TPML_DIGEST_VALUES_Unmarshalu but it unrmarshals TPML_DIGEST_VALUES's
+ * count and the digests array members from LE instead of HBO.
+ */
+
+static TPM_RC
+TSS_TPML_DIGEST_VALUES_LE_Unmarshalu(TPML_DIGEST_VALUES *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t i;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = UINT32LE_Unmarshal(&target->count, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (target->count > HASH_COUNT) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ for (i = 0 ; (rc == TPM_RC_SUCCESS) && (i < target->count) ; i++) {
+ rc = TSS_TPMT_HA_LE_Unmarshalu(&target->digests[i], buffer, size, NO);
+ }
+ return rc;
+}
+
+/*
+ * TSS_TPMT_HA_LE_Unmarshalu() Unmarshals a TPMT_HA data from LE to HBO. This is
+ * similar to TSS_TPMT_HA_Unmarshalu but differs specificaly for unmarshalling
+ * hashAlg member from LE instead of from HBO.
+ */
+static TPM_RC
+TSS_TPMT_HA_LE_Unmarshalu(TPMT_HA *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_ALG_HASH_LE_Unmarshalu(&target->hashAlg, buffer, size, allowNull);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMU_HA_Unmarshalu(&target->digest, buffer, size, target->hashAlg);
+ }
+ return rc;
+}
+
+/*
+ * TSS_TPMI_ALG_HASH_LE_Unmarshalu() Unmarshals TPMI_ALG_HASH from a LE buffer
+ * into HBO data structure. This is similar to TSS_TPMI_ALG_HASH_Unmarshalu but
+ * unmarshals TPMI_ALG_HASH from LE instead of HBO.
+ */
+static TPM_RC
+TSS_TPMI_ALG_HASH_LE_Unmarshalu(TPMI_ALG_HASH *target, BYTE **buffer, uint32_t *size, BOOL allowNull)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ allowNull = allowNull;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_ALG_ID_LE_Unmarshalu(target, buffer, size);
+ }
+ return rc;
+}
+
+/*
+ * TSS_TPM_ALG_ID_LE_Unmarshalu() Unrmarshals TPM_ALG_ID from LE buffer. This is
+ * simlar to TSS_TPM_ALG_ID_Unmarshalu but unmarshals from LE instead of HBO.
+ */
+static TPM_RC
+TSS_TPM_ALG_ID_LE_Unmarshalu(TPM_ALG_ID *target, BYTE **buffer,
+ uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = UINT16LE_Unmarshal(target, buffer, size);
+ }
+ return rc;
+}
+
+/* TSS_TPML_DIGEST_VALUES_LE_Marshalu() Similar to TSS_TPML_DIGEST_VALUES_Marshalu
+ * for TSS EVENT2 this marshals count to buffer in LE endianess.
+ */
+static TPM_RC
+TSS_TPML_DIGEST_VALUES_LE_Marshalu(const TPML_DIGEST_VALUES *source,
+ uint16_t *written, BYTE **buffer,
+ uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32LE_Marshal(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPMT_HA_LE_Marshalu(&source->digests[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* TSS_TPMT_HA_LE_Marshalu() Similar to TSS_TPMT_HA_Marshalu for TSS EVENT2,
+ * this saves hashAlg attr as little endian into buffer.
+ */
+static TPM_RC
+TSS_TPMT_HA_LE_Marshalu(const TPMT_HA *source, uint16_t *written,
+ BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16LE_Marshalu(&source->hashAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_HA_Marshalu(&source->digest, written, buffer, size,
+ source->hashAlg);
+ }
+ return rc;
+}
+
+/*
+ * TSS_UINT32LE_Marshal() Marshals uint32_t from HBO into LE in the given buffer.
+ */
+TPM_RC
+TSS_UINT32LE_Marshal(const UINT32 *source, uint16_t *written, BYTE **buffer,
+ uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (buffer != NULL) {
+ if ((size == NULL) || (*size >= sizeof(uint32_t))) {
+ (*buffer)[0] = (BYTE)((*source >> 0) & 0xff);
+ (*buffer)[1] = (BYTE)((*source >> 8) & 0xff);
+ (*buffer)[2] = (BYTE)((*source >> 16) & 0xff);
+ (*buffer)[3] = (BYTE)((*source >> 24) & 0xff);
+
+ *buffer += sizeof(uint32_t);
+ if (size != NULL) {
+ *size -= sizeof(uint32_t);
+ }
+ }
+ else {
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ *written += sizeof(uint32_t);
+ return rc;
+}
+
+/*
+ * UINT16LE_Marshal() Marshals uint16_t from HBO into LE in the given buffer.
+ */
+
+TPM_RC
+TSS_UINT16LE_Marshalu(const UINT16 *source, uint16_t *written, BYTE **buffer,
+ uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (buffer != NULL) {
+ if ((size == NULL) || (*size >= sizeof(uint16_t))) {
+ (*buffer)[0] = (BYTE)((*source >> 0) & 0xff);
+ (*buffer)[1] = (BYTE)((*source >> 8) & 0xff);
+
+ *buffer += sizeof(uint16_t);
+
+ if (size != NULL) {
+ *size -= sizeof(uint16_t);
+ }
+ }
+ else {
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ *written += sizeof(uint16_t);
+ return rc;
+}
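Review bot: TSS_SpecIdEvent_Unmarshal() reads numberOfAlgorithms straight out of the event buffer and then loops `for (i = 0 ; (rc == 0) && (i < specIdEvent->numberOfAlgorithms) ; i++)` writing into `specIdEvent->digestSizes[i]` with no check against the array's capacity, so a malformed or hostile measurement log can write past the end of digestSizes before the buffer runs dry (the event buffer only has to hold 4 bytes per claimed algorithm). The declaration of digestSizes is in eventlib.h outside this hunk, but unless it is sized for every uint32_t value a bound is needed right after the count is unmarshalled: `if ((rc == 0) && (specIdEvent->numberOfAlgorithms > sizeof(specIdEvent->digestSizes) / sizeof(specIdEvent->digestSizes[0]))) { rc = TPM_RC_SIZE; }`. The same unmarshal accepts vendorInfoSize == 0, and TSS_SpecIdEvent_Trace() then indexes `specIdEvent->vendorInfo[specIdEvent->vendorInfoSize-1]`, which is vendorInfo[-1]; guard it with `if ((specIdEvent->vendorInfoSize > 0) && (specIdEvent->vendorInfo[specIdEvent->vendorInfoSize-1] == '\0'))`. Separately, in TSS_EVENT2_PCR_Extend() the bank search `for (bankNum = 0 ; (rc == 0) && (bankNum < event2->digests.count) ; bankNum++)` bounds the bank index by the entry's digest count rather than by HASH_COUNT, so an entry carrying fewer digests than there are banks can never match the later banks; this looks like it should be `bankNum < HASH_COUNT`.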
diff --git a/libstb/tss2/ibmtpm20tss/utils/eventlib.h b/libstb/tss2/ibmtpm20tss/utils/eventlib.h
new file mode 100644
index 0000000..fc69ef9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/eventlib.h
@@ -0,0 +1,212 @@
+/********************************************************************************/
+/* */
+/* TPM2 Measurement Log Common Routines */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef EVENTLIB_H
+#define EVENTLIB_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/TPM_Types.h>
+
+#define TCG_EVENT_LEN_MAX 0x10000
+
+#define EV_PREBOOT_CERT 0x00
+#define EV_POST_CODE 0x01
+#define EV_UNUSED 0x02
+#define EV_NO_ACTION 0x03
+#define EV_SEPARATOR 0x04
+#define EV_ACTION 0x05
+#define EV_EVENT_TAG 0x06
+#define EV_S_CRTM_CONTENTS 0x07
+#define EV_S_CRTM_VERSION 0x08
+#define EV_CPU_MICROCODE 0x09
+#define EV_PLATFORM_CONFIG_FLAGS 0x0A
+#define EV_TABLE_OF_DEVICES 0x0B
+#define EV_COMPACT_HASH 0x0C
+#define EV_IPL 0x0D
+#define EV_IPL_PARTITION_DATA 0x0E
+#define EV_NONHOST_CODE 0x0F
+#define EV_NONHOST_CONFIG 0x10
+#define EV_NONHOST_INFO 0x11
+#define EV_OMIT_BOOT_DEVICE_EVENTS 0x12
+#define EV_EFI_EVENT_BASE 0x80000000
+#define EV_EFI_VARIABLE_DRIVER_CONFIG 0x80000001
+#define EV_EFI_VARIABLE_BOOT 0x80000002
+#define EV_EFI_BOOT_SERVICES_APPLICATION 0x80000003
+#define EV_EFI_BOOT_SERVICES_DRIVER 0x80000004
+#define EV_EFI_RUNTIME_SERVICES_DRIVER 0x80000005
+#define EV_EFI_GPT_EVENT 0x80000006
+#define EV_EFI_ACTION 0x80000007
+#define EV_EFI_PLATFORM_FIRMWARE_BLOB 0x80000008
+#define EV_EFI_HANDOFF_TABLES 0x80000009
+#define EV_EFI_HCRTM_EVENT 0x80000010
+#define EV_EFI_VARIABLE_AUTHORITY 0x800000E0
+
+/* PCR 0-7 are the BIOS / UEFI / firmware / pre-OS PCRs, set to 10 because a Lenovo TPM 1.2 firmware
+ extends PCR 0-9 */
+#define TPM_BIOS_PCR 10
+
+/* TCG_PCR_EVENT is the TPM 1.2 SHA-1 event log entry format. It is defined in the TCG PC Client
+ Specific Implementation Specification for Conventional BIOS, where it is called
+ TCG_PCClientPCREventStruc. In the PFP, it's called TCG_PCClientPCREvent.
+
+ I renamed it to be consistent with the TPM 2.0 naming.
+ */
+
+typedef struct tdTCG_PCR_EVENT {
+ uint32_t pcrIndex;
+ uint32_t eventType;
+ uint8_t digest[SHA1_DIGEST_SIZE];
+ uint32_t eventDataSize;
+ uint8_t event[TCG_EVENT_LEN_MAX];
+} TCG_PCR_EVENT;
+
+/* TCG_PCR_EVENT2 is the TPM 2.0 hash agile event log entry format. It is defined in the PFP - TCG
+ PC Client Platform Firmware Profile Specification.
+
+ */
+
+typedef struct tdTCG_PCR_EVENT2 {
+ uint32_t pcrIndex;
+ uint32_t eventType;
+ TPML_DIGEST_VALUES digests;
+ uint32_t eventSize;
+ uint8_t event[TCG_EVENT_LEN_MAX];
+} TCG_PCR_EVENT2;
+
+/* TCG_EfiSpecIdEventAlgorithmSize is a hash agile mapping of algorithmId to digestSize. It is part
+ of the first event log entry. It permits a parser to unmarshal an event log that contains hash
+ algorithms that are unknown to the parser. */
+
+typedef struct tdTCG_EfiSpecIdEventAlgorithmSize {
+ uint16_t algorithmId;
+ uint16_t digestSize;
+} TCG_EfiSpecIdEventAlgorithmSize;
+
+/* TCG_EfiSpecIDEvent is the event field of the first TCG_PCR_EVENT entry in a hash agile TPM 2.0
+ format log.
+
+ NOTE: If vendorInfo is ever changed to less than 0xff, unmarshal needs a range check on
+ vendorInfoSize.
+*/
+
+typedef struct tdTCG_EfiSpecIdEvent {
+ uint8_t signature[16];
+ uint32_t platformClass;
+ uint8_t specVersionMinor;
+ uint8_t specVersionMajor;
+ uint8_t specErrata;
+ uint8_t uintnSize;
+ uint32_t numberOfAlgorithms;
+ TCG_EfiSpecIdEventAlgorithmSize digestSizes[HASH_COUNT];
+ uint8_t vendorInfoSize;
+ uint8_t vendorInfo[0xff];
+} TCG_EfiSpecIDEvent;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef TPM_TSS_NOFILE
+ int TSS_EVENT_Line_Read(TCG_PCR_EVENT *event,
+ int *endOfFile,
+ FILE *inFile);
+
+#endif /* TPM_TSS_NOFILE */
+ TPM_RC TSS_EVENT_Line_Marshal(TCG_PCR_EVENT *source,
+ uint16_t *written, uint8_t **buffer, uint32_t *size);
+
+ TPM_RC TSS_EVENT_Line_Unmarshal(TCG_PCR_EVENT *event, BYTE **buffer, uint32_t *size);
+
+ TPM_RC TSS_EVENT_Line_LE_Unmarshal(TCG_PCR_EVENT *target, BYTE **buffer, uint32_t *size);
+
+#ifndef TPM_TSS_NOCRYPTO
+
+ TPM_RC TSS_EVENT_PCR_Extend(TPMT_HA pcrs[IMPLEMENTATION_PCR],
+ TCG_PCR_EVENT *event);
+#endif /* TPM_TSS_NOCRYPTO */
+
+ void TSS_EVENT_Line_Trace(TCG_PCR_EVENT *event);
+
+#ifndef TPM_TSS_NOFILE
+ int TSS_EVENT2_Line_Read(TCG_PCR_EVENT2 *event2,
+ int *endOfFile,
+ FILE *inFile);
+
+#endif /* TPM_TSS_NOFILE */
+ TPM_RC TSS_EVENT2_Line_Marshal(TCG_PCR_EVENT2 *source, uint16_t *written,
+ uint8_t **buffer, uint32_t *size);
+
+ TPM_RC TSS_EVENT2_Line_LE_Marshal(TCG_PCR_EVENT2 *source, uint16_t *written,
+ uint8_t **buffer, uint32_t *size);
+
+
+ TPM_RC TSS_EVENT2_Line_Unmarshal(TCG_PCR_EVENT2 *target, BYTE **buffer, uint32_t *size);
+
+ TPM_RC TSS_EVENT2_Line_LE_Unmarshal(TCG_PCR_EVENT2 *target, BYTE **buffer, uint32_t *size);
+
+
+#ifndef TPM_TSS_NOCRYPTO
+ TPM_RC TSS_EVENT2_PCR_Extend(TPMT_HA pcrs[HASH_COUNT][IMPLEMENTATION_PCR],
+ TCG_PCR_EVENT2 *event2);
+#endif
+
+ void TSS_EVENT2_Line_Trace(TCG_PCR_EVENT2 *event);
+
+ TPM_RC TSS_SpecIdEvent_Unmarshal(TCG_EfiSpecIDEvent *specIdEvent,
+ uint32_t eventSize,
+ uint8_t *event);
+
+ void TSS_SpecIdEvent_Trace(TCG_EfiSpecIDEvent *specIdEvent);
+
+ const char *TSS_EVENT_EventTypeToString(uint32_t eventType);
+
+ TPM_RC TSS_UINT32LE_Marshal(const UINT32 *source, uint16_t *written,
+ BYTE **buffer, uint32_t *size);
+
+ TPM_RC TSS_UINT16LE_Marshalu(const UINT16 *source, uint16_t *written,
+ BYTE **buffer, uint32_t *size);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/eventsequencecomplete.c b/libstb/tss2/ibmtpm20tss/utils/eventsequencecomplete.c
new file mode 100644
index 0000000..a78bb96
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/eventsequencecomplete.c
@@ -0,0 +1,399 @@
+/********************************************************************************/
+/* */
+/* EventSequenceComplete */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ EventSequenceComplete_In in;
+ EventSequenceComplete_Out out;
+ TPMI_DH_PCR pcrHandle = TPM_RH_NULL;
+ TPMI_DH_OBJECT sequenceHandle = 0;
+ const char *inFilename = NULL;
+ const char *outFilename1 = NULL; /* for sha1 */
+ const char *outFilename2 = NULL; /* for sha256 */
+ const char *outFilename3 = NULL; /* for sha384 */
+ const char *outFilename5 = NULL; /* for sha512 */
+ int process1 = FALSE; /* these catch the case */
+ int process2 = FALSE; /* where an output file was */
+ int process3 = FALSE; /* specified but the TPM did */
+ int process5 = FALSE; /* not return the algorithm */
+ const char *sequencePassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RS_PW;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%u", &pcrHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hs") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sequenceHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwds") == 0) {
+ i++;
+ if (i < argc) {
+ sequencePassword = argv[i];
+ }
+ else {
+ printf("-pwds option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ inFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-of1") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename1 = argv[i];
+ process1 = TRUE;
+ } else {
+ printf("-of1 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-of2") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename2 = argv[i];
+ process2 = TRUE;
+ } else {
+ printf("-of2 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-of3") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename3 = argv[i];
+ process3 = TRUE;
+ } else {
+ printf("-of3 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-of5") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename5 = argv[i];
+ process5 = TRUE;
+ } else {
+ printf("-of5 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (sequenceHandle == 0) {
+ printf("Missing sequence handle parameter -hs\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ if (inFilename != NULL) {
+ rc = TSS_File_Read2B(&in.buffer.b,
+ sizeof(in.buffer.t.buffer),
+ inFilename);
+ }
+ else {
+ in.buffer.b.size = 0;
+ }
+ }
+ if (rc == 0) {
+ in.pcrHandle = pcrHandle;
+ in.sequenceHandle = sequenceHandle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_EventSequenceComplete,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, sequencePassword, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ uint32_t c;
+ printf("eventsequencecomplete: success\n");
+ /* Table 100 - Definition of TPML_DIGEST_VALUES Structure */
+ /* Table 71 - Definition of TPMT_HA Structure <IN/OUT> digests[] */
+ /* Table 70 - Definition of TPMU_HA Union <IN/OUT, S> digests */
+ printf("eventsequencecomplete: count %u\n", out.results.count);
+
+ for (c = 0 ; c < out.results.count ;c++) {
+ switch (out.results.digests[c].hashAlg) {
+ case TPM_ALG_SHA1:
+ if (tssUtilsVerbose) printf("Hash algorithm SHA-1\n");
+ if (tssUtilsVerbose) TSS_PrintAll("Digest",
+ (uint8_t *)&out.results.digests[c].digest.sha1,
+ SHA1_DIGEST_SIZE);
+ if (outFilename1 != NULL) {
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&out.results.digests[c].digest.sha1,
+ SHA1_DIGEST_SIZE,
+ outFilename1);
+ process1 = FALSE;
+ }
+ break;
+ case TPM_ALG_SHA256:
+ if (tssUtilsVerbose) printf("Hash algorithm SHA-256\n");
+ if (tssUtilsVerbose) TSS_PrintAll("Digest",
+ (uint8_t *)&out.results.digests[c].digest.sha256,
+ SHA256_DIGEST_SIZE);
+ if (outFilename2 != NULL) {
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&out.results.digests[c].digest.sha256,
+ SHA256_DIGEST_SIZE,
+ outFilename2);
+ process2 = FALSE;
+ }
+ break;
+ case TPM_ALG_SHA384:
+ if (tssUtilsVerbose) printf("Hash algorithm SHA-384\n");
+ if (tssUtilsVerbose) TSS_PrintAll("Digest",
+ (uint8_t *)&out.results.digests[c].digest.sha384,
+ SHA384_DIGEST_SIZE);
+ if (outFilename3 != NULL) {
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&out.results.digests[c].digest.sha384,
+ SHA384_DIGEST_SIZE,
+ outFilename3);
+ process3 = FALSE;
+ }
+ break;
+ case TPM_ALG_SHA512:
+ if (tssUtilsVerbose) printf("Hash algorithm SHA-512\n");
+ if (tssUtilsVerbose) TSS_PrintAll("Digest",
+ (uint8_t *)&out.results.digests[c].digest.sha512,
+ SHA512_DIGEST_SIZE);
+ if (outFilename5 != NULL) {
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&out.results.digests[c].digest.sha512,
+ SHA512_DIGEST_SIZE,
+ outFilename5);
+ process5 = FALSE;
+ }
+ break;
+ default:
+ printf("Hash algorithm %04x unknown\n", out.results.digests[c].hashAlg);
+ break;
+ }
+ }
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("eventsequencecomplete: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ if (rc == 0) {
+ if (process1) {
+ printf("-of1 specified but TPM did not return SHA-1\n");
+ rc = EXIT_FAILURE;
+ }
+ if (process2) {
+ printf("-of2 specified but TPM did not return SHA-256\n");
+ rc = EXIT_FAILURE;
+ }
+ if (process3) {
+ printf("-of3 specified but TPM did not return SHA-384\n");
+ rc = EXIT_FAILURE;
+ }
+ if (process5) {
+ printf("-of5 specified but TPM did not return SHA-512\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("eventsequencecomplete\n");
+ printf("\n");
+ printf("Runs TPM2_EventSequenceComplete\n");
+ printf("\n");
+ printf("\t[-ha\tpcr handle (default NULL)]\n");
+ printf("\t-hs\tsequence handle\n");
+ printf("\t[-pwds\tpassword for sequence (default empty)]\n");
+ printf("\t[-if\tinput file to be added (default no data)]\n");
+ printf("\t[-of1\tsha1 output digest file (default do not save)]\n");
+ printf("\t[-of2\tsha256 output digest file (default do not save)]\n");
+ printf("\t[-of3\tsha384 output digest file (default do not save)]\n");
+ printf("\t[-of5\tsha512 output digest file (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/evictcontrol.c b/libstb/tss2/ibmtpm20tss/utils/evictcontrol.c
new file mode 100644
index 0000000..fb43f9a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/evictcontrol.c
@@ -0,0 +1,279 @@
+/********************************************************************************/
+/* */
+/* EvictControl */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ TPMI_DH_OBJECT objectHandle = 0;
+ TPMI_DH_PERSISTENT persistentHandle = 0;
+ EvictControl_In in;
+ char authHandleChar = 0;
+ const char *authPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ authHandleChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ho") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &objectHandle);
+ }
+ else {
+ printf("Missing parameter for -ho\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-hp") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &persistentHandle);
+ }
+ else {
+ printf("Missing parameter for -hp\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (objectHandle == 0) {
+ printf("Missing handle parameter -ho\n");
+ printUsage();
+ }
+ if (persistentHandle == 0) {
+ printf("Missing handle parameter -hp\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ if (authHandleChar == 'o') {
+ in.auth = TPM_RH_OWNER;
+ }
+ else if (authHandleChar == 'p') {
+ in.auth = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("Missing or illegal -hi\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ in.objectHandle = objectHandle;
+ in.persistentHandle = persistentHandle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_EvictControl,
+ sessionHandle0, authPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("evictcontrol: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("evictcontrol: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("evictcontrol\n");
+ printf("\n");
+ printf("Runs TPM2_EvictControl\n");
+ printf("\n");
+ printf("\t-hi\tauthhandle hierarchy (o, p)\n");
+ printf("\t\to owner, p platform\n");
+ printf("\t-ho\tobject handle\n");
+ printf("\t\tif transient: make persistent, if persistent: flush\n");
+ printf("\t-hp\tpersistent handle\n");
+ printf("\t\towner 81000000 to 817FFFFF\n");
+ printf("\t\tplatform 81800000 to 81FFFFFF\n");
+ printf("\t-pwda\tauthorization password (default empty)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/flushcontext.c b/libstb/tss2/ibmtpm20tss/utils/flushcontext.c
new file mode 100644
index 0000000..bede6b7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/flushcontext.c
@@ -0,0 +1,143 @@
+/********************************************************************************/
+/* */
+/* Flush Context */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ uint32_t handle = 0;
+ FlushContext_In in;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&handle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (handle == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.flushHandle = handle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_FlushContext,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("flushcontext: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("flushcontext: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("flushcontext\n");
+ printf("\n");
+ printf("Runs TPM2_FlushContext\n");
+ printf("\n");
+ printf("\t-ha\thandle\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/getcapability.c b/libstb/tss2/ibmtpm20tss/utils/getcapability.c
new file mode 100644
index 0000000..c915b53
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/getcapability.c
@@ -0,0 +1,819 @@
+/********************************************************************************/
+/* */
+/* Get Capability */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(TPM_CAP capability);
+static TPM_RC printResponse(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ TPM_CAP capability = TPM_CAP_LAST + 1; /* invalid */
+ uint32_t property = 0; /* default, start at first one */
+ uint32_t propertyCount = 64; /* default, return 64 values */
+ GetCapability_In in;
+ GetCapability_Out out;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-cap") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &capability);
+ }
+ else {
+ printf("Missing parameter for -cap\n");
+ printUsage(capability);
+ }
+
+ }
+ else if (strcmp(argv[i],"-pr") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &property);
+ }
+ else {
+ printf("Missing parameter for -pr\n");
+ printUsage(capability);
+ }
+
+ }
+ else if (strcmp(argv[i],"-pc") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%u", &propertyCount);
+ }
+ else {
+ printf("Missing parameter for -pc\n");
+ printUsage(capability);
+ }
+
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage(capability);
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage(capability);
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage(capability);
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage(capability);
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage(capability);
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage(capability);
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage(capability);
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage(capability);
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage(capability);
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage(capability);
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage(capability);
+ }
+ }
+ if (capability > TPM_CAP_LAST) {
+ printf("Missing or illegal parameter -cap\n");
+ printUsage(capability);
+ }
+ if (rc == 0) {
+ in.capability = capability;
+ in.property = property;
+ in.propertyCount = propertyCount;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_GetCapability,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (out.moreData > 0) {
+ printf("moreData: %u\n", out.moreData);
+ }
+ rc = printResponse(&out.capabilityData, property);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("getcapability: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("getcapability: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+typedef void (* USAGE_FUNCTION)(void);
+typedef TPM_RC (* RESPONSE_FUNCTION)(TPMS_CAPABILITY_DATA *out, uint32_t property);
+
+typedef struct {
+ TPM_CAP capability;
+ USAGE_FUNCTION usageFunction;
+ RESPONSE_FUNCTION responseFunction;
+} CAPABILITY_TABLE;
+
+static void usageCapability(void);
+static void usageAlgs(void);
+static void usageHandles(void);
+static void usageCommands(void);
+static void usagePpCommands(void);
+static void usageAuditCommands(void);
+static void usagePcrs(void);
+static void usageTpmProperties(void);
+static void usagePcrProperties(void);
+static void usageEccCurves(void);
+static void usageAuthPolicies(void);
+
+static TPM_RC responseCapability(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+static TPM_RC responseAlgs(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+static TPM_RC responseHandles(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+static TPM_RC responseCommands(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+static TPM_RC responsePpCommands(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+static TPM_RC responseAuditCommands(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+static TPM_RC responsePcrs(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+static TPM_RC responseTpmProperties(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+static TPM_RC responsePcrProperties(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+static TPM_RC responseEccCurves(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+static TPM_RC responseAuthPolicies(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property);
+
+static const CAPABILITY_TABLE capabilityTable [] = {
+ {TPM_CAP_LAST + 1, usageCapability, responseCapability},
+ {TPM_CAP_ALGS, usageAlgs, responseAlgs} ,
+ {TPM_CAP_HANDLES, usageHandles, responseHandles} ,
+ {TPM_CAP_COMMANDS, usageCommands, responseCommands} ,
+ {TPM_CAP_PP_COMMANDS, usagePpCommands, responsePpCommands} ,
+ {TPM_CAP_AUDIT_COMMANDS, usageAuditCommands, responseAuditCommands},
+ {TPM_CAP_PCRS, usagePcrs, responsePcrs} ,
+ {TPM_CAP_TPM_PROPERTIES, usageTpmProperties, responseTpmProperties},
+ {TPM_CAP_PCR_PROPERTIES, usagePcrProperties, responsePcrProperties},
+ {TPM_CAP_ECC_CURVES, usageEccCurves, responseEccCurves},
+ {TPM_CAP_AUTH_POLICIES, usageAuthPolicies, responseAuthPolicies}
+};
+
+static TPM_RC printResponse(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ size_t i;
+
+ /* call the response function in the capability table */
+ for (i = 0 ; i < (sizeof(capabilityTable) / sizeof(CAPABILITY_TABLE)) ; i++) {
+ if (capabilityTable[i].capability == capabilityData->capability) {
+ rc = capabilityTable[i].responseFunction(capabilityData, property);
+ }
+ }
+ return rc;
+}
+
+static TPM_RC responseCapability(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ property = property;
+ printf("Cannot parse illegal response capability %08x\n", capabilityData->capability);
+ rc = TPM_RC_VALUE;
+ return rc;
+}
+
+static TPM_RC responseAlgs(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ uint32_t count;
+ TPML_ALG_PROPERTY *algorithms = (TPML_ALG_PROPERTY *)&(capabilityData->data);
+ property = property;
+
+ printf("%u algorithms \n", algorithms->count);
+ for (count = 0 ; count < algorithms->count ; count++) {
+ TPMS_ALG_PROPERTY *algProperties = &(algorithms->algProperties[count]);
+ TSS_TPM_ALG_ID_Print("", algProperties->alg, 2);
+ TSS_TPM_TPMA_ALGORITHM_Print(algProperties->algProperties, 4);
+ }
+ return rc;
+}
+
+static TPM_RC responseHandles(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ uint32_t count;
+ TPML_HANDLE *handles = (TPML_HANDLE *)&(capabilityData->data);
+ property = property;
+
+ printf("%u handles\n", handles->count);
+ for (count = 0 ; count < handles->count ; count++) {
+ printf("\t%08x\n", handles->handle[count]);
+ }
+ return rc;
+}
+
+static TPM_RC responseCommands(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ uint32_t count;
+ TPML_CCA *command = (TPML_CCA *)&(capabilityData->data);
+ property = property;
+
+ printf("%u commands\n", command->count);
+ for (count = 0 ; count < command->count ; count++) {
+ printf("\tcommand Attributes %08x\n", command->commandAttributes[count].val);
+ }
+ return rc;
+}
+
+static TPM_RC responsePpCommands(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ uint32_t count;
+ TPML_CC *command = (TPML_CC *)&(capabilityData->data);
+ property = property;
+
+ printf("%u commands\n", command->count);
+ for (count = 0 ; count < command->count ; count++) {
+ printf("\tPP command %08x\n", command->commandCodes[count]);
+ }
+ return rc;
+}
+
+static TPM_RC responseAuditCommands(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ uint32_t count;
+ TPML_CC *command = (TPML_CC *)&(capabilityData->data);
+ property = property;
+
+ printf("%u commands\n", command->count);
+ for (count = 0 ; count < command->count ; count++) {
+ printf("\tAudit command %08x\n", command->commandCodes[count]);
+ }
+ return rc;
+}
+
+static TPM_RC responsePcrs(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ uint32_t count;
+ TPML_PCR_SELECTION *pcrSelection = (TPML_PCR_SELECTION *)&(capabilityData->data);
+ property = property;
+
+ printf("%u PCR selections\n", pcrSelection->count);
+ for (count = 0 ; count < pcrSelection->count ; count++) {
+ TSS_TPMS_PCR_SELECTION_Print(&pcrSelection->pcrSelections[count], 2);
+ }
+ return rc;
+}
+
+typedef struct {
+ TPM_PT pt;
+ const char *ptText;
+} PT_TABLE;
+
+static PT_TABLE ptTable [] = {
+ {(PT_FIXED + 0),"TPM_PT_FAMILY_INDICATOR - a 4-octet character string containing the TPM Family value (TPM_SPEC_FAMILY)"},
+ {(PT_FIXED + 1), "TPM_PT_LEVEL - the level of the specification"},
+ {(PT_FIXED + 2), "TPM_PT_REVISION - the specification Revision times 100"},
+ {(PT_FIXED + 3), "TPM_PT_DAY_OF_YEAR - the specification day of year using TCG calendar"},
+ {(PT_FIXED + 4), "TPM_PT_YEAR - the specification year using the CE"},
+ {(PT_FIXED + 5), "TPM_PT_MANUFACTURER - the vendor ID unique to each TPM manufacturer "},
+ {(PT_FIXED + 6), "TPM_PT_VENDOR_STRING_1 - the first four characters of the vendor ID string"},
+ {(PT_FIXED + 7), "TPM_PT_VENDOR_STRING_2 - the second four characters of the vendor ID string "},
+ {(PT_FIXED + 8), "TPM_PT_VENDOR_STRING_3 - the third four characters of the vendor ID string "},
+ {(PT_FIXED + 9), "TPM_PT_VENDOR_STRING_4 - the fourth four characters of the vendor ID sting "},
+ {(PT_FIXED + 10), "TPM_PT_VENDOR_TPM_TYPE - vendor-defined value indicating the TPM model "},
+ {(PT_FIXED + 11), "TPM_PT_FIRMWARE_VERSION_1 - the most-significant 32 bits of a TPM vendor-specific value indicating the version number of the firmware"},
+ {(PT_FIXED + 12), "TPM_PT_FIRMWARE_VERSION_2 - the least-significant 32 bits of a TPM vendor-specific value indicating the version number of the firmware"},
+ {(PT_FIXED + 13), "TPM_PT_INPUT_BUFFER - the maximum size of a parameter (typically, a TPM2B_MAX_BUFFER)"},
+ {(PT_FIXED + 14), "TPM_PT_HR_TRANSIENT_MIN - the minimum number of transient objects that can be held in TPM RAM"},
+ {(PT_FIXED + 15), "TPM_PT_HR_PERSISTENT_MIN - the minimum number of persistent objects that can be held in TPM NV memory"},
+ {(PT_FIXED + 16), "TPM_PT_HR_LOADED_MIN - the minimum number of authorization sessions that can be held in TPM RAM"},
+ {(PT_FIXED + 17), "TPM_PT_ACTIVE_SESSIONS_MAX - the number of authorization sessions that may be active at a time"},
+ {(PT_FIXED + 18), "TPM_PT_PCR_COUNT - the number of PCR implemented"},
+ {(PT_FIXED + 19), "TPM_PT_PCR_SELECT_MIN - the minimum number of octets in a TPMS_PCR_SELECT.sizeOfSelect"},
+ {(PT_FIXED + 20), "TPM_PT_CONTEXT_GAP_MAX - the maximum allowed difference (unsigned) between the contextID values of two saved session contexts"},
+ {(PT_FIXED + 22), "TPM_PT_NV_COUNTERS_MAX - the maximum number of NV Indexes that are allowed to have the TPMA_NV_COUNTER attribute SET"},
+ {(PT_FIXED + 23), "TPM_PT_NV_INDEX_MAX - the maximum size of an NV Index data area"},
+ {(PT_FIXED + 24), "TPM_PT_MEMORY - a TPMA_MEMORY indicating the memory management method for the TPM"},
+ {(PT_FIXED + 25), "TPM_PT_CLOCK_UPDATE - interval, in milliseconds, between updates to the copy of TPMS_CLOCK_INFO.clock in NV"},
+ {(PT_FIXED + 26), "TPM_PT_CONTEXT_HASH - the algorithm used for the integrity HMAC on saved contexts and for hashing the fuData of TPM2_FirmwareRead()"},
+ {(PT_FIXED + 27), "TPM_PT_CONTEXT_SYM - TPM_ALG_ID, the algorithm used for encryption of saved contexts"},
+ {(PT_FIXED + 28), "TPM_PT_CONTEXT_SYM_SIZE - TPM_KEY_BITS, the size of the key used for encryption of saved contexts"},
+ {(PT_FIXED + 29), "TPM_PT_ORDERLY_COUNT - the modulus - 1 of the count for NV update of an orderly counter"},
+ {(PT_FIXED + 30), "TPM_PT_MAX_COMMAND_SIZE - the maximum value for commandSize in a command"},
+ {(PT_FIXED + 31), "TPM_PT_MAX_RESPONSE_SIZE - the maximum value for responseSize in a response"},
+ {(PT_FIXED + 32), "TPM_PT_MAX_DIGEST - the maximum size of a digest that can be produced by the TPM"},
+ {(PT_FIXED + 33), "TPM_PT_MAX_OBJECT_CONTEXT - the maximum size of an object context that will be returned by TPM2_ContextSave"},
+ {(PT_FIXED + 34), "TPM_PT_MAX_SESSION_CONTEXT - the maximum size of a session context that will be returned by TPM2_ContextSave"},
+ {(PT_FIXED + 35), "TPM_PT_PS_FAMILY_INDICATOR - platform-specific family (a TPM_PS value)(see Table 24)"},
+ {(PT_FIXED + 36), "TPM_PT_PS_LEVEL - the level of the platform-specific specification"},
+ {(PT_FIXED + 37), "TPM_PT_PS_REVISION - the specification Revision times 100 for the platform-specific specification"},
+ {(PT_FIXED + 38), "TPM_PT_PS_DAY_OF_YEAR - the platform-specific specification day of year using TCG calendar"},
+ {(PT_FIXED + 39), "TPM_PT_PS_YEAR - the platform-specific specification year using the CE"},
+ {(PT_FIXED + 40), "TPM_PT_SPLIT_MAX - the number of split signing operations supported by the TPM"},
+ {(PT_FIXED + 41), "TPM_PT_TOTAL_COMMANDS - total number of commands implemented in the TPM"},
+ {(PT_FIXED + 42), "TPM_PT_LIBRARY_COMMANDS - number of commands from the TPM library that are implemented"},
+ {(PT_FIXED + 43), "TPM_PT_VENDOR_COMMANDS - number of vendor commands that are implemented"},
+ {(PT_FIXED + 44), "TPM_PT_NV_BUFFER_MAX - the maximum data size in one NV write command"},
+ {(PT_FIXED + 45) ,"TPM_PT_MODES - a TPMA_MODES value, indicating that the TPM is designed for these modes"},
+ {(PT_FIXED + 46) ,"TPM_PT_MAX_CAP_BUFFER - the maximum size of a TPMS_CAPABILITY_DATA structure returned in TPM2_GetCapability"},
+ {(PT_VAR + 0), "TPM_PT_PERMANENT - TPMA_PERMANENT "},
+ {(PT_VAR + 1), "TPM_PT_STARTUP_CLEAR - TPMA_STARTUP_CLEAR "},
+ {(PT_VAR + 2), "TPM_PT_HR_NV_INDEX - the number of NV Indexes currently defined "},
+ {(PT_VAR + 3), "TPM_PT_HR_LOADED - the number of authorization sessions currently loaded into TPM RAM"},
+ {(PT_VAR + 4), "TPM_PT_HR_LOADED_AVAIL - the number of additional authorization sessions, of any type, that could be loaded into TPM RAM"},
+ {(PT_VAR + 5), "TPM_PT_HR_ACTIVE - the number of active authorization sessions currently being tracked by the TPM"},
+ {(PT_VAR + 6), "TPM_PT_HR_ACTIVE_AVAIL - the number of additional authorization sessions, of any type, that could be created"},
+ {(PT_VAR + 7), "TPM_PT_HR_TRANSIENT_AVAIL - estimate of the number of additional transient objects that could be loaded into TPM RAM"},
+ {(PT_VAR + 8), "TPM_PT_HR_PERSISTENT - the number of persistent objects currently loaded into TPM NV memory"},
+ {(PT_VAR + 9), "TPM_PT_HR_PERSISTENT_AVAIL - the number of additional persistent objects that could be loaded into NV memory"},
+ {(PT_VAR + 10), "TPM_PT_NV_COUNTERS - the number of defined NV Indexes that have NV TPMA_NV_COUNTER attribute SET"},
+ {(PT_VAR + 11), "TPM_PT_NV_COUNTERS_AVAIL - the number of additional NV Indexes that can be defined with their TPMA_NV_COUNTER and TPMA_NV_ORDERLY attribute SET"},
+ {(PT_VAR + 12), "TPM_PT_ALGORITHM_SET - code that limits the algorithms that may be used with the TPM"},
+ {(PT_VAR + 13), "TPM_PT_LOADED_CURVES - the number of loaded ECC curves "},
+ {(PT_VAR + 14), "TPM_PT_LOCKOUT_COUNTER - the current value of the lockout counter (failedTries) "},
+ {(PT_VAR + 15), "TPM_PT_MAX_AUTH_FAIL - the number of authorization failures before DA lockout is invoked"},
+ {(PT_VAR + 16), "TPM_PT_LOCKOUT_INTERVAL - the number of seconds before the value reported by TPM_PT_LOCKOUT_COUNTER is decremented"},
+ {(PT_VAR + 17), "TPM_PT_LOCKOUT_RECOVERY - the number of seconds after a lockoutAuth failure before use of lockoutAuth may be attempted again"},
+ {(PT_VAR + 18), "TPM_PT_NV_WRITE_RECOVERY - number of milliseconds before the TPM will accept another command that will modify NV"},
+ {(PT_VAR + 19), "TPM_PT_AUDIT_COUNTER_0 - the high-order 32 bits of the command audit counter "},
+ {(PT_VAR + 20), "TPM_PT_AUDIT_COUNTER_1 - the low-order 32 bits of the command audit counter"},
+};
+
+static char get8(uint32_t value32, size_t offset);
+static uint16_t get16(uint32_t value32, size_t offset);
+
+/* get8() gets a char from a uint32_t at offset */
+
+static char get8(uint32_t value32, size_t offset)
+{
+ char value8 = (uint8_t)((value32 >> ((3 - offset) * 8)) & 0xff);
+ return value8;
+}
+
+/* get16() gets a uint16_t from a uint32_t at offset */
+
+static uint16_t get16(uint32_t value32, size_t offset)
+{
+ uint16_t value16 = (uint16_t)((value32 >> ((1 - offset) * 16)) & 0xffff);
+ return value16;
+}
+
+static TPM_RC responseTpmProperties(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ uint32_t count;
+ TPML_TAGGED_TPM_PROPERTY *tpmProperties = (TPML_TAGGED_TPM_PROPERTY *)&(capabilityData->data);
+ property = property;
+
+ printf("%u properties\n", tpmProperties->count);
+ for (count = 0 ; count < tpmProperties->count ; count++) {
+ TPMS_TAGGED_PROPERTY *tpmProperty = &(tpmProperties->tpmProperty[count]);
+ const char *ptText = NULL;
+ size_t i;
+ for (i = 0 ; i < (sizeof(ptTable) / sizeof(PT_TABLE)) ; i++) {
+ if (tpmProperty->property == ptTable[i].pt) {
+ ptText = ptTable[i].ptText;
+ break;
+ }
+ }
+ if (ptText == NULL) {
+ ptText = "PT unknown";
+ }
+ printf("TPM_PT %08x value %08x %s\n", tpmProperty->property, tpmProperty->value, ptText);
+ switch (tpmProperty->property) {
+ char c;
+ case TPM_PT_FAMILY_INDICATOR:
+ printf("\tTPM ");
+ for (i = 0 ; i < sizeof(uint32_t) ; i++) {
+ c = get8(tpmProperty->value, i);
+ printf("%c", c);
+ }
+ printf("\n");
+ break;
+ case TPM_PT_REVISION:
+ printf("\trev %u\n", tpmProperty->value);
+ break;
+ case TPM_PT_DAY_OF_YEAR:
+ case TPM_PT_YEAR:
+ case TPM_PT_INPUT_BUFFER:
+ case TPM_PT_ACTIVE_SESSIONS_MAX:
+ case TPM_PT_PCR_COUNT:
+ case TPM_PT_NV_INDEX_MAX:
+ case TPM_PT_CLOCK_UPDATE:
+ case TPM_PT_CONTEXT_SYM_SIZE:
+ case TPM_PT_MAX_COMMAND_SIZE:
+ case TPM_PT_MAX_RESPONSE_SIZE:
+ case TPM_PT_MAX_DIGEST:
+ case TPM_PT_MAX_OBJECT_CONTEXT:
+ case TPM_PT_MAX_SESSION_CONTEXT:
+ case TPM_PT_PS_DAY_OF_YEAR:
+ case TPM_PT_PS_YEAR:
+ case TPM_PT_SPLIT_MAX:
+ case TPM_PT_TOTAL_COMMANDS:
+ case TPM_PT_LIBRARY_COMMANDS:
+ case TPM_PT_VENDOR_COMMANDS:
+ case TPM_PT_NV_BUFFER_MAX:
+ case TPM_PT_MAX_CAP_BUFFER:
+
+ case TPM_PT_HR_ACTIVE_AVAIL:
+ case TPM_PT_HR_PERSISTENT_AVAIL:
+ case TPM_PT_NV_COUNTERS_AVAIL:
+ printf("\t%u\n", tpmProperty->value);
+ break;
+ case TPM_PT_MANUFACTURER:
+ case TPM_PT_VENDOR_STRING_1:
+ case TPM_PT_VENDOR_STRING_2:
+ case TPM_PT_VENDOR_STRING_3:
+ case TPM_PT_VENDOR_STRING_4:
+ printf("\t");
+ for (i = 0 ; i < sizeof(uint32_t) ; i++) {
+ c = get8(tpmProperty->value, i);
+ printf("%c", c);
+ }
+ printf("\n");
+ break;
+ case TPM_PT_FIRMWARE_VERSION_1:
+ case TPM_PT_FIRMWARE_VERSION_2:
+ printf("\t%u.%u\n", get16(tpmProperty->value, 0), get16(tpmProperty->value, 1));
+ break;
+ case TPM_PT_PS_REVISION:
+ printf("\t%u.%u.%u.%u\n",
+ get8(tpmProperty->value, 0), get8(tpmProperty->value, 1),
+ get8(tpmProperty->value, 2), get8(tpmProperty->value, 3));
+ break;
+ case TPM_PT_CONTEXT_HASH:
+ case TPM_PT_CONTEXT_SYM:
+ TSS_TPM_ALG_ID_Print("algorithm", tpmProperty->value, 4);
+ break;
+ case TPM_PT_MEMORY:
+ {
+ TPMA_MEMORY tmp;
+ tmp.val = tpmProperty->value;
+ TSS_TPMA_MEMORY_Print(tmp, 4);
+ }
+ break;
+ case TPM_PT_MODES :
+ {
+ TPMA_MODES tmp;
+ tmp.val = tpmProperty->value;
+ TSS_TPMA_MODES_Print(tmp, 4);
+ }
+ break;
+ case TPM_PT_PERMANENT:
+ {
+ TPMA_PERMANENT tmp;
+ tmp.val = tpmProperty->value;
+ TSS_TPMA_PERMANENT_Print(tmp, 4);
+ }
+ break;
+ case TPM_PT_STARTUP_CLEAR:
+ {
+ TPMA_STARTUP_CLEAR tmp;
+ tmp.val = tpmProperty->value;
+ TSS_TPMA_STARTUP_CLEAR_Print(tmp, 4);
+ }
+ break;
+ }
+ }
+ return rc;
+}
+
+typedef struct {
+ TPM_PT_PCR ptPcr;
+ const char *ptPcrText;
+} PT_PCR_TABLE;
+
+static PT_PCR_TABLE ptPcrTable [] = {
+ {TPM_PT_PCR_SAVE, "TPM_PT_PCR_SAVE - PCR is saved and restored by TPM_SU_STATE"},
+ {TPM_PT_PCR_EXTEND_L0, "TPM_PT_PCR_EXTEND_L0 - PCR may be extended from locality 0"},
+ {TPM_PT_PCR_RESET_L0, "TPM_PT_PCR_RESET_L0 - PCR may be reset by TPM2_PCR_Reset() from locality 0"},
+ {TPM_PT_PCR_EXTEND_L1, "TPM_PT_PCR_EXTEND_L1 - PCR may be extended from locality 1"},
+ {TPM_PT_PCR_RESET_L1, "TPM_PT_PCR_RESET_L1 - PCR may be reset by TPM2_PCR_Reset() from locality 1"},
+ {TPM_PT_PCR_EXTEND_L2, "TPM_PT_PCR_EXTEND_L2 - PCR may be extended from locality 2"},
+ {TPM_PT_PCR_RESET_L2, "TPM_PT_PCR_RESET_L2 - PCR may be reset by TPM2_PCR_Reset() from locality 2"},
+ {TPM_PT_PCR_EXTEND_L3, "TPM_PT_PCR_EXTEND_L3 - PCR may be extended from locality 3"},
+ {TPM_PT_PCR_RESET_L3, "TPM_PT_PCR_RESET_L3 - PCR may be reset by TPM2_PCR_Reset() from locality 3"},
+ {TPM_PT_PCR_EXTEND_L4, "TPM_PT_PCR_EXTEND_L4 - PCR may be extended from locality 4"},
+ {TPM_PT_PCR_RESET_L4, "TPM_PT_PCR_RESET_L4 - PCR may be reset by TPM2_PCR_Reset() from locality 4"},
+ {TPM_PT_PCR_NO_INCREMENT, "TPM_PT_PCR_NO_INCREMENT - modifications to this PCR (reset or Extend) will not increment the pcrUpdateCounter"},
+ {TPM_PT_PCR_RESET_L4, "TPM_PT_PCR_RESET_L4 - PCR may be reset by TPM2_PCR_Reset() from locality 4"},
+ {TPM_PT_PCR_DRTM_RESET, "TPM_PT_PCR_DRTM_RESET - PCR is reset by a DRTM event"},
+ {TPM_PT_PCR_POLICY, "TPM_PT_PCR_POLICY - PCR is controlled by policy"},
+ {TPM_PT_PCR_AUTH, "TPM_PT_PCR_AUTH - PCR is controlled by an authorization value"}
+};
+
+static TPM_RC responsePcrProperties(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ uint32_t count;
+ TPML_TAGGED_PCR_PROPERTY *pcrProperties = (TPML_TAGGED_PCR_PROPERTY *)&(capabilityData->data);
+ property = property;
+
+ printf("%u properties\n", pcrProperties->count);
+ for (count = 0 ; count < pcrProperties->count ; count++) {
+
+
+ TPMS_TAGGED_PCR_SELECT *pcrProperty = &(pcrProperties->pcrProperty[count]);
+ const char *ptPcrText = NULL;
+ size_t i;
+ for (i = 0 ; i < (sizeof(ptPcrTable) / sizeof(PT_PCR_TABLE)) ; i++) {
+ if (pcrProperty->tag == ptPcrTable[i].ptPcr) { /* the property identifier */
+ ptPcrText = ptPcrTable[i].ptPcrText;
+ break;
+ }
+ }
+ if (ptPcrText == NULL) {
+ ptPcrText = "PT unknown";
+ }
+ printf("TPM_PT_PCR %08x %s\n", pcrProperty->tag, ptPcrText);
+ for (i = 0 ; i < pcrProperty->sizeofSelect ; i++) { /* the size in octets of the
+ pcrSelect array */
+ printf("PCR %u-%u \tpcrSelect\t%02x\n",
+ (unsigned int)i*8, (unsigned int)(i*8) + 7,
+ pcrProperty->pcrSelect[i]);
+ }
+ }
+ return rc;
+}
+
+static TPM_RC responseEccCurves(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ uint32_t count;
+ TPML_ECC_CURVE *eccCurves = (TPML_ECC_CURVE *)&(capabilityData->data);
+ TPM_ECC_CURVE curve;
+ property = property;
+
+ printf("%u curves\n", eccCurves->count);
+ for (count = 0 ; count < eccCurves->count ; count++) {
+ curve = eccCurves->eccCurves[count];
+ TSS_TPM_ECC_CURVE_Print("", curve, 4);
+ }
+ return rc;
+}
+
+static TPM_RC responseAuthPolicies(TPMS_CAPABILITY_DATA *capabilityData, uint32_t property)
+{
+ TPM_RC rc = 0;
+ uint32_t count;
+ TPML_TAGGED_POLICY *authPolicies = (TPML_TAGGED_POLICY *)&(capabilityData->data);
+ property = property;
+
+ printf("%u authPolicies\n", authPolicies->count);
+ for (count = 0 ; count < authPolicies->count ; count++) {
+ TSS_TPMS_TAGGED_POLICY_Print(&authPolicies->policies[count], 4);
+ }
+ return rc;
+}
+
+static void printUsage(TPM_CAP capability)
+{
+ size_t i;
+
+ printf("\n");
+ printf("getcapability\n");
+ printf("\n");
+ printf("Runs TPM2_GetCapability\n");
+ printf("\n");
+ printf("\t-cap\tcapability\n");
+ printf("\t-pr\tproperty (defaults to 0)\n");
+ printf("\t-pc\tpropertyCount (defaults to 64)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t\t01\tcontinue\n");
+ printf("\t\t80\tcommand audit\n");
+ printf("\n");
+
+ /* call the usage function in the capability table */
+ for (i = 0 ; i < (sizeof(capabilityTable) / sizeof(CAPABILITY_TABLE)) ; i++) {
+ if (capabilityTable[i].capability == capability) {
+ capabilityTable[i].usageFunction();
+ exit(1);
+ }
+ }
+ printf("unknown -cap %08x\n", capability);
+ usageCapability();
+ exit(1);
+}
+
+static void usageCapability(void)
+{
+ printf("\t-cap\tvalues\n"
+ "\n"
+ "\t\tTPM_CAP_ALGS 0\n"
+ "\t\tTPM_CAP_HANDLES 1\n"
+ "\t\tTPM_CAP_COMMANDS 2\n"
+ "\t\tTPM_CAP_PP_COMMANDS 3\n"
+ "\t\tTPM_CAP_AUDIT_COMMANDS 4\n"
+ "\t\tTPM_CAP_PCRS 5\n"
+ "\t\tTPM_CAP_TPM_PROPERTIES 6\n"
+ "\t\tTPM_CAP_PCR_PROPERTIES 7\n"
+ "\t\tTPM_CAP_ECC_CURVES 8\n"
+ "\t\tTPM_CAP_AUTH_POLICIES 9\n"
+ );
+ return;
+}
+
+static void usageAlgs(void)
+{
+ printf("TPM_CAP_ALGS -pr not used\n");
+ return;
+}
+
+static void usageHandles(void)
+{
+ printf("TPM_CAP_HANDLES -pr values\n"
+ "\n"
+ "TPM_HT_PCR 00000000\n"
+ "TPM_HT_NV_INDEX 01000000\n"
+ "TPM_HT_LOADED_SESSION 02000000\n"
+ "TPM_HT_SAVED_SESSION 03000000\n"
+ "TPM_HT_PERMANENT 40000000\n"
+ "TPM_HT_TRANSIENT 80000000\n"
+ "TPM_HT_PERSISTENT 81000000\n"
+ );
+ return;
+}
+
+static void usageCommands(void)
+{
+ printf("TPM_CAP_COMMANDS -pr is first command\n");
+ return;
+}
+
+;
+static void usagePpCommands(void)
+{
+ printf("TPM_CAP_PP_COMMANDS -pr is first command\n");
+ return;
+}
+
+static void usageAuditCommands(void)
+{
+ printf("TPM_CAP_AUDIT_COMMANDS -pr is first command\n");
+ return;
+}
+
+static void usagePcrs(void)
+{
+ printf("TPM_CAP_PCRS -pr is not used\n");
+ return;
+}
+
+static void usageTpmProperties(void)
+{
+ printf("TPM_CAP_TPM_PROPERTIES -pr is first property\n");
+ printf("\tPT_FIXED starts at %08x\n", PT_FIXED);
+ printf("\tPT_VAR starts at %08x\n", PT_VAR);
+ return;
+}
+
+static void usagePcrProperties(void)
+{
+ printf("TPM_CAP_PCR_PROPERTIES -pr is the first property\n");
+ return;
+}
+
+static void usageEccCurves(void)
+{
+ printf("TPM_CAP_ECC_CURVES -pr is the first curve\n");
+ return;
+}
+
+static void usageAuthPolicies(void)
+{
+ printf("TPM_CAP_AUTH_POLICIES -pr is the first handle in range 40000000\n");
+ return;
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/getcommandauditdigest.c b/libstb/tss2/ibmtpm20tss/utils/getcommandauditdigest.c
new file mode 100644
index 0000000..a219785
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/getcommandauditdigest.c
@@ -0,0 +1,395 @@
+/********************************************************************************/
+/* */
+/* GetCommandAuditDigest */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ GetCommandAuditDigest_In in;
+ GetCommandAuditDigest_Out out;
+ const char *privacyAdminPassword = NULL;
+ TPMI_DH_OBJECT signHandle = 0;
+ const char *signPassword = NULL;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ const char *signatureFilename = NULL;
+ const char *attestInfoFilename = NULL;
+ const char *qualifyingDataFilename = NULL;
+ TPM_ALG_ID sigAlg = TPM_ALG_RSA;
+ TPMS_ATTEST tpmsAttest;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RS_PW;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwde") == 0) {
+ i++;
+ if (i < argc) {
+ privacyAdminPassword = argv[i];
+ }
+ else {
+ printf("-pwde option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&signHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ signPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-salg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsa") == 0) {
+ sigAlg = TPM_ALG_RSA;
+ }
+ else if (strcmp(argv[i],"ecc") == 0) {
+ sigAlg = TPM_ALG_ECDSA;
+ }
+ else if (strcmp(argv[i],"hmac") == 0) {
+ sigAlg = TPM_ALG_HMAC;
+ }
+ else {
+ printf("Bad parameter %s for -salg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-salg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-os") == 0) {
+ i++;
+ if (i < argc) {
+ signatureFilename = argv[i];
+ }
+ else {
+ printf("-os option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oa") == 0) {
+ i++;
+ if (i < argc) {
+ attestInfoFilename = argv[i];
+ }
+ else {
+ printf("-oa option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-qd") == 0) {
+ i++;
+ if (i < argc) {
+ qualifyingDataFilename = argv[i];
+ }
+ else {
+ printf("-qd option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (signHandle == 0) {
+ printf("Missing sign handle parameter -hk\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ /* Handle of key that authorized the audit */
+ in.privacyHandle = TPM_RH_ENDORSEMENT;
+ in.signHandle = signHandle;
+ if (sigAlg == TPM_ALG_RSA) {
+ /* Table 145 - Definition of TPMT_SIG_SCHEME Structure */
+ in.inScheme.scheme = TPM_ALG_RSASSA;
+ /* Table 144 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+ in.inScheme.details.rsassa.hashAlg = halg;
+ }
+ else if (sigAlg == TPM_ALG_ECDSA) {
+ in.inScheme.scheme = TPM_ALG_ECDSA;
+ in.inScheme.details.ecdsa.hashAlg = halg;
+ }
+ else { /* HMAC */
+ in.inScheme.scheme = TPM_ALG_HMAC;
+ in.inScheme.details.hmac.hashAlg = halg;
+ }
+ }
+ /* data supplied by the caller */
+ if (rc == 0) {
+ if (qualifyingDataFilename != NULL) {
+ rc = TSS_File_Read2B(&in.qualifyingData.b,
+ sizeof(in.qualifyingData.t.buffer),
+ qualifyingDataFilename);
+ }
+ else {
+ in.qualifyingData.t.size = 0;
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_GetCommandAuditDigest,
+ sessionHandle0, privacyAdminPassword, sessionAttributes0,
+ sessionHandle1, signPassword, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ uint8_t *tmpBuffer = out.auditInfo.t.attestationData;
+ uint32_t tmpSize = out.auditInfo.t.size;
+ rc = TSS_TPMS_ATTEST_Unmarshalu(&tpmsAttest, &tmpBuffer, &tmpSize);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMS_ATTEST_Print(&tpmsAttest, 0);
+ }
+ if (rc == 0) {
+ int match;
+ match = TSS_TPM2B_Compare(&in.qualifyingData.b, &tpmsAttest.extraData.b);
+ if (!match) {
+ printf("getcommandauditdigest: failed, extraData != qualifyingData\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ if ((rc == 0) && (signatureFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.signature,
+ (MarshalFunction_t)TSS_TPMT_SIGNATURE_Marshalu,
+ signatureFilename);
+
+
+ }
+ if ((rc == 0) && (attestInfoFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.auditInfo.t.attestationData,
+ out.auditInfo.t.size,
+ attestInfoFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMT_SIGNATURE_Print(&out.signature, 0);
+ if (tssUtilsVerbose) printf("getcommandauditdigest: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("getcommandauditdigest: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("getcommandauditdigest\n");
+ printf("\n");
+ printf("Runs TPM2_GetCommandAuditDigest\n");
+ printf("\n");
+ printf("\t[-pwde\tendorsement hierarchy password (default empty)]\n");
+ printf("\t-hk\tsigning key handle\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
+ printf("\t[-qd\tqualifying data file name]\n");
+ printf("\t[-os\tsignature file name (default do not save)]\n");
+ printf("\t[-oa\tattestation output file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
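Review bot: The `sscanf` calls that parse `-hk` and the `-se[0-2]` handle/attribute values discard their return value, so a malformed hex argument silently leaves the variable at its default (signHandle stays 0 and is only reported later as a missing `-hk`; a bad `-se0` handle silently keeps TPM_RS_PW). Checking the conversion at the option that caused it, e.g. `if (sscanf(argv[i],"%x",&signHandle) != 1) { printf("Bad parameter %s for -hk\n", argv[i]); printUsage(); }`, reports the mistake where it happened instead of as an unrelated error later. The same unchecked pattern appears in the getrandom.c hunk (`-by`, `-se[0-2]`) and the getsessionauditdigest.c hunk (`-hk`, `-hs`, `-se[0-2]`). The comment `/* Handle of key that authorized the audit */` above `in.privacyHandle = TPM_RH_ENDORSEMENT;` is also misleading, since the value is the endorsement hierarchy authorization handle rather than a key handle; `/* privacy administrator: endorsement hierarchy authorization */` would match the code.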
diff --git a/libstb/tss2/ibmtpm20tss/utils/getcryptolibrary.c b/libstb/tss2/ibmtpm20tss/utils/getcryptolibrary.c
new file mode 100644
index 0000000..a42acde
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/getcryptolibrary.c
@@ -0,0 +1,76 @@
+/********************************************************************************/
+/* */
+/* Get Crypto Library Name */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2019 - 2020 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include "cryptoutils.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ const char *name = NULL;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ }
+ getCryptoLibrary(&name);
+ printf("%s\n", name);
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("getcryptolibrary\n");
+ printf("\n");
+ printf("Returns a string indicating the crypto library compiled in.\n");
+ printf("\n");
+ printf("This is used within test scripts.\n");
+ exit(1);
+}
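Review bot: The option loop at `for (i=1 ; (i<argc) && (rc == 0) ; i++)` recognises only `-h`, so any other argument (a typo, or an option copied from a sibling utility) is silently ignored rather than rejected. The other utilities in this series end their option chain with `else { printf("\n%s is not a valid option\n", argv[i]); printUsage(); }`; adding the same branch here keeps the command-line behaviour consistent. It is not visible from this hunk whether `getCryptoLibrary(&name)` can leave `name` NULL; if it can, the following `printf("%s\n", name)` is undefined behaviour and a `name != NULL` check before printing would be worthwhile.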
diff --git a/libstb/tss2/ibmtpm20tss/utils/getrandom.c b/libstb/tss2/ibmtpm20tss/utils/getrandom.c
new file mode 100644
index 0000000..c6c3f31
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/getrandom.c
@@ -0,0 +1,295 @@
+/********************************************************************************/
+/* */
+/* GetRandom */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ GetRandom_In in;
+ GetRandom_Out out;
+ uint32_t bytesRequested = 0;
+ uint32_t bytesCopied;
+ const char *outFilename = NULL;
+ unsigned char *randomBuffer = NULL;
+ int noZeros = FALSE;
+ int noSpace = FALSE;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-by") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%u", &bytesRequested);
+ }
+ else {
+ printf("Missing parameter for -by\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-of") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename = argv[i];
+ }
+ else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nz") == 0) {
+ noZeros = TRUE;
+ }
+ else if (strcmp(argv[i],"-ns") == 0) {
+ noSpace = TRUE;
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((bytesRequested == 0) ||
+ (bytesRequested > 0xffff)) {
+ printf("Missing or bad parameter -by\n");
+ printUsage();
+ }
+ /* allocate a buffer for the bytes requested, add 1 for optional nul terminator */
+ if (rc == 0) {
+ rc = TSS_Malloc(&randomBuffer, bytesRequested + 1); /* freed @1 */
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* This is somewhat optimized, but if a zero byte is obtained in the last pass, an extra pass is
+ needed. The trade-off is that, in general, asking for more random numbers than needed may slow
+ down the TPM. In any case, needing non-zero values for random auth should not happen very
+ often.
+ */
+ for (bytesCopied = 0 ; (rc == 0) && (bytesCopied < bytesRequested) ; ) {
+ /* Request whatever is left */
+ if (rc == 0) {
+ in.bytesRequested = bytesRequested - bytesCopied;
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_GetRandom,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (rc == 0) {
+ size_t br;
+ if (tssUtilsVerbose) TSS_PrintAll("randomBytes in pass",
+ out.randomBytes.t.buffer, out.randomBytes.t.size);
+ /* copy as many bytes as were received or until bytes requested */
+ for (br = 0 ; (br < out.randomBytes.t.size) && (bytesCopied < bytesRequested) ; br++) {
+
+ if (!noZeros || (out.randomBytes.t.buffer[br] != 0)) {
+ randomBuffer[bytesCopied] = out.randomBytes.t.buffer[br];
+ bytesCopied++;
+ }
+ }
+ }
+ if (rc == 0) {
+ if (noZeros) {
+ randomBuffer[bytesCopied] = 0x00;
+ }
+ }
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (outFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(randomBuffer, bytesRequested + (noZeros ? 1 : 0),
+ outFilename);
+ }
+ if (rc == 0) {
+ /* machine readable format */
+ if (noSpace) {
+ uint32_t bp;
+ for (bp = 0 ; bp < bytesRequested ; bp++) {
+ printf("%02x", randomBuffer[bp]);
+ }
+ printf("\n");
+ }
+ /* human readable format */
+ else {
+ TSS_PrintAll("randomBytes", randomBuffer, bytesRequested);
+ }
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("getrandom: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(randomBuffer); /* @1 */
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("getrandom\n");
+ printf("\n");
+ printf("Runs TPM2_GetRandom\n");
+ printf("\n");
+ printf("\t-by\tbytes requested\n");
+ printf("\t[-of\toutput file, with -nz, appends nul terminator (default do not save)]\n");
+ printf("\t[-nz\tget random number with no zero bytes (for authorization value)]\n");
+ printf("\t[-ns\tno space, no text, no newlines]\n");
+ printf("\t\tjust a string of hexascii suitable for a symmetric key\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
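Review bot: The request loop at `for (bytesCopied = 0 ; (rc == 0) && (bytesCopied < bytesRequested) ; )` has no progress guard: if TSS_Execute returns success with `out.randomBytes.t.size == 0`, or with -nz every returned byte happens to be zero, bytesCopied does not advance and the loop never terminates. A check after the copy loop such as `if (out.randomBytes.t.size == 0) { printf("getrandom: TPM returned no bytes\n"); rc = EXIT_FAILURE; }` bounds it, using the same EXIT_FAILURE convention the sibling utilities already follow. Separately, randomBuffer holds the value that printUsage describes as an authorization value or symmetric key, yet it is released with a plain `free(randomBuffer)` at the `@1` marker, which leaves the bytes in process memory; clearing the buffer before the free with a primitive the compiler cannot elide (explicit_bzero where available) limits how long the secret outlives the command.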
diff --git a/libstb/tss2/ibmtpm20tss/utils/getsessionauditdigest.c b/libstb/tss2/ibmtpm20tss/utils/getsessionauditdigest.c
new file mode 100644
index 0000000..61b12e6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/getsessionauditdigest.c
@@ -0,0 +1,391 @@
+/********************************************************************************/
+/* */
+/* GetSessionAuditDigest */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ GetSessionAuditDigest_In in;
+ GetSessionAuditDigest_Out out;
+ const char *privacyAdminPassword = NULL;
+ TPMI_DH_OBJECT signHandle = TPM_RH_NULL;
+ const char *signPassword = NULL;
+ TPMI_SH_HMAC sessionHandle = 0;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ const char *signatureFilename = NULL;
+ const char *attestInfoFilename = NULL;
+ const char *qualifyingDataFilename = NULL;
+ TPMS_ATTEST tpmsAttest;
+ const char *sessionDigestFilename = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RS_PW;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwde") == 0) {
+ i++;
+ if (i < argc) {
+ privacyAdminPassword = argv[i];
+ }
+ else {
+ printf("-pwde option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&signHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ signPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hs") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&sessionHandle);
+ }
+ else {
+ printf("Missing parameter for -hs\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-os") == 0) {
+ i++;
+ if (i < argc) {
+ signatureFilename = argv[i];
+ }
+ else {
+ printf("-os option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oa") == 0) {
+ i++;
+ if (i < argc) {
+ attestInfoFilename = argv[i];
+ }
+ else {
+ printf("-oa option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-od") == 0) {
+ i++;
+ if (i < argc) {
+ sessionDigestFilename = argv[i];
+ }
+ else {
+ printf("-od option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-qd") == 0) {
+ i++;
+ if (i < argc) {
+ qualifyingDataFilename = argv[i];
+ }
+ else {
+ printf("-qd option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (sessionHandle == 0) {
+ printf("Missing session handle parameter -hs\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ /* Handle of key that authorizes the audit */
+ in.privacyAdminHandle = TPM_RH_ENDORSEMENT;
+ in.signHandle = signHandle;
+ in.sessionHandle = sessionHandle;
+ /* Table 145 - Definition of TPMT_SIG_SCHEME Structure */
+ in.inScheme.scheme = TPM_ALG_RSASSA;
+ /* Table 144 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+ in.inScheme.details.rsassa.hashAlg = halg;
+ }
+ /* data supplied by the caller */
+ if (rc == 0) {
+ if (qualifyingDataFilename != NULL) {
+ rc = TSS_File_Read2B(&in.qualifyingData.b,
+ sizeof(in.qualifyingData.t.buffer),
+ qualifyingDataFilename);
+ }
+ else {
+ in.qualifyingData.t.size = 0;
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_GetSessionAuditDigest,
+ sessionHandle0, privacyAdminPassword, sessionAttributes0,
+ sessionHandle1, signPassword, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ uint8_t *tmpBuffer = out.auditInfo.t.attestationData;
+ uint32_t tmpSize = out.auditInfo.t.size;
+ rc = TSS_TPMS_ATTEST_Unmarshalu(&tpmsAttest, &tmpBuffer, &tmpSize);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMS_ATTEST_Print(&tpmsAttest, 0);
+ }
+ if (rc == 0) {
+ int match;
+ match = TSS_TPM2B_Compare(&in.qualifyingData.b, &tpmsAttest.extraData.b);
+ if (!match) {
+ printf("getsessionauditdigest: failed, extraData != qualifyingData\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ if ((rc == 0) && (signatureFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.signature,
+ (MarshalFunction_t)TSS_TPMT_SIGNATURE_Marshalu,
+ signatureFilename);
+
+
+ }
+ if ((rc == 0) && (attestInfoFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.auditInfo.t.attestationData,
+ out.auditInfo.t.size,
+ attestInfoFilename);
+ }
+ if ((rc == 0) && (sessionDigestFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(tpmsAttest.attested.sessionAudit.sessionDigest.t.buffer,
+ tpmsAttest.attested.sessionAudit.sessionDigest.t.size,
+ sessionDigestFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMT_SIGNATURE_Print(&out.signature, 0);
+ if (tssUtilsVerbose) printf("getsessionauditdigest: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("getsessionauditdigest: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("getsessionauditdigest\n");
+ printf("\n");
+ printf("Runs TPM2_GetSessionAuditDigest\n");
+ printf("\n");
+ printf("\t[-pwde\tendorsement hierarchy password (default empty)]\n");
+ printf("\t[-hk\tsigning key handle]\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t-hs\taudit session handle\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-qd\tqualifying data file name]\n");
+ printf("\t[-os\tsignature file name (default do not save)]\n");
+ printf("\t[-oa\tattestation output file name (default do not save)]\n");
+ printf("\t[-od\tsession digest file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
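Review bot: The signing scheme at `in.inScheme.scheme = TPM_ALG_RSASSA;` is hard-coded, so a signing key supplied with `-hk` that is not an RSA key cannot be used, whereas the sibling getcommandauditdigest.c hunk selects RSASSA, ECDSA or HMAC from a `-salg` option with the same halg handling. Porting that option and the three-way scheme selection here, plus the matching `printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");` line in printUsage, makes the two audit-digest utilities consistent. Since `-hk` is documented as optional and signHandle defaults to TPM_RH_NULL, a short comment at the scheme setup stating what the tool expects the TPM to do with a non-NULL scheme when no signing key is supplied would also help; that behaviour is not evident from the hunk.
```c
    TPM_ALG_ID sigAlg = TPM_ALG_RSA;
    /* … unchanged: remaining locals, setvbuf, option loop through -halg … */
	else if (strcmp(argv[i],"-salg") == 0) {
	    i++;
	    if (i < argc) {
		if (strcmp(argv[i],"rsa") == 0) {
		    sigAlg = TPM_ALG_RSA;
		}
		else if (strcmp(argv[i],"ecc") == 0) {
		    sigAlg = TPM_ALG_ECDSA;
		}
		else if (strcmp(argv[i],"hmac") == 0) {
		    sigAlg = TPM_ALG_HMAC;
		}
		else {
		    printf("Bad parameter %s for -salg\n", argv[i]);
		    printUsage();
		}
	    }
	    else {
		printf("-salg option needs a value\n");
		printUsage();
	    }
	}
    /* … unchanged: remaining options, -hs check … */
    if (rc == 0) {
	in.privacyAdminHandle = TPM_RH_ENDORSEMENT;
	in.signHandle = signHandle;
	in.sessionHandle = sessionHandle;
	if (sigAlg == TPM_ALG_RSA) {
	    in.inScheme.scheme = TPM_ALG_RSASSA;
	    in.inScheme.details.rsassa.hashAlg = halg;
	}
	else if (sigAlg == TPM_ALG_ECDSA) {
	    in.inScheme.scheme = TPM_ALG_ECDSA;
	    in.inScheme.details.ecdsa.hashAlg = halg;
	}
	else { /* HMAC */
	    in.inScheme.scheme = TPM_ALG_HMAC;
	    in.inScheme.details.hmac.hashAlg = halg;
	}
    }
    /* … unchanged: qualifying data, TSS_Create, TSS_Execute, output … */
```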
diff --git a/libstb/tss2/ibmtpm20tss/utils/gettestresult.c b/libstb/tss2/ibmtpm20tss/utils/gettestresult.c
new file mode 100644
index 0000000..de12845
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/gettestresult.c
@@ -0,0 +1,206 @@
+/********************************************************************************/
+/* */
+/* GetTestResult */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+/* #include <ibmtss/Unmarshal_fp.h> */
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ GetTestResult_Out out;
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ NULL,
+ NULL,
+ TPM_CC_GetTestResult,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ TSS_ResponseCode_toString(&msg, &submsg, &num, out.testResult);
+ printf("testResult %s%s%s\n", msg, submsg, num);
+
+ if (tssUtilsVerbose) TSS_PrintAll("outData",
+ out.outData.t.buffer, out.outData.t.size);
+ }
+ else {
+ printf("gettestresult: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("gettestresult\n");
+ printf("\n");
+ printf("Runs TPM2_GetTestResult\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
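Review bot: The `sscanf(argv[i],"%x", &sessionHandle0)` call in the -se0 branch (and its -se1/-se2 twins) never checks the return value, so a non-hex argument silently leaves the handle or attributes at their default and the command is sent with a session the user did not specify; `if (sscanf(argv[i], "%x", &sessionHandle0) != 1) { printf("Bad parameter %s for -se0\n", argv[i]); printUsage(); }` makes the parse failure fatal like every other option error in this file. `%x` also expects an `unsigned int *` while sessionHandle0 is a TPMI_SH_AUTH_SESSION; if that typedef is not `unsigned int` on the target this is a format/argument mismatch `-Wformat` will flag, and `"%" SCNx32` from `<inttypes.h>` would be the exact form (assuming the TPMI handle types are 32-bit, which their TPM_HANDLE base suggests). The same unchecked parse appears in the -hk and -se* branches of gettime.c and the -se* branches of hashsequencestart.c in this commit.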
diff --git a/libstb/tss2/ibmtpm20tss/utils/gettime.c b/libstb/tss2/ibmtpm20tss/utils/gettime.c
new file mode 100644
index 0000000..b07baf1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/gettime.c
@@ -0,0 +1,395 @@
+/********************************************************************************/
+/* */
+/* GetTime */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ GetTime_In in;
+ GetTime_Out out;
+ TPMI_DH_OBJECT signHandle = 0;
+ const char *keyPassword = NULL;
+ const char *endorsementPassword = NULL;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ const char *signatureFilename = NULL;
+ const char *attestInfoFilename = NULL;
+ const char *qualifyingDataFilename = NULL;
+ TPM_ALG_ID sigAlg = TPM_ALG_RSA;
+ TPMS_ATTEST tpmsAttest;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RS_PW;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &signHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwde") == 0) {
+ i++;
+ if (i < argc) {
+ endorsementPassword = argv[i];
+ }
+ else {
+ printf("-pwde option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-salg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsa") == 0) {
+ sigAlg = TPM_ALG_RSA;
+ }
+ else if (strcmp(argv[i],"ecc") == 0) {
+ sigAlg = TPM_ALG_ECDSA;
+ }
+ else if (strcmp(argv[i],"hmac") == 0) {
+ sigAlg = TPM_ALG_HMAC;
+ }
+ else {
+ printf("Bad parameter %s for -salg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-salg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-os") == 0) {
+ i++;
+ if (i < argc) {
+ signatureFilename = argv[i];
+ }
+ else {
+ printf("-os option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oa") == 0) {
+ i++;
+ if (i < argc) {
+ attestInfoFilename = argv[i];
+ }
+ else {
+ printf("-oa option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-qd") == 0) {
+ i++;
+ if (i < argc) {
+ qualifyingDataFilename = argv[i];
+ }
+ else {
+ printf("-qd option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (signHandle == 0) {
+ printf("Missing sign handle parameter -hs\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ /* handle of the privacy administrator */
+ in.privacyAdminHandle = TPM_RH_ENDORSEMENT;
+ /* Handle of key that will perform signing */
+ in.signHandle = signHandle;
+ if (sigAlg == TPM_ALG_RSA) {
+ /* Table 145 - Definition of TPMT_SIG_SCHEME Structure */
+ in.inScheme.scheme = TPM_ALG_RSASSA;
+ /* Table 144 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+ in.inScheme.details.rsassa.hashAlg = halg;
+ }
+ else if (sigAlg == TPM_ALG_ECDSA) {
+ in.inScheme.scheme = TPM_ALG_ECDSA;
+ in.inScheme.details.ecdsa.hashAlg = halg;
+ }
+ else { /* HMAC */
+ in.inScheme.scheme = TPM_ALG_HMAC;
+ in.inScheme.details.hmac.hashAlg = halg;
+ }
+ }
+ /* data supplied by the caller */
+ if (rc == 0) {
+ if (qualifyingDataFilename != NULL) {
+ rc = TSS_File_Read2B(&in.qualifyingData.b,
+ sizeof(in.qualifyingData.t.buffer),
+ qualifyingDataFilename);
+ }
+ else {
+ in.qualifyingData.t.size = 0;
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_GetTime,
+ sessionHandle0, endorsementPassword, sessionAttributes0,
+ sessionHandle1, keyPassword, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ uint8_t *tmpBuffer = out.timeInfo.t.attestationData;
+ uint32_t tmpSize = out.timeInfo.t.size;
+ rc = TSS_TPMS_ATTEST_Unmarshalu(&tpmsAttest, &tmpBuffer, &tmpSize);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMS_ATTEST_Print(&tpmsAttest, 0);
+ }
+ if (rc == 0) {
+ int match;
+ match = TSS_TPM2B_Compare(&in.qualifyingData.b, &tpmsAttest.extraData.b);
+ if (!match) {
+ printf("quote: failed, extraData != qualifyingData\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ if ((rc == 0) && (signatureFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.signature,
+ (MarshalFunction_t)TSS_TPMT_SIGNATURE_Marshalu,
+ signatureFilename);
+ }
+ if ((rc == 0) && (attestInfoFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.timeInfo.t.attestationData,
+ out.timeInfo.t.size,
+ attestInfoFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMT_SIGNATURE_Print(&out.signature, 0);
+ if (tssUtilsVerbose) printf("gettime: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("gettime: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("gettime\n");
+ printf("\n");
+ printf("Runs TPM2_GetTime\n");
+ printf("\n");
+ printf("\t-hk\tsigning key handle\n");
+ printf("\t[-pwdk\tpassword for signing key (default empty)]\n");
+ printf("\t[-pwde\tpassword for endorsement hierarchy (default empty)]\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
+ printf("\t[-qd\tqualifying data file name]\n");
+ printf("\t[-os\tsignature file name (default do not save)]\n");
+ printf("\t[-oa\tattestation output file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
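Review bot: The missing-handle check after the option loop names the wrong option: the signing key is given with `-hk` (both the parser and printUsage say so) but the message says `-hs`, so a user who follows the error text gets "is not a valid option"; change it to `printf("Missing sign handle parameter -hk\n");`. The extraData mismatch message further down is copied from another utility and reports as `quote:`; `printf("gettime: failed, extraData != qualifyingData\n");` keeps the failure attributable to this program when output from several utilities is piped into one log. The qualifyingData/extraData comparison itself is worth a one-line comment, e.g. `/* reject a response whose attestation does not echo our nonce (replay guard) */`, since it is the only freshness check the utility performs.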
diff --git a/libstb/tss2/ibmtpm20tss/utils/hash.c b/libstb/tss2/ibmtpm20tss/utils/hash.c
new file mode 100644
index 0000000..71b8a7c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/hash.c
@@ -0,0 +1,310 @@
+/********************************************************************************/
+/* */
+/* Hash */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+static void printHash(Hash_Out *out);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Hash_In in;
+ Hash_Out out;
+ char hierarchyChar = 'n';
+ TPMI_RH_HIERARCHY hierarchy = TPM_RH_NULL;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ const char *inFilename = NULL;
+ const char *inString = NULL;
+ const char *hashFilename = NULL;
+ const char *ticketFilename = NULL;
+ int noSpace = FALSE;
+
+ size_t length = 0;
+ uint8_t *buffer = NULL; /* for the free */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ic") == 0) {
+ i++;
+ if (i < argc) {
+ inString = argv[i];
+ }
+ else {
+ printf("-ic option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ inFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oh") == 0) {
+ i++;
+ if (i < argc) {
+ hashFilename = argv[i];
+ }
+ else {
+ printf("-oh option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-tk") == 0) {
+ i++;
+ if (i < argc) {
+ ticketFilename = argv[i];
+ }
+ else {
+ printf("-tk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ns") == 0) {
+ noSpace = TRUE;
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((inFilename == NULL) && (inString == NULL)) {
+ printf("Input file -if or input string -ic must be specified\n");
+ printUsage();
+ }
+ if ((inFilename != NULL) && (inString != NULL)) {
+ printf("Input file -if and input string -ic cannot both be specified\n");
+ printUsage();
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ if (hierarchyChar == 'e') {
+ hierarchy = TPM_RH_ENDORSEMENT;
+ }
+ else if (hierarchyChar == 'o') {
+ hierarchy = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ hierarchy = TPM_RH_PLATFORM;
+ }
+ else if (hierarchyChar == 'n') {
+ hierarchy = TPM_RH_NULL;
+ }
+ else {
+ printf("Bad parameter %c for -hi\n", hierarchyChar);
+ printUsage();
+ }
+ in.hierarchy = hierarchy;
+ }
+ if (inFilename != NULL) {
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ inFilename);
+ }
+ if (rc == 0) {
+ if (length > sizeof(in.data.t.buffer)) {
+ printf("Input data too long %lu\n", (unsigned long)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ /* data to be hashed */
+ in.data.t.size = (uint16_t)length; /* cast safe, range tested above */
+ memcpy(in.data.t.buffer, buffer, length);
+ }
+ }
+ if (inString != NULL) {
+ if (rc == 0) {
+ length = strlen(inString);
+ if (length > sizeof(in.data.t.buffer)) {
+ printf("Input data too long %lu\n", (unsigned long)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ /* data to be hashed */
+ in.data.t.size = (uint16_t)length; /* cast safe, range tested above */
+ memcpy(in.data.t.buffer, inString, length);
+ }
+ }
+ if (rc == 0) {
+ in.hashAlg = halg;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Hash,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (hashFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.outHash.t.buffer,
+ out.outHash.t.size,
+ hashFilename);
+ }
+ if ((rc == 0) && (ticketFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.validation,
+ (MarshalFunction_t)TSS_TPMT_TK_HASHCHECK_Marshalu,
+ ticketFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printHash(&out);
+ if (noSpace) {
+ uint32_t bp;
+ for (bp = 0 ; bp < out.outHash.t.size ; bp++) {
+ printf("%02x", out.outHash.t.buffer[bp]);
+ }
+ printf("\n");
+ }
+ if (tssUtilsVerbose) printf("hash: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("hash: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+static void printHash(Hash_Out *out)
+{
+ TSS_PrintAll("Hash", out->outHash.t.buffer, out->outHash.t.size);
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("hash\n");
+ printf("\n");
+ printf("Runs TPM2_Hash\n");
+ printf("\n");
+ printf("\t[-hi\thierarchy (e, o, p, n) (default null)]\n");
+ printf("\t\te endorsement, o owner, p platform, n null\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t-if\tinput file to be hashed\n");
+ printf("\t-ic\tdata string to be hashed\n");
+ printf("\t[-ns\tno space, no text, no newlines]\n");
+ printf("\t[-oh\thash file name (default do not save)]\n");
+ printf("\t[-tk\tticket file name (default do not save)]\n");
+ exit(1);
+}
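Review bot: The -if and -ic paths duplicate the length check, the `TSS_RC_INSUFFICIENT_BUFFER` error and the size/memcpy assignment, and the two `if (inFilename != NULL)` / `if (inString != NULL)` blocks read as if both could run although the option checks above exit unless exactly one is set. Selecting the source bytes once and then sharing the bound check and copy removes the repetition and keeps the `(uint16_t)length` cast next to the single range test that justifies it; `src` would join the other locals declared at the top of main. Behaviour is unchanged, including the `free(buffer)` at the end.
```c
    /* … unchanged: -hi hierarchy mapping … */
    const void *src = NULL;   /* bytes to hash: file contents (-if) or the -ic string */
    if (rc == 0) {
        if (inFilename != NULL) {
            rc = TSS_File_ReadBinaryFile(&buffer,   /* freed @1 */
                                         &length,
                                         inFilename);
            src = buffer;
        }
        else {   /* -ic; the option checks above guarantee exactly one of the two is set */
            length = strlen(inString);
            src = inString;
        }
    }
    if (rc == 0) {
        if (length > sizeof(in.data.t.buffer)) {
            printf("Input data too long %lu\n", (unsigned long)length);
            rc = TSS_RC_INSUFFICIENT_BUFFER;
        }
    }
    if (rc == 0) {
        /* data to be hashed */
        in.data.t.size = (uint16_t)length;   /* cast safe, range tested above */
        memcpy(in.data.t.buffer, src, length);
    }
    /* … unchanged: in.hashAlg, TSS_Create, TSS_Execute, output files … */
```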
diff --git a/libstb/tss2/ibmtpm20tss/utils/hashsequencestart.c b/libstb/tss2/ibmtpm20tss/utils/hashsequencestart.c
new file mode 100644
index 0000000..d54fadd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/hashsequencestart.c
@@ -0,0 +1,253 @@
+/********************************************************************************/
+/* */
+/* HashSequenceStart */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ HashSequenceStart_In in;
+ HashSequenceStart_Out out;
+ const char *authPassword = NULL;
+ TPMI_ALG_HASH hashAlg = TPM_ALG_SHA256;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ hashAlg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ hashAlg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ hashAlg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ hashAlg = TPM_ALG_SHA512;
+ }
+ else if (strcmp(argv[i],"null") == 0) {
+ hashAlg = TPM_ALG_NULL;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ /* auth value for sequence */
+ rc = TSS_TPM2B_StringCopy(&in.auth.b, authPassword, sizeof(in.auth.t.buffer));
+ }
+ if (rc == 0) {
+ in.hashAlg = hashAlg;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_HashSequenceStart,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ printf("hashsequencestart: handle %08x\n", out.sequenceHandle);
+ if (tssUtilsVerbose) printf("hashsequencestart: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("hashsequencestart: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("hashsequencestart\n");
+ printf("\n");
+ printf("Runs TPM2_HashSequenceStart\n");
+ printf("\n");
+ printf("\t[-pwda\tpassword for sequence (default empty)]\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512, null) (default sha256)]\n");
+ printf("\t\tnull is an event sequence\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
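Review bot: `TSS_TPM2B_StringCopy(&in.auth.b, authPassword, sizeof(in.auth.t.buffer))` is reached with authPassword still NULL whenever -pwda is not given, which the usage text documents as the default; this is only correct if that helper treats a NULL source as an empty string, which the hunk does not show — if it does not, `authPassword != NULL ? authPassword : ""` at the call site, or an explicit `in.auth.t.size = 0` branch, closes the gap. The comment `/* auth value for sequence */` would help more as `/* auth value the TPM will require on the later sequence update/complete commands (empty by default) */`, since nothing else in the file says what the password protects. The -se* parsing shares the unchecked-sscanf issue noted on gettestresult.c in this commit.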
diff --git a/libstb/tss2/ibmtpm20tss/utils/hierarchychangeauth.c b/libstb/tss2/ibmtpm20tss/utils/hierarchychangeauth.c
new file mode 100644
index 0000000..c184cc4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/hierarchychangeauth.c
@@ -0,0 +1,358 @@
+/********************************************************************************/
+/* */
+/* HierarchyChangeAuth */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ HierarchyChangeAuth_In in;
+ char hierarchyChar = 0;
+ const char *newPassword = NULL;
+ const char *newPasswordFilename = NULL;
+ const char *authPassword = NULL;
+ const char *authPasswordFilename = NULL;
+ /* authPasswordPtr is used as the command auth value. It is either the supplied authPassword
+ string, the password read from the authPasswordFilename file, or NULL */
+ const char *authPasswordPtr = NULL;
+ uint8_t *authPasswordBuffer = NULL; /* for the free */
+ size_t authPasswordLength = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ newPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdni") == 0) {
+ i++;
+ if (i < argc) {
+ newPasswordFilename = argv[i];
+ }
+ else {
+ printf("pwdni -option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdai") == 0) {
+ i++;
+ if (i < argc) {
+ authPasswordFilename = argv[i];
+ }
+ else {
+ printf("-pwdai option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ if (hierarchyChar == 'l') {
+ in.authHandle = TPM_RH_LOCKOUT;
+ }
+ else if (hierarchyChar == 'e') {
+ in.authHandle = TPM_RH_ENDORSEMENT;
+ }
+ else if (hierarchyChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("Missing or illegal -hi\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ if ((newPassword != NULL) && (newPasswordFilename != NULL)) {
+ printf("Cannot specify both -pwdn and -pwdni\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ if ((authPassword != NULL) && (authPasswordFilename != NULL)) {
+ printf("Cannot specify both -pwda and -pwdai\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ /* new auth from string */
+ if (newPassword != NULL) {
+ /* convert password string to TPM2B */
+ rc = TSS_TPM2B_StringCopy(&in.newAuth.b,
+ newPassword, sizeof(in.newAuth.t.buffer));
+ }
+ /* new auth from file */
+ else if (newPasswordFilename != NULL) {
+ uint8_t *buffer = NULL; /* for the free */
+ size_t length = 0;
+ /* read new auth value from the file */
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ newPasswordFilename);
+ }
+ /* convert password file string to TPM2B */
+ if (rc == 0) {
+ rc = TSS_TPM2B_StringCopy(&in.newAuth.b,
+ (const char *)buffer, sizeof(in.newAuth.t.buffer));
+ }
+ free(buffer); /* @1 */
+ buffer = NULL;
+ }
+ /* no new auth specified */
+ else {
+ in.newAuth.t.size = 0;
+ }
+ }
+ if (rc == 0) {
+ /* command auth from string */
+ if (authPassword != NULL) {
+ authPasswordPtr = authPassword;
+ }
+ /* command auth from file */
+ else if (authPasswordFilename != NULL) {
+ if (rc == 0) {
+ /* must be freed by caller */
+ rc = TSS_File_ReadBinaryFile(&authPasswordBuffer,
+ &authPasswordLength,
+ authPasswordFilename);
+ }
+ if (rc == 0) {
+ if (authPasswordLength > sizeof(TPMU_HA)) {
+ printf("Password too long %u\n", (unsigned int)authPasswordLength);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ authPasswordPtr = (const char *)authPasswordBuffer;
+ }
+ }
+ /* no command auth specified */
+ else {
+ authPasswordPtr = NULL;
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_HierarchyChangeAuth,
+ sessionHandle0, authPasswordPtr, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("hierarchychangeauth: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("hierarchychangeauth: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(authPasswordBuffer);
+ authPasswordBuffer = NULL;
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("hierarchychangeauth\n");
+ printf("\n");
+ printf("Runs TPM2_HierarchyChangeAuth\n");
+ printf("\n");
+ printf("\t-hi\thierarchy (l, e, o, p)\n");
+ printf("\t\tl lockout, e endorsement, o owner, p platform\n");
+ printf("\t-pwdn\tnew authorization password (default empty)\n");
+ printf("\t-pwdni\tnew authorization password file name (default empty)\n");
+ printf("\t-pwda\tauthorization password (default empty)\n");
+ printf("\t-pwdai\tauthorization password file name (default empty)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
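Review bot: The password read from a `-pwdni` or `-pwdai` file is handed on as a NUL-terminated C string (`(const char *)buffer` into TSS_TPM2B_StringCopy, and `authPasswordPtr` into TSS_Execute) although TSS_File_ReadBinaryFile only reports a byte length, so unless that helper appends a terminator a file that lacks one is read past its end; the `authPasswordLength > sizeof(TPMU_HA)` range check does not cover termination. Both heap copies of the secret are freed without being cleared and `in.newAuth` stays on the stack after the call; clearing them first, e.g. `explicit_bzero(authPasswordBuffer, authPasswordLength);` (or the platform equivalent) before the `free`, limits how long the auth value lingers in memory. The unchecked `sscanf` return values for `-se0`..`-se2` (the same pattern is in hierarchycontrol.c, hmac.c and hmacstart.c) silently keep the default handle and attributes on non-hex input; `if (sscanf(argv[i], "%x", &sessionHandle0) != 1) { printf("Bad parameter %s for -se0\n", argv[i]); printUsage(); }` would reject the typo instead.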
diff --git a/libstb/tss2/ibmtpm20tss/utils/hierarchycontrol.c b/libstb/tss2/ibmtpm20tss/utils/hierarchycontrol.c
new file mode 100644
index 0000000..662e979
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/hierarchycontrol.c
@@ -0,0 +1,291 @@
+/********************************************************************************/
+/* */
+/* HierarchyControl */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ HierarchyControl_In in;
+ char authHandleChar = 0;
+ char enableHandleChar = 0;
+ int state = 1;
+ const char *authPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ authHandleChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-he") == 0) {
+ i++;
+ if (i < argc) {
+ enableHandleChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -he\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-state") == 0) {
+ i++;
+ if (i < argc) {
+ state = atoi(argv[i]);
+ }
+ else {
+ printf("-state option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ if (authHandleChar == 'e') {
+ in.authHandle = TPM_RH_ENDORSEMENT;
+ }
+ else if (authHandleChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (authHandleChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("Missing or illegal -hi\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ if (enableHandleChar == 'e') {
+ in.enable = TPM_RH_ENDORSEMENT;
+ }
+ else if (enableHandleChar == 'o') {
+ in.enable = TPM_RH_OWNER;
+ }
+ else if (enableHandleChar == 'p') {
+ in.enable = TPM_RH_PLATFORM;
+ }
+ else if (enableHandleChar == 'n') {
+ in.enable = TPM_RH_PLATFORM_NV;
+ }
+ else {
+ printf("Missing or illegal -he\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ if (state != 0) {
+ in.state = YES;
+ }
+ else {
+ in.state = NO;
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_HierarchyControl,
+ sessionHandle0, authPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("hierarchycontrol: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("hierarchycontrol: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("hierarchycontrol\n");
+ printf("\n");
+ printf("Runs TPM2_HierarchyControl\n");
+ printf("\n");
+ printf("\t-hi\tauthhandle hierarchy (e, o, p)\n");
+ printf("\t-he\tenable hierarchy (e, o, p, n)\n");
+ printf("\t\te\tendorsement, o owner, p platform, n null\n");
+ printf("\t[-pwda\tauthorization password (default empty)]\n");
+ printf("\t[-state\t(0 to disable, 1 to enable) (default enable)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
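Review bot: `state = atoi(argv[i])` accepts any text, so `-state on` or a typo parses as 0 and disables the hierarchy instead of being rejected, and atoi gives no way to detect it. Parsing with strtol and checking the end pointer, `char *end; long v = strtol(argv[i], &end, 10); if (end == argv[i] || *end != '\0') { printf("-state option needs a numeric value\n"); printUsage(); }`, keeps a malformed value from silently selecting disable. Separately, the usage text `n null` for `-he` does not match the code, which maps `n` to TPM_RH_PLATFORM_NV; that line should read `n platform NV`.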
diff --git a/libstb/tss2/ibmtpm20tss/utils/hmac.c b/libstb/tss2/ibmtpm20tss/utils/hmac.c
new file mode 100644
index 0000000..be63e1b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/hmac.c
@@ -0,0 +1,356 @@
+/********************************************************************************/
+/* */
+/* Hmac */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+static void printHmac(HMAC_Out *out);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ HMAC_In in;
+ HMAC_Out out;
+ TPMI_DH_OBJECT keyHandle = 0;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ const char *inFilename = NULL;
+ const char *inString = NULL;
+ const char *hmacFilename = NULL;
+ const char *keyPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ size_t length = 0;
+ uint8_t *buffer = NULL; /* for the free */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&keyHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ic") == 0) {
+ i++;
+ if (i < argc) {
+ inString = argv[i];
+ }
+ else {
+ printf("-ic option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ inFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-os") == 0) {
+ i++;
+ if (i < argc) {
+ hmacFilename = argv[i];
+ }
+ else {
+ printf("-os option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (keyHandle == 0) {
+ printf("Missing handle parameter -hk\n");
+ printUsage();
+ }
+ if ((inFilename == NULL) && (inString == NULL)) {
+ printf("Input file -if or input string -ic must be specified\n");
+ printUsage();
+ }
+ if ((inFilename != NULL) && (inString != NULL)) {
+ printf("Input file -if and input string -ic cannot both be specified\n");
+ printUsage();
+ }
+ if (inFilename != NULL) {
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ inFilename);
+ }
+ if (rc == 0) {
+ if (length > sizeof(in.buffer.t.buffer)) {
+ printf("Input data too long %lu\n", (unsigned long)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ /* data to be HMACed */
+ in.buffer.t.size = (uint16_t)length; /* cast safe, range tested above */
+ memcpy(in.buffer.t.buffer, buffer, length);
+ }
+ }
+ if (inString != NULL) {
+ if (rc == 0) {
+ length = strlen(inString);
+ if (length > sizeof(in.buffer.t.buffer)) {
+ printf("Input data too long %lu\n", (unsigned long)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ /* data to be hashed */
+ in.buffer.t.size =(uint16_t) length; /* cast safe, range tested above */
+ memcpy(in.buffer.t.buffer, inString, length);
+ }
+ }
+ if (rc == 0) {
+ /* Handle of key that will perform hmac */
+ in.handle = keyHandle;
+ /* use key's hash algorithm */
+ in.hashAlg = halg;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_HMAC,
+ sessionHandle0, keyPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (hmacFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.outHMAC.t.buffer,
+ out.outHMAC.t.size,
+ hmacFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printHmac(&out);
+ if (tssUtilsVerbose) printf("hmac: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("hmac: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+static void printHmac(HMAC_Out *out)
+{
+ TSS_PrintAll("HMAC", out->outHMAC.t.buffer, out->outHMAC.t.size);
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("hmac\n");
+ printf("\n");
+ printf("Runs TPM2_HMAC\n");
+ printf("\n");
+ printf("\t-hk\tkey handle\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t-if\tinput file to be HMACed\n");
+ printf("\t-ic\tdata string to be HMACed\n");
+ printf("\t[-os\thmac file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
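Review bot: The comment `/* use key's hash algorithm */` on `in.hashAlg = halg;` is misleading: halg is the `-halg` option value with a default of TPM_ALG_SHA256 and nothing is read from the key; `/* hash algorithm from -halg (default sha256) */` matches what the code does. An empty `-if` file reaches `memcpy(in.buffer.t.buffer, buffer, length)` with length 0 and, depending on what TSS_File_ReadBinaryFile returns for an empty file, possibly a NULL source, which is technically undefined; guarding the copy with `if (length > 0)` or rejecting empty input avoids it. With neither `-os` nor `-v` the HMAC is computed and then discarded, since printHmac only runs when verbose; the usage text should say that `-v` is needed to display it, or the result should be printed unconditionally as hashsequencestart-style tools print their handle.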
diff --git a/libstb/tss2/ibmtpm20tss/utils/hmacstart.c b/libstb/tss2/ibmtpm20tss/utils/hmacstart.c
new file mode 100644
index 0000000..3fdd0f9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/hmacstart.c
@@ -0,0 +1,278 @@
+/********************************************************************************/
+/* */
+/* HmacStart */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ HMAC_Start_In in;
+ HMAC_Start_Out out;
+ TPMI_DH_OBJECT keyHandle = 0;
+ const char *keyPassword = NULL;
+ const char *authPassword = NULL;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&keyHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (keyHandle == 0) {
+ printf("Missing handle parameter -hk\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ /* Handle of key that will perform hmac */
+ in.handle = keyHandle;
+ /* auth value for sequence */
+ rc = TSS_TPM2B_StringCopy(&in.auth.b, authPassword, sizeof(in.auth.t.buffer));
+ }
+ if (rc == 0) {
+ in.hashAlg = halg;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_HMAC_Start,
+ sessionHandle0, keyPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ printf("hmacstart: handle %08x\n", out.sequenceHandle);
+ if (tssUtilsVerbose) printf("hmacstart: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("hmacstart: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("hmacstart\n");
+ printf("\n");
+ printf("Runs TPM2_Hmac_Start\n");
+ printf("\n");
+ printf("\t-hk\tkey handle\n");
+ printf("\t-pwdk\tpassword for key (default empty)\n");
+ printf("\t-pwda\tpassword for sequence (default empty)\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
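Review bot: The usage text lists `-pwdk` and `-pwda` without the `[...]` brackets that mark optional options elsewhere in this tool and in hmac.c, although both default to empty; `printf("\t[-pwdk\tpassword for key (default empty)]\n");` and the matching `-pwda` line would make the convention consistent. The title line `Runs TPM2_Hmac_Start` does not follow the command name used in the code, TPM_CC_HMAC_Start; `Runs TPM2_HMAC_Start` would. The default path passes a NULL authPassword to TSS_TPM2B_StringCopy, so the code relies on that helper treating NULL as an empty string; if it does, a comment such as `/* NULL authPassword gives an empty sequence auth */` on that call (the same pattern is in hashsequencestart.c) would make the assumption explicit.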
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ActivateCredential_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ActivateCredential_fp.h
new file mode 100644
index 0000000..e2b6083
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ActivateCredential_fp.h
@@ -0,0 +1,88 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ActivateCredential_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef ACTIVATECREDENTIAL_FP_H
+#define ACTIVATECREDENTIAL_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT activateHandle;
+ TPMI_DH_OBJECT keyHandle;
+ TPM2B_ID_OBJECT credentialBlob;
+ TPM2B_ENCRYPTED_SECRET secret;
+} ActivateCredential_In;
+
+#define RC_ActivateCredential_activateHandle (TPM_RC_H + TPM_RC_1)
+#define RC_ActivateCredential_keyHandle (TPM_RC_H + TPM_RC_2)
+#define RC_ActivateCredential_credentialBlob (TPM_RC_P + TPM_RC_1)
+#define RC_ActivateCredential_secret (TPM_RC_P + TPM_RC_2)
+
+typedef struct {
+ TPM2B_DIGEST certInfo;
+} ActivateCredential_Out;
+
+TPM_RC
+TPM2_ActivateCredential(
+ ActivateCredential_In *in, // IN: input parameter list
+ ActivateCredential_Out *out // OUT: output parameter list
+ );
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ActivateIdentity_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ActivateIdentity_fp.h
new file mode 100644
index 0000000..84b97b6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ActivateIdentity_fp.h
@@ -0,0 +1,64 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 ActivateIdentity */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ActivateIdentity_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef ACTIVATEIDENTITY_FP_H
+#define ACTIVATEIDENTITY_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM_KEY_HANDLE idKeyHandle;
+ UINT32 blobSize;
+ BYTE blob[MAX_RSA_KEY_BYTES];
+} ActivateIdentity_In;
+
+typedef struct {
+ TPM_SYMMETRIC_KEY symmetricKey;
+} ActivateIdentity_Out;
+
+TPM_RC
+TPM2_ActivateIdentity(
+ ActivateIdentity_In *in, // IN: input parameter buffer
+ ActivateIdentity_Out *out // OUT: output parameter buffer
+ );
+
+#endif
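Review bot: `ActivateIdentity_In` pairs a `UINT32 blobSize` with a fixed `BYTE blob[MAX_RSA_KEY_BYTES]`, but nothing in the header states that `blobSize` is bounded by the array, so a reader of this struct cannot tell whether the length field or the array capacity is authoritative. Whatever fills `blobSize` (presumably the 1.2 unmarshal path, which is not in this hunk) has to reject values above `MAX_RSA_KEY_BYTES` before any copy into `blob`; that contract belongs next to the field. I would add `UINT32 blobSize; /* bytes used in blob; must be <= MAX_RSA_KEY_BYTES */` above the array. Since this is a vendored subtree import, the comment is best carried upstream rather than patched locally.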
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/BaseTypes.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/BaseTypes.h
new file mode 100644
index 0000000..c87663c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/BaseTypes.h
@@ -0,0 +1,85 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: BaseTypes.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2016 */
+/* */
+/********************************************************************************/
+
+/* 5.2 BaseTypes.h */
+
+#ifndef BASETYPES_H
+#define BASETYPES_H
+
+#include <stdint.h>
+
+/* NULL definition */
+
+#ifndef NULL
+#define NULL (0)
+#endif
+typedef uint8_t UINT8;
+typedef uint8_t BYTE;
+typedef int8_t INT8;
+typedef int BOOL;
+typedef uint16_t UINT16;
+typedef int16_t INT16;
+typedef uint32_t UINT32;
+typedef int32_t INT32;
+typedef uint64_t UINT64;
+typedef int64_t INT64;
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/CertifyCreation_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CertifyCreation_fp.h
new file mode 100644
index 0000000..98c336b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CertifyCreation_fp.h
@@ -0,0 +1,95 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: CertifyCreation_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef CERTIFYCREATION_FP_H
+#define CERTIFYCREATION_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT signHandle;
+ TPMI_DH_OBJECT objectHandle;
+ TPM2B_DATA qualifyingData;
+ TPM2B_DIGEST creationHash;
+ TPMT_SIG_SCHEME inScheme;
+ TPMT_TK_CREATION creationTicket;
+} CertifyCreation_In;
+
+#define RC_CertifyCreation_signHandle (TPM_RC_H + TPM_RC_1)
+#define RC_CertifyCreation_objectHandle (TPM_RC_H + TPM_RC_2)
+#define RC_CertifyCreation_qualifyingData (TPM_RC_P + TPM_RC_1)
+#define RC_CertifyCreation_creationHash (TPM_RC_P + TPM_RC_2)
+#define RC_CertifyCreation_inScheme (TPM_RC_P + TPM_RC_3)
+#define RC_CertifyCreation_creationTicket (TPM_RC_P + TPM_RC_4)
+
+typedef struct {
+ TPM2B_ATTEST certifyInfo;
+ TPMT_SIGNATURE signature;
+} CertifyCreation_Out;
+
+TPM_RC
+TPM2_CertifyCreation(
+ CertifyCreation_In *in, // IN: input parameter list
+ CertifyCreation_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/CertifyX509_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CertifyX509_fp.h
new file mode 100644
index 0000000..1fb36fe
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CertifyX509_fp.h
@@ -0,0 +1,91 @@
+/********************************************************************************/
+/* */
+/* TPM2_CertifyX509 Command Header */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2019 */
+/* */
+/********************************************************************************/
+
+#ifndef CERTIFYX509_FP_H
+#define CERTIFYX509_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT objectHandle;
+ TPMI_DH_OBJECT signHandle;
+ TPM2B_DATA reserved;
+ TPMT_SIG_SCHEME inScheme;
+ TPM2B_MAX_BUFFER partialCertificate;
+} CertifyX509_In;
+
+#define RC_CertifyX509_objectHandle (TPM_RC_H + TPM_RC_1)
+#define RC_CertifyX509_signHandle (TPM_RC_H + TPM_RC_2)
+#define RC_CertifyX509_reserved (TPM_RC_P + TPM_RC_1)
+#define RC_CertifyX509_inScheme (TPM_RC_P + TPM_RC_2)
+#define RC_CertifyX509_partialCertificate (TPM_RC_P + TPM_RC_3)
+
+typedef struct {
+ TPM2B_MAX_BUFFER addedToCertificate;
+ TPM2B_DIGEST tbsDigest;
+ TPMT_SIGNATURE signature;
+} CertifyX509_Out;
+
+TPM_RC
+TPM2_CertifyX509(
+ CertifyX509_In *in, // IN: input parameter list
+ CertifyX509_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Certify_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Certify_fp.h
new file mode 100644
index 0000000..dc186e4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Certify_fp.h
@@ -0,0 +1,93 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Certify_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef CERTIFY_FP_H
+#define CERTIFY_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT objectHandle;
+ TPMI_DH_OBJECT signHandle;
+ TPM2B_DATA qualifyingData;
+ TPMT_SIG_SCHEME inScheme;
+} Certify_In;
+
+#define RC_Certify_objectHandle (TPM_RC_H + TPM_RC_1)
+#define RC_Certify_signHandle (TPM_RC_H + TPM_RC_2)
+#define RC_Certify_qualifyingData (TPM_RC_P + TPM_RC_1)
+#define RC_Certify_inScheme (TPM_RC_P + TPM_RC_2)
+
+typedef struct {
+ TPM2B_ATTEST certifyInfo;
+ TPMT_SIGNATURE signature;
+} Certify_Out;
+
+
+
+TPM_RC
+TPM2_Certify(
+ Certify_In *in, // IN: input parameter list
+ Certify_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ChangeEPS_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ChangeEPS_fp.h
new file mode 100644
index 0000000..0854730
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ChangeEPS_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ChangeEPS_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef CHANGEEPS_FP_H
+#define CHANGEEPS_FP_H
+
+typedef struct {
+ TPMI_RH_PLATFORM authHandle;
+} ChangeEPS_In;
+
+#define RC_ChangeEPS_authHandle (TPM_RC_H + TPM_RC_1)
+
+TPM_RC
+TPM2_ChangeEPS(
+ ChangeEPS_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ChangePPS_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ChangePPS_fp.h
new file mode 100644
index 0000000..566cfe7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ChangePPS_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ChangePPS_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef CHANGEPPS_FP_H
+#define CHANGEPPS_FP_H
+
+typedef struct {
+ TPMI_RH_PLATFORM authHandle;
+} ChangePPS_In;
+
+#define RC_ChangePPS_authHandle (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_ChangePPS(
+ ChangePPS_In *in // IN: input parameter list
+ );
+
+
+#endif
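Review bot: `RC_ChangePPS_authHandle` is defined as `(TPM_RC_P + TPM_RC_1)` although `authHandle` is a handle, while the sibling `RC_ChangeEPS_authHandle` in ChangeEPS_fp.h uses `(TPM_RC_H + TPM_RC_1)` for the same field; one of the two is inconsistent with the other. If the TPM_RC_H form is the intended one, the line should read `#define RC_ChangePPS_authHandle (TPM_RC_H + TPM_RC_1)`; any code that decodes response codes to name the failing handle versus parameter will otherwise attribute a ChangePPS handle error to parameter 1. I cannot tell from this page whether anything in the tree consumes this macro, so this may be dormant. As a vendored subtree import it should be reported upstream rather than fixed in this commit.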
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ClearControl_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ClearControl_fp.h
new file mode 100644
index 0000000..4ecd727
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ClearControl_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ClearControl_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef CLEARCONTROL_FP_H
+#define CLEARCONTROL_FP_H
+
+typedef struct {
+ TPMI_RH_CLEAR auth;
+ TPMI_YES_NO disable;
+} ClearControl_In;
+
+#define RC_ClearControl_auth (TPM_RC_H + TPM_RC_1)
+#define RC_ClearControl_disable (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_ClearControl(
+ ClearControl_In *in // IN: input parameter list
+ );
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Clear_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Clear_fp.h
new file mode 100644
index 0000000..f12e6bc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Clear_fp.h
@@ -0,0 +1,78 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Clear_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef CLEAR_FP_H
+#define CLEAR_FP_H
+
+typedef struct {
+ TPMI_RH_CLEAR authHandle;
+} Clear_In;
+
+#define RC_Clear_authHandle (TPM_RC_H + TPM_RC_1)
+
+TPM_RC
+TPM2_Clear(
+ Clear_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ClockRateAdjust_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ClockRateAdjust_fp.h
new file mode 100644
index 0000000..e66d153
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ClockRateAdjust_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ClockRateAdjust_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef CLOCKRATEADJUST_FP_H
+#define CLOCKRATEADJUST_FP_H
+
+typedef struct {
+ TPMI_RH_PROVISION auth;
+ TPM_CLOCK_ADJUST rateAdjust;
+} ClockRateAdjust_In;
+
+#define RC_ClockRateAdjust_auth (TPM_RC_H + TPM_RC_1)
+#define RC_ClockRateAdjust_rateAdjust (TPM_RC_P + TPM_RC_1)
+
+
+TPM_RC
+TPM2_ClockRateAdjust(
+ ClockRateAdjust_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ClockSet_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ClockSet_fp.h
new file mode 100644
index 0000000..c62ea97
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ClockSet_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ClockSet_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef CLOCKSET_FP_H
+#define CLOCKSET_FP_H
+
+typedef struct {
+ TPMI_RH_PROVISION auth;
+ UINT64 newTime;
+} ClockSet_In;
+
+#define RC_ClockSet_auth (TPM_RC_H + TPM_RC_1)
+#define RC_ClockSet_newTime (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_ClockSet(
+ ClockSet_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Commit_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Commit_fp.h
new file mode 100644
index 0000000..653dd53
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Commit_fp.h
@@ -0,0 +1,94 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Commit_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef COMMIT_FP_H
+#define COMMIT_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT signHandle;
+ TPM2B_ECC_POINT P1;
+ TPM2B_SENSITIVE_DATA s2;
+ TPM2B_ECC_PARAMETER y2;
+} Commit_In;
+
+#define RC_Commit_signHandle (TPM_RC_H + TPM_RC_1)
+#define RC_Commit_P1 (TPM_RC_P + TPM_RC_1)
+#define RC_Commit_s2 (TPM_RC_P + TPM_RC_2)
+#define RC_Commit_y2 (TPM_RC_P + TPM_RC_3)
+
+typedef struct {
+ TPM2B_ECC_POINT K;
+ TPM2B_ECC_POINT L;
+ TPM2B_ECC_POINT E;
+ UINT16 counter;
+} Commit_Out;
+
+TPM_RC
+TPM2_Commit(
+ Commit_In *in, // IN: input parameter list
+ Commit_Out *out // OUT: output parameter list
+ );
+
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ContextLoad_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ContextLoad_fp.h
new file mode 100644
index 0000000..5742f7f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ContextLoad_fp.h
@@ -0,0 +1,84 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ContextLoad_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef CONTEXTLOAD_FP_H
+#define CONTEXTLOAD_FP_H
+
+typedef struct {
+ TPMS_CONTEXT context;
+} ContextLoad_In;
+
+#define RC_ContextLoad_context (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPMI_DH_CONTEXT loadedHandle;
+} ContextLoad_Out;
+
+TPM_RC
+TPM2_ContextLoad(
+ ContextLoad_In *in, // IN: input parameter list
+ ContextLoad_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ContextSave_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ContextSave_fp.h
new file mode 100644
index 0000000..bfb1711
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ContextSave_fp.h
@@ -0,0 +1,84 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ContextSave_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef CONTEXTSAVE_FP_H
+#define CONTEXTSAVE_FP_H
+
+typedef struct {
+ TPMI_DH_CONTEXT saveHandle;
+} ContextSave_In;
+
+#define RC_ContextSave_saveHandle (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPMS_CONTEXT context;
+} ContextSave_Out;
+
+TPM_RC
+TPM2_ContextSave(
+ ContextSave_In *in, // IN: input parameter list
+ ContextSave_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateEndorsementKeyPair_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateEndorsementKeyPair_fp.h
new file mode 100644
index 0000000..a183ba0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateEndorsementKeyPair_fp.h
@@ -0,0 +1,64 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 CreateEndorsementKeyPair */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: CreateEndorsementKeyPair_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef CREATEENDORSEMENTKEYPAIR_FP_H
+#define CREATEENDORSEMENTKEYPAIR_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM_NONCE antiReplay;
+ TPM_KEY_PARMS keyInfo;
+} CreateEndorsementKeyPair_In;
+
+typedef struct {
+ TPM_PUBKEY pubEndorsementKey;
+ TPM_DIGEST checksum;
+} CreateEndorsementKeyPair_Out;
+
+TPM_RC
+TPM2_CreateEndorsementKeyPair(
+ CreateEndorsementKeyPair_In *in, // IN: input parameter buffer
+ CreateEndorsementKeyPair_Out *out // OUT: output parameter buffer
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateLoaded_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateLoaded_fp.h
new file mode 100644
index 0000000..a6792c1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateLoaded_fp.h
@@ -0,0 +1,90 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: CreateLoaded_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+#ifndef CREATELOADED_FP_H
+#define CREATELOADED_FP_H
+
+/* rev 136 */
+
+typedef struct {
+ TPMI_DH_PARENT parentHandle;
+ TPM2B_SENSITIVE_CREATE inSensitive;
+ TPM2B_TEMPLATE inPublic;
+} CreateLoaded_In;
+
+#define RC_CreateLoaded_parentHandle (TPM_RC_H + TPM_RC_1)
+#define RC_CreateLoaded_inSensitive (TPM_RC_P + TPM_RC_1)
+#define RC_CreateLoaded_inPublic (TPM_RC_P + TPM_RC_2)
+
+typedef struct {
+ TPM_HANDLE objectHandle;
+ TPM2B_PRIVATE outPrivate;
+ TPM2B_PUBLIC outPublic;
+ TPM2B_NAME name;
+} CreateLoaded_Out;
+
+TPM_RC
+TPM2_CreateLoaded(
+ CreateLoaded_In *in, // IN: input parameter list
+ CreateLoaded_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreatePrimary_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreatePrimary_fp.h
new file mode 100644
index 0000000..958293b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreatePrimary_fp.h
@@ -0,0 +1,96 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: CreatePrimary_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef CREATEPRIMARY_FP_H
+#define CREATEPRIMARY_FP_H
+
+typedef struct {
+ TPMI_RH_HIERARCHY primaryHandle;
+ TPM2B_SENSITIVE_CREATE inSensitive;
+ TPM2B_PUBLIC inPublic;
+ TPM2B_DATA outsideInfo;
+ TPML_PCR_SELECTION creationPCR;
+} CreatePrimary_In;
+
+#define RC_CreatePrimary_primaryHandle (TPM_RC_H + TPM_RC_1)
+#define RC_CreatePrimary_inSensitive (TPM_RC_P + TPM_RC_1)
+#define RC_CreatePrimary_inPublic (TPM_RC_P + TPM_RC_2)
+#define RC_CreatePrimary_outsideInfo (TPM_RC_P + TPM_RC_3)
+#define RC_CreatePrimary_creationPCR (TPM_RC_P + TPM_RC_4)
+
+typedef struct {
+ TPM_HANDLE objectHandle;
+ TPM2B_PUBLIC outPublic;
+ TPM2B_CREATION_DATA creationData;
+ TPM2B_DIGEST creationHash;
+ TPMT_TK_CREATION creationTicket;
+ TPM2B_NAME name;
+} CreatePrimary_Out;
+
+TPM_RC
+TPM2_CreatePrimary(
+ CreatePrimary_In *in, // IN: input parameter list
+ CreatePrimary_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateWrapKey_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateWrapKey_fp.h
new file mode 100644
index 0000000..a078d22
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/CreateWrapKey_fp.h
@@ -0,0 +1,65 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 CreateWrapKey */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: CreateWrapKey_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef CREATEWRAPKEY_FP_H
+#define CREATEWRAPKEY_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM_KEY_HANDLE parentHandle;
+ TPM_ENCAUTH dataUsageAuth;
+ TPM_ENCAUTH dataMigrationAuth;
+ TPM_KEY12 keyInfo;
+} CreateWrapKey_In;
+
+typedef struct {
+ TPM_KEY12 wrappedKey;
+} CreateWrapKey_Out;
+
+TPM_RC
+TPM2_CreateWrapKey(
+ CreateWrapKey_In *in, // IN: input parameter buffer
+ CreateWrapKey_Out *out // OUT: output parameter buffer
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Create_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Create_fp.h
new file mode 100644
index 0000000..95eca61
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Create_fp.h
@@ -0,0 +1,96 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Create_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 137 */
+
+#ifndef CREATE_FP_H
+#define CREATE_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT parentHandle;
+ TPM2B_SENSITIVE_CREATE inSensitive;
+ TPM2B_PUBLIC inPublic;
+ TPM2B_DATA outsideInfo;
+ TPML_PCR_SELECTION creationPCR;
+} Create_In;
+
+#define RC_Create_parentHandle (TPM_RC_H + TPM_RC_1)
+#define RC_Create_inSensitive (TPM_RC_P + TPM_RC_1)
+#define RC_Create_inPublic (TPM_RC_P + TPM_RC_2)
+#define RC_Create_outsideInfo (TPM_RC_P + TPM_RC_3)
+#define RC_Create_creationPCR (TPM_RC_P + TPM_RC_4)
+
+typedef struct {
+ TPM2B_PRIVATE outPrivate;
+ TPM2B_PUBLIC outPublic;
+ TPM2B_CREATION_DATA creationData;
+ TPM2B_DIGEST creationHash;
+ TPMT_TK_CREATION creationTicket;
+} Create_Out;
+
+TPM_RC
+TPM2_Create(
+ Create_In *in, // IN: input parameter list
+ Create_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/DictionaryAttackLockReset_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/DictionaryAttackLockReset_fp.h
new file mode 100644
index 0000000..6ef8ea2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/DictionaryAttackLockReset_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: DictionaryAttackLockReset_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef DICTIONARYATTACKLOCKRESET_FP_H
+#define DICTIONARYATTACKLOCKRESET_FP_H
+
+typedef struct {
+ TPMI_RH_LOCKOUT lockHandle;
+} DictionaryAttackLockReset_In;
+
+#define RC_DictionaryAttackLockReset_lockHandle (TPM_RC_H + TPM_RC_1)
+
+TPM_RC
+TPM2_DictionaryAttackLockReset(
+ DictionaryAttackLockReset_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/DictionaryAttackParameters_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/DictionaryAttackParameters_fp.h
new file mode 100644
index 0000000..86903c3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/DictionaryAttackParameters_fp.h
@@ -0,0 +1,86 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: DictionaryAttackParameters_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef DICTIONARYATTACKPARAMETERS_FP_H
+#define DICTIONARYATTACKPARAMETERS_FP_H
+
+
+typedef struct {
+ TPMI_RH_LOCKOUT lockHandle;
+ UINT32 newMaxTries;
+ UINT32 newRecoveryTime;
+ UINT32 lockoutRecovery;
+} DictionaryAttackParameters_In;
+
+#define RC_DictionaryAttackParameters_lockHandle (TPM_RC_H + TPM_RC_1)
+#define RC_DictionaryAttackParameters_newMaxTries (TPM_RC_P + TPM_RC_1)
+#define RC_DictionaryAttackParameters_newRecoveryTime (TPM_RC_P + TPM_RC_2)
+#define RC_DictionaryAttackParameters_lockoutRecovery (TPM_RC_P + TPM_RC_3)
+
+TPM_RC
+TPM2_DictionaryAttackParameters(
+ DictionaryAttackParameters_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Duplicate_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Duplicate_fp.h
new file mode 100644
index 0000000..97693be
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Duplicate_fp.h
@@ -0,0 +1,91 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Duplicate_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef DUPLICATE_FP_H
+#define DUPLICATE_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT objectHandle;
+ TPMI_DH_OBJECT newParentHandle;
+ TPM2B_DATA encryptionKeyIn;
+ TPMT_SYM_DEF_OBJECT symmetricAlg;
+} Duplicate_In;
+
+typedef struct {
+ TPM2B_DATA encryptionKeyOut;
+ TPM2B_PRIVATE duplicate;
+ TPM2B_ENCRYPTED_SECRET outSymSeed;
+} Duplicate_Out;
+
+#define RC_Duplicate_objectHandle (TPM_RC_H + TPM_RC_1)
+#define RC_Duplicate_newParentHandle (TPM_RC_H + TPM_RC_2)
+#define RC_Duplicate_encryptionKeyIn (TPM_RC_P + TPM_RC_1)
+#define RC_Duplicate_symmetricAlg (TPM_RC_P + TPM_RC_2)
+
+TPM_RC
+TPM2_Duplicate(
+ Duplicate_In *in, // IN: input parameter list
+ Duplicate_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ECC_Parameters_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ECC_Parameters_fp.h
new file mode 100644
index 0000000..18bc2a3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ECC_Parameters_fp.h
@@ -0,0 +1,84 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ECC_Parameters_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef ECC_PARAMETERS_FP_H
+#define ECC_PARAMETERS_FP_H
+
+typedef struct {
+ TPMI_ECC_CURVE curveID;
+} ECC_Parameters_In;
+
+#define RC_ECC_Parameters_curveID (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPMS_ALGORITHM_DETAIL_ECC parameters;
+} ECC_Parameters_Out;
+
+TPM_RC
+TPM2_ECC_Parameters(
+ ECC_Parameters_In *in, // IN: input parameter list
+ ECC_Parameters_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ECDH_KeyGen_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ECDH_KeyGen_fp.h
new file mode 100644
index 0000000..9ff523f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ECDH_KeyGen_fp.h
@@ -0,0 +1,85 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ECDH_KeyGen_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef ECDH_KEYGEN_FP_H
+#define ECDH_KEYGEN_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT keyHandle;
+} ECDH_KeyGen_In;
+
+#define RC_ECDH_KeyGen_keyHandle (TPM_RC_H + TPM_RC_1)
+
+typedef struct {
+ TPM2B_ECC_POINT zPoint;
+ TPM2B_ECC_POINT pubPoint;
+} ECDH_KeyGen_Out;
+
+TPM_RC
+TPM2_ECDH_KeyGen(
+ ECDH_KeyGen_In *in, // IN: input parameter list
+ ECDH_KeyGen_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ECDH_ZGen_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ECDH_ZGen_fp.h
new file mode 100644
index 0000000..f93fe15
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ECDH_ZGen_fp.h
@@ -0,0 +1,86 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ECDH_ZGen_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef ECDH_ZGEN_FP_H
+#define ECDH_ZGEN_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT keyHandle;
+ TPM2B_ECC_POINT inPoint;
+} ECDH_ZGen_In;
+
+#define RC_ECDH_ZGen_keyHandle (TPM_RC_H + TPM_RC_1)
+#define RC_ECDH_ZGen_inPoint (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPM2B_ECC_POINT outPoint;
+} ECDH_ZGen_Out;
+
+TPM_RC
+TPM2_ECDH_ZGen(
+ ECDH_ZGen_In *in, // IN: input parameter list
+ ECDH_ZGen_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/EC_Ephemeral_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/EC_Ephemeral_fp.h
new file mode 100644
index 0000000..6797623
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/EC_Ephemeral_fp.h
@@ -0,0 +1,84 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: EC_Ephemeral_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef EC_EPHEMERAL_FP_H
+#define EC_EPHEMERAL_FP_H
+
+typedef struct {
+ TPMI_ECC_CURVE curveID;
+} EC_Ephemeral_In;
+
+#define RC_EC_Ephemeral_curveID (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPM2B_ECC_POINT Q;
+ UINT16 counter;
+} EC_Ephemeral_Out;
+
+TPM_RC
+TPM2_EC_Ephemeral(
+ EC_Ephemeral_In *in, // IN: input parameter list
+ EC_Ephemeral_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/EncryptDecrypt2_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/EncryptDecrypt2_fp.h
new file mode 100644
index 0000000..cff3a64
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/EncryptDecrypt2_fp.h
@@ -0,0 +1,93 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: EncryptDecrypt2_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015, 2016 */
+/* */
+/********************************************************************************/
+
+/* rev 146*/
+
+#ifndef ENCRYPTDECRYPT2_FP_H
+#define ENCRYPTDECRYPT2_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT keyHandle;
+ TPM2B_MAX_BUFFER inData;
+ TPMI_YES_NO decrypt;
+ TPMI_ALG_CIPHER_MODE mode;
+ TPM2B_IV ivIn;
+} EncryptDecrypt2_In;
+
+#define RC_EncryptDecrypt2_keyHandle (TPM_RC_H + TPM_RC_1)
+#define RC_EncryptDecrypt2_inData (TPM_RC_P + TPM_RC_1)
+#define RC_EncryptDecrypt2_decrypt (TPM_RC_P + TPM_RC_2)
+#define RC_EncryptDecrypt2_mode (TPM_RC_P + TPM_RC_3)
+#define RC_EncryptDecrypt2_ivIn (TPM_RC_P + TPM_RC_4)
+
+typedef struct {
+ TPM2B_MAX_BUFFER outData;
+ TPM2B_IV ivOut;
+} EncryptDecrypt2_Out;
+
+TPM_RC
+TPM2_EncryptDecrypt2(
+ EncryptDecrypt2_In *in, // IN: input parameter list
+ EncryptDecrypt2_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/EncryptDecrypt_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/EncryptDecrypt_fp.h
new file mode 100644
index 0000000..57b0872
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/EncryptDecrypt_fp.h
@@ -0,0 +1,93 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: EncryptDecrypt_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 146 */
+
+#ifndef ENCRYPTDECRYPT_FP_H
+#define ENCRYPTDECRYPT_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT keyHandle;
+ TPMI_YES_NO decrypt;
+ TPMI_ALG_CIPHER_MODE mode;
+ TPM2B_IV ivIn;
+ TPM2B_MAX_BUFFER inData;
+} EncryptDecrypt_In;
+
+#define RC_EncryptDecrypt_keyHandle (TPM_RC_H + TPM_RC_1)
+#define RC_EncryptDecrypt_decrypt (TPM_RC_P + TPM_RC_1)
+#define RC_EncryptDecrypt_mode (TPM_RC_P + TPM_RC_2)
+#define RC_EncryptDecrypt_ivIn (TPM_RC_P + TPM_RC_3)
+#define RC_EncryptDecrypt_inData (TPM_RC_P + TPM_RC_4)
+
+typedef struct {
+ TPM2B_MAX_BUFFER outData;
+ TPM2B_IV ivOut;
+} EncryptDecrypt_Out;
+
+TPM_RC
+TPM2_EncryptDecrypt(
+ EncryptDecrypt_In *in, // IN: input parameter list
+ EncryptDecrypt_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/EventSequenceComplete_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/EventSequenceComplete_fp.h
new file mode 100644
index 0000000..e58837e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/EventSequenceComplete_fp.h
@@ -0,0 +1,88 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: EventSequenceComplete_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef EVENTSEQUENCECOMPLETE_FP_H
+#define EVENTSEQUENCECOMPLETE_FP_H
+
+typedef struct {
+ TPMI_DH_PCR pcrHandle;
+ TPMI_DH_OBJECT sequenceHandle;
+ TPM2B_MAX_BUFFER buffer;
+} EventSequenceComplete_In;
+
+#define RC_EventSequenceComplete_pcrHandle (TPM_RC_H + TPM_RC_1)
+#define RC_EventSequenceComplete_sequenceHandle (TPM_RC_H + TPM_RC_2)
+#define RC_EventSequenceComplete_buffer (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPML_DIGEST_VALUES results;
+} EventSequenceComplete_Out;
+
+TPM_RC
+TPM2_EventSequenceComplete(
+ EventSequenceComplete_In *in, // IN: input parameter list
+ EventSequenceComplete_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/EvictControl_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/EvictControl_fp.h
new file mode 100644
index 0000000..1b31c49
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/EvictControl_fp.h
@@ -0,0 +1,82 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: EvictControl_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef EVICTCONTROL_FP_H
+#define EVICTCONTROL_FP_H
+
+typedef struct {
+ TPMI_RH_PROVISION auth;
+ TPMI_DH_OBJECT objectHandle;
+ TPMI_DH_PERSISTENT persistentHandle;
+} EvictControl_In;
+
+#define RC_EvictControl_auth (TPM_RC_H + TPM_RC_1)
+#define RC_EvictControl_objectHandle (TPM_RC_H + TPM_RC_2)
+#define RC_EvictControl_persistentHandle (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_EvictControl(
+ EvictControl_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Extend_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Extend_fp.h
new file mode 100644
index 0000000..197e4c8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Extend_fp.h
@@ -0,0 +1,64 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 Extend */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Extend_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef EXTEND_FP_H
+#define EXTEND_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+
+ TPM_PCRINDEX pcrNum;
+ TPM_DIGEST inDigest;
+} Extend_In;
+
+typedef struct {
+ TPM_PCRVALUE outDigest;
+} Extend_Out;
+
+TPM_RC
+TPM2_Extend(
+ Extend_In *in, // IN: input parameter buffer
+ Extend_Out *out // OUT: output parameter buffer
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/FlushContext_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/FlushContext_fp.h
new file mode 100644
index 0000000..97b22e5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/FlushContext_fp.h
@@ -0,0 +1,78 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: FlushContext_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef FLUSHCONTEXT_FP_H
+#define FLUSHCONTEXT_FP_H
+
+typedef struct {
+ TPMI_DH_CONTEXT flushHandle;
+} FlushContext_In;
+
+#define RC_FlushContext_flushHandle (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_FlushContext(
+ FlushContext_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/FlushSpecific_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/FlushSpecific_fp.h
new file mode 100644
index 0000000..59b6751
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/FlushSpecific_fp.h
@@ -0,0 +1,58 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 FlushSpecific */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: FlushSpecific_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef FLUSHSPECIFIC_FP_H
+#define FLUSHSPECIFIC_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM_HANDLE handle;
+ TPM_RESOURCE_TYPE resourceType;
+} FlushSpecific_In;
+
+TPM_RC
+TPM2_FlushSpecific(
+ FlushSpecific_In *in // IN: input parameter buffer
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCapability12_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCapability12_fp.h
new file mode 100644
index 0000000..a1c47a0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCapability12_fp.h
@@ -0,0 +1,65 @@
+/********************************************************************************/
+/* */
+/* Get Capability for TPM 1.2 */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef GETCAPABILITY12_FP_H
+#define GETCAPABILITY12_FP_H
+
+typedef struct {
+ TPM_CAPABILITY_AREA capArea;
+ UINT32 subCapSize;
+ uint8_t subCap[MAX_RESPONSE_SIZE];
+} GetCapability12_In;
+
+#define RC_GetCapability12_capArea (TPM_RC_P + TPM_RC_1)
+#define RC_GetCapability12_subCapSize (TPM_RC_P + TPM_RC_2)
+#define RC_GetCapability12_subcap (TPM_RC_P + TPM_RC_3)
+
+typedef struct {
+ UINT32 respSize;
+ uint8_t resp[MAX_RESPONSE_SIZE];
+} GetCapability12_Out;
+
+
+TPM_RC
+TPM2_GetCapability12(
+ GetCapability12_In *in, // IN: input parameter list
+ GetCapability12_Out *out // OUT: output parameter list
+ );
+
+
+#endif
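Review bot: Unlike the sibling FlushSpecific_fp.h earlier in this series, which pulls in `<ibmtss/tpmtypes12.h>` and `<ibmtss/Implementation.h>`, this header uses TPM_CAPABILITY_AREA, UINT32, MAX_RESPONSE_SIZE and the TPM_RC_* constants without any include, so it only compiles when the including file has already brought those in by accident of order; adding `#include <ibmtss/tpmtypes12.h>` and `#include <ibmtss/Implementation.h>` right after the include guard would make it self-contained like its sibling. The struct members are also undocumented, and the length fields are the ones a marshaler must bound: a comment such as `UINT32 subCapSize; // valid bytes in subCap; must never exceed MAX_RESPONSE_SIZE` and the matching `UINT32 respSize; // valid bytes in resp` would record the invariant that the marshal/unmarshal code presumably enforces elsewhere in this series.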
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCapability_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCapability_fp.h
new file mode 100644
index 0000000..7257613
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCapability_fp.h
@@ -0,0 +1,90 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: GetCapability_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef GETCAPABILITY_FP_H
+#define GETCAPABILITY_FP_H
+
+typedef struct {
+ TPM_CAP capability;
+ UINT32 property;
+ UINT32 propertyCount;
+} GetCapability_In;
+
+#define RC_GetCapability_capability (TPM_RC_P + TPM_RC_1)
+#define RC_GetCapability_property (TPM_RC_P + TPM_RC_2)
+#define RC_GetCapability_propertyCount (TPM_RC_P + TPM_RC_3)
+
+typedef struct {
+ TPMI_YES_NO moreData;
+ TPMS_CAPABILITY_DATA capabilityData;
+} GetCapability_Out;
+
+
+TPM_RC
+TPM2_GetCapability(
+ GetCapability_In *in, // IN: input parameter list
+ GetCapability_Out *out // OUT: output parameter list
+ );
+
+
+#endif
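Review bot: The GetCapability_In and GetCapability_Out members carry no documentation, and two of them are easy to misread. `propertyCount` is the maximum number of values the caller is asking for, not a guaranteed count, and `moreData` is the TPM's signal that further values of the requested capability exist beyond what fit in `capabilityData`; a comment such as `TPMI_YES_NO moreData; // YES if more values remain; re-issue with the next property value to page` and `UINT32 propertyCount; // requested maximum; the actual count comes back inside capabilityData` would stop callers from treating a single response as complete.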
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCommandAuditDigest_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCommandAuditDigest_fp.h
new file mode 100644
index 0000000..71a5f15
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetCommandAuditDigest_fp.h
@@ -0,0 +1,91 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: GetCommandAuditDigest_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef GETCOMMANDAUDITDIGEST_FP_H
+#define GETCOMMANDAUDITDIGEST_FP_H
+
+typedef struct {
+ TPMI_RH_ENDORSEMENT privacyHandle;
+ TPMI_DH_OBJECT signHandle;
+ TPM2B_DATA qualifyingData;
+ TPMT_SIG_SCHEME inScheme;
+} GetCommandAuditDigest_In;
+
+#define RC_GetCommandAuditDigest_privacyHandle (TPM_RC_H + TPM_RC_1)
+#define RC_GetCommandAuditDigest_signHandle (TPM_RC_H + TPM_RC_2)
+#define RC_GetCommandAuditDigest_qualifyingData (TPM_RC_P + TPM_RC_1)
+#define RC_GetCommandAuditDigest_inScheme (TPM_RC_P + TPM_RC_2)
+
+typedef struct {
+ TPM2B_ATTEST auditInfo;
+ TPMT_SIGNATURE signature;
+} GetCommandAuditDigest_Out;
+
+TPM_RC
+TPM2_GetCommandAuditDigest(
+ GetCommandAuditDigest_In *in, // IN: input parameter list
+ GetCommandAuditDigest_Out *out // OUT: output parameter list
+ );
+
+
+#endif
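Review bot: The GetCommandAuditDigest_Out members hold an attestation structure and its signature, but nothing states that `auditInfo` is only trustworthy once `signature` has been verified against the public key of `signHandle` and the nonce in `qualifyingData` has been matched against the caller's own value; a comment on the signature member such as `TPMT_SIGNATURE signature; // over the marshaled auditInfo; verify with signHandle's public key before trusting auditInfo` would make that contract explicit at the declaration. The same applies to the identical `_Out` layouts in GetSessionAuditDigest_fp.h and GetTime_fp.h later in this series, where `qualifyingData` likewise serves as the caller's freshness nonce.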
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetRandom_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetRandom_fp.h
new file mode 100644
index 0000000..438da95
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetRandom_fp.h
@@ -0,0 +1,84 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: GetRandom_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef GETRANDOM_FP_H
+#define GETRANDOM_FP_H
+
+typedef struct {
+ UINT16 bytesRequested;
+} GetRandom_In;
+
+#define RC_GetRandom_bytesRequested (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPM2B_DIGEST randomBytes;
+} GetRandom_Out;
+
+TPM_RC
+TPM2_GetRandom(
+ GetRandom_In *in, // IN: input parameter list
+ GetRandom_Out *out // OUT: output parameter list
+ );
+
+
+#endif
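Review bot: `randomBytes` is declared as a TPM2B_DIGEST, so the response buffer holds at most the largest digest size the build supports, while `bytesRequested` is a UINT16 that can ask for far more; per the TPM 2.0 specification TPM2_GetRandom returns only as many bytes as fit. A comment on the request member such as `UINT16 bytesRequested; // TPM returns at most sizeof randomBytes.t.buffer bytes; callers needing more must loop and must use randomBytes.t.size, never bytesRequested` would prevent a caller from reading past the valid bytes of the response.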
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetSessionAuditDigest_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetSessionAuditDigest_fp.h
new file mode 100644
index 0000000..b49c8cd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetSessionAuditDigest_fp.h
@@ -0,0 +1,93 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: GetSessionAuditDigest_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef GETSESSIONAUDITDIGEST_FP_H
+#define GETSESSIONAUDITDIGEST_FP_H
+
+typedef struct {
+ TPMI_RH_ENDORSEMENT privacyAdminHandle;
+ TPMI_DH_OBJECT signHandle;
+ TPMI_SH_HMAC sessionHandle;
+ TPM2B_DATA qualifyingData;
+ TPMT_SIG_SCHEME inScheme;
+} GetSessionAuditDigest_In;
+
+#define RC_GetSessionAuditDigest_privacyAdminHandle (TPM_RC_H + TPM_RC_1)
+#define RC_GetSessionAuditDigest_signHandle (TPM_RC_H + TPM_RC_2)
+#define RC_GetSessionAuditDigest_sessionHandle (TPM_RC_H + TPM_RC_3)
+#define RC_GetSessionAuditDigest_qualifyingData (TPM_RC_P + TPM_RC_1)
+#define RC_GetSessionAuditDigest_inScheme (TPM_RC_P + TPM_RC_2)
+
+typedef struct {
+ TPM2B_ATTEST auditInfo;
+ TPMT_SIGNATURE signature;
+} GetSessionAuditDigest_Out;
+
+TPM_RC
+TPM2_GetSessionAuditDigest(
+ GetSessionAuditDigest_In *in, // IN: input parameter list
+ GetSessionAuditDigest_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetTestResult_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetTestResult_fp.h
new file mode 100644
index 0000000..4c4c716
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetTestResult_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: GetTestResult_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2016 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef GETTESTRESULT_FP_H
+#define GETTESTRESULT_FP_H
+
+typedef struct{
+ TPM2B_MAX_BUFFER outData;
+ TPM_RC testResult;
+} GetTestResult_Out;
+
+
+ TPM_RC
+TPM2_GetTestResult(
+ GetTestResult_Out *out // OUT: output parameter list
+ );
+
+
+#endif
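Review bot: The formatting in this header drifts from every other *_fp.h in the series: `typedef struct{` lacks the space before the brace and the `TPM_RC` return type on the prototype carries a stray leading space; `typedef struct {` and an unindented `TPM_RC` would match the siblings. Since both `testResult` and the function's return value are TPM_RC, a one-line comment such as `TPM_RC testResult; // outcome of the most recent self-test, distinct from this command's own return code` would also remove an obvious source of confusion for callers.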
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetTime_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetTime_fp.h
new file mode 100644
index 0000000..75c5e6c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/GetTime_fp.h
@@ -0,0 +1,91 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: GetTime_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef GETTIME_FP_H
+#define GETTIME_FP_H
+
+typedef struct {
+ TPMI_RH_ENDORSEMENT privacyAdminHandle;
+ TPMI_DH_OBJECT signHandle;
+ TPM2B_DATA qualifyingData;
+ TPMT_SIG_SCHEME inScheme;
+} GetTime_In;
+
+#define RC_GetTime_privacyAdminHandle (TPM_RC_H + TPM_RC_1)
+#define RC_GetTime_signHandle (TPM_RC_H + TPM_RC_2)
+#define RC_GetTime_qualifyingData (TPM_RC_P + TPM_RC_1)
+#define RC_GetTime_inScheme (TPM_RC_P + TPM_RC_2)
+
+typedef struct {
+ TPM2B_ATTEST timeInfo;
+ TPMT_SIGNATURE signature;
+} GetTime_Out;
+
+TPM_RC
+TPM2_GetTime(
+ GetTime_In *in, // IN: input parameter list
+ GetTime_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/HMAC_Start_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/HMAC_Start_fp.h
new file mode 100644
index 0000000..b27b2e5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/HMAC_Start_fp.h
@@ -0,0 +1,88 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: HMAC_Start_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef HMAC_START_FP_H
+#define HMAC_START_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT handle;
+ TPM2B_AUTH auth;
+ TPMI_ALG_HASH hashAlg;
+} HMAC_Start_In;
+
+typedef struct {
+ TPMI_DH_OBJECT sequenceHandle;
+} HMAC_Start_Out;
+
+#define RC_HMAC_Start_handle (TPM_RC_H + TPM_RC_1)
+#define RC_HMAC_Start_auth (TPM_RC_P + TPM_RC_1)
+#define RC_HMAC_Start_hashAlg (TPM_RC_P + TPM_RC_2)
+
+TPM_RC
+TPM2_HMAC_Start(
+ HMAC_Start_In *in, // IN: input parameter list
+ HMAC_Start_Out *out // OUT: output parameter list
+ );
+
+
+#endif
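Review bot: HMAC_Start_In.auth is the authorization value that will protect the new sequence object, i.e. a caller-supplied secret, and the declaration does not say so; a comment such as `TPM2B_AUTH auth; // secret authValue for the new sequence object; callers should clear the struct after the call` would flag it for code that keeps the input structure around. As a minor style point the RC_HMAC_Start_* macros are placed after the _Out struct here, whereas the sibling headers in this series put them between the _In and _Out definitions.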
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/HMAC_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/HMAC_fp.h
new file mode 100644
index 0000000..aace922
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/HMAC_fp.h
@@ -0,0 +1,88 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: HMAC_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef HMAC_FP_H
+#define HMAC_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT handle;
+ TPM2B_MAX_BUFFER buffer;
+ TPMI_ALG_HASH hashAlg;
+} HMAC_In;
+
+#define RC_HMAC_handle (TPM_RC_H + TPM_RC_1)
+#define RC_HMAC_buffer (TPM_RC_P + TPM_RC_1)
+#define RC_HMAC_hashAlg (TPM_RC_P + TPM_RC_2)
+
+typedef struct {
+ TPM2B_DIGEST outHMAC;
+} HMAC_Out;
+
+TPM_RC
+TPM2_HMAC(
+ HMAC_In *in, // IN: input parameter list
+ HMAC_Out *out // OUT: output parameter list
+ );
+
+
+#endif
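Review bot: HMAC_fp.h uses TPMI_DH_OBJECT, TPM2B_MAX_BUFFER, TPMI_ALG_HASH, TPM2B_DIGEST and TPM_RC but includes nothing, so it only compiles when the including translation unit has already pulled in the TPM type definitions; the HashSequenceStart_fp.h, Hash_fp.h, HierarchyChangeAuth_fp.h and HierarchyControl_fp.h hunks below have the same shape. Implementation.h in this same change shows the project's include form (`#include <ibmtss/...>`), so adding the include for the header that defines these types directly under the `#define HMAC_FP_H` guard would make each header self-contained and safe to include in any order. Since `in` is documented as "IN: input parameter list" and is never written through, `const HMAC_In *in` would also let the compiler enforce that, though that diverges from the reference-implementation style these headers appear to mirror, so treat it as optional.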
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/HashSequenceStart_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/HashSequenceStart_fp.h
new file mode 100644
index 0000000..7a5bd11
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/HashSequenceStart_fp.h
@@ -0,0 +1,88 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: HashSequenceStart_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef HASHSEQUENCESTART_FP_H
+#define HASHSEQUENCESTART_FP_H
+
+typedef struct {
+ TPM2B_AUTH auth;
+ TPMI_ALG_HASH hashAlg;
+} HashSequenceStart_In;
+
+#define RC_HashSequenceStart_auth (TPM_RC_P + TPM_RC_1)
+#define RC_HashSequenceStart_hashAlg (TPM_RC_P + TPM_RC_2)
+
+typedef struct {
+ TPMI_DH_OBJECT sequenceHandle;
+} HashSequenceStart_Out;
+
+
+
+TPM_RC
+TPM2_HashSequenceStart(
+ HashSequenceStart_In *in, // IN: input parameter list
+ HashSequenceStart_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Hash_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Hash_fp.h
new file mode 100644
index 0000000..7e3a009
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Hash_fp.h
@@ -0,0 +1,89 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Hash_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef HASH_FP_H
+#define HASH_FP_H
+
+typedef struct {
+ TPM2B_MAX_BUFFER data;
+ TPMI_ALG_HASH hashAlg;
+ TPMI_RH_HIERARCHY hierarchy;
+} Hash_In;
+
+#define RC_Hash_data (TPM_RC_P + TPM_RC_1)
+#define RC_Hash_hashAlg (TPM_RC_P + TPM_RC_2)
+#define RC_Hash_hierarchy (TPM_RC_P + TPM_RC_3)
+
+typedef struct {
+ TPM2B_DIGEST outHash;
+ TPMT_TK_HASHCHECK validation;
+} Hash_Out;
+
+TPM_RC
+TPM2_Hash(
+ Hash_In *in, // IN: input parameter list
+ Hash_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/HierarchyChangeAuth_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/HierarchyChangeAuth_fp.h
new file mode 100644
index 0000000..df6278a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/HierarchyChangeAuth_fp.h
@@ -0,0 +1,80 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: HierarchyChangeAuth_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef HIERARCHYCHANGEAUTH_FP_H
+#define HIERARCHYCHANGEAUTH_FP_H
+
+typedef struct {
+ TPMI_RH_HIERARCHY_AUTH authHandle;
+ TPM2B_AUTH newAuth;
+} HierarchyChangeAuth_In;
+
+#define RC_HierarchyChangeAuth_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_HierarchyChangeAuth_newAuth (TPM_RC_P + TPM_RC_2)
+
+TPM_RC
+TPM2_HierarchyChangeAuth(
+ HierarchyChangeAuth_In *in // IN: input parameter list
+ );
+
+#endif
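Review bot: `RC_HierarchyChangeAuth_newAuth` is defined as `(TPM_RC_P + TPM_RC_2)` even though newAuth is the first (and only) parameter in HierarchyChangeAuth_In — authHandle is a handle and is already numbered under TPM_RC_H. Every sibling header in this change numbers its first parameter TPM_RC_1 (RC_HMAC_buffer, RC_Hash_data, RC_HashSequenceStart_auth, RC_HierarchyControl_enable), so this looks like an off-by-one; if anything maps a TPM_RC_P-tagged response back to a parameter through these macros it would name a parameter that does not exist. Suggest `#define RC_HierarchyChangeAuth_newAuth (TPM_RC_P + TPM_RC_1)`, after confirming against the TPM 2.0 Part 3 parameter numbering for the command, since this is vendored code and the fix would need to go upstream to stay in sync.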
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/HierarchyControl_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/HierarchyControl_fp.h
new file mode 100644
index 0000000..e774f6d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/HierarchyControl_fp.h
@@ -0,0 +1,83 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: HierarchyControl_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef HIERARCHYCONTROL_FP_H
+#define HIERARCHYCONTROL_FP_H
+
+typedef struct {
+ TPMI_RH_HIERARCHY authHandle;
+ TPMI_RH_ENABLES enable;
+ TPMI_YES_NO state;
+} HierarchyControl_In;
+
+#define RC_HierarchyControl_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_HierarchyControl_enable (TPM_RC_P + TPM_RC_1)
+#define RC_HierarchyControl_state (TPM_RC_P + TPM_RC_2)
+
+TPM_RC
+TPM2_HierarchyControl(
+ HierarchyControl_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Implementation.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Implementation.h
new file mode 100644
index 0000000..9d63da1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Implementation.h
@@ -0,0 +1,1446 @@
+/********************************************************************************/
+/* */
+/* TSS Implementation Specific Constants */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012 - 2019 */
+/* */
+/********************************************************************************/
+
+/* #define TPM_TSS_SO_0 to get the libibmtss.so.0 values. Leave it undefined to get the new
+ libibmtss.so.1 values.
+
+ The new values are required for a TPM with 4 or more hash algorithms.
+*/
+
+// A.2 Implementation.h
+
+#ifndef _IMPLEMENTATION_H_
+#define _IMPLEMENTATION_H_
+
+#include <ibmtss/TpmBuildSwitches.h>
+#include <ibmtss/BaseTypes.h>
+#include <ibmtss/TPMB.h>
+
+/* Constants for TPM_Types.h structures. Changing these values is likely to break ABI
+ compatiblility.*/
+
+// From Vendor-Specific: Table 4 - Defines for Key Size Constants
+
+#ifdef TPM_TSS_SO_0
+#define MAX_RSA_KEY_BYTES 256
+#else
+#define MAX_RSA_KEY_BYTES 512
+#endif
+
+#ifdef TPM_TSS_SO_0
+#define MAX_ECC_KEY_BYTES 48
+#else
+#define MAX_ECC_KEY_BYTES 128
+#endif
+
+/* This is the PC Client minimum value, and should be used for applications. */
+#define IMPLEMENTATION_PCR 24
+
+#define MAX_HANDLE_NUM 3 /* the maximum number of handles in the handle
+ area */
+#define MAX_ACTIVE_SESSIONS 64 /* the number of simultaneously active sessions that
+ are supported by the TPM implementation */
+#define MAX_SESSION_NUM 3 /* this is the current maximum value */
+
+#ifdef TPM_TSS_SO_0
+#define PCR_SELECT_MAX ((IMPLEMENTATION_PCR+7)/8)
+#else
+/* increased to 8 to handle up to 64 PCRs */
+#define PCR_SELECT_MAX 8
+#endif
+
+#ifdef TPM_TSS_SO_0
+#define MAX_CONTEXT_SIZE 2048
+#else
+#define MAX_CONTEXT_SIZE 5120
+#endif
+
+#define MAX_DIGEST_BUFFER 2048
+#define MAX_NV_BUFFER_SIZE 2048
+#define MAX_CAP_BUFFER 2048
+
+#ifdef TPM_TSS_SO_0
+#define MAX_ALG_LIST_SIZE 64 /* number of algorithms that can be in a list */
+#else
+#define MAX_ALG_LIST_SIZE 128 /* number of algorithms that can be in a list */
+#endif
+
+#define MAX_COMMAND_SIZE 4096 /* maximum size of a command */
+#define MAX_RESPONSE_SIZE 4096 /* maximum size of a response */
+
+#ifdef TPM_TSS_SO_0
+#define MAX_SYM_DATA 128 /* this is the maximum number of octets that
+ may be in a sealed blob. */
+#else
+#define MAX_SYM_DATA 256
+#endif
+
+#ifdef TPM_TSS_SO_0
+/* For the TSS .so.0, the number of digest and PCR banks was originally dependent on the number of
+ supported hash algoriths, using common TPM / TSS code. */
+#define HASH_COUNT 3
+#else
+/* For the TSS .so.1, the number was increased to support a SW TPM with 4 banks (unlikely for a HW
+ TPM) plus future expansion. */
+#define HASH_COUNT 16
+#endif
+
+/* value independent of supported hash algorithms */
+#define LABEL_MAX_BUFFER 48
+#if LABEL_MAX_BUFFER < 32
+#error "The size allowed for the label is not large enough for interoperability."
+#endif
+
+/* hard code maximum independent of the algorithms actually supported */
+#define MAX_SYM_KEY_BYTES 32
+#define MAX_SYM_BLOCK_SIZE 16
+
+#define RSA_DEFAULT_PUBLIC_EXPONENT 0x00010001 /* 2^^16 + 1 */
+
+#undef TRUE
+#undef FALSE
+
+// From TPM 2.0 Part 2: Table 4 - Defines for Logic Values
+
+#define TRUE 1
+#define FALSE 0
+#define YES 1
+#define NO 0
+#define SET 1
+#define CLEAR 0
+
+// Change these definitions to turn all algorithms or commands ON or OFF. That is, to turn all
+// algorithms on, set ALG_NO to YES. This is mostly useful as a debug feature.
+
+#define ALG_YES YES
+#define ALG_NO NO
+#define CC_YES YES
+#define CC_NO NO
+
+// From Vendor-Specific: Table 2 - Defines for Implemented Algorithms
+
+#ifndef ALG_RSA
+#define ALG_RSA ALG_YES
+#endif
+#ifndef ALG_SHA1
+#define ALG_SHA1 ALG_YES
+#endif
+#define ALG_HMAC ALG_YES
+#ifndef ALG_TDES
+#define ALG_TDES ALG_YES
+#endif
+#define ALG_AES ALG_YES
+#define ALG_MGF1 ALG_YES
+#define ALG_XOR ALG_YES
+#define ALG_KEYEDHASH ALG_YES
+#ifndef ALG_SHA256
+#define ALG_SHA256 ALG_YES
+#endif
+#ifndef ALG_SHA384
+#define ALG_SHA384 ALG_YES
+#endif
+#ifndef ALG_SHA512
+#define ALG_SHA512 ALG_YES
+#endif
+#define ALG_SHA3_256 ALG_NO
+#define ALG_SHA3_384 ALG_NO
+#define ALG_SHA3_512 ALG_NO
+#define ALG_SM3_256 ALG_YES
+#define ALG_SM4 ALG_NO
+#define ALG_RSASSA (ALG_YES*ALG_RSA)
+#define ALG_RSAES (ALG_YES*ALG_RSA)
+#define ALG_RSAPSS (ALG_YES*ALG_RSA)
+#define ALG_OAEP (ALG_YES*ALG_RSA)
+#ifndef ALG_ECC
+#define ALG_ECC ALG_YES
+#endif
+#define ALG_ECDH (ALG_YES*ALG_ECC)
+#define ALG_ECDSA (ALG_YES*ALG_ECC)
+#define ALG_ECDAA (ALG_YES*ALG_ECC)
+#define ALG_SM2 (ALG_YES*ALG_ECC)
+#define ALG_ECSCHNORR (ALG_YES*ALG_ECC)
+#define ALG_ECMQV (ALG_NO*ALG_ECC)
+#define ALG_SYMCIPHER ALG_YES
+#define ALG_KDF1_SP800_56A (ALG_YES*ALG_ECC)
+#define ALG_KDF2 ALG_NO
+#define ALG_KDF1_SP800_108 ALG_YES
+#define ALG_CTR ALG_YES
+#define ALG_OFB ALG_YES
+#define ALG_CBC ALG_YES
+#define ALG_CFB ALG_YES
+#define ALG_ECB ALG_YES
+
+// From Vendor-Specific: Table 6 - Defines for Implemented Commands
+
+#define CC_ActivateCredential CC_YES
+#define CC_Certify CC_YES
+#define CC_CertifyCreation CC_YES
+#define CC_CertifyX509 CC_YES
+#define CC_ChangeEPS CC_YES
+#define CC_ChangePPS CC_YES
+#define CC_Clear CC_YES
+#define CC_ClearControl CC_YES
+#define CC_ClockRateAdjust CC_YES
+#define CC_ClockSet CC_YES
+#define CC_Commit (CC_YES*ALG_ECC)
+#define CC_ContextLoad CC_YES
+#define CC_ContextSave CC_YES
+#define CC_Create CC_YES
+#define CC_CreatePrimary CC_YES
+#define CC_DictionaryAttackLockReset CC_YES
+#define CC_DictionaryAttackParameters CC_YES
+#define CC_Duplicate CC_YES
+#define CC_ECC_Parameters (CC_YES*ALG_ECC)
+#define CC_ECDH_KeyGen (CC_YES*ALG_ECC)
+#define CC_ECDH_ZGen (CC_YES*ALG_ECC)
+#define CC_EncryptDecrypt CC_YES
+#define CC_EventSequenceComplete CC_YES
+#define CC_EvictControl CC_YES
+#define CC_FieldUpgradeData CC_NO
+#define CC_FieldUpgradeStart CC_NO
+#define CC_FirmwareRead CC_NO
+#define CC_FlushContext CC_YES
+#define CC_GetCapability CC_YES
+#define CC_GetCommandAuditDigest CC_YES
+#define CC_GetRandom CC_YES
+#define CC_GetSessionAuditDigest CC_YES
+#define CC_GetTestResult CC_YES
+#define CC_GetTime CC_YES
+#define CC_Hash CC_YES
+#define CC_HashSequenceStart CC_YES
+#define CC_HierarchyChangeAuth CC_YES
+#define CC_HierarchyControl CC_YES
+#define CC_HMAC CC_YES
+#define CC_HMAC_Start CC_YES
+#define CC_Import CC_YES
+#define CC_IncrementalSelfTest CC_YES
+#define CC_Load CC_YES
+#define CC_LoadExternal CC_YES
+#define CC_MakeCredential CC_YES
+#define CC_NV_Certify CC_YES
+#define CC_NV_ChangeAuth CC_YES
+#define CC_NV_DefineSpace CC_YES
+#define CC_NV_Extend CC_YES
+#define CC_NV_GlobalWriteLock CC_YES
+#define CC_NV_Increment CC_YES
+#define CC_NV_Read CC_YES
+#define CC_NV_ReadLock CC_YES
+#define CC_NV_ReadPublic CC_YES
+#define CC_NV_SetBits CC_YES
+#define CC_NV_UndefineSpace CC_YES
+#define CC_NV_UndefineSpaceSpecial CC_YES
+#define CC_NV_Write CC_YES
+#define CC_NV_WriteLock CC_YES
+#define CC_ObjectChangeAuth CC_YES
+#define CC_PCR_Allocate CC_YES
+#define CC_PCR_Event CC_YES
+#define CC_PCR_Extend CC_YES
+#define CC_PCR_Read CC_YES
+#define CC_PCR_Reset CC_YES
+#define CC_PCR_SetAuthPolicy CC_YES
+#define CC_PCR_SetAuthValue CC_YES
+#define CC_PolicyAuthorize CC_YES
+#define CC_PolicyAuthorizeNV CC_YES
+#define CC_PolicyAuthValue CC_YES
+#define CC_PolicyCommandCode CC_YES
+#define CC_PolicyCounterTimer CC_YES
+#define CC_PolicyCpHash CC_YES
+#define CC_PolicyDuplicationSelect CC_YES
+#define CC_PolicyGetDigest CC_YES
+#define CC_PolicyLocality CC_YES
+#define CC_PolicyNameHash CC_YES
+#define CC_PolicyNV CC_YES
+#define CC_PolicyOR CC_YES
+#define CC_PolicyPassword CC_YES
+#define CC_PolicyPCR CC_YES
+#define CC_PolicyPhysicalPresence CC_YES
+#define CC_PolicyRestart CC_YES
+#define CC_PolicySecret CC_YES
+#define CC_PolicySigned CC_YES
+#define CC_PolicyTicket CC_YES
+#define CC_PP_Commands CC_YES
+#define CC_Quote CC_YES
+#define CC_ReadClock CC_YES
+#define CC_ReadPublic CC_YES
+#define CC_Rewrap CC_YES
+#define CC_RSA_Decrypt (CC_YES*ALG_RSA)
+#define CC_RSA_Encrypt (CC_YES*ALG_RSA)
+#define CC_SelfTest CC_YES
+#define CC_SequenceComplete CC_YES
+#define CC_SequenceUpdate CC_YES
+#define CC_SetAlgorithmSet CC_YES
+#define CC_SetCommandCodeAuditStatus CC_YES
+#define CC_SetPrimaryPolicy CC_YES
+#define CC_Shutdown CC_YES
+#define CC_Sign CC_YES
+#define CC_StartAuthSession CC_YES
+#define CC_Startup CC_YES
+#define CC_StirRandom CC_YES
+#define CC_TestParms CC_YES
+#define CC_Unseal CC_YES
+#define CC_VerifySignature CC_YES
+#define CC_ZGen_2Phase (CC_YES*ALG_ECC)
+#define CC_EC_Ephemeral (CC_YES*ALG_ECC)
+#define CC_PolicyNvWritten CC_YES
+#define CC_PolicyTemplate CC_YES
+#define CC_CreateLoaded CC_YES
+#define CC_PolicyAuthorizeNV CC_YES
+#define CC_EncryptDecrypt2 CC_YES
+#define CC_Vendor_TCG_Test CC_YES
+
+#define CC_NTC2_PreConfig CC_YES
+#define CC_NTC2_LockPreConfig CC_YES
+#define CC_NTC2_GetConfig CC_YES
+
+// From TCG Algorithm Registry: Table 2 - Definition of TPM_ALG_ID Constants
+
+#define ALG_ERROR_VALUE 0x0000
+#define TPM_ALG_ERROR (TPM_ALG_ID)(ALG_ERROR_VALUE)
+#define ALG_RSA_VALUE 0x0001
+#if defined ALG_RSA && ALG_RSA == YES
+#define TPM_ALG_RSA (TPM_ALG_ID)(ALG_RSA_VALUE)
+#endif
+#define ALG_TDES_VALUE 0x0003
+#if defined ALG_TDES && ALG_TDES == YES
+#define TPM_ALG_TDES (TPM_ALG_ID)(ALG_TDES_VALUE)
+#endif
+#define ALG_SHA_VALUE 0x0004
+#if defined ALG_SHA && ALG_SHA == YES
+#define TPM_ALG_SHA (TPM_ALG_ID)(ALG_SHA_VALUE)
+#endif
+#define ALG_SHA1_VALUE 0x0004
+#if defined ALG_SHA1 && ALG_SHA1 == YES
+#define TPM_ALG_SHA1 (TPM_ALG_ID)(ALG_SHA1_VALUE)
+#endif
+#define ALG_HMAC_VALUE 0x0005
+#if defined ALG_HMAC && ALG_HMAC == YES
+#define TPM_ALG_HMAC (TPM_ALG_ID)(ALG_HMAC_VALUE)
+#endif
+#define ALG_AES_VALUE 0x0006
+#if defined ALG_AES && ALG_AES == YES
+#define TPM_ALG_AES (TPM_ALG_ID)(ALG_AES_VALUE)
+#endif
+#define ALG_MGF1_VALUE 0x0007
+#if defined ALG_MGF1 && ALG_MGF1 == YES
+#define TPM_ALG_MGF1 (TPM_ALG_ID)(ALG_MGF1_VALUE)
+#endif
+#define ALG_KEYEDHASH_VALUE 0x0008
+#if defined ALG_KEYEDHASH && ALG_KEYEDHASH == YES
+#define TPM_ALG_KEYEDHASH (TPM_ALG_ID)(ALG_KEYEDHASH_VALUE)
+#endif
+#define ALG_XOR_VALUE 0x000A
+#if defined ALG_XOR && ALG_XOR == YES
+#define TPM_ALG_XOR (TPM_ALG_ID)(ALG_XOR_VALUE)
+#endif
+#define ALG_SHA256_VALUE 0x000B
+#if defined ALG_SHA256 && ALG_SHA256 == YES
+#define TPM_ALG_SHA256 (TPM_ALG_ID)(ALG_SHA256_VALUE)
+#endif
+#define ALG_SHA384_VALUE 0x000C
+#if defined ALG_SHA384 && ALG_SHA384 == YES
+#define TPM_ALG_SHA384 (TPM_ALG_ID)(ALG_SHA384_VALUE)
+#endif
+#define ALG_SHA512_VALUE 0x000D
+#if defined ALG_SHA512 && ALG_SHA512 == YES
+#define TPM_ALG_SHA512 (TPM_ALG_ID)(ALG_SHA512_VALUE)
+#endif
+#define ALG_NULL_VALUE 0x0010
+#define TPM_ALG_NULL (TPM_ALG_ID)(ALG_NULL_VALUE)
+#define ALG_SM3_256_VALUE 0x0012
+#if defined ALG_SM3_256 && ALG_SM3_256 == YES
+#define TPM_ALG_SM3_256 (TPM_ALG_ID)(ALG_SM3_256_VALUE)
+#endif
+#define ALG_SM4_VALUE 0x0013
+#if defined ALG_SM4 && ALG_SM4 == YES
+#define TPM_ALG_SM4 (TPM_ALG_ID)(ALG_SM4_VALUE)
+#endif
+#define ALG_RSASSA_VALUE 0x0014
+#if defined ALG_RSASSA && ALG_RSASSA == YES
+#define TPM_ALG_RSASSA (TPM_ALG_ID)(ALG_RSASSA_VALUE)
+#endif
+#define ALG_RSAES_VALUE 0x0015
+#if defined ALG_RSAES && ALG_RSAES == YES
+#define TPM_ALG_RSAES (TPM_ALG_ID)(ALG_RSAES_VALUE)
+#endif
+#define ALG_RSAPSS_VALUE 0x0016
+#if defined ALG_RSAPSS && ALG_RSAPSS == YES
+#define TPM_ALG_RSAPSS (TPM_ALG_ID)(ALG_RSAPSS_VALUE)
+#endif
+#define ALG_OAEP_VALUE 0x0017
+#if defined ALG_OAEP && ALG_OAEP == YES
+#define TPM_ALG_OAEP (TPM_ALG_ID)(ALG_OAEP_VALUE)
+#endif
+#define ALG_ECDSA_VALUE 0x0018
+#if defined ALG_ECDSA && ALG_ECDSA == YES
+#define TPM_ALG_ECDSA (TPM_ALG_ID)(ALG_ECDSA_VALUE)
+#endif
+#define ALG_ECDH_VALUE 0x0019
+#if defined ALG_ECDH && ALG_ECDH == YES
+#define TPM_ALG_ECDH (TPM_ALG_ID)(ALG_ECDH_VALUE)
+#endif
+#define ALG_ECDAA_VALUE 0x001A
+#if defined ALG_ECDAA && ALG_ECDAA == YES
+#define TPM_ALG_ECDAA (TPM_ALG_ID)(ALG_ECDAA_VALUE)
+#endif
+#define ALG_SM2_VALUE 0x001B
+#if defined ALG_SM2 && ALG_SM2 == YES
+#define TPM_ALG_SM2 (TPM_ALG_ID)(ALG_SM2_VALUE)
+#endif
+#define ALG_ECSCHNORR_VALUE 0x001C
+#if defined ALG_ECSCHNORR && ALG_ECSCHNORR == YES
+#define TPM_ALG_ECSCHNORR (TPM_ALG_ID)(ALG_ECSCHNORR_VALUE)
+#endif
+#define ALG_ECMQV_VALUE 0x001D
+#if defined ALG_ECMQV && ALG_ECMQV == YES
+#define TPM_ALG_ECMQV (TPM_ALG_ID)(ALG_ECMQV_VALUE)
+#endif
+#define ALG_KDF1_SP800_56A_VALUE 0x0020
+#if defined ALG_KDF1_SP800_56A && ALG_KDF1_SP800_56A == YES
+#define TPM_ALG_KDF1_SP800_56A (TPM_ALG_ID)(ALG_KDF1_SP800_56A_VALUE)
+#endif
+#define ALG_KDF2_VALUE 0x0021
+#if defined ALG_KDF2 && ALG_KDF2 == YES
+#define TPM_ALG_KDF2 (TPM_ALG_ID)(ALG_KDF2_VALUE)
+#endif
+#define ALG_KDF1_SP800_108_VALUE 0x0022
+#if defined ALG_KDF1_SP800_108 && ALG_KDF1_SP800_108 == YES
+#define TPM_ALG_KDF1_SP800_108 (TPM_ALG_ID)(ALG_KDF1_SP800_108_VALUE)
+#endif
+#define ALG_ECC_VALUE 0x0023
+#if defined ALG_ECC && ALG_ECC == YES
+#define TPM_ALG_ECC (TPM_ALG_ID)(ALG_ECC_VALUE)
+#endif
+#define ALG_SYMCIPHER_VALUE 0x0025
+#if defined ALG_SYMCIPHER && ALG_SYMCIPHER == YES
+#define TPM_ALG_SYMCIPHER (TPM_ALG_ID)(ALG_SYMCIPHER_VALUE)
+#endif
+#define ALG_CAMELLIA_VALUE 0x0026
+#if defined ALG_CAMELLIA && ALG_CAMELLIA == YES
+#define TPM_ALG_CAMELLIA (TPM_ALG_ID)(ALG_CAMELLIA_VALUE)
+#endif
+#define ALG_SHA3_256_VALUE 0x0027
+#if defined ALG_SHA3_256 && ALG_SHA3_256 == YES
+#define TPM_ALGSHA3_256 (TPM_ALG_ID)(ALG_SHA3_256_VALUE)
+#endif
+#define ALG_SHA3_384_VALUE 0x0028
+#if defined ALG_SHA3_384 && ALG_SHA3_384 == YES
+#define TPM_ALGSHA3_384 (TPM_ALG_ID)(ALG_SHA3_384_VALUE)
+#endif
+#define ALG_SHA3_512_VALUE 0x0029
+#if defined ALG_SHA3_512 && ALG_SHA3_512 == YES
+#define TPM_ALGSHA3_512 (TPM_ALG_ID)(ALG_SHA3_512_VALUE)
+#endif
+#define ALG_CMAC_VALUE 0x003f
+#if defined ALG_CMAC && ALG_CMAC == YES
+#define TPM_ALG_CMAC (TPM_ALG_ID)(ALG_CMAC_VALUE)
+#endif
+#define ALG_CTR_VALUE 0x0040
+#if defined ALG_CTR && ALG_CTR == YES
+#define TPM_ALG_CTR (TPM_ALG_ID)(ALG_CTR_VALUE)
+#endif
+#define ALG_OFB_VALUE 0x0041
+#if defined ALG_OFB && ALG_OFB == YES
+#define TPM_ALG_OFB (TPM_ALG_ID)(ALG_OFB_VALUE)
+#endif
+#define ALG_CBC_VALUE 0x0042
+#if defined ALG_CBC && ALG_CBC == YES
+#define TPM_ALG_CBC (TPM_ALG_ID)(ALG_CBC_VALUE)
+#endif
+#define ALG_CFB_VALUE 0x0043
+#if defined ALG_CFB && ALG_CFB == YES
+#define TPM_ALG_CFB (TPM_ALG_ID)(ALG_CFB_VALUE)
+#endif
+#define ALG_ECB_VALUE 0x0044
+#if defined ALG_ECB && ALG_ECB == YES
+#define TPM_ALG_ECB (TPM_ALG_ID)(ALG_ECB_VALUE)
+#endif
+
+// From TCG Algorithm Registry: Table 3 - Definition of TPM_ECC_CURVE Constants
+
+#define TPM_ECC_NONE (TPM_ECC_CURVE)(0x0000)
+#define TPM_ECC_NIST_P192 (TPM_ECC_CURVE)(0x0001)
+#define TPM_ECC_NIST_P224 (TPM_ECC_CURVE)(0x0002)
+#define TPM_ECC_NIST_P256 (TPM_ECC_CURVE)(0x0003)
+#define TPM_ECC_NIST_P384 (TPM_ECC_CURVE)(0x0004)
+#define TPM_ECC_NIST_P521 (TPM_ECC_CURVE)(0x0005)
+#define TPM_ECC_BN_P256 (TPM_ECC_CURVE)(0x0010)
+#define TPM_ECC_BN_P638 (TPM_ECC_CURVE)(0x0011)
+#define TPM_ECC_SM2_P256 (TPM_ECC_CURVE)(0x0020)
+
+// From TCG Algorithm Registry: Table 12 - Defines for SHA1 Hash Values
+#define SHA1_DIGEST_SIZE 20
+#define SHA1_BLOCK_SIZE 64
+#define SHA1_DER_SIZE 15
+#define SHA1_DER \
+ 0x30,0x21,0x30,0x09,0x06,0x05,0x2B,0x0E,0x03,0x02,0x1A,0x05,0x00,0x04,0x14
+
+// From TCG Algorithm Registry: Table 13 - Defines for SHA256 Hash Values
+#define SHA256_DIGEST_SIZE 32
+#define SHA256_BLOCK_SIZE 64
+#define SHA256_DER_SIZE 19
+#define SHA256_DER \
+ 0x30,0x31,0x30,0x0D,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20
+
+// From TCG Algorithm Registry: Table 14 - Defines for SHA384 Hash Values
+#define SHA384_DIGEST_SIZE 48
+#define SHA384_BLOCK_SIZE 128
+#define SHA384_DER_SIZE 19
+#define SHA384_DER \
+ 0x30,0x41,0x30,0x0D,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02,0x05,0x00,0x04,0x30
+
+// From TCG Algorithm Registry: Table 15 - Defines for SHA512 Hash Values
+#define SHA512_DIGEST_SIZE 64
+#define SHA512_BLOCK_SIZE 128
+#define SHA512_DER_SIZE 19
+#define SHA512_DER \
+ 0x30,0x51,0x30,0x0D,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0x04,0x40
+
+// From TCG Algorithm Registry: Table 16 - Defines for SM3_256 Hash Values
+#define SM3_256_DIGEST_SIZE 32
+#define SM3_256_BLOCK_SIZE 64
+#define SM3_256_DER_SIZE 18
+#define SM3_256_DER \
+ 0x30,0x30,0x30,0x0C,0x06,0x08,0x2A,0x81,0x1C,0x81,0x45,0x01,0x83,0x11,0x05,0x00,0x04,0x20
+
+// From TCG Algorithm Registry: Table 17 - Defines for AES Symmetric Cipher Algorithm Constants
+#define AES_128_BLOCK_SIZE_BYTES 16
+#define AES_192_BLOCK_SIZE_BYTES 16
+#define AES_256_BLOCK_SIZE_BYTES 16
+
+// From TCG Algorithm Registry: Table 18 - Defines for SM4 Symmetric Cipher Algorithm Constants
+#define SM4_128_BLOCK_SIZE_BYTES 16
+
+// From TCG Algorithm Registry: Table 19 - Defines for CAMELLIA Symmetric Cipher Algorithm Constants
+#define CAMELLIA_128_BLOCK_SIZE_BYTES 16
+#define CAMELLIA_192_BLOCK_SIZE_BYTES 16
+#define CAMELLIA_256_BLOCK_SIZE_BYTES 16
+
+// From TPM 2.0 Part 2: Table 12 - Definition of TPM_CC Constants
+
+typedef UINT32 TPM_CC;
+
+#define TPM_CC_FIRST 0x0000011f /* Compile variable. May decrease based on
+ implementation. */
+
+#ifndef CC_NV_UndefineSpaceSpecial
+# define CC_NV_UndefineSpaceSpecial NO
+#endif
+#if CC_NV_UndefineSpaceSpecial == YES
+#define TPM_CC_NV_UndefineSpaceSpecial (TPM_CC)(0x0000011f)
+#endif
+#ifndef CC_EvictControl
+# define CC_EvictControl NO
+#endif
+#if CC_EvictControl == YES
+#define TPM_CC_EvictControl (TPM_CC)(0x00000120)
+#endif
+#ifndef CC_HierarchyControl
+# define CC_HierarchyControl NO
+#endif
+#if CC_HierarchyControl == YES
+#define TPM_CC_HierarchyControl (TPM_CC)(0x00000121)
+#endif
+#ifndef CC_NV_UndefineSpace
+# define CC_NV_UndefineSpace NO
+#endif
+#if CC_NV_UndefineSpace == YES
+#define TPM_CC_NV_UndefineSpace (TPM_CC)(0x00000122)
+#endif
+#ifndef CC_ChangeEPS
+# define CC_ChangeEPS NO
+#endif
+#if CC_ChangeEPS == YES
+#define TPM_CC_ChangeEPS (TPM_CC)(0x00000124)
+#endif
+#ifndef CC_ChangePPS
+# define CC_ChangePPS NO
+#endif
+#if CC_ChangePPS == YES
+#define TPM_CC_ChangePPS (TPM_CC)(0x00000125)
+#endif
+#ifndef CC_Clear
+# define CC_Clear NO
+#endif
+#if CC_Clear == YES
+#define TPM_CC_Clear (TPM_CC)(0x00000126)
+#endif
+#ifndef CC_ClearControl
+# define CC_ClearControl NO
+#endif
+#if CC_ClearControl == YES
+#define TPM_CC_ClearControl (TPM_CC)(0x00000127)
+#endif
+#ifndef CC_ClockSet
+# define CC_ClockSet NO
+#endif
+#if CC_ClockSet == YES
+#define TPM_CC_ClockSet (TPM_CC)(0x00000128)
+#endif
+#ifndef CC_HierarchyChangeAuth
+# define CC_HierarchyChangeAuth NO
+#endif
+#if CC_HierarchyChangeAuth == YES
+#define TPM_CC_HierarchyChangeAuth (TPM_CC)(0x00000129)
+#endif
+#ifndef CC_NV_DefineSpace
+# define CC_NV_DefineSpace NO
+#endif
+#if CC_NV_DefineSpace == YES
+#define TPM_CC_NV_DefineSpace (TPM_CC)(0x0000012a)
+#endif
+#ifndef CC_PCR_Allocate
+# define CC_PCR_Allocate NO
+#endif
+#if CC_PCR_Allocate == YES
+#define TPM_CC_PCR_Allocate (TPM_CC)(0x0000012b)
+#endif
+#ifndef CC_PCR_SetAuthPolicy
+# define CC_PCR_SetAuthPolicy NO
+#endif
+#if CC_PCR_SetAuthPolicy == YES
+#define TPM_CC_PCR_SetAuthPolicy (TPM_CC)(0x0000012c)
+#endif
+#ifndef CC_PP_Commands
+# define CC_PP_Commands NO
+#endif
+#if CC_PP_Commands == YES
+#define TPM_CC_PP_Commands (TPM_CC)(0x0000012d)
+#endif
+#ifndef CC_SetPrimaryPolicy
+# define CC_SetPrimaryPolicy NO
+#endif
+#if CC_SetPrimaryPolicy == YES
+#define TPM_CC_SetPrimaryPolicy (TPM_CC)(0x0000012e)
+#endif
+#ifndef CC_FieldUpgradeStart
+# define CC_FieldUpgradeStart NO
+#endif
+#if CC_FieldUpgradeStart == YES
+#define TPM_CC_FieldUpgradeStart (TPM_CC)(0x0000012f)
+#endif
+#ifndef CC_ClockRateAdjust
+# define CC_ClockRateAdjust NO
+#endif
+#if CC_ClockRateAdjust == YES
+#define TPM_CC_ClockRateAdjust (TPM_CC)(0x00000130)
+#endif
+#ifndef CC_CreatePrimary
+# define CC_CreatePrimary NO
+#endif
+#if CC_CreatePrimary == YES
+#define TPM_CC_CreatePrimary (TPM_CC)(0x00000131)
+#endif
+#ifndef CC_NV_GlobalWriteLock
+# define CC_NV_GlobalWriteLock NO
+#endif
+#if CC_NV_GlobalWriteLock == YES
+#define TPM_CC_NV_GlobalWriteLock (TPM_CC)(0x00000132)
+#endif
+#ifndef CC_GetCommandAuditDigest
+# define CC_GetCommandAuditDigest NO
+#endif
+#if CC_GetCommandAuditDigest == YES
+#define TPM_CC_GetCommandAuditDigest (TPM_CC)(0x00000133)
+#endif
+#ifndef CC_NV_Increment
+# define CC_NV_Increment NO
+#endif
+#if CC_NV_Increment == YES
+#define TPM_CC_NV_Increment (TPM_CC)(0x00000134)
+#endif
+#ifndef CC_NV_SetBits
+# define CC_NV_SetBits NO
+#endif
+#if CC_NV_SetBits == YES
+#define TPM_CC_NV_SetBits (TPM_CC)(0x00000135)
+#endif
+#ifndef CC_NV_Extend
+# define CC_NV_Extend NO
+#endif
+#if CC_NV_Extend == YES
+#define TPM_CC_NV_Extend (TPM_CC)(0x00000136)
+#endif
+#ifndef CC_NV_Write
+# define CC_NV_Write NO
+#endif
+#if CC_NV_Write == YES
+#define TPM_CC_NV_Write (TPM_CC)(0x00000137)
+#endif
+#ifndef CC_NV_WriteLock
+# define CC_NV_WriteLock NO
+#endif
+#if CC_NV_WriteLock == YES
+#define TPM_CC_NV_WriteLock (TPM_CC)(0x00000138)
+#endif
+#ifndef CC_DictionaryAttackLockReset
+# define CC_DictionaryAttackLockReset NO
+#endif
+#if CC_DictionaryAttackLockReset == YES
+#define TPM_CC_DictionaryAttackLockReset (TPM_CC)(0x00000139)
+#endif
+#ifndef CC_DictionaryAttackParameters
+# define CC_DictionaryAttackParameters NO
+#endif
+#if CC_DictionaryAttackParameters == YES
+#define TPM_CC_DictionaryAttackParameters (TPM_CC)(0x0000013a)
+#endif
+#ifndef CC_NV_ChangeAuth
+# define CC_NV_ChangeAuth NO
+#endif
+#if CC_NV_ChangeAuth == YES
+#define TPM_CC_NV_ChangeAuth (TPM_CC)(0x0000013b)
+#endif
+#ifndef CC_PCR_Event
+# define CC_PCR_Event NO
+#endif
+#if CC_PCR_Event == YES
+#define TPM_CC_PCR_Event (TPM_CC)(0x0000013c)
+#endif
+#ifndef CC_PCR_Reset
+# define CC_PCR_Reset NO
+#endif
+#if CC_PCR_Reset == YES
+#define TPM_CC_PCR_Reset (TPM_CC)(0x0000013d)
+#endif
+#ifndef CC_SequenceComplete
+# define CC_SequenceComplete NO
+#endif
+#if CC_SequenceComplete == YES
+#define TPM_CC_SequenceComplete (TPM_CC)(0x0000013e)
+#endif
+#ifndef CC_SetAlgorithmSet
+# define CC_SetAlgorithmSet NO
+#endif
+#if CC_SetAlgorithmSet == YES
+#define TPM_CC_SetAlgorithmSet (TPM_CC)(0x0000013f)
+#endif
+#ifndef CC_SetCommandCodeAuditStatus
+# define CC_SetCommandCodeAuditStatus NO
+#endif
+#if CC_SetCommandCodeAuditStatus == YES
+#define TPM_CC_SetCommandCodeAuditStatus (TPM_CC)(0x00000140)
+#endif
+#ifndef CC_FieldUpgradeData
+# define CC_FieldUpgradeData NO
+#endif
+#if CC_FieldUpgradeData == YES
+#define TPM_CC_FieldUpgradeData (TPM_CC)(0x00000141)
+#endif
+#ifndef CC_IncrementalSelfTest
+# define CC_IncrementalSelfTest NO
+#endif
+#if CC_IncrementalSelfTest == YES
+#define TPM_CC_IncrementalSelfTest (TPM_CC)(0x00000142)
+#endif
+#ifndef CC_SelfTest
+# define CC_SelfTest NO
+#endif
+#if CC_SelfTest == YES
+#define TPM_CC_SelfTest (TPM_CC)(0x00000143)
+#endif
+#ifndef CC_Startup
+# define CC_Startup NO
+#endif
+#if CC_Startup == YES
+#define TPM_CC_Startup (TPM_CC)(0x00000144)
+#endif
+#ifndef CC_Shutdown
+# define CC_Shutdown NO
+#endif
+#if CC_Shutdown == YES
+#define TPM_CC_Shutdown (TPM_CC)(0x00000145)
+#endif
+#ifndef CC_StirRandom
+# define CC_StirRandom NO
+#endif
+#if CC_StirRandom == YES
+#define TPM_CC_StirRandom (TPM_CC)(0x00000146)
+#endif
+#ifndef CC_ActivateCredential
+# define CC_ActivateCredential NO
+#endif
+#if CC_ActivateCredential == YES
+#define TPM_CC_ActivateCredential (TPM_CC)(0x00000147)
+#endif
+#ifndef CC_Certify
+# define CC_Certify NO
+#endif
+#if CC_Certify == YES
+#define TPM_CC_Certify (TPM_CC)(0x00000148)
+#endif
+#ifndef CC_PolicyNV
+# define CC_PolicyNV NO
+#endif
+#if CC_PolicyNV == YES
+#define TPM_CC_PolicyNV (TPM_CC)(0x00000149)
+#endif
+#ifndef CC_CertifyCreation
+# define CC_CertifyCreation NO
+#endif
+#if CC_CertifyCreation == YES
+#define TPM_CC_CertifyCreation (TPM_CC)(0x0000014a)
+#endif
+#ifndef CC_Duplicate
+# define CC_Duplicate NO
+#endif
+#if CC_Duplicate == YES
+#define TPM_CC_Duplicate (TPM_CC)(0x0000014b)
+#endif
+#ifndef CC_GetTime
+# define CC_GetTime NO
+#endif
+#if CC_GetTime == YES
+#define TPM_CC_GetTime (TPM_CC)(0x0000014c)
+#endif
+#ifndef CC_GetSessionAuditDigest
+# define CC_GetSessionAuditDigest NO
+#endif
+#if CC_GetSessionAuditDigest == YES
+#define TPM_CC_GetSessionAuditDigest (TPM_CC)(0x0000014d)
+#endif
+#ifndef CC_NV_Read
+# define CC_NV_Read NO
+#endif
+#if CC_NV_Read == YES
+#define TPM_CC_NV_Read (TPM_CC)(0x0000014e)
+#endif
+#ifndef CC_NV_ReadLock
+# define CC_NV_ReadLock NO
+#endif
+#if CC_NV_ReadLock == YES
+#define TPM_CC_NV_ReadLock (TPM_CC)(0x0000014f)
+#endif
+#ifndef CC_ObjectChangeAuth
+# define CC_ObjectChangeAuth NO
+#endif
+#if CC_ObjectChangeAuth == YES
+#define TPM_CC_ObjectChangeAuth (TPM_CC)(0x00000150)
+#endif
+#ifndef CC_PolicySecret
+# define CC_PolicySecret NO
+#endif
+#if CC_PolicySecret == YES
+#define TPM_CC_PolicySecret (TPM_CC)(0x00000151)
+#endif
+#ifndef CC_Rewrap
+# define CC_Rewrap NO
+#endif
+#if CC_Rewrap == YES
+#define TPM_CC_Rewrap (TPM_CC)(0x00000152)
+#endif
+#ifndef CC_Create
+# define CC_Create NO
+#endif
+#if CC_Create == YES
+#define TPM_CC_Create (TPM_CC)(0x00000153)
+#endif
+#ifndef CC_ECDH_ZGen
+# define CC_ECDH_ZGen NO
+#endif
+#if CC_ECDH_ZGen == YES
+#define TPM_CC_ECDH_ZGen (TPM_CC)(0x00000154)
+#endif
+#ifndef CC_HMAC
+# define CC_HMAC NO
+#endif
+#if CC_HMAC == YES
+#define TPM_CC_HMAC (TPM_CC)(0x00000155)
+#endif
+#ifndef CC_Import
+# define CC_Import NO
+#endif
+#if CC_Import == YES
+#define TPM_CC_Import (TPM_CC)(0x00000156)
+#endif
+#ifndef CC_Load
+# define CC_Load NO
+#endif
+#if CC_Load == YES
+#define TPM_CC_Load (TPM_CC)(0x00000157)
+#endif
+#ifndef CC_Quote
+# define CC_Quote NO
+#endif
+#if CC_Quote == YES
+#define TPM_CC_Quote (TPM_CC)(0x00000158)
+#endif
+#ifndef CC_RSA_Decrypt
+# define CC_RSA_Decrypt NO
+#endif
+#if CC_RSA_Decrypt == YES
+#define TPM_CC_RSA_Decrypt (TPM_CC)(0x00000159)
+#endif
+#ifndef CC_HMAC_Start
+# define CC_HMAC_Start NO
+#endif
+#if CC_HMAC_Start == YES
+#define TPM_CC_HMAC_Start (TPM_CC)(0x0000015b)
+#endif
+#ifndef CC_SequenceUpdate
+# define CC_SequenceUpdate NO
+#endif
+#if CC_SequenceUpdate == YES
+#define TPM_CC_SequenceUpdate (TPM_CC)(0x0000015c)
+#endif
+#ifndef CC_Sign
+# define CC_Sign NO
+#endif
+#if CC_Sign == YES
+#define TPM_CC_Sign (TPM_CC)(0x0000015d)
+#endif
+#ifndef CC_Unseal
+# define CC_Unseal NO
+#endif
+#if CC_Unseal == YES
+#define TPM_CC_Unseal (TPM_CC)(0x0000015e)
+#endif
+#ifndef CC_PolicySigned
+# define CC_PolicySigned NO
+#endif
+#if CC_PolicySigned == YES
+#define TPM_CC_PolicySigned (TPM_CC)(0x00000160)
+#endif
+#ifndef CC_ContextLoad
+# define CC_ContextLoad NO
+#endif
+#if CC_ContextLoad == YES
+#define TPM_CC_ContextLoad (TPM_CC)(0x00000161)
+#endif
+#ifndef CC_ContextSave
+# define CC_ContextSave NO
+#endif
+#if CC_ContextSave == YES
+#define TPM_CC_ContextSave (TPM_CC)(0x00000162)
+#endif
+#ifndef CC_ECDH_KeyGen
+# define CC_ECDH_KeyGen NO
+#endif
+#if CC_ECDH_KeyGen == YES
+#define TPM_CC_ECDH_KeyGen (TPM_CC)(0x00000163)
+#endif
+#ifndef CC_EncryptDecrypt
+# define CC_EncryptDecrypt NO
+#endif
+#if CC_EncryptDecrypt == YES
+#define TPM_CC_EncryptDecrypt (TPM_CC)(0x00000164)
+#endif
+#ifndef CC_FlushContext
+# define CC_FlushContext NO
+#endif
+#if CC_FlushContext == YES
+#define TPM_CC_FlushContext (TPM_CC)(0x00000165)
+#endif
+#ifndef CC_LoadExternal
+# define CC_LoadExternal NO
+#endif
+#if CC_LoadExternal == YES
+#define TPM_CC_LoadExternal (TPM_CC)(0x00000167)
+#endif
+#ifndef CC_MakeCredential
+# define CC_MakeCredential NO
+#endif
+#if CC_MakeCredential == YES
+#define TPM_CC_MakeCredential (TPM_CC)(0x00000168)
+#endif
+#ifndef CC_NV_ReadPublic
+# define CC_NV_ReadPublic NO
+#endif
+#if CC_NV_ReadPublic == YES
+#define TPM_CC_NV_ReadPublic (TPM_CC)(0x00000169)
+#endif
+#ifndef CC_PolicyAuthorize
+# define CC_PolicyAuthorize NO
+#endif
+#if CC_PolicyAuthorize == YES
+#define TPM_CC_PolicyAuthorize (TPM_CC)(0x0000016a)
+#endif
+#ifndef CC_PolicyAuthValue
+# define CC_PolicyAuthValue NO
+#endif
+#if CC_PolicyAuthValue == YES
+#define TPM_CC_PolicyAuthValue (TPM_CC)(0x0000016b)
+#endif
+#ifndef CC_PolicyCommandCode
+# define CC_PolicyCommandCode NO
+#endif
+#if CC_PolicyCommandCode == YES
+#define TPM_CC_PolicyCommandCode (TPM_CC)(0x0000016c)
+#endif
+#ifndef CC_PolicyCounterTimer
+# define CC_PolicyCounterTimer NO
+#endif
+#if CC_PolicyCounterTimer == YES
+#define TPM_CC_PolicyCounterTimer (TPM_CC)(0x0000016d)
+#endif
+#ifndef CC_PolicyCpHash
+# define CC_PolicyCpHash NO
+#endif
+#if CC_PolicyCpHash == YES
+#define TPM_CC_PolicyCpHash (TPM_CC)(0x0000016e)
+#endif
+#ifndef CC_PolicyLocality
+# define CC_PolicyLocality NO
+#endif
+#if CC_PolicyLocality == YES
+#define TPM_CC_PolicyLocality (TPM_CC)(0x0000016f)
+#endif
+#ifndef CC_PolicyNameHash
+# define CC_PolicyNameHash NO
+#endif
+#if CC_PolicyNameHash == YES
+#define TPM_CC_PolicyNameHash (TPM_CC)(0x00000170)
+#endif
+#ifndef CC_PolicyOR
+# define CC_PolicyOR NO
+#endif
+#if CC_PolicyOR == YES
+#define TPM_CC_PolicyOR (TPM_CC)(0x00000171)
+#endif
+#ifndef CC_PolicyTicket
+# define CC_PolicyTicket NO
+#endif
+#if CC_PolicyTicket == YES
+#define TPM_CC_PolicyTicket (TPM_CC)(0x00000172)
+#endif
+#ifndef CC_ReadPublic
+# define CC_ReadPublic NO
+#endif
+#if CC_ReadPublic == YES
+#define TPM_CC_ReadPublic (TPM_CC)(0x00000173)
+#endif
+#ifndef CC_RSA_Encrypt
+# define CC_RSA_Encrypt NO
+#endif
+#if CC_RSA_Encrypt == YES
+#define TPM_CC_RSA_Encrypt (TPM_CC)(0x00000174)
+#endif
+#ifndef CC_StartAuthSession
+# define CC_StartAuthSession NO
+#endif
+#if CC_StartAuthSession == YES
+#define TPM_CC_StartAuthSession (TPM_CC)(0x00000176)
+#endif
+#ifndef CC_VerifySignature
+# define CC_VerifySignature NO
+#endif
+#if CC_VerifySignature == YES
+#define TPM_CC_VerifySignature (TPM_CC)(0x00000177)
+#endif
+#ifndef CC_ECC_Parameters
+# define CC_ECC_Parameters NO
+#endif
+#if CC_ECC_Parameters == YES
+#define TPM_CC_ECC_Parameters (TPM_CC)(0x00000178)
+#endif
+#ifndef CC_FirmwareRead
+# define CC_FirmwareRead NO
+#endif
+#if CC_FirmwareRead == YES
+#define TPM_CC_FirmwareRead (TPM_CC)(0x00000179)
+#endif
+#ifndef CC_GetCapability
+# define CC_GetCapability NO
+#endif
+#if CC_GetCapability == YES
+#define TPM_CC_GetCapability (TPM_CC)(0x0000017a)
+#endif
+#ifndef CC_GetRandom
+# define CC_GetRandom NO
+#endif
+#if CC_GetRandom == YES
+#define TPM_CC_GetRandom (TPM_CC)(0x0000017b)
+#endif
+#ifndef CC_GetTestResult
+# define CC_GetTestResult NO
+#endif
+#if CC_GetTestResult == YES
+#define TPM_CC_GetTestResult (TPM_CC)(0x0000017c)
+#endif
+#ifndef CC_Hash
+# define CC_Hash NO
+#endif
+#if CC_Hash == YES
+#define TPM_CC_Hash (TPM_CC)(0x0000017d)
+#endif
+#ifndef CC_PCR_Read
+# define CC_PCR_Read NO
+#endif
+#if CC_PCR_Read == YES
+#define TPM_CC_PCR_Read (TPM_CC)(0x0000017e)
+#endif
+#ifndef CC_PolicyPCR
+# define CC_PolicyPCR NO
+#endif
+#if CC_PolicyPCR == YES
+#define TPM_CC_PolicyPCR (TPM_CC)(0x0000017f)
+#endif
+#ifndef CC_PolicyRestart
+# define CC_PolicyRestart NO
+#endif
+#if CC_PolicyRestart == YES
+#define TPM_CC_PolicyRestart (TPM_CC)(0x00000180)
+#endif
+#ifndef CC_ReadClock
+# define CC_ReadClock NO
+#endif
+#if CC_ReadClock == YES
+#define TPM_CC_ReadClock (TPM_CC)(0x00000181)
+#endif
+#ifndef CC_PCR_Extend
+# define CC_PCR_Extend NO
+#endif
+#if CC_PCR_Extend == YES
+#define TPM_CC_PCR_Extend (TPM_CC)(0x00000182)
+#endif
+#ifndef CC_PCR_SetAuthValue
+# define CC_PCR_SetAuthValue NO
+#endif
+#if CC_PCR_SetAuthValue == YES
+#define TPM_CC_PCR_SetAuthValue (TPM_CC)(0x00000183)
+#endif
+#ifndef CC_NV_Certify
+# define CC_NV_Certify NO
+#endif
+#if CC_NV_Certify == YES
+#define TPM_CC_NV_Certify (TPM_CC)(0x00000184)
+#endif
+#ifndef CC_EventSequenceComplete
+# define CC_EventSequenceComplete NO
+#endif
+#if CC_EventSequenceComplete == YES
+#define TPM_CC_EventSequenceComplete (TPM_CC)(0x00000185)
+#endif
+#ifndef CC_HashSequenceStart
+# define CC_HashSequenceStart NO
+#endif
+#if CC_HashSequenceStart == YES
+#define TPM_CC_HashSequenceStart (TPM_CC)(0x00000186)
+#endif
+#ifndef CC_PolicyPhysicalPresence
+# define CC_PolicyPhysicalPresence NO
+#endif
+#if CC_PolicyPhysicalPresence == YES
+#define TPM_CC_PolicyPhysicalPresence (TPM_CC)(0x00000187)
+#endif
+#ifndef CC_PolicyDuplicationSelect
+# define CC_PolicyDuplicationSelect NO
+#endif
+#if CC_PolicyDuplicationSelect == YES
+#define TPM_CC_PolicyDuplicationSelect (TPM_CC)(0x00000188)
+#endif
+#ifndef CC_PolicyGetDigest
+# define CC_PolicyGetDigest NO
+#endif
+#if CC_PolicyGetDigest == YES
+#define TPM_CC_PolicyGetDigest (TPM_CC)(0x00000189)
+#endif
+#ifndef CC_TestParms
+# define CC_TestParms NO
+#endif
+#if CC_TestParms == YES
+#define TPM_CC_TestParms (TPM_CC)(0x0000018a)
+#endif
+#ifndef CC_Commit
+# define CC_Commit NO
+#endif
+#if CC_Commit == YES
+#define TPM_CC_Commit (TPM_CC)(0x0000018b)
+#endif
+#ifndef CC_PolicyPassword
+# define CC_PolicyPassword NO
+#endif
+#if CC_PolicyPassword == YES
+#define TPM_CC_PolicyPassword (TPM_CC)(0x0000018c)
+#endif
+#ifndef CC_ZGen_2Phase
+# define CC_ZGen_2Phase NO
+#endif
+#if CC_ZGen_2Phase == YES
+#define TPM_CC_ZGen_2Phase (TPM_CC)(0x0000018d)
+#endif
+#ifndef CC_EC_Ephemeral
+# define CC_EC_Ephemeral NO
+#endif
+#if CC_EC_Ephemeral == YES
+#define TPM_CC_EC_Ephemeral (TPM_CC)(0x0000018e)
+#endif
+#ifndef CC_PolicyNvWritten
+# define CC_PolicyNvWritten NO
+#endif
+#if CC_PolicyNvWritten == YES
+#define TPM_CC_PolicyNvWritten (TPM_CC)(0x0000018f)
+#endif
+#ifndef CC_PolicyTemplate
+# define CC_PolicyTemplate NO
+#endif
+#if CC_PolicyTemplate == YES
+#define TPM_CC_PolicyTemplate (TPM_CC)(0x00000190)
+#endif
+#ifndef CC_CreateLoaded
+# define CC_CreateLoaded NO
+#endif
+#if CC_CreateLoaded == YES
+#define TPM_CC_CreateLoaded (TPM_CC)(0x00000191)
+#endif
+#ifndef CC_PolicyAuthorizeNV
+# define CC_PolicyAuthorizeNV NO
+#endif
+#if CC_PolicyAuthorizeNV == YES
+#define TPM_CC_PolicyAuthorizeNV (TPM_CC)(0x00000192)
+#endif
+#ifndef CC_EncryptDecrypt2
+# define CC_EncryptDecrypt2 NO
+#endif
+#if CC_EncryptDecrypt2 == YES
+#define TPM_CC_EncryptDecrypt2 (TPM_CC)(0x00000193)
+#endif
+#define TPM_CC_AC_GetCapability (TPM_CC)(0x00000194)
+#define TPM_CC_AC_Send (TPM_CC)(0x00000195)
+#define TPM_CC_Policy_AC_SendSelect (TPM_CC)(0x00000196)
+#ifndef CC_CertifyX509
+# define CC_CertifyX509 NO
+#endif
+#if CC_CertifyX509 == YES
+#define TPM_CC_CertifyX509 (TPM_CC)(0x00000197)
+#endif
+
+/* Compile variable. May increase based on implementation. */
+#define TPM_CC_LAST (TPM_CC)(0x00000197)
+
+#ifndef CC_Vendor_TCG_Test
+# define CC_Vendor_TCG_Test NO
+#endif
+#if CC_Vendor_TCG_Test == YES
+#define TPM_CC_Vendor_TCG_Test (TPM_CC)(0x20000000)
+#endif
+
+#ifndef CC_NTC2_PreConfig
+# define CC_NTC2_PreConfig NO
+#endif
+#if CC_NTC2_PreConfig == YES
+#define NTC2_CC_PreConfig (TPM_CC)(0x20000211)
+#endif
+#ifndef CC_NTC2_LockPreConfig
+# define CC_NTC2_LockPreConfig NO
+#endif
+#if CC_NTC2_LockPreConfig == YES
+#define NTC2_CC_LockPreConfig (TPM_CC)(0x20000212)
+#endif
+#ifndef CC_NTC2_GetConfig
+# define CC_NTC2_GetConfig NO
+#endif
+#if CC_NTC2_GetConfig == YES
+#define NTC2_CC_GetConfig (TPM_CC)(0x20000213)
+#endif
+
+#ifndef COMPRESSED_LISTS
+#define ADD_FILL 1
+#else
+#define ADD_FILL 0
+#endif
+
+// Size the array of library commands based on whether or not the array is packed (only defined
+// commands) or dense (having entries for unimplemented commands)
+
+#define LIBRARY_COMMAND_ARRAY_SIZE (0 \
+ + (ADD_FILL || CC_NV_UndefineSpaceSpecial) /* 0x0000011f */ \
+ + (ADD_FILL || CC_EvictControl) /* 0x00000120 */ \
+ + (ADD_FILL || CC_HierarchyControl) /* 0x00000121 */ \
+ + (ADD_FILL || CC_NV_UndefineSpace) /* 0x00000122 */ \
+ + ADD_FILL /* 0x00000123 */ \
+ + (ADD_FILL || CC_ChangeEPS) /* 0x00000124 */ \
+ + (ADD_FILL || CC_ChangePPS) /* 0x00000125 */ \
+ + (ADD_FILL || CC_Clear) /* 0x00000126 */ \
+ + (ADD_FILL || CC_ClearControl) /* 0x00000127 */ \
+ + (ADD_FILL || CC_ClockSet) /* 0x00000128 */ \
+ + (ADD_FILL || CC_HierarchyChangeAuth) /* 0x00000129 */ \
+ + (ADD_FILL || CC_NV_DefineSpace) /* 0x0000012a */ \
+ + (ADD_FILL || CC_PCR_Allocate) /* 0x0000012b */ \
+ + (ADD_FILL || CC_PCR_SetAuthPolicy) /* 0x0000012c */ \
+ + (ADD_FILL || CC_PP_Commands) /* 0x0000012d */ \
+ + (ADD_FILL || CC_SetPrimaryPolicy) /* 0x0000012e */ \
+ + (ADD_FILL || CC_FieldUpgradeStart) /* 0x0000012f */ \
+ + (ADD_FILL || CC_ClockRateAdjust) /* 0x00000130 */ \
+ + (ADD_FILL || CC_CreatePrimary) /* 0x00000131 */ \
+ + (ADD_FILL || CC_NV_GlobalWriteLock) /* 0x00000132 */ \
+ + (ADD_FILL || CC_GetCommandAuditDigest) /* 0x00000133 */ \
+ + (ADD_FILL || CC_NV_Increment) /* 0x00000134 */ \
+ + (ADD_FILL || CC_NV_SetBits) /* 0x00000135 */ \
+ + (ADD_FILL || CC_NV_Extend) /* 0x00000136 */ \
+ + (ADD_FILL || CC_NV_Write) /* 0x00000137 */ \
+ + (ADD_FILL || CC_NV_WriteLock) /* 0x00000138 */ \
+ + (ADD_FILL || CC_DictionaryAttackLockReset) /* 0x00000139 */ \
+ + (ADD_FILL || CC_DictionaryAttackParameters) /* 0x0000013a */ \
+ + (ADD_FILL || CC_NV_ChangeAuth) /* 0x0000013b */ \
+ + (ADD_FILL || CC_PCR_Event) /* 0x0000013c */ \
+ + (ADD_FILL || CC_PCR_Reset) /* 0x0000013d */ \
+ + (ADD_FILL || CC_SequenceComplete) /* 0x0000013e */ \
+ + (ADD_FILL || CC_SetAlgorithmSet) /* 0x0000013f */ \
+ + (ADD_FILL || CC_SetCommandCodeAuditStatus) /* 0x00000140 */ \
+ + (ADD_FILL || CC_FieldUpgradeData) /* 0x00000141 */ \
+ + (ADD_FILL || CC_IncrementalSelfTest) /* 0x00000142 */ \
+ + (ADD_FILL || CC_SelfTest) /* 0x00000143 */ \
+ + (ADD_FILL || CC_Startup) /* 0x00000144 */ \
+ + (ADD_FILL || CC_Shutdown) /* 0x00000145 */ \
+ + (ADD_FILL || CC_StirRandom) /* 0x00000146 */ \
+ + (ADD_FILL || CC_ActivateCredential) /* 0x00000147 */ \
+ + (ADD_FILL || CC_Certify) /* 0x00000148 */ \
+ + (ADD_FILL || CC_PolicyNV) /* 0x00000149 */ \
+ + (ADD_FILL || CC_CertifyCreation) /* 0x0000014a */ \
+ + (ADD_FILL || CC_Duplicate) /* 0x0000014b */ \
+ + (ADD_FILL || CC_GetTime) /* 0x0000014c */ \
+ + (ADD_FILL || CC_GetSessionAuditDigest) /* 0x0000014d */ \
+ + (ADD_FILL || CC_NV_Read) /* 0x0000014e */ \
+ + (ADD_FILL || CC_NV_ReadLock) /* 0x0000014f */ \
+ + (ADD_FILL || CC_ObjectChangeAuth) /* 0x00000150 */ \
+ + (ADD_FILL || CC_PolicySecret) /* 0x00000151 */ \
+ + (ADD_FILL || CC_Rewrap) /* 0x00000152 */ \
+ + (ADD_FILL || CC_Create) /* 0x00000153 */ \
+ + (ADD_FILL || CC_ECDH_ZGen) /* 0x00000154 */ \
+ + (ADD_FILL || CC_HMAC) /* 0x00000155 */ \
+ + (ADD_FILL || CC_Import) /* 0x00000156 */ \
+ + (ADD_FILL || CC_Load) /* 0x00000157 */ \
+ + (ADD_FILL || CC_Quote) /* 0x00000158 */ \
+ + (ADD_FILL || CC_RSA_Decrypt) /* 0x00000159 */ \
+ + ADD_FILL /* 0x0000015a */ \
+ + (ADD_FILL || CC_HMAC_Start) /* 0x0000015b */ \
+ + (ADD_FILL || CC_SequenceUpdate) /* 0x0000015c */ \
+ + (ADD_FILL || CC_Sign) /* 0x0000015d */ \
+ + (ADD_FILL || CC_Unseal) /* 0x0000015e */ \
+ + ADD_FILL /* 0x0000015f */ \
+ + (ADD_FILL || CC_PolicySigned) /* 0x00000160 */ \
+ + (ADD_FILL || CC_ContextLoad) /* 0x00000161 */ \
+ + (ADD_FILL || CC_ContextSave) /* 0x00000162 */ \
+ + (ADD_FILL || CC_ECDH_KeyGen) /* 0x00000163 */ \
+ + (ADD_FILL || CC_EncryptDecrypt) /* 0x00000164 */ \
+ + (ADD_FILL || CC_FlushContext) /* 0x00000165 */ \
+ + ADD_FILL /* 0x00000166 */ \
+ + (ADD_FILL || CC_LoadExternal) /* 0x00000167 */ \
+ + (ADD_FILL || CC_MakeCredential) /* 0x00000168 */ \
+ + (ADD_FILL || CC_NV_ReadPublic) /* 0x00000169 */ \
+ + (ADD_FILL || CC_PolicyAuthorize) /* 0x0000016a */ \
+ + (ADD_FILL || CC_PolicyAuthValue) /* 0x0000016b */ \
+ + (ADD_FILL || CC_PolicyCommandCode) /* 0x0000016c */ \
+ + (ADD_FILL || CC_PolicyCounterTimer) /* 0x0000016d */ \
+ + (ADD_FILL || CC_PolicyCpHash) /* 0x0000016e */ \
+ + (ADD_FILL || CC_PolicyLocality) /* 0x0000016f */ \
+ + (ADD_FILL || CC_PolicyNameHash) /* 0x00000170 */ \
+ + (ADD_FILL || CC_PolicyOR) /* 0x00000171 */ \
+ + (ADD_FILL || CC_PolicyTicket) /* 0x00000172 */ \
+ + (ADD_FILL || CC_ReadPublic) /* 0x00000173 */ \
+ + (ADD_FILL || CC_RSA_Encrypt) /* 0x00000174 */ \
+ + ADD_FILL /* 0x00000175 */ \
+ + (ADD_FILL || CC_StartAuthSession) /* 0x00000176 */ \
+ + (ADD_FILL || CC_VerifySignature) /* 0x00000177 */ \
+ + (ADD_FILL || CC_ECC_Parameters) /* 0x00000178 */ \
+ + (ADD_FILL || CC_FirmwareRead) /* 0x00000179 */ \
+ + (ADD_FILL || CC_GetCapability) /* 0x0000017a */ \
+ + (ADD_FILL || CC_GetRandom) /* 0x0000017b */ \
+ + (ADD_FILL || CC_GetTestResult) /* 0x0000017c */ \
+ + (ADD_FILL || CC_Hash) /* 0x0000017d */ \
+ + (ADD_FILL || CC_PCR_Read) /* 0x0000017e */ \
+ + (ADD_FILL || CC_PolicyPCR) /* 0x0000017f */ \
+ + (ADD_FILL || CC_PolicyRestart) /* 0x00000180 */ \
+ + (ADD_FILL || CC_ReadClock) /* 0x00000181 */ \
+ + (ADD_FILL || CC_PCR_Extend) /* 0x00000182 */ \
+ + (ADD_FILL || CC_PCR_SetAuthValue) /* 0x00000183 */ \
+ + (ADD_FILL || CC_NV_Certify) /* 0x00000184 */ \
+ + (ADD_FILL || CC_EventSequenceComplete) /* 0x00000185 */ \
+ + (ADD_FILL || CC_HashSequenceStart) /* 0x00000186 */ \
+ + (ADD_FILL || CC_PolicyPhysicalPresence) /* 0x00000187 */ \
+ + (ADD_FILL || CC_PolicyDuplicationSelect) /* 0x00000188 */ \
+ + (ADD_FILL || CC_PolicyGetDigest) /* 0x00000189 */ \
+ + (ADD_FILL || CC_TestParms) /* 0x0000018a */ \
+ + (ADD_FILL || CC_Commit) /* 0x0000018b */ \
+ + (ADD_FILL || CC_PolicyPassword) /* 0x0000018c */ \
+ + (ADD_FILL || CC_ZGen_2Phase) /* 0x0000018d */ \
+ + (ADD_FILL || CC_EC_Ephemeral) /* 0x0000018e */ \
+ + (ADD_FILL || CC_PolicyTemplate) /* 0x00000190 */ \
+ + (ADD_FILL || CC_CreateLoaded) /* 0x00000191 */ \
+ + (ADD_FILL || CC_PolicyAuthorizeNV) /* 0x00000192 */ \
+ + (ADD_FILL || CC_EncryptDecrypt2) /* 0x00000193 */ \
+ + (ADD_FILL || CC_PolicyNvWritten) /* 0x0000018f */ \
+ + (ADD_FILL || CC_CertifyX509) /* 0x00000197 */ \
+ )
+#define VENDOR_COMMAND_ARRAY_SIZE ( 0 \
+ + CC_Vendor_TCG_Test \
+ + CC_NTC2_PreConfig \
+ + CC_NTC2_LockPreConfig \
+ + CC_NTC2_GetConfig \
+ )
+
+#define COMMAND_COUNT \
+ (LIBRARY_COMMAND_ARRAY_SIZE + VENDOR_COMMAND_ARRAY_SIZE)
+
+// Following typedef is for some old code
+
+#ifndef ALG_CAMELLIA
+# define ALG_CAMELLIA NO
+#endif
+
+#ifndef ALG_SM4
+# define ALG_SM4 NO
+#endif
+
+#ifndef ALG_AES
+# define ALG_AES NO
+#endif
+
+#endif // _IMPLEMENTATION_H_
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Import_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Import_fp.h
new file mode 100644
index 0000000..ac46b0b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Import_fp.h
@@ -0,0 +1,93 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Import_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef IMPORT_FP_H
+#define IMPORT_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT parentHandle;
+ TPM2B_DATA encryptionKey;
+ TPM2B_PUBLIC objectPublic;
+ TPM2B_PRIVATE duplicate;
+ TPM2B_ENCRYPTED_SECRET inSymSeed;
+ TPMT_SYM_DEF_OBJECT symmetricAlg;
+} Import_In;
+
+#define RC_Import_parentHandle (TPM_RC_H + TPM_RC_1)
+#define RC_Import_encryptionKey (TPM_RC_P + TPM_RC_1)
+#define RC_Import_objectPublic (TPM_RC_P + TPM_RC_2)
+#define RC_Import_duplicate (TPM_RC_P + TPM_RC_3)
+#define RC_Import_inSymSeed (TPM_RC_P + TPM_RC_4)
+#define RC_Import_symmetricAlg (TPM_RC_P + TPM_RC_5)
+
+typedef struct {
+ TPM2B_PRIVATE outPrivate;
+} Import_Out;
+
+TPM_RC
+TPM2_Import(
+ Import_In *in, // IN: input parameter list
+ Import_Out *out // OUT: output parameter list
+ );
+
+#endif
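Review bot: Import_fp.h names TPMI_DH_OBJECT, TPM2B_DATA, TPM2B_PUBLIC, TPM2B_PRIVATE, TPM2B_ENCRYPTED_SECRET and TPMT_SYM_DEF_OBJECT without including anything, so it only compiles when the consumer has already pulled in the TPM 2.0 type definitions, whereas the TPM 1.2 headers in this same commit (LoadKey2_fp.h, MakeIdentity_fp.h) include their own dependencies. Either make it self-contained or state the expectation at the top, e.g. `/* Not self-contained: the TPM 2.0 type definitions must be included before this header. */`. A one-line field comment would also help callers: `encryptionKey` is a plain TPM2B_DATA rather than a wrapped blob, so it presumably carries the inner-wrapper key in the clear and should be zeroed by the caller once the command is marshaled; confirm against the Import implementation before wording it that way.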
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/IncrementalSelfTest_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/IncrementalSelfTest_fp.h
new file mode 100644
index 0000000..93275a4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/IncrementalSelfTest_fp.h
@@ -0,0 +1,84 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: IncrementalSelfTest_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef INCREMENTALSELFTEST_FP_H
+#define INCREMENTALSELFTEST_FP_H
+
+typedef struct{
+ TPML_ALG toTest;
+} IncrementalSelfTest_In;
+
+typedef struct{
+ TPML_ALG toDoList;
+} IncrementalSelfTest_Out;
+
+#define RC_IncrementalSelfTest_toTest (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_IncrementalSelfTest(
+ IncrementalSelfTest_In *in, // IN: input parameter list
+ IncrementalSelfTest_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/LoadExternal_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/LoadExternal_fp.h
new file mode 100644
index 0000000..bbf9f8e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/LoadExternal_fp.h
@@ -0,0 +1,87 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: LoadExternal_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef LOADEXTERNAL_FP_H
+#define LOADEXTERNAL_FP_H
+
+typedef struct {
+ TPM2B_SENSITIVE inPrivate;
+ TPM2B_PUBLIC inPublic;
+ TPMI_RH_HIERARCHY hierarchy;
+} LoadExternal_In;
+
+#define RC_LoadExternal_inPrivate (TPM_RC_P + TPM_RC_1)
+#define RC_LoadExternal_inPublic (TPM_RC_P + TPM_RC_2)
+#define RC_LoadExternal_hierarchy (TPM_RC_P + TPM_RC_3)
+
+typedef struct {
+ TPM_HANDLE objectHandle;
+ TPM2B_NAME name;
+} LoadExternal_Out;
+
+TPM_RC
+TPM2_LoadExternal(
+ LoadExternal_In *in, // IN: input parameter list
+ LoadExternal_Out *out // OUT: output parameter list
+ );
+#endif
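Review bot: `inPrivate` in LoadExternal_In is a TPM2B_SENSITIVE, i.e. the object's sensitive area itself, while Load_In in the same commit carries a TPM2B_PRIVATE (the wrapped form); nothing in this header signals that difference, so a caller can easily treat both as opaque blobs. Suggest a field comment such as `TPM2B_SENSITIVE inPrivate; /* unwrapped sensitive area, not a TPM2B_PRIVATE; zero after marshaling */` so the plaintext key material is handled deliberately. The `hierarchy` field likewise has no documentation; a short note that it selects the hierarchy the external object is associated with (and that the TPM constrains which hierarchies may receive a sensitive area - verify against the spec before stating the rule) would make the header usable without the specification open.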
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/LoadKey2_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/LoadKey2_fp.h
new file mode 100644
index 0000000..f8f9fad
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/LoadKey2_fp.h
@@ -0,0 +1,66 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 Load Key 2 */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: LoadKey2_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef LOADKEY2_FP_H
+#define LOADKEY2_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM_KEY_HANDLE parentHandle;
+ TPM_KEY12 inKey;
+} LoadKey2_In;
+
+#define RC_LoadKey2_parentHandle (TPM_RC_H + TPM_RC_1)
+#define RC_LoadKey2_inKey (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPM_KEY_HANDLE inkeyHandle;
+} LoadKey2_Out;
+
+TPM_RC
+TPM2_Loadkey2(
+ LoadKey2_In *in, // IN: input parameter buffer
+ LoadKey2_Out *out // OUT: output parameter buffer
+ );
+
+#endif
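Review bot: The prototype `TPM2_Loadkey2` uses a lowercase k while every other identifier in the file (`LoadKey2_In`, `LoadKey2_Out`, `RC_LoadKey2_*`) and the sibling `TPM2_MakeIdentity` use CamelCase, which makes the symbol easy to mistype and hard to grep. If the definition in Commands12.c (not visible here) spells it the same way, renaming would break callers, so at minimum mark it: `TPM2_Loadkey2( /* sic: lowercase 'k' matches the definition */`. The output field `inkeyHandle` has the same casing oddity and would benefit from the same note or a rename once callers are checked.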
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Load_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Load_fp.h
new file mode 100644
index 0000000..20a7232
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Load_fp.h
@@ -0,0 +1,88 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Load_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef LOAD_FP_H
+#define LOAD_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT parentHandle;
+ TPM2B_PRIVATE inPrivate;
+ TPM2B_PUBLIC inPublic;
+} Load_In;
+
+#define RC_Load_parentHandle (TPM_RC_H + TPM_RC_1)
+#define RC_Load_inPrivate (TPM_RC_P + TPM_RC_1)
+#define RC_Load_inPublic (TPM_RC_P + TPM_RC_2)
+
+typedef struct {
+ TPM_HANDLE objectHandle;
+ TPM2B_NAME name;
+} Load_Out;
+
+TPM_RC
+TPM2_Load(
+ Load_In *in, // IN: input parameter list
+ Load_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/MakeCredential_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/MakeCredential_fp.h
new file mode 100644
index 0000000..d6e5fb3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/MakeCredential_fp.h
@@ -0,0 +1,89 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: MakeCredential_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef MAKECREDENTIAL_FP_H
+#define MAKECREDENTIAL_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT handle;
+ TPM2B_DIGEST credential;
+ TPM2B_NAME objectName;
+} MakeCredential_In;
+
+#define RC_MakeCredential_handle (TPM_RC_H + TPM_RC_1)
+#define RC_MakeCredential_credential (TPM_RC_P + TPM_RC_1)
+#define RC_MakeCredential_objectName (TPM_RC_P + TPM_RC_2)
+
+
+typedef struct {
+ TPM2B_ID_OBJECT credentialBlob;
+ TPM2B_ENCRYPTED_SECRET secret;
+} MakeCredential_Out;
+
+TPM_RC
+TPM2_MakeCredential(
+ MakeCredential_In *in, // IN: input parameter list
+ MakeCredential_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/MakeIdentity_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/MakeIdentity_fp.h
new file mode 100644
index 0000000..19dc3d4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/MakeIdentity_fp.h
@@ -0,0 +1,66 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 MakeIdentity */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: MakeIdentity_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef MAKEIDENTITY_FP_H
+#define MAKEIDENTITY_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM_ENCAUTH identityAuth;
+ TPM_CHOSENID_HASH labelPrivCADigest;
+ TPM_KEY12 idKeyParams;
+} MakeIdentity_In;
+
+typedef struct {
+ TPM_KEY12 idKey;
+ UINT32 identityBindingSize;
+ BYTE identityBinding[MAX_RSA_KEY_BYTES];
+} MakeIdentity_Out;
+
+TPM_RC
+TPM2_MakeIdentity(
+ MakeIdentity_In *in, // IN: input parameter buffer
+ MakeIdentity_Out *out // OUT: output parameter buffer
+ );
+
+#endif
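Review bot: `identityBinding` is a fixed `BYTE[MAX_RSA_KEY_BYTES]` buffer paired with a separate `UINT32 identityBindingSize`, so the struct itself cannot stop an oversized length from a buggy or hostile TPM response overrunning the array; the unmarshal code (outside this hunk) must reject `identityBindingSize > MAX_RSA_KEY_BYTES` before copying. Document the invariant where the field is declared: `UINT32 identityBindingSize; /* must be <= MAX_RSA_KEY_BYTES; unmarshaler must enforce before filling identityBinding */`. Unlike LoadKey2_fp.h and the TPM 2.0 headers in this commit, MakeIdentity_fp.h defines no `RC_MakeIdentity_*` return-code macros, so a parameter error cannot be attributed to `identityAuth`, `labelPrivCADigest` or `idKeyParams`; adding them would keep error reporting consistent across the 1.2 commands.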
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NTC_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NTC_fp.h
new file mode 100644
index 0000000..7cf353b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NTC_fp.h
@@ -0,0 +1,52 @@
+/********************************************************************************/
+/* */
+/* Nuvoton Commands */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2017 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef NTC_FP_H
+#define NTC_FP_H
+
+typedef struct {
+ NTC2_CFG_STRUCT preConfig;
+} NTC2_PreConfig_In;
+
+typedef struct {
+ NTC2_CFG_STRUCT preConfig;
+} NTC2_GetConfig_Out;
+
+#define RC_NTC2_PreConfig_preConfig (TPM_RC_P + TPM_RC_1)
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Certify_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Certify_fp.h
new file mode 100644
index 0000000..d5f2913
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Certify_fp.h
@@ -0,0 +1,98 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_Certify_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_CERTIFY_FP_H
+#define NV_CERTIFY_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT signHandle;
+ TPMI_RH_NV_AUTH authHandle;
+ TPMI_RH_NV_INDEX nvIndex;
+ TPM2B_DATA qualifyingData;
+ TPMT_SIG_SCHEME inScheme;
+ UINT16 size;
+ UINT16 offset;
+} NV_Certify_In;
+
+#define RC_NV_Certify_signHandle (TPM_RC_H + TPM_RC_1)
+#define RC_NV_Certify_authHandle (TPM_RC_H + TPM_RC_2)
+#define RC_NV_Certify_nvIndex (TPM_RC_H + TPM_RC_3)
+#define RC_NV_Certify_qualifyingData (TPM_RC_P + TPM_RC_1)
+#define RC_NV_Certify_inScheme (TPM_RC_P + TPM_RC_2)
+#define RC_NV_Certify_size (TPM_RC_P + TPM_RC_3)
+#define RC_NV_Certify_offset (TPM_RC_P + TPM_RC_4)
+
+
+typedef struct {
+ TPM2B_ATTEST certifyInfo;
+ TPMT_SIGNATURE signature;
+} NV_Certify_Out;
+
+TPM_RC
+TPM2_NV_Certify(
+ NV_Certify_In *in, // IN: input parameter list
+ NV_Certify_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ChangeAuth_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ChangeAuth_fp.h
new file mode 100644
index 0000000..ed211bb
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ChangeAuth_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_ChangeAuth_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_CHANGEAUTH_FP_H
+#define NV_CHANGEAUTH_FP_H
+
+typedef struct {
+ TPMI_RH_NV_INDEX nvIndex;
+ TPM2B_AUTH newAuth;
+} NV_ChangeAuth_In;
+
+#define RC_NV_ChangeAuth_nvIndex (TPM_RC_H + TPM_RC_1)
+#define RC_NV_ChangeAuth_newAuth (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_NV_ChangeAuth(
+ NV_ChangeAuth_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_DefineSpace12_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_DefineSpace12_fp.h
new file mode 100644
index 0000000..8d6bc64
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_DefineSpace12_fp.h
@@ -0,0 +1,52 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 NV_DefineSpace */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef NVDEFINESPACE12_FP_H
+#define NVDEFINESPACE12_FP_H
+
+typedef struct {
+ TPM_NV_DATA_PUBLIC pubInfo;
+ TPM_ENCAUTH encAuth;
+} NV_DefineSpace12_In;
+
+TPM_RC
+TPM_NV_DefineSpace12(
+ NV_DefineSpace12_In *in // IN: input parameter list
+ );
+
+#endif
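Review bot: This header is not self-contained: `NV_DefineSpace12_In` uses the TPM 1.2 types `TPM_NV_DATA_PUBLIC` and `TPM_ENCAUTH` but includes nothing, so it compiles only if the includer has already pulled in the 1.2 type headers, whereas the sibling `NV_ReadValueAuth_fp.h` in this same commit includes `<ibmtss/tpmtypes12.h>` and `<ibmtss/tpmstructures12.h>` itself. I would add the same two lines after the include guard, `#include <ibmtss/tpmtypes12.h>` and `#include <ibmtss/tpmstructures12.h>`, so the header can be included in any order. The entry point is also named `TPM_NV_DefineSpace12` while the other 1.2 command in this commit is `TPM2_NV_ReadValueAuth`; the mixed prefixes are presumably historical, but a one-line comment above the prototype, `/* TPM 1.2 command; not a TPM 2.0 ordinal */`, would stop callers from guessing at a `TPM2_` name.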
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_DefineSpace_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_DefineSpace_fp.h
new file mode 100644
index 0000000..1769931
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_DefineSpace_fp.h
@@ -0,0 +1,83 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_DefineSpace_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_DEFINESPACE_FP_H
+#define NV_DEFINESPACE_FP_H
+
+typedef struct {
+ TPMI_RH_PROVISION authHandle;
+ TPM2B_AUTH auth;
+ TPM2B_NV_PUBLIC publicInfo;
+} NV_DefineSpace_In;
+
+#define RC_NV_DefineSpace_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_NV_DefineSpace_auth (TPM_RC_P + TPM_RC_1)
+#define RC_NV_DefineSpace_publicInfo (TPM_RC_P + TPM_RC_2)
+
+TPM_RC
+TPM2_NV_DefineSpace(
+ NV_DefineSpace_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Extend_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Extend_fp.h
new file mode 100644
index 0000000..7fc9cf2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Extend_fp.h
@@ -0,0 +1,83 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_Extend_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_EXTEND_FP_H
+#define NV_EXTEND_FP_H
+
+typedef struct {
+ TPMI_RH_NV_AUTH authHandle;
+ TPMI_RH_NV_INDEX nvIndex;
+ TPM2B_MAX_NV_BUFFER data;
+} NV_Extend_In;
+
+#define RC_NV_Extend_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_NV_Extend_nvIndex (TPM_RC_H + TPM_RC_2)
+#define RC_NV_Extend_data (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_NV_Extend(
+ NV_Extend_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_GlobalWriteLock_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_GlobalWriteLock_fp.h
new file mode 100644
index 0000000..20b6377
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_GlobalWriteLock_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_GlobalWriteLock_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_GLOBALWRITELOCK_FP_H
+#define NV_GLOBALWRITELOCK_FP_H
+
+typedef struct {
+ TPMI_RH_PROVISION authHandle;
+} NV_GlobalWriteLock_In;
+
+#define RC_NV_GlobalWriteLock_authHandle (TPM_RC_H + TPM_RC_1)
+
+TPM_RC
+TPM2_NV_GlobalWriteLock(
+ NV_GlobalWriteLock_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Increment_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Increment_fp.h
new file mode 100644
index 0000000..e6529cf
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Increment_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_Increment_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_INCREMENT_FP_H
+#define NV_INCREMENT_FP_H
+
+typedef struct {
+ TPMI_RH_NV_AUTH authHandle;
+ TPMI_RH_NV_INDEX nvIndex;
+} NV_Increment_In;;
+
+#define RC_NV_Increment_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_NV_Increment_nvIndex (TPM_RC_H + TPM_RC_2)
+
+TPM_RC
+TPM2_NV_Increment(
+ NV_Increment_In *in // IN: input parameter list
+ );
+
+
+#endif
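Review bot: The typedef closing line reads `} NV_Increment_In;;`, leaving a stray empty declaration at file scope that pedantic builds warn about (ISO C does not allow an extra `;` outside a function) and that differs from every other `_In` typedef in this commit; change it to `} NV_Increment_In;`. Nothing else in the header looks off.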
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadLock_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadLock_fp.h
new file mode 100644
index 0000000..9f92915
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadLock_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_ReadLock_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_READLOCK_FP_H
+#define NV_READLOCK_FP_H
+
+typedef struct {
+ TPMI_RH_NV_AUTH authHandle;
+ TPMI_RH_NV_INDEX nvIndex;
+} NV_ReadLock_In;
+
+#define RC_NV_ReadLock_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_NV_ReadLock_nvIndex (TPM_RC_H + TPM_RC_2)
+
+TPM_RC
+TPM2_NV_ReadLock(
+ NV_ReadLock_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadPublic_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadPublic_fp.h
new file mode 100644
index 0000000..35137e7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadPublic_fp.h
@@ -0,0 +1,85 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_ReadPublic_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_READPUBLIC_FP_H
+#define NV_READPUBLIC_FP_H
+
+typedef struct {
+ TPMI_RH_NV_INDEX nvIndex;
+} NV_ReadPublic_In;
+
+#define RC_NV_ReadPublic_nvIndex (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPM2B_NV_PUBLIC nvPublic;
+ TPM2B_NAME nvName;
+} NV_ReadPublic_Out;
+
+TPM_RC
+TPM2_NV_ReadPublic(
+ NV_ReadPublic_In *in, // IN: input parameter list
+ NV_ReadPublic_Out *out // OUT: output parameter list
+ );
+
+
+#endif
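Review bot: `RC_NV_ReadPublic_nvIndex` is defined as `(TPM_RC_P + TPM_RC_1)`, a parameter-area code, although `nvIndex` is a handle (`TPMI_RH_NV_INDEX`) and every other header in this commit codes its `nvIndex` with `TPM_RC_H` (NV_ChangeAuth, NV_Extend, NV_ReadLock, NV_Certify). If these `RC_` macros are used anywhere to attribute a failure to a handle versus a parameter, a bad index on NV_ReadPublic would be misreported as a parameter error. Unless the deviation is deliberate I would change it to `#define RC_NV_ReadPublic_nvIndex (TPM_RC_H + TPM_RC_1)`, or otherwise add a comment explaining why this command differs from its siblings.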
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadValueAuth_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadValueAuth_fp.h
new file mode 100644
index 0000000..efc4ea1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadValueAuth_fp.h
@@ -0,0 +1,65 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 NV_ReadValueAuth */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_ReadValueAuth_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef NVREADVALUEAUTH_FP_H
+#define NVREADVALUEAUTH_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM12_NV_INDEX nvIndex;
+ UINT32 offset;
+ UINT32 dataSize;
+} NV_ReadValueAuth_In;
+
+typedef struct {
+ UINT32 dataSize;
+ BYTE data[MAX_NV_BUFFER_SIZE];
+} NV_ReadValueAuth_Out;
+
+TPM_RC
+TPM2_NV_ReadValueAuth(
+ NV_ReadValueAuth_In *in, // IN: input parameter buffer
+ NV_ReadValueAuth_Out *out // OUT: output parameter buffer
+ );
+
+#endif
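Review bot: `NV_ReadValueAuth_Out` pairs a caller-visible `dataSize` with a fixed `BYTE data[MAX_NV_BUFFER_SIZE]`, and nothing in this header states that `dataSize` is bounded by the array; the response unmarshaller that fills it is outside this hunk, so I cannot see whether it rejects a TPM response carrying `dataSize > MAX_NV_BUFFER_SIZE` before copying into `data`. I would document the invariant on the struct, `/* dataSize <= MAX_NV_BUFFER_SIZE; the unmarshaller must check this before filling data */`, and confirm the unmarshaller enforces it, since a TPM (or an interposer on the bus) controls that length. Separately, the file banner says this is a TPM 1.2 command but the entry point is `TPM2_NV_ReadValueAuth`, unlike `TPM_NV_DefineSpace12` in the sibling header; a comment noting the 1.2 origin above the prototype would help.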
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadValue_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadValue_fp.h
new file mode 100644
index 0000000..8546a6f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_ReadValue_fp.h
@@ -0,0 +1,65 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 NV_ReadValue */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_ReadValue_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef NVREADVALUE_FP_H
+#define NVREADVALUE_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM12_NV_INDEX nvIndex;
+ UINT32 offset;
+ UINT32 dataSize;
+} NV_ReadValue_In;
+
+typedef struct {
+ UINT32 dataSize;
+ BYTE data[MAX_NV_BUFFER_SIZE];
+} NV_ReadValue_Out;
+
+TPM_RC
+TPM2_NV_ReadValue(
+ NV_ReadValue_In *in, // IN: input parameter buffer
+ NV_ReadValue_Out *out // OUT: output parameter buffer
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Read_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Read_fp.h
new file mode 100644
index 0000000..636fe81
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Read_fp.h
@@ -0,0 +1,89 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_Read_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_READ_FP_H
+#define NV_READ_FP_H
+
+typedef struct {
+ TPMI_RH_NV_AUTH authHandle;
+ TPMI_RH_NV_INDEX nvIndex;
+ UINT16 size;
+ UINT16 offset;
+} NV_Read_In;
+
+#define RC_NV_Read_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_NV_Read_nvIndex (TPM_RC_H + TPM_RC_2)
+#define RC_NV_Read_size (TPM_RC_P + TPM_RC_1)
+#define RC_NV_Read_offset (TPM_RC_P + TPM_RC_2)
+
+typedef struct {
+ TPM2B_MAX_NV_BUFFER data;
+} NV_Read_Out;
+
+TPM_RC
+TPM2_NV_Read(
+ NV_Read_In *in, // IN: input parameter list
+ NV_Read_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_SetBits_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_SetBits_fp.h
new file mode 100644
index 0000000..4b1c1a0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_SetBits_fp.h
@@ -0,0 +1,83 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_SetBits_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_SETBITS_FP_H
+#define NV_SETBITS_FP_H
+
+typedef struct {
+ TPMI_RH_NV_AUTH authHandle;
+ TPMI_RH_NV_INDEX nvIndex;
+ UINT64 bits;
+} NV_SetBits_In;
+
+#define RC_NV_SetBits_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_NV_SetBits_nvIndex (TPM_RC_H + TPM_RC_2)
+#define RC_NV_SetBits_bits (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_NV_SetBits(
+ NV_SetBits_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_UndefineSpaceSpecial_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_UndefineSpaceSpecial_fp.h
new file mode 100644
index 0000000..f58713c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_UndefineSpaceSpecial_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_UndefineSpaceSpecial_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_UNDEFINESPACESPECIAL_FP_H
+#define NV_UNDEFINESPACESPECIAL_FP_H
+
+typedef struct {
+ TPMI_RH_NV_INDEX nvIndex;
+ TPMI_RH_PLATFORM platform;
+} NV_UndefineSpaceSpecial_In;
+
+#define RC_NV_UndefineSpaceSpecial_nvIndex (TPM_RC_H + TPM_RC_1)
+#define RC_NV_UndefineSpaceSpecial_platform (TPM_RC_H + TPM_RC_2)
+
+TPM_RC
+TPM2_NV_UndefineSpaceSpecial(
+ NV_UndefineSpaceSpecial_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_UndefineSpace_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_UndefineSpace_fp.h
new file mode 100644
index 0000000..6b9ca92
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_UndefineSpace_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_UndefineSpace_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_UNDEFINESPACE_FP_H
+#define NV_UNDEFINESPACE_FP_H
+
+typedef struct {
+ TPMI_RH_PROVISION authHandle;
+ TPMI_RH_NV_INDEX nvIndex;
+} NV_UndefineSpace_In;
+
+#define RC_NV_UndefineSpace_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_NV_UndefineSpace_nvIndex (TPM_RC_H + TPM_RC_2)
+
+TPM_RC
+TPM2_NV_UndefineSpace(
+ NV_UndefineSpace_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteLock_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteLock_fp.h
new file mode 100644
index 0000000..471e1c9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteLock_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_WriteLock_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_WRITELOCK_FP_H
+#define NV_WRITELOCK_FP_H
+
+typedef struct {
+ TPMI_RH_NV_AUTH authHandle;
+ TPMI_RH_NV_INDEX nvIndex;
+} NV_WriteLock_In;
+
+#define RC_NV_WriteLock_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_NV_WriteLock_nvIndex (TPM_RC_H + TPM_RC_2)
+
+TPM_RC
+TPM2_NV_WriteLock(
+ NV_WriteLock_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteValueAuth_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteValueAuth_fp.h
new file mode 100644
index 0000000..60b4bca
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteValueAuth_fp.h
@@ -0,0 +1,57 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 NV_WriteValueAuth */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_WriteValueAuth_fp.h 1294 2018-08-09 19:08:34Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef NVWRITEVALUEAUTH_FP_H
+#define NVWRITEVALUEAUTH_FP_H
+
+typedef struct {
+ TPM12_NV_INDEX nvIndex;
+ UINT32 offset;
+ UINT32 dataSize;
+ BYTE data[MAX_NV_BUFFER_SIZE];
+} NV_WriteValueAuth_In;
+
+TPM_RC
+TPM_NV_WriteValueAuth(
+ NV_WriteValueAuth_In *in // IN: input parameter list
+ );
+
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteValue_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteValue_fp.h
new file mode 100644
index 0000000..489aa1d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_WriteValue_fp.h
@@ -0,0 +1,55 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 NV_WriteValue */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_WriteValue_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef NVWRITEVALUE_FP_H
+#define NVWRITEVALUE_FP_H
+
+typedef struct {
+ TPM12_NV_INDEX nvIndex;
+ UINT32 offset;
+ UINT32 dataSize;
+ BYTE data[MAX_NV_BUFFER_SIZE];
+} NV_WriteValue_In;
+
+TPM_RC
+TPM_NV_WriteValue(
+ NV_WriteValue_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Write_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Write_fp.h
new file mode 100644
index 0000000..56b9a98
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/NV_Write_fp.h
@@ -0,0 +1,85 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: NV_Write_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef NV_WRITE_FP_H
+#define NV_WRITE_FP_H
+
+typedef struct {
+ TPMI_RH_NV_AUTH authHandle;
+ TPMI_RH_NV_INDEX nvIndex;
+ TPM2B_MAX_NV_BUFFER data;
+ UINT16 offset;
+} NV_Write_In;
+
+#define RC_NV_Write_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_NV_Write_nvIndex (TPM_RC_H + TPM_RC_2)
+#define RC_NV_Write_data (TPM_RC_P + TPM_RC_1)
+#define RC_NV_Write_offset (TPM_RC_P + TPM_RC_2)
+
+TPM_RC
+TPM2_NV_Write(
+ NV_Write_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/OIAP_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/OIAP_fp.h
new file mode 100644
index 0000000..644b632
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/OIAP_fp.h
@@ -0,0 +1,78 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: OIAP_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2018 */
+/* */
+/********************************************************************************/
+
+#ifndef OIAP_FP_H
+#define OIAP_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+typedef struct {
+ TPM_AUTHHANDLE authHandle;
+ TPM_NONCE nonceEven;
+} OIAP_Out;
+
+TPM_RC
+TPM2_OIAP(
+ OIAP_Out *out // OUT: output parameter buffer
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/OSAP_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/OSAP_fp.h
new file mode 100644
index 0000000..1a6ee48
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/OSAP_fp.h
@@ -0,0 +1,60 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 OSAP */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef OSAP_FP_H
+#define OSAP_FP_H
+
+typedef struct {
+ TPM_ENTITY_TYPE entityType;
+ UINT32 entityValue;
+ TPM_NONCE nonceOddOSAP;
+} OSAP_In;
+
+typedef struct {
+ TPM_AUTHHANDLE authHandle;
+ TPM_NONCE nonceEven;
+ TPM_NONCE nonceEvenOSAP;
+} OSAP_Out;
+
+TPM_RC
+TPM2_OSAP(
+ OSAP_In *in, // IN: input parameter buffer
+ OSAP_Out *out // OUT: output parameter buffer
+ );
+
+#endif
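Review bot: OSAP_fp.h is not self-contained: `OSAP_In`/`OSAP_Out` use TPM_ENTITY_TYPE, UINT32, TPM_NONCE and TPM_AUTHHANDLE and the prototype returns TPM_RC, yet the header includes nothing, so it compiles only when something has already pulled those types in. The sibling TPM 1.2 headers in this same import (OIAP_fp.h, OwnerReadInternalPub_fp.h) do include `<ibmtss/tpmtypes12.h>` and `<ibmtss/tpmstructures12.h>` after their include guard; adding the same two lines here would make the three headers consistent. The TPM 2.0 headers in this chunk (ObjectChangeAuth, PCR_*) likewise include nothing, which may be intentional if they are only ever reached through an aggregating header — worth confirming against the tss sources rather than assuming.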
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ObjectChangeAuth_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ObjectChangeAuth_fp.h
new file mode 100644
index 0000000..1987da4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ObjectChangeAuth_fp.h
@@ -0,0 +1,89 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ObjectChangeAuth_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef OBJECTCHANGEAUTH_FP_H
+#define OBJECTCHANGEAUTH_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT objectHandle;
+ TPMI_DH_OBJECT parentHandle;
+ TPM2B_AUTH newAuth;
+} ObjectChangeAuth_In;
+
+#define RC_ObjectChangeAuth_objectHandle (TPM_RC_H + TPM_RC_1)
+#define RC_ObjectChangeAuth_parentHandle (TPM_RC_H + TPM_RC_2)
+#define RC_ObjectChangeAuth_newAuth (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPM2B_PRIVATE outPrivate;
+} ObjectChangeAuth_Out;
+
+
+TPM_RC
+TPM2_ObjectChangeAuth(
+ ObjectChangeAuth_In *in, // IN: input parameter list
+ ObjectChangeAuth_Out *out // OUT: output parameter list
+ );
+
+
+#endif
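Review bot: `ObjectChangeAuth_In.newAuth` is a TPM2B_AUTH, i.e. the new authorization secret sitting in plaintext in caller-owned memory, and the header says nothing about its lifetime or who is responsible for clearing it. A field comment in the style of the existing IN/OUT annotations, e.g. `TPM2B_AUTH newAuth; // new auth secret; caller owns and should clear it after the call`, would make the expectation explicit for code that builds this struct from user-supplied input.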
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/OwnerReadInternalPub_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/OwnerReadInternalPub_fp.h
new file mode 100644
index 0000000..d1f74cf
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/OwnerReadInternalPub_fp.h
@@ -0,0 +1,62 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 OwnerReadInternalPub */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: OwnerReadInternalPub_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef OWNERREADINTERNALPUB_FP_H
+#define OWNERREADINTERNALPUB_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM_KEY_HANDLE keyHandle;
+} OwnerReadInternalPub_In;
+
+typedef struct {
+ TPM_PUBKEY publicPortion;
+} OwnerReadInternalPub_Out;
+
+TPM_RC
+TPM2_OwnerReadInternalPub(
+ OwnerReadInternalPub_In *in, // IN: input parameter buffer
+ OwnerReadInternalPub_Out *out // OUT: output parameter buffer
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/OwnerSetDisable_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/OwnerSetDisable_fp.h
new file mode 100644
index 0000000..f257f20
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/OwnerSetDisable_fp.h
@@ -0,0 +1,50 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: OwnerSetDisable_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef OWNERSETDISABLE_FP_H
+#define OWNERSETDISABLE_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+
+typedef struct {
+ uint8_t disableState;
+} OwnerSetDisable_In;
+
+
+#endif
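Review bot: OwnerSetDisable_fp.h declares only the `OwnerSetDisable_In` struct and no `TPM2_OwnerSetDisable` prototype, unlike every other `_fp.h` header visible in this import, each of which pairs its In/Out structs with a TPM_RC-returning prototype. If the prototype is deliberately provided elsewhere (Commands12_fp.h is listed in the diffstat), a one-line note such as `/* prototype: see Commands12_fp.h */` would stop a reader from concluding the command is unimplemented. `disableState` is also a bare uint8_t with no comment on the accepted values; documenting them next to the field would help callers that populate it from parsed input.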
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Allocate_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Allocate_fp.h
new file mode 100644
index 0000000..509d7c0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Allocate_fp.h
@@ -0,0 +1,89 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PCR_Allocate_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef PCR_ALLOCATE_FP_H
+#define PCR_ALLOCATE_FP_H
+
+typedef struct {
+ TPMI_RH_PLATFORM authHandle;
+ TPML_PCR_SELECTION pcrAllocation;
+} PCR_Allocate_In;
+
+#define RC_PCR_Allocate_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_PCR_Allocate_pcrAllocation (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPMI_YES_NO allocationSuccess;
+ UINT32 maxPCR;
+ UINT32 sizeNeeded;
+ UINT32 sizeAvailable;
+} PCR_Allocate_Out;
+
+TPM_RC
+TPM2_PCR_Allocate(
+ PCR_Allocate_In *in, // IN: input parameter list
+ PCR_Allocate_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Event_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Event_fp.h
new file mode 100644
index 0000000..2ccb82a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Event_fp.h
@@ -0,0 +1,85 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PCR_Event_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef PCR_EVENT_FP_H
+#define PCR_EVENT_FP_H
+
+typedef struct {
+ TPMI_DH_PCR pcrHandle;
+ TPM2B_EVENT eventData;
+} PCR_Event_In;
+
+#define RC_PCR_Event_pcrHandle (TPM_RC_H + TPM_RC_1)
+#define RC_PCR_Event_eventData (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPML_DIGEST_VALUES digests;
+} PCR_Event_Out;
+
+TPM_RC
+TPM2_PCR_Event(
+ PCR_Event_In *in, // IN: input parameter list
+ PCR_Event_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Extend_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Extend_fp.h
new file mode 100644
index 0000000..fc201a8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Extend_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PCR_Extend_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef PCR_EXTEND_FP_H
+#define PCR_EXTEND_FP_H
+
+typedef struct {
+ TPMI_DH_PCR pcrHandle;
+ TPML_DIGEST_VALUES digests;
+} PCR_Extend_In;
+
+#define RC_PCR_Extend_pcrHandle (TPM_RC_H + TPM_RC_1)
+#define RC_PCR_Extend_digests (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_PCR_Extend(
+ PCR_Extend_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Read_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Read_fp.h
new file mode 100644
index 0000000..4c38d3e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Read_fp.h
@@ -0,0 +1,85 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PCR_Read_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef PCR_READ_FP_H
+#define PCR_READ_FP_H
+
+typedef struct {
+ TPML_PCR_SELECTION pcrSelectionIn;
+} PCR_Read_In;
+
+#define RC_PCR_Read_pcrSelectionIn (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ UINT32 pcrUpdateCounter;
+ TPML_PCR_SELECTION pcrSelectionOut;
+ TPML_DIGEST pcrValues;
+} PCR_Read_Out;
+
+TPM_RC
+TPM2_PCR_Read(
+ PCR_Read_In *in, // IN: input parameter list
+ PCR_Read_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Reset12_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Reset12_fp.h
new file mode 100644
index 0000000..995a1ba
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Reset12_fp.h
@@ -0,0 +1,51 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 PCR_Reset */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef PCRRESET12_FP_H
+#define PCRRESET12_FP_H
+
+typedef struct {
+ TPM_PCR_SELECTION pcrSelection;
+} PCR_Reset12_In;
+
+TPM_RC
+TPM_PCR_Reset12(
+ PCR_Reset12_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Reset_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Reset_fp.h
new file mode 100644
index 0000000..9825fc9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_Reset_fp.h
@@ -0,0 +1,78 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PCR_Reset_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef PCR_RESET_FP_H
+#define PCR_RESET_FP_H
+
+typedef struct {
+ TPMI_DH_PCR pcrHandle;
+} PCR_Reset_In;
+
+#define RC_PCR_Reset__pcrHandle (TPM_RC_H + TPM_RC_1)
+
+TPM_RC
+TPM2_PCR_Reset(
+ PCR_Reset_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_SetAuthPolicy_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_SetAuthPolicy_fp.h
new file mode 100644
index 0000000..3146b5b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_SetAuthPolicy_fp.h
@@ -0,0 +1,85 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PCR_SetAuthPolicy_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef PCR_SETAUTHPOLICY_FP_H
+#define PCR_SETAUTHPOLICY_FP_H
+
+typedef struct {
+ TPMI_RH_PLATFORM authHandle;
+ TPM2B_DIGEST authPolicy;
+ TPMI_ALG_HASH hashAlg;
+ TPMI_DH_PCR pcrNum;
+} PCR_SetAuthPolicy_In;
+
+#define RC_PCR_SetAuthPolicy_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_PCR_SetAuthPolicy_authPolicy (TPM_RC_P + TPM_RC_1)
+#define RC_PCR_SetAuthPolicy_hashAlg (TPM_RC_P + TPM_RC_2)
+#define RC_PCR_SetAuthPolicy_pcrNum (TPM_RC_P + TPM_RC_3)
+
+TPM_RC
+TPM2_PCR_SetAuthPolicy(
+ PCR_SetAuthPolicy_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_SetAuthValue_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_SetAuthValue_fp.h
new file mode 100644
index 0000000..8351578
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PCR_SetAuthValue_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PCR_SetAuthValue_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef PCR_SETAUTHVALUE_FP_H
+#define PCR_SETAUTHVALUE_FP_H
+
+typedef struct {
+ TPMI_DH_PCR pcrHandle;
+ TPM2B_DIGEST auth;
+} PCR_SetAuthValue_In;
+
+#define RC_PCR_SetAuthValue_pcrHandle (TPM_RC_H + TPM_RC_1)
+#define RC_PCR_SetAuthValue_auth (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_PCR_SetAuthValue(
+ PCR_SetAuthValue_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PP_Commands_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PP_Commands_fp.h
new file mode 100644
index 0000000..f042b5a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PP_Commands_fp.h
@@ -0,0 +1,80 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PP_Commands_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2016 */
+/* */
+/********************************************************************************/
+
+#ifndef PP_COMMANDS_FP_H
+#define PP_COMMANDS_FP_H
+
+typedef struct {
+ TPMI_RH_PLATFORM auth;
+ TPML_CC setList;
+ TPML_CC clearList;
+} PP_Commands_In;
+
+#define RC_PP_Commands_auth (TPM_RC_H + TPM_RC_1)
+#define RC_PP_Commands_setList (TPM_RC_P + TPM_RC_1)
+#define RC_PP_Commands_clearList (TPM_RC_P + TPM_RC_2)
+
+TPM_RC
+TPM2_PP_Commands(
+ PP_Commands_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Parameters.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Parameters.h
new file mode 100644
index 0000000..98a04ff
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Parameters.h
@@ -0,0 +1,386 @@
+/********************************************************************************/
+/* */
+/* Command and Response Parameter Structures */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2019 */
+/* */
+/********************************************************************************/
+
+/* TPM and TSS share thses structures */
+
+#ifndef PARAMETERS_H
+#define PARAMETERS_H
+
+#include "TPM_Types.h"
+
+#include "ActivateCredential_fp.h"
+#include "CertifyCreation_fp.h"
+#include "Certify_fp.h"
+#include "CertifyX509_fp.h"
+#include "ChangeEPS_fp.h"
+#include "ChangePPS_fp.h"
+#include "ClearControl_fp.h"
+#include "Clear_fp.h"
+#include "ClockRateAdjust_fp.h"
+#include "ClockSet_fp.h"
+#include "Commit_fp.h"
+#include "ContextLoad_fp.h"
+#include "ContextSave_fp.h"
+#include "CreatePrimary_fp.h"
+#include "Create_fp.h"
+#include "CreateLoaded_fp.h"
+#include "DictionaryAttackLockReset_fp.h"
+#include "DictionaryAttackParameters_fp.h"
+#include "Duplicate_fp.h"
+#include "ECC_Parameters_fp.h"
+#include "ECDH_KeyGen_fp.h"
+#include "ECDH_ZGen_fp.h"
+#include "EC_Ephemeral_fp.h"
+#include "EncryptDecrypt_fp.h"
+#include "EncryptDecrypt2_fp.h"
+#include "EventSequenceComplete_fp.h"
+#include "EvictControl_fp.h"
+#include "FlushContext_fp.h"
+#include "GetCapability_fp.h"
+#include "GetCommandAuditDigest_fp.h"
+#include "GetRandom_fp.h"
+#include "GetSessionAuditDigest_fp.h"
+#include "GetTestResult_fp.h"
+#include "GetTime_fp.h"
+#include "HMAC_Start_fp.h"
+#include "HMAC_fp.h"
+#include "HashSequenceStart_fp.h"
+#include "Hash_fp.h"
+#include "HierarchyChangeAuth_fp.h"
+#include "HierarchyControl_fp.h"
+#include "Import_fp.h"
+#include "IncrementalSelfTest_fp.h"
+#include "LoadExternal_fp.h"
+#include "Load_fp.h"
+#include "MakeCredential_fp.h"
+#include "NV_Certify_fp.h"
+#include "NV_ChangeAuth_fp.h"
+#include "NV_DefineSpace_fp.h"
+#include "NV_Extend_fp.h"
+#include "NV_GlobalWriteLock_fp.h"
+#include "NV_Increment_fp.h"
+#include "NV_ReadLock_fp.h"
+#include "NV_ReadPublic_fp.h"
+#include "NV_Read_fp.h"
+#include "NV_SetBits_fp.h"
+#include "NV_UndefineSpaceSpecial_fp.h"
+#include "NV_UndefineSpace_fp.h"
+#include "NV_WriteLock_fp.h"
+#include "NV_Write_fp.h"
+#include "ObjectChangeAuth_fp.h"
+#include "PCR_Allocate_fp.h"
+#include "PCR_Event_fp.h"
+#include "PCR_Extend_fp.h"
+#include "PCR_Read_fp.h"
+#include "PCR_Reset_fp.h"
+#include "PCR_SetAuthPolicy_fp.h"
+#include "PCR_SetAuthValue_fp.h"
+#include "PP_Commands_fp.h"
+#include "PolicyAuthValue_fp.h"
+#include "PolicyAuthorize_fp.h"
+#include "PolicyCommandCode_fp.h"
+#include "PolicyCounterTimer_fp.h"
+#include "PolicyCpHash_fp.h"
+#include "PolicyDuplicationSelect_fp.h"
+#include "PolicyGetDigest_fp.h"
+#include "PolicyLocality_fp.h"
+#include "PolicyNV_fp.h"
+#include "PolicyAuthorizeNV_fp.h"
+#include "PolicyNvWritten_fp.h"
+#include "PolicyNameHash_fp.h"
+#include "PolicyOR_fp.h"
+#include "PolicyPCR_fp.h"
+#include "PolicyPassword_fp.h"
+#include "PolicyPhysicalPresence_fp.h"
+#include "PolicyRestart_fp.h"
+#include "PolicySecret_fp.h"
+#include "PolicySigned_fp.h"
+#include "PolicyTemplate_fp.h"
+#include "PolicyTicket_fp.h"
+#include "Quote_fp.h"
+#include "RSA_Decrypt_fp.h"
+#include "RSA_Encrypt_fp.h"
+#include "ReadClock_fp.h"
+#include "ReadPublic_fp.h"
+#include "Rewrap_fp.h"
+#include "SelfTest_fp.h"
+#include "SequenceComplete_fp.h"
+#include "SequenceUpdate_fp.h"
+#include "SetAlgorithmSet_fp.h"
+#include "SetCommandCodeAuditStatus_fp.h"
+#include "SetPrimaryPolicy_fp.h"
+#include "Shutdown_fp.h"
+#include "Sign_fp.h"
+#include "StartAuthSession_fp.h"
+#include "Startup_fp.h"
+#include "StirRandom_fp.h"
+#include "TestParms_fp.h"
+#include "Unseal_fp.h"
+#include "VerifySignature_fp.h"
+#include "ZGen_2Phase_fp.h"
+#include "NTC_fp.h"
+
+#include <ibmtss/Parameters12.h>
+
+typedef union {
+ ActivateCredential_In ActivateCredential;
+ CertifyCreation_In CertifyCreation;
+ Certify_In Certify;
+ ChangeEPS_In ChangeEPS;
+ ChangePPS_In ChangePPS;
+ ClearControl_In ClearControl;
+ Clear_In Clear;
+ ClockRateAdjust_In ClockRateAdjust;
+ ClockSet_In ClockSet;
+ Commit_In Commit;
+ ContextLoad_In ContextLoad;
+ ContextSave_In ContextSave;
+ CreatePrimary_In CreatePrimary;
+ Create_In Create;
+ DictionaryAttackLockReset_In DictionaryAttackLockReset;
+ DictionaryAttackParameters_In DictionaryAttackParameters;
+ Duplicate_In Duplicate;
+ ECC_Parameters_In ECC_Parameters;
+ ECDH_KeyGen_In ECDH_KeyGen;
+ ECDH_ZGen_In ECDH_ZGen;
+ EC_Ephemeral_In EC_Ephemeral;
+ EncryptDecrypt_In EncryptDecrypt;
+ EventSequenceComplete_In EventSequenceComplete;
+ EvictControl_In EvictControl;
+ FlushContext_In FlushContext;
+ GetCapability_In GetCapability;
+ GetCommandAuditDigest_In GetCommandAuditDigest;
+ GetRandom_In GetRandom;
+ GetSessionAuditDigest_In GetSessionAuditDigest;
+ GetTime_In GetTime;
+ HMAC_In HMAC;
+ HMAC_Start_In HMAC_Start;
+ HashSequenceStart_In HashSequenceStart;
+ Hash_In Hash;
+ HierarchyChangeAuth_In HierarchyChangeAuth;
+ HierarchyControl_In HierarchyControl;
+ Import_In Import;
+ IncrementalSelfTest_In IncrementalSelfTest;
+ LoadExternal_In LoadExternal;
+ Load_In Load;
+ MakeCredential_In MakeCredential;
+ NV_Certify_In NV_Certify;
+ NV_ChangeAuth_In NV_ChangeAuth;
+ NV_DefineSpace_In NV_DefineSpace;
+ NV_Extend_In NV_Extend;
+ NV_GlobalWriteLock_In NV_GlobalWriteLock;
+ NV_Increment_In NV_Increment;
+ NV_ReadLock_In NV_ReadLock;
+ NV_ReadPublic_In NV_ReadPublic;
+ NV_Read_In NV_Read;
+ NV_SetBits_In NV_SetBits;
+ NV_UndefineSpaceSpecial_In NV_UndefineSpaceSpecial;
+ NV_UndefineSpace_In NV_UndefineSpace;
+ NV_WriteLock_In NV_WriteLock;
+ NV_Write_In NV_Write;
+ ObjectChangeAuth_In ObjectChangeAuth;
+ PCR_Allocate_In PCR_Allocate;
+ PCR_Event_In PCR_Event;
+ PCR_Extend_In PCR_Extend;
+ PCR_Read_In PCR_Read;
+ PCR_Reset_In PCR_Reset;
+ PCR_SetAuthPolicy_In PCR_SetAuthPolicy;
+ PCR_SetAuthValue_In PCR_SetAuthValue;
+ PP_Commands_In PP_Commands;
+ PolicyAuthValue_In PolicyAuthValue;
+ PolicyAuthorize_In PolicyAuthorize;
+ PolicyCommandCode_In PolicyCommandCode;
+ PolicyCounterTimer_In PolicyCounterTimer;
+ PolicyCpHash_In PolicyCpHash;
+ PolicyDuplicationSelect_In PolicyDuplicationSelect;
+ PolicyGetDigest_In PolicyGetDigest;
+ PolicyLocality_In PolicyLocality;
+ PolicyNV_In PolicyNV;
+ PolicyAuthorizeNV_In PolicyAuthorizeNV;
+ PolicyNameHash_In PolicyNameHash;
+ PolicyOR_In PolicyOR;
+ PolicyPCR_In PolicyPCR;
+ PolicyPassword_In PolicyPassword;
+ PolicyPhysicalPresence_In PolicyPhysicalPresence;
+ PolicyRestart_In PolicyRestart;
+ PolicySecret_In PolicySecret;
+ PolicySigned_In PolicySigned;
+ PolicyTicket_In PolicyTicket;
+ Quote_In Quote;
+ RSA_Decrypt_In RSA_Decrypt;
+ RSA_Encrypt_In RSA_Encrypt;
+ ReadPublic_In ReadPublic;
+ Rewrap_In Rewrap;
+ SelfTest_In SelfTest;
+ SequenceComplete_In SequenceComplete;
+ SequenceUpdate_In SequenceUpdate;
+ SetAlgorithmSet_In SetAlgorithmSet;
+ SetCommandCodeAuditStatus_In SetCommandCodeAuditStatus;
+ SetPrimaryPolicy_In SetPrimaryPolicy;
+ Shutdown_In Shutdown;
+ Sign_In Sign;
+ StartAuthSession_In StartAuthSession;
+ Startup_In Startup;
+ StirRandom_In StirRandom;
+ TestParms_In TestParms;
+ Unseal_In Unseal;
+ VerifySignature_In VerifySignature;
+ ZGen_2Phase_In ZGen_2Phase;
+
+ ActivateIdentity_In ActivateIdentity;
+ CreateWrapKey_In CreateWrapKey;
+ CreateEndorsementKeyPair_In CreateEndorsementKeyPair;
+ Extend_In Extend;
+ FlushSpecific_In FlushSpecific;
+ GetCapability12_In GetCapability12;
+ MakeIdentity_In MakeIdentity;
+ NV_DefineSpace12_In NV_DefineSpace12;
+ NV_ReadValue_In NV_ReadValue;
+ NV_ReadValueAuth_In NV_ReadValueAuth;
+ NV_WriteValue_In NV_WriteValue;
+ NV_WriteValueAuth_In NV_WriteValueAuth;
+ OSAP_In OSAP;
+ OwnerReadInternalPub_In OwnerReadInternalPub;
+ OwnerSetDisable_In OwnerSetDisable;
+ LoadKey2_In LoadKey2;
+ PcrRead12_In PcrRead12;
+ PCR_Reset12_In PCR_Reset12;
+ Quote2_In Quote2;
+ ReadPubek_In ReadPubek;
+ Sign12_In Sign12;
+ Startup12_In Startup12;
+ TakeOwnership_In TakeOwnership;
+} COMMAND_PARAMETERS;
+
+typedef union
+{
+ ActivateCredential_Out ActivateCredential;
+ CertifyCreation_Out CertifyCreation;
+ Certify_Out Certify;
+ Commit_Out Commit;
+ ContextLoad_Out ContextLoad;
+ ContextSave_Out ContextSave;
+ CreatePrimary_Out CreatePrimary;
+ Create_Out Create;
+ Duplicate_Out Duplicate;
+ ECC_Parameters_Out ECC_Parameters;
+ ECDH_KeyGen_Out ECDH_KeyGen;
+ ECDH_ZGen_Out ECDH_ZGen;
+ EC_Ephemeral_Out EC_Ephemeral;
+ EncryptDecrypt_Out EncryptDecrypt;
+ EventSequenceComplete_Out EventSequenceComplete;
+ GetCapability_Out GetCapability;
+ GetCommandAuditDigest_Out GetCommandAuditDigest;
+ GetRandom_Out GetRandom;
+ GetSessionAuditDigest_Out GetSessionAuditDigest;
+ GetTestResult_Out GetTestResult;
+ GetTime_Out GetTime;
+ HMAC_Out HMAC;
+ HMAC_Start_Out HMAC_Start;
+ HashSequenceStart_Out HashSequenceStart;
+ Hash_Out Hash;
+ Import_Out Import;
+ IncrementalSelfTest_Out IncrementalSelfTest;
+ LoadExternal_Out LoadExternal;
+ Load_Out Load;
+ MakeCredential_Out MakeCredential;
+ NV_Certify_Out NV_Certify;
+ NV_ReadPublic_Out NV_ReadPublic;
+ NV_Read_Out NV_Read;
+ ObjectChangeAuth_Out ObjectChangeAuth;
+ PCR_Allocate_Out PCR_Allocate;
+ PCR_Event_Out PCR_Event;
+ PCR_Read_Out PCR_Read;
+ PolicyGetDigest_Out PolicyGetDigest;
+ PolicySecret_Out PolicySecret;
+ PolicySigned_Out PolicySigned;
+ Quote_Out Quote;
+ RSA_Decrypt_Out RSA_Decrypt;
+ RSA_Encrypt_Out RSA_Encrypt;
+ ReadClock_Out ReadClock;
+ ReadPublic_Out ReadPublic;
+ Rewrap_Out Rewrap;
+ SequenceComplete_Out SequenceComplete;
+ Sign_Out Sign;
+ StartAuthSession_Out StartAuthSession;
+ Unseal_Out Unseal;
+ VerifySignature_Out VerifySignature;
+ ZGen_2Phase_Out ZGen_2Phase;
+
+ ActivateIdentity_Out ActivateIdentity;
+ CreateWrapKey_Out CreateWrapKey;
+ CreateEndorsementKeyPair_Out CreateEndorsementKeyPair;
+ Extend_Out Extend;
+ GetCapability12_Out GetCapability12;
+ MakeIdentity_Out MakeIdentity;
+ NV_ReadValue_Out NV_ReadValue;
+ NV_ReadValueAuth_Out NV_ReadValueAuth;
+ OIAP_Out OIAP;
+ OSAP_Out OSAP;
+ OwnerReadInternalPub_Out OwnerReadInternalPub;
+ LoadKey2_Out LoadKey2;
+ PcrRead12_Out PcrRead12;
+ Quote2_Out Quote2;
+ ReadPubek_Out ReadPubek;
+ Sign12_Out Sign12;
+ TakeOwnership_Out TakeOwnership;
+} RESPONSE_PARAMETERS;
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Parameters12.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Parameters12.h
new file mode 100644
index 0000000..90c9fa8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Parameters12.h
@@ -0,0 +1,68 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Parameters12.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef PARAMETERS12_H
+#define PARAMETERS12_H
+
+#include <ibmtss/ActivateIdentity_fp.h>
+#include <ibmtss/CreateWrapKey_fp.h>
+#include <ibmtss/CreateEndorsementKeyPair_fp.h>
+#include <ibmtss/Extend_fp.h>
+#include <ibmtss/FlushSpecific_fp.h>
+#include <ibmtss/GetCapability12_fp.h>
+#include <ibmtss/MakeIdentity_fp.h>
+#include <ibmtss/NV_DefineSpace12_fp.h>
+#include <ibmtss/NV_ReadValue_fp.h>
+#include <ibmtss/NV_ReadValueAuth_fp.h>
+#include <ibmtss/NV_WriteValue_fp.h>
+#include <ibmtss/NV_WriteValueAuth_fp.h>
+#include <ibmtss/OIAP_fp.h>
+#include <ibmtss/OSAP_fp.h>
+#include <ibmtss/OwnerReadInternalPub_fp.h>
+#include <ibmtss/OwnerSetDisable_fp.h>
+#include <ibmtss/LoadKey2_fp.h>
+#include <ibmtss/PcrRead12_fp.h>
+#include <ibmtss/PCR_Reset12_fp.h>
+#include <ibmtss/Quote2_fp.h>
+#include <ibmtss/ReadPubek_fp.h>
+#include <ibmtss/Sign12_fp.h>
+#include <ibmtss/Startup12_fp.h>
+#include <ibmtss/TakeOwnership_fp.h>
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PcrRead12_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PcrRead12_fp.h
new file mode 100644
index 0000000..dcb2278
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PcrRead12_fp.h
@@ -0,0 +1,56 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 PcrRead */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef PCRREAD12_FP_H
+#define PCRREAD12_FP_H
+
+typedef struct {
+ TPM_PCRINDEX pcrIndex;
+} PcrRead12_In;
+
+typedef struct {
+ TPM_PCRVALUE outDigest;
+} PcrRead12_Out;
+
+TPM_RC
+TPM_PcrRead12(
+ PcrRead12_In *in, // IN: input parameter list
+ PcrRead12_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthValue_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthValue_fp.h
new file mode 100644
index 0000000..c09a57b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthValue_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyAuthValue_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYAUTHVALUE_FP_H
+#define POLICYAUTHVALUE_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+} PolicyAuthValue_In;
+
+#define RC_PolicyAuthValue_policySession (TPM_RC_H + TPM_RC_1)
+
+TPM_RC
+TPM2_PolicyAuthValue(
+ PolicyAuthValue_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthorizeNV_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthorizeNV_fp.h
new file mode 100644
index 0000000..9b70b5c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthorizeNV_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* PolicyAuthorizeNV */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015, 2016 */
+/* */
+/********************************************************************************/
+
+/* rev 136 */
+
+#ifndef POLICYAUTHORIZENV_FP_H
+#define POLICYAUTHORIZENV_FP_H
+
+typedef struct {
+ TPMI_RH_NV_AUTH authHandle;
+ TPMI_RH_NV_INDEX nvIndex;
+ TPMI_SH_POLICY policySession;
+} PolicyAuthorizeNV_In;
+
+#define RC_PolicyAuthorizeNV_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyAuthorizeNV_nvIndex (TPM_RC_H + TPM_RC_2)
+#define RC_PolicyAuthorizeNV_policySession (TPM_RC_H + TPM_RC_3)
+
+TPM_RC
+TPM2_PolicyAuthorizeNV(
+ PolicyAuthorizeNV_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthorize_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthorize_fp.h
new file mode 100644
index 0000000..da1ddd7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyAuthorize_fp.h
@@ -0,0 +1,86 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyAuthorize_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYAUTHORIZE_FP_H
+#define POLICYAUTHORIZE_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPM2B_DIGEST approvedPolicy;
+ TPM2B_NONCE policyRef;
+ TPM2B_NAME keySign;
+ TPMT_TK_VERIFIED checkTicket;
+} PolicyAuthorize_In;
+
+#define RC_PolicyAuthorize_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyAuthorize_approvedPolicy (TPM_RC_P + TPM_RC_1)
+#define RC_PolicyAuthorize_policyRef (TPM_RC_P + TPM_RC_2)
+#define RC_PolicyAuthorize_keySign (TPM_RC_P + TPM_RC_3)
+#define RC_PolicyAuthorize_checkTicket (TPM_RC_P + TPM_RC_4)
+
+TPM_RC
+TPM2_PolicyAuthorize(
+ PolicyAuthorize_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCommandCode_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCommandCode_fp.h
new file mode 100644
index 0000000..bc74c58
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCommandCode_fp.h
@@ -0,0 +1,80 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyCommandCode_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYCOMMANDCODE_FP_H
+#define POLICYCOMMANDCODE_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPM_CC code;
+} PolicyCommandCode_In;
+
+#define RC_PolicyCommandCode_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyCommandCode_code (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_PolicyCommandCode(
+ PolicyCommandCode_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCounterTimer_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCounterTimer_fp.h
new file mode 100644
index 0000000..605de79
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCounterTimer_fp.h
@@ -0,0 +1,85 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyCounterTimer_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYCOUNTERTIMER_FP_H
+#define POLICYCOUNTERTIMER_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPM2B_OPERAND operandB;
+ UINT16 offset;
+ TPM_EO operation;
+} PolicyCounterTimer_In;
+
+#define RC_PolicyCounterTimer_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyCounterTimer_operandB (TPM_RC_P + TPM_RC_1)
+#define RC_PolicyCounterTimer_offset (TPM_RC_P + TPM_RC_2)
+#define RC_PolicyCounterTimer_operation (TPM_RC_P + TPM_RC_3)
+
+TPM_RC
+TPM2_PolicyCounterTimer(
+ PolicyCounterTimer_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCpHash_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCpHash_fp.h
new file mode 100644
index 0000000..f239551
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyCpHash_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyCpHash_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYCPHASH_FP_H
+#define POLICYCPHASH_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPM2B_DIGEST cpHashA;
+} PolicyCpHash_In;
+
+#define RC_PolicyCpHash_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyCpHash_cpHashA (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_PolicyCpHash(
+ PolicyCpHash_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyDuplicationSelect_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyDuplicationSelect_fp.h
new file mode 100644
index 0000000..12a5d33
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyDuplicationSelect_fp.h
@@ -0,0 +1,85 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyDuplicationSelect_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYDUPLICATIONSELECT_FP_H
+#define POLICYDUPLICATIONSELECT_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPM2B_NAME objectName;
+ TPM2B_NAME newParentName;
+ TPMI_YES_NO includeObject;
+} PolicyDuplicationSelect_In;
+
+#define RC_PolicyDuplicationSelect_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyDuplicationSelect_objectName (TPM_RC_P + TPM_RC_1)
+#define RC_PolicyDuplicationSelect_newParentName (TPM_RC_P + TPM_RC_2)
+#define RC_PolicyDuplicationSelect_includeObject (TPM_RC_P + TPM_RC_3)
+
+TPM_RC
+TPM2_PolicyDuplicationSelect(
+ PolicyDuplicationSelect_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyGetDigest_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyGetDigest_fp.h
new file mode 100644
index 0000000..0283ee1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyGetDigest_fp.h
@@ -0,0 +1,84 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyGetDigest_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYGETDIGEST_FP_H
+#define POLICYGETDIGEST_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+} PolicyGetDigest_In;
+
+#define RC_PolicyGetDigest_policySession (TPM_RC_P + TPM_RC_1)
+
+typedef struct {
+ TPM2B_DIGEST policyDigest;
+} PolicyGetDigest_Out;
+
+TPM_RC
+TPM2_PolicyGetDigest(
+ PolicyGetDigest_In *in, // IN: input parameter list
+ PolicyGetDigest_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyLocality_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyLocality_fp.h
new file mode 100644
index 0000000..f41fa65
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyLocality_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyLocality_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYLOCALITY_FP_H
+#define POLICYLOCALITY_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPMA_LOCALITY locality;
+} PolicyLocality_In;
+
+#define RC_PolicyLocality_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyLocality_locality (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_PolicyLocality(
+ PolicyLocality_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNV_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNV_fp.h
new file mode 100644
index 0000000..580eeff
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNV_fp.h
@@ -0,0 +1,88 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyNV_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYNV_FP_H
+#define POLICYNV_FP_H
+
+typedef struct {
+ TPMI_RH_NV_AUTH authHandle;
+ TPMI_RH_NV_INDEX nvIndex;
+ TPMI_SH_POLICY policySession;
+ TPM2B_OPERAND operandB;
+ UINT16 offset;
+ TPM_EO operation;
+} PolicyNV_In;
+
+#define RC_PolicyNV_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyNV_nvIndex (TPM_RC_H + TPM_RC_2)
+#define RC_PolicyNV_policySession (TPM_RC_H + TPM_RC_3)
+#define RC_PolicyNV_operandB (TPM_RC_P + TPM_RC_1)
+#define RC_PolicyNV_offset (TPM_RC_P + TPM_RC_2)
+#define RC_PolicyNV_operation (TPM_RC_P + TPM_RC_3)
+
+TPM_RC
+TPM2_PolicyNV(
+ PolicyNV_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNameHash_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNameHash_fp.h
new file mode 100644
index 0000000..39c73ee
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNameHash_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyNameHash_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYNAMEHASH_FP_H
+#define POLICYNAMEHASH_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPM2B_DIGEST nameHash;
+} PolicyNameHash_In;
+
+#define RC_PolicyNameHash_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyNameHash_nameHash (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_PolicyNameHash(
+ PolicyNameHash_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNvWritten_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNvWritten_fp.h
new file mode 100644
index 0000000..afe514f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyNvWritten_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyNvWritten_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYNVWRITTEN_FP_H
+#define POLICYNVWRITTEN_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPMI_YES_NO writtenSet;
+} PolicyNvWritten_In;
+
+#define RC_PolicyNvWritten_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyNvWritten_writtenSet (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_PolicyNvWritten(
+ PolicyNvWritten_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyOR_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyOR_fp.h
new file mode 100644
index 0000000..cc1024a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyOR_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyOR_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYOR_FP_H
+#define POLICYOR_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPML_DIGEST pHashList;
+} PolicyOR_In;
+
+#define RC_PolicyOR_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyOR_pHashList (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_PolicyOR(
+ PolicyOR_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPCR_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPCR_fp.h
new file mode 100644
index 0000000..6d9f715
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPCR_fp.h
@@ -0,0 +1,82 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyPCR_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYPCR_FP_H
+#define POLICYPCR_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPM2B_DIGEST pcrDigest;
+ TPML_PCR_SELECTION pcrs;
+} PolicyPCR_In;
+
+#define RC_PolicyPCR_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyPCR_pcrDigest (TPM_RC_P + TPM_RC_1)
+#define RC_PolicyPCR_pcrs (TPM_RC_P + TPM_RC_2)
+
+TPM_RC
+TPM2_PolicyPCR(
+ PolicyPCR_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPassword_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPassword_fp.h
new file mode 100644
index 0000000..033578b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPassword_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyPassword_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYPASSWORD_FP_H
+#define POLICYPASSWORD_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+} PolicyPassword_In;
+
+#define RC_PolicyPassword_policySession (TPM_RC_H + TPM_RC_1)
+
+TPM_RC
+TPM2_PolicyPassword(
+ PolicyPassword_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPhysicalPresence_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPhysicalPresence_fp.h
new file mode 100644
index 0000000..1386259
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyPhysicalPresence_fp.h
@@ -0,0 +1,78 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyPhysicalPresence_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYPHYSICALPRESENCE_FP_H
+#define POLICYPHYSICALPRESENCE_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+} PolicyPhysicalPresence_In;
+
+#define RC_PolicyPhysicalPresence_policySession (TPM_RC_H + TPM_RC_1)
+
+TPM_RC
+TPM2_PolicyPhysicalPresence(
+ PolicyPhysicalPresence_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyRestart_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyRestart_fp.h
new file mode 100644
index 0000000..615d87f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyRestart_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyRestart_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYRESTART_FP_H
+#define POLICYRESTART_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY sessionHandle;
+} PolicyRestart_In;
+
+#define RC_PolicyRestart_sessionHandle (TPM_RC_H + TPM_RC_1)
+
+TPM_RC
+TPM2_PolicyRestart(
+ PolicyRestart_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicySecret_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicySecret_fp.h
new file mode 100644
index 0000000..f90378a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicySecret_fp.h
@@ -0,0 +1,95 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicySecret_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 124 */
+
+#ifndef POLICYSECRET_FP_H
+#define POLICYSECRET_FP_H
+
+typedef struct {
+ TPMI_DH_ENTITY authHandle;
+ TPMI_SH_POLICY policySession;
+ TPM2B_NONCE nonceTPM;
+ TPM2B_DIGEST cpHashA;
+ TPM2B_NONCE policyRef;
+ INT32 expiration;
+} PolicySecret_In;
+
+#define RC_PolicySecret_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_PolicySecret_policySession (TPM_RC_H + TPM_RC_2)
+#define RC_PolicySecret_nonceTPM (TPM_RC_P + TPM_RC_1)
+#define RC_PolicySecret_cpHashA (TPM_RC_P + TPM_RC_2)
+#define RC_PolicySecret_policyRef (TPM_RC_P + TPM_RC_3)
+#define RC_PolicySecret_expiration (TPM_RC_P + TPM_RC_4)
+
+typedef struct {
+ TPM2B_TIMEOUT timeout;
+ TPMT_TK_AUTH policyTicket;
+} PolicySecret_Out;
+
+TPM_RC
+TPM2_PolicySecret(
+ PolicySecret_In *in, // IN: input parameter list
+ PolicySecret_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicySigned_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicySigned_fp.h
new file mode 100644
index 0000000..d51f7bc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicySigned_fp.h
@@ -0,0 +1,96 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicySigned_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYSIGNED_FP_H
+#define POLICYSIGNED_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT authObject;
+ TPMI_SH_POLICY policySession;
+ TPM2B_NONCE nonceTPM;
+ TPM2B_DIGEST cpHashA;
+ TPM2B_NONCE policyRef;
+ INT32 expiration;
+ TPMT_SIGNATURE auth;
+} PolicySigned_In;
+
+#define RC_PolicySigned_authObject (TPM_RC_H + TPM_RC_1)
+#define RC_PolicySigned_policySession (TPM_RC_H + TPM_RC_2)
+#define RC_PolicySigned_nonceTPM (TPM_RC_P + TPM_RC_1)
+#define RC_PolicySigned_cpHashA (TPM_RC_P + TPM_RC_2)
+#define RC_PolicySigned_policyRef (TPM_RC_P + TPM_RC_3)
+#define RC_PolicySigned_expiration (TPM_RC_P + TPM_RC_4)
+#define RC_PolicySigned_auth (TPM_RC_P + TPM_RC_5)
+
+typedef struct {
+ TPM2B_TIMEOUT timeout;
+ TPMT_TK_AUTH policyTicket;
+} PolicySigned_Out;
+
+TPM_RC
+TPM2_PolicySigned(
+ PolicySigned_In *in, // IN: input parameter list
+ PolicySigned_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyTemplate_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyTemplate_fp.h
new file mode 100644
index 0000000..23e40f4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyTemplate_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyTemplate_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015, 2016 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYTEMPLATE_FP_H
+#define POLICYTEMPLATE_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPM2B_DIGEST templateHash;
+} PolicyTemplate_In;
+
+#define RC_PolicyTemplate_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyTemplate_templateHash (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_PolicyTemplate(
+ PolicyTemplate_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyTicket_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyTicket_fp.h
new file mode 100644
index 0000000..7c680a0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/PolicyTicket_fp.h
@@ -0,0 +1,89 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: PolicyTicket_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef POLICYTICKET_FP_H
+#define POLICYTICKET_FP_H
+
+typedef struct {
+ TPMI_SH_POLICY policySession;
+ TPM2B_TIMEOUT timeout;
+ TPM2B_DIGEST cpHashA;
+ TPM2B_NONCE policyRef;
+ TPM2B_NAME authName;
+ TPMT_TK_AUTH ticket;
+} PolicyTicket_In;
+
+#define RC_PolicyTicket_policySession (TPM_RC_H + TPM_RC_1)
+#define RC_PolicyTicket_timeout (TPM_RC_P + TPM_RC_1)
+#define RC_PolicyTicket_cpHashA (TPM_RC_P + TPM_RC_2)
+#define RC_PolicyTicket_policyRef (TPM_RC_P + TPM_RC_3)
+#define RC_PolicyTicket_authName (TPM_RC_P + TPM_RC_4)
+#define RC_PolicyTicket_ticket (TPM_RC_P + TPM_RC_5)
+
+TPM_RC
+TPM2_PolicyTicket(
+ PolicyTicket_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Quote2_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Quote2_fp.h
new file mode 100644
index 0000000..14e7175
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Quote2_fp.h
@@ -0,0 +1,69 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 Quote2 */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Quote2_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef QUOTE2_FP_H
+#define QUOTE2_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM_KEY_HANDLE keyHandle;
+ TPM_NONCE externalData;
+ TPM_PCR_SELECTION targetPCR;
+ TPM_BOOL addVersion;
+} Quote2_In;
+
+typedef struct {
+ TPM_PCR_INFO_SHORT pcrData;
+ UINT32 versionInfoSize;
+ TPM_CAP_VERSION_INFO versionInfo;
+ UINT32 sigSize;
+ BYTE sig[MAX_RSA_KEY_BYTES];
+} Quote2_Out;
+
+TPM_RC
+TPM2_Quote2(
+ Quote2_In *in, // IN: input parameter buffer
+ Quote2_Out *out // OUT: output parameter buffer
+ );
+
+#endif
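Review bot: `Quote2_Out` pairs a variable-length `sigSize` with a fixed `BYTE sig[MAX_RSA_KEY_BYTES]` buffer, and nothing in this header records that `sigSize` may never exceed that array; the bound has to be enforced by whatever unmarshals the TPM 1.2 response (presumably Unmarshal12.c in this commit, not visible here), and a reader of the struct cannot tell that from the declaration. I would state the invariant on the field: `UINT32 sigSize; /* marshaled length of sig; must be <= MAX_RSA_KEY_BYTES, enforced by the response unmarshal */`. The `versionInfoSize`/`versionInfo` pair presumably carries the same kind of constraint (the size must match the marshaled `TPM_CAP_VERSION_INFO`), so a one-line comment there as well would make the layout self-describing.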
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Quote_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Quote_fp.h
new file mode 100644
index 0000000..75fcaa7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Quote_fp.h
@@ -0,0 +1,91 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Quote_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef QUOTE_FP_H
+#define QUOTE_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT signHandle;
+ TPM2B_DATA qualifyingData;
+ TPMT_SIG_SCHEME inScheme;
+ TPML_PCR_SELECTION PCRselect;
+} Quote_In;
+
+#define RC_Quote_signHandle (TPM_RC_H + TPM_RC_1)
+#define RC_Quote_qualifyingData (TPM_RC_P + TPM_RC_1)
+#define RC_Quote_inScheme (TPM_RC_P + TPM_RC_2)
+#define RC_Quote_PCRselect (TPM_RC_P + TPM_RC_3)
+
+typedef struct {
+ TPM2B_ATTEST quoted;
+ TPMT_SIGNATURE signature;
+} Quote_Out;
+
+TPM_RC
+TPM2_Quote(
+ Quote_In *in, // IN: input parameter list
+ Quote_Out *out // OUT: output parameter list
+ );
+
+
+#endif
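Review bot: `Quote_In` leaves `qualifyingData` undocumented, although it is the only caller-controlled input that gives a quote its freshness; a verifier that does not pass an unpredictable nonce here and check it in the returned `quoted` attestation can be handed a replayed quote. I would add `TPM2B_DATA qualifyingData; /* caller nonce, echoed in the attestation's extraData; supply a fresh random value and verify it on the way back */` so the contract is visible at the declaration. The echo into `extraData` is TCG-specified behaviour rather than something this header shows, so confirm the wording against the TPM 2.0 Part 3 description of TPM2_Quote.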
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/RSA_Decrypt_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/RSA_Decrypt_fp.h
new file mode 100644
index 0000000..2c8a41f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/RSA_Decrypt_fp.h
@@ -0,0 +1,90 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: RSA_Decrypt_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef RSA_DECRYPT_FP_H
+#define RSA_DECRYPT_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT keyHandle;
+ TPM2B_PUBLIC_KEY_RSA cipherText;
+ TPMT_RSA_DECRYPT inScheme;
+ TPM2B_DATA label;
+} RSA_Decrypt_In;
+
+#define RC_RSA_Decrypt_keyHandle (TPM_RC_H + TPM_RC_1)
+#define RC_RSA_Decrypt_cipherText (TPM_RC_P + TPM_RC_1)
+#define RC_RSA_Decrypt_inScheme (TPM_RC_P + TPM_RC_2)
+#define RC_RSA_Decrypt_label (TPM_RC_P + TPM_RC_3)
+
+typedef struct {
+ TPM2B_PUBLIC_KEY_RSA message;
+} RSA_Decrypt_Out;
+
+TPM_RC
+TPM2_RSA_Decrypt(
+ RSA_Decrypt_In *in, // IN: input parameter list
+ RSA_Decrypt_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/RSA_Encrypt_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/RSA_Encrypt_fp.h
new file mode 100644
index 0000000..d7be590
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/RSA_Encrypt_fp.h
@@ -0,0 +1,89 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: RSA_Encrypt_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef RSA_ENCRYPT_FP_H
+#define RSA_ENCRYPT_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT keyHandle;
+ TPM2B_PUBLIC_KEY_RSA message;
+ TPMT_RSA_DECRYPT inScheme;
+ TPM2B_DATA label;
+} RSA_Encrypt_In;
+
+#define RC_RSA_Encrypt_keyHandle (TPM_RC_H + TPM_RC_1)
+#define RC_RSA_Encrypt_message (TPM_RC_P + TPM_RC_1)
+#define RC_RSA_Encrypt_inScheme (TPM_RC_P + TPM_RC_2)
+#define RC_RSA_Encrypt_label (TPM_RC_P + TPM_RC_3)
+
+typedef struct {
+ TPM2B_PUBLIC_KEY_RSA outData;
+} RSA_Encrypt_Out;
+
+TPM_RC
+TPM2_RSA_Encrypt(
+ RSA_Encrypt_In *in, // IN: input parameter list
+ RSA_Encrypt_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadClock_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadClock_fp.h
new file mode 100644
index 0000000..b0d7a68
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadClock_fp.h
@@ -0,0 +1,77 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ReadClock_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef READCLOCK_FP_H
+#define READCLOCK_FP_H
+
+typedef struct {
+ TPMS_TIME_INFO currentTime;
+} ReadClock_Out;
+
+TPM_RC
+TPM2_ReadClock(
+ ReadClock_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadPubek_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadPubek_fp.h
new file mode 100644
index 0000000..440fbef
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadPubek_fp.h
@@ -0,0 +1,63 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 ReadPubek */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ReadPubek_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef READPUBEK_FP_H
+#define READPUBEK_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM_NONCE antiReplay;
+} ReadPubek_In;
+
+typedef struct {
+ TPM_PUBKEY pubEndorsementKey;
+ TPM_DIGEST checksum;
+} ReadPubek_Out;
+
+TPM_RC
+TPM2_ReadPubek(
+ ReadPubek_In *in, // IN: input parameter buffer
+ ReadPubek_Out *out // OUT: output parameter buffer
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadPublic_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadPublic_fp.h
new file mode 100644
index 0000000..ad3fc2c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ReadPublic_fp.h
@@ -0,0 +1,84 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ReadPublic_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef READPUBLIC_FP_H
+#define READPUBLIC_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT objectHandle;
+} ReadPublic_In;
+
+#define RC_ReadPublic_objectHandle (TPM_RC_H + TPM_RC_1)
+
+typedef struct {
+ TPM2B_PUBLIC outPublic;
+ TPM2B_NAME name;
+ TPM2B_NAME qualifiedName;
+} ReadPublic_Out;
+
+TPM_RC
+TPM2_ReadPublic(
+ ReadPublic_In *in, // IN: input parameter list
+ ReadPublic_Out *out // OUT: output parameter list
+ );
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Rewrap_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Rewrap_fp.h
new file mode 100644
index 0000000..83b4b62
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Rewrap_fp.h
@@ -0,0 +1,92 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Rewrap_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef REWRAP_FP_H
+#define REWRAP_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT oldParent;
+ TPMI_DH_OBJECT newParent;
+ TPM2B_PRIVATE inDuplicate;
+ TPM2B_NAME name;
+ TPM2B_ENCRYPTED_SECRET inSymSeed;
+} Rewrap_In;
+
+#define RC_Rewrap_oldParent (TPM_RC_H + TPM_RC_1)
+#define RC_Rewrap_newParent (TPM_RC_H + TPM_RC_2)
+#define RC_Rewrap_inDuplicate (TPM_RC_P + TPM_RC_1)
+#define RC_Rewrap_name (TPM_RC_P + TPM_RC_2)
+#define RC_Rewrap_inSymSeed (TPM_RC_P + TPM_RC_3)
+
+typedef struct {
+ TPM2B_PRIVATE outDuplicate;
+ TPM2B_ENCRYPTED_SECRET outSymSeed;
+} Rewrap_Out;
+
+TPM_RC
+TPM2_Rewrap(
+ Rewrap_In *in, // IN: input parameter list
+ Rewrap_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/SelfTest_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SelfTest_fp.h
new file mode 100644
index 0000000..33d4c6b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SelfTest_fp.h
@@ -0,0 +1,78 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: SelfTest_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef SELFTEST_FP_H
+#define SELFTEST_FP_H
+
+typedef struct{
+ TPMI_YES_NO fullTest;
+} SelfTest_In;
+
+#define RC_SelfTest_fullTest (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_SelfTest(
+ SelfTest_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/SequenceComplete_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SequenceComplete_fp.h
new file mode 100644
index 0000000..9064c96
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SequenceComplete_fp.h
@@ -0,0 +1,92 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: SequenceComplete_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef SEQUENCECOMPLETE_FP_H
+#define SEQUENCECOMPLETE_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT sequenceHandle;
+ TPM2B_MAX_BUFFER buffer;
+ TPMI_RH_HIERARCHY hierarchy;
+} SequenceComplete_In;
+
+#define RC_SequenceComplete_sequenceHandle (TPM_RC_H + TPM_RC_1)
+#define RC_SequenceComplete_buffer (TPM_RC_P + TPM_RC_1)
+#define RC_SequenceComplete_hierarchy (TPM_RC_P + TPM_RC_2)
+
+
+typedef struct {
+ TPM2B_DIGEST result;
+ TPMT_TK_HASHCHECK validation;
+} SequenceComplete_Out;
+
+
+
+TPM_RC
+TPM2_SequenceComplete(
+ SequenceComplete_In *in, // IN: input parameter list
+ SequenceComplete_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/SequenceUpdate_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SequenceUpdate_fp.h
new file mode 100644
index 0000000..dd09417
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SequenceUpdate_fp.h
@@ -0,0 +1,82 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: SequenceUpdate_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef SEQUENCEUPDATE_FP_H
+#define SEQUENCEUPDATE_FP_H
+
+
+typedef struct {
+ TPMI_DH_OBJECT sequenceHandle;
+ TPM2B_MAX_BUFFER buffer;
+} SequenceUpdate_In;
+
+#define RC_SequenceUpdate_sequenceHandle (TPM_RC_P + TPM_RC_1)
+#define RC_SequenceUpdate_buffer (TPM_RC_P + TPM_RC_2)
+
+TPM_RC
+TPM2_SequenceUpdate(
+ SequenceUpdate_In *in // IN: input parameter list
+ );
+
+
+#endif
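Review bot: The response-code mapping for the handle parameter in this header differs from every other header in this series: `RC_SequenceUpdate_sequenceHandle` is defined as `(TPM_RC_P + TPM_RC_1)`, while SequenceComplete_fp.h, SetAlgorithmSet_fp.h, SetCommandCodeAuditStatus_fp.h, SetPrimaryPolicy_fp.h, Sign_fp.h and StartAuthSession_fp.h all map their handle parameters to `TPM_RC_H + TPM_RC_n` and start the `TPM_RC_P` numbering at the first non-handle parameter. If these macros are used anywhere to attribute a handle-related TPM error to a parameter, a TPM_RC_H-coded response from TPM2_SequenceUpdate would not match either define. The consistent form would be `#define RC_SequenceUpdate_sequenceHandle (TPM_RC_H + TPM_RC_1)` and `#define RC_SequenceUpdate_buffer (TPM_RC_P + TPM_RC_1)`; if the divergence is deliberate and carried from upstream, a one-line comment saying so would save the next reader the same check.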
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/SetAlgorithmSet_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SetAlgorithmSet_fp.h
new file mode 100644
index 0000000..c352f4d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SetAlgorithmSet_fp.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: SetAlgorithmSet_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef SETALGORITHMSET_FP_H
+#define SETALGORITHMSET_FP_H
+
+typedef struct {
+ TPMI_RH_PLATFORM authHandle;
+ UINT32 algorithmSet;
+} SetAlgorithmSet_In;
+
+#define RC_SetAlgorithmSet_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_SetAlgorithmSet_algorithmSet (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_SetAlgorithmSet(
+ SetAlgorithmSet_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/SetCommandCodeAuditStatus_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SetCommandCodeAuditStatus_fp.h
new file mode 100644
index 0000000..1ddb50f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SetCommandCodeAuditStatus_fp.h
@@ -0,0 +1,84 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: SetCommandCodeAuditStatus_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef SETCOMMANDCODEAUDITSTATUS_FP_H
+#define SETCOMMANDCODEAUDITSTATUS_FP_H
+
+typedef struct {
+ TPMI_RH_PROVISION auth;
+ TPMI_ALG_HASH auditAlg;
+ TPML_CC setList;
+ TPML_CC clearList;
+} SetCommandCodeAuditStatus_In;
+
+#define RC_SetCommandCodeAuditStatus_auth (TPM_RC_H + TPM_RC_1)
+#define RC_SetCommandCodeAuditStatus_auditAlg (TPM_RC_P + TPM_RC_1)
+#define RC_SetCommandCodeAuditStatus_setList (TPM_RC_P + TPM_RC_2)
+#define RC_SetCommandCodeAuditStatus_clearList (TPM_RC_P + TPM_RC_3)
+
+TPM_RC
+TPM2_SetCommandCodeAuditStatus(
+ SetCommandCodeAuditStatus_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/SetPrimaryPolicy_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SetPrimaryPolicy_fp.h
new file mode 100644
index 0000000..ea7ce05
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/SetPrimaryPolicy_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* TPM2_SetPrimaryPolicy Command Header */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012 - 2019 */
+/* */
+/********************************************************************************/
+
+#ifndef SETPRIMARYPOLICY_FP_H
+#define SETPRIMARYPOLICY_FP_H
+
+typedef struct {
+ TPMI_RH_HIERARCHY_POLICY authHandle;
+ TPM2B_DIGEST authPolicy;
+ TPMI_ALG_HASH hashAlg;
+} SetPrimaryPolicy_In;
+
+#define RC_SetPrimaryPolicy_authHandle (TPM_RC_H + TPM_RC_1)
+#define RC_SetPrimaryPolicy_authPolicy (TPM_RC_P + TPM_RC_1)
+#define RC_SetPrimaryPolicy_hashAlg (TPM_RC_P + TPM_RC_2)
+
+TPM_RC
+TPM2_SetPrimaryPolicy(
+ SetPrimaryPolicy_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Shutdown_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Shutdown_fp.h
new file mode 100644
index 0000000..51c6bc3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Shutdown_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Shutdown_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef SHUTDOWN_FP_H
+#define SHUTDOWN_FP_H
+
+typedef struct{
+ TPM_SU shutdownType;
+} Shutdown_In;
+
+#define RC_Shutdown_shutdownType (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_Shutdown(
+ Shutdown_In *in // IN: input parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Sign12_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Sign12_fp.h
new file mode 100644
index 0000000..dfaa238
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Sign12_fp.h
@@ -0,0 +1,65 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 Sign12 */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Sign12_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef SIGN12_FP_H
+#define SIGN12_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM_KEY_HANDLE keyHandle;
+ UINT32 areaToSignSize;
+ BYTE areaToSign[MAX_COMMAND_SIZE];
+} Sign12_In;
+
+typedef struct {
+ UINT32 sigSize;
+ BYTE sig[MAX_RSA_KEY_BYTES];
+} Sign12_Out;
+
+TPM_RC
+TPM2_Sign12(
+ Sign12_In *in, // IN: input parameter buffer
+ Sign12_Out *out // OUT: output parameter buffer
+ );
+
+#endif
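Review bot: The fixed-size buffers in Sign12_In and Sign12_Out carry separate length fields, but the header does not state the invariant that ties them together, so a reader cannot tell from here whether `areaToSignSize` is bounded by the array or by the caller. Since the bound has to be enforced wherever these structures are filled (the marshal/unmarshal code, which is not in this hunk), documenting it at the declaration is the cheapest way to keep that check from being forgotten. Suggested comments: `BYTE areaToSign[MAX_COMMAND_SIZE]; /* areaToSignSize bytes valid; must be <= MAX_COMMAND_SIZE */` and `BYTE sig[MAX_RSA_KEY_BYTES]; /* sigSize bytes valid; must be <= MAX_RSA_KEY_BYTES */`.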
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Sign_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Sign_fp.h
new file mode 100644
index 0000000..41feb75
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Sign_fp.h
@@ -0,0 +1,89 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Sign_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef SIGN_FP_H
+#define SIGN_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT keyHandle;
+ TPM2B_DIGEST digest;
+ TPMT_SIG_SCHEME inScheme;
+ TPMT_TK_HASHCHECK validation;
+} Sign_In;
+
+#define RC_Sign_keyHandle (TPM_RC_H + TPM_RC_1)
+#define RC_Sign_digest (TPM_RC_P + TPM_RC_1)
+#define RC_Sign_inScheme (TPM_RC_P + TPM_RC_2)
+#define RC_Sign_validation (TPM_RC_P + TPM_RC_3)
+
+typedef struct {
+ TPMT_SIGNATURE signature;
+} Sign_Out;
+
+TPM_RC
+TPM2_Sign(
+ Sign_In *in, // IN: input parameter list
+ Sign_Out *out // OUT: output parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/StartAuthSession_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/StartAuthSession_fp.h
new file mode 100644
index 0000000..03e8bb0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/StartAuthSession_fp.h
@@ -0,0 +1,97 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: StartAuthSession_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef STARTAUTHSESSION_FP_H
+#define STARTAUTHSESSION_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT tpmKey;
+ TPMI_DH_ENTITY bind;
+ TPM2B_NONCE nonceCaller;
+ TPM2B_ENCRYPTED_SECRET encryptedSalt;
+ TPM_SE sessionType;
+ TPMT_SYM_DEF symmetric;
+ TPMI_ALG_HASH authHash;
+} StartAuthSession_In;
+
+typedef struct {
+ TPMI_SH_AUTH_SESSION sessionHandle;
+ TPM2B_NONCE nonceTPM;
+} StartAuthSession_Out;
+
+#define RC_StartAuthSession_tpmKey (TPM_RC_H + TPM_RC_1)
+#define RC_StartAuthSession_bind (TPM_RC_H + TPM_RC_2)
+#define RC_StartAuthSession_nonceCaller (TPM_RC_P + TPM_RC_1)
+#define RC_StartAuthSession_encryptedSalt (TPM_RC_P + TPM_RC_2)
+#define RC_StartAuthSession_sessionType (TPM_RC_P + TPM_RC_3)
+#define RC_StartAuthSession_symmetric (TPM_RC_P + TPM_RC_4)
+#define RC_StartAuthSession_authHash (TPM_RC_P + TPM_RC_5)
+
+TPM_RC
+TPM2_StartAuthSession(
+ StartAuthSession_In *in, // IN: input parameter buffer
+ StartAuthSession_Out *out // OUT: output parameter buffer
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Startup12_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Startup12_fp.h
new file mode 100644
index 0000000..4247810
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Startup12_fp.h
@@ -0,0 +1,50 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Startup12_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef STARTUP12_FP_H
+#define STARTUP12_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+
+typedef struct {
+ TPM_STARTUP_TYPE startupType;
+} Startup12_In;
+
+
+#endif
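Review bot: Startup12_fp.h is named as a function-prototype header but declares only the `Startup12_In` structure, with no `Startup12_Out` and no `TPM2_Startup12` prototype, unlike the sibling Sign12_fp.h in this same commit which declares `TPM2_Sign12` alongside its In/Out structures. This is presumably intentional (TPM 1.2 Startup has no response parameters and may be dispatched without a per-command function), but nothing in the header says so, and a reader looking for the prototype will assume it was dropped. A short comment after the include, e.g. `/* TPM 1.2 Startup has no output parameters; no per-command prototype is declared here */`, would make the omission explicit — adjust the wording if the actual reason differs.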
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Startup_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Startup_fp.h
new file mode 100644
index 0000000..c5e409f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Startup_fp.h
@@ -0,0 +1,84 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Startup_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef STARTUP_FP_H
+#define STARTUP_FP_H
+
+void
+_TPM_Init(
+ void
+ );
+
+
+typedef struct {
+ TPM_SU startupType;
+} Startup_In;
+
+#define RC_Startup_startupType (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_Startup(
+ Startup_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/StirRandom_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/StirRandom_fp.h
new file mode 100644
index 0000000..bbfc411
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/StirRandom_fp.h
@@ -0,0 +1,78 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: StirRandom_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef STIRRANDOM_FP_H
+#define STIRRANDOM_FP_H
+
+typedef struct {
+ TPM2B_SENSITIVE_DATA inData;
+} StirRandom_In;
+
+#define RC_StirRandom_inData (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_StirRandom(
+ StirRandom_In *in // IN: input parameter list
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/TPMB.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/TPMB.h
new file mode 100644
index 0000000..ff15390
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/TPMB.h
@@ -0,0 +1,104 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: TPMB.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2016 */
+/* */
+/********************************************************************************/
+
+#ifndef TPMB_H
+#define TPMB_H
+
+/* 5.20 TPMB.h */
+/* This file contains extra TPM2B structures */
+#ifndef _TPMB_H
+#define _TPMB_H
+/* TPM2B Types */
+typedef struct {
+ UINT16 size;
+ BYTE buffer[1];
+} TPM2B, *P2B;
+typedef const TPM2B *PC2B;
+/* This macro helps avoid having to type in the structure in order to create a new TPM2B type that
+ is used in a function. */
+#define TPM2B_TYPE(name, bytes) \
+ typedef union { \
+ struct { \
+ UINT16 size; \
+ BYTE buffer[(bytes)]; \
+ } t; \
+ TPM2B b; \
+ } TPM2B_##name
+/* This macro defines a TPM2B with a constant character value. This macro sets the size of the
+ string to the size minus the terminating zero byte. This lets the user of the label add their
+ terminating 0. This method is chosen so that existing code that provides a label will continue to
+ work correctly. */
+#define TPM2B_STRING(name, value) \
+ static const union { \
+ struct { \
+ UINT16 size; \
+ BYTE buffer[sizeof(value)]; \
+ } t; \
+ TPM2B b; \
+ } name##_ = {{sizeof(value), {value}}}; \
+ const TPM2B *name = &name##_.b
+/* Macro to to instance and initialize a TPM2B value */
+#define TPM2B_INIT(TYPE, name) \
+ TPM2B_##TYPE name = {sizeof(name.t.buffer), {0}}
+#define TPM2B_BYTE_VALUE(bytes) TPM2B_TYPE(bytes##_BYTE_VALUE, bytes)
+#endif
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/TPM_Types.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/TPM_Types.h
new file mode 100644
index 0000000..855a3cd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/TPM_Types.h
@@ -0,0 +1,2825 @@
+/********************************************************************************/
+/* */
+/* Headers from Part 2 */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012 - 2019 */
+/* */
+/********************************************************************************/
+
+/* rev 124 */
+
+#ifndef _TPM_TYPES_H
+#define _TPM_TYPES_H
+
+#include <stdint.h>
+
+#include <ibmtss/Implementation.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ The C bit field is non-portable, but the TPM specification reference implementation uses them.
+
+ These two macros attempt to define the TPM specification bit fields for little and big endian
+ machines. There is no guarantee that either will work with a specific compiler or tool chain. If
+ not, the developer must create a custom structure.
+
+ TPM_BITFIELD_LE - little endian
+ TPM_BITFIELD_BE - big endian
+
+ To access the structures as uint's for marshaling and unmarshaling, each bit field is a union with
+ an integral field called 'val'.
+
+ Yes, I know that this uses anonymous structs, but the alternative yields another level of
+ deferencing, and will likely break more code. I hope your compiler supports this recent addition
+ to the standard.
+
+ For portable code:
+
+ If neither macro is defined, this header defines the structures as uint32_t. It defines constants
+ for the various bits, and can be used as:
+
+ variable & CONSTANT (test for set)
+ !(variable & CONSTANT) (test for clear)
+ variable &= CONSTANT (to set)
+ variable |= ~CONSTANT (to clear)
+
+ Although the portable structures are all uint32_t, some only use the least significant 8 bits and
+ are marshalled as a uint_8t.
+*/
+
+/* Table 3 - Definition of Base Types */
+/* In BaseTypes.h */
+
+/* Table 4 - Defines for Logic Values */
+// In Table 39 (Yes, NO)
+/* In bool.h (TRUE, FALSE) */
+#define SET 1
+#define CLEAR 0
+
+/* Part 4 5.5 Capabilities.h */
+
+#define MAX_CAP_DATA (MAX_CAP_BUFFER-sizeof(TPM_CAP)-sizeof(UINT32))
+#define MAX_CAP_ALGS (MAX_CAP_DATA/sizeof(TPMS_ALG_PROPERTY))
+#define MAX_CAP_HANDLES (MAX_CAP_DATA/sizeof(TPM_HANDLE))
+#define MAX_CAP_CC (MAX_CAP_DATA/sizeof(TPM_CC))
+#define MAX_TPM_PROPERTIES (MAX_CAP_DATA/sizeof(TPMS_TAGGED_PROPERTY))
+#define MAX_PCR_PROPERTIES (MAX_CAP_DATA/sizeof(TPMS_TAGGED_PCR_SELECT))
+#define MAX_ECC_CURVES (MAX_CAP_DATA/sizeof(TPM_ECC_CURVE))
+#define MAX_TAGGED_POLICIES (MAX_CAP_DATA/sizeof(TPMS_TAGGED_POLICY))
+
+/* Table 5 - Definition of Types for Documentation Clarity */
+
+typedef UINT32 TPM_ALGORITHM_ID; /* this is the 1.2 compatible form of the TPM_ALG_ID */
+typedef UINT32 TPM_MODIFIER_INDICATOR;
+typedef UINT32 TPM_AUTHORIZATION_SIZE; /* the authorizationSize parameter in a command */
+typedef UINT32 TPM_PARAMETER_SIZE; /* the parameterSizeset parameter in a command */
+typedef UINT16 TPM_KEY_SIZE; /* a key size in octets */
+typedef UINT16 TPM_KEY_BITS; /* a key size in bits */
+
+/* Table 6 - Definition of (UINT32) TPM_SPEC Constants <> */
+
+typedef UINT32 TPM_SPEC;
+
+#define TPM_SPEC_FAMILY 0x322E3000 /* ASCII "2.0" with null terminator */
+#define TPM_SPEC_LEVEL 00 /* the level number for the specification */
+#define TPM_SPEC_VERSION 124 /* the version number of the spec (01.21 * 100) */
+#define TPM_SPEC_YEAR 2015 /* the year of the version */
+#define TPM_SPEC_DAY_OF_YEAR 191 /* the day of the year */
+
+
+/* Table 7 - Definition of (UINT32) TPM_GENERATED Constants <O> */
+
+typedef UINT32 TPM_GENERATED;
+
+#define TPM_GENERATED_VALUE 0xff544347 /* 0xFF 'TCG' (FF 54 43 47) */
+
+/* Table 9 - Definition of (UINT16) TPM_ALG_ID Constants <IN/OUT, S> */
+
+typedef UINT16 TPM_ALG_ID;
+
+/* Table 10 - Definition of (UINT16) {ECC} TPM_ECC_CURVE Constants <IN/OUT, S> */
+
+typedef UINT16 TPM_ECC_CURVE;
+
+/* Table 16 - Definition of (UINT32) TPM_RC Constants (Actions) <OUT> */
+
+typedef UINT32 TPM_RC;
+
+#define TPM_RC_SUCCESS 0x000
+#define TPM_RC_BAD_TAG 0x01E /* defined for compatibility with TPM 1.2 */
+
+#define RC_VER1 0x100 /* set for all format 0 response codes */
+
+#define TPM_RC_INITIALIZE (RC_VER1 + 0x000) /* TPM not initialized by TPM2_Startup or already initialized */
+#define TPM_RC_FAILURE (RC_VER1 + 0x001) /* commands not being accepted because of a TPM failure */
+#define TPM_RC_SEQUENCE (RC_VER1 + 0x003) /* improper use of a sequence handle */
+#define TPM_RC_PRIVATE (RC_VER1 + 0x00B) /* not currently used */
+#define TPM_RC_HMAC (RC_VER1 + 0x019) /* not currently used */
+#define TPM_RC_DISABLED (RC_VER1 + 0x020) /* the command is disabled */
+#define TPM_RC_EXCLUSIVE (RC_VER1 + 0x021) /* command failed because audit sequence required exclusivity */
+#define TPM_RC_AUTH_TYPE (RC_VER1 + 0x024) /* authorization handle is not correct for command */
+#define TPM_RC_AUTH_MISSING (RC_VER1 + 0x025) /* command requires an authorization session
+ for handle and it is not present. */
+#define TPM_RC_POLICY (RC_VER1 + 0x026) /* policy failure in math Operation or an invalid authPolicy value */
+#define TPM_RC_PCR (RC_VER1 + 0x027) /* PCR check fail */
+#define TPM_RC_PCR_CHANGED (RC_VER1 + 0x028) /* PCR have changed since checked. */
+#define TPM_RC_UPGRADE (RC_VER1 + 0x02D) /* for all commands other than
+ TPM2_FieldUpgradeData(), this code
+ indicates that the TPM is in field
+ upgrade mode */
+#define TPM_RC_TOO_MANY_CONTEXTS (RC_VER1 + 0x02E) /* context ID counter is at maximum. */
+#define TPM_RC_AUTH_UNAVAILABLE (RC_VER1 + 0x02F) /* authValue or authPolicy is not available for selected entity. */
+#define TPM_RC_REBOOT (RC_VER1 + 0x030) /* a _TPM_Init and Startup(CLEAR) is
+ required before the TPM can resume
+ operation. */
+#define TPM_RC_UNBALANCED (RC_VER1 + 0x031) /* the protection algorithms (hash and
+ symmetric) are not reasonably balanced */
+#define TPM_RC_COMMAND_SIZE (RC_VER1 + 0x042) /* command commandSize value is inconsistent
+ with contents of the command buffer */
+#define TPM_RC_COMMAND_CODE (RC_VER1 + 0x043) /* command code not supported */
+#define TPM_RC_AUTHSIZE (RC_VER1 + 0x044) /* the value of authorizationSize is out of range */
+#define TPM_RC_AUTH_CONTEXT (RC_VER1 + 0x045) /* use of an authorization session with a
+ context command or another command that
+ cannot have an authorization session.*/
+#define TPM_RC_NV_RANGE (RC_VER1 + 0x046) /* NV offset+size is out of range. */
+#define TPM_RC_NV_SIZE (RC_VER1 + 0x047) /* Requested allocation size is larger than allowed. */
+#define TPM_RC_NV_LOCKED (RC_VER1 + 0x048) /* NV access locked. */
+#define TPM_RC_NV_AUTHORIZATION (RC_VER1 + 0x049) /* NV access authorization fails in command
+ actions (this failure does not affect
+ lockout.action) */
+#define TPM_RC_NV_UNINITIALIZED (RC_VER1 + 0x04A) /* an NV Index is used before being
+ initialized or the state saved by
+ TPM2_Shutdown(STATE) could not be
+ restored */
+#define TPM_RC_NV_SPACE (RC_VER1 + 0x04B) /* insufficient space for NV allocation */
+#define TPM_RC_NV_DEFINED (RC_VER1 + 0x04C) /* NV Index or persistent object already defined */
+#define TPM_RC_BAD_CONTEXT (RC_VER1 + 0x050) /* context in TPM2_ContextLoad() is not valid */
+#define TPM_RC_CPHASH (RC_VER1 + 0x051) /* cpHash value already set or not correct for use */
+#define TPM_RC_PARENT (RC_VER1 + 0x052) /* handle for parent is not a valid parent */
+#define TPM_RC_NEEDS_TEST (RC_VER1 + 0x053) /* some function needs testing. */
+#define TPM_RC_NO_RESULT (RC_VER1 + 0x054) /* returned when an internal function cannot
+ process a request due to an unspecified
+ problem. */
+#define TPM_RC_SENSITIVE (RC_VER1 + 0x055) /* the sensitive area did not unmarshal correctly after decryption */
+#define RC_MAX_FM0 (RC_VER1 + 0x07F) /* largest version 1 code that is not a warning */
+
+/* The codes in this group may have a value added to them to indicate the handle, session, or
+ parameter to which they apply. */
+
+#define RC_FMT1 0x080 /* This bit is SET in all format 1 response codes */
+
+#define TPM_RC_ASYMMETRIC (RC_FMT1 + 0x001) /* asymmetric algorithm not supported or not correct */
+#define TPM_RC_ATTRIBUTES (RC_FMT1 + 0x002) /* inconsistent attributes */
+#define TPM_RC_HASH (RC_FMT1 + 0x003) /* hash algorithm not supported or not appropriate */
+#define TPM_RC_VALUE (RC_FMT1 + 0x004) /* value is out of range or is not correct for the context */
+#define TPM_RC_HIERARCHY (RC_FMT1 + 0x005) /* hierarchy is not enabled or is not correct for the use */
+#define TPM_RC_KEY_SIZE (RC_FMT1 + 0x007) /* key size is not supported */
+#define TPM_RC_MGF (RC_FMT1 + 0x008) /* mask generation function not supported */
+#define TPM_RC_MODE (RC_FMT1 + 0x009) /* mode of operation not supported */
+#define TPM_RC_TYPE (RC_FMT1 + 0x00A) /* the type of the value is not appropriate for the use */
+#define TPM_RC_HANDLE (RC_FMT1 + 0x00B) /* the handle is not correct for the use */
+#define TPM_RC_KDF (RC_FMT1 + 0x00C) /* unsupported key derivation function or
+ function not appropriate for use */
+#define TPM_RC_RANGE (RC_FMT1 + 0x00D) /* value was out of allowed range. */
+#define TPM_RC_AUTH_FAIL (RC_FMT1 + 0x00E) /* the authorization HMAC check failed and DA counter incremented */
+#define TPM_RC_NONCE (RC_FMT1 + 0x00F) /* invalid nonce size or nonce value mismatch */
+#define TPM_RC_PP (RC_FMT1 + 0x010) /* authorization requires assertion of PP */
+#define TPM_RC_SCHEME (RC_FMT1 + 0x012) /* unsupported or incompatible scheme */
+#define TPM_RC_SIZE (RC_FMT1 + 0x015) /* structure is the wrong size */
+#define TPM_RC_SYMMETRIC (RC_FMT1 + 0x016) /* unsupported symmetric algorithm or key
+ size, or not appropriate for instance */
+#define TPM_RC_TAG (RC_FMT1 + 0x017) /* incorrect structure tag */
+#define TPM_RC_SELECTOR (RC_FMT1 + 0x018) /* union selector is incorrect */
+#define TPM_RC_INSUFFICIENT (RC_FMT1 + 0x01A) /* the TPM was unable to unmarshal a value
+ because there were not enough octets in
+ the input buffer */
+#define TPM_RC_SIGNATURE (RC_FMT1 + 0x01B) /* the signature is not valid */
+#define TPM_RC_KEY (RC_FMT1 + 0x01C) /* key fields are not compatible with the selected use */
+#define TPM_RC_POLICY_FAIL (RC_FMT1 + 0x01D) /* a policy check failed */
+#define TPM_RC_INTEGRITY (RC_FMT1 + 0x01F) /* integrity check failed */
+#define TPM_RC_TICKET (RC_FMT1 + 0x020) /* invalid ticket */
+#define TPM_RC_RESERVED_BITS (RC_FMT1 + 0x021) /* reserved bits not set to zero as required */
+#define TPM_RC_BAD_AUTH (RC_FMT1 + 0x022) /* authorization failure without DA implications */
+#define TPM_RC_EXPIRED (RC_FMT1 + 0x023) /* the policy has expired */
+#define TPM_RC_POLICY_CC (RC_FMT1 + 0x024) /* the commandCode in the policy is not the
+ commandCode of the command */
+#define TPM_RC_BINDING (RC_FMT1 + 0x025) /* public and sensitive portions of an
+ object are not cryptographically bound */
+#define TPM_RC_CURVE (RC_FMT1 + 0x026) /* curve not supported */
+#define TPM_RC_ECC_POINT (RC_FMT1 + 0x027) /* point is not on the required curve. */
+
+/* aliases for FMT1 commands when parameter number can be added */
+
+#define TPM_RCS_VALUE TPM_RC_VALUE
+#define TPM_RCS_TYPE TPM_RC_TYPE
+#define TPM_RCS_HANDLE TPM_RC_HANDLE
+#define TPM_RCS_SIZE TPM_RC_SIZE
+#define TPM_RCS_ATTRIBUTES TPM_RC_ATTRIBUTES
+#define TPM_RCS_NONCE TPM_RC_NONCE
+#define TPM_RCS_SYMMETRIC TPM_RC_SYMMETRIC
+#define TPM_RCS_MODE TPM_RC_MODE
+#define TPM_RCS_SCHEME TPM_RC_SCHEME
+#define TPM_RCS_KEY TPM_RC_KEY
+#define TPM_RCS_ECC_POINT TPM_RC_ECC_POINT
+#define TPM_RCS_HASH TPM_RC_HASH
+#define TPM_RCS_HIERARCHY TPM_RC_HIERARCHY
+#define TPM_RCS_TICKET TPM_RC_TICKET
+#define TPM_RCS_RANGE TPM_RC_RANGE
+#define TPM_RCS_INTEGRITY TPM_RC_INTEGRITY
+#define TPM_RCS_POLICY_CC TPM_RC_POLICY_CC
+#define TPM_RCS_EXPIRED TPM_RC_EXPIRED
+
+#define RC_WARN 0x900 /* set for warning response codes */
+
+#define TPM_RC_CONTEXT_GAP (RC_WARN + 0x001) /* gap for context ID is too large */
+#define TPM_RC_OBJECT_MEMORY (RC_WARN + 0x002) /* out of memory for object contexts */
+#define TPM_RC_SESSION_MEMORY (RC_WARN + 0x003) /* out of memory for session contexts */
+#define TPM_RC_MEMORY (RC_WARN + 0x004) /* out of shared object/session memory or
+ need space for internal operations */
+#define TPM_RC_SESSION_HANDLES (RC_WARN + 0x005) /* out of session handles - a session must
+ be flushed before a new session may be
+ created */
+#define TPM_RC_OBJECT_HANDLES (RC_WARN + 0x006) /* out of object handles - the handle space
+ for objects is depleted and a reboot is
+ required */
+#define TPM_RC_LOCALITY (RC_WARN + 0x007) /* bad locality */
+#define TPM_RC_YIELDED (RC_WARN + 0x008) /* the TPM has suspended operation on the
+ command; forward progress was made and
+ the command may be retried. */
+#define TPM_RC_CANCELED (RC_WARN + 0x009) /* the command was canceled */
+#define TPM_RC_CANCELLED TPM_RC_CANCELED
+#define TPM_RC_TESTING (RC_WARN + 0x00A) /* TPM is performing self-tests */
+#define TPM_RC_REFERENCE_H0 (RC_WARN + 0x010) /* the 1st handle in the handle area
+ references a transient object or session
+ that is not loaded */
+#define TPM_RC_REFERENCE_H1 (RC_WARN + 0x011) /* the 2nd handle in the handle area
+ references a transient object or session
+ that is not loaded */
+#define TPM_RC_REFERENCE_H2 (RC_WARN + 0x012) /* the 3rd handle in the handle area
+ references a transient object or session
+ that is not loaded */
+#define TPM_RC_REFERENCE_H3 (RC_WARN + 0x013) /* the 4th handle in the handle area
+ references a transient object or session
+ that is not loaded */
+#define TPM_RC_REFERENCE_H4 (RC_WARN + 0x014) /* the 5th handle in the handle area
+ references a transient object or session
+ that is not loaded */
+#define TPM_RC_REFERENCE_H5 (RC_WARN + 0x015) /* the 6th handle in the handle area
+ references a transient object or session
+ that is not loaded */
+#define TPM_RC_REFERENCE_H6 (RC_WARN + 0x016) /* the 7th handle in the handle area
+ references a transient object or session
+ that is not loaded */
+#define TPM_RC_REFERENCE_S0 (RC_WARN + 0x018) /* the 1st authorization session handle
+ references a session that is not
+ loaded */
+#define TPM_RC_REFERENCE_S1 (RC_WARN + 0x019) /* the 2nd authorization session handle
+ references a session that is not
+ loaded */
+#define TPM_RC_REFERENCE_S2 (RC_WARN + 0x01A) /* the 3rd authorization session handle
+ references a session that is not
+ loaded */
+#define TPM_RC_REFERENCE_S3 (RC_WARN + 0x01B) /* the 4th authorization session handle
+ references a session that is not
+ loaded */
+#define TPM_RC_REFERENCE_S4 (RC_WARN + 0x01C) /* the 5th session handle references a
+ session that is not loaded */
+#define TPM_RC_REFERENCE_S5 (RC_WARN + 0x01D) /* the 6th session handle references a session that is not loaded */
+#define TPM_RC_REFERENCE_S6 (RC_WARN + 0x01E) /* the 7th authorization session handle
+ references a session that is not
+ loaded */
+#define TPM_RC_NV_RATE (RC_WARN + 0x020) /* the TPM is rate-limiting accesses to prevent wearout of NV */
+#define TPM_RC_LOCKOUT (RC_WARN + 0x021) /* authorizations for objects subject to DA
+ protection are not allowed at this time
+ because the TPM is in DA lockout mode */
+#define TPM_RC_RETRY (RC_WARN + 0x022) /* the TPM was not able to start the command */
+#define TPM_RC_NV_UNAVAILABLE (RC_WARN + 0x023) /* the command may require writing of NV and
+ NV is not current accessible */
+#define TPM_RC_NOT_USED (RC_WARN + 0x07F) /* this value is reserved and shall not be returned by the TPM */
+
+#define TPM_RC_H 0x000 /* add to a handle-related error */
+#define TPM_RC_P 0x040 /* add to a parameter-related error */
+#define TPM_RC_S 0x800 /* add to a session-related error */
+#define TPM_RC_1 0x100 /* add to a parameter-, handle-, or session-related error */
+#define TPM_RC_2 0x200 /* add to a parameter-, handle-, or session-related error */
+#define TPM_RC_3 0x300 /* add to a parameter-, handle-, or session-related error */
+#define TPM_RC_4 0x400 /* add to a parameter-, handle-, or session-related error */
+#define TPM_RC_5 0x500 /* add to a parameter-, handle-, or session-related error */
+#define TPM_RC_6 0x600 /* add to a parameter-, handle-, or session-related error */
+#define TPM_RC_7 0x700 /* add to a parameter-, handle-, or session-related error */
+#define TPM_RC_8 0x800 /* add to a parameter-related error */
+#define TPM_RC_9 0x900 /* add to a parameter-related error */
+#define TPM_RC_A 0xA00 /* add to a parameter-related error */
+#define TPM_RC_B 0xB00 /* add to a parameter-related error */
+#define TPM_RC_C 0xC00 /* add to a parameter-related error */
+#define TPM_RC_D 0xD00 /* add to a parameter-related error */
+#define TPM_RC_E 0xE00 /* add to a parameter-related error */
+#define TPM_RC_F 0xF00 /* add to a parameter-related error */
+#define TPM_RC_N_MASK 0xF00 /* number mask */
+
+/* Table 17 - Definition of (INT8) TPM_CLOCK_ADJUST Constants <IN> */
+
+typedef INT8 TPM_CLOCK_ADJUST;
+
+#define TPM_CLOCK_COARSE_SLOWER -3 /* Slow the Clock update rate by one coarse adjustment step. */
+#define TPM_CLOCK_MEDIUM_SLOWER -2 /* Slow the Clock update rate by one medium adjustment step. */
+#define TPM_CLOCK_FINE_SLOWER -1 /* Slow the Clock update rate by one fine adjustment step. */
+#define TPM_CLOCK_NO_CHANGE 0 /* No change to the Clock update rate. */
+#define TPM_CLOCK_FINE_FASTER 1 /* Speed the Clock update rate by one fine adjustment step. */
+#define TPM_CLOCK_MEDIUM_FASTER 2 /* Speed the Clock update rate by one medium adjustment step. */
+#define TPM_CLOCK_COARSE_FASTER 3 /* Speed the Clock update rate by one coarse adjustment step. */
+
+/* Table 18 - Definition of (UINT16) TPM_EO Constants <IN/OUT> */
+
+typedef UINT16 TPM_EO;
+
+#define TPM_EO_EQ 0x0000 /* A = B */
+#define TPM_EO_NEQ 0x0001 /* A != B */
+#define TPM_EO_SIGNED_GT 0x0002 /* A > B signed */
+#define TPM_EO_UNSIGNED_GT 0x0003 /* A > B unsigned */
+#define TPM_EO_SIGNED_LT 0x0004 /* A < B signed */
+#define TPM_EO_UNSIGNED_LT 0x0005 /* A < B unsigned */
+#define TPM_EO_SIGNED_GE 0x0006 /* A = B signed */
+#define TPM_EO_UNSIGNED_GE 0x0007 /* A = B unsigned */
+#define TPM_EO_SIGNED_LE 0x0008 /* A = B signed */
+#define TPM_EO_UNSIGNED_LE 0x0009 /* A = B unsigned */
+#define TPM_EO_BITSET 0x000A /* All bits SET in B are SET in A. ((A&B)=B) */
+#define TPM_EO_BITCLEAR 0x000B /* All bits SET in B are CLEAR in A. ((A&B)=0) */
+
+/* Table 19 - Definition of (UINT16) TPM_ST Constants <IN/OUT, S> */
+
+typedef UINT16 TPM_ST;
+
+#define TPM_ST_RSP_COMMAND 0x00C4 /* tag value for a response */
+#define TPM_ST_NULL 0X8000 /* no structure type specified */
+#define TPM_ST_NO_SESSIONS 0x8001 /* command/response has no attached sessions*/
+#define TPM_ST_SESSIONS 0x8002 /* command/response has one or more attached sessions*/
+#define TPM_ST_ATTEST_NV 0x8014 /* tag for an attestation structure */
+#define TPM_ST_ATTEST_COMMAND_AUDIT 0x8015 /* tag for an attestation structure */
+#define TPM_ST_ATTEST_SESSION_AUDIT 0x8016 /* tag for an attestation structure */
+#define TPM_ST_ATTEST_CERTIFY 0x8017 /* tag for an attestation structure */
+#define TPM_ST_ATTEST_QUOTE 0x8018 /* tag for an attestation structure */
+#define TPM_ST_ATTEST_TIME 0x8019 /* tag for an attestation structure */
+#define TPM_ST_ATTEST_CREATION 0x801A /* tag for an attestation structure */
+#define TPM_ST_ATTEST_NV_DIGEST 0x801C /* tag for an attestation structure */
+#define TPM_ST_CREATION 0x8021 /* tag for a ticket type */
+#define TPM_ST_VERIFIED 0x8022 /* tag for a ticket type */
+#define TPM_ST_AUTH_SECRET 0x8023 /* tag for a ticket type */
+#define TPM_ST_HASHCHECK 0x8024 /* tag for a ticket type */
+#define TPM_ST_AUTH_SIGNED 0x8025 /* tag for a ticket type */
+#define TPM_ST_FU_MANIFEST 0x8029 /* tag for a structure describing a Field Upgrade Policy */
+
+/* Table 20 - Definition of (UINT16) TPM_SU Constants <IN> */
+
+typedef UINT16 TPM_SU;
+
+#define TPM_SU_CLEAR 0x0000 /* on TPM2_Startup(), indicates that the TPM should perform TPM Reset or TPM Restart */
+#define TPM_SU_STATE 0x0001 /* on TPM2_Startup(), indicates that the TPM should restore the
+ state saved by TPM2_Shutdown(TPM_SU_STATE) */
+/* Table 21 - Definition of (UINT8) TPM_SE Constants <IN> */
+
+typedef UINT8 TPM_SE;
+
+#define TPM_SE_HMAC 0x00
+#define TPM_SE_POLICY 0x01
+#define TPM_SE_TRIAL 0x03
+
+/* Table 22 - Definition of (UINT32) TPM_CAP Constants */
+
+typedef UINT32 TPM_CAP;
+
+#define TPM_CAP_FIRST 0x00000000 /* */
+#define TPM_CAP_ALGS 0x00000000 /* TPM_ALG_ID(1) TPML_ALG_PROPERTY */
+#define TPM_CAP_HANDLES 0x00000001 /* TPM_HANDLE TPML_HANDLE */
+#define TPM_CAP_COMMANDS 0x00000002 /* TPM_CC TPML_CCA */
+#define TPM_CAP_PP_COMMANDS 0x00000003 /* TPM_CC TPML_CC */
+#define TPM_CAP_AUDIT_COMMANDS 0x00000004 /* TPM_CC TPML_CC */
+#define TPM_CAP_PCRS 0x00000005 /* reserved TPML_PCR_SELECTION */
+#define TPM_CAP_TPM_PROPERTIES 0x00000006 /* TPM_PT TPML_TAGGED_TPM_PROPERTY */
+#define TPM_CAP_PCR_PROPERTIES 0x00000007 /* TPM_PT_PCR TPML_TAGGED_PCR_PROPERTY */
+#define TPM_CAP_ECC_CURVES 0x00000008 /* TPM_ECC_CURVE(1) TPML_ECC_CURVE */
+#define TPM_CAP_AUTH_POLICIES 0x00000009 /* TPML_TAGGED_POLICY */
+#define TPM_CAP_LAST 0x00000009 /* */
+#define TPM_CAP_VENDOR_PROPERTY 0x00000100 /* manufacturer specific manufacturer-specific values */
+
+/* Table 23 - Definition of (UINT32) TPM_PT Constants <IN/OUT, S> */
+
+typedef UINT32 TPM_PT;
+
+#define TPM_PT_NONE 0x00000000 /* indicates no property type */
+#define PT_GROUP 0x00000100 /* The number of properties in each group. */
+#define PT_FIXED (PT_GROUP * 1) /* the group of fixed properties returned as TPMS_TAGGED_PROPERTY */
+
+/* The values in this group are only changed due to a firmware change in the TPM. */
+
+#define TPM_PT_FAMILY_INDICATOR (PT_FIXED + 0) /* a 4-octet character string containing the
+ TPM Family value (TPM_SPEC_FAMILY) */
+#define TPM_PT_LEVEL (PT_FIXED + 1) /* the level of the specification */
+#define TPM_PT_REVISION (PT_FIXED + 2) /* the specification Revision times 100 */
+#define TPM_PT_DAY_OF_YEAR (PT_FIXED + 3) /* the specification day of year using TCG calendar */
+#define TPM_PT_YEAR (PT_FIXED + 4) /* the specification year using the CE */
+#define TPM_PT_MANUFACTURER (PT_FIXED + 5) /* the vendor ID unique to each TPM manufacturer */
+#define TPM_PT_VENDOR_STRING_1 (PT_FIXED + 6) /* the first four characters of the vendor ID string */
+#define TPM_PT_VENDOR_STRING_2 (PT_FIXED + 7) /* the second four characters of the vendor ID string */
+#define TPM_PT_VENDOR_STRING_3 (PT_FIXED + 8) /* the third four characters of the vendor ID string */
+#define TPM_PT_VENDOR_STRING_4 (PT_FIXED + 9) /* the fourth four characters of the vendor ID sting */
+#define TPM_PT_VENDOR_TPM_TYPE (PT_FIXED + 10) /* vendor-defined value indicating the TPM model */
+#define TPM_PT_FIRMWARE_VERSION_1 (PT_FIXED + 11) /* the most-significant 32 bits of a TPM
+ vendor-specific value indicating the
+ version number of the firmware */
+#define TPM_PT_FIRMWARE_VERSION_2 (PT_FIXED + 12) /* the least-significant 32 bits of a TPM
+ vendor-specific value indicating the
+ version number of the firmware */
+#define TPM_PT_INPUT_BUFFER (PT_FIXED + 13) /* the maximum size of a parameter
+ (typically, a TPM2B_MAX_BUFFER) */
+#define TPM_PT_HR_TRANSIENT_MIN (PT_FIXED + 14) /* the minimum number of transient objects
+ that can be held in TPM RAM */
+#define TPM_PT_HR_PERSISTENT_MIN (PT_FIXED + 15) /* the minimum number of persistent objects
+ that can be held in TPM NV memory */
+#define TPM_PT_HR_LOADED_MIN (PT_FIXED + 16) /* the minimum number of authorization
+ sessions that can be held in TPM RAM */
+#define TPM_PT_ACTIVE_SESSIONS_MAX (PT_FIXED + 17) /* the number of authorization sessions that
+ may be active at a time */
+#define TPM_PT_PCR_COUNT (PT_FIXED + 18) /* the number of PCR implemented */
+#define TPM_PT_PCR_SELECT_MIN (PT_FIXED + 19) /* the minimum number of octets in a
+ TPMS_PCR_SELECT.sizeOfSelect */
+#define TPM_PT_CONTEXT_GAP_MAX (PT_FIXED + 20) /* the maximum allowed difference (unsigned)
+ between the contextID values of two saved
+ session contexts */
+#define TPM_PT_NV_COUNTERS_MAX (PT_FIXED + 22) /* the maximum number of NV Indexes that are
+ allowed to have TPM_NV_COUNTER attribute SET */
+#define TPM_PT_NV_INDEX_MAX (PT_FIXED + 23) /* the maximum size of an NV Index data area */
+#define TPM_PT_MEMORY (PT_FIXED + 24) /* a TPMA_MEMORY indicating the memory
+ management method for the TPM */
+#define TPM_PT_CLOCK_UPDATE (PT_FIXED + 25) /* interval, in milliseconds, between
+ updates to the copy of
+ TPMS_CLOCK_INFO.clock in NV */
+#define TPM_PT_CONTEXT_HASH (PT_FIXED + 26) /* the algorithm used for the integrity HMAC
+ on saved contexts and for hashing the
+ fuData of TPM2_FirmwareRead() */
+#define TPM_PT_CONTEXT_SYM (PT_FIXED + 27) /* TPM_ALG_ID, the algorithm used for
+ encryption of saved contexts */
+#define TPM_PT_CONTEXT_SYM_SIZE (PT_FIXED + 28) /* TPM_KEY_BITS, the size of the key used
+ for encryption of saved contexts */
+#define TPM_PT_ORDERLY_COUNT (PT_FIXED + 29) /* the modulus - 1 of the count for NV
+ update of an orderly counter */
+#define TPM_PT_MAX_COMMAND_SIZE (PT_FIXED + 30) /* the maximum value for commandSize in a command */
+#define TPM_PT_MAX_RESPONSE_SIZE (PT_FIXED + 31) /* the maximum value for responseSize in a response */
+#define TPM_PT_MAX_DIGEST (PT_FIXED + 32) /* the maximum size of a digest that can be
+ produced by the TPM */
+#define TPM_PT_MAX_OBJECT_CONTEXT (PT_FIXED + 33) /* the maximum size of an object context
+ that will be returned by
+ TPM2_ContextSave */
+#define TPM_PT_MAX_SESSION_CONTEXT (PT_FIXED + 34) /* the maximum size of a session context
+ that will be returned by
+ TPM2_ContextSave */
+#define TPM_PT_PS_FAMILY_INDICATOR (PT_FIXED + 35) /* platform-specific family (a TPM_PS
+ value)(see Table 26) */
+#define TPM_PT_PS_LEVEL (PT_FIXED + 36) /* the level of the platform-specific specification */
+#define TPM_PT_PS_REVISION (PT_FIXED + 37) /* the specification Revision times 100 for
+ the platform-specific specification */
+#define TPM_PT_PS_DAY_OF_YEAR (PT_FIXED + 38) /* the platform-specific specification day
+ of year using TCG calendar */
+#define TPM_PT_PS_YEAR (PT_FIXED + 39) /* the platform-specific specification year
+ using the CE */
+#define TPM_PT_SPLIT_MAX (PT_FIXED + 40) /* the number of split signing operations
+ supported by the TPM */
+#define TPM_PT_TOTAL_COMMANDS (PT_FIXED + 41) /* total number of commands implemented in the TPM */
+#define TPM_PT_LIBRARY_COMMANDS (PT_FIXED + 42) /* number of commands from the TPM library
+ that are implemented */
+#define TPM_PT_VENDOR_COMMANDS (PT_FIXED + 43) /* number of vendor commands that are implemented */
+#define TPM_PT_NV_BUFFER_MAX (PT_FIXED + 44) /* the maximum data size in one NV write command */
+#define TPM_PT_MODES (PT_FIXED + 45) /* a TPMA_MODES value, indicating that the
+ TPM is designed for these modes. */
+#define TPM_PT_MAX_CAP_BUFFER (PT_FIXED + 46) /* the maximum size of a
+ TPMS_CAPABILITY_DATA structure returned
+ in TPM2_GetCapability(). */
+#define PT_VAR (PT_GROUP * 2) /* the group of variable properties returned
+ as TPMS_TAGGED_PROPERTY */
+
+/* The properties in this group change because of a Protected Capability other than a firmware
+ update. The values are not necessarily persistent across all power transitions. */
+
+#define TPM_PT_PERMANENT (PT_VAR + 0) /* TPMA_PERMANENT */
+#define TPM_PT_STARTUP_CLEAR (PT_VAR + 1) /* TPMA_STARTUP_CLEAR */
+#define TPM_PT_HR_NV_INDEX (PT_VAR + 2) /* the number of NV Indexes currently defined */
+#define TPM_PT_HR_LOADED (PT_VAR + 3) /* the number of authorization sessions
+ currently loaded into TPM RAM */
+#define TPM_PT_HR_LOADED_AVAIL (PT_VAR + 4) /* the number of additional authorization
+ sessions, of any type, that could be
+ loaded into TPM RAM */
+#define TPM_PT_HR_ACTIVE (PT_VAR + 5) /* the number of active authorization
+ sessions currently being tracked by the
+ TPM */
+#define TPM_PT_HR_ACTIVE_AVAIL (PT_VAR + 6) /* the number of additional authorization
+ sessions, of any type, that could be
+ created */
+#define TPM_PT_HR_TRANSIENT_AVAIL (PT_VAR + 7) /* estimate of the number of additional
+ transient objects that could be loaded
+ into TPM RAM */
+#define TPM_PT_HR_PERSISTENT (PT_VAR + 8) /* the number of persistent objects
+ currently loaded into TPM NV memory */
+#define TPM_PT_HR_PERSISTENT_AVAIL (PT_VAR + 9) /* the number of additional persistent
+ objects that could be loaded into NV
+ memory */
+#define TPM_PT_NV_COUNTERS (PT_VAR + 10) /* the number of defined NV Indexes that
+ have the NV TPM_NV_COUNTER attribute SET */
+#define TPM_PT_NV_COUNTERS_AVAIL (PT_VAR + 11) /* the number of additional NV Indexes that
+ can be defined with their TPM_NT of TPM_NV_COUNTER
+ and the TPM_NV_ORDERLY attribute SET */
+#define TPM_PT_ALGORITHM_SET (PT_VAR + 12) /* code that limits the algorithms that may
+ be used with the TPM */
+#define TPM_PT_LOADED_CURVES (PT_VAR + 13) /* the number of loaded ECC curves */
+#define TPM_PT_LOCKOUT_COUNTER (PT_VAR + 14) /* the current value of the lockout counter (failedTries) */
+#define TPM_PT_MAX_AUTH_FAIL (PT_VAR + 15) /* the number of authorization failures
+ before DA lockout is invoked */
+#define TPM_PT_LOCKOUT_INTERVAL (PT_VAR + 16) /* the number of seconds before the value
+ reported by TPM_PT_LOCKOUT_COUNTER is
+ decremented */
+#define TPM_PT_LOCKOUT_RECOVERY (PT_VAR + 17) /* the number of seconds after a lockoutAuth
+ failure before use of lockoutAuth may be
+ attempted again */
+#define TPM_PT_NV_WRITE_RECOVERY (PT_VAR + 18) /* number of milliseconds before the TPM
+ will accept another command that will
+ modify NV */
+#define TPM_PT_AUDIT_COUNTER_0 (PT_VAR + 19) /* the high-order 32 bits of the command audit counter */
+#define TPM_PT_AUDIT_COUNTER_1 (PT_VAR + 20) /* the low-order 32 bits of the command audit counter */
+
+/* Table 24 - Definition of (UINT32) TPM_PT_PCR Constants <IN/OUT, S> */
+
+typedef UINT32 TPM_PT_PCR;
+
+#define TPM_PT_PCR_FIRST 0x00000000 /* bottom of the range of TPM_PT_PCR properties */
+#define TPM_PT_PCR_SAVE 0x00000000 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR is saved and restored by TPM_SU_STATE */
+#define TPM_PT_PCR_EXTEND_L0 0x00000001 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR may be extended from locality 0 */
+#define TPM_PT_PCR_RESET_L0 0x00000002 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR may be reset by TPM2_PCR_Reset() from
+ locality 0 */
+#define TPM_PT_PCR_EXTEND_L1 0x00000003 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR may be extended from locality 1 */
+#define TPM_PT_PCR_RESET_L1 0x00000004 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR may be reset by TPM2_PCR_Reset() from
+ locality 1 */
+#define TPM_PT_PCR_EXTEND_L2 0x00000005 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR may be extended from locality 2 */
+#define TPM_PT_PCR_RESET_L2 0x00000006 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR may be reset by TPM2_PCR_Reset() from
+ locality 2 */
+#define TPM_PT_PCR_EXTEND_L3 0x00000007 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR may be extended from locality 3 */
+#define TPM_PT_PCR_RESET_L3 0x00000008 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR may be reset by TPM2_PCR_Reset() from
+ locality 3 */
+#define TPM_PT_PCR_EXTEND_L4 0x00000009 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR may be extended from locality 4 */
+#define TPM_PT_PCR_RESET_L4 0x0000000A /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR may be reset by TPM2_PCR_Reset() from
+ locality 4 */
+#define TPM_PT_PCR_NO_INCREMENT 0x00000011 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ modifications to this PCR (reset or Extend) will
+ not increment the pcrUpdateCounter */
+#define TPM_PT_PCR_RESET_L4 0x0000000A /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR may be reset by TPM2_PCR_Reset() from
+ locality 4 */
+#define TPM_PT_PCR_DRTM_RESET 0x00000012 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR is reset by a DRTM event */
+#define TPM_PT_PCR_POLICY 0x00000013 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR is controlled by policy */
+#define TPM_PT_PCR_AUTH 0x00000014 /* a SET bit in the TPMS_PCR_SELECT indicates that
+ the PCR is controlled by an authorization
+ value */
+#define TPM_PT_PCR_LAST 0x00000014 /* top of the range of TPM_PT_PCR properties of the
+ implementation */
+
+/* Table 25 - Definition of (UINT32) TPM_PS Constants <OUT> */
+
+typedef UINT32 TPM_PS;
+
+#define TPM_PS_MAIN 0x00000000 /* not platform specific */
+#define TPM_PS_PC 0x00000001 /* PC Client */
+#define TPM_PS_PDA 0x00000002 /* PDA (includes all mobile devices that are not
+ specifically cell phones) */
+#define TPM_PS_CELL_PHONE 0x00000003 /* Cell Phone */
+#define TPM_PS_SERVER 0x00000004 /* Server WG */
+#define TPM_PS_PERIPHERAL 0x00000005 /* Peripheral WG */
+#define TPM_PS_TSS 0x00000006 /* TSS WG */
+#define TPM_PS_STORAGE 0x00000007 /* Storage WG */
+#define TPM_PS_AUTHENTICATION 0x00000008 /* Authentication WG */
+#define TPM_PS_EMBEDDED 0x00000009 /* Embedded WG */
+#define TPM_PS_HARDCOPY 0x0000000A /* Hardcopy WG */
+#define TPM_PS_INFRASTRUCTURE 0x0000000B /* Infrastructure WG */
+#define TPM_PS_VIRTUALIZATION 0x0000000C /* Virtualization WG */
+#define TPM_PS_TNC 0x0000000D /* Trusted Network Connect WG */
+#define TPM_PS_MULTI_TENANT 0x0000000E /* Multi-tenant WG */
+#define TPM_PS_TC 0x0000000F /* Technical Committee*/
+
+/* Table 26 - Definition of Types for Handles */
+
+typedef UINT32 TPM_HANDLE; /* Handles may refer to objects (keys or data blobs), authorization
+ sessions (HMAC and policy), NV Indexes, permanent TPM locations,
+ and PCR. */
+
+/* Table 27 - Definition of (UINT8) TPM_HT Constants <S> */
+
+typedef UINT8 TPM_HT;
+
+#define TPM_HT_PCR 0x00 /* PCR - consecutive numbers, starting at 0, that reference the PCR registers */
+#define TPM_HT_NV_INDEX 0x01 /* NV Index - assigned by the caller */
+#define TPM_HT_HMAC_SESSION 0x02 /* HMAC Authorization Session - assigned by the TPM when the session is created */
+#define TPM_HT_LOADED_SESSION 0x02 /* Loaded Authorization Session - used only in the context of TPM2_GetCapability */
+#define TPM_HT_POLICY_SESSION 0x03 /* Policy Authorization Session - assigned by the TPM when the session is created */
+#define TPM_HT_SAVED_SESSION 0x03 /* Saved Authorization Session - used only in the context of TPM2_GetCapability */
+#define TPM_HT_PERMANENT 0x40 /* Permanent Values - assigned by this specification in Table 27 */
+#define TPM_HT_TRANSIENT 0x80 /* Transient Objects - assigned by the TPM when an object is
+ loaded into transient-object memory or when a persistent
+ object is converted to a transient object */
+#define TPM_HT_PERSISTENT 0x81 /* Persistent Objects - assigned by the TPM when a loaded
+ transient object is made persistent */
+
+/* Table 28 - Definition of (TPM_HANDLE) TPM_RH Constants <S> */
+
+typedef TPM_HANDLE TPM_RH;
+
+#define TPM_RH_FIRST 0x40000000 /* R */
+#define TPM_RH_SRK 0x40000000 /* R not used1 */
+#define TPM_RH_OWNER 0x40000001 /* K, A, P handle references the Storage Primary
+ Seed (SPS), the ownerAuth, and the ownerPolicy */
+#define TPM_RH_REVOKE 0x40000002 /* R not used1 */
+#define TPM_RH_TRANSPORT 0x40000003 /* R not used1 */
+#define TPM_RH_OPERATOR 0x40000004 /* R not used1 */
+#define TPM_RH_ADMIN 0x40000005 /* R not used1 */
+#define TPM_RH_EK 0x40000006 /* R not used1 */
+#define TPM_RH_NULL 0x40000007 /* K, A, P a handle associated with the null
+ hierarchy, an EmptyAuth authValue, and an Empty
+ Policy authPolicy. */
+#define TPM_RH_UNASSIGNED 0x40000008 /* R value reserved to the TPM to indicate a handle
+ location that has not been initialized or
+ assigned */
+#define TPM_RS_PW 0x40000009 /* S authorization value used to indicate a password
+ authorization session */
+#define TPM_RH_LOCKOUT 0x4000000A /* A references the authorization associated with
+ the dictionary attack lockout reset */
+#define TPM_RH_ENDORSEMENT 0x4000000B /* K, A, P references the Endorsement Primary Seed
+ (EPS), endorsementAuth, and endorsementPolicy */
+#define TPM_RH_PLATFORM 0x4000000C /* K, A, P references the Platform Primary Seed
+ (PPS), platformAuth, and platformPolicy */
+#define TPM_RH_PLATFORM_NV 0x4000000D /* C for phEnableNV */
+#define TPM_RH_AUTH_00 0x40000010 /* A Start of a range of authorization values that
+ are vendor-specific. A TPM may support any of
+ the values in this range as are needed for
+ vendor-specific purposes. Disabled if ehEnable is CLEAR. */
+#define TPM_RH_AUTH_FF 0x4000010F /* A End of the range of vendor-specific
+ authorization values. */
+#define TPM_RH_LAST 0x4000010F /* R the top of the reserved handle area */
+
+/* Table 29 - Definition of (TPM_HANDLE) TPM_HC Constants <S> */
+
+typedef TPM_HANDLE TPM_HC;
+#define HR_HANDLE_MASK 0x00FFFFFF /* to mask off the HR */
+#define HR_RANGE_MASK 0xFF000000 /* to mask off the variable part */
+#define HR_SHIFT 24
+#define HR_PCR ((TPM_HT_PCR) << HR_SHIFT)
+#define HR_HMAC_SESSION (TPM_HT_HMAC_SESSION << HR_SHIFT)
+#define HR_POLICY_SESSION (TPM_HT_POLICY_SESSION << HR_SHIFT)
+#define HR_TRANSIENT (TPM_HC)((((UINT32)TPM_HT_TRANSIENT) << HR_SHIFT))
+#define HR_PERSISTENT (TPM_HC)((((UINT32)TPM_HT_PERSISTENT) << HR_SHIFT))
+#define HR_NV_INDEX (TPM_HT_NV_INDEX << HR_SHIFT)
+#define HR_PERMANENT (TPM_HT_PERMANENT << HR_SHIFT)
+#define PCR_FIRST (HR_PCR + 0) /* first PCR */
+#define PCR_LAST (HR_PCR | HR_HANDLE_MASK) /* last PCR in range */
+#define HMAC_SESSION_FIRST (HR_HMAC_SESSION + 0) /* first HMAC session */
+#define HMAC_SESSION_LAST (HMAC_SESSION_FIRST | HR_HANDLE_MASK) /* last HMAC session */
+#define LOADED_SESSION_FIRST HMAC_SESSION_FIRST /* used in GetCapability */
+#define LOADED_SESSION_LAST HMAC_SESSION_LAST /* used in GetCapability */
+#define POLICY_SESSION_FIRST (HR_POLICY_SESSION + 0) /* first policy session */
+#define POLICY_SESSION_LAST (POLICY_SESSION_FIRST | HR_HANDLE_MASK) /* last policy session */
+#define TRANSIENT_FIRST ((UINT32)(HR_TRANSIENT + 0)) /* first transient object */
+#define ACTIVE_SESSION_FIRST POLICY_SESSION_FIRST /* used in GetCapability */
+#define ACTIVE_SESSION_LAST POLICY_SESSION_LAST /* used in GetCapability */
+#define TRANSIENT_LAST ((UINT32)(TRANSIENT_FIRST | HR_HANDLE_MASK)) /* last transient object */
+#define PERSISTENT_FIRST ((UINT32)(HR_PERSISTENT + 0)) /* first persistent object */
+#define PERSISTENT_LAST ((UINT32)(PERSISTENT_FIRST | HR_HANDLE_MASK)) /* last persistent object */
+#define PLATFORM_PERSISTENT (PERSISTENT_FIRST + 0x00800000) /* first platform persistent object */
+#define NV_INDEX_FIRST (HR_NV_INDEX + 0) /* first allowed NV Index */
+#define NV_INDEX_LAST (NV_INDEX_FIRST | HR_HANDLE_MASK) /* last allowed NV Index */
+#define PERMANENT_FIRST TPM_RH_FIRST
+#define PERMANENT_LAST TPM_RH_LAST
+
+/* Table 30 - Definition of (UINT32) TPMA_ALGORITHM Bits */
+
+#if defined TPM_BITFIELD_LE
+
+typedef union {
+ struct {
+ unsigned int asymmetric : 1; /* 0 an asymmetric algorithm with public and private portions */
+ unsigned int symmetric : 1; /* 1 a symmetric block cipher */
+ unsigned int hash : 1; /* a hash algorithm */
+ unsigned int object : 1; /* an algorithm that may be used as an object type */
+ unsigned int Reserved1 : 4; /* 7:4 */
+ unsigned int signing : 1; /* 8 a signing algorithm */
+ unsigned int encrypting : 1; /* 9 an encryption/decryption algorithm */
+ unsigned int method : 1; /* 10 a method such as a key derivative function (KDF) */
+ unsigned int Reserved2 : 21; /* 31:11 */
+ };
+ UINT32 val;
+} TPMA_ALGORITHM;
+
+#elif defined TPM_BITFIELD_BE
+
+typedef union {
+ struct {
+ unsigned int Reserved2 : 21; /* 31:11 */
+ unsigned int method : 1; /* 10 a method such as a key derivative function (KDF) */
+ unsigned int encrypting : 1; /* 9 an encryption/decryption algorithm */
+ unsigned int signing : 1; /* 8 a signing algorithm */
+ unsigned int Reserved1 : 4; /* 7:4 */
+ unsigned int object : 1; /* an algorithm that may be used as an object type */
+ unsigned int hash : 1; /* a hash algorithm */
+ unsigned int symmetric : 1; /* 1 a symmetric block cipher */
+ unsigned int asymmetric : 1; /* 0 an asymmetric algorithm with public and private portions */
+ };
+ UINT32 val;
+} TPMA_ALGORITHM;
+
+#else
+
+typedef struct {
+ UINT32 val;
+} TPMA_ALGORITHM;
+
+#endif
+
+#define TPMA_ALGORITHM_ASYMMETRIC 0x00000001
+#define TPMA_ALGORITHM_SYMMETRIC 0x00000002
+#define TPMA_ALGORITHM_HASH 0x00000004
+#define TPMA_ALGORITHM_OBJECT 0x00000008
+#define TPMA_ALGORITHM_RESERVED1 0x000000f0
+#define TPMA_ALGORITHM_SIGNING 0x00000100
+#define TPMA_ALGORITHM_ENCRYPTING 0x00000200
+#define TPMA_ALGORITHM_METHOD 0x00000400
+#define TPMA_ALGORITHM_RESERVED2 0xfffff800
+
+#define TPMA_ALGORITHM_RESERVED ( \
+ TPMA_ALGORITHM_RESERVED1 | \
+ TPMA_ALGORITHM_RESERVED2 )
+
+/* Table 31 - Definition of (UINT32) TPMA_OBJECT Bits */
+
+#if defined TPM_BITFIELD_LE
+
+typedef union {
+ struct {
+ unsigned int Reserved1 : 1; /* 0 shall be zero */
+ unsigned int fixedTPM : 1; /* 1 The hierarchy of the object, as indicated by its Qualified Name, may not change. */
+ unsigned int stClear : 1; /* 2 Previously saved contexts of this object may not be loaded after Startup(CLEAR). */
+ unsigned int Reserved2 : 1; /* 3 shall be zero */
+ unsigned int fixedParent : 1; /* 4 The parent of the object may not change. */
+ unsigned int sensitiveDataOrigin : 1; /* 5 the TPM generated all of the sensitive data other than the authValue. */
+ unsigned int userWithAuth : 1; /* 6 HMAC session or with a password */
+ unsigned int adminWithPolicy : 1; /* 7 policy session. */
+ unsigned int Reserved3 : 2; /* 9:8 shall be zero */
+ unsigned int noDA : 1; /* 10 The object is not subject to dictionary attack protections. */
+ unsigned int encryptedDuplication : 1; /* 11 */
+ unsigned int Reserved4 : 4; /* 15:12 shall be zero */
+ unsigned int restricted : 1; /* 16 Key usage is restricted to manipulate structures of known format */
+ unsigned int decrypt : 1; /* 17 The private portion of the key may be used to decrypt. */
+ unsigned int sign : 1; /* 18 For a symmetric cipher object, the private
+ portion of the key may be used to encrypt. For
+ other objects, the private portion of the key may
+ be used to sign. */
+ unsigned int Reserved5 : 13; /* 31:19 shall be zero */
+ };
+ UINT32 val;
+} TPMA_OBJECT;
+
+#elif defined TPM_BITFIELD_BE
+
+typedef union {
+ struct {
+ unsigned int Reserved5 : 13; /* 31:19 shall be zero */
+ unsigned int sign : 1; /* 18 For a symmetric cipher object, the private
+ portion of the key may be used to encrypt. For
+ other objects, the private portion of the key may
+ be used to sign. */
+ unsigned int decrypt : 1; /* 17 The private portion of the key may be used to decrypt. */
+ unsigned int restricted : 1; /* 16 Key usage is restricted to manipulate structures of known format */
+ unsigned int Reserved4 : 4; /* 15:12 shall be zero */
+ unsigned int encryptedDuplication : 1; /* 11 */
+ unsigned int noDA : 1; /* 10 The object is not subject to dictionary attack protections. */
+ unsigned int Reserved3 : 2; /* 9:8 shall be zero */
+ unsigned int adminWithPolicy : 1; /* 7 policy session. */
+ unsigned int userWithAuth : 1; /* 6 HMAC session or with a password */
+ unsigned int sensitiveDataOrigin : 1; /* 5 the TPM generated all of the sensitive data other than the authValue. */
+ unsigned int fixedParent : 1; /* 4 The parent of the object may not change. */
+ unsigned int Reserved2 : 1; /* 3 shall be zero */
+ unsigned int stClear : 1; /* 2 Previously saved contexts of this object may not be loaded after Startup(CLEAR). */
+ unsigned int fixedTPM : 1; /* 1 The hierarchy of the object, as indicated by its Qualified Name, may not change. */
+ unsigned int Reserved1 : 1; /* 0 shall be zero */
+ };
+ UINT32 val;
+} TPMA_OBJECT;
+
+#else
+
+typedef struct {
+ UINT32 val;
+} TPMA_OBJECT;
+
+#endif
+
+#define TPMA_OBJECT_RESERVED1 0x00000001
+#define TPMA_OBJECT_FIXEDTPM 0x00000002
+#define TPMA_OBJECT_STCLEAR 0x00000004
+#define TPMA_OBJECT_RESERVED2 0x00000008
+#define TPMA_OBJECT_FIXEDPARENT 0x00000010
+#define TPMA_OBJECT_SENSITIVEDATAORIGIN 0x00000020
+#define TPMA_OBJECT_USERWITHAUTH 0x00000040
+#define TPMA_OBJECT_ADMINWITHPOLICY 0x00000080
+#define TPMA_OBJECT_RESERVED3 0x00000300
+#define TPMA_OBJECT_NODA 0x00000400
+#define TPMA_OBJECT_ENCRYPTEDDUPLICATION 0x00000800
+#define TPMA_OBJECT_RESERVED4 0x0000f000
+#define TPMA_OBJECT_RESTRICTED 0x00010000
+#define TPMA_OBJECT_DECRYPT 0x00020000
+#define TPMA_OBJECT_SIGN 0x00040000
+#define TPMA_OBJECT_RESERVED5 0xfff80000
+
+#define TPMA_OBJECT_RESERVED ( \
+ TPMA_OBJECT_RESERVED1 | \
+ TPMA_OBJECT_RESERVED2 | \
+ TPMA_OBJECT_RESERVED3 | \
+ TPMA_OBJECT_RESERVED4 | \
+ TPMA_OBJECT_RESERVED5 )
+
+/* Table 32 - Definition of (UINT8) TPMA_SESSION Bits <IN/OUT> */
+
+#if defined TPM_BITFIELD_LE
+
+typedef union {
+ struct {
+ unsigned int continueSession : 1; /* 0 the session is to remain active after successful completion of the command */
+ unsigned int auditExclusive : 1; /* 1 executed if the session is exclusive at the start of the command */
+ unsigned int auditReset : 1; /* 2 audit digest of the session should be initialized */
+ unsigned int Reserved : 2; /* 4:3 shall be CLEAR */
+ unsigned int decrypt : 1; /* 5 first parameter in the command is symmetrically encrypted */
+ unsigned int encrypt : 1; /* 6 TPM should use this session to encrypt the first parameter in the response */
+ unsigned int audit : 1; /* 7 session is for audit */
+ };
+ UINT8 val;
+} TPMA_SESSION;
+
+#elif defined TPM_BITFIELD_BE
+
+typedef union {
+ struct {
+ unsigned int audit : 1; /* 7 session is for audit */
+ unsigned int encrypt : 1; /* 6 TPM should use this session to encrypt the first parameter in the response */
+ unsigned int decrypt : 1; /* 5 first parameter in the command is symmetrically encrypted */
+ unsigned int Reserved : 2; /* 4:3 shall be CLEAR */
+ unsigned int auditReset : 1; /* 2 audit digest of the session should be initialized */
+ unsigned int auditExclusive : 1; /* 1 executed if the session is exclusive at the start of the command */
+ unsigned int continueSession : 1; /* 0 the session is to remain active after successful completion of the command */
+ };
+ UINT8 val;
+} TPMA_SESSION;
+
+#else
+
+typedef struct {
+ UINT8 val;
+} TPMA_SESSION;
+
+#endif
+
+#define TPMA_SESSION_CONTINUESESSION 0x01
+#define TPMA_SESSION_AUDITEXCLUSIVE 0x02
+#define TPMA_SESSION_AUDITRESET 0x04
+#define TPMA_SESSION_DECRYPT 0x20
+#define TPMA_SESSION_ENCRYPT 0x40
+#define TPMA_SESSION_AUDIT 0x80
+
+#define TPMA_SESSION_RESERVED 0x18
+
+/* Table 33 - Definition of (UINT8) TPMA_LOCALITY Bits <IN/OUT> */
+
+#if defined TPM_BITFIELD_LE
+
+typedef union {
+ struct {
+ unsigned int TPM_LOC_ZERO : 1; /* 0 */
+ unsigned int TPM_LOC_ONE : 1; /* 1 */
+ unsigned int TPM_LOC_TWO : 1; /* 2 */
+ unsigned int TPM_LOC_THREE : 1; /* 3 */
+ unsigned int TPM_LOC_FOUR : 1; /* 4 */
+ unsigned int Extended : 3; /* 7:5 */
+ };
+ UINT8 val;
+} TPMA_LOCALITY;
+
+#elif defined TPM_BITFIELD_BE
+
+typedef union {
+ struct {
+ unsigned int Extended : 3; /* 7:5 */
+ unsigned int TPM_LOC_FOUR : 1; /* 4 */
+ unsigned int TPM_LOC_THREE : 1; /* 3 */
+ unsigned int TPM_LOC_TWO : 1; /* 2 */
+ unsigned int TPM_LOC_ONE : 1; /* 1 */
+ unsigned int TPM_LOC_ZERO : 1; /* 0 */
+ };
+ UINT8 val;
+} TPMA_LOCALITY;
+
+#else
+
+typedef struct {
+ UINT8 val;
+} TPMA_LOCALITY;
+
+#endif
+
+#define TPMA_LOCALITY_ZERO 0x01
+#define TPMA_LOCALITY_ONE 0x02
+#define TPMA_LOCALITY_TWO 0x04
+#define TPMA_LOCALITY_THREE 0x08
+#define TPMA_LOCALITY_FOUR 0x10
+#define TPMA_LOCALITY_EXTENDED 0xe0
+
+/* Table 34 - Definition of (UINT32) TPMA_PERMANENT Bits <OUT> */
+
+#if defined TPM_BITFIELD_LE
+
+typedef union {
+ struct {
+ unsigned int ownerAuthSet : 1; /* 0 TPM2_HierarchyChangeAuth() with ownerAuth has been executed since the last TPM2_Clear(). */
+ unsigned int endorsementAuthSet : 1; /* 1 TPM2_HierarchyChangeAuth() with endorsementAuth has been executed since the last TPM2_Clear(). */
+ unsigned int lockoutAuthSet : 1; /* 2 TPM2_HierarchyChangeAuth() with lockoutAuth has been executed since the last TPM2_Clear(). */
+ unsigned int Reserved1 : 5; /* 7:3 */
+ unsigned int disableClear : 1; /* 8 TPM2_Clear() is disabled. */
+ unsigned int inLockout : 1; /* 9 The TPM is in lockout and commands that require authorization
+ with other than Platform Authorization or Lockout Authorization will not succeed. */
+ unsigned int tpmGeneratedEPS : 1; /* 10 The EPS was created by the TPM. */
+ unsigned int Reserved2 : 21; /* 31:11 */
+ };
+ UINT32 val;
+} TPMA_PERMANENT;
+
+#elif defined TPM_BITFIELD_BE
+
+typedef union {
+ struct {
+ unsigned int Reserved2 : 21; /* 31:11 */
+ unsigned int tpmGeneratedEPS : 1; /* 10 The EPS was created by the TPM. */
+ unsigned int inLockout : 1; /* 9 The TPM is in lockout and commands that require authorization with other than Platform Authorization will not succeed. */
+ unsigned int disableClear : 1; /* 8 TPM2_Clear() is disabled. */
+ unsigned int Reserved1 : 5; /* 7:3 */
+ unsigned int lockoutAuthSet : 1; /* 2 TPM2_HierarchyChangeAuth() with lockoutAuth has been executed since the last TPM2_Clear(). */
+ unsigned int endorsementAuthSet : 1; /* 1 TPM2_HierarchyChangeAuth() with endorsementAuth has been executed since the last TPM2_Clear(). */
+ unsigned int ownerAuthSet : 1; /* 0 TPM2_HierarchyChangeAuth() with ownerAuth has been executed since the last TPM2_Clear(). */
+ };
+ UINT32 val;
+} TPMA_PERMANENT;
+
+#else
+
+typedef struct {
+ UINT32 val;
+} TPMA_PERMANENT;
+
+#endif
+
+#define TPMA_PERMANENT_OWNERAUTHSET 0x00000001
+#define TPMA_PERMANENT_ENDORSEMENTAUTHSET 0x00000002
+#define TPMA_PERMANENT_LOCKOUTAUTHSET 0x00000004
+#define TPMA_PERMANENT_RESERVED1 0x000000f8
+#define TPMA_PERMANENT_DISABLECLEAR 0x00000100
+#define TPMA_PERMANENT_INLOCKOUT 0x00000200
+#define TPMA_PERMANENT_TPMGENERATEDEPS 0x00000400
+#define TPMA_PERMANENT_RESERVED2 0xfffff800
+
+/* Table 35 - Definition of (UINT32) TPMA_STARTUP_CLEAR Bits <OUT> */
+
+#if defined TPM_BITFIELD_LE
+
+typedef union {
+ struct {
+ unsigned int phEnable : 1; /* 0 The platform hierarchy is enabled and platformAuth or platformPolicy may be used for authorization. */
+ unsigned int shEnable : 1; /* 1 The Storage hierarchy is enabled and ownerAuth or ownerPolicy may be used for authorization. */
+ unsigned int ehEnable : 1; /* 2 The EPS hierarchy is enabled and endorsementAuth may be used to authorize commands. */
+ unsigned int phEnableNV : 1; /* 3 NV indices that have TPMA_PLATFORM_CREATE SET may be read or written. */
+ unsigned int Reserved : 27; /* 30:4 shall be zero */
+ unsigned int orderly : 1; /* 31 The TPM received a TPM2_Shutdown() and a matching TPM2_Startup(). */
+ };
+ UINT32 val;
+} TPMA_STARTUP_CLEAR;
+
+#elif defined TPM_BITFIELD_BE
+
+typedef union {
+ struct {
+ unsigned int orderly : 1; /* 31 The TPM received a TPM2_Shutdown() and a matching TPM2_Startup(). */
+ unsigned int Reserved : 27; /* 30:4 shall be zero */
+ unsigned int phEnableNV : 1; /* 3 NV indices that have TPMA_PLATFORM_CREATE SET may be read or written. */
+ unsigned int ehEnable : 1; /* 2 The EPS hierarchy is enabled and endorsementAuth may be used to authorize commands. */
+ unsigned int shEnable : 1; /* 1 The Storage hierarchy is enabled and ownerAuth or ownerPolicy may be used for authorization. */
+ unsigned int phEnable : 1; /* 0 The platform hierarchy is enabled and platformAuth or platformPolicy may be used for authorization. */
+ };
+ UINT32 val;
+} TPMA_STARTUP_CLEAR;
+
+#else
+
+typedef struct {
+ UINT32 val;
+} TPMA_STARTUP_CLEAR;
+
+#endif
+
+#define TPMA_STARTUP_CLEAR_PHENABLE 0x00000001
+#define TPMA_STARTUP_CLEAR_SHENABLE 0x00000002
+#define TPMA_STARTUP_CLEAR_EHENABLE 0x00000004
+#define TPMA_STARTUP_CLEAR_PHENABLENV 0x00000008
+#define TPMA_STARTUP_CLEAR_RESERVED 0x7ffffff0
+#define TPMA_STARTUP_CLEAR_ORDERLY 0x80000000
+
+/* Table 36 - Definition of (UINT32) TPMA_MEMORY Bits <Out> */
+
+#if defined TPM_BITFIELD_LE
+
+typedef union {
+ struct {
+ unsigned int sharedRAM : 1; /* 0 RAM memory used for authorization session contexts is shared with the memory used for transient objects */
+ unsigned int sharedNV : 1; /* 1 indicates that the NV memory used for persistent objects is shared with the NV memory used for NV Index values */
+ unsigned int objectCopiedToRam : 1; /* 2 indicates that the TPM copies persistent objects to a transient-object slot in RAM */
+ unsigned int Reserved : 29; /* 31:3 shall be zero */
+ };
+ UINT32 val;
+} TPMA_MEMORY;
+
+#elif defined TPM_BITFIELD_BE
+
+typedef union {
+ struct {
+ unsigned int Reserved : 29; /* 31:3 shall be zero */
+ unsigned int objectCopiedToRam : 1; /* 2 indicates that the TPM copies persistent objects to a transient-object slot in RAM */
+ unsigned int sharedNV : 1; /* 1 indicates that the NV memory used for persistent objects is shared with the NV memory used for NV Index values */
+ unsigned int sharedRAM : 1; /* 0 RAM memory used for authorization session contexts is shared with the memory used for transient objects */
+ };
+ UINT32 val;
+} TPMA_MEMORY;
+
+#else
+
+typedef struct {
+ UINT32 val;
+} TPMA_MEMORY;
+
+#endif
+
+#define TPMA_MEMORY_SHAREDRAM 0x00000001
+#define TPMA_MEMORY_SHAREDNV 0x00000002
+#define TPMA_MEMORY_OBJECTCOPIEDTORAM 0x00000004
+#define TPMA_MEMORY_RESERVED 0xfffffff8
+
+/* Table 37 - Definition of (TPM_CC) TPMA_CC Bits <OUT> */
+
+#if defined TPM_BITFIELD_LE
+
+typedef union {
+ struct {
+ unsigned int commandIndex : 16; /* 15:0 indicates the command being selected */
+ unsigned int Reserved : 6; /* 21:16 shall be zero */
+ unsigned int nv : 1; /* 22 indicates that the command may write to NV */
+ unsigned int extensive : 1; /* 23 This command could flush any number of loaded contexts. */
+ unsigned int flushed : 1; /* 24 The context associated with any transient handle in the command will be flushed when this command completes. */
+ unsigned int cHandles : 3; /* 27:25 indicates the number of the handles in the handle area for this command */
+ unsigned int rHandle : 1; /* 28 indicates the presence of the handle area in the input */
+ unsigned int V : 1; /* 29 indicates that the command is vendor-specific */
+ unsigned int Res : 2; /* 31:30 allocated for software; shall be zero */
+ };
+ UINT32 val;
+} TPMA_CC;
+
+#elif defined TPM_BITFIELD_BE
+
+typedef union {
+ struct {
+ unsigned int Res : 2; /* 31:30 allocated for software; shall be zero */
+ unsigned int V : 1; /* 29 indicates that the command is vendor-specific */
+ unsigned int rHandle : 1; /* 28 indicates the presence of the handle area in the input */
+ unsigned int cHandles : 3; /* 27:25 indicates the number of the handles in the handle area for this command */
+ unsigned int flushed : 1; /* 24 The context associated with any transient handle in the command will be flushed when this command completes. */
+ unsigned int extensive : 1; /* 23 This command could flush any number of loaded contexts. */
+ unsigned int nv : 1; /* 22 indicates that the command may write to NV */
+ unsigned int Reserved : 6; /* 21:16 shall be zero */
+ unsigned int commandIndex : 16; /* 15:0 indicates the command being selected */
+ };
+ UINT32 val;
+} TPMA_CC;
+
+#else
+
+typedef union {
+ struct {
+ UINT32 val;
+ };
+} TPMA_CC;
+
+#endif
+
+#define TPMA_CC_COMMANDINDEX 0x0000ffff
+#define TPMA_CC_RESERVED1 0x003f0000
+#define TPMA_CC_NV 0x00400000
+#define TPMA_CC_EXTENSIVE 0x00800000
+#define TPMA_CC_FLUSHED 0x01000000
+#define TPMA_CC_CHANDLES 0x0e000000
+#define TPMA_CC_RHANDLE 0x10000000
+#define TPMA_CC_V 0x20000000
+#define TPMA_CC_RES 0xc0000000
+#define TPMA_CC_RESERVED (0x003f0000 | 0xc0000000)
+
+ /* Table 38 - Definition of (UINT32) TPMA_MODES Bits <Out> */
+
+#if defined TPM_BITFIELD_LE
+
+ typedef union {
+ struct {
+ unsigned int FIPS_140_2 : 1; /* 0 indicates that the TPM is designed to comply with all of the FIPS 140-2 requirements at Level 1 or higher */
+ unsigned int Reserved : 31; /* 31:1 shall be zero */
+ };
+ UINT32 val;
+ } TPMA_MODES;
+
+#elif defined TPM_BITFIELD_BE
+
+typedef union {
+ struct {
+ unsigned int Reserved : 31; /* 31:1 shall be zero */
+ unsigned int FIPS_140_2 : 1; /* 0 indicates that the TPM is designed to comply with all of the FIPS 140-2 requirements at Level 1 or higher */
+ };
+ UINT32 val;
+} TPMA_MODES;
+
+#else
+
+ typedef struct {
+ UINT32 val;
+ } TPMA_MODES;
+
+#endif
+
+#define TPMA_MODES_FIPS_140_2 0x00000001
+
+/* Table 38 - Definition of (BYTE) TPMI_YES_NO Type */
+
+typedef BYTE TPMI_YES_NO;
+
+#define NO 0
+#define YES 1
+
+/* Table 39 - Definition of (TPM_HANDLE) TPMI_DH_OBJECT Type */
+
+typedef TPM_HANDLE TPMI_DH_OBJECT;
+
+/* Table 41 - Definition of (TPM_HANDLE) TPMI_DH_PARENT Type */
+
+typedef TPM_HANDLE TPMI_DH_PARENT;
+
+/* Table 40 - Definition of (TPM_HANDLE) TPMI_DH_PERSISTENT Type */
+
+typedef TPM_HANDLE TPMI_DH_PERSISTENT;
+
+/* Table 41 - Definition of (TPM_HANDLE) TPMI_DH_ENTITY Type <IN> */
+
+typedef TPM_HANDLE TPMI_DH_ENTITY;
+
+/* Table 42 - Definition of (TPM_HANDLE) TPMI_DH_PCR Type <IN> */
+
+typedef TPM_HANDLE TPMI_DH_PCR;
+
+/* Table 43 - Definition of (TPM_HANDLE) TPMI_SH_AUTH_SESSION Type <IN/OUT> */
+
+typedef TPM_HANDLE TPMI_SH_AUTH_SESSION;
+
+/* Table 44 - Definition of (TPM_HANDLE) TPMI_SH_HMAC Type <IN/OUT> */
+
+typedef TPM_HANDLE TPMI_SH_HMAC;
+
+/* Table 45 - Definition of (TPM_HANDLE) TPMI_SH_POLICY Type <IN/OUT> */
+
+typedef TPM_HANDLE TPMI_SH_POLICY;
+
+/* Table 46 - Definition of (TPM_HANDLE) TPMI_DH_CONTEXT Type */
+
+typedef TPM_HANDLE TPMI_DH_CONTEXT;
+
+/* Table 49 - Definition of (TPM_HANDLE) TPMI_DH_SAVED Type */
+
+typedef TPM_HANDLE TPMI_DH_SAVED;
+
+/* Table 47 - Definition of (TPM_HANDLE) TPMI_RH_HIERARCHY Type */
+
+typedef TPM_HANDLE TPMI_RH_HIERARCHY;
+
+/* Table 48 - Definition of (TPM_HANDLE) TPMI_RH_ENABLES Type */
+
+typedef TPM_HANDLE TPMI_RH_ENABLES;
+
+/* Table 49 - Definition of (TPM_HANDLE) TPMI_RH_HIERARCHY_AUTH Type <IN> */
+
+typedef TPM_HANDLE TPMI_RH_HIERARCHY_AUTH;
+
+/* Table 2:55 - Definition of TPMI_RH_HIERARCHY_POLICY Type */
+
+typedef TPM_HANDLE TPMI_RH_HIERARCHY_POLICY;
+
+/* Table 50 - Definition of (TPM_HANDLE) TPMI_RH_PLATFORM Type <IN> */
+
+typedef TPM_HANDLE TPMI_RH_PLATFORM;
+
+/* Table 51 - Definition of (TPM_HANDLE) TPMI_RH_OWNER Type <IN> */
+
+typedef TPM_HANDLE TPMI_RH_OWNER;
+
+/* Table 52 - Definition of (TPM_HANDLE) TPMI_RH_ENDORSEMENT Type <IN> */
+
+typedef TPM_HANDLE TPMI_RH_ENDORSEMENT;
+
+/* Table 53 - Definition of (TPM_HANDLE) TPMI_RH_PROVISION Type <IN> */
+
+typedef TPM_HANDLE TPMI_RH_PROVISION;
+
+/* Table 54 - Definition of (TPM_HANDLE) TPMI_RH_CLEAR Type <IN> */
+
+typedef TPM_HANDLE TPMI_RH_CLEAR;
+
+/* Table 55 - Definition of (TPM_HANDLE) TPMI_RH_NV_AUTH Type <IN> */
+
+typedef TPM_HANDLE TPMI_RH_NV_AUTH;
+
+/* Table 56 - Definition of (TPM_HANDLE) TPMI_RH_LOCKOUT Type <IN> */
+
+typedef TPM_HANDLE TPMI_RH_LOCKOUT;
+
+/* Table 57 - Definition of (TPM_HANDLE) TPMI_RH_NV_INDEX Type <IN/OUT> */
+
+typedef TPM_HANDLE TPMI_RH_NV_INDEX;
+
+/* Table 58 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type */
+
+typedef TPM_ALG_ID TPMI_ALG_HASH;
+
+/* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_ASYM Type */
+
+typedef TPM_ALG_ID TPMI_ALG_ASYM;
+
+/* Table 60 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM Type */
+
+typedef TPM_ALG_ID TPMI_ALG_SYM;
+
+/* Table 61 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM_OBJECT Type */
+
+typedef TPM_ALG_ID TPMI_ALG_SYM_OBJECT;
+
+/* Table 62 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM_MODE Type */
+
+typedef TPM_ALG_ID TPMI_ALG_SYM_MODE;
+
+/* Table 63 - Definition of (TPM_ALG_ID) TPMI_ALG_KDF Type */
+
+typedef TPM_ALG_ID TPMI_ALG_KDF;
+
+/* Table 64 - Definition of (TPM_ALG_ID) TPMI_ALG_SIG_SCHEME Type */
+
+typedef TPM_ALG_ID TPMI_ALG_SIG_SCHEME;
+
+/* Table 65 - Definition of (TPM_ALG_ID) TPMI_ECC_KEY_EXCHANGE Type */
+
+typedef TPM_ALG_ID TPMI_ECC_KEY_EXCHANGE;
+
+/* Table 66 - Definition of (TPM_ST) TPMI_ST_COMMAND_TAG Type */
+
+typedef TPM_ST TPMI_ST_COMMAND_TAG;
+
+/* Table 71 - Definition of (TPM_ALG_ID) TPMI_ALG_MAC_SCHEME Type */
+
+typedef TPM_ALG_ID TPMI_ALG_MAC_SCHEME;
+
+/* Table 72 - Definition of (TPM_ALG_ID) TPMI_ALG_CIPHER_MODE Type */
+
+typedef TPM_ALG_ID TPMI_ALG_CIPHER_MODE;
+
+/* Table 67 - Definition of TPMS_EMPTY Structure <IN/OUT> */
+
+typedef struct {
+ /* a structure with no member */
+ BYTE empty[0];
+} TPMS_EMPTY;
+
+/* Table 68 - Definition of TPMS_ALGORITHM_DESCRIPTION Structure <OUT> */
+typedef struct {
+ TPM_ALG_ID alg; /* an algorithm */
+ TPMA_ALGORITHM attributes; /* the attributes of the algorithm */
+} TPMS_ALGORITHM_DESCRIPTION;
+
+/* Table 69 - Definition of TPMU_HA Union <IN/OUT, S> */
+
+typedef union {
+ BYTE sha1 [SHA1_DIGEST_SIZE]; /* TPM_ALG_SHA1 */
+ BYTE sha256 [SHA256_DIGEST_SIZE]; /* TPM_ALG_SHA256 */
+ BYTE sha384 [SHA384_DIGEST_SIZE]; /* TPM_ALG_SHA384 */
+ BYTE sha512 [SHA512_DIGEST_SIZE]; /* TPM_ALG_SHA512 */
+ BYTE sm3_256 [SM3_256_DIGEST_SIZE]; /* TPM_ALG_SM3_256 */
+ BYTE tssmax [128]; /* to make union size larger */
+
+} TPMU_HA;
+
+/* legacy, better to use (sizeof(TPMU_HA) */
+
+#define MAX_DIGEST_SIZE (sizeof(TPMU_HA))
+
+/* Table 70 - Definition of TPMT_HA Structure <IN/OUT> */
+
+typedef struct {
+ TPMI_ALG_HASH hashAlg; /* selector of the hash contained in the digest that implies the size of the digest */
+ TPMU_HA digest; /* the digest data */
+} TPMT_HA;
+
+/* Table 71 - Definition of TPM2B_DIGEST Structure */
+
+typedef struct {
+ UINT16 size;
+ BYTE buffer[sizeof(TPMU_HA)];
+} DIGEST_2B;
+
+typedef union {
+ DIGEST_2B t;
+ TPM2B b;
+} TPM2B_DIGEST;
+
+/* Table 72 - Definition of TPM2B_DATA Structure */
+
+typedef struct {
+ UINT16 size; /* size in octets of the buffer field; may be 0 */
+ BYTE buffer[sizeof(TPMT_HA)];
+} DATA_2B;
+
+typedef union {
+ DATA_2B t;
+ TPM2B b;
+} TPM2B_DATA;
+
+/* Table 73 - Definition of Types for TPM2B_NONCE */
+
+typedef TPM2B_DIGEST TPM2B_NONCE; /* size limited to the same as the digest structure */
+
+/* Table 74 - Definition of Types for TPM2B_AUTH */
+
+typedef TPM2B_DIGEST TPM2B_AUTH; /* size limited to the same as the digest structure */
+
+/* This is not in Part 2, but the concatenation of two digests to create an HMAC key is used often
+ enough that it's worth putting in a central location.
+
+ In Part 1 19.6.8 sessionKey Creation - authValue || salt.
+ In Part 1 19.6.5 HMAC Computation - sessionKey || authValue
+
+ I think both could be TPMU_HA, but the TPM reference code seems to use TPMT_HA.
+*/
+
+typedef struct {
+ UINT16 size;
+ BYTE buffer[sizeof(TPMU_HA) + /* TPM2B_AUTH authValue */
+ sizeof(TPMT_HA)]; /* salt */
+} KEY_2B;
+
+typedef union {
+ KEY_2B t;
+ TPM2B b;
+} TPM2B_KEY;
+
+/* Table 75 - Definition of Types for TPM2B_OPERAND */
+
+typedef TPM2B_DIGEST TPM2B_OPERAND; /* size limited to the same as the digest structure */
+
+/* Table 76 - Definition of TPM2B_EVENT Structure */
+
+typedef struct {
+ UINT16 size; /* size of the operand */
+ BYTE buffer [1024]; /* the operand */
+} EVENT_2B;
+
+typedef union {
+ EVENT_2B t;
+ TPM2B b;
+} TPM2B_EVENT;
+
+/* Table 77 - Definition of TPM2B_MAX_BUFFER Structure */
+
+/* MAX_DIGEST_BUFFER is TPM-dependent but is required to be at least 1,024. */
+
+typedef struct {
+ UINT16 size; /* size of the buffer */
+ BYTE buffer [MAX_DIGEST_BUFFER]; /* the operand */
+} MAX_BUFFER_2B;
+
+typedef union {
+ MAX_BUFFER_2B t;
+ TPM2B b;
+} TPM2B_MAX_BUFFER;
+
+/* Table 78 - Definition of TPM2B_MAX_NV_BUFFER Structure */
+
+typedef struct {
+ UINT16 size; /* size of the buffer */
+ BYTE buffer [MAX_NV_BUFFER_SIZE]; /* the operand */
+} MAX_NV_BUFFER_2B;
+
+typedef union {
+ MAX_NV_BUFFER_2B t;
+ TPM2B b;
+} TPM2B_MAX_NV_BUFFER;
+
+/* Table 79 - Definition of TPM2B_TIMEOUT Structure <IN/OUT> */
+
+typedef TPM2B_DIGEST TPM2B_TIMEOUT; /* size limited to the same as the digest structure */
+
+/* Table 80 - Definition of TPM2B_IV Structure <IN/OUT> */
+
+typedef struct {
+ UINT16 size; /* size of the IV value */
+ BYTE buffer [MAX_SYM_BLOCK_SIZE]; /* the IV value */
+} IV_2B;
+
+typedef union {
+ IV_2B t;
+ TPM2B b;
+} TPM2B_IV;
+
+/* Table 81 - Definition of TPMU_NAME Union <> */
+
+typedef union {
+ TPMT_HA digest; /* when the Name is a digest */
+ TPM_HANDLE handle; /* when the Name is a handle */
+} TPMU_NAME;
+
+/* Table 82 - Definition of TPM2B_NAME Structure */
+
+typedef struct {
+ UINT16 size; /* size of the Name structure */
+ BYTE name[sizeof(TPMU_NAME)]; /* the Name structure */
+} NAME_2B;
+
+typedef union {
+ NAME_2B t;
+ TPM2B b;
+} TPM2B_NAME;
+
+/* Table 83 - Definition of TPMS_PCR_SELECT Structure */
+
+typedef struct {
+ UINT8 sizeofSelect; /* the size in octets of the pcrSelect array */
+ BYTE pcrSelect [PCR_SELECT_MAX]; /* the bit map of selected PCR */
+} TPMS_PCR_SELECT;
+
+/* Table 84 - Definition of TPMS_PCR_SELECTION Structure */
+
+typedef struct {
+ TPMI_ALG_HASH hash; /* the hash algorithm associated with the selection */
+ UINT8 sizeofSelect; /* the size in octets of the pcrSelect array */
+ BYTE pcrSelect [PCR_SELECT_MAX]; /* the bit map of selected PCR */
+} TPMS_PCR_SELECTION;
+
+/* Table 87 - Definition of TPMT_TK_CREATION Structure */
+
+typedef struct {
+ TPM_ST tag; /* ticket structure tag TPM_ST_CREATION */
+ TPMI_RH_HIERARCHY hierarchy; /* the hierarchy containing name */
+ TPM2B_DIGEST digest; /* This shall be the HMAC produced using a proof value of hierarchy. */
+} TPMT_TK_CREATION;
+
+/* Table 88 - Definition of TPMT_TK_VERIFIED Structure */
+
+typedef struct {
+ TPM_ST tag; /* ticket structure tag TPM_ST_VERIFIED */
+ TPMI_RH_HIERARCHY hierarchy; /* the hierarchy containing keyName */
+ TPM2B_DIGEST digest; /* This shall be the HMAC produced using a proof value of hierarchy. */
+} TPMT_TK_VERIFIED;
+
+/* Table 89 - Definition of TPMT_TK_AUTH Structure */
+
+typedef struct {
+ TPM_ST tag; /* ticket structure tag TPM_ST_AUTH_SIGNED, TPM_ST_AUTH_SECRET */
+ TPMI_RH_HIERARCHY hierarchy; /* the hierarchy of the object used to produce the ticket */
+ TPM2B_DIGEST digest; /* This shall be the HMAC produced using a proof value of hierarchy. */
+} TPMT_TK_AUTH;
+
+/* Table 90 - Definition of TPMT_TK_HASHCHECK Structure */
+
+typedef struct {
+ TPM_ST tag; /* ticket structure tag TPM_ST_HASHCHECK */
+ TPMI_RH_HIERARCHY hierarchy; /* the hierarchy */
+ TPM2B_DIGEST digest; /* This shall be the HMAC produced using a proof value of hierarchy. */
+} TPMT_TK_HASHCHECK;
+
+/* Table 91 - Definition of TPMS_ALG_PROPERTY Structure <OUT> */
+
+typedef struct {
+ TPM_ALG_ID alg; /* an algorithm identifier */
+ TPMA_ALGORITHM algProperties; /* the attributes of the algorithm */
+} TPMS_ALG_PROPERTY;
+
+/* Table 92 - Definition of TPMS_TAGGED_PROPERTY Structure <OUT> */
+
+typedef struct {
+ TPM_PT property; /* a property identifier */
+ UINT32 value; /* the value of the property */
+} TPMS_TAGGED_PROPERTY;
+
+/* Table 93 - Definition of TPMS_TAGGED_PCR_SELECT Structure <OUT> */
+
+typedef struct {
+ TPM_PT_PCR tag; /* the property identifier */
+ UINT8 sizeofSelect; /* the size in octets of the pcrSelect array */
+ BYTE pcrSelect [PCR_SELECT_MAX]; /* the bit map of PCR with the identified property */
+} TPMS_TAGGED_PCR_SELECT;
+
+/* Table 96 - Definition of TPMS_TAGGED_POLICY Structure */
+
+typedef struct {
+ TPM_HANDLE handle;
+ TPMT_HA policyHash;
+} TPMS_TAGGED_POLICY;
+
+/* Table 94 - Definition of TPML_CC Structure */
+
+typedef struct {
+ UINT32 count; /* number of commands in the commandCode list; may be 0 */
+ TPM_CC commandCodes[MAX_CAP_CC]; /* a list of command codes */
+} TPML_CC;
+
+/* Table 95 - Definition of TPML_CCA Structure <OUT> */
+
+typedef struct {
+ UINT32 count; /* number of values in the commandAttributes list; may be 0 */
+ TPMA_CC commandAttributes[MAX_CAP_CC]; /* a list of command codes attributes */
+} TPML_CCA;
+
+/* Table 96 - Definition of TPML_ALG Structure */
+
+typedef struct {
+ UINT32 count; /* number of algorithms in the algorithms list; may be 0 */
+ TPM_ALG_ID algorithms[MAX_ALG_LIST_SIZE]; /* a list of algorithm IDs */
+} TPML_ALG;
+
+/* Table 97 - Definition of TPML_HANDLE Structure <OUT> */
+
+typedef struct {
+ UINT32 count; /* the number of handles in the list may have a value of 0 */
+ TPM_HANDLE handle[MAX_CAP_HANDLES]; /* an array of handles */
+} TPML_HANDLE;
+
+/* Table 98 - Definition of TPML_DIGEST Structure */
+
+typedef struct {
+ UINT32 count; /* number of digests in the list, minimum is two for TPM2_PolicyOR(). */
+ TPM2B_DIGEST digests[8]; /* a list of digests */
+} TPML_DIGEST;
+
+/* Table 99 - Definition of TPML_DIGEST_VALUES Structure */
+
+typedef struct {
+ UINT32 count; /* number of digests in the list */
+ TPMT_HA digests[HASH_COUNT]; /* a list of tagged digests */
+} TPML_DIGEST_VALUES;
+
+/* Table 100 - Definition of TPM2B_DIGEST_VALUES Structure */
+
+typedef struct {
+ UINT16 size; /* size of the operand buffer */
+ BYTE buffer [sizeof(TPML_DIGEST_VALUES)]; /* the operand */
+} TPM2B_DIGEST_VALUES;
+
+/* Table 101 - Definition of TPML_PCR_SELECTION Structure */
+
+typedef struct {
+ UINT32 count; /* number of selection structures A value of zero is allowed. */
+ TPMS_PCR_SELECTION pcrSelections[HASH_COUNT]; /* list of selections */
+} TPML_PCR_SELECTION;
+
+/* Table 102 - Definition of TPML_ALG_PROPERTY Structure <OUT> */
+
+typedef struct {
+ UINT32 count; /* number of algorithm properties structures A value of zero is allowed. */
+ TPMS_ALG_PROPERTY algProperties[MAX_CAP_ALGS]; /* list of properties */
+} TPML_ALG_PROPERTY;
+
+/* Table 103 - Definition of TPML_TAGGED_TPM_PROPERTY Structure <OUT> */
+
+typedef struct {
+ UINT32 count; /* number of properties A value of zero is allowed. */
+ TPMS_TAGGED_PROPERTY tpmProperty[MAX_TPM_PROPERTIES]; /* an array of tagged properties */
+} TPML_TAGGED_TPM_PROPERTY;
+
+/* Table 104 - Definition of TPML_TAGGED_PCR_PROPERTY Structure <OUT> */
+
+typedef struct {
+ UINT32 count; /* number of properties A value of zero is allowed. */
+ TPMS_TAGGED_PCR_SELECT pcrProperty[MAX_PCR_PROPERTIES]; /* a tagged PCR selection */
+} TPML_TAGGED_PCR_PROPERTY;
+
+/* Table 105 - Definition of {ECC} TPML_ECC_CURVE Structure <OUT> */
+
+typedef struct {
+ UINT32 count; /* number of curves A value of zero is allowed. */
+ TPM_ECC_CURVE eccCurves[MAX_ECC_CURVES]; /* array of ECC curve identifiers */
+} TPML_ECC_CURVE ;
+
+/* Table 109 - Definition of TPML_TAGGED_POLICY Structure */
+
+typedef struct {
+ UINT32 count;
+ TPMS_TAGGED_POLICY policies[MAX_TAGGED_POLICIES];
+} TPML_TAGGED_POLICY;
+
+/* Table 106 - Definition of TPMU_CAPABILITIES Union <OUT> */
+
+typedef union {
+ TPML_ALG_PROPERTY algorithms; /* TPM_CAP_ALGS */
+ TPML_HANDLE handles; /* TPM_CAP_HANDLES */
+ TPML_CCA command; /* TPM_CAP_COMMANDS */
+ TPML_CC ppCommands; /* TPM_CAP_PP_COMMANDS */
+ TPML_CC auditCommands; /* TPM_CAP_AUDIT_COMMANDS */
+ TPML_PCR_SELECTION assignedPCR; /* TPM_CAP_PCRS */
+ TPML_TAGGED_TPM_PROPERTY tpmProperties; /* TPM_CAP_TPM_PROPERTIES */
+ TPML_TAGGED_PCR_PROPERTY pcrProperties; /* TPM_CAP_PCR_PROPERTIES */
+ TPML_ECC_CURVE eccCurves; /* TPM_CAP_ECC_CURVES */
+ TPML_TAGGED_POLICY authPolicies; /* TPM_CAP_AUTH_POLICIES */
+} TPMU_CAPABILITIES;
+
+/* Table 107 - Definition of TPMS_CAPABILITY_DATA Structure <OUT> */
+
+typedef struct {
+ TPM_CAP capability; /* the capability */
+ TPMU_CAPABILITIES data; /* the capability data */
+} TPMS_CAPABILITY_DATA;
+
+/* Table 108 - Definition of TPMS_CLOCK_INFO Structure */
+
+typedef struct {
+ UINT64 clock; /* time in milliseconds during which the TPM has been powered */
+ UINT32 resetCount; /* number of occurrences of TPM Reset since the last TPM2_Clear() */
+ UINT32 restartCount; /* number of times that TPM2_Shutdown() or _TPM_Hash_Start have
+ occurred since the last TPM Reset or TPM2_Clear(). */
+ TPMI_YES_NO safe; /* no value of Clock greater than the current value of Clock has
+ been previously reported by the TPM */
+} TPMS_CLOCK_INFO;
+
+/* Table 109 - Definition of TPMS_TIME_INFO Structure */
+
+typedef struct {
+ UINT64 time; /* time in milliseconds since the last _TPM_Init() or TPM2_Startup() */
+ TPMS_CLOCK_INFO clockInfo; /* a structure containing the clock information */
+} TPMS_TIME_INFO;
+
+/* Table 110 - Definition of TPMS_TIME_ATTEST_INFO Structure <OUT> */
+
+typedef struct {
+ TPMS_TIME_INFO time; /* the Time, clock, resetCount, restartCount, and
+ Safe indicator */
+ UINT64 firmwareVersion; /* a TPM vendor-specific value indicating the
+ version number of the firmware */
+} TPMS_TIME_ATTEST_INFO;
+
+/* Table 111 - Definition of TPMS_CERTIFY_INFO Structure <OUT> */
+
+typedef struct {
+ TPM2B_NAME name; /* Name of the certified object */
+ TPM2B_NAME qualifiedName; /* Qualified Name of the certified object */
+} TPMS_CERTIFY_INFO;
+
+/* Table 112 - Definition of TPMS_QUOTE_INFO Structure <OUT> */
+
+typedef struct {
+ TPML_PCR_SELECTION pcrSelect; /* information on algID, PCR selected and digest */
+ TPM2B_DIGEST pcrDigest; /* digest of the selected PCR using the hash of the signing key */
+} TPMS_QUOTE_INFO;
+
+/* Table 113 - Definition of TPMS_COMMAND_AUDIT_INFO Structure <OUT> */
+
+typedef struct {
+ UINT64 auditCounter; /* the monotonic audit counter */
+ TPM_ALG_ID digestAlg; /* hash algorithm used for the command audit */
+ TPM2B_DIGEST auditDigest; /* the current value of the audit digest */
+ TPM2B_DIGEST commandDigest; /* digest of the command codes being audited using digestAlg */
+} TPMS_COMMAND_AUDIT_INFO;
+
+/* Table 114 - Definition of TPMS_SESSION_AUDIT_INFO Structure <OUT> */
+
+typedef struct {
+ TPMI_YES_NO exclusiveSession; /* current exclusive status of the session */
+ TPM2B_DIGEST sessionDigest; /* the current value of the session audit digest */
+} TPMS_SESSION_AUDIT_INFO;
+
+/* Table 115 - Definition of TPMS_CREATION_INFO Structure <OUT> */
+
+typedef struct {
+ TPM2B_NAME objectName; /* Name of the object */
+ TPM2B_DIGEST creationHash; /* creationHash */
+} TPMS_CREATION_INFO;
+
+/* Table 116 - Definition of TPMS_NV_CERTIFY_INFO Structure <OUT> */
+
+typedef struct {
+ TPM2B_NAME indexName; /* Name of the NV Index */
+ UINT16 offset; /* the offset parameter of TPM2_NV_Certify() */
+ TPM2B_MAX_NV_BUFFER nvContents; /* contents of the NV Index */
+} TPMS_NV_CERTIFY_INFO;
+
+/* Table 125 - Definition of TPMS_NV_DIGEST_CERTIFY_INFO Structure <OUT> */
+typedef struct {
+ TPM2B_NAME indexName;
+ TPM2B_DIGEST nvDigest;
+} TPMS_NV_DIGEST_CERTIFY_INFO;
+
+typedef TPM_ST TPMI_ST_ATTEST;
+
+/* Table 118 - Definition of TPMU_ATTEST Union <OUT> */
+
+typedef union {
+ TPMS_CERTIFY_INFO certify; /* TPM_ST_ATTEST_CERTIFY */
+ TPMS_CREATION_INFO creation; /* TPM_ST_ATTEST_CREATION */
+ TPMS_QUOTE_INFO quote; /* TPM_ST_ATTEST_QUOTE */
+ TPMS_COMMAND_AUDIT_INFO commandAudit; /* TPM_ST_ATTEST_COMMAND_AUDIT */
+ TPMS_SESSION_AUDIT_INFO sessionAudit; /* TPM_ST_ATTEST_SESSION_AUDIT */
+ TPMS_TIME_ATTEST_INFO time; /* TPM_ST_ATTEST_TIME */
+ TPMS_NV_CERTIFY_INFO nv; /* TPM_ST_ATTEST_NV */
+ TPMS_NV_DIGEST_CERTIFY_INFO nvDigest; /* TPM_ST_ATTEST_NV_DIGEST */
+} TPMU_ATTEST;
+
+/* Table 119 - Definition of TPMS_ATTEST Structure <OUT> */
+
+typedef struct {
+ TPM_GENERATED magic; /* the indication that this structure was created by
+ a TPM (always TPM_GENERATED_VALUE) */
+ TPMI_ST_ATTEST type; /* type of the attestation structure */
+ TPM2B_NAME qualifiedSigner; /* Qualified Name of the signing key */
+ TPM2B_DATA extraData; /* external information supplied by caller */
+ TPMS_CLOCK_INFO clockInfo; /* Clock, resetCount, restartCount, and Safe */
+ UINT64 firmwareVersion; /* TPM-vendor-specific value identifying the version
+ number of the firmware */
+ TPMU_ATTEST attested; /* the type-specific attestation information */
+} TPMS_ATTEST;
+
+/* Table 120 - Definition of TPM2B_ATTEST Structure <OUT> */
+
+typedef struct {
+ UINT16 size; /* size of the attestationData structure */
+ BYTE attestationData[sizeof(TPMS_ATTEST)]; /* the signed structure */
+} ATTEST_2B;
+
+typedef union {
+ ATTEST_2B t;
+ TPM2B b;
+} TPM2B_ATTEST;
+
+/* Table 121 - Definition of TPMS_AUTH_COMMAND Structure <IN> */
+
+typedef struct {
+ TPMI_SH_AUTH_SESSION sessionHandle; /* the session handle */
+ TPM2B_NONCE nonce; /* the session nonce, may be the Empty Buffer */
+ TPMA_SESSION sessionAttributes; /* the session attributes */
+ TPM2B_AUTH hmac; /* either an HMAC, a password, or an EmptyAuth */
+} TPMS_AUTH_COMMAND;
+
+/* Table 126 - Definition of TPMS_AUTH_RESPONSE Structure <OUT> */
+
+typedef struct {
+ TPM2B_NONCE nonce; /* the session nonce, may be the Empty Buffer */
+ TPMA_SESSION sessionAttributes; /* the session attributes */
+ TPM2B_AUTH hmac; /* either an HMAC or an EmptyAuth */
+} TPMS_AUTH_RESPONSE;
+
+/* Table 127 - Definition of {AES} (TPM_KEY_BITS) TPMI_!ALG.S_KEY_BITS Type */
+
+typedef TPM_KEY_BITS TPMI_TDES_KEY_BITS;
+typedef TPM_KEY_BITS TPMI_AES_KEY_BITS;
+typedef TPM_KEY_BITS TPMI_SM4_KEY_BITS;
+typedef TPM_KEY_BITS TPMI_CAMELLIA_KEY_BITS;
+
+/* Table 128 - Definition of TPMU_SYM_KEY_BITS Union */
+
+typedef union {
+#ifdef TPM_ALG_TDES
+ TPMI_TDES_KEY_BITS tdes; /* TPM_ALG_TDES */
+#endif
+#ifdef TPM_ALG_AES
+ TPMI_AES_KEY_BITS aes; /* TPM_ALG_AES */
+#endif
+#ifdef TPM_ALG_SM4
+ TPMI_SM4_KEY_BITS sm4; /* TPM_ALG_SM4 */
+#endif
+#ifdef TPM_ALG_CAMELLIA
+ TPMI_CAMELLIA_KEY_BITS camellia; /* TPM_ALG_CAMELLIA */
+#endif
+#ifdef TPM_ALG_XOR
+ TPMI_ALG_HASH xorr; /* TPM_ALG_XOR overload for using xor */
+#endif
+ TPM_KEY_BITS sym; /* when selector may be any of the symmetric block ciphers */
+} TPMU_SYM_KEY_BITS;
+
+/* Table 129 - Definition of TPMU_SYM_MODE Union */
+
+typedef union {
+#ifdef TPM_ALG_TDES
+ TPMI_ALG_SYM_MODE tdes; /* TPM_ALG_TDES */
+#endif
+#ifdef TPM_ALG_AES
+ TPMI_ALG_SYM_MODE aes; /* TPM_ALG_AES */
+#endif
+#ifdef TPM_ALG_SM4
+ TPMI_ALG_SYM_MODE sm4; /* TPM_ALG_SM4 */
+#endif
+#ifdef TPM_ALG_CAMELLIA
+ TPMI_ALG_SYM_MODE camellia; /* TPM_ALG_CAMELLIA */
+#endif
+ TPMI_ALG_SYM_MODE sym; /* when selector may be any of the symmetric block ciphers */
+} TPMU_SYM_MODE;
+
+/* Table 126 - xDefinition of TPMU_SYM_DETAILS Union */
+
+/* Table 127 - Definition of TPMT_SYM_DEF Structure */
+
+typedef struct {
+ TPMI_ALG_SYM algorithm; /* indicates a symmetric algorithm */
+ TPMU_SYM_KEY_BITS keyBits; /* a supported key size */
+ TPMU_SYM_MODE mode; /* the mode for the key */
+} TPMT_SYM_DEF;
+
+/* Table 128 - Definition of TPMT_SYM_DEF_OBJECT Structure */
+
+typedef struct {
+ TPMI_ALG_SYM_OBJECT algorithm; /* selects a symmetric block cipher */
+ TPMU_SYM_KEY_BITS keyBits; /* the key size */
+ TPMU_SYM_MODE mode; /* default mode */
+} TPMT_SYM_DEF_OBJECT;
+
+/* Table 129 - Definition of TPM2B_SYM_KEY Structure */
+
+typedef struct {
+ UINT16 size; /* size, in octets, of the buffer containing the key; may be zero */
+ BYTE buffer [MAX_SYM_KEY_BYTES]; /* the key */
+} SYM_KEY_2B;
+
+typedef union {
+ SYM_KEY_2B t;
+ TPM2B b;
+} TPM2B_SYM_KEY;
+
+/* Table 130 - Definition of TPMS_SYMCIPHER_PARMS Structure */
+
+typedef struct {
+ TPMT_SYM_DEF_OBJECT sym; /* a symmetric block cipher */
+} TPMS_SYMCIPHER_PARMS;
+
+/* Table 135 - Definition of TPM2B_LABEL Structure */
+
+typedef union {
+ struct {
+ UINT16 size;
+ BYTE buffer[LABEL_MAX_BUFFER];
+ } t;
+ TPM2B b;
+} TPM2B_LABEL;
+
+/* Table 135 - Definition of TPMS_DERIVE Structure */
+
+typedef struct {
+ TPM2B_LABEL label;
+ TPM2B_LABEL context;
+} TPMS_DERIVE;
+
+/* Table 131 - Definition of TPM2B_SENSITIVE_DATA Structure */
+
+typedef struct {
+ UINT16 size;
+ BYTE buffer[MAX_SYM_DATA]; /* the keyed hash private data structure */
+} SENSITIVE_DATA_2B;
+
+typedef union {
+ SENSITIVE_DATA_2B t;
+ TPM2B b;
+} TPM2B_SENSITIVE_DATA;
+
+/* Table 132 - Definition of TPMS_SENSITIVE_CREATE Structure <IN> */
+
+typedef struct {
+ TPM2B_AUTH userAuth; /* the USER auth secret value */
+ TPM2B_SENSITIVE_DATA data; /* data to be sealed */
+} TPMS_SENSITIVE_CREATE;
+
+/* Table 133 - Definition of TPM2B_SENSITIVE_CREATE Structure <IN, S> */
+
+typedef struct {
+ UINT16 size; /* size of sensitive in octets (may not be zero) */
+ TPMS_SENSITIVE_CREATE sensitive; /* data to be sealed or a symmetric key value. */
+} TPM2B_SENSITIVE_CREATE;
+
+/* Table 134 - Definition of TPMS_SCHEME_HASH Structure */
+
+typedef struct {
+ TPMI_ALG_HASH hashAlg; /* the hash algorithm used to digest the message */
+} TPMS_SCHEME_HASH;
+
+/* Table 135 - Definition of {ECC} TPMS_SCHEME_ECDAA Structure */
+
+typedef struct {
+ TPMI_ALG_HASH hashAlg; /* the hash algorithm used to digest the message */
+ UINT16 count; /* the counter value that is used between TPM2_Commit() and the sign operation */
+} TPMS_SCHEME_ECDAA;
+
+/* Table 136 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
+
+typedef TPM_ALG_ID TPMI_ALG_KEYEDHASH_SCHEME;
+
+/* Table 137 - Definition of Types for HMAC_SIG_SCHEME */
+
+typedef TPMS_SCHEME_HASH TPMS_SCHEME_HMAC;
+
+/* Table 138 - Definition of TPMS_SCHEME_XOR Structure */
+
+typedef struct {
+ TPMI_ALG_HASH hashAlg; /* the hash algorithm used to digest the message */
+ TPMI_ALG_KDF kdf; /* the key derivation function */
+} TPMS_SCHEME_XOR;
+
+/* Table 139 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
+
+typedef union {
+#ifdef TPM_ALG_HMAC
+ TPMS_SCHEME_HMAC hmac; /* TPM_ALG_HMAC the "signing" scheme */
+#endif
+#ifdef TPM_ALG_XOR
+ TPMS_SCHEME_XOR xorr; /* TPM_ALG_XOR the "obfuscation" scheme */
+#endif
+} TPMU_SCHEME_KEYEDHASH;
+
+/* Table 140 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
+
+typedef struct {
+ TPMI_ALG_KEYEDHASH_SCHEME scheme; /* selects the scheme */
+ TPMU_SCHEME_KEYEDHASH details; /* the scheme parameters */
+} TPMT_KEYEDHASH_SCHEME;
+
+/* Table 141 - Definition of {RSA} Types for RSA Signature Schemes */
+
+typedef TPMS_SCHEME_HASH TPMS_SIG_SCHEME_RSASSA;
+typedef TPMS_SCHEME_HASH TPMS_SIG_SCHEME_RSAPSS;
+
+/* Table 142 - Definition of {ECC} Types for ECC Signature Schemes */
+
+typedef TPMS_SCHEME_HASH TPMS_SIG_SCHEME_ECDSA;
+typedef TPMS_SCHEME_HASH TPMS_SIG_SCHEME_SM2;
+typedef TPMS_SCHEME_HASH TPMS_SIG_SCHEME_ECSCHNORR;
+
+typedef TPMS_SCHEME_ECDAA TPMS_SIG_SCHEME_ECDAA;
+
+/* Table 143 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+
+typedef union {
+#ifdef TPM_ALG_RSASSA
+ TPMS_SIG_SCHEME_RSASSA rsassa; /* TPM_ALG_RSASSA the RSASSA-PKCS1v1_5 scheme */
+#endif
+#ifdef TPM_ALG_RSAPSS
+ TPMS_SIG_SCHEME_RSAPSS rsapss; /* TPM_ALG_RSAPSS the RSASSA-PSS scheme */
+#endif
+#ifdef TPM_ALG_ECDSA
+ TPMS_SIG_SCHEME_ECDSA ecdsa; /* TPM_ALG_ECDSA the ECDSA scheme */
+#endif
+#ifdef TPM_ALG_ECDAA
+ TPMS_SIG_SCHEME_ECDAA ecdaa; /* TPM_ALG_ECDAA the ECDAA scheme */
+#endif
+#ifdef TPM_ALG_SM2
+ TPMS_SIG_SCHEME_SM2 sm2; /* TPM_ALG_SM2 ECDSA from SM2 */
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ TPMS_SIG_SCHEME_ECSCHNORR ecSchnorr; /* TPM_ALG_ECSCHNORR the EC Schnorr */
+#endif
+#ifdef TPM_ALG_HMAC
+ TPMS_SCHEME_HMAC hmac; /* TPM_ALG_HMAC the HMAC scheme */
+#endif
+ TPMS_SCHEME_HASH any; /* selector that allows access to digest for any signing scheme */
+} TPMU_SIG_SCHEME;
+
+/* Table 144 - Definition of TPMT_SIG_SCHEME Structure */
+
+typedef struct {
+ TPMI_ALG_SIG_SCHEME scheme; /* scheme selector */
+ TPMU_SIG_SCHEME details; /* scheme parameters */
+} TPMT_SIG_SCHEME;
+
+/* Table 145 - Definition of Types for {RSA} Encryption Schemes */
+
+typedef TPMS_SCHEME_HASH TPMS_ENC_SCHEME_OAEP; /* schemes that only need a hash */
+
+typedef TPMS_EMPTY TPMS_ENC_SCHEME_RSAES; /* schemes that need nothing */
+
+/* Table 146 - Definition of Types for {ECC} ECC Key Exchange */
+
+typedef TPMS_SCHEME_HASH TPMS_KEY_SCHEME_ECDH; /* schemes that only need a hash */
+typedef TPMS_SCHEME_HASH TPMS_KEY_SCHEME_ECMQV; /* schemes that only need a hash */
+
+/* Table 147 - Definition of Types for KDF Schemes, hash-based key- or mask-generation functions */
+
+typedef TPMS_SCHEME_HASH TPMS_SCHEME_MGF1;
+typedef TPMS_SCHEME_HASH TPMS_SCHEME_KDF1_SP800_56A;
+typedef TPMS_SCHEME_HASH TPMS_SCHEME_KDF2;
+typedef TPMS_SCHEME_HASH TPMS_SCHEME_KDF1_SP800_108;
+
+/* Table 148 - Definition of TPMU_KDF_SCHEME Union <IN/OUT, S> */
+
+typedef union {
+#ifdef TPM_ALG_MGF1
+ TPMS_SCHEME_MGF1 mgf1; /* TPM_ALG_MGF1 */
+#endif
+#ifdef TPM_ALG_KDF1_SP800_56A
+ TPMS_SCHEME_KDF1_SP800_56A kdf1_SP800_56a; /* TPM_ALG_KDF1_SP800_56A */
+#endif
+#ifdef TPM_ALG_KDF2
+ TPMS_SCHEME_KDF2 kdf2; /* TPM_ALG_KDF2 */
+#endif
+#ifdef TPM_ALG_KDF1_SP800_108
+ TPMS_SCHEME_KDF1_SP800_108 kdf1_sp800_108; /* TPM_ALG_KDF1_SP800_108 */
+#endif
+} TPMU_KDF_SCHEME;
+
+/* Table 149 - Definition of TPMT_KDF_SCHEME Structure */
+
+typedef struct {
+ TPMI_ALG_KDF scheme; /* scheme selector */
+ TPMU_KDF_SCHEME details; /* scheme parameters */
+} TPMT_KDF_SCHEME;
+
+/* Table 150 - Definition of (TPM_ALG_ID) TPMI_ALG_ASYM_SCHEME Type <> */
+
+typedef TPM_ALG_ID TPMI_ALG_ASYM_SCHEME;
+
+/* Table 151 - Definition of TPMU_ASYM_SCHEME Union */
+
+typedef union {
+#ifdef TPM_ALG_ECDH
+ TPMS_KEY_SCHEME_ECDH ecdh; /* TPM_ALG_ECDH */
+#endif
+#ifdef TPM_ALG_ECMQV
+ TPMS_KEY_SCHEME_ECMQV ecmqvh; /* TPM_ALG_ECMQV */
+#endif
+#ifdef TPM_ALG_RSASSA
+ TPMS_SIG_SCHEME_RSASSA rsassa; /* TPM_ALG_RSASSA */
+#endif
+#ifdef TPM_ALG_RSAPSS
+ TPMS_SIG_SCHEME_RSAPSS rsapss; /* TPM_ALG_RSAPSS */
+#endif
+#ifdef TPM_ALG_ECDSA
+ TPMS_SIG_SCHEME_ECDSA ecdsa; /* TPM_ALG_ECDSA */
+#endif
+#ifdef TPM_ALG_ECDAA
+ TPMS_SIG_SCHEME_ECDAA ecdaa; /* TPM_ALG_ECDAA */
+#endif
+#ifdef TPM_ALG_SM2
+ TPMS_SIG_SCHEME_SM2 sm2; /* TPM_ALG_SM2 */
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ TPMS_SIG_SCHEME_ECSCHNORR ecSchnorr; /* TPM_ALG_ECSCHNORR */
+#endif
+#ifdef TPM_ALG_RSAES
+ TPMS_ENC_SCHEME_RSAES rsaes; /* TPM_ALG_RSAES */
+#endif
+#ifdef TPM_ALG_OAEP
+ TPMS_ENC_SCHEME_OAEP oaep; /* TPM_ALG_OAEP */
+#endif
+ TPMS_SCHEME_HASH anySig;
+} TPMU_ASYM_SCHEME;
+
+/* Table 152 - Definition of TPMT_ASYM_SCHEME Structure <> */
+
+typedef struct {
+ TPMI_ALG_ASYM_SCHEME scheme; /* scheme selector */
+ TPMU_ASYM_SCHEME details; /* scheme parameters */
+} TPMT_ASYM_SCHEME;
+
+/* Table 153 - Definition of (TPM_ALG_ID) {RSA} TPMI_ALG_RSA_SCHEME Type */
+
+typedef TPM_ALG_ID TPMI_ALG_RSA_SCHEME;
+
+/* Table 154 - Definition of {RSA} TPMT_RSA_SCHEME Structure */
+
+typedef struct {
+ TPMI_ALG_RSA_SCHEME scheme; /* scheme selector */
+ TPMU_ASYM_SCHEME details; /* scheme parameters */
+} TPMT_RSA_SCHEME;
+
+/* Table 155 - Definition of (TPM_ALG_ID) {RSA} TPMI_ALG_RSA_DECRYPT Type */
+
+typedef TPM_ALG_ID TPMI_ALG_RSA_DECRYPT;
+
+/* Table 156 - Definition of {RSA} TPMT_RSA_DECRYPT Structure */
+
+typedef struct {
+ TPMI_ALG_RSA_DECRYPT scheme; /* scheme selector */
+ TPMU_ASYM_SCHEME details; /* scheme parameters */
+} TPMT_RSA_DECRYPT;
+
+/* Table 157 - Definition of {RSA} TPM2B_PUBLIC_KEY_RSA Structure */
+
+typedef struct {
+ UINT16 size; /* size of the buffer */
+ BYTE buffer[MAX_RSA_KEY_BYTES]; /* Value */
+} PUBLIC_KEY_RSA_2B;
+
+typedef union {
+ PUBLIC_KEY_RSA_2B t;
+ TPM2B b;
+} TPM2B_PUBLIC_KEY_RSA;
+
+/* Table 158 - Definition of {RSA} (TPM_KEY_BITS) TPMI_RSA_KEY_BITS Type */
+
+typedef TPM_KEY_BITS TPMI_RSA_KEY_BITS;
+
+/* Table 159 - Definition of {RSA} TPM2B_PRIVATE_KEY_RSA Structure */
+
+typedef struct {
+ UINT16 size;
+ BYTE buffer[MAX_RSA_KEY_BYTES/2];
+} PRIVATE_KEY_RSA_2B;
+
+typedef union {
+ PRIVATE_KEY_RSA_2B t;
+ TPM2B b;
+} TPM2B_PRIVATE_KEY_RSA;
+
+/* Table 160 - Definition of {ECC} TPM2B_ECC_PARAMETER Structure */
+
+typedef struct {
+ UINT16 size; /* size of the buffer */
+ BYTE buffer[MAX_ECC_KEY_BYTES]; /* the parameter data */
+} ECC_PARAMETER_2B;
+
+typedef union {
+ ECC_PARAMETER_2B t;
+ TPM2B b;
+} TPM2B_ECC_PARAMETER;
+
+/* Table 161 - Definition of {ECC} TPMS_ECC_POINT Structure */
+
+typedef struct {
+ TPM2B_ECC_PARAMETER x; /* X coordinate */
+ TPM2B_ECC_PARAMETER y; /* Y coordinate */
+} TPMS_ECC_POINT;
+
+/* Table 162 - Definition of {ECC} TPM2B_ECC_POINT Structure */
+
+typedef struct {
+ UINT16 size; /* size of the remainder of this structure */
+ TPMS_ECC_POINT point; /* coordinates */
+} TPM2B_ECC_POINT;
+
+/* Table 163 - Definition of (TPM_ALG_ID) {ECC} TPMI_ALG_ECC_SCHEME Type */
+
+typedef TPM_ALG_ID TPMI_ALG_ECC_SCHEME;
+
+/* Table 164 - Definition of {ECC} (TPM_ECC_CURVE) TPMI_ECC_CURVE Type */
+
+typedef TPM_ECC_CURVE TPMI_ECC_CURVE;
+
+/* Table 165 - Definition of (TPMT_SIG_SCHEME) {ECC} TPMT_ECC_SCHEME Structure */
+
+typedef struct {
+ TPMI_ALG_ECC_SCHEME scheme; /* scheme selector */
+ TPMU_ASYM_SCHEME details; /* scheme parameters */
+} TPMT_ECC_SCHEME;
+
+/* Table 166 - Definition of {ECC} TPMS_ALGORITHM_DETAIL_ECC Structure <OUT> */
+
+typedef struct {
+ TPM_ECC_CURVE curveID; /* identifier for the curve */
+ UINT16 keySize; /* Size in bits of the key */
+ TPMT_KDF_SCHEME kdf; /* If not TPM_ALG_NULL, the required KDF and hash algorithm
+ used in secret sharing operations */
+ TPMT_ECC_SCHEME sign; /* If not TPM_ALG_NULL, this is the mandatory signature
+ scheme that is required to be used with this curve. */
+ TPM2B_ECC_PARAMETER p; /* Fp (the modulus) */
+ TPM2B_ECC_PARAMETER a; /* coefficient of the linear term in the curve equation */
+ TPM2B_ECC_PARAMETER b; /* constant term for curve equation */
+ TPM2B_ECC_PARAMETER gX; /* x coordinate of base point G */
+ TPM2B_ECC_PARAMETER gY; /* y coordinate of base point G */
+ TPM2B_ECC_PARAMETER n; /* order of G */
+ TPM2B_ECC_PARAMETER h; /* cofactor (a size of zero indicates a cofactor of 1) */
+} TPMS_ALGORITHM_DETAIL_ECC;
+
+/* Table 167 - Definition of {RSA} TPMS_SIGNATURE_RSA Structure */
+
+typedef struct {
+ TPMI_ALG_HASH hash; /* the hash algorithm used to digest the message TPM_ALG_NULL is not allowed. */
+ TPM2B_PUBLIC_KEY_RSA sig; /* The signature is the size of a public key. */
+} TPMS_SIGNATURE_RSA;
+
+/* Table 168 - Definition of Types for {RSA} Signature */
+
+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSASSA;
+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSAPSS;
+
+/* Table 169 - Definition of {ECC} TPMS_SIGNATURE_ECC Structure */
+
+typedef struct {
+ TPMI_ALG_HASH hash; /* the hash algorithm used in the signature process TPM_ALG_NULL is not allowed. */
+ TPM2B_ECC_PARAMETER signatureR;
+ TPM2B_ECC_PARAMETER signatureS;
+} TPMS_SIGNATURE_ECC;
+
+/* Table 170 - Definition of Types for {ECC} TPMS_SIGNATURE_ECC */
+
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDSA;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDAA;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_SM2;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECSCHNORR;
+
+/* Table 171 - Definition of TPMU_SIGNATURE Union <IN/OUT, S> */
+
+typedef union {
+#ifdef TPM_ALG_RSASSA
+ TPMS_SIGNATURE_RSASSA rsassa; /* TPM_ALG_RSASSA */
+#endif
+#ifdef TPM_ALG_RSAPSS
+ TPMS_SIGNATURE_RSAPSS rsapss; /* TPM_ALG_RSAPSS */
+#endif
+#ifdef TPM_ALG_ECDSA
+ TPMS_SIGNATURE_ECDSA ecdsa; /* TPM_ALG_ECDSA */
+#endif
+#ifdef TPM_ALG_ECDAA
+ TPMS_SIGNATURE_ECDSA ecdaa; /* TPM_ALG_ECDAA */
+#endif
+#ifdef TPM_ALG_SM2
+ TPMS_SIGNATURE_ECDSA sm2; /* TPM_ALG_SM2 */
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ TPMS_SIGNATURE_ECDSA ecschnorr; /* TPM_ALG_ECSCHNORR */
+#endif
+#ifdef TPM_ALG_HMAC
+ TPMT_HA hmac; /* TPM_ALG_HMAC */
+#endif
+ TPMS_SCHEME_HASH any; /* used to access the hash */
+} TPMU_SIGNATURE;
+
+/* Table 172 - Definition of TPMT_SIGNATURE Structure */
+
+typedef struct {
+ TPMI_ALG_SIG_SCHEME sigAlg; /* selector of the algorithm used to construct the signature */
+ TPMU_SIGNATURE signature; /* This shall be the actual signature information. */
+} TPMT_SIGNATURE;
+
+/* Table 173 - Definition of TPMU_ENCRYPTED_SECRET Union <S> */
+
+typedef union {
+#ifdef TPM_ALG_ECC
+ BYTE ecc[sizeof(TPMS_ECC_POINT)]; /* TPM_ALG_ECC */
+#endif
+#ifdef TPM_ALG_RSA
+ BYTE rsa[MAX_RSA_KEY_BYTES]; /* TPM_ALG_RSA */
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ BYTE symmetric[sizeof(TPM2B_DIGEST)]; /* TPM_ALG_SYMCIPHER */
+#endif
+#ifdef TPM_ALG_KEYEDHASH
+ BYTE keyedHash[sizeof(TPM2B_DIGEST)]; /* TPM_ALG_KEYEDHASH */
+#endif
+} TPMU_ENCRYPTED_SECRET;
+
+/* Table 174 - Definition of TPM2B_ENCRYPTED_SECRET Structure */
+
+typedef struct {
+ UINT16 size; /* size of the secret value */
+ BYTE secret[sizeof(TPMU_ENCRYPTED_SECRET)]; /* secret */
+} ENCRYPTED_SECRET_2B;
+
+typedef union {
+ ENCRYPTED_SECRET_2B t;
+ TPM2B b;
+} TPM2B_ENCRYPTED_SECRET;
+
+/* Table 175 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
+
+typedef TPM_ALG_ID TPMI_ALG_PUBLIC;
+
+/* Table 176 - Definition of TPMU_PUBLIC_ID Union <IN/OUT, S> */
+
+typedef union {
+#ifdef TPM_ALG_KEYEDHASH
+ TPM2B_DIGEST keyedHash; /* TPM_ALG_KEYEDHASH */
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ TPM2B_DIGEST sym; /* TPM_ALG_SYMCIPHER */
+#endif
+#ifdef TPM_ALG_RSA
+ TPM2B_PUBLIC_KEY_RSA rsa; /* TPM_ALG_RSA */
+#endif
+#ifdef TPM_ALG_ECC
+ TPMS_ECC_POINT ecc; /* TPM_ALG_ECC */
+#endif
+ TPMS_DERIVE derive; /* only allowed for TPM2_CreateLoaded when
+ parentHandle is a Derivation Parent */
+} TPMU_PUBLIC_ID;
+
+/* Table 177 - Definition of TPMS_KEYEDHASH_PARMS Structure */
+
+typedef struct {
+ TPMT_KEYEDHASH_SCHEME scheme; /* Indicates the signing method used for a keyedHash signing object */
+} TPMS_KEYEDHASH_PARMS;
+
+/* Table 178 - Definition of TPMS_ASYM_PARMS Structure <> */
+
+typedef struct {
+ TPMT_SYM_DEF_OBJECT symmetric; /* the companion symmetric algorithm for a restricted decryption key */
+ TPMT_ASYM_SCHEME scheme; /* for a key with the sign attribute SET, a valid signing scheme for the key type */
+} TPMS_ASYM_PARMS;
+
+/* Table 179 - Definition of {RSA} TPMS_RSA_PARMS Structure */
+
+typedef struct {
+ TPMT_SYM_DEF_OBJECT symmetric; /* for a restricted decryption key, shall be set to a supported symmetric algorithm, key size, and mode. */
+ TPMT_RSA_SCHEME scheme; /* for an unrestricted signing key, shall be either TPM_ALG_RSAPSS TPM_ALG_RSASSA or TPM_ALG_NULL */
+ TPMI_RSA_KEY_BITS keyBits; /* number of bits in the public modulus */
+ UINT32 exponent; /* the public exponent */
+} TPMS_RSA_PARMS;
+
+/* Table 180 - Definition of {ECC} TPMS_ECC_PARMS Structure */
+
+typedef struct {
+ TPMT_SYM_DEF_OBJECT symmetric; /* for a restricted decryption key, shall be set to a supported symmetric algorithm, key size. and mode. */
+ TPMT_ECC_SCHEME scheme; /* If the sign attribute of the key is SET, then this shall be a valid signing scheme. */
+ TPMI_ECC_CURVE curveID; /* ECC curve ID */
+ TPMT_KDF_SCHEME kdf; /* an optional key derivation scheme for generating a symmetric key from a Z value */
+} TPMS_ECC_PARMS;
+
+/* Table 181 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
+
+typedef union {
+#ifdef TPM_ALG_KEYEDHASH
+ TPMS_KEYEDHASH_PARMS keyedHashDetail; /* TPM_ALG_KEYEDHASH */
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ TPMS_SYMCIPHER_PARMS symDetail; /* TPM_ALG_SYMCIPHER */
+#endif
+#ifdef TPM_ALG_RSA
+ TPMS_RSA_PARMS rsaDetail; /* TPM_ALG_RSA */
+#endif
+#ifdef TPM_ALG_ECC
+ TPMS_ECC_PARMS eccDetail; /* TPM_ALG_ECC */
+#endif
+ TPMS_ASYM_PARMS asymDetail; /* common scheme structure for RSA and ECC keys */
+} TPMU_PUBLIC_PARMS;
+
+/* Table 182 - Definition of TPMT_PUBLIC_PARMS Structure */
+
+typedef struct {
+ TPMI_ALG_PUBLIC type; /* the algorithm to be tested */
+ TPMU_PUBLIC_PARMS parameters; /* the algorithm details */
+} TPMT_PUBLIC_PARMS;
+
+/* Table 183 - Definition of TPMT_PUBLIC Structure */
+
+typedef struct {
+ TPMI_ALG_PUBLIC type; /* "algorithm" associated with this object */
+ TPMI_ALG_HASH nameAlg; /* algorithm used for computing the Name of the object */
+ TPMA_OBJECT objectAttributes; /* attributes that, along with type, determine the manipulations of this object */
+ TPM2B_DIGEST authPolicy; /* optional policy for using this key */
+ TPMU_PUBLIC_PARMS parameters; /* the algorithm or structure details */
+ TPMU_PUBLIC_ID unique; /* the unique identifier of the structure */
+} TPMT_PUBLIC;
+
+/* Table 184 - Definition of TPM2B_PUBLIC Structure */
+
+typedef struct {
+ UINT16 size; /* size of publicArea */
+ TPMT_PUBLIC publicArea; /* the public area */
+} TPM2B_PUBLIC;
+
+/* Table 192 - Definition of TPM2B_TEMPLATE Structure */
+
+typedef union {
+ struct {
+ UINT16 size; /* size of publicArea */
+ BYTE buffer[sizeof(TPMT_PUBLIC)]; /* the public area */
+ } t;
+ TPM2B b;
+} TPM2B_TEMPLATE;
+
+/* Table 186 - Definition of TPMU_SENSITIVE_COMPOSITE Union <IN/OUT, S> */
+
+typedef union {
+#ifdef TPM_ALG_RSA
+ TPM2B_PRIVATE_KEY_RSA rsa; /* TPM_ALG_RSA a prime factor of the public key */
+#endif
+#ifdef TPM_ALG_ECC
+ TPM2B_ECC_PARAMETER ecc; /* TPM_ALG_ECC the integer private key */
+#endif
+#ifdef TPM_ALG_KEYEDHASH
+ TPM2B_SENSITIVE_DATA bits; /* TPM_ALG_KEYEDHASH the private data */
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ TPM2B_SYM_KEY sym; /* TPM_ALG_SYMCIPHER the symmetric key */
+#endif
+} TPMU_SENSITIVE_COMPOSITE;
+
+/* Table 187 - Definition of TPMT_SENSITIVE Structure */
+
+typedef struct {
+ TPMI_ALG_PUBLIC sensitiveType; /* identifier for the sensitive area */
+ TPM2B_AUTH authValue; /* user authorization data */
+ TPM2B_DIGEST seedValue; /* for asymmetric key object, the optional protection seed; for other objects, the obfuscation value */
+ TPMU_SENSITIVE_COMPOSITE sensitive; /* the type-specific private data */
+} TPMT_SENSITIVE;
+
+/* Table 188 - Definition of TPM2B_SENSITIVE Structure <IN/OUT> */
+
+typedef struct {
+ UINT16 size; /* size of the private structure */
+ TPMT_SENSITIVE sensitiveArea; /* an unencrypted sensitive area */
+} SENSITIVE_2B;
+
+typedef union {
+ SENSITIVE_2B t;
+ TPM2B b;
+} TPM2B_SENSITIVE;
+
+/* Table 189 - Definition of _PRIVATE Structure <> */
+
+typedef struct {
+ TPM2B_DIGEST integrityOuter;
+ TPM2B_DIGEST integrityInner; /* could also be a TPM2B_IV */
+ TPM2B_SENSITIVE sensitive; /* the sensitive area */
+} _PRIVATE;
+
+/* Table 190 - Definition of TPM2B_PRIVATE Structure <IN/OUT, S> */
+
+typedef struct {
+ UINT16 size; /* size of the private structure */
+ BYTE buffer[sizeof(_PRIVATE)]; /* an encrypted private area */
+} PRIVATE_2B;
+
+typedef union {
+ PRIVATE_2B t;
+ TPM2B b;
+} TPM2B_PRIVATE;
+
+/* Table 191 - Definition of _ID_OBJECT Structure <> */
+
+typedef struct {
+ TPM2B_DIGEST integrityHMAC; /* HMAC using the nameAlg of the storage key on the target TPM */
+ TPM2B_DIGEST encIdentity; /* credential protector information returned if name matches the referenced object */
+} _ID_OBJECT;
+
+/* Table 192 - Definition of TPM2B_ID_OBJECT Structure <IN/OUT> */
+
+typedef struct {
+ UINT16 size; /* size of the credential structure */
+ BYTE credential[sizeof(_ID_OBJECT)]; /* an encrypted credential area */
+} ID_OBJECT_2B;
+
+typedef union {
+ ID_OBJECT_2B t;
+ TPM2B b;
+} TPM2B_ID_OBJECT;
+
+/* Table 193 - Definition of (UINT32) TPM_NV_INDEX Bits <> */
+
+#if defined TPM_BITFIELD_LE
+
+typedef union {
+ struct {
+ unsigned int index : 24; /* 23:0 The Index of the NV location */
+ unsigned int RH_NV : 8; /* 31:24 constant value of TPM_HT_NV_INDEX indicating the NV Index range */
+ };
+ UINT32 val;
+} TPM_NV_INDEX;
+
+#elif defined TPM_BITFIELD_BE
+
+typedef union {
+ struct {
+ unsigned int RH_NV : 8; /* 31:24 constant value of TPM_HT_NV_INDEX indicating the NV Index range */
+ unsigned int index : 24; /* 23:0 The Index of the NV location */
+ };
+ UINT32 val;
+} TPM_NV_INDEX;
+
+#else
+
+typedef struct {
+ UINT32 val;
+} TPM_NV_INDEX;
+
+#endif
+
+#define TPM_NV_INDEX_INDEX 0x00ffffff
+#define TPM_NV_INDEX_RH_NV 0xff000000
+
+/* Table 194 - Definition of TPM_NT Constants */
+
+#define TPM_NT_ORDINARY 0x0 /* Ordinary - contains data that is opaque to the TPM that can only be modified using TPM2_NV_Write(). */
+#define TPM_NT_COUNTER 0x1 /* Counter - contains an 8-octet value that is to be used as a
+ counter and can only be modified with TPM2_NV_Increment() */
+#define TPM_NT_BITS 0x2 /* Bit Field - contains an 8-octet value to be used as a bit field
+ and can only be modified with TPM2_NV_SetBits(). */
+#define TPM_NT_EXTEND 0x4 /* Extend - contains a digest-sized value used like a PCR. The Index
+ can only be modified using TPM2_NV_Extend(). The extend will use
+ the nameAlg of the Index. */
+#define TPM_NT_PIN_FAIL 0x8 /* PIN Fail - contains a PIN limit and a PIN count that increments on a PIN authorization failure */
+#define TPM_NT_PIN_PASS 0x9 /* PIN Pass - contains a PIN limit and a PIN count that increments on a PIN authorization success */
+
+/* Table 204 - Definition of TPMS_NV_PIN_COUNTER_PARAMETERS Structure */
+
+typedef struct {
+ uint32_t pinCount; /* This counter shows the current number of successful authValue
+ authorization attempts to access a TPM_NT_PIN_PASS index or the current
+ number of unsuccessful authValue authorization attempts to access a
+ TPM_NT_PIN_FAIL index. */
+ uint32_t pinLimit; /* This threshold is the value of pinCount at which the authValue
+ authorization of the host TPM_NT_PIN_PASS or TPM_NT_PIN_FAIL index is
+ locked out. */
+} TPMS_NV_PIN_COUNTER_PARAMETERS;
+
+/* Table 205 - Definition of (UINT32) TPMA_NV Bits */
+
+#if defined TPM_BITFIELD_LE
+
+typedef union {
+ struct {
+ unsigned int TPMA_NV_PPWRITE : 1; /* 0 The Index data can be written if Platform Authorization is provided. */
+ unsigned int TPMA_NV_OWNERWRITE : 1; /* 1 The Index data can be written if Owner Authorization is provided. */
+ unsigned int TPMA_NV_AUTHWRITE : 1; /* 2 Authorizations to change the Index contents that require USER role may be provided with an HMAC session or password. */
+ unsigned int TPMA_NV_POLICYWRITE : 1; /* 3 Authorizations to change the Index contents that require USER role may be provided with a policy session. */
+ unsigned int TPM_NT : 4; /* 7:4 The type of the index */
+ unsigned int Reserved1 : 2; /* 9:8 shall be zero reserved for future use */
+ unsigned int TPMA_NV_POLICY_DELETE : 1; /* 10 Index may not be deleted unless the authPolicy is satisfied. */
+ unsigned int TPMA_NV_WRITELOCKED : 1; /* 11 Index cannot be written. */
+ unsigned int TPMA_NV_WRITEALL : 1; /* 12 A partial write of the Index data is not allowed. The write size shall match the defined space size. */
+ unsigned int TPMA_NV_WRITEDEFINE : 1; /* 13 TPM2_NV_WriteLock() may be used to prevent further writes to this location. */
+ unsigned int TPMA_NV_WRITE_STCLEAR : 1; /* 14 TPM2_NV_WriteLock() may be used to prevent further writes to this location until the next TPM Reset or TPM Restart. */
+ unsigned int TPMA_NV_GLOBALLOCK : 1; /* 15 If TPM2_NV_GlobalLock() is successful, then further writes are not permitted until the next TPM Reset or TPM Restart. */
+ unsigned int TPMA_NV_PPREAD : 1; /* 16 The Index data can be read if Platform Authorization is provided. */
+ unsigned int TPMA_NV_OWNERREAD : 1; /* 17 The Index data can be read if Owner Authorization is provided. */
+ unsigned int TPMA_NV_AUTHREAD : 1; /* 18 The Index data may be read if the authValue is provided. */
+ unsigned int TPMA_NV_POLICYREAD : 1; /* 19 The Index data may be read if the authPolicy is satisfied. */
+ unsigned int Reserved2 : 5; /* 24:20 shall be zero reserved for future use */
+ unsigned int TPMA_NV_NO_DA : 1; /* 25 Authorization failures of the Index do not affect the DA logic */
+ unsigned int TPMA_NV_ORDERLY : 1; /* 26 NV Index state is only required to be saved when the TPM performs an orderly shutdown */
+ unsigned int TPMA_NV_CLEAR_STCLEAR : 1; /* 27 TPMA_NV_WRITTEN for the Index is CLEAR by TPM Reset or TPM Restart. */
+ unsigned int TPMA_NV_READLOCKED : 1; /* 28 Reads of the Index are blocked until the next TPM Reset or TPM Restart. */
+ unsigned int TPMA_NV_WRITTEN : 1; /* 29 Index has been written. */
+ unsigned int TPMA_NV_PLATFORMCREATE : 1; /* 30 This Index may be undefined with Platform Authorization but not with Owner Authorization. */
+ unsigned int TPMA_NV_READ_STCLEAR : 1; /* 31 TPM2_NV_ReadLock() may be used to SET TPMA_NV_READLOCKED for this Index. */
+ };
+ UINT32 val;
+} TPMA_NV;
+
+#elif defined TPM_BITFIELD_BE
+
+typedef union {
+ struct {
+ unsigned int TPMA_NV_READ_STCLEAR : 1; /* 31 TPM2_NV_ReadLock() may be used to SET TPMA_NV_READLOCKED for this Index. */
+ unsigned int TPMA_NV_PLATFORMCREATE : 1; /* 30 This Index may be undefined with Platform Authorization but not with Owner Authorization. */
+ unsigned int TPMA_NV_WRITTEN : 1; /* 29 Index has been written. */
+ unsigned int TPMA_NV_READLOCKED : 1; /* 28 Reads of the Index are blocked until the next TPM Reset or TPM Restart. */
+ unsigned int TPMA_NV_CLEAR_STCLEAR : 1; /* 27 TPMA_NV_WRITTEN for the Index is CLEAR by TPM Reset or TPM Restart. */
+ unsigned int TPMA_NV_ORDERLY : 1; /* 26 NV Index state is only required to be saved when the TPM performs an orderly shutdown */
+ unsigned int TPMA_NV_NO_DA : 1; /* 25 Authorization failures of the Index do not affect the DA logic */
+ unsigned int Reserved2 : 5; /* 24:20 shall be zero reserved for future use */
+ unsigned int TPMA_NV_POLICYREAD : 1; /* 19 The Index data may be read if the authPolicy is satisfied. */
+ unsigned int TPMA_NV_AUTHREAD : 1; /* 18 The Index data may be read if the authValue is provided. */
+ unsigned int TPMA_NV_OWNERREAD : 1; /* 17 The Index data can be read if Owner Authorization is provided. */
+ unsigned int TPMA_NV_PPREAD : 1; /* 16 The Index data can be read if Platform Authorization is provided. */
+ unsigned int TPMA_NV_GLOBALLOCK : 1; /* 15 If TPM2_NV_GlobalLock() is successful, then further writes are not permitted until the next TPM Reset or TPM Restart. */
+ unsigned int TPMA_NV_WRITE_STCLEAR : 1; /* 14 TPM2_NV_WriteLock() may be used to prevent further writes to this location until the next TPM Reset or TPM Restart. */
+ unsigned int TPMA_NV_WRITEDEFINE : 1; /* 13 TPM2_NV_WriteLock() may be used to prevent further writes to this location. */
+ unsigned int TPMA_NV_WRITEALL : 1; /* 12 A partial write of the Index data is not allowed. The write size shall match the defined space size. */
+ unsigned int TPMA_NV_WRITELOCKED : 1; /* 11 Index cannot be written. */
+ unsigned int TPMA_NV_POLICY_DELETE : 1; /* 10 Index may not be deleted unless the authPolicy is satisfied. */
+ unsigned int Reserved1 : 2; /* 9:8 shall be zero reserved for future use */
+ unsigned int TPM_NT : 4; /* 7:4 The type of the index */
+ unsigned int TPMA_NV_POLICYWRITE : 1; /* 3 Authorizations to change the Index contents that require USER role may be provided with a policy session. */
+ unsigned int TPMA_NV_AUTHWRITE : 1; /* 2 Authorizations to change the Index contents that require USER role may be provided with an HMAC session or password. */
+ unsigned int TPMA_NV_OWNERWRITE : 1; /* 1 The Index data can be written if Owner Authorization is provided. */
+ unsigned int TPMA_NV_PPWRITE : 1; /* 0 The Index data can be written if Platform Authorization is provided. */
+ };
+ UINT32 val;
+} TPMA_NV;
+
+#else
+
+typedef struct {
+ UINT32 val;
+} TPMA_NV;
+
+#endif
+
+#define TPMA_NVA_PPWRITE 0x00000001
+#define TPMA_NVA_OWNERWRITE 0x00000002
+#define TPMA_NVA_AUTHWRITE 0x00000004
+#define TPMA_NVA_POLICYWRITE 0x00000008
+#define TPMA_NVA_ORDINARY 0x00000000
+#define TPMA_NVA_COUNTER 0x00000010
+#define TPMA_NVA_BITS 0x00000020
+#define TPMA_NVA_EXTEND 0x00000040
+#define TPMA_NVA_PIN_FAIL 0x00000080
+#define TPMA_NVA_PIN_PASS 0x00000090
+#define TPMA_NVA_RESERVED1 0x00000300
+#define TPMA_NVA_POLICY_DELETE 0x00000400
+#define TPMA_NVA_WRITELOCKED 0x00000800
+#define TPMA_NVA_WRITEALL 0x00001000
+#define TPMA_NVA_WRITEDEFINE 0x00002000
+#define TPMA_NVA_WRITE_STCLEAR 0x00004000
+#define TPMA_NVA_GLOBALLOCK 0x00008000
+#define TPMA_NVA_PPREAD 0x00010000
+#define TPMA_NVA_OWNERREAD 0x00020000
+#define TPMA_NVA_AUTHREAD 0x00040000
+#define TPMA_NVA_POLICYREAD 0x00080000
+#define TPMA_NVA_RESERVED2 0x01f00000
+#define TPMA_NVA_NO_DA 0x02000000
+#define TPMA_NVA_ORDERLY 0x04000000
+#define TPMA_NVA_CLEAR_STCLEAR 0x08000000
+#define TPMA_NVA_READLOCKED 0x10000000
+#define TPMA_NVA_WRITTEN 0x20000000
+#define TPMA_NVA_PLATFORMCREATE 0x40000000
+#define TPMA_NVA_READ_STCLEAR 0x80000000
+
+#define TPMA_NVA_TPM_NT_MASK 0x000000f0
+#define TPMA_NV_RESERVED (TPMA_NVA_RESERVED1 | TPMA_NVA_RESERVED2)
+
+/* Table 197 - Definition of TPMS_NV_PUBLIC Structure */
+
+typedef struct {
+ TPMI_RH_NV_INDEX nvIndex; /* the handle of the data area */
+ TPMI_ALG_HASH nameAlg; /* hash algorithm used to compute the name of the Index and used for the authPolicy */
+ TPMA_NV attributes; /* the Index attributes */
+ TPM2B_DIGEST authPolicy; /* optional access policy for the Index */
+ UINT16 dataSize; /* the size of the data area */
+} TPMS_NV_PUBLIC;
+
+/* Table 198 - Definition of TPM2B_NV_PUBLIC Structure */
+
+typedef struct {
+ UINT16 size; /* size of nvPublic */
+ TPMS_NV_PUBLIC nvPublic; /* the public area */
+} TPM2B_NV_PUBLIC;
+
+/* Table 199 - Definition of TPM2B_CONTEXT_SENSITIVE Structure <IN/OUT> */
+
+typedef struct {
+ UINT16 size;
+ BYTE buffer[MAX_CONTEXT_SIZE]; /* the sensitive data */
+} CONTEXT_SENSITIVE_2B;
+
+typedef union {
+ CONTEXT_SENSITIVE_2B t;
+ TPM2B b;
+} TPM2B_CONTEXT_SENSITIVE;
+
+/* Table 200 - Definition of TPMS_CONTEXT_DATA Structure <IN/OUT, S> */
+
+typedef struct {
+ TPM2B_DIGEST integrity; /* the integrity value */
+ TPM2B_CONTEXT_SENSITIVE encrypted; /* the sensitive area */
+} TPMS_CONTEXT_DATA;
+
+/* Table 201 - Definition of TPM2B_CONTEXT_DATA Structure <IN/OUT> */
+
+typedef struct {
+ UINT16 size;
+ BYTE buffer[sizeof(TPMS_CONTEXT_DATA)];
+} CONTEXT_DATA_2B;
+
+typedef union {
+ CONTEXT_DATA_2B t;
+ TPM2B b;
+} TPM2B_CONTEXT_DATA;
+
+/* Table 202 - Definition of TPMS_CONTEXT Structure */
+
+typedef struct {
+ UINT64 sequence; /* the sequence number of the context */
+ TPMI_DH_SAVED savedHandle; /* a handle indicating if the context is a session, object or sequence object */
+ TPMI_RH_HIERARCHY hierarchy; /* the hierarchy of the context */
+ TPM2B_CONTEXT_DATA contextBlob; /* the context data and integrity HMAC */
+} TPMS_CONTEXT;
+
+/* Table 203 - Context Handle Values */
+
+#define TPM_CONTEXT_HANDLE_HMAC 0x02000000 /* an HMAC session context */
+#define TPM_CONTEXT_HANDLE_POLICY_SESSION 0x03000000 /* a policy session context */
+#define TPM_CONTEXT_HANDLE_TRANSIENT 0x80000000 /* an ordinary transient object */
+#define TPM_CONTEXT_HANDLE_SEQUENCE 0x80000001 /* a sequence object */
+#define TPM_CONTEXT_HANDLE_STCLEAR 0x80000002 /* a transient object with the stClear attribute SET */
+
+/* Table 204 - Definition of TPMS_CREATION_DATA Structure <OUT> */
+
+typedef struct {
+ TPML_PCR_SELECTION pcrSelect; /* list indicating the PCR included in pcrDigest */
+ TPM2B_DIGEST pcrDigest; /* digest of the selected PCR using nameAlg of the object for which this structure is being created */
+ TPMA_LOCALITY locality; /* the locality at which the object was created */
+ TPM_ALG_ID parentNameAlg; /* nameAlg of the parent */
+ TPM2B_NAME parentName; /* Name of the parent at time of creation */
+ TPM2B_NAME parentQualifiedName; /* Qualified Name of the parent at the time of creation */
+ TPM2B_DATA outsideInfo; /* association with additional information added by the key creator */
+} TPMS_CREATION_DATA;
+
+/* Table 205 - Definition of TPM2B_CREATION_DATA Structure <OUT> */
+
+typedef struct {
+ UINT16 size; /* size of the creation data */
+ TPMS_CREATION_DATA creationData;
+} TPM2B_CREATION_DATA;
+
+typedef struct tdNTC2_CFG_STRUCT {
+ uint8_t i2cLoc1_2;
+ uint8_t i2cLoc3_4;
+ uint8_t AltCfg;
+ uint8_t Direction;
+ uint8_t PullUp;
+ uint8_t PushPull;
+ uint8_t CFG_A;
+ uint8_t CFG_B;
+ uint8_t CFG_C;
+ uint8_t CFG_D;
+ uint8_t CFG_E;
+ uint8_t CFG_F;
+ uint8_t CFG_G;
+ uint8_t CFG_H;
+ uint8_t CFG_I;
+ uint8_t CFG_J;
+ uint8_t IsValid; /* Must be AAh */
+ uint8_t IsLocked; /* Ignored on NTC2_PreConfig, NTC2_GetConfig returns AAh once configuration
+ is locked. */
+} NTC2_CFG_STRUCT;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/TakeOwnership_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/TakeOwnership_fp.h
new file mode 100644
index 0000000..20a8f66
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/TakeOwnership_fp.h
@@ -0,0 +1,67 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 TakeOwnership */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: TakeOwnership_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TAKEOWNERSHIP_FP_H
+#define TAKEOWNERSHIP_FP_H
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#include <ibmtss/Implementation.h>
+
+typedef struct {
+ TPM_PROTOCOL_ID protocolID;
+ uint32_t encOwnerAuthSize;
+ uint8_t encOwnerAuth[MAX_RSA_KEY_BYTES];
+ uint32_t encSrkAuthSize;
+ uint8_t encSrkAuth[MAX_RSA_KEY_BYTES];
+ TPM_KEY12 srkParams;
+} TakeOwnership_In;
+
+typedef struct {
+ TPM_KEY12 srkPub;
+} TakeOwnership_Out;
+
+TPM_RC
+TPM2_TakeOwnership(
+ TakeOwnership_In *in, // IN: input parameter buffer
+ TakeOwnership_Out *out // OUT: output parameter buffer
+ );
+
+#endif
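Review bot: The TakeOwnership_In struct pairs the fixed arrays encOwnerAuth[MAX_RSA_KEY_BYTES] and encSrkAuth[MAX_RSA_KEY_BYTES] with unbounded uint32_t size fields, and nothing in the header states the invariant that must hold before anything copies into or out of those arrays. Since these buffers carry the encrypted owner and SRK authorizations, a caller that fills the struct from an external source needs that bound spelled out, and the marshaling code that would enforce it is not part of this hunk. I would annotate each size field, e.g. `uint32_t encOwnerAuthSize; /* <= MAX_RSA_KEY_BYTES; the marshaler must reject larger values */` and the same for encSrkAuthSize. Whether the corresponding marshal/unmarshal routines already check this cannot be confirmed from this diff.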
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/TestParms_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/TestParms_fp.h
new file mode 100644
index 0000000..1d0ca4d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/TestParms_fp.h
@@ -0,0 +1,79 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: TestParms_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef TESTPARMS_FP_H
+#define TESTPARMS_FP_H
+
+typedef struct {
+ TPMT_PUBLIC_PARMS parameters;
+} TestParms_In;
+
+#define RC_TestParms_parameters (TPM_RC_P + TPM_RC_1)
+
+TPM_RC
+TPM2_TestParms(
+ TestParms_In *in // IN: input parameter list
+ );
+
+
+#endif
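Review bot: This header is not self-contained: it uses TPMT_PUBLIC_PARMS, TPM_RC, TPM_RC_P and TPM_RC_1 but includes nothing, unlike TakeOwnership_fp.h in the same series, which pulls in its own type headers. A translation unit that includes TestParms_fp.h first will fail to compile, and header-order dependencies like this are easy to break during later refactors. I would add `#include "TPM_Types.h"` after the include guard, matching the form Unmarshal_fp.h uses; presumably TPM_RC_P and TPM_RC_1 come from that header as well, but that should be confirmed against it.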
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/TpmBuildSwitches.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/TpmBuildSwitches.h
new file mode 100644
index 0000000..e61d9ed
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/TpmBuildSwitches.h
@@ -0,0 +1,87 @@
+/********************************************************************************/
+/* */
+/* TSS Compiler Build Switches */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: TpmBuildSwitches.h 1294 2018-08-09 19:08:34Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2018 */
+/* */
+/********************************************************************************/
+
+// 5.12 TpmBuildSwitches.h
+
+// This file contains the build switches.
+
+#ifndef _TPM_BUILD_SWITCHES_H
+#define _TPM_BUILD_SWITCHES_H
+
+// Switch added to support packed lists that leave out space associated with unimplemented
+// commands. Comment this out to use linear lists. NOTE: if vendor specific commands are present,
+// the associated list is always in compressed form.
+#define COMPRESSED_LISTS
+
+#ifdef _MSC_VER
+// This macro is used to handle LIB_EXPORT of function and variable names in lieu of a .def
+// file. Visual Studio requires that functions be explicity exported and imported.
+# define LIB_EXPORT __declspec(dllexport) // VS compatible version
+#endif
+
+// The following definitions are used if they have not already been defined. The defaults for these
+// settings are compatible with ISO/IEC 9899:2011 (E)
+
+#ifndef LIB_EXPORT
+# define LIB_EXPORT
+#endif
+
+#endif // _TPM_BUILD_SWITCHES_H
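Review bot: The include guard `_TPM_BUILD_SWITCHES_H` begins with an underscore followed by an uppercase letter, which the C standard reserves for the implementation, whereas the sibling headers in this series (TAKEOWNERSHIP_FP_H, TESTPARMS_FP_H, UNMARSHAL12_FP_H) use unreserved names. I would rename it in all three places: `#ifndef TPM_BUILD_SWITCHES_H`, `#define TPM_BUILD_SWITCHES_H`, and `#endif // TPM_BUILD_SWITCHES_H`. Separately, LIB_EXPORT is defined as `__declspec(dllexport)` unconditionally under _MSC_VER, so consumers of the DLL get dllexport rather than dllimport; that works but a comment noting it is intentional would help.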
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Unmarshal12_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Unmarshal12_fp.h
new file mode 100644
index 0000000..60149e0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Unmarshal12_fp.h
@@ -0,0 +1,94 @@
+/********************************************************************************/
+/* */
+/* Parameter Unmarshaling */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Unmarshal12_fp.h 1285 2018-07-27 18:33:41Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef UNMARSHAL12_FP_H
+#define UNMARSHAL12_FP_H
+
+#include "TPM_Types.h"
+#include "tpmtypes12.h"
+#include <ibmtss/tpmstructures12.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ TPM_RC
+ TSS_TPM_STARTUP_TYPE_Unmarshalu(TPM_STARTUP_TYPE *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_VERSION_Unmarshalu(TPM_VERSION *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_TAG_Unmarshalu(TPM_TAG *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_PCR_SELECTION_Unmarshalu(TPM_PCR_SELECTION *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM4B_TPM_PCR_INFO_LONG_Unmarshalu(TPM_PCR_INFO_LONG *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_PCR_INFO_LONG_Unmarshalu(TPM_PCR_INFO_LONG *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_PCR_INFO_SHORT_Unmarshalu(TPM_PCR_INFO_SHORT *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_SYMMETRIC_KEY_Unmarshalu(TPM_SYMMETRIC_KEY *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_RSA_KEY_PARMS_Unmarshalu(TPM_RSA_KEY_PARMS *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPMU_PARMS_Unmarshalu(TPMU_PARMS *target, BYTE **buffer, uint32_t *size, uint32_t selector);
+ TPM_RC
+ TSS_TPM4B_TPMU_PARMS_Unmarshalu(TPMU_PARMS *target, BYTE **buffer, uint32_t *size, uint32_t selector);
+ TPM_RC
+ TSS_TPM_KEY_PARMS_Unmarshalu(TPM_KEY_PARMS *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_KEY12_Unmarshalu(TPM_KEY12 *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_STORE_PUBKEY_Unmarshalu(TPM_STORE_PUBKEY *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_PUBKEY_Unmarshalu(TPM_PUBKEY *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_NV_ATTRIBUTES_Unmarshalu(TPM_NV_ATTRIBUTES *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_NV_DATA_PUBLIC_Unmarshalu(TPM_NV_DATA_PUBLIC *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_CAP_VERSION_INFO_Unmarshalu(TPM_CAP_VERSION_INFO *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_DA_INFO_Unmarshalu(TPM_DA_INFO *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_DA_INFO_LIMITED_Unmarshalu(TPM_DA_INFO_LIMITED *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_DA_ACTION_TYPE_Unmarshalu(TPM_DA_ACTION_TYPE *target, BYTE **buffer, uint32_t *size);
+
+#endif
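Review bot: The `extern "C" {` opened under `#ifdef __cplusplus` near the top of Unmarshal12_fp.h is never closed: the file ends with the include-guard `#endif` and no matching `}`, so any C++ translation unit that includes this header gets an unterminated linkage block. The fix is to insert `#ifdef __cplusplus` / `}` / `#endif` immediately before the final `#endif`, the same closing sequence the header at the start of this chunk uses. Two smaller consistency points in the same hunk: the includes mix `"TPM_Types.h"` and `"tpmtypes12.h"` with `<ibmtss/tpmstructures12.h>`, and the TPM 1.2 prototypes lack the LIB_EXPORT qualifier that Unmarshal_fp.h puts on every TSS_*_Unmarshalu declaration, so they will not be exported from a Windows DLL build.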
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Unmarshal_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Unmarshal_fp.h
new file mode 100644
index 0000000..cd3062e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Unmarshal_fp.h
@@ -0,0 +1,696 @@
+/********************************************************************************/
+/* */
+/* Unmarshal Functions */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2019 */
+/* */
+/********************************************************************************/
+
+/* The functions with the TSS_ prefix are preferred. They use an unsigned size. The functions
+ without the prefix are deprecated. */
+
+#ifndef UNMARSHAL_FP_H
+#define UNMARSHAL_FP_H
+
+#include "TPM_Types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ LIB_EXPORT TPM_RC
+ TSS_UINT8_Unmarshalu(UINT8 *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_INT8_Unmarshalu(INT8 *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_UINT16_Unmarshalu(UINT16 *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_UINT32_Unmarshalu(UINT32 *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_INT32_Unmarshalu(INT32 *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_UINT64_Unmarshalu(UINT64 *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_Array_Unmarshalu(BYTE *targetBuffer, UINT16 targetSize, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_Unmarshalu(TPM2B *target, UINT16 targetSize, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_KEY_BITS_Unmarshalu(TPM_KEY_BITS *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_GENERATED_Unmarshalu(TPM_GENERATED *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_ALG_ID_Unmarshalu(TPM_ALG_ID *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_ECC_CURVE_Unmarshalu(TPM_ECC_CURVE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_CC_Unmarshalu(TPM_RC *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_RC_Unmarshalu(TPM_RC *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_CLOCK_ADJUST_Unmarshalu(TPM_CLOCK_ADJUST *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_EO_Unmarshalu(TPM_EO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_ST_Unmarshalu(TPM_ST *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_SU_Unmarshalu(TPM_SU *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_SE_Unmarshalu(TPM_SE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_CAP_Unmarshalu(TPM_CAP *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_PT_Unmarshalu(TPM_HANDLE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_PT_PCR_Unmarshalu(TPM_PT_PCR *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_HANDLE_Unmarshalu(TPM_HANDLE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_ALGORITHM_Unmarshalu(TPMA_ALGORITHM *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_OBJECT_Unmarshalu(TPMA_OBJECT *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_SESSION_Unmarshalu(TPMA_SESSION *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_LOCALITY_Unmarshalu(TPMA_LOCALITY *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_CC_Unmarshalu(TPMA_CC *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_YES_NO_Unmarshalu(TPMI_YES_NO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_OBJECT_Unmarshalu(TPMI_DH_OBJECT *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_PARENT_Unmarshalu(TPMI_DH_PARENT *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_PERSISTENT_Unmarshalu(TPMI_DH_PERSISTENT *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_ENTITY_Unmarshalu(TPMI_DH_ENTITY *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_PCR_Unmarshalu(TPMI_DH_PCR *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_SH_AUTH_SESSION_Unmarshalu(TPMI_SH_AUTH_SESSION *target, BYTE **buffer, uint32_t *size, BOOL allowPwd);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_SH_HMAC_Unmarshalu(TPMI_SH_HMAC *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_SH_POLICY_Unmarshalu(TPMI_SH_POLICY *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_CONTEXT_Unmarshalu(TPMI_DH_CONTEXT *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_SAVED_Unmarshalu(TPMI_DH_SAVED *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_HIERARCHY_Unmarshalu(TPMI_RH_HIERARCHY *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_ENABLES_Unmarshalu(TPMI_RH_ENABLES *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_HIERARCHY_AUTH_Unmarshalu(TPMI_RH_HIERARCHY_AUTH *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_PLATFORM_Unmarshalu(TPMI_RH_PLATFORM *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_ENDORSEMENT_Unmarshalu(TPMI_RH_ENDORSEMENT *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_PROVISION_Unmarshalu(TPMI_RH_PROVISION *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_CLEAR_Unmarshalu(TPMI_RH_CLEAR *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_NV_AUTH_Unmarshalu(TPMI_RH_NV_AUTH *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_LOCKOUT_Unmarshalu(TPMI_RH_LOCKOUT *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_NV_INDEX_Unmarshalu(TPMI_RH_NV_INDEX *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_HASH_Unmarshalu(TPMI_ALG_HASH *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SYM_Unmarshalu(TPMI_ALG_SYM *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SYM_OBJECT_Unmarshalu(TPMI_ALG_SYM_OBJECT *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SYM_MODE_Unmarshalu(TPMI_ALG_SYM_MODE *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_KDF_Unmarshalu(TPMI_ALG_KDF *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SIG_SCHEME_Unmarshalu(TPMI_ALG_SIG_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ECC_KEY_EXCHANGE_Unmarshalu(TPMI_ECC_KEY_EXCHANGE *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ST_COMMAND_TAG_Unmarshalu(TPMI_ST_COMMAND_TAG *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_MAC_SCHEME_Unmarshalu(TPMI_ALG_MAC_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_CIPHER_MODE_Unmarshalu(TPMI_ALG_CIPHER_MODE *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_EMPTY_Unmarshalu(TPMS_EMPTY *target, BYTE **buffer, uint32_t *size)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_HA_Unmarshalu(TPMU_HA *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_HA_Unmarshalu(TPMT_HA *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_DIGEST_Unmarshalu(TPM2B_DIGEST *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_DATA_Unmarshalu(TPM2B_DATA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_NONCE_Unmarshalu(TPM2B_NONCE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_AUTH_Unmarshalu(TPM2B_AUTH *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_OPERAND_Unmarshalu(TPM2B_OPERAND *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_EVENT_Unmarshalu(TPM2B_EVENT *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_MAX_BUFFER_Unmarshalu(TPM2B_MAX_BUFFER *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_MAX_NV_BUFFER_Unmarshalu(TPM2B_MAX_NV_BUFFER *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_TIMEOUT_Unmarshalu(TPM2B_TIMEOUT *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_IV_Unmarshalu(TPM2B_IV *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_NAME_Unmarshalu(TPM2B_NAME *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_PCR_SELECTION_Unmarshalu(TPMS_PCR_SELECTION *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_CREATION_Unmarshalu(TPMT_TK_CREATION *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_VERIFIED_Unmarshalu(TPMT_TK_VERIFIED *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_AUTH_Unmarshalu(TPMT_TK_AUTH *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_HASHCHECK_Unmarshalu(TPMT_TK_HASHCHECK *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ALG_PROPERTY_Unmarshalu(TPMS_ALG_PROPERTY *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TAGGED_PROPERTY_Unmarshalu(TPMS_TAGGED_PROPERTY *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TAGGED_PCR_SELECT_Unmarshalu(TPMS_TAGGED_PCR_SELECT *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_CC_Unmarshalu(TPML_CC *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TAGGED_POLICY_Unmarshalu(TPMS_TAGGED_POLICY *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_CCA_Unmarshalu(TPML_CCA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_ALG_Unmarshalu(TPML_ALG *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_HANDLE_Unmarshalu(TPML_HANDLE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_DIGEST_Unmarshalu(TPML_DIGEST *target, BYTE **buffer, uint32_t *size ,uint32_t minCount);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_DIGEST_VALUES_Unmarshalu(TPML_DIGEST_VALUES *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_PCR_SELECTION_Unmarshalu(TPML_PCR_SELECTION *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_ALG_PROPERTY_Unmarshalu(TPML_ALG_PROPERTY *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_TAGGED_TPM_PROPERTY_Unmarshalu(TPML_TAGGED_TPM_PROPERTY *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_TAGGED_PCR_PROPERTY_Unmarshalu(TPML_TAGGED_PCR_PROPERTY *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_ECC_CURVE_Unmarshalu(TPML_ECC_CURVE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_TAGGED_POLICY_Unmarshalu(TPML_TAGGED_POLICY *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_CAPABILITIES_Unmarshalu(TPMU_CAPABILITIES *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CLOCK_INFO_Unmarshalu(TPMS_CLOCK_INFO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TIME_INFO_Unmarshalu(TPMS_TIME_INFO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TIME_ATTEST_INFO_Unmarshalu(TPMS_TIME_ATTEST_INFO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CERTIFY_INFO_Unmarshalu(TPMS_CERTIFY_INFO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_QUOTE_INFO_Unmarshalu(TPMS_QUOTE_INFO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_COMMAND_AUDIT_INFO_Unmarshalu(TPMS_COMMAND_AUDIT_INFO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SESSION_AUDIT_INFO_Unmarshalu(TPMS_SESSION_AUDIT_INFO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CREATION_INFO_Unmarshalu(TPMS_CREATION_INFO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_NV_CERTIFY_INFO_Unmarshalu(TPMS_NV_CERTIFY_INFO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_NV_DIGEST_CERTIFY_INFO_Unmarshalu(TPMS_NV_DIGEST_CERTIFY_INFO *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ST_ATTEST_Unmarshalu(TPMI_ST_ATTEST *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_ATTEST_Unmarshalu(TPMU_ATTEST *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ATTEST_Unmarshalu(TPMS_ATTEST *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ATTEST_Unmarshalu(TPM2B_ATTEST *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CAPABILITY_DATA_Unmarshalu(TPMS_CAPABILITY_DATA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_AUTH_RESPONSE_Unmarshalu(TPMS_AUTH_RESPONSE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_AES_KEY_BITS_Unmarshalu(TPMI_AES_KEY_BITS *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SYM_KEY_BITS_Unmarshalu(TPMU_SYM_KEY_BITS *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SYM_MODE_Unmarshalu(TPMU_SYM_MODE *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SYM_DEF_Unmarshalu(TPMT_SYM_DEF *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SYM_DEF_OBJECT_Unmarshalu(TPMT_SYM_DEF_OBJECT *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SYM_KEY_Unmarshalu(TPM2B_SYM_KEY *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SYMCIPHER_PARMS_Unmarshalu(TPMS_SYMCIPHER_PARMS *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_LABEL_Unmarshalu(TPM2B_LABEL *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SENSITIVE_DATA_Unmarshalu(TPM2B_SENSITIVE_DATA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SENSITIVE_CREATE_Unmarshalu(TPMS_SENSITIVE_CREATE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SENSITIVE_CREATE_Unmarshalu(TPM2B_SENSITIVE_CREATE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_HASH_Unmarshalu(TPMS_SCHEME_HASH *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_ECDAA_Unmarshalu(TPMS_SCHEME_ECDAA *target, BYTE **buffer, uint32_t *size) ;
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_KEYEDHASH_SCHEME_Unmarshalu(TPMI_ALG_KEYEDHASH_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_HMAC_Unmarshalu(TPMS_SCHEME_HMAC *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_XOR_Unmarshalu(TPMS_SCHEME_XOR *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SCHEME_KEYEDHASH_Unmarshalu(TPMU_SCHEME_KEYEDHASH *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_KEYEDHASH_SCHEME_Unmarshalu(TPMT_KEYEDHASH_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_ECDAA_Unmarshalu(TPMS_SIG_SCHEME_ECDAA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_ECDSA_Unmarshalu(TPMS_SIG_SCHEME_ECDSA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_ECSCHNORR_Unmarshalu(TPMS_SIG_SCHEME_ECSCHNORR *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_RSAPSS_Unmarshalu(TPMS_SIG_SCHEME_RSAPSS *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_RSASSA_Unmarshalu(TPMS_SIG_SCHEME_RSASSA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_SM2_Unmarshalu(TPMS_SIG_SCHEME_SM2 *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SIG_SCHEME_Unmarshalu(TPMU_SIG_SCHEME *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SIG_SCHEME_Unmarshalu(TPMT_SIG_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ENC_SCHEME_OAEP_Unmarshalu(TPMS_ENC_SCHEME_OAEP *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ENC_SCHEME_RSAES_Unmarshalu(TPMS_ENC_SCHEME_RSAES *target, BYTE **buffer, uint32_t *size)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_KEY_SCHEME_ECDH_Unmarshalu(TPMS_KEY_SCHEME_ECDH *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_KEY_SCHEME_ECMQV_Unmarshalu(TPMS_KEY_SCHEME_ECMQV *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_KDF1_SP800_108_Unmarshalu(TPMS_SCHEME_KDF1_SP800_108 *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_KDF1_SP800_56A_Unmarshalu(TPMS_SCHEME_KDF1_SP800_56A *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_KDF2_Unmarshalu(TPMS_SCHEME_KDF2 *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_MGF1_Unmarshalu(TPMS_SCHEME_MGF1 *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_KDF_SCHEME_Unmarshalu(TPMU_KDF_SCHEME *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_KDF_SCHEME_Unmarshalu(TPMT_KDF_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_ASYM_SCHEME_Unmarshalu(TPMI_ALG_ASYM_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_ASYM_SCHEME_Unmarshalu(TPMU_ASYM_SCHEME *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_ASYM_SCHEME_Unmarshalu(TPMT_ASYM_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_RSA_SCHEME_Unmarshalu(TPMI_ALG_RSA_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_RSA_SCHEME_Unmarshalu(TPMT_RSA_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_RSA_DECRYPT_Unmarshalu(TPMI_ALG_RSA_DECRYPT *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_RSA_DECRYPT_Unmarshalu(TPMT_RSA_DECRYPT *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PUBLIC_KEY_RSA_Unmarshalu(TPM2B_PUBLIC_KEY_RSA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RSA_KEY_BITS_Unmarshalu(TPMI_RSA_KEY_BITS *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PRIVATE_KEY_RSA_Unmarshalu(TPM2B_PRIVATE_KEY_RSA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ECC_PARAMETER_Unmarshalu(TPM2B_ECC_PARAMETER *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ECC_POINT_Unmarshalu(TPMS_ECC_POINT *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ECC_POINT_Unmarshalu(TPM2B_ECC_POINT *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_ECC_SCHEME_Unmarshalu(TPMI_ALG_ECC_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ECC_CURVE_Unmarshalu(TPMI_ECC_CURVE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_ECC_SCHEME_Unmarshalu(TPMT_ECC_SCHEME *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ALGORITHM_DETAIL_ECC_Unmarshalu(TPMS_ALGORITHM_DETAIL_ECC *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_RSA_Unmarshalu(TPMS_SIGNATURE_RSA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_RSASSA_Unmarshalu(TPMS_SIGNATURE_RSASSA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_RSAPSS_Unmarshalu(TPMS_SIGNATURE_RSAPSS *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECC_Unmarshalu(TPMS_SIGNATURE_ECC *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECDSA_Unmarshalu(TPMS_SIGNATURE_ECDSA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECDAA_Unmarshalu(TPMS_SIGNATURE_ECDAA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_SM2_Unmarshalu(TPMS_SIGNATURE_SM2 *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECSCHNORR_Unmarshalu(TPMS_SIGNATURE_ECSCHNORR *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SIGNATURE_Unmarshalu(TPMU_SIGNATURE *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SIGNATURE_Unmarshalu(TPMT_SIGNATURE *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ENCRYPTED_SECRET_Unmarshalu(TPM2B_ENCRYPTED_SECRET *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_PUBLIC_Unmarshalu(TPMI_ALG_PUBLIC *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_PUBLIC_ID_Unmarshalu(TPMU_PUBLIC_ID *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_KEYEDHASH_PARMS_Unmarshalu(TPMS_KEYEDHASH_PARMS *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ASYM_PARMS_Unmarshalu(TPMS_ASYM_PARMS *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_RSA_PARMS_Unmarshalu(TPMS_RSA_PARMS *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ECC_PARMS_Unmarshalu(TPMS_ECC_PARMS *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_PUBLIC_PARMS_Unmarshalu(TPMU_PUBLIC_PARMS *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_PUBLIC_PARMS_Unmarshalu(TPMT_PUBLIC_PARMS *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_PUBLIC_Unmarshalu(TPMT_PUBLIC *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PUBLIC_Unmarshalu(TPM2B_PUBLIC *target, BYTE **buffer, uint32_t *size, BOOL allowNull);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_TEMPLATE_Unmarshalu(TPM2B_TEMPLATE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SENSITIVE_COMPOSITE_Unmarshalu(TPMU_SENSITIVE_COMPOSITE *target, BYTE **buffer, uint32_t *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SENSITIVE_Unmarshalu(TPMT_SENSITIVE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SENSITIVE_Unmarshalu(TPM2B_SENSITIVE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PRIVATE_Unmarshalu(TPM2B_PRIVATE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ID_OBJECT_Unmarshalu(TPM2B_ID_OBJECT *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_NV_Unmarshalu(TPMA_NV *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_NV_PUBLIC_Unmarshalu(TPMS_NV_PUBLIC *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_NV_PUBLIC_Unmarshalu(TPM2B_NV_PUBLIC *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_CONTEXT_SENSITIVE_Unmarshalu(TPM2B_CONTEXT_SENSITIVE *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CONTEXT_DATA_Unmarshalu(TPMS_CONTEXT_DATA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_CONTEXT_DATA_Unmarshalu(TPM2B_CONTEXT_DATA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CONTEXT_Unmarshalu(TPMS_CONTEXT *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CREATION_DATA_Unmarshalu(TPMS_CREATION_DATA *target, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_CREATION_DATA_Unmarshalu(TPM2B_CREATION_DATA *target, BYTE **buffer, uint32_t *size);
+
+ /* These functions are deprecated. They were adapted from the TPM side, but the signed size
+ caused static analysis tool warnings. */
+
+ TPM_RC UINT8_Unmarshal(UINT8 *target, BYTE **buffer, INT32 *size);
+ TPM_RC INT8_Unmarshal(INT8 *target, BYTE **buffer, INT32 *size);
+ TPM_RC UINT16_Unmarshal(UINT16 *target, BYTE **buffer, INT32 *size);
+ TPM_RC UINT32_Unmarshal(UINT32 *target, BYTE **buffer, INT32 *size);
+ TPM_RC INT32_Unmarshal(INT32 *target, BYTE **buffer, INT32 *size);
+ TPM_RC UINT64_Unmarshal(UINT64 *target, BYTE **buffer, INT32 *size);
+ TPM_RC Array_Unmarshal(BYTE *targetBuffer, UINT16 targetSize, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_Unmarshal(TPM2B *target, UINT16 targetSize, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_KEY_BITS_Unmarshal(TPM_KEY_BITS *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_GENERATED_Unmarshal(TPM_GENERATED *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_ALG_ID_Unmarshal(TPM_ALG_ID *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_ECC_CURVE_Unmarshal(TPM_ECC_CURVE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_CC_Unmarshal(TPM_RC *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_RC_Unmarshal(TPM_RC *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_CLOCK_ADJUST_Unmarshal(TPM_CLOCK_ADJUST *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_EO_Unmarshal(TPM_EO *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_ST_Unmarshal(TPM_ST *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_SU_Unmarshal(TPM_SU *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_SE_Unmarshal(TPM_SE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_CAP_Unmarshal(TPM_CAP *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_PT_Unmarshal(TPM_HANDLE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_PT_PCR_Unmarshal(TPM_PT_PCR *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM_HANDLE_Unmarshal(TPM_HANDLE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMA_ALGORITHM_Unmarshal(TPMA_ALGORITHM *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMA_OBJECT_Unmarshal(TPMA_OBJECT *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMA_SESSION_Unmarshal(TPMA_SESSION *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMA_LOCALITY_Unmarshal(TPMA_LOCALITY *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMA_CC_Unmarshal(TPMA_CC *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMI_YES_NO_Unmarshal(TPMI_YES_NO *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMI_DH_OBJECT_Unmarshal(TPMI_DH_OBJECT *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_DH_PARENT_Unmarshal(TPMI_DH_PARENT *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_DH_PERSISTENT_Unmarshal(TPMI_DH_PERSISTENT *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMI_DH_ENTITY_Unmarshal(TPMI_DH_ENTITY *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_DH_PCR_Unmarshal(TPMI_DH_PCR *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_SH_AUTH_SESSION_Unmarshal(TPMI_SH_AUTH_SESSION *target, BYTE **buffer, INT32 *size, BOOL allowPwd);
+ TPM_RC TPMI_SH_HMAC_Unmarshal(TPMI_SH_HMAC *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_SH_POLICY_Unmarshal(TPMI_SH_POLICY *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_DH_CONTEXT_Unmarshal(TPMI_DH_CONTEXT *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_RH_HIERARCHY_Unmarshal(TPMI_RH_HIERARCHY *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_RH_ENABLES_Unmarshal(TPMI_RH_ENABLES *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_RH_HIERARCHY_AUTH_Unmarshal(TPMI_RH_HIERARCHY_AUTH *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_RH_PLATFORM_Unmarshal(TPMI_RH_PLATFORM *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_RH_ENDORSEMENT_Unmarshal(TPMI_RH_ENDORSEMENT *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_RH_PROVISION_Unmarshal(TPMI_RH_PROVISION *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_RH_CLEAR_Unmarshal(TPMI_RH_CLEAR *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_RH_NV_AUTH_Unmarshal(TPMI_RH_NV_AUTH *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_RH_LOCKOUT_Unmarshal(TPMI_RH_LOCKOUT *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_RH_NV_INDEX_Unmarshal(TPMI_RH_NV_INDEX *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ALG_HASH_Unmarshal(TPMI_ALG_HASH *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ALG_SYM_Unmarshal(TPMI_ALG_SYM *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ALG_SYM_OBJECT_Unmarshal(TPMI_ALG_SYM_OBJECT *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ALG_SYM_MODE_Unmarshal(TPMI_ALG_SYM_MODE *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ALG_KDF_Unmarshal(TPMI_ALG_KDF *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ALG_SIG_SCHEME_Unmarshal(TPMI_ALG_SIG_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ECC_KEY_EXCHANGE_Unmarshal(TPMI_ECC_KEY_EXCHANGE *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ST_COMMAND_TAG_Unmarshal(TPMI_ST_COMMAND_TAG *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMI_ALG_MAC_SCHEME_Unmarshal(TPMI_ALG_MAC_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ALG_CIPHER_MODE_Unmarshal(TPMI_ALG_CIPHER_MODE *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMS_EMPTY_Unmarshal(TPMS_EMPTY *target, BYTE **buffer, INT32 *size)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+ TPM_RC TPMU_HA_Unmarshal(TPMU_HA *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMT_HA_Unmarshal(TPMT_HA *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPM2B_DIGEST_Unmarshal(TPM2B_DIGEST *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_DATA_Unmarshal(TPM2B_DATA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_NONCE_Unmarshal(TPM2B_NONCE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_AUTH_Unmarshal(TPM2B_AUTH *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_OPERAND_Unmarshal(TPM2B_OPERAND *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_EVENT_Unmarshal(TPM2B_EVENT *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_MAX_BUFFER_Unmarshal(TPM2B_MAX_BUFFER *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_MAX_NV_BUFFER_Unmarshal(TPM2B_MAX_NV_BUFFER *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_TIMEOUT_Unmarshal(TPM2B_TIMEOUT *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_IV_Unmarshal(TPM2B_IV *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_NAME_Unmarshal(TPM2B_NAME *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_PCR_SELECTION_Unmarshal(TPMS_PCR_SELECTION *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMT_TK_CREATION_Unmarshal(TPMT_TK_CREATION *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMT_TK_VERIFIED_Unmarshal(TPMT_TK_VERIFIED *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMT_TK_AUTH_Unmarshal(TPMT_TK_AUTH *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMT_TK_HASHCHECK_Unmarshal(TPMT_TK_HASHCHECK *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_ALG_PROPERTY_Unmarshal(TPMS_ALG_PROPERTY *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_TAGGED_PROPERTY_Unmarshal(TPMS_TAGGED_PROPERTY *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_TAGGED_PCR_SELECT_Unmarshal(TPMS_TAGGED_PCR_SELECT *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPML_CC_Unmarshal(TPML_CC *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_TAGGED_POLICY_Unmarshal(TPMS_TAGGED_POLICY *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPML_CCA_Unmarshal(TPML_CCA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPML_ALG_Unmarshal(TPML_ALG *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPML_HANDLE_Unmarshal(TPML_HANDLE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPML_DIGEST_Unmarshal(TPML_DIGEST *target, BYTE **buffer, INT32 *size,uint32_t minCount);
+ TPM_RC TPML_DIGEST_VALUES_Unmarshal(TPML_DIGEST_VALUES *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPML_PCR_SELECTION_Unmarshal(TPML_PCR_SELECTION *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPML_ALG_PROPERTY_Unmarshal(TPML_ALG_PROPERTY *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPML_TAGGED_TPM_PROPERTY_Unmarshal(TPML_TAGGED_TPM_PROPERTY *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPML_TAGGED_PCR_PROPERTY_Unmarshal(TPML_TAGGED_PCR_PROPERTY *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPML_ECC_CURVE_Unmarshal(TPML_ECC_CURVE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPML_TAGGED_POLICY_Unmarshal(TPML_TAGGED_POLICY *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMU_CAPABILITIES_Unmarshal(TPMU_CAPABILITIES *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMS_CLOCK_INFO_Unmarshal(TPMS_CLOCK_INFO *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_TIME_INFO_Unmarshal(TPMS_TIME_INFO *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_TIME_ATTEST_INFO_Unmarshal(TPMS_TIME_ATTEST_INFO *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_CERTIFY_INFO_Unmarshal(TPMS_CERTIFY_INFO *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_QUOTE_INFO_Unmarshal(TPMS_QUOTE_INFO *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_COMMAND_AUDIT_INFO_Unmarshal(TPMS_COMMAND_AUDIT_INFO *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SESSION_AUDIT_INFO_Unmarshal(TPMS_SESSION_AUDIT_INFO *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_CREATION_INFO_Unmarshal(TPMS_CREATION_INFO *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_NV_CERTIFY_INFO_Unmarshal(TPMS_NV_CERTIFY_INFO *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMI_ST_ATTEST_Unmarshal(TPMI_ST_ATTEST *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMU_ATTEST_Unmarshal(TPMU_ATTEST *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMS_ATTEST_Unmarshal(TPMS_ATTEST *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_ATTEST_Unmarshal(TPM2B_ATTEST *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_CAPABILITY_DATA_Unmarshal(TPMS_CAPABILITY_DATA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_AUTH_RESPONSE_Unmarshal(TPMS_AUTH_RESPONSE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMI_AES_KEY_BITS_Unmarshal(TPMI_AES_KEY_BITS *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMU_SYM_KEY_BITS_Unmarshal(TPMU_SYM_KEY_BITS *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMU_SYM_MODE_Unmarshal(TPMU_SYM_MODE *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMT_SYM_DEF_Unmarshal(TPMT_SYM_DEF *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMT_SYM_DEF_OBJECT_Unmarshal(TPMT_SYM_DEF_OBJECT *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPM2B_SYM_KEY_Unmarshal(TPM2B_SYM_KEY *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SYMCIPHER_PARMS_Unmarshal(TPMS_SYMCIPHER_PARMS *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_LABEL_Unmarshal(TPM2B_LABEL *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_SENSITIVE_DATA_Unmarshal(TPM2B_SENSITIVE_DATA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SENSITIVE_CREATE_Unmarshal(TPMS_SENSITIVE_CREATE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_SENSITIVE_CREATE_Unmarshal(TPM2B_SENSITIVE_CREATE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SCHEME_HASH_Unmarshal(TPMS_SCHEME_HASH *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SCHEME_ECDAA_Unmarshal(TPMS_SCHEME_ECDAA *target, BYTE **buffer, INT32 *size) ;
+ TPM_RC TPMI_ALG_KEYEDHASH_SCHEME_Unmarshal(TPMI_ALG_KEYEDHASH_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMS_SCHEME_HMAC_Unmarshal(TPMS_SCHEME_HMAC *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SCHEME_XOR_Unmarshal(TPMS_SCHEME_XOR *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMU_SCHEME_KEYEDHASH_Unmarshal(TPMU_SCHEME_KEYEDHASH *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMT_KEYEDHASH_SCHEME_Unmarshal(TPMT_KEYEDHASH_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMS_SIG_SCHEME_ECDAA_Unmarshal(TPMS_SIG_SCHEME_ECDAA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIG_SCHEME_ECDSA_Unmarshal(TPMS_SIG_SCHEME_ECDSA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIG_SCHEME_ECSCHNORR_Unmarshal(TPMS_SIG_SCHEME_ECSCHNORR *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIG_SCHEME_RSAPSS_Unmarshal(TPMS_SIG_SCHEME_RSAPSS *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIG_SCHEME_RSASSA_Unmarshal(TPMS_SIG_SCHEME_RSASSA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIG_SCHEME_SM2_Unmarshal(TPMS_SIG_SCHEME_SM2 *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMU_SIG_SCHEME_Unmarshal(TPMU_SIG_SCHEME *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMT_SIG_SCHEME_Unmarshal(TPMT_SIG_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMS_ENC_SCHEME_OAEP_Unmarshal(TPMS_ENC_SCHEME_OAEP *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_ENC_SCHEME_RSAES_Unmarshal(TPMS_ENC_SCHEME_RSAES *target, BYTE **buffer, INT32 *size)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+ TPM_RC TPMS_KEY_SCHEME_ECDH_Unmarshal(TPMS_KEY_SCHEME_ECDH *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_KEY_SCHEME_ECMQV_Unmarshal(TPMS_KEY_SCHEME_ECMQV *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SCHEME_KDF1_SP800_108_Unmarshal(TPMS_SCHEME_KDF1_SP800_108 *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SCHEME_KDF1_SP800_56A_Unmarshal(TPMS_SCHEME_KDF1_SP800_56A *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SCHEME_KDF2_Unmarshal(TPMS_SCHEME_KDF2 *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SCHEME_MGF1_Unmarshal(TPMS_SCHEME_MGF1 *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMU_KDF_SCHEME_Unmarshal(TPMU_KDF_SCHEME *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMT_KDF_SCHEME_Unmarshal(TPMT_KDF_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ALG_ASYM_SCHEME_Unmarshal(TPMI_ALG_ASYM_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMU_ASYM_SCHEME_Unmarshal(TPMU_ASYM_SCHEME *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMT_ASYM_SCHEME_Unmarshal(TPMT_ASYM_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ALG_RSA_SCHEME_Unmarshal(TPMI_ALG_RSA_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMT_RSA_SCHEME_Unmarshal(TPMT_RSA_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ALG_RSA_DECRYPT_Unmarshal(TPMI_ALG_RSA_DECRYPT *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMT_RSA_DECRYPT_Unmarshal(TPMT_RSA_DECRYPT *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPM2B_PUBLIC_KEY_RSA_Unmarshal(TPM2B_PUBLIC_KEY_RSA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMI_RSA_KEY_BITS_Unmarshal(TPMI_RSA_KEY_BITS *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_PRIVATE_KEY_RSA_Unmarshal(TPM2B_PRIVATE_KEY_RSA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_ECC_PARAMETER_Unmarshal(TPM2B_ECC_PARAMETER *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_ECC_POINT_Unmarshal(TPMS_ECC_POINT *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_ECC_POINT_Unmarshal(TPM2B_ECC_POINT *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMI_ALG_ECC_SCHEME_Unmarshal(TPMI_ALG_ECC_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMI_ECC_CURVE_Unmarshal(TPMI_ECC_CURVE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMT_ECC_SCHEME_Unmarshal(TPMT_ECC_SCHEME *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPMS_ALGORITHM_DETAIL_ECC_Unmarshal(TPMS_ALGORITHM_DETAIL_ECC *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIGNATURE_RSA_Unmarshal(TPMS_SIGNATURE_RSA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIGNATURE_RSASSA_Unmarshal(TPMS_SIGNATURE_RSASSA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIGNATURE_RSAPSS_Unmarshal(TPMS_SIGNATURE_RSAPSS *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIGNATURE_ECC_Unmarshal(TPMS_SIGNATURE_ECC *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIGNATURE_ECDSA_Unmarshal(TPMS_SIGNATURE_ECDSA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIGNATURE_ECDAA_Unmarshal(TPMS_SIGNATURE_ECDAA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIGNATURE_SM2_Unmarshal(TPMS_SIGNATURE_SM2 *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_SIGNATURE_ECSCHNORR_Unmarshal(TPMS_SIGNATURE_ECSCHNORR *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMU_SIGNATURE_Unmarshal(TPMU_SIGNATURE *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMT_SIGNATURE_Unmarshal(TPMT_SIGNATURE *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPM2B_ENCRYPTED_SECRET_Unmarshal(TPM2B_ENCRYPTED_SECRET *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMI_ALG_PUBLIC_Unmarshal(TPMI_ALG_PUBLIC *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMU_PUBLIC_ID_Unmarshal(TPMU_PUBLIC_ID *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMS_KEYEDHASH_PARMS_Unmarshal(TPMS_KEYEDHASH_PARMS *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_ASYM_PARMS_Unmarshal(TPMS_ASYM_PARMS *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_RSA_PARMS_Unmarshal(TPMS_RSA_PARMS *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_ECC_PARMS_Unmarshal(TPMS_ECC_PARMS *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMU_PUBLIC_PARMS_Unmarshal(TPMU_PUBLIC_PARMS *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMT_PUBLIC_PARMS_Unmarshal(TPMT_PUBLIC_PARMS *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMT_PUBLIC_Unmarshal(TPMT_PUBLIC *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPM2B_PUBLIC_Unmarshal(TPM2B_PUBLIC *target, BYTE **buffer, INT32 *size, BOOL allowNull);
+ TPM_RC TPM2B_TEMPLATE_Unmarshal(TPM2B_TEMPLATE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMU_SENSITIVE_COMPOSITE_Unmarshal(TPMU_SENSITIVE_COMPOSITE *target, BYTE **buffer, INT32 *size, UINT32 selector);
+ TPM_RC TPMT_SENSITIVE_Unmarshal(TPMT_SENSITIVE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_SENSITIVE_Unmarshal(TPM2B_SENSITIVE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_PRIVATE_Unmarshal(TPM2B_PRIVATE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_ID_OBJECT_Unmarshal(TPM2B_ID_OBJECT *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMA_NV_Unmarshal(TPMA_NV *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_NV_PUBLIC_Unmarshal(TPMS_NV_PUBLIC *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_NV_PUBLIC_Unmarshal(TPM2B_NV_PUBLIC *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_CONTEXT_SENSITIVE_Unmarshal(TPM2B_CONTEXT_SENSITIVE *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_CONTEXT_DATA_Unmarshal(TPMS_CONTEXT_DATA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_CONTEXT_DATA_Unmarshal(TPM2B_CONTEXT_DATA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_CONTEXT_Unmarshal(TPMS_CONTEXT *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPMS_CREATION_DATA_Unmarshal(TPMS_CREATION_DATA *target, BYTE **buffer, INT32 *size);
+ TPM_RC TPM2B_CREATION_DATA_Unmarshal(TPM2B_CREATION_DATA *target, BYTE **buffer, INT32 *size);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/Unseal_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Unseal_fp.h
new file mode 100644
index 0000000..87c720e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/Unseal_fp.h
@@ -0,0 +1,83 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: Unseal_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef UNSEAL_FP_H
+#define UNSEAL_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT itemHandle;
+} Unseal_In;
+
+#define RC_Unseal_itemHandle (TPM_RC_H + TPM_RC_1)
+
+typedef struct {
+ TPM2B_SENSITIVE_DATA outData;
+} Unseal_Out;
+
+TPM_RC
+TPM2_Unseal(
+ Unseal_In *in,
+ Unseal_Out *out
+ );
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/VerifySignature_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/VerifySignature_fp.h
new file mode 100644
index 0000000..19f36a2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/VerifySignature_fp.h
@@ -0,0 +1,88 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: VerifySignature_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef VERIFYSIGNATURE_FP_H
+#define VERIFYSIGNATURE_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT keyHandle;
+ TPM2B_DIGEST digest;
+ TPMT_SIGNATURE signature;
+} VerifySignature_In;
+
+#define RC_VerifySignature_keyHandle (TPM_RC_H + TPM_RC_1)
+#define RC_VerifySignature_digest (TPM_RC_P + TPM_RC_1)
+#define RC_VerifySignature_signature (TPM_RC_P + TPM_RC_2)
+
+typedef struct {
+ TPMT_TK_VERIFIED validation;
+} VerifySignature_Out;
+
+TPM_RC
+TPM2_VerifySignature(
+ VerifySignature_In *in, // IN: input parameter list
+ VerifySignature_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/ZGen_2Phase_fp.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ZGen_2Phase_fp.h
new file mode 100644
index 0000000..efbf082
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/ZGen_2Phase_fp.h
@@ -0,0 +1,93 @@
+/********************************************************************************/
+/* */
+/* */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ZGen_2Phase_fp.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* Licenses and Notices */
+/* */
+/* 1. Copyright Licenses: */
+/* */
+/* - Trusted Computing Group (TCG) grants to the user of the source code in */
+/* this specification (the "Source Code") a worldwide, irrevocable, */
+/* nonexclusive, royalty free, copyright license to reproduce, create */
+/* derivative works, distribute, display and perform the Source Code and */
+/* derivative works thereof, and to grant others the rights granted herein. */
+/* */
+/* - The TCG grants to the user of the other parts of the specification */
+/* (other than the Source Code) the rights to reproduce, distribute, */
+/* display, and perform the specification solely for the purpose of */
+/* developing products based on such documents. */
+/* */
+/* 2. Source Code Distribution Conditions: */
+/* */
+/* - Redistributions of Source Code must retain the above copyright licenses, */
+/* this list of conditions and the following disclaimers. */
+/* */
+/* - Redistributions in binary form must reproduce the above copyright */
+/* licenses, this list of conditions and the following disclaimers in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* 3. Disclaimers: */
+/* */
+/* - THE COPYRIGHT LICENSES SET FORTH ABOVE DO NOT REPRESENT ANY FORM OF */
+/* LICENSE OR WAIVER, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, WITH */
+/* RESPECT TO PATENT RIGHTS HELD BY TCG MEMBERS (OR OTHER THIRD PARTIES) */
+/* THAT MAY BE NECESSARY TO IMPLEMENT THIS SPECIFICATION OR OTHERWISE. */
+/* Contact TCG Administration (admin@trustedcomputinggroup.org) for */
+/* information on specification licensing rights available through TCG */
+/* membership agreements. */
+/* */
+/* - THIS SPECIFICATION IS PROVIDED "AS IS" WITH NO EXPRESS OR IMPLIED */
+/* WARRANTIES WHATSOEVER, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR */
+/* FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, OR */
+/* NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS, OR ANY WARRANTY */
+/* OTHERWISE ARISING OUT OF ANY PROPOSAL, SPECIFICATION OR SAMPLE. */
+/* */
+/* - Without limitation, TCG and its members and licensors disclaim all */
+/* liability, including liability for infringement of any proprietary */
+/* rights, relating to use of information in this specification and to the */
+/* implementation of this specification, and TCG disclaims all liability for */
+/* cost of procurement of substitute goods or services, lost profits, loss */
+/* of use, loss of data or any incidental, consequential, direct, indirect, */
+/* or special damages, whether under contract, tort, warranty or otherwise, */
+/* arising in any way out of use or reliance upon this specification or any */
+/* information herein. */
+/* */
+/* (c) Copyright IBM Corp. and others, 2012-2015 */
+/* */
+/********************************************************************************/
+
+/* rev 119 */
+
+#ifndef ZGEN_2PHASE_FP_H
+#define ZGEN_2PHASE_FP_H
+
+typedef struct {
+ TPMI_DH_OBJECT keyA;
+ TPM2B_ECC_POINT inQsB;
+ TPM2B_ECC_POINT inQeB;
+ TPMI_ECC_KEY_EXCHANGE inScheme;
+ UINT16 counter;
+} ZGen_2Phase_In;
+
+#define RC_ZGen_2Phase_keyA (TPM_RC_H + TPM_RC_1)
+#define RC_ZGen_2Phase_inQsB (TPM_RC_P + TPM_RC_1)
+#define RC_ZGen_2Phase_inQeB (TPM_RC_P + TPM_RC_2)
+#define RC_ZGen_2Phase_inScheme (TPM_RC_P + TPM_RC_3)
+#define RC_ZGen_2Phase_counter (TPM_RC_P + TPM_RC_4)
+
+typedef struct {
+ TPM2B_ECC_POINT outZ1;
+ TPM2B_ECC_POINT outZ2;
+} ZGen_2Phase_Out;
+
+TPM_RC
+TPM2_ZGen_2Phase(
+ ZGen_2Phase_In *in, // IN: input parameter list
+ ZGen_2Phase_Out *out // OUT: output parameter list
+ );
+
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmconstants12.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmconstants12.h
new file mode 100644
index 0000000..55574ba
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmconstants12.h
@@ -0,0 +1,1721 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 Constants */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2006, 2010. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TPMCONSTANTS12_H
+#define TPMCONSTANTS12_H
+
+#include <stdint.h>
+
+/*
+ NOTE implementation Specific
+*/
+
+/*
+ version, revision, specLevel, errataRev
+*/
+
+/* current for released specification revision 103 */
+
+#define TPM_REVISION_MAX 9999
+#ifndef TPM_REVISION
+#define TPM_REVISION TPM_REVISION_MAX
+#endif
+
+// #if (TPM_REVISION >= 116)
+
+// #define TPM_SPEC_LEVEL 0x0002 /* uint16_t The level of ordinals supported */
+// #define TPM_ERRATA_REV 0x03 /* specification errata level */
+
+// #elif (TPM_REVISION >= 103)
+
+// #define TPM_SPEC_LEVEL 0x0002 /* uint16_t The level of ordinals supported */
+// #define TPM_ERRATA_REV 0x02 /* specification errata level */
+
+// #elif (TPM_REVISION >= 94)
+
+// #define TPM_SPEC_LEVEL 0x0002 /* uint16_t The level of ordinals supported */
+// #define TPM_ERRATA_REV 0x01 /* specification errata level */
+
+// #elif (TPM_REVISION >= 85)
+
+// #define TPM_SPEC_LEVEL 0x0002 /* uint16_t The level of ordinals supported */
+// #define TPM_ERRATA_REV 0x00 /* specification errata level */
+
+// #else
+
+// #define TPM_SPEC_LEVEL 0x0001 /* uint16_t The level of ordinals supported */
+// #define TPM_ERRATA_REV 0x00 /* specification errata level */
+
+// #endif
+
+/* IBM specific */
+
+#if 0 /* at one time vendorID was the PCI vendor ID, this is the IBM code */
+#define TPM_VENDOR_ID "\x00\x00\x10\x14" /* BYTE[4], the vendor ID, obtained from the TCG,
+ typically PCI vendor ID */
+#endif
+
+
+#ifdef TPM_VENDOR
+
+#define TPM_VENDOR_ID "WEC" /* 4 bytes, as of rev 99 vendorID and TPM_CAP_PROP_MANUFACTURER
+ return the same value */
+#define TPM_MANUFACTURER "WEC" /* 4 characters, assigned by TCG, typically stock ticker symbol */
+
+#else
+
+#define TPM_VENDOR_ID "IBM" /* 4 bytes, as of rev 99 vendorID and TPM_CAP_PROP_MANUFACTURER
+ return the same value */
+#define TPM_MANUFACTURER "IBM" /* 4 characters, assigned by TCG, typically stock ticker symbol */
+
+#endif
+
+/* Timeouts in microseconds. These are for the platform specific interface (e.g. the LPC bus
+ registers in the PC Client TPM). They are most likely not applicable to a software TPM. */
+#define TPM_TIMEOUT_A 1000000
+#define TPM_TIMEOUT_B 1000000
+#define TPM_TIMEOUT_C 1000000
+#define TPM_TIMEOUT_D 1000000
+
+/* dictionary attack mitigation */
+
+#define TPM_LOCKOUT_THRESHOLD 5 /* successive failures to trigger lockout, must be greater
+ than 0 */
+
+/* Denotes the duration value in microseconds of the duration of the three classes of commands:
+ Small, Medium and Long. The command types are in the Part 2 Ordinal Table. Essentially:
+
+ Long - creating an RSA key pair
+ Medium - using an RSA key
+ Short - anything else
+*/
+
+#ifndef TPM_SMALL_DURATION
+#define TPM_SMALL_DURATION 2000000
+#endif
+
+#ifndef TPM_MEDIUM_DURATION
+#define TPM_MEDIUM_DURATION 5000000
+#endif
+
+#ifndef TPM_LONG_DURATION
+#define TPM_LONG_DURATION 60000000
+#endif
+
+/* startup effects */
+
+#define TPM_STARTUP_EFFECTS_VALUE \
+(TPM_STARTUP_EFFECTS_ST_ANY_RT_KEY | /* key resources init by TPM_Startup(ST_ANY) */ \
+ TPM_STARTUP_EFFECTS_ST_STATE_RT_HASH | /* hash resources are init by TPM_Startup(ST_STATE) */ \
+ TPM_STARTUP_EFFECTS_ST_CLEAR_AUDITDIGEST) /* auditDigest nulled on TPM_Startup(ST_CLEAR) */
+
+/*
+ TPM buffer limits
+*/
+
+/* This value is used to limit memory allocation to prevent resource overload. */
+
+#ifndef TPM_ALLOC_MAX
+#define TPM_ALLOC_MAX 0x10000 /* 64k bytes */
+#endif
+
+/* This is the increment by which the TPM_STORE_BUFFER grows. A larger number saves realloc's. A
+ smaller number saves memory.
+
+ TPM_ALLOC_MAX must be a multiple of this value.
+*/
+
+#define TPM_STORE_BUFFER_INCREMENT (TPM_ALLOC_MAX / 64)
+
+/* This is the maximum value of the TPM input and output packet buffer. It should be large enough
+ to accommodate the largest TPM command or response, currently about 1200 bytes. It should be
+ small enough to accommodate whatever software is driving the TPM.
+
+ NOTE: Some commands are somewhat open ended, and related to this parmater. E.g., The input size
+ for the TPM_SHA1Init. The output size for TPM_GetRandom.
+
+ It is returned by TPM_GetCapability -> TPM_CAP_PROP_INPUT_BUFFER
+*/
+
+#ifndef TPM_BUFFER_MAX
+#define TPM_BUFFER_MAX 0x1000 /* 4k bytes */
+#endif
+
+/* Random number generator */
+
+/* maximum bytes in one TPM_GetRandom() call
+
+ Use maximum input buffer size minus tag, paramSize, returnCode, randomBytesSize.
+*/
+
+#define TPM_RANDOM_MAX (TPM_BUFFER_MAX \
+ - sizeof(TPM_TAG) - sizeof(uint32_t) \
+ - sizeof(TPM_RESULT) - sizeof(uint32_t))
+
+/* Maximum number of bytes that can be sent to TPM_SHA1Update. Must be a multiple of 64 bytes.
+
+ Use maximum input buffer size minus tag, paramSize, ordinal, numBytes.
+*/
+
+#define TPM_SHA1_MAXNUMBYTES (TPM_BUFFER_MAX - 64)
+
+/* extra audit status bits for TSC commands outside the normal ordinal range */
+#define TSC_PHYS_PRES_AUDIT 0x01
+#define TSC_RESET_ESTAB_AUDIT 0x02
+
+#ifdef TPM_VTPM
+/* ordinals for virtual TPM instance handling */
+/* NOTE must be contiguous, see TPM_PERMANENT_DATA -> instanceOrdinalAuditStatus */
+#define TPM_InstanceOrdinals_Start1 0x20000000
+#define TPM_InstanceOrdinals_End1 0x20000020
+#define TPM_InstanceOrdinals_Start2 0x20000020
+#define TPM_InstanceOrdinals_End2 0x20000040
+
+#define TPM_ORD_CreateInstance 0x20000001
+#define TPM_ORD_DeleteInstance 0x20000002
+#define TPM_ORD_LockInstance 0x20000003
+#define TPM_ORD_GetInstanceData 0x20000004
+#define TPM_ORD_SetInstanceData 0x20000005
+#define TPM_ORD_GetInstanceKey 0x20000009
+#define TPM_ORD_SetInstanceKey 0x2000000a
+#define TPM_ORD_TransportInstance 0x2000000b
+#define TPM_ORD_SetupInstance 0x2000000c
+#define TPM_ORD_UnlockInstance 0x2000000e
+#define TPM_ORD_ReportEnvironment 0x2000000f
+#define TPM_ORD_QuotePubEK 0x20000010
+
+/* actionMask for TPM_SetupInstance (bit mask) */
+
+#define TPM_INSTANCE_ACTIVATE 0x00000001
+#define TPM_INSTANCE_ENABLE 0x00000002
+#define TPM_INSTANCE_STARTUP 0x00000004
+#define TPM_INSTANCE_INIT 0x00000008
+
+#define TPM_INSTANCE_ACTION_MASK 0xfffffff0 /* ~ OR of all above bits */
+
+/* creationMask for TPM_CreateInstance (bit mask) */
+
+#define TPM_INSTANCE_PRIVILEGED 0x00000001
+#define TPM_INSTANCE_NO_MIGRATE 0x00000002
+#define TPM_INSTANCE_CREATION_MASK 0xfffffffc /* ~ OR of all above bits */
+
+/* TPM_CAP_MFR capabilities */
+
+#define TPM_CAP_PROP_MAX_INSTANCES 0x00000001
+#define TPM_CAP_INSTANCE_HANDLE 0x00000002
+#define TPM_CAP_INSTANCE_PARENT 0x00000003
+#define TPM_CAP_INSTANCE_CHILDREN 0x00000004
+#define TPM_CAP_CREATION_MASK 0x00000005
+#define TPM_CAP_SETUP_PCRLIST 0x00000006
+#define TPM_CAP_NUMBER_PCR_MEAS 0x00000008
+#define TPM_CAP_PCR_MEASUREMENTS 0x00000009
+#define TPM_CAP_PCR_SELECTIONS 0x0000000a
+
+/* TPM_SET_VENDOR Subcap */
+
+#define TPM_SETCAP_LOG_PCR_SELECTION 0x00000001
+#define TPM_SETCAP_SUBSCRIBE_PCR_SELECTION 0x00000002
+#define TPM_SETCAP_LOG_LOG_LENGTH_MAX 0x00000003
+
+/* VTPM Structure Tags */
+
+#define TPM_TAG_LOG_ENTRIES 0x8003
+
+#endif /* TPM_VTPM */
+
+/* TPM_CAP_MFR capabilities */
+#define TPM_CAP_PROCESS_ID 0x00000020
+
+#ifdef TPM_VENDOR
+
+#define WEC_ORD_PreConfig 0x2000000e
+#define WEC_ORD_LockPreConfig 0x2000000f
+#define WEC_ORD_GetTPMStatus 0x20000021
+
+#endif /* TPM_VENDOR */
+
+/* define a value for an illegal instance handle */
+
+#define TPM_ILLEGAL_INSTANCE_HANDLE 0xffffffff
+
+/*
+ NOTE End Implementation Specific
+*/
+
+/* 3. Structure Tags rev 105
+
+ There have been some indications that knowing what structure is in use would be valuable
+ information in each structure. This new tag will be in each new structure that the TPM defines.
+
+ The upper nibble of the value designates the purview of the structure tag. 0 is used for TPM
+ structures, 1 for platforms, and 2-F are reserved.
+*/
+
+/* 3.1 TPM_STRUCTURE_TAG */
+
+/* Structure */
+#define TPM_TAG_CONTEXTBLOB 0x0001 /* TPM_CONTEXT_BLOB */
+#define TPM_TAG_CONTEXT_SENSITIVE 0x0002 /* TPM_CONTEXT_SENSITIVE */
+#define TPM_TAG_CONTEXTPOINTER 0x0003 /* TPM_CONTEXT_POINTER */
+#define TPM_TAG_CONTEXTLIST 0x0004 /* TPM_CONTEXT_LIST */
+#define TPM_TAG_SIGNINFO 0x0005 /* TPM_SIGN_INFO */
+#define TPM_TAG_PCR_INFO_LONG 0x0006 /* TPM_PCR_INFO_LONG */
+#define TPM_TAG_PERSISTENT_FLAGS 0x0007 /* TPM_PERSISTENT_FLAGS (deprecated 1.1 struct) */
+#define TPM_TAG_VOLATILE_FLAGS 0x0008 /* TPM_VOLATILE_FLAGS (deprecated 1.1 struct) */
+#define TPM_TAG_PERSISTENT_DATA 0x0009 /* TPM_PERSISTENT_DATA (deprecated 1.1 struct) */
+#define TPM_TAG_VOLATILE_DATA 0x000A /* TPM_VOLATILE_DATA (deprecated 1.1 struct) */
+#define TPM_TAG_SV_DATA 0x000B /* TPM_SV_DATA */
+#define TPM_TAG_EK_BLOB 0x000C /* TPM_EK_BLOB */
+#define TPM_TAG_EK_BLOB_AUTH 0x000D /* TPM_EK_BLOB_AUTH */
+#define TPM_TAG_COUNTER_VALUE 0x000E /* TPM_COUNTER_VALUE */
+#define TPM_TAG_TRANSPORT_INTERNAL 0x000F /* TPM_TRANSPORT_INTERNAL */
+#define TPM_TAG_TRANSPORT_LOG_IN 0x0010 /* TPM_TRANSPORT_LOG_IN */
+#define TPM_TAG_TRANSPORT_LOG_OUT 0x0011 /* TPM_TRANSPORT_LOG_OUT */
+#define TPM_TAG_AUDIT_EVENT_IN 0x0012 /* TPM_AUDIT_EVENT_IN */
+#define TPM_TAG_AUDIT_EVENT_OUT 0X0013 /* TPM_AUDIT_EVENT_OUT */
+#define TPM_TAG_CURRENT_TICKS 0x0014 /* TPM_CURRENT_TICKS */
+#define TPM_TAG_KEY 0x0015 /* TPM_KEY */
+#define TPM_TAG_STORED_DATA12 0x0016 /* TPM_STORED_DATA12 */
+#define TPM_TAG_NV_ATTRIBUTES 0x0017 /* TPM_NV_ATTRIBUTES */
+#define TPM_TAG_NV_DATA_PUBLIC 0x0018 /* TPM_NV_DATA_PUBLIC */
+#define TPM_TAG_NV_DATA_SENSITIVE 0x0019 /* TPM_NV_DATA_SENSITIVE */
+#define TPM_TAG_DELEGATIONS 0x001A /* TPM DELEGATIONS */
+#define TPM_TAG_DELEGATE_PUBLIC 0x001B /* TPM_DELEGATE_PUBLIC */
+#define TPM_TAG_DELEGATE_TABLE_ROW 0x001C /* TPM_DELEGATE_TABLE_ROW */
+#define TPM_TAG_TRANSPORT_AUTH 0x001D /* TPM_TRANSPORT_AUTH */
+#define TPM_TAG_TRANSPORT_PUBLIC 0X001E /* TPM_TRANSPORT_PUBLIC */
+#define TPM_TAG_PERMANENT_FLAGS 0X001F /* TPM_PERMANENT_FLAGS */
+#define TPM_TAG_STCLEAR_FLAGS 0X0020 /* TPM_STCLEAR_FLAGS */
+#define TPM_TAG_STANY_FLAGS 0X0021 /* TPM_STANY_FLAGS */
+#define TPM_TAG_PERMANENT_DATA 0X0022 /* TPM_PERMANENT_DATA */
+#define TPM_TAG_STCLEAR_DATA 0X0023 /* TPM_STCLEAR_DATA */
+#define TPM_TAG_STANY_DATA 0X0024 /* TPM_STANY_DATA */
+#define TPM_TAG_FAMILY_TABLE_ENTRY 0X0025 /* TPM_FAMILY_TABLE_ENTRY */
+#define TPM_TAG_DELEGATE_SENSITIVE 0X0026 /* TPM_DELEGATE_SENSITIVE */
+#define TPM_TAG_DELG_KEY_BLOB 0X0027 /* TPM_DELG_KEY_BLOB */
+#define TPM_TAG_KEY12 0x0028 /* TPM_KEY12 */
+#define TPM_TAG_CERTIFY_INFO2 0X0029 /* TPM_CERTIFY_INFO2 */
+#define TPM_TAG_DELEGATE_OWNER_BLOB 0X002A /* TPM_DELEGATE_OWNER_BLOB */
+#define TPM_TAG_EK_BLOB_ACTIVATE 0X002B /* TPM_EK_BLOB_ACTIVATE */
+#define TPM_TAG_DAA_BLOB 0X002C /* TPM_DAA_BLOB */
+#define TPM_TAG_DAA_CONTEXT 0X002D /* TPM_DAA_CONTEXT */
+#define TPM_TAG_DAA_ENFORCE 0X002E /* TPM_DAA_ENFORCE */
+#define TPM_TAG_DAA_ISSUER 0X002F /* TPM_DAA_ISSUER */
+#define TPM_TAG_CAP_VERSION_INFO 0X0030 /* TPM_CAP_VERSION_INFO */
+#define TPM_TAG_DAA_SENSITIVE 0X0031 /* TPM_DAA_SENSITIVE */
+#define TPM_TAG_DAA_TPM 0X0032 /* TPM_DAA_TPM */
+#define TPM_TAG_CMK_MIGAUTH 0X0033 /* TPM_CMK_MIGAUTH */
+#define TPM_TAG_CMK_SIGTICKET 0X0034 /* TPM_CMK_SIGTICKET */
+#define TPM_TAG_CMK_MA_APPROVAL 0X0035 /* TPM_CMK_MA_APPROVAL */
+#define TPM_TAG_QUOTE_INFO2 0X0036 /* TPM_QUOTE_INFO2 */
+#define TPM_TAG_DA_INFO 0x0037 /* TPM_DA_INFO */
+#define TPM_TAG_DA_INFO_LIMITED 0x0038 /* TPM_DA_INFO_LIMITED */
+#define TPM_TAG_DA_ACTION_TYPE 0x0039 /* TPM_DA_ACTION_TYPE */
+
+/*
+ SW TPM Tags
+*/
+
+/*
+ These tags are used to describe the format of serialized TPM non-volatile state
+*/
+
+/* These describe the overall format */
+
+/* V1 state is the sequence permanent data, permanent flags, owner evict keys, NV defined space */
+
+#define TPM_TAG_NVSTATE_V1 0x0001 /* svn revision 4078 */
+
+/* These tags describe the TPM_PERMANENT_DATA format */
+
+/* For the first release, use the standard TPM_TAG_PERMANENT_DATA tag. Since this tag is never
+ visible outside the TPM, the tag value can be changed if the format changes.
+*/
+
+/* These tags describe the TPM_PERMANENT_FLAGS format */
+
+/* The TPM_PERMANENT_FLAGS structure changed from rev 94 to 103. Unfortunately, the standard TPM
+ tag did not change. Define distinguishing values here.
+*/
+
+#define TPM_TAG_NVSTATE_PF94 0x0001
+#define TPM_TAG_NVSTATE_PF103 0x0002
+
+/* This tag describes the owner evict key format */
+
+#define TPM_TAG_NVSTATE_OE_V1 0x0001
+
+/* This tag describes the NV defined space format */
+
+#define TPM_TAG_NVSTATE_NV_V1 0x0001
+
+/* V2 added the NV public optimization */
+
+#define TPM_TAG_NVSTATE_NV_V2 0x0002
+
+/*
+ These tags are used to describe the format of serialized TPM volatile state
+*/
+
+/* These describe the overall format */
+
+/* V1 state is the sequence TPM Parameters, TPM_STCLEAR_FLAGS, TPM_STANY_FLAGS, TPM_STCLEAR_DATA,
+ TPM_STANY_DATA, TPM_KEY_HANDLE_ENTRY, SHA1 context(s), TPM_TRANSHANDLE, testState, NV volatile
+ flags */
+
+#define TPM_TAG_VSTATE_V1 0x0001
+
+/* This tag defines the TPM Parameters format */
+
+#define TPM_TAG_TPM_PARAMETERS_V1 0x0001
+
+/* This tag defines the TPM_STCLEAR_FLAGS format */
+
+/* V1 is the TCG standard returned by the getcap. It's unlikely that this will change */
+
+#define TPM_TAG_STCLEAR_FLAGS_V1 0x0001
+
+/* These tags describe the TPM_STANY_FLAGS format */
+
+/* For the first release, use the standard TPM_TAG_STANY_FLAGS tag. Since this tag is never visible
+ outside the TPM, the tag value can be changed if the format changes.
+*/
+
+/* This tag defines the TPM_STCLEAR_DATA format */
+
+/* V2 deleted the ordinalResponse, responseCount */
+
+#define TPM_TAG_STCLEAR_DATA_V2 0X0024
+
+/* These tags describe the TPM_STANY_DATA format */
+
+/* For the first release, use the standard TPM_TAG_STANY_DATA tag. Since this tag is never visible
+ outside the TPM, the tag value can be changed if the format changes.
+*/
+
+/* This tag defines the key handle entries format */
+
+#define TPM_TAG_KEY_HANDLE_ENTRIES_V1 0x0001
+
+/* This tag defines the SHA-1 context format */
+
+#define TPM_TAG_SHA1CONTEXT_OSSL_V1 0x0001 /* for openssl */
+
+#define TPM_TAG_SHA1CONTEXT_FREEBL_V1 0x0101 /* for freebl */
+
+/* This tag defines the NV index entries volatile format */
+
+#define TPM_TAG_NV_INDEX_ENTRIES_VOLATILE_V1 0x0001
+
+/* 4. Types
+ */
+
+/* 4.1 TPM_RESOURCE_TYPE rev 87 */
+
+#define TPM_RT_KEY 0x00000001 /* The handle is a key handle and is the result of a LoadKey
+ type operation */
+
+#define TPM_RT_AUTH 0x00000002 /* The handle is an authorization handle. Auth handles come from
+ TPM_OIAP, TPM_OSAP and TPM_DSAP */
+
+#define TPM_RT_HASH 0X00000003 /* Reserved for hashes */
+
+#define TPM_RT_TRANS 0x00000004 /* The handle is for a transport session. Transport handles come
+ from TPM_EstablishTransport */
+
+#define TPM_RT_CONTEXT 0x00000005 /* Resource wrapped and held outside the TPM using the context
+ save/restore commands */
+
+#define TPM_RT_COUNTER 0x00000006 /* Reserved for counters */
+
+#define TPM_RT_DELEGATE 0x00000007 /* The handle is for a delegate row. These are the internal rows
+ held in NV storage by the TPM */
+
+#define TPM_RT_DAA_TPM 0x00000008 /* The value is a DAA TPM specific blob */
+
+#define TPM_RT_DAA_V0 0x00000009 /* The value is a DAA V0 parameter */
+
+#define TPM_RT_DAA_V1 0x0000000A /* The value is a DAA V1 parameter */
+
+/* 4.2 TPM_PAYLOAD_TYPE rev 87
+
+ This structure specifies the type of payload in various messages.
+*/
+
+#define TPM_PT_ASYM 0x01 /* The entity is an asymmetric key */
+#define TPM_PT_BIND 0x02 /* The entity is bound data */
+#define TPM_PT_MIGRATE 0x03 /* The entity is a migration blob */
+#define TPM_PT_MAINT 0x04 /* The entity is a maintenance blob */
+#define TPM_PT_SEAL 0x05 /* The entity is sealed data */
+#define TPM_PT_MIGRATE_RESTRICTED 0x06 /* The entity is a restricted-migration asymmetric key */
+#define TPM_PT_MIGRATE_EXTERNAL 0x07 /* The entity is a external migratable key */
+#define TPM_PT_CMK_MIGRATE 0x08 /* The entity is a CMK migratable blob */
+/* 0x09 - 0x7F Reserved for future use by TPM */
+/* 0x80 - 0xFF Vendor specific payloads */
+
+/* 4.3 TPM_ENTITY_TYPE rev 100
+
+ This specifies the types of entity that are supported by the TPM.
+
+ The LSB is used to indicate the entity type. The MSB is used to indicate the ADIP
+ encryption scheme when applicable.
+
+ For compatibility with TPM 1.1, this mapping is maintained:
+
+ 0x0001 specifies a keyHandle entity with XOR encryption
+ 0x0002 specifies an owner entity with XOR encryption
+ 0x0003 specifies some data entity with XOR encryption
+ 0x0004 specifies the SRK entity with XOR encryption
+ 0x0005 specifies a key entity with XOR encryption
+
+ When the entity is not being used for ADIP encryption, the MSB MUST be 0x00.
+*/
+
+/* TPM_ENTITY_TYPE LSB Values (entity type) */
+
+#define TPM_ET_KEYHANDLE 0x01 /* The entity is a keyHandle or key */
+#define TPM_ET_OWNER 0x02 /*0x40000001 The entity is the TPM Owner */
+#define TPM_ET_DATA 0x03 /* The entity is some data */
+#define TPM_ET_SRK 0x04 /*0x40000000 The entity is the SRK */
+#define TPM_ET_KEY 0x05 /* The entity is a key or keyHandle */
+#define TPM_ET_REVOKE 0x06 /*0x40000002 The entity is the RevokeTrust value */
+#define TPM_ET_DEL_OWNER_BLOB 0x07 /* The entity is a delegate owner blob */
+#define TPM_ET_DEL_ROW 0x08 /* The entity is a delegate row */
+#define TPM_ET_DEL_KEY_BLOB 0x09 /* The entity is a delegate key blob */
+#define TPM_ET_COUNTER 0x0A /* The entity is a counter */
+#define TPM_ET_NV 0x0B /* The entity is a NV index */
+#define TPM_ET_OPERATOR 0x0C /* The entity is the operator */
+#define TPM_ET_RESERVED_HANDLE 0x40 /* Reserved. This value avoids collisions with the handle
+ MSB setting.*/
+
+/* TPM_ENTITY_TYPE MSB Values (ADIP encryption scheme) */
+
+#define TPM_ET_XOR 0x00 /* XOR */
+#define TPM_ET_AES128_CTR 0x06 /* AES 128 bits in CTR mode */
+
+/* 4.4 Handles rev 88
+
+ Handles provides pointers to TPM internal resources. Handles should provide the ability to locate
+ a value without collision.
+
+ 1. The TPM MAY order and set a handle to any value the TPM determines is appropriate
+
+ 2. The handle value SHALL provide assurance that collisions SHOULD not occur in 2^24 handles
+
+ 4.4.1 Reserved Key Handles
+
+ The reserved key handles. These values specify specific keys or specific actions for the TPM.
+*/
+
+/* 4.4.1 Reserved Key Handles rev 87
+
+ The reserved key handles. These values specify specific keys or specific actions for the TPM.
+
+ TPM_KH_TRANSPORT indicates to TPM_EstablishTransport that there is no encryption key, and that
+ the "secret" wrapped parameters are actually passed unencrypted.
+*/
+
+#define TPM_KH_SRK 0x40000000 /* The handle points to the SRK */
+#define TPM_KH_OWNER 0x40000001 /* The handle points to the TPM Owner */
+#define TPM_KH_REVOKE 0x40000002 /* The handle points to the RevokeTrust value */
+#define TPM_KH_TRANSPORT 0x40000003 /* The handle points to the TPM_EstablishTransport static
+ authorization */
+#define TPM_KH_OPERATOR 0x40000004 /* The handle points to the Operator auth */
+#define TPM_KH_ADMIN 0x40000005 /* The handle points to the delegation administration
+ auth */
+#define TPM_KH_EK 0x40000006 /* The handle points to the PUBEK, only usable with
+ TPM_OwnerReadInternalPub */
+
+/* 4.5 TPM_STARTUP_TYPE rev 87
+
+ To specify what type of startup is occurring.
+*/
+
+#define TPM_ST_CLEAR 0x0001 /* The TPM is starting up from a clean state */
+#define TPM_ST_STATE 0x0002 /* The TPM is starting up from a saved state */
+#define TPM_ST_DEACTIVATED 0x0003 /* The TPM is to startup and set the deactivated flag to
+ TRUE */
+
+/* 4.6 TPM_STARTUP_EFFECTS rev 101
+
+ This structure lists for the various resources and sessions on a TPM the affect that TPM_Startup
+ has on the values.
+
+ There are three ST_STATE options for keys (restore all, restore non-volatile, or restore none)
+ and two ST_CLEAR options (restore non-volatile or restore none). As bit 4 was insufficient to
+ describe the possibilities, it is deprecated. Software should use TPM_CAP_KEY_HANDLE to
+ determine which keys are loaded after TPM_Startup.
+
+ 31-9 No information and MUST be FALSE
+
+ 8 TPM_RT_DAA_TPM resources are initialized by TPM_Startup(ST_STATE)
+ 7 TPM_Startup has no effect on auditDigest
+ 6 auditDigest is set to all zeros on TPM_Startup(ST_CLEAR) but not on other types of TPM_Startup
+ 5 auditDigest is set to all zeros on TPM_Startup(any)
+ 4 TPM_RT_KEY Deprecated, as the meaning was subject to interpretation. (Was:TPM_RT_KEY resources
+ are initialized by TPM_Startup(ST_ANY))
+ 3 TPM_RT_AUTH resources are initialized by TPM_Startup(ST_STATE)
+ 2 TPM_RT_HASH resources are initialized by TPM_Startup(ST_STATE)
+ 1 TPM_RT_TRANS resources are initialized by TPM_Startup(ST_STATE)
+ 0 TPM_RT_CONTEXT session (but not key) resources are initialized by TPM_Startup(ST_STATE)
+*/
+
+
+#define TPM_STARTUP_EFFECTS_ST_STATE_RT_DAA 0x00000100 /* bit 8 */
+#define TPM_STARTUP_EFFECTS_STARTUP_NO_AUDITDIGEST 0x00000080 /* bit 7 */
+#define TPM_STARTUP_EFFECTS_ST_CLEAR_AUDITDIGEST 0x00000040 /* bit 6 */
+#define TPM_STARTUP_EFFECTS_STARTUP_AUDITDIGEST 0x00000020 /* bit 5 */
+#define TPM_STARTUP_EFFECTS_ST_ANY_RT_KEY 0x00000010 /* bit 4 */
+#define TPM_STARTUP_EFFECTS_ST_STATE_RT_AUTH 0x00000008 /* bit 3 */
+#define TPM_STARTUP_EFFECTS_ST_STATE_RT_HASH 0x00000004 /* bit 2 */
+#define TPM_STARTUP_EFFECTS_ST_STATE_RT_TRANS 0x00000002 /* bit 1 */
+#define TPM_STARTUP_EFFECTS_ST_STATE_RT_CONTEXT 0x00000001 /* bit 0 */
+
+/* 4.7 TPM_PROTOCOL_ID rev 87
+
+ This value identifies the protocol in use.
+*/
+
+#define TPM_PID_NONE 0x0000 /* kgold - added */
+#define TPM_PID_OIAP 0x0001 /* The OIAP protocol. */
+#define TPM_PID_OSAP 0x0002 /* The OSAP protocol. */
+#define TPM_PID_ADIP 0x0003 /* The ADIP protocol. */
+#define TPM_PID_ADCP 0X0004 /* The ADCP protocol. */
+#define TPM_PID_OWNER 0X0005 /* The protocol for taking ownership of a TPM. */
+#define TPM_PID_DSAP 0x0006 /* The DSAP protocol */
+#define TPM_PID_TRANSPORT 0x0007 /*The transport protocol */
+
+/* 4.8 TPM_ALGORITHM_ID rev 99
+
+ This table defines the types of algorithms that may be supported by the TPM.
+
+ The TPM MUST support the algorithms TPM_ALG_RSA, TPM_ALG_SHA, TPM_ALG_HMAC, and TPM_ALG_MGF1
+*/
+
+//#define TPM_ALG_RSA 0x00000001 /* The RSA algorithm. */
+/* #define TPM_ALG_DES 0x00000002 (was the DES algorithm) */
+/* #define TPM_ALG_3DES 0X00000003 (was the 3DES algorithm in EDE mode) */
+#define TPM_ALG_SHA 0x00000004 /* The SHA1 algorithm */
+//#define TPM_ALG_HMAC 0x00000005 /* The RFC 2104 HMAC algorithm */
+#define TPM_ALG_AES128 0x00000006 /* The AES algorithm, key size 128 */
+//#define TPM_ALG_MGF1 0x00000007 /* The XOR algorithm using MGF1 to create a string the size
+//of the encrypted block */
+#define TPM_ALG_AES192 0x00000008 /* AES, key size 192 */
+#define TPM_ALG_AES256 0x00000009 /* AES, key size 256 */
+//#define TPM_ALG_XOR 0x0000000A /* XOR using the rolling nonces */
+
+/* 4.9 TPM_PHYSICAL_PRESENCE rev 87
+
+*/
+
+#define TPM_PHYSICAL_PRESENCE_HW_DISABLE 0x0200 /* Sets the physicalPresenceHWEnable to FALSE
+ */
+#define TPM_PHYSICAL_PRESENCE_CMD_DISABLE 0x0100 /* Sets the physicalPresenceCMDEnable to
+ FALSE */
+#define TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK 0x0080 /* Sets the physicalPresenceLifetimeLock to
+ TRUE */
+#define TPM_PHYSICAL_PRESENCE_HW_ENABLE 0x0040 /* Sets the physicalPresenceHWEnable to TRUE
+ */
+#define TPM_PHYSICAL_PRESENCE_CMD_ENABLE 0x0020 /* Sets the physicalPresenceCMDEnable to TRUE
+ */
+#define TPM_PHYSICAL_PRESENCE_NOTPRESENT 0x0010 /* Sets PhysicalPresence = FALSE */
+#define TPM_PHYSICAL_PRESENCE_PRESENT 0x0008 /* Sets PhysicalPresence = TRUE */
+#define TPM_PHYSICAL_PRESENCE_LOCK 0x0004 /* Sets PhysicalPresenceLock = TRUE */
+
+#define TPM_PHYSICAL_PRESENCE_MASK 0xfc03 /* ~ OR of all above bits */
+
+/* 4.10 TPM_MIGRATE_SCHEME rev 103
+
+ The scheme indicates how the StartMigrate command should handle the migration of the encrypted
+ blob.
+*/
+
+#define TPM_MS_MIGRATE 0x0001 /* A public key that can be used with all TPM
+ migration commands other than 'ReWrap' mode. */
+#define TPM_MS_REWRAP 0x0002 /* A public key that can be used for the ReWrap mode
+ of TPM_CreateMigrationBlob. */
+#define TPM_MS_MAINT 0x0003 /* A public key that can be used for the Maintenance
+ commands */
+#define TPM_MS_RESTRICT_MIGRATE 0x0004 /* The key is to be migrated to a Migration
+ Authority. */
+#define TPM_MS_RESTRICT_APPROVE 0x0005 /* The key is to be migrated to an entity approved by
+ a Migration Authority using double wrapping */
+
+/* 4.11 TPM_EK_TYPE rev 87
+
+ This structure indicates what type of information that the EK is dealing with.
+*/
+
+#define TPM_EK_TYPE_ACTIVATE 0x0001 /* The blob MUST be TPM_EK_BLOB_ACTIVATE */
+#define TPM_EK_TYPE_AUTH 0x0002 /* The blob MUST be TPM_EK_BLOB_AUTH */
+
+/* 4.12 TPM_PLATFORM_SPECIFIC rev 87
+
+ This enumerated type indicates the platform specific spec that the information relates to.
+*/
+
+#define TPM_PS_PC_11 0x0001 /* PC Specific version 1.1 */
+#define TPM_PS_PC_12 0x0002 /* PC Specific version 1.2 */
+#define TPM_PS_PDA_12 0x0003 /* PDA Specific version 1.2 */
+#define TPM_PS_Server_12 0x0004 /* Server Specific version 1.2 */
+#define TPM_PS_Mobile_12 0x0005 /* Mobil Specific version 1.2 */
+
+/* 5.8 TPM_KEY_USAGE rev 101
+
+ This table defines the types of keys that are possible. Each value defines for what operation
+ the key can be used. Most key usages can be CMKs. See 4.2, TPM_PAYLOAD_TYPE.
+
+ Each key has a setting defining the encryption and signature scheme to use. The selection of a
+ key usage value limits the choices of encryption and signature schemes.
+*/
+
+#define TPM_KEY_UNINITIALIZED 0x0000 /* NOTE: Added. This seems like a good place to indicate
+ that a TPM_KEY structure has not been initialized */
+
+#define TPM_KEY_SIGNING 0x0010 /* This SHALL indicate a signing key. The [private] key
+ SHALL be used for signing operations, only. This means
+ that it MUST be a leaf of the Protected Storage key
+ hierarchy. */
+
+#define TPM_KEY_STORAGE 0x0011 /* This SHALL indicate a storage key. The key SHALL be used
+ to wrap and unwrap other keys in the Protected Storage
+ hierarchy */
+
+#define TPM_KEY_IDENTITY 0x0012 /* This SHALL indicate an identity key. The key SHALL be
+ used for operations that require a TPM identity, only. */
+
+#define TPM_KEY_AUTHCHANGE 0X0013 /* This SHALL indicate an ephemeral key that is in use
+ during the ChangeAuthAsym process, only. */
+
+#define TPM_KEY_BIND 0x0014 /* This SHALL indicate a key that can be used for TPM_Bind
+ and TPM_Unbind operations only. */
+
+#define TPM_KEY_LEGACY 0x0015 /* This SHALL indicate a key that can perform signing and
+ binding operations. The key MAY be used for both signing
+ and binding operations. The TPM_KEY_LEGACY key type is to
+ allow for use by applications where both signing and
+ encryption operations occur with the same key. */
+
+#define TPM_KEY_MIGRATE 0x0016 /* This SHALL indicate a key in use for TPM_MigrateKey */
+
+/* 5.8.1 TPM_ENC_SCHEME Mandatory Key Usage Schemes rev 99
+
+ The TPM MUST check that the encryption scheme defined for use with the key is a valid scheme for
+ the key type, as follows:
+*/
+
+#define TPM_ES_NONE 0x0001
+#define TPM_ES_RSAESPKCSv15 0x0002
+#define TPM_ES_RSAESOAEP_SHA1_MGF1 0x0003
+#define TPM_ES_SYM_CTR 0x0004
+#define TPM_ES_SYM_OFB 0x0005
+
+/* 5.8.1 TPM_SIG_SCHEME Mandatory Key Usage Schemes rev 99
+
+ The TPM MUST check that the signature scheme defined for use with the key is a valid scheme for
+ the key type, as follows:
+*/
+
+#define TPM_SS_NONE 0x0001
+#define TPM_SS_RSASSAPKCS1v15_SHA1 0x0002
+#define TPM_SS_RSASSAPKCS1v15_DER 0x0003
+#define TPM_SS_RSASSAPKCS1v15_INFO 0x0004
+
+/* 5.9 TPM_AUTH_DATA_USAGE rev 110
+
+ The indication to the TPM when authorization sessions for an entity are required. Future
+ versions may allow for more complex decisions regarding AuthData checking.
+*/
+
+#define TPM_AUTH_NEVER 0x00 /* This SHALL indicate that usage of the key without
+ authorization is permitted. */
+
+#define TPM_AUTH_ALWAYS 0x01 /* This SHALL indicate that on each usage of the key the
+ authorization MUST be performed. */
+
+#define TPM_NO_READ_PUBKEY_AUTH 0x03 /* This SHALL indicate that on commands that require the TPM to
+ use the the key, the authorization MUST be performed. For
+ commands that cause the TPM to read the public portion of the
+ key, but not to use the key (e.g. TPM_GetPubKey), the
+ authorization may be omitted. */
+
+/* 5.10 TPM_KEY_FLAGS rev 110
+
+ This table defines the meanings of the bits in a TPM_KEY_FLAGS structure, used in
+ TPM_STORE_ASYMKEY and TPM_CERTIFY_INFO.
+
+ The value of TPM_KEY_FLAGS MUST be decomposed into individual mask values. The presence of a mask
+ value SHALL have the effect described in the above table
+
+ On input, all undefined bits MUST be zero. The TPM MUST return an error if any undefined bit is
+ set. On output, the TPM MUST set all undefined bits to zero.
+*/
+
+#define TPM_KEY_FLAGS_MASK 0x0000001f
+
+#define TPM_REDIRECTION 0x00000001 /* This mask value SHALL indicate the use of redirected
+ output. */
+
+#define TPM_MIGRATABLE 0x00000002 /* This mask value SHALL indicate that the key is
+ migratable. */
+
+#define TPM_ISVOLATILE 0x00000004 /* This mask value SHALL indicate that the key MUST be
+ unloaded upon execution of the
+ TPM_Startup(ST_Clear). This does not indicate that a
+ non-volatile key will remain loaded across
+ TPM_Startup(ST_Clear) events. */
+
+#define TPM_PCRIGNOREDONREAD 0x00000008 /* When TRUE the TPM MUST NOT check digestAtRelease or
+ localityAtRelease for commands that read the public
+ portion of the key (e.g., TPM_GetPubKey) and MAY NOT
+ check digestAtRelease or localityAtRelease for
+ commands that use the public portion of the key
+ (e.g. TPM_Seal)
+
+ When FALSE the TPM MUST check digestAtRelease and
+ localityAtRelease for commands that read or use the
+ public portion of the key */
+
+#define TPM_MIGRATEAUTHORITY 0x00000010 /* When set indicates that the key is under control of a
+ migration authority. The TPM MUST only allow the
+ creation of a key with this flag in
+ TPM_MA_CreateKey */
+
+/* 5.17 TPM_CMK_DELEGATE values rev 89
+
+ The bits of TPM_CMK_DELEGATE are flags that determine how the TPM responds to delegated requests
+ to manipulate a certified-migration-key, a loaded key with payload type TPM_PT_MIGRATE_RESTRICTED
+ or TPM_PT_MIGRATE_EXTERNAL..
+
+ 26:0 reserved MUST be 0
+
+ The default value of TPM_CMK_Delegate is zero (0)
+*/
+
+#define TPM_CMK_DELEGATE_SIGNING 0x80000000 /* When set to 1, this bit SHALL indicate that a
+ delegated command may manipulate a CMK of
+ TPM_KEY_USAGE == TPM_KEY_SIGNING */
+#define TPM_CMK_DELEGATE_STORAGE 0x40000000 /* When set to 1, this bit SHALL indicate that a
+ delegated command may manipulate a CMK of
+ TPM_KEY_USAGE == TPM_KEY_STORAGE */
+#define TPM_CMK_DELEGATE_BIND 0x20000000 /* When set to 1, this bit SHALL indicate that a
+ delegated command may manipulate a CMK of
+ TPM_KEY_USAGE == TPM_KEY_BIND */
+#define TPM_CMK_DELEGATE_LEGACY 0x10000000 /* When set to 1, this bit SHALL indicate that a
+ delegated command may manipulate a CMK of
+ TPM_KEY_USAGE == TPM_KEY_LEGACY */
+#define TPM_CMK_DELEGATE_MIGRATE 0x08000000 /* When set to 1, this bit SHALL indicate that a
+ delegated command may manipulate a CMK of
+ TPM_KEY_USAGE == TPM_KEY_MIGRATE */
+
+/* 6. TPM_TAG (Command and Response Tags) rev 100
+
+ These tags indicate to the TPM the construction of the command either as input or as output. The
+ AUTH indicates that there are one or more AuthData values that follow the command
+ parameters.
+*/
+
+#define TPM_TAG_RQU_COMMAND 0x00C1 /* A command with no authentication. */
+#define TPM_TAG_RQU_AUTH1_COMMAND 0x00C2 /* An authenticated command with one authentication
+ handle */
+#define TPM_TAG_RQU_AUTH2_COMMAND 0x00C3 /* An authenticated command with two authentication
+ handles */
+#define TPM_TAG_RSP_COMMAND 0x00C4 /* A response from a command with no authentication
+ */
+#define TPM_TAG_RSP_AUTH1_COMMAND 0x00C5 /* An authenticated response with one authentication
+ handle */
+#define TPM_TAG_RSP_AUTH2_COMMAND 0x00C6 /* An authenticated response with two authentication
+ handles */
+
+/* TIS 7.2 PCR Attributes
+
+*/
+
+#define TPM_DEBUG_PCR 16
+#define TPM_LOCALITY_4_PCR 17
+#define TPM_LOCALITY_3_PCR 18
+#define TPM_LOCALITY_2_PCR 19
+#define TPM_LOCALITY_1_PCR 20
+
+/* 10.9 TPM_KEY_CONTROL rev 87
+
+ Attributes that can control various aspects of key usage and manipulation.
+
+ Allows for controlling of the key when loaded and how to handle TPM_Startup issues.
+*/
+
+#define TPM_KEY_CONTROL_OWNER_EVICT 0x00000001 /* Owner controls when the key is evicted
+ from the TPM. When set the TPM MUST
+ preserve key the key across all TPM_Init
+ invocations. */
+
+/* 13.1.1 TPM_TRANSPORT_ATTRIBUTES Definitions */
+
+#define TPM_TRANSPORT_ENCRYPT 0x00000001 /* The session will provide encryption using
+ the internal encryption algorithm */
+#define TPM_TRANSPORT_LOG 0x00000002 /* The session will provide a log of all
+ operations that occur in the session */
+#define TPM_TRANSPORT_EXCLUSIVE 0X00000004 /* The transport session is exclusive and
+ any command executed outside the
+ transport session causes the invalidation
+ of the session */
+
+/* 21.1 TPM_CAPABILITY_AREA rev 115
+
+ To identify a capability to be queried.
+*/
+
+#define TPM_CAP_ORD 0x00000001 /* Boolean value. TRUE indicates that the TPM supports
+ the ordinal. FALSE indicates that the TPM does not
+ support the ordinal. Unimplemented optional ordinals
+ and unused (unassigned) ordinals return FALSE. */
+#define TPM_CAP_ALG 0x00000002 /* Boolean value. TRUE means that the TPM supports the
+ asymmetric algorithm for TPM_Sign, TPM_Seal,
+ TPM_UnSeal and TPM_UnBind and related commands. FALSE
+ indicates that the asymmetric algorithm is not
+ supported for these types of commands. The TPM MAY
+ return TRUE or FALSE for other than asymmetric
+ algoroithms that it supports. Unassigned and
+ unsupported algorithm IDs return FALSE.*/
+
+#define TPM_CAP_PID 0x00000003 /* Boolean value. TRUE indicates that the TPM supports
+ the protocol, FALSE indicates that the TPM does not
+ support the protocol. */
+#define TPM_CAP_FLAG 0x00000004 /* Return the TPM_PERMANENT_FLAGS structure or Return the
+ TPM_STCLEAR_FLAGS structure */
+#define TPM_CAP_PROPERTY 0x00000005 /* See following table for the subcaps */
+#define TPM_CAP_VERSION 0x00000006 /* TPM_STRUCT_VER structure. The Major and Minor must
+ indicate 1.1. The firmware revision MUST indicate
+ 0.0 */
+#define TPM_CAP_KEY_HANDLE 0x00000007 /* A TPM_KEY_HANDLE_LIST structure that enumerates all
+ key handles loaded on the TPM. */
+#define TPM_CAP_CHECK_LOADED 0x00000008 /* A Boolean value. TRUE indicates that the TPM has
+ enough memory available to load a key of the type
+ specified by TPM_KEY_PARMS. FALSE indicates that the
+ TPM does not have enough memory. */
+#define TPM_CAP_SYM_MODE 0x00000009 /* Subcap TPM_SYM_MODE
+ A Boolean value. TRUE indicates that the TPM supports
+ the TPM_SYM_MODE, FALSE indicates the TPM does not
+ support the mode. */
+#define TPM_CAP_KEY_STATUS 0x0000000C /* Boolean value of ownerEvict. The handle MUST point to
+ a valid key handle.*/
+#define TPM_CAP_NV_LIST 0x0000000D /* A list of TPM_NV_INDEX values that are currently
+ allocated NV storage through TPM_NV_DefineSpace. */
+#define TPM_CAP_MFR 0x00000010 /* Manufacturer specific. The manufacturer may provide
+ any additional information regarding the TPM and the
+ TPM state but MUST not expose any sensitive
+ information. */
+#define TPM_CAP_NV_INDEX 0x00000011 /* A TPM_NV_DATA_PUBLIC structure that indicates the
+ values for the TPM_NV_INDEX. Returns TPM_BADINDEX if
+ the index is not in the TPM_CAP_NV_LIST list. */
+#define TPM_CAP_TRANS_ALG 0x00000012 /* Boolean value. TRUE means that the TPM supports the
+ algorithm for TPM_EstablishTransport,
+ TPM_ExecuteTransport and
+ TPM_ReleaseTransportSigned. FALSE indicates that for
+ these three commands the algorithm is not supported."
+ */
+#define TPM_CAP_HANDLE 0x00000014 /* A TPM_KEY_HANDLE_LIST structure that enumerates all
+ handles currently loaded in the TPM for the given
+ resource type. */
+#define TPM_CAP_TRANS_ES 0x00000015 /* Boolean value. TRUE means the TPM supports the
+ encryption scheme in a transport session for at least
+ one algorithm.. */
+#define TPM_CAP_AUTH_ENCRYPT 0x00000017 /* Boolean value. TRUE indicates that the TPM supports
+ the encryption algorithm in OSAP encryption of
+ AuthData values */
+#define TPM_CAP_SELECT_SIZE 0x00000018 /* Boolean value. TRUE indicates that the TPM supports
+ the size for the given version. For instance a request
+ could ask for version 1.1 size 2 and the TPM would
+ indicate TRUE. For 1.1 size 3 the TPM would indicate
+ FALSE. For 1.2 size 3 the TPM would indicate TRUE. */
+#define TPM_CAP_DA_LOGIC 0x00000019 /* (OPTIONAL)
+ A TPM_DA_INFO or TPM_DA_INFO_LIMITED structure that
+ returns data according to the selected entity type
+ (e.g., TPM_ET_KEYHANDLE, TPM_ET_OWNER, TPM_ET_SRK,
+ TPM_ET_COUNTER, TPM_ET_OPERATOR, etc.). If the
+ implemented dictionary attack logic does not support
+ different secret types, the entity type can be
+ ignored. */
+#define TPM_CAP_VERSION_VAL 0x0000001A /* TPM_CAP_VERSION_INFO structure. The TPM fills in the
+ structure and returns the information indicating what
+ the TPM currently supports. */
+
+#define TPM_CAP_FLAG_PERMANENT 0x00000108 /* Return the TPM_PERMANENT_FLAGS structure */
+#define TPM_CAP_FLAG_VOLATILE 0x00000109 /* Return the TPM_STCLEAR_FLAGS structure */
+
+/* 21.2 CAP_PROPERTY Subcap values for CAP_PROPERTY rev 105
+
+ The TPM_CAP_PROPERTY capability has numerous subcap values. The definition for all subcap values
+ occurs in this table.
+
+ TPM_CAP_PROP_MANUFACTURER returns a vendor ID unique to each manufacturer. The same value is
+ returned as the TPM_CAP_VERSION_INFO -> tpmVendorID. A company abbreviation such as a null
+ terminated stock ticker is a typical choice. However, there is no requirement that the value
+ contain printable characters. The document "TCG Vendor Naming" lists the vendor ID values.
+
+ TPM_CAP_PROP_MAX_xxxSESS is a constant. At TPM_Startup(ST_CLEAR) TPM_CAP_PROP_xxxSESS ==
+ TPM_CAP_PROP_MAX_xxxSESS. As sessions are created on the TPM, TPM_CAP_PROP_xxxSESS decreases
+ toward zero. As sessions are terminated, TPM_CAP_PROP_xxxSESS increases toward
+ TPM_CAP_PROP_MAX_xxxSESS.
+
+ There is a similar relationship between the constants TPM_CAP_PROP_MAX_COUNTERS and
+ TPM_CAP_PROP_MAX_CONTEXT and the varying TPM_CAP_PROP_COUNTERS and TPM_CAP_PROP_CONTEXT.
+
+ In one typical implementation where authorization and transport sessions reside in separate
+ pools, TPM_CAP_PROP_SESSIONS will be the sum of TPM_CAP_PROP_AUTHSESS and TPM_CAP_PROP_TRANSESS.
+ In another typical implementation where authorization and transport sessions share the same pool,
+ TPM_CAP_PROP_SESSIONS, TPM_CAP_PROP_AUTHSESS, and TPM_CAP_PROP_TRANSESS will all be equal.
+*/
+
+#define TPM_CAP_PROP_PCR 0x00000101 /* uint32_t value. Returns the number of PCR
+ registers supported by the TPM */
+#define TPM_CAP_PROP_DIR 0x00000102 /* uint32_t. Deprecated. Returns the number of
+ DIR, which is now fixed at 1 */
+#define TPM_CAP_PROP_MANUFACTURER 0x00000103 /* uint32_t value. Returns the vendor ID
+ unique to each TPM manufacturer. */
+#define TPM_CAP_PROP_KEYS 0x00000104 /* uint32_t value. Returns the number of 2048-
+ bit RSA keys that can be loaded. This may
+ vary with time and circumstances. */
+#define TPM_CAP_PROP_MIN_COUNTER 0x00000107 /* uint32_t. The minimum amount of time in
+ 10ths of a second that must pass between
+ invocations of incrementing the monotonic
+ counter. */
+#define TPM_CAP_PROP_AUTHSESS 0x0000010A /* uint32_t. The number of available
+ authorization sessions. This may vary with
+ time and circumstances. */
+#define TPM_CAP_PROP_TRANSESS 0x0000010B /* uint32_t. The number of available transport
+ sessions. This may vary with time and
+ circumstances. */
+#define TPM_CAP_PROP_COUNTERS 0x0000010C /* uint32_t. The number of available monotonic
+ counters. This may vary with time and
+ circumstances. */
+#define TPM_CAP_PROP_MAX_AUTHSESS 0x0000010D /* uint32_t. The maximum number of loaded
+ authorization sessions the TPM supports */
+#define TPM_CAP_PROP_MAX_TRANSESS 0x0000010E /* uint32_t. The maximum number of loaded
+ transport sessions the TPM supports. */
+#define TPM_CAP_PROP_MAX_COUNTERS 0x0000010F /* uint32_t. The maximum number of monotonic
+ counters under control of TPM_CreateCounter
+ */
+#define TPM_CAP_PROP_MAX_KEYS 0x00000110 /* uint32_t. The maximum number of 2048 RSA
+ keys that the TPM can support. The number
+ does not include the EK or SRK. */
+#define TPM_CAP_PROP_OWNER 0x00000111 /* BOOL. A value of TRUE indicates that the
+ TPM has successfully installed an owner. */
+#define TPM_CAP_PROP_CONTEXT 0x00000112 /* uint32_t. The number of available saved
+ session slots. This may vary with time and
+ circumstances. */
+#define TPM_CAP_PROP_MAX_CONTEXT 0x00000113 /* uint32_t. The maximum number of saved
+ session slots. */
+#define TPM_CAP_PROP_FAMILYROWS 0x00000114 /* uint32_t. The maximum number of rows in the
+ family table */
+#define TPM_CAP_PROP_TIS_TIMEOUT 0x00000115 /* A 4 element array of uint32_t values each
+ denoting the timeout value in microseconds
+ for the following in this order:
+
+ TIMEOUT_A, TIMEOUT_B, TIMEOUT_C, TIMEOUT_D
+
+ Where these timeouts are to be used is
+ determined by the platform specific TPM
+ Interface Specification. */
+#define TPM_CAP_PROP_STARTUP_EFFECT 0x00000116 /* The TPM_STARTUP_EFFECTS structure */
+#define TPM_CAP_PROP_DELEGATE_ROW 0x00000117 /* uint32_t. The maximum size of the delegate
+ table in rows. */
+#define TPM_CAP_PROP_MAX_DAASESS 0x00000119 /* uint32_t. The maximum number of loaded DAA
+ sessions (join or sign) that the TPM
+ supports */
+#define TPM_CAP_PROP_DAASESS 0x0000011A /* uint32_t. The number of available DAA
+ sessions. This may vary with time and
+ circumstances */
+#define TPM_CAP_PROP_CONTEXT_DIST 0x0000011B /* uint32_t. The maximum distance between
+ context count values. This MUST be at least
+ 2^16-1. */
+#define TPM_CAP_PROP_DAA_INTERRUPT 0x0000011C /* BOOL. A value of TRUE indicates that the
+ TPM will accept ANY command while executing
+ a DAA Join or Sign.
+
+ A value of FALSE indicates that the TPM
+ will invalidate the DAA Join or Sign upon
+ the receipt of any command other than the
+ next join/sign in the session or a
+ TPM_SaveContext */
+#define TPM_CAP_PROP_SESSIONS 0X0000011D /* uint32_t. The number of available sessions
+ from the pool. This MAY vary with time and
+ circumstances. Pool sessions include
+ authorization and transport sessions. */
+#define TPM_CAP_PROP_MAX_SESSIONS 0x0000011E /* uint32_t. The maximum number of sessions
+ the TPM supports. */
+#define TPM_CAP_PROP_CMK_RESTRICTION 0x0000011F /* uint32_t TPM_Permanent_Data ->
+ restrictDelegate
+ */
+#define TPM_CAP_PROP_DURATION 0x00000120 /* A 3 element array of uint32_t values each
+ denoting the duration value in microseconds
+ of the duration of the three classes of
+ commands: Small, Medium and Long in the
+ following in this order: SMALL_DURATION,
+ MEDIUM_DURATION, LONG_DURATION */
+#define TPM_CAP_PROP_ACTIVE_COUNTER 0x00000122 /* TPM_COUNT_ID. The id of the current
+ counter. 0xff..ff if no counter is active
+ */
+#define TPM_CAP_PROP_MAX_NV_AVAILABLE 0x00000123 /*uint32_t. Deprecated. The maximum number
+ of NV space that can be allocated, MAY
+ vary with time and circumstances. This
+ capability was not implemented
+ consistently, and is replaced by
+ TPM_NV_INDEX_TRIAL. */
+#define TPM_CAP_PROP_INPUT_BUFFER 0x00000124 /* uint32_t. The maximum size of the TPM
+ input buffer or output buffer in
+ bytes. */
+
+/* 21.4 Set_Capability Values rev 107
+ */
+
+#define TPM_SET_PERM_FLAGS 0x00000001 /* The ability to set a value is field specific and
+ a review of the structure will disclose the
+ ability and requirements to set a value */
+#define TPM_SET_PERM_DATA 0x00000002 /* The ability to set a value is field specific and
+ a review of the structure will disclose the
+ ability and requirements to set a value */
+#define TPM_SET_STCLEAR_FLAGS 0x00000003 /* The ability to set a value is field specific and
+ a review of the structure will disclose the
+ ability and requirements to set a value */
+#define TPM_SET_STCLEAR_DATA 0x00000004 /* The ability to set a value is field specific and
+ a review of the structure will disclose the
+ ability and requirements to set a value */
+#define TPM_SET_STANY_FLAGS 0x00000005 /* The ability to set a value is field specific and
+ a review of the structure will disclose the
+ ability and requirements to set a value */
+#define TPM_SET_STANY_DATA 0x00000006 /* The ability to set a value is field specific and
+ a review of the structure will disclose the
+ ability and requirements to set a value */
+#define TPM_SET_VENDOR 0x00000007 /* This area allows the vendor to set specific areas
+ in the TPM according to the normal shielded
+ location requirements */
+
+/* Set Capability sub caps */
+
+/* TPM_PERMANENT_FLAGS */
+
+#define TPM_PF_DISABLE 1
+#define TPM_PF_OWNERSHIP 2
+#define TPM_PF_DEACTIVATED 3
+#define TPM_PF_READPUBEK 4
+#define TPM_PF_DISABLEOWNERCLEAR 5
+#define TPM_PF_ALLOWMAINTENANCE 6
+#define TPM_PF_PHYSICALPRESENCELIFETIMELOCK 7
+#define TPM_PF_PHYSICALPRESENCEHWENABLE 8
+#define TPM_PF_PHYSICALPRESENCECMDENABLE 9
+#define TPM_PF_CEKPUSED 10
+#define TPM_PF_TPMPOST 11
+#define TPM_PF_TPMPOSTLOCK 12
+#define TPM_PF_FIPS 13
+#define TPM_PF_OPERATOR 14
+#define TPM_PF_ENABLEREVOKEEK 15
+#define TPM_PF_NV_LOCKED 16
+#define TPM_PF_READSRKPUB 17
+#define TPM_PF_TPMESTABLISHED 18
+#define TPM_PF_MAINTENANCEDONE 19
+#define TPM_PF_DISABLEFULLDALOGICINFO 20
+
+/* TPM_STCLEAR_FLAGS */
+
+#define TPM_SF_DEACTIVATED 1
+#define TPM_SF_DISABLEFORCECLEAR 2
+#define TPM_SF_PHYSICALPRESENCE 3
+#define TPM_SF_PHYSICALPRESENCELOCK 4
+#define TPM_SF_BGLOBALLOCK 5
+
+/* TPM_STANY_FLAGS */
+
+#define TPM_AF_POSTINITIALISE 1
+#define TPM_AF_LOCALITYMODIFIER 2
+#define TPM_AF_TRANSPORTEXCLUSIVE 3
+#define TPM_AF_TOSPRESENT 4
+
+/* TPM_PERMANENT_DATA */
+
+#define TPM_PD_REVMAJOR 1
+#define TPM_PD_REVMINOR 2
+#define TPM_PD_TPMPROOF 3
+#define TPM_PD_OWNERAUTH 4
+#define TPM_PD_OPERATORAUTH 5
+#define TPM_PD_MANUMAINTPUB 6
+#define TPM_PD_ENDORSEMENTKEY 7
+#define TPM_PD_SRK 8
+#define TPM_PD_DELEGATEKEY 9
+#define TPM_PD_CONTEXTKEY 10
+#define TPM_PD_AUDITMONOTONICCOUNTER 11
+#define TPM_PD_MONOTONICCOUNTER 12
+#define TPM_PD_PCRATTRIB 13
+#define TPM_PD_ORDINALAUDITSTATUS 14
+#define TPM_PD_AUTHDIR 15
+#define TPM_PD_RNGSTATE 16
+#define TPM_PD_FAMILYTABLE 17
+#define TPM_DELEGATETABLE 18
+#define TPM_PD_EKRESET 19
+#define TPM_PD_LASTFAMILYID 21
+#define TPM_PD_NOOWNERNVWRITE 22
+#define TPM_PD_RESTRICTDELEGATE 23
+#define TPM_PD_TPMDAASEED 24
+#define TPM_PD_DAAPROOF 25
+
+/* TPM_STCLEAR_DATA */
+
+#define TPM_SD_CONTEXTNONCEKEY 1
+#define TPM_SD_COUNTID 2
+#define TPM_SD_OWNERREFERENCE 3
+#define TPM_SD_DISABLERESETLOCK 4
+#define TPM_SD_PCR 5
+#define TPM_SD_DEFERREDPHYSICALPRESENCE 6
+
+/* TPM_STCLEAR_DATA -> deferredPhysicalPresence bits */
+
+#define TPM_DPP_UNOWNED_FIELD_UPGRADE 0x00000001 /* bit 0 TPM_FieldUpgrade */
+
+/* TPM_STANY_DATA */
+
+#define TPM_AD_CONTEXTNONCESESSION 1
+#define TPM_AD_AUDITDIGEST 2
+#define TPM_AD_CURRENTTICKS 3
+#define TPM_AD_CONTEXTCOUNT 4
+#define TPM_AD_CONTEXTLIST 5
+#define TPM_AD_SESSIONS 6
+
+/* 17. Ordinals rev 110
+
+ Ordinals are 32 bit values of type TPM_COMMAND_CODE. The upper byte contains values that serve
+ as flag indicators, the next byte contains values indicating what committee designated the
+ ordinal, and the final two bytes contain the Command Ordinal Index.
+
+ 3 2 1
+ 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |P|C|V| Reserved| Purview | Command Ordinal Index |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Where:
+
+ P is Protected/Unprotected command. When 0 the command is a Protected command, when 1 the
+ command is an Unprotected command.
+
+ C is Non-Connection/Connection related command. When 0 this command passes through to either the
+ protected (TPM) or unprotected (TSS) components.
+
+ V is TPM/Vendor command. When 0 the command is TPM defined, when 1 the command is vendor
+ defined.
+
+ All reserved area bits are set to 0.
+*/
+
+/* The following masks are created to allow for the quick definition of the commands */
+
+#define TPM_PROTECTED_COMMAND 0x00000000 /* TPM protected command, specified in main specification
+ */
+#define TPM_UNPROTECTED_COMMAND 0x80000000 /* TSS command, specified in the TSS specification */
+#define TPM_CONNECTION_COMMAND 0x40000000 /* TSC command, protected connection commands are
+ specified in the main specification Unprotected
+ connection commands are specified in the TSS */
+#define TPM_VENDOR_COMMAND 0x20000000 /* Command that is vendor specific for a given TPM or
+ TSS. */
+
+
+/* The following Purviews have been defined: */
+
+#define TPM_MAIN 0x00 /* Command is from the main specification */
+#define TPM_PC 0x01 /* Command is specific to the PC */
+#define TPM_PDA 0x02 /* Command is specific to a PDA */
+#define TPM_CELL_PHONE 0x03 /* Command is specific to a cell phone */
+#define TPM_SERVER 0x04 /* Command is specific to servers */
+#define TPM_PERIPHERAL 0x05 /* Command is specific to peripherals */
+//#define TPM_TSS 0x06 /* Command is specific to TSS */
+
+/* Combinations for the main specification would be: */
+
+#define TPM_PROTECTED_ORDINAL (TPM_PROTECTED_COMMAND | TPM_MAIN)
+#define TPM_UNPROTECTED_ORDINAL (TPM_UNPROTECTED_COMMAND | TPM_MAIN)
+#define TPM_CONNECTION_ORDINAL (TPM_CONNECTION_COMMAND | TPM_MAIN)
+
+/* Command ordinals */
+
+#define TPM_ORD_ActivateIdentity 0x0000007A
+#define TPM_ORD_AuthorizeMigrationKey 0x0000002B
+#define TPM_ORD_CertifyKey 0x00000032
+#define TPM_ORD_CertifyKey2 0x00000033
+#define TPM_ORD_CertifySelfTest 0x00000052
+#define TPM_ORD_ChangeAuth 0x0000000C
+#define TPM_ORD_ChangeAuthAsymFinish 0x0000000F
+#define TPM_ORD_ChangeAuthAsymStart 0x0000000E
+#define TPM_ORD_ChangeAuthOwner 0x00000010
+#define TPM_ORD_CMK_ApproveMA 0x0000001D
+#define TPM_ORD_CMK_ConvertMigration 0x00000024
+#define TPM_ORD_CMK_CreateBlob 0x0000001B
+#define TPM_ORD_CMK_CreateKey 0x00000013
+#define TPM_ORD_CMK_CreateTicket 0x00000012
+#define TPM_ORD_CMK_SetRestrictions 0x0000001C
+#define TPM_ORD_ContinueSelfTest 0x00000053
+#define TPM_ORD_ConvertMigrationBlob 0x0000002A
+#define TPM_ORD_CreateCounter 0x000000DC
+#define TPM_ORD_CreateEndorsementKeyPair 0x00000078
+#define TPM_ORD_CreateMaintenanceArchive 0x0000002C
+#define TPM_ORD_CreateMigrationBlob 0x00000028
+#define TPM_ORD_CreateRevocableEK 0x0000007F
+#define TPM_ORD_CreateWrapKey 0x0000001F
+#define TPM_ORD_DAA_Join 0x00000029
+#define TPM_ORD_DAA_Sign 0x00000031
+#define TPM_ORD_Delegate_CreateKeyDelegation 0x000000D4
+#define TPM_ORD_Delegate_CreateOwnerDelegation 0x000000D5
+#define TPM_ORD_Delegate_LoadOwnerDelegation 0x000000D8
+#define TPM_ORD_Delegate_Manage 0x000000D2
+#define TPM_ORD_Delegate_ReadTable 0x000000DB
+#define TPM_ORD_Delegate_UpdateVerification 0x000000D1
+#define TPM_ORD_Delegate_VerifyDelegation 0x000000D6
+#define TPM_ORD_DirRead 0x0000001A
+#define TPM_ORD_DirWriteAuth 0x00000019
+#define TPM_ORD_DisableForceClear 0x0000005E
+#define TPM_ORD_DisableOwnerClear 0x0000005C
+#define TPM_ORD_DisablePubekRead 0x0000007E
+#define TPM_ORD_DSAP 0x00000011
+#define TPM_ORD_EstablishTransport 0x000000E6
+#define TPM_ORD_EvictKey 0x00000022
+#define TPM_ORD_ExecuteTransport 0x000000E7
+#define TPM_ORD_Extend 0x00000014
+#define TPM_ORD_FieldUpgrade 0x000000AA
+#define TPM_ORD_FlushSpecific 0x000000BA
+#define TPM_ORD_ForceClear 0x0000005D
+#define TPM_ORD_GetAuditDigest 0x00000085
+#define TPM_ORD_GetAuditDigestSigned 0x00000086
+#define TPM_ORD_GetAuditEvent 0x00000082
+#define TPM_ORD_GetAuditEventSigned 0x00000083
+#define TPM_ORD_GetCapability 0x00000065
+#define TPM_ORD_GetCapabilityOwner 0x00000066
+#define TPM_ORD_GetCapabilitySigned 0x00000064
+#define TPM_ORD_GetOrdinalAuditStatus 0x0000008C
+#define TPM_ORD_GetPubKey 0x00000021
+#define TPM_ORD_GetRandom 0x00000046
+#define TPM_ORD_GetTestResult 0x00000054
+#define TPM_ORD_GetTicks 0x000000F1
+#define TPM_ORD_IncrementCounter 0x000000DD
+#define TPM_ORD_Init 0x00000097
+#define TPM_ORD_KeyControlOwner 0x00000023
+#define TPM_ORD_KillMaintenanceFeature 0x0000002E
+#define TPM_ORD_LoadAuthContext 0x000000B7
+#define TPM_ORD_LoadContext 0x000000B9
+#define TPM_ORD_LoadKey 0x00000020
+#define TPM_ORD_LoadKey2 0x00000041
+#define TPM_ORD_LoadKeyContext 0x000000B5
+#define TPM_ORD_LoadMaintenanceArchive 0x0000002D
+#define TPM_ORD_LoadManuMaintPub 0x0000002F
+#define TPM_ORD_MakeIdentity 0x00000079
+#define TPM_ORD_MigrateKey 0x00000025
+#define TPM_ORD_NV_DefineSpace 0x000000CC
+#define TPM_ORD_NV_ReadValue 0x000000CF
+#define TPM_ORD_NV_ReadValueAuth 0x000000D0
+#define TPM_ORD_NV_WriteValue 0x000000CD
+#define TPM_ORD_NV_WriteValueAuth 0x000000CE
+#define TPM_ORD_OIAP 0x0000000A
+#define TPM_ORD_OSAP 0x0000000B
+#define TPM_ORD_OwnerClear 0x0000005B
+#define TPM_ORD_OwnerReadInternalPub 0x00000081
+#define TPM_ORD_OwnerReadPubek 0x0000007D
+#define TPM_ORD_OwnerSetDisable 0x0000006E
+#define TPM_ORD_PCR_Reset 0x000000C8
+#define TPM_ORD_PcrRead 0x00000015
+#define TPM_ORD_PhysicalDisable 0x00000070
+#define TPM_ORD_PhysicalEnable 0x0000006F
+#define TPM_ORD_PhysicalSetDeactivated 0x00000072
+#define TPM_ORD_Quote 0x00000016
+#define TPM_ORD_Quote2 0x0000003E
+#define TPM_ORD_ReadCounter 0x000000DE
+#define TPM_ORD_ReadManuMaintPub 0x00000030
+#define TPM_ORD_ReadPubek 0x0000007C
+#define TPM_ORD_ReleaseCounter 0x000000DF
+#define TPM_ORD_ReleaseCounterOwner 0x000000E0
+#define TPM_ORD_ReleaseTransportSigned 0x000000E8
+#define TPM_ORD_Reset 0x0000005A
+#define TPM_ORD_ResetLockValue 0x00000040
+#define TPM_ORD_RevokeTrust 0x00000080
+#define TPM_ORD_SaveAuthContext 0x000000B6
+#define TPM_ORD_SaveContext 0x000000B8
+#define TPM_ORD_SaveKeyContext 0x000000B4
+#define TPM_ORD_SaveState 0x00000098
+#define TPM_ORD_Seal 0x00000017
+#define TPM_ORD_Sealx 0x0000003D
+#define TPM_ORD_SelfTestFull 0x00000050
+#define TPM_ORD_SetCapability 0x0000003F
+#define TPM_ORD_SetOperatorAuth 0x00000074
+#define TPM_ORD_SetOrdinalAuditStatus 0x0000008D
+#define TPM_ORD_SetOwnerInstall 0x00000071
+#define TPM_ORD_SetOwnerPointer 0x00000075
+#define TPM_ORD_SetRedirection 0x0000009A
+#define TPM_ORD_SetTempDeactivated 0x00000073
+#define TPM_ORD_SHA1Complete 0x000000A2
+#define TPM_ORD_SHA1CompleteExtend 0x000000A3
+#define TPM_ORD_SHA1Start 0x000000A0
+#define TPM_ORD_SHA1Update 0x000000A1
+#define TPM_ORD_Sign 0x0000003C
+#define TPM_ORD_Startup 0x00000099
+#define TPM_ORD_StirRandom 0x00000047
+#define TPM_ORD_TakeOwnership 0x0000000D
+#define TPM_ORD_Terminate_Handle 0x00000096
+#define TPM_ORD_TickStampBlob 0x000000F2
+#define TPM_ORD_UnBind 0x0000001E
+#define TPM_ORD_Unseal 0x00000018
+
+#define TSC_ORD_PhysicalPresence 0x4000000A
+#define TSC_ORD_ResetEstablishmentBit 0x4000000B
+
+/* 19. NV storage structures */
+
+/* 19.1 TPM_NV_INDEX rev 110
+
+ The index provides the handle to identify the area of storage. The reserved bits allow for a
+ segregation of the index name space to avoid name collisions.
+
+ The TPM may check the resvd bits for zero. Thus, applications should set the bits to zero.
+
+ The TCG defines the space where the high order bits (T, P, U) are 0. The other spaces are
+ controlled by the indicated entity.
+
+ T is the TPM manufacturer reserved bit. 0 indicates a TCG defined value. 1 indicates a TPM
+ manufacturer specific value.
+
+ P is the platform manufacturer reserved bit. 0 indicates a TCG defined value. 1 indicates that
+ the index is controlled by the platform manufacturer.
+
+ U is for the platform user. 0 indicates a TCG defined value. 1 indicates that the index is
+ controlled by the platform user.
+
+ The TPM_NV_INDEX is a 32-bit value.
+ 3 2 1
+ 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |T|P|U|D| resvd | Purview | Index |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Where:
+
+ 1. The TPM MAY return an error if the reserved area bits are not set to 0.
+
+ 2. The TPM MUST accept all values for T, P, and U
+
+ 3. D indicates defined. 1 indicates that the index is permanently defined and that any
+ TPM_NV_DefineSpace operation will fail after nvLocked is set TRUE.
+
+ a. TCG reserved areas MAY have D set to 0 or 1
+
+ 4. Purview is the value used to indicate the platform specific area. This value is the
+ same as used for command ordinals.
+
+ a. The TPM MUST reject purview values that the TPM cannot support. This means that an
+ index value for a PDA MUST be rejected by a TPM designed to work only on the PC Client.
+*/
+
+#define TPM_NV_INDEX_T_BIT 0x80000000
+#define TPM_NV_INDEX_P_BIT 0x40000000
+#define TPM_NV_INDEX_U_BIT 0x20000000
+#define TPM_NV_INDEX_D_BIT 0x10000000
+/* added kgold */
+#define TPM_NV_INDEX_RESVD 0x0f000000
+#define TPM_NV_INDEX_PURVIEW_BIT 16
+#define TPM_NV_INDEX_PURVIEW_MASK 0x00ff0000
+
+/* 19.1.1 Required TPM_NV_INDEX values rev 97
+
+ The required index values must be found on each TPM regardless of platform. These areas are
+ always present and do not require a TPM_DefineSpace command to allocate.
+
+ A platform specific specification may add additional required index values for the platform.
+
+ The TPM MUST reserve the space as indicated for the required index values
+*/
+
+#define TPM_NV_INDEX_LOCK 0xFFFFFFFF /* This value turns on the NV authorization
+ protections. Once executed all NV areas use the
+ protections as defined. This value never resets.
+
+ Attempting to execute TPM_NV_DefineSpace on this value
+ with non-zero size MAY result in a TPM_BADINDEX
+ response.
+ */
+
+#define TPM_NV_INDEX0 0x00000000 /* This value allows for the setting of the bGlobalLock
+ flag, which is only reset on TPM_Startup(ST_Clear)
+
+ Attempting to execute TPM_NV_WriteValue with a size other
+ than zero MAY result in the TPM_BADINDEX error code.
+ */
+
+#define TPM_NV_INDEX_DIR 0x10000001 /* Size MUST be 20. This index points to the deprecated DIR
+ command area from 1.1. The TPM MUST map this reserved
+ space to be the area operated on by the 1.1 DIR commands.
+ */
+
+/* 19.1.2 Reserved Index values rev 116
+
+ The reserved values are defined to avoid index collisions. These values are not in each and every
+ TPM.
+
+ 1. The reserved index values are to avoid index value collisions.
+ 2. These index values require a TPM_DefineSpace to have the area for the index allocated
+ 3. A platform specific specification MAY indicate that reserved values are required.
+ 4. The reserved index values MAY have their D bit set by the TPM vendor to permanently
+*/
+
+#define TPM_NV_INDEX_TPM 0x0000Fxxx /* Reserved for TPM use */
+#define TPM_NV_INDEX_EKCert 0x1000F000 /* The Endorsement credential */
+
+#define TPM_NV_INDEX_TPM_CC 0x0000F001 /* The TPM Conformance credential */
+#define TPM_NV_INDEX_PlatformCert 0x0000F002 /* The platform credential */
+#define TPM_NV_INDEX_Platform_CC 0x0000F003 /* The Platform conformance credential */
+#define TPM_NV_INDEX_TRIAL 0x0000F004 /* To try TPM_NV_DefineSpace without
+ actually allocating NV space */
+
+#if 0
+#define TPM_NV_INDEX_PC 0x0001xxxx /* Reserved for PC Client use */
+#define TPM_NV_INDEX_GPIO_xx 0x000116xx /* Reserved for GPIO pins */
+#define TPM_NV_INDEX_PDA 0x0002xxxx /* Reserved for PDA use */
+#define TPM_NV_INDEX_MOBILE 0x0003xxxx /* Reserved for mobile use */
+#define TPM_NV_INDEX_SERVER 0x0004xxxx /* Reserved for Server use */
+#define TPM_NV_INDEX_PERIPHERAL 0x0005xxxx /* Reserved for peripheral use */
+#define TPM_NV_INDEX_TSS 0x0006xxxx /* Reserved for TSS use */
+#define TPM_NV_INDEX_GROUP_RESV 0x00xxxxxx /* Reserved for TCG WG use */
+#endif
+
+#define TPM_NV_INDEX_GPIO_00 0x00011600 /* GPIO-Express-00 */
+
+#define TPM_NV_INDEX_GPIO_START 0x00011600 /* Reserved for GPIO pins */
+#define TPM_NV_INDEX_GPIO_END 0x000116ff /* Reserved for GPIO pins */
+
+/* 19.2 TPM_NV_ATTRIBUTES rev 99
+
+ The attributes TPM_NV_PER_AUTHREAD and TPM_NV_PER_OWNERREAD cannot both be set to TRUE.
+ Similarly, the attributes TPM_NV_PER_AUTHWRITE and TPM_NV_PER_OWNERWRITE cannot both be set to
+ TRUE.
+*/
+
+#define TPM_NV_PER_READ_STCLEAR 0x80000000 /* 31: The value can be read until locked by a
+ read with a data size of 0. It can only be
+ unlocked by TPM_Startup(ST_Clear) or a
+ successful write. Lock held for each area in
+ bReadSTClear. */
+/* #define 30:19 Reserved */
+#define TPM_NV_PER_AUTHREAD 0x00040000 /* 18: The value requires authorization to read
+ */
+#define TPM_NV_PER_OWNERREAD 0x00020000 /* 17: The value requires TPM Owner authorization
+ to read. */
+#define TPM_NV_PER_PPREAD 0x00010000 /* 16: The value requires physical presence to
+ read */
+#define TPM_NV_PER_GLOBALLOCK 0x00008000 /* 15: The value is writable until a write to
+ index 0 is successful. The lock of this
+ attribute is reset by
+ TPM_Startup(ST_CLEAR). Lock held by SF ->
+ bGlobalLock */
+#define TPM_NV_PER_WRITE_STCLEAR 0x00004000 /* 14: The value is writable until a write to
+ the specified index with a datasize of 0 is
+ successful. The lock of this attribute is
+ reset by TPM_Startup(ST_CLEAR). Lock held for
+ each area in bWriteSTClear. */
+#define TPM_NV_PER_WRITEDEFINE 0x00002000 /* 13: Lock set by writing to the index with a
+ datasize of 0. Lock held for each area in
+ bWriteDefine. This is a persistent lock. */
+#define TPM_NV_PER_WRITEALL 0x00001000 /* 12: The value must be written in a single
+ operation */
+/* #define 11:3 Reserved for write additions */
+#define TPM_NV_PER_AUTHWRITE 0x00000004 /* 2: The value requires authorization to write
+ */
+#define TPM_NV_PER_OWNERWRITE 0x00000002 /* 1: The value requires TPM Owner authorization
+ to write */
+#define TPM_NV_PER_PPWRITE 0x00000001 /* 0: The value requires physical presence to
+ write */
+
+/* 20.2.1 Owner Permission Settings rev 87 */
+
+/* Per1 bits */
+
+#define TPM_DELEGATE_PER1_MASK 0xffffffff /* mask of legal bits */
+#define TPM_DELEGATE_KeyControlOwner 31
+#define TPM_DELEGATE_SetOrdinalAuditStatus 30
+#define TPM_DELEGATE_DirWriteAuth 29
+#define TPM_DELEGATE_CMK_ApproveMA 28
+#define TPM_DELEGATE_NV_WriteValue 27
+#define TPM_DELEGATE_CMK_CreateTicket 26
+#define TPM_DELEGATE_NV_ReadValue 25
+#define TPM_DELEGATE_Delegate_LoadOwnerDelegation 24
+#define TPM_DELEGATE_DAA_Join 23
+#define TPM_DELEGATE_AuthorizeMigrationKey 22
+#define TPM_DELEGATE_CreateMaintenanceArchive 21
+#define TPM_DELEGATE_LoadMaintenanceArchive 20
+#define TPM_DELEGATE_KillMaintenanceFeature 19
+#define TPM_DELEGATE_OwnerReadInternalPub 18
+#define TPM_DELEGATE_ResetLockValue 17
+#define TPM_DELEGATE_OwnerClear 16
+#define TPM_DELEGATE_DisableOwnerClear 15
+#define TPM_DELEGATE_NV_DefineSpace 14
+#define TPM_DELEGATE_OwnerSetDisable 13
+#define TPM_DELEGATE_SetCapability 12
+#define TPM_DELEGATE_MakeIdentity 11
+#define TPM_DELEGATE_ActivateIdentity 10
+#define TPM_DELEGATE_OwnerReadPubek 9
+#define TPM_DELEGATE_DisablePubekRead 8
+#define TPM_DELEGATE_SetRedirection 7
+#define TPM_DELEGATE_FieldUpgrade 6
+#define TPM_DELEGATE_Delegate_UpdateVerification 5
+#define TPM_DELEGATE_CreateCounter 4
+#define TPM_DELEGATE_ReleaseCounterOwner 3
+#define TPM_DELEGATE_Delegate_Manage 2
+#define TPM_DELEGATE_Delegate_CreateOwnerDelegation 1
+#define TPM_DELEGATE_DAA_Sign 0
+
+/* Per2 bits */
+#define TPM_DELEGATE_PER2_MASK 0x00000000 /* mask of legal bits */
+/* All reserved */
+
+/* 20.2.3 Key Permission settings rev 85 */
+
+/* Per1 bits */
+
+#define TPM_KEY_DELEGATE_PER1_MASK 0x1fffffff /* mask of legal bits */
+#define TPM_KEY_DELEGATE_CMK_ConvertMigration 28
+#define TPM_KEY_DELEGATE_TickStampBlob 27
+#define TPM_KEY_DELEGATE_ChangeAuthAsymStart 26
+#define TPM_KEY_DELEGATE_ChangeAuthAsymFinish 25
+#define TPM_KEY_DELEGATE_CMK_CreateKey 24
+#define TPM_KEY_DELEGATE_MigrateKey 23
+#define TPM_KEY_DELEGATE_LoadKey2 22
+#define TPM_KEY_DELEGATE_EstablishTransport 21
+#define TPM_KEY_DELEGATE_ReleaseTransportSigned 20
+#define TPM_KEY_DELEGATE_Quote2 19
+#define TPM_KEY_DELEGATE_Sealx 18
+#define TPM_KEY_DELEGATE_MakeIdentity 17
+#define TPM_KEY_DELEGATE_ActivateIdentity 16
+#define TPM_KEY_DELEGATE_GetAuditDigestSigned 15
+#define TPM_KEY_DELEGATE_Sign 14
+#define TPM_KEY_DELEGATE_CertifyKey2 13
+#define TPM_KEY_DELEGATE_CertifyKey 12
+#define TPM_KEY_DELEGATE_CreateWrapKey 11
+#define TPM_KEY_DELEGATE_CMK_CreateBlob 10
+#define TPM_KEY_DELEGATE_CreateMigrationBlob 9
+#define TPM_KEY_DELEGATE_ConvertMigrationBlob 8
+#define TPM_KEY_DELEGATE_Delegate_CreateKeyDelegation 7
+#define TPM_KEY_DELEGATE_ChangeAuth 6
+#define TPM_KEY_DELEGATE_GetPubKey 5
+#define TPM_KEY_DELEGATE_UnBind 4
+#define TPM_KEY_DELEGATE_Quote 3
+#define TPM_KEY_DELEGATE_Unseal 2
+#define TPM_KEY_DELEGATE_Seal 1
+#define TPM_KEY_DELEGATE_LoadKey 0
+
+/* Per2 bits */
+#define TPM_KEY_DELEGATE_PER2_MASK 0x00000000 /* mask of legal bits */
+/* All reserved */
+
+/* 20.3 TPM_FAMILY_FLAGS rev 87
+
+ These flags indicate the operational state of the delegation and family table. These flags
+ are additions to TPM_PERMANENT_FLAGS and are not stand alone values.
+*/
+
+#define TPM_DELEGATE_ADMIN_LOCK 0x00000002 /* TRUE: Some TPM_Delegate_XXX commands are locked and
+ return TPM_DELEGATE_LOCK
+
+ FALSE: TPM_Delegate_XXX commands are available
+
+ Default is FALSE */
+#define TPM_FAMFLAG_ENABLED 0x00000001 /* When TRUE the table is enabled. The default value is
+ FALSE. */
+
+/* 20.14 TPM_FAMILY_OPERATION Values rev 87
+
+ These are the opFlag values used by TPM_Delegate_Manage.
+*/
+
+#define TPM_FAMILY_CREATE 0x00000001 /* Create a new family */
+#define TPM_FAMILY_ENABLE 0x00000002 /* Set or reset the enable flag for this family. */
+#define TPM_FAMILY_ADMIN 0x00000003 /* Prevent administration of this family. */
+#define TPM_FAMILY_INVALIDATE 0x00000004 /* Invalidate a specific family row. */
+
+/* 21.9 TPM_DA_STATE rev 100
+
+ TPM_DA_STATE enumerates the possible states of the dictionary attack mitigation logic.
+*/
+
+#define TPM_DA_STATE_INACTIVE 0x00 /* The dictionary attack mitigation logic is currently
+ inactive */
+#define TPM_DA_STATE_ACTIVE 0x01 /* The dictionary attack mitigation logic is
+ active. TPM_DA_ACTION_TYPE (21.10) is in progress. */
+
+/* 21.10 TPM_DA_ACTION_TYPE rev 100
+ */
+
+/* 31-4 Reserved No information and MUST be FALSE */
+
+#define TPM_DA_ACTION_FAILURE_MODE 0x00000008 /* bit 3: The TPM is in failure mode. */
+#define TPM_DA_ACTION_DEACTIVATE 0x00000004 /* bit 2: The TPM is in the deactivated state. */
+#define TPM_DA_ACTION_DISABLE 0x00000002 /* bit 1: The TPM is in the disabled state. */
+#define TPM_DA_ACTION_TIMEOUT 0x00000001 /* bit 0: The TPM will be in a locked state for
+ TPM_DA_INFO -> actionDependValue seconds. This
+ value is dynamic, depending on the time the
+ lock has been active. */
+
+/* 22. DAA Structures rev 91
+
+ All byte and bit areas are byte arrays treated as large integers
+*/
+
+#define DAA_SIZE_r0 43
+#define DAA_SIZE_r1 43
+#define DAA_SIZE_r2 128
+#define DAA_SIZE_r3 168
+#define DAA_SIZE_r4 219
+#define DAA_SIZE_NT 20
+#define DAA_SIZE_v0 128
+#define DAA_SIZE_v1 192
+#define DAA_SIZE_NE 256
+#define DAA_SIZE_w 256
+#define DAA_SIZE_issuerModulus 256
+
+/* check that DAA_SIZE_issuerModulus will fit in DAA_scratch */
+#if (DAA_SIZE_issuerModulus != 256)
+#error "DAA_SIZE_issuerModulus must be 256"
+#endif
+
+/* 22.2 Constant definitions rev 91 */
+
+#define DAA_power0 104
+#define DAA_power1 1024
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmstructures12.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmstructures12.h
new file mode 100644
index 0000000..2d8169b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmstructures12.h
@@ -0,0 +1,2482 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 Structures */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TPMSTRUCTURES12_H
+#define TPMSTRUCTURES12_H
+
+#include <limits.h>
+#include "tpmconstants12.h"
+#include "tpmtypes12.h"
+
+/* Sanity check on build macros are centralized here, since any TPM will use this header */
+
+#if !defined (TPM_POSIX) && !defined (TPM_WINDOWS) && !defined(TPM_SKIBOOT)
+#error "Must define either TPM_POSIX TPM_SKIBOOT or TPM_WINDOWS"
+#endif
+
+#define TPM_REVISION_MAX 9999
+#ifndef TPM_REVISION
+#define TPM_REVISION TPM_REVISION_MAX
+#endif
+
+/* 5.1 TPM_STRUCT_VER rev 100
+
+ This indicates the version of the structure or TPM.
+
+ Version 1.2 deprecates the use of this structure in all other structures. The structure is not
+ deprecated as many of the structures that contain this structure are not deprecated.
+*/
+
+typedef struct tdTPM_STRUCT_VER {
+ BYTE major; /* This SHALL indicate the major version of the structure. MUST be 0x01 */
+ BYTE minor; /* This SHALL indicate the minor version of the structure. MUST be 0x01 */
+ BYTE revMajor; /* This MUST be 0x00 on output, ignored on input */
+ BYTE revMinor; /* This MUST be 0x00 on output, ignored on input */
+} TPM_STRUCT_VER;
+
+/* 5.2 TPM_VERSION_BYTE rev 87
+
+ Allocating a byte for the version information is wasteful of space. The current allocation does
+ not provide sufficient resolution to indicate completely the version of the TPM. To allow for
+ backwards compatibility the size of the structure does not change from 1.1.
+
+ To enable minor version, or revision, numbers with 2-digit resolution, the byte representing a
+ version splits into two BDC encoded nibbles. The ordering of the low and high order provides
+ backwards compatibility with existing numbering.
+
+ An example of an implementation of this is; a version of 1.23 would have the value 2 in bit
+ positions 3-0 and the value 3 in bit positions 7-4.
+
+ TPM_VERSION_BYTE is a byte. The byte is broken up according to the following rule
+
+ 7-4 leastSigVer Least significant nibble of the minor version. MUST be values within the range of
+ 0000-1001
+ 3-0 mostSigVer Most significant nibble of the minor version. MUST be values within the range of
+ 0000-1001
+*/
+
+/* 5.3 TPM_VERSION rev 116
+
+ This structure provides information relative the version of the TPM. This structure should only
+ be in use by TPM_GetCapability to provide the information relative to the TPM.
+*/
+
+typedef struct tdTPM_VERSION {
+ TPM_VERSION_BYTE major; /* This SHALL indicate the major version of the TPM, mostSigVer MUST
+ be 0x1, leastSigVer MUST be 0x0 */
+ TPM_VERSION_BYTE minor; /* This SHALL indicate the minor version of the TPM, mostSigVer MUST
+ be 0x1 or 0x2, leastSigVer MUST be 0x0 */
+ BYTE revMajor; /* This SHALL be the value of the TPM_PERMANENT_DATA -> revMajor */
+ BYTE revMinor; /* This SHALL be the value of the TPM_PERMANENT_DATA -> revMinor */
+} TPM_VERSION;
+
+/* 5.4 TPM_DIGEST rev 111
+
+ The digest value reports the result of a hash operation.
+
+ In version 1 the hash algorithm is SHA-1 with a resulting hash result being 20 bytes or 160 bits.
+
+ It is understood that algorithm agility is lost due to fixing the hash at 20 bytes and on
+ SHA-1. The reason for fixing is due to the internal use of the digest. It is the authorization
+ values, it provides the secrets for the HMAC and the size of 20 bytes determines the values that
+ can be stored and encrypted. For this reason, the size is fixed and any changes to this value
+ require a new version of the specification.
+
+ The digestSize parameter MUST indicate the block size of the algorithm and MUST be 20 or greater.
+
+ For all TPM v1 hash operations, the hash algorithm MUST be SHA-1 and the digestSize parameter is
+ therefore equal to 20.
+*/
+
+#define TPM_DIGEST_SIZE 20
+typedef BYTE TPM_DIGEST[TPM_DIGEST_SIZE];
+
+/* Redefinitions */
+
+typedef TPM_DIGEST TPM_CHOSENID_HASH; /* This SHALL be the digest of the chosen identityLabel and
+ privacyCA for a new TPM identity.*/
+
+typedef TPM_DIGEST TPM_COMPOSITE_HASH; /* This SHALL be the hash of a list of PCR indexes and PCR
+ values that a key or data is bound to. */
+
+typedef TPM_DIGEST TPM_DIRVALUE; /* This SHALL be the value of a DIR register */
+
+typedef TPM_DIGEST TPM_HMAC; /* This shall be the output of the HMAC algorithm */
+
+typedef TPM_DIGEST TPM_PCRVALUE; /* The value inside of the PCR */
+
+typedef TPM_DIGEST TPM_AUDITDIGEST; /* This SHALL be the value of the current internal audit
+ state */
+
+/* 5.5 TPM_NONCE rev 99
+
+ A nonce is a random value that provides protection from replay and other attacks. Many of the
+ commands and protocols in the specification require a nonce. This structure provides a consistent
+ view of what a nonce is.
+*/
+
+#define TPM_NONCE_SIZE 20
+typedef BYTE TPM_NONCE[TPM_NONCE_SIZE];
+
+typedef TPM_NONCE TPM_DAA_TPM_SEED; /* This SHALL be a random value generated by a TPM
+ immediately after the EK is installed in that TPM,
+ whenever an EK is installed in that TPM */
+typedef TPM_NONCE TPM_DAA_CONTEXT_SEED; /* This SHALL be a random value */
+
+/* 5.6 TPM_AUTHDATA rev 87
+
+ The authorization data is the information that is saved or passed to provide proof of ownership
+ of an entity. For version 1 this area is always 20 bytes.
+*/
+
+#define TPM_AUTHDATA_SIZE 20
+typedef BYTE TPM_AUTHDATA[TPM_AUTHDATA_SIZE];
+
+#define TPM_SECRET_SIZE 20
+typedef BYTE TPM_SECRET[TPM_SECRET_SIZE];
+
+typedef TPM_AUTHDATA TPM_ENCAUTH; /* A cipher text (encrypted) version of authorization data. The
+ encryption mechanism depends on the context. */
+
+#if 0 /* FIXME */
+/* 5.11 TPM_CHANGEAUTH_VALIDATE rev 87
+
+ This structure provides an area that will stores the new authorization data and the challenger's
+ nonce.
+*/
+
+typedef struct tdTPM_CHANGEAUTH_VALIDATE {
+ TPM_SECRET newAuthSecret; /* This SHALL be the new authorization data for the target entity */
+ TPM_NONCE n1; /* This SHOULD be a nonce, to enable the caller to verify that the
+ target TPM is on-line. */
+} TPM_CHANGEAUTH_VALIDATE;
+
+#endif
+
+
+/* PCR */
+
+/* NOTE: The TPM requires and the code assumes a multiple of CHAR_BIT (8). 48 registers (6 bytes)
+ may be a bad number, as it makes TPM_PCR_INFO and TPM_PCR_INFO_LONG indistinguishable in the
+ first two bytes. */
+
+#define TPM_NUM_PCR 24 /* Use PC Client specification values */
+
+#if (CHAR_BIT != 8)
+#error "CHAR_BIT must be 8"
+#endif
+
+#if ((TPM_NUM_PCR % 8) != 0)
+#error "TPM_NUM_PCR must be a multiple of 8"
+#endif
+
+#define TPM_DEBUG_PCR 16
+
+/* 8.1 TPM_PCR_SELECTION rev 110
+
+ This structure provides a standard method of specifying a list of PCR registers.
+*/
+
+typedef struct tdTPM_PCR_SELECTION {
+ uint16_t sizeOfSelect; /* The size in bytes of the pcrSelect structure */
+ BYTE pcrSelect[TPM_NUM_PCR/CHAR_BIT]; /* This SHALL be a bit map that indicates if a PCR
+ is active or not */
+} TPM_PCR_SELECTION;
+
+#if 0
+/* 8.2 TPM_PCR_COMPOSITE rev 97
+
+ The composite structure provides the index and value of the PCR register to be used when creating
+ the value that SEALS an entity to the composite.
+*/
+
+typedef struct tdTPM_PCR_COMPOSITE {
+ TPM_PCR_SELECTION select; /* This SHALL be the indication of which PCR values are active */
+#if 0
+ uint32_t valueSize; /* This SHALL be the size of the pcrValue field (not the number of
+ PCR's) */
+ TPM_PCRVALUE *pcrValue; /* This SHALL be an array of TPM_PCRVALUE structures. The values
+ come in the order specified by the select parameter and are
+ concatenated into a single blob */
+#endif
+ TPM_SIZED_BUFFER pcrValue;
+} TPM_PCR_COMPOSITE;
+
+/* 8.3 TPM_PCR_INFO rev 87
+
+ The TPM_PCR_INFO structure contains the information related to the wrapping of a key or the
+ sealing of data, to a set of PCRs.
+*/
+
+typedef struct tdTPM_PCR_INFO {
+ TPM_PCR_SELECTION pcrSelection; /* This SHALL be the selection of PCRs to which the
+ data or key is bound. */
+ TPM_COMPOSITE_HASH digestAtRelease; /* This SHALL be the digest of the PCR indices and
+ PCR values to verify when revealing Sealed Data
+ or using a key that was wrapped to PCRs. NOTE:
+ This is passed in by the host, and used as
+ authorization to use the key */
+ TPM_COMPOSITE_HASH digestAtCreation; /* This SHALL be the composite digest value of the
+ PCR values, at the time when the sealing is
+ performed. NOTE: This is generated at key
+ creation, but is just informative to the host,
+ not used for authorization */
+} TPM_PCR_INFO;
+
+#endif
+
+/* 8.6 TPM_LOCALITY_SELECTION rev 87
+
+ When used with localityAtCreation only one bit is set and it corresponds to the locality of the
+ command creating the structure.
+
+ When used with localityAtRelease the bits indicate which localities CAN perform the release.
+*/
+
+typedef BYTE TPM_LOCALITY_SELECTION;
+
+#define TPM_LOC_FOUR 0x10 /* Locality 4 */
+#define TPM_LOC_THREE 0x08 /* Locality 3 */
+#define TPM_LOC_TWO 0x04 /* Locality 2 */
+#define TPM_LOC_ONE 0x02 /* Locality 1 */
+#define TPM_LOC_ZERO 0x01 /* Locality 0. This is the same as the legacy interface. */
+
+#define TPM_LOC_ALL 0x1f /* kgold - added all localities */
+#define TPM_LOC_MAX 4 /* kgold - maximum value for TPM_MODIFIER_INDICATOR */
+
+/* 8.4 TPM_PCR_INFO_LONG rev 109
+
+ The TPM_PCR_INFO structure contains the information related to the wrapping of a key or the
+ sealing of data, to a set of PCRs.
+
+ The LONG version includes information necessary to properly define the configuration that creates
+ the blob using the PCR selection.
+*/
+
+/* Marshaled TPM_PCR_INFO_LONG */
+
+typedef struct tdTPM_PCR_INFO_LONG {
+ TPM_STRUCTURE_TAG tag; /* This SHALL be TPM_TAG_PCR_INFO_LONG */
+ TPM_LOCALITY_SELECTION localityAtCreation; /* This SHALL be the locality modifier of the
+ function that creates the PCR info structure */
+ TPM_LOCALITY_SELECTION localityAtRelease; /* This SHALL be the locality modifier required to
+ reveal Sealed Data or use a key that was wrapped
+ to PCRs */
+ TPM_PCR_SELECTION creationPCRSelection; /* This SHALL be the selection of PCRs active when
+ the blob is created */
+ TPM_PCR_SELECTION releasePCRSelection; /* This SHALL be the selection of PCRs to which the
+ data or key is bound. */
+ TPM_COMPOSITE_HASH digestAtCreation; /* This SHALL be the composite digest value of the
+ PCR values, at the time when the sealing is
+ performed. */
+ TPM_COMPOSITE_HASH digestAtRelease; /* This SHALL be the digest of the PCR indices and
+ PCR values to verify when revealing Sealed Data
+ or using a key that was wrapped to PCRs. */
+} TPM_PCR_INFO_LONG;
+
+#if 0
+typedef struct {
+ UINT32 PCRInfoSize;
+ TPM_PCR_INFO_LONG PCRInfo;
+} TPM4B_TPM_PCR_INFO_LONG;
+
+#endif
+
+/* 8.5 TPM_PCR_INFO_SHORT rev 87
+
+ This structure is for defining a digest at release when the only information that is necessary is
+ the release configuration.
+*/
+
+typedef struct tdTPM_PCR_INFO_SHORT {
+ TPM_PCR_SELECTION pcrSelection; /* This SHALL be the selection of PCRs that specifies the
+ digestAtRelease */
+ TPM_LOCALITY_SELECTION localityAtRelease; /* This SHALL be the locality modifier required to
+ release the information. This value must not be
+ zero (0). */
+ TPM_COMPOSITE_HASH digestAtRelease; /* This SHALL be the digest of the PCR indices and
+ PCR values to verify when revealing auth data */
+} TPM_PCR_INFO_SHORT;
+
+#if 0
+/* 8.8 TPM_PCR_ATTRIBUTES rev 107
+
+ These attributes are available on a per PCR basis.
+
+ The TPM is not required to maintain this structure internally to the TPM.
+
+ When a challenger evaluates a PCR an understanding of this structure is vital to the proper
+ understanding of the platform configuration. As this structure is static for all platforms of the
+ same type the structure does not need to be reported with each quote.
+*/
+
+typedef struct tdTPM_PCR_ATTRIBUTES {
+ TPM_BOOL pcrReset; /* A value of TRUE SHALL indicate that the PCR register can be reset
+ using the TPM_PCR_RESET command. */
+ TPM_LOCALITY_SELECTION pcrExtendLocal; /* An indication of which localities can perform
+ extends on the PCR. */
+ TPM_LOCALITY_SELECTION pcrResetLocal; /* An indication of which localities can reset the
+ PCR */
+} TPM_PCR_ATTRIBUTES;
+
+/*
+ 9. Storage Structures
+*/
+
+/* 9.1 TPM_STORED_DATA rev 87
+
+ The definition of this structure is necessary to ensure the enforcement of security properties.
+
+ This structure is in use by the TPM_Seal and TPM_Unseal commands to identify the PCR index and
+ values that must be present to properly unseal the data.
+
+ This structure only provides 1.1 data store and uses PCR_INFO
+
+ 1. This structure is created during the TPM_Seal process. The confidential data is encrypted
+ using a nonmigratable key. When the TPM_Unseal decrypts this structure the TPM_Unseal uses the
+ public information in the structure to validate the current configuration and release the
+ decrypted data
+
+ 2. When sealInfoSize is not 0 sealInfo MUST be TPM_PCR_INFO
+*/
+
+typedef struct tdTPM_STORED_DATA {
+ TPM_STRUCT_VER ver; /* This MUST be 1.1.0.0 */
+ TPM_SIZED_BUFFER sealInfo;
+#if 0
+ uint32_t sealInfoSize; /* Size of the sealInfo parameter */
+ BYTE* sealInfo; /* This SHALL be a structure of type TPM_PCR_INFO or a 0 length
+ array if the data is not bound to PCRs. */
+#endif
+ TPM_SIZED_BUFFER encData;
+#if 0
+ uint32_t encDataSize; /* This SHALL be the size of the encData parameter */
+ BYTE* encData; /* This shall be an encrypted TPM_SEALED_DATA structure containing
+ the confidential part of the data. */
+#endif
+ /* NOTE: kgold - Added this structure, a cache of PCRInfo when not NULL */
+ TPM_PCR_INFO *tpm_seal_info;
+} TPM_STORED_DATA;
+
+
+/* 9.2 TPM_STORED_DATA12 rev 101
+
+ The definition of this structure is necessary to ensure the enforcement of security properties.
+ This structure is in use by the TPM_Seal and TPM_Unseal commands to identify the PCR index and
+ values that must be present to properly unseal the data.
+
+ 1. This structure is created during the TPM_Seal process. The confidential data is encrypted
+ using a nonmigratable key. When the TPM_Unseal decrypts this structure the TPM_Unseal uses the
+ public information in the structure to validate the current configuration and release the
+ decrypted data.
+
+ 2. If sealInfoSize is not 0 then sealInfo MUST be TPM_PCR_INFO_LONG
+*/
+
+typedef struct tdTPM_STORED_DATA12 {
+ TPM_STRUCTURE_TAG tag; /* This SHALL be TPM_TAG_STORED_DATA12 */
+ TPM_ENTITY_TYPE et; /* The type of blob */
+ TPM_SIZED_BUFFER sealInfo;
+#if 0
+ uint32_t sealInfoSize; /* Size of the sealInfo parameter */
+ BYTE* sealInfo; /* This SHALL be a structure of type TPM_PCR_INFO_LONG or a 0 length
+ array if the data is not bound to PCRs. */
+#endif
+ TPM_SIZED_BUFFER encData;
+#if 0
+ uint32_t encDataSize; /* This SHALL be the size of the encData parameter */
+ BYTE* encData; /* This shall be an encrypted TPM_SEALED_DATA structure containing
+ the confidential part of the data. */
+#endif
+ /* NOTE: kgold - Added this structure, a cache of PCRInfo when not NULL */
+ TPM_PCR_INFO_LONG *tpm_seal_info_long;
+} TPM_STORED_DATA12;
+
+/* 9.3 TPM_SEALED_DATA rev 87
+
+ This structure contains confidential information related to sealed data, including the data
+ itself.
+
+ 1. To tie the TPM_STORED_DATA structure to the TPM_SEALED_DATA structure this structure contains
+ a digest of the containing TPM_STORED_DATA structure.
+
+ 2. The digest calculation does not include the encDataSize and encData parameters.
+*/
+
+typedef struct tdTPM_SEALED_DATA {
+ TPM_PAYLOAD_TYPE payload; /* This SHALL indicate the payload type of TPM_PT_SEAL */
+ TPM_SECRET authData; /* This SHALL be the authorization data for this value */
+ TPM_SECRET tpmProof; /* This SHALL be a copy of TPM_PERMANENT_FLAGS -> tpmProof */
+ TPM_DIGEST storedDigest; /* This SHALL be a digest of the TPM_STORED_DATA structure,
+ excluding the fields TPM_STORED_DATA -> encDataSize and
+ TPM_STORED_DATA -> encData. */
+ TPM_SIZED_BUFFER data; /* This SHALL be the data to be sealed */
+#if 0
+ uint32_t dataSize; /* This SHALL be the size of the data parameter */
+ BYTE* data; /* This SHALL be the data to be sealed */
+#endif
+} TPM_SEALED_DATA;
+
+#endif
+
+
+/* 9.4 TPM_SYMMETRIC_KEY rev 87
+
+ This structure describes a symmetric key, used during the process "Collating a Request for a
+ Trusted Platform Module Identity".
+*/
+
+typedef struct tdTPM_SYMMETRIC_KEY {
+ TPM_ALGORITHM_ID algId; /* This SHALL be the algorithm identifier of the symmetric key. */
+ TPM_ENC_SCHEME encScheme; /* This SHALL fully identify the manner in which the key will be
+ used for encryption operations. */
+ uint16_t size; /* This SHALL be the size of the data parameter in bytes */
+ BYTE data[MAX_SYM_KEY_BYTES]; /* This SHALL be the symmetric key data */
+} TPM_SYMMETRIC_KEY;
+
+#if 0
+
+/* 9.5 TPM_BOUND_DATA rev 87
+
+ This structure is defined because it is used by a TPM_UnBind command in a consistency check.
+
+ The intent of TCG is to promote "best practice" heuristics for the use of keys: a signing key
+ shouldn't be used for storage, and so on. These heuristics are used because of the potential
+ threats that arise when the same key is used in different ways. The heuristics minimize the
+ number of ways in which a given key can be used.
+
+ One such heuristic is that a key of type TPM_KEY_BIND, and no other type of key, should always be
+ used to create the blob that is unwrapped by TPM_UnBind. Binding is not a TPM function, so the
+ only choice is to perform a check for the correct payload type when a blob is unwrapped by a key
+ of type TPM_KEY_BIND. This requires the blob to have internal structure.
+
+ Even though payloadData has variable size, TPM_BOUND_DATA deliberately does not include the size
+ of payloadData. This is to maximise the size of payloadData that can be encrypted when
+ TPM_BOUND_DATA is encrypted in a single block. When using TPM-UnBind to obtain payloadData, the
+ size of payloadData is deduced as a natural result of the (RSA) decryption process.
+
+ 1. This structure MUST be used for creating data when (wrapping with a key of type TPM_KEY_BIND)
+ or (wrapping using the encryption algorithm TPM_ES_RSAESOAEP_SHA1_MGF1). If it is not, the
+ TPM_UnBind command will fail.
+*/
+
+typedef struct tdTPM_BOUND_DATA {
+ TPM_STRUCT_VER ver; /* This MUST be 1.1.0.0 */
+ TPM_PAYLOAD_TYPE payload; /* This SHALL be the value TPM_PT_BIND */
+ uint32_t payloadDataSize; /* NOTE: added, not part of serialization */
+ BYTE *payloadData; /* The bound data */
+} TPM_BOUND_DATA;
+
+#endif
+
+/*
+ 10. TPM_KEY Complex
+*/
+
+/* 10.1.1 TPM_RSA_KEY_PARMS rev 87
+
+ This structure describes the parameters of an RSA key.
+*/
+
+typedef struct tdTPM_RSA_KEY_PARMS {
+ uint32_t keyLength; /* This specifies the size of the RSA key in bits */
+ uint32_t numPrimes; /* This specifies the number of prime factors used by this RSA key. */
+ uint32_t exponentSize; /* This SHALL be the size of the exponent. If the key is using the
+ the default public exponent then the exponentSize MUST be 0. */
+ uint8_t exponent[4]; /* The public exponent of this key */
+} TPM_RSA_KEY_PARMS;
+
+/* 10.1.2 TPM_SYMMETRIC_KEY_PARMS rev 87
+
+ This structure describes the parameters for symmetric algorithms
+*/
+
+typedef struct tdTPM_SYMMETRIC_KEY_PARMS {
+ uint32_t keyLength; /* This SHALL indicate the length of the key in bits */
+ uint32_t blockSize; /* This SHALL indicate the block size of the algorithm*/
+ TPM2B_IV iv; /* The initialization vector */
+} TPM_SYMMETRIC_KEY_PARMS;
+
+/* 10.1 TPM_KEY_PARMS rev 87
+
+ This provides a standard mechanism to define the parameters used to generate a key pair, and to
+ store the parts of a key shared between the public and private key parts.
+*/
+
+typedef union {
+ TPM_RSA_KEY_PARMS rsaParms;
+ TPM_SYMMETRIC_KEY_PARMS symParms;
+} TPMU_PARMS;
+
+/* Marshaled TPMU_PARMS */
+
+#if 0
+typedef struct {
+ UINT32 parmSize;
+ TPMU_PARMS parms;
+} TPM4B_PARMS;
+#endif
+
+typedef struct {
+ TPM_ALGORITHM_ID algorithmID; /* This SHALL be the key algorithm in use */
+ TPM_ENC_SCHEME encScheme; /* This SHALL be the encryption scheme that the key uses to encrypt
+ information */
+ TPM_SIG_SCHEME sigScheme; /* This SHALL be the signature scheme that the key uses to perform
+ digital signatures */
+ TPMU_PARMS parms;
+} TPM_KEY_PARMS;
+
+#if 0
+
+/* 10.7 TPM_STORE_PRIVKEY rev 87
+
+ This structure can be used in conjunction with a corresponding TPM_PUBKEY to construct a private
+ key which can be unambiguously used.
+*/
+
+#if 0
+typedef struct tdTPM_STORE_PRIVKEY {
+ uint32_t keyLength; /* This SHALL be the length of the key field. */
+ BYTE* key; /* This SHALL be a structure interpreted according to the algorithm Id in
+ the corresponding TPM_KEY structure. */
+} TPM_STORE_PRIVKEY;
+#endif
+
+/* NOTE: Hard coded for RSA keys. This will change if other algorithms are supported */
+
+typedef struct tdTPM_STORE_PRIVKEY {
+ TPM_SIZED_BUFFER d_key; /* private key */
+ TPM_SIZED_BUFFER p_key; /* private prime factor */
+ TPM_SIZED_BUFFER q_key; /* private prime factor */
+} TPM_STORE_PRIVKEY;
+
+/* 10.6 TPM_STORE_ASYMKEY rev 87
+
+ The TPM_STORE_ASYMKEY structure provides the area to identify the confidential information
+ related to a key. This will include the private key factors for an asymmetric key.
+
+ The structure is designed so that encryption of a TPM_STORE_ASYMKEY structure containing a 2048
+ bit RSA key can be done in one operation if the encrypting key is 2048 bits.
+
+ Using typical RSA notation the structure would include P, and when loading the key include the
+ unencrypted P*Q which would be used to recover the Q value.
+
+ To accommodate the future use of multiple prime RSA keys the specification of additional prime
+ factors is an optional capability.
+
+ This structure provides the basis of defining the protection of the private key. Changes in this
+ structure MUST be reflected in the TPM_MIGRATE_ASYMKEY structure (section 10.8).
+*/
+
+typedef struct tdTPM_STORE_ASYMKEY {
+ TPM_PAYLOAD_TYPE payload; /* This SHALL set to TPM_PT_ASYM to indicate an asymmetric
+ key. If used in TPM_CMK_ConvertMigration the value SHALL
+ be TPM_PT_MIGRATE_EXTERNAL. If used in TPM_CMK_CreateKey
+ the value SHALL be TPM_PT_MIGRATE_RESTRICTED */
+ TPM_SECRET usageAuth; /* This SHALL be the authorization data necessary to
+ authorize the use of this value */
+ TPM_SECRET migrationAuth; /* This SHALL be the migration authorization data for a
+ migratable key, or the TPM secret value tpmProof for a
+ non-migratable key created by the TPM.
+
+ If the TPM sets this parameter to the value tpmProof,
+ then the TPM_KEY.keyFlags.migratable of the corresponding
+ TPM_KEY structure MUST be set to 0.
+
+ If this parameter is set to the migration authorization
+ data for the key in parameter PrivKey, then the
+ TPM_KEY.keyFlags.migratable of the corresponding TPM_KEY
+ structure SHOULD be set to 1. */
+ TPM_DIGEST pubDataDigest; /* This SHALL be the digest of the corresponding TPM_KEY
+ structure, excluding the fields TPM_KEY.encSize and
+ TPM_KEY.encData.
+
+ When TPM_KEY -> pcrInfoSize is 0 then the digest
+ calculation has no input from the pcrInfo field. The
+ pcrInfoSize field MUST always be part of the digest
+ calculation.
+ */
+ TPM_STORE_PRIVKEY privKey; /* This SHALL be the private key data. The privKey can be a
+ variable length which allows for differences in the key
+ format. The maximum size of the area would be 151
+ bytes. */
+} TPM_STORE_ASYMKEY;
+
+/* 10.8 TPM_MIGRATE_ASYMKEY rev 87
+
+ The TPM_MIGRATE_ASYMKEY structure provides the area to identify the private key factors of a
+ asymmetric key while the key is migrating between TPM's.
+
+ This structure provides the basis of defining the protection of the private key.
+
+ k1k2 - 132 privkey.key (128 + 4)
+ k1 - 20, OAEP seed
+ k2 - 112, partPrivKey
+ TPM_STORE_PRIVKEY 4 partPrivKey.keyLength
+ 108 partPrivKey.key (128 - 20)
+*/
+
+typedef struct tdTPM_MIGRATE_ASYMKEY {
+ TPM_PAYLOAD_TYPE payload; /* This SHALL set to TPM_PT_MIGRATE or TPM_PT_CMK_MIGRATE to
+ indicate an migrating asymmetric key or TPM_PT_MAINT to indicate
+ a maintenance key. */
+ TPM_SECRET usageAuth; /* This SHALL be a copy of the usageAuth from the TPM_STORE_ASYMKEY
+ structure. */
+ TPM_DIGEST pubDataDigest; /* This SHALL be a copy of the pubDataDigest from the
+ TPM_STORE_ASYMKEY structure. */
+#if 0
+ uint32_t partPrivKeyLen; /* This SHALL be the size of the partPrivKey field */
+ BYTE *partPrivKey; /* This SHALL be the k2 area as described in TPM_CreateMigrationBlob
+ */
+#endif
+ TPM_SIZED_BUFFER partPrivKey;
+} TPM_MIGRATE_ASYMKEY;
+
+#endif
+
+/* 10.4 TPM_STORE_PUBKEY
+
+ This structure can be used in conjunction with a corresponding TPM_KEY_PARMS to 1382 construct a
+ public key which can be unambiguously used.
+*/
+
+typedef struct tdTPM_STORE_PUBKEY {
+ UINT32 keyLength; /* This SHALL be the length of the key field. */
+ BYTE key[MAX_RSA_KEY_BYTES]; /* This SHALL be a structure interpreted according to the
+ algorithm Id in the corresponding TPM_KEY_PARMS
+ structure. */
+} TPM_STORE_PUBKEY;
+
+/* 10.3 TPM_KEY12 rev 87
+
+ This provides the same functionality as TPM_KEY but uses the new PCR_INFO_LONG structures and the
+ new structure tagging. In all other aspects this is the same structure.
+*/
+
+typedef struct tdTPM_KEY12 {
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_KEY12 */
+ uint16_t fill; /* MUST be 0x0000 */
+ TPM_KEY_USAGE keyUsage; /* This SHALL be the TPM key usage that determines the operations
+ permitted with this key */
+ TPM_KEY_FLAGS keyFlags; /* This SHALL be the indication of migration, redirection etc. */
+ TPM_AUTH_DATA_USAGE authDataUsage; /* This SHALL Indicate the conditions where it is required
+ that authorization be presented. */
+ TPM_KEY_PARMS algorithmParms; /* This SHALL be the information regarding the algorithm for
+ this key */
+ TPM_PCR_INFO_LONG PCRInfo;
+ TPM_STORE_PUBKEY pubKey; /* This SHALL be the public portion of the key */
+ TPM_STORE_PUBKEY encData; /* This SHALL be an encrypted TPM_STORE_ASYMKEY structure
+ TPM_MIGRATE_ASYMKEY structure */
+} TPM_KEY12;
+
+/* 10.5 TPM_PUBKEY rev 99
+
+ The TPM_PUBKEY structure contains the public portion of an asymmetric key pair. It contains all
+ the information necessary for its unambiguous usage. It is possible to construct this structure
+ from a TPM_KEY, using the algorithmParms and pubKey fields.
+
+ The pubKey member of this structure shall contain the public key for a specific algorithm.
+*/
+
+typedef struct tdTPM_PUBKEY {
+ TPM_KEY_PARMS algorithmParms; /* This SHALL be the information regarding this key */
+ TPM_STORE_PUBKEY pubKey; /* This SHALL be the public key information */
+} TPM_PUBKEY;
+
+#if 0
+
+/* 5.b. The TPM must support a minimum of 2 key slots. */
+
+#define TPM_KEY_HANDLES 16 /* entries in global TPM_KEY_HANDLE_ENTRY array */
+
+/* TPM_GetCapability uses a uint_16 for the number of key slots */
+
+#if (TPM_KEY_HANDLES > 0xffff)
+#error "TPM_KEY_HANDLES must be less than 0x10000"
+#endif
+
+/* The TPM does not have to support any minumum number of owner evict keys. Adjust this value to
+ match the amount of NV space available. An owner evict key consumes about 512 bytes.
+
+ A value greater than (TPM_KEY_HANDLES - 2) is useless, as the TPM reserves 2 key slots for
+ non-owner evict keys to avoid blocking.
+*/
+
+#define TPM_OWNER_EVICT_KEY_HANDLES 2
+#if (TPM_OWNER_EVICT_KEY_HANDLES > (TPM_KEY_HANDLES - 2))
+#error "TPM_OWNER_EVICT_KEY_HANDLES too large for TPM_KEY_HANDLES"
+#endif
+
+/* This is the version used by the TPM implementation. It is part of the global TPM state */
+
+/* kgold: Added TPM_KEY member. There needs to be a mapping between a key handle
+ and the pointer to TPM_KEY objects, and this seems to be the right place for it. */
+
+typedef struct tdTPM_KEY_HANDLE_ENTRY {
+ TPM_KEY_HANDLE handle; /* Handles for a key currently loaded in the TPM */
+ TPM_KEY *key; /* Pointer to the key object */
+ TPM_BOOL parentPCRStatus; /* TRUE if parent of this key uses PCR's */
+ TPM_KEY_CONTROL keyControl; /* Attributes that can control various aspects of key usage and
+ manipulation. */
+} TPM_KEY_HANDLE_ENTRY;
+
+/* 5.12 TPM_MIGRATIONKEYAUTH rev 87
+
+ This structure provides the proof that the associated public key has TPM Owner authorization to
+ be a migration key.
+*/
+
+typedef struct tdTPM_MIGRATIONKEYAUTH {
+ TPM_PUBKEY migrationKey; /* This SHALL be the public key of the migration facility */
+ TPM_MIGRATE_SCHEME migrationScheme; /* This shall be the type of migration operation.*/
+ TPM_DIGEST digest; /* This SHALL be the digest value of the concatenation of
+ migration key, migration scheme and tpmProof */
+} TPM_MIGRATIONKEYAUTH;
+
+/* 5.13 TPM_COUNTER_VALUE rev 87
+
+ This structure returns the counter value. For interoperability, the value size should be 4 bytes.
+*/
+
+#define TPM_COUNTER_LABEL_SIZE 4
+#define TPM_COUNT_ID_NULL 0xffffffff /* unused value TPM_CAP_PROP_ACTIVE_COUNTER expects this
+ value if no counter is active */
+#define TPM_COUNT_ID_ILLEGAL 0xfffffffe /* after releasing an active counter */
+
+typedef struct tdTPM_COUNTER_VALUE {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_COUNTER_VALUE */
+#endif
+ BYTE label[TPM_COUNTER_LABEL_SIZE]; /* The label for the counter */
+ TPM_ACTUAL_COUNT counter; /* The 32-bit counter value. */
+ /* NOTE: Added. TPMWG email says the specification structure is the public part, but these are
+ vendor specific private members. */
+ TPM_SECRET authData; /* Authorization secret for counter */
+ TPM_BOOL valid;
+ TPM_DIGEST digest; /* for OSAP comparison */
+} TPM_COUNTER_VALUE;
+
+/* 5.14 TPM_SIGN_INFO Structure rev 102
+
+ This is an addition in 1.2 and is the structure signed for certain commands (e.g.,
+ TPM_ReleaseTransportSigned). Some commands have a structure specific to that command (e.g.,
+ TPM_Quote uses TPM_QUOTE_INFO) and do not use TPM_SIGN_INFO.
+
+ TPM_Sign uses this structure when the signature scheme is TPM_SS_RSASSAPKCS1v15_INFO.
+*/
+
+#define TPM_SIGN_INFO_FIXED_SIZE 4
+
+typedef struct tdTPM_SIGN_INFO {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_SIGNINFO */
+#endif
+ BYTE fixed[TPM_SIGN_INFO_FIXED_SIZE]; /* The ASCII text that identifies what function was
+ performing the signing operation*/
+ TPM_NONCE replay; /* Nonce provided by caller to prevent replay attacks */
+#if 0
+ uint32_t dataLen; /* The length of the data area */
+ BYTE* data; /* The data that is being signed */
+#endif
+ TPM_SIZED_BUFFER data; /* The data that is being signed */
+} TPM_SIGN_INFO;
+
+/* 5.15 TPM_MSA_COMPOSITE Structure rev 87
+
+ TPM_MSA_COMPOSITE contains an arbitrary number of digests of public keys belonging to Migration
+ Authorities. An instance of TPM_MSA_COMPOSITE is incorporated into the migrationAuth value of a
+ certified-migration-key (CMK), and any of the Migration Authorities specified in that instance is
+ able to approve the migration of that certified-migration-key.
+
+ TPMs MUST support TPM_MSA_COMPOSITE structures with MSAlist of four (4) or less, and MAY support
+ larger values of MSAlist.
+*/
+
+typedef struct tdTPM_MSA_COMPOSITE {
+ uint32_t MSAlist; /* The number of migAuthDigests. MSAlist MUST be one (1) or
+ greater. */
+ TPM_DIGEST *migAuthDigest; /* An arbitrary number of digests of public keys belonging
+ to Migration Authorities. */
+} TPM_MSA_COMPOSITE;
+
+/* 5.16 TPM_CMK_AUTH
+
+ The signed digest of TPM_CMK_AUTH is a ticket to prove that the entity with public key
+ "migrationAuthority" has approved the public key "destination Key" as a migration destination for
+ the key with public key "sourceKey".
+
+ Normally the digest of TPM_CMK_AUTH is signed by the private key corresponding to
+ "migrationAuthority".
+
+ To reduce data size, TPM_CMK_AUTH contains just the digests of "migrationAuthority",
+ "destinationKey" and "sourceKey".
+*/
+
+typedef struct tdTPM_CMK_AUTH {
+ TPM_DIGEST migrationAuthorityDigest; /* The digest of the public key of a Migration
+ Authority */
+ TPM_DIGEST destinationKeyDigest; /* The digest of a TPM_PUBKEY structure that is an
+ approved destination key for the private key
+ associated with "sourceKey"*/
+ TPM_DIGEST sourceKeyDigest; /* The digest of a TPM_PUBKEY structure whose
+ corresponding private key is approved by the
+ Migration Authority to be migrated as a child to
+ the destinationKey. */
+} TPM_CMK_AUTH;
+
+#endif
+
+/* 5.18 TPM_SELECT_SIZE rev 87
+
+ This structure provides the indication for the version and sizeOfSelect structure in GetCapability
+*/
+
+typedef struct tdTPM_SELECT_SIZE {
+ BYTE major; /* This SHALL indicate the major version of the TPM. This MUST be 0x01 */
+ BYTE minor; /* This SHALL indicate the minor version of the TPM. This MAY be 0x01 or
+ 0x02 */
+ uint16_t reqSize; /* This SHALL indicate the value for a sizeOfSelect field in the
+ TPM_SELECTION structure */
+} TPM_SELECT_SIZE;
+
+#if 0
+
+/* 5.19 TPM_CMK_MIGAUTH rev 89
+
+ Structure to keep track of the CMK migration authorization
+*/
+
+typedef struct tdTPM_CMK_MIGAUTH {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* Set to TPM_TAG_CMK_MIGAUTH */
+#endif
+ TPM_DIGEST msaDigest; /* The digest of a TPM_MSA_COMPOSITE structure containing the
+ migration authority public key and parameters. */
+ TPM_DIGEST pubKeyDigest; /* The hash of the associated public key */
+} TPM_CMK_MIGAUTH;
+
+/* 5.20 TPM_CMK_SIGTICKET rev 87
+
+ Structure to keep track of the CMK migration authorization
+*/
+
+typedef struct tdTPM_CMK_SIGTICKET {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* Set to TPM_TAG_CMK_SIGTICKET */
+#endif
+ TPM_DIGEST verKeyDigest; /* The hash of a TPM_PUBKEY structure containing the public key and
+ parameters of the key that can verify the ticket */
+ TPM_DIGEST signedData; /* The ticket data */
+} TPM_CMK_SIGTICKET;
+
+/* 5.21 TPM_CMK_MA_APPROVAL rev 87
+
+ Structure to keep track of the CMK migration authorization
+*/
+
+typedef struct tdTPM_CMK_MA_APPROVAL {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* Set to TPM_TAG_CMK_MA_APPROVAL */
+#endif
+ TPM_DIGEST migrationAuthorityDigest; /* The hash of a TPM_MSA_COMPOSITE structure
+ containing the hash of one or more migration
+ authority public keys and parameters. */
+} TPM_CMK_MA_APPROVAL;
+
+/* 20.2 Delegate Definitions rev 101
+
+ The delegations are in a 64-bit field. Each bit describes a capability that the TPM Owner can
+ delegate to a trusted process by setting that bit. Each delegation bit setting is independent of
+ any other delegation bit setting in a row.
+
+ If a TPM command is not listed in the following table, then the TPM Owner cannot delegate that
+ capability to a trusted process. For the TPM commands that are listed in the following table, if
+ the bit associated with a TPM command is set to zero in the row of the table that identifies a
+ trusted process, then that process has not been delegated to use that TPM command.
+
+ The minimum granularity for delegation is at the ordinal level. It is not possible to delegate an
+ option of an ordinal. This implies that if the options present a difficulty and there is a need
+ to separate the delegations then there needs to be a split into two separate ordinals.
+*/
+
+#define TPM_DEL_OWNER_BITS 0x00000001
+#define TPM_DEL_KEY_BITS 0x00000002
+
+typedef struct tdTPM_DELEGATIONS {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* This SHALL be TPM_TAG_DELEGATIONS */
+#endif
+ uint32_t delegateType; /* Owner or key */
+ uint32_t per1; /* The first block of permissions */
+ uint32_t per2; /* The second block of permissions */
+} TPM_DELEGATIONS;
+
+/* 20.4 TPM_FAMILY_LABEL rev 85
+
+ Used in the family table to hold a one-byte numeric value (sequence number) that software can map
+ to a string of bytes that can be displayed or used by applications.
+
+ This is not sensitive data.
+*/
+
+#if 0
+typedef struct tdTPM_FAMILY_LABEL {
+ BYTE label; /* A sequence number that software can map to a string of bytes that can be
+ displayed or used by the applications. This MUST not contain sensitive
+ information. */
+} TPM_FAMILY_LABEL;
+#endif
+
+typedef BYTE TPM_FAMILY_LABEL; /* NOTE: No need for a structure here */
+
+/* 20.5 TPM_FAMILY_TABLE_ENTRY rev 101
+
+ The family table entry is an individual row in the family table. There are no sensitive values in
+ a family table entry.
+
+ Each family table entry contains values to facilitate table management: the familyID sequence
+ number value that associates a family table row with one or more delegate table rows, a
+ verification sequence number value that identifies when rows in the delegate table were last
+ verified, and BYTE family label value that software can map to an ASCII text description of the
+ entity using the family table entry
+*/
+
+typedef struct tdTPM_FAMILY_TABLE_ENTRY {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* This SHALL be TPM_TAG_FAMILY_TABLE_ENTRY */
+#endif
+ TPM_FAMILY_LABEL familyLabel; /* A sequence number that software can map to a string of
+ bytes that can be displayed of used by the applications.
+ This MUST not contain sensitive informations. */
+ TPM_FAMILY_ID familyID; /* The family ID in use to tie values together. This is not
+ a sensitive value. */
+ TPM_FAMILY_VERIFICATION verificationCount; /* The value inserted into delegation rows to
+ indicate that they are the current generation of
+ rows. Used to identify when a row in the delegate
+ table was last verified. This is not a sensitive
+ value. */
+ TPM_FAMILY_FLAGS flags; /* See section on TPM_FAMILY_FLAGS. */
+ /* NOTE Added */
+ TPM_BOOL valid;
+} TPM_FAMILY_TABLE_ENTRY;
+
+/* 20.6 TPM_FAMILY_TABLE rev 87
+
+ The family table is stored in a TPM shielded location. There are no confidential values in the
+ family table. The family table contains a minimum of 8 rows.
+*/
+
+#define TPM_NUM_FAMILY_TABLE_ENTRY_MIN 8
+
+typedef struct tdTPM_FAMILY_TABLE {
+ TPM_FAMILY_TABLE_ENTRY famTableRow[TPM_NUM_FAMILY_TABLE_ENTRY_MIN];
+} TPM_FAMILY_TABLE;
+
+/* 20.7 TPM_DELEGATE_LABEL rev 87
+
+ Used in both the delegate table and the family table to hold a string of bytes that can be
+ displayed or used by applications. This is not sensitive data.
+*/
+
+#if 0
+typedef struct tdTPM_DELEGATE_LABEL {
+ BYTE label; /* A byte that can be displayed or used by the applications. This MUST not
+ contain sensitive information. */
+} TPM_DELEGATE_LABEL;
+#endif
+
+typedef BYTE TPM_DELEGATE_LABEL; /* NOTE: No need for structure */
+
+/* 20.8 TPM_DELEGATE_PUBLIC rev 101
+
+ The information of a delegate row that is public and does not have any sensitive information.
+
+ PCR_INFO_SHORT is appropriate here as the command to create this is done using owner
+ authorization, hence the owner authorized the command and the delegation. There is no need to
+ validate what configuration was controlling the platform during the blob creation.
+*/
+
+typedef struct tdTPM_DELEGATE_PUBLIC {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* This SHALL be TPM_TAG_DELEGATE_PUBLIC */
+#endif
+ TPM_DELEGATE_LABEL rowLabel; /* This SHALL be the label for the row. It
+ MUST not contain any sensitive information. */
+ TPM_PCR_INFO_SHORT pcrInfo; /* This SHALL be the designation of the process that can use
+ the permission. This is a not sensitive
+ value. PCR_SELECTION may be NULL.
+
+ If selected the pcrInfo MUST be checked on each use of
+ the delegation. Use of the delegation is where the
+ delegation is passed as an authorization handle. */
+ TPM_DELEGATIONS permissions; /* This SHALL be the permissions that are allowed to the
+ indicated process. This is not a sensitive value. */
+ TPM_FAMILY_ID familyID; /* This SHALL be the family ID that identifies which family
+ the row belongs to. This is not a sensitive value. */
+ TPM_FAMILY_VERIFICATION verificationCount; /* A copy of verificationCount from the associated
+ family table. This is not a sensitive value. */
+} TPM_DELEGATE_PUBLIC;
+
+
+/* 20.9 TPM_DELEGATE_TABLE_ROW rev 101
+
+ A row of the delegate table.
+*/
+
+typedef struct tdTPM_DELEGATE_TABLE_ROW {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* This SHALL be TPM_TAG_DELEGATE_TABLE_ROW */
+#endif
+ TPM_DELEGATE_PUBLIC pub; /* This SHALL be the public information for a table row. */
+ TPM_SECRET authValue; /* This SHALL be the authorization value that can use the
+ permissions. This is a sensitive value. */
+ /* NOTE Added */
+ TPM_BOOL valid;
+} TPM_DELEGATE_TABLE_ROW;
+
+/* 20.10 TPM_DELEGATE_TABLE rev 87
+
+ This is the delegate table. The table contains a minimum of 2 rows.
+
+ This will be an entry in the TPM_PERMANENT_DATA structure.
+*/
+
+#define TPM_NUM_DELEGATE_TABLE_ENTRY_MIN 2
+
+typedef struct tdTPM_DELEGATE_TABLE {
+ TPM_DELEGATE_TABLE_ROW delRow[TPM_NUM_DELEGATE_TABLE_ENTRY_MIN]; /* The array of delegations */
+} TPM_DELEGATE_TABLE;
+
+/* 20.11 TPM_DELEGATE_SENSITIVE rev 115
+
+ The TPM_DELEGATE_SENSITIVE structure is the area of a delegate blob that contains sensitive
+ information.
+
+ This structure is normative for loading unencrypted blobs before there is an owner. It is
+ informative for TPM_CreateOwnerDelegation and TPM_LoadOwnerDelegation after there is an owner and
+ encrypted blobs are used, since the structure is under complete control of the TPM.
+*/
+
+typedef struct tdTPM_DELEGATE_SENSITIVE {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* This MUST be TPM_TAG_DELEGATE_SENSITIVE */
+#endif
+ TPM_SECRET authValue; /* AuthData value */
+} TPM_DELEGATE_SENSITIVE;
+
+/* 20.12 TPM_DELEGATE_OWNER_BLOB rev 87
+
+ This data structure contains all the information necessary to externally store a set of owner
+ delegation rights that can subsequently be loaded or used by this TPM.
+
+ The encryption mechanism for the sensitive area is a TPM choice. The TPM may use asymmetric
+ encryption and the SRK for the key. The TPM may use symmetric encryption and a secret key known
+ only to the TPM.
+*/
+
+typedef struct tdTPM_DELEGATE_OWNER_BLOB {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* This MUST be TPM_TAG_DELG_OWNER_BLOB */
+#endif
+ TPM_DELEGATE_PUBLIC pub; /* The public information for this blob */
+ TPM_DIGEST integrityDigest; /* The HMAC to guarantee the integrity of the entire structure */
+ TPM_SIZED_BUFFER additionalArea; /* An area that the TPM can add to the blob which MUST NOT
+ contain any sensitive information. This would include any
+ IV material for symmetric encryption */
+ TPM_SIZED_BUFFER sensitiveArea; /* The area that contains the encrypted
+ TPM_DELEGATE_SENSITIVE */
+} TPM_DELEGATE_OWNER_BLOB;
+
+/* 20.13 TPM_DELEGATE_KEY_BLOB rev 87
+
+ A structure identical to TPM_DELEGATE_OWNER_BLOB but which stores delegation information for user
+ keys. As compared to TPM_DELEGATE_OWNER_BLOB, it adds a hash of the corresponding public key
+ value to the public information.
+*/
+
+typedef struct tdTPM_DELEGATE_KEY_BLOB {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* This MUST be TPM_TAG_DELG_KEY_BLOB */
+#endif
+ TPM_DELEGATE_PUBLIC pub; /* The public information for this blob */
+ TPM_DIGEST integrityDigest; /* The HMAC to guarantee the integrity of the entire
+ structure */
+ TPM_DIGEST pubKeyDigest; /* The digest, that uniquely identifies the key for which
+ this usage delegation applies. */
+ TPM_SIZED_BUFFER additionalArea; /* An area that the TPM can add to the blob which MUST NOT
+ contain any sensitive information. This would include any
+ IV material for symmetric encryption */
+ TPM_SIZED_BUFFER sensitiveArea; /* The area that contains the encrypted
+ TPM_DELEGATE_SENSITIVE */
+} TPM_DELEGATE_KEY_BLOB;
+
+/* 15.1 TPM_CURRENT_TICKS rev 110
+
+ This structure holds the current number of time ticks in the TPM. The value is the number of time
+ ticks from the start of the current session. Session start is a variable function that is
+ platform dependent. Some platforms may have batteries or other power sources and keep the TPM
+ clock session across TPM initialization sessions.
+
+ The <tickRate> element of the TPM_CURRENT_TICKS structure provides the number of microseconds per
+ tick. The platform manufacturer must satisfy input clock requirements set by the TPM vendor to
+ ensure the accuracy of the tickRate.
+
+ No external entity may ever set the current number of time ticks held in TPM_CURRENT_TICKS. This
+ value is always reset to 0 when a new clock session starts and increments under control of the
+ TPM.
+
+ Maintaining the relationship between the number of ticks counted by the TPM and some real world
+ clock is a task for external software.
+*/
+
+/* This is not a true UINT64, but a special structure to hold currentTicks */
+
+typedef struct tdTPM_UINT64 {
+ uint32_t sec;
+ uint32_t usec;
+} TPM_UINT64;
+
+typedef struct tdTPM_CURRENT_TICKS {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_CURRENT_TICKS */
+#endif
+ TPM_UINT64 currentTicks; /* The number of ticks since the start of this tick session */
+ /* upper is seconds, lower is useconds */
+ uint16_t tickRate; /* The number of microseconds per tick. The maximum resolution of
+ the TPM tick counter is thus 1 microsecond. The minimum
+ resolution SHOULD be 1 millisecond. */
+ TPM_NONCE tickNonce; /* TPM_NONCE tickNonce The nonce created by the TPM when resetting
+ the currentTicks to 0. This indicates the beginning of a time
+ session. This value MUST be valid before the first use of
+ TPM_CURRENT_TICKS. The value can be set at TPM_Startup or just
+ prior to first use. */
+ /* NOTE Added */
+ TPM_UINT64 initialTime; /* Time from TPM_GetTimeOfDay() */
+} TPM_CURRENT_TICKS;
+
+/*
+ 13. Transport Structures
+*/
+
+/* 13.1 TPM _TRANSPORT_PUBLIC rev 87
+
+ The public information relative to a transport session
+*/
+
+typedef struct tdTPM_TRANSPORT_PUBLIC {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_TRANSPORT_PUBLIC */
+#endif
+ TPM_TRANSPORT_ATTRIBUTES transAttributes; /* The attributes of this session */
+ TPM_ALGORITHM_ID algId; /* This SHALL be the algorithm identifier of the
+ symmetric key. */
+ TPM_ENC_SCHEME encScheme; /* This SHALL fully identify the manner in which the
+ key will be used for encryption operations. */
+} TPM_TRANSPORT_PUBLIC;
+
+/* 13.2 TPM_TRANSPORT_INTERNAL rev 88
+
+ The internal information regarding transport session
+*/
+
+#define TPM_MIN_TRANS_SESSIONS 3
+
+typedef struct tdTPM_TRANSPORT_INTERNAL {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_TRANSPORT_INTERNAL */
+#endif
+ TPM_AUTHDATA authData; /* The shared secret for this session */
+ TPM_TRANSPORT_PUBLIC transPublic; /* The public information of this session */
+ TPM_TRANSHANDLE transHandle; /* The handle for this session */
+ TPM_NONCE transNonceEven; /* The even nonce for the rolling protocol */
+ TPM_DIGEST transDigest; /* The log of transport events */
+ /* added kgold */
+ TPM_BOOL valid; /* entry is valid */
+} TPM_TRANSPORT_INTERNAL;
+
+/* 13.3 TPM_TRANSPORT_LOG_IN rev 87
+
+ The logging of transport commands occurs in two steps, before execution with the input
+ parameters and after execution with the output parameters.
+
+ This structure is in use for input log calculations.
+*/
+
+typedef struct tdTPM_TRANSPORT_LOG_IN {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_TRANSPORT_LOG_IN */
+#endif
+ TPM_DIGEST parameters; /* The actual parameters contained in the digest are subject to the
+ rules of the command using this structure. To find the exact
+ calculation refer to the actions in the command using this
+ structure. */
+ TPM_DIGEST pubKeyHash; /* The hash of any keys in the transport command */
+} TPM_TRANSPORT_LOG_IN;
+
+/* 13.4 TPM_TRANSPORT_LOG_OUT rev 88
+
+ The logging of transport commands occurs in two steps, before execution with the input parameters
+ and after execution with the output parameters.
+
+ This structure is in use for output log calculations.
+
+ This structure is in use for the INPUT logging during releaseTransport.
+*/
+
+typedef struct tdTPM_TRANSPORT_LOG_OUT {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_TRANSPORT_LOG_OUT */
+#endif
+ TPM_CURRENT_TICKS currentTicks; /* The current tick count. This SHALL be the value of the
+ current TPM tick counter. */
+ TPM_DIGEST parameters; /* The actual parameters contained in the digest are subject
+ to the rules of the command using this structure. To find
+ the exact calculation refer to the actions in the command
+ using this structure. */
+ TPM_MODIFIER_INDICATOR locality; /* The locality that called TPM_ExecuteTransport */
+} TPM_TRANSPORT_LOG_OUT;
+
+/* 13.5 TPM_TRANSPORT_AUTH structure rev 87
+
+ This structure provides the validation for the encrypted AuthData value.
+*/
+
+typedef struct tdTPM_TRANSPORT_AUTH {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_TRANSPORT_AUTH */
+#endif
+ TPM_AUTHDATA authData; /* The AuthData value */
+} TPM_TRANSPORT_AUTH;
+
+/* 22.3 TPM_DAA_ISSUER rev 91
+
+ This structure is the abstract representation of non-secret settings controlling a DAA
+ context. The structure is required when loading public DAA data into a TPM. TPM_DAA_ISSUER
+ parameters are normally held outside the TPM as plain text data, and loaded into a TPM when a DAA
+ session is required. A TPM_DAA_ISSUER structure contains no integrity check: the TPM_DAA_ISSUER
+ structure at time of JOIN is indirectly verified by the issuer during the JOIN process, and a
+ digest of the verified TPM_DAA_ISSUER structure is held inside the TPM_DAA_TPM structure created
+ by the JOIN process. Parameters DAA_digest_X are digests of public DAA_generic_X parameters, and
+ used to verify that the correct value of DAA_generic_X has been loaded. DAA_generic_q is stored
+ in its native form to reduce command complexity.
+*/
+
+typedef struct tdTPM_DAA_ISSUER {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_DAA_ISSUER */
+#endif
+ TPM_DIGEST DAA_digest_R0; /* A digest of the parameter "R0", which is not secret and may be
+ common to many TPMs. */
+ TPM_DIGEST DAA_digest_R1; /* A digest of the parameter "R1", which is not secret and may be
+ common to many TPMs. */
+ TPM_DIGEST DAA_digest_S0; /* A digest of the parameter "S0", which is not secret and may be
+ common to many TPMs. */
+ TPM_DIGEST DAA_digest_S1; /* A digest of the parameter "S1", which is not secret and may be
+ common to many TPMs. */
+ TPM_DIGEST DAA_digest_n; /* A digest of the parameter "n", which is not secret and may be
+ common to many TPMs. */
+ TPM_DIGEST DAA_digest_gamma; /* A digest of the parameter "gamma", which is not secret
+ and may be common to many TPMs. */
+ BYTE DAA_generic_q[26]; /* The parameter q, which is not secret and may be common to
+ many TPMs. Note that q is slightly larger than a digest,
+ but is stored in its native form to simplify the
+ TPM_DAA_join command. Otherwise, JOIN requires 3 input
+ parameters. */
+} TPM_DAA_ISSUER;
+
+/* 22.4 TPM_DAA_TPM rev 91
+
+ This structure is the abstract representation of TPM specific parameters used during a DAA
+ context. TPM-specific DAA parameters may be stored outside the TPM, and hence this
+ structure is needed to save private DAA data from a TPM, or load private DAA data into a
+ TPM.
+
+ If a TPM_DAA_TPM structure is stored outside the TPM, it is stored in a confidential format that
+ can be interpreted only by the TPM created it. This is to ensure that secret parameters are
+ rendered confidential, and that both secret and non-secret data in TPM_DAA_TPM form a
+ self-consistent set.
+
+ TPM_DAA_TPM includes a digest of the public DAA parameters that were used during creation of the
+ TPM_DAA_TPM structure. This is needed to verify that a TPM_DAA_TPM is being used with the public
+ DAA parameters used to create the TPM_DAA_TPM structure. Parameters DAA_digest_v0 and
+ DAA_digest_v1 are digests of public DAA_private_v0 and DAA_private_v1 parameters, and used to
+ verify that the correct private parameters have been loaded.
+
+ Parameter DAA_count is stored in its native form, because it is smaller than a digest, and is
+ required to enforce consistency.
+*/
+
+typedef struct tdTPM_DAA_TPM {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_DAA_TPM */
+#endif
+ TPM_DIGEST DAA_digestIssuer; /* A digest of a TPM_DAA_ISSUER structure that contains the
+ parameters used to generate this TPM_DAA_TPM
+ structure. */
+ TPM_DIGEST DAA_digest_v0; /* A digest of the parameter "v0", which is secret and specific to
+ this TPM. "v0" is generated during a JOIN phase. */
+ TPM_DIGEST DAA_digest_v1; /* A digest of the parameter "v1", which is secret and specific to
+ this TPM. "v1" is generated during a JOIN phase. */
+ TPM_DIGEST DAA_rekey; /* A digest related to the rekeying process, which is not secret but
+ is specific to this TPM, and must be consistent across JOIN/SIGN
+ sessions. "rekey" is generated during a JOIN phase. */
+ uint32_t DAA_count; /* The parameter "count", which is not secret but must be consistent
+ across JOIN/SIGN sessions. "count" is an input to the TPM from
+ the host system. */
+} TPM_DAA_TPM;
+
+/* 22.5 TPM_DAA_CONTEXT rev 91
+
+ TPM_DAA_CONTEXT structure is created and used inside a TPM, and never leaves the TPM. This
+ entire section is informative as the TPM does not expose this structure. TPM_DAA_CONTEXT
+ includes a digest of the public and private DAA parameters that were used during creation of the
+ TPM_DAA_CONTEXT structure. This is needed to verify that a TPM_DAA_CONTEXT is being used with the
+ public and private DAA parameters used to create the TPM_DAA_CONTEXT structure.
+*/
+
+typedef struct tdTPM_DAA_CONTEXT {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_DAA_CONTEXT */
+#endif
+ TPM_DIGEST DAA_digestContext; /* A digest of parameters used to generate this
+ structure. The parameters vary, depending on whether the
+ session is a JOIN session or a SIGN session. */
+ TPM_DIGEST DAA_digest; /* A running digest of certain parameters generated during DAA
+ computation; operationally the same as a PCR (which holds a
+ running digest of integrity metrics). */
+ TPM_DAA_CONTEXT_SEED DAA_contextSeed; /* The seed used to generate other DAA
+ session parameters */
+ BYTE DAA_scratch[256]; /* Memory used to hold different parameters at different
+ times of DAA computation, but only one parameter at a
+ time. The maximum size of this field is 256 bytes */
+ BYTE DAA_stage; /* A counter, indicating the stage of DAA computation that was most
+ recently completed. The value of the counter is zero if the TPM
+ currently contains no DAA context.
+
+ When set to zero (0) the TPM MUST clear all other fields in this
+ structure.
+
+ The TPM MUST set DAA_stage to 0 on TPM_Startup(ANY) */
+ TPM_BOOL DAA_scratch_null;
+} TPM_DAA_CONTEXT;
+
+/* 22.6 TPM_DAA_JOINDATA rev 91
+
+ This structure is the abstract representation of data that exists only during a specific JOIN
+ session.
+*/
+
+typedef struct tdTPM_DAA_JOINDATA {
+ BYTE DAA_join_u0[128]; /* A TPM-specific secret "u0", used during the JOIN phase,
+ and discarded afterwards. */
+ BYTE DAA_join_u1[138]; /* A TPM-specific secret "u1", used during the JOIN phase,
+ and discarded afterwards. */
+ TPM_DIGEST DAA_digest_n0; /* A digest of the parameter "n0", which is an RSA public key with
+ exponent 2^16 +1 */
+} TPM_DAA_JOINDATA;
+
+/* DAA Session structure
+
+*/
+
+#define TPM_MIN_DAA_SESSIONS 2
+
+typedef struct tdTPM_DAA_SESSION_DATA {
+ TPM_DAA_ISSUER DAA_issuerSettings; /* A set of DAA issuer parameters controlling a DAA
+ session. (non-secret) */
+ TPM_DAA_TPM DAA_tpmSpecific; /* A set of DAA parameters associated with a
+ specific TPM. (secret) */
+ TPM_DAA_CONTEXT DAA_session; /* A set of DAA parameters associated with a DAA
+ session. (secret) */
+ TPM_DAA_JOINDATA DAA_joinSession; /* A set of DAA parameters used only during the JOIN
+ phase of a DAA session, and generated by the
+ TPM. (secret) */
+ /* added kgold */
+ TPM_HANDLE daaHandle; /* DAA session handle */
+ TPM_BOOL valid; /* array entry is valid */
+ /* FIXME should have handle type Join or Sign */
+} TPM_DAA_SESSION_DATA;
+
+/* 22.8 TPM_DAA_BLOB rev 98
+
+ The structure passed during the join process
+*/
+
+typedef struct tdTPM_DAA_BLOB {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_DAA_BLOB */
+#endif
+ TPM_RESOURCE_TYPE resourceType; /* The resource type: enc(DAA_tpmSpecific) or enc(v0) or
+ enc(v1) */
+ BYTE label[16]; /* Label for identification of the blob. Free format
+ area. */
+ TPM_DIGEST blobIntegrity; /* The integrity of the entire blob including the sensitive
+ area. This is a HMAC calculation with the entire
+ structure (including sensitiveData) being the hash and
+ daaProof is the secret */
+ TPM_SIZED_BUFFER additionalData; /* Additional information set by the TPM that helps define
+ and reload the context. The information held in this area
+ MUST NOT expose any information held in shielded
+ locations. This should include any IV for symmetric
+ encryption */
+ TPM_SIZED_BUFFER sensitiveData; /* A TPM_DAA_SENSITIVE structure */
+#if 0
+ uint32_t additionalSize;
+ [size_is(additionalSize)] BYTE* additionalData;
+ uint32_t sensitiveSize;
+ [size_is(sensitiveSize)] BYTE* sensitiveData;
+#endif
+} TPM_DAA_BLOB;
+
+/* 22.9 TPM_DAA_SENSITIVE rev 91
+
+ The encrypted area for the DAA parameters
+*/
+
+typedef struct tdTPM_DAA_SENSITIVE {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_DAA_SENSITIVE */
+#endif
+ TPM_SIZED_BUFFER internalData; /* DAA_tpmSpecific or DAA_private_v0 or DAA_private_v1 */
+#if 0
+ uint32_t internalSize;
+ [size_is(internalSize)] BYTE* internalData;
+#endif
+} TPM_DAA_SENSITIVE;
+
+#endif
+
+/* 7.1 TPM_PERMANENT_FLAGS rev 110
+
+ These flags maintain state information for the TPM. The values are not affected by any
+ TPM_Startup command.
+
+ The flag history includes:
+
+ Rev 62 specLevel 1 errataRev 0: 15 BOOLs
+ Rev 85 specLevel 2 errataRev 0: 19 BOOLs
+ Added: nvLocked, readSRKPub, tpmEstablished, maintenanceDone
+ Rev 94 specLevel 2 errataRev 1: 19 BOOLs
+ Rev 103 specLevel 2 errataRev 2: 20 BOOLs
+ Added: disableFullDALogicInfo
+*/
+
+typedef struct tdTPM_PERMANENT_FLAGS {
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_PERMANENT_FLAGS */
+ TPM_BOOL disable; /* disable The state of the disable flag. The default state is TRUE
+ */
+ TPM_BOOL ownership; /* The ability to install an owner. The default state is TRUE. */
+ TPM_BOOL deactivated; /* The state of the inactive flag. The default state is TRUE. */
+ TPM_BOOL readPubek; /* The ability to read the PUBEK without owner authorization. The
+ default state is TRUE.
+
+ set TRUE on owner clear
+ set FALSE on take owner, disablePubekRead
+ */
+ TPM_BOOL disableOwnerClear; /* Whether the owner authorized clear commands are active. The
+ default state is FALSE. */
+ TPM_BOOL allowMaintenance; /* Whether the TPM Owner may create a maintenance archive. The
+ default state is TRUE. */
+ TPM_BOOL physicalPresenceLifetimeLock; /* This bit can only be set to TRUE; it cannot be set to
+ FALSE except during the manufacturing process.
+
+ FALSE: The state of either physicalPresenceHWEnable or
+ physicalPresenceCMDEnable MAY be changed. (DEFAULT)
+
+ TRUE: The state of either physicalPresenceHWEnable or
+ physicalPresenceCMDEnable MUST NOT be changed for the
+ life of the TPM. */
+ TPM_BOOL physicalPresenceHWEnable; /* FALSE: Disable the hardware signal indicating physical
+ presence. (DEFAULT)
+
+ TRUE: Enables the hardware signal indicating physical
+ presence. */
+ TPM_BOOL physicalPresenceCMDEnable; /* FALSE: Disable the command indicating physical
+ presence. (DEFAULT)
+
+ TRUE: Enables the command indicating physical
+ presence. */
+ TPM_BOOL CEKPUsed; /* TRUE: The PRIVEK and PUBEK were created using
+ TPM_CreateEndorsementKeyPair.
+
+ FALSE: The PRIVEK and PUBEK were created using a manufacturer's
+ process. NOTE: This flag has no default value as the key pair
+ MUST be created by one or the other mechanism. */
+ TPM_BOOL TPMpost; /* TRUE: After TPM_Startup, if there is a call to
+ TPM_ContinueSelfTest the TPM MUST execute the actions of
+ TPM_SelfTestFull
+
+ FALSE: After TPM_Startup, if there is a call to
+ TPM_ContinueSelfTest the TPM MUST execute TPM_ContinueSelfTest
+
+ If the TPM supports the implicit invocation of
+ TPM_ContinueSelftTest upon the use of an untested resource, the
+ TPM MUST use the TPMPost flag to call either TPM_ContinueSelfTest
+ or TPM_SelfTestFull
+
+ The TPM manufacturer sets this bit during TPM manufacturing and
+ the bit is unchangeable after shipping the TPM
+
+ The default state is FALSE */
+ TPM_BOOL TPMpostLock; /* With the clarification of TPMPost TPMpostLock is now
+ unnecessary.
+ This flag is now deprecated */
+ TPM_BOOL FIPS; /* TRUE: This TPM operates in FIPS mode
+ FALSE: This TPM does NOT operate in FIPS mode */
+ TPM_BOOL tpmOperator; /* TRUE: The operator authorization value is valid
+ FALSE: the operator authorization value is not set */
+ TPM_BOOL enableRevokeEK; /* TRUE: The TPM_RevokeTrust command is active
+ FALSE: the TPM RevokeTrust command is disabled */
+ TPM_BOOL nvLocked; /* TRUE: All NV area authorization checks are active
+ FALSE: No NV area checks are performed, except for maxNVWrites.
+ FALSE is the default value */
+ TPM_BOOL readSRKPub; /* TRUE: GetPubKey will return the SRK pub key
+ FALSE: GetPubKey will not return the SRK pub key
+ Default SHOULD be FALSE */
+ TPM_BOOL tpmEstablished; /* TRUE: TPM_HASH_START has been executed at some time
+ FALSE: TPM_HASH_START has not been executed at any time
+ Default is FALSE - resets using TPM_ResetEstablishmentBit */
+ TPM_BOOL maintenanceDone; /* TRUE: A maintenance archive has been created for the current
+ SRK */
+ TPM_BOOL disableFullDALogicInfo; /* TRUE: The full dictionary attack TPM_GetCapability info is
+ deactivated. The returned structure is TPM_DA_INFO_LIMITED.
+ FALSE: The full dictionary attack TPM_GetCapability info is
+ activated. The returned structure is TPM_DA_INFO.
+ Default is FALSE.
+ */
+ /* NOTE: Cannot add vendor specific flags here, since TPM_GetCapability() returns the serialized
+ structure */
+} TPM_PERMANENT_FLAGS;
+
+/* 7.2 TPM_STCLEAR_FLAGS rev 109
+
+ These flags maintain state that is reset on each TPM_Startup(ST_Clear) command. The values are
+ not affected by TPM_Startup(ST_State) commands.
+*/
+
+typedef struct tdTPM_STCLEAR_FLAGS {
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_STCLEAR_FLAGS */
+ TPM_BOOL deactivated; /* Prevents the operation of most capabilities. There is no
+ default state. It is initialized by TPM_Startup to the
+ same value as TPM_PERMANENT_FLAGS ->
+ deactivated. TPM_SetTempDeactivated sets it to TRUE. */
+ TPM_BOOL disableForceClear; /* Prevents the operation of TPM_ForceClear when TRUE. The
+ default state is FALSE. TPM_DisableForceClear sets it to
+ TRUE. */
+ TPM_BOOL physicalPresence; /* Command assertion of physical presence. The default state
+ is FALSE. This flag is affected by the
+ TSC_PhysicalPresence command but not by the hardware
+ signal. */
+ TPM_BOOL physicalPresenceLock; /* Indicates whether changes to the TPM_STCLEAR_FLAGS ->
+ physicalPresence flag are permitted.
+ TPM_Startup(ST_CLEAR) sets PhysicalPresenceLock to its
+ default state of FALSE (allow changes to the
+ physicalPresence flag). When TRUE, the physicalPresence
+ flag is FALSE. TSC_PhysicalPresence can change the state
+ of physicalPresenceLock. */
+ TPM_BOOL bGlobalLock; /* Set to FALSE on each TPM_Startup(ST_CLEAR). Set to TRUE
+ when a write to NV_Index =0 is successful */
+ /* NOTE: Cannot add vendor specific flags here, since TPM_GetCapability() returns the serialized
+ structure */
+} TPM_STCLEAR_FLAGS;
+
+#if 0
+
+
+/* 7.3 TPM_STANY_FLAGS rev 87
+
+ These flags reset on any TPM_Startup command.
+*/
+
+typedef struct tdTPM_STANY_FLAGS {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_STANY_FLAGS */
+#endif
+ TPM_BOOL postInitialise; /* Prevents the operation of most capabilities. There is no default
+ state. It is initialized by TPM_Init to TRUE. TPM_Startup sets it
+ to FALSE. */
+ TPM_MODIFIER_INDICATOR localityModifier; /*This SHALL indicate for each command the presence of
+ a locality modifier for the command. It MUST be set
+ to NULL after the TPM executes each command. */
+#if 0
+ TPM_BOOL transportExclusive; /* Defaults to FALSE. TRUE when there is an exclusive transport
+ session active. Execution of ANY command other than
+ TPM_ExecuteTransport or TPM_ReleaseTransportSigned MUST
+ invalidate the exclusive transport session.
+ */
+#endif
+ TPM_TRANSHANDLE transportExclusive; /* Defaults to 0x00000000, Set to the handle when an
+ exclusive transport session is active */
+ TPM_BOOL TOSPresent; /* Defaults to FALSE
+ Set to TRUE on TPM_HASH_START
+ set to FALSE using setCapability */
+ /* NOTE: Added kgold */
+ TPM_BOOL stateSaved; /* Defaults to FALSE
+ Set to TRUE on TPM_SaveState
+ Set to FALSE on any other ordinal
+
+ This is an optimization flag, so the file need not be deleted if
+ it does not exist.
+ */
+} TPM_STANY_FLAGS;
+
+/* 7.4 TPM_PERMANENT_DATA rev 105
+
+ This structure contains the data fields that are permanently held in the TPM and not affected by
+ TPM_Startup(any).
+
+ Many of these fields contain highly confidential and privacy sensitive material. The TPM must
+ maintain the protections around these fields.
+*/
+
+#define TPM_MIN_COUNTERS 4 /* the minimum number of counters is 4 */
+#define TPM_DELEGATE_KEY TPM_KEY
+#define TPM_MAX_NV_WRITE_NOOWNER 64
+
+/* Although the ordinal is 32 bits, only the lower 8 bits seem to be used. So for now, define an
+ array of 256/8 bytes for ordinalAuditStatus - kgold */
+
+#define TPM_ORDINALS_MAX 256 /* assumes a multiple of CHAR_BIT */
+#define TPM_AUTHDIR_SIZE 1 /* Number of DIR registers */
+
+#ifdef TPM_VTPM
+
+/* Substructure of TPM_PERMANENT_DATA for VTPM instance data
+
+ */
+
+typedef struct tdTPM_PERMANENT_INSTANCE_DATA {
+ uint32_t creationMask; /* creationMask from TPM_CreateInstance */
+ TPM_INSTANCE_HANDLE parentHandle; /* instance handle of this instance's parent instance */
+ TPM_SIZED_BUFFER childHandles; /* instance handle list of this instance's children */
+ TPM_NONCE migrationNonce; /* Controls state import using TPM_SetInstanceData */
+ TPM_DIGEST migrationDigest; /* Digest of all migrated data structures */
+ TPM_BOOL sourceLock; /* Lock instance before export migration */
+ TPM_BOOL destinationLock; /* Lock instance before import migration */
+
+} TPM_PERMANENT_INSTANCE_DATA;
+
+#endif /* TPM_VTPM */
+
+#ifdef TPM_VENDOR
+
+/*
+ WEC_CFG_STRUCT
+*/
+
+/* Winbond preconfiguration */
+
+typedef struct tdTPM_WEC_CFG_STRUCT {
+ BYTE lowBaseAddress; /* reserved - keep FFh value */
+ BYTE highBaseAddress; /* reserved - keep FFh value */
+ BYTE altCfg; /* GPIO alternate configuration */
+ BYTE direction; /* direction (input/output) of GPIO pins */
+ BYTE pullUp; /* pull-up of GPIO input pins */
+ BYTE pushPull; /* push-pull of open drain of GPIO output pins */
+ BYTE cfg_a; /* hardware physical presence, 32 khz clock */
+ BYTE cfg_b; /* reserved - keep FFh value */
+ BYTE cfg_c; /* reserved - keep FFh value */
+ BYTE cfg_d; /* reserved - keep FFh value */
+ BYTE cfg_e; /* reserved - keep FFh value */
+ BYTE cfg_f; /* software binding */
+ BYTE cfg_g; /* tplPost flagm N_FAILS and WEC_GetTpmStatus */
+ BYTE cfg_h; /* LpcSelfTest and FIPS flags */
+ BYTE cfg_i; /* reserved - keep FFh value */
+ BYTE cfg_j; /* reserved - keep FFh value */
+} TPM_WEC_CFG_STRUCT;
+
+#endif /*TPM_VENDOR */
+
+
+typedef struct tdTPM_PERMANENT_DATA {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_PERMANENT_DATA */
+#endif
+ BYTE revMajor; /* This is the TPM major revision indicator. This SHALL be set by
+ the TPME, only. The default value is manufacturer-specific. */
+ BYTE revMinor; /* This is the TPM minor revision indicator. This SHALL be set by
+ the TPME, only. The default value is manufacturer-specific. */
+ TPM_SECRET tpmProof; /* This is a random number that each TPM maintains to validate blobs
+ in the SEAL and other processes. The default value is
+ manufacturer-specific. */
+ TPM_NONCE EKReset; /* Nonce held by TPM to validate TPM_RevokeTrust. This value is set
+ as the next 20 bytes from the TPM RNG when the EK is set
+ (was fipsReset - kgold) */
+ TPM_SECRET ownerAuth; /* This is the TPM-Owner's authorization data. The default value is
+ manufacturer-specific. */
+ TPM_SECRET operatorAuth; /* The value that allows the execution of the SetTempDeactivated
+ command */
+ TPM_DIRVALUE authDIR; /* The array of TPM Owner authorized DIR. Points to the same
+ location as the NV index value. (kgold - was array of 1) */
+#ifndef TPM_NOMAINTENANCE
+ TPM_PUBKEY manuMaintPub; /* This is the manufacturer's public key to use in the maintenance
+ operations. The default value is manufacturer-specific. */
+#endif
+ TPM_KEY endorsementKey; /* This is the TPM's endorsement key pair. */
+ TPM_KEY srk; /* This is the TPM's StorageRootKey. */
+ TPM_SYMMETRIC_KEY_TOKEN contextKey; /* This is the key in use to perform context saves. The key
+ may be symmetric or asymmetric. The key size is
+ predicated by the algorithm in use. */
+ TPM_SYMMETRIC_KEY_TOKEN delegateKey; /* This key encrypts delegate rows that are stored
+ outside the TPM. */
+ TPM_COUNTER_VALUE auditMonotonicCounter; /* This SHALL be the audit monotonic counter for the
+ TPM. This value starts at 0 and increments
+ according to the rules of auditing */
+ TPM_COUNTER_VALUE monotonicCounter[TPM_MIN_COUNTERS]; /* This SHALL be the monotonic
+ counters for the TPM. The
+ individual counters start and
+ increment according to the rules
+ of monotonic counters. */
+ TPM_PCR_ATTRIBUTES pcrAttrib[TPM_NUM_PCR]; /* The attributes for all of the PCR registers
+ supported by the TPM. */
+ BYTE ordinalAuditStatus[TPM_ORDINALS_MAX/CHAR_BIT]; /* Table indicating which ordinals are being
+ audited. */
+#if 0
+ /* kgold - The xcrypto RNG is good enough that this is not needed */
+ BYTE* rngState; /* State information describing the random number
+ generator. */
+#endif
+ TPM_FAMILY_TABLE familyTable; /* The family table in use for delegations */
+ TPM_DELEGATE_TABLE delegateTable; /* The delegate table */
+ uint32_t lastFamilyID; /* A value that sets the high water mark for family ID's. Set to 0
+ during TPM manufacturing and never reset. */
+ uint32_t noOwnerNVWrite; /* The count of NV writes that have occurred when there is no TPM
+ Owner.
+
+ This value starts at 0 in manufacturing and after each
+ TPM_OwnerClear. If the value exceeds 64 the TPM returns
+ TPM_MAXNVWRITES to any command attempting to manipulate the NV
+ storage. */
+ TPM_CMK_DELEGATE restrictDelegate; /* The settings that allow for the delegation and
+ use on CMK keys. Default value is false. */
+ TPM_DAA_TPM_SEED tpmDAASeed; /* This SHALL be a random value generated after generation
+ of the EK.
+
+ tpmDAASeed does not change during TPM Owner changes. If
+ the EK is removed (RevokeTrust) then the TPM MUST
+ invalidate the tpmDAASeed. The owner can force a change
+ in the value through TPM_SetCapability.
+
+ (linked to daaProof) */
+ TPM_NONCE daaProof; /* This is a random number that each TPM maintains to validate blobs
+ in the DAA processes. The default value is manufacturer-specific.
+
+ The value is not changed when the owner is changed. It is
+ changed when the EK changes. The owner can force a change in the
+ value through TPM_SetCapability. */
+ unsigned char *daaBlobKey; /* This is the key in use to perform DAA encryption and decryption.
+ The key may be symmetric or asymmetric. The key size is
+ predicated by the algorithm in use.
+
+ This value MUST be changed when daaProof changes.
+
+ This key MUST NOT be a copy of the EK or SRK.
+
+ (linked to daaProof) */
+ /* NOTE: added kgold */
+ TPM_BOOL ownerInstalled; /* TRUE: The TPM has an owner installed.
+ FALSE: The TPM has no owner installed. (default) */
+ BYTE tscOrdinalAuditStatus; /* extra byte to track TSC ordinals */
+#ifdef TPM_VTPM /* VTPM specific ordinals */
+ uint32_t instanceOrdinalAuditStatus1; /* extra longs to track vendor specific ordinals */
+ uint32_t instanceOrdinalAuditStatus2;
+#endif
+ TPM_BOOL allowLoadMaintPub; /* TRUE allows the TPM_LoadManuMaintPub command */
+
+#ifdef TPM_VTPM
+ TPM_PERMANENT_INSTANCE_DATA instanceData; /* substructure for VTPM instance data */
+#endif
+#ifdef TPM_VENDOR
+ TPM_WEC_CFG_STRUCT wecPreConfig; /* Winbond preconfiguration data */
+ TPM_BOOL preConfigSet; /* TRUE if the structure has been set through
+ WEC_PreConfig */
+#endif
+} TPM_PERMANENT_DATA;
+
+#define TPM_MIN_AUTH_SESSIONS 3
+
+/* NOTE: Vendor specific */
+
+typedef struct tdTPM_AUTH_SESSION_DATA {
+ /* vendor specific */
+ TPM_AUTHHANDLE handle; /* Handle for a session */
+ TPM_PROTOCOL_ID protocolID; /* TPM_PID_OIAP, TPM_PID_OSAP, TPM_PID_DSAP */
+ TPM_ENT_TYPE entityTypeByte; /* The type of entity in use (TPM_ET_SRK, TPM_ET_OWNER,
+ TPM_ET_KEYHANDLE ... */
+ TPM_ADIP_ENC_SCHEME adipEncScheme; /* ADIP encryption scheme */
+ TPM_NONCE nonceEven; /* OIAP, OSAP, DSAP */
+ TPM_SECRET sharedSecret; /* OSAP */
+ TPM_DIGEST entityDigest; /* OSAP tracks which entity established the OSAP session */
+ TPM_DELEGATE_PUBLIC pub; /* DSAP */
+ TPM_BOOL valid; /* added kgold: array entry is valid */
+} TPM_AUTH_SESSION_DATA;
+
+#ifdef TPM_VTPM
+/* 3.3.2 TPM_PCR_LIST
+
+ TPM_PCR_LIST is a structure saved by TPM_SetupInstance and returned by TPM_GetCapability.
+*/
+
+typedef struct tdTPM_PCR_LIST {
+ TPM_PCRINDEX pcrIndex; /* Index to a PCR register */
+ TPM_DIGEST inDigest; /* The digest representing the event to be recorded. */
+ BYTE eventID; /* Identifier for measurements */
+#if 0
+ uint32_t nameSize; /* The size of the name area */
+ BYTE* name; /* Name of an initial measurement */
+#endif
+ TPM_SIZED_BUFFER name;
+} TPM_PCR_LIST;
+
+/* TPM_PCR_LIST_TIMESTAMP
+
+ TPM_PCR_LIST_TIMESTAMP is a structure saved by the TPM when logging PCR extensions and returned
+ by TPM_GetCapability.
+*/
+
+typedef struct tdTPM_PCR_LIST_TIMESTAMP {
+ TPM_COMMAND_CODE ordinal; /* The ordinal that altered the PCR */
+ TPM_PCRINDEX pcrIndex; /* Index to a PCR register */
+ TPM_DIGEST digest; /* The digest representing the recorded PCR Extension */
+ uint32_t timestamp_hi; /* time of the log entry */
+ uint32_t timestamp_lo;
+} TPM_PCR_LIST_TIMESTAMP;
+
+/* TPM_PCR_LIST_TIMESTAMP_INST
+
+ TPM_PCR_LIST_TIMESTAMP_INST is a structure created by the TPM when notifying clients of PCR
+ extensions.
+*/
+
+typedef struct tdTPM_PCR_LIST_TIMESTAMP_INST {
+ TPM_INSTANCE_HANDLE instance; /* instance handle */
+ TPM_COMMAND_CODE ordinal; /* The ordinal that altered the PCR */
+ TPM_PCRINDEX pcrIndex; /* Index to a PCR register */
+ TPM_DIGEST digest; /* The digest representing the recorded PCR Extensions. */
+ uint32_t timestamp_hi; /* time of the log entry */
+ uint32_t timestamp_lo;
+} TPM_PCR_LIST_TIMESTAMP_INST;
+
+/* Added for virtual TPM support */
+
+typedef struct tdTPM_VTPM_INSTANCE {
+ TPM_SYMMETRIC_KEY_TOKEN instanceEncKey; /* symmetric key to encrypt instance migration
+ blobs */
+ TPM_SECRET instanceHmacKey; /* secret used to MAC instance migration blobs */
+ TPM_SIZED_BUFFER pcrList; /* PCR lists from TPM_SetupInstance */
+ TPM_PCR_SELECTION logPCRSelection; /* Indices of PCRs that should be saved for logging */
+ TPM_PCR_SELECTION subscribePCRSelection; /* Indices of PCRs that should be reported to a
+ subscriber */
+ uint32_t logLengthMax; /* Upper limit on the length of the buffer (number of
+ measurements) used for logging of measurements */
+ uint32_t logLength; /* number of measurements in the log */
+ TPM_BOOL logOverflow; /* pcrMeasurementLog has overflowed */
+ uint32_t subscribeSequenceNumber; /* count of measurements sent to subscriber */
+} TPM_VTPM_INSTANCE;
+
+#endif /* TPM_VTPM */
+
+/* 3. contextList MUST support a minimum of 16 entries, it MAY support more. */
+#define TPM_MIN_SESSION_LIST 16
+
+/* 7.5 TPM_STCLEAR_DATA rev 101
+
+ This is an informative structure and not normative. It is purely for convenience of writing the
+ spec.
+
+ Most of the data in this structure resets on TPM_Startup(ST_Clear). A TPM may implement rules
+ that provide longer-term persistence for the data. The TPM reflects how it handles the data in
+ various TPM_GetCapability fields including startup effects.
+*/
+
+typedef struct tdTPM_STCLEAR_DATA {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_STCLEAR_DATA */
+#endif
+ TPM_NONCE contextNonceKey; /* This is the nonce in use to properly identify saved key context
+ blobs This SHALL be set to all zeros on each TPM_Startup
+ (ST_Clear).
+ */
+ TPM_COUNT_ID countID; /* This is the handle for the current monotonic counter. This SHALL
+ be set to zero on each TPM_Startup(ST_Clear). */
+ uint32_t ownerReference; /* Points to where to obtain the owner secret in OIAP and OSAP
+ commands. This allows a TSS to manage 1.1 applications on a 1.2
+ TPM where delegation is in operation. */
+ TPM_BOOL disableResetLock; /* Disables TPM_ResetLockValue upon authorization failure.
+ The value remains TRUE for the timeout period.
+
+ Default is FALSE.
+
+ The value is in the STCLEAR_DATA structure as the
+ implementation of this flag is TPM vendor specific. */
+ TPM_PCRVALUE PCRS[TPM_NUM_PCR]; /* Platform configuration registers */
+#if (TPM_REVISION >= 103) /* added for rev 103 */
+ uint32_t deferredPhysicalPresence; /* The value can save the assertion of physicalPresence.
+ Individual bits indicate to its ordinal that
+ physicalPresence was previously asserted when the
+ software state is such that it can no longer be asserted.
+ Set to zero on each TPM_Startup(ST_Clear). */
+#endif
+ /* NOTE: Added for dictionary attack mitigation */
+ uint32_t authFailCount; /* number of authorization failures without a TPM_ResetLockValue */
+ uint32_t authFailTime; /* time of threshold failure in seconds */
+ /* NOTE: Moved from TPM_STANY_DATA. Saving this state is optional. This implementation
+ does. */
+ TPM_AUTH_SESSION_DATA authSessions[TPM_MIN_AUTH_SESSIONS]; /* List of current
+ sessions. Sessions can be OSAP,
+ OIAP, DSAP and Transport */
+ /* NOTE: Added for transport */
+ TPM_TRANSPORT_INTERNAL transSessions[TPM_MIN_TRANS_SESSIONS];
+ /* 22.7 TPM_STANY_DATA Additions (for DAA) - moved to TPM_STCLEAR_DATA for startup state */
+ TPM_DAA_SESSION_DATA daaSessions[TPM_MIN_DAA_SESSIONS];
+ /* 1. The group of contextNonceSession, contextCount, contextList MUST reset at the same
+ time. */
+ TPM_NONCE contextNonceSession; /* This is the nonce in use to properly identify saved
+ session context blobs. This MUST be set to all zeros on
+ each TPM_Startup (ST_Clear). The nonce MAY be set to
+ null on TPM_Startup( any). */
+ uint32_t contextCount; /* This is the counter to avoid session context blob replay
+ attacks. This MUST be set to 0 on each TPM_Startup
+ (ST_Clear). The value MAY be set to 0 on TPM_Startup
+ (any). */
+ uint32_t contextList[TPM_MIN_SESSION_LIST]; /* This is the list of outstanding session blobs.
+ All elements of this array MUST be set to 0 on
+ each TPM_Startup (ST_Clear). The values MAY be
+ set to 0 on TPM_Startup (any). */
+ /* NOTE Added auditDigest effect, saved with ST_STATE */
+ TPM_DIGEST auditDigest; /* This is the extended value that is the audit log. This
+ SHALL be set to all zeros at the start of each audit
+ session. */
+ /* NOTE Storage for the ordinal response */
+ TPM_STORE_BUFFER ordinalResponse; /* outgoing response buffer for this ordinal */
+ uint32_t responseCount; /* increments after each response */
+} TPM_STCLEAR_DATA;
+
+/* 7.6 TPM_STANY_DATA rev 87
+
+ This is an informative structure and not normative. It is purely for convenience of writing the
+ spec.
+
+ Most of the data in this structure resets on TPM_Startup(ST_State). A TPM may implement rules
+ that provide longer-term persistence for the data. The TPM reflects how it handles the data in
+ various getcapability fields including startup effects.
+*/
+
+typedef struct tdTPM_STANY_DATA {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_STANY_DATA */
+#endif
+ TPM_CURRENT_TICKS currentTicks; /* This is the current tick counter. This is reset to 0
+ according to the rules when the TPM can tick. See the
+ section on the tick counter for details. */
+} TPM_STANY_DATA;
+
+/* 11. Signed Structures */
+
+/* 11.1 TPM_CERTIFY_INFO rev 101
+
+ When the TPM certifies a key, it must provide a signature with a TPM identity key on information
+ that describes that key. This structure provides the mechanism to do so.
+
+ Key usage and keyFlags must have their upper byte set to zero to avoid collisions with the other
+ signature headers.
+*/
+
+typedef struct tdTPM_CERTIFY_INFO {
+ TPM_STRUCT_VER version; /* This MUST be 1.1.0.0 */
+ TPM_KEY_USAGE keyUsage; /* This SHALL be the same value that would be set in a
+ TPM_KEY representation of the key to be certified. The
+ upper byte MUST be zero */
+ TPM_KEY_FLAGS keyFlags; /* This SHALL be set to the same value as the corresponding
+ parameter in the TPM_KEY structure that describes the
+ public key that is being certified. The upper byte MUST
+ be zero */
+ TPM_AUTH_DATA_USAGE authDataUsage; /* This SHALL be the same value that would be set in a
+ TPM_KEY representation of the key to be certified */
+ TPM_KEY_PARMS algorithmParms; /* This SHALL be the same value that would be set in a
+ TPM_KEY representation of the key to be certified */
+ TPM_DIGEST pubkeyDigest; /* This SHALL be a digest of the value TPM_KEY -> pubKey ->
+ key in a TPM_KEY representation of the key to be
+ certified */
+ TPM_NONCE data; /* This SHALL be externally provided data. */
+ TPM_BOOL parentPCRStatus; /* This SHALL indicate if any parent key was wrapped to a
+ PCR */
+ TPM_SIZED_BUFFER pcrInfo; /* */
+#if 0
+ uint32_t PCRInfoSize; /* This SHALL be the size of the pcrInfo parameter. A value
+ of zero indicates that the key is not wrapped to a PCR */
+ BYTE* PCRInfo; /* This SHALL be the TPM_PCR_INFO structure. */
+#endif
+ /* NOTE: kgold - Added this structure, a cache of PCRInfo when not NULL */
+ TPM_PCR_INFO *tpm_pcr_info;
+} TPM_CERTIFY_INFO;
+
+/* 11.2 TPM_CERTIFY_INFO2 rev 101
+
+ When the TPM certifies a key, it must provide a signature with a TPM identity key on information
+ that describes that key. This structure provides the mechanism to do so.
+
+ Key usage and keyFlags must have their upper byte set to zero to avoid collisions with the other
+ signature headers.
+*/
+
+typedef struct tdTPM_CERTIFY_INFO2 {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_CERTIFY_INFO2 */
+#endif
+ BYTE fill; /* MUST be 0x00 */
+ TPM_PAYLOAD_TYPE payloadType; /* This SHALL be the same value that would be set in a
+ TPM_KEY representation of the key to be certified */
+ TPM_KEY_USAGE keyUsage; /* This SHALL be the same value that would be set in a
+ TPM_KEY representation of the key to be certified. The
+ upper byte MUST be zero */
+ TPM_KEY_FLAGS keyFlags; /* This SHALL be set to the same value as the corresponding
+ parameter in the TPM_KEY structure that describes the
+ public key that is being certified. The upper byte MUST
+ be zero. */
+ TPM_AUTH_DATA_USAGE authDataUsage; /* This SHALL be the same value that would be set in a
+ TPM_KEY representation of the key to be certified */
+ TPM_KEY_PARMS algorithmParms; /* This SHALL be the same value that would be set in a
+ TPM_KEY representation of the key to be certified */
+ TPM_DIGEST pubkeyDigest; /* This SHALL be a digest of the value TPM_KEY -> pubKey ->
+ key in a TPM_KEY representation of the key to be
+ certified */
+ TPM_NONCE data; /* This SHALL be externally provided data. */
+ TPM_BOOL parentPCRStatus; /* This SHALL indicate if any parent key was wrapped to a
+ PCR */
+#if 0
+ uint32_t PCRInfoSize; /* This SHALL be the size of the pcrInfo parameter. A value
+ of zero indicates that the key is not wrapped to a PCR */
+ BYTE* PCRInfo; /* This SHALL be the TPM_PCR_INFO_SHORT structure. */
+#endif
+ TPM_SIZED_BUFFER pcrInfo;
+#if 0
+ uint32_t migrationAuthoritySize; /* This SHALL be the size of migrationAuthority */
+ BYTE *migrationAuthority; /* If the key to be certified has [payload ==
+ TPM_PT_MIGRATE_RESTRICTED or payload
+ ==TPM_PT_MIGRATE_EXTERNAL], migrationAuthority is the
+ digest of the TPM_MSA_COMPOSITE and has TYPE ==
+ TPM_DIGEST. Otherwise it is NULL. */
+#endif
+ TPM_SIZED_BUFFER migrationAuthority;
+ /* NOTE: kgold - Added this structure, a cache of PCRInfo when not NULL */
+ TPM_PCR_INFO_SHORT *tpm_pcr_info_short;
+} TPM_CERTIFY_INFO2;
+
+/* 11.3 TPM_QUOTE_INFO rev 87
+
+ This structure provides the mechanism for the TPM to quote the current values of a list of PCRs.
+*/
+
+typedef struct tdTPM_QUOTE_INFO {
+ TPM_STRUCT_VER version; /* This MUST be 1.1.0.0 */
+ BYTE fixed[4]; /* This SHALL always be the string 'QUOT' */
+ TPM_COMPOSITE_HASH digestValue; /* This SHALL be the result of the composite hash algorithm
+ using the current values of the requested PCR indices. */
+ TPM_NONCE externalData; /* 160 bits of externally supplied data */
+} TPM_QUOTE_INFO;
+
+#endif
+
+/* 11.4 TPM_QUOTE_INFO2 rev 87
+
+ This structure provides the mechanism for the TPM to quote the current values of a list of PCRs.
+*/
+
+typedef struct tdTPM_QUOTE_INFO2 {
+ TPM_STRUCTURE_TAG tag; /* This SHALL be TPM_TAG_QUOTE_INFO2 */
+ BYTE fixed[4]; /* This SHALL always be the string 'QUT2' */
+ TPM_NONCE externalData; /* 160 bits of externally supplied data */
+ TPM_PCR_INFO_SHORT infoShort; /* */
+} TPM_QUOTE_INFO2;
+
+/* 12.1 TPM_EK_BLOB rev 87
+
+ This structure provides a wrapper to each type of structure that will be in use when the
+ endorsement key is in use.
+*/
+
+typedef struct tdTPM_EK_BLOB {
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_EK_BLOB */
+ TPM_EK_TYPE ekType; /* This SHALL be set to reflect the type of blob in use */
+ uint32_t blobSize; /* The size of the blob field */
+ BYTE blob[MAX_COMMAND_SIZE]; /* The blob of information depending on the type */
+} TPM_EK_BLOB;
+
+/* 12.2 TPM_EK_BLOB_ACTIVATE rev 87
+
+ This structure contains the symmetric key to encrypt the identity credential. This structure
+ always is contained in a TPM_EK_BLOB.
+*/
+
+typedef struct tdTPM_EK_BLOB_ACTIVATE {
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_EK_BLOB_ACTIVATE */
+ TPM_SYMMETRIC_KEY sessionKey; /* This SHALL be the session key used by the CA to encrypt
+ the TPM_IDENTITY_CREDENTIAL */
+ TPM_DIGEST idDigest; /* This SHALL be the digest of the TPM identity public key
+ that is being certified by the CA */
+ TPM_PCR_INFO_SHORT pcrInfo; /* This SHALL indicate the PCR's and localities */
+} TPM_EK_BLOB_ACTIVATE;
+
+#if 0
+
+/* 12.3 TPM_EK_BLOB_AUTH rev 87
+
+ This structure contains the symmetric key to encrypt the identity credential. This structure
+ always is contained in a TPM_EK_BLOB.
+*/
+
+typedef struct tdTPM_EK_BLOB_AUTH {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_EK_BLOB_AUTH */
+#endif
+ TPM_SECRET authValue; /* This SHALL be the authorization value */
+} TPM_EK_BLOB_AUTH;
+
+/* 12.5 TPM_IDENTITY_CONTENTS rev 87
+
+ TPM_MakeIdentity uses this structure and the signature of this structure goes to a privacy CA
+ during the certification process.
+*/
+
+typedef struct tdTPM_IDENTITY_CONTENTS {
+ TPM_STRUCT_VER ver; /* This MUST be 1.1.0.0 */
+ uint32_t ordinal; /* This SHALL be the ordinal of the TPM_MakeIdentity
+ command. */
+ TPM_CHOSENID_HASH labelPrivCADigest; /* This SHALL be the result of hashing the chosen
+ identityLabel and privacyCA for the new TPM
+ identity */
+ TPM_PUBKEY identityPubKey; /* This SHALL be the public key structure of the identity
+ key */
+} TPM_IDENTITY_CONTENTS;
+
+/* 12.8 TPM_ASYM_CA_CONTENTS rev 87
+
+ This structure contains the symmetric key to encrypt the identity credential.
+*/
+
+typedef struct tdTPM_ASYM_CA_CONTENTS {
+ TPM_SYMMETRIC_KEY sessionKey; /* This SHALL be the session key used by the CA to encrypt
+ the TPM_IDENTITY_CREDENTIAL */
+ TPM_DIGEST idDigest; /* This SHALL be the digest of the TPM_PUBKEY of the key
+ that is being certified by the CA */
+} TPM_ASYM_CA_CONTENTS;
+
+/*
+ 14. Audit Structures
+*/
+
+/* 14.1 TPM_AUDIT_EVENT_IN rev 87
+
+ This structure provides the auditing of the command upon receipt of the command. It provides the
+ information regarding the input parameters.
+*/
+
+typedef struct tdTPM_AUDIT_EVENT_IN {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_AUDIT_EVENT_IN */
+#endif
+ TPM_DIGEST inputParms; /* Digest value according to the HMAC digest rules of the
+ "above the line" parameters (i.e. the first HMAC digest
+ calculation). When there are no HMAC rules, the input
+ digest includes all parameters including and after the
+ ordinal. */
+ TPM_COUNTER_VALUE auditCount; /* The current value of the audit monotonic counter */
+} TPM_AUDIT_EVENT_IN;
+
+/* 14.2 TPM_AUDIT_EVENT_OUT rev 87
+
+ This structure reports the results of the command execution. It includes the return code and the
+ output parameters.
+*/
+
+typedef struct tdTPM_AUDIT_EVENT_OUT {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_AUDIT_EVENT_OUT */
+#endif
+ TPM_DIGEST outputParms; /* Digest value according to the HMAC digest rules of the
+ "above the line" parameters (i.e. the first HMAC digest
+ calculation). When there are no HMAC rules, the output
+ digest includes the return code, the ordinal, and all
+ parameters after the return code. */
+ TPM_COUNTER_VALUE auditCount; /* The current value of the audit monotonic counter */
+} TPM_AUDIT_EVENT_OUT;
+
+/*
+ 18. Context structures
+*/
+
+/* 18.1 TPM_CONTEXT_BLOB rev 102
+
+ This is the header for the wrapped context. The blob contains all information necessary to reload
+ the context back into the TPM.
+
+ The additional data is used by the TPM manufacturer to save information that will assist in the
+ reloading of the context. This area must not contain any shielded data. For instance, the field
+ could contain some size information that allows the TPM more efficient loads of the context. The
+ additional area could not contain one of the primes for a RSA key.
+
+ To ensure integrity of the blob when using symmetric encryption the TPM vendor could use some
+ valid cipher chaining mechanism. To ensure the integrity without depending on correct
+ implementation, the TPM_CONTEXT_BLOB structure uses a HMAC of the entire structure using tpmProof
+ as the secret value.
+
+ Since both additionalData and sensitiveData are informative, any or all of additionalData
+ could be moved to sensitiveData.
+*/
+
+#define TPM_CONTEXT_LABEL_SIZE 16
+
+typedef struct tdTPM_CONTEXT_BLOB {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_CONTEXTBLOB */
+#endif
+ TPM_RESOURCE_TYPE resourceType; /* The resource type */
+ TPM_HANDLE handle; /* Previous handle of the resource */
+ BYTE label[TPM_CONTEXT_LABEL_SIZE]; /* Label for identification of the blob. Free format
+ area. */
+ uint32_t contextCount; /* MUST be TPM_STANY_DATA -> contextCount when creating the
+ structure. This value is ignored for context blobs that
+ reference a key. */
+ TPM_DIGEST integrityDigest; /* The integrity of the entire blob including the sensitive
+ area. This is a HMAC calculation with the entire
+ structure (including sensitiveData) being the hash and
+ tpmProof is the secret */
+#if 0
+ uint32_t additionalSize;
+ [size_is(additionalSize)] BYTE* additionalData;
+ uint32_t sensitiveSize;
+ [size_is(sensitiveSize)] BYTE* sensitiveData;
+#endif
+ TPM_SIZED_BUFFER additionalData; /* Additional information set by the TPM that helps define
+ and reload the context. The information held in this area
+ MUST NOT expose any information held in shielded
+ locations. This should include any IV for symmetric
+ encryption */
+ TPM_SIZED_BUFFER sensitiveData; /* The normal information for the resource that can be
+ exported */
+} TPM_CONTEXT_BLOB;
+
+/* 18.2 TPM_CONTEXT_SENSITIVE rev 87
+
+ The internal areas that the TPM needs to encrypt and store off the TPM.
+
+ This is an informative structure and the TPM can implement in any manner they wish.
+*/
+
+typedef struct tdTPM_CONTEXT_SENSITIVE {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_CONTEXT_SENSITIVE */
+#endif
+ TPM_NONCE contextNonce; /* On context blobs other than keys this MUST be
+ TPM_STANY_DATA - > contextNonceSession For keys the value
+ is TPM_STCLEAR_DATA -> contextNonceKey */
+#if 0
+ uint32_t internalSize;
+ [size_is(internalSize)] BYTE* internalData;
+#endif
+ TPM_SIZED_BUFFER internalData; /* The internal data area */
+} TPM_CONTEXT_SENSITIVE;
+
+#endif
+
+/* 19.2 TPM_NV_ATTRIBUTES rev 99
+
+ This structure allows the TPM to keep track of the data and permissions to manipulate the area.
+*/
+
+typedef struct tdTPM_NV_ATTRIBUTES {
+ TPM_STRUCTURE_TAG tag; /* TPM_TAG_NV_ATTRIBUTES */
+ uint32_t attributes; /* The attribute area */
+} TPM_NV_ATTRIBUTES;
+
+/* 19.3 TPM_NV_DATA_PUBLIC rev 110
+
+ This structure represents the public description and controls on the NV area.
+
+ bReadSTClear and bWriteSTClear are volatile, in that they are set FALSE at TPM_Startup(ST_Clear).
+ bWriteDefine is persistent, in that it remains TRUE through startup.
+
+ A pcrSelect of 0 indicates that the digestAsRelease is not checked. In this case, the TPM is not
+ required to consume NVRAM space to store the digest, although it may do so. When
+ TPM_GetCapability (TPM_CAP_NV_INDEX) returns the structure, a TPM that does not store the digest
+ can return zero. A TPM that does store the digest may return either the digest or zero.
+*/
+
+typedef struct tdTPM_NV_DATA_PUBLIC {
+ TPM_STRUCTURE_TAG tag; /* This SHALL be TPM_TAG_NV_DATA_PUBLIC */
+ TPM12_NV_INDEX nvIndex; /* The index of the data area */
+ TPM_PCR_INFO_SHORT pcrInfoRead; /* The PCR selection that allows reading of the area */
+ TPM_PCR_INFO_SHORT pcrInfoWrite; /* The PCR selection that allows writing of the area */
+ TPM_NV_ATTRIBUTES permission; /* The permissions for manipulating the area */
+ TPM_BOOL bReadSTClear; /* Set to FALSE on each TPM_Startup(ST_Clear) and set to
+ TRUE after a ReadValuexxx with datasize of 0 */
+ TPM_BOOL bWriteSTClear; /* Set to FALSE on each TPM_Startup(ST_CLEAR) and set to
+ TRUE after a WriteValuexxx with a datasize of 0. */
+ TPM_BOOL bWriteDefine; /* Set to FALSE after TPM_NV_DefineSpace and set to TRUE
+ after a successful WriteValuexxx with a datasize of 0 */
+ uint32_t dataSize; /* The size of the data area in bytes */
+} TPM_NV_DATA_PUBLIC;
+
+#if 0
+
+/* 19.4 TPM_NV_DATA_SENSITIVE rev 101
+
+ This is an internal structure that the TPM uses to keep the actual NV data and the controls
+ regarding the area.
+*/
+
+typedef struct tdTPM_NV_DATA_SENSITIVE {
+#ifdef TPM_USE_TAG_IN_STRUCTURE
+ TPM_STRUCTURE_TAG tag; /* This SHALL be TPM_TAG_NV_DATA_SENSITIVE */
+#endif
+ TPM_NV_DATA_PUBLIC pubInfo; /* The public information regarding this area */
+ TPM_AUTHDATA authValue; /* The authorization value to manipulate the value */
+ BYTE *data; /* The data area. This MUST not contain any sensitive information as
+ the TPM does not provide any confidentiality on the data. */
+ /* NOTE Added kg */
+ TPM_DIGEST digest; /* for OSAP comparison */
+} TPM_NV_DATA_SENSITIVE;
+
+typedef struct tdTPM_NV_INDEX_ENTRIES {
+ uint32_t nvIndexCount; /* number of entries */
+ TPM_NV_DATA_SENSITIVE *tpm_nvindex_entry; /* array of TPM_NV_DATA_SENSITIVE */
+} TPM_NV_INDEX_ENTRIES;
+
+/* TPM_NV_DATA_ST
+
+ This is a cache of the the NV defined space volatile flags, used during error rollback
+*/
+
+typedef struct tdTPM_NV_DATA_ST {
+ TPM12_NV_INDEX nvIndex; /* The index of the data area */
+ TPM_BOOL bReadSTClear;
+ TPM_BOOL bWriteSTClear;
+} TPM_NV_DATA_ST;
+
+#endif
+
+/*
+ 21. Capability areas
+*/
+
+/* 21.6 TPM_CAP_VERSION_INFO rev 99
+
+ This structure is an output from a TPM_GetCapability -> TPM_CAP_VERSION_VAL request. TPM returns
+ the current version and revision of the TPM.
+
+ The specLevel and errataRev are defined in the document "Specification and File Naming
+ Conventions"
+
+ The tpmVendorID is a value unique to each vendor. It is defined in the document "TCG Vendor
+ Naming".
+
+ The vendor specific area allows the TPM vendor to provide support for vendor options. The TPM
+ vendor may define the area to the TPM vendor's needs.
+*/
+
+typedef struct tdTPM_CAP_VERSION_INFO {
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_CAP_VERSION_INFO */
+ TPM_VERSION version; /* The version and revision */
+ uint16_t specLevel; /* A number indicating the level of ordinals supported */
+ BYTE errataRev; /* A number indicating the errata version of the specification */
+ BYTE tpmVendorID[4]; /* The vendor ID unique to each TPM manufacturer. */
+ uint16_t vendorSpecificSize; /* The size of the vendor specific area */
+ BYTE vendorSpecific[MAX_COMMAND_SIZE]; /* Vendor specific information */
+} TPM_CAP_VERSION_INFO;
+
+/* 21.10 TPM_DA_ACTION_TYPE rev 100
+
+ This structure indicates the action taken when the dictionary attack mitigation logic is active,
+ when TPM_DA_STATE is TPM_DA_STATE_ACTIVE.
+*/
+
+typedef struct tdTPM_DA_ACTION_TYPE {
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_DA_ACTION_TYPE */
+ uint32_t actions; /* The action taken when TPM_DA_STATE is TPM_DA_STATE_ACTIVE. */
+} TPM_DA_ACTION_TYPE;
+
+/* 21.7 TPM_DA_INFO rev 100
+
+ This structure is an output from a TPM_GetCapability -> TPM_CAP_DA_LOGIC request if
+ TPM_PERMANENT_FLAGS -> disableFullDALogicInfo is FALSE.
+
+ It returns static information describing the TPM response to authorization failures that might
+ indicate a dictionary attack and dynamic information regarding the current state of the
+ dictionary attack mitigation logic.
+*/
+
+typedef struct tdTPM_DA_INFO {
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_DA_INFO */
+ TPM_DA_STATE state; /* Dynamic. The actual state of the dictionary attack mitigation
+ logic. See 21.9. */
+ uint16_t currentCount; /* Dynamic. The actual count of the authorization failure counter
+ for the selected entity type */
+ uint16_t thresholdCount; /* Static. Dictionary attack mitigation threshold count for the
+ selected entity type */
+ TPM_DA_ACTION_TYPE actionAtThreshold; /* Static Action of the TPM when currentCount passes
+ thresholdCount. See 21.10. */
+ uint32_t actionDependValue; /* Dynamic. Action being taken when the dictionary attack
+ mitigation logic is active. E.g., when actionAtThreshold is
+ TPM_DA_ACTION_TIMEOUT, this is the lockout time remaining in
+ seconds. */
+ uint32_t vendorDataSize;
+ uint8_t vendorData[2048]; /* Vendor specific data field */
+} TPM_DA_INFO;
+
+/* 21.8 TPM_DA_INFO_LIMITED rev 100
+
+ This structure is an output from a TPM_GetCapability -> TPM_CAP_DA_LOGIC request if
+ TPM_PERMANENT_FLAGS -> disableFullDALogicInfo is TRUE.
+
+ It returns static information describing the TPM response to authorization failures that might
+ indicate a dictionary attack and dynamic information regarding the current state of the
+ dictionary attack mitigation logic. This structure omits information that might aid an attacker.
+*/
+
+typedef struct tdTPM_DA_INFO_LIMITED {
+ TPM_STRUCTURE_TAG tag; /* MUST be TPM_TAG_DA_INFO_LIMITED */
+ TPM_DA_STATE state; /* Dynamic. The actual state of the dictionary attack mitigation
+ logic. See 21.9. */
+ TPM_DA_ACTION_TYPE actionAtThreshold; /* Static Action of the TPM when currentCount passes
+ thresholdCount. See 21.10. */
+ uint32_t vendorDataSize;
+ uint8_t vendorData[2048]; /* Vendor specific data field */
+} TPM_DA_INFO_LIMITED;
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmtypes12.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmtypes12.h
new file mode 100644
index 0000000..0b1ed08
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tpmtypes12.h
@@ -0,0 +1,148 @@
+/********************************************************************************/
+/* */
+/* TPM Types */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tpmtypes12.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2006, 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TPMTYPES12_H
+#define TPMTYPES12_H
+
+#include <stdint.h>
+
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#include <windows.h>
+#endif
+#if defined (TPM_POSIX) || defined (TPM_SYSTEM_P)
+#include <netinet/in.h> /* for byte order conversions */
+#endif
+
+#include <ibmtss/BaseTypes.h>
+
+/* 2.2.1 Basic data types rev 87 */
+//typedef unsigned char BYTE; /* Basic byte used to transmit all character fields. */
+typedef unsigned char TPM_BOOL; /* TRUE/FALSE field. TRUE = 0x01, FALSE = 0x00 Use TPM_BOOL
+ because MS VC++ defines BOOL on Windows */
+
+/* 2.2.2 Boolean types rev 107 */
+
+#undef TRUE
+#define TRUE 0x01 /* Assertion */
+#undef FALSE
+#define FALSE 0x00 /* Contradiction */
+
+/* 2.2.3 Helper redefinitions rev 101
+
+ The following definitions are to make the definitions more explicit and easier to read.
+
+ NOTE: They cannot be changed without breaking the serialization.
+*/
+
+typedef BYTE TPM_AUTH_DATA_USAGE; /* Indicates the conditions where it is required that
+ authorization be presented. */
+typedef BYTE TPM_PAYLOAD_TYPE; /* The information as to what the payload is in an encrypted
+ structure */
+typedef BYTE TPM_VERSION_BYTE; /* The version info breakdown */
+typedef BYTE TPM_DA_STATE; /* The state of the dictionary attack mitigation logic */
+
+/* added kgold */
+typedef BYTE TPM_ENT_TYPE; /* LSB of TPM_ENTITY_TYPE */
+typedef BYTE TPM_ADIP_ENC_SCHEME; /* MSB of TPM_ENTITY_TYPE */
+
+typedef uint16_t TPM_PROTOCOL_ID; /* The protocol in use. */
+typedef uint16_t TPM_STARTUP_TYPE; /* Indicates the start state. */
+typedef uint16_t TPM_ENC_SCHEME; /* The definition of the encryption scheme. */
+typedef uint16_t TPM_SIG_SCHEME; /* The definition of the signature scheme. */
+typedef uint16_t TPM_MIGRATE_SCHEME; /* The definition of the migration scheme */
+typedef uint16_t TPM_PHYSICAL_PRESENCE; /* Sets the state of the physical presence mechanism. */
+typedef uint16_t TPM_ENTITY_TYPE; /* Indicates the types of entity that are supported by the
+ TPM. */
+typedef uint16_t TPM_KEY_USAGE; /* Indicates the permitted usage of the key. */
+typedef uint16_t TPM_EK_TYPE; /* The type of asymmetric encrypted structure in use by the
+ endorsement key */
+typedef uint16_t TPM_STRUCTURE_TAG; /* The tag for the structure */
+typedef uint16_t TPM_PLATFORM_SPECIFIC; /* The platform specific spec to which the information
+ relates to */
+typedef uint32_t TPM_COMMAND_CODE; /* The command ordinal. */
+typedef uint32_t TPM_CAPABILITY_AREA; /* Identifies a TPM capability area. */
+typedef uint32_t TPM_KEY_FLAGS; /* Indicates information regarding a key. */
+//typedef uint32_t TPM_ALGORITHM_ID; /* Indicates the type of algorithm. */
+//typedef uint32_t TPM_MODIFIER_INDICATOR; /* The locality modifier */
+typedef uint32_t TPM_ACTUAL_COUNT; /* The actual number of a counter. */
+typedef uint32_t TPM_TRANSPORT_ATTRIBUTES; /* Attributes that define what options are in use
+ for a transport session */
+typedef uint32_t TPM_AUTHHANDLE; /* Handle to an authorization session */
+typedef uint32_t TPM_DIRINDEX; /* Index to a DIR register */
+typedef uint32_t TPM_KEY_HANDLE; /* The area where a key is held assigned by the TPM. */
+typedef uint32_t TPM_PCRINDEX; /* Index to a PCR register */
+typedef uint32_t TPM_RESULT; /* The return code from a function */
+typedef uint32_t TPM_RESOURCE_TYPE; /* The types of resources that a TPM may have using internal
+ resources */
+typedef uint32_t TPM_KEY_CONTROL; /* Allows for controlling of the key when loaded and how to
+ handle TPM_Startup issues */
+typedef uint32_t TPM12_NV_INDEX; /* The index into the NV storage area */
+typedef uint32_t TPM_FAMILY_ID; /* The family ID. Families ID's are automatically assigned a
+ sequence number by the TPM. A trusted process can set the
+ FamilyID value in an individual row to zero, which
+ invalidates that row. The family ID resets to zero on
+ each change of TPM Owner. */
+typedef uint32_t TPM_FAMILY_VERIFICATION; /* A value used as a label for the most recent
+ verification of this family. Set to zero when not
+ in use. */
+typedef uint32_t TPM_STARTUP_EFFECTS; /* How the TPM handles var */
+typedef uint32_t TPM_SYM_MODE; /* The mode of a symmetric encryption */
+typedef uint32_t TPM_FAMILY_FLAGS; /* The family flags */
+typedef uint32_t TPM_DELEGATE_INDEX; /* The index value for the delegate NV table */
+typedef uint32_t TPM_CMK_DELEGATE; /* The restrictions placed on delegation of CMK
+ commands */
+typedef uint32_t TPM_COUNT_ID; /* The ID value of a monotonic counter */
+typedef uint32_t TPM_REDIT_COMMAND; /* A command to execute */
+typedef uint32_t TPM_TRANSHANDLE; /* A transport session handle */
+//typedef uint32_t TPM_HANDLE; /* A generic handle could be key, transport etc. */
+typedef uint32_t TPM_FAMILY_OPERATION; /* What operation is happening */
+#ifdef TPM_VTPM
+typedef uint32_t TPM_INSTANCE_HANDLE; /* Handle to a virtual TPM instance */
+typedef uint32_t TPM_CREATION_MASK; /* TPM_CreateInstance creation mask */
+#endif
+
+/* Not in specification */
+
+typedef uint16_t TPM_TAG; /* The command and response tags */
+
+typedef unsigned char * TPM_SYMMETRIC_KEY_TOKEN; /* abstract symmetric key token */
+typedef unsigned char * TPM_BIGNUM; /* abstract bignum */
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tss.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tss.h
new file mode 100644
index 0000000..36816d6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tss.h
@@ -0,0 +1,112 @@
+/********************************************************************************/
+/* */
+/* TSS Primary API */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TSS_H
+#define TSS_H
+
+#include <ibmtss/TPM_Types.h>
+#include <ibmtss/Parameters.h>
+#include <ibmtss/Parameters12.h>
+
+/* include this as a convenience to applications */
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+
+typedef struct TSS_CONTEXT TSS_CONTEXT;
+
+#define TPM_TRACE_LEVEL 1
+#define TPM_DATA_DIR 2
+#define TPM_COMMAND_PORT 3
+#define TPM_PLATFORM_PORT 4
+#define TPM_SERVER_NAME 5
+#define TPM_INTERFACE_TYPE 6
+#define TPM_DEVICE 7
+#define TPM_ENCRYPT_SESSIONS 8
+#define TPM_SERVER_TYPE 9
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ /* extra parameters as required */
+
+ /* TPM 2.0 */
+
+ typedef struct {
+ const char *bindPassword;
+ TPM2B_DIGEST salt;
+ } StartAuthSession_Extra;
+
+ typedef union {
+ StartAuthSession_Extra StartAuthSession;
+ } EXTRA_PARAMETERS;
+
+ /* TPM 1.2 */
+
+ typedef struct {
+ const char *usagePassword;
+ } OSAP_Extra;
+
+ typedef union {
+ OSAP_Extra OSAP;
+ } EXTRA12_PARAMETERS;
+
+ LIB_EXPORT
+ TPM_RC TSS_Create(TSS_CONTEXT **tssContext);
+
+ LIB_EXPORT
+ TPM_RC TSS_Delete(TSS_CONTEXT *tssContext);
+
+ LIB_EXPORT
+ TPM_RC TSS_Execute(TSS_CONTEXT *tssContext,
+ RESPONSE_PARAMETERS *out,
+ COMMAND_PARAMETERS *in,
+ EXTRA_PARAMETERS *extra,
+ TPM_CC commandCode,
+ ...);
+
+ LIB_EXPORT
+ TPM_RC TSS_SetProperty(TSS_CONTEXT *tssContext,
+ int property,
+ const char *value);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsscrypto.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsscrypto.h
new file mode 100644
index 0000000..5bf5591
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsscrypto.h
@@ -0,0 +1,164 @@
+/********************************************************************************/
+/* */
+/* TSS Library Dependent Crypto Support */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is a semi-public header. The API should be stable, but is less guaranteed.
+
+ It is useful for applications that need some basic crypto functions.
+*/
+
+#ifndef TSSCRYPTO_H
+#define TSSCRYPTO_H
+
+#include <stdint.h>
+#include <stdio.h>
+
+#ifndef TPM_TSS_NORSA
+#include <openssl/rsa.h>
+#endif
+#ifndef TPM_TSS_NOECC
+#include <openssl/ec.h>
+#endif
+
+#include <ibmtss/tss.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ LIB_EXPORT
+ TPM_RC TSS_Crypto_Init(void);
+
+ LIB_EXPORT
+ TPM_RC TSS_Hash_Generate_valist(TPMT_HA *digest,
+ va_list ap);
+ LIB_EXPORT
+ TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest,
+ const TPM2B_KEY *hmacKey,
+ va_list ap);
+ LIB_EXPORT void TSS_XOR(unsigned char *out,
+ const unsigned char *in1,
+ const unsigned char *in2,
+ size_t length);
+ LIB_EXPORT
+ TPM_RC TSS_RandBytes(unsigned char *buffer, uint32_t size);
+
+ LIB_EXPORT
+ TPM_RC TSS_RSA_padding_add_PKCS1_OAEP(unsigned char *em, uint32_t emLen,
+ const unsigned char *from, uint32_t fLen,
+ const unsigned char *p,
+ int plen,
+ TPMI_ALG_HASH halg);
+#ifndef TPM_TSS_NORSA
+ LIB_EXPORT
+ void TSS_RsaFree(void *rsaKey);
+
+ LIB_EXPORT
+ TPM_RC TSS_RSAPublicEncrypt(unsigned char* encrypt_data,
+ size_t encrypt_data_size,
+ const unsigned char *decrypt_data,
+ size_t decrypt_data_size,
+ unsigned char *narr,
+ uint32_t nbytes,
+ unsigned char *earr,
+ uint32_t ebytes,
+ unsigned char *p,
+ int pl,
+ TPMI_ALG_HASH halg);
+ /*
+ deprecated OpenSSL specific functions
+ */
+#ifndef TPM_TSS_NO_OPENSSL
+
+ LIB_EXPORT
+ TPM_RC TSS_RsaNew(void **rsaKey);
+
+ LIB_EXPORT
+ TPM_RC TSS_RSAGeneratePublicToken(RSA **rsa_pub_key, /* freed by caller */
+ const unsigned char *narr, /* public modulus */
+ uint32_t nbytes,
+ const unsigned char *earr, /* public exponent */
+ uint32_t ebytes);
+#endif /* TPM_TSS_NO_OPENSSL */
+
+ /* crypto library independent */
+ LIB_EXPORT
+ TPM_RC TSS_RSAGeneratePublicTokenI(void **rsa_pub_key, /* freed by caller */
+ const unsigned char *narr, /* public modulus */
+ uint32_t nbytes,
+ const unsigned char *earr, /* public exponent */
+ uint32_t ebytes);
+
+#endif
+#ifndef TPM_TSS_NOECC
+ TPM_RC TSS_ECC_Salt(TPM2B_DIGEST *salt,
+ TPM2B_ENCRYPTED_SECRET *encryptedSalt,
+ TPMT_PUBLIC *publicArea);
+
+#endif
+ TPM_RC TSS_AES_GetEncKeySize(size_t *tssSessionEncKeySize);
+ TPM_RC TSS_AES_GetDecKeySize(size_t *tssSessionDecKeySize);
+ TPM_RC TSS_AES_KeyGenerate(void *tssSessionEncKey,
+ void *tssSessionDecKey);
+ TPM_RC TSS_AES_Encrypt(void *tssSessionEncKey,
+ unsigned char **encrypt_data,
+ uint32_t *encrypt_length,
+ const unsigned char *decrypt_data,
+ uint32_t decrypt_length);
+ TPM_RC TSS_AES_Decrypt(void *tssSessionDecKey,
+ unsigned char **decrypt_data,
+ uint32_t *decrypt_length,
+ const unsigned char *encrypt_data,
+ uint32_t encrypt_length);
+ TPM_RC TSS_AES_EncryptCFB(uint8_t *dOut,
+ uint32_t keySizeInBits,
+ uint8_t *key,
+ uint8_t *iv,
+ uint32_t dInSize,
+ uint8_t *dIn);
+ TPM_RC TSS_AES_DecryptCFB(uint8_t *dOut,
+ uint32_t keySizeInBits,
+ uint8_t *key,
+ uint8_t *iv,
+ uint32_t dInSize,
+ uint8_t *dIn);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsscryptoh.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsscryptoh.h
new file mode 100644
index 0000000..1628d77
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsscryptoh.h
@@ -0,0 +1,100 @@
+/********************************************************************************/
+/* */
+/* TSS Library Independent Crypto Support */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is a semi-public header. The API should be stable, but is less guaranteed.
+
+ It is useful for applications that need some basic crypto functions.
+*/
+
+#ifndef TSSCRYPTOH_H
+#define TSSCRYPTOH_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ LIB_EXPORT
+ uint16_t TSS_GetDigestBlockSize(TPM_ALG_ID hashAlg)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+
+ LIB_EXPORT
+ TPM_RC TSS_Hash_Generate(TPMT_HA *digest,
+ ...);
+
+ LIB_EXPORT
+ TPM_RC TSS_HMAC_Generate(TPMT_HA *digest,
+ const TPM2B_KEY *hmacKey,
+ ...);
+ LIB_EXPORT
+ TPM_RC TSS_HMAC_Verify(TPMT_HA *expect,
+ const TPM2B_KEY *hmacKey,
+ UINT32 sizeInBytes,
+ ...);
+ LIB_EXPORT
+ TPM_RC TSS_KDFA(uint8_t *keyStream,
+ TPM_ALG_ID hashAlg,
+ const TPM2B *key,
+ const char *label,
+ const TPM2B *contextU,
+ const TPM2B *contextV,
+ uint32_t sizeInBits);
+
+ LIB_EXPORT
+ TPM_RC TSS_KDFE(uint8_t *keyStream,
+ TPM_ALG_ID hashAlg,
+ const TPM2B *key,
+ const char *label,
+ const TPM2B *contextU,
+ const TPM2B *contextV,
+ uint32_t sizeInBits);
+
+ uint16_t TSS_Sym_GetBlockSize(TPM_ALG_ID symmetricAlg,
+ uint16_t keySizeInBits)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsserror.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsserror.h
new file mode 100644
index 0000000..a530744
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsserror.h
@@ -0,0 +1,115 @@
+/********************************************************************************/
+/* */
+/* TSS Error Codes */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is a public header. That defines TSS error codes.
+
+ tss.h includes it for convenience.
+*/
+
+#ifndef TSSERROR_H
+#define TSSERROR_H
+
+/* the base for these errors is 11 << 16 = 000bxxxx */
+
+#define TSS_RC_OUT_OF_MEMORY 0x000b0001 /* Out of memory,(malloc failed) */
+#define TSS_RC_ALLOC_INPUT 0x000b0002 /* The input to an allocation is not NULL */
+#define TSS_RC_MALLOC_SIZE 0x000b0003 /* The malloc size is too large or zero */
+#define TSS_RC_INSUFFICIENT_BUFFER 0x000b0004 /* A buffer was insufficient for a copy */
+#define TSS_RC_BAD_PROPERTY 0x000b0005 /* The property parameter is out of range */
+#define TSS_RC_BAD_PROPERTY_VALUE 0x000b0006 /* The property value is invalid */
+#define TSS_RC_INSUPPORTED_INTERFACE 0x000b0007 /* The TPM interface type is not supported */
+#define TSS_RC_NO_CONNECTION 0x000b0008 /* Failure connecting to lower layer */
+#define TSS_RC_BAD_CONNECTION 0x000b0009 /* Failure communicating with lower layer */
+#define TSS_RC_MALFORMED_RESPONSE 0x000b000a /* A response packet was fundamentally malformed */
+#define TSS_RC_NULL_PARAMETER 0x000b000b /* A required parameter was NULL */
+#define TSS_RC_NOT_IMPLEMENTED 0x000b000c /* TSS function is not implemented */
+#define TSS_RC_BAD_READ_VALUE 0x000b000d /* Actual read value different from expected */
+#define TSS_RC_FILE_OPEN 0x000b0010 /* The file could not be opened */
+#define TSS_RC_FILE_SEEK 0x000b0011 /* A file seek failed */
+#define TSS_RC_FILE_FTELL 0x000b0012 /* A file ftell failed */
+#define TSS_RC_FILE_READ 0x000b0013 /* A file read failed */
+#define TSS_RC_FILE_CLOSE 0x000b0014 /* A file close failed */
+#define TSS_RC_FILE_WRITE 0x000b0015 /* A file write failed */
+#define TSS_RC_FILE_REMOVE 0x000b0016 /* A file remove failed */
+#define TSS_RC_RNG_FAILURE 0x000b0020 /* Random number generator failed */
+#define TSS_RC_BAD_PWAP_NONCE 0x000b0030 /* Bad PWAP response nonce */
+#define TSS_RC_BAD_PWAP_ATTRIBUTES 0x000b0031 /* Bad PWAP response attributes */
+#define TSS_RC_BAD_PWAP_HMAC 0x000b0032 /* Bad PWAP response HMAC */
+#define TSS_RC_NAME_NOT_IMPLEMENTED 0x000b0040 /* Name calculation not implemented for handle type */
+#define TSS_RC_MALFORMED_NV_PUBLIC 0x000b0041 /* The NV public structure does not match the name */
+#define TSS_RC_NAME_FILENAME 0x000b0042 /* The name filename function has inconsistent arguments */
+#define TSS_RC_MALFORMED_PUBLIC 0x000b0043 /* The public structure does not match the name */
+#define TSS_RC_DECRYPT_SESSIONS 0x000b0050 /* More than one command decrypt session */
+#define TSS_RC_ENCRYPT_SESSIONS 0x000b0051 /* More than one response encrypt session */
+#define TSS_RC_NO_DECRYPT_PARAMETER 0x000b0052 /* Command has no decrypt parameter */
+#define TSS_RC_NO_ENCRYPT_PARAMETER 0x000b0053 /* Response has no encrypt parameter */
+#define TSS_RC_BAD_DECRYPT_ALGORITHM 0x000b0054 /* Session had an unimplemented decrypt symmetric algorithm */
+#define TSS_RC_BAD_ENCRYPT_ALGORITHM 0x000b0055 /* Session had an unimplemented encrypt symmetric algorithm */
+#define TSS_RC_AES_ENCRYPT_FAILURE 0x000b0056 /* AES encryption failed */
+#define TSS_RC_AES_DECRYPT_FAILURE 0x000b0057 /* AES decryption failed */
+#define TSS_RC_BAD_ENCRYPT_SIZE 0x000b0058 /* Parameter encryption size mismatch */
+#define TSS_RC_AES_KEYGEN_FAILURE 0x000b0059 /* AES key generation failed */
+#define TSS_RC_SESSION_NUMBER 0x000b005a /* session number out of range */
+#define TSS_RC_BAD_SALT_KEY 0x000b0060 /* tpmKey is unsuitable for salt */
+#define TSS_RC_KDFA_FAILED 0x000b0070 /* KDFa function failed */
+#define TSS_RC_HMAC 0x000b0071 /* An HMAC calculation failed */
+#define TSS_RC_HMAC_SIZE 0x000b0072 /* Response HMAC is the wrong size */
+#define TSS_RC_HMAC_VERIFY 0x000b0073 /* HMAC does not verify */
+#define TSS_RC_BAD_HASH_ALGORITHM 0x000b0074 /* Unimplemented hash algorithm */
+#define TSS_RC_HASH 0x000b0075 /* A hash calculation failed */
+#define TSS_RC_RSA_KEY_CONVERT 0x000b0076 /* RSA key conversion failed */
+#define TSS_RC_RSA_PADDING 0x000b0077 /* RSA add padding failed */
+#define TSS_RC_RSA_ENCRYPT 0x000b0078 /* RSA public encrypt failed */
+#define TSS_RC_BIGNUM 0x000b0079 /* BIGNUM operation failed */
+#define TSS_RC_RSA_SIGNATURE 0x000b007a /* RSA signature is bad */
+#define TSS_RC_EC_SIGNATURE 0x000b007b /* EC signature is bad */
+#define TSS_RC_EC_KEY_CONVERT 0x000b007c /* EC key conversion failed */
+#define TSS_RC_BAD_SIGNATURE_ALGORITHM 0x000b007d /* Unimplemented signature algorithm */
+#define TSS_RC_X509_ERROR 0x000b007e /* X509 parse error */
+#define TSS_RC_PEM_ERROR 0x000b007f /* PEM parse error */
+#define TSS_RC_COMMAND_UNIMPLEMENTED 0x000b0080 /* Unimplemented command */
+#define TSS_RC_IN_PARAMETER 0x000b0081 /* Bad in parameter to TSS_Execute */
+#define TSS_RC_OUT_PARAMETER 0x000b0082 /* Bad out parameter to TSS_Execute */
+#define TSS_RC_BAD_HANDLE_NUMBER 0x000b0083 /* Bad handle number for this command */
+#define TSS_RC_KDFE_FAILED 0x000b0084 /* KDFe function failed */
+#define TSS_RC_EC_EPHEMERAL_FAILURE 0x000b0085 /* Failed while making or using EC ephemeral key */
+#define TSS_RC_FAIL 0x000b0086 /* TSS internal failure */
+#define TSS_RC_NO_SESSION_SLOT 0x000b0090 /* TSS context has no session slot for handle */
+#define TSS_RC_NO_OBJECTPUBLIC_SLOT 0x000b0091 /* TSS context has no object public slot for handle */
+#define TSS_RC_NO_NVPUBLIC_SLOT 0x000b0092 /* TSS context has no NV public slot for handle */
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsserror12.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsserror12.h
new file mode 100644
index 0000000..46d2e3f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsserror12.h
@@ -0,0 +1,248 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 Error Response */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2006, 2010. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TPM_ERROR_H
+#define TPM_ERROR_H
+
+/* 16. Return codes rev 99
+
+ The TPM has five types of return code. One indicates successful operation and four indicate
+ failure. TPM_SUCCESS (00000000) indicates successful execution. The failure reports are:
+ TPM defined fatal errors (00000001 to 000003FF), vendor defined fatal errors (00000400 to
+ 000007FF), TPM defined non-fatal errors (00000800 to 00000BFF), and vendor defined
+ non-fatal errors (00000C00 to 00000FFF).
+
+ The range of vendor defined non-fatal errors was determined by the TSS-WG, which defined
+ XXXX YCCC with XXXX as OS specific and Y defining the TSS SW stack layer (0: TPM layer)
+
+ All failure cases return only a non-authenticated fixed set of information. This is because
+ the failure may have been due to authentication or other factors, and there is no possibility
+ of producing an authenticated response.
+
+ Fatal errors also terminate any authorization sessions. This is a result of returning only the
+ error code, as there is no way to return the nonces necessary to maintain an authorization
+ session. Non-fatal errors do not terminate authorization sessions.
+
+ The return code MUST use the following base. The return code MAY be TCG defined or vendor
+ defined. */
+
+#define TPM_BASE 0x0 /* The start of TPM return codes */
+#define TPM_SUCCESS TPM_BASE /* Successful completion of the operation */
+#define TPM_VENDOR_ERROR TPM_Vendor_Specific32 /* Mask to indicate that the error code is
+ vendor specific for vendor specific
+ commands. */
+#define TPM_NON_FATAL 0x00000800 /* Mask to indicate that the error code is a non-fatal
+ failure. */
+
+/* TPM-defined fatal error codes */
+
+#define TPM_AUTHFAIL TPM_BASE + 1 /* Authentication failed */
+#define TPM_BADINDEX TPM_BASE + 2 /* The index to a PCR, DIR or other register is
+ incorrect */
+#define TPM_BAD_PARAMETER TPM_BASE + 3 /* One or more parameter is bad */
+#define TPM_AUDITFAILURE TPM_BASE + 4 /* An operation completed successfully but the auditing
+ of that operation failed. */
+#define TPM_CLEAR_DISABLED TPM_BASE + 5 /* The clear disable flag is set and all clear
+ operations now require physical access */
+#define TPM_DEACTIVATED TPM_BASE + 6 /* The TPM is deactivated */
+#define TPM_DISABLED TPM_BASE + 7 /* The TPM is disabled */
+#define TPM_DISABLED_CMD TPM_BASE + 8 /* The target command has been disabled */
+#define TPM_FAIL TPM_BASE + 9 /* The operation failed */
+#define TPM_BAD_ORDINAL TPM_BASE + 10 /* The ordinal was unknown or inconsistent */
+#define TPM_INSTALL_DISABLED TPM_BASE + 11 /* The ability to install an owner is disabled */
+#define TPM_INVALID_KEYHANDLE TPM_BASE + 12 /* The key handle presented was invalid */
+#define TPM_KEYNOTFOUND TPM_BASE + 13 /* The target key was not found */
+#define TPM_INAPPROPRIATE_ENC TPM_BASE + 14 /* Unacceptable encryption scheme */
+#define TPM_MIGRATEFAIL TPM_BASE + 15 /* Migration authorization failed */
+#define TPM_INVALID_PCR_INFO TPM_BASE + 16 /* PCR information could not be interpreted */
+#define TPM_NOSPACE TPM_BASE + 17 /* No room to load key. */
+#define TPM_NOSRK TPM_BASE + 18 /* There is no SRK set */
+#define TPM_NOTSEALED_BLOB TPM_BASE + 19 /* An encrypted blob is invalid or was not created by
+ this TPM */
+#define TPM_OWNER_SET TPM_BASE + 20 /* There is already an Owner */
+#define TPM_RESOURCES TPM_BASE + 21 /* The TPM has insufficient internal resources to
+ perform the requested action. */
+#define TPM_SHORTRANDOM TPM_BASE + 22 /* A random string was too short */
+#define TPM_SIZE TPM_BASE + 23 /* The TPM does not have the space to perform the
+ operation. */
+#define TPM_WRONGPCRVAL TPM_BASE + 24 /* The named PCR value does not match the current PCR
+ value. */
+#define TPM_BAD_PARAM_SIZE TPM_BASE + 25 /* The paramSize argument to the command has the
+ incorrect value */
+#define TPM_SHA_THREAD TPM_BASE + 26 /* There is no existing SHA-1 thread. */
+#define TPM_SHA_ERROR TPM_BASE + 27 /* The calculation is unable to proceed because the
+ existing SHA-1 thread has already encountered an
+ error. */
+#define TPM_FAILEDSELFTEST TPM_BASE + 28 /* Self-test has failed and the TPM has shutdown. */
+#define TPM_AUTH2FAIL TPM_BASE + 29 /* The authorization for the second key in a 2 key
+ function failed authorization */
+#define TPM_BADTAG TPM_BASE + 30 /* The tag value sent to for a command is invalid */
+#define TPM_IOERROR TPM_BASE + 31 /* An IO error occurred transmitting information to
+ the TPM */
+#define TPM_ENCRYPT_ERROR TPM_BASE + 32 /* The encryption process had a problem. */
+#define TPM_DECRYPT_ERROR TPM_BASE + 33 /* The decryption process did not complete. */
+#define TPM_INVALID_AUTHHANDLE TPM_BASE + 34 /* An invalid handle was used. */
+#define TPM_NO_ENDORSEMENT TPM_BASE + 35 /* The TPM does not a EK installed */
+#define TPM_INVALID_KEYUSAGE TPM_BASE + 36 /* The usage of a key is not allowed */
+#define TPM_WRONG_ENTITYTYPE TPM_BASE + 37 /* The submitted entity type is not allowed */
+#define TPM_INVALID_POSTINIT TPM_BASE + 38 /* The command was received in the wrong sequence
+ relative to TPM_Init and a subsequent TPM_Startup
+ */
+#define TPM_INAPPROPRIATE_SIG TPM_BASE + 39 /* Signed data cannot include additional DER
+ information */
+#define TPM_BAD_KEY_PROPERTY TPM_BASE + 40 /* The key properties in TPM_KEY_PARMs are not
+ supported by this TPM */
+#define TPM_BAD_MIGRATION TPM_BASE + 41 /* The migration properties of this key are incorrect.
+ */
+#define TPM_BAD_SCHEME TPM_BASE + 42 /* The signature or encryption scheme for this key is
+ incorrect or not permitted in this situation. */
+#define TPM_BAD_DATASIZE TPM_BASE + 43 /* The size of the data (or blob) parameter is bad or
+ inconsistent with the referenced key */
+#define TPM_BAD_MODE TPM_BASE + 44 /* A mode parameter is bad, such as capArea or
+ subCapArea for TPM_GetCapability, physicalPresence
+ parameter for TPM_PhysicalPresence, or
+ migrationType for TPM_CreateMigrationBlob. */
+#define TPM_BAD_PRESENCE TPM_BASE + 45 /* Either the physicalPresence or physicalPresenceLock
+ bits have the wrong value */
+#define TPM_BAD_VERSION TPM_BASE + 46 /* The TPM cannot perform this version of the
+ capability */
+#define TPM_NO_WRAP_TRANSPORT TPM_BASE + 47 /* The TPM does not allow for wrapped transport
+ sessions */
+#define TPM_AUDITFAIL_UNSUCCESSFUL TPM_BASE + 48 /* TPM audit construction failed and the
+ underlying command was returning a failure
+ code also */
+#define TPM_AUDITFAIL_SUCCESSFUL TPM_BASE + 49 /* TPM audit construction failed and the underlying
+ command was returning success */
+#define TPM_NOTRESETABLE TPM_BASE + 50 /* Attempt to reset a PCR register that does not have
+ the resettable attribute */
+#define TPM_NOTLOCAL TPM_BASE + 51 /* Attempt to reset a PCR register that requires
+ locality and locality modifier not part of command
+ transport */
+#define TPM_BAD_TYPE TPM_BASE + 52 /* Make identity blob not properly typed */
+#define TPM_INVALID_RESOURCE TPM_BASE + 53 /* When saving context identified resource type does
+ not match actual resource */
+#define TPM_NOTFIPS TPM_BASE + 54 /* The TPM is attempting to execute a command only
+ available when in FIPS mode */
+#define TPM_INVALID_FAMILY TPM_BASE + 55 /* The command is attempting to use an invalid family
+ ID */
+#define TPM_NO_NV_PERMISSION TPM_BASE + 56 /* The permission to manipulate the NV storage is not
+ available */
+#define TPM_REQUIRES_SIGN TPM_BASE + 57 /* The operation requires a signed command */
+#define TPM_KEY_NOTSUPPORTED TPM_BASE + 58 /* Wrong operation to load an NV key */
+#define TPM_AUTH_CONFLICT TPM_BASE + 59 /* NV_LoadKey blob requires both owner and blob
+ authorization */
+#define TPM_AREA_LOCKED TPM_BASE + 60 /* The NV area is locked and not writable */
+#define TPM_BAD_LOCALITY TPM_BASE + 61 /* The locality is incorrect for the attempted
+ operation */
+#define TPM_READ_ONLY TPM_BASE + 62 /* The NV area is read only and can't be written to
+ */
+#define TPM_PER_NOWRITE TPM_BASE + 63 /* There is no protection on the write to the NV area
+ */
+#define TPM_FAMILYCOUNT TPM_BASE + 64 /* The family count value does not match */
+#define TPM_WRITE_LOCKED TPM_BASE + 65 /* The NV area has already been written to */
+#define TPM_BAD_ATTRIBUTES TPM_BASE + 66 /* The NV area attributes conflict */
+#define TPM_INVALID_STRUCTURE TPM_BASE + 67 /* The structure tag and version are invalid or
+ inconsistent */
+#define TPM_KEY_OWNER_CONTROL TPM_BASE + 68 /* The key is under control of the TPM Owner and can
+ only be evicted by the TPM Owner. */
+#define TPM_BAD_COUNTER TPM_BASE + 69 /* The counter handle is incorrect */
+#define TPM_NOT_FULLWRITE TPM_BASE + 70 /* The write is not a complete write of the area */
+#define TPM_CONTEXT_GAP TPM_BASE + 71 /* The gap between saved context counts is too large
+ */
+#define TPM_MAXNVWRITES TPM_BASE + 72 /* The maximum number of NV writes without an owner
+ has been exceeded */
+#define TPM_NOOPERATOR TPM_BASE + 73 /* No operator authorization value is set */
+#define TPM_RESOURCEMISSING TPM_BASE + 74 /* The resource pointed to by context is not loaded
+ */
+#define TPM_DELEGATE_LOCK TPM_BASE + 75 /* The delegate administration is locked */
+#define TPM_DELEGATE_FAMILY TPM_BASE + 76 /* Attempt to manage a family other then the delegated
+ family */
+#define TPM_DELEGATE_ADMIN TPM_BASE + 77 /* Delegation table management not enabled */
+#define TPM_TRANSPORT_NOTEXCLUSIVE TPM_BASE + 78 /* There was a command executed outside of an
+ exclusive transport session */
+#define TPM_OWNER_CONTROL TPM_BASE + 79 /* Attempt to context save a owner evict controlled
+ key */
+#define TPM_DAA_RESOURCES TPM_BASE + 80 /* The DAA command has no resources available to
+ execute the command */
+#define TPM_DAA_INPUT_DATA0 TPM_BASE + 81 /* The consistency check on DAA parameter inputData0
+ has failed. */
+#define TPM_DAA_INPUT_DATA1 TPM_BASE + 82 /* The consistency check on DAA parameter inputData1
+ has failed. */
+#define TPM_DAA_ISSUER_SETTINGS TPM_BASE + 83 /* The consistency check on DAA_issuerSettings has
+ failed. */
+#define TPM_DAA_TPM_SETTINGS TPM_BASE + 84 /* The consistency check on DAA_tpmSpecific has
+ failed. */
+#define TPM_DAA_STAGE TPM_BASE + 85 /* The atomic process indicated by the submitted DAA
+ command is not the expected process. */
+#define TPM_DAA_ISSUER_VALIDITY TPM_BASE + 86 /* The issuer's validity check has detected an
+ inconsistency */
+#define TPM_DAA_WRONG_W TPM_BASE + 87 /* The consistency check on w has failed. */
+#define TPM_BAD_HANDLE TPM_BASE + 88 /* The handle is incorrect */
+#define TPM_BAD_DELEGATE TPM_BASE + 89 /* Delegation is not correct */
+#define TPM_BADCONTEXT TPM_BASE + 90 /* The context blob is invalid */
+#define TPM_TOOMANYCONTEXTS TPM_BASE + 91 /* Too many contexts held by the TPM */
+#define TPM_MA_TICKET_SIGNATURE TPM_BASE + 92 /* Migration authority signature validation failure
+ */
+#define TPM_MA_DESTINATION TPM_BASE + 93 /* Migration destination not authenticated */
+#define TPM_MA_SOURCE TPM_BASE + 94 /* Migration source incorrect */
+#define TPM_MA_AUTHORITY TPM_BASE + 95 /* Incorrect migration authority */
+#define TPM_PERMANENTEK TPM_BASE + 97 /* Attempt to revoke the EK and the EK is not revocable */
+#define TPM_BAD_SIGNATURE TPM_BASE + 98 /* Bad signature of CMK ticket */
+#define TPM_NOCONTEXTSPACE TPM_BASE + 99 /* There is no room in the context list for additional
+ contexts */
+
+/* As error codes are added here, they should also be added to lib/miscfunc.c */
+
+/* TPM-defined non-fatal errors */
+
+#define TPM_RETRY TPM_BASE + TPM_NON_FATAL /* The TPM is too busy to respond to the
+ command immediately, but the command
+ could be submitted at a later time */
+#define TPM_NEEDS_SELFTEST TPM_BASE + TPM_NON_FATAL + 1 /* TPM_ContinueSelfTest has has not
+ been run*/
+#define TPM_DOING_SELFTEST TPM_BASE + TPM_NON_FATAL + 2 /* The TPM is currently executing the
+ actions of TPM_ContinueSelfTest
+ because the ordinal required
+ resources that have not been
+ tested. */
+#define TPM_DEFEND_LOCK_RUNNING TPM_BASE + TPM_NON_FATAL + 3
+ /* The TPM is defending against dictionary
+ attacks and is in some time-out
+ period. */
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssfile.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssfile.h
new file mode 100644
index 0000000..a75a4ed
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssfile.h
@@ -0,0 +1,95 @@
+/********************************************************************************/
+/* */
+/* TSS and Application File Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssfile.h 1324 2018-08-31 16:36:12Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015, 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is a semi-public header. The API is subject to change.
+
+ It is useful rapid application development, and as sample code. It is risky for production code.
+
+*/
+
+#ifndef TSSFILE_H
+#define TSSFILE_H
+
+#include <stdio.h>
+
+#include <ibmtss/TPM_Types.h>
+#include <ibmtss/tssutils.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ LIB_EXPORT
+ int TSS_File_Open(FILE **file,
+ const char *filename,
+ const char* mode);
+ LIB_EXPORT
+ TPM_RC TSS_File_ReadBinaryFile(unsigned char **data,
+ size_t *length,
+ const char *filename);
+ LIB_EXPORT
+ TPM_RC TSS_File_WriteBinaryFile(const unsigned char *data,
+ size_t length,
+ const char *filename);
+
+ LIB_EXPORT
+ TPM_RC TSS_File_ReadStructure(void *structure,
+ UnmarshalFunction_t unmarshalFunction,
+ const char *filename);
+ LIB_EXPORT
+ TPM_RC TSS_File_ReadStructureFlag(void *structure,
+ UnmarshalFunctionFlag_t unmarshalFunction,
+ BOOL allowNull,
+ const char *filename);
+ LIB_EXPORT
+ TPM_RC TSS_File_WriteStructure(void *structure,
+ MarshalFunction_t marshalFunction,
+ const char *filename);
+ LIB_EXPORT
+ TPM_RC TSS_File_Read2B(TPM2B *tpm2b,
+ uint16_t targetSize,
+ const char *filename);
+ LIB_EXPORT
+ TPM_RC TSS_File_DeleteFile(const char *filename);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssmarshal.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssmarshal.h
new file mode 100644
index 0000000..52227a8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssmarshal.h
@@ -0,0 +1,1628 @@
+/********************************************************************************/
+/* */
+/* TSS Marshal and Unmarshal */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is a semi-public header. The API should be stable, but is less guaranteed.
+
+ It is useful for applications that have to marshal / unmarshal
+ structures for file save / load.
+*/
+
+#ifndef TSSMARSHAL_H
+#define TSSMARSHAL_H
+
+#include "BaseTypes.h"
+#include <ibmtss/TPM_Types.h>
+
+#include "ActivateCredential_fp.h"
+#include "CertifyCreation_fp.h"
+#include "CertifyX509_fp.h"
+#include "Certify_fp.h"
+#include "ChangeEPS_fp.h"
+#include "ChangePPS_fp.h"
+#include "ClearControl_fp.h"
+#include "Clear_fp.h"
+#include "ClockRateAdjust_fp.h"
+#include "ClockSet_fp.h"
+#include "Commit_fp.h"
+#include "Commit_fp.h"
+#include "ContextLoad_fp.h"
+#include "ContextSave_fp.h"
+#include "CreatePrimary_fp.h"
+#include "Create_fp.h"
+#include "CreateLoaded_fp.h"
+#include "DictionaryAttackLockReset_fp.h"
+#include "DictionaryAttackParameters_fp.h"
+#include "Duplicate_fp.h"
+#include "ECC_Parameters_fp.h"
+#include "ECDH_KeyGen_fp.h"
+#include "ECDH_ZGen_fp.h"
+#include "EC_Ephemeral_fp.h"
+#include "EncryptDecrypt_fp.h"
+#include "EncryptDecrypt2_fp.h"
+#include "EventSequenceComplete_fp.h"
+#include "EvictControl_fp.h"
+#include "FlushContext_fp.h"
+#include "GetCapability_fp.h"
+#include "GetCommandAuditDigest_fp.h"
+#include "GetRandom_fp.h"
+#include "GetSessionAuditDigest_fp.h"
+#include "GetTestResult_fp.h"
+#include "GetTime_fp.h"
+#include "HMAC_Start_fp.h"
+#include "HMAC_fp.h"
+#include "HashSequenceStart_fp.h"
+#include "Hash_fp.h"
+#include "HierarchyChangeAuth_fp.h"
+#include "HierarchyControl_fp.h"
+#include "Import_fp.h"
+#include "IncrementalSelfTest_fp.h"
+#include "LoadExternal_fp.h"
+#include "Load_fp.h"
+#include "MakeCredential_fp.h"
+#include "NV_Certify_fp.h"
+#include "NV_ChangeAuth_fp.h"
+#include "NV_DefineSpace_fp.h"
+#include "NV_Extend_fp.h"
+#include "NV_GlobalWriteLock_fp.h"
+#include "NV_Increment_fp.h"
+#include "NV_ReadLock_fp.h"
+#include "NV_ReadPublic_fp.h"
+#include "NV_Read_fp.h"
+#include "NV_SetBits_fp.h"
+#include "NV_UndefineSpaceSpecial_fp.h"
+#include "NV_UndefineSpace_fp.h"
+#include "NV_WriteLock_fp.h"
+#include "NV_Write_fp.h"
+#include "ObjectChangeAuth_fp.h"
+#include "PCR_Allocate_fp.h"
+#include "PCR_Event_fp.h"
+#include "PCR_Extend_fp.h"
+#include "PCR_Read_fp.h"
+#include "PCR_Reset_fp.h"
+#include "PCR_SetAuthPolicy_fp.h"
+#include "PCR_SetAuthValue_fp.h"
+#include "PP_Commands_fp.h"
+#include "PolicyAuthValue_fp.h"
+#include "PolicyAuthorize_fp.h"
+#include "PolicyAuthorizeNV_fp.h"
+#include "PolicyCommandCode_fp.h"
+#include "PolicyCounterTimer_fp.h"
+#include "PolicyCpHash_fp.h"
+#include "PolicyDuplicationSelect_fp.h"
+#include "PolicyGetDigest_fp.h"
+#include "PolicyLocality_fp.h"
+#include "PolicyNV_fp.h"
+#include "PolicyAuthorizeNV_fp.h"
+#include "PolicyNvWritten_fp.h"
+#include "PolicyNameHash_fp.h"
+#include "PolicyOR_fp.h"
+#include "PolicyPCR_fp.h"
+#include "PolicyPassword_fp.h"
+#include "PolicyPhysicalPresence_fp.h"
+#include "PolicyRestart_fp.h"
+#include "PolicySecret_fp.h"
+#include "PolicySigned_fp.h"
+#include "PolicyTemplate_fp.h"
+#include "PolicyTicket_fp.h"
+#include "Quote_fp.h"
+#include "RSA_Decrypt_fp.h"
+#include "RSA_Encrypt_fp.h"
+#include "ReadClock_fp.h"
+#include "ReadPublic_fp.h"
+#include "Rewrap_fp.h"
+#include "SelfTest_fp.h"
+#include "SequenceComplete_fp.h"
+#include "SequenceUpdate_fp.h"
+#include "SetAlgorithmSet_fp.h"
+#include "SetCommandCodeAuditStatus_fp.h"
+#include "SetPrimaryPolicy_fp.h"
+#include "Shutdown_fp.h"
+#include "Sign_fp.h"
+#include "StartAuthSession_fp.h"
+#include "Startup_fp.h"
+#include "StirRandom_fp.h"
+#include "TestParms_fp.h"
+#include "Unseal_fp.h"
+#include "VerifySignature_fp.h"
+#include "ZGen_2Phase_fp.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ /* Recommended functions */
+
+ TPM_RC
+ TSS_Startup_In_Marshalu(const Startup_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Shutdown_In_Marshalu(const Shutdown_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_SelfTest_In_Marshalu(const SelfTest_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_IncrementalSelfTest_In_Marshalu(const IncrementalSelfTest_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_StartAuthSession_In_Marshalu(const StartAuthSession_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyRestart_In_Marshalu(const PolicyRestart_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Create_In_Marshalu(const Create_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Load_In_Marshalu(const Load_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_LoadExternal_In_Marshalu(const LoadExternal_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ReadPublic_In_Marshalu(const ReadPublic_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ActivateCredential_In_Marshalu(const ActivateCredential_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_MakeCredential_In_Marshalu(const MakeCredential_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Unseal_In_Marshalu(const Unseal_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ObjectChangeAuth_In_Marshalu(const ObjectChangeAuth_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CreateLoaded_In_Marshalu(const CreateLoaded_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Duplicate_In_Marshalu(const Duplicate_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Rewrap_In_Marshalu(const Rewrap_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Import_In_Marshalu(const Import_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_RSA_Encrypt_In_Marshalu(const RSA_Encrypt_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_RSA_Decrypt_In_Marshalu(const RSA_Decrypt_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ECDH_KeyGen_In_Marshalu(const ECDH_KeyGen_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ECDH_ZGen_In_Marshalu(const ECDH_ZGen_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ECC_Parameters_In_Marshalu(const ECC_Parameters_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ZGen_2Phase_In_Marshalu(const ZGen_2Phase_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_EncryptDecrypt_In_Marshalu(const EncryptDecrypt_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_EncryptDecrypt2_In_Marshalu(const EncryptDecrypt2_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Hash_In_Marshalu(const Hash_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_HMAC_In_Marshalu(const HMAC_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetRandom_In_Marshalu(const GetRandom_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_StirRandom_In_Marshalu(const StirRandom_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_HMAC_Start_In_Marshalu(const HMAC_Start_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_HashSequenceStart_In_Marshalu(const HashSequenceStart_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_SequenceUpdate_In_Marshalu(const SequenceUpdate_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_SequenceComplete_In_Marshalu(const SequenceComplete_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_EventSequenceComplete_In_Marshalu(const EventSequenceComplete_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Certify_In_Marshalu(const Certify_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CertifyCreation_In_Marshalu(const CertifyCreation_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CertifyX509_In_Marshalu(const CertifyX509_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Quote_In_Marshalu(const Quote_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetSessionAuditDigest_In_Marshalu(const GetSessionAuditDigest_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetCommandAuditDigest_In_Marshalu(const GetCommandAuditDigest_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetTime_In_Marshalu(const GetTime_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Commit_In_Marshalu(const Commit_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_EC_Ephemeral_In_Marshalu(const EC_Ephemeral_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_VerifySignature_In_Marshalu(const VerifySignature_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Sign_In_Marshalu(const Sign_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_SetCommandCodeAuditStatus_In_Marshalu(const SetCommandCodeAuditStatus_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PCR_Extend_In_Marshalu(const PCR_Extend_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PCR_Event_In_Marshalu(const PCR_Event_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PCR_Read_In_Marshalu(const PCR_Read_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PCR_Allocate_In_Marshalu(const PCR_Allocate_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PCR_SetAuthPolicy_In_Marshalu(const PCR_SetAuthPolicy_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PCR_SetAuthValue_In_Marshalu(const PCR_SetAuthValue_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PCR_Reset_In_Marshalu(const PCR_Reset_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicySigned_In_Marshalu(const PolicySigned_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicySecret_In_Marshalu(const PolicySecret_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyTicket_In_Marshalu(const PolicyTicket_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyOR_In_Marshalu(const PolicyOR_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyPCR_In_Marshalu(const PolicyPCR_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyLocality_In_Marshalu(const PolicyLocality_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyNV_In_Marshalu(const PolicyNV_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyAuthorizeNV_In_Marshalu(const PolicyAuthorizeNV_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyCounterTimer_In_Marshalu(const PolicyCounterTimer_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyCommandCode_In_Marshalu(const PolicyCommandCode_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyPhysicalPresence_In_Marshalu(const PolicyPhysicalPresence_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyCpHash_In_Marshalu(const PolicyCpHash_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyNameHash_In_Marshalu(const PolicyNameHash_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyDuplicationSelect_In_Marshalu(const PolicyDuplicationSelect_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyAuthorize_In_Marshalu(const PolicyAuthorize_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyAuthValue_In_Marshalu(const PolicyAuthValue_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyPassword_In_Marshalu(const PolicyPassword_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyGetDigest_In_Marshalu(const PolicyGetDigest_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyNvWritten_In_Marshalu(const PolicyNvWritten_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyTemplate_In_Marshalu(const PolicyTemplate_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CreatePrimary_In_Marshalu(const CreatePrimary_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_HierarchyControl_In_Marshalu(const HierarchyControl_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_SetPrimaryPolicy_In_Marshalu(const SetPrimaryPolicy_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ChangePPS_In_Marshalu(const ChangePPS_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ChangeEPS_In_Marshalu(const ChangeEPS_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Clear_In_Marshalu(const Clear_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ClearControl_In_Marshalu(const ClearControl_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_HierarchyChangeAuth_In_Marshalu(const HierarchyChangeAuth_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_DictionaryAttackLockReset_In_Marshalu(const DictionaryAttackLockReset_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_DictionaryAttackParameters_In_Marshalu(const DictionaryAttackParameters_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PP_Commands_In_Marshalu(const PP_Commands_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_SetAlgorithmSet_In_Marshalu(const SetAlgorithmSet_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ContextSave_In_Marshalu(const ContextSave_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ContextLoad_In_Marshalu(const ContextLoad_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_FlushContext_In_Marshalu(const FlushContext_In *source, UINT16 *written, BYTE **buffer, uint32_t *size) ;
+ TPM_RC
+ TSS_EvictControl_In_Marshalu(const EvictControl_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ClockSet_In_Marshalu(const ClockSet_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ClockRateAdjust_In_Marshalu(const ClockRateAdjust_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetCapability_In_Marshalu(const GetCapability_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TestParms_In_Marshalu(const TestParms_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_DefineSpace_In_Marshalu(const NV_DefineSpace_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_UndefineSpace_In_Marshalu(const NV_UndefineSpace_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_UndefineSpaceSpecial_In_Marshalu(const NV_UndefineSpaceSpecial_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_ReadPublic_In_Marshalu(const NV_ReadPublic_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_Write_In_Marshalu(const NV_Write_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_Increment_In_Marshalu(const NV_Increment_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_Extend_In_Marshalu(const NV_Extend_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_SetBits_In_Marshalu(const NV_SetBits_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_WriteLock_In_Marshalu(const NV_WriteLock_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_GlobalWriteLock_In_Marshalu(const NV_GlobalWriteLock_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_Read_In_Marshalu(const NV_Read_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_ReadLock_In_Marshalu(const NV_ReadLock_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_ChangeAuth_In_Marshalu(const NV_ChangeAuth_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_Certify_In_Marshalu(const NV_Certify_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+
+ /* Deprecated functions */
+
+ TPM_RC
+ TSS_Startup_In_Marshal(const Startup_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Shutdown_In_Marshal(const Shutdown_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_SelfTest_In_Marshal(const SelfTest_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_IncrementalSelfTest_In_Marshal(const IncrementalSelfTest_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_StartAuthSession_In_Marshal(const StartAuthSession_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyRestart_In_Marshal(const PolicyRestart_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Create_In_Marshal(const Create_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Load_In_Marshal(const Load_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_LoadExternal_In_Marshal(const LoadExternal_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ReadPublic_In_Marshal(const ReadPublic_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ActivateCredential_In_Marshal(const ActivateCredential_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_MakeCredential_In_Marshal(const MakeCredential_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Unseal_In_Marshal(const Unseal_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ObjectChangeAuth_In_Marshal(const ObjectChangeAuth_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_CreateLoaded_In_Marshal(const CreateLoaded_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Duplicate_In_Marshal(const Duplicate_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Rewrap_In_Marshal(const Rewrap_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Import_In_Marshal(const Import_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_RSA_Encrypt_In_Marshal(const RSA_Encrypt_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_RSA_Decrypt_In_Marshal(const RSA_Decrypt_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ECDH_KeyGen_In_Marshal(const ECDH_KeyGen_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ECDH_ZGen_In_Marshal(const ECDH_ZGen_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ECC_Parameters_In_Marshal(const ECC_Parameters_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ZGen_2Phase_In_Marshal(const ZGen_2Phase_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_EncryptDecrypt_In_Marshal(const EncryptDecrypt_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_EncryptDecrypt2_In_Marshal(const EncryptDecrypt2_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Hash_In_Marshal(const Hash_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_HMAC_In_Marshal(const HMAC_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_GetRandom_In_Marshal(const GetRandom_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_StirRandom_In_Marshal(const StirRandom_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_HMAC_Start_In_Marshal(const HMAC_Start_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_HashSequenceStart_In_Marshal(const HashSequenceStart_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_SequenceUpdate_In_Marshal(const SequenceUpdate_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_SequenceComplete_In_Marshal(const SequenceComplete_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_EventSequenceComplete_In_Marshal(const EventSequenceComplete_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Certify_In_Marshal(const Certify_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_CertifyCreation_In_Marshal(const CertifyCreation_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_CertifyX509_In_Marshal(const CertifyX509_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Quote_In_Marshal(const Quote_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_GetSessionAuditDigest_In_Marshal(const GetSessionAuditDigest_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_GetCommandAuditDigest_In_Marshal(const GetCommandAuditDigest_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_GetTime_In_Marshal(const GetTime_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Commit_In_Marshal(const Commit_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_EC_Ephemeral_In_Marshal(const EC_Ephemeral_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_VerifySignature_In_Marshal(const VerifySignature_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Sign_In_Marshal(const Sign_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_SetCommandCodeAuditStatus_In_Marshal(const SetCommandCodeAuditStatus_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PCR_Extend_In_Marshal(const PCR_Extend_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PCR_Event_In_Marshal(const PCR_Event_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PCR_Read_In_Marshal(const PCR_Read_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PCR_Allocate_In_Marshal(const PCR_Allocate_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PCR_SetAuthPolicy_In_Marshal(const PCR_SetAuthPolicy_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PCR_SetAuthValue_In_Marshal(const PCR_SetAuthValue_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PCR_Reset_In_Marshal(const PCR_Reset_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicySigned_In_Marshal(const PolicySigned_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicySecret_In_Marshal(const PolicySecret_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyTicket_In_Marshal(const PolicyTicket_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyOR_In_Marshal(const PolicyOR_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyPCR_In_Marshal(const PolicyPCR_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyLocality_In_Marshal(const PolicyLocality_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyNV_In_Marshal(const PolicyNV_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyAuthorizeNV_In_Marshal(const PolicyAuthorizeNV_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyCounterTimer_In_Marshal(const PolicyCounterTimer_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyCommandCode_In_Marshal(const PolicyCommandCode_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyPhysicalPresence_In_Marshal(const PolicyPhysicalPresence_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyCpHash_In_Marshal(const PolicyCpHash_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyNameHash_In_Marshal(const PolicyNameHash_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyDuplicationSelect_In_Marshal(const PolicyDuplicationSelect_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyAuthorize_In_Marshal(const PolicyAuthorize_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyAuthValue_In_Marshal(const PolicyAuthValue_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyPassword_In_Marshal(const PolicyPassword_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyGetDigest_In_Marshal(const PolicyGetDigest_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyNvWritten_In_Marshal(const PolicyNvWritten_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyTemplate_In_Marshal(const PolicyTemplate_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_CreatePrimary_In_Marshal(const CreatePrimary_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_HierarchyControl_In_Marshal(const HierarchyControl_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_SetPrimaryPolicy_In_Marshal(const SetPrimaryPolicy_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ChangePPS_In_Marshal(const ChangePPS_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ChangeEPS_In_Marshal(const ChangeEPS_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Clear_In_Marshal(const Clear_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ClearControl_In_Marshal(const ClearControl_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_HierarchyChangeAuth_In_Marshal(const HierarchyChangeAuth_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_DictionaryAttackLockReset_In_Marshal(const DictionaryAttackLockReset_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_DictionaryAttackParameters_In_Marshal(const DictionaryAttackParameters_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PP_Commands_In_Marshal(const PP_Commands_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_SetAlgorithmSet_In_Marshal(const SetAlgorithmSet_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ContextSave_In_Marshal(const ContextSave_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ContextLoad_In_Marshal(const ContextLoad_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_FlushContext_In_Marshal(const FlushContext_In *source, UINT16 *written, BYTE **buffer, INT32 *size) ;
+ TPM_RC
+ TSS_EvictControl_In_Marshal(const EvictControl_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ClockSet_In_Marshal(const ClockSet_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ClockRateAdjust_In_Marshal(const ClockRateAdjust_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_GetCapability_In_Marshal(const GetCapability_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_TestParms_In_Marshal(const TestParms_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_DefineSpace_In_Marshal(const NV_DefineSpace_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_UndefineSpace_In_Marshal(const NV_UndefineSpace_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_UndefineSpaceSpecial_In_Marshal(const NV_UndefineSpaceSpecial_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_ReadPublic_In_Marshal(const NV_ReadPublic_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_Write_In_Marshal(const NV_Write_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_Increment_In_Marshal(const NV_Increment_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_Extend_In_Marshal(const NV_Extend_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_SetBits_In_Marshal(const NV_SetBits_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_WriteLock_In_Marshal(const NV_WriteLock_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_GlobalWriteLock_In_Marshal(const NV_GlobalWriteLock_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_Read_In_Marshal(const NV_Read_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_ReadLock_In_Marshal(const NV_ReadLock_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_ChangeAuth_In_Marshal(const NV_ChangeAuth_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_Certify_In_Marshal(const NV_Certify_In *source, UINT16 *written, BYTE **buffer, INT32 *size);
+
+ /* Recommended functions */
+
+ TPM_RC
+ TSS_IncrementalSelfTest_Out_Unmarshalu(IncrementalSelfTest_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetTestResult_Out_Unmarshalu(GetTestResult_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_StartAuthSession_Out_Unmarshalu(StartAuthSession_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Create_Out_Unmarshalu(Create_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Load_Out_Unmarshalu(Load_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_LoadExternal_Out_Unmarshalu(LoadExternal_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ReadPublic_Out_Unmarshalu(ReadPublic_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ActivateCredential_Out_Unmarshalu(ActivateCredential_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_MakeCredential_Out_Unmarshalu(MakeCredential_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Unseal_Out_Unmarshalu(Unseal_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ObjectChangeAuth_Out_Unmarshalu(ObjectChangeAuth_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CreateLoaded_Out_Unmarshalu(CreateLoaded_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Duplicate_Out_Unmarshalu(Duplicate_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Rewrap_Out_Unmarshalu(Rewrap_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Import_Out_Unmarshalu(Import_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_RSA_Encrypt_Out_Unmarshalu(RSA_Encrypt_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_RSA_Decrypt_Out_Unmarshalu(RSA_Decrypt_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ECDH_KeyGen_Out_Unmarshalu(ECDH_KeyGen_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ECDH_ZGen_Out_Unmarshalu(ECDH_ZGen_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ECC_Parameters_Out_Unmarshalu(ECC_Parameters_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ZGen_2Phase_Out_Unmarshalu(ZGen_2Phase_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_EncryptDecrypt_Out_Unmarshalu(EncryptDecrypt_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_EncryptDecrypt2_Out_Unmarshalu(EncryptDecrypt2_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Hash_Out_Unmarshalu(Hash_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_HMAC_Out_Unmarshalu(HMAC_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetRandom_Out_Unmarshalu(GetRandom_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_HMAC_Start_Out_Unmarshalu(HMAC_Start_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_HashSequenceStart_Out_Unmarshalu(HashSequenceStart_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_SequenceComplete_Out_Unmarshalu(SequenceComplete_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_EventSequenceComplete_Out_Unmarshalu(EventSequenceComplete_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Certify_Out_Unmarshalu(Certify_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CertifyCreation_Out_Unmarshalu(CertifyCreation_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CertifyX509_Out_Unmarshalu(CertifyX509_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Quote_Out_Unmarshalu(Quote_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetSessionAuditDigest_Out_Unmarshalu(GetSessionAuditDigest_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetCommandAuditDigest_Out_Unmarshalu(GetCommandAuditDigest_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetTime_Out_Unmarshalu(GetTime_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Commit_Out_Unmarshalu(Commit_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_EC_Ephemeral_Out_Unmarshalu(EC_Ephemeral_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_VerifySignature_Out_Unmarshalu(VerifySignature_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Sign_Out_Unmarshalu(Sign_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PCR_Event_Out_Unmarshalu(PCR_Event_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PCR_Read_Out_Unmarshalu(PCR_Read_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PCR_Allocate_Out_Unmarshalu(PCR_Allocate_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicySigned_Out_Unmarshalu(PolicySigned_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicySecret_Out_Unmarshalu(PolicySecret_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PolicyGetDigest_Out_Unmarshalu(PolicyGetDigest_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CreatePrimary_Out_Unmarshalu(CreatePrimary_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ContextSave_Out_Unmarshalu(ContextSave_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ContextLoad_Out_Unmarshalu(ContextLoad_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ReadClock_Out_Unmarshalu(ReadClock_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetCapability_Out_Unmarshalu(GetCapability_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_ReadPublic_Out_Unmarshalu(NV_ReadPublic_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_Read_Out_Unmarshalu(NV_Read_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_Certify_Out_Unmarshalu(NV_Certify_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+
+ /* Deprecated functions */
+
+ TPM_RC
+ TSS_IncrementalSelfTest_Out_Unmarshal(IncrementalSelfTest_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_GetTestResult_Out_Unmarshal(GetTestResult_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_StartAuthSession_Out_Unmarshal(StartAuthSession_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Create_Out_Unmarshal(Create_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Load_Out_Unmarshal(Load_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_LoadExternal_Out_Unmarshal(LoadExternal_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ReadPublic_Out_Unmarshal(ReadPublic_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ActivateCredential_Out_Unmarshal(ActivateCredential_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_MakeCredential_Out_Unmarshal(MakeCredential_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Unseal_Out_Unmarshal(Unseal_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ObjectChangeAuth_Out_Unmarshal(ObjectChangeAuth_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_CreateLoaded_Out_Unmarshal(CreateLoaded_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Duplicate_Out_Unmarshal(Duplicate_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Rewrap_Out_Unmarshal(Rewrap_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Import_Out_Unmarshal(Import_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_RSA_Encrypt_Out_Unmarshal(RSA_Encrypt_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_RSA_Decrypt_Out_Unmarshal(RSA_Decrypt_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ECDH_KeyGen_Out_Unmarshal(ECDH_KeyGen_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ECDH_ZGen_Out_Unmarshal(ECDH_ZGen_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ECC_Parameters_Out_Unmarshal(ECC_Parameters_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ZGen_2Phase_Out_Unmarshal(ZGen_2Phase_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_EncryptDecrypt_Out_Unmarshal(EncryptDecrypt_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_EncryptDecrypt2_Out_Unmarshal(EncryptDecrypt2_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Hash_Out_Unmarshal(Hash_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_HMAC_Out_Unmarshal(HMAC_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_GetRandom_Out_Unmarshal(GetRandom_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_HMAC_Start_Out_Unmarshal(HMAC_Start_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_HashSequenceStart_Out_Unmarshal(HashSequenceStart_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_SequenceComplete_Out_Unmarshal(SequenceComplete_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_EventSequenceComplete_Out_Unmarshal(EventSequenceComplete_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Certify_Out_Unmarshal(Certify_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_CertifyCreation_Out_Unmarshal(CertifyCreation_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Quote_Out_Unmarshal(Quote_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_GetSessionAuditDigest_Out_Unmarshal(GetSessionAuditDigest_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_GetCommandAuditDigest_Out_Unmarshal(GetCommandAuditDigest_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_GetTime_Out_Unmarshal(GetTime_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Commit_Out_Unmarshal(Commit_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_EC_Ephemeral_Out_Unmarshal(EC_Ephemeral_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_VerifySignature_Out_Unmarshal(VerifySignature_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_Sign_Out_Unmarshal(Sign_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PCR_Event_Out_Unmarshal(PCR_Event_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PCR_Read_Out_Unmarshal(PCR_Read_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PCR_Allocate_Out_Unmarshal(PCR_Allocate_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicySigned_Out_Unmarshal(PolicySigned_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicySecret_Out_Unmarshal(PolicySecret_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_PolicyGetDigest_Out_Unmarshal(PolicyGetDigest_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_CreatePrimary_Out_Unmarshal(CreatePrimary_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ContextSave_Out_Unmarshal(ContextSave_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ContextLoad_Out_Unmarshal(ContextLoad_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_ReadClock_Out_Unmarshal(ReadClock_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_GetCapability_Out_Unmarshal(GetCapability_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_ReadPublic_Out_Unmarshal(NV_ReadPublic_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_Read_Out_Unmarshal(NV_Read_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+ TPM_RC
+ TSS_NV_Certify_Out_Unmarshal(NV_Certify_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+
+ /* Recommended functions */
+
+ LIB_EXPORT TPM_RC
+ TSS_UINT8_Marshalu(const UINT8 *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_INT8_Marshalu(const INT8 *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_UINT16_Marshalu(const UINT16 *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_UINT32_Marshalu(const uint32_t *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_INT32_Marshalu(const INT32 *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_UINT64_Marshalu(const UINT64 *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_Array_Marshalu(const BYTE *source, UINT16 sourceSize, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_Marshalu(const TPM2B *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_KEY_BITS_Marshalu(const TPM_KEY_BITS *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_GENERATED_Marshalu(const TPM_GENERATED *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_ALG_ID_Marshalu(const TPM_ALG_ID *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_ECC_CURVE_Marshalu(const TPM_ECC_CURVE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_RC_Marshalu(const TPM_RC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_CLOCK_ADJUST_Marshalu(const TPM_CLOCK_ADJUST *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_EO_Marshalu(const TPM_EO *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_ST_Marshalu(const TPM_ST *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_SU_Marshalu(const TPM_ST *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_SE_Marshalu(const TPM_SE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_CAP_Marshalu(const TPM_CAP *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_PT_Marshalu(const TPM_PT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_PT_PCR_Marshalu(const TPM_PT_PCR *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_HANDLE_Marshalu(const TPM_HANDLE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_ALGORITHM_Marshalu(const TPMA_ALGORITHM *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_OBJECT_Marshalu(const TPMA_OBJECT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_SESSION_Marshalu(const TPMA_SESSION *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_LOCALITY_Marshalu(const TPMA_LOCALITY *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_CC_Marshalu(const TPM_CC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_CC_Marshalu(const TPMA_CC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_YES_NO_Marshalu(const TPMI_YES_NO *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_OBJECT_Marshalu(const TPMI_DH_OBJECT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_PERSISTENT_Marshalu(const TPMI_DH_PERSISTENT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_ENTITY_Marshalu(const TPMI_DH_ENTITY *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_PCR_Marshalu(const TPMI_DH_PCR *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_SH_AUTH_SESSION_Marshalu(const TPMI_SH_AUTH_SESSION *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_SH_HMAC_Marshalu(const TPMI_SH_HMAC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_SH_POLICY_Marshalu(const TPMI_SH_POLICY*source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_CONTEXT_Marshalu(const TPMI_DH_CONTEXT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_SAVED_Marshalu(const TPMI_DH_SAVED *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_HIERARCHY_Marshalu(const TPMI_RH_HIERARCHY *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_ENABLES_Marshalu(const TPMI_RH_ENABLES *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_HIERARCHY_AUTH_Marshalu(const TPMI_RH_HIERARCHY_AUTH *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_HIERARCHY_POLICY_Marshalu(const TPMI_RH_HIERARCHY_POLICY *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_PLATFORM_Marshalu(const TPMI_RH_PLATFORM *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_ENDORSEMENT_Marshalu(const TPMI_RH_ENDORSEMENT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_PROVISION_Marshalu(const TPMI_RH_PROVISION *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_CLEAR_Marshalu(const TPMI_RH_CLEAR *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_NV_AUTH_Marshalu(const TPMI_RH_NV_AUTH *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_LOCKOUT_Marshalu(const TPMI_RH_LOCKOUT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_NV_INDEX_Marshalu(const TPMI_RH_NV_INDEX *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_HASH_Marshalu(const TPMI_ALG_HASH *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SYM_Marshalu(const TPMI_ALG_SYM *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SYM_OBJECT_Marshalu(const TPMI_ALG_SYM_OBJECT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SYM_MODE_Marshalu(const TPMI_ALG_SYM_MODE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_KDF_Marshalu(const TPMI_ALG_KDF *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SIG_SCHEME_Marshalu(const TPMI_ALG_SIG_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ECC_KEY_EXCHANGE_Marshalu(const TPMI_ECC_KEY_EXCHANGE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ST_COMMAND_TAG_Marshalu(const TPMI_ST_COMMAND_TAG *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_MAC_SCHEME_Marshalu(const TPMI_ALG_MAC_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_CIPHER_MODE_Marshalu(const TPMI_ALG_CIPHER_MODE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_HA_Marshalu(const TPMU_HA *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_HA_Marshalu(const TPMT_HA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_DIGEST_Marshalu(const TPM2B_DIGEST *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_DATA_Marshalu(const TPM2B_DATA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_NONCE_Marshalu(const TPM2B_NONCE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_AUTH_Marshalu(const TPM2B_AUTH *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_OPERAND_Marshalu(const TPM2B_OPERAND *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_EVENT_Marshalu(const TPM2B_EVENT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_MAX_BUFFER_Marshalu(const TPM2B_MAX_BUFFER *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_MAX_NV_BUFFER_Marshalu(const TPM2B_MAX_NV_BUFFER *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_TIMEOUT_Marshalu(const TPM2B_TIMEOUT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_IV_Marshalu(const TPM2B_IV *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_NAME_Marshalu(const TPM2B_NAME *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_PCR_SELECTION_Marshalu(const TPMS_PCR_SELECTION *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_CREATION_Marshalu(const TPMT_TK_CREATION *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_VERIFIED_Marshalu(const TPMT_TK_VERIFIED *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_AUTH_Marshalu(const TPMT_TK_AUTH *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_HASHCHECK_Marshalu(const TPMT_TK_HASHCHECK *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ALG_PROPERTY_Marshalu(const TPMS_ALG_PROPERTY *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TAGGED_PROPERTY_Marshalu(const TPMS_TAGGED_PROPERTY *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TAGGED_PCR_SELECT_Marshalu(const TPMS_TAGGED_PCR_SELECT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_CC_Marshalu(const TPML_CC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_CCA_Marshalu(const TPML_CCA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_ALG_Marshalu(const TPML_ALG *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_HANDLE_Marshalu(const TPML_HANDLE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_DIGEST_Marshalu(const TPML_DIGEST *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_DIGEST_VALUES_Marshalu(const TPML_DIGEST_VALUES *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_PCR_SELECTION_Marshalu(const TPML_PCR_SELECTION *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_ALG_PROPERTY_Marshalu(const TPML_ALG_PROPERTY *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_TAGGED_TPM_PROPERTY_Marshalu(const TPML_TAGGED_TPM_PROPERTY *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_TAGGED_PCR_PROPERTY_Marshalu(const TPML_TAGGED_PCR_PROPERTY *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_ECC_CURVE_Marshalu(const TPML_ECC_CURVE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_CAPABILITIES_Marshalu(const TPMU_CAPABILITIES *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CAPABILITY_DATA_Marshalu(const TPMS_CAPABILITY_DATA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CLOCK_INFO_Marshalu(const TPMS_CLOCK_INFO *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TIME_INFO_Marshalu(const TPMS_TIME_INFO *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TIME_ATTEST_INFO_Marshalu(const TPMS_TIME_ATTEST_INFO *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CERTIFY_INFO_Marshalu(const TPMS_CERTIFY_INFO *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_QUOTE_INFO_Marshalu(const TPMS_QUOTE_INFO *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_COMMAND_AUDIT_INFO_Marshalu(const TPMS_COMMAND_AUDIT_INFO *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SESSION_AUDIT_INFO_Marshalu(const TPMS_SESSION_AUDIT_INFO *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CREATION_INFO_Marshalu(const TPMS_CREATION_INFO *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_NV_CERTIFY_INFO_Marshalu(const TPMS_NV_CERTIFY_INFO *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ST_ATTEST_Marshalu(const TPMI_ST_ATTEST *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_ATTEST_Marshalu(const TPMU_ATTEST *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ATTEST_Marshalu(const TPMS_ATTEST *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ATTEST_Marshalu(const TPM2B_ATTEST *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_AUTH_COMMAND_Marshalu(const TPMS_AUTH_COMMAND *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_AES_KEY_BITS_Marshalu(const TPMI_AES_KEY_BITS *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SYM_KEY_BITS_Marshalu(const TPMU_SYM_KEY_BITS *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SYM_MODE_Marshalu(const TPMU_SYM_MODE *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SYM_DEF_Marshalu(const TPMT_SYM_DEF *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SYM_DEF_OBJECT_Marshalu(const TPMT_SYM_DEF_OBJECT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SYM_KEY_Marshalu(const TPM2B_SYM_KEY *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_LABEL_Marshalu(const TPM2B_LABEL *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_DERIVE_Marshalu(const TPMS_DERIVE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SYMCIPHER_PARMS_Marshalu(const TPMS_SYMCIPHER_PARMS *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SENSITIVE_DATA_Marshalu(const TPM2B_SENSITIVE_DATA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SENSITIVE_CREATE_Marshalu(const TPMS_SENSITIVE_CREATE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SENSITIVE_CREATE_Marshalu(const TPM2B_SENSITIVE_CREATE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_HASH_Marshalu(const TPMS_SCHEME_HASH *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_ECDAA_Marshalu(const TPMS_SCHEME_ECDAA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_KEYEDHASH_SCHEME_Marshalu(const TPMI_ALG_KEYEDHASH_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_HMAC_Marshalu(const TPMS_SCHEME_HMAC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_XOR_Marshalu(const TPMS_SCHEME_XOR *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SCHEME_KEYEDHASH_Marshalu(const TPMU_SCHEME_KEYEDHASH *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_KEYEDHASH_SCHEME_Marshalu(const TPMT_KEYEDHASH_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_RSASSA_Marshalu(const TPMS_SIG_SCHEME_RSASSA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_RSAPSS_Marshalu(const TPMS_SIG_SCHEME_RSAPSS *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_ECDSA_Marshalu(const TPMS_SIG_SCHEME_ECDSA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_SM2_Marshalu(const TPMS_SIG_SCHEME_SM2 *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_ECSCHNORR_Marshalu(const TPMS_SIG_SCHEME_ECSCHNORR *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_ECDAA_Marshalu(const TPMS_SIG_SCHEME_ECDAA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SIG_SCHEME_Marshalu(const TPMU_SIG_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SIG_SCHEME_Marshalu(const TPMT_SIG_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ENC_SCHEME_OAEP_Marshalu(const TPMS_ENC_SCHEME_OAEP *source, UINT16 *written, BYTE **buffer, uint32_t *size)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ENC_SCHEME_RSAES_Marshalu(const TPMS_ENC_SCHEME_RSAES *source, UINT16 *written, BYTE **buffer, uint32_t *size)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_KEY_SCHEME_ECDH_Marshalu(const TPMS_KEY_SCHEME_ECDH *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_KEY_SCHEME_ECMQV_Marshalu(const TPMS_KEY_SCHEME_ECMQV *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_MGF1_Marshalu(const TPMS_SCHEME_MGF1 *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_KDF1_SP800_56A_Marshalu(const TPMS_SCHEME_KDF1_SP800_56A *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_KDF2_Marshalu(const TPMS_SCHEME_KDF2 *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_KDF1_SP800_108_Marshalu(const TPMS_SCHEME_KDF1_SP800_108 *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_KDF_SCHEME_Marshalu(const TPMU_KDF_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_KDF_SCHEME_Marshalu(const TPMT_KDF_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_ASYM_SCHEME_Marshalu(const TPMU_ASYM_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_RSA_SCHEME_Marshalu(const TPMI_ALG_RSA_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_RSA_SCHEME_Marshalu(const TPMT_RSA_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_RSA_DECRYPT_Marshalu(const TPMI_ALG_RSA_DECRYPT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_RSA_DECRYPT_Marshalu(const TPMT_RSA_DECRYPT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PUBLIC_KEY_RSA_Marshalu(const TPM2B_PUBLIC_KEY_RSA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RSA_KEY_BITS_Marshalu(const TPMI_RSA_KEY_BITS *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PRIVATE_KEY_RSA_Marshalu(const TPM2B_PRIVATE_KEY_RSA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ECC_PARAMETER_Marshalu(const TPM2B_ECC_PARAMETER *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ECC_POINT_Marshalu(const TPMS_ECC_POINT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ECC_POINT_Marshalu(const TPM2B_ECC_POINT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_ECC_SCHEME_Marshalu(const TPMI_ALG_ECC_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ECC_CURVE_Marshalu(const TPMI_ECC_CURVE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_ECC_SCHEME_Marshalu(const TPMT_ECC_SCHEME *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ALGORITHM_DETAIL_ECC_Marshalu(const TPMS_ALGORITHM_DETAIL_ECC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_RSA_Marshalu(const TPMS_SIGNATURE_RSA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_RSASSA_Marshalu(const TPMS_SIGNATURE_RSASSA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_RSAPSS_Marshalu(const TPMS_SIGNATURE_RSAPSS *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECC_Marshalu(const TPMS_SIGNATURE_ECC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECDSA_Marshalu(const TPMS_SIGNATURE_ECDSA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECDAA_Marshalu(const TPMS_SIGNATURE_ECDAA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_SM2_Marshalu(const TPMS_SIGNATURE_SM2 *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECSCHNORR_Marshalu(const TPMS_SIGNATURE_ECSCHNORR *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SIGNATURE_Marshalu(const TPMU_SIGNATURE *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SIGNATURE_Marshalu(const TPMT_SIGNATURE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ENCRYPTED_SECRET_Marshalu(const TPM2B_ENCRYPTED_SECRET *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_PUBLIC_Marshalu(const TPMI_ALG_PUBLIC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_PUBLIC_ID_Marshalu(const TPMU_PUBLIC_ID *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_KEYEDHASH_PARMS_Marshalu(const TPMS_KEYEDHASH_PARMS *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_RSA_PARMS_Marshalu(const TPMS_RSA_PARMS *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ECC_PARMS_Marshalu(const TPMS_ECC_PARMS *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_PUBLIC_PARMS_Marshalu(const TPMU_PUBLIC_PARMS *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_PUBLIC_PARMS_Marshalu(const TPMT_PUBLIC_PARMS *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_PUBLIC_Marshalu(const TPMT_PUBLIC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_PUBLIC_D_Marshalu(const TPMT_PUBLIC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PUBLIC_Marshalu(const TPM2B_PUBLIC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_TEMPLATE_Marshalu(const TPM2B_TEMPLATE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SENSITIVE_COMPOSITE_Marshalu(const TPMU_SENSITIVE_COMPOSITE *source, UINT16 *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SENSITIVE_Marshalu(const TPMT_SENSITIVE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SENSITIVE_Marshalu(const TPM2B_SENSITIVE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PRIVATE_Marshalu(const TPM2B_PRIVATE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ID_OBJECT_Marshalu(const TPM2B_ID_OBJECT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_NV_Marshalu(const TPMA_NV *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_NV_PUBLIC_Marshalu(const TPMS_NV_PUBLIC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_NV_PUBLIC_Marshalu(const TPM2B_NV_PUBLIC *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_CONTEXT_SENSITIVE_Marshalu(const TPM2B_CONTEXT_SENSITIVE *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_CONTEXT_DATA_Marshalu(const TPM2B_CONTEXT_DATA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CONTEXT_Marshalu(const TPMS_CONTEXT *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CREATION_DATA_Marshalu(const TPMS_CREATION_DATA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_CREATION_DATA_Marshalu(const TPM2B_CREATION_DATA *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+
+ /* Deprecated functions */
+
+ LIB_EXPORT TPM_RC
+ TSS_UINT8_Marshal(const UINT8 *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_INT8_Marshal(const INT8 *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_UINT16_Marshal(const UINT16 *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_UINT32_Marshal(const UINT32 *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_INT32_Marshal(const INT32 *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_UINT64_Marshal(const UINT64 *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_Array_Marshal(const BYTE *source, UINT16 sourceSize, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_Marshal(const TPM2B *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_KEY_BITS_Marshal(const TPM_KEY_BITS *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_GENERATED_Marshal(const TPM_GENERATED *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_ALG_ID_Marshal(const TPM_ALG_ID *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_ECC_CURVE_Marshal(const TPM_ECC_CURVE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_RC_Marshal(const TPM_RC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_CLOCK_ADJUST_Marshal(const TPM_CLOCK_ADJUST *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_EO_Marshal(const TPM_EO *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_ST_Marshal(const TPM_ST *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_SU_Marshal(const TPM_ST *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_SE_Marshal(const TPM_SE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_CAP_Marshal(const TPM_CAP *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_PT_Marshal(const TPM_PT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_PT_PCR_Marshal(const TPM_PT_PCR *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_HANDLE_Marshal(const TPM_HANDLE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_ALGORITHM_Marshal(const TPMA_ALGORITHM *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_OBJECT_Marshal(const TPMA_OBJECT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_SESSION_Marshal(const TPMA_SESSION *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_LOCALITY_Marshal(const TPMA_LOCALITY *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM_CC_Marshal(const TPM_CC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_CC_Marshal(const TPMA_CC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_YES_NO_Marshal(const TPMI_YES_NO *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_OBJECT_Marshal(const TPMI_DH_OBJECT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_PERSISTENT_Marshal(const TPMI_DH_PERSISTENT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_ENTITY_Marshal(const TPMI_DH_ENTITY *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_PCR_Marshal(const TPMI_DH_PCR *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_SH_AUTH_SESSION_Marshal(const TPMI_SH_AUTH_SESSION *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_SH_HMAC_Marshal(const TPMI_SH_HMAC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_SH_POLICY_Marshal(const TPMI_SH_POLICY*source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_DH_CONTEXT_Marshal(const TPMI_DH_CONTEXT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_HIERARCHY_Marshal(const TPMI_RH_HIERARCHY *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_ENABLES_Marshal(const TPMI_RH_ENABLES *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_HIERARCHY_AUTH_Marshal(const TPMI_RH_HIERARCHY_AUTH *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_PLATFORM_Marshal(const TPMI_RH_PLATFORM *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_ENDORSEMENT_Marshal(const TPMI_RH_ENDORSEMENT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_PROVISION_Marshal(const TPMI_RH_PROVISION *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_CLEAR_Marshal(const TPMI_RH_CLEAR *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_NV_AUTH_Marshal(const TPMI_RH_NV_AUTH *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_LOCKOUT_Marshal(const TPMI_RH_LOCKOUT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RH_NV_INDEX_Marshal(const TPMI_RH_NV_INDEX *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_HASH_Marshal(const TPMI_ALG_HASH *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SYM_Marshal(const TPMI_ALG_SYM *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SYM_OBJECT_Marshal(const TPMI_ALG_SYM_OBJECT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SYM_MODE_Marshal(const TPMI_ALG_SYM_MODE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_KDF_Marshal(const TPMI_ALG_KDF *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_SIG_SCHEME_Marshal(const TPMI_ALG_SIG_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ECC_KEY_EXCHANGE_Marshal(const TPMI_ECC_KEY_EXCHANGE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ST_COMMAND_TAG_Marshal(const TPMI_ST_COMMAND_TAG *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_MAC_SCHEME_Marshal(const TPMI_ALG_MAC_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_CIPHER_MODE_Marshal(const TPMI_ALG_CIPHER_MODE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_HA_Marshal(const TPMU_HA *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_HA_Marshal(const TPMT_HA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_DIGEST_Marshal(const TPM2B_DIGEST *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_DATA_Marshal(const TPM2B_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_NONCE_Marshal(const TPM2B_NONCE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_AUTH_Marshal(const TPM2B_AUTH *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_OPERAND_Marshal(const TPM2B_OPERAND *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_EVENT_Marshal(const TPM2B_EVENT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_MAX_BUFFER_Marshal(const TPM2B_MAX_BUFFER *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_MAX_NV_BUFFER_Marshal(const TPM2B_MAX_NV_BUFFER *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_TIMEOUT_Marshal(const TPM2B_TIMEOUT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_IV_Marshal(const TPM2B_IV *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_NAME_Marshal(const TPM2B_NAME *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_PCR_SELECTION_Marshal(const TPMS_PCR_SELECTION *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_CREATION_Marshal(const TPMT_TK_CREATION *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_VERIFIED_Marshal(const TPMT_TK_VERIFIED *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_AUTH_Marshal(const TPMT_TK_AUTH *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_TK_HASHCHECK_Marshal(const TPMT_TK_HASHCHECK *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ALG_PROPERTY_Marshal(const TPMS_ALG_PROPERTY *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TAGGED_PROPERTY_Marshal(const TPMS_TAGGED_PROPERTY *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TAGGED_PCR_SELECT_Marshal(const TPMS_TAGGED_PCR_SELECT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_CC_Marshal(const TPML_CC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_CCA_Marshal(const TPML_CCA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_ALG_Marshal(const TPML_ALG *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_HANDLE_Marshal(const TPML_HANDLE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_DIGEST_Marshal(const TPML_DIGEST *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_DIGEST_VALUES_Marshal(const TPML_DIGEST_VALUES *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_PCR_SELECTION_Marshal(const TPML_PCR_SELECTION *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_ALG_PROPERTY_Marshal(const TPML_ALG_PROPERTY *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_TAGGED_TPM_PROPERTY_Marshal(const TPML_TAGGED_TPM_PROPERTY *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_TAGGED_PCR_PROPERTY_Marshal(const TPML_TAGGED_PCR_PROPERTY *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPML_ECC_CURVE_Marshal(const TPML_ECC_CURVE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_CAPABILITIES_Marshal(const TPMU_CAPABILITIES *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CAPABILITY_DATA_Marshal(const TPMS_CAPABILITY_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CLOCK_INFO_Marshal(const TPMS_CLOCK_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TIME_INFO_Marshal(const TPMS_TIME_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_TIME_ATTEST_INFO_Marshal(const TPMS_TIME_ATTEST_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CERTIFY_INFO_Marshal(const TPMS_CERTIFY_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_QUOTE_INFO_Marshal(const TPMS_QUOTE_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_COMMAND_AUDIT_INFO_Marshal(const TPMS_COMMAND_AUDIT_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SESSION_AUDIT_INFO_Marshal(const TPMS_SESSION_AUDIT_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CREATION_INFO_Marshal(const TPMS_CREATION_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_NV_CERTIFY_INFO_Marshal(const TPMS_NV_CERTIFY_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ST_ATTEST_Marshal(const TPMI_ST_ATTEST *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_ATTEST_Marshal(const TPMU_ATTEST *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ATTEST_Marshal(const TPMS_ATTEST *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ATTEST_Marshal(const TPM2B_ATTEST *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_AUTH_COMMAND_Marshal(const TPMS_AUTH_COMMAND *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_AES_KEY_BITS_Marshal(const TPMI_AES_KEY_BITS *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SYM_KEY_BITS_Marshal(const TPMU_SYM_KEY_BITS *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SYM_MODE_Marshal(const TPMU_SYM_MODE *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SYM_DEF_Marshal(const TPMT_SYM_DEF *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SYM_DEF_OBJECT_Marshal(const TPMT_SYM_DEF_OBJECT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SYM_KEY_Marshal(const TPM2B_SYM_KEY *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_LABEL_Marshal(const TPM2B_LABEL *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_DERIVE_Marshal(const TPMS_DERIVE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SYMCIPHER_PARMS_Marshal(const TPMS_SYMCIPHER_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SENSITIVE_DATA_Marshal(const TPM2B_SENSITIVE_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SENSITIVE_CREATE_Marshal(const TPMS_SENSITIVE_CREATE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SENSITIVE_CREATE_Marshal(const TPM2B_SENSITIVE_CREATE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_HASH_Marshal(const TPMS_SCHEME_HASH *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_ECDAA_Marshal(const TPMS_SCHEME_ECDAA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_KEYEDHASH_SCHEME_Marshal(const TPMI_ALG_KEYEDHASH_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_HMAC_Marshal(const TPMS_SCHEME_HMAC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_XOR_Marshal(const TPMS_SCHEME_XOR *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SCHEME_KEYEDHASH_Marshal(const TPMU_SCHEME_KEYEDHASH *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_KEYEDHASH_SCHEME_Marshal(const TPMT_KEYEDHASH_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_RSASSA_Marshal(const TPMS_SIG_SCHEME_RSASSA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_RSAPSS_Marshal(const TPMS_SIG_SCHEME_RSAPSS *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_ECDSA_Marshal(const TPMS_SIG_SCHEME_ECDSA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_SM2_Marshal(const TPMS_SIG_SCHEME_SM2 *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_ECSCHNORR_Marshal(const TPMS_SIG_SCHEME_ECSCHNORR *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIG_SCHEME_ECDAA_Marshal(const TPMS_SIG_SCHEME_ECDAA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SIG_SCHEME_Marshal(const TPMU_SIG_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SIG_SCHEME_Marshal(const TPMT_SIG_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ENC_SCHEME_OAEP_Marshal(const TPMS_ENC_SCHEME_OAEP *source, UINT16 *written, BYTE **buffer, INT32 *size)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ENC_SCHEME_RSAES_Marshal(const TPMS_ENC_SCHEME_RSAES *source, UINT16 *written, BYTE **buffer, INT32 *size)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_KEY_SCHEME_ECDH_Marshal(const TPMS_KEY_SCHEME_ECDH *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_KEY_SCHEME_ECMQV_Marshal(const TPMS_KEY_SCHEME_ECMQV *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_MGF1_Marshal(const TPMS_SCHEME_MGF1 *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_KDF1_SP800_56A_Marshal(const TPMS_SCHEME_KDF1_SP800_56A *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_KDF2_Marshal(const TPMS_SCHEME_KDF2 *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SCHEME_KDF1_SP800_108_Marshal(const TPMS_SCHEME_KDF1_SP800_108 *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_KDF_SCHEME_Marshal(const TPMU_KDF_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_KDF_SCHEME_Marshal(const TPMT_KDF_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_ASYM_SCHEME_Marshal(const TPMU_ASYM_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_RSA_SCHEME_Marshal(const TPMI_ALG_RSA_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_RSA_SCHEME_Marshal(const TPMT_RSA_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_RSA_DECRYPT_Marshal(const TPMI_ALG_RSA_DECRYPT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_RSA_DECRYPT_Marshal(const TPMT_RSA_DECRYPT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PUBLIC_KEY_RSA_Marshal(const TPM2B_PUBLIC_KEY_RSA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_RSA_KEY_BITS_Marshal(const TPMI_RSA_KEY_BITS *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PRIVATE_KEY_RSA_Marshal(const TPM2B_PRIVATE_KEY_RSA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ECC_PARAMETER_Marshal(const TPM2B_ECC_PARAMETER *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ECC_POINT_Marshal(const TPMS_ECC_POINT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ECC_POINT_Marshal(const TPM2B_ECC_POINT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_ECC_SCHEME_Marshal(const TPMI_ALG_ECC_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ECC_CURVE_Marshal(const TPMI_ECC_CURVE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_ECC_SCHEME_Marshal(const TPMT_ECC_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ALGORITHM_DETAIL_ECC_Marshal(const TPMS_ALGORITHM_DETAIL_ECC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_RSA_Marshal(const TPMS_SIGNATURE_RSA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_RSASSA_Marshal(const TPMS_SIGNATURE_RSASSA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_RSAPSS_Marshal(const TPMS_SIGNATURE_RSAPSS *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECC_Marshal(const TPMS_SIGNATURE_ECC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECDSA_Marshal(const TPMS_SIGNATURE_ECDSA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECDAA_Marshal(const TPMS_SIGNATURE_ECDAA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_SM2_Marshal(const TPMS_SIGNATURE_SM2 *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_SIGNATURE_ECSCHNORR_Marshal(const TPMS_SIGNATURE_ECSCHNORR *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SIGNATURE_Marshal(const TPMU_SIGNATURE *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SIGNATURE_Marshal(const TPMT_SIGNATURE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ENCRYPTED_SECRET_Marshal(const TPM2B_ENCRYPTED_SECRET *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMI_ALG_PUBLIC_Marshal(const TPMI_ALG_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_PUBLIC_ID_Marshal(const TPMU_PUBLIC_ID *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_KEYEDHASH_PARMS_Marshal(const TPMS_KEYEDHASH_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_RSA_PARMS_Marshal(const TPMS_RSA_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_ECC_PARMS_Marshal(const TPMS_ECC_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_PUBLIC_PARMS_Marshal(const TPMU_PUBLIC_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_PUBLIC_PARMS_Marshal(const TPMT_PUBLIC_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_PUBLIC_Marshal(const TPMT_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_PUBLIC_D_Marshal(const TPMT_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PUBLIC_Marshal(const TPM2B_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_TEMPLATE_Marshal(const TPM2B_TEMPLATE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMU_SENSITIVE_COMPOSITE_Marshal(const TPMU_SENSITIVE_COMPOSITE *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector);
+ LIB_EXPORT TPM_RC
+ TSS_TPMT_SENSITIVE_Marshal(const TPMT_SENSITIVE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_SENSITIVE_Marshal(const TPM2B_SENSITIVE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_PRIVATE_Marshal(const TPM2B_PRIVATE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_ID_OBJECT_Marshal(const TPM2B_ID_OBJECT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMA_NV_Marshal(const TPMA_NV *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_NV_PUBLIC_Marshal(const TPMS_NV_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_NV_PUBLIC_Marshal(const TPM2B_NV_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_CONTEXT_SENSITIVE_Marshal(const TPM2B_CONTEXT_SENSITIVE *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_CONTEXT_DATA_Marshal(const TPM2B_CONTEXT_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CONTEXT_Marshal(const TPMS_CONTEXT *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPMS_CREATION_DATA_Marshal(const TPMS_CREATION_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+ LIB_EXPORT TPM_RC
+ TSS_TPM2B_CREATION_DATA_Marshal(const TPM2B_CREATION_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssmarshal12.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssmarshal12.h
new file mode 100644
index 0000000..b2f21d4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssmarshal12.h
@@ -0,0 +1,192 @@
+/********************************************************************************/
+/* */
+/* TSS Marshal and Unmarshal */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssmarshal12.h 1286 2018-07-27 19:20:16Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is a semi-public header. The API should be stable, but is less guaranteed.
+
+ It is useful for applications that have to marshal / unmarshal
+ structures for file save / load.
+*/
+
+#ifndef TSSMARSHAL12_H
+#define TSSMARSHAL12_H
+
+#include "BaseTypes.h"
+#include <ibmtss/TPM_Types.h>
+
+#include <ibmtss/Parameters12.h>
+#include <ibmtss/tpmstructures12.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ TPM_RC
+ TSS_ActivateIdentity_In_Marshalu(const ActivateIdentity_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CreateEndorsementKeyPair_In_Marshalu(const CreateEndorsementKeyPair_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CreateWrapKey_In_Marshalu(const CreateWrapKey_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Extend_In_Marshalu(const Extend_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_FlushSpecific_In_Marshalu(const FlushSpecific_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetCapability12_In_Marshalu(const GetCapability12_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_LoadKey2_In_Marshalu(const LoadKey2_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_MakeIdentity_In_Marshalu(const MakeIdentity_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_DefineSpace12_In_Marshalu(const NV_DefineSpace12_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_ReadValueAuth_In_Marshalu(const NV_ReadValueAuth_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_ReadValue_In_Marshalu(const NV_ReadValue_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_WriteValue_In_Marshalu(const NV_WriteValue_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_WriteValueAuth_In_Marshalu(const NV_WriteValueAuth_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_OwnerReadInternalPub_In_Marshalu(const OwnerReadInternalPub_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_OwnerSetDisable_In_Marshalu(const OwnerSetDisable_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_OSAP_In_Marshalu(const OSAP_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PcrRead12_In_Marshalu(const PcrRead12_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PCR_Reset12_In_Marshalu(const PCR_Reset12_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Quote2_In_Marshalu(const Quote2_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ReadPubek_In_Marshalu(const ReadPubek_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Sign12_In_Marshalu(const Sign12_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Startup12_In_Marshalu(const Startup12_In *source, UINT16 *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TakeOwnership_In_Marshalu(const TakeOwnership_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+
+ TPM_RC
+ TSS_ActivateIdentity_Out_Unmarshalu(ActivateIdentity_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CreateEndorsementKeyPair_Out_Unmarshalu(CreateEndorsementKeyPair_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_CreateWrapKey_Out_Unmarshalu(CreateWrapKey_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Extend_Out_Unmarshalu(Extend_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_GetCapability12_Out_Unmarshalu(GetCapability12_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_LoadKey2_Out_Unmarshalu(LoadKey2_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_MakeIdentity_Out_Unmarshalu(MakeIdentity_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_ReadValueAuth_Out_Unmarshalu(NV_ReadValueAuth_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NV_ReadValue_Out_Unmarshalu(NV_ReadValue_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_OIAP_Out_Unmarshalu(OIAP_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_OSAP_Out_Unmarshalu(OSAP_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_OwnerReadInternalPub_Out_Unmarshalu(OwnerReadInternalPub_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_PcrRead12_Out_Unmarshalu(PcrRead12_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Quote2_Out_Unmarshalu(Quote2_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_ReadPubek_Out_Unmarshalu(ReadPubek_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_Sign12_Out_Unmarshalu(Sign12_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TakeOwnership_Out_Unmarshalu(TakeOwnership_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+
+ TPM_RC
+ TSS_TPM_STARTUP_TYPE_Marshalu(const TPM_STARTUP_TYPE *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+
+ TPM_RC
+ TSS_TPM_VERSION_Marshalu(const TPM_VERSION*source, uint16_t *written, BYTE **buffer, uint32_t *size);
+
+ TPM_RC
+ TSS_TPM_PCR_SELECTION_Marshalu(const TPM_PCR_SELECTION *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_PCR_INFO_SHORT_Marshalu(const TPM_PCR_INFO_SHORT *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM4B_TPM_PCR_INFO_LONG_Marshalu(const TPM_PCR_INFO_LONG *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_PCR_INFO_LONG_Marshalu(const TPM_PCR_INFO_LONG *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+
+ TPM_RC
+ TSS_TPM_SYMMETRIC_KEY_Marshalu(const TPM_SYMMETRIC_KEY *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+
+ TPM_RC
+ TSS_TPM_RSA_KEY_PARMS_Marshalu(const TPM_RSA_KEY_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPMU_PARMS_Marshalu(const TPMU_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ TPM_RC
+ TSS_TPM4B_TPMU_PARMS_Marshalu(const TPMU_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector);
+ TPM_RC
+ TSS_TPM_KEY_PARMS_Marshalu(const TPM_KEY_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_STORE_PUBKEY_Marshalu(const TPM_STORE_PUBKEY *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_KEY12_PUBKEY_Marshalu(const TPM_KEY12 *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_PUBKEY_Marshalu(const TPM_PUBKEY *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_KEY12_Marshalu(const TPM_KEY12 *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_QUOTE_INFO2_Marshalu(const TPM_QUOTE_INFO2 *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_EK_BLOB_Marshalu(const TPM_EK_BLOB *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_EK_BLOB_ACTIVATE_Marshalu(const TPM_EK_BLOB_ACTIVATE *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_NV_ATTRIBUTES_Marshalu(const TPM_NV_ATTRIBUTES *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_NV_DATA_PUBLIC_Marshalu(const TPM_NV_DATA_PUBLIC *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_TPM_CAP_VERSION_INFO_Marshalu(const TPM_CAP_VERSION_INFO *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssprint.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssprint.h
new file mode 100644
index 0000000..46d9e87
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssprint.h
@@ -0,0 +1,290 @@
+/********************************************************************************/
+/* */
+/* Structure Print Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is a semi-public header. The API is not guaranteed to be stable, and the format of the
+ output is subject to change
+
+ It is useful for application debug.
+*/
+
+#ifndef TSSPRINT_H
+#define TSSPRINT_H
+
+#include <stdint.h>
+#include <stdio.h>
+
+#include <ibmtss/TPM_Types.h>
+
+#define LOGLEVEL_INFO 6 /* LOGLEVEL_INFO prints a concise output */
+#define LOGLEVEL_DEBUG 7 /* LOGLEVEL_DEBUG prints a verbose output */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ #ifdef TPM_TSS_NO_PRINT
+
+ /* return code to eliminate "statement has no effect" compiler warning */
+ extern int tssSwallowRc;
+ /* function prototype to match the printf prototype */
+ int TSS_SwallowPrintf(const char *format, ...);
+ /* macro to compile out printf */
+#define printf tssSwallowRc = 0 && TSS_SwallowPrintf
+
+ #endif
+
+ LIB_EXPORT
+ uint32_t TSS_Array_Scan(unsigned char **data, size_t *len, const char *string);
+ LIB_EXPORT
+ void TSS_PrintAll(const char *string, const unsigned char* buff, uint32_t length);
+ LIB_EXPORT
+ void TSS_PrintAlli(const char *string, unsigned int indent,
+ const unsigned char* buff, uint32_t length);
+ LIB_EXPORT
+ void TSS_PrintAllLogLevel(uint32_t log_level, const char *string, unsigned int indent,
+ const unsigned char* buff, uint32_t length);
+ LIB_EXPORT
+ void TSS_TPM2B_Print(const char *string, unsigned int indent, TPM2B *source);
+ LIB_EXPORT
+ void TSS_TPM_ALG_ID_Print(const char *string, TPM_ALG_ID source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_ECC_CURVE_Print(const char *string, TPM_ECC_CURVE source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_TAGGED_POLICY_Print(TPMS_TAGGED_POLICY *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_CC_Print(const char *string, TPM_CC source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_TPMA_ALGORITHM_Print(TPMA_ALGORITHM source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_CLOCK_ADJUST_Print(const char *string, TPM_CLOCK_ADJUST source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_EO_Print(const char *string, TPM_EO source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_ST_Print(const char *string, TPM_ST source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_SU_Print(const char *string, TPM_SU source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_SE_Print(const char *string, TPM_SE source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_CAP_Print(const char *string, TPM_CAP source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_HANDLE_Print(const char *string, TPM_HANDLE source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_TPMA_ALGORITHM_Print(TPMA_ALGORITHM source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMA_OBJECT_Print(const char *string, TPMA_OBJECT source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMA_LOCALITY_Print(TPMA_LOCALITY source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMA_SESSION_Print(TPMA_SESSION source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMA_PERMANENT_Print(TPMA_PERMANENT source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMA_STARTUP_CLEAR_Print(TPMA_STARTUP_CLEAR source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMA_MEMORY_Print(TPMA_MEMORY source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMA_MODES_Print(TPMA_MODES source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMI_YES_NO_Print(const char *string, TPMI_YES_NO source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMU_HA_Print(TPMU_HA *source, uint32_t selector, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_HA_Print(TPMT_HA *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_PCR_SELECT_Print(TPMS_PCR_SELECT *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_PCR_SELECTION_Print(TPMS_PCR_SELECTION *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPML_PCR_SELECTION_Print(TPML_PCR_SELECTION *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_TK_CREATION_Print(TPMT_TK_CREATION *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_TK_VERIFIED_Print(TPMT_TK_VERIFIED *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_TK_AUTH_Print(TPMT_TK_AUTH *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_TK_HASHCHECK_Print(TPMT_TK_HASHCHECK *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPML_CC_Print(TPML_CC *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPML_ALG_Print(TPML_ALG *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPML_DIGEST_Print(TPML_DIGEST *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPML_DIGEST_VALUES_Print(TPML_DIGEST_VALUES *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_CLOCK_INFO_Print(TPMS_CLOCK_INFO *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_TIME_INFO_Print(TPMS_TIME_INFO *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_TIME_ATTEST_INFO_Print(TPMS_TIME_ATTEST_INFO *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_CERTIFY_INFO_Print(TPMS_CERTIFY_INFO *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_QUOTE_INFO_Print(TPMS_QUOTE_INFO *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_COMMAND_AUDIT_INFO_Print(TPMS_COMMAND_AUDIT_INFO *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_SESSION_AUDIT_INFO_Print(TPMS_SESSION_AUDIT_INFO *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_CREATION_INFO_Print(TPMS_CREATION_INFO *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_NV_CERTIFY_INFO_Print(TPMS_NV_CERTIFY_INFO *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_NV_DIGEST_CERTIFY_INFO_Print(TPMS_NV_DIGEST_CERTIFY_INFO *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMI_ST_ATTEST_Print(const char *string, TPMI_ST_ATTEST selector, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMU_ATTEST_Print(TPMU_ATTEST *source, TPMI_ST_ATTEST selector, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_ATTEST_Print(TPMS_ATTEST *source, unsigned int indent);
+#if 0
+ LIB_EXPORT
+ void TSS_TPM2B_ATTEST_Print(TPM2B_ATTEST *source, unsigned int indent);
+#endif
+ LIB_EXPORT
+ void TSS_TPMS_AUTH_COMMAND_Print(TPMS_AUTH_COMMAND *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_AUTH_RESPONSE_Print(TPMS_AUTH_RESPONSE *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMU_SYM_KEY_BITS_Print(TPMU_SYM_KEY_BITS *source, TPMI_ALG_SYM selector, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM_KEY_BITS_Print(TPM_KEY_BITS source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_SYM_DEF_Print(TPMT_SYM_DEF *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_SYM_DEF_OBJECT_Print(TPMT_SYM_DEF_OBJECT *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_DERIVE_Print(TPMS_DERIVE *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_SENSITIVE_CREATE_Print(TPMS_SENSITIVE_CREATE *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM2B_SENSITIVE_CREATE_Print(const char *string, TPM2B_SENSITIVE_CREATE *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_SCHEME_ECDAA_Print(TPMS_SCHEME_ECDAA *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_SCHEME_XOR_Print(TPMS_SCHEME_XOR *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMU_SCHEME_KEYEDHASH_Print(TPMU_SCHEME_KEYEDHASH *source, TPMI_ALG_KEYEDHASH_SCHEME selector, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_KEYEDHASH_SCHEME_Print(TPMT_KEYEDHASH_SCHEME *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMU_SIG_SCHEME_Print(TPMU_SIG_SCHEME *source, TPMI_ALG_SIG_SCHEME selector, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_SIG_SCHEME_Print(TPMT_SIG_SCHEME *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_KDF_SCHEME_Print(TPMT_KDF_SCHEME *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMU_ASYM_SCHEME_Print(TPMU_ASYM_SCHEME *source, TPMI_ALG_ASYM_SCHEME selector, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_ASYM_SCHEME_Print(TPMT_ASYM_SCHEME *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_RSA_SCHEME_Print(TPMT_RSA_SCHEME *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_RSA_DECRYPT_Print(TPMT_RSA_DECRYPT *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMI_RSA_KEY_BITS_Print(TPMI_RSA_KEY_BITS source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_ECC_POINT_Print(TPMS_ECC_POINT *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM2B_ECC_POINT_Print(const char *string, TPM2B_ECC_POINT *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMI_ECC_CURVE_Print(const char *string, TPMI_ECC_CURVE source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_ECC_SCHEME_Print(TPMT_ECC_SCHEME *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_ALGORITHM_DETAIL_ECC_Print(TPMS_ALGORITHM_DETAIL_ECC *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_SIGNATURE_RSA_Print(TPMS_SIGNATURE_RSA *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_SIGNATURE_RSASSA_Print(TPMS_SIGNATURE_RSASSA *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_SIGNATURE_ECC_Print(TPMS_SIGNATURE_ECC *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMU_SIGNATURE_Print(TPMU_SIGNATURE *source, TPMI_ALG_SIG_SCHEME selector, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_SIGNATURE_Print(TPMT_SIGNATURE *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMU_PUBLIC_ID_Print(TPMU_PUBLIC_ID *source, TPMI_ALG_PUBLIC selector, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMI_ALG_PUBLIC_Print(const char *string, TPMI_ALG_PUBLIC source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_ECC_PARMS_Print(TPMS_ECC_PARMS *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_RSA_PARMS_Print(TPMS_RSA_PARMS *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_KEYEDHASH_PARMS_Print(TPMS_KEYEDHASH_PARMS *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_ASYM_PARMS_Print(TPMS_ASYM_PARMS *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMU_PUBLIC_PARMS_Print(TPMU_PUBLIC_PARMS *source, UINT32 selector, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_PUBLIC_PARMS_Print(TPMT_PUBLIC_PARMS *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_PUBLIC_Print(TPMT_PUBLIC *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM2B_PUBLIC_Print(const char *string, TPM2B_PUBLIC *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMU_SENSITIVE_COMPOSITE_Print(TPMU_SENSITIVE_COMPOSITE *source, uint32_t selector, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMT_SENSITIVE_Print(TPMT_SENSITIVE *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM2B_SENSITIVE_Print(TPM2B_SENSITIVE *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_NV_PIN_COUNTER_PARAMETERS_Print(TPMS_NV_PIN_COUNTER_PARAMETERS *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMA_NV_Print(TPMA_NV source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_NV_PUBLIC_Print(TPMS_NV_PUBLIC *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM2B_NV_PUBLIC_Print(TPM2B_NV_PUBLIC *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_CONTEXT_DATA_Print(TPMS_CONTEXT_DATA *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_CONTEXT_Print(TPMS_CONTEXT *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPMS_CREATION_DATA_Print(TPMS_CREATION_DATA *source, unsigned int indent);
+ LIB_EXPORT
+ void TSS_TPM2B_CREATION_DATA_Print(TPM2B_CREATION_DATA *source, unsigned int indent);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssprintcmd.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssprintcmd.h
new file mode 100644
index 0000000..eb717ba
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssprintcmd.h
@@ -0,0 +1,172 @@
+/********************************************************************************/
+/* */
+/* Structure Print Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is a semi-public header. The API is not guaranteed to be stable, and the format of the
+ output is subject to change
+
+ It is useful for application debug.
+*/
+
+#ifndef TSSPRINTCMD_H
+#define TSSPRINTCMD_H
+
+#include <ibmtss/tss.h>
+
+#include <stdint.h>
+#include <stdio.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ void ActivateCredential_In_Print(ActivateCredential_In *in, unsigned int indent);
+ void CertifyCreation_In_Print(CertifyCreation_In *in, unsigned int indent);
+ void CertifyX509_In_Print(CertifyX509_In *in, unsigned int indent);
+ void Certify_In_Print(Certify_In *in, unsigned int indent);
+ void ChangeEPS_In_Print(ChangeEPS_In *in, unsigned int indent);
+ void ChangePPS_In_Print(ChangePPS_In *in, unsigned int indent);
+ void ClearControl_In_Print(ClearControl_In *in, unsigned int indent);
+ void Clear_In_Print(Clear_In *in, unsigned int indent);
+ void ClockRateAdjust_In_Print(ClockRateAdjust_In *in, unsigned int indent);
+ void ClockSet_In_Print(ClockSet_In *in, unsigned int indent);
+ void Commit_In_Print(Commit_In *in, unsigned int indent);
+ void ContextLoad_In_Print(ContextLoad_In *in, unsigned int indent);
+ void ContextSave_In_Print(ContextSave_In *in, unsigned int indent);
+ void Create_In_Print(Create_In *in, unsigned int indent);
+ void CreateLoaded_In_Print(CreateLoaded_In *in, unsigned int indent);
+ void CreatePrimary_In_Print(CreatePrimary_In *in, unsigned int indent);
+ void DictionaryAttackLockReset_In_Print(DictionaryAttackLockReset_In *in, unsigned int indent);
+ void DictionaryAttackParameters_In_Print(DictionaryAttackParameters_In *in, unsigned int indent);
+ void Duplicate_In_Print(Duplicate_In *in, unsigned int indent);
+ void ECC_Parameters_In_Print(ECC_Parameters_In *in, unsigned int indent);
+ void ECDH_KeyGen_In_Print(ECDH_KeyGen_In *in, unsigned int indent);
+ void ECDH_ZGen_In_Print(ECDH_ZGen_In *in, unsigned int indent);
+ void EC_Ephemeral_In_Print(EC_Ephemeral_In *in, unsigned int indent);
+ void EncryptDecrypt_In_Print(EncryptDecrypt_In *in, unsigned int indent);
+ void EncryptDecrypt2_In_Print(EncryptDecrypt2_In *in, unsigned int indent);
+ void EventSequenceComplete_In_Print(EventSequenceComplete_In *in, unsigned int indent);
+ void EvictControl_In_Print(EvictControl_In *in, unsigned int indent);
+ void FlushContext_In_Print(FlushContext_In *in, unsigned int indent);
+ void GetCapability_In_Print(GetCapability_In *in, unsigned int indent);
+ void GetCommandAuditDigest_In_Print(GetCommandAuditDigest_In *in, unsigned int indent);
+ void GetRandom_In_Print(GetRandom_In *in, unsigned int indent);
+ void GetSessionAuditDigest_In_Print(GetSessionAuditDigest_In *in, unsigned int indent);
+ void GetTime_In_Print(GetTime_In *in, unsigned int indent);
+ void HMAC_Start_In_Print(HMAC_Start_In *in, unsigned int indent);
+ void HMAC_In_Print(HMAC_In *in, unsigned int indent);
+ void HashSequenceStart_In_Print(HashSequenceStart_In *in, unsigned int indent);
+ void Hash_In_Print(Hash_In *in, unsigned int indent);
+ void HierarchyChangeAuth_In_Print(HierarchyChangeAuth_In *in, unsigned int indent);
+ void HierarchyControl_In_Print(HierarchyControl_In *in, unsigned int indent);
+ void Import_In_Print(Import_In *in, unsigned int indent);
+ void IncrementalSelfTest_In_Print(IncrementalSelfTest_In *in, unsigned int indent);
+ void LoadExternal_In_Print(LoadExternal_In *in, unsigned int indent);
+ void Load_In_Print(Load_In *in, unsigned int indent);
+ void MakeCredential_In_Print(MakeCredential_In *in, unsigned int indent);
+ void NTC2_PreConfig_In_Print(NTC2_PreConfig_In *in, unsigned int indent);
+ void NV_Certify_In_Print(NV_Certify_In *in, unsigned int indent);
+ void NV_ChangeAuth_In_Print(NV_ChangeAuth_In *in, unsigned int indent);
+ void NV_DefineSpace_In_Print(NV_DefineSpace_In *in, unsigned int indent);
+ void NV_Extend_In_Print(NV_Extend_In *in, unsigned int indent);
+ void NV_GlobalWriteLock_In_Print(NV_GlobalWriteLock_In *in, unsigned int indent);
+ void NV_Increment_In_Print(NV_Increment_In *in, unsigned int indent);
+ void NV_ReadLock_In_Print(NV_ReadLock_In *in, unsigned int indent);
+ void NV_ReadPublic_In_Print(NV_ReadPublic_In *in, unsigned int indent);
+ void NV_Read_In_Print(NV_Read_In *in, unsigned int indent);
+ void NV_SetBits_In_Print(NV_SetBits_In *in, unsigned int indent);
+ void NV_UndefineSpaceSpecial_In_Print(NV_UndefineSpaceSpecial_In *in, unsigned int indent);
+ void NV_UndefineSpace_In_Print(NV_UndefineSpace_In *in, unsigned int indent);
+ void NV_WriteLock_In_Print(NV_WriteLock_In *in, unsigned int indent);
+ void NV_Write_In_Print(NV_Write_In *in, unsigned int indent);
+ void ObjectChangeAuth_In_Print(ObjectChangeAuth_In *in, unsigned int indent);
+ void PCR_Allocate_In_Print(PCR_Allocate_In *in, unsigned int indent);
+ void PCR_Event_In_Print(PCR_Event_In *in, unsigned int indent);
+ void PCR_Extend_In_Print(PCR_Extend_In *in, unsigned int indent);
+ void PCR_Read_In_Print(PCR_Read_In *in, unsigned int indent);
+ void PCR_Reset_In_Print(PCR_Reset_In *in, unsigned int indent);
+ void PCR_SetAuthPolicy_In_Print(PCR_SetAuthPolicy_In *in, unsigned int indent);
+ void PCR_SetAuthValue_In_Print(PCR_SetAuthValue_In *in, unsigned int indent);
+ void PP_Commands_In_Print(PP_Commands_In *in, unsigned int indent);
+ void PolicyAuthValue_In_Print(PolicyAuthValue_In *in, unsigned int indent);
+ void PolicyAuthorizeNV_In_Print(PolicyAuthorizeNV_In *in, unsigned int indent);
+ void PolicyAuthorize_In_Print(PolicyAuthorize_In *in, unsigned int indent);
+ void PolicyCommandCode_In_Print(PolicyCommandCode_In *in, unsigned int indent);
+ void PolicyCounterTimer_In_Print(PolicyCounterTimer_In *in, unsigned int indent);
+ void PolicyCpHash_In_Print(PolicyCpHash_In *in, unsigned int indent);
+ void PolicyDuplicationSelect_In_Print(PolicyDuplicationSelect_In *in, unsigned int indent);
+ void PolicyGetDigest_In_Print(PolicyGetDigest_In *in, unsigned int indent);
+ void PolicyLocality_In_Print(PolicyLocality_In *in, unsigned int indent);
+ void PolicyNV_In_Print(PolicyNV_In *in, unsigned int indent);
+ void PolicyNameHash_In_Print(PolicyNameHash_In *in, unsigned int indent);
+ void PolicyNvWritten_In_Print(PolicyNvWritten_In *in, unsigned int indent);
+ void PolicyOR_In_Print(PolicyOR_In *in, unsigned int indent);
+ void PolicyPCR_In_Print(PolicyPCR_In *in, unsigned int indent);
+ void PolicyPassword_In_Print(PolicyPassword_In *in, unsigned int indent);
+ void PolicyPhysicalPresence_In_Print(PolicyPhysicalPresence_In *in, unsigned int indent);
+ void PolicyRestart_In_Print(PolicyRestart_In *in, unsigned int indent);
+ void PolicySecret_In_Print(PolicySecret_In *in, unsigned int indent);
+ void PolicySigned_In_Print(PolicySigned_In *in, unsigned int indent);
+ void PolicyTemplate_In_Print(PolicyTemplate_In *in, unsigned int indent);
+ void PolicyTicket_In_Print(PolicyTicket_In *in, unsigned int indent);
+ void Quote_In_Print(Quote_In *in, unsigned int indent);
+ void RSA_Decrypt_In_Print(RSA_Decrypt_In *in, unsigned int indent);
+ void RSA_Encrypt_In_Print(RSA_Encrypt_In *in, unsigned int indent);
+ void ReadPublic_In_Print(ReadPublic_In *in, unsigned int indent);
+ void Rewrap_In_Print(Rewrap_In *in, unsigned int indent);
+ void SelfTest_In_Print(SelfTest_In *in, unsigned int indent);
+ void SequenceComplete_In_Print(SequenceComplete_In *in, unsigned int indent);
+ void SequenceUpdate_In_Print(SequenceUpdate_In *in, unsigned int indent);
+ void SetAlgorithmSet_In_Print(SetAlgorithmSet_In *in, unsigned int indent);
+ void SetCommandCodeAuditStatus_In_Print(SetCommandCodeAuditStatus_In *in, unsigned int indent);
+ void SetPrimaryPolicy_In_Print(SetPrimaryPolicy_In *in, unsigned int indent);
+ void Shutdown_In_Print(Shutdown_In *in, unsigned int indent);
+ void Sign_In_Print(Sign_In *in, unsigned int indent);
+ void StartAuthSession_In_Print(StartAuthSession_In *in, unsigned int indent);
+ void Startup_In_Print(Startup_In *in, unsigned int indent);
+ void StirRandom_In_Print(StirRandom_In *in, unsigned int indent);
+ void TestParms_In_Print(TestParms_In *in, unsigned int indent);
+ void Unseal_In_Print(Unseal_In *in, unsigned int indent);
+ void VerifySignature_In_Print(VerifySignature_In *in, unsigned int indent);
+ void ZGen_2Phase_In_Print(ZGen_2Phase_In *in, unsigned int indent);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssresponsecode.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssresponsecode.h
new file mode 100644
index 0000000..b3de0e8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssresponsecode.h
@@ -0,0 +1,62 @@
+/********************************************************************************/
+/* */
+/* TSS Response Code Printer */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssresponsecode.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015, 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is a semi-public header. The API likely to be stable, but the format and text output are
+ subject to change
+
+ It is useful for application debug.
+*/
+
+#ifndef TSSRESPONSECODE_H
+#define TSSRESPONSECODE_H
+
+#include <ibmtss/TPM_Types.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ LIB_EXPORT
+ void TSS_ResponseCode_toString(const char **msg, const char **submsg, const char **num, TPM_RC rc);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
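Review bot: The single declaration in this header, `TSS_ResponseCode_toString` after the `LIB_EXPORT` line, does not document the contract of its three output pointers: whether `*msg`, `*submsg` and `*num` are always set to non-NULL strings (including for response codes the decoder does not recognise), and whether they point to static storage or to memory the caller must free. The comment block above only says the text output may change, and the imaextend.c caller added later in this commit prints all three with `printf("%s%s%s\n", msg, submsg, num)` with no NULL check, so the answer matters. I would add a short comment above the prototype stating the lifetime of the returned strings and the behaviour for unknown `rc` values, whatever the implementation actually guarantees.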
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsstransmit.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsstransmit.h
new file mode 100644
index 0000000..de35d92
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tsstransmit.h
@@ -0,0 +1,80 @@
+/********************************************************************************/
+/* */
+/* TSS Transmit */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tsstransmit.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015, 2017, 2018 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TSSTRANSMIT_H
+#define TSSTRANSMIT_H
+
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+
+/* copy of TpmTcpProtocol.h. These are only used with the SW TPM. */
+#define TPM_SIGNAL_POWER_ON 1
+#define TPM_SIGNAL_POWER_OFF 2
+#define TPM_SIGNAL_NV_ON 11
+
+/* copy of TpmTcpProtocol.h. These are only used with the SW TPM, but they may be used with a
+ resource manager in the future. */
+#define TPM_SEND_COMMAND 8
+#define TPM_SESSION_END 20
+#define TPM_STOP 21
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+ LIB_EXPORT TPM_RC
+ TSS_TransmitPlatform(TSS_CONTEXT *tssContext,
+ uint32_t command, const char *message);
+ LIB_EXPORT TPM_RC
+ TSS_TransmitCommand(TSS_CONTEXT *tssContext,
+ uint32_t command, const char *message);
+ LIB_EXPORT TPM_RC
+ TSS_Transmit(TSS_CONTEXT *tssContext,
+ uint8_t *responseBuffer, uint32_t *read,
+ const uint8_t *commandBuffer, uint32_t written,
+ const char *message);
+
+ LIB_EXPORT TPM_RC
+ TSS_Close(TSS_CONTEXT *tssContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
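Review bot: In the `TSS_Transmit` prototype the output parameter is named `read`, which collides with the POSIX `read(2)` function name that `<unistd.h>` users will have in scope; it is legal in a prototype but confusing to read and trips shadowing warnings in the definition. I would rename it, e.g. `uint8_t *responseBuffer, uint32_t *responseSize,`, and keep the definition in step. The header also does not say whether `*read` carries the capacity of `responseBuffer` on entry and the byte count on return, or only the latter; presumably the implementation bounds the copy by it, but a one-line comment on the prototype should state the in/out semantics so callers size the buffer correctly.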
diff --git a/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssutils.h b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssutils.h
new file mode 100644
index 0000000..e0800d1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ibmtss/tssutils.h
@@ -0,0 +1,101 @@
+/********************************************************************************/
+/* */
+/* TSS and Application Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssutils.h 1324 2018-08-31 16:36:12Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015, 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is a semi-public header. The API is subject to change.
+
+ It is useful rapid application development, and as sample code. It is risky for production code.
+
+*/
+
+#ifndef TSSUTILS_H
+#define TSSUTILS_H
+
+#include <stdio.h>
+
+#include <ibmtss/TPM_Types.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ typedef TPM_RC (*UnmarshalFunction_t)(void *target, uint8_t **buffer, uint32_t *size);
+ typedef TPM_RC (*UnmarshalFunctionFlag_t)(void *target, uint8_t **buffer, uint32_t *size, BOOL allowNull);
+ typedef TPM_RC (*MarshalFunction_t)(void *source, uint16_t *written, uint8_t **buffer, uint32_t *size);
+
+ LIB_EXPORT
+ TPM_RC TSS_Malloc(unsigned char **buffer, uint32_t size);
+ LIB_EXPORT
+ TPM_RC TSS_Realloc(unsigned char **buffer, uint32_t size);
+
+ LIB_EXPORT
+ TPM_RC TSS_Structure_Marshal(uint8_t **buffer,
+ uint16_t *written,
+ void *structure,
+ MarshalFunction_t marshalFunction);
+
+ LIB_EXPORT
+ TPM_RC TSS_TPM2B_Copy(TPM2B *target, TPM2B *source, uint16_t targetSize);
+
+ LIB_EXPORT
+ TPM_RC TSS_TPM2B_Append(TPM2B *target, TPM2B *source, uint16_t targetSize);
+
+ LIB_EXPORT
+ TPM_RC TSS_TPM2B_Create(TPM2B *target, uint8_t *buffer, uint16_t size, uint16_t targetSize);
+
+ LIB_EXPORT
+ TPM_RC TSS_TPM2B_CreateUint32(TPM2B *target, uint32_t source, uint16_t targetSize);
+
+ LIB_EXPORT
+ TPM_RC TSS_TPM2B_StringCopy(TPM2B *target, const char *source, uint16_t targetSize);
+
+ LIB_EXPORT
+ BOOL TSS_TPM2B_Compare(TPM2B *expect, TPM2B *actual);
+
+ LIB_EXPORT
+ uint16_t TSS_GetDigestSize(TPM_ALG_ID hashAlg);
+
+#ifdef __cplusplus
+}
+#endif
+
+#ifndef TPM_TSS_NOFILE
+#include <ibmtss/tssfile.h>
+#endif
+
+#endif
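Review bot: The TPM2B helpers in this header take read-only inputs through non-const pointers: `source` in `TSS_TPM2B_Copy` and `TSS_TPM2B_Append`, `buffer` in `TSS_TPM2B_Create`, and `expect`/`actual` in `TSS_TPM2B_Compare`. Callers holding `const` data are forced to cast, which hides genuine const violations elsewhere; qualifying them is source-compatible for ordinary callers, e.g. `TPM_RC TSS_TPM2B_Copy(TPM2B *target, const TPM2B *source, uint16_t targetSize);` and `BOOL TSS_TPM2B_Compare(const TPM2B *expect, const TPM2B *actual);`. Separately, `targetSize` is undocumented; it presumably is the capacity of `target->buffer` and the functions fail rather than overflow when `source` exceeds it, but the header should say so, since that bound is the only thing protecting the fixed-size TPM2B unions from oversized input.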
diff --git a/libstb/tss2/ibmtpm20tss/utils/imaextend.c b/libstb/tss2/ibmtpm20tss/utils/imaextend.c
new file mode 100644
index 0000000..d685631
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/imaextend.c
@@ -0,0 +1,437 @@
+/********************************************************************************/
+/* */
+/* Extend an IMA measurement list into PCRs */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2014 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* imaextend is test/demo code. It parses a TPM 1.2 IMA event log file and extends the measurements
+ into TPM PCRs. This simulates the actions that would be performed by the Linux kernel IMA in a
+ hardware platform.
+
+ To test incremental attestations, the caller can optionally specify a beginning event number and
+ ending event number.
+
+ To test a platform without a TPM or TPM device driver, but where IMA is creating an event log,
+ the caller can optionally specify a sleep time. The program will then incrementally extend after
+ each sleep.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <unistd.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tssutils.h>
+
+#include "imalib.h"
+
+/* local prototypes */
+
+static TPM_RC copyDigest(PCR_Extend_In *in,
+ ImaEvent *imaEvent);
+static TPM_RC pcrread(TSS_CONTEXT *tssContext,
+ TPMI_DH_PCR pcrHandle);
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+int vverbose = FALSE;
+
+int main(int argc, char * argv[])
+{
+ TPM_RC rc = 0;
+ int i = 0;
+ TSS_CONTEXT *tssContext = NULL;
+ PCR_Extend_In in;
+ const char *infilename = NULL;
+ FILE *infile = NULL;
+ int littleEndian = FALSE;
+ int sim = FALSE; /* extend into simulated PCRs */
+ uint32_t bankNum = 0; /* PCR hash bank, 0 is SHA-1, 1 is
+ SHA-256 */
+ unsigned int pcrNum = 0; /* PCR number iterator */
+ TPMT_HA simPcrs[IMA_PCR_BANKS][IMPLEMENTATION_PCR];
+ unsigned long beginEvent = 0; /* default beginning of log */
+ unsigned long endEvent = 0xffffffff; /* default end of log */
+ unsigned int loopTime = 0; /* default no loop */
+ ImaEvent imaEvent;
+ unsigned int lineNum;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; i<argc ; i++) {
+ if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ infilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ exit(2);
+ }
+ }
+ else if (strcmp(argv[i],"-sim") == 0) {
+ sim = TRUE;
+ }
+ else if (strcmp(argv[i],"-le") == 0) {
+ littleEndian = TRUE;
+ }
+ else if (strcmp(argv[i],"-b") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%lu", &beginEvent);
+ }
+ else {
+ printf("Missing parameter for -b\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-e") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%lu", &endEvent);
+ }
+ else {
+ printf("Missing parameter for -e\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-l") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%u", &loopTime);
+ }
+ else {
+ printf("Missing parameter for -e\n");
+ printUsage();
+ }
+ }
+ else if (!strcmp(argv[i], "-h")) {
+ printUsage();
+ }
+ else if (!strcmp(argv[i], "-v")) {
+ tssUtilsVerbose = TRUE;
+ vverbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (infilename == NULL) {
+ printf("Missing -if argument\n");
+ printUsage();
+ }
+ if (!sim) {
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ if (rc == 0) {
+ uint32_t algs; /* hash algorithm iterator */
+ in.digests.count = 2; /* extend SHA-1 and SHA-256 banks */
+ in.digests.digests[0].hashAlg = TPM_ALG_SHA1;
+ in.digests.digests[1].hashAlg = TPM_ALG_SHA256;
+ /* IMA zero extends into the SHA-256 bank */
+ for (algs = 0 ; algs < in.digests.count ; algs++) {
+ memset((uint8_t *)&in.digests.digests[algs].digest, 0, sizeof(TPMU_HA));
+ }
+ }
+ if ((rc == 0) && tssUtilsVerbose) {
+ printf("Initial PCR 10 value\n");
+ rc = pcrread(tssContext, 10);
+ }
+ }
+ else { /* sim TRUE */
+ /* simulated PCRs start at zero at boot */
+ if (rc == 0) {
+ for (pcrNum = 0 ; pcrNum < IMPLEMENTATION_PCR ; pcrNum++) {
+ /* initialize each algorithm ID */
+ simPcrs[0][pcrNum].hashAlg = TPM_ALG_SHA1;
+ simPcrs[1][pcrNum].hashAlg = TPM_ALG_SHA256;
+ memset(&simPcrs[0][pcrNum].digest.tssmax, 0, SHA1_DIGEST_SIZE);
+ memset(&simPcrs[1][pcrNum].digest.tssmax, 0, SHA256_DIGEST_SIZE);
+ }
+ }
+ }
+ /*
+ scan each measurement 'line' in the binary
+ */
+ do {
+ /* read the IMA event log file */
+ int endOfFile = FALSE;
+ if (rc == 0) {
+ infile = fopen(infilename,"rb");
+ if (infile == NULL) {
+ printf("Unable to open input file '%s'\n", infilename);
+ rc = TSS_RC_FILE_OPEN;
+ }
+ }
+ for (lineNum = 0 ; (rc == 0) && !endOfFile ; lineNum++) {
+ /* read an IMA event line */
+ IMA_Event_Init(&imaEvent);
+ if (rc == 0) {
+ rc = IMA_Event_ReadFile(&imaEvent, &endOfFile, infile,
+ littleEndian);
+ }
+ /*
+ if the event line is in range
+ */
+ if ((rc == 0) && (lineNum >= beginEvent) && (lineNum <= endEvent) && !endOfFile) {
+ /* debug tracing */
+ if (rc == 0) {
+ ImaTemplateData imaTemplateData;
+ if (tssUtilsVerbose) printf("\n");
+ printf("imaextend: line %u\n", lineNum);
+ if (tssUtilsVerbose) {
+ IMA_Event_Trace(&imaEvent, FALSE);
+ /* unmarshal the template data */
+ if (rc == 0) {
+ rc = IMA_TemplateData_ReadBuffer(&imaTemplateData,
+ &imaEvent,
+ littleEndian);
+ }
+ if (rc == 0) {
+ IMA_TemplateData_Trace(&imaTemplateData,
+ imaEvent.nameInt);
+ }
+ else {
+ printf("imaextend: Error parsing template data, event %u\n", lineNum);
+ rc = 0; /* not a fatal error */
+ }
+ }
+ }
+ if (!sim) {
+ if (rc == 0) {
+ in.pcrHandle = imaEvent.pcrIndex; /* normally PCR 10 */
+ }
+ /* copy the SHA-1 digest to be extended into the SHA-1 and SHA-256 banks */
+ if (rc == 0) {
+ rc = copyDigest(&in, &imaEvent);
+ }
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PCR_Extend,
+ TPM_RS_PW, NULL, 0,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (rc == 0 && tssUtilsVerbose) {
+ rc = pcrread(tssContext, imaEvent.pcrIndex);
+ }
+ }
+ else { /* sim */
+ /* even though IMA_Event_ReadFile() range checks the PCR index, range check it
+ again here to silence the static analysis tool */
+ if (rc == 0) {
+ if (imaEvent.pcrIndex >= IMPLEMENTATION_PCR) {
+ printf("imaextend: PCR index %u %08x out of range\n",
+ imaEvent.pcrIndex, imaEvent.pcrIndex);
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ if (rc == 0) {
+ rc = IMA_Event_PcrExtend(simPcrs, &imaEvent);
+ }
+ if (rc == 0 && tssUtilsVerbose) {
+ TSS_PrintAll("PCR digest SHA-1",
+ simPcrs[0][imaEvent.pcrIndex].digest.tssmax,
+ SHA1_DIGEST_SIZE);
+ TSS_PrintAll("PCR digest SHA-256",
+ simPcrs[1][imaEvent.pcrIndex].digest.tssmax,
+ SHA256_DIGEST_SIZE);
+
+
+ }
+ }
+ } /* for each IMA event in range */
+ IMA_Event_Free(&imaEvent);
+ } /* for each IMA event line */
+ if (tssUtilsVerbose && (loopTime != 0)) printf("set beginEvent to %u\n", lineNum-1);
+ beginEvent = lineNum-1; /* remove the last increment at EOF */
+ if (infile != NULL) {
+ fclose(infile);
+ }
+#ifdef TPM_POSIX
+ sleep(loopTime);
+#endif
+#ifdef TPM_WINDOWS
+ Sleep(loopTime * 1000);
+#endif
+
+ } while ((rc == 0) && (loopTime != 0)); /* sleep loop */
+ if (!sim) {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ else { /* sim */
+ for (bankNum = 0 ; (rc == 0) && (bankNum < IMA_PCR_BANKS) ; bankNum++) {
+ TSS_TPM_ALG_ID_Print("algorithmId", simPcrs[bankNum][0].hashAlg, 0);
+ for (pcrNum = 0 ; pcrNum < IMPLEMENTATION_PCR ; pcrNum++) {
+ char pcrString[9]; /* PCR number */
+ uint16_t digestSize;
+ sprintf(pcrString, "PCR %02u:", pcrNum);
+ /* TSS_PrintAllLogLevel() with a log level of LOGLEVEL_INFO to print the byte
+ array on one line with no length */
+ digestSize = TSS_GetDigestSize(simPcrs[bankNum][pcrNum].hashAlg);
+ TSS_PrintAllLogLevel(LOGLEVEL_INFO, pcrString, 1,
+ simPcrs[bankNum][pcrNum].digest.tssmax,
+ digestSize);
+ }
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("imaextend: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("imaextend: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static TPM_RC copyDigest(PCR_Extend_In *in,
+ ImaEvent *imaEvent)
+{
+ TPM_RC rc = 0;
+ unsigned char zeroDigest[SHA1_DIGEST_SIZE];
+ int notAllZero;
+ if (rc == 0) {
+ memset(zeroDigest, 0, SHA1_DIGEST_SIZE);
+ notAllZero = memcmp(imaEvent->digest, zeroDigest, SHA1_DIGEST_SIZE);
+ /* the SHA-256 bank has already been 0 extended, so only the first 20 bytes need be
+ copied */
+ if (notAllZero) {
+ memcpy((uint8_t *)&in->digests.digests[0].digest, imaEvent->digest, SHA1_DIGEST_SIZE);
+ memcpy((uint8_t *)&in->digests.digests[1].digest, imaEvent->digest, SHA1_DIGEST_SIZE);
+ }
+ /* IMA has a quirk where some measurements store a zero digest in the event log, but
+ extend ones into PCR 10 */
+ else {
+ memset((uint8_t *)&in->digests.digests[0].digest, 0xff, SHA1_DIGEST_SIZE);
+ memset((uint8_t *)&in->digests.digests[1].digest, 0xff, SHA1_DIGEST_SIZE);
+ }
+ }
+ return rc;
+}
+
+static TPM_RC pcrread(TSS_CONTEXT *tssContext,
+ TPMI_DH_PCR pcrHandle)
+{
+ TPM_RC rc = 0;
+ /* for debug, read back and trace the PCR value after the extend */
+ PCR_Read_In pcrReadIn;
+ PCR_Read_Out pcrReadOut;
+
+ if (rc == 0) {
+ pcrReadIn.pcrSelectionIn.count = 2;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].hash = TPM_ALG_SHA1;
+ pcrReadIn.pcrSelectionIn.pcrSelections[1].hash = TPM_ALG_SHA256;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].sizeofSelect = 3;
+ pcrReadIn.pcrSelectionIn.pcrSelections[1].sizeofSelect = 3;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[0] = 0;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[1] = 0;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[2] = 0;
+ pcrReadIn.pcrSelectionIn.pcrSelections[1].pcrSelect[0] = 0;
+ pcrReadIn.pcrSelectionIn.pcrSelections[1].pcrSelect[1] = 0;
+ pcrReadIn.pcrSelectionIn.pcrSelections[1].pcrSelect[2] = 0;
+ pcrReadIn.pcrSelectionIn.pcrSelections[0].pcrSelect[pcrHandle / 8] =
+ 1 << (pcrHandle % 8);
+ pcrReadIn.pcrSelectionIn.pcrSelections[1].pcrSelect[pcrHandle / 8] =
+ 1 << (pcrHandle % 8);
+ }
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&pcrReadOut,
+ (COMMAND_PARAMETERS *)&pcrReadIn,
+ NULL,
+ TPM_CC_PCR_Read,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (rc == 0) {
+ TSS_PrintAll("PCR digest SHA-1",
+ pcrReadOut.pcrValues.digests[0].t.buffer,
+ pcrReadOut.pcrValues.digests[0].t.size);
+ TSS_PrintAll("PCR digest SHA-256",
+ pcrReadOut.pcrValues.digests[1].t.buffer,
+ pcrReadOut.pcrValues.digests[1].t.size);
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("imaextend\n");
+ printf("\n");
+ printf("Runs TPM2_PCR_Extend to Extend a SHA-1 IMA measurement file (binary) into TPM PCRs\n");
+ printf("The IMA measurement is directly extended into the SHA-1 bank, and a zero padded\n");
+ printf("measurement is extended into the SHA-256 bank\n");
+ printf("\n");
+ printf("This handles the case where a zero measurement extends ones into the IMA PCR\n");
+ printf("\n");
+ printf("If -sim is specified, TPM PCRs are not extended. Rather, imaextend extends into\n");
+ printf("simluated PCRs and traces the result.\n");
+ printf("\n");
+ printf("\t-if\tIMA event log file name\n");
+ printf("\t[-le\tinput file is little endian (default big endian)]\n");
+ printf("\t[-sim\tcalculate simulated PCRs]\n");
+ printf("\t[-b\tbeginning entry (default 0, beginning of log)]\n");
+ printf("\t\tA beginning entry after the end of the log becomes a noop\n");
+ printf("\t[-e\tending entry (default end of log)]\n");
+ printf("\t\tE.g., -b 0 -e 0 sends one entry\n");
+ printf("\t[-l\ttime - run in a continuous loop, with a sleep of 'time' seconds betwteen loops]\n");
+ printf("\t\tThe intent is that this be run without specifying -b and -e\n");
+ printf("\t\tAfer each pass, the next beginning entry is set to the last entry +1\n");
+ printf("\n");
+ exit(1);
+}
+
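Review bot: `pcrread` indexes `pcrSelect[pcrHandle / 8]` on both selections without checking `pcrHandle` itself, while `sizeofSelect` is fixed at 3 and only three bytes are zeroed; in the non-sim path of `main` it is called with `imaEvent.pcrIndex`, which comes from the event log file. The sim path re-checks that index against `IMPLEMENTATION_PCR` explicitly (to satisfy static analysis, per its comment), so for consistency `pcrread` should do the same before the writes: `if (pcrHandle >= IMPLEMENTATION_PCR) { return TSS_RC_BAD_PROPERTY_VALUE; }`, which also stops relying on `IMA_Event_ReadFile` for the bound; the declared size of `pcrSelect` is not visible here, so whether an out-of-range value corrupts the stack or merely the next field is unknown. Two smaller points in the option parser: the `-l` branch reports `Missing parameter for -e` and should say `-l`, and the three `sscanf(argv[i], ...)` calls ignore their return value, so a non-numeric argument silently leaves `beginEvent`, `endEvent` or `loopTime` at its default; `strtoul` with an end-pointer check, or at least `if (sscanf(argv[i], "%lu", &beginEvent) != 1) { printUsage(); }`, would make the failure visible.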
diff --git a/libstb/tss2/ibmtpm20tss/utils/imalib.c b/libstb/tss2/ibmtpm20tss/utils/imalib.c
new file mode 100644
index 0000000..06373c5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/imalib.c
@@ -0,0 +1,1832 @@
+/********************************************************************************/
+/* */
+/* IMA Routines */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* imalib is a set of utility functions to handle IMA (Integrity Measurement Architecture) event
+ logs.
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#ifdef TPM_POSIX
+#include <arpa/inet.h>
+#endif
+
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <openssl/x509.h>
+#include <openssl/bio.h>
+
+#include <ibmtss/TPM_Types.h>
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tssprint.h>
+#include <ibmtss/tsserror.h>
+
+#include "imalib.h"
+
+#define IMA_PARSE_FUNCTIONS_MAX 128
+
+static uint32_t IMA_Uint32_Convert(const uint8_t *stream,
+ int littleEndian);
+static uint32_t IMA_Strn2cpy(char *dest, const uint8_t *src,
+ size_t destLength, size_t srcLength);
+static void IMA_Event_ParseName(ImaEvent *imaEvent);
+
+static uint32_t IMA_TemplateData_ReadFile(ImaEvent *imaEvent,
+ int *endOfFile,
+ FILE *inFile,
+ int littleEndian);
+static uint32_t IMA_TemplateDataIma_ReadFile(ImaEvent *imaEvent,
+ int *endOfFile,
+ FILE *inFile,
+ int littleEndian);
+
+/* callback to parse a template data field */
+
+typedef uint32_t (*TemplateDataParseFunction_t)(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian);
+static uint32_t IMA_TemplateName_Parse(TemplateDataParseFunction_t templateDataParseFunctions[],
+ size_t templateDataParseFunctionsSize,
+ ImaEvent *imaEvent);
+static uint32_t
+IMA_TemplateName_ParseCustom(TemplateDataParseFunction_t templateDataParseFunctions[],
+ size_t templateDataParseFunctionsSize,
+ ImaEvent *imaEvent);
+static uint32_t IMA_ParseD(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian);
+static uint32_t IMA_ParseDNG(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian);
+static uint32_t IMA_ParseNNG(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian);
+static uint32_t IMA_ParseSIG(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian);
+static uint32_t IMA_ParseDMODSIG(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian);
+static uint32_t IMA_ParseMODSIG(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian);
+static uint32_t IMA_ParseBUF(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian);
+
+extern int tssUtilsVerbose;
+
+/* IMA_Event_Init() initializes the ImaEvent structure so that IMA_Event_Free() is safe.
+
+ */
+
+void IMA_Event_Init(ImaEvent *imaEvent)
+{
+ if (imaEvent != NULL) {
+ imaEvent->nameInt = IMA_UNSUPPORTED;
+ imaEvent->template_data = NULL;
+ }
+ return;
+}
+
+/* IMA_Event_Free() frees any memory allocated for the ImaEvent structure.
+
+ */
+
+void IMA_Event_Free(ImaEvent *imaEvent)
+{
+ if (imaEvent != NULL) {
+ free(imaEvent->template_data);
+ imaEvent->template_data = NULL;
+ }
+ return;
+}
+
+/* IMA_Event_Trace() traces the ImaEvent structure.
+
+ If traceTemplate is FALSE, template data is not traced. This handles the case where template
+ data is not unmarshaled.
+
+*/
+
+void IMA_Event_Trace(ImaEvent *imaEvent, int traceTemplate)
+{
+ printf("IMA_Event_Trace: PCR index %u\n", imaEvent->pcrIndex);
+ TSS_PrintAll("IMA_Event_Trace: hash",
+ imaEvent->digest, sizeof(((ImaEvent *)NULL)->digest));
+
+ printf("IMA_Event_Trace: name length %u\n", imaEvent->name_len);
+ printf("IMA_Event_Trace: name %s\n", imaEvent->name);
+ printf("IMA_Event_Trace: name integer %u\n", imaEvent->nameInt);
+ printf("IMA_Event_Trace: template data length %u\n", imaEvent->template_data_len);
+ /* in some use cases, the template_data field is not populated. In those cases, do not trace
+ it. */
+ if (traceTemplate) {
+ TSS_PrintAll("IMA_Event_Trace: template data",
+ imaEvent->template_data, imaEvent->template_data_len);
+ }
+ return;
+}
+
+/* IMA_Event_ParseName() parses the Template Name and sets the nameInt field */
+
+static void IMA_Event_ParseName(ImaEvent *imaEvent)
+{
+ if (strcmp(imaEvent->name, "ima-ng") == 0) {
+ imaEvent->nameInt = IMA_FORMAT_IMA_NG;
+ }
+ else if (strcmp(imaEvent->name, "ima-sig") == 0) {
+ imaEvent->nameInt = IMA_FORMAT_IMA_SIG;
+ }
+ else if (strcmp(imaEvent->name, "ima") == 0) {
+ imaEvent->nameInt = IMA_FORMAT_IMA;
+ }
+ else if (strcmp(imaEvent->name, "ima-modsig") == 0) {
+ imaEvent->nameInt = IMA_FORMAT_MODSIG;
+ }
+ else if (strcmp(imaEvent->name, "ima-buf") == 0) {
+ imaEvent->nameInt = IMA_FORMAT_BUF;
+ }
+ /* the template data parser currently supports only these formats. */
+ else {
+ imaEvent->nameInt = IMA_UNSUPPORTED;
+ }
+ return;
+}
+
+void IMA_TemplateData_Init(ImaTemplateData *imaTemplateData)
+{
+ imaTemplateData->imaTemplateDNG.hashLength = 0;
+ imaTemplateData->imaTemplateDNG.fileDataHashLength = 0;
+ imaTemplateData->imaTemplateNNG.fileNameLength = 0;
+ imaTemplateData->imaTemplateNNG.fileName[0] = '\0';
+ imaTemplateData->imaTemplateSIG.sigLength = 0;
+ imaTemplateData->imaTemplateSIG.sigHeaderLength = 0;
+ imaTemplateData->imaTemplateSIG.signatureSize = 0;
+ imaTemplateData->imaTemplateDMODSIG.dModSigHashLength = 0;
+ imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHashLength = 0;
+ imaTemplateData->imaTemplateMODSIG.modSigLength = 0;
+ imaTemplateData->imaTemplateBUF.bufLength = 0;
+ return;
+}
+
+/* IMA_TemplateData_Trace() traces the ImaTemplateData structure.
+
+ nameInt maps to the template name.
+
+*/
+
+void IMA_TemplateData_Trace(ImaTemplateData *imaTemplateData,
+ unsigned int nameInt)
+{
+ nameInt = nameInt; /* obsolete now that custom templates are supported */
+ /* d-ng */
+ printf("IMA_TemplateData_Trace: DNG hashLength %u\n", imaTemplateData->imaTemplateDNG.hashLength);
+ printf("IMA_TemplateData_Trace: DNG hashAlg %s\n", imaTemplateData->imaTemplateDNG.hashAlg);
+ TSS_PrintAll("IMA_Template_Trace: DNG file data hash",
+ imaTemplateData->imaTemplateDNG.fileDataHash,
+ imaTemplateData->imaTemplateDNG.fileDataHashLength);
+ /* n-ng */
+ printf("IMA_TemplateData_Trace: NNG fileNameLength %u\n",
+ imaTemplateData->imaTemplateNNG.fileNameLength);
+ if (imaTemplateData->imaTemplateNNG.fileNameLength > 0) {
+ printf("IMA_TemplateData_Trace: NNG fileName %s\n", imaTemplateData->imaTemplateNNG.fileName);
+ }
+ /* sig */
+ printf("IMA_TemplateData_Trace: SIG sigLength %u\n", imaTemplateData->imaTemplateSIG.sigLength);
+ if (imaTemplateData->imaTemplateSIG.sigLength != 0) {
+ TSS_PrintAll("IMA_TemplateData_Trace: sigHeader",
+ imaTemplateData->imaTemplateSIG.sigHeader,
+ imaTemplateData->imaTemplateSIG.sigHeaderLength);
+ printf("IMA_TemplateData_Trace: SIG signatureSize %u\n",
+ imaTemplateData->imaTemplateSIG.signatureSize);
+ TSS_PrintAll("IMA_TemplateData_Trace: SIG signature",
+ imaTemplateData->imaTemplateSIG.signature,
+ imaTemplateData->imaTemplateSIG.signatureSize);
+ }
+ /* d-modsig */
+ printf("IMA_TemplateData_Trace: DMODSIG dModSigHashLength %u\n",
+ imaTemplateData->imaTemplateDMODSIG.dModSigHashLength);
+ if (imaTemplateData->imaTemplateDMODSIG.dModSigHashLength != 0) {
+ printf("IMA_TemplateData_Trace: DMODSIG dModSigHashAlg %s\n",
+ imaTemplateData->imaTemplateDMODSIG.dModSigHashAlg);
+ TSS_PrintAll("IMA_Template_Trace: DMODSIG file data hash",
+ imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHash,
+ imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHashLength);
+ }
+ /* modsig */
+ printf("IMA_TemplateData_Trace: MODSIG modSigLength %u\n",
+ imaTemplateData->imaTemplateMODSIG.modSigLength);
+ if (imaTemplateData->imaTemplateMODSIG.modSigLength != 0) {
+ TSS_PrintAll("IMA_TemplateData_Trace: MODSIG modSigData",
+ imaTemplateData->imaTemplateMODSIG.modSigData,
+ imaTemplateData->imaTemplateMODSIG.modSigLength);
+#ifndef TPM_TSS_MBEDTLS
+ {
+ PKCS7 *pkcs7 = NULL;
+ unsigned char *tmpData = NULL;
+ /* tmp pointer because d2i moves the pointer */
+ tmpData = imaTemplateData->imaTemplateMODSIG.modSigData;
+ pkcs7 = d2i_PKCS7(NULL, /* freed @1 */
+ (const unsigned char **)&tmpData,
+ imaTemplateData->imaTemplateMODSIG.modSigLength);
+ if (pkcs7 != NULL) {
+ BIO *bio = NULL;
+ bio = BIO_new_fd(fileno(stdout), BIO_NOCLOSE); /* freed @2 */
+ if (bio != NULL) {
+ PKCS7_print_ctx(bio, pkcs7, 4, NULL);
+ BIO_free(bio); /* @2 */
+ }
+ else {
+ printf("IMA_TemplateData_Trace: MODSIG Could not create BIO for PKCS7\n");
+ }
+ PKCS7_free(pkcs7); /* @1 */
+ }
+ else {
+ printf("IMA_TemplateData_Trace: MODSIG Could not trace modSigData as PKCS7\n");
+ }
+ }
+#endif /* TPM_TSS_MBEDTLS */
+ }
+ /* buf */
+ printf("IMA_TemplateData_Trace: BUF bufLength %u\n", imaTemplateData->imaTemplateBUF.bufLength);
+ if (imaTemplateData->imaTemplateBUF.bufLength != 0) {
+ TSS_PrintAll("IMA_TemplateData_Trace: BUF bufData",
+ imaTemplateData->imaTemplateBUF.bufData, imaTemplateData->imaTemplateBUF.bufLength);
+#ifndef TPM_TSS_MBEDTLS
+ if ((strcmp((const char *)imaTemplateData->imaTemplateNNG.fileName, ".builtin_trusted_keys") == 0) ||
+ (strcmp((const char *)imaTemplateData->imaTemplateNNG.fileName, ".ima") == 0)) {
+ {
+ X509 *x509 = NULL;
+ unsigned char *tmpData = NULL;
+ /* tmp pointer because d2i moves the pointer */
+ tmpData = imaTemplateData->imaTemplateBUF.bufData;
+ x509 = d2i_X509(NULL, /* freed @1 */
+ (const unsigned char **)&tmpData,
+ imaTemplateData->imaTemplateBUF.bufLength);
+ if (x509 != NULL) {
+ X509_print_fp(stdout, x509);
+ X509_free(x509); /* @1 */
+ }
+ else {
+ printf("IMA_TemplateData_Trace: BUF Could not trace bufData as X509\n");
+ }
+ }
+
+ }
+#endif /* TPM_TSS_MBEDTLS */
+ }
+ return;
+}
+
+/* IMA_Event_ReadFile() reads one IMA event from a file.
+
+ It currently supports these template formats: ima, ima-ng, ima-sig.
+
+ This is typically used at the client, reading from the pseudofile.
+*/
+
+uint32_t IMA_Event_ReadFile(ImaEvent *imaEvent, /* freed by caller */
+ int *endOfFile,
+ FILE *inFile,
+ int littleEndian)
+{
+ int rc = 0;
+ size_t readSize;
+ *endOfFile = FALSE;
+
+ imaEvent->template_data = NULL; /* for free */
+
+ /* read the IMA PCR index */
+ if ((rc == 0) && !(*endOfFile)) {
+ readSize = fread(&(imaEvent->pcrIndex),
+ sizeof(((ImaEvent *)NULL)->pcrIndex), 1, inFile);
+ if (readSize != 1) {
+ if (feof(inFile)) {
+ *endOfFile = TRUE;
+ }
+ else {
+ printf("ERROR: IMA_Event_ReadFile: could not read pcrIndex, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ /* PCR index endian convert */
+ if ((rc == 0) && !(*endOfFile)) {
+ imaEvent->pcrIndex = IMA_Uint32_Convert((uint8_t *)&imaEvent->pcrIndex, littleEndian);
+ /* range check the PCR index */
+ if (imaEvent->pcrIndex >= IMPLEMENTATION_PCR) {
+ printf("ERROR: IMA_Event_ReadFile: PCR index %u %08x out of range\n",
+ imaEvent->pcrIndex, imaEvent->pcrIndex);
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ /* read the IMA digest, this is hard coded to SHA-1 */
+ if ((rc == 0) && !(*endOfFile)) {
+ readSize = fread(&(imaEvent->digest),
+ sizeof(((ImaEvent *)NULL)->digest), 1, inFile);
+ if (readSize != 1) {
+ if (feof(inFile)) {
+ *endOfFile = TRUE;
+ }
+ else {
+ printf("ERROR: IMA_Event_ReadFile: could not read digest, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ /* read the IMA name length */
+ if ((rc == 0) && !(*endOfFile)) {
+ readSize = fread(&(imaEvent->name_len),
+ sizeof(((ImaEvent *)NULL)->name_len), 1, inFile);
+ if (readSize != 1) {
+ if (feof(inFile)) {
+ *endOfFile = TRUE;
+ }
+ else {
+ printf("ERROR: IMA_Event_ReadFile: could not read name_len, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ if ((rc == 0) && !(*endOfFile)) {
+ imaEvent->name_len = IMA_Uint32_Convert((uint8_t *)&imaEvent->name_len, littleEndian);
+ }
+ /* bounds check the name length, leave a byte for the nul terminator */
+ if ((rc == 0) && !(*endOfFile)) {
+ if (imaEvent->name_len > (sizeof(((ImaEvent *)NULL)->name)) -1) {
+ printf("ERROR: IMA_Event_ReadFile: template name length too big: %u\n",
+ imaEvent->name_len);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* read the template name */
+ if ((rc == 0) && !(*endOfFile)) {
+ /* nul terminate first */
+ memset(imaEvent->name, 0, sizeof(((ImaEvent *)NULL)->name));
+ readSize = fread(&(imaEvent->name),
+ imaEvent->name_len, 1, inFile);
+ if (readSize != 1) {
+ if (feof(inFile)) {
+ *endOfFile = TRUE;
+ }
+ else {
+ printf("ERROR: IMA_Event_ReadFile: could not read template name, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ /* record the template name as an int */
+ if ((rc == 0) && !(*endOfFile)) {
+ IMA_Event_ParseName(imaEvent);
+ }
+ if ((rc == 0) && !(*endOfFile)) {
+ if (imaEvent->nameInt != IMA_FORMAT_IMA) { /* standard format */
+ rc = IMA_TemplateData_ReadFile(imaEvent, endOfFile, inFile, littleEndian);
+ }
+ else { /* unique 'ima' format */
+ rc = IMA_TemplateDataIma_ReadFile(imaEvent, endOfFile, inFile, littleEndian);
+ }
+ }
+ return rc;
+}
+
+/* IMA_TemplateData_ReadFile() reads the template data as a pure array. It handles the normal case
+ of template data length plus template data.
+*/
+
+static uint32_t IMA_TemplateData_ReadFile(ImaEvent *imaEvent, /* freed by caller */
+ int *endOfFile,
+ FILE *inFile,
+ int littleEndian)
+{
+ int rc = 0;
+ size_t readSize;
+
+ /* read template data length */
+ if ((rc == 0) && !(*endOfFile)) {
+ readSize = fread(&(imaEvent->template_data_len),
+ sizeof(((ImaEvent *)NULL)->template_data_len ), 1, inFile);
+ if (readSize != 1) {
+ if (feof(inFile)) {
+ *endOfFile = TRUE;
+ }
+ else {
+ printf("ERROR: IMA_TemplateData_ReadFile: could not read template_data_len, "
+ " returned %lu\n", (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ if ((rc == 0) && !(*endOfFile)) {
+ imaEvent->template_data_len =
+ IMA_Uint32_Convert((uint8_t *)&imaEvent->template_data_len,
+ littleEndian);
+ }
+ /* bounds check the template data length */
+ if ((rc == 0) && !(*endOfFile)) {
+ if (imaEvent->template_data_len > TCG_TEMPLATE_DATA_LEN_MAX) {
+ printf("ERROR: IMA_TemplateData_ReadFile: template data length too big: %u\n",
+ imaEvent->template_data_len);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if ((rc == 0) && !(*endOfFile)) {
+ imaEvent->template_data = malloc(imaEvent->template_data_len);
+ if (imaEvent->template_data == NULL) {
+ printf("ERROR: IMA_TemplateData_ReadFile: "
+ "could not allocate template data, size %u\n",
+ imaEvent->template_data_len);
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if ((rc == 0) && !(*endOfFile)) {
+ readSize = fread(imaEvent->template_data,
+ imaEvent->template_data_len, 1, inFile);
+ if (readSize != 1) {
+ if (feof(inFile)) {
+ *endOfFile = TRUE;
+ }
+ else {
+ printf("ERROR: IMA_Event_ReadFile: could not read template_data, "
+ "returned %lu\n", (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ return rc;
+}
+
+/* IMA_TemplateDataIma_ReadFile() reads the template data. It handles the special case of the
+ template name 'ima', which does not have a template data length. 'ima' has a 20 byte file data
+ hash, a 4 byte file name length, and a file name.
+*/
+
+static uint32_t IMA_TemplateDataIma_ReadFile(ImaEvent *imaEvent, /* freed by caller */
+ int *endOfFile,
+ FILE *inFile,
+ int littleEndian)
+{
+ int rc = 0;
+ size_t readSize;
+ uint8_t fileDataHash[SHA1_DIGEST_SIZE]; /* IMA hard coded to SHA-1 */
+ uint32_t fileNameLengthIbo; /* ima log byte order */
+ uint32_t fileNameLength; /* host byte order */
+
+ /* read the fileDataHash digest, this is hard coded to SHA-1 */
+ if ((rc == 0) && !(*endOfFile)) {
+ readSize = fread(&fileDataHash,
+ sizeof(fileDataHash), 1, inFile);
+ if (readSize != 1) {
+ if (feof(inFile)) {
+ *endOfFile = TRUE;
+ }
+ else {
+ printf("ERROR: IMA_TemplateDataIma_ReadFile: "
+ "could not read fileDataHash, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ /* read the IMA name length */
+ if ((rc == 0) && !(*endOfFile)) {
+ readSize = fread(&fileNameLengthIbo,
+ sizeof(fileNameLength), 1, inFile);
+ if (readSize != 1) {
+ if (feof(inFile)) {
+ *endOfFile = TRUE;
+ }
+ else {
+ printf("ERROR: IMA_TemplateDataIma_ReadFile: "
+ "could not read fileNameLength, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ if ((rc == 0) && !(*endOfFile)) {
+ fileNameLength = IMA_Uint32_Convert((uint8_t *)&fileNameLengthIbo, littleEndian);
+ /* should check for addition overflowing a uint32_t */
+ if (fileNameLength > (0xffffffff - (uint32_t)(sizeof(fileDataHash) + sizeof(fileNameLength)))) {
+ printf("ERROR: IMA_TemplateDataIma_ReadFile: file name length too big: %u\n",
+ fileNameLength);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if ((rc == 0) && !(*endOfFile)) {
+ /* addition is safe because of above check */
+ imaEvent->template_data_len = sizeof(fileDataHash) + sizeof(fileNameLength) + fileNameLength;
+ }
+ /* bounds check the template data length */
+ if ((rc == 0) && !(*endOfFile)) {
+ if (imaEvent->template_data_len > TCG_TEMPLATE_DATA_LEN_MAX) {
+ printf("ERROR: IMA_TemplateDataIma_ReadFile: template data length too big: %u\n",
+ imaEvent->template_data_len);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if ((rc == 0) && !(*endOfFile)) {
+ imaEvent->template_data = malloc(imaEvent->template_data_len);
+ if (imaEvent->template_data == NULL) {
+ printf("ERROR: IMA_TemplateData_ReadFile: "
+ "could not allocate template data, size %u\n",
+ imaEvent->template_data_len);
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ /* copy results to template_data */
+ if ((rc == 0) && !(*endOfFile)) {
+ /* copy file data hash */
+ memcpy(imaEvent->template_data, fileDataHash, sizeof(fileDataHash));
+ /* copy file name length */
+ memcpy(imaEvent->template_data + sizeof(fileDataHash),
+ &fileNameLength, sizeof(fileNameLength));
+ /* read and copy the file name */
+ readSize = fread(imaEvent->template_data + sizeof(fileDataHash) + sizeof(fileNameLength),
+ fileNameLength, 1, inFile);
+ if (readSize != 1) {
+ if (feof(inFile)) {
+ *endOfFile = TRUE;
+ }
+ else {
+ printf("ERROR: IMA_TemplateDataIma_ReadFile: "
+ "could not read fileNameLength, returned %lu\n",
+ (unsigned long)readSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ }
+ return rc;
+}
+
+/* IMA_Event_ReadBuffer() reads one IMA event from a buffer.
+
+ This is typically used at the server, reading from a client connection.
+
+ Although the raw IMA event log 'ima' template does not have a template data length, this function
+ at the server assumes it has been inserted by the client.
+
+ If getTemplate is TRUE, the template data is copied to a malloced imaEvent->template_data. If
+ FALSE, template data is skipped. FALSE is used for the first pass, where the template data is not
+ needed until the hash is validated.
+
+*/
+
+uint32_t IMA_Event_ReadBuffer(ImaEvent *imaEvent, /* freed by caller */
+ size_t *length,
+ uint8_t **buffer,
+ int *endOfBuffer,
+ int littleEndian,
+ int getTemplate)
+{
+ int rc = 0;
+
+ imaEvent->template_data = NULL; /* for free */
+ if (*length == 0) {
+ *endOfBuffer = 1;
+ }
+ else {
+ /* read the IMA pcr index */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < sizeof(uint32_t)) {
+ printf("ERROR: IMA_Event_ReadBuffer: buffer too small for PCR index\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ imaEvent->pcrIndex = IMA_Uint32_Convert(*buffer, littleEndian);
+ *buffer += sizeof(uint32_t);
+ *length -= sizeof(uint32_t);
+ }
+ }
+ /* sanity check the PCR index */
+ if (rc == 0) {
+ if (imaEvent->pcrIndex != IMA_PCR) {
+ printf("ERROR: IMA_Event_ReadBuffer: PCR index %u not PCR %u\n",
+ IMA_PCR, imaEvent->pcrIndex);
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ /* read the IMA digest, this is hard coded to SHA-1 */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < sizeof(((ImaEvent *)NULL)->digest)) {
+ printf("ERROR: IMA_Event_ReadBuffer: buffer too small for IMA digest\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ memcpy(&(imaEvent->digest), *buffer, sizeof(((ImaEvent *)NULL)->digest));
+ *buffer += sizeof(((ImaEvent *)NULL)->digest);
+ *length -= sizeof(((ImaEvent *)NULL)->digest);
+ }
+ }
+ /* read the IMA name length */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < sizeof(uint32_t)) {
+ printf("ERROR: IMA_Event_ReadBuffer: "
+ "buffer too small for IMA template name length\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ imaEvent->name_len = IMA_Uint32_Convert(*buffer, littleEndian);
+ *buffer += sizeof(uint32_t);
+ *length -= sizeof(uint32_t);
+ }
+ }
+ /* read the template name */
+ if (rc == 0) {
+ /* bounds check the name length */
+ if (imaEvent->name_len > TCG_EVENT_NAME_LEN_MAX) {
+ printf("ERROR: IMA_Event_ReadBuffer: Error, template name length too big: %u\n",
+ imaEvent->name_len);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else if (*length < imaEvent->name_len) {
+ printf("ERROR: IMA_Event_ReadBuffer: buffer too small for template name\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ /* nul terminate first */
+ memset(imaEvent->name, 0, sizeof(((ImaEvent *)NULL)->name));
+ memcpy(&(imaEvent->name), *buffer, imaEvent->name_len);
+ *buffer += imaEvent->name_len;
+ *length -= imaEvent->name_len;
+ }
+ }
+ /* record the template name as an int */
+ if (rc == 0) {
+ IMA_Event_ParseName(imaEvent);
+ }
+ /* read the template data length */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < sizeof(uint32_t)) {
+ printf("ERROR: IMA_Event_ReadBuffer: buffer too small for template data length\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ imaEvent->template_data_len = IMA_Uint32_Convert(*buffer, littleEndian);
+ *buffer += sizeof(uint32_t);
+ *length -= sizeof(uint32_t);
+ }
+ }
+ /* allocate for the template data */
+ if (rc == 0) {
+ if (getTemplate) {
+ /* bounds check the template data length */
+ if (imaEvent->template_data_len > TCG_TEMPLATE_DATA_LEN_MAX) {
+ printf("ERROR: IMA_Event_ReadBuffer: template data length too big: %u\n",
+ imaEvent->template_data_len);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else if (*length < imaEvent->template_data_len) {
+ printf("ERROR: IMA_Event_ReadBuffer: buffer too small for template data\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ if (rc == 0) {
+ imaEvent->template_data = malloc(imaEvent->template_data_len);
+ if (imaEvent->template_data == NULL) {
+ printf("ERROR: IMA_Event_ReadBuffer: "
+ "could not allocate template data, size %u\n",
+ imaEvent->template_data_len);
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ memcpy(imaEvent->template_data, *buffer, imaEvent->template_data_len);
+ }
+ }
+ }
+ /* move the buffer even if getTemplate is false */
+ if (rc == 0) {
+ *buffer += imaEvent->template_data_len;
+ *length -= imaEvent->template_data_len;
+ }
+ }
+ }
+ return rc;
+}
+
+/* IMA_TemplateName_Parse() parses the template name and registers the template data callbacks */
+
+static uint32_t IMA_TemplateName_Parse(TemplateDataParseFunction_t templateDataParseFunctions[],
+ size_t templateDataParseFunctionsSize,
+ ImaEvent *imaEvent)
+{
+ uint32_t rc = 0;
+ size_t i;
+
+ /* initialize all the function pointers to NULL */
+ for (i = 0 ; (rc == 0) && (i < templateDataParseFunctionsSize) ; i++) {
+ templateDataParseFunctions[i] = NULL;
+ }
+ /* parse the name into the callback structure */
+ if (rc == 0) {
+ switch (imaEvent->nameInt) {
+ /* these are the pre-defined formats */
+ case IMA_FORMAT_IMA_NG:
+ /* d-ng | n-ng */
+ templateDataParseFunctions[0] = (TemplateDataParseFunction_t)IMA_ParseDNG;
+ templateDataParseFunctions[1] = (TemplateDataParseFunction_t)IMA_ParseNNG;
+ break;
+ case IMA_FORMAT_IMA_SIG:
+ /* d-ng | n-ng | sig */
+ templateDataParseFunctions[0] = (TemplateDataParseFunction_t)IMA_ParseDNG;
+ templateDataParseFunctions[1] = (TemplateDataParseFunction_t)IMA_ParseNNG;
+ templateDataParseFunctions[2] = (TemplateDataParseFunction_t)IMA_ParseSIG;
+ break;
+ case IMA_FORMAT_IMA:
+ templateDataParseFunctions[0] = (TemplateDataParseFunction_t)IMA_ParseD;
+ templateDataParseFunctions[1] = (TemplateDataParseFunction_t)IMA_ParseNNG;
+ break;
+ case IMA_FORMAT_MODSIG:
+ /* d-ng | n-ng | sig | d-modsig | modsig */
+ templateDataParseFunctions[0] = (TemplateDataParseFunction_t)IMA_ParseDNG;
+ templateDataParseFunctions[1] = (TemplateDataParseFunction_t)IMA_ParseNNG;
+ templateDataParseFunctions[2] = (TemplateDataParseFunction_t)IMA_ParseSIG;
+ templateDataParseFunctions[3] = (TemplateDataParseFunction_t)IMA_ParseDMODSIG;
+ templateDataParseFunctions[4] = (TemplateDataParseFunction_t)IMA_ParseMODSIG;
+ break;
+ case IMA_FORMAT_BUF:
+ /* d-ng | n-ng | buf */
+ templateDataParseFunctions[0] = (TemplateDataParseFunction_t)IMA_ParseDNG;
+ templateDataParseFunctions[1] = (TemplateDataParseFunction_t)IMA_ParseNNG;
+ templateDataParseFunctions[2] = (TemplateDataParseFunction_t)IMA_ParseBUF;
+ break;
+ /* these are potentially the custom templates */
+ default:
+ rc = IMA_TemplateName_ParseCustom(templateDataParseFunctions,
+ templateDataParseFunctionsSize,
+ imaEvent);
+ }
+ }
+ return rc;
+}
+
+/* the mapping between a format string and the template data parse function */
+
+typedef struct {
+ const char *formatString;
+ TemplateDataParseFunction_t parseFunction;
+} ImaFormatMap;
+
+static ImaFormatMap imaFormatMap[] = {
+ {"d", (TemplateDataParseFunction_t)IMA_ParseD},
+ {"n", (TemplateDataParseFunction_t)IMA_ParseNNG},
+ {"d-ng", (TemplateDataParseFunction_t)IMA_ParseDNG},
+ {"n-ng", (TemplateDataParseFunction_t)IMA_ParseNNG},
+ {"sig", (TemplateDataParseFunction_t)IMA_ParseSIG},
+ {"d-modsig", (TemplateDataParseFunction_t)IMA_ParseDMODSIG},
+ {"modsig", (TemplateDataParseFunction_t)IMA_ParseMODSIG},
+ {"buf", (TemplateDataParseFunction_t)IMA_ParseBUF}
+};
+
+static uint32_t
+IMA_TemplateName_ParseCustom(TemplateDataParseFunction_t templateDataParseFunctions[],
+ size_t templateDataParseFunctionsSize,
+ ImaEvent *imaEvent)
+{
+ uint32_t rc = 0;
+ size_t i; /* index into templateDataParseFunctions table */
+ size_t j; /* index into imaFormatMap table */
+ char *startName;
+ char *endName;
+ char templateName[TCG_EVENT_NAME_LEN_MAX + 1]; /* one | separated item with nul */
+
+ /* parse the custom templates */
+ strcpy(templateName, imaEvent->name); /* modify'able */
+ startName = templateName;
+
+ for (i = 0 ; (rc == 0) && (i < templateDataParseFunctionsSize) ; i++) {
+ endName = strchr(startName, '|');
+ if (endName != NULL) { /* found a | character */
+ *endName = '\0'; /* nul terminate the next format string */
+ }
+ printf("item %lu : %s\n", (unsigned long)i, startName);
+ /* search the table for the format string */
+ for (j = 0 ; j < (sizeof(imaFormatMap) / sizeof(ImaFormatMap)) ; j++) {
+ int irc;
+ irc = strcmp(startName, imaFormatMap[j].formatString);
+ if (irc == 0) {
+ templateDataParseFunctions[i] = imaFormatMap[j].parseFunction;
+ }
+ }
+ /* if no format string found */
+ if (templateDataParseFunctions[i] == NULL) {
+ printf("ERROR: IMA_TemplateName_ParseCustom: unknown format string %s\n",
+ startName);
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ /* if found an item, move the pointer */
+ if (rc == 0) {
+ startName = endName + 1;
+ }
+ if (endName == NULL) { /* no | character, last entry */
+ break;
+ }
+ }
+ return rc;
+}
+
+/*
+ template data callbacks
+*/
+
+/* IMA_ParseD() parses a d : digest (no length or algorithm) */
+
+static uint32_t IMA_ParseD(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian)
+{
+ uint32_t rc = 0;
+ littleEndian = littleEndian; /* unised */
+ /* fileDataHash */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < SHA1_DIGEST_SIZE) {
+ printf("ERROR: IMA_ParseD: buffer too small for file data hash\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ imaTemplateData->imaTemplateDNG.fileDataHashLength = SHA1_DIGEST_SIZE;
+ memcpy(&(imaTemplateData->imaTemplateDNG.fileDataHash), *buffer, SHA1_DIGEST_SIZE);
+ *buffer += SHA1_DIGEST_SIZE;
+ *length -= SHA1_DIGEST_SIZE;
+ }
+ }
+ return rc;
+}
+
+/* IMA_ParseDNG parses a d-ng : hash length + hash algorithm string + digest
+
+ The digest is a file data hash.
+ */
+
+static uint32_t IMA_ParseDNG(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian)
+{
+ uint32_t rc = 0;
+ size_t hashAlgSize;
+ /* read the hash length, algorithm + hash */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < sizeof(uint32_t)) {
+ printf("ERROR: IMA_ParseDNG: buffer too small for hash length\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ imaTemplateData->imaTemplateDNG.hashLength = IMA_Uint32_Convert(*buffer, littleEndian);
+ *buffer += sizeof(uint32_t);
+ *length -= sizeof(uint32_t);
+ }
+ }
+ /* read the hash algorithm, nul terminated string */
+ if (rc == 0) {
+ /* NUL terminate first */
+ memset(imaTemplateData->imaTemplateDNG.hashAlg, 0,
+ sizeof(((ImaTemplateData *)NULL)->imaTemplateDNG.hashAlg));
+ rc = IMA_Strn2cpy(imaTemplateData->imaTemplateDNG.hashAlg, *buffer,
+ sizeof(((ImaTemplateData *)NULL)->imaTemplateDNG.hashAlg), /* destLength */
+ imaTemplateData->imaTemplateDNG.hashLength); /* srcLength */
+ if (rc != 0) {
+ printf("ERROR: IMA_ParseDNG: buffer too small for hash algorithm\n"
+ "\tor hash algorithm exceeds maximum size\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ hashAlgSize = strlen(imaTemplateData->imaTemplateDNG.hashAlg) + 1;
+ *buffer += hashAlgSize;
+ *length -= hashAlgSize;
+ }
+ }
+ /* fileDataHashLength */
+ if (rc == 0) {
+ if (strcmp(imaTemplateData->imaTemplateDNG.hashAlg, "sha1:") == 0) {
+ imaTemplateData->imaTemplateDNG.fileDataHashLength = SHA1_DIGEST_SIZE;
+ imaTemplateData->imaTemplateDNG.hashAlgId = TPM_ALG_SHA1;
+ }
+ else if (strcmp(imaTemplateData->imaTemplateDNG.hashAlg, "sha256:") == 0) {
+ imaTemplateData->imaTemplateDNG.fileDataHashLength = SHA256_DIGEST_SIZE;
+ imaTemplateData->imaTemplateDNG.hashAlgId = TPM_ALG_SHA256;
+ }
+ else {
+ printf("ERROR: IMA_ParseDNG: Unknown file data hash algorithm: %s\n",
+ imaTemplateData->imaTemplateDNG.hashAlg);
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+ /* consistency check hashLength vs contents */
+ if (rc == 0) {
+ if ((hashAlgSize + imaTemplateData->imaTemplateDNG.fileDataHashLength) !=
+ imaTemplateData->imaTemplateDNG.hashLength) {
+ printf("ERROR: IMA_ParseDNG: "
+ "hashLength %u inconsistent with hashAlgSize %lu and fileDataHashLength %u\n",
+ imaTemplateData->imaTemplateDNG.hashLength, (unsigned long)hashAlgSize,
+ imaTemplateData->imaTemplateDNG.fileDataHashLength);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* fileDataHash */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < imaTemplateData->imaTemplateDNG.fileDataHashLength) {
+ printf("ERROR: IMA_ParseDNG: buffer too small for file data hash\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else if (imaTemplateData->imaTemplateDNG.fileDataHashLength >
+ sizeof(((ImaTemplateData *)NULL)->imaTemplateDNG.fileDataHash)) {
+ printf("ERROR: IMA_ParseDNG: "
+ "file data hash length exceeds maximum size\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ memcpy(&(imaTemplateData->imaTemplateDNG.fileDataHash), *buffer,
+ imaTemplateData->imaTemplateDNG.fileDataHashLength);
+ *buffer += imaTemplateData->imaTemplateDNG.fileDataHashLength;
+ *length -= imaTemplateData->imaTemplateDNG.fileDataHashLength;
+ /* FIXME remove */
+ TSS_PrintAll("IMA_ParseDNG: file data hash",
+ imaTemplateData->imaTemplateDNG.fileDataHash,
+ imaTemplateData->imaTemplateDNG.fileDataHashLength);
+ }
+ }
+ return rc;
+}
+
+/* IMA_ParseNNG() parses a n-ng : length + filename */
+
+static uint32_t IMA_ParseNNG(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian)
+{
+ uint32_t rc = 0;
+ /* fileNameLength (length includes the nul terminator) */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < sizeof(uint32_t)) {
+ printf("ERROR: IMA_ParseNNG: buffer too small for file name length\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ imaTemplateData->imaTemplateNNG.fileNameLength = IMA_Uint32_Convert(*buffer, littleEndian);
+ *buffer += sizeof(uint32_t);
+ *length -= sizeof(uint32_t);
+ }
+ }
+ /* fileName */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < imaTemplateData->imaTemplateNNG.fileNameLength) {
+ printf("ERROR: IMA_ParseNNG: buffer too small for file name\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ /* leave one byte for the nul terminator */
+ else if (imaTemplateData->imaTemplateNNG.fileNameLength >
+ (sizeof(imaTemplateData->imaTemplateNNG.fileName)-1)) {
+ printf("ERROR: IMA_ParseNNG: file name length exceeds maximum size\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ memcpy(&(imaTemplateData->imaTemplateNNG.fileName), *buffer,
+ imaTemplateData->imaTemplateNNG.fileNameLength);
+ /* ima template does not nul terminate the file name */
+ imaTemplateData->imaTemplateNNG.fileName[imaTemplateData->imaTemplateNNG.fileNameLength] = '\0';
+ *buffer += imaTemplateData->imaTemplateNNG.fileNameLength;
+ *length -= imaTemplateData->imaTemplateNNG.fileNameLength;
+ }
+ }
+ return rc;
+}
+
+/* IMA_ParseSIG() parses a sig : signature header + signature */
+
+static uint32_t IMA_ParseSIG(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian)
+{
+ uint32_t rc = 0;
+ /* sigLength */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < sizeof(uint32_t)) {
+ printf("ERROR: IMA_ParseSIG: "
+ "buffer too small for signature length\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ imaTemplateData->imaTemplateSIG.sigLength = IMA_Uint32_Convert(*buffer, littleEndian);
+ *buffer += sizeof(uint32_t);
+ *length -= sizeof(uint32_t);
+ /* FIXME remove */
+ printf("IMA_ParseSIG: sigLength %u\n", imaTemplateData->imaTemplateSIG.sigLength);
+ }
+ }
+ /* sigHeader - only parsed if its length is not zero */
+ if (imaTemplateData->imaTemplateSIG.sigLength != 0) {
+ if (rc == 0) {
+ imaTemplateData->imaTemplateSIG.sigHeaderLength =
+ sizeof((ImaTemplateData *)NULL)->imaTemplateSIG.sigHeader;
+ /* bounds check the length */
+ if (*length < imaTemplateData->imaTemplateSIG.sigHeaderLength) {
+ printf("ERROR: IMA_ParseSIG: "
+ "buffer too small for signature header\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ memcpy(&(imaTemplateData->imaTemplateSIG.sigHeader), *buffer,
+ imaTemplateData->imaTemplateSIG.sigHeaderLength);
+ *buffer += imaTemplateData->imaTemplateSIG.sigHeaderLength;
+ *length -= imaTemplateData->imaTemplateSIG.sigHeaderLength;
+ }
+ }
+ /* get signature length from last two bytes */
+ if (rc == 0) {
+ /* magic number for offset: type(1) version(1) hash alg (1) pubkey id (4) */
+ imaTemplateData->imaTemplateSIG.signatureSize =
+ ntohs(*(uint16_t *)(imaTemplateData->imaTemplateSIG.sigHeader + 7));
+ }
+ /* consistency check signature header contents */
+ if (rc == 0) {
+ int goodHashAlgo = (((imaTemplateData->imaTemplateSIG.sigHeader[2] == HASH_ALGO_SHA1) &&
+ (imaTemplateData->imaTemplateDNG.hashAlgId == TPM_ALG_SHA1)) ||
+ ((imaTemplateData->imaTemplateSIG.sigHeader[2] == HASH_ALGO_SHA256) &&
+ (imaTemplateData->imaTemplateDNG.hashAlgId == TPM_ALG_SHA256)));
+ int goodSigSize = ((imaTemplateData->imaTemplateSIG.signatureSize == 128) ||
+ (imaTemplateData->imaTemplateSIG.signatureSize == 256));
+ /* xattr type */
+ if (
+ (imaTemplateData->imaTemplateSIG.sigHeader[0] != EVM_IMA_XATTR_DIGSIG) || /* [0] type */
+ (imaTemplateData->imaTemplateSIG.sigHeader[1] != 2) || /* [1] version */
+ !goodHashAlgo || /* [2] hash algorithm */
+ /* [3]-[6] are the public key fingerprint. Any value is legal. */
+ !goodSigSize /* [7][8] sig size */
+ ) {
+ printf("ERROR: IMA_ParseSIG: invalid sigHeader\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* signature */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < imaTemplateData->imaTemplateSIG.signatureSize) {
+ printf("ERROR: IMA_ParseSIG: "
+ "buffer too small for signature \n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ /* sanity check the signatureSize against the sigLength */
+ else if (imaTemplateData->imaTemplateSIG.sigLength !=
+ (sizeof((ImaTemplateData *)NULL)->imaTemplateSIG.sigHeader +
+ imaTemplateData->imaTemplateSIG.signatureSize)) {
+ printf("ERROR: IMA_ParseSIG: "
+ "sigLength inconsistent with signatureSize\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ memcpy(&(imaTemplateData->imaTemplateSIG.signature), *buffer,
+ imaTemplateData->imaTemplateSIG.signatureSize);
+ *buffer += imaTemplateData->imaTemplateSIG.signatureSize;
+ *length -= imaTemplateData->imaTemplateSIG.signatureSize;
+ /* FIXME remove */
+ TSS_PrintAll("IMA_ParseSIG: file data hash",
+ imaTemplateData->imaTemplateSIG.signature,
+ imaTemplateData->imaTemplateSIG.signatureSize);
+
+ }
+ }
+ }
+ return rc;
+}
+
+/* IMA_ParseDMODSIG parses a d-ng : hash length + hash algorithm string + digest
+
+ The digest is a file data hash omitting the appended modsig signature.
+
+ NOTE: This is currently thre same as IMA_ParseDNG but may have different processing in the
+ future.
+*/
+
+static uint32_t IMA_ParseDMODSIG(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian)
+{
+ uint32_t rc = 0;
+ size_t hashAlgSize;
+
+ /* read the hash length, algorithm + hash */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < sizeof(uint32_t)) {
+ printf("ERROR: IMA_ParseDMODSIG: buffer too small for hash length\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ imaTemplateData->imaTemplateDMODSIG.dModSigHashLength = IMA_Uint32_Convert(*buffer, littleEndian);
+ *buffer += sizeof(uint32_t);
+ *length -= sizeof(uint32_t);
+ }
+ }
+ /* FIXME is zero length an error? */
+ if (imaTemplateData->imaTemplateDMODSIG.dModSigHashLength != 0) {
+
+ /* read the hash algorithm, nul terminated string */
+ if (rc == 0) {
+ /* NUL terminate first */
+ memset(imaTemplateData->imaTemplateDMODSIG.dModSigHashAlg, 0,
+ sizeof(((ImaTemplateData *)NULL)->imaTemplateDMODSIG.dModSigHashAlgId));
+ rc = IMA_Strn2cpy(imaTemplateData->imaTemplateDMODSIG.dModSigHashAlg, *buffer,
+ /* destLength */
+ sizeof(((ImaTemplateData *)NULL)->imaTemplateDMODSIG.dModSigHashAlg),
+ /* srcLength */
+ imaTemplateData->imaTemplateDMODSIG.dModSigHashLength);
+ if (rc != 0) {
+ printf("ERROR: IMA_ParseDMODSIG: buffer too small for hash algorithm\n"
+ "\tor hash algorithm exceeds maximum size\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ hashAlgSize = strlen(imaTemplateData->imaTemplateDMODSIG.dModSigHashAlg) + 1;
+ *buffer += hashAlgSize;
+ *length -= hashAlgSize;
+ }
+ }
+ /* dModSigFileDataHashLength */
+ if (rc == 0) {
+ if (strcmp(imaTemplateData->imaTemplateDMODSIG.dModSigHashAlg, "sha1:") == 0) {
+ imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHashLength = SHA1_DIGEST_SIZE;
+ imaTemplateData->imaTemplateDMODSIG.dModSigHashAlgId = TPM_ALG_SHA1;
+ }
+ else if (strcmp(imaTemplateData->imaTemplateDMODSIG.dModSigHashAlg, "sha256:") == 0) {
+ imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHashLength = SHA256_DIGEST_SIZE;
+ imaTemplateData->imaTemplateDMODSIG.dModSigHashAlgId = TPM_ALG_SHA256;
+ }
+ else {
+ printf("ERROR: IMA_ParseDMODSIG: Unknown file data hash algorithm: %s\n",
+ imaTemplateData->imaTemplateDMODSIG.dModSigHashAlg);
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+ /* consistency check dModSigFileDataHashLength vs contents */
+ if (rc == 0) {
+ if ((hashAlgSize + imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHashLength) !=
+ imaTemplateData->imaTemplateDMODSIG.dModSigHashLength) {
+ printf("ERROR: IMA_ParseDMODSIG: "
+ "dModSigFileDataHashLength %u inconsistent with hashAlgSize %lu "
+ "and dModSigFileDataHashLength %u\n",
+ imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHashLength,
+ (unsigned long)hashAlgSize,
+ imaTemplateData->imaTemplateDMODSIG.dModSigHashLength);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* dModSigFileDataHashLength */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHashLength ) {
+ printf("ERROR: IMA_ParseDMODSIG: buffer too small for file data hash\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else if (imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHashLength >
+ sizeof(((ImaTemplateData *)NULL)->imaTemplateDMODSIG.dModSigFileDataHash)) {
+ printf("ERROR: IMA_ParseDMODSIG: "
+ "file data hash length exceeds maximum size\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ memcpy(&(imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHash),
+ *buffer, imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHashLength);
+ *buffer += imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHashLength ;
+ *length -= imaTemplateData->imaTemplateDMODSIG.dModSigFileDataHashLength ;
+ }
+ }
+ }
+ return rc;
+}
+
+/* IMA_ParseMODSIG parses a modsig : 4 byte length + DER encoded CMS document, RFC 5652 */
+
+static uint32_t IMA_ParseMODSIG(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian)
+{
+ uint32_t rc = 0;
+
+ /* read the length */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < sizeof(uint32_t)) {
+ printf("ERROR: IMA_ParseMODSIG: buffer too small for length\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ imaTemplateData->imaTemplateMODSIG.modSigLength = IMA_Uint32_Convert(*buffer, littleEndian);
+ *buffer += sizeof(uint32_t);
+ *length -= sizeof(uint32_t);
+ }
+ }
+ /* read the DER */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < imaTemplateData->imaTemplateMODSIG.modSigLength) {
+ printf("ERROR: IMA_ParseMODSIG: buffer too small for modSig data\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else if (imaTemplateData->imaTemplateMODSIG.modSigLength >
+ sizeof(((ImaTemplateData *)NULL)->imaTemplateMODSIG.modSigData)) {
+ printf("ERROR: IMA_ParseMODSIG: "
+ "modSigData length exceeds maximum size\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ memcpy(&(imaTemplateData->imaTemplateMODSIG.modSigData), *buffer,
+ imaTemplateData->imaTemplateMODSIG.modSigLength);
+ *buffer += imaTemplateData->imaTemplateMODSIG.modSigLength;
+ *length -= imaTemplateData->imaTemplateMODSIG.modSigLength;
+ }
+ }
+ return rc;
+}
+
+/* IMA_ParseBUF parses a modsig : 4 byte length + DER encoded CMS document, RFC 5652 */
+
+static uint32_t IMA_ParseBUF(ImaTemplateData *imaTemplateData,
+ uint8_t **buffer,
+ size_t *length,
+ int littleEndian)
+{
+ uint32_t rc = 0;
+
+ /* FIXME factor reading a 4 byte length plus data stream */
+ /* read the length */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < sizeof(uint32_t)) {
+ printf("ERROR: IMA_ParseBUF: buffer too small for length\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ imaTemplateData->imaTemplateBUF.bufLength = IMA_Uint32_Convert(*buffer, littleEndian);
+ *buffer += sizeof(uint32_t);
+ *length -= sizeof(uint32_t);
+ }
+ }
+ /* read the DER */
+ if (rc == 0) {
+ /* bounds check the length */
+ if (*length < imaTemplateData->imaTemplateBUF.bufLength) {
+ printf("ERROR: IMA_ParseBUF: buffer too small for buf data\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else if (imaTemplateData->imaTemplateBUF.bufLength >
+ sizeof(((ImaTemplateData *)NULL)->imaTemplateBUF.bufData)) {
+ printf("ERROR: IMA_ParseBUF: "
+ "bufData length exceeds maximum size\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ else {
+ memcpy(&(imaTemplateData->imaTemplateBUF.bufData), *buffer,
+ imaTemplateData->imaTemplateBUF.bufLength);
+ *buffer += imaTemplateData->imaTemplateBUF.bufLength;
+ *length -= imaTemplateData->imaTemplateBUF.bufLength;
+ }
+ }
+ return rc;
+}
+
+/* IMA_TemplateData_ReadBuffer() unmarshals the template data fields from the template data byte
+ array.
+
+*/
+
+uint32_t IMA_TemplateData_ReadBuffer(ImaTemplateData *imaTemplateData,
+ ImaEvent *imaEvent,
+ int littleEndian)
+{
+ uint32_t rc = 0;
+ size_t length = imaEvent->template_data_len;
+ uint8_t *buffer = imaEvent->template_data;
+ TemplateDataParseFunction_t templateDataParseFunctions[IMA_PARSE_FUNCTIONS_MAX];
+ size_t i;
+
+ /* initialize all fields, since not all fields are included in all templates */
+ if (rc == 0) {
+ IMA_TemplateData_Init(imaTemplateData);
+ }
+ if (rc == 0) {
+ rc = IMA_TemplateName_Parse(templateDataParseFunctions, IMA_PARSE_FUNCTIONS_MAX,
+ imaEvent);
+ }
+ for (i = 0 ; (rc == 0) && (templateDataParseFunctions[i] != NULL) ; i++) {
+ rc = templateDataParseFunctions[i](imaTemplateData, &buffer, &length, littleEndian);
+ }
+ /* length should now be zero */
+ if (rc == 0) {
+ if (length != 0) {
+ printf("ERROR: IMA_TemplateData_ReadBuffer: "
+ "buffer too large (bytes remaining after unmarshaling)\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ return rc;
+}
+
+/* IMA_Event_Write() writes an event line to a binary file outFile.
+
+ The write is always big endian, network byte order.
+*/
+
+uint32_t IMA_Event_Write(ImaEvent *imaEvent,
+ FILE *outFile)
+{
+ int rc = 0;
+ size_t writeSize;
+ uint32_t nbo32; /* network byte order */
+
+ if (rc == 0) {
+ /* do the endian conversion */
+ nbo32 = htonl(imaEvent->pcrIndex);
+ /* write the IMA pcr index */
+ writeSize = fwrite(&nbo32, sizeof(uint32_t), 1, outFile);
+ if (writeSize != 1) {
+ printf("ERROR: IMA_Event_Write: could not write pcrIndex, returned %lu\n",
+ (unsigned long)writeSize);
+ rc = TSS_RC_FILE_WRITE;
+ }
+ }
+ /* write the IMA digest, name length */
+ if (rc == 0) {
+ writeSize = fwrite(&(imaEvent->digest), sizeof(((ImaEvent *)NULL)->digest), 1, outFile);
+ if (writeSize != 1) {
+ printf("ERROR: IMA_Event_Write: could not write digest, returned %lu\n",
+ (unsigned long)writeSize);
+ rc = TSS_RC_FILE_WRITE;
+ }
+ }
+ /* write the IMA name length */
+ if (rc == 0) {
+ /* do the endian conversion */
+ nbo32 = htonl(imaEvent->name_len);
+ /* write the IMA name length */
+ writeSize = fwrite(&nbo32, sizeof(uint32_t), 1, outFile);
+ if (writeSize != 1) {
+ printf("ERROR: IMA_Event_Write: could not write name length, returned %lu\n",
+ (unsigned long)writeSize);
+ rc = TSS_RC_FILE_WRITE;
+ }
+ }
+ /* write the name */
+ if (rc == 0) {
+ writeSize = fwrite(&(imaEvent->name), imaEvent->name_len, 1, outFile);
+ if (writeSize != 1) {
+ printf("ERROR: IMA_Event_Write: could not write name, returned %lu\n",
+ (unsigned long)writeSize);
+ rc = TSS_RC_FILE_WRITE;
+ }
+ }
+ /* write the template data length */
+ if (rc == 0) {
+ /* do the endian conversion */
+ nbo32 = htonl(imaEvent->template_data_len);
+ /* write the IMA template data length */
+ writeSize = fwrite(&nbo32, sizeof(uint32_t), 1, outFile);
+ if (writeSize != 1) {
+ printf("ERROR: IMA_Event_Write: could not template data length , returned %lu\n",
+ (unsigned long)writeSize);
+ rc = TSS_RC_FILE_WRITE;
+ }
+ }
+ /* write the template data */
+ if (rc == 0) {
+ writeSize = fwrite(&(imaEvent->template_data), imaEvent->template_data_len, 1, outFile);
+ if (writeSize != 1) {
+ printf("ERROR: IMA_Event_Write: could not write template data, returned %lu\n",
+ (unsigned long)writeSize);
+ rc = TSS_RC_FILE_WRITE;
+ }
+ }
+ return rc;
+}
+
+/* IMA_Extend() extends the event into the imaPcr.
+
+ An IMA quirk is that, if the event is all zero, all ones is extended into the SHA-1 bank. Since
+ the SHA-256 bank currently gets the SHA-1 value zero extended, it will get 20 ff's and 12 00's.
+
+ halg indicates whether to calculate the digest for the SHA-1 or SHA-256 PCR bank. The IMA event
+ log itself is always SHA-1.
+
+ This function assumes that the same hash algorithm / PCR bank is used for all calls.
+*/
+
+uint32_t IMA_Extend(TPMT_HA *imapcr,
+ ImaEvent *imaEvent,
+ TPMI_ALG_HASH hashAlg)
+{
+ uint32_t rc = 0;
+ uint16_t digestSize;
+ uint16_t zeroPad;
+ int notAllZero;
+ unsigned char zeroDigest[SHA256_DIGEST_SIZE];
+ unsigned char oneDigest[SHA256_DIGEST_SIZE];
+
+ /* FIXME sanity check TPM_IMA_PCR imaEvent->pcrIndex */
+
+ /* extend based on the previous IMA PCR value */
+ if (rc == 0) {
+ memset(zeroDigest, 0, SHA256_DIGEST_SIZE);
+ memset(oneDigest, 0xff, SHA256_DIGEST_SIZE);
+ if (hashAlg == TPM_ALG_SHA1) {
+ digestSize = SHA1_DIGEST_SIZE;
+ zeroPad = 0;
+ }
+ else if (hashAlg == TPM_ALG_SHA256) {
+ digestSize = SHA256_DIGEST_SIZE;
+ /* pad the SHA-1 event with zeros for the SHA-256 bank */
+ zeroPad = SHA256_DIGEST_SIZE - SHA1_DIGEST_SIZE;
+ }
+ else {
+ printf("ERROR: IMA_Extend: Unsupported hash algorithm: %04x\n", hashAlg);
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+ if (rc == 0) {
+ notAllZero = memcmp(imaEvent->digest, zeroDigest, SHA1_DIGEST_SIZE);
+ imapcr->hashAlg = hashAlg;
+#if 1
+ TSS_PrintAll("IMA_Extend: Start PCR", (uint8_t *)&imapcr->digest, digestSize);
+ TSS_PrintAll("IMA_Extend: SHA-256 Pad", zeroDigest, zeroPad);
+#endif
+ if (notAllZero) {
+ TSS_PrintAll("IMA_Extend: Extend", (uint8_t *)&imaEvent->digest, SHA1_DIGEST_SIZE);
+ rc = TSS_Hash_Generate(imapcr,
+ digestSize, (uint8_t *)&imapcr->digest,
+ SHA1_DIGEST_SIZE, &imaEvent->digest,
+ /* SHA-1 PCR extend gets zero padded */
+ zeroPad, zeroDigest,
+ 0, NULL);
+#if 1
+ TSS_PrintAll("IMA_Extend: notAllZero End PCR",
+ (uint8_t *)&imapcr->digest, digestSize);
+#endif
+ }
+ /* IMA has a quirk where, when it places all all zero digest into the measurement log, it
+ extends all ones into IMA PCR */
+ else {
+ TSS_PrintAll("IMA_Extend: Extend", (uint8_t *)oneDigest, SHA1_DIGEST_SIZE);
+ rc = TSS_Hash_Generate(imapcr,
+ digestSize, (uint8_t *)&imapcr->digest,
+ SHA1_DIGEST_SIZE, oneDigest,
+ /* SHA-1 gets zero padded */
+ zeroPad, zeroDigest,
+ 0, NULL);
+#if 1
+ TSS_PrintAll("IMA_Extend: allZero End PCR",
+ (uint8_t *)&imapcr->digest, digestSize);
+#endif
+ }
+ }
+ if (rc != 0) {
+ printf("ERROR: IMA_Extend: could not extend imapcr, rc %08x\n", rc);
+ }
+ return rc;
+}
+
+/* IMA_VerifyImaDigest() verifies the IMA digest against the hash of the template data.
+
+ This handles the SHA-1 IMA event log.
+*/
+
+uint32_t IMA_VerifyImaDigest(uint32_t *badEvent, /* TRUE if hash does not match */
+ ImaEvent *imaEvent, /* the current IMA event being processed */
+ int eventNum) /* the current IMA event number being processed */
+{
+ uint32_t rc = 0;
+ int irc;
+ TPMT_HA calculatedImaDigest;
+
+ /* calculate the hash of the template data */
+ if (rc == 0) {
+ calculatedImaDigest.hashAlg = TPM_ALG_SHA1;
+ /* standard case, hash of entire template data */
+ if (imaEvent->nameInt != IMA_FORMAT_IMA) {
+ rc = TSS_Hash_Generate(&calculatedImaDigest,
+ imaEvent->template_data_len, imaEvent->template_data,
+ 0, NULL);
+ }
+ /* special case of "ima" template, hash of File Data Hash || File Name padded with zeros to
+ 256 bytes */
+ else {
+ ImaTemplateData imaTemplateData;
+ int zeroPadLength;
+ uint8_t zeroPad[256];
+ if (rc == 0) {
+ rc = IMA_TemplateData_ReadBuffer(&imaTemplateData,
+ imaEvent,
+ TRUE); /* FIXME littleEndian */
+ }
+ if (rc == 0) {
+ if (imaTemplateData.imaTemplateNNG.fileNameLength > sizeof(zeroPad)) {
+ printf("ERROR: IMA_VerifyImaDigest: ima template file name length %lu > %lu\n",
+ (unsigned long)imaTemplateData.imaTemplateNNG.fileNameLength,
+ (unsigned long)sizeof(zeroPad));
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ memset(zeroPad, 0, sizeof(zeroPad));
+ /* subtract safe after above length check */
+ zeroPadLength = sizeof(zeroPad) - imaTemplateData.imaTemplateNNG.fileNameLength;
+ }
+ if (rc == 0) {
+ rc = TSS_Hash_Generate(&calculatedImaDigest,
+ SHA1_DIGEST_SIZE, &imaTemplateData.imaTemplateDNG.fileDataHash,
+ imaTemplateData.imaTemplateNNG.fileNameLength,
+ &imaTemplateData.imaTemplateNNG.fileName,
+ zeroPadLength, zeroPad,
+ 0, NULL);
+ }
+ }
+ }
+ /* compare the calculated hash to the event digest received from the client */
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_PrintAll("IMA_VerifyImaDigest: Received IMA digest",
+ imaEvent->digest, SHA1_DIGEST_SIZE);
+ if (tssUtilsVerbose) TSS_PrintAll("IMA_VerifyImaDigest: Calculated IMA digest",
+ (uint8_t *)&calculatedImaDigest.digest, SHA1_DIGEST_SIZE);
+
+ irc = memcmp(imaEvent->digest, &calculatedImaDigest.digest, SHA1_DIGEST_SIZE);
+ if (irc == 0) {
+ if (tssUtilsVerbose) printf("IMA_VerifyImaDigest: IMA digest verified, event %u\n", eventNum);
+ *badEvent = FALSE;
+ }
+ else {
+ printf("ERROR: IMA_VerifyImaDigest: IMA digest did not verify, event %u\n",
+ eventNum);
+ *badEvent = TRUE;
+ }
+ }
+ return rc;
+}
+
+/* IMA_Uint32_Convert() converts a uint8_t (from an input stream) to host byte order
+ */
+
+static uint32_t IMA_Uint32_Convert(const uint8_t *stream,
+ int littleEndian)
+{
+ uint32_t out = 0;
+
+ /* little endian input */
+ if (littleEndian) {
+ out = (stream[0] << 0) |
+ (stream[1] << 8) |
+ (stream[2] << 16) |
+ (stream[3] << 24);
+ }
+ /* big endian input */
+ else {
+ out = (stream[0] << 24) |
+ (stream[1] << 16) |
+ (stream[2] << 8) |
+ (stream[3] << 0);
+ }
+ return out;
+}
+
+/* IMA_Strn2cpy() copies src to dest, including a NUL terminator
+
+ It checks that src is nul terminated within srcLength bytes.
+ It checks that src fits into dest within destLength bytes
+
+ Returns error if either the src is not nul terminated or will not fit in dest.
+*/
+
+static uint32_t IMA_Strn2cpy(char *dest, const uint8_t *src,
+ size_t destLength, size_t srcLength)
+{
+ uint32_t rc = 0;
+ int done = 0;
+
+ while ((destLength > 0) && (srcLength > 0)) {
+ *dest = *src;
+ if (*dest == '\0') {
+ done = 1;
+ break;
+ }
+ else {
+ dest++;
+ src++;
+ destLength--;
+ srcLength--;
+ }
+ }
+ if (!done) {
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ return rc;
+}
+
+/* IMA_Event_Marshal() marshals an ImaEvent structure */
+
+TPM_RC IMA_Event_Marshal(ImaEvent *source,
+ uint16_t *written, uint8_t **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->pcrIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->digest, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->name_len, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu((uint8_t *)source->name, source->name_len, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->template_data_len, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->template_data, source->template_data_len,
+ written, buffer, size);
+ }
+ return rc;
+}
+
+/* IMA_Event_PcrExtend() extends PCR digests with the digest from the ImaEvent event log
+ entry.
+
+ Bank 0 is SHA-1. Bank 1 is SHA-256.
+
+ The function supports all PCRs, even though the PCRs are limited in practice.
+
+*/
+
+uint32_t IMA_Event_PcrExtend(TPMT_HA pcrs[IMA_PCR_BANKS][IMPLEMENTATION_PCR],
+ ImaEvent *imaEvent)
+{
+ TPM_RC rc = 0;
+ uint8_t eventData[SHA256_DIGEST_SIZE];
+
+ /* validate PCR number */
+ if (rc == 0) {
+ if (imaEvent->pcrIndex >= IMPLEMENTATION_PCR) {
+ printf("ERROR: IMA_Event_PcrExtend: PCR number %u %08x out of range\n",
+ imaEvent->pcrIndex, imaEvent->pcrIndex);
+ rc = TSS_RC_BAD_PROPERTY;
+ }
+ }
+ /* process each event hash algorithm */
+ if (rc == 0) {
+ unsigned char zeroDigest[SHA1_DIGEST_SIZE];
+ int notAllZero;
+ memset(zeroDigest, 0, SHA1_DIGEST_SIZE);
+ notAllZero = memcmp(imaEvent->digest, zeroDigest, SHA1_DIGEST_SIZE);
+ /* for the SHA-256 zero extend */
+ memset(eventData, 0, SHA256_DIGEST_SIZE);
+
+ /* IMA has a quirk where some measurements store a zero digest in the event log, but
+ extend ones into PCR 10 */
+ if (notAllZero) {
+ memcpy(eventData, imaEvent->digest, SHA1_DIGEST_SIZE);
+ }
+ else {
+ memset(eventData, 0xff, SHA1_DIGEST_SIZE);
+ }
+ }
+ /* SHA-1 */
+ if (rc == 0) {
+ rc = TSS_Hash_Generate(&pcrs[0][imaEvent->pcrIndex],
+ SHA1_DIGEST_SIZE,
+ (uint8_t *)&pcrs[0][imaEvent->pcrIndex].digest,
+ SHA1_DIGEST_SIZE,
+ eventData,
+ 0, NULL);
+ }
+ /* SHA-256 */
+ if (rc == 0) {
+ rc = TSS_Hash_Generate(&pcrs[1][imaEvent->pcrIndex],
+ SHA256_DIGEST_SIZE,
+ (uint8_t *)&pcrs[1][imaEvent->pcrIndex].digest,
+ SHA256_DIGEST_SIZE,
+ eventData,
+ 0, NULL);
+ }
+ return rc;
+}
+
+#if 0
+/* IMA_Event_ToString() converts the ImaEvent structure to a hexascii string, big endian. */
+
+uint32_t IMA_Event_ToString(char **eventString, /* freed by caller */
+ ImaEvent *imaEvent)
+{
+ int rc = 0;
+ size_t length;
+
+ /* calculate size of string, from ImaEvent structure */
+ if (rc == 0) {
+ length = ((sizeof(uint32_t) + SHA1_DIGEST_SIZE + sizeof(uint32_t) +
+ TCG_EVENT_NAME_LEN_MAX + 1 + sizeof(uint32_t) +
+ imaEvent->template_data_len) * 2) + 1;
+ }
+ if (rc == 0) {
+ *eventString = malloc(length);
+ if (*eventString == NULL) {
+ printf("ERROR: IMA_Event_ToString: error allocating %lu bytes\n", length);
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ memset(*eventString, '\0', length);
+ char *p = *eventString;
+
+ sprintf(p, "%08lx", (long unsigned int)imaEvent->pcrIndex);
+ p += sizeof(uint32_t)* 2;
+
+ Array_Print(p, NULL, imaEvent->digest, SHA1_DIGEST_SIZE);
+ p += SHA1_DIGEST_SIZE * 2;
+
+ sprintf(p, "%08lx", (long unsigned int)imaEvent->name_len);
+ p += sizeof(uint32_t) * 2;
+
+ Array_Print(p, NULL, FALSE, (uint8_t *)imaEvent->name, imaEvent->name_len);
+ p += imaEvent->name_len * 2;
+
+ sprintf(p, "%08lx", (long unsigned int)imaEvent->template_data_len);
+ p += sizeof(uint32_t) * 2;
+
+ Array_Print(p, NULL, FALSE, imaEvent->template_data, imaEvent->template_data_len);
+ p += imaEvent->template_data_len * 2;
+ /* printf("IMA_Event_ToString: result\n:%s:\n", *eventString); */
+ }
+ return rc;
+}
+
+#endif
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/imalib.h b/libstb/tss2/ibmtpm20tss/utils/imalib.h
new file mode 100644
index 0000000..5796f70
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/imalib.h
@@ -0,0 +1,222 @@
+/********************************************************************************/
+/* */
+/* IMA Routines */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef IMA_H
+#define IMA_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <sys/param.h>
+
+#include <ibmtss/TPM_Types.h>
+
+/* FIXME meed OS independent value */
+/* Debian/Hurd does not define MAXPATHLEN */
+#ifndef MAXPATHLEN
+#define MAXPATHLEN 4096
+#endif
+
+#define IMA_PCR 10
+/* IMA currently supports only SHA-1 and SHA-256 */
+#define IMA_PCR_BANKS 2
+
+/* FIXME need verification */
+#define TCG_EVENT_NAME_LEN_MAX 255
+
+#define TCG_TEMPLATE_DATA_LEN_MAX (sizeof(ImaTemplateData))
+
+/* from security/integrity/integrity.h: */
+
+enum evm_ima_xattr_type {
+ IMA_XATTR_DIGEST = 0x01,
+ EVM_XATTR_HMAC,
+ EVM_IMA_XATTR_DIGSIG,
+ IMA_XATTR_DIGEST_NG,
+ IMA_XATTR_LAST
+};
+
+/* from include/uapi/linux/hash_info.h: */
+
+enum hash_algo {
+ HASH_ALGO_MD4,
+ HASH_ALGO_MD5,
+ HASH_ALGO_SHA1,
+ HASH_ALGO_RIPE_MD_160,
+ HASH_ALGO_SHA256,
+ HASH_ALGO_SHA384,
+ HASH_ALGO_SHA512,
+ HASH_ALGO_SHA224,
+ HASH_ALGO_RIPE_MD_128,
+ HASH_ALGO_RIPE_MD_256,
+ HASH_ALGO_RIPE_MD_320,
+ HASH_ALGO_WP_256,
+ HASH_ALGO_WP_384,
+ HASH_ALGO_WP_512,
+ HASH_ALGO_TGR_128,
+ HASH_ALGO_TGR_160,
+ HASH_ALGO_TGR_192,
+ HASH_ALGO__LAST
+};
+
+/* IMA template names */
+
+#define IMA_UNSUPPORTED 0
+#define IMA_FORMAT_IMA_NG 1
+#define IMA_FORMAT_IMA_SIG 2
+#define IMA_FORMAT_IMA 3
+#define IMA_FORMAT_MODSIG 4
+#define IMA_FORMAT_BUF 5
+
+//typedef TPM_DIGEST TPM_PCRVALUE; /* The value inside of the PCR */
+
+typedef struct ImaEvent {
+ uint32_t pcrIndex;
+ uint8_t digest[SHA1_DIGEST_SIZE]; /* IMA hard coded to SHA-1 */
+ uint32_t name_len;
+ char name[TCG_EVENT_NAME_LEN_MAX + 1];
+ unsigned int nameInt; /* integer for template data handler */
+ struct ima_template_desc *template_desc; /* template descriptor */
+ uint32_t template_data_len;
+ uint8_t *template_data; /* template related data */
+} ImaEvent;
+
+typedef struct ImaTemplateDNG {
+ uint32_t hashLength;
+ char hashAlg[64+1]; /* FIXME need verification */
+ TPMI_ALG_HASH hashAlgId;
+ uint32_t fileDataHashLength;
+ uint8_t fileDataHash[SHA256_DIGEST_SIZE];
+} ImaTemplateDNG;
+
+typedef struct ImaTemplateNNG {
+ uint32_t fileNameLength;
+ uint8_t fileName[MAXPATHLEN+1];
+} ImaTemplateNNG;
+
+typedef struct ImaTemplateSIG {
+ uint32_t sigLength;
+ uint32_t sigHeaderLength;
+ uint8_t sigHeader[9]; /* FIXME need verification, length and contents */
+ uint16_t signatureSize;
+ uint8_t signature[256]; /* FIXME need verification */
+} ImaTemplateSIG;
+
+typedef struct ImaTemplateDMODSIG {
+ uint32_t dModSigHashLength;
+ char dModSigHashAlg[64+1]; /* FIXME need verification */
+ TPMI_ALG_HASH dModSigHashAlgId;
+ uint32_t dModSigFileDataHashLength;
+ uint8_t dModSigFileDataHash[SHA256_DIGEST_SIZE];
+} ImaTemplateDMODSIG;
+
+typedef struct ImaTemplateMODSIG {
+ uint32_t modSigLength;
+ uint8_t modSigData[4096]; /* FIXME guess */
+
+} ImaTemplateMODSIG;
+
+typedef struct ImaTemplateBUF {
+ uint32_t bufLength;
+ uint8_t bufData[4096]; /* FIXME guess */
+} ImaTemplateBUF;
+
+typedef struct ImaTemplateData {
+ /* d-ng */
+ ImaTemplateDNG imaTemplateDNG;
+ /* n-ng */
+ ImaTemplateNNG imaTemplateNNG;
+ /* sig */
+ ImaTemplateSIG imaTemplateSIG;
+ /* d-modsig */
+ ImaTemplateDMODSIG imaTemplateDMODSIG;
+ /* modsig */
+ ImaTemplateMODSIG imaTemplateMODSIG;
+ /* buf */
+ ImaTemplateBUF imaTemplateBUF;
+
+} ImaTemplateData;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ void IMA_Event_Init(ImaEvent *imaEvent);
+ void IMA_Event_Free(ImaEvent *imaEvent);
+ void IMA_Event_Trace(ImaEvent *imaEvent, int traceTemplate);
+ void IMA_TemplateData_Init(ImaTemplateData *imaTemplateData);
+ void IMA_TemplateData_Trace(ImaTemplateData *imaTemplateData,
+ unsigned int nameInt);
+ uint32_t IMA_Event_ReadFile(ImaEvent *imaEvent,
+ int *endOfFile,
+ FILE *infile,
+ int littleEndian);
+ uint32_t IMA_Event_ReadBuffer(ImaEvent *imaEvent,
+ size_t *length,
+ uint8_t **buffer,
+ int *endOfBuffer,
+ int littleEndian,
+ int getTemplate);
+ uint32_t IMA_TemplateData_ReadBuffer(ImaTemplateData *imaTemplateData,
+ ImaEvent *imaEvent,
+ int littleEndian);
+ uint32_t IMA_Event_Write(ImaEvent *imaEvent,
+ FILE *outFile);
+ uint32_t IMA_Extend(TPMT_HA *imapcr,
+ ImaEvent *imaEvent,
+ TPMI_ALG_HASH hashAlg);
+ uint32_t IMA_VerifyImaDigest(uint32_t *badEvent,
+ ImaEvent *imaEvent,
+ int eventNum);
+ TPM_RC IMA_Event_Marshal(ImaEvent *source,
+ uint16_t *written, uint8_t **buffer, uint32_t *size);
+
+ uint32_t IMA_Event_PcrExtend(TPMT_HA pcrs[IMA_PCR_BANKS][IMPLEMENTATION_PCR],
+ ImaEvent *imaEvent);
+#if 0
+ uint32_t IMA_Event_ToString(char **eventString,
+ ImaEvent *imaEvent);
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
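Review bot: `TCG_TEMPLATE_DATA_LEN_MAX` near the top of the header expands to `sizeof(ImaTemplateData)`, a type not declared until the end of the file, so it compiles only because macro expansion is deferred, and what it yields is the in-memory size of the parsed structure (including the `MAXPATHLEN+1` file-name buffer), not a wire-format bound. I would move the define below the `ImaTemplateData` typedef and annotate it `/* in-memory size of the parsed template, not an on-the-wire limit */` so a caller does not treat it as a protocol maximum. The arrays marked `FIXME guess` (`modSigData[4096]`, `bufData[4096]`) are bounds-checked by `IMA_ParseMODSIG` and `IMA_ParseBUF`, which reject an entry whose length exceeds `sizeof` the field with `TSS_RC_INSUFFICIENT_BUFFER`, so an oversized log entry fails rather than overflows; a one-line comment on the arrays stating that the parsers enforce the size would help whoever resizes them. `ImaEvent.template_data` is a bare pointer with no ownership note; the `IMA_Event_Free()` prototype suggests the event owns and releases it, which the struct comment should say once confirmed against the implementation.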
diff --git a/libstb/tss2/ibmtpm20tss/utils/import.c b/libstb/tss2/ibmtpm20tss/utils/import.c
new file mode 100644
index 0000000..3ffb8b5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/import.c
@@ -0,0 +1,377 @@
+/********************************************************************************/
+/* */
+/* Import */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Import_In in;
+ Import_Out out;
+ TPMI_DH_OBJECT parentHandle = 0;
+ const char *parentPassword = NULL;
+ const char *encryptionKeyFilename = NULL;
+ const char *objectPublicFilename = NULL;
+ const char *duplicateFilename = NULL;
+ const char *inSymSeedFilename = NULL;
+ const char *outPrivateFilename = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ /* Table 129 - Definition of TPMT_SYM_DEF_OBJECT Structure */
+ in.symmetricAlg.algorithm = TPM_ALG_NULL;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hp") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &parentHandle);
+ }
+ else {
+ printf("Missing parameter for -hp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ parentPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ik") == 0) {
+ i++;
+ if (i < argc) {
+ encryptionKeyFilename = argv[i];
+ }
+ else {
+ printf("-ik option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ipu") == 0) {
+ i++;
+ if (i < argc) {
+ objectPublicFilename = argv[i];
+ }
+ else {
+ printf("-ipu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-id") == 0) {
+ i++;
+ if (i < argc) {
+ duplicateFilename = argv[i];
+ }
+ else {
+ printf("-id option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-iss") == 0) {
+ i++;
+ if (i < argc) {
+ inSymSeedFilename = argv[i];
+ }
+ else {
+ printf("-iss option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-salg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"aes") == 0) {
+ in.symmetricAlg.algorithm = TPM_ALG_AES;
+ in.symmetricAlg.keyBits.aes = 128;
+ in.symmetricAlg.mode.aes = TPM_ALG_CFB;
+ }
+ else {
+ printf("Bad parameter %s for -salg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-salg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opr") == 0) {
+ i++;
+ if (i < argc) {
+ outPrivateFilename = argv[i];
+ }
+ else {
+ printf("-opr option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((in.symmetricAlg.algorithm == TPM_ALG_NULL) &&
+ (encryptionKeyFilename != NULL)) {
+ printf("-ik needs -salg\n");
+ printUsage();
+ }
+ if ((in.symmetricAlg.algorithm != TPM_ALG_NULL) &&
+ (encryptionKeyFilename == NULL)) {
+ printf("-salg needs -ik\n");
+ printUsage();
+ }
+ if (parentHandle == 0) {
+ printf("Missing or bad object handle parameter -hp\n");
+ printUsage();
+ }
+ if (objectPublicFilename == NULL) {
+ printf("Missing parameter -ipu\n");
+ printUsage();
+ }
+ if (duplicateFilename == NULL) {
+ printf("Missing parameter -id\n");
+ printUsage();
+ }
+ if (inSymSeedFilename == NULL) {
+ printf("Missing parameter -iss\n");
+ printUsage();
+ }
+ if (outPrivateFilename == NULL) {
+ printf("Missing parameter -opr\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.parentHandle = parentHandle;
+ }
+ /* optional symmetric encryption key */
+ if (rc == 0) {
+ if (encryptionKeyFilename != NULL) {
+ rc = TSS_File_Read2B(&in.encryptionKey.b,
+ sizeof(in.encryptionKey.t.buffer),
+ encryptionKeyFilename);
+ }
+ else {
+ in.encryptionKey.t.size = 0;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadStructureFlag(&in.objectPublic,
+ (UnmarshalFunctionFlag_t)TSS_TPM2B_PUBLIC_Unmarshalu,
+ FALSE, /* NULL not permitted */
+ objectPublicFilename);
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.duplicate.b,
+ sizeof(in.duplicate.t.buffer),
+ duplicateFilename);
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.inSymSeed.b,
+ sizeof(in.inSymSeed.t.secret),
+ inSymSeedFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Import,
+ sessionHandle0, parentPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_File_WriteStructure(&out.outPrivate,
+ (MarshalFunction_t)TSS_TPM2B_PRIVATE_Marshalu,
+ outPrivateFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("import: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("import: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("import\n");
+ printf("\n");
+ printf("Runs TPM2_Import\n");
+ printf("\n");
+ printf("\t-hp\tparent handle\n");
+ printf("\t[-pwdp\tpassword for parent (default empty)]\n");
+ printf("\t[-ik\tencryption key in file name]\n");
+ printf("\t-ipu\tobject public area file name\n");
+ printf("\t-id\tduplicate file name\n");
+ printf("\t-iss\tsymmetric seed file name\n");
+ printf("\t[-salg\tsymmetric algorithm (default none)]\n");
+ printf("\t-opr\tprivate area file name\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/importpem.c b/libstb/tss2/ibmtpm20tss/utils/importpem.c
new file mode 100644
index 0000000..d0ec66d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/importpem.c
@@ -0,0 +1,482 @@
+/********************************************************************************/
+/* */
+/* Import a PEM keypair */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* Use OpenSSL to create an RSA or ECC keypair like this
+
+ > openssl genrsa -out tmpprivkey.pem -aes256 -passout pass:rrrr 2048
+ > openssl ecparam -name prime256v1 -genkey -noout |
+ openssl pkey -aes256 -passout pass:rrrr -text > tmpecprivkey.pem
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+#include "cryptoutils.h"
+#include "objecttemplates.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Import_In in;
+ Import_Out out;
+ TPMI_DH_OBJECT parentHandle = 0;
+ const char *parentPassword = NULL;
+ const char *pemKeyFilename = NULL;
+ const char *pemKeyPassword = ""; /* default empty password */
+ const char *outPublicFilename = NULL;
+ const char *outPrivateFilename = NULL;
+ const char *policyFilename = NULL;
+ int keyType = TYPE_SI;
+ uint32_t keyTypeSpecified = 0;
+ TPMI_ALG_SIG_SCHEME scheme = TPM_ALG_RSASSA;
+ TPMI_ALG_PUBLIC algPublic = TPM_ALG_RSA;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMI_ALG_HASH nalg = TPM_ALG_SHA256;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+ FILE *pemKeyFile = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hp") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &parentHandle);
+ }
+ else {
+ printf("Missing parameter for -hp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ parentPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ipem") == 0) {
+ i++;
+ if (i < argc) {
+ pemKeyFilename = argv[i];
+ }
+ else {
+ printf("-ipem option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-rsa") == 0) {
+ algPublic = TPM_ALG_RSA;
+ }
+ else if (strcmp(argv[i], "-ecc") == 0) {
+ algPublic = TPM_ALG_ECC;
+ scheme = TPM_ALG_ECDSA;
+ }
+ else if (strcmp(argv[i],"-scheme") == 0) {
+ if (keyType == TYPE_SI) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsassa") == 0) {
+ scheme = TPM_ALG_RSASSA;
+ }
+ else if (strcmp(argv[i],"rsapss") == 0) {
+ scheme = TPM_ALG_RSAPSS;
+ }
+ else {
+ printf("Bad parameter %s for -scheme\n", argv[i]);
+ printUsage();
+ }
+ }
+ }
+ else {
+ printf("-scheme can only be specified for signing key\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-st") == 0) {
+ keyType = TYPE_ST;
+ scheme = TPM_ALG_NULL;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-den") == 0) {
+ keyType = TYPE_DEN;
+ scheme = TPM_ALG_NULL;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-si") == 0) {
+ keyType = TYPE_SI;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ pemKeyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opu") == 0) {
+ i++;
+ if (i < argc) {
+ outPublicFilename = argv[i];
+ }
+ else {
+ printf("-opu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opr") == 0) {
+ i++;
+ if (i < argc) {
+ outPrivateFilename = argv[i];
+ }
+ else {
+ printf("-opr option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pol") == 0) {
+ i++;
+ if (i < argc) {
+ policyFilename = argv[i];
+ }
+ else {
+ printf("-pol option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nalg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ nalg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ nalg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ nalg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ nalg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -nalg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-nalg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (parentHandle == 0) {
+ printf("Missing or bad object handle parameter -hp\n");
+ printUsage();
+ }
+ if (pemKeyFilename == NULL) {
+ printf("Missing parameter -ipem\n");
+ printUsage();
+ }
+ if (keyTypeSpecified > 1) {
+ printf("Too many key attributes\n");
+ printUsage();
+ }
+ if (outPublicFilename == NULL) {
+ printf("Missing parameter -opu\n");
+ printUsage();
+ }
+ if (outPrivateFilename == NULL) {
+ printf("Missing parameter -opr\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.parentHandle = parentHandle;
+ in.encryptionKey.t.size = 0;
+ in.inSymSeed.t.size = 0;
+ in.symmetricAlg.algorithm = TPM_ALG_NULL;
+ }
+ if (rc == 0) {
+ switch (algPublic) {
+ case TPM_ALG_RSA:
+ rc = convertRsaPemToKeyPair(&in.objectPublic,
+ &in.duplicate,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ pemKeyFilename,
+ pemKeyPassword);
+ break;
+#ifndef TPM_TSS_NOECC
+ case TPM_ALG_ECC:
+ rc = convertEcPemToKeyPair(&in.objectPublic,
+ &in.duplicate,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ pemKeyFilename,
+ pemKeyPassword);
+ break;
+#endif /* TPM_TSS_NOECC */
+ default:
+ printf("-rsa algorithm %04x not supported\n", algPublic);
+ rc = TPM_RC_ASYMMETRIC;
+ }
+ }
+ /* instantiate optional policy */
+ if (rc == 0) {
+ rc = getPolicy(&in.objectPublic.publicArea, policyFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Import,
+ sessionHandle0, parentPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /* output the TPM2B_PUBLIC */
+ if (rc == 0) {
+ rc = TSS_File_WriteStructure(&in.objectPublic,
+ (MarshalFunction_t)TSS_TPM2B_PUBLIC_Marshalu,
+ outPublicFilename);
+ }
+ /* output the TPM2B_PRIVATE, which is now wrapped by the parent */
+ if (rc == 0) {
+ rc = TSS_File_WriteStructure(&out.outPrivate,
+ (MarshalFunction_t)TSS_TPM2B_PRIVATE_Marshalu,
+ outPrivateFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("importpem: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("importpem: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ if (pemKeyFile != NULL) {
+ fclose(pemKeyFile); /* @2 */
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("importpem\n");
+ printf("\n");
+ printf("Runs TPM2_Import for a PEM key\n");
+ printf("\n");
+ printf("\t-hp\tparent handle\n");
+ printf("\t[-pwdp\tpassword for parent (default empty)]\n");
+ printf("\t-ipem\tPEM format key pair\n");
+ printf("\n");
+ printf("\t[Asymmetric Key Algorithm]\n");
+ printf("\n");
+ printf("\t[-rsa\t(default)]\n");
+ printf("\t[-ecc\t]\n");
+ printf("\n");
+ printf("\t[-si\tsigning (default)]\n");
+ printf("\t[-scheme signing scheme (rsassa rsapss) (RSA default RSASSA) (ECC ECDSA)]\n");
+ printf("\t[-st\tstorage (NULL scheme)]\n");
+ printf("\t[-den\tdecryption, (unrestricted, RSA and ECC NULL scheme)\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t-opu\tpublic area file name\n");
+ printf("\t-opr\tprivate area file name\n");
+ printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-pol\tpolicy file (default empty)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
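Review bot: The key pair converted from the PEM file is handed to TPM2_Import with `in.encryptionKey.t.size = 0`, `in.inSymSeed.t.size = 0` and `in.symmetricAlg.algorithm = TPM_ALG_NULL`, which means no inner wrapper and no outer wrapper, so the private material in `in.duplicate` crosses the command path in the clear unless the caller supplies a session with command parameter encryption; the block that sets those defaults deserves a comment such as `/* no inner or outer wrapper: the duplicate is sent unencrypted, so use a -se0 session with attribute 20 (command decrypt) when the TPM path is not trusted */`, and the usage text should say the same next to the `-se[0-2]` line. Two smaller items in the same hunk: `pemKeyFile` is declared and closed at the end of main but never opened, so that variable and the `fclose` block are dead, and the `default:` case of the `switch (algPublic)` prints `"-rsa algorithm %04x not supported\n"` although it is the path taken for `-ecc` when TPM_TSS_NOECC is defined, so `printf("algorithm %04x not supported\n", algPublic);` would be accurate. The `-den` line in printUsage is also missing its closing `]`.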
diff --git a/libstb/tss2/ibmtpm20tss/utils/load.c b/libstb/tss2/ibmtpm20tss/utils/load.c
new file mode 100644
index 0000000..1b87c8d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/load.c
@@ -0,0 +1,280 @@
+/********************************************************************************/
+/* */
+/* Load */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: load.c 1324 2018-08-31 16:36:12Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Load_In in;
+ Load_Out out;
+ TPMI_DH_OBJECT parentHandle = 0;
+ const char *publicKeyFilename = NULL;
+ const char *privateKeyFilename = NULL;
+ const char *parentPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hp") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &parentHandle);
+ }
+ else {
+ printf("Missing parameter for -hp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ parentPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ipu") == 0) {
+ i++;
+ if (i < argc) {
+ publicKeyFilename = argv[i];
+ }
+ else {
+ printf("-ipu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ipr") == 0) {
+ i++;
+ if (i < argc) {
+ privateKeyFilename = argv[i];
+ }
+ else {
+ printf("-ipr option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (parentHandle == 0) {
+ printf("Missing handle parameter -hp\n");
+ printUsage();
+ }
+ if (privateKeyFilename == NULL) {
+ printf("Missing private key parameter -ipr\n");
+ printUsage();
+ }
+ if (publicKeyFilename == NULL) {
+ printf("Missing private key parameter -ipu\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadStructure(&in.inPrivate,
+ (UnmarshalFunction_t)TSS_TPM2B_PRIVATE_Unmarshalu,
+ privateKeyFilename);
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadStructureFlag(&in.inPublic,
+ (UnmarshalFunctionFlag_t)TSS_TPM2B_PUBLIC_Unmarshalu,
+ FALSE, /* NULL not permitted */
+ publicKeyFilename);
+ }
+ if (rc == 0) {
+ in.parentHandle = parentHandle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Load,
+ sessionHandle0, parentPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ printf("Handle %08x\n", out.objectHandle);
+ if (tssUtilsVerbose) printf("load: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("load: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("load\n");
+ printf("\n");
+ printf("Runs TPM2_Load\n");
+ printf("\n");
+ printf("\t-hp\tparent handle\n");
+ printf("\t[-pwdp\tpassword for parent key (default empty)]\n");
+ printf("\t-ipu\tpublic key file name\n");
+ printf("\t-ipr\tprivate key file name\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
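Review bot: The check for a missing `-ipu` reports the wrong parameter: `printf("Missing private key parameter -ipu\n");` should read `printf("Missing public key parameter -ipu\n");`, since `-ipu` is the public key file and the preceding check already covers `-ipr`. Separately, the `sscanf(argv[i],"%x", ...)` calls for `-hp` and the `-se[0-2]` handles ignore the return value, so a non-hex argument silently leaves the default in place (only `-hp` is caught later by the `parentHandle == 0` test); checking `!= 1` and calling printUsage() in each case would make a typo fail loudly rather than quietly run the command with the password session.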
diff --git a/libstb/tss2/ibmtpm20tss/utils/loadexternal.c b/libstb/tss2/ibmtpm20tss/utils/loadexternal.c
new file mode 100644
index 0000000..5d29c13
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/loadexternal.c
@@ -0,0 +1,542 @@
+/********************************************************************************/
+/* */
+/* Load External */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+ DER example:
+
+ Create a key pair in PEM format
+
+ > openssl genrsa -out keypair.pem -aes256 -passout pass:rrrr 2048
+ > openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem
+
+ Convert to plaintext DER format
+
+ > openssl rsa -inform pem -outform der -in keypair.pem -out keypair.der -passin pass:rrrr
+ > openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+/* Windows 10 crypto API clashes with openssl */
+#ifdef TPM_WINDOWS
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include "objecttemplates.h"
+#include "cryptoutils.h"
+#include "ekutils.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ LoadExternal_In in;
+ LoadExternal_Out out;
+ char hierarchyChar = 0;
+ TPMI_RH_HIERARCHY hierarchy = TPM_RH_NULL;
+ int keyType = TYPE_SI;
+ TPMI_ALG_SIG_SCHEME scheme = TPM_ALG_RSASSA;
+ uint32_t keyTypeSpecified = 0;
+ TPMI_ALG_PUBLIC algPublic = TPM_ALG_RSA;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMI_ALG_HASH nalg = TPM_ALG_SHA256;
+ const char *publicKeyFilename = NULL;
+ const char *derKeyFilename = NULL;
+ const char *pemKeyFilename = NULL;
+ const char *keyPassword = NULL;
+ int userWithAuth = TRUE;
+ unsigned int inputCount = 0;
+ int noSpace = FALSE;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ if (argv[i][0] != 'e' && argv[i][0] != 'o' &&
+ argv[i][0] != 'p' && argv[i][0] != 'n') {
+ printUsage();
+ }
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nalg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ nalg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ nalg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ nalg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ nalg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -nalg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-nalg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-rsa") == 0) {
+ algPublic = TPM_ALG_RSA;
+ }
+ else if (strcmp(argv[i], "-ecc") == 0) {
+ algPublic = TPM_ALG_ECC;
+ }
+ else if (strcmp(argv[i],"-scheme") == 0) {
+ if (keyType == TYPE_SI) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsassa") == 0) {
+ scheme = TPM_ALG_RSASSA;
+ }
+ else if (strcmp(argv[i],"rsapss") == 0) {
+ scheme = TPM_ALG_RSAPSS;
+ }
+ else {
+ printf("Bad parameter %s for -scheme\n", argv[i]);
+ printUsage();
+ }
+ }
+ }
+ else {
+ printf("-scheme can only be specified for signing key\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-st") == 0) {
+ keyType = TYPE_ST;
+ scheme = TPM_ALG_NULL;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-den") == 0) {
+ keyType = TYPE_DEN;
+ scheme = TPM_ALG_NULL;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-si") == 0) {
+ keyType = TYPE_SI;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i],"-ipu") == 0) {
+ i++;
+ if (i < argc) {
+ publicKeyFilename = argv[i];
+ inputCount++;
+ }
+ else {
+ printf("-ipu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ipem") == 0) {
+ i++;
+ if (i < argc) {
+ pemKeyFilename = argv[i];
+ inputCount++;
+ }
+ else {
+ printf("-ipem option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ider") == 0) {
+ i++;
+ if (i < argc) {
+ derKeyFilename = argv[i];
+ inputCount++;
+ }
+ else {
+ printf("-ider option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-uwa") == 0) {
+ userWithAuth = FALSE;
+ }
+ else if (strcmp(argv[i],"-ns") == 0) {
+ noSpace = TRUE;
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (inputCount != 1) {
+ printf("Missing or too many parameters -ipu, -ipem, -ider\n");
+ printUsage();
+ }
+ if (keyTypeSpecified > 1) {
+ printf("Too many key attributes\n");
+ printUsage();
+ }
+ if (derKeyFilename == NULL) {
+ if (keyPassword != NULL) {
+ printf("Password only valid for -ider keypair\n");
+ printUsage();
+ }
+ }
+ /* loadexternal key pair cannot be restricted (storage key) and must have NULL symmetric
+ scheme*/
+ if (derKeyFilename != NULL) {
+ if (keyType == TYPE_ST) {
+ keyType = TYPE_DEN;
+ }
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ if (hierarchyChar == 'e') {
+ hierarchy = TPM_RH_ENDORSEMENT;
+ }
+ else if (hierarchyChar == 'o') {
+ hierarchy = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ hierarchy = TPM_RH_PLATFORM;
+ }
+ else if (hierarchyChar == 'n') {
+ hierarchy = TPM_RH_NULL;
+ }
+ }
+ if (rc == 0) {
+ in.inPrivate.t.size = 0; /* default - mark optional inPrivate not used */
+ /* TPM format key, output from create */
+ if (publicKeyFilename != NULL) {
+ rc = TSS_File_ReadStructureFlag(&in.inPublic,
+ (UnmarshalFunctionFlag_t)TSS_TPM2B_PUBLIC_Unmarshalu,
+ TRUE, /* NULL permitted */
+ publicKeyFilename);
+ }
+ /* PEM format, output from e.g. openssl, readpublic, createprimary, create */
+ else if (pemKeyFilename != NULL) {
+ switch (algPublic) {
+ case TPM_ALG_RSA:
+ rc = convertRsaPemToPublic(&in.inPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ pemKeyFilename);
+ break;
+#ifndef TPM_TSS_NOECC
+ case TPM_ALG_ECC:
+ rc = convertEcPemToPublic(&in.inPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ pemKeyFilename);
+ break;
+#endif /* TPM_TSS_NOECC */
+ default:
+ printf("-rsa algorithm %04x not supported\n", algPublic);
+ rc = TPM_RC_ASYMMETRIC;
+ }
+ }
+ /* DER format key pair */
+ else if (derKeyFilename != NULL) {
+ in.inPrivate.t.size = 1; /* mark that private area should be loaded */
+ switch (algPublic) {
+ case TPM_ALG_RSA:
+ rc = convertRsaDerToKeyPair(&in.inPublic,
+ &in.inPrivate,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ derKeyFilename,
+ keyPassword);
+ break;
+#ifndef TPM_TSS_NOECC
+ case TPM_ALG_ECC:
+ rc = convertEcDerToKeyPair(&in.inPublic,
+ &in.inPrivate,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ derKeyFilename,
+ keyPassword);
+ break;
+#endif /* TPM_TSS_NOECC */
+ default:
+ printf("-rsa algorithm %04x not supported\n", algPublic);
+ rc = TPM_RC_ASYMMETRIC;
+ }
+ }
+ else {
+ printf("Failure parsing -ipu, -ipem, -ider\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ if (!userWithAuth) {
+ in.inPublic.publicArea.objectAttributes.val &= ~TPMA_OBJECT_USERWITHAUTH;
+ }
+ in.hierarchy = hierarchy;
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMT_PUBLIC_Print(&in.inPublic.publicArea, 0);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_LoadExternal,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ printf("Handle %08x\n", out.objectHandle);
+ if (noSpace) {
+ unsigned int b;
+ for (b = 0 ; b < out.name.t.size ; b++) {
+ printf("%02x", out.name.t.name[b]);
+ }
+ printf("\n");
+ }
+ if (tssUtilsVerbose) printf("loadexternal: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("loadexternal: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("loadexternal\n");
+ printf("\n");
+ printf("Runs TPM2_LoadExternal\n");
+ printf("\n");
+ printf("\t[-hi\thierarchy (e, o, p, n) (default NULL)]\n");
+ printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\n");
+ printf("\t[Asymmetric Key Algorithm]\n");
+ printf("\n");
+ printf("\t[-rsa\t(default)]\n");
+ printf("\t[-ecc\t]\n");
+ printf("\n");
+ printf("\t-ipu\tTPM2B_PUBLIC public key file name\n");
+ printf("\t-ipem\tPEM format public key file name\n");
+ printf("\t-ider\tDER format plaintext key pair file name\n");
+ printf("\t[-pwdk\tpassword for DER key (default empty)]\n");
+ printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
+ printf("\t[-si\tsigning (default) RSA]\n");
+ printf("\t[-scheme for signing key (default RSASSA scheme)]\n");
+ printf("\t\trsassa\n");
+ printf("\t\trsapss\n");
+ printf("\t[-st\tstorage (default NULL scheme)]\n");
+ printf("\t[-den\tdecryption, (unrestricted, RSA and EC NULL scheme)\n");
+ printf("\t[-ns\tadditionally print Name in hex ascii on one line]\n");
+ printf("\t\tUseful to paste into policy\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ printf("\t80\taudit\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/makecredential.c b/libstb/tss2/ibmtpm20tss/utils/makecredential.c
new file mode 100644
index 0000000..292ac97
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/makecredential.c
@@ -0,0 +1,303 @@
+/********************************************************************************/
+/* */
+/* MakeCredential */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ MakeCredential_In in;
+ MakeCredential_Out out;
+ TPMI_DH_OBJECT pubHandle = 0;
+ const char *inputCredentialFilename = NULL;
+ const char *nameFilename = NULL;
+ const char *outputCredentialFilename = NULL;
+ const char *secretFilename = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-in") == 0) {
+ i++;
+ if (i < argc) {
+ nameFilename = argv[i];
+ }
+ else {
+ printf("-in option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-icred") == 0) {
+ i++;
+ if (i < argc) {
+ inputCredentialFilename = argv[i];
+ }
+ else {
+ printf("-icred option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ocred") == 0) {
+ i++;
+ if (i < argc) {
+ outputCredentialFilename = argv[i];
+ }
+ else {
+ printf("-ocred option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-os") == 0) {
+ i++;
+ if (i < argc) {
+ secretFilename = argv[i];
+ }
+ else {
+ printf("-os option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &pubHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (pubHandle == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (inputCredentialFilename == NULL) {
+ printf("Missing name parameter -icred\n");
+ printUsage();
+ }
+ if (nameFilename == NULL) {
+ printf("Missing name parameter -in\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.handle = pubHandle;
+ }
+ /* read the credential information */
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.credential.b,
+ sizeof(in.credential.t.buffer),
+ inputCredentialFilename);
+ }
+ /* read the object Name */
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.objectName.b,
+ sizeof(in.objectName.t.name),
+ nameFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_MakeCredential,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /* optionally save the credential */
+ if ((rc == 0) && (outputCredentialFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.credentialBlob,
+ (MarshalFunction_t)TSS_TPM2B_ID_OBJECT_Marshalu,
+ outputCredentialFilename);
+ }
+ /* optionally save the secret */
+ if ((rc == 0) && (secretFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.secret,
+ (MarshalFunction_t)TSS_TPM2B_ENCRYPTED_SECRET_Marshalu,
+ secretFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("makecredential: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("makecredential: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("makecredential\n");
+ printf("\n");
+ printf("Runs TPM2_MakeCredential\n");
+ printf("\n");
+ printf("\t-ha\thandle of encryption key public area\n");
+ printf("\t-icred\tinput credential file name\n");
+ printf("\t-in\tobject name file name\n");
+ printf("\t[-ocred\t output credential file name (default do not save)]\n");
+ printf("\t[-os\tsecret file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
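Review bot: The `sscanf(argv[i],"%x", &pubHandle)` call under `-ha` (and the same pattern under `-se0`, `-se1`, `-se2`) never checks that a conversion happened, so a malformed argument is silently ignored: for `-ha` the handle stays 0 and is only caught later by the generic "Missing handle parameter" check, while for the session options a bad handle silently stays `TPM_RH_NULL` and the command runs with no session at all, i.e. without the encryption or audit the caller asked for on the command line. Suggest checking the return, e.g. `if (sscanf(argv[i], "%x", &pubHandle) != 1) { printf("Bad parameter %s for -ha\n", argv[i]); printUsage(); }`, and the equivalent for each `sessionHandleN` and `sessionAttributesN`. The same parsing pattern appears in the other utilities of this subtree (loadexternal.c above), so the fix presumably belongs in a shared helper rather than per file.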
diff --git a/libstb/tss2/ibmtpm20tss/utils/makefile-common b/libstb/tss2/ibmtpm20tss/utils/makefile-common
new file mode 100644
index 0000000..3f6fc65
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/makefile-common
@@ -0,0 +1,99 @@
+#################################################################################
+# #
+# #
+# TPM2 Library and Utilities makefile - Common to TPM 1.2 and 2.0 variations #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: makefile-common 1294 2018-08-09 19:08:34Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2014, 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# compile - common flags for TSS library and applications
+
+CCFLAGS += \
+ -Wall -W -Wmissing-declarations -Wmissing-prototypes -Wnested-externs \
+ -Wformat=2 -Wold-style-definition -Wno-self-assign \
+ -Werror=declaration-after-statement -Wvla \
+ -ggdb -O0 -c
+
+# to compile with optimizations on (warning will result)
+# -O3 -c
+# to compile with plaintext session state (see documentation)
+# -DTPM_ENCRYPT_SESSIONS_DEFAULT="\"0\""
+
+# link - common flags for Posix and Windows, for TSS library and applications
+
+#LNFLAGS += -ggdb
+
+ALL += $(LIBTSS) \
+ $(LIBTSSA) \
+ $(LIBTSSUTILS)
+
+# TSS shared library headers
+
+TSS_HEADERS += \
+ tssauth.h \
+ tssccattributes.h \
+ tssdev.h \
+ tsssocket.h \
+ ibmtss/tss.h \
+ ibmtss/tsscryptoh.h \
+ ibmtss/tsscrypto.h \
+ ibmtss/tsserror.h \
+ ibmtss/tssfile.h \
+ ibmtss/tssmarshal.h \
+ ibmtss/tssprint.h \
+ ibmtss/tssprintcmd.h \
+ tssproperties.h \
+ ibmtss/tsstransmit.h \
+ ibmtss/tssresponsecode.h \
+ ibmtss/tssutils.h \
+ ibmtss/Unmarshal_fp.h \
+ ibmtss/Implementation.h
+
+# TSS shared library object files
+
+TSS_OBJS += tss.o \
+ tssproperties.o \
+ tssmarshal.o \
+ tssauth.o \
+ tssutils.o \
+ tsssocket.o \
+ tssdev.o \
+ tsstransmit.o \
+ tssresponsecode.o \
+ tssccattributes.o \
+ tssprint.o \
+ Unmarshal.o \
+ CommandAttributeData.o
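Review bot: The common `CCFLAGS` force `-ggdb -O0 -c` on the TSS library and every utility, and the comment above only mentions `-O3` as an alternative; at `-O0` the glibc `_FORTIFY_SOURCE` bounds checks are not active at all, so the unmarshalling code this library is built around (`Unmarshal.o`, `tssmarshal.o`) gets none of that runtime protection in a default build. Since this makefile is now vendored into firmware tooling, consider changing the default to `-O2` and adding a hardening line such as `-D_FORTIFY_SOURCE=2 -fstack-protector-strong`, keeping `-O0` behind a debug variable; the "(warning will result)" remark suggests upstream has seen warnings at higher optimisation, so those would need to be triaged first.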
diff --git a/libstb/tss2/ibmtpm20tss/utils/makefile-common12 b/libstb/tss2/ibmtpm20tss/utils/makefile-common12
new file mode 100644
index 0000000..b08a265
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/makefile-common12
@@ -0,0 +1,70 @@
+#################################################################################
+# #
+# #
+# TPM2 Library and Utilities makefile - Common to all variations #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: makefile-common12 1257 2018-06-27 20:52:08Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2014, 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# link - common flags for Posix and Windows, for TSS library and applications
+
+#LNFLAGS += -ggdb
+
+ALL +=
+
+# TSS shared library headers
+
+TSS_HEADERS += \
+ tss12.h \
+ tssauth12.h \
+ tssccattributes12.h \
+ ibmtss/tssmarshal12.h \
+ ibmtss/Unmarshal12_fp.h \
+ ibmtss/Parameters12.h \
+ ibmtss/tpmstructures12.h \
+ ibmtss/tpmconstants12.h \
+ ibmtss/tpmtypes12.h
+
+# TSS shared library object files
+
+TSS_OBJS += tss12.o \
+ tssauth12.o \
+ tssmarshal12.o \
+ Unmarshal12.o \
+ Commands12.o \
+ tssccattributes12.o \
+ CommandAttributeData12.o
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/makefile-common20 b/libstb/tss2/ibmtpm20tss/utils/makefile-common20
new file mode 100644
index 0000000..191fd48
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/makefile-common20
@@ -0,0 +1,180 @@
+#################################################################################
+# #
+# #
+# TPM 2.0 Library and Utilities makefile - Common to all variations #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2014 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# link - common flags for Posix and Windows, for TSS library and applications
+
+#LNFLAGS += -ggdb
+
+ALL += activatecredential$(EXE) \
+ eventextend$(EXE) \
+ imaextend$(EXE) \
+ certify$(EXE) \
+ certifycreation$(EXE) \
+ certifyx509$(EXE) \
+ changeeps$(EXE) \
+ changepps$(EXE) \
+ clear$(EXE) \
+ clearcontrol$(EXE) \
+ clockrateadjust$(EXE) \
+ clockset$(EXE) \
+ commit$(EXE) \
+ contextload$(EXE) \
+ contextsave$(EXE) \
+ create$(EXE) \
+ createloaded$(EXE) \
+ createprimary$(EXE) \
+ dictionaryattacklockreset$(EXE) \
+ dictionaryattackparameters$(EXE) \
+ duplicate$(EXE) \
+ eccparameters$(EXE) \
+ ecephemeral$(EXE) \
+ encryptdecrypt$(EXE) \
+ evictcontrol$(EXE) \
+ eventsequencecomplete$(EXE) \
+ flushcontext$(EXE) \
+ getcommandauditdigest$(EXE) \
+ getcapability$(EXE) \
+ getrandom$(EXE) \
+ gettestresult$(EXE) \
+ getsessionauditdigest$(EXE) \
+ gettime$(EXE) \
+ hash$(EXE) \
+ hashsequencestart$(EXE) \
+ hierarchycontrol$(EXE) \
+ hierarchychangeauth$(EXE) \
+ hmac$(EXE) \
+ hmacstart$(EXE) \
+ import$(EXE) \
+ importpem$(EXE) \
+ load$(EXE) \
+ loadexternal$(EXE) \
+ makecredential$(EXE) \
+ nvcertify$(EXE) \
+ nvchangeauth$(EXE) \
+ nvdefinespace$(EXE) \
+ nvextend$(EXE) \
+ nvglobalwritelock$(EXE) \
+ nvincrement$(EXE) \
+ nvread$(EXE) \
+ nvreadlock$(EXE) \
+ nvreadpublic$(EXE) \
+ nvsetbits$(EXE) \
+ nvundefinespace$(EXE) \
+ nvundefinespacespecial$(EXE) \
+ nvwrite$(EXE) \
+ nvwritelock$(EXE) \
+ objectchangeauth$(EXE) \
+ pcrallocate$(EXE) \
+ pcrevent$(EXE) \
+ pcrextend$(EXE) \
+ pcrread$(EXE) \
+ pcrreset$(EXE) \
+ policyauthorize$(EXE) \
+ policyauthvalue$(EXE) \
+ policycommandcode$(EXE) \
+ policycphash$(EXE) \
+ policynamehash$(EXE) \
+ policycountertimer$(EXE) \
+ policyduplicationselect$(EXE) \
+ policygetdigest$(EXE) \
+ policymaker$(EXE) \
+ policymakerpcr$(EXE) \
+ policynv$(EXE) \
+ policyauthorizenv$(EXE) \
+ policynvwritten$(EXE) \
+ policypassword$(EXE) \
+ policypcr$(EXE) \
+ policyor$(EXE) \
+ policyrestart$(EXE) \
+ policysigned$(EXE) \
+ policysecret$(EXE) \
+ policytemplate$(EXE) \
+ policyticket$(EXE) \
+ powerup$(EXE) \
+ quote$(EXE) \
+ readclock$(EXE) \
+ readpublic$(EXE) \
+ returncode$(EXE) \
+ rewrap$(EXE) \
+ rsadecrypt$(EXE) \
+ rsaencrypt$(EXE) \
+ sequencecomplete$(EXE) \
+ sequenceupdate$(EXE) \
+ setcommandcodeauditstatus$(EXE) \
+ setprimarypolicy$(EXE) \
+ shutdown$(EXE) \
+ sign$(EXE) \
+ startauthsession$(EXE) \
+ startup$(EXE) \
+ stirrandom$(EXE) \
+ unseal$(EXE) \
+ verifysignature$(EXE) \
+ zgen2phase$(EXE) \
+ \
+ signapp$(EXE) \
+ writeapp$(EXE) \
+ timepacket$(EXE) \
+ createek$(EXE) \
+ createekcert$(EXE) \
+ tpm2pem$(EXE) \
+ tpmpublic2eccpoint$(EXE) \
+ publicname$(EXE) \
+ getcryptolibrary$(EXE) \
+ printattr$(EXE) \
+ tpmcmd$(EXE)
+
+ALL += \
+ ntc2getconfig$(EXE) \
+ ntc2preconfig$(EXE) \
+ ntc2lockconfig$(EXE)
+
+# TSS shared library headers
+
+TSS_HEADERS += \
+ tss20.h \
+ tssauth20.h
+
+# TSS shared library object files
+
+TSS_OBJS += tss20.o \
+ tssauth20.o \
+ Commands.o \
+ ntc2lib.o \
+ tssntc.o
diff --git a/libstb/tss2/ibmtpm20tss/utils/makefile.mac b/libstb/tss2/ibmtpm20tss/utils/makefile.mac
new file mode 100644
index 0000000..7af69c1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/makefile.mac
@@ -0,0 +1,454 @@
+#################################################################################
+# #
+# Mac TPM2 Utilities Makefile #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2017 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# C compiler
+
+CC = /usr/bin/gcc
+
+# compile - common flags for TSS library and applications
+
+CCFLAGS += -DTPM_POSIX
+
+# example of pointing to a locally built openssl 1.1
+# CCFLAGS += -I/home/kgold/openssl-1.1.0c/include
+
+# compile - for TSS library
+
+# include the hardening flag PIC needed for compiling for dynamic
+# linking
+
+CCLFLAGS += -I. \
+ -fPIC \
+ -I/usr/local/Cellar/openssl/1.0.2m/include/
+
+# to compile out printf's. Regression test will fail because it tries
+# to print a structure -DTPM_TSS_NO_PRINT
+
+# example of changing the default interface type
+# -DTPM_INTERFACE_TYPE_DEFAULT="\"dev\""
+
+# compile - for applications
+
+# include the hardening flag PIE needed for compiling for
+# static linking
+
+CCAFLAGS += -I. \
+ -fPIE \
+ -I/usr/local/Cellar/openssl/1.0.2m/include/
+
+# link - common flags flags TSS library and applications
+
+LNFLAGS += -DTPM_POSIX \
+ -L.
+
+# This seems to be required on some Ubuntu distros due to an issue with the gold linker
+# -fuse-ld=bfd
+
+# example of pointing to a locally built openssl 1.1
+# LNFLAGS += -L/home/kgold/openssl-1.1.0c
+# This also requires setting the environment variable LD_LIBRARY_PATH. E.g.,
+# setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:/home/kgold/openssl-1.1.0c
+
+# link - for TSS library
+
+# hardening flags for linking shared objects
+#LNLFLAGS += -shared -Wl,-z,now
+LNLFLAGS += -shared
+
+# This is an alternative to using the bfd linker on Ubuntu
+LNLLIBS += -lcrypto
+
+# link - for applications, TSS path, TSS and OpenSSl libraries
+
+# hardening flags for linking executables
+#LNAFLAGS += -pie -Wl,-z,now -Wl,-rpath,.
+#LNAFLAGS += -pie
+LNAFLAGS += -L/usr/local/Cellar/openssl/1.0.2m/lib
+LNLFLAGS += -L/usr/local/Cellar/openssl/1.0.2m/lib
+LNALIBS += -libmtss -lcrypto
+
+# shared library
+
+# versioned shared library
+LIBTSSVERSIONED=libibmtss.dylib.0.1
+
+# soname field of the shared library
+# which will be made symbolic link to the versioned shared library
+# this is used to provide version backward-compatibility information
+LIBTSSSONAME=libibmtss.dylib.0
+
+# symbolic link to the versioned shared library
+# this allows linking to the shared library with '-libmtss'
+
+#os := $(shell uname -o)
+#ifeq ($(os),Cygwin)
+# LIBTSS=libibmtss.dll
+#else
+# LIBTSS=libibmtss.so
+#endif
+LIBTSS=libibmtss.dylib
+
+# executable extension
+
+EXE =
+
+#
+
+TSS_HEADERS=
+
+# default TSS library
+
+TSS_OBJS = tssfile.o \
+ tsscryptoh.o \
+ tsscrypto.o \
+ tssprintcmd.o
+
+# common to all builds
+
+include makefile-common
+include makefile-common20
+
+# default build target
+
+all: $(ALL)
+
+# TSS shared library source
+
+tss.o: $(TSS_HEADERS) tss.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss.c
+tssproperties.o: $(TSS_HEADERS) tssproperties.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssproperties.c
+tssauth.o: $(TSS_HEADERS) tssauth.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth.c
+tssmarshal.o: $(TSS_HEADERS) tssmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssmarshal.c
+tsscryptoh.o: $(TSS_HEADERS) tsscryptoh.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscryptoh.c
+tsscrypto.o: $(TSS_HEADERS) tsscrypto.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscrypto.c
+tssutils.o: $(TSS_HEADERS) tssutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssutils.c
+tssfile.o: $(TSS_HEADERS) tssfile.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssfile.c
+tsssocket.o: $(TSS_HEADERS) tsssocket.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsssocket.c
+tssdev.o: $(TSS_HEADERS) tssdev.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssdev.c
+tsstransmit.o: $(TSS_HEADERS) tsstransmit.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsstransmit.c
+tssresponsecode.o: $(TSS_HEADERS) tssresponsecode.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssresponsecode.c
+tssccattributes.o: $(TSS_HEADERS) tssccattributes.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssccattributes.c
+tssprint.o: $(TSS_HEADERS) tssprint.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssprint.c
+Unmarshal.o: $(TSS_HEADERS) Unmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Unmarshal.c
+Commands.o: $(TSS_HEADERS) Commands.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Commands.c
+CommandAttributeData.o: $(TSS_HEADERS) CommandAttributeData.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) CommandAttributeData.c
+ntc2lib.o: $(TSS_HEADERS) ntc2lib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) ntc2lib.c
+tssntc.o: $(TSS_HEADERS) tssntc.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssntc.c
+
+# TSS shared library build
+
+$(LIBTSS): $(TSS_OBJS)
+ $(CC) $(LNFLAGS) $(LNLFLAGS) -Wl,-install_name,$(LIBTSSSONAME) -o $(LIBTSSVERSIONED) $(TSS_OBJS) $(LNLLIBS)
+ rm -f $(LIBTSSSONAME)
+ ln -sf $(LIBTSSVERSIONED) $(LIBTSSSONAME)
+ rm -f $(LIBTSS)
+ ln -sf $(LIBTSSSONAME) $(LIBTSS)
+
+.PHONY: clean
+.PRECIOUS: %.o
+
+clean:
+ rm -f *.o *~ \
+ h*.bin \
+ $(LIBTSSSONAME) \
+ $(LIBTSSVERSIONED) \
+ $(ALL)
+
+# applications
+
+activatecredential: ibmtss/tss.h activatecredential.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) activatecredential.o $(LNALIBS) -o activatecredential
+eventextend: eventextend.o eventlib.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) eventextend.o $(LNALIBS) -o eventextend
+imaextend: imaextend.o imalib.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) imaextend.o $(LNALIBS) -o imaextend
+certify: ibmtss/tss.h certify.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) certify.o $(LNALIBS) -o certify
+certifycreation: ibmtss/tss.h certifycreation.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) certifycreation.o $(LNALIBS) -o certifycreation
+certifyx509: ibmtss/tss.h certifyx509.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) certifyx509.o $(LNALIBS) -o certifyx509
+changeeps: ibmtss/tss.h changeeps.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) changeeps.o $(LNALIBS) -o changeeps
+changepps: ibmtss/tss.h changepps.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) changepps.o $(LNALIBS) -o changepps
+clear: ibmtss/tss.h clear.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clear.o $(LNALIBS) -o clear
+clearcontrol: ibmtss/tss.h clearcontrol.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clearcontrol.o $(LNALIBS) -o clearcontrol
+clockrateadjust: ibmtss/tss.h clockrateadjust.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clockrateadjust.o $(LNALIBS) -o clockrateadjust
+clockset: ibmtss/tss.h clockset.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clockset.o $(LNALIBS) -o clockset
+commit: ibmtss/tss.h commit.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) commit.o $(LNALIBS) -o commit
+contextload: ibmtss/tss.h contextload.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) contextload.o $(LNALIBS) -o contextload
+contextsave: ibmtss/tss.h contextsave.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) contextsave.o $(LNALIBS) -o contextsave
+create: ibmtss/tss.h create.o objecttemplates.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) create.o objecttemplates.o cryptoutils.o $(LNALIBS) -o create
+createloaded: ibmtss/tss.h createloaded.o objecttemplates.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createloaded.o objecttemplates.o cryptoutils.o $(LNALIBS) -o createloaded
+createprimary: ibmtss/tss.h createprimary.o objecttemplates.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createprimary.o objecttemplates.o cryptoutils.o $(LNALIBS) -o createprimary
+dictionaryattacklockreset: ibmtss/tss.h dictionaryattacklockreset.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) dictionaryattacklockreset.o $(LNALIBS) -o dictionaryattacklockreset
+dictionaryattackparameters: ibmtss/tss.h dictionaryattackparameters.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) dictionaryattackparameters.o $(LNALIBS) -o dictionaryattackparameters
+duplicate: ibmtss/tss.h duplicate.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) duplicate.o $(LNALIBS) -o duplicate
+eccparameters: ibmtss/tss.h eccparameters.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) eccparameters.o $(LNALIBS) -o eccparameters
+ecephemeral: ibmtss/tss.h ecephemeral.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ecephemeral.o $(LNALIBS) -o ecephemeral
+encryptdecrypt: ibmtss/tss.h encryptdecrypt.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) encryptdecrypt.o $(LNALIBS) -o encryptdecrypt
+eventsequencecomplete: ibmtss/tss.h eventsequencecomplete.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) eventsequencecomplete.o $(LNALIBS) -o eventsequencecomplete
+evictcontrol: ibmtss/tss.h evictcontrol.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) evictcontrol.o $(LNALIBS) -o evictcontrol
+flushcontext: ibmtss/tss.h flushcontext.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) flushcontext.o $(LNALIBS) -o flushcontext
+getcommandauditdigest: ibmtss/tss.h getcommandauditdigest.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getcommandauditdigest.o $(LNALIBS) -o getcommandauditdigest
+getcapability: ibmtss/tss.h getcapability.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getcapability.o $(LNALIBS) -o getcapability
+getrandom: ibmtss/tss.h getrandom.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getrandom.o $(LNALIBS) -o getrandom
+gettestresult: ibmtss/tss.h gettestresult.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) gettestresult.o $(LNALIBS) -o gettestresult
+getsessionauditdigest: ibmtss/tss.h getsessionauditdigest.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getsessionauditdigest.o $(LNALIBS) -o getsessionauditdigest
+gettime: ibmtss/tss.h gettime.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) gettime.o $(LNALIBS) -o gettime
+hashsequencestart: ibmtss/tss.h hashsequencestart.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hashsequencestart.o $(LNALIBS) -o hashsequencestart
+hash: ibmtss/tss.h hash.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hash.o $(LNALIBS) -o hash
+hierarchycontrol: ibmtss/tss.h hierarchycontrol.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hierarchycontrol.o $(LNALIBS) -o hierarchycontrol
+hierarchychangeauth: ibmtss/tss.h hierarchychangeauth.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hierarchychangeauth.o $(LNALIBS) -o hierarchychangeauth
+hmac: ibmtss/tss.h hmac.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hmac.o $(LNALIBS) -o hmac
+hmacstart: ibmtss/tss.h hmacstart.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hmacstart.o $(LNALIBS) -o hmacstart
+import: ibmtss/tss.h import.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) import.o $(LNALIBS) -o import
+importpem: ibmtss/tss.h importpem.o objecttemplates.o ekutils.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) importpem.o objecttemplates.o ekutils.o cryptoutils.o $(LNALIBS) -o importpem
+load: ibmtss/tss.h load.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) load.o $(LNALIBS) -o load
+loadexternal: ibmtss/tss.h loadexternal.o cryptoutils.o ekutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) loadexternal.o cryptoutils.o ekutils.o $(LNALIBS) -o loadexternal
+makecredential: ibmtss/tss.h makecredential.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) makecredential.o $(LNALIBS) -o makecredential
+nvcertify: ibmtss/tss.h nvcertify.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvcertify.o $(LNALIBS) -o nvcertify
+nvchangeauth: ibmtss/tss.h nvchangeauth.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvchangeauth.o $(LNALIBS) -o nvchangeauth
+nvdefinespace: ibmtss/tss.h nvdefinespace.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvdefinespace.o $(LNALIBS) -o nvdefinespace
+nvextend: ibmtss/tss.h nvextend.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvextend.o $(LNALIBS) -o nvextend
+nvglobalwritelock: ibmtss/tss.h nvglobalwritelock.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvglobalwritelock.o $(LNALIBS) -o nvglobalwritelock
+nvincrement: ibmtss/tss.h nvincrement.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvincrement.o $(LNALIBS) -o nvincrement
+nvread: ibmtss/tss.h nvread.o cryptoutils.o ekutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvread.o cryptoutils.o ekutils.o $(LNALIBS) -o nvread
+nvreadlock: ibmtss/tss.h nvreadlock.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvreadlock.o $(LNALIBS) -o nvreadlock
+nvreadpublic: ibmtss/tss.h nvreadpublic.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvreadpublic.o $(LNALIBS) -o nvreadpublic
+nvsetbits: ibmtss/tss.h nvsetbits.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvsetbits.o $(LNALIBS) -o nvsetbits
+nvundefinespace: ibmtss/tss.h nvundefinespace.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvundefinespace.o $(LNALIBS) -o nvundefinespace
+nvundefinespacespecial: ibmtss/tss.h nvundefinespacespecial.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvundefinespacespecial.o $(LNALIBS) -o nvundefinespacespecial
+nvwrite: ibmtss/tss.h nvwrite.o cryptoutils.o ekutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvwrite.o cryptoutils.o ekutils.o $(LNALIBS) -o nvwrite
+nvwritelock: ibmtss/tss.h nvwritelock.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvwritelock.o $(LNALIBS) -o nvwritelock
+objectchangeauth: ibmtss/tss.h objectchangeauth.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) objectchangeauth.o $(LNALIBS) -o objectchangeauth
+pcrallocate: ibmtss/tss.h pcrallocate.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrallocate.o $(LNALIBS) -o pcrallocate
+pcrevent: ibmtss/tss.h pcrevent.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrevent.o $(LNALIBS) -o pcrevent
+pcrextend: ibmtss/tss.h pcrextend.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrextend.o $(LNALIBS) -o pcrextend
+pcrread: ibmtss/tss.h pcrread.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrread.o $(LNALIBS) -o pcrread
+pcrreset: ibmtss/tss.h pcrreset.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrreset.o $(LNALIBS) -o pcrreset
+policyauthorize: ibmtss/tss.h policyauthorize.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyauthorize.o $(LNALIBS) -o policyauthorize
+policyauthvalue: ibmtss/tss.h policyauthvalue.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyauthvalue.o $(LNALIBS) -o policyauthvalue
+policycommandcode: ibmtss/tss.h policycommandcode.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policycommandcode.o $(LNALIBS) -o policycommandcode
+policycphash: ibmtss/tss.h policycphash.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policycphash.o $(LNALIBS) -o policycphash
+policynamehash: ibmtss/tss.h policynamehash.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policynamehash.o $(LNALIBS) -o policynamehash
+policycountertimer : ibmtss/tss.h policycountertimer.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policycountertimer.o $(LNALIBS) -o policycountertimer
+policyduplicationselect: ibmtss/tss.h policyduplicationselect.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyduplicationselect.o $(LNALIBS) -o policyduplicationselect
+policygetdigest: ibmtss/tss.h policygetdigest.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policygetdigest.o $(LNALIBS) -o policygetdigest
+policymaker: ibmtss/tss.h policymaker.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policymaker.o $(LNALIBS) -o policymaker
+policymakerpcr: ibmtss/tss.h policymakerpcr.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policymakerpcr.o $(LNALIBS) -o policymakerpcr
+policyauthorizenv: ibmtss/tss.h policyauthorizenv.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyauthorizenv.o $(LNALIBS) -o policyauthorizenv
+policynv: ibmtss/tss.h policynv.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policynv.o $(LNALIBS) -o policynv
+policynvwritten: ibmtss/tss.h policynvwritten.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policynvwritten.o $(LNALIBS) -o policynvwritten
+policyor: ibmtss/tss.h policyor.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyor.o $(LNALIBS) -o policyor
+policypassword: ibmtss/tss.h policypassword.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policypassword.o $(LNALIBS) -o policypassword
+policypcr: ibmtss/tss.h policypcr.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policypcr.o $(LNALIBS) -o policypcr
+policyrestart: ibmtss/tss.h policyrestart.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyrestart.o $(LNALIBS) -o policyrestart
+policysigned: ibmtss/tss.h policysigned.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policysigned.o $(LNALIBS) -o policysigned
+policysecret: ibmtss/tss.h policysecret.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policysecret.o $(LNALIBS) -o policysecret
+policytemplate: ibmtss/tss.h policytemplate.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policytemplate.o $(LNALIBS) -o policytemplate
+policyticket: ibmtss/tss.h policyticket.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyticket.o $(LNALIBS) -o policyticket
+quote: ibmtss/tss.h quote.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) quote.o $(LNALIBS) -o quote
+powerup: ibmtss/tss.h powerup.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) powerup.o $(LNALIBS) -o powerup
+readclock: ibmtss/tss.h readclock.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) readclock.o $(LNALIBS) -o readclock
+readpublic: ibmtss/tss.h readpublic.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) readpublic.o cryptoutils.o $(LNALIBS) -o readpublic
+returncode: ibmtss/tss.h returncode.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) returncode.o $(LNALIBS) -o returncode
+rewrap: ibmtss/tss.h rewrap.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) rewrap.o $(LNALIBS) -o rewrap
+rsadecrypt: ibmtss/tss.h rsadecrypt.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) rsadecrypt.o $(LNALIBS) -o rsadecrypt
+rsaencrypt: ibmtss/tss.h rsaencrypt.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) rsaencrypt.o $(LNALIBS) -o rsaencrypt
+sequenceupdate: ibmtss/tss.h sequenceupdate.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) sequenceupdate.o $(LNALIBS) -o sequenceupdate
+sequencecomplete: ibmtss/tss.h sequencecomplete.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) sequencecomplete.o $(LNALIBS) -o sequencecomplete
+setprimarypolicy: ibmtss/tss.h setprimarypolicy.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) setprimarypolicy.o $(LNALIBS) -o setprimarypolicy
+setcommandcodeauditstatus: ibmtss/tss.h setcommandcodeauditstatus.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) setcommandcodeauditstatus.o $(LNALIBS) -o setcommandcodeauditstatus
+shutdown: ibmtss/tss.h shutdown.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) shutdown.o $(LNALIBS) -o shutdown
+sign: ibmtss/tss.h sign.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) sign.o cryptoutils.o $(LNALIBS) -o sign
+startauthsession: ibmtss/tss.h startauthsession.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) startauthsession.o $(LNALIBS) -o startauthsession
+startup: ibmtss/tss.h startup.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) startup.o $(LNALIBS) -o startup
+stirrandom: ibmtss/tss.h stirrandom.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) stirrandom.o $(LNALIBS) -o stirrandom
+unseal: ibmtss/tss.h unseal.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) unseal.o $(LNALIBS) -o unseal
+verifysignature: ibmtss/tss.h verifysignature.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) verifysignature.o cryptoutils.o $(LNALIBS) -o verifysignature
+zgen2phase: ibmtss/tss.h zgen2phase.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) zgen2phase.o cryptoutils.o $(LNALIBS) -o zgen2phase
+signapp: ibmtss/tss.h signapp.o ekutils.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) signapp.o ekutils.o cryptoutils.o $(LNALIBS) -o signapp
+writeapp: ibmtss/tss.h writeapp.o ekutils.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) writeapp.o ekutils.o cryptoutils.o $(LNALIBS) -o writeapp
+timepacket: ibmtss/tss.h timepacket.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) timepacket.o $(LNALIBS) -o timepacket
+createek: createek.o cryptoutils.o ekutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createek.o cryptoutils.o ekutils.o $(LNALIBS) -o createek
+createekcert: createekcert.o cryptoutils.o ekutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createekcert.o cryptoutils.o ekutils.o $(LNALIBS) -o createekcert
+tpm2pem: tpm2pem.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) tpm2pem.o cryptoutils.o $(LNALIBS) -o tpm2pem
+tpmpublic2eccpoint: tpmpublic2eccpoint.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) tpmpublic2eccpoint.o $(LNALIBS) -o tpmpublic2eccpoint
+ntc2getconfig: ntc2getconfig.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ntc2getconfig.o $(LNALIBS) -o ntc2getconfig
+ntc2preconfig: ntc2preconfig.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ntc2preconfig.o $(LNALIBS) -o ntc2preconfig
+ntc2lockconfig: ntc2lockconfig.o $(LIBTSS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ntc2lockconfig.o $(LNALIBS) -o ntc2lockconfig
+publicname: publicname.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) publicname.o $(LNALIBS) -o publicname
+getcryptolibrary: getcryptolibrary.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getcryptolibrary.o $(LNALIBS) -o getcryptolibrary
+printattr: printattr.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) printattr.o $(LNALIBS) -o printattr
+
+# for applications, not for TSS library
+
+%.o: %.c ibmtss/tss.h
+ $(CC) $(CCFLAGS) $(CCAFLAGS) $< -o $@
+
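Review bot: The shared library is linked with `-Wl,-install_name,$(LIBTSSSONAME)`, a bare leaf name, so every utility built here records `libibmtss.dylib.0` with no directory and dyld resolves it at run time through `DYLD_LIBRARY_PATH`, the current directory and the fallback directories (which as far as I recall default to `$HOME/lib` and `/usr/local/lib` — confirm on the target macOS version), which makes the TSS library substitutable by anyone who can write to those locations. The commented-out `-Wl,-rpath,.` under `LNAFLAGS` suggests a run-from-build-dir intent; the macOS way to express that without the search-path exposure is an `@rpath` install name plus an rpath on the executables: `-Wl,-install_name,@rpath/$(LIBTSSSONAME)` in the `$(LIBTSS)` rule and `LNAFLAGS += -Wl,-rpath,@executable_path` (or an absolute install directory) for the applications. Separately, the include and library paths are pinned to `/usr/local/Cellar/openssl/1.0.2m`, an OpenSSL branch that is no longer maintained, so a comment that this version needs updating rather than copying would help. The comment naming `LD_LIBRARY_PATH` next to the OpenSSL 1.1 example is the Linux variable; on macOS the equivalent is `DYLD_LIBRARY_PATH`.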
diff --git a/libstb/tss2/ibmtpm20tss/utils/makefile.mak b/libstb/tss2/ibmtpm20tss/utils/makefile.mak
new file mode 100644
index 0000000..8e43d5c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/makefile.mak
@@ -0,0 +1,255 @@
+#################################################################################
+# #
+# Windows MinGW TPM2 Makefile OpenSSL 1.1.1 32-bit #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# Windows OpenSSL 1.1.1 32-bit with mingw
+
+# Please contribute a solution for OpenSSL 64-bit (Shining Light),
+# which does not include the mingw .a files.
+
+# For this to work, copy the file .../openssl/bin/libcrypto-1.1.dll to
+# libcrypto.dll. Please contribute a solution that does not require
+# this step.
+
+# C compiler
+
+CC = "c:/program files/mingw/bin/gcc.exe"
+
+# compile - common flags for TSS library and applications
+
+CCFLAGS += \
+ -DTPM_WINDOWS \
+ -I. \
+ -I"c:/program files/MinGW/include" \
+ -I"c:/program files/openssl/include" \
+
+# compile - for TSS library
+
+CCLFLAGS += \
+ -DTPM_TPM20
+
+# compile - for applications
+
+CCAFLAGS += \
+ -DTPM_TPM20
+
+# link - common flags flags TSS library and applications
+
+LNFLAGS += \
+ -D_MT \
+ -DTPM_WINDOWS \
+ -I.
+
+# link - for TSS library
+
+LNLFLAGS +=
+
+# link - for applications, TSS path, TSS and OpenSSl libraries
+
+LNAFLAGS +=
+
+LNLIBS = "c:/program files/openssl/lib/mingw/libcrypto.a" \
+ "c:/program files/MinGW/lib/libws2_32.a"
+
+# shared library
+
+LIBTSS=libibmtss.dll
+
+# executable extension
+
+EXE=.exe
+
+#
+
+ALL =
+
+# default TSS library
+
+TSS_OBJS = tssfile.o \
+ tsscryptoh.o \
+ tsscrypto.o \
+ tssprintcmd.o
+
+# common to all builds
+
+include makefile-common
+include makefile-common20
+
+#
+# Start Windows TBSI
+#
+
+# mingw libraries are apparently no longer compatible with Windows
+# Kits for TBS. Contributions are welcome. Until then, use the
+# Visual Studio solution for the hardware TPM.
+
+#TSS_OBJS += tsstbsi.o
+
+#CCFLAGS += -DTPM_WINDOWS_TBSI
+#CCFLAGS += -D_WIN32_WINNT=0x0600
+
+# Windows 10
+
+#CCFLAGS += -DTPM_WINDOWS_TBSI_WIN8
+#CCFLAGS += -I"c:\Program Files (x86)\Windows Kits\10\Include\10.0.17763.0\shared"
+
+#LNLIBS += "c:/Program Files (x86)/Windows Kits/10/Lib/10.0.17763.0/um/x64/tbs.lib"
+
+# Windows 7
+
+#CCFLAGS += -DTPM_WINDOWS_TBSI_WIN7
+
+#LNLIBS += c:/progra~1/Micros~2/Windows/v7.1/lib/Tbs.lib
+
+#
+# End Windows TBSI
+#
+
+# default build target
+
+all: $(ALL)
+
+# TSS shared library source
+
+tss.o: $(TSS_HEADERS) tss.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss.c
+tssproperties.o: $(TSS_HEADERS) tssproperties.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssproperties.c
+tssauth.o: $(TSS_HEADERS) tssauth.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth.c
+tssmarshal.o: $(TSS_HEADERS) tssmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssmarshal.c
+tsscryptoh.o: $(TSS_HEADERS) tsscryptoh.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscryptoh.c
+tsscrypto.o: $(TSS_HEADERS) tsscrypto.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscrypto.c
+tssutils.o: $(TSS_HEADERS) tssutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssutils.c
+tssfile.o: $(TSS_HEADERS) tssfile.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssfile.c
+tsssocket.o: $(TSS_HEADERS) tsssocket.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsssocket.c
+tssdev.o: $(TSS_HEADERS) tssdev.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssdev.c
+tsstransmit.o: $(TSS_HEADERS) tsstransmit.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsstransmit.c
+tssresponsecode.o: $(TSS_HEADERS) tssresponsecode.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssresponsecode.c
+tssccattributes.o: $(TSS_HEADERS) tssccattributes.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssccattributes.c
+tssprint.o: $(TSS_HEADERS) tssprint.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssprint.c
+Unmarshal.o: $(TSS_HEADERS) Unmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Unmarshal.c
+Commands.o: $(TSS_HEADERS) Commands.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Commands.c
+CommandAttributeData.o: $(TSS_HEADERS) CommandAttributeData.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) CommandAttributeData.c
+ntc2lib.o: $(TSS_HEADERS) ntc2lib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) ntc2lib.c
+tssntc.o: $(TSS_HEADERS) tssntc.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssntc.c
+
+# TPM 2.0
+
+tss20.o: $(TSS_HEADERS) tss20.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss20.c
+tssauth20.o: $(TSS_HEADERS) tssauth20.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth20.c
+
+# TSS shared library build
+
+$(LIBTSS): $(TSS_OBJS)
+ $(CC) $(LNFLAGS) $(LNLFLAGS) -shared -o $(LIBTSS) $(TSS_OBJS) \
+ -Wl,--out-implib,libibmtss.a $(LNLIBS)
+
+.PHONY: clean
+.PRECIOUS: %.o
+
+clean:
+ rm -f *.o \
+ $(LIBTSS) \
+ $(ALL)
+
+create.exe: create.o objecttemplates.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o objecttemplates.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+createloaded.exe: createloaded.o objecttemplates.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o objecttemplates.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+createprimary.exe: createprimary.o objecttemplates.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o objecttemplates.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+eventextend.exe: eventextend.o eventlib.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o eventlib.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+imaextend.exe: imaextend.o imalib.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o imalib.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+createek.exe: createek.o ekutils.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o ekutils.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+certifyx509.exe: certifyx509.o ekutils.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o ekutils.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+createekcert.exe: createekcert.o ekutils.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o ekutils.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+importpem.exe: importpem.o objecttemplates.o ekutils.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o objecttemplates.o ekutils.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+loadexternal.exe: loadexternal.o cryptoutils.o ekutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o cryptoutils.o ekutils.o $(LNLIBS) $(LIBTSS)
+
+nvread.exe: nvread.o ekutils.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o ekutils.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+nvwrite.exe: nvwrite.o ekutils.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o ekutils.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+signapp.exe: signapp.o ekutils.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o ekutils.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+writeapp.exe: writeapp.o ekutils.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o ekutils.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+%.exe: %.o applink.o cryptoutils.o $(LIBTSS)
+ $(CC) $(LNFLAGS) -L. -libmtss $< -o $@ applink.o cryptoutils.o $(LNLIBS) $(LIBTSS)
+
+%.o: %.c
+ $(CC) $(CCFLAGS) $(CCAFLAGS) $< -o $@
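Review bot: None of the `.exe` link rules (the explicit ones and the `%.exe` pattern) pass any ASLR/DEP linker flags, and `LNAFLAGS`, declared empty under "link - for applications", is never referenced by those rules, which expand only `$(LNFLAGS)`, so a hardening flag added in the obvious place would be silently dropped. MinGW binutils of this vintage do not, as far as I recall, default to `--dynamicbase`/`--nxcompat`, so `libibmtss.dll` and the utilities would load at a fixed base and without DEP opted in — confirm with `objdump -p` (DllCharacteristics) on a built binary. Suggested change: `LNFLAGS += -Wl,--dynamicbase,--nxcompat` next to the existing `-D_MT` line, and `$(CC) $(LNFLAGS) $(LNAFLAGS) -L. -libmtss $< -o $@ ...` in each `.exe` rule so the per-application variable actually takes effect. The header instruction to copy `libcrypto-1.1.dll` to `libcrypto.dll` (presumably into the build directory) also deserves a comment that Windows searches the application directory first, so whatever `libcrypto.dll` sits beside the executables is the one loaded and that directory must not be writable by less-privileged users.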
diff --git a/libstb/tss2/ibmtpm20tss/utils/makefile.min b/libstb/tss2/ibmtpm20tss/utils/makefile.min
new file mode 100644
index 0000000..32dd876
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/makefile.min
@@ -0,0 +1,178 @@
+#################################################################################
+# #
+# Linux TPM2 Utilities Makefile for minimal TSS #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2016 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# makefile to build a TSS library that does not require file read/write or crypto
+# within the library
+#
+# See the documentation for limitations.
+
+# C compiler
+
+CC = /usr/bin/gcc
+
+# compile - common flags for TSS library and applications
+
+CCFLAGS += \
+ -DTPM_POSIX \
+ -DTPM_TSS_NOFILE \
+ -DTPM_TSS_NOCRYPTO \
+ -DTPM_TSS_NORSA
+
+# -DTPM_NOSOCKET
+
+# compile - for TSS library
+
+CCLFLAGS += -I. \
+ -fPIC \
+ -DTPM_TPM20
+
+# compile - for applications
+
+CCAFLAGS += -I. \
+ -DTPM_TPM20 \
+ -fPIE
+
+# link - common flags flags TSS library and applications
+
+LNFLAGS += -DTPM_POSIX \
+ -L.
+
+# link - for TSS library
+
+# link - for applications, TSS path, TSS and OpenSSl libraries
+
+LNAFLAGS += -Wl,-rpath,.
+
+LNALIBS += -libmtssmin
+
+# shared library
+
+LIBTSS=libibmtssmin.so
+
+#
+
+ALL = $(LIBTSS)
+#TSS_HEADERS = ibmtss/tssfile.h
+
+# default TSS library
+
+TSS_OBJS = tssprintcmd.o
+
+
+# common to all builds
+
+include makefile-common
+include makefile-common20
+
+# default build target
+
+all: writeapp
+
+# TSS shared library source
+
+tss.o: $(TSS_HEADERS) tss.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tss.c
+tssproperties.o: $(TSS_HEADERS) tssproperties.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tssproperties.c
+tssauth.o: $(TSS_HEADERS) tssauth.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tssauth.c
+tssmarshal.o: $(TSS_HEADERS) tssmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tssmarshal.c
+tsscryptoh.o: $(TSS_HEADERS) tsscryptoh.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tsscryptoh.c
+tsscrypto.o: $(TSS_HEADERS) tsscrypto.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tsscrypto.c
+tssutils.o: $(TSS_HEADERS) tssutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tssutils.c
+tsssocket.o: $(TSS_HEADERS) tsssocket.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tsssocket.c
+tssdev.o: $(TSS_HEADERS) tssdev.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tssdev.c
+tsstransmit.o: $(TSS_HEADERS) tsstransmit.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tsstransmit.c
+tssresponsecode.o: $(TSS_HEADERS) tssresponsecode.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tssresponsecode.c
+tssccattributes.o: $(TSS_HEADERS) tssccattributes.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tssccattributes.c
+tssprint.o: $(TSS_HEADERS) tssprint.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tssprint.c
+tssprintcmd.o: $(TSS_HEADERS) tssprintcmd.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tssprintcmd.c
+Unmarshal.o: $(TSS_HEADERS) Unmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC Unmarshal.c
+Commands.o: $(TSS_HEADERS) Commands.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC Commands.c
+CommandAttributeData.o: $(TSS_HEADERS) CommandAttributeData.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC CommandAttributeData.c
+ntc2lib.o: $(TSS_HEADERS) ntc2lib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC ntc2lib.c
+tssntc.o: $(TSS_HEADERS) tssntc.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) -fPIC tssntc.c
+
+# TPM 2.0
+
+tss20.o: $(TSS_HEADERS) tss20.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss20.c
+tssauth20.o: $(TSS_HEADERS) tssauth20.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth20.c
+
+# TSS shared library build
+
+$(LIBTSS): $(TSS_OBJS)
+ $(CC) $(LNFLAGS) $(LNLFLAGS) -shared -o $(LIBTSS) $(TSS_OBJS)
+
+.PHONY: clean
+.PRECIOUS: %.o
+
+clean:
+ rm -f *.o \
+ $(ALL)
+
+# applications
+
+writeapp: ibmtss/tss.h writeapp.o tssutilsverbose.o $(LIBTSS)
+
+ $(CC) $(LNFLAGS) $(LNAFLAGS) writeapp.o tssutilsverbose.o \
+ $(LNALIBS) -o writeapp
+
+# for applications, not for TSS library
+
+%.o: %.c ibmtss/tss.h
+ $(CC) $(CCFLAGS) $(CCAFLAGS) $< -o $@
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/makefile.nofile b/libstb/tss2/ibmtpm20tss/utils/makefile.nofile
new file mode 100644
index 0000000..3d22cc4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/makefile.nofile
@@ -0,0 +1,243 @@
+#################################################################################
+# #
+# Linux TPM2 Utilities Makefile for TSS without files #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2016 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# makefile to build a TSS library that does not require file read/write.
+#
+# See the documentation for limitations.
+
+# C compiler
+
+CC = /usr/bin/gcc
+
+# compile - common flags for TSS library and applications
+
+CCFLAGS += -DTPM_POSIX \
+ -DTPM_TSS_NOFILE
+
+# -DTPM_NOSOCKET
+
+# compile - for TSS library
+
+# include the hardening flag PIC needed for compiling for dynamic
+# linking
+
+CCLFLAGS += -I. \
+ -fPIC \
+ -DTPM_TPM20
+
+# compile - for applications
+
+# include the hardening flag PIE needed for compiling for
+# static linking
+
+CCAFLAGS += -I. \
+ -DTPM_TPM20 \
+ -fPIE
+
+# link - common flags flags TSS library and applications
+
+LNFLAGS += -DTPM_POSIX \
+ -L.
+
+# link - for TSS library
+
+# hardening flags for linking shared objects
+LNLFLAGS += -shared -Wl,-z,now
+
+# This is an alternative to using the bfd linker on Ubuntu
+LNLLIBS += -lcrypto
+
+# link - for applications, TSS path, TSS and OpenSSl libraries
+
+LNAFLAGS += -pie -Wl,-z,now -Wl,-rpath,.
+
+LNALIBS += -libmtssutils -libmtssmin
+
+# versioned shared library
+LIBTSSVERSIONED=libibmtssmin.so.1.3
+
+# soname field of the shared library
+# which will be made symbolic link to the versioned shared library
+# this is used to provide version backward-compatibility information
+LIBTSSSONAME=libibmtssmin.so.1
+
+# symbolic link to the versioned shared library
+# this allows linking to the shared library with '-libmtss'
+
+os := $(shell uname -o)
+ifeq ($(os),Cygwin)
+ LIBTSS=libibmtssmin.dll
+else
+ LIBTSS=libibmtssmin.so
+endif
+
+# TSS utilities shared library
+
+LIBTSSUTILSVERSIONED=libibmtssutils.so.1.3
+LIBTSSUTILSSONAME=libibmtssutils.so.1
+LIBTSSUTILS=libibmtssutils.so
+
+# executable extension
+
+EXE =
+
+ALL = signapp writeapp
+
+TSS_HEADERS = ibmtss/tssfile.h
+
+# default TSS library
+
+TSS_OBJS = tsscryptoh.o \
+ tsscrypto.o \
+ tssprintcmd.o
+
+TSSUTILS_OBJS = cryptoutils.o \
+ ekutils.o \
+ imalib.o \
+ eventlib.o
+
+# common to all builds
+
+include makefile-common
+include makefile-common20
+
+# default build target
+
+all: signapp writeapp
+
+# TSS shared library source
+
+tss.o: $(TSS_HEADERS) tss.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss.c
+tssauth.o: $(TSS_HEADERS) tssauth.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth.c
+tssproperties.o: $(TSS_HEADERS) tssproperties.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssproperties.c
+tssmarshal.o: $(TSS_HEADERS) tssmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssmarshal.c
+tsscryptoh.o: $(TSS_HEADERS) tsscryptoh.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscryptoh.c
+tsscrypto.o: $(TSS_HEADERS) tsscrypto.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscrypto.c
+tssutils.o: $(TSS_HEADERS) tssutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssutils.c
+tsssocket.o: $(TSS_HEADERS) tsssocket.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsssocket.c
+tssdev.o: $(TSS_HEADERS) tssdev.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssdev.c
+tsstransmit.o: $(TSS_HEADERS) tsstransmit.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsstransmit.c
+tssresponsecode.o: $(TSS_HEADERS) tssresponsecode.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssresponsecode.c
+tssccattributes.o: $(TSS_HEADERS) tssccattributes.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssccattributes.c
+tssprint.o: $(TSS_HEADERS) tssprint.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssprint.c
+tssprintcmd.o: $(TSS_HEADERS) tssprintcmd.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssprintcmd.c
+Unmarshal.o: $(TSS_HEADERS) Unmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Unmarshal.c
+Commands.o: $(TSS_HEADERS) Commands.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Commands.c
+CommandAttributeData.o: $(TSS_HEADERS) CommandAttributeData.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) CommandAttributeData.c
+ntc2lib.o: $(TSS_HEADERS) ntc2lib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) ntc2lib.c
+tssntc.o: $(TSS_HEADERS) tssntc.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssntc.c
+
+# TPM 2.0
+
+tss20.o: $(TSS_HEADERS) tss20.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss20.c
+tssauth20.o: $(TSS_HEADERS) tssauth20.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth20.c
+
+# TSS utilities shared library source
+
+cryptoutils.o: $(TSS_HEADERS) cryptoutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) cryptoutils.c
+ekutils.o: $(TSS_HEADERS) ekutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) ekutils.c
+imalib.o: $(TSS_HEADERS) imalib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) imalib.c
+eventlib.o: $(TSS_HEADERS) eventlib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) eventlib.c
+
+# TSS shared library build
+
+$(LIBTSS): $(TSS_OBJS)
+ $(CC) $(LNFLAGS) $(LNLFLAGS) -Wl,-soname,$(LIBTSSSONAME) -o $(LIBTSSVERSIONED) $(TSS_OBJS) $(LNLLIBS)
+ rm -f $(LIBTSSSONAME)
+ ln -sf $(LIBTSSVERSIONED) $(LIBTSSSONAME)
+ rm -f $(LIBTSS)
+ ln -sf $(LIBTSSSONAME) $(LIBTSS)
+
+# TSS utilities shared library
+
+$(LIBTSSUTILS): $(TSSUTILS_OBJS)
+ $(CC) $(LNFLAGS) $(LNLFLAGS) -Wl,-soname,$(LIBTSSUTILSSONAME) -o $(LIBTSSUTILSVERSIONED) $(TSSUTILS_OBJS) $(LNLLIBS)
+ rm -f $(LIBTSSSUTILSONAME)
+ ln -sf $(LIBTSSUTILSVERSIONED) $(LIBTSSUTILSSONAME)
+ rm -f $(LIBTSSUTILS)
+ ln -sf $(LIBTSSUTILSSONAME) $(LIBTSSUTILS)
+
+.PHONY: clean
+.PRECIOUS: %.o
+
+clean:
+ rm -f *.o \
+ $(LIBTSSSONAME) \
+ $(LIBTSSVERSIONED) \
+ $(LIBTSSUTILSSONAME) \
+ $(LIBTSSUTILSVERSIONED) \
+ $(ALL)
+
+# applications
+
+signapp: ibmtss/tss.h signapp.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) signapp.o $(LNALIBS) -o signapp
+writeapp: ibmtss/tss.h writeapp.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) writeapp.o $(LNALIBS) -o writeapp
+
+# for applications, not for TSS library
+
+%.o: %.c ibmtss/tss.h
+ $(CC) $(CCFLAGS) $(CCAFLAGS) $< -o $@
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/makefiletpm12 b/libstb/tss2/ibmtpm20tss/utils/makefiletpm12
new file mode 100644
index 0000000..92e9b97
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/makefiletpm12
@@ -0,0 +1,265 @@
+#################################################################################
+# #
+# Linux TPM 1.2 TSS Makefile #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2018 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# C compiler
+
+CC = /usr/bin/gcc
+
+# compile - common flags for TSS library and applications
+
+CCFLAGS += -DTPM_POSIX
+
+# example of pointing to a locally built openssl 1.1
+# CCFLAGS += -I/home/kgold/openssl/include
+
+# compile - for TSS library
+
+# include the hardening flag PIC needed for compiling for dynamic
+# linking
+
+CCLFLAGS += -I. \
+ -fPIC \
+ -DTPM_TPM12
+
+# to compile out printf's. Regression test will fail because it tries
+# to print a structure -DTPM_TSS_NO_PRINT
+
+# example of changing the default interface type
+# -DTPM_INTERFACE_TYPE_DEFAULT="\"dev\""
+
+# compile - for applications
+
+# include the hardening flag PIE needed for compiling for
+# static linking
+
+CCAFLAGS += -I. \
+ -DTPM_TPM12 \
+ -fPIE
+
+# link - common flags flags TSS library and applications
+
+LNFLAGS += -DTPM_POSIX \
+ -L.
+
+# This seems to be required on some Ubuntu distros due to an issue with the gold linker
+# -fuse-ld=bfd
+
+# example of pointing to a locally built openssl 1.1
+# LNFLAGS += -L/home/kgold/openssl
+# This also requires setting the environment variable LD_LIBRARY_PATH. E.g.,
+# setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:/home/kgold/openssl-1.1.0c
+
+# link - for TSS library
+
+# hardening flags for linking shared objects
+LNLFLAGS += -shared -Wl,-z,now
+
+# This is an alternative to using the bfd linker on Ubuntu
+LNLLIBS += -lcrypto
+
+# link - for applications, TSS path, TSS and OpenSSl libraries
+
+# hardening flags for linking executables
+LNAFLAGS += -pie -Wl,-z,now -Wl,-rpath,.
+
+LNALIBS += -libmtss
+
+# shared library
+
+# versioned shared library
+LIBTSSVERSIONED=libibmtss.so.1.3
+
+# soname field of the shared library
+# which will be made symbolic link to the versioned shared library
+# this is used to provide version backward-compatibility information
+LIBTSSSONAME=libibmtss.so.1
+
+# symbolic link to the versioned shared library
+# this allows linking to the shared library with '-libmtss'
+
+os := $(shell uname -o)
+ifeq ($(os),Cygwin)
+ LIBTSS=libibmtss.dll
+else
+ LIBTSS=libibmtss.so
+endif
+
+# TSS utilities shared library
+
+LIBTSSUTILSVERSIONED=libibmtssutils.so.1.3
+LIBTSSUTILSSONAME=libibmtssutils.so.1
+LIBTSSUTILS=libibmtssutils.so
+
+# executable extension
+
+EXE =
+
+#
+
+ALL =
+TSS_HEADERS=
+
+# default TSS library
+
+TSS_OBJS = tssfile.o \
+ tsscryptoh.o \
+ tsscrypto.o
+
+TSSUTILS_OBJS = cryptoutils.o \
+ ekutils.o \
+ imalib.o \
+ eventlib.o
+
+# common to all builds
+
+include makefile-common
+include makefile-common12
+
+# default build target
+
+all: $(ALL)
+
+# TSS shared library source
+
+tss.o: $(TSS_HEADERS) tss.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss.c
+tssproperties.o: $(TSS_HEADERS) tssproperties.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssproperties.c
+tssauth.o: $(TSS_HEADERS) tssauth.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth.c
+tssmarshal.o: $(TSS_HEADERS) tssmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssmarshal.c
+tsscryptoh.o: $(TSS_HEADERS) tsscryptoh.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscryptoh.c
+tsscrypto.o: $(TSS_HEADERS) tsscrypto.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscrypto.c
+tssutils.o: $(TSS_HEADERS) tssutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssutils.c
+tssfile.o: $(TSS_HEADERS) tssfile.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssfile.c
+tsssocket.o: $(TSS_HEADERS) tsssocket.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsssocket.c
+tssdev.o: $(TSS_HEADERS) tssdev.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssdev.c
+tsstransmit.o: $(TSS_HEADERS) tsstransmit.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsstransmit.c
+tssresponsecode.o: $(TSS_HEADERS) tssresponsecode.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssresponsecode.c
+tssccattributes.o: $(TSS_HEADERS) tssccattributes.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssccattributes.c
+tssprint.o: $(TSS_HEADERS) tssprint.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssprint.c
+tssprintcmd.o: $(TSS_HEADERS) tssprintcmd.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssprintcmd.c
+Unmarshal.o: $(TSS_HEADERS) Unmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Unmarshal.c
+Commands.o: $(TSS_HEADERS) Commands.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Commands.c
+CommandAttributeData.o: $(TSS_HEADERS) CommandAttributeData.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) CommandAttributeData.c
+ntc2lib.o: $(TSS_HEADERS) ntc2lib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) ntc2lib.c
+tssntc.o: $(TSS_HEADERS) tssntc.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssntc.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss20.c
+# TPM 1.2
+
+tss12.o: $(TSS_HEADERS) tss12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss12.c
+tssauth12.o: $(TSS_HEADERS) tssauth12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth12.c
+tssmarshal12.o: $(TSS_HEADERS) tssmarshal12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssmarshal12.c
+Unmarshal12.o: $(TSS_HEADERS) Unmarshal12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Unmarshal12.c
+Commands12.o: $(TSS_HEADERS) Commands12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Commands12.c
+tssccattributes12.o: $(TSS_HEADERS) tssccattributes12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssccattributes12.c
+CommandAttributeData12.o: $(TSS_HEADERS) CommandAttributeData12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) CommandAttributeData12.c
+
+# TSS utilities shared library source
+
+cryptoutils.o: $(TSS_HEADERS) cryptoutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) cryptoutils.c
+ekutils.o: $(TSS_HEADERS) ekutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) ekutils.c
+imalib.o: $(TSS_HEADERS) imalib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) imalib.c
+eventlib.o: $(TSS_HEADERS) eventlib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) eventlib.c
+
+# TSS shared library build
+
+$(LIBTSS): $(TSS_OBJS)
+ $(CC) $(LNFLAGS) $(LNLFLAGS) -Wl,-soname,$(LIBTSSSONAME) -o $(LIBTSSVERSIONED) $(TSS_OBJS) $(LNLLIBS)
+ rm -f $(LIBTSSSONAME)
+ ln -sf $(LIBTSSVERSIONED) $(LIBTSSSONAME)
+ rm -f $(LIBTSS)
+ ln -sf $(LIBTSSSONAME) $(LIBTSS)
+
+# TSS utilities shared library
+
+$(LIBTSSUTILS): $(TSSUTILS_OBJS)
+ $(CC) $(LNFLAGS) $(LNLFLAGS) -Wl,-soname,$(LIBTSSUTILSSONAME) -o $(LIBTSSUTILSVERSIONED) $(TSSUTILS_OBJS) $(LNLLIBS)
+ rm -f $(LIBTSSSUTILSONAME)
+ ln -sf $(LIBTSSUTILSVERSIONED) $(LIBTSSUTILSSONAME)
+ rm -f $(LIBTSSUTILS)
+ ln -sf $(LIBTSSUTILSSONAME) $(LIBTSSUTILS)
+
+.PHONY: clean
+.PRECIOUS: %.o
+
+clean:
+ rm -f *.o *~ \
+ h*.bin \
+ $(LIBTSSSONAME) \
+ $(LIBTSSVERSIONED) \
+ $(LIBTSSUTILSSONAME) \
+ $(LIBTSSUTILSVERSIONED) \
+ $(ALL)
+
+# applications are in .../utils12
+
+# for applications, not for TSS library
+
+%.o: %.c ibmtss/tss.h
+ $(CC) $(CCFLAGS) $(CCAFLAGS) $< -o $@
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/makefiletpm20 b/libstb/tss2/ibmtpm20tss/utils/makefiletpm20
new file mode 100644
index 0000000..0af7c52
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/makefiletpm20
@@ -0,0 +1,494 @@
+#################################################################################
+# #
+# Linux TPM2 Utilities Makefile #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2014 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# C compiler
+
+CC = /usr/bin/gcc
+
+# compile - common flags for TSS library and applications
+
+CCFLAGS += -DTPM_POSIX
+
+# example of pointing to a locally built openssl 1.1
+# CCFLAGS += -I/home/kgold/openssl/include
+
+# compile - for TSS library
+
+# include the hardening flag PIC needed for compiling for dynamic
+# linking
+
+CCLFLAGS += -I. \
+ -fPIC \
+ -DTPM_TPM20
+
+# to compile out printf's. Regression test will fail because it tries
+# to print a structure -DTPM_TSS_NO_PRINT
+
+# example of changing the default interface type
+# -DTPM_INTERFACE_TYPE_DEFAULT="\"dev\""
+
+# compile - for applications
+
+# include the hardening flag PIE needed for compiling for
+# static linking
+
+CCAFLAGS += -I. \
+ -DTPM_TPM20 \
+ -fPIE
+
+# link - common flags flags TSS library and applications
+
+LNFLAGS += -DTPM_POSIX \
+ -L.
+
+# This seems to be required on some Ubuntu distros due to an issue with the gold linker
+# -fuse-ld=bfd
+
+# example of pointing to a locally built openssl 1.1
+# LNFLAGS += -L/home/kgold/openssl
+# This also requires setting the environment variable LD_LIBRARY_PATH. E.g.,
+# setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:/home/kgold/openssl
+
+# link - for TSS library
+
+# hardening flags for linking shared objects
+LNLFLAGS += -shared -Wl,-z,now
+
+# This is an alternative to using the bfd linker on Ubuntu
+LNLLIBS += -lcrypto
+
+# link - for applications, TSS path, TSS and OpenSSl libraries
+
+# hardening flags for linking executables
+LNAFLAGS += -pie -Wl,-z,now -Wl,-rpath,.
+
+LNALIBS += -libmtssutils -libmtss
+
+# shared library
+
+# versioned shared library
+LIBTSSVERSIONED=libibmtss.so.1.3
+
+# soname field of the shared library
+# which will be made symbolic link to the versioned shared library
+# this is used to provide version backward-compatibility information
+LIBTSSSONAME=libibmtss.so.1
+
+# symbolic link to the versioned shared library
+# this allows linking to the shared library with '-libmtss'
+
+os := $(shell uname -o)
+ifeq ($(os),Cygwin)
+ LIBTSS=libibmtss.dll
+else
+ LIBTSS=libibmtss.so
+endif
+
+# TSS utilities shared library
+
+LIBTSSUTILSVERSIONED=libibmtssutils.so.1.3
+LIBTSSUTILSSONAME=libibmtssutils.so.1
+LIBTSSUTILS=libibmtssutils.so
+
+# executable extension
+
+EXE =
+
+#
+
+
+TSS_HEADERS=
+
+# default TSS library
+
+TSS_OBJS = tssfile.o \
+ tsscryptoh.o \
+ tsscrypto.o \
+ tssprintcmd.o
+
+TSSUTILS_OBJS = cryptoutils.o \
+ ekutils.o \
+ imalib.o \
+ eventlib.o
+
+# common to all builds
+
+include makefile-common
+include makefile-common20
+
+# default build target
+
+all: $(ALL)
+
+# TSS shared library source
+
+tss.o: $(TSS_HEADERS) tss.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss.c
+tssauth.o: $(TSS_HEADERS) tssauth.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth.c
+tssproperties.o: $(TSS_HEADERS) tssproperties.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssproperties.c
+tssmarshal.o: $(TSS_HEADERS) tssmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssmarshal.c
+tsscryptoh.o: $(TSS_HEADERS) tsscryptoh.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscryptoh.c
+tsscrypto.o: $(TSS_HEADERS) tsscrypto.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscrypto.c
+tssutils.o: $(TSS_HEADERS) tssutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssutils.c
+tssfile.o: $(TSS_HEADERS) tssfile.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssfile.c
+tsssocket.o: $(TSS_HEADERS) tsssocket.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsssocket.c
+tssdev.o: $(TSS_HEADERS) tssdev.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssdev.c
+tsstransmit.o: $(TSS_HEADERS) tsstransmit.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsstransmit.c
+tssresponsecode.o: $(TSS_HEADERS) tssresponsecode.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssresponsecode.c
+tssccattributes.o: $(TSS_HEADERS) tssccattributes.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssccattributes.c
+tssprint.o: $(TSS_HEADERS) tssprint.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssprint.c
+tssprintcmd.o: $(TSS_HEADERS) tssprintcmd.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssprintcmd.c
+Unmarshal.o: $(TSS_HEADERS) Unmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Unmarshal.c
+Commands.o: $(TSS_HEADERS) Commands.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Commands.c
+CommandAttributeData.o: $(TSS_HEADERS) CommandAttributeData.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) CommandAttributeData.c
+ntc2lib.o: $(TSS_HEADERS) ntc2lib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) ntc2lib.c
+tssntc.o: $(TSS_HEADERS) tssntc.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssntc.c
+
+# TPM 2.0
+
+tss20.o: $(TSS_HEADERS) tss20.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss20.c
+tssauth20.o: $(TSS_HEADERS) tssauth20.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth20.c
+
+# TSS utilities shared library source
+
+cryptoutils.o: $(TSS_HEADERS) cryptoutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) cryptoutils.c
+ekutils.o: $(TSS_HEADERS) ekutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) ekutils.c
+imalib.o: $(TSS_HEADERS) imalib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) imalib.c
+eventlib.o: $(TSS_HEADERS) eventlib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) eventlib.c
+
+# TSS shared library build
+
+$(LIBTSS): $(TSS_OBJS)
+ $(CC) $(LNFLAGS) $(LNLFLAGS) -Wl,-soname,$(LIBTSSSONAME) -o $(LIBTSSVERSIONED) $(TSS_OBJS) $(LNLLIBS)
+ rm -f $(LIBTSSSONAME)
+ ln -sf $(LIBTSSVERSIONED) $(LIBTSSSONAME)
+ rm -f $(LIBTSS)
+ ln -sf $(LIBTSSSONAME) $(LIBTSS)
+
+# TSS utilities shared library
+
+$(LIBTSSUTILS): $(TSSUTILS_OBJS)
+ $(CC) $(LNFLAGS) $(LNLFLAGS) -Wl,-soname,$(LIBTSSUTILSSONAME) -o $(LIBTSSUTILSVERSIONED) $(TSSUTILS_OBJS) $(LNLLIBS)
+ rm -f $(LIBTSSSUTILSONAME)
+ ln -sf $(LIBTSSUTILSVERSIONED) $(LIBTSSUTILSSONAME)
+ rm -f $(LIBTSSUTILS)
+ ln -sf $(LIBTSSUTILSSONAME) $(LIBTSSUTILS)
+
+.PHONY: clean
+.PRECIOUS: %.o
+
+clean:
+ rm -f *.o *~ \
+ h*.bin \
+ $(LIBTSSSONAME) \
+ $(LIBTSSVERSIONED) \
+ $(LIBTSSUTILSSONAME) \
+ $(LIBTSSUTILSVERSIONED) \
+ $(ALL)
+# applications
+
+activatecredential: ibmtss/tss.h activatecredential.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) activatecredential.o $(LNALIBS) -o activatecredential
+eventextend: eventextend.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) eventextend.o $(LNALIBS) -o eventextend
+imaextend: imaextend.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) imaextend.o $(LNALIBS) -o imaextend
+certify: ibmtss/tss.h certify.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) certify.o $(LNALIBS) -o certify
+certifycreation: ibmtss/tss.h certifycreation.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) certifycreation.o $(LNALIBS) -o certifycreation
+certifyx509: ibmtss/tss.h certifyx509.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) certifyx509.o $(LNALIBS) -lcrypto -o certifyx509
+changeeps: ibmtss/tss.h changeeps.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) changeeps.o $(LNALIBS) -o changeeps
+changepps: ibmtss/tss.h changepps.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) changepps.o $(LNALIBS) -o changepps
+clear: ibmtss/tss.h clear.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clear.o $(LNALIBS) -o clear
+clearcontrol: ibmtss/tss.h clearcontrol.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clearcontrol.o $(LNALIBS) -o clearcontrol
+clockrateadjust: ibmtss/tss.h clockrateadjust.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clockrateadjust.o $(LNALIBS) -o clockrateadjust
+clockset: ibmtss/tss.h clockset.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clockset.o $(LNALIBS) -o clockset
+commit: ibmtss/tss.h commit.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) commit.o $(LNALIBS) -o commit
+contextload: ibmtss/tss.h contextload.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) contextload.o $(LNALIBS) -o contextload
+contextsave: ibmtss/tss.h contextsave.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) contextsave.o $(LNALIBS) -o contextsave
+create: ibmtss/tss.h create.o objecttemplates.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) create.o objecttemplates.o $(LNALIBS) -o create
+createloaded: ibmtss/tss.h createloaded.o objecttemplates.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createloaded.o objecttemplates.o $(LNALIBS) -o createloaded
+createprimary: ibmtss/tss.h createprimary.o objecttemplates.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createprimary.o objecttemplates.o $(LNALIBS) -o createprimary
+dictionaryattacklockreset: ibmtss/tss.h dictionaryattacklockreset.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) dictionaryattacklockreset.o $(LNALIBS) -o dictionaryattacklockreset
+dictionaryattackparameters: ibmtss/tss.h dictionaryattackparameters.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) dictionaryattackparameters.o $(LNALIBS) -o dictionaryattackparameters
+duplicate: ibmtss/tss.h duplicate.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) duplicate.o $(LNALIBS) -o duplicate
+eccparameters: ibmtss/tss.h eccparameters.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) eccparameters.o $(LNALIBS) -o eccparameters
+ecephemeral: ibmtss/tss.h ecephemeral.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ecephemeral.o $(LNALIBS) -o ecephemeral
+encryptdecrypt: ibmtss/tss.h encryptdecrypt.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) encryptdecrypt.o $(LNALIBS) -o encryptdecrypt
+eventsequencecomplete: ibmtss/tss.h eventsequencecomplete.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) eventsequencecomplete.o $(LNALIBS) -o eventsequencecomplete
+evictcontrol: ibmtss/tss.h evictcontrol.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) evictcontrol.o $(LNALIBS) -o evictcontrol
+flushcontext: ibmtss/tss.h flushcontext.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) flushcontext.o $(LNALIBS) -o flushcontext
+getcommandauditdigest: ibmtss/tss.h getcommandauditdigest.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getcommandauditdigest.o $(LNALIBS) -o getcommandauditdigest
+getcapability: ibmtss/tss.h getcapability.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getcapability.o $(LNALIBS) -o getcapability
+getrandom: ibmtss/tss.h getrandom.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getrandom.o $(LNALIBS) -o getrandom
+gettestresult: ibmtss/tss.h gettestresult.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) gettestresult.o $(LNALIBS) -o gettestresult
+getsessionauditdigest: ibmtss/tss.h getsessionauditdigest.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getsessionauditdigest.o $(LNALIBS) -o getsessionauditdigest
+gettime: ibmtss/tss.h gettime.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) gettime.o $(LNALIBS) -o gettime
+hashsequencestart: ibmtss/tss.h hashsequencestart.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hashsequencestart.o $(LNALIBS) -o hashsequencestart
+hash: ibmtss/tss.h hash.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hash.o $(LNALIBS) -o hash
+hierarchycontrol: ibmtss/tss.h hierarchycontrol.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hierarchycontrol.o $(LNALIBS) -o hierarchycontrol
+hierarchychangeauth: ibmtss/tss.h hierarchychangeauth.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hierarchychangeauth.o $(LNALIBS) -o hierarchychangeauth
+hmac: ibmtss/tss.h hmac.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hmac.o $(LNALIBS) -o hmac
+hmacstart: ibmtss/tss.h hmacstart.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hmacstart.o $(LNALIBS) -o hmacstart
+import: ibmtss/tss.h import.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) import.o $(LNALIBS) -o import
+importpem: ibmtss/tss.h importpem.o objecttemplates.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) importpem.o objecttemplates.o $(LNALIBS) -o importpem
+load: ibmtss/tss.h load.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) load.o $(LNALIBS) -o load
+loadexternal: ibmtss/tss.h loadexternal.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) loadexternal.o $(LNALIBS) -o loadexternal
+makecredential: ibmtss/tss.h makecredential.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) makecredential.o $(LNALIBS) -o makecredential
+nvcertify: ibmtss/tss.h nvcertify.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvcertify.o $(LNALIBS) -o nvcertify
+nvchangeauth: ibmtss/tss.h nvchangeauth.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvchangeauth.o $(LNALIBS) -o nvchangeauth
+nvdefinespace: ibmtss/tss.h nvdefinespace.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvdefinespace.o $(LNALIBS) -o nvdefinespace
+nvextend: ibmtss/tss.h nvextend.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvextend.o $(LNALIBS) -o nvextend
+nvglobalwritelock: ibmtss/tss.h nvglobalwritelock.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvglobalwritelock.o $(LNALIBS) -o nvglobalwritelock
+nvincrement: ibmtss/tss.h nvincrement.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvincrement.o $(LNALIBS) -o nvincrement
+nvread: ibmtss/tss.h nvread.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvread.o $(LNALIBS) -o nvread
+nvreadlock: ibmtss/tss.h nvreadlock.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvreadlock.o $(LNALIBS) -o nvreadlock
+nvreadpublic: ibmtss/tss.h nvreadpublic.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvreadpublic.o $(LNALIBS) -o nvreadpublic
+nvsetbits: ibmtss/tss.h nvsetbits.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvsetbits.o $(LNALIBS) -o nvsetbits
+nvundefinespace: ibmtss/tss.h nvundefinespace.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvundefinespace.o $(LNALIBS) -o nvundefinespace
+nvundefinespacespecial: ibmtss/tss.h nvundefinespacespecial.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvundefinespacespecial.o $(LNALIBS) -o nvundefinespacespecial
+nvwrite: ibmtss/tss.h nvwrite.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvwrite.o $(LNALIBS) -o nvwrite
+nvwritelock: ibmtss/tss.h nvwritelock.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvwritelock.o $(LNALIBS) -o nvwritelock
+objectchangeauth: ibmtss/tss.h objectchangeauth.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) objectchangeauth.o $(LNALIBS) -o objectchangeauth
+pcrallocate: ibmtss/tss.h pcrallocate.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrallocate.o $(LNALIBS) -o pcrallocate
+pcrevent: ibmtss/tss.h pcrevent.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrevent.o $(LNALIBS) -o pcrevent
+pcrextend: ibmtss/tss.h pcrextend.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrextend.o $(LNALIBS) -o pcrextend
+pcrread: ibmtss/tss.h pcrread.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrread.o $(LNALIBS) -o pcrread
+pcrreset: ibmtss/tss.h pcrreset.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrreset.o $(LNALIBS) -o pcrreset
+policyauthorize: ibmtss/tss.h policyauthorize.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyauthorize.o $(LNALIBS) -o policyauthorize
+policyauthvalue: ibmtss/tss.h policyauthvalue.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyauthvalue.o $(LNALIBS) -o policyauthvalue
+policycommandcode: ibmtss/tss.h policycommandcode.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policycommandcode.o $(LNALIBS) -o policycommandcode
+policycphash: ibmtss/tss.h policycphash.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policycphash.o $(LNALIBS) -o policycphash
+policynamehash: ibmtss/tss.h policynamehash.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policynamehash.o $(LNALIBS) -o policynamehash
+policycountertimer: ibmtss/tss.h policycountertimer.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policycountertimer.o $(LNALIBS) -o policycountertimer
+policyduplicationselect: ibmtss/tss.h policyduplicationselect.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyduplicationselect.o $(LNALIBS) -o policyduplicationselect
+policygetdigest: ibmtss/tss.h policygetdigest.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policygetdigest.o $(LNALIBS) -o policygetdigest
+policymaker: ibmtss/tss.h policymaker.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policymaker.o $(LNALIBS) -o policymaker
+policymakerpcr: ibmtss/tss.h policymakerpcr.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policymakerpcr.o $(LNALIBS) -o policymakerpcr
+policyauthorizenv: ibmtss/tss.h policyauthorizenv.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyauthorizenv.o $(LNALIBS) -o policyauthorizenv
+policynv: ibmtss/tss.h policynv.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policynv.o $(LNALIBS) -o policynv
+policynvwritten: ibmtss/tss.h policynvwritten.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policynvwritten.o $(LNALIBS) -o policynvwritten
+policyor: ibmtss/tss.h policyor.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyor.o $(LNALIBS) -o policyor
+policypassword: ibmtss/tss.h policypassword.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policypassword.o $(LNALIBS) -o policypassword
+policypcr: ibmtss/tss.h policypcr.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policypcr.o $(LNALIBS) -o policypcr
+policyrestart: ibmtss/tss.h policyrestart.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyrestart.o $(LNALIBS) -o policyrestart
+policysigned: ibmtss/tss.h policysigned.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policysigned.o $(LNALIBS) -o policysigned
+policysecret: ibmtss/tss.h policysecret.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policysecret.o $(LNALIBS) -o policysecret
+policytemplate: ibmtss/tss.h policytemplate.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policytemplate.o $(LNALIBS) -o policytemplate
+policyticket: ibmtss/tss.h policyticket.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyticket.o $(LNALIBS) -o policyticket
+quote: ibmtss/tss.h quote.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) quote.o $(LNALIBS) -o quote
+powerup: ibmtss/tss.h powerup.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) powerup.o $(LNALIBS) -o powerup
+readclock: ibmtss/tss.h readclock.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) readclock.o $(LNALIBS) -o readclock
+readpublic: ibmtss/tss.h readpublic.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) readpublic.o $(LNALIBS) -o readpublic
+returncode: ibmtss/tss.h returncode.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) returncode.o $(LNALIBS) -o returncode
+rewrap: ibmtss/tss.h rewrap.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) rewrap.o $(LNALIBS) -o rewrap
+rsadecrypt: ibmtss/tss.h rsadecrypt.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) rsadecrypt.o $(LNALIBS) -o rsadecrypt
+rsaencrypt: ibmtss/tss.h rsaencrypt.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) rsaencrypt.o $(LNALIBS) -o rsaencrypt
+sequenceupdate: ibmtss/tss.h sequenceupdate.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) sequenceupdate.o $(LNALIBS) -o sequenceupdate
+sequencecomplete: ibmtss/tss.h sequencecomplete.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) sequencecomplete.o $(LNALIBS) -o sequencecomplete
+setprimarypolicy: ibmtss/tss.h setprimarypolicy.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) setprimarypolicy.o $(LNALIBS) -o setprimarypolicy
+setcommandcodeauditstatus: ibmtss/tss.h setcommandcodeauditstatus.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) setcommandcodeauditstatus.o $(LNALIBS) -o setcommandcodeauditstatus
+shutdown: ibmtss/tss.h shutdown.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) shutdown.o $(LNALIBS) -o shutdown
+sign: ibmtss/tss.h sign.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) sign.o $(LNALIBS) -o sign
+startauthsession: ibmtss/tss.h startauthsession.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) startauthsession.o $(LNALIBS) -o startauthsession
+startup: ibmtss/tss.h startup.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) startup.o $(LNALIBS) -o startup
+stirrandom: ibmtss/tss.h stirrandom.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) stirrandom.o $(LNALIBS) -o stirrandom
+unseal: ibmtss/tss.h unseal.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) unseal.o $(LNALIBS) -o unseal
+verifysignature: ibmtss/tss.h verifysignature.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) verifysignature.o $(LNALIBS) -o verifysignature
+zgen2phase: ibmtss/tss.h zgen2phase.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) zgen2phase.o $(LNALIBS) -o zgen2phase
+signapp: ibmtss/tss.h signapp.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) signapp.o $(LNALIBS) -o signapp
+writeapp: ibmtss/tss.h writeapp.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) writeapp.o $(LNALIBS) -o writeapp
+timepacket: ibmtss/tss.h timepacket.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) timepacket.o $(LNALIBS) -o timepacket
+createek: createek.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createek.o $(LNALIBS) -o createek
+createekcert: createekcert.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createekcert.o $(LNALIBS) -o createekcert
+tpm2pem: tpm2pem.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) tpm2pem.o $(LNALIBS) -o tpm2pem
+tpmpublic2eccpoint: tpmpublic2eccpoint.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) tpmpublic2eccpoint.o $(LNALIBS) -o tpmpublic2eccpoint
+ntc2getconfig: ntc2getconfig.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ntc2getconfig.o $(LNALIBS) -o ntc2getconfig
+ntc2preconfig: ntc2preconfig.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ntc2preconfig.o $(LNALIBS) -o ntc2preconfig
+ntc2lockconfig: ntc2lockconfig.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ntc2lockconfig.o $(LNALIBS) -o ntc2lockconfig
+publicname: publicname.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) publicname.o $(LNALIBS) -o publicname
+getcryptolibrary: getcryptolibrary.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getcryptolibrary.o $(LNALIBS) -o getcryptolibrary
+printattr: printattr.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) printattr.o $(LNALIBS) -o printattr
+tpmcmd: tpmcmd.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) tpmcmd.o $(LNALIBS) -o tpmcmd
+
+# for applications, not for TSS library
+
+%.o: %.c ibmtss/tss.h
+ $(CC) $(CCFLAGS) $(CCAFLAGS) $< -o $@
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/makefiletpmc b/libstb/tss2/ibmtpm20tss/utils/makefiletpmc
new file mode 100644
index 0000000..3557957
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/makefiletpmc
@@ -0,0 +1,515 @@
+#################################################################################
+# #
+# Linux TPM 1.2 TSS and TPM 2.0 TSS and Utilities Makefile #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2018 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# C compiler
+
+CC = /usr/bin/gcc
+
+# compile - common flags for TSS library and applications
+
+CCFLAGS += -DTPM_POSIX
+
+# example of pointing to a locally built openssl 1.1
+# CCFLAGS += -I/home/kgold/openssl/include
+
+# compile - for TSS library
+
+# include the hardening flag PIC needed for compiling for dynamic
+# linking
+
+CCLFLAGS += -I. \
+ -fPIC \
+ -DTPM_TPM20 \
+ -DTPM_TPM12
+
+# to compile out printf's. Regression test will fail because it tries
+# to print a structure -DTPM_TSS_NO_PRINT
+
+# example of changing the default interface type
+# -DTPM_INTERFACE_TYPE_DEFAULT="\"dev\""
+
+# compile - for applications
+
+# include the hardening flag PIE needed for compiling for
+# static linking
+
+CCAFLAGS += -I. \
+ -DTPM_TPM20 \
+ -DTPM_TPM12 \
+ -fPIE
+
+# link - common flags flags TSS library and applications
+
+LNFLAGS += -DTPM_POSIX \
+ -L.
+
+# This seems to be required on some Ubuntu distros due to an issue with the gold linker
+# -fuse-ld=bfd
+
+# example of pointing to a locally built openssl 1.1
+# LNFLAGS += -L/home/kgold/openssl
+# This also requires setting the environment variable LD_LIBRARY_PATH. E.g.,
+# setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:/home/kgold/openssl
+
+# link - for TSS library
+
+# hardening flags for linking shared objects
+LNLFLAGS += -shared -Wl,-z,now
+
+# This is an alternative to using the bfd linker on Ubuntu
+LNLLIBS += -lcrypto
+
+# link - for applications, TSS path, TSS and OpenSSl libraries
+
+# hardening flags for linking executables
+LNAFLAGS += -pie -Wl,-z,now -Wl,-rpath,.
+
+LNALIBS += -libmtssutils -libmtss
+
+# shared library
+
+# versioned shared library
+LIBTSSVERSIONED=libibmtss.so.1.3
+
+# soname field of the shared library
+# which will be made symbolic link to the versioned shared library
+# this is used to provide version backward-compatibility information
+LIBTSSSONAME=libibmtss.so.1
+
+# symbolic link to the versioned shared library
+# this allows linking to the shared library with '-libmtss'
+
+os := $(shell uname -o)
+ifeq ($(os),Cygwin)
+ LIBTSS=libibmtss.dll
+else
+ LIBTSS=libibmtss.so
+endif
+
+# TSS utilities shared library
+
+LIBTSSUTILSVERSIONED=libibmtssutils.so.1.3
+LIBTSSUTILSSONAME=libibmtssutils.so.1
+LIBTSSUTILS=libibmtssutils.so
+
+# executable extension
+
+EXE =
+
+#
+
+
+TSS_HEADERS=
+
+# default TSS library
+
+TSS_OBJS = tssfile.o \
+ tsscryptoh.o \
+ tsscrypto.o \
+ tssprintcmd.o
+
+TSSUTILS_OBJS = cryptoutils.o \
+ ekutils.o \
+ imalib.o \
+ eventlib.o
+
+# common to all builds
+
+include makefile-common
+include makefile-common12
+include makefile-common20
+
+# default build target
+
+all: $(ALL)
+
+# TSS shared library source
+
+tss.o: $(TSS_HEADERS) tss.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss.c
+tssauth.o: $(TSS_HEADERS) tssauth.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth.c
+tssproperties.o: $(TSS_HEADERS) tssproperties.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssproperties.c
+tssmarshal.o: $(TSS_HEADERS) tssmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssmarshal.c
+tsscryptoh.o: $(TSS_HEADERS) tsscryptoh.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscryptoh.c
+tsscrypto.o: $(TSS_HEADERS) tsscrypto.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsscrypto.c
+tssutils.o: $(TSS_HEADERS) tssutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssutils.c
+tssfile.o: $(TSS_HEADERS) tssfile.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssfile.c
+tsssocket.o: $(TSS_HEADERS) tsssocket.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsssocket.c
+tssdev.o: $(TSS_HEADERS) tssdev.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssdev.c
+tsstransmit.o: $(TSS_HEADERS) tsstransmit.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tsstransmit.c
+tssresponsecode.o: $(TSS_HEADERS) tssresponsecode.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssresponsecode.c
+tssccattributes.o: $(TSS_HEADERS) tssccattributes.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssccattributes.c
+tssprint.o: $(TSS_HEADERS) tssprint.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssprint.c
+tssprintcmd.o: $(TSS_HEADERS) tssprintcmd.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssprintcmd.c
+Unmarshal.o: $(TSS_HEADERS) Unmarshal.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Unmarshal.c
+Commands.o: $(TSS_HEADERS) Commands.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Commands.c
+CommandAttributeData.o: $(TSS_HEADERS) CommandAttributeData.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) CommandAttributeData.c
+ntc2lib.o: $(TSS_HEADERS) ntc2lib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) ntc2lib.c
+tssntc.o: $(TSS_HEADERS) tssntc.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssntc.c
+
+# TPM 2.0
+
+tss20.o: $(TSS_HEADERS) tss20.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss20.c
+tssauth20.o: $(TSS_HEADERS) tssauth20.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth20.c
+# TPM 1.2
+
+tss12.o: $(TSS_HEADERS) tss12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tss12.c
+tssauth12.o: $(TSS_HEADERS) tssauth12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssauth12.c
+tssmarshal12.o: $(TSS_HEADERS) tssmarshal12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssmarshal12.c
+Unmarshal12.o: $(TSS_HEADERS) Unmarshal12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Unmarshal12.c
+Commands12.o: $(TSS_HEADERS) Commands12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) Commands12.c
+tssccattributes12.o: $(TSS_HEADERS) tssccattributes12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) tssccattributes12.c
+CommandAttributeData12.o: $(TSS_HEADERS) CommandAttributeData12.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) CommandAttributeData12.c
+
+# TSS utilities shared library source
+
+cryptoutils.o: $(TSS_HEADERS) cryptoutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) cryptoutils.c
+ekutils.o: $(TSS_HEADERS) ekutils.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) ekutils.c
+imalib.o: $(TSS_HEADERS) imalib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) imalib.c
+eventlib.o: $(TSS_HEADERS) eventlib.c
+ $(CC) $(CCFLAGS) $(CCLFLAGS) eventlib.c
+
+# TSS shared library build
+
+$(LIBTSS): $(TSS_OBJS)
+ $(CC) $(LNFLAGS) $(LNLFLAGS) -Wl,-soname,$(LIBTSSSONAME) -o $(LIBTSSVERSIONED) \
+ $(TSS_OBJS) $(LNLLIBS)
+ rm -f $(LIBTSSSONAME)
+ ln -sf $(LIBTSSVERSIONED) $(LIBTSSSONAME)
+ rm -f $(LIBTSS)
+ ln -sf $(LIBTSSSONAME) $(LIBTSS)
+
+# TSS utilities shared library
+
+$(LIBTSSUTILS): $(TSSUTILS_OBJS)
+ $(CC) $(LNFLAGS) $(LNLFLAGS) -Wl,-soname,$(LIBTSSUTILSSONAME) -o $(LIBTSSUTILSVERSIONED) \
+ $(TSSUTILS_OBJS) $(LNLLIBS)
+ rm -f $(LIBTSSSUTILSONAME)
+ ln -sf $(LIBTSSUTILSVERSIONED) $(LIBTSSUTILSSONAME)
+ rm -f $(LIBTSSUTILS)
+ ln -sf $(LIBTSSUTILSSONAME) $(LIBTSSUTILS)
+
+.PHONY: clean
+.PRECIOUS: %.o
+
+clean:
+ rm -f *.o *~ \
+ h*.bin \
+ $(LIBTSSSONAME) \
+ $(LIBTSSVERSIONED) \
+ $(LIBTSSUTILSSONAME) \
+ $(LIBTSSUTILSVERSIONED) \
+ $(ALL)
+
+# applications
+
+activatecredential: ibmtss/tss.h activatecredential.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) activatecredential.o $(LNALIBS) -o activatecredential
+eventextend: eventextend.o eventlib.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) eventextend.o $(LNALIBS) -o eventextend
+imaextend: imaextend.o imalib.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) imaextend.o $(LNALIBS) -o imaextend
+certify: ibmtss/tss.h certify.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) certify.o $(LNALIBS) -o certify
+certifycreation: ibmtss/tss.h certifycreation.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) certifycreation.o $(LNALIBS) -o certifycreation
+certifyx509: ibmtss/tss.h certifyx509.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) certifyx509.o $(LNALIBS) -lcrypto -o certifyx509
+changeeps: ibmtss/tss.h changeeps.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) changeeps.o $(LNALIBS) -o changeeps
+changepps: ibmtss/tss.h changepps.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) changepps.o $(LNALIBS) -o changepps
+clear: ibmtss/tss.h clear.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clear.o $(LNALIBS) -o clear
+clearcontrol: ibmtss/tss.h clearcontrol.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clearcontrol.o $(LNALIBS) -o clearcontrol
+clockrateadjust: ibmtss/tss.h clockrateadjust.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clockrateadjust.o $(LNALIBS) -o clockrateadjust
+clockset: ibmtss/tss.h clockset.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) clockset.o $(LNALIBS) -o clockset
+commit: ibmtss/tss.h commit.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) commit.o $(LNALIBS) -o commit
+contextload: ibmtss/tss.h contextload.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) contextload.o $(LNALIBS) -o contextload
+contextsave: ibmtss/tss.h contextsave.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) contextsave.o $(LNALIBS) -o contextsave
+create: ibmtss/tss.h create.o objecttemplates.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) create.o objecttemplates.o $(LNALIBS) -o create
+createloaded: ibmtss/tss.h createloaded.o objecttemplates.o $(LIBTSS) $(LIBTTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createloaded.o objecttemplates.o $(LNALIBS) -o createloaded
+createprimary: ibmtss/tss.h createprimary.o objecttemplates.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createprimary.o objecttemplates.o $(LNALIBS) -o createprimary
+dictionaryattacklockreset: ibmtss/tss.h dictionaryattacklockreset.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) dictionaryattacklockreset.o $(LNALIBS) -o dictionaryattacklockreset
+dictionaryattackparameters: ibmtss/tss.h dictionaryattackparameters.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) dictionaryattackparameters.o $(LNALIBS) -o dictionaryattackparameters
+duplicate: ibmtss/tss.h duplicate.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) duplicate.o $(LNALIBS) -o duplicate
+eccparameters: ibmtss/tss.h eccparameters.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) eccparameters.o $(LNALIBS) -o eccparameters
+ecephemeral: ibmtss/tss.h ecephemeral.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ecephemeral.o $(LNALIBS) -o ecephemeral
+encryptdecrypt: ibmtss/tss.h encryptdecrypt.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) encryptdecrypt.o $(LNALIBS) -o encryptdecrypt
+eventsequencecomplete: ibmtss/tss.h eventsequencecomplete.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) eventsequencecomplete.o $(LNALIBS) -o eventsequencecomplete
+evictcontrol: ibmtss/tss.h evictcontrol.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) evictcontrol.o $(LNALIBS) -o evictcontrol
+flushcontext: ibmtss/tss.h flushcontext.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) flushcontext.o $(LNALIBS) -o flushcontext
+getcommandauditdigest: ibmtss/tss.h getcommandauditdigest.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getcommandauditdigest.o $(LNALIBS) -o getcommandauditdigest
+getcapability: ibmtss/tss.h getcapability.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getcapability.o $(LNALIBS) -o getcapability
+getrandom: ibmtss/tss.h getrandom.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getrandom.o $(LNALIBS) -o getrandom
+gettestresult: ibmtss/tss.h gettestresult.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) gettestresult.o $(LNALIBS) -o gettestresult
+getsessionauditdigest: ibmtss/tss.h getsessionauditdigest.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getsessionauditdigest.o $(LNALIBS) -o getsessionauditdigest
+gettime: ibmtss/tss.h gettime.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) gettime.o $(LNALIBS) -o gettime
+hashsequencestart: ibmtss/tss.h hashsequencestart.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hashsequencestart.o $(LNALIBS) -o hashsequencestart
+hash: ibmtss/tss.h hash.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hash.o $(LNALIBS) -o hash
+hierarchycontrol: ibmtss/tss.h hierarchycontrol.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hierarchycontrol.o $(LNALIBS) -o hierarchycontrol
+hierarchychangeauth: ibmtss/tss.h hierarchychangeauth.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hierarchychangeauth.o $(LNALIBS) -o hierarchychangeauth
+hmac: ibmtss/tss.h hmac.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hmac.o $(LNALIBS) -o hmac
+hmacstart: ibmtss/tss.h hmacstart.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) hmacstart.o $(LNALIBS) -o hmacstart
+import: ibmtss/tss.h import.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) import.o $(LNALIBS) -o import
+importpem: ibmtss/tss.h importpem.o objecttemplates.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) importpem.o objecttemplates.o $(LNALIBS) -o importpem
+load: ibmtss/tss.h load.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) load.o $(LNALIBS) -o load
+loadexternal: ibmtss/tss.h loadexternal.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) loadexternal.o $(LNALIBS) -o loadexternal
+makecredential: ibmtss/tss.h makecredential.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) makecredential.o $(LNALIBS) -o makecredential
+nvcertify: ibmtss/tss.h nvcertify.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvcertify.o $(LNALIBS) -o nvcertify
+nvchangeauth: ibmtss/tss.h nvchangeauth.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvchangeauth.o $(LNALIBS) -o nvchangeauth
+nvdefinespace: ibmtss/tss.h nvdefinespace.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvdefinespace.o $(LNALIBS) -o nvdefinespace
+nvextend: ibmtss/tss.h nvextend.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvextend.o $(LNALIBS) -o nvextend
+nvglobalwritelock: ibmtss/tss.h nvglobalwritelock.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvglobalwritelock.o $(LNALIBS) -o nvglobalwritelock
+nvincrement: ibmtss/tss.h nvincrement.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvincrement.o $(LNALIBS) -o nvincrement
+nvread: ibmtss/tss.h nvread.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvread.o $(LNALIBS) -o nvread
+nvreadlock: ibmtss/tss.h nvreadlock.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvreadlock.o $(LNALIBS) -o nvreadlock
+nvreadpublic: ibmtss/tss.h nvreadpublic.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvreadpublic.o $(LNALIBS) -o nvreadpublic
+nvsetbits: ibmtss/tss.h nvsetbits.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvsetbits.o $(LNALIBS) -o nvsetbits
+nvundefinespace: ibmtss/tss.h nvundefinespace.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvundefinespace.o $(LNALIBS) -o nvundefinespace
+nvundefinespacespecial: ibmtss/tss.h nvundefinespacespecial.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvundefinespacespecial.o $(LNALIBS) -o nvundefinespacespecial
+nvwrite: ibmtss/tss.h nvwrite.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvwrite.o $(LNALIBS) -o nvwrite
+nvwritelock: ibmtss/tss.h nvwritelock.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) nvwritelock.o $(LNALIBS) -o nvwritelock
+objectchangeauth: ibmtss/tss.h objectchangeauth.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) objectchangeauth.o $(LNALIBS) -o objectchangeauth
+pcrallocate: ibmtss/tss.h pcrallocate.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrallocate.o $(LNALIBS) -o pcrallocate
+pcrevent: ibmtss/tss.h pcrevent.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrevent.o $(LNALIBS) -o pcrevent
+pcrextend: ibmtss/tss.h pcrextend.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrextend.o $(LNALIBS) -o pcrextend
+pcrread: ibmtss/tss.h pcrread.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrread.o $(LNALIBS) -o pcrread
+pcrreset: ibmtss/tss.h pcrreset.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) pcrreset.o $(LNALIBS) -o pcrreset
+policyauthorize: ibmtss/tss.h policyauthorize.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyauthorize.o $(LNALIBS) -o policyauthorize
+policyauthvalue: ibmtss/tss.h policyauthvalue.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyauthvalue.o $(LNALIBS) -o policyauthvalue
+policycommandcode: ibmtss/tss.h policycommandcode.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policycommandcode.o $(LNALIBS) -o policycommandcode
+policycphash: ibmtss/tss.h policycphash.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policycphash.o $(LNALIBS) -o policycphash
+policynamehash: ibmtss/tss.h policynamehash.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policynamehash.o $(LNALIBS) -o policynamehash
+policycountertimer: ibmtss/tss.h policycountertimer.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policycountertimer.o $(LNALIBS) -o policycountertimer
+policyduplicationselect: ibmtss/tss.h policyduplicationselect.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyduplicationselect.o $(LNALIBS) -o policyduplicationselect
+policygetdigest: ibmtss/tss.h policygetdigest.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policygetdigest.o $(LNALIBS) -o policygetdigest
+policymaker: ibmtss/tss.h policymaker.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policymaker.o $(LNALIBS) -o policymaker
+policymakerpcr: ibmtss/tss.h policymakerpcr.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policymakerpcr.o $(LNALIBS) -o policymakerpcr
+policyauthorizenv: ibmtss/tss.h policyauthorizenv.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyauthorizenv.o $(LNALIBS) -o policyauthorizenv
+policynv: ibmtss/tss.h policynv.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policynv.o $(LNALIBS) -o policynv
+policynvwritten: ibmtss/tss.h policynvwritten.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policynvwritten.o $(LNALIBS) -o policynvwritten
+policyor: ibmtss/tss.h policyor.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyor.o $(LNALIBS) -o policyor
+policypassword: ibmtss/tss.h policypassword.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policypassword.o $(LNALIBS) -o policypassword
+policypcr: ibmtss/tss.h policypcr.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policypcr.o $(LNALIBS) -o policypcr
+policyrestart: ibmtss/tss.h policyrestart.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyrestart.o $(LNALIBS) -o policyrestart
+policysigned: ibmtss/tss.h policysigned.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policysigned.o $(LNALIBS) -o policysigned
+policysecret: ibmtss/tss.h policysecret.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policysecret.o $(LNALIBS) -o policysecret
+policytemplate: ibmtss/tss.h policytemplate.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policytemplate.o $(LNALIBS) -o policytemplate
+policyticket: ibmtss/tss.h policyticket.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) policyticket.o $(LNALIBS) -o policyticket
+quote: ibmtss/tss.h quote.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) quote.o $(LNALIBS) -o quote
+powerup: ibmtss/tss.h powerup.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) powerup.o $(LNALIBS) -o powerup
+readclock: ibmtss/tss.h readclock.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) readclock.o $(LNALIBS) -o readclock
+readpublic: ibmtss/tss.h readpublic.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) readpublic.o $(LNALIBS) -o readpublic
+returncode: ibmtss/tss.h returncode.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) returncode.o $(LNALIBS) -o returncode
+rewrap: ibmtss/tss.h rewrap.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) rewrap.o $(LNALIBS) -o rewrap
+rsadecrypt: ibmtss/tss.h rsadecrypt.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) rsadecrypt.o $(LNALIBS) -o rsadecrypt
+rsaencrypt: ibmtss/tss.h rsaencrypt.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) rsaencrypt.o $(LNALIBS) -o rsaencrypt
+sequenceupdate: ibmtss/tss.h sequenceupdate.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) sequenceupdate.o $(LNALIBS) -o sequenceupdate
+sequencecomplete: ibmtss/tss.h sequencecomplete.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) sequencecomplete.o $(LNALIBS) -o sequencecomplete
+setprimarypolicy: ibmtss/tss.h setprimarypolicy.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) setprimarypolicy.o $(LNALIBS) -o setprimarypolicy
+setcommandcodeauditstatus: ibmtss/tss.h setcommandcodeauditstatus.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) setcommandcodeauditstatus.o $(LNALIBS) -o setcommandcodeauditstatus
+shutdown: ibmtss/tss.h shutdown.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) shutdown.o $(LNALIBS) -o shutdown
+sign: ibmtss/tss.h sign.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) sign.o $(LNALIBS) -o sign
+startauthsession: ibmtss/tss.h startauthsession.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) startauthsession.o $(LNALIBS) -o startauthsession
+startup: ibmtss/tss.h startup.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) startup.o $(LNALIBS) -o startup
+stirrandom: ibmtss/tss.h stirrandom.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) stirrandom.o $(LNALIBS) -o stirrandom
+unseal: ibmtss/tss.h unseal.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) unseal.o $(LNALIBS) -o unseal
+verifysignature: ibmtss/tss.h verifysignature.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) verifysignature.o $(LNALIBS) -o verifysignature
+zgen2phase: ibmtss/tss.h zgen2phase.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) zgen2phase.o $(LNALIBS) -o zgen2phase
+signapp: ibmtss/tss.h signapp.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) signapp.o $(LNALIBS) -o signapp
+writeapp: ibmtss/tss.h writeapp.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) writeapp.o $(LNALIBS) -o writeapp
+timepacket: ibmtss/tss.h timepacket.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) timepacket.o $(LNALIBS) -o timepacket
+createek: createek.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createek.o $(LNALIBS) -o createek
+createekcert: createekcert.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) createekcert.o $(LNALIBS) -o createekcert
+tpm2pem: tpm2pem.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) tpm2pem.o $(LNALIBS) -o tpm2pem
+tpmpublic2eccpoint: tpmpublic2eccpoint.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) tpmpublic2eccpoint.o $(LNALIBS) -o tpmpublic2eccpoint
+ntc2getconfig: ntc2getconfig.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ntc2getconfig.o $(LNALIBS) -o ntc2getconfig
+ntc2preconfig: ntc2preconfig.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ntc2preconfig.o $(LNALIBS) -o ntc2preconfig
+ntc2lockconfig: ntc2lockconfig.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) ntc2lockconfig.o $(LNALIBS) -o ntc2lockconfig
+publicname: publicname.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) publicname.o $(LNALIBS) -o publicname
+getcryptolibrary: getcryptolibrary.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) getcryptolibrary.o $(LNALIBS) -o getcryptolibrary
+printattr: printattr.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) printattr.o $(LNALIBS) -o printattr
+tpmcmd: tpmcmd.o $(LIBTSS) $(LIBTSSUTILS)
+ $(CC) $(LNFLAGS) $(LNAFLAGS) tpmcmd.o $(LNALIBS) -o tpmcmd
+
+# for applications, not for TSS library
+
+%.o: %.c ibmtss/tss.h
+ $(CC) $(CCFLAGS) $(CCAFLAGS) $< -o $@
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssactivatecredential.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssactivatecredential.1
new file mode 100644
index 0000000..a9710fc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssactivatecredential.1
@@ -0,0 +1,41 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH ACTIVATECREDENTIAL "1" "March 2020" "activatecredential 1.3" "User Commands"
+.SH NAME
+activatecredential \- Runs TPM2 activatecredential
+.SH DESCRIPTION
+activatecredential
+.PP
+Runs TPM2_ActivateCredential
+.TP
+\fB\-ha\fR
+activation handle of object associated with the certificate
+.TP
+\fB\-hk\fR
+handle of loaded decryption key
+.TP
+\fB\-icred\fR
+input credential file name
+.TP
+\fB\-is\fR
+secret file name
+.TP
+[\-pwda
+password for activation key (default empty)]
+.TP
+[\-pwdk
+password for decryption key (default empty)]
+.TP
+[\-ocred
+output credential file name (default do not save)]
+.TP
+\fB\-se[0\-2]\fR
+session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertify.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertify.1
new file mode 100644
index 0000000..e3aa6ec
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertify.1
@@ -0,0 +1,46 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CERTIFY "1" "March 2020" "certify 1.3" "User Commands"
+.SH NAME
+certify \- Runs TPM2 certify
+.SH DESCRIPTION
+certify
+.PP
+Runs TPM2_Certify
+.TP
+\fB\-ho\fR
+object handle
+.TP
+[\-pwdo
+password for object (default empty)]
+.TP
+\fB\-hk\fR
+certifying key handle
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+[\-halg
+(sha1, sha256, sha384 sha512) (default sha256)]
+.TP
+[\-salg
+signature algorithm (rsa, ecc, hmac) (default rsa)]
+.TP
+[\-qd
+qualifying data file name]
+.TP
+[\-os
+signature file name (default do not save)]
+.TP
+[\-oa
+attestation output file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertifycreation.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertifycreation.1
new file mode 100644
index 0000000..e267c1a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertifycreation.1
@@ -0,0 +1,49 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CERTIFYCREATION "1" "March 2020" "certifycreation 1.3" "User Commands"
+.SH NAME
+certifycreation \- Runs TPM2 certifycreation
+.SH DESCRIPTION
+certifycreation
+.PP
+Runs TPM2_CertifyCreation
+.TP
+\fB\-ho\fR
+object handle
+.TP
+\fB\-hk\fR
+certifying key handle
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+[\-halg
+(sha1, sha256, sha384) (default sha256)]
+.TP
+[\-salg
+signature algorithm (rsa, ecc) (default rsa)]
+.TP
+[\-qd
+qualifying data file name]
+.TP
+\fB\-tk\fR
+input ticket file name
+.TP
+\fB\-ch\fR
+input creation hash file name
+.TP
+[\-os
+signature file name] (default do not save)
+.TP
+[\-oa
+attestation output file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertifyx509.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertifyx509.1
new file mode 100644
index 0000000..6ce3fbc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscertifyx509.1
@@ -0,0 +1,68 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CERTIFYX509 "1" "March 2020" "certifyx509 1.3" "User Commands"
+.SH NAME
+certifyx509 \- Runs TPM2 certifyx509
+.SH DESCRIPTION
+certifyx509
+.PP
+Runs TPM2_Certifyx509
+.TP
+\fB\-ho\fR
+object handle
+.TP
+[\-pwdo
+password for object (default empty)]
+.TP
+\fB\-hk\fR
+certifying key handle
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+[\-halg
+(sha1, sha256, sha384 sha512) (default sha256)]
+.TP
+[\-salg
+signature algorithm (rsa, ecc) (default rsa)]
+.TP
+[\-ku
+X509 key usage \- string \- comma separated, no spaces]
+.TP
+[\-iob
+TPMA_OBJECT \- 4 byte hex]
+e.g. sign: critical,digitalSignature,keyCertSign,cRLSign (default)
+e.g. decrypt: critical,dataEncipherment,keyAgreement,encipherOnly,decipherOnly
+e.g. fixedTPM: critical,nonRepudiation
+e.g. parent (restrict decrypt): critical,keyEncipherment
+.TP
+[\-bit
+bit in partialCertificate to toggle]
+.TP
+[\-sub
+subject same as issuer for self signed (root) certificate]
+.TP
+[\-opc
+partial certificate file name (default do not save)]
+.TP
+[\-oa
+addedToCertificate file name (default do not save)]
+.TP
+[\-otbs
+signed tbsDigest file name (default do not save)]
+.TP
+[\-os
+signature file name (default do not save)]
+.TP
+[\-ocert
+reconstructed certificate file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsschangeeps.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsschangeeps.1
new file mode 100644
index 0000000..a106b34
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsschangeeps.1
@@ -0,0 +1,16 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CHANGEEPS "1" "March 2020" "changeeps 1.3" "User Commands"
+.SH NAME
+changeeps \- Runs TPM2 changeeps
+.SH DESCRIPTION
+changeeps
+.PP
+Runs TPM2_ChangeEPS
+.TP
+\fB\-pwda\fR
+authorization password (default empty)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsschangepps.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsschangepps.1
new file mode 100644
index 0000000..c9d96b0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsschangepps.1
@@ -0,0 +1,16 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CHANGEPPS "1" "March 2020" "changepps 1.3" "User Commands"
+.SH NAME
+changepps \- Runs TPM2 changepps
+.SH DESCRIPTION
+changepps
+.PP
+Runs TPM2_ChangePPS
+.TP
+\fB\-pwda\fR
+authorization password (default empty)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclear.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclear.1
new file mode 100644
index 0000000..a3a8e14
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclear.1
@@ -0,0 +1,20 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CLEAR "1" "March 2020" "clear 1.3" "User Commands"
+.SH NAME
+clear \- Runs TPM2 clear
+.SH DESCRIPTION
+clear
+.PP
+Runs TPM2_Clear
+.TP
+\fB\-hi\fR
+authhandle hierarchy (l, p)
+l lockout, p platform
+.TP
+\fB\-pwda\fR
+authorization password (default empty)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclearcontrol.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclearcontrol.1
new file mode 100644
index 0000000..85971c3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclearcontrol.1
@@ -0,0 +1,23 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CLEARCONTROL "1" "March 2020" "clearcontrol 1.3" "User Commands"
+.SH NAME
+clearcontrol \- Runs TPM2 clearcontrol
+.SH DESCRIPTION
+clearcontrol
+.PP
+Runs TPM2_ClearControl
+.TP
+\fB\-hi\fR
+authhandle hierarchy (l, p)
+l lockout, p platform
+.TP
+\fB\-pwda\fR
+authorization password (default empty)
+.TP
+\fB\-state\fR
+0 to disable, 1 to enable (default enable)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclockrateadjust.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclockrateadjust.1
new file mode 100644
index 0000000..fe8402b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclockrateadjust.1
@@ -0,0 +1,22 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CLOCKRATEADJUST "1" "December 2019" "clockrateadjust 1546" "User Commands"
+.SH NAME
+clockrateadjust \- Runs TPM2 clockrateadjust
+.SH DESCRIPTION
+clockrateadjust
+.PP
+Runs TPM2_ClockRateAdjust
+.TP
+[\-hi
+hierarchy auth (p, o) (default p)]
+.TP
+[\-pwdp
+hierarchy password (default empty)]
+.TP
+[\-adj
+rate adjust (default 0)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclockset.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclockset.1
new file mode 100644
index 0000000..7c0c7d1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssclockset.1
@@ -0,0 +1,31 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CLOCKSET "1" "March 2020" "clockset 1.3" "User Commands"
+.SH NAME
+clockset \- Runs TPM2 clockset
+.SH DESCRIPTION
+clockset
+.PP
+Runs TPM2_ClockSet
+.TP
+\fB\-clock\fR
+new clock
+.TP
+\fB\-iclock\fR
+new clock file name
+.TP
+[\-addsec
+seconds to add to new clock]
+.TP
+\fB\-hi\fR
+hierarchy (o, p) (default platform)
+.IP
+o owner, p platform
+.TP
+\fB\-pwdp\fR
+password for hierarchy (default empty)
+.TP
+\fB\-se[0\-2]\fR
+session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscommit.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscommit.1
new file mode 100644
index 0000000..5b3b233
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscommit.1
@@ -0,0 +1,46 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH COMMIT "1" "March 2020" "commit 1.3" "User Commands"
+.SH NAME
+commit \- Runs TPM2 commit
+.SH DESCRIPTION
+commit
+.PP
+Runs TPM2_Commit
+.TP
+\fB\-hk\fR
+key handle
+.TP
+[\-pt
+point input file name (default empty)]
+.TP
+[\-s2
+s2 input file name (default empty)]
+.TP
+[\-y2
+y2 input file name (default empty)]
+.TP
+[\-Kf
+K output data file name (default do not save)]
+.TP
+[\-Lf
+output data file name (default do not save)]
+.TP
+[\-Ef
+output data file name (default do not save)]
+.TP
+[\-cf
+output counter file name (default do not save)]
+.TP
+[\-pwdk
+password for key (default empty)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscontextload.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscontextload.1
new file mode 100644
index 0000000..6fb9866
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscontextload.1
@@ -0,0 +1,11 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CONTEXTLOAD "1" "March 2020" "contextload 1.3" "User Commands"
+.SH NAME
+contextload \- Runs TPM2 contextload
+.SH DESCRIPTION
+contextload
+.PP
+Runs TPM2_ContextLoad
+.TP
+\fB\-if\fR
+context file name
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscontextsave.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscontextsave.1
new file mode 100644
index 0000000..2f3c6d3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscontextsave.1
@@ -0,0 +1,14 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CONTEXTSAVE "1" "March 2020" "contextsave 1.3" "User Commands"
+.SH NAME
+contextsave \- Runs TPM2 contextsave
+.SH DESCRIPTION
+contextsave
+.PP
+Runs TPM2_ContextSave
+.TP
+\fB\-ha\fR
+handle
+.TP
+[\-of
+context file name (default do not save)]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreate.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreate.1
new file mode 100644
index 0000000..ba53e19
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreate.1
@@ -0,0 +1,127 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CREATE "1" "March 2020" "create 1.3" "User Commands"
+.SH NAME
+create \- Runs TPM2 create
+.SH DESCRIPTION
+create
+.PP
+Runs TPM2_Create
+.HP
+\fB\-hp\fR parent handle
+.IP
+[Asymmetric Key Algorithm]
+.HP
+\fB\-rsa\fR keybits (default)
+.IP
+(2048 default)
+.HP
+\fB\-ecc\fR curve
+.IP
+bnp256
+nistp256
+nistp384
+.IP
+Key attributes
+.TP
+\fB\-bl\fR
+data blob for unseal (create only)
+requires \fB\-if\fR
+.TP
+\fB\-den\fR
+decryption, (unrestricted, RSA and EC NULL scheme)
+.TP
+\fB\-deo\fR
+decryption, (unrestricted, RSA OAEP, EC NULL scheme)
+.TP
+\fB\-dee\fR
+decryption, (unrestricted, RSA ES, EC NULL scheme)
+.TP
+\fB\-des\fR
+encryption/decryption, AES symmetric
+[\-116 for TPM rev 116 compatibility]
+.TP
+\fB\-st\fR
+storage (restricted)
+[default for primary keys]
+.TP
+\fB\-si\fR
+unrestricted signing (RSA and EC NULL scheme)
+.TP
+\fB\-sir\fR
+restricted signing (RSA RSASSA, EC ECDSA scheme)
+.TP
+\fB\-dau\fR
+unrestricted ECDAA signing key pair
+.TP
+\fB\-dar\fR
+restricted ECDAA signing key pair
+.TP
+\fB\-kh\fR
+keyed hash (unrestricted, hmac)
+.TP
+\fB\-khr\fR
+keyed hash (restricted, hmac)
+.TP
+\fB\-dp\fR
+derivation parent
+.TP
+\fB\-gp\fR
+general purpose, not storage
+.TP
+[\-kt
+(can be specified more than once)]
+f fixedTPM (default for primary keys and derivation parents)
+p fixedParent (default for primary keys and derivation parents)
+nf no fixedTPM (default for non\-primary keys)
+np no fixedParent (default for non\-primary keys)
+ed encrypted duplication (default not set)
+.TP
+[\-da
+object subject to DA protection (default no)]
+.TP
+[\-pol
+policy file (default empty)]
+.TP
+[\-uwa
+userWithAuth attribute clear (default set)]
+.TP
+[\-if
+data (inSensitive) file name]
+.TP
+[\-nalg
+name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-halg
+scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+[\-pwdp
+password for parent key (default empty)]
+.TP
+[\-opu
+public key file name (default do not save)]
+.TP
+[\-opr
+private key file name (default do not save)]
+.TP
+[\-opem
+public key PEM format file name (default do not save)]
+.TP
+[\-tk
+output ticket file name (default do not save)]
+.TP
+[\-ch
+output creation hash file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateek.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateek.1
new file mode 100644
index 0000000..cd5e2a6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateek.1
@@ -0,0 +1,33 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CREATEEK "1" "March 2020" "createek 1.3" "User Commands"
+.SH NAME
+createek \- Runs TPM2 createek
+.SH DESCRIPTION
+createek
+.PP
+Parses and prints the various EK NV indexes specified by the IWG
+Creates a primary key based on the EK NV indexes
+.TP
+\fB\-te\fR
+print EK Template
+.TP
+\fB\-no\fR
+print EK nonce
+.TP
+\fB\-ce\fR
+print EK certificate
+.TP
+\fB\-cp\fR
+CreatePrimary using the EK template and EK nonce.
+Validate the EK against the EK certificate
+.TP
+[\-noflush
+Do not flush the primary key after validation]
+.TP
+[\-root
+filename \- validate EK certificate against the root]
+filename contains a list of PEM format CA root certificate
+filenames, one per line.
+The list may contain up to 100 certificates.
+.HP
+\fB\-alg\fR (rsa or ecc)
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateekcert.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateekcert.1
new file mode 100644
index 0000000..9901a3f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateekcert.1
@@ -0,0 +1,40 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CREATEEKCERT "1" "March 2020" "createekcert 1.3" "User Commands"
+.SH NAME
+createekcert \- Runs TPM2 createekcert
+.SH SYNOPSIS
+.B createekcert
+\fI\,-alg rsa -cakey cakey.pem -capwd rrrr -v\/\fR
+.br
+.B createekcert
+\fI\,-alg ecc -cakey cakeyecc.pem -capwd rrrr -caalg ec -v\/\fR
+.SH DESCRIPTION
+createekcert
+.PP
+Provisions an EK certificate, using the default IWG template
+E.g.,
+.TP
+[\-pwdp
+platform hierarchy password (default empty)]
+.TP
+\fB\-cakey\fR
+CA PEM key file name
+.TP
+[\-capwd
+CA PEM key password (default empty)]
+.TP
+[\-caalg
+CA key algorithm (rsa or ec) (default rsa)]
+.TP
+[\-alg
+(rsa or ecc certificate) (default rsa)]
+.TP
+[\-noflush
+do not flush the primary key]
+.TP
+[\-of
+DER certificate output file name]
+.PP
+Currently:
+.IP
+Certificate issuer, subject, and validity are hard coded.
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateloaded.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateloaded.1
new file mode 100644
index 0000000..0e6d451
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateloaded.1
@@ -0,0 +1,128 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CREATELOADED "1" "March 2020" "createloaded 1.3" "User Commands"
+.SH NAME
+createloaded \- Runs TPM2 createloaded
+.SH DESCRIPTION
+createloaded
+.PP
+Runs TPM2_CreateLoaded
+.HP
+\fB\-hp\fR parent handle (can be hierarchy)
+.IP
+40000001 Owner
+4000000c Platform
+4000000b Endorsement
+.IP
+[Asymmetric Key Algorithm]
+.HP
+\fB\-rsa\fR keybits (default)
+.IP
+(2048 default)
+.HP
+\fB\-ecc\fR curve
+.IP
+bnp256
+nistp256
+nistp384
+.IP
+Key attributes
+.TP
+\fB\-bl\fR
+data blob for unseal (create only)
+requires \fB\-if\fR
+.TP
+\fB\-den\fR
+decryption, (unrestricted, RSA and EC NULL scheme)
+.TP
+\fB\-deo\fR
+decryption, (unrestricted, RSA OAEP, EC NULL scheme)
+.TP
+\fB\-dee\fR
+decryption, (unrestricted, RSA ES, EC NULL scheme)
+.TP
+\fB\-des\fR
+encryption/decryption, AES symmetric
+[\-116 for TPM rev 116 compatibility]
+.TP
+\fB\-st\fR
+storage (restricted)
+[default for primary keys]
+.TP
+\fB\-si\fR
+unrestricted signing (RSA and EC NULL scheme)
+.TP
+\fB\-sir\fR
+restricted signing (RSA RSASSA, EC ECDSA scheme)
+.TP
+\fB\-dau\fR
+unrestricted ECDAA signing key pair
+.TP
+\fB\-dar\fR
+restricted ECDAA signing key pair
+.TP
+\fB\-kh\fR
+keyed hash (unrestricted, hmac)
+.TP
+\fB\-khr\fR
+keyed hash (restricted, hmac)
+.TP
+\fB\-dp\fR
+derivation parent
+.TP
+\fB\-gp\fR
+general purpose, not storage
+.TP
+[\-kt
+(can be specified more than once)]
+f fixedTPM (default for primary keys and derivation parents)
+p fixedParent (default for primary keys and derivation parents)
+nf no fixedTPM (default for non\-primary keys)
+np no fixedParent (default for non\-primary keys)
+ed encrypted duplication (default not set)
+.TP
+[\-da
+object subject to DA protection (default no)]
+.TP
+[\-pol
+policy file (default empty)]
+.TP
+[\-uwa
+userWithAuth attribute clear (default set)]
+.TP
+[\-if
+data (inSensitive) file name]
+.TP
+[\-nalg
+name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-halg
+scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-der
+object's parent is a derivation parent]
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+[\-pwdp
+password for parent key (default empty)]
+.TP
+[\-opu
+public key file name (default do not save)]
+.TP
+[\-opr
+private key file name (default do not save)]
+.TP
+[\-opem
+public key PEM format file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateprimary.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateprimary.1
new file mode 100644
index 0000000..7aa86c7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsscreateprimary.1
@@ -0,0 +1,131 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH CREATEPRIMARY "1" "March 2020" "createprimary 1.3" "User Commands"
+.SH NAME
+createprimary \- Runs TPM2 createprimary
+.SH DESCRIPTION
+createprimary creates a primary storage key
+.PP
+Runs TPM2_CreatePrimary
+.TP
+[\-hi
+hierarchy (e, o, p, n) (default null)]
+.TP
+[\-pwdp
+password for hierarchy (default empty)]
+.TP
+[\-pwdpi
+password file name for hierarchy (default empty)]
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+[\-iu
+inPublic unique field file (default none)]
+.TP
+[\-opu
+public key file name (default do not save)]
+.TP
+[\-opem
+public key PEM format file name (default do not save)]
+.TP
+[\-tk
+output ticket file name]
+.TP
+[\-ch
+output creation hash file name]
+.IP
+[Asymmetric Key Algorithm]
+.HP
+\fB\-rsa\fR keybits (default)
+.IP
+(2048 default)
+.HP
+\fB\-ecc\fR curve
+.IP
+bnp256
+nistp256
+nistp384
+.IP
+Key attributes
+.TP
+\fB\-bl\fR
+data blob for unseal (create only)
+requires \fB\-if\fR
+.TP
+\fB\-den\fR
+decryption, (unrestricted, RSA and EC NULL scheme)
+.TP
+\fB\-deo\fR
+decryption, (unrestricted, RSA OAEP, EC NULL scheme)
+.TP
+\fB\-dee\fR
+decryption, (unrestricted, RSA ES, EC NULL scheme)
+.TP
+\fB\-des\fR
+encryption/decryption, AES symmetric
+[\-116 for TPM rev 116 compatibility]
+.TP
+\fB\-st\fR
+storage (restricted)
+[default for primary keys]
+.TP
+\fB\-si\fR
+unrestricted signing (RSA and EC NULL scheme)
+.TP
+\fB\-sir\fR
+restricted signing (RSA RSASSA, EC ECDSA scheme)
+.TP
+\fB\-dau\fR
+unrestricted ECDAA signing key pair
+.TP
+\fB\-dar\fR
+restricted ECDAA signing key pair
+.TP
+\fB\-kh\fR
+keyed hash (unrestricted, hmac)
+.TP
+\fB\-khr\fR
+keyed hash (restricted, hmac)
+.TP
+\fB\-dp\fR
+derivation parent
+.TP
+\fB\-gp\fR
+general purpose, not storage
+.TP
+[\-kt
+(can be specified more than once)]
+f fixedTPM (default for primary keys and derivation parents)
+p fixedParent (default for primary keys and derivation parents)
+nf no fixedTPM (default for non\-primary keys)
+np no fixedParent (default for non\-primary keys)
+ed encrypted duplication (default not set)
+.TP
+[\-da
+object subject to DA protection (default no)]
+.TP
+[\-pol
+policy file (default empty)]
+.TP
+[\-uwa
+userWithAuth attribute clear (default set)]
+.TP
+[\-if
+data (inSensitive) file name]
+.TP
+[\-nalg
+name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-halg
+scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssdictionaryattacklockreset.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssdictionaryattacklockreset.1
new file mode 100644
index 0000000..0f5ef05
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssdictionaryattacklockreset.1
@@ -0,0 +1,16 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH DICTIONARYATTACKLOCKRESET "1" "March 2020" "dictionaryattacklockreset 1.3" "User Commands"
+.SH NAME
+dictionaryattacklockreset \- Runs TPM2 dictionaryattacklockreset
+.SH DESCRIPTION
+dictionaryattacklockreset
+.PP
+Runs TPM2_DictionaryAttackLockReset
+.TP
+[\-pwd
+lockout auth password (default empty)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssdictionaryattackparameters.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssdictionaryattackparameters.1
new file mode 100644
index 0000000..8b7d5a6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssdictionaryattackparameters.1
@@ -0,0 +1,25 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH DICTIONARYATTACKPARAMETERS "1" "March 2020" "dictionaryattackparameters 1.3" "User Commands"
+.SH NAME
+dictionaryattackparameters \- Runs TPM2 dictionaryattackparameters
+.SH DESCRIPTION
+dictionaryattackparameters
+.PP
+Runs TPM2_DictionaryAttackParameters
+.TP
+[\-pwd
+lockout auth password (default empty)]
+.TP
+[\-nmt
+new max tries (default 1 try)]
+.TP
+[\-nrt
+new recovery time (default 10 seconds)]
+.TP
+[\-lr
+lockout recovery (default 1 second)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssduplicate.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssduplicate.1
new file mode 100644
index 0000000..c6b63bd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssduplicate.1
@@ -0,0 +1,43 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH DUPLICATE "1" "March 2020" "duplicate 1.3" "User Commands"
+.SH NAME
+duplicate \- Runs TPM2 duplicate
+.SH DESCRIPTION
+duplicate
+.PP
+Runs TPM2_Duplicate
+.TP
+\fB\-ho\fR
+object handle
+.TP
+[\-pwdo
+password for object (default empty)]
+.TP
+[\-hp
+new parent handle (default TPM_RH_NULL)]
+.TP
+[\-ik
+encryption key in file name]
+.TP
+[\-salg
+symmetric algorithm (aes)(default none)]
+.TP
+[\-oek
+encryption key out file name (default do not save)]
+.TP
+[\-od
+duplicate private area file name (default do not save)]
+.TP
+[\-oss
+symmetric seed file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsseccparameters.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsseccparameters.1
new file mode 100644
index 0000000..00570e5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsseccparameters.1
@@ -0,0 +1,16 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH ECCPARAMETERS "1" "March 2020" "eccparameters 1.3" "User Commands"
+.SH NAME
+eccparameters \- Runs TPM2 eccparameters
+.SH DESCRIPTION
+eccparameters
+.PP
+Runs TPM2_ECC_Parameters
+.TP
+\fB\-cv\fR
+curve ID
+bnp256
+nistp256
+nistp384
+.IP
+[\-of data file, ECC parameters (default do not save)]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssecephemeral.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssecephemeral.1
new file mode 100644
index 0000000..d25de4d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssecephemeral.1
@@ -0,0 +1,20 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH ECEPHEMERAL "1" "March 2020" "ecephemeral 1.3" "User Commands"
+.SH NAME
+ecephemeral \- Runs TPM2 ecephemeral
+.SH DESCRIPTION
+ecephmeral
+.PP
+Runs TPM2_EC_Ephemeral
+.TP
+\fB\-ecc\fR
+curve
+bnp256
+nistp256
+nistp384
+.TP
+[\-oq
+output Q ephemeral public key file name (default do not save)]
+.TP
+[\-cf
+output counter file name (default do not save)]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssencryptdecrypt.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssencryptdecrypt.1
new file mode 100644
index 0000000..413f86c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssencryptdecrypt.1
@@ -0,0 +1,37 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH ENCRYPTDECRYPT "1" "March 2020" "encryptdecrypt 1.3" "User Commands"
+.SH NAME
+encryptdecrypt \- Runs TPM2 encryptdecrypt
+.SH DESCRIPTION
+encryptdecrypt
+.PP
+Runs TPM2_EncryptDecrypt
+.TP
+\fB\-hk\fR
+key handle
+.TP
+\fB\-pwdk\fR
+password for key (default empty)
+.TP
+\fB\-d\fR
+decrypt (default encrypt)
+.TP
+\fB\-if\fR
+input file name
+.TP
+[\-of
+output file name (default do not save)]
+.TP
+[\-2
+use TPM2_EncryptDecrypt2]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsseventextend.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsseventextend.1
new file mode 100644
index 0000000..2ff2b42
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsseventextend.1
@@ -0,0 +1,29 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH EVENTEXTEND "1" "March 2020" "eventextend 1.3" "User Commands"
+.SH NAME
+eventextend \- Runs TPM2 eventextend
+.SH SYNOPSIS
+.B eventextend
+\fI\,-if <measurement file> \/\fR[\fI\,-v\/\fR]
+.SH DESCRIPTION
+Extends a measurement file (binary) into a TPM or simulated PCRs
+.TP
+\fB\-if\fR
+file containing the data to be extended
+.TP
+[\-nospec
+file does not contain spec ID header (useful for incremental test)]
+.TP
+[\-tpm
+extend TPM PCRs]
+.TP
+[\-sim
+calculate simulated PCRs and boot aggregate]
+.TP
+[\-pcrmax
+with \fB\-sim\fR, sets the highest PCR number to be used to calculate the
+.IP
+boot aggregate (default 7)]
+.TP
+[\-ns
+no space, no text, no newlines]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsseventsequencecomplete.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsseventsequencecomplete.1
new file mode 100644
index 0000000..9e1c6be
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsseventsequencecomplete.1
@@ -0,0 +1,40 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH EVENTSEQUENCECOMPLETE "1" "March 2020" "eventsequencecomplete 1.3" "User Commands"
+.SH NAME
+eventsequencecomplete \- Runs TPM2 eventsequencecomplete
+.SH DESCRIPTION
+eventsequencecomplete
+.PP
+Runs TPM2_EventSequenceComplete
+.TP
+[\-ha
+pcr handle (default NULL)]
+.TP
+\fB\-hs\fR
+sequence handle
+.TP
+[\-pwds
+password for sequence (default empty)]
+.TP
+[\-if
+input file to be added (default no data)]
+.TP
+[\-of1
+sha1 output digest file (default do not save)]
+.TP
+[\-of2
+sha256 output digest file (default do not save)]
+.TP
+[\-of3
+sha384 output digest file (default do not save)]
+.TP
+[\-of5
+sha512 output digest file (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssevictcontrol.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssevictcontrol.1
new file mode 100644
index 0000000..3e974b1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssevictcontrol.1
@@ -0,0 +1,29 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH EVICTCONTROL "1" "March 2020" "evictcontrol 1.3" "User Commands"
+.SH NAME
+evictcontrol \- Runs TPM2 evictcontrol
+.SH DESCRIPTION
+evictcontrol
+.PP
+Runs TPM2_EvictControl
+.TP
+\fB\-hi\fR
+authhandle hierarchy (o, p)
+o owner, p platform
+.TP
+\fB\-ho\fR
+object handle
+if transient: make persistent, if persistent: flush
+.TP
+\fB\-hp\fR
+persistent handle
+owner 81000000 to 817FFFFF
+platform 81800000 to 81FFFFFF
+.TP
+\fB\-pwda\fR
+authorization password (default empty)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssflushcontext.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssflushcontext.1
new file mode 100644
index 0000000..76bcba6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssflushcontext.1
@@ -0,0 +1,11 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH FLUSHCONTEXT "1" "March 2020" "flushcontext 1.3" "User Commands"
+.SH NAME
+flushcontext \- Runs TPM2 flushcontext
+.SH DESCRIPTION
+flushcontext
+.PP
+Runs TPM2_FlushContext
+.TP
+\fB\-ha\fR
+handle
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcapability.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcapability.1
new file mode 100644
index 0000000..d4f8e97
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcapability.1
@@ -0,0 +1,58 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH GETCAPABILITY "1" "March 2020" "getcapability 1.3" "User Commands"
+.SH NAME
+getcapability \- Runs TPM2 getcapability
+.SH DESCRIPTION
+getcapability
+.PP
+Runs TPM2_GetCapability
+.TP
+\fB\-cap\fR
+capability
+.TP
+\fB\-pr\fR
+property (defaults to 0)
+.TP
+\fB\-pc\fR
+propertyCount (defaults to 64)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+80
+command audit
+.TP
+\fB\-cap\fR
+values
+.TP
+TPM_CAP_ALGS
+0
+.TP
+TPM_CAP_HANDLES
+1
+.TP
+TPM_CAP_COMMANDS
+2
+.TP
+TPM_CAP_PP_COMMANDS
+3
+.TP
+TPM_CAP_AUDIT_COMMANDS
+4
+.TP
+TPM_CAP_PCRS
+5
+.TP
+TPM_CAP_TPM_PROPERTIES
+6
+.TP
+TPM_CAP_PCR_PROPERTIES
+7
+.TP
+TPM_CAP_ECC_CURVES
+8
+.TP
+TPM_CAP_AUTH_POLICIES
+9
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcommandauditdigest.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcommandauditdigest.1
new file mode 100644
index 0000000..8277011
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcommandauditdigest.1
@@ -0,0 +1,43 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH GETCOMMANDAUDITDIGEST "1" "March 2020" "getcommandauditdigest 1.3" "User Commands"
+.SH NAME
+getcommandauditdigest \- Runs TPM2 getcommandauditdigest
+.SH DESCRIPTION
+getcommandauditdigest
+.PP
+Runs TPM2_GetCommandAuditDigest
+.TP
+[\-pwde
+endorsement hierarchy password (default empty)]
+.TP
+\fB\-hk\fR
+signing key handle
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-salg
+signature algorithm (rsa, ecc, hmac) (default rsa)]
+.TP
+[\-qd
+qualifying data file name]
+.TP
+[\-os
+signature file name (default do not save)]
+.TP
+[\-oa
+attestation output file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcryptolibrary.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcryptolibrary.1
new file mode 100644
index 0000000..e02e98c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetcryptolibrary.1
@@ -0,0 +1,10 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH GETCRYPTOLIBRARY "1" "March 2020" "getcryptolibrary 1.3" "User Commands"
+.SH NAME
+getcryptolibrary \- Runs TPM2 getcryptolibrary
+.SH DESCRIPTION
+getcryptolibrary
+.PP
+Returns a string indicating the crypto library compiled in.
+.PP
+This is used within test scripts.
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetrandom.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetrandom.1
new file mode 100644
index 0000000..9118144
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetrandom.1
@@ -0,0 +1,29 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH GETRANDOM "1" "March 2020" "getrandom 1.3" "User Commands"
+.SH NAME
+getrandom \- Runs TPM2 getrandom
+.SH DESCRIPTION
+getrandom
+.PP
+Runs TPM2_GetRandom
+.TP
+\fB\-by\fR
+bytes requested
+.TP
+[\-of
+output file, with \fB\-nz\fR, appends nul terminator (default do not save)]
+.TP
+[\-nz
+get random number with no zero bytes (for authorization value)]
+.TP
+[\-ns
+no space, no text, no newlines]
+just a string of hexascii suitable for a symmetric key
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetsessionauditdigest.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetsessionauditdigest.1
new file mode 100644
index 0000000..80ad6fc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgetsessionauditdigest.1
@@ -0,0 +1,46 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH GETSESSIONAUDITDIGEST "1" "March 2020" "getsessionauditdigest 1.3" "User Commands"
+.SH NAME
+getsessionauditdigest \- Runs TPM2 getsessionauditdigest
+.SH DESCRIPTION
+getsessionauditdigest
+.PP
+Runs TPM2_GetSessionAuditDigest
+.TP
+[\-pwde
+endorsement hierarchy password (default empty)]
+.TP
+[\-hk
+signing key handle]
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+\fB\-hs\fR
+audit session handle
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-qd
+qualifying data file name]
+.TP
+[\-os
+signature file name (default do not save)]
+.TP
+[\-oa
+attestation output file name (default do not save)]
+.TP
+[\-od
+session digest file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgettestresult.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgettestresult.1
new file mode 100644
index 0000000..324fd58
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgettestresult.1
@@ -0,0 +1,16 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH GETTESTRESULT "1" "March 2020" "gettestresult 1.3" "User Commands"
+.SH NAME
+gettestresult \- Runs TPM2 gettestresult
+.SH DESCRIPTION
+gettestresult
+.PP
+Runs TPM2_GetTestResult
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgettime.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgettime.1
new file mode 100644
index 0000000..c35250c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssgettime.1
@@ -0,0 +1,43 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH GETTIME "1" "March 2020" "gettime 1.3" "User Commands"
+.SH NAME
+gettime \- Runs TPM2 gettime
+.SH DESCRIPTION
+gettime
+.PP
+Runs TPM2_GetTime
+.TP
+\fB\-hk\fR
+signing key handle
+.TP
+[\-pwdk
+password for signing key (default empty)]
+.TP
+[\-pwde
+password for endorsement hierarchy (default empty)]
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-salg
+signature algorithm (rsa, ecc, hmac) (default rsa)]
+.TP
+[\-qd
+qualifying data file name]
+.TP
+[\-os
+signature file name (default do not save)]
+.TP
+[\-oa
+attestation output file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshash.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshash.1
new file mode 100644
index 0000000..8d4ba02
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshash.1
@@ -0,0 +1,30 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH HASH "1" "March 2020" "hash 1.3" "User Commands"
+.SH NAME
+hash \- Runs TPM2 hash
+.SH DESCRIPTION
+hash
+.PP
+Runs TPM2_Hash
+.TP
+[\-hi
+hierarchy (e, o, p, n) (default null)]
+e endorsement, o owner, p platform, n null
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+\fB\-if\fR
+input file to be hashed
+.TP
+\fB\-ic\fR
+data string to be hashed
+.TP
+[\-ns
+no space, no text, no newlines]
+.TP
+[\-oh
+hash file name (default do not save)]
+.TP
+[\-tk
+ticket file name (default do not save)]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshashsequencestart.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshashsequencestart.1
new file mode 100644
index 0000000..a662389
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshashsequencestart.1
@@ -0,0 +1,23 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH HASHSEQUENCESTART "1" "March 2020" "hashsequencestart 1.3" "User Commands"
+.SH NAME
+hashsequencestart \- Runs TPM2 hashsequencestart
+.SH DESCRIPTION
+hashsequencestart
+.PP
+Runs TPM2_HashSequenceStart
+.TP
+[\-pwda
+password for sequence (default empty)]
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512, null) (default sha256)]
+null is an event sequence
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshierarchychangeauth.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshierarchychangeauth.1
new file mode 100644
index 0000000..2ea40c2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshierarchychangeauth.1
@@ -0,0 +1,32 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH HIERARCHYCHANGEAUTH "1" "March 2020" "hierarchychangeauth 1.3" "User Commands"
+.SH NAME
+hierarchychangeauth \- Runs TPM2 hierarchychangeauth
+.SH DESCRIPTION
+hierarchychangeauth
+.PP
+Runs TPM2_HierarchyChangeAuth
+.TP
+\fB\-hi\fR
+hierarchy (l, e, o, p)
+l lockout, e endorsement, o owner, p platform
+.TP
+\fB\-pwdn\fR
+new authorization password (default empty)
+.TP
+\fB\-pwdni\fR
+new authorization password file name (default empty)
+.TP
+\fB\-pwda\fR
+authorization password (default empty)
+.TP
+\fB\-pwdai\fR
+authorization password file name (default empty)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshierarchycontrol.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshierarchycontrol.1
new file mode 100644
index 0000000..562bc09
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshierarchycontrol.1
@@ -0,0 +1,25 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH HIERARCHYCONTROL "1" "March 2020" "hierarchycontrol 1.3" "User Commands"
+.SH NAME
+hierarchycontrol \- Runs TPM2 hierarchycontrol
+.SH DESCRIPTION
+hierarchycontrol
+.PP
+Runs TPM2_HierarchyControl
+.TP
+\fB\-hi\fR
+authhandle hierarchy (e, o, p)
+.TP
+\fB\-he\fR
+enable hierarchy (e, o, p, n)
+e endorsement, o owner, p platform, n null
+.TP
+[\-pwda
+authorization password (default empty)]
+.IP
+[\-state (0 to disable, 1 to enable) (default enable)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshmac.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshmac.1
new file mode 100644
index 0000000..eecff00
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshmac.1
@@ -0,0 +1,37 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH HMAC "1" "March 2020" "hmac 1.3" "User Commands"
+.SH NAME
+hmac \- Runs TPM2 hmac
+.SH DESCRIPTION
+hmac
+.PP
+Runs TPM2_HMAC
+.TP
+\fB\-hk\fR
+key handle
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+\fB\-if\fR
+input file to be HMACed
+.TP
+\fB\-ic\fR
+data string to be HMACed
+.TP
+[\-os
+hmac file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshmacstart.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshmacstart.1
new file mode 100644
index 0000000..17be09a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsshmacstart.1
@@ -0,0 +1,25 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH HMACSTART "1" "March 2020" "hmacstart 1.3" "User Commands"
+.SH NAME
+hmacstart \- Runs TPM2 hmacstart
+.SH DESCRIPTION
+hmacstart
+.PP
+Runs TPM2_Hmac_Start
+.TP
+\fB\-hk\fR
+key handle
+.TP
+\fB\-pwdk\fR
+password for key (default empty)
+.TP
+\fB\-pwda\fR
+password for sequence (default empty)
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssimaextend.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssimaextend.1
new file mode 100644
index 0000000..fde17c3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssimaextend.1
@@ -0,0 +1,37 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH IMAEXTEND "1" "March 2020" "imaextend 1.3" "User Commands"
+.SH NAME
+imaextend \- Runs TPM2 imaextend
+.SH DESCRIPTION
+imaextend
+.PP
+Runs TPM2_PCR_Extend to Extend a SHA\-1 IMA measurement file (binary) into TPM PCRs
+The IMA measurement is directly extended into the SHA\-1 bank, and a zero padded
+measurement is extended into the SHA\-256 bank
+.PP
+This handles the case where a zero measurement extends ones into the IMA PCR
+.PP
+If \fB\-sim\fR is specified, TPM PCRs are not extended. Rather, imaextend extends into
+simluated PCRs and traces the result.
+.TP
+\fB\-if\fR
+IMA event log file name
+.TP
+[\-le
+input file is little endian (default big endian)]
+.TP
+[\-sim
+calculate simulated PCRs]
+.TP
+[\-b
+beginning entry (default 0, beginning of log)]
+A beginning entry after the end of the log becomes a noop
+.TP
+[\-e
+ending entry (default end of log)]
+E.g., \fB\-b\fR 0 \fB\-e\fR 0 sends one entry
+.TP
+[\-l
+time \- run in a continuous loop, with a sleep of 'time' seconds betwteen loops]
+The intent is that this be run without specifying \fB\-b\fR and \fB\-e\fR
+Afer each pass, the next beginning entry is set to the last entry +1
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssimport.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssimport.1
new file mode 100644
index 0000000..2126673
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssimport.1
@@ -0,0 +1,43 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH IMPORT "1" "March 2020" "import 1.3" "User Commands"
+.SH NAME
+import \- Runs TPM2 import
+.SH DESCRIPTION
+import
+.PP
+Runs TPM2_Import
+.TP
+\fB\-hp\fR
+parent handle
+.TP
+[\-pwdp
+password for parent (default empty)]
+.TP
+[\-ik
+encryption key in file name]
+.TP
+\fB\-ipu\fR
+object public area file name
+.TP
+\fB\-id\fR
+duplicate file name
+.TP
+\fB\-iss\fR
+symmetric seed file name
+.TP
+[\-salg
+symmetric algorithm (default none)]
+.TP
+\fB\-opr\fR
+private area file name
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssimportpem.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssimportpem.1
new file mode 100644
index 0000000..d0195a9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssimportpem.1
@@ -0,0 +1,66 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH IMPORTPEM "1" "March 2020" "importpem 1.3" "User Commands"
+.SH NAME
+importpem \- Runs TPM2 importpem
+.SH DESCRIPTION
+importpem
+.PP
+Runs TPM2_Import for a PEM key
+.TP
+\fB\-hp\fR
+parent handle
+.TP
+[\-pwdp
+password for parent (default empty)]
+.TP
+\fB\-ipem\fR
+PEM format key pair
+.IP
+[Asymmetric Key Algorithm]
+.TP
+[\-rsa
+(default)]
+.TP
+[\-ecc
+]
+.TP
+[\-si
+signing (default)]
+.TP
+[\-scheme
+signing scheme (rsassa rsapss) (RSA default RSASSA) (ECC ECDSA)]
+.TP
+[\-st
+storage (NULL scheme)]
+.TP
+[\-den
+decryption, (unrestricted, RSA and ECC NULL scheme)
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+\fB\-opu\fR
+public area file name
+.TP
+\fB\-opr\fR
+private area file name
+.TP
+[\-nalg
+name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-halg
+scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-pol
+policy file (default empty)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssload.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssload.1
new file mode 100644
index 0000000..fb5165e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssload.1
@@ -0,0 +1,31 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH LOAD "1" "March 2020" "load 1.3" "User Commands"
+.SH NAME
+load \- Runs TPM2 load
+.SH DESCRIPTION
+load
+.PP
+Runs TPM2_Load
+.TP
+\fB\-hp\fR
+parent handle
+.TP
+[\-pwdp
+password for parent key (default empty)]
+.TP
+\fB\-ipu\fR
+public key file name
+.TP
+\fB\-ipr\fR
+private key file name
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssloadexternal.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssloadexternal.1
new file mode 100644
index 0000000..5fa80d7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssloadexternal.1
@@ -0,0 +1,73 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH LOADEXTERNAL "1" "December 2019" "loadexternal 1546" "User Commands"
+.SH NAME
+loadexternal \- Runs TPM2 loadexternal
+.SH DESCRIPTION
+loadexternal
+.PP
+Runs TPM2_LoadExternal
+.TP
+[\-hi
+hierarchy (e, o, p, n) (default NULL)]
+.TP
+[\-nalg
+name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-halg
+scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.IP
+[Asymmetric Key Algorithm]
+.TP
+[\-rsa
+(default)]
+.TP
+[\-ecc
+]
+.TP
+\fB\-ipu\fR
+TPM2B_PUBLIC public key file name
+.TP
+\fB\-ipem\fR
+PEM format public key file name
+.TP
+\fB\-ider\fR
+DER format plaintext key pair file name
+.TP
+[\-pwdk
+password for DER key (default empty)]
+.TP
+[\-uwa
+userWithAuth attribute clear (default set)]
+.TP
+[\-si
+signing (default) RSA]
+.TP
+[\-scheme
+for signing key (default RSASSA scheme)]
+.IP
+rsassa
+rsapss
+.TP
+[\-st
+storage (default NULL scheme)]
+.TP
+[\-den
+decryption, (unrestricted, RSA and EC NULL scheme)
+.TP
+[\-ns
+additionally print Name in hex ascii on one line]
+Useful to paste into policy
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
+.TP
+80
+audit
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssmakecredential.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssmakecredential.1
new file mode 100644
index 0000000..86cad50
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssmakecredential.1
@@ -0,0 +1,34 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH MAKECREDENTIAL "1" "March 2020" "makecredential 1.3" "User Commands"
+.SH NAME
+makecredential \- Runs TPM2 makecredential
+.SH DESCRIPTION
+makecredential
+.PP
+Runs TPM2_MakeCredential
+.TP
+\fB\-ha\fR
+handle of encryption key public area
+.TP
+\fB\-icred\fR
+input credential file name
+.TP
+\fB\-in\fR
+object name file name
+.TP
+[\-ocred
+output credential file name (default do not save)]
+.TP
+[\-os
+secret file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle (default NULL)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2getconfig.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2getconfig.1
new file mode 100644
index 0000000..2a3d73c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2getconfig.1
@@ -0,0 +1,19 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NTC2GETCONFIG "1" "March 2020" "ntc2getconfig 1.3" "User Commands"
+.SH NAME
+ntc2getconfig \- Runs TPM2 ntc2getconfig
+.SH DESCRIPTION
+ntc2getconfig
+.PP
+Runs NTC2_GetConfig
+.TP
+[\-verify
+Verify results against System P default (default no verify)]
+.TP
+[\-verifylocked
+Also verify that the preconfig is locked
+.IP
+(default verify not locked)]
+.TP
+[\-p8 or \fB\-p9\fR
+Verify Nuvoton TPM for P8 or P9]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2lockconfig.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2lockconfig.1
new file mode 100644
index 0000000..1d28ca2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2lockconfig.1
@@ -0,0 +1,10 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NTC2LOCKCONFIG "1" "March 2020" "ntc2lockconfig 1.3" "User Commands"
+.SH NAME
+ntc2lockconfig \- Runs TPM2 ntc2lockconfig
+.SH DESCRIPTION
+ntc2lockpreconfig
+.PP
+Runs NTC2_LockPreConfig
+.PP
+\fB\-lock\fR (required)
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2preconfig.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2preconfig.1
new file mode 100644
index 0000000..01ff677
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssntc2preconfig.1
@@ -0,0 +1,67 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NTC2PRECONFIG "1" "March 2020" "ntc2preconfig 1.3" "User Commands"
+.SH NAME
+ntc2preconfig \- Runs TPM2 ntc2preconfig
+.SH DESCRIPTION
+ntc2preconfig
+.PP
+Runs NTC2_PreConfig
+.TP
+\fB\-p8\fR or \fB\-p9\fR
+Configure Nuvoton TPM for P8 or P9
+.TP
+\fB\-override\fR
+permits individual register values, read\-modify\-write
+.PP
+Values to set, each is a hex byte, (default do not change)
+.TP
+[\-i2cLoc1_2
+byte]
+.TP
+[\-i2cLoc3_4
+byte]
+.TP
+[\-AltCfg
+byte]
+.TP
+[\-Direction
+byte]
+.TP
+[\-PullUp
+byte]
+.TP
+[\-PushPull
+byte]
+.TP
+[\-CFG_A
+byte]
+.TP
+[\-CFG_B
+byte]
+.TP
+[\-CFG_C
+byte]
+.TP
+[\-CFG_D
+byte]
+.TP
+[\-CFG_E
+byte]
+.TP
+[\-CFG_F
+byte]
+.TP
+[\-CFG_G
+byte]
+.TP
+[\-CFG_H
+byte]
+.TP
+[\-CFG_I
+byte]
+.TP
+[\-CFG_J
+byte]
+.TP
+[\-IsValid
+byte]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvcertify.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvcertify.1
new file mode 100644
index 0000000..6b513f3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvcertify.1
@@ -0,0 +1,52 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVCERTIFY "1" "March 2020" "nvcertify 1.3" "User Commands"
+.SH NAME
+nvcertify \- Runs TPM2 nvcertify
+.SH DESCRIPTION
+nvcertify
+.PP
+Runs TPM2_NV_Certify
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+[\-pwdn
+password for NV index (default empty)]
+.TP
+\fB\-hk\fR
+certifying key handle
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-salg
+signature algorithm (rsa, ecc, hmac) (default rsa)]
+.TP
+\fB\-sz\fR
+data size
+.TP
+[\-off
+offset (default 0)]
+.TP
+[\-os
+signature file name (default do not save)]
+.TP
+[\-oa
+attestation output file name (default do not save)]
+.TP
+[\-od
+certified data file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvchangeauth.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvchangeauth.1
new file mode 100644
index 0000000..76a14da
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvchangeauth.1
@@ -0,0 +1,25 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVCHANGEAUTH "1" "March 2020" "nvchangeauth 1.3" "User Commands"
+.SH NAME
+nvchangeauth \- Runs TPM2 nvchangeauth
+.SH DESCRIPTION
+nvchangeauth
+.PP
+Runs TPM2_NV_ChangeAuth
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+\fB\-pwdo\fR
+password (default empty)
+.TP
+\fB\-pwdn\fR
+new password (default empty)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvdefinespace.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvdefinespace.1
new file mode 100644
index 0000000..1e979f7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvdefinespace.1
@@ -0,0 +1,101 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVDEFINESPACE "1" "March 2020" "nvdefinespace 1.3" "User Commands"
+.SH NAME
+nvdefinespace \- Runs TPM2 nvdefinespace
+.SH DESCRIPTION
+nvdefinespace
+.PP
+Runs TPM2_NV_DefineSpace
+.TP
+\fB\-ha\fR
+NV index handle
+01xxxxxx
+.TP
+\fB\-hi\fR
+authorizing hierarchy (o, p)
+o owner, p platform
+p sets PLATFORMCREATE
+.TP
+[\-pwdp
+password for hierarchy (default empty)]
+.TP
+[\-hia
+hierarchy authorization (o, p)(default index authorization)]
+.TP
+default
+AUTHWRITE, AUTHREAD
+.TP
+o sets
+OWNERWRITE, OWNERREAD
+.TP
+p sets
+PPWRITE, PPREAD (platform)
+.TP
+[\-pwdn
+password for NV index (default empty)]
+sets AUTHWRITE (if not PIN index), AUTHREAD
+.TP
+[\-nalg
+name algorithm (sha1, sha256, sha384 sha512) (default sha256)]
+.TP
+[\-sz
+data size in decimal (default 0)]
+Ignored for other than ordinary index
+.TP
+[\-ty
+index type (o, c, b, e, p, f) (default ordinary)]
+ordinary, counter, bits, extend, pin pass, pin fail
+.TP
+[\-pol
+policy file (default empty)]
+sets POLICYWRITE, POLICYREAD
+.TP
+[+at
+attributes to add (may be specified more than once)]
+.TP
+ppw
+(PPWRITE) ppr (PPREAD)
+.TP
+ow
+(OWNERWRITE) or (OWNERREAD)
+.TP
+aw
+(AUTHWRITE) ar (AUTHREAD)
+.TP
+wd
+(WRITEDEFINE) gl (GLOBALLOCK)
+.TP
+rst
+(READ_STCLEAR) wst (WRITE_STCLEAR)
+.TP
+wa
+(WRITEALL) ody (ORDERLY)
+.TP
+pold
+(POLICY_DELETE) stc (CLEAR_STCLEAR)
+.TP
+[\-at
+attributes to delete (may be specified more than once)]
+.TP
+ppw
+(PPWRITE) ppr (PPREAD)
+.TP
+ow
+(OWNERWRITE) or (OWNERREAD)
+.TP
+aw
+(AUTHWRITE) ar (AUTHREAD)
+.TP
+pw
+(POLICYWRITE) pr (POLICYREAD)
+.TP
+da
+(NO_DA) (default set)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvextend.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvextend.1
new file mode 100644
index 0000000..acd37bf
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvextend.1
@@ -0,0 +1,28 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVEXTEND "1" "March 2020" "nvextend 1.3" "User Commands"
+.SH NAME
+nvextend \- Runs TPM2 nvextend
+.SH DESCRIPTION
+nvextend
+.PP
+Runs TPM2_NV_Extend
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+\fB\-pwdn\fR
+password for NV index (default empty)
+.TP
+\fB\-ic\fR
+data string
+.TP
+\fB\-if\fR
+data file
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+20
+command decrypt
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvglobalwritelock.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvglobalwritelock.1
new file mode 100644
index 0000000..bc0b0b1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvglobalwritelock.1
@@ -0,0 +1,19 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVGLOBALWRITELOCK "1" "March 2020" "nvglobalwritelock 1.3" "User Commands"
+.SH NAME
+nvglobalwritelock \- Runs TPM2 nvglobalwritelock
+.SH DESCRIPTION
+nvglobalwritelock
+.PP
+Runs TPM2_NV_GlobalWriteLock
+.TP
+\fB\-hia\fR
+hierarchy authorization (o, p)
+.TP
+[\-pwd
+authorization password (default empty)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvincrement.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvincrement.1
new file mode 100644
index 0000000..4ce4e21
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvincrement.1
@@ -0,0 +1,19 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVINCREMENT "1" "March 2020" "nvincrement 1.3" "User Commands"
+.SH NAME
+nvincrement \- Runs TPM2 nvincrement
+.SH DESCRIPTION
+nvincrement
+.PP
+Runs TPM2_NV_Increment
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+\fB\-pwdn\fR
+password for NV index (default empty)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvread.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvread.1
new file mode 100644
index 0000000..83705c9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvread.1
@@ -0,0 +1,50 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVREAD "1" "March 2020" "nvread 1.3" "User Commands"
+.SH NAME
+nvread \- Runs TPM2 nvread
+.SH DESCRIPTION
+nvread
+.PP
+Runs TPM2_NV_Read
+.TP
+[\-hia
+hierarchy authorization (o, p)(default index authorization)]
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+[\-pwdn
+password for NV index (default empty)]
+.TP
+[\-sz
+data size (default to size of index)]
+counter, bits, pin read 8 bytes, extend reads based on hash algorithm
+.TP
+[\-cert
+dumps the certificate
+.TP
+01c00002
+RSA EK certificate
+.TP
+01c0000a
+ECC EK certificate
+.TP
+[\-ocert
+certificate file name, writes in PEM format
+.TP
+[\-off
+offset (default 0)]
+.TP
+[\-of
+data file (default do not save)]
+.TP
+[\-id
+data values for pinCount and pinLimit verification, (4 bytes each)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvreadlock.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvreadlock.1
new file mode 100644
index 0000000..64781e8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvreadlock.1
@@ -0,0 +1,22 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVREADLOCK "1" "March 2020" "nvreadlock 1.3" "User Commands"
+.SH NAME
+nvreadlock \- Runs TPM2 nvreadlock
+.SH DESCRIPTION
+nvreadlock
+.PP
+Runs TPM2_NV_ReadLock
+.TP
+[\-hia
+hierarchy authorization (o, p)(default index authorization)]
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+\fB\-pwdn\fR
+password for NV index (default empty)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvreadpublic.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvreadpublic.1
new file mode 100644
index 0000000..0b02f53
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvreadpublic.1
@@ -0,0 +1,36 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVREADPUBLIC "1" "March 2020" "nvreadpublic 1.3" "User Commands"
+.SH NAME
+nvreadpublic \- Runs TPM2 nvreadpublic
+.SH DESCRIPTION
+nvreadpublic
+.PP
+Runs TPM2_NV_ReadPublic
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+[\-nalg
+expected name hash algorithm (sha1, sha256, sha384 sha512)
+(default no check)]
+.TP
+[\-opu
+NV public file name (default do not save)]
+.TP
+[\-ns
+additionally print Name in hex ascii on one line]
+.TP
+[\-on
+binary format Name file name]
+Useful to paste into policy
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+40
+response encrypt
+.TP
+80
+audit
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvsetbits.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvsetbits.1
new file mode 100644
index 0000000..751700e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvsetbits.1
@@ -0,0 +1,22 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVSETBITS "1" "March 2020" "nvsetbits 1.3" "User Commands"
+.SH NAME
+nvsetbits \- Runs TPM2 nvsetbits
+.SH DESCRIPTION
+nvsetbits
+.PP
+Runs TPM2_NV_SetBits
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+[\-pwdn
+password for NV index (default empty)]
+.TP
+[\-bit
+bit to set, can be specified multiple times]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvundefinespace.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvundefinespace.1
new file mode 100644
index 0000000..b7cd10c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvundefinespace.1
@@ -0,0 +1,23 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVUNDEFINESPACE "1" "March 2020" "nvundefinespace 1.3" "User Commands"
+.SH NAME
+nvundefinespace \- Runs TPM2 nvundefinespace
+.SH DESCRIPTION
+nvundefinespace
+.PP
+Runs TPM2_NV_UndefineSpace
+.TP
+\fB\-hi\fR
+hierarchy (o, p)
+o owner, p platform
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+\fB\-pwdp\fR
+password for hierarchy (default empty)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvundefinespacespecial.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvundefinespacespecial.1
new file mode 100644
index 0000000..6b03a44
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvundefinespacespecial.1
@@ -0,0 +1,22 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVUNDEFINESPACESPECIAL "1" "March 2020" "nvundefinespacespecial 1.3" "User Commands"
+.SH NAME
+nvundefinespacespecial \- Runs TPM2 nvundefinespacespecial
+.SH DESCRIPTION
+nvundefinespacespecial
+.PP
+Runs TPM2_NV_UndefineSpaceSpecial
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+[\-pwdp
+password for platform (default empty)]
+.TP
+[\-pwdn
+password for NV index (default empty)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvwrite.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvwrite.1
new file mode 100644
index 0000000..4601a29
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvwrite.1
@@ -0,0 +1,40 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVWRITE "1" "March 2020" "nvwrite 1.3" "User Commands"
+.SH NAME
+nvwrite \- Runs TPM2 nvwrite
+.SH DESCRIPTION
+nvwrite
+.PP
+Runs TPM2_NV_Write
+.TP
+[\-hia
+hierarchy authorization (o, p)(default index authorization)]
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+[\-pwdn
+authorization password (default empty)]
+hierarchy or NV index password
+.TP
+[\-ic
+data string]
+.TP
+[\-if
+data file]
+.TP
+[\-id
+data values, pinPass and pinLimit (4 bytes each)]
+if none is specified, a 0 byte write occurs
+\fB\-id\fR is normally used for pin pass or pin fail indexes
+.TP
+[\-off
+offset (default 0)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+20
+command decrypt
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvwritelock.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvwritelock.1
new file mode 100644
index 0000000..a43117b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssnvwritelock.1
@@ -0,0 +1,22 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH NVWRITELOCK "1" "March 2020" "nvwritelock 1.3" "User Commands"
+.SH NAME
+nvwritelock \- Runs TPM2 nvwritelock
+.SH DESCRIPTION
+nvwritelock
+.PP
+Runs TPM2_NV_WriteLock
+.TP
+[\-hia
+hierarchy authorization (o, p) (default index authorization)]
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+\fB\-pwdn\fR
+password for NV index (default empty)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssobjectchangeauth.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssobjectchangeauth.1
new file mode 100644
index 0000000..97ca7fb
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssobjectchangeauth.1
@@ -0,0 +1,34 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH OBJECTCHANGEAUTH "1" "March 2020" "objectchangeauth 1.3" "User Commands"
+.SH NAME
+objectchangeauth \- Runs TPM2 objectchangeauth
+.SH DESCRIPTION
+objectchangeauth
+.PP
+Runs TPM2_ObjectChangeAuth
+.TP
+\fB\-hp\fR
+parent handle
+.TP
+\fB\-ho\fR
+object handle
+.TP
+[\-pwdo
+password for object (default empty)]
+.TP
+[\-pwdn
+new password for object (default empty)]
+.IP
+[\-pwdni new password file for object, nul terminated (default empty)]
+[\-opr private key file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrallocate.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrallocate.1
new file mode 100644
index 0000000..378e21e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrallocate.1
@@ -0,0 +1,25 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH PCRALLOCATE "1" "March 2020" "pcrallocate 1.3" "User Commands"
+.SH NAME
+pcrallocate \- Runs TPM2 pcrallocate
+.SH DESCRIPTION
+pcrallocate
+.PP
+Runs TPM2_PCR_Allocate
+.PP
+Allocates banks for a full set of PCR 0\-23. Not all
+hardware TPMs support multiple banks or all algorithms
+.TP
+[\-pwdp
+platform hierarchy password (default empty)]
+.TP
++sha1 \fB\-sha1\fR
+allocate / deallocate a SHA\-1 bank
+.HP
++sha256 \fB\-sha256\fR allocate / deallocate a SHA\-256 bank
+.HP
++sha384 \fB\-sha384\fR allocate / deallocate a SHA\-384 bank
+.HP
++sha512 \fB\-sha512\fR allocate / deallocate a SHA\-512 bank
+.IP
+More than one algorithm can be specified
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrevent.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrevent.1
new file mode 100644
index 0000000..fa5f544
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrevent.1
@@ -0,0 +1,29 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH PCREVENT "1" "March 2020" "pcrevent 1.3" "User Commands"
+.SH NAME
+pcrevent \- Runs TPM2 pcrevent
+.SH DESCRIPTION
+pcrevent
+.PP
+Runs TPM2_PCR_Event
+.TP
+\fB\-ha\fR
+pcr handle
+.TP
+\fB\-ic\fR
+data string
+.TP
+\fB\-if\fR
+data file
+.TP
+[\-of1
+sha1 output digest file (default do not save)]
+.TP
+[\-of2
+sha256 output digest file (default do not save)]
+.TP
+[\-of3
+sha384 output digest file (default do not save)]
+.TP
+[\-of5
+sha512 output digest file (default do not save)]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrextend.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrextend.1
new file mode 100644
index 0000000..fc4ac2c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrextend.1
@@ -0,0 +1,21 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH PCREXTEND "1" "March 2020" "pcrextend 1.3" "User Commands"
+.SH NAME
+pcrextend \- Runs TPM2 pcrextend
+.SH DESCRIPTION
+pcrextend
+.PP
+Runs TPM2_PCR_Extend
+.TP
+\fB\-ha\fR
+pcr handle
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+\fB\-halg\fR may be specified more than once
+.TP
+\fB\-ic\fR
+data string, 0 pad appended to halg length
+.TP
+\fB\-if\fR
+data file, 0 pad appended to halg length
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrread.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrread.1
new file mode 100644
index 0000000..53aa8b6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrread.1
@@ -0,0 +1,36 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH PCRREAD "1" "March 2020" "pcrread 1.3" "User Commands"
+.SH NAME
+pcrread \- Runs TPM2 pcrread
+.SH DESCRIPTION
+pcrread
+.PP
+Runs TPM2_PCR_Read
+.TP
+\fB\-ha\fR
+pcr handle
+.TP
+\fB\-halg\fR
+(sha1, sha256, sha384, sha512) (default sha256)
+\fB\-halg\fR may be specified more than once
+.TP
+[\-of
+data file for first algorithm specified, in binary]
+.TP
+[\-ahalg
+to extend session audit digest for testing (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-iosad
+file for session audit digest testing]
+.TP
+[\-ns
+no space, no text, no newlines]
+Used for scripting policy construction
+.HP
+\fB\-se0\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+80
+audit
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrreset.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrreset.1
new file mode 100644
index 0000000..0c3b3ba
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspcrreset.1
@@ -0,0 +1,11 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH PCRRESET "1" "March 2020" "pcrreset 1.3" "User Commands"
+.SH NAME
+pcrreset \- Runs TPM2 pcrreset
+.SH DESCRIPTION
+pcrreset
+.PP
+Runs TPM2_PCR_Reset
+.TP
+\fB\-ha\fR
+pcr handle
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthorize.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthorize.1
new file mode 100644
index 0000000..de353ba
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthorize.1
@@ -0,0 +1,31 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYAUTHORIZE "1" "March 2020" "policyauthorize 1.3" "User Commands"
+.SH NAME
+policyauthorize \- Runs TPM2 policyauthorize
+.SH DESCRIPTION
+policyauthorize
+.PP
+Runs TPM2_PolicyAuthorize
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+\fB\-appr\fR
+file name of digest of the policy being approved
+.TP
+[\-pref
+policyRef file] (default none)
+.TP
+\fB\-skn\fR
+signing key Name file name
+.TP
+\fB\-tk\fR
+ticket file name
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+20
+command decrypt
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthorizenv.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthorizenv.1
new file mode 100644
index 0000000..a0590a6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthorizenv.1
@@ -0,0 +1,26 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYAUTHORIZENV "1" "March 2020" "policyauthorizenv 1.3" "User Commands"
+.SH NAME
+policyauthorizenv \- Runs TPM2 policyauthorizenv
+.SH DESCRIPTION
+policyauthorizenv
+.PP
+Runs TPM2_PolicyAuthorizeNV
+.TP
+[\-hi
+hierarchy authHandle (o, p)]
+default NV index
+.TP
+\fB\-ha\fR
+NV index handle
+.TP
+[\-pwda
+password for authorization (default empty)]
+.TP
+\fB\-hs\fR
+policy session handle
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthvalue.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthvalue.1
new file mode 100644
index 0000000..be7b87b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyauthvalue.1
@@ -0,0 +1,11 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYAUTHVALUE "1" "March 2020" "policyauthvalue 1.3" "User Commands"
+.SH NAME
+policyauthvalue \- Runs TPM2 policyauthvalue
+.SH DESCRIPTION
+policyauthvalue
+.PP
+Runs TPM2_PolicyAuthValue
+.TP
+\fB\-ha\fR
+policy session handle
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycommandcode.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycommandcode.1
new file mode 100644
index 0000000..493958b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycommandcode.1
@@ -0,0 +1,14 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYCOMMANDCODE "1" "March 2020" "policycommandcode 1.3" "User Commands"
+.SH NAME
+policycommandcode \- Runs TPM2 policycommandcode
+.SH DESCRIPTION
+policycommandcode
+.PP
+Runs TPM2_PolicyCommandCode
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+\fB\-cc\fR
+command code
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycountertimer.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycountertimer.1
new file mode 100644
index 0000000..5ca6245
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycountertimer.1
@@ -0,0 +1,67 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYCOUNTERTIMER "1" "March 2020" "policycountertimer 1.3" "User Commands"
+.SH NAME
+policycountertimer \- Runs TPM2 policycountertimer
+.SH DESCRIPTION
+policycountertimer
+.PP
+Runs TPM2_PolicyCounterTimer
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+\fB\-ic\fR
+data string (operandB)
+.TP
+\fB\-if\fR
+data file (operandB)
+.TP
+[\-off
+offset (default 0)]
+.TP
+\fB\-op\fR
+operation (default A = B)
+.TP
+0
+A = B
+.TP
+1
+A != B
+.TP
+2
+A > B signed
+.TP
+3
+A > B unsigned
+.TP
+4
+A < B signed
+.TP
+5
+A < B unsigned
+.TP
+6
+A >= B signed
+.TP
+7
+A >= B unsigned
+.TP
+8
+A <= B signed
+.TP
+9
+A <= B unsigned
+.TP
+A
+All bits SET in B are SET in A. ((A&B)=B)
+.TP
+B
+All bits SET in B are CLEAR in A. ((A&B)=0)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycphash.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycphash.1
new file mode 100644
index 0000000..ce9d502
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicycphash.1
@@ -0,0 +1,22 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYCPHASH "1" "March 2020" "policycphash 1.3" "User Commands"
+.SH NAME
+policycphash \- Runs TPM2 policycphash
+.SH DESCRIPTION
+policycphash
+.PP
+Runs TPM2_PolicyCpHash
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+\fB\-cp\fR
+cpHash file
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyduplicationselect.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyduplicationselect.1
new file mode 100644
index 0000000..f7b5543
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyduplicationselect.1
@@ -0,0 +1,28 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYDUPLICATIONSELECT "1" "March 2020" "policyduplicationselect 1.3" "User Commands"
+.SH NAME
+policyduplicationselect \- Runs TPM2 policyduplicationselect
+.SH DESCRIPTION
+policyduplicationselect
+.PP
+Runs TPM2_PolicyDuplicationSelect
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+\fB\-inpn\fR
+new parent Name file
+.TP
+\fB\-ion\fR
+object Name file
+.TP
+[\-io
+include object (default no)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicygetdigest.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicygetdigest.1
new file mode 100644
index 0000000..a7cb83e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicygetdigest.1
@@ -0,0 +1,14 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYGETDIGEST "1" "March 2020" "policygetdigest 1.3" "User Commands"
+.SH NAME
+policygetdigest \- Runs TPM2 policygetdigest
+.SH DESCRIPTION
+policygetdigest
+.PP
+Runs TPM2_PolicyGetDigest
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+[\-of
+binary digest file name (default do not save)]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicymaker.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicymaker.1
new file mode 100644
index 0000000..cb44765
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicymaker.1
@@ -0,0 +1,25 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYMAKER "1" "March 2020" "policymaker 1.3" "User Commands"
+.SH NAME
+policymaker \- Runs TPM2 policymaker
+.SH DESCRIPTION
+policymaker
+.TP
+[\-halg
+hash algorithm (sha1 sha256 sha384 sha512) (default sha256)]
+.TP
+[\-nz
+do not extend starting with zeros, just hash the last line]
+.TP
+\fB\-if\fR
+input policy statements in hex ascii
+.TP
+[\-of
+output file \- policy hash in binary]
+.TP
+[\-pr
+stdout \- policy hash in hex ascii]
+.TP
+[\-ns
+additionally print policy hash in hex ascii on one line]
+Useful to paste into policy OR
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicymakerpcr.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicymakerpcr.1
new file mode 100644
index 0000000..a4f5d09
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicymakerpcr.1
@@ -0,0 +1,29 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYMAKERPCR "1" "March 2020" "policymakerpcr 1.3" "User Commands"
+.SH NAME
+policymakerpcr \- Runs TPM2 policymakerpcr
+.SH DESCRIPTION
+policymakerpcr
+.PP
+Creates a policyPCR term suitable for input to policymaker (hex ascii)
+.PP
+Assumes that the byte mask and PCR values are consistent
+.TP
+[\-halg
+hash algorithm (sha1 sha256 sha384 sha512) (default sha256)]
+.TP
+\fB\-bm\fR
+pcr byte mask in hex, big endian
+.IP
+e.g. 010000 selects PCR 16
+e.g. ffffff selects all 24 PCRs
+.HP
+\fB\-if\fR input file \- PCR values, hex ascii, one per line, 24 max
+.IP
+required unless pcr mask is 0
+.TP
+[\-of
+output file \- policy hash in binary]
+.TP
+[\-pr
+stdout \- policy hash in hex ascii]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynamehash.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynamehash.1
new file mode 100644
index 0000000..e531291
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynamehash.1
@@ -0,0 +1,22 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYNAMEHASH "1" "March 2020" "policynamehash 1.3" "User Commands"
+.SH NAME
+policynamehash \- Runs TPM2 policynamehash
+.SH DESCRIPTION
+policynamehash
+.PP
+Runs TPM2_PolicyNameHash
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+\fB\-nh\fR
+NameHash file \- TPM2B_DIGEST
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynv.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynv.1
new file mode 100644
index 0000000..aa3b8bb
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynv.1
@@ -0,0 +1,77 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYNV "1" "March 2020" "policynv 1.3" "User Commands"
+.SH NAME
+policynv \- Runs TPM2 policynv
+.SH DESCRIPTION
+policynv
+.PP
+Runs TPM2_PolicyNV
+.TP
+[\-hi
+hierarchy authHandle (o, p)]
+default NV index
+.TP
+\fB\-ha\fR
+NV index handle (operand A)
+.TP
+[\-pwda
+password for authorization (default empty)]
+.TP
+\fB\-hs\fR
+policy session handle
+.TP
+\fB\-ic\fR
+data string (operandB)
+.TP
+\fB\-if\fR
+data file (operandB)
+.TP
+[\-off
+offset (default 0)]
+.TP
+\fB\-op\fR
+operation (default A = B)
+.TP
+0
+A = B
+.TP
+1
+A != B
+.TP
+2
+A > B signed
+.TP
+3
+A > B unsigned
+.TP
+4
+A < B signed
+.TP
+5
+A < B unsigned
+.TP
+6
+A >= B signed
+.TP
+7
+A >= B unsigned
+.TP
+8
+A <= B signed
+.TP
+9
+A <= B unsigned
+.TP
+A
+All bits SET in B are SET in A. ((A&B)=B)
+.TP
+B
+All bits SET in B are CLEAR in A. ((A&B)=0)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynvwritten.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynvwritten.1
new file mode 100644
index 0000000..d570574
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicynvwritten.1
@@ -0,0 +1,22 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYNVWRITTEN "1" "March 2020" "policynvwritten 1.3" "User Commands"
+.SH NAME
+policynvwritten \- Runs TPM2 policynvwritten
+.SH DESCRIPTION
+policynvwritten
+.PP
+Runs TPM2_PolicyNvWritten
+.TP
+\fB\-hs\fR
+policy session handle
+.TP
+\fB\-ws\fR
+written set (y, n)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+80
+audit
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyor.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyor.1
new file mode 100644
index 0000000..100b220
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyor.1
@@ -0,0 +1,14 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYOR "1" "March 2020" "policyor 1.3" "User Commands"
+.SH NAME
+policyor \- Runs TPM2 policyor
+.SH DESCRIPTION
+policyor
+.PP
+Runs TPM2_PolicyOR
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+\fB\-if\fR
+policy digest file (2\-8 \fB\-if\fR specifiers required)
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicypassword.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicypassword.1
new file mode 100644
index 0000000..de00863
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicypassword.1
@@ -0,0 +1,11 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYPASSWORD "1" "March 2020" "policypassword 1.3" "User Commands"
+.SH NAME
+policypassword \- Runs TPM2 policypassword
+.SH DESCRIPTION
+policypassword
+.PP
+Runs TPM2_PolicyPassword
+.TP
+\fB\-ha\fR
+policy session handle
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicypcr.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicypcr.1
new file mode 100644
index 0000000..3cc608c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicypcr.1
@@ -0,0 +1,18 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYPCR "1" "March 2020" "policypcr 1.3" "User Commands"
+.SH NAME
+policypcr \- Runs TPM2 policypcr
+.SH DESCRIPTION
+policypcr
+.PP
+Runs TPM2_PolicyPCR
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+\fB\-bm\fR
+pcr mask in hex
+e.g., \fB\-bm\fR 10000 is PCR 16, 000001 is PCR 0
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyrestart.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyrestart.1
new file mode 100644
index 0000000..dae60fb
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyrestart.1
@@ -0,0 +1,11 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYRESTART "1" "March 2020" "policyrestart 1.3" "User Commands"
+.SH NAME
+policyrestart \- Runs TPM2 policyrestart
+.SH DESCRIPTION
+policyrestart
+.PP
+Runs TPM2_PolicyRestart
+.TP
+\fB\-ha\fR
+policy session handle
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicysecret.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicysecret.1
new file mode 100644
index 0000000..8c7ba7d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicysecret.1
@@ -0,0 +1,46 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYSECRET "1" "March 2020" "policysecret 1.3" "User Commands"
+.SH NAME
+policysecret \- Runs TPM2 policysecret
+.SH DESCRIPTION
+policysecret
+.PP
+Runs TPM2_PolicySecret
+.TP
+\fB\-ha\fR
+authorizing entity handle
+.TP
+\fB\-hs\fR
+policy session handle
+.TP
+[\-in
+nonceTPM file (default none)]
+.TP
+[\-cp
+cpHash file (default none)]
+.TP
+[\-pref
+policyRef file (default none)]
+.TP
+[\-exp
+expiration (default none)]
+.TP
+[\-pwde
+authorizing entity password (default empty)]
+.TP
+[\-tk
+ticket file name]
+.TP
+[\-to
+timeout file name]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicysigned.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicysigned.1
new file mode 100644
index 0000000..c0292de
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicysigned.1
@@ -0,0 +1,46 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYSIGNED "1" "March 2020" "policysigned 1.3" "User Commands"
+.SH NAME
+policysigned \- Runs TPM2 policysigned
+.SH DESCRIPTION
+policysigned
+.PP
+Runs TPM2_PolicySigned
+.TP
+\fB\-hk\fR
+signature verification key handle
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+[\-in
+nonceTPM file (default none)]
+.TP
+[\-cp
+cpHash file (default none)]
+.TP
+[\-pref
+policyRef file (default none)]
+.TP
+[\-exp
+expiration in decimal (default none)]
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+\fB\-sk\fR
+RSA signing key file name (PEM format)
+Use this signing key.
+.TP
+\fB\-is\fR
+signature file name
+Use this signature from e.g., a smart card or other HSM.
+.TP
+[\-pwdk
+signing key password (default null)]
+.TP
+[\-tk
+ticket file name]
+.TP
+[\-to
+timeout file name]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicytemplate.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicytemplate.1
new file mode 100644
index 0000000..669a83b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicytemplate.1
@@ -0,0 +1,14 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYTEMPLATE "1" "March 2020" "policytemplate 1.3" "User Commands"
+.SH NAME
+policytemplate \- Runs TPM2 policytemplate
+.SH DESCRIPTION
+policytemplate
+.PP
+Runs TPM2_PolicyTemplate
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+\fB\-te\fR
+template file
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyticket.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyticket.1
new file mode 100644
index 0000000..c078be8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspolicyticket.1
@@ -0,0 +1,30 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POLICYTICKET "1" "March 2020" "policyticket 1.3" "User Commands"
+.SH NAME
+policyticket \- Runs TPM2 policyticket
+.SH DESCRIPTION
+policyticket
+.PP
+Runs TPM2_PolicyTicket
+.TP
+\fB\-ha\fR
+policy session handle
+.TP
+\fB\-to\fR
+timeout file name
+.TP
+[\-cp
+cpHash file (default none)]
+.TP
+[\-pref
+policyRef file (default none)]
+.TP
+\fB\-na\fR
+authName file (not hierarchy)
+.TP
+\fB\-hi\fR
+hierarchy (e, o, p) (authName is hierarchy)
+e endorsement, o owner, p platform
+.TP
+\fB\-tk\fR
+ticket file name
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspowerup.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspowerup.1
new file mode 100644
index 0000000..439ea15
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspowerup.1
@@ -0,0 +1,8 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH POWERUP "1" "March 2020" "powerup 1.3" "User Commands"
+.SH NAME
+powerup \- Runs TPM2 powerup
+.SH DESCRIPTION
+powerup
+.PP
+Powers the simulator off and on, and powers up NV
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssprintattr.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssprintattr.1
new file mode 100644
index 0000000..2350729
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssprintattr.1
@@ -0,0 +1,16 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH PRINTATTR "1" "March 2020" "printattr 1.3" "User Commands"
+.SH NAME
+printattr \- Runs TPM2 printattr
+.SH DESCRIPTION
+printattr
+.PP
+Prints TPMA attributes as text
+.HP
+\fB\-ob\fR TPMA_OBJECT
+.HP
+\fB\-se\fR TPMA_SESSION
+.HP
+\fB\-st\fR TPMA_STARTUP_CLEAR
+.HP
+\fB\-nv\fR TPMA_NV
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspublicname.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspublicname.1
new file mode 100644
index 0000000..4122ddc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsspublicname.1
@@ -0,0 +1,63 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH PUBLICNAME "1" "March 2020" "publicname 1.3" "User Commands"
+.SH NAME
+publicname \- Runs TPM2 publicname
+.SH DESCRIPTION
+publicname
+.PP
+Calculates the public name of an entity. There are times that a policy creator
+has TPM, PEM, or DER format information, but does not have access to a TPM.
+This utility accepts these inputs and outputs the name in the 'no spaces'
+format suitable for pasting into a policy. The binary format is used in the
+regression test
+.TP
+\fB\-invpu\fR
+TPM2B_NV_PUBLIC public key file name
+.TP
+\fB\-ipu\fR
+TPM2B_PUBLIC public key file name
+.TP
+\fB\-ipem\fR
+PEM format public key file name
+.TP
+\fB\-ider\fR
+DER format plaintext key pair file name]
+.TP
+[\-on
+binary format Name file name]
+.TP
+[\-ns
+print Name in hexacsii]
+.IP
+\fB\-pem\fR and \fB\-ider\fR optional arguments
+.TP
+[\-rsa
+(default)]
+.TP
+[\-ecc
+]
+.TP
+[\-scheme
+for signing key (default RSASSA scheme)]
+.IP
+rsassa
+rsapss
+null
+.TP
+[\-nalg
+name hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-halg
+scheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-uwa
+userWithAuth attribute clear (default set)]
+.TP
+[\-si
+signing (default) RSA]
+.TP
+[\-st
+storage (default NULL scheme)]
+.TP
+[\-den
+decryption, (unrestricted, RSA and EC NULL scheme)
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssquote.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssquote.1
new file mode 100644
index 0000000..859fba5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssquote.1
@@ -0,0 +1,46 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH QUOTE "1" "March 2020" "quote 1.3" "User Commands"
+.SH NAME
+quote \- Runs TPM2 quote
+.SH DESCRIPTION
+quote
+.PP
+Runs TPM2_Quote
+.TP
+\fB\-hp\fR
+pcr handle (may be specified more than once)
+.TP
+\fB\-hk\fR
+quoting key handle
+.TP
+[\-pwdk
+password for quoting key (default empty)]
+.TP
+[\-halg
+for signing (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-palg
+for PCR bank selection (sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-salg
+signature algorithm (rsa, ecc, hmac) (default rsa)]
+.TP
+[\-qd
+qualifying data file name]
+.TP
+[\-os
+quote signature file name (default do not save)]
+.TP
+[\-oa
+attestation output file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssreadclock.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssreadclock.1
new file mode 100644
index 0000000..0117712
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssreadclock.1
@@ -0,0 +1,14 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH READCLOCK "1" "March 2020" "readclock 1.3" "User Commands"
+.SH NAME
+readclock \- Runs TPM2 readclock
+.SH DESCRIPTION
+readclock
+.PP
+Runs TPM2_ReadClock
+.TP
+[\-otime
+time file name (default do not save)]
+.TP
+[\-oclock
+clock file name (default do not save)]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssreadpublic.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssreadpublic.1
new file mode 100644
index 0000000..4daa03c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssreadpublic.1
@@ -0,0 +1,32 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH READPUBLIC "1" "March 2020" "readpublic 1.3" "User Commands"
+.SH NAME
+readpublic \- Runs TPM2 readpublic
+.SH DESCRIPTION
+readpublic
+.PP
+Runs TPM2_ReadPublic
+.TP
+\fB\-ho\fR
+object handle
+.TP
+[\-opu
+public key file name (default do not save)]
+.TP
+[\-opem
+public key PEM format file name (default do not save)]
+.TP
+[\-ns
+additionally print Name in hex ascii on one line]
+Useful to paste into policy
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+40
+response encrypt
+.TP
+80
+audit
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssreturncode.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssreturncode.1
new file mode 100644
index 0000000..596ca09
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssreturncode.1
@@ -0,0 +1,9 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH RETURNCODE "1" "March 2020" "returncode 1.3" "User Commands"
+.SH NAME
+returncode \- Runs TPM2 returncode
+.SH SYNOPSIS
+.B returncode
+\fI\,hex-number\/\fR
+.SH DESCRIPTION
+Returns the TPM_RC name and text for the return code
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssrewrap.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssrewrap.1
new file mode 100644
index 0000000..ea85e78
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssrewrap.1
@@ -0,0 +1,43 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH REWRAP "1" "March 2020" "rewrap 1.3" "User Commands"
+.SH NAME
+rewrap \- Runs TPM2 rewrap
+.SH DESCRIPTION
+rewrap
+.PP
+Runs TPM2_Rewrap
+.TP
+\fB\-ho\fR
+handle of object old parent
+.TP
+[\-pwdo
+password for old parent (default empty)]
+.TP
+\fB\-hn\fR
+handle of object new parent
+.TP
+\fB\-id\fR
+duplicate private area file name
+.TP
+\fB\-in\fR
+object name file name
+.TP
+\fB\-iss\fR
+input symmetric seed file name
+.TP
+[\-od
+rewrap private area file name (default do not save)]
+.TP
+[\-oss
+symmetric seed file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssrsadecrypt.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssrsadecrypt.1
new file mode 100644
index 0000000..90b8176
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssrsadecrypt.1
@@ -0,0 +1,33 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH RSADECRYPT "1" "March 2020" "rsadecrypt 1.3" "User Commands"
+.SH NAME
+rsadecrypt \- Runs TPM2 rsadecrypt
+.SH DESCRIPTION
+rsadecrypt
+.PP
+Runs TPM2_RSA_Decrypt
+.TP
+\fB\-hk\fR
+key handle
+.TP
+[\-pwdk
+password for key (default empty)[
+.IP
+[\-ipwdk password file for key, nul terminated (default empty)]
+\fB\-ie\fR encrypt file name
+\fB\-od\fR decrypt file name (default do not save)
+[\-oid (sha1, sha256, sha384 sha512)]
+.IP
+optionally add OID and PKCS1 padding to the
+encrypt data (demo of signing with arbitrary OID)
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssrsaencrypt.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssrsaencrypt.1
new file mode 100644
index 0000000..507f714
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssrsaencrypt.1
@@ -0,0 +1,17 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH RSAENCRYPT "1" "March 2020" "rsaencrypt 1.3" "User Commands"
+.SH NAME
+rsaencrypt \- Runs TPM2 rsaencrypt
+.SH DESCRIPTION
+rsaencrypt
+.PP
+Runs TPM2_RSA_Encrypt
+.TP
+\fB\-hk\fR
+key handle
+.TP
+\fB\-id\fR
+decrypt file name
+.TP
+[\-oe
+encrypt file name (default do not save)]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssequencecomplete.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssequencecomplete.1
new file mode 100644
index 0000000..fe10495
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssequencecomplete.1
@@ -0,0 +1,34 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH SEQUENCECOMPLETE "1" "March 2020" "sequencecomplete 1.3" "User Commands"
+.SH NAME
+sequencecomplete \- Runs TPM2 sequencecomplete
+.SH DESCRIPTION
+sequencecomplete
+.PP
+Runs TPM2_SequenceComplete
+.TP
+\fB\-hs\fR
+sequence handle
+.TP
+[\-pwds
+password for sequence (default empty)]
+.TP
+[\-if
+input file to be added (default no data)]
+.TP
+[\-of
+result file name]
+.TP
+[\-tk
+ticket file name]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssequenceupdate.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssequenceupdate.1
new file mode 100644
index 0000000..c37376c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssequenceupdate.1
@@ -0,0 +1,22 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH SEQUENCEUPDATE "1" "March 2020" "sequenceupdate 1.3" "User Commands"
+.SH NAME
+sequenceupdate \- Runs TPM2 sequenceupdate
+.SH DESCRIPTION
+sequenceupdate
+.PP
+Runs TPM2_SequenceUpdate
+.TP
+\fB\-hs\fR
+sequence handle
+.TP
+[\-pwds
+password for sequence (default empty)]
+.TP
+\fB\-if\fR
+input file to be HMACed
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.IP
+01 continue
+20 command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssetcommandcodeauditstatus.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssetcommandcodeauditstatus.1
new file mode 100644
index 0000000..a49fe13
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssetcommandcodeauditstatus.1
@@ -0,0 +1,31 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH SETCOMMANDCODEAUDITSTATUS "1" "March 2020" "setcommandcodeauditstatus 1.3" "User Commands"
+.SH NAME
+setcommandcodeauditstatus \- Runs TPM2 setcommandcodeauditstatus
+.SH DESCRIPTION
+setprimarypolicy
+.PP
+Runs TPM2_SetCommandCodeAuditStatus
+.TP
+[\-hi
+authhandle hierarchy (o, p) (default platform)]
+.TP
+[\-pwda
+authorization password (default empty)]
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512, null) (default null)]
+.TP
+[\-set
+command code to set (may be specified more than once (default none)]
+.TP
+[\-clr
+command code to clear (may be specified more than once (default none)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssetprimarypolicy.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssetprimarypolicy.1
new file mode 100644
index 0000000..5c888e2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssetprimarypolicy.1
@@ -0,0 +1,28 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH SETPRIMARYPOLICY "1" "March 2020" "setprimarypolicy 1.3" "User Commands"
+.SH NAME
+setprimarypolicy \- Runs TPM2 setprimarypolicy
+.SH DESCRIPTION
+setprimarypolicy
+.PP
+Runs TPM2_SetPrimaryPolicy
+.TP
+[\-hi
+authhandle hierarchy (l, e, o, p) (default platform)]
+.TP
+[\-pwda
+authorization password (default empty)]
+.TP
+[\-pol
+policy file (default empty policy)]
+.TP
+[\-halg
+(sha1, sha256) (default null)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssshutdown.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssshutdown.1
new file mode 100644
index 0000000..e40e003
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssshutdown.1
@@ -0,0 +1,14 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH SHUTDOWN "1" "March 2020" "shutdown 1.3" "User Commands"
+.SH NAME
+shutdown \- Runs TPM2 shutdown
+.SH DESCRIPTION
+shutdown
+.PP
+Runs TPM2_Shutdown
+.TP
+[\-c
+shutdown clear (default)]
+.TP
+[\-s
+shutdown state]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssign.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssign.1
new file mode 100644
index 0000000..a3974ca
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssign.1
@@ -0,0 +1,48 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH SIGN "1" "March 2020" "sign 1.3" "User Commands"
+.SH NAME
+sign \- Runs TPM2 sign
+.SH DESCRIPTION
+sign
+.PP
+Runs TPM2_Sign
+.TP
+\fB\-hk\fR
+key handle
+.TP
+\fB\-if\fR
+input message to hash and sign
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-salg
+signature algorithm (rsa, ecc, hmac) (default rsa)]
+.IP
+[\-scheme signing scheme (rsassa, rsapss, ecdsa, ecdaa, hmac)]
+.IP
+(default rsassa, ecdsa, hmac)]
+.TP
+[\-cf
+input counter file (commit count required for ECDAA scheme]
+.TP
+[\-ipu
+public key file name to verify signature (default no verify)]
+Verify only supported for RSA now
+.TP
+[\-os
+signature file name (default do not save)]
+.TP
+[\-tk
+ticket file name]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssignapp.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssignapp.1
new file mode 100644
index 0000000..97244dd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsssignapp.1
@@ -0,0 +1,15 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH SIGNAPP "1" "March 2020" "signapp 1.3" "User Commands"
+.SH NAME
+signapp \- Runs TPM2 signapp
+.SH DESCRIPTION
+signapp
+.PP
+Runs a TPM2_Sign application, including creating a primary storage key
+and creating and loading a signing key
+.TP
+\fB\-ic\fR
+input message to hash and sign
+.TP
+[\-pwsess
+Use a password session, no HMAC or parameter encryption]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssstartauthsession.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssstartauthsession.1
new file mode 100644
index 0000000..13ca336
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssstartauthsession.1
@@ -0,0 +1,37 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH STARTAUTHSESSION "1" "March 2020" "startauthsession 1.3" "User Commands"
+.SH NAME
+startauthsession \- Runs TPM2 startauthsession
+.SH DESCRIPTION
+startauthsession
+.PP
+Runs TPM2_StartAuthSession
+.HP
+\fB\-se\fR
+.TP
+h
+HMAC session
+.TP
+p
+Policy session
+.TP
+t
+Trial policy session
+.TP
+[\-halg
+(sha1, sha256, sha384, sha512) (default sha256)]
+.TP
+[\-hs
+salt handle (default TPM_RH_NULL)]
+.TP
+[\-bi
+bind handle (default TPM_RH_NULL)]
+.TP
+[\-pwdb
+bind password for bind handle (default empty)]
+.TP
+[\-sym
+(xor, aes) symmetric parameter encryption algorithm (default xor)]
+.TP
+[\-on
+nonceTPM file for policy session (default do not save)]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssstartup.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssstartup.1
new file mode 100644
index 0000000..dae5c9b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssstartup.1
@@ -0,0 +1,20 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH STARTUP "1" "March 2020" "startup 1.3" "User Commands"
+.SH NAME
+startup \- Runs TPM2 startup
+.SH DESCRIPTION
+startup
+.PP
+Runs TPM2_Startup
+.TP
+[\-c
+startup clear (default)]
+.TP
+[\-s
+startup state]
+.TP
+[\-st
+run TPM2_SelfTest]
+.TP
+[\-sto
+run only TPM2_SelfTest (no startup)]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssstirrandom.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssstirrandom.1
new file mode 100644
index 0000000..53d7474
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssstirrandom.1
@@ -0,0 +1,11 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH STIRRANDOM "1" "March 2020" "stirrandom 1.3" "User Commands"
+.SH NAME
+stirrandom \- Runs TPM2 stirrandom
+.SH DESCRIPTION
+stirrandom
+.PP
+Runs TPM2_StirRandom
+.TP
+\fB\-if\fR
+input file name
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstimepacket.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstimepacket.1
new file mode 100644
index 0000000..d23e3b7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstimepacket.1
@@ -0,0 +1,14 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH TIMEPACKET "1" "March 2020" "timepacket 1.3" "User Commands"
+.SH NAME
+timepacket \- Runs TPM2 timepacket
+.SH DESCRIPTION
+timepacket
+.PP
+Times the supplied packet
+.TP
+\fB\-if\fR
+packet in hexascii (requires one space at end of packet)
+.TP
+[\-l
+number of loops to time (default 1)]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpm2pem.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpm2pem.1
new file mode 100644
index 0000000..1ceb237
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpm2pem.1
@@ -0,0 +1,14 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH TPM2PEM "1" "March 2020" "tpm2pem 1.3" "User Commands"
+.SH NAME
+tpm2pem \- Runs TPM2 tpm2pem
+.SH DESCRIPTION
+tpm2pem
+.PP
+Converts an RSA or EC TPM2B_PUBLIC to PEM
+.TP
+\fB\-ipu\fR
+public key input file in TPM format
+.TP
+\fB\-opem\fR
+public key output file in PEM format
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpmcmd.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpmcmd.1
new file mode 100644
index 0000000..6e000dd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpmcmd.1
@@ -0,0 +1,11 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH TPMCMD "1" "March 2020" "tpmcmd 1.3" "User Commands"
+.SH NAME
+tpmcmd \- Runs TPM2 tpmcmd
+.SH DESCRIPTION
+tpmcmd
+.PP
+Sends an in\-band TPM simulator signal
+.TP
+\fB\-stop\fR
+Stop the TPM simulator
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpmpublic2eccpoint.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpmpublic2eccpoint.1
new file mode 100644
index 0000000..14809e1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsstpmpublic2eccpoint.1
@@ -0,0 +1,17 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH TPMPUBLIC2ECCPOINT "1" "March 2020" "tpmpublic2eccpoint 1.3" "User Commands"
+.SH NAME
+tpmpublic2eccpoint \- Runs TPM2 tpmpublic2eccpoint
+.SH DESCRIPTION
+tpmpublic2eccpoint
+.PP
+Converts an EC TPM2B_PUBLIC to TPM2B_ECC_POINT. The intended use case
+is to convert the public key output of certain commands (TPM2_CreatePrimary,
+TPM2_Create, TPM2_CreateLoaded, TPM2_ReadPublic) to a format useful for
+TPM2_ZGen_2Phase.
+.TP
+\fB\-ipu\fR
+EC public key input file in TPM TPM2B_PUBLIC format
+.TP
+\fB\-pt\fR
+EC public key output file in TPM TPM2B_ECC_POINT format
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssunseal.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssunseal.1
new file mode 100644
index 0000000..05442ef
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssunseal.1
@@ -0,0 +1,25 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH UNSEAL "1" "March 2020" "unseal 1.3" "User Commands"
+.SH NAME
+unseal \- Runs TPM2 unseal
+.SH DESCRIPTION
+unseal
+.PP
+Runs TPM2_Unseal
+.TP
+\fB\-ha\fR
+sealed data item handle
+.TP
+[\-pwd
+password sealed data item (default empty)]
+.TP
+[\-of
+output data (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tssverifysignature.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssverifysignature.1
new file mode 100644
index 0000000..b047325
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tssverifysignature.1
@@ -0,0 +1,59 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH VERIFYSIGNATURE "1" "March 2020" "verifysignature 1.3" "User Commands"
+.SH NAME
+verifysignature \- Runs TPM2 verifysignature
+.SH DESCRIPTION
+verifysignature
+.PP
+Runs TPM2_VerifySignature and/or verifies using the PEM public key
+.TP
+\fB\-if\fR
+input message file name
+.TP
+\fB\-ih\fR
+input hash file name
+.IP
+One of \fB\-if\fR, \fB\-ih\fR must be specified
+.TP
+\fB\-is\fR
+signature file name
+.TP
+[\-raw
+signature specified by \fB\-is\fR is in raw format]
+(default TPMT_SIGNATURE)
+.TP
+\fB\-hk\fR
+key handle
+.TP
+\fB\-ipem\fR
+public key PEM format file name to verify signature
+.TP
+\fB\-ihmac\fR
+HMAC key in raw binary format file name to verify signature
+.IP
+One of \fB\-hk\fR, \fB\-ipem\fR, \fB\-ihmac\fR must be specified
+.TP
+[\-tk
+ticket file name (requires \fB\-hk\fR)]
+.TP
+[\-halg
+(sha1, sha256, sha384 sha512) (default sha256)]
+.IP
+[Asymmetric Key Algorithm]
+.TP
+[\-rsa
+(default)]
+.TP
+[\-ecc
+]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default NULL)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+80
+audit
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsswriteapp.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsswriteapp.1
new file mode 100644
index 0000000..12eb525
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsswriteapp.1
@@ -0,0 +1,15 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH WRITEAPP "1" "March 2020" "writeapp 1.3" "User Commands"
+.SH NAME
+writeapp \- Runs TPM2 writeapp
+.SH DESCRIPTION
+writeapp
+.PP
+writeapp is a sample NV write application. Provisions an NV location,
+then does two writes with password 'pwd' using a bound, salted
+HMAC session using AES CFB parameter encryption.
+.PP
+Used to test minimal TSS build
+.TP
+[\-pwsess
+Use a password session, no HMAC or parameter encryption]
diff --git a/libstb/tss2/ibmtpm20tss/utils/man/man1/tsszgen2phase.1 b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsszgen2phase.1
new file mode 100644
index 0000000..c4eff80
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/man/man1/tsszgen2phase.1
@@ -0,0 +1,47 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.6.
+.TH ZGEN2PHASE "1" "March 2020" "zgen2phase 1.3" "User Commands"
+.SH NAME
+zgen2phase \- Runs TPM2 zgen2phase
+.SH DESCRIPTION
+zgen2phase
+.PP
+Runs TPM2_ZGen_2Phase
+.TP
+\fB\-hk\fR
+unrestricted decryption key handle
+.TP
+[\-pwdk
+password for key (default empty)]
+.TP
+\fB\-qsb\fR
+QsB point input file name
+.TP
+\fB\-qeb\fR
+QeB point input file name
+.TP
+\fB\-cf\fR
+counter file name
+.TP
+[\-scheme
+(default ecdh)]
+.IP
+ecdh
+ecmqv
+sm2
+.TP
+[\-z1
+Z1 output data file name (default do not save)]
+.TP
+[\-z2
+Z2 output data file name (default do not save)]
+.HP
+\fB\-se[0\-2]\fR session handle / attributes (default PWAP)
+.TP
+01
+continue
+.TP
+20
+command decrypt
+.TP
+40
+response encrypt
diff --git a/libstb/tss2/ibmtpm20tss/utils/ntc2getconfig.c b/libstb/tss2/ibmtpm20tss/utils/ntc2getconfig.c
new file mode 100644
index 0000000..7222153
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ntc2getconfig.c
@@ -0,0 +1,199 @@
+/********************************************************************************/
+/* */
+/* Nuvoton GetConfig */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+ Gets the Nuvoton preConfig registers. Optionally checks 'lock' and several
+ hard coded configurations.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+#include "ntc2lib.h"
+
+static void printUsage(void);
+static void printHexResponse(NTC2_CFG_STRUCT *preConfig);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NTC2_GetConfig_Out out;
+ NTC2_CFG_STRUCT preConfig;
+ int verify = FALSE;
+ int verifyLocked = FALSE;
+ int p8 = FALSE;
+ int p9 = FALSE;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-verify") == 0) {
+ verify = TRUE;
+ }
+ else if (strcmp(argv[i],"-verifylocked") == 0) {
+ verify = TRUE;
+ verifyLocked = TRUE;
+ }
+ else if (strcmp(argv[i],"-p8") == 0) {
+ p8 = TRUE;
+ }
+ else if (strcmp(argv[i],"-p9") == 0) {
+ p9 = TRUE;
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (verify) {
+ if (!p8 && !p9) {
+ printf("Either -p8 or -p9 must be specified\n");
+ printUsage();
+ }
+ if (p8 && p9) {
+ printf("-p8 and -p9 cannot both be specified\n");
+ printUsage();
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ NULL,
+ NULL,
+ NTC2_CC_GetConfig,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ printHexResponse(&out.preConfig);
+ }
+ /* required / expected values */
+ if (verify) {
+ if (rc == 0) {
+ requiredConfig(&preConfig, p9);
+ }
+ if (rc == 0) {
+ rc = verifyConfig(&preConfig, /* expected */
+ &out.preConfig, /* actual */
+ verifyLocked); /* expect locked */
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("ntc2getconfig: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("ntc2getconfig: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+/* printHexResponse() prints the read preConfig in a concise hex format */
+
+static void printHexResponse(NTC2_CFG_STRUCT *preConfig)
+{
+ printf("i2cLoc1_2:\t%02x\n", preConfig->i2cLoc1_2);
+ printf("i2cLoc3_4:\t%02x\n", preConfig->i2cLoc3_4);
+ printf("AltCfg:\t\t%02x\n", preConfig->AltCfg);
+ printf("Direction:\t%02x\n", preConfig->Direction);
+ printf("PullUp:\t\t%02x\n", preConfig->PullUp);
+ printf("PushPull:\t%02x\n", preConfig->PushPull);
+ printf("CFG_A:\t\t%02x\n", preConfig->CFG_A);
+ printf("CFG_B:\t\t%02x\n", preConfig->CFG_B);
+ printf("CFG_C:\t\t%02x\n", preConfig->CFG_C);
+ printf("CFG_D:\t\t%02x\n", preConfig->CFG_D);
+ printf("CFG_E:\t\t%02x\n", preConfig->CFG_E);
+ printf("CFG_F:\t\t%02x\n", preConfig->CFG_F);
+ printf("CFG_G:\t\t%02x\n", preConfig->CFG_G);
+ printf("CFG_H:\t\t%02x\n", preConfig->CFG_H);
+ printf("CFG_I:\t\t%02x\n", preConfig->CFG_I);
+ printf("CFG_J:\t\t%02x\n", preConfig->CFG_J);
+ printf("IsValid:\t%02x\n", preConfig->IsValid);
+ printf("IsLocked:\t%02x\n", preConfig->IsLocked);
+ return;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("ntc2getconfig\n");
+ printf("\n");
+ printf("Runs NTC2_GetConfig\n");
+ printf("\n");
+ printf("\t[-verify\tVerify results against System P default (default no verify)]\n");
+ printf("\t[-verifylocked\tAlso verify that the preconfig is locked\n"
+ "\t\t(default verify not locked)]\n");
+ printf("\t[-p8 or -p9\tVerify Nuvoton TPM for P8 or P9]");
+ printf("\n");
+ exit(1);
+}
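Review bot: `-p8` and `-p9` are accepted but silently have no effect when `-verify` is not also given, because the only consistency checks on them sit inside the `if (verify)` block after the option loop and never run otherwise; `ntc2getconfig -p9` then prints a plain dump and exits 0, which reads as a passed verification. A guard after the option loop, `if ((p8 || p9) && !verify) { printf("-p8 or -p9 requires -verify\n"); printUsage(); }`, would make the misuse visible. Separately, the usage text should say that `-verify` alone compares register values and does not confirm immutability, so a matching but unlocked preconfig can still be rewritten later; suggested wording: `[-verifylocked\tAlso verify that the preconfig is locked (default: lock state not checked)]`. Whether verifyConfig() ignores IsLocked when verifyLocked is FALSE is not visible in this file (it lives in ntc2lib.c), so confirm that before changing the text.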
diff --git a/libstb/tss2/ibmtpm20tss/utils/ntc2lib.c b/libstb/tss2/ibmtpm20tss/utils/ntc2lib.c
new file mode 100644
index 0000000..29bd08b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ntc2lib.c
@@ -0,0 +1,210 @@
+/********************************************************************************/
+/* */
+/* TPM2 Nuvoton Proprietary Command Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ntc2lib.c 1290 2018-08-01 14:45:24Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2018 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "ntc2lib.h"
+
+/* verifyConfig() compares the expected and actual values for the entire NTC2_CFG_STRUCT structure.
+
+ If verifyLocked is TRUE, checks that the configuration is locked. If FALSE, checks that the
+ configuration is not locked
+*/
+
+TPM_RC verifyConfig(NTC2_CFG_STRUCT *expected, NTC2_CFG_STRUCT *actual, int verifyLocked)
+{
+ TPM_RC rc = 0;
+ int b0, b1, b2, b3, b4, b5, b6, b7, b8, b9, b10, b11, b12, b13, b14, b15, b16;
+ b0 = (actual->i2cLoc1_2 == expected->i2cLoc1_2);
+ if (!b0) {
+ printf("ERROR: i2cLoc1_2 expect %02x actual %02x\n", expected->i2cLoc1_2, actual->i2cLoc1_2);
+ rc = TPM_RC_VALUE;
+ }
+ b1 = (actual->i2cLoc3_4 == expected->i2cLoc3_4);
+ if (!b1) {
+ printf("ERROR: i2cLoc3_4 expect %02x actual %02x\n", expected->i2cLoc3_4, actual->i2cLoc3_4);
+ rc = TPM_RC_VALUE;
+ }
+ b2 = (actual->AltCfg == expected->AltCfg);
+ if (!b2) {
+ printf("ERROR: AltCfg expect %02x actual %02x\n", expected->AltCfg, actual->AltCfg);
+ rc = TPM_RC_VALUE;
+ }
+ b3 = (actual->Direction == expected->Direction);
+ if (!b3) {
+ printf("ERROR: Direction expect %02x actual %02x\n", expected->Direction, actual->Direction);
+ rc = TPM_RC_VALUE;
+ }
+ b4 = (actual->PullUp == expected->PullUp);
+ if (!b4) {
+ printf("ERROR: PullUp expect %02x actual %02x\n", expected->PullUp, actual->PullUp);
+ rc = TPM_RC_VALUE;
+ }
+ b5 = (actual->PushPull == expected->PushPull);
+ if (!b5) {
+ printf("ERROR: PushPull expect %02x actual %02x\n", expected->PushPull, actual->PushPull);
+ rc = TPM_RC_VALUE;
+ }
+ b6 = (actual->CFG_A == expected->CFG_A);
+ if (!b6) {
+ printf("ERROR: CFG_A expect %02x actual %02x\n", expected->CFG_A, actual->CFG_A);
+ rc = TPM_RC_VALUE;
+ }
+ b7 = (actual->CFG_B == expected->CFG_B);
+ if (!b7) {
+ printf("ERROR: CFG_B expect %02x actual %02x\n", expected->CFG_B, actual->CFG_B);
+ rc = TPM_RC_VALUE;
+ }
+ b8 = (actual->CFG_C == expected->CFG_C);
+ if (!b8) {
+ printf("ERROR: CFG_C expect %02x actual %02x\n", expected->CFG_C, actual->CFG_C);
+ rc = TPM_RC_VALUE;
+ }
+ b9 = (actual->CFG_D == expected->CFG_D);
+ if (!b9) {
+ printf("ERROR: CFG_D expect %02x actual %02x\n", expected->CFG_D, actual->CFG_D);
+ rc = TPM_RC_VALUE;
+ }
+ b10 = (actual->CFG_E == expected->CFG_E);
+ if (!b10) {
+ printf("CFG_E expect %02x actual %02x\n", expected->CFG_E, actual->CFG_E);
+ rc = TPM_RC_VALUE;
+ }
+ b11 = (actual->CFG_F == expected->CFG_F);
+ if (!b11) {
+ printf("CFG_F expect %02x actual %02x\n", expected->CFG_F, actual->CFG_F);
+ rc = TPM_RC_VALUE;
+ }
+ b12 = (actual->CFG_G == expected->CFG_G);
+ if (!b12) {
+ printf("ERROR: CFG_G expect %02x actual %02x\n", expected->CFG_G, actual->CFG_G);
+ rc = TPM_RC_VALUE;
+ }
+ b13 = (actual->CFG_H == expected->CFG_H);
+ if (!b13) {
+ printf("ERROR: CFG_H expect %02x actual %02x\n", expected->CFG_H, actual->CFG_H);
+ rc = TPM_RC_VALUE;
+ }
+ b14 = (actual->CFG_I == expected->CFG_I);
+ if (!b14) {
+ printf("ERROR: CFG_I expect %02x actual %02x\n", expected->CFG_I, actual->CFG_I);
+ rc = TPM_RC_VALUE;
+ }
+ b15 = (actual->CFG_J == expected->CFG_J);
+ if (!b15) {
+ printf("ERROR: CFG_J expect %02x actual %02x\n", expected->CFG_J, actual->CFG_J);
+ rc = TPM_RC_VALUE;
+ }
+ b16 = (actual->IsValid == expected->IsValid);
+ if (!b16) {
+ printf("ERROR: IsValid expect %02x actual %02x\n", expected->IsValid, actual->IsValid);
+ rc = TPM_RC_VALUE;
+ }
+ if (verifyLocked) {
+ if (actual->IsLocked != 0xaa) {
+ printf("ERROR: IsLocked is %02x not %02x\n",
+ actual->IsLocked, 0xaa);
+ rc = TPM_RC_VALUE;
+ }
+ }
+ else {
+ if (actual->IsLocked != 0xff) {
+ printf("ERROR: IsLocked %02x not %02x\n",
+ actual->IsLocked, 0xff);
+ rc = TPM_RC_VALUE;
+ }
+ }
+ return rc;
+}
+
+/* requiredConfig() fills in the structure with the required values
+
+ p9 FALSE uses P8 values. p9 TRUE uses P9 values
+*/
+
+void requiredConfig(NTC2_CFG_STRUCT *preConfig, int p9)
+{
+ /* p8 preConfig */
+ if (!p9) {
+ preConfig->i2cLoc1_2 = P8_REQUIRED_i2cLoc1_2;
+ preConfig->i2cLoc3_4 = P8_REQUIRED_i2cLoc3_4;
+ preConfig->AltCfg = P8_REQUIRED_AltCfg;
+ preConfig->Direction = P8_REQUIRED_Direction;
+ preConfig->PullUp = P8_REQUIRED_PullUp;
+ preConfig->PushPull = P8_REQUIRED_PushPull;
+ preConfig->CFG_A = P8_REQUIRED_CFG_A;
+ preConfig->CFG_B = P8_REQUIRED_CFG_B;
+ preConfig->CFG_C = P8_REQUIRED_CFG_C;
+ preConfig->CFG_D = P8_REQUIRED_CFG_D;
+ preConfig->CFG_E = P8_REQUIRED_CFG_E;
+ preConfig->CFG_F = P8_REQUIRED_CFG_F;
+ preConfig->CFG_G = P8_REQUIRED_CFG_G;
+ preConfig->CFG_H = P8_REQUIRED_CFG_H;
+ preConfig->CFG_I = P8_REQUIRED_CFG_I;
+ preConfig->CFG_J = P8_REQUIRED_CFG_J;
+ preConfig->IsValid = P8_REQUIRED_IsValid;
+ preConfig->IsLocked = P8_REQUIRED_IsLocked;
+ }
+ /* p9 preConfig */
+ else {
+ preConfig->i2cLoc1_2 = P9_REQUIRED_i2cLoc1_2;
+ preConfig->i2cLoc3_4 = P9_REQUIRED_i2cLoc3_4;
+ preConfig->AltCfg = P9_REQUIRED_AltCfg;
+ preConfig->Direction = P9_REQUIRED_Direction;
+ preConfig->PullUp = P9_REQUIRED_PullUp;
+ preConfig->PushPull = P9_REQUIRED_PushPull;
+ preConfig->CFG_A = P9_REQUIRED_CFG_A;
+ preConfig->CFG_B = P9_REQUIRED_CFG_B;
+ preConfig->CFG_C = P9_REQUIRED_CFG_C;
+ preConfig->CFG_D = P9_REQUIRED_CFG_D;
+ preConfig->CFG_E = P9_REQUIRED_CFG_E;
+ preConfig->CFG_F = P9_REQUIRED_CFG_F;
+ preConfig->CFG_G = P9_REQUIRED_CFG_G;
+ preConfig->CFG_H = P9_REQUIRED_CFG_H;
+ preConfig->CFG_I = P9_REQUIRED_CFG_I;
+ preConfig->CFG_J = P9_REQUIRED_CFG_J;
+ preConfig->IsValid = P9_REQUIRED_IsValid;
+ preConfig->IsLocked = P9_REQUIRED_IsLocked;
+ }
+ return;
+}
+
+
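Review bot: In verifyConfig the CFG_E and CFG_F mismatch messages lack the `ERROR: ` prefix that the other fifteen comparisons carry, which breaks prefix-based triage of the log; make them `printf("ERROR: CFG_E expect %02x actual %02x\n", expected->CFG_E, actual->CFG_E);` and the same for CFG_F. The IsLocked check compares against bare 0xaa and 0xff, which are neither named in ntc2lib.h nor equal to the P8_REQUIRED_IsLocked/P9_REQUIRED_IsLocked value (0x00) that requiredConfig writes, so a reader cannot tell whether the written value is expected to read back differently; a comment above the check, along the lines of `/* IsLocked reads back as 0xaa when locked and 0xff when unlocked; it is not compared with expected->IsLocked */` (confirm against the Nuvoton documentation), would settle that, and naming the two values in the header would stop them drifting. The b0..b16 temporaries are each used once and can be folded into their if conditions, and expected/actual are never written through, so both parameters can be `const NTC2_CFG_STRUCT *`.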
diff --git a/libstb/tss2/ibmtpm20tss/utils/ntc2lib.h b/libstb/tss2/ibmtpm20tss/utils/ntc2lib.h
new file mode 100644
index 0000000..4d37959
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ntc2lib.h
@@ -0,0 +1,116 @@
+/********************************************************************************/
+/* */
+/* TPM2 Novoton Proprietary Command Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: ntc2lib.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015, 2017 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef NTC2LIB_H
+#define NTC2LIB_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/TPM_Types.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+/* default values for System P8 I2C */
+
+#define P8_REQUIRED_i2cLoc1_2 0xff
+#define P8_REQUIRED_i2cLoc3_4 0xff
+#define P8_REQUIRED_AltCfg 0x03
+#define P8_REQUIRED_Direction 0x00
+#define P8_REQUIRED_PullUp 0xff
+#define P8_REQUIRED_PushPull 0xff
+#define P8_REQUIRED_CFG_A 0xfe
+#define P8_REQUIRED_CFG_B 0xff
+#define P8_REQUIRED_CFG_C 0xff
+#define P8_REQUIRED_CFG_D 0xff
+#define P8_REQUIRED_CFG_E 0xff
+#define P8_REQUIRED_CFG_F 0xff
+#define P8_REQUIRED_CFG_G 0xff
+#define P8_REQUIRED_CFG_H 0xff
+#define P8_REQUIRED_CFG_I 0xff
+#define P8_REQUIRED_CFG_J 0xff
+#define P8_REQUIRED_IsValid 0xaa
+#define P8_REQUIRED_IsLocked 0x00;
+
+/* default values for System P8 I2C */
+
+#define P9_REQUIRED_i2cLoc1_2 0xa9 /* changed */
+#define P9_REQUIRED_i2cLoc3_4 0xa5 /* changed */
+#define P9_REQUIRED_AltCfg 0x03
+#define P9_REQUIRED_Direction 0x00
+#define P9_REQUIRED_PullUp 0xff
+#define P9_REQUIRED_PushPull 0xff
+#define P9_REQUIRED_CFG_A 0xfe
+#define P9_REQUIRED_CFG_B 0xff
+#define P9_REQUIRED_CFG_C 0xff
+#define P9_REQUIRED_CFG_D 0xff
+#define P9_REQUIRED_CFG_E 0xff
+#define P9_REQUIRED_CFG_F 0xff
+#define P9_REQUIRED_CFG_G 0xff
+#define P9_REQUIRED_CFG_H 0xf0 /* changed */
+#define P9_REQUIRED_CFG_I 0xff
+#define P9_REQUIRED_CFG_J 0xff
+#define P9_REQUIRED_IsValid 0xaa
+#define P9_REQUIRED_IsLocked 0x00;
+
+/* required values, others not supported */
+
+#define FIXED_Direction 0x00
+#define FIXED_PullUp 0xff
+#define FIXED_PushPull 0xff
+#define FIXED_CFG_F 0xff
+#define FIXED_CFG_I 0xff
+#define FIXED_CFG_J 0xff
+#define FIXED_IsValid 0xaa
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ TPM_RC
+ verifyConfig(NTC2_CFG_STRUCT *expected, NTC2_CFG_STRUCT *actual, int verifyLocked);
+ void
+ requiredConfig(NTC2_CFG_STRUCT *preConfig, int p9);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
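Review bot: Both `P8_REQUIRED_IsLocked` and `P9_REQUIRED_IsLocked` are defined with a trailing semicolon, so every use expands to an extra empty statement; it happens to compile in requiredConfig's assignments but would break the first use inside an expression or an `if` without braces. Drop it: `#define P8_REQUIRED_IsLocked 0x00` and `#define P9_REQUIRED_IsLocked 0x00`. The comment introducing the P9 block is a copy of the P8 one and should read `/* default values for System P9 I2C */`, and the banner's "Novoton" should be "Nuvoton" to match the other files. The `/* changed */` markers on the P9 values are useful; a one-line note saying "changed relative to the P8 defaults" would make their meaning explicit.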
diff --git a/libstb/tss2/ibmtpm20tss/utils/ntc2lockconfig.c b/libstb/tss2/ibmtpm20tss/utils/ntc2lockconfig.c
new file mode 100644
index 0000000..983379c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ntc2lockconfig.c
@@ -0,0 +1,135 @@
+/********************************************************************************/
+/* */
+/* Nuvoton Lock Preconfig */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+ Locks the Nuvoton preConfig registers
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+#include "ntc2lib.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ int lock = FALSE;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-lock") == 0) {
+ lock = TRUE;
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (!lock) {
+ printf("\nntc2lockpreconfig requires -lock\n");
+ printUsage();
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ NULL,
+ NULL,
+ NTC2_CC_LockPreConfig,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("ntc2lockpreconfig: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("ntc2lockpreconfig: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("ntc2lockpreconfig\n");
+ printf("\n");
+ printf("Runs NTC2_LockPreConfig\n");
+ printf("\n");
+ printf("-lock\t(required)\n");
+ printf("\n");
+ exit(1);
+}
+
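Review bot: The `(rc == 0)` term in main's argument loop is dead, since nothing in the loop body assigns rc, and `setvbuf(stdout, 0, _IONBF, 0)` passes an integer 0 where a pointer is expected; `for (i=1 ; i<argc ; i++)` and `setvbuf(stdout, NULL, _IONBF, 0)` read as intended. The same two patterns appear in main of ntc2preconfig.c in the next file. `-h` also exits with status 1 through printUsage, so a caller cannot distinguish a help request from an option error; if that is intentional it deserves a comment on printUsage.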
diff --git a/libstb/tss2/ibmtpm20tss/utils/ntc2preconfig.c b/libstb/tss2/ibmtpm20tss/utils/ntc2preconfig.c
new file mode 100644
index 0000000..3d8c35b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/ntc2preconfig.c
@@ -0,0 +1,579 @@
+/********************************************************************************/
+/* */
+/* Nuvoton Preconfig */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* The function permits configuring either standard manufacturing values or individual registers.
+
+ The hard coded values are in ../src/ntc2lib.h. They are configured as a set.
+
+ That file also has certain required values that cannot be changed.
+
+ To override the standard manufacturing values, cautiously use -override. This can brick the TPM,
+ since it's setting up the bus interface. Override does a red-modify-write, reading the registers
+ and substiuting the new values.
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+#include "ntc2lib.h"
+
+static void printUsage(void);
+static TPM_RC fixedConfig(NTC2_CFG_STRUCT *preConfig);
+static void mergeConfig(NTC2_CFG_STRUCT *preConfigOut,
+ const NTC2_CFG_STRUCT *preConfigIn,
+ const NTC2_CFG_STRUCT *preConfigSet);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NTC2_GetConfig_Out out;
+ NTC2_PreConfig_In in;
+ NTC2_CFG_STRUCT preConfigSet; /* flags mark values to change */
+ NTC2_CFG_STRUCT preConfigIn; /* values to change */
+ int p8 = FALSE;
+ int p9 = FALSE;
+ int override = FALSE; /* TRUE to override P required values */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ memset(&preConfigSet, 0, sizeof(NTC2_CFG_STRUCT)); /* default nothing to change */
+ memset(&preConfigIn, 0, sizeof(NTC2_CFG_STRUCT)); /* initialized to suppress false gcc -O3
+ warning */
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ int inttmp; /* for sccanf */
+ if (strcmp(argv[i],"-p8") == 0) {
+ p8 = TRUE;
+ }
+ else if (strcmp(argv[i],"-p9") == 0) {
+ p9 = TRUE;
+ }
+ else if (strcmp(argv[i],"-override") == 0) {
+ override = TRUE;
+ }
+ else if (strcmp(argv[i],"-i2cLoc1_2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.i2cLoc1_2 = inttmp;
+ preConfigSet.i2cLoc1_2 = 1;
+ }
+ else {
+ printf("Missing parameter for -i2cLoc1_2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-i2cLoc3_4") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.i2cLoc3_4 = inttmp;
+ preConfigSet.i2cLoc3_4 = 1;
+ }
+ else {
+ printf("Missing parameter for -i2cLoc3_4\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-AltCfg") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.AltCfg = inttmp;
+ preConfigSet.AltCfg = 1;
+ }
+ else {
+ printf("Missing parameter for -AltCfg\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-Direction") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.Direction = inttmp;
+ preConfigSet.Direction = 1;
+ }
+ else {
+ printf("Missing parameter for -Direction\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-PullUp") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.PullUp = inttmp;
+ preConfigSet.PullUp = 1;
+ }
+ else {
+ printf("Missing parameter for -PullUp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-PushPull") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.PushPull = inttmp;
+ preConfigSet.PushPull = 1;
+ }
+ else {
+ printf("Missing parameter for -PushPull\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-CFG_A") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.CFG_A = inttmp;
+ preConfigSet.CFG_A = 1;
+ }
+ else {
+ printf("Missing parameter for -CFG_A\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-CFG_B") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.CFG_B = inttmp;
+ preConfigSet.CFG_B = 1;
+ }
+ else {
+ printf("Missing parameter for -CFG_B\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-CFG_C") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.CFG_C = inttmp;
+ preConfigSet.CFG_C = 1;
+ }
+ else {
+ printf("Missing parameter for -CFG_C\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-CFG_D") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.CFG_D = inttmp;
+ preConfigSet.CFG_D = 1;
+ }
+ else {
+ printf("Missing parameter for -CFG_D\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-CFG_E") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.CFG_E = inttmp;
+ preConfigSet.CFG_E = 1;
+ }
+ else {
+ printf("Missing parameter for -CFG_E\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-CFG_F") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.CFG_F = inttmp;
+ preConfigSet.CFG_F = 1;
+ }
+ else {
+ printf("Missing parameter for -CFG_F\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-CFG_G") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.CFG_G = inttmp;
+ preConfigSet.CFG_G = 1;
+ }
+ else {
+ printf("Missing parameter for -CFG_G\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-CFG_H") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.CFG_H = inttmp;
+ preConfigSet.CFG_H = 1;
+ }
+ else {
+ printf("Missing parameter for -CFG_H\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-CFG_I") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.CFG_I = inttmp;
+ preConfigSet.CFG_I = 1;
+ }
+ else {
+ printf("Missing parameter for -CFG_I\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-CFG_J") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.CFG_J = inttmp;
+ preConfigSet.CFG_J = 1;
+ }
+ else {
+ printf("Missing parameter for -CFG_J\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-IsValid") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &inttmp);
+ preConfigIn.IsValid = inttmp;
+ preConfigSet.IsValid = 1;
+ }
+ else {
+ printf("Missing parameter for -IsValid\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (p8 && p9) {
+ printf("-p8 and -p9 cannot both be specified\n");
+ printUsage();
+ }
+ /* can't specify both hard coded and override */
+ if ((p8 || p9) && override) {
+ printf("\nCannot have both -override and -p8 or -p9\n");
+ printUsage();
+ }
+ /* must specify one of these options */
+ if (!(p8 || p9) && !override) {
+ printf("\nNeed either -p8, -p9, or -override\n");
+ printUsage();
+ }
+ /* if override, at least one of the registers must be specified */
+ if (override &&
+ !(preConfigSet.i2cLoc1_2 ||
+ preConfigSet.i2cLoc3_4 ||
+ preConfigSet.AltCfg ||
+ preConfigSet.Direction ||
+ preConfigSet.PullUp ||
+ preConfigSet.PushPull ||
+ preConfigSet.CFG_A ||
+ preConfigSet.CFG_B ||
+ preConfigSet.CFG_C ||
+ preConfigSet.CFG_D ||
+ preConfigSet.CFG_E ||
+ preConfigSet.CFG_F ||
+ preConfigSet.CFG_G ||
+ preConfigSet.CFG_H ||
+ preConfigSet.CFG_I ||
+ preConfigSet.CFG_J ||
+ preConfigSet.IsValid)) {
+ printf("\n-override requires at least one value to set\n");
+ printUsage();
+ }
+ /* if hard coded values, none of the registers can be specified */
+ if ((p8 || p9) &&
+ (preConfigSet.i2cLoc1_2 ||
+ preConfigSet.i2cLoc3_4 ||
+ preConfigSet.AltCfg ||
+ preConfigSet.Direction ||
+ preConfigSet.PullUp ||
+ preConfigSet.PushPull ||
+ preConfigSet.CFG_A ||
+ preConfigSet.CFG_B ||
+ preConfigSet.CFG_C ||
+ preConfigSet.CFG_D ||
+ preConfigSet.CFG_E ||
+ preConfigSet.CFG_F ||
+ preConfigSet.CFG_G ||
+ preConfigSet.CFG_H ||
+ preConfigSet.CFG_I ||
+ preConfigSet.CFG_J ||
+ preConfigSet.IsValid )) {
+ printf("\n-p8 and -p9 cannot specify a value to set\n");
+ printUsage();
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* if overriding hard coded values, do read-modify-write */
+ if (override) {
+ /* call TSS NTC2_CC_GetConfig to read the current configuration parameters */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ NULL,
+ NULL,
+ NTC2_CC_GetConfig,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (rc == 0) {
+ /* copy the existing read config to the new write config as the baseline values */
+ in.preConfig = out.preConfig;
+ /* merge values to change, from command line parameters */
+ mergeConfig(&in.preConfig, /* baseline on input, merged on output */
+ &preConfigIn, /* values to merge */
+ &preConfigSet); /* boolean, true to merge the value */
+ }
+ }
+ /* if setting System P required values */
+ if (p8 || p9) {
+ if (rc == 0) {
+ requiredConfig(&in.preConfig, p9);
+ }
+ }
+ /* check that Nuvoton fixed values are in the correct state. This is a sanity check for
+ -p8 or -p9, but a required test for override */
+ if (rc == 0) {
+ rc = fixedConfig(&in.preConfig);
+ }
+ /* call TSS to execute the NTC2_CC_PreConfig command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ NTC2_CC_PreConfig,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("ntc2preconfig: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("ntc2preconfig: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+/* fixedConfig() is a sanity check that the TPM is not being configured incorrectly. Certain values
+ are fixed.
+
+ For -prequired, this is a simple consistency check on the required and fixed #define values
+ For -override, this is a validation of the user input
+*/
+
+static TPM_RC fixedConfig(NTC2_CFG_STRUCT *preConfig)
+{
+ if (preConfig->Direction != FIXED_Direction) {
+ printf("Direction is not the required value %02x\n", FIXED_Direction);
+ return TPM_RC_RANGE;
+ }
+ if (preConfig->PullUp != FIXED_PullUp) {
+ printf("PullUp is not the required value %02x\n", FIXED_PullUp);
+ return TPM_RC_RANGE;
+ }
+ if (preConfig->PushPull != FIXED_PushPull) {
+ printf("PushPull is not the required value %02x\n", FIXED_PushPull);
+ return TPM_RC_RANGE;
+ }
+ if (preConfig->CFG_F != FIXED_CFG_F) {
+ printf("CFG_F is not the required value %02x\n", FIXED_CFG_F);
+ return TPM_RC_RANGE;
+ }
+ if (preConfig->CFG_I != FIXED_CFG_I) {
+ printf("CFG_I is not the required value %02x\n", FIXED_CFG_I);
+ return TPM_RC_RANGE;
+ }
+ if (preConfig->CFG_J != FIXED_CFG_J) {
+ printf("CFG_J is not the required value %02x\n", FIXED_CFG_J);
+ return TPM_RC_RANGE;
+ }
+ if (preConfig->IsValid != FIXED_IsValid) {
+ printf("IsValid is not the required value %02x\n", FIXED_IsValid);
+ return TPM_RC_RANGE;
+ }
+ return 0;
+}
+
+/* mergeConfig() handles the read modify write setup.
+
+ preConfigIn are the new values
+ preConfigSet are booleans, true for the new values
+ preConfigOut at input are the current values, at output are the merged values
+*/
+
+static void mergeConfig(NTC2_CFG_STRUCT *preConfigOut,
+ const NTC2_CFG_STRUCT *preConfigIn,
+ const NTC2_CFG_STRUCT *preConfigSet)
+{
+ if (preConfigSet->i2cLoc1_2) {
+ preConfigOut->i2cLoc1_2 = preConfigIn->i2cLoc1_2;
+ }
+ if (preConfigSet->i2cLoc3_4) {
+ preConfigOut->i2cLoc3_4 = preConfigIn->i2cLoc3_4;
+ }
+ if (preConfigSet->AltCfg) {
+ preConfigOut->AltCfg = preConfigIn->AltCfg;
+ }
+ if (preConfigSet->Direction) {
+ preConfigOut->Direction = preConfigIn->Direction;
+ }
+ if (preConfigSet->PullUp) {
+ preConfigOut->PullUp = preConfigIn->PullUp;
+ }
+ if (preConfigSet->PushPull) {
+ preConfigOut->PushPull = preConfigIn->PushPull;
+ }
+ if (preConfigSet->CFG_A) {
+ preConfigOut->CFG_A = preConfigIn->CFG_A;
+ }
+ if (preConfigSet->CFG_B) {
+ preConfigOut->CFG_B = preConfigIn->CFG_B;
+ }
+ if (preConfigSet->CFG_C) {
+ preConfigOut->CFG_C = preConfigIn->CFG_C;
+ }
+ if (preConfigSet->CFG_D) {
+ preConfigOut->CFG_D = preConfigIn->CFG_D;
+ }
+ if (preConfigSet->CFG_E) {
+ preConfigOut->CFG_E = preConfigIn->CFG_E;
+ }
+ if (preConfigSet->CFG_F) {
+ preConfigOut->CFG_F = preConfigIn->CFG_F;
+ }
+ if (preConfigSet->CFG_G) {
+ preConfigOut->CFG_G = preConfigIn->CFG_G;
+ }
+ if (preConfigSet->CFG_H) {
+ preConfigOut->CFG_H = preConfigIn->CFG_H;
+ }
+ if (preConfigSet->CFG_I) {
+ preConfigOut->CFG_I = preConfigIn->CFG_I;
+ }
+ if (preConfigSet->CFG_J) {
+ preConfigOut->CFG_J = preConfigIn->CFG_J;
+ }
+ if (preConfigSet->IsValid) {
+ preConfigOut->IsValid = preConfigIn->IsValid;
+ }
+ return;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("ntc2preconfig\n");
+ printf("\n");
+ printf("Runs NTC2_PreConfig\n");
+ printf("\n");
+ printf("\t-p8 or -p9\tConfigure Nuvoton TPM for P8 or P9\n");
+ printf("\t-override\tpermits individual register values, read-modify-write\n");
+ printf("\n");
+ printf("Values to set, each is a hex byte, (default do not change)\n");
+ printf("\n");
+ printf("\t[-i2cLoc1_2\tbyte]\n");
+ printf("\t[-i2cLoc3_4\tbyte]\n");
+ printf("\t[-AltCfg\tbyte]\n");
+ printf("\t[-Direction\tbyte]\n");
+ printf("\t[-PullUp\tbyte]\n");
+ printf("\t[-PushPull\tbyte]\n");
+ printf("\t[-CFG_A\t\tbyte]\n");
+ printf("\t[-CFG_B\t\tbyte]\n");
+ printf("\t[-CFG_C\t\tbyte]\n");
+ printf("\t[-CFG_D\t\tbyte]\n");
+ printf("\t[-CFG_E\t\tbyte]\n");
+ printf("\t[-CFG_F\t\tbyte]\n");
+ printf("\t[-CFG_G\t\tbyte]\n");
+ printf("\t[-CFG_H\t\tbyte]\n");
+ printf("\t[-CFG_I\t\tbyte]\n");
+ printf("\t[-CFG_J\t\tbyte]\n");
+ printf("\t[-IsValid\tbyte]\n");
+ exit(1);
+}
+
+
+
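Review bot: The return value of `sscanf(argv[i],"%x", &inttmp)` is never checked in any of the seventeen register options (-i2cLoc1_2 through -IsValid) in main, and `inttmp` is declared without an initializer, so a non-hex argument leaves it indeterminate and that indeterminate value is copied into preConfigIn and, in -override mode, sent to the TPM by NTC2_CC_PreConfig; nothing checks that the value fits the byte the usage text promises either, so an argument such as 1ff is silently truncated on assignment. Given the file's own warning that a wrong bus configuration can brick the TPM, parse with strtoul, require the whole argument to be consumed and the value to be at most 0xff, and route any failure to printUsage(). A small static helper removes the duplication; its prototype goes next to the existing static declarations above main, and each option branch then calls it as shown for -i2cLoc1_2. The field types of NTC2_CFG_STRUCT are not visible here; the byte range is taken from the `%02x` formats and the usage text, so confirm it against the struct definition.
```c
/* parseByte() parses a command line hex byte for option opt into *value.
   Rejects unparsable input and values outside 0..0xff, which would otherwise
   be written to the TPM bus configuration unchecked. */
static int parseByte(const char *opt, const char *arg, int *value)
{
    char *end = NULL;
    unsigned long v = strtoul(arg, &end, 16);
    if (end == arg || *end != '\0' || v > 0xff) {
        printf("Invalid hex byte %s for %s\n", arg, opt);
        return 1;
    }
    *value = (int)v;
    return 0;
}

/* … unchanged: main() up to the register options … */
else if (strcmp(argv[i],"-i2cLoc1_2") == 0) {
    i++;
    if (i < argc) {
        if (parseByte("-i2cLoc1_2", argv[i], &inttmp) != 0) {
            printUsage();
        }
        preConfigIn.i2cLoc1_2 = inttmp;
        preConfigSet.i2cLoc1_2 = 1;
    }
    /* … unchanged: missing-parameter branch … */
}
/* … unchanged: remaining options follow the same pattern … */
```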
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvcertify.c b/libstb/tss2/ibmtpm20tss/utils/nvcertify.c
new file mode 100644
index 0000000..81bde69
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvcertify.c
@@ -0,0 +1,449 @@
+/********************************************************************************/
+/* */
+/* NV_Certify */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_Certify_In in;
+ NV_Certify_Out out;
+ TPMI_DH_OBJECT signHandle = 0;
+ const char *keyPassword = NULL;
+ char hierarchyAuthChar = 0;
+ const char *nvPassword = NULL; /* default no password */
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ uint16_t size = 0;
+ uint16_t offset = 0; /* default 0 */
+ TPMS_ATTEST tpmsAttest;
+ const char *signatureFilename = NULL;
+ const char *attestInfoFilename = NULL;
+ const char *certifyDataFilename = NULL;
+ TPM_ALG_ID sigAlg = TPM_ALG_RSA;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RS_PW;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ nvPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &signHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-salg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsa") == 0) {
+ sigAlg = TPM_ALG_RSA;
+ }
+ else if (strcmp(argv[i],"ecc") == 0) {
+ sigAlg = TPM_ALG_ECDSA;
+ }
+ else if (strcmp(argv[i],"hmac") == 0) {
+ sigAlg = TPM_ALG_HMAC;
+ }
+ else {
+ printf("Bad parameter %s for -salg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-salg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-sz") == 0) {
+ i++;
+ if (i < argc) {
+ size = atoi(argv[i]);
+ }
+ else {
+ printf("-sz option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-off") == 0) {
+ i++;
+ if (i < argc) {
+ offset = atoi(argv[i]);
+ }
+ else {
+ printf("-off option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-os") == 0) {
+ i++;
+ if (i < argc) {
+ signatureFilename = argv[i];
+ }
+ else {
+ printf("-os option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oa") == 0) {
+ i++;
+ if (i < argc) {
+ attestInfoFilename = argv[i];
+ }
+ else {
+ printf("-oa option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-od") == 0) {
+ i++;
+ if (i < argc) {
+ certifyDataFilename = argv[i];
+ }
+ else {
+ printf("-od option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* certifying key */
+ if (signHandle == 0) {
+ printf("Missing sign handle parameter -hk\n");
+ printUsage();
+ }
+ /* Authorization handle */
+ if (rc == 0) {
+ if (hierarchyAuthChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyAuthChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else if (hierarchyAuthChar == 0) {
+ in.authHandle = nvIndex;
+ }
+ else {
+ printf("\n");
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.signHandle = signHandle;
+ in.nvIndex = nvIndex;
+ in.qualifyingData.t.size = 0;
+ if (sigAlg == TPM_ALG_RSA) {
+ /* Table 145 - Definition of TPMT_SIG_SCHEME Structure */
+ in.inScheme.scheme = TPM_ALG_RSASSA;
+ /* Table 144 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+ in.inScheme.details.rsassa.hashAlg = halg;
+ }
+ else if (sigAlg == TPM_ALG_ECDSA) {
+ in.inScheme.scheme = TPM_ALG_ECDSA;
+ in.inScheme.details.ecdsa.hashAlg = halg;
+ }
+ else { /* HMAC */
+ in.inScheme.scheme = TPM_ALG_HMAC;
+ in.inScheme.details.hmac.hashAlg = halg;
+ }
+ in.size = size;
+ in.offset = offset;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_Certify,
+ sessionHandle0, keyPassword, sessionAttributes0,
+ sessionHandle1, nvPassword, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (signatureFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.signature,
+ (MarshalFunction_t)TSS_TPMT_SIGNATURE_Marshalu,
+ signatureFilename);
+ }
+ if ((rc == 0) && (attestInfoFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.certifyInfo.t.attestationData,
+ out.certifyInfo.t.size,
+ attestInfoFilename);
+ }
+ /* unmarshal the TPM2B_ATTEST output to a TPMS_ATTEST structure */
+ if (rc == 0) {
+ uint8_t *tmpBuffer = out.certifyInfo.t.attestationData;
+ uint32_t tmpSize = out.certifyInfo.t.size;
+ rc = TSS_TPMS_ATTEST_Unmarshalu(&tpmsAttest, &tmpBuffer, &tmpSize);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMS_ATTEST_Print(&tpmsAttest, 0);
+ }
+ if ((rc == 0) && (certifyDataFilename != NULL)) {
+ /* TPMS_NV_DIGEST_CERTIFY_INFO */
+ if ((offset == 0) && (size == 0)) {
+ rc = TSS_File_WriteBinaryFile(tpmsAttest.attested.nvDigest.nvDigest.t.buffer,
+ tpmsAttest.attested.nvDigest.nvDigest.t.size,
+ certifyDataFilename);
+ }
+ /* TPMS_NV_CERTIFY_INFO */
+ else {
+ rc = TSS_File_WriteBinaryFile(tpmsAttest.attested.nv.nvContents.t.buffer,
+ tpmsAttest.attested.nv.nvContents.t.size,
+ certifyDataFilename);
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMT_SIGNATURE_Print(&out.signature, 0);
+ if (tssUtilsVerbose) printf("nvcertify: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvcertify: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvcertify\n");
+ printf("\n");
+ printf("Runs TPM2_NV_Certify\n");
+ printf("\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t[-pwdn\tpassword for NV index (default empty)]\n");
+ printf("\t-hk\tcertifying key handle\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
+ printf("\t-sz\tdata size\n");
+ printf("\t[-off\toffset (default 0)]\n");
+ printf("\t[-os\tsignature file name (default do not save)]\n");
+ printf("\t[-oa\tattestation output file name (default do not save)]\n");
+ printf("\t[-od\tcertified data file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
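Review bot: `-sz` and `-off` are parsed with `atoi` straight into `uint16_t` (`size = atoi(argv[i]);`, `offset = atoi(argv[i]);`), so a negative or over-65535 value is silently truncated and a non-numeric one becomes 0, which later in main also changes which attestation form is written (`(offset == 0) && (size == 0)` selects the NV-digest path); the `-sz` parse in nvdefinespace.c has the same weakness. Parsing with `strtoul` and rejecting anything outside 0..UINT16_MAX, as below, keeps the truncation out (`<stdint.h>` and `<stdlib.h>` are already included). Separately, `hierarchyAuthChar` is initialised to 0 and no option ever assigns it, so the `TPM_RH_OWNER`/`TPM_RH_PLATFORM` branches that choose `in.authHandle` are unreachable; either add a `-hia` option like nvdefinespace.c's and list it in printUsage, or collapse that block to `in.authHandle = nvIndex;`. Finally, `in.qualifyingData.t.size = 0;` is hard-coded, so a relying party cannot bind the returned signature to a fresh nonce; an option to supply qualifying data, or at least a comment stating that the attestation carries no caller-supplied nonce, would help whoever consumes the `-oa`/`-os` output.
```c
else if (strcmp(argv[i],"-sz") == 0) {
    i++;
    if (i < argc) {
        char *end = NULL;
        unsigned long v = strtoul(argv[i], &end, 10);
        /* reject empty, trailing garbage, or anything that would not fit uint16_t */
        if ((end == argv[i]) || (*end != '\0') || (v > UINT16_MAX)) {
            printf("Bad parameter %s for -sz\n", argv[i]);
            printUsage();
        }
        size = (uint16_t)v;
    }
    /* … unchanged: "-sz option needs a value" branch … */
}
/* … same pattern for -off … */
```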
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvchangeauth.c b/libstb/tss2/ibmtpm20tss/utils/nvchangeauth.c
new file mode 100644
index 0000000..e2244ac
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvchangeauth.c
@@ -0,0 +1,255 @@
+/********************************************************************************/
+/* */
+/* NV_ChangeAuth */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_ChangeAuth_In in;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ const char *password = NULL;
+ const char *newPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdo") == 0) {
+ i++;
+ if (i < argc) {
+ password = argv[i];
+ }
+ else {
+ printf("-pwdo option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ newPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.nvIndex = nvIndex;
+ }
+ /* convert password string to TPM2B */
+ if (rc == 0) {
+ if (newPassword == NULL) {
+ in.newAuth.t.size = 0;
+ }
+ else {
+ rc = TSS_TPM2B_StringCopy(&in.newAuth.b,
+ newPassword, sizeof(in.newAuth.t.buffer));
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_ChangeAuth,
+ sessionHandle0, password, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvchangeauth: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvchangeauth: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvchangeauth\n");
+ printf("\n");
+ printf("Runs TPM2_NV_ChangeAuth\n");
+ printf("\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t-pwdo\tpassword (default empty)\n");
+ printf("\t-pwdn\tnew password (default empty)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
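Review bot: printUsage lists `20 command decrypt` under `-se[0-2]` but never says why it matters for this command: `in.newAuth` is the first command parameter, and with the default `sessionHandle0 = TPM_RS_PW` both the current password (passed as the session password to TSS_Execute) and the new one reach the TPM unencrypted. A usage line such as `printf("\t\t(HMAC session with 20 recommended: encrypts the new password in transit)\n");` after the `20\tcommand decrypt` line would point users at the protection the tool already supports through the session attributes. A one-line comment above the `TSS_Execute` call saying the same would help readers of the code as well.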
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvdefinespace.c b/libstb/tss2/ibmtpm20tss/utils/nvdefinespace.c
new file mode 100644
index 0000000..34e1586
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvdefinespace.c
@@ -0,0 +1,591 @@
+/********************************************************************************/
+/* */
+/* NV Define Space */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+#define TPMA_NVA_CLEAR_STCLEAR 0x08000000
+
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_DefineSpace_In in;
+ char hierarchyChar = 0;
+ char hierarchyAuthChar = '\0';
+ TPMI_ALG_HASH nalg = TPM_ALG_SHA256;
+ unsigned int hashSize = SHA256_DIGEST_SIZE;
+ char typeChar = 'o';
+ unsigned int typeCount = 0;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ uint16_t dataSize = 0;
+ TPMA_NV nvAttributes; /* final attributes to command */
+ TPMA_NV setAttributes; /* attributes to add to defaults*/
+ TPMA_NV clearAttributes; /* attributes to subtract from defaults */
+ const char *policyFilename = NULL;
+ const char *nvPassword = NULL;
+ const char *parentPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* nvAttributes first accumumates attributes that are default side effects of other arguments.
+ E.g., specifying a policy sets POLICYWRITE and POLICYREAD. After all arguments are
+ processed, setAttributes and clearAttributes may optional fine tune the attributes. E.g.,
+ POLICYWRITE can be cleared. */
+
+ /* default values */
+ nvAttributes.val = 0;
+ setAttributes.val = TPMA_NVA_NO_DA;
+ clearAttributes.val = 0;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hia") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyAuthChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hia\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nalg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ nalg = TPM_ALG_SHA1;
+ hashSize = SHA1_DIGEST_SIZE;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ nalg = TPM_ALG_SHA256;
+ hashSize = SHA256_DIGEST_SIZE;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ nalg = TPM_ALG_SHA384;
+ hashSize = SHA384_DIGEST_SIZE;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ nalg = TPM_ALG_SHA512;
+ hashSize = SHA512_DIGEST_SIZE;
+ }
+ else {
+ printf("Bad parameter %s for -nalg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-nalg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ parentPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ nvPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pol") == 0) {
+ i++;
+ if (i < argc) {
+ policyFilename = argv[i];
+ }
+ else {
+ printf("-pol option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-sz") == 0) {
+ i++;
+ if (i < argc) {
+ dataSize = atoi(argv[i]);
+ }
+ else {
+ printf("-sz option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ty") == 0) {
+ i++;
+ if (i < argc) {
+ typeChar = argv[i][0];
+ typeCount++;
+ }
+ else {
+ printf("-ty option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "+at") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i], "wd") == 0) {
+ setAttributes.val |= TPMA_NVA_WRITEDEFINE;
+ }
+ else if (strcmp(argv[i], "wst") == 0) {
+ setAttributes.val |= TPMA_NVA_WRITE_STCLEAR;
+ }
+ else if (strcmp(argv[i], "gl") == 0) {
+ setAttributes.val |= TPMA_NVA_GLOBALLOCK;
+ }
+ else if (strcmp(argv[i], "rst") == 0) {
+ setAttributes.val |= TPMA_NVA_READ_STCLEAR;
+ }
+ else if (strcmp(argv[i], "pold") == 0) {
+ setAttributes.val |= TPMA_NVA_POLICY_DELETE;
+ }
+ else if (strcmp(argv[i], "stc") == 0) {
+ setAttributes.val |= TPMA_NVA_CLEAR_STCLEAR;
+ }
+ else if (strcmp(argv[i], "ody") == 0) {
+ setAttributes.val |= TPMA_NVA_ORDERLY;
+ }
+ else if (strcmp(argv[i], "ppw") == 0) {
+ setAttributes.val |= TPMA_NVA_PPWRITE;
+ }
+ else if (strcmp(argv[i], "ppr") == 0) {
+ setAttributes.val |= TPMA_NVA_PPREAD;
+ }
+ else if (strcmp(argv[i], "ow") == 0) {
+ setAttributes.val |= TPMA_NVA_OWNERWRITE;
+ }
+ else if (strcmp(argv[i], "or") == 0) {
+ setAttributes.val |= TPMA_NVA_OWNERREAD;
+ }
+ else if (strcmp(argv[i], "aw") == 0) {
+ setAttributes.val |= TPMA_NVA_AUTHWRITE;
+ }
+ else if (strcmp(argv[i], "ar") == 0) {
+ setAttributes.val |= TPMA_NVA_AUTHREAD;
+ }
+ else if (strcmp(argv[i], "wa") == 0) {
+ setAttributes.val |= TPMA_NVA_WRITEALL;
+ }
+ else {
+ printf("Bad parameter %s for +at\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for +at\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-at") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i], "da") == 0) {
+ clearAttributes.val |= TPMA_NVA_NO_DA;
+ }
+ else if (strcmp(argv[i], "ppw") == 0) {
+ clearAttributes.val |= TPMA_NVA_PPWRITE;
+ }
+ else if (strcmp(argv[i], "ppr") == 0) {
+ clearAttributes.val |= TPMA_NVA_PPREAD;
+ }
+ else if (strcmp(argv[i], "ow") == 0) {
+ clearAttributes.val |= TPMA_NVA_OWNERWRITE;
+ }
+ else if (strcmp(argv[i], "or") == 0) {
+ clearAttributes.val |= TPMA_NVA_OWNERREAD;
+ }
+ else if (strcmp(argv[i], "aw") == 0) {
+ clearAttributes.val |= TPMA_NVA_AUTHWRITE;
+ }
+ else if (strcmp(argv[i], "ar") == 0) {
+ clearAttributes.val |= TPMA_NVA_AUTHREAD;
+ }
+ else if (strcmp(argv[i], "pw") == 0) {
+ clearAttributes.val |= TPMA_NVA_POLICYWRITE;
+ }
+ else if (strcmp(argv[i], "pr") == 0) {
+ clearAttributes.val |= TPMA_NVA_POLICYREAD;
+ }
+ else {
+ printf("Bad parameter %s for -at\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -at\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ if (typeCount > 1) {
+ printf("-ty can only be specified once\n");
+ printUsage();
+ }
+ /* Authorization attributes */
+ if (rc == 0) {
+ if (hierarchyAuthChar == 'o') {
+ nvAttributes.val |= TPMA_NVA_OWNERWRITE | TPMA_NVA_OWNERREAD;
+ }
+ else if (hierarchyAuthChar == 'p') {
+ nvAttributes.val |= TPMA_NVA_PPWRITE | TPMA_NVA_PPREAD;
+ }
+ else if (hierarchyAuthChar == '\0') {
+ nvAttributes.val |= TPMA_NVA_AUTHWRITE | TPMA_NVA_AUTHREAD;
+ }
+ else {
+ printf("-hia has bad parameter\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ if (hierarchyChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ nvAttributes.val |= TPMA_NVA_PLATFORMCREATE;
+ }
+ else {
+ printf("Missing or illegal -hi\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ switch (typeChar) {
+ case 'o':
+ nvAttributes.val |= TPMA_NVA_ORDINARY;
+ break;
+ case 'c':
+ nvAttributes.val |= TPMA_NVA_COUNTER;
+ dataSize = 8;
+ break;
+ case 'b':
+ nvAttributes.val |= TPMA_NVA_BITS;
+ dataSize = 8;
+ break;
+ case 'e':
+ nvAttributes.val |= TPMA_NVA_EXTEND;
+ dataSize = hashSize;
+ break;
+ case 'p':
+ nvAttributes.val |= TPMA_NVA_PIN_PASS;
+ dataSize = 8;
+ break;
+ case 'f':
+ nvAttributes.val |= TPMA_NVA_PIN_FAIL;
+ dataSize = 8;
+ break;
+ default:
+ printf("Illegal -ty\n");
+ printUsage();
+ }
+ }
+ /* Table 75 - Definition of Types for TPM2B_AUTH */
+ if (rc == 0) {
+ if (nvPassword == NULL) {
+ in.auth.b.size = 0;
+ }
+ /* if there was a password specified, permit index authorization */
+ else {
+ /* PIN index cannot use index AUTHWRITE authorization */
+ if (((nvAttributes.val & TPMA_NVA_TPM_NT_MASK) != TPMA_NVA_PIN_FAIL) &&
+ ((nvAttributes.val & TPMA_NVA_TPM_NT_MASK) != TPMA_NVA_PIN_PASS)) {
+ nvAttributes.val |= TPMA_NVA_AUTHWRITE;
+ }
+ nvAttributes.val |= TPMA_NVA_AUTHREAD;
+ rc = TSS_TPM2B_StringCopy(&in.auth.b,
+ nvPassword, sizeof(in.auth.t.buffer));
+ }
+ }
+ /* optional authorization policy */
+ if (rc == 0) {
+ if (policyFilename != NULL) {
+ if (rc == 0) {
+ nvAttributes.val |= TPMA_NVA_POLICYWRITE | TPMA_NVA_POLICYREAD;
+ rc = TSS_File_Read2B(&in.publicInfo.nvPublic.authPolicy.b,
+ sizeof(in.publicInfo.nvPublic.authPolicy.t.buffer),
+ policyFilename);
+ }
+ /* sanity check that the size of the policy hash matches the name algorithm */
+ if (rc == 0) {
+ if (in.publicInfo.nvPublic.authPolicy.b.size != hashSize) {
+ printf("Policy size %u does not match name algorithm %u\n",
+ in.publicInfo.nvPublic.authPolicy.b.size, hashSize);
+ rc = TPM_RC_POLICY;
+ }
+ }
+ }
+ else {
+ in.publicInfo.nvPublic.authPolicy.t.size = 0; /* default empty policy */
+ }
+ }
+ /* Table 197 - Definition of TPM2B_NV_PUBLIC Structure publicInfo */
+ /* Table 196 - Definition of TPMS_NV_PUBLIC Structure nvPublic */
+ if (rc == 0) {
+ in.publicInfo.nvPublic.nvIndex = nvIndex; /* the handle of the data area */
+ in.publicInfo.nvPublic.nameAlg = nalg; /* hash algorithm used to compute the name
+ of the Index and used for the
+ authPolicy */
+ in.publicInfo.nvPublic.attributes = nvAttributes; /* the default Index attributes */
+ /* additional set attributes */
+ in.publicInfo.nvPublic.attributes.val |= setAttributes.val;
+ /* clear attributes */
+ in.publicInfo.nvPublic.attributes.val &= ~(clearAttributes.val);
+ in.publicInfo.nvPublic.dataSize = dataSize; /* the size of the data area */
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_DefineSpace,
+ sessionHandle0, parentPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ printf("nvdefinespace: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvdefinespace: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvdefinespace\n");
+ printf("\n");
+ printf("Runs TPM2_NV_DefineSpace\n");
+ printf("\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t\t01xxxxxx\n");
+ printf("\t-hi\tauthorizing hierarchy (o, p)\n");
+ printf("\t\to owner, p platform\n");
+ printf("\t\tp sets PLATFORMCREATE\n");
+ printf("\t[-pwdp\tpassword for hierarchy (default empty)]\n");
+ printf("\t[-hia\thierarchy authorization (o, p)(default index authorization)]\n");
+ printf("\n");
+ printf("\t\tdefault AUTHWRITE, AUTHREAD\n");
+ printf("\t\to sets OWNERWRITE, OWNERREAD\n");
+ printf("\t\tp sets PPWRITE, PPREAD (platform)\n");
+ printf("\n");
+ printf("\t[-pwdn\tpassword for NV index (default empty)]\n");
+ printf("\t\tsets AUTHWRITE (if not PIN index), AUTHREAD\n");
+ printf("\t[-nalg\tname algorithm (sha1, sha256, sha384 sha512) (default sha256)]\n");
+ printf("\t[-sz\tdata size in decimal (default 0)]\n");
+ printf("\t\tIgnored for other than ordinary index\n");
+ printf("\t[-ty\tindex type (o, c, b, e, p, f) (default ordinary)]\n");
+ printf("\t\tordinary, counter, bits, extend, pin pass, pin fail\n");
+ printf("\t[-pol\tpolicy file (default empty)]\n");
+ printf("\t\tsets POLICYWRITE, POLICYREAD\n");
+ printf("\t[+at\tattributes to add (may be specified more than once)]\n");
+ printf("\n");
+ printf("\t\tppw (PPWRITE)\t\tppr (PPREAD) \n");
+ printf("\t\tow (OWNERWRITE)\tor (OWNERREAD) \n");
+ printf("\t\taw (AUTHWRITE)\tar (AUTHREAD) \n");
+ printf("\t\twd (WRITEDEFINE)\tgl (GLOBALLOCK) \n");
+ printf("\t\trst (READ_STCLEAR)\twst (WRITE_STCLEAR) \n");
+ printf("\t\twa (WRITEALL)\tody (ORDERLY) \n");
+ printf("\t\tpold (POLICY_DELETE) \tstc (CLEAR_STCLEAR) \n");
+ printf("\n");
+ printf("\t[-at\tattributes to delete (may be specified more than once)]\n");
+ printf("\n");
+ printf("\t\tppw (PPWRITE)\t\tppr (PPREAD)\n");
+ printf("\t\tow (OWNERWRITE)\tor (OWNERREAD)\n");
+ printf("\t\taw (AUTHWRITE)\tar (AUTHREAD)\n");
+ printf("\t\tpw (POLICYWRITE)\tpr (POLICYREAD)\n");
+ printf("\t\tda (NO_DA) (default set)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
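Review bot: The defaults produce an index that any caller who can reach the TPM can read and write: with no `-hia` the code sets `TPMA_NVA_AUTHWRITE | TPMA_NVA_AUTHREAD`, with no `-pwdn` it sets `in.auth.b.size = 0`, and with no `-pol` the policy is left empty, yet nothing in printUsage states that combination plainly. A comment next to the `/* default values */` block, e.g. `/* With none of -hia, -pwdn, -pol: AUTHWRITE/AUTHREAD with an empty authValue, i.e. the index is readable and writable by any caller */`, and a matching usage line under `-pwdn` would make the consequence of omitting those options visible. Minor: the inner `if (rc == 0)` under `if (policyFilename != NULL)` is redundant, since rc is already 0 on entry to that branch.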
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvextend.c b/libstb/tss2/ibmtpm20tss/utils/nvextend.c
new file mode 100644
index 0000000..ce99439
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvextend.c
@@ -0,0 +1,274 @@
+/********************************************************************************/
+/* */
+/* NV Extend */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_Extend_In in;
+ const char *data = NULL;
+ const char *datafilename = NULL;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ const char *nvPassword = NULL; /* default no password */
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ nvPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ic") == 0) {
+ i++;
+ if (i < argc) {
+ data = argv[i];
+ }
+ else {
+ printf("-ic option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-if") == 0) {
+ i++;
+ if (i < argc) {
+ datafilename = argv[i];
+ } else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ if ((data == NULL) && (datafilename == NULL)) {
+ printf("Data string or data file must be specified\n");
+ printUsage();
+ }
+ if ((data != NULL) && (datafilename != NULL)) {
+ printf("Data string and data file cannot both be specified\n");
+ printUsage();
+ }
+ if ((rc == 0) && (data != NULL)) {
+ rc = TSS_TPM2B_StringCopy(&in.data.b,
+ data, sizeof(in.data.t.buffer));
+
+ }
+ if ((rc == 0) && (datafilename != NULL)) {
+ rc = TSS_File_Read2B(&in.data.b,
+ sizeof(in.data.t.buffer),
+ datafilename);
+ }
+ if (rc == 0) {
+ in.authHandle = nvIndex;
+ in.nvIndex = nvIndex;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_Extend,
+ sessionHandle0, nvPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvextend: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvextend: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvextend\n");
+ printf("\n");
+ printf("Runs TPM2_NV_Extend\n");
+ printf("\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t-pwdn\tpassword for NV index (default empty)\n");
+ printf("\t-ic\tdata string\n");
+ printf("\t-if\tdata file\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
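Review bot: The return value of `sscanf` is ignored in the `-se0`, `-se1` and `-se2` branches, so a non-hex session argument leaves `sessionHandle0` at its default `TPM_RS_PW` and the command silently runs under a password session instead of the HMAC or policy session the caller asked for (for `-se1`/`-se2` the handle stays `TPM_RH_NULL` and the extra session is simply dropped, and an unparsed attribute word loses flags such as continue or command decrypt). The `-ha` handle is covered by the later `TPM_HT_NV_INDEX` check, but the session handles and attributes have no equivalent guard. I would check each conversion, e.g. `if (sscanf(argv[i],"%x", &sessionHandle0) != 1) { printf("Invalid parameter for -se0\n"); printUsage(); }`, and the same for the attribute values.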
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvglobalwritelock.c b/libstb/tss2/ibmtpm20tss/utils/nvglobalwritelock.c
new file mode 100644
index 0000000..2a737ec
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvglobalwritelock.c
@@ -0,0 +1,237 @@
+/********************************************************************************/
+/* */
+/* NV GlobalWriteLock */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_GlobalWriteLock_In in;
+ char hierarchyAuthChar = 0;
+ const char *password = NULL; /* default no password */
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hia") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyAuthChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hia\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwd") == 0) {
+ i++;
+ if (i < argc) {
+ password = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Authorization handle */
+ if (rc == 0) {
+ if (hierarchyAuthChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyAuthChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("\n");
+ printUsage();
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_GlobalWriteLock,
+ sessionHandle0, password, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvglobalwritelock: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvglobalwritelock: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvglobalwritelock\n");
+ printf("\n");
+ printf("Runs TPM2_NV_GlobalWriteLock\n");
+ printf("\n");
+ printf("\t-hia\thierarchy authorization (o, p)\n");
+ printf("\t[-pwd\tauthorization password (default empty)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
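Review bot: The error message in the `-pwd` branch is copied from the NV index utilities and names an option this tool does not have: `printf("-pwdn option needs a value\n");` should read `printf("-pwd option needs a value\n");`, matching the option parsed just above it and the usage text. A user who omits the value is otherwise told to fix a `-pwdn` flag that the parser would reject as "not a valid option". Separately, if I recall the TPM 2.0 spec correctly, the write lock that `TPM2_NV_GlobalWriteLock` sets on every GLOBALLOCK index cannot be undone until the next TPM Reset, so a one-line caveat in printUsage such as `printf("\t\tNOTE: GLOBALLOCK indexes stay write locked until TPM Reset\n");` would be worthwhile; confirm against the spec before adding it.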
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvincrement.c b/libstb/tss2/ibmtpm20tss/utils/nvincrement.c
new file mode 100644
index 0000000..8488993
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvincrement.c
@@ -0,0 +1,233 @@
+/********************************************************************************/
+/* */
+/* NV_Increment */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <inttypes.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_Increment_In in;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ const char *nvPassword = NULL; /* default no password */
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ nvPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.authHandle = nvIndex;
+ in.nvIndex = nvIndex;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_Increment,
+ sessionHandle0, nvPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvincrement: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvincrement: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvincrement\n");
+ printf("\n");
+ printf("Runs TPM2_NV_Increment\n");
+ printf("\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t-pwdn\tpassword for NV index (default empty)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
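Review bot: The NV index auth value is taken verbatim from `argv` in the `-pwdn` branch (`nvPassword = argv[i];`), so it is visible to other local users through the process list and `/proc/<pid>/cmdline` and ends up in shell history, and neither the code nor the usage text points this out. For a regression utility that is an accepted trade-off, but since that auth is what gates `TPM2_NV_Increment` on a counter index, the usage text should say so, e.g. `printf("\t\t(the password is passed on the command line and visible in the process list)\n");` after the `-pwdn` line. Unrelated: `<inttypes.h>` is included but nothing in this file uses its macros.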
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvread.c b/libstb/tss2/ibmtpm20tss/utils/nvread.c
new file mode 100644
index 0000000..34eebf8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvread.c
@@ -0,0 +1,483 @@
+/********************************************************************************/
+/* */
+/* NV Read */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include "ekutils.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_Read_In in;
+ NV_Read_Out out;
+ uint16_t offset = 0; /* default 0 */
+ uint16_t readLength = 0; /* bytes to read */
+ int ireadLength = 0; /* bytes to read as integer */
+ int cert = FALSE; /* boolean, read certificate */
+ const char *certificateFilename = NULL;
+ int readLengthSet = FALSE;
+ char hierarchyAuthChar = 0;
+ const char *datafilename = NULL;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ const char *nvPassword = NULL; /* default no password */
+ uint32_t pinCount = 0; /* these two initialized to suppress falose gcc -O3
+ warnings */
+ uint32_t pinLimit = 0;
+ int inData = FALSE;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+ unsigned char *readBuffer = NULL;
+ uint32_t nvBufferMax;
+ uint16_t bytesRead; /* bytes read so far */
+ int done = FALSE;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ nvPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hia") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyAuthChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hia\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-of") == 0) {
+ i++;
+ if (i < argc) {
+ datafilename = argv[i];
+ } else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-off") == 0) {
+ i++;
+ if (i < argc) {
+ offset = atoi(argv[i]);
+ }
+ else {
+ printf("-off option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-sz") == 0) {
+ i++;
+ if (i < argc) {
+ ireadLength = atoi(argv[i]);
+ readLengthSet = TRUE;
+ }
+ else {
+ printf("-sz option needs a value\n");
+ printUsage();
+ }
+ if ((ireadLength >= 0) && (ireadLength <= 0xffff)) {
+ readLength = (uint16_t)ireadLength;
+ }
+ else {
+ printf("-sz %d out of range\n", ireadLength);
+ printUsage();
+ }
+ }
+ else if (!strcmp("-cert",argv[i])) {
+ cert = TRUE;
+ }
+ else if (strcmp(argv[i],"-ocert") == 0) {
+ i++;
+ if (i < argc) {
+ certificateFilename = argv[i];
+ }
+ else {
+ printf("-ocert option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-id") == 0) {
+ i++;
+ if (i < argc) {
+ pinCount = atoi(argv[i]);
+ i++;
+ if (i < argc) {
+ pinLimit = atoi(argv[i]);
+ inData = TRUE;
+ }
+ else {
+ printf("-id option needs two values\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("-id option needs two values\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ /* Authorization handle */
+ if (rc == 0) {
+ if (hierarchyAuthChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyAuthChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else if (hierarchyAuthChar == 0) {
+ in.authHandle = nvIndex;
+ }
+ else {
+ printf("\n");
+ printUsage();
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* Determine the readLength from the NV index type. This is just for the utility. An
+ application would already know the index type. */
+ if (!readLengthSet) { /* if caller specifies a read length, use it */
+ NV_ReadPublic_In in;
+ NV_ReadPublic_Out out;
+ if (rc == 0) {
+ in.nvIndex = nvIndex;
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_ReadPublic,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (rc == 0) {
+ TPMI_ALG_HASH nameAlg;
+ uint32_t nvType = (out.nvPublic.nvPublic.attributes.val & TPMA_NVA_TPM_NT_MASK) >> 4;
+ switch (nvType) {
+ case TPM_NT_ORDINARY:
+ readLength = out.nvPublic.nvPublic.dataSize;
+ break;
+ case TPM_NT_COUNTER:
+ case TPM_NT_BITS:
+ case TPM_NT_PIN_FAIL:
+ case TPM_NT_PIN_PASS:
+ readLength = 8;
+ break;
+ case TPM_NT_EXTEND:
+ nameAlg = out.nvPublic.nvPublic.nameAlg;
+ readLength = TSS_GetDigestSize(nameAlg);
+ break;
+ }
+ }
+ }
+ if (rc == 0) {
+ if (readLength > 0) {
+ readBuffer = malloc(readLength); /* freed @1 */
+ if (readBuffer == NULL) {
+ printf("Cannot malloc %u bytes for read buffer\n", readLength);
+ exit(1);
+ }
+ }
+ else {
+ readBuffer = NULL;
+ }
+ }
+ if ((rc == 0) && inData) {
+ if (readLength != 8) {
+ printf("-id needs read length 8, is %u\n", readLength);
+ exit(1);
+ }
+ }
+ /* data may have to be read in chunks. Read the TPM_PT_NV_BUFFER_MAX, the chunk size */
+ if (rc == 0) {
+ rc = readNvBufferMax(tssContext,
+ &nvBufferMax);
+ }
+ if (rc == 0) {
+ in.nvIndex = nvIndex;
+ in.offset = offset; /* start at supplied offset */
+ bytesRead = 0; /* bytes read so far */
+ }
+ /* call TSS to execute the command */
+ while ((rc == 0) && !done) {
+ if (rc == 0) {
+ /* read a chunk */
+ in.offset = offset + bytesRead;
+ if ((uint32_t)(readLength - bytesRead) < nvBufferMax) {
+ in.size = readLength - bytesRead; /* last chunk */
+ }
+ else {
+ in.size = nvBufferMax; /* next chunk */
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvread: reading %u bytes\n", in.size);
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_Read,
+ sessionHandle0, nvPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ /* copy the results to the read buffer */
+ if ((rc == 0) && (readBuffer != NULL)) { /* check to handle 0 size read */
+ memcpy(readBuffer + bytesRead, out.data.b.buffer, out.data.b.size);
+ }
+ if (rc == 0) {
+ bytesRead += out.data.b.size;
+ if (bytesRead == readLength) {
+ done = TRUE;
+ }
+ }
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (datafilename != NULL) && (readBuffer != NULL)) {
+ rc = TSS_File_WriteBinaryFile(readBuffer, readLength, datafilename);
+ }
+ if (rc == 0) {
+ /* if not tracing the certificate, trace the result */
+ if (!cert) {
+ if (tssUtilsVerbose) printf("nvread: success\n");
+ TSS_PrintAll("nvread: data", readBuffer, readLength);
+ }
+ if (cert || (certificateFilename != NULL)) {
+ void *x509Certificate = NULL; /* opaque structure */
+ /* convert the DER stream to crypto library structure */
+ rc = convertDerToX509(&x509Certificate, /* freed @2 */
+ readLength,
+ readBuffer);
+ /* if cert, trace the certificate using openssl print function */
+ if ((rc == 0) && cert) {
+ x509PrintStructure(x509Certificate);
+ }
+ /* if a file name was specified, write the certificate in PEM format */
+ if ((rc == 0) && (certificateFilename != NULL)) {
+ rc = convertX509ToPem(certificateFilename,
+ x509Certificate);
+ }
+ x509FreeStructure(x509Certificate); /* @2 */
+ }
+ }
+ /* PIN index regression test aid, compare expected to actual */
+ if (rc == 0) {
+ if (inData) {
+ uint32_t tmpSize = 8; /* readLength was checked previously */
+ uint8_t *tmpBuffer = readBuffer;
+ uint32_t actual; /* data comes off TPM big endian (nbo) */
+
+ TSS_UINT32_Unmarshalu(&actual, &tmpBuffer, &tmpSize);
+ if (pinCount != actual) {
+ printf("Error: Expected pinCount %u Actual %u\n", pinCount, actual);
+ rc = TSS_RC_BAD_READ_VALUE;
+ }
+ TSS_UINT32_Unmarshalu(&actual, &tmpBuffer, &tmpSize);
+ if (pinLimit != actual) {
+ printf("Error: Expected pinLimit %u Actual %u\n", pinLimit, actual);
+ rc = TSS_RC_BAD_READ_VALUE;
+ }
+ }
+ }
+ if (rc != 0) {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvread: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(readBuffer); /* @1 */
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvread\n");
+ printf("\n");
+ printf("Runs TPM2_NV_Read\n");
+ printf("\n");
+ printf("\t[-hia\thierarchy authorization (o, p)(default index authorization)]\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t[-pwdn\tpassword for NV index (default empty)]\n");
+ printf("\t[-sz\tdata size (default to size of index)]\n");
+ printf("\t\tcounter, bits, pin read 8 bytes, extend reads based on hash algorithm\n");
+ printf("\t[-cert\tdumps the certificate\n");
+ printf("\t01c00002\tRSA EK certificate\n");
+ printf("\t01c0000a\tECC EK certificate\n");
+ printf("\t[-ocert\t certificate file name, writes in PEM format\n");
+ printf("\t[-off\t offset (default 0)]\n");
+ printf("\t[-of\t data file (default do not save)]\n");
+ printf("\t[-id\tdata values for pinCount and pinLimit verification, (4 bytes each)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
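Review bot: The copy into `readBuffer` after the `TPM_CC_NV_Read` call trusts `out.data.b.size` from the TPM response: `readBuffer` is only `readLength` bytes, so a response larger than the `in.size` that was requested writes past the heap allocation, and a zero-length response for a non-zero request never advances `bytesRead`, so the `while ((rc == 0) && !done)` loop never terminates. The unmarshal code presumably bounds the TPM2B to its maximum buffer size, but that can be larger than `readLength`, and the TPM (or a software TPM or transport in between) is external to this process. I would validate the returned size against the request before the memcpy and fail with the response code the file already uses for a bad read value. Separately, `-off` is converted with `atoi` straight into a `uint16_t` without the range check that `-sz` gets, so `-off -1` or `-off 70000` is silently truncated.
```c
/* … unchanged: TSS_Execute(TPM_CC_NV_Read) … */
/* bound the copy by what was requested, and make sure the loop makes progress */
if (rc == 0) {
    if ((out.data.b.size > in.size) ||
        ((out.data.b.size == 0) && (in.size != 0))) {
        printf("nvread: TPM returned %u bytes, requested %u\n",
               out.data.b.size, in.size);
        rc = TSS_RC_BAD_READ_VALUE;
    }
}
if ((rc == 0) && (readBuffer != NULL)) { /* check to handle 0 size read */
    memcpy(readBuffer + bytesRead, out.data.b.buffer, out.data.b.size);
}
```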
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvreadlock.c b/libstb/tss2/ibmtpm20tss/utils/nvreadlock.c
new file mode 100644
index 0000000..94e7f3f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvreadlock.c
@@ -0,0 +1,260 @@
+/********************************************************************************/
+/* */
+/* NV ReadLock */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: nvreadlock.c 1290 2018-08-01 14:45:24Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_ReadLock_In in;
+ char hierarchyAuthChar = 0;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ const char *nvPassword = NULL; /* default no password */
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ nvPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hia") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyAuthChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hia\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ /* Authorization handle */
+ if (rc == 0) {
+ if (hierarchyAuthChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyAuthChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else if (hierarchyAuthChar == 0) {
+ in.authHandle = nvIndex;
+ }
+ else {
+ printf("\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ in.nvIndex = nvIndex;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_ReadLock,
+ sessionHandle0, nvPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvreadlock: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvreadlock: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvreadlock\n");
+ printf("\n");
+ printf("Runs TPM2_NV_ReadLock\n");
+ printf("\n");
+ printf("\t[-hia\thierarchy authorization (o, p)(default index authorization)]\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t-pwdn\tpassword for NV index (default empty)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvreadpublic.c b/libstb/tss2/ibmtpm20tss/utils/nvreadpublic.c
new file mode 100644
index 0000000..cf36b96
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvreadpublic.c
@@ -0,0 +1,351 @@
+/********************************************************************************/
+/* */
+/* NV ReadPublic */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+/* for endian conversion */
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tsscrypto.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_ReadPublic_In in;
+ NV_ReadPublic_Out out;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ TPMI_ALG_HASH nalg = TPM_ALG_NULL;
+ TPMI_ALG_HASH nameHashAlg;
+ const char *nvPublicFilename = NULL;
+ const char *nameFilename = NULL;
+ int noSpace = FALSE;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nalg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ nalg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ nalg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ nalg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ nalg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -nalg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-nalg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opu") == 0) {
+ i++;
+ if (i < argc) {
+ nvPublicFilename = argv[i];
+ }
+ else {
+ printf("-opu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ns") == 0) {
+ noSpace = TRUE;
+ }
+ else if (strcmp(argv[i],"-on") == 0) {
+ i++;
+ if (i < argc) {
+ nameFilename = argv[i];
+ }
+ else {
+ printf("-on option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.nvIndex = nvIndex;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_ReadPublic,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /* NOTE: The caller validates the result to the extent that it does not trust the NV index to be
+ defined properly */
+
+ /* Table 197 - Definition of TPM2B_NV_PUBLIC Structure - nvPublic*/
+ /* Table 196 - Definition of TPMS_NV_PUBLIC Structure */
+ /* Table 83 - Definition of TPM2B_NAME Structure t */
+
+ /* TPMS_NV_PUBLIC hash alg vs expected */
+ if (rc == 0) {
+ if ((nalg != TPM_ALG_NULL) && (out.nvPublic.nvPublic.nameAlg != nalg)) {
+ printf("nvreadpublic: TPM2B_NV_PUBLIC hash algorithm does not match expected\n");
+ rc = TSS_RC_MALFORMED_NV_PUBLIC;
+ }
+ }
+ /* TPM2B_NAME hash algorithm vs expected */
+ if (rc == 0) {
+ uint16_t tmp16;
+ memcpy(&tmp16, out.nvName.t.name, sizeof(uint16_t));
+ /* nameHashAlg = ntohs(*(TPMI_ALG_HASH *)(out.nvName.t.name)); */
+ nameHashAlg = ntohs(tmp16);
+ if ((nalg != TPM_ALG_NULL) && (nameHashAlg != nalg)) {
+ printf("nvreadpublic: TPM2B_NAME hash algorithm does not match expected\n");
+ rc = TSS_RC_MALFORMED_NV_PUBLIC;
+ }
+ }
+ /* TPMS_NV_PUBLIC index vs expected */
+ if (rc == 0) {
+ if (out.nvPublic.nvPublic.nvIndex != in.nvIndex) {
+ printf("nvreadpublic: TPM2B_NV_PUBLIC index does not match expected\n");
+ rc = TSS_RC_MALFORMED_NV_PUBLIC;
+ }
+ }
+ /* save the public key */
+ if ((rc == 0) && (nvPublicFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.nvPublic,
+ (MarshalFunction_t)TSS_TPM2B_NV_PUBLIC_Marshalu,
+ nvPublicFilename);
+ }
+ /* save the Name */
+ if ((rc == 0) && (nameFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.nvName.b.buffer,
+ out.nvName.b.size,
+ nameFilename);
+ }
+ if (rc == 0) {
+ printf("nvreadpublic: name algorithm %04x\n", out.nvPublic.nvPublic.nameAlg);
+ printf("nvreadpublic: data size %u\n", out.nvPublic.nvPublic.dataSize);
+ printf("nvreadpublic: attributes %08x\n", out.nvPublic.nvPublic.attributes.val);
+ TSS_TPMA_NV_Print(out.nvPublic.nvPublic.attributes, 0);
+ TSS_PrintAll("nvreadpublic: policy",
+ out.nvPublic.nvPublic.authPolicy.t.buffer,
+ out.nvPublic.nvPublic.authPolicy.t.size);
+ TSS_PrintAll("nvreadpublic: name",
+ out.nvName.t.name, out.nvName.t.size);
+ if (noSpace) {
+ unsigned int b;
+ for (b = 0 ; b < out.nvName.t.size ; b++) {
+ printf("%02x", out.nvName.t.name[b]);
+ }
+ printf("\n");
+ }
+ if (tssUtilsVerbose) printf("nvreadpublic: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvreadpublic: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvreadpublic\n");
+ printf("\n");
+ printf("Runs TPM2_NV_ReadPublic\n");
+ printf("\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t[-nalg\texpected name hash algorithm (sha1, sha256, sha384 sha512)\n"
+ "\t\t(default no check)]\n");
+ printf("\t[-opu\tNV public file name (default do not save)]\n");
+ printf("\t[-ns\tadditionally print Name in hex ascii on one line]\n");
+ printf("\t[-on\tbinary format Name file name]\n");
+ printf("\t\tUseful to paste into policy\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t40\tresponse encrypt\n");
+ printf("\t80\taudit\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvsetbits.c b/libstb/tss2/ibmtpm20tss/utils/nvsetbits.c
new file mode 100644
index 0000000..e115156
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvsetbits.c
@@ -0,0 +1,254 @@
+/********************************************************************************/
+/* */
+/* NV SetBits */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <inttypes.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_SetBits_In in;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ const char *nvPassword = NULL; /* default no password */
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ in.bits = 0; /* default no bits */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ nvPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-bit") == 0) {
+ unsigned int bit;
+ i++;
+ if (i < argc) {
+ bit = atoi(argv[i]);
+ if (bit < 64) {
+ in.bits |= (uint64_t)1 << bit;
+ }
+ else {
+ printf("-bit out of range\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("-bit option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.authHandle = nvIndex;
+ in.nvIndex = nvIndex;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_SetBits,
+ sessionHandle0, nvPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvsetbits: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvsetbits: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvsetbits\n");
+ printf("\n");
+ printf("Runs TPM2_NV_SetBits\n");
+ printf("\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t[-pwdn\tpassword for NV index (default empty)]\n");
+ printf("\t[-bit\tbit to set, can be specified multiple times]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvundefinespace.c b/libstb/tss2/ibmtpm20tss/utils/nvundefinespace.c
new file mode 100644
index 0000000..32071df
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvundefinespace.c
@@ -0,0 +1,258 @@
+/********************************************************************************/
+/* */
+/* NV Undefine Space */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_UndefineSpace_In in;
+ char hierarchyChar = 0;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ const char *parentPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ parentPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ if (hierarchyChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("Missing or illegal -hi\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ in.nvIndex = nvIndex; /* the NV Index to remove from NV space */
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_UndefineSpace,
+ sessionHandle0, parentPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvundefinespace: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvundefinespace: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvundefinespace\n");
+ printf("\n");
+ printf("Runs TPM2_NV_UndefineSpace\n");
+ printf("\n");
+ printf("\t-hi\thierarchy (o, p)\n");
+ printf("\t\to owner, p platform\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t-pwdp\tpassword for hierarchy (default empty)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvundefinespacespecial.c b/libstb/tss2/ibmtpm20tss/utils/nvundefinespacespecial.c
new file mode 100644
index 0000000..408799e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvundefinespacespecial.c
@@ -0,0 +1,244 @@
+/********************************************************************************/
+/* */
+/* NV Undefine Space Special */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_UndefineSpaceSpecial_In in;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ const char *nvPassword = NULL; /* default no password */
+ const char *platformPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RS_PW;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ nvPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ platformPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.platform = TPM_RH_PLATFORM;
+ in.nvIndex = nvIndex; /* the NV Index to remove from NV space */
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_UndefineSpaceSpecial,
+ sessionHandle0, nvPassword, sessionAttributes0,
+ sessionHandle1, platformPassword, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvundefinespacespecial: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvundefinespacespecial: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvundefinespacespecial\n");
+ printf("\n");
+ printf("Runs TPM2_NV_UndefineSpaceSpecial\n");
+ printf("\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t[-pwdp\tpassword for platform (default empty)]\n");
+ printf("\t[-pwdn\tpassword for NV index (default empty)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
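Review bot: The sscanf() calls that parse `-ha` and the `-se[0-2]` handle/attribute values (L76788, L76818, L76826, L76840, L76848, L76862, L76870) never check the return value, so a non-hex argument is silently ignored: `-ha` is caught later by the MSB check, but a mistyped `-se0` value leaves sessionHandle0 at TPM_RS_PW and sessionAttributes0 at 0 and the command runs under the default password session instead of failing. Each parse should be guarded, e.g. `if (sscanf(argv[i], "%x", &sessionHandle0) != 1) { printf("Illegal parameter for -se0\n"); printUsage(); }`, and the same applies to the attribute values. The same unchecked pattern is repeated in nvwrite.c, nvwritelock.c and objectchangeauth.c in this commit. Since `TPMI_SH_AUTH_SESSION` and `TPMI_RH_NV_INDEX` are fixed-width types, `"%" SCNx32` from `<inttypes.h>` would also document the width the format assumes.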
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvwrite.c b/libstb/tss2/ibmtpm20tss/utils/nvwrite.c
new file mode 100644
index 0000000..0d508a6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvwrite.c
@@ -0,0 +1,415 @@
+/********************************************************************************/
+/* */
+/* NV Write */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include "ekutils.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_Write_In in;
+ uint16_t offset = 0; /* default 0 */
+ uint32_t pinPass = 0; /* these two initialized to suppress falose gcc -O3
+ warnings */
+ uint32_t pinLimit = 0;
+ int inData = FALSE;
+ unsigned int dataSource = 0;
+ const char *commandData = NULL;
+ const char *datafilename = NULL;
+ char hierarchyAuthChar = 0;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ const char *nvPassword = NULL; /* default no password */
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+ uint32_t nvBufferMax;
+ size_t writeLength; /* file bytes to write */
+ unsigned char *writeBuffer = NULL; /* file buffer to write */
+ uint16_t bytesWritten; /* bytes written so far */
+ int done = FALSE;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ nvPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hia") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyAuthChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hia\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ic") == 0) {
+ i++;
+ if (i < argc) {
+ commandData = argv[i];
+ dataSource++;
+ }
+ else {
+ printf("-ic option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-if") == 0) {
+ i++;
+ if (i < argc) {
+ datafilename = argv[i];
+ dataSource++;
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-id") == 0) {
+ i++;
+ if (i < argc) {
+ pinPass = atoi(argv[i]);
+ i++;
+ if (i < argc) {
+ pinLimit = atoi(argv[i]);
+ dataSource++;
+ inData = TRUE;
+ }
+ else {
+ printf("-id option needs two values\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("-id option needs two values\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-off") == 0) {
+ i++;
+ if (i < argc) {
+ offset = atoi(argv[i]);
+ }
+ else {
+ printf("-off option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ if (dataSource > 1) {
+ printf("More than one input data source (-if, -ic, -id\n");
+ printUsage();
+ }
+ /* Authorization handle */
+ if (rc == 0) {
+ if (hierarchyAuthChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyAuthChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else if (hierarchyAuthChar == 0) {
+ in.authHandle = nvIndex;
+ }
+ else {
+ printf("\n");
+ printUsage();
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* data may have to be written in chunks. Read the chunk size */
+ if (rc == 0) {
+ rc = readNvBufferMax(tssContext,
+ &nvBufferMax);
+ }
+ /* if there is no input data source, default to 0 byte write */
+ if ((rc == 0) && (dataSource == 0)) {
+ in.data.b.size = 0;
+ }
+ /* -if, file data can be written in chunks */
+ if ((rc == 0) && (datafilename != NULL)) {
+ rc = TSS_File_ReadBinaryFile(&writeBuffer, /* freed @1 */
+ &writeLength,
+ datafilename);
+ }
+ if ((rc == 0) && (datafilename != NULL)) {
+ if (writeLength > 0xffff) { /* overflow TPM2B uint16_t */
+ printf("nvwrite: size %u greater than 0xffff\n", (unsigned int)writeLength);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* -id, for pin pass or pin fail */
+ if ((rc == 0) && (inData)) {
+ uint32_t tmpData;
+ in.data.b.size = sizeof(uint32_t) + sizeof(uint32_t);
+ tmpData = htonl(pinPass);
+ memcpy(in.data.b.buffer, &tmpData, sizeof(tmpData));
+ tmpData = htonl(pinLimit);
+ memcpy(in.data.b.buffer + sizeof(tmpData), &tmpData, sizeof(tmpData));
+ }
+ /* -ic, command line data must fit in one write */
+ if ((rc == 0) && (commandData != NULL)) {
+ rc = TSS_TPM2B_StringCopy(&in.data.b, commandData, nvBufferMax);
+ }
+ if (rc == 0) {
+ in.nvIndex = nvIndex;
+ in.offset = offset; /* beginning offset */
+ bytesWritten = 0;
+ }
+ while ((rc == 0) && !done) {
+ uint16_t writeBytes = 0; /* bytes to write in this pass, initialized to
+ suppress false gcc -O3 warning */
+ if (rc == 0) {
+ /* for data from file, write a chunk */
+ if (datafilename != NULL) {
+ in.offset = offset + bytesWritten;
+ if ((uint32_t)(writeLength - bytesWritten) < nvBufferMax) {
+ writeBytes = (uint16_t)writeLength - bytesWritten; /* last chunk */
+ }
+ else {
+ writeBytes = nvBufferMax; /* next chunk */
+ }
+ rc = TSS_TPM2B_Create(&in.data.b, writeBuffer + bytesWritten, writeBytes,
+ sizeof(in.data.t.buffer));
+ }
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvwrite: writing %u bytes\n", in.data.b.size);
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_Write,
+ sessionHandle0, nvPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ /* data file can be written in chunks, other options are single write */
+ if (rc == 0) {
+ if (datafilename == NULL) {
+ done = TRUE;
+ }
+ else {
+ bytesWritten += writeBytes;
+ if (bytesWritten == writeLength) {
+ done = TRUE;
+ }
+ }
+ }
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvwrite: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvwrite: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ if (rc == TSS_RC_FILE_OPEN) {
+ printf("Possible cause: missing nvreadpublic before nvwrite\n");
+ }
+ rc = EXIT_FAILURE;
+ }
+ free(writeBuffer); /* @1 */
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvwrite\n");
+ printf("\n");
+ printf("Runs TPM2_NV_Write\n");
+ printf("\n");
+ printf("\t[-hia\thierarchy authorization (o, p)(default index authorization)]\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t[-pwdn\tauthorization password (default empty)]\n");
+ printf("\t\thierarchy or NV index password\n");
+ printf("\t[-ic\tdata string]\n");
+ printf("\t[-if\tdata file]\n");
+ printf("\t[-id\tdata values, pinPass and pinLimit (4 bytes each)]\n");
+ printf("\t\tif none is specified, a 0 byte write occurs\n");
+ printf("\t\t-id is normally used for pin pass or pin fail indexes\n");
+ printf("\t[-off\toffset (default 0)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
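Review bot: `-off` is parsed with atoi() into a `uint16_t` at L77131 and later combined as `in.offset = offset + bytesWritten` at L77289, so a negative, non-numeric or >65535 offset is silently truncated/wrapped instead of rejected, and a multi-chunk write whose `offset + writeLength` exceeds 0xffff wraps the offset in int arithmetic before it reaches the TPM. The `-id` values at L77111 and L77114 use atoi() into `uint32_t` with the same lack of diagnostics. I would parse with strtoul and range-check (below), and next to the existing 0xffff size check at L77260 add `if ((size_t)offset + writeLength > 0xffff) { printf("nvwrite: offset plus size exceeds 0xffff\n"); rc = TSS_RC_INSUFFICIENT_BUFFER; }`. Unrelated but in the same hunk, the message at L77221 is missing its closing parenthesis: `printf("More than one input data source (-if, -ic, -id)\n");`.

```c
	    else if (strcmp(argv[i],"-off") == 0) {
		i++;
		if (i < argc) {
		    char *end = NULL;
		    unsigned long v = strtoul(argv[i], &end, 10);
		    /* reject non-numeric input and anything that does not fit the UINT16 offset;
		       on ERANGE strtoul returns ULONG_MAX, which the range test also catches */
		    if ((end == argv[i]) || (*end != '\0') || (v > 0xffff)) {
			printf("-off value out of range\n");
			printUsage();
		    }
		    offset = (uint16_t)v;
		}
		/* … unchanged: missing-parameter branch … */
	    }
```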
diff --git a/libstb/tss2/ibmtpm20tss/utils/nvwritelock.c b/libstb/tss2/ibmtpm20tss/utils/nvwritelock.c
new file mode 100644
index 0000000..9d6c8cf
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/nvwritelock.c
@@ -0,0 +1,259 @@
+/********************************************************************************/
+/* */
+/* NV WriteLock */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ NV_WriteLock_In in;
+ char hierarchyAuthChar = 0;
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ const char *nvPassword = NULL; /* default no password */
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ nvPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hia") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyAuthChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hia\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((nvIndex >> 24) != TPM_HT_NV_INDEX) {
+ printf("NV index handle not specified or out of range, MSB not 01\n");
+ printUsage();
+ }
+ /* Authorization handle */
+ if (rc == 0) {
+ if (hierarchyAuthChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyAuthChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else if (hierarchyAuthChar == 0) {
+ in.authHandle = nvIndex;
+ }
+ else {
+ printf("\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ in.nvIndex = nvIndex;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_WriteLock,
+ sessionHandle0, nvPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("nvwritelock: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("nvwritelock: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("nvwritelock\n");
+ printf("\n");
+ printf("Runs TPM2_NV_WriteLock\n");
+ printf("\n");
+ printf("\t[-hia\thierarchy authorization (o, p) (default index authorization)]\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t-pwdn\tpassword for NV index (default empty)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
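Review bot: The illegal `-hia` branch at L77579-L77582 prints only a blank line before calling printUsage(), so the user gets no hint which option was wrong; the sibling tools report the option name, and `printf("Illegal -hia value\n");` would match that style. The same silent branch appears in nvwrite.c at L77235-L77238. The usage text at L77633 also describes `-pwdn` as "password for NV index", but with `-hia o` or `-hia p` the same value is sent as the owner or platform hierarchy password (L77571/L77574 with L77598); nvwrite.c's usage says "hierarchy or NV index password", which is the accurate wording to use here too.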
diff --git a/libstb/tss2/ibmtpm20tss/utils/objectchangeauth.c b/libstb/tss2/ibmtpm20tss/utils/objectchangeauth.c
new file mode 100644
index 0000000..64005d2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/objectchangeauth.c
@@ -0,0 +1,328 @@
+/********************************************************************************/
+/* */
+/* ObjectChangeAuth */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ObjectChangeAuth_In in;
+ ObjectChangeAuth_Out out;
+ TPMI_DH_OBJECT parentHandle = TPM_RH_NULL;
+ TPMI_DH_OBJECT objectHandle = TPM_RH_NULL;
+ const char *objectPassword = NULL;
+ const char *newPassword = NULL;
+ const char *newPasswordFilename = NULL;
+ uint8_t *newPasswordBuffer = NULL;
+ size_t newPasswordBufferLength = 0;
+ const char *newPasswordPtr = NULL;
+ const char *privateKeyFilename = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hp") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &parentHandle );
+ }
+ else {
+ printf("Missing parameter for -hp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ho") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &objectHandle);
+ }
+ else {
+ printf("Missing parameter for -ho\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdo") == 0) {
+ i++;
+ if (i < argc) {
+ objectPassword = argv[i];
+ }
+ else {
+ printf("-pwdo option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdn") == 0) {
+ i++;
+ if (i < argc) {
+ newPassword = argv[i];
+ }
+ else {
+ printf("-pwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ipwdn") == 0) {
+ i++;
+ if (i < argc) {
+ newPasswordFilename = argv[i];
+ }
+ else {
+ printf("-ipwdn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opr") == 0) {
+ i++;
+ if (i < argc) {
+ privateKeyFilename = argv[i];
+ }
+ else {
+ printf("-opr option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (parentHandle == TPM_RH_NULL) {
+ printf("Missing or bad parent handle parameter -hp\n");
+ printUsage();
+ }
+ if (objectHandle == TPM_RH_NULL) {
+ printf("Missing or bad object handle parameter -ho\n");
+ printUsage();
+ }
+ if ((newPassword != NULL) && (newPasswordFilename != NULL)) {
+ printf("Only one of -pwdn and -ipwdn can be specified\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.objectHandle = objectHandle;
+ in.parentHandle = parentHandle;
+ }
+ if (rc == 0) {
+ /* use passsword from command line */
+ if (newPassword != NULL) {
+ newPasswordPtr = newPassword;
+ }
+ /* use password from file */
+ else if (newPasswordFilename != NULL) {
+ rc = TSS_File_ReadBinaryFile(&newPasswordBuffer, /* freed @2 */
+ &newPasswordBufferLength,
+ newPasswordFilename);
+ newPasswordPtr = (const char *)newPasswordBuffer;
+ }
+ /* empty password */
+ else {
+ newPasswordPtr = NULL;
+ }
+ }
+ /* convert password string to TPM2B */
+ if (rc == 0) {
+ if (newPasswordPtr == NULL) {
+ in.newAuth.t.size = 0;
+ }
+ else {
+ rc = TSS_TPM2B_StringCopy(&in.newAuth.b,
+ newPasswordPtr, sizeof(in.newAuth.t.buffer));
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ObjectChangeAuth,
+ sessionHandle0, objectPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /* save the private key */
+ if ((rc == 0) && (privateKeyFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.outPrivate,
+ (MarshalFunction_t)TSS_TPM2B_PRIVATE_Marshalu,
+ privateKeyFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("objectchangeauth: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("objectchangeauth: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("objectchangeauth\n");
+ printf("\n");
+ printf("Runs TPM2_ObjectChangeAuth\n");
+ printf("\n");
+ printf("\t-hp\tparent handle\n");
+ printf("\t-ho\tobject handle\n");
+ printf("\t[-pwdo\tpassword for object (default empty)]\n");
+ printf("\t[-pwdn\tnew password for object (default empty)]\n");
+ printf("\t[-pwdni\tnew password file for object, nul terminated (default empty)]\n");
+ printf("\t[-opr\tprivate key file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
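Review bot: The buffer returned by TSS_File_ReadBinaryFile at L77890 is annotated `/* freed @2 */`, but no `free(newPasswordBuffer)` appears anywhere in main, so the new password read via `-ipwdn` leaks and stays in process memory; add `free(newPasswordBuffer); /* @2 */` before `return rc;` at L77950, clearing the bytes first since they are a secret. TSS_TPM2B_StringCopy at L77906 is handed the destination capacity rather than `newPasswordBufferLength`, so it presumably treats the file contents as a C string, yet nothing checks that the file actually contains a terminating NUL as the usage text requires; after a successful read, reject the file unless `newPasswordBufferLength > 0 && newPasswordBuffer[newPasswordBufferLength - 1] == '\0'`. The usage string at L77964 names the option `-pwdni`, while the parser at L77769 accepts `-ipwdn`; the usage line should read `printf("\t[-ipwdn\tnew password file for object, nul terminated (default empty)]\n");`.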
diff --git a/libstb/tss2/ibmtpm20tss/utils/objecttemplates.c b/libstb/tss2/ibmtpm20tss/utils/objecttemplates.c
new file mode 100644
index 0000000..06b07ef
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/objecttemplates.c
@@ -0,0 +1,582 @@
+/********************************************************************************/
+/* */
+/* Object Templates */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* These are templates suitable for creating typical objects. The functions are shared by create
+ and createprimary
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+#include "objecttemplates.h"
+
+/* asymPublicTemplate() is a template for an ECC or RSA key.
+
+ It can create these types:
+
+ TYPE_ST: storage key (decrypt, restricted, RSA NULL scheme, EC NULL scheme)
+ TYPE_DEN: decryption key (not storage key, RSA NULL scheme, EC NULL scheme)
+ TYPE_DEO: decryption key (not storage key, RSA OAEP scheme, EC NULL scheme)
+ TYPE_DEE: decryption key (not storage key, RSA ES scheme, EC NULL scheme)
+ TYPE_SI: signing key (unrestricted, RSA NULL schemem EC NULL scheme)
+ TYPE_SIR: signing key (restricted, RSA RSASSA scheme, EC ECDSA scheme)
+ TYPE_GP: general purpose key
+ TYPE_DAA: signing key (unrestricted, ECDAA)
+ TYPE_DAAR: signing key (restricted, ECDAA)
+*/
+
+TPM_RC asymPublicTemplate(TPMT_PUBLIC *publicArea, /* output */
+ TPMA_OBJECT addObjectAttributes, /* add default, can be overridden
+ here */
+ TPMA_OBJECT deleteObjectAttributes,
+ int keyType, /* see above */
+ TPMI_ALG_PUBLIC algPublic, /* RSA or ECC */
+ TPMI_RSA_KEY_BITS keyBits, /* RSA modulus */
+ TPMI_ECC_CURVE curveID, /* for ECC */
+ TPMI_ALG_HASH nalg, /* Name algorithm */
+ TPMI_ALG_HASH halg, /* hash algorithm */
+ const char *policyFilename) /* binary policy, NULL means empty */
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ publicArea->objectAttributes = addObjectAttributes;
+ /* Table 185 - TPM2B_PUBLIC inPublic */
+ /* Table 184 - TPMT_PUBLIC publicArea */
+ publicArea->type = algPublic; /* RSA or ECC */
+ publicArea->nameAlg = nalg;
+
+ /* Table 32 - TPMA_OBJECT objectAttributes */
+ publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
+
+ switch (keyType) {
+ case TYPE_DEN:
+ case TYPE_DEO:
+ case TYPE_DEE:
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
+ break;
+ case TYPE_ST:
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
+ break;
+ case TYPE_SI:
+ case TYPE_DAA:
+ publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
+ break;
+ case TYPE_SIR:
+ case TYPE_DAAR:
+ publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
+ break;
+ case TYPE_GP:
+ publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
+ break;
+ }
+ publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
+ }
+ if (rc == 0) {
+ /* Table 72 - TPM2B_DIGEST authPolicy */
+ /* policy set separately */
+
+ /* Table 182 - Definition of TPMU_PUBLIC_PARMS parameters */
+ if (algPublic == TPM_ALG_RSA) {
+ /* Table 180 - Definition of {RSA} TPMS_RSA_PARMS rsaDetail */
+ /* Table 129 - Definition of TPMT_SYM_DEF_OBJECT Structure symmetric */
+ switch (keyType) {
+ case TYPE_DEN:
+ case TYPE_DEO:
+ case TYPE_DEE:
+ case TYPE_SI:
+ case TYPE_SIR:
+ case TYPE_GP:
+ /* Non-storage keys must have TPM_ALG_NULL for the symmetric algorithm */
+ publicArea->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_NULL;
+ break;
+ case TYPE_ST:
+ publicArea->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES;
+ /* Table 125 - TPMU_SYM_KEY_BITS keyBits */
+ publicArea->parameters.rsaDetail.symmetric.keyBits.aes = 128;
+ /* Table 126 - TPMU_SYM_MODE mode */
+ publicArea->parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ break;
+ }
+
+ /* Table 155 - Definition of {RSA} TPMT_RSA_SCHEME scheme */
+ switch (keyType) {
+ case TYPE_DEN:
+ case TYPE_GP:
+ case TYPE_ST:
+ case TYPE_SI:
+ publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
+ break;
+ case TYPE_DEO:
+ publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_OAEP;
+ /* Table 152 - Definition of TPMU_ASYM_SCHEME details */
+ /* Table 152 - Definition of TPMU_ASYM_SCHEME rsassa */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH hashAlg */
+ publicArea->parameters.rsaDetail.scheme.details.oaep.hashAlg = halg;
+ break;
+ case TYPE_DEE:
+ publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_RSAES;
+ /* Table 152 - Definition of TPMU_ASYM_SCHEME details */
+ /* Table 152 - Definition of TPMU_ASYM_SCHEME rsassa */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH hashAlg */
+ publicArea->parameters.rsaDetail.scheme.details.oaep.hashAlg = halg;
+ break;
+ case TYPE_SIR:
+ publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_RSASSA;
+ /* Table 152 - Definition of TPMU_ASYM_SCHEME details */
+ /* Table 152 - Definition of TPMU_ASYM_SCHEME rsassa */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH hashAlg */
+ publicArea->parameters.rsaDetail.scheme.details.rsassa.hashAlg = halg;
+ break;
+ }
+
+ /* Table 159 - Definition of {RSA} (TPM_KEY_BITS) TPMI_RSA_KEY_BITS Type keyBits */
+ publicArea->parameters.rsaDetail.keyBits = keyBits;
+ publicArea->parameters.rsaDetail.exponent = 0;
+ /* Table 177 - TPMU_PUBLIC_ID unique */
+ /* Table 177 - Definition of TPMU_PUBLIC_ID */
+ publicArea->unique.rsa.t.size = 0;
+ }
+ else { /* algPublic == TPM_ALG_ECC */
+ /* Table 181 - Definition of {ECC} TPMS_ECC_PARMS Structure eccDetail */
+ /* Table 129 - Definition of TPMT_SYM_DEF_OBJECT Structure symmetric */
+ switch (keyType) {
+ case TYPE_DEN:
+ case TYPE_DEO:
+ case TYPE_DEE:
+ case TYPE_SI:
+ case TYPE_SIR:
+ case TYPE_DAA:
+ case TYPE_DAAR:
+ case TYPE_GP:
+ /* Non-storage keys must have TPM_ALG_NULL for the symmetric algorithm */
+ publicArea->parameters.eccDetail.symmetric.algorithm = TPM_ALG_NULL;
+ break;
+ case TYPE_ST:
+ publicArea->parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES;
+ /* Table 125 - TPMU_SYM_KEY_BITS keyBits */
+ publicArea->parameters.eccDetail.symmetric.keyBits.aes = 128;
+ /* Table 126 - TPMU_SYM_MODE mode */
+ publicArea->parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ break;
+ }
+ /* Table 166 - Definition of (TPMT_SIG_SCHEME) {ECC} TPMT_ECC_SCHEME Structure scheme */
+ /* Table 164 - Definition of (TPM_ALG_ID) {ECC} TPMI_ALG_ECC_SCHEME Type scheme */
+ switch (keyType) {
+ case TYPE_GP:
+ case TYPE_SI:
+ case TYPE_DEN:
+ case TYPE_DEO:
+ case TYPE_DEE:
+ publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+ /* Table 165 - Definition of {ECC} (TPM_ECC_CURVE) TPMI_ECC_CURVE Type */
+ /* Table 10 - Definition of (UINT16) {ECC} TPM_ECC_CURVE Constants curveID */
+ publicArea->parameters.eccDetail.curveID = curveID;
+ /* Table 150 - Definition of TPMT_KDF_SCHEME Structure kdf */
+ /* Table 64 - Definition of (TPM_ALG_ID) TPMI_ALG_KDF Type */
+ publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ break;
+ case TYPE_SIR:
+ publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_ECDSA;
+ /* Table 152 - Definition of TPMU_ASYM_SCHEME details */
+ /* Table 143 - Definition of {ECC} Types for ECC Signature Schemes */
+ publicArea->parameters.eccDetail.scheme.details.ecdsa.hashAlg = halg;
+ /* Table 165 - Definition of {ECC} (TPM_ECC_CURVE) TPMI_ECC_CURVE Type */
+ /* Table 10 - Definition of (UINT16) {ECC} TPM_ECC_CURVE Constants curveID */
+ publicArea->parameters.eccDetail.curveID = curveID;
+ /* Table 150 - Definition of TPMT_KDF_SCHEME Structure kdf */
+ /* Table 64 - Definition of (TPM_ALG_ID) TPMI_ALG_KDF Type */
+ publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ /* Table 149 - Definition of TPMU_KDF_SCHEME Union <IN/OUT, S> */
+ /* Table 148 - Definition of Types for KDF Schemes, hash-based key-
+ or mask-generation functions */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure hashAlg */
+ publicArea->parameters.eccDetail.kdf.details.mgf1.hashAlg = halg;
+ break;
+ case TYPE_DAA:
+ case TYPE_DAAR:
+ publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_ECDAA;
+ publicArea->parameters.eccDetail.scheme.details.ecdaa.hashAlg = halg;
+ publicArea->parameters.eccDetail.scheme.details.ecdaa.count = 1;
+ publicArea->parameters.eccDetail.curveID = curveID;
+ publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ publicArea->unique.ecc.y.t.size = 0;
+ publicArea->unique.ecc.x.t.size = 0;
+ break;
+ case TYPE_ST:
+ publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+ publicArea->parameters.eccDetail.scheme.details.anySig.hashAlg = 0;
+ publicArea->parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
+ publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ publicArea->parameters.eccDetail.kdf.details.mgf1.hashAlg = 0;
+ break;
+ }
+ /* Table 177 - TPMU_PUBLIC_ID unique */
+ /* Table 177 - Definition of TPMU_PUBLIC_ID */
+ publicArea->unique.ecc.x.t.size = 0;
+ publicArea->unique.ecc.y.t.size = 0;
+ }
+ }
+ if (rc == 0) {
+ rc = getPolicy(publicArea, policyFilename);
+ }
+ return rc;
+}
+
+/* symmetricCipherTemplate() is a template for an AES 128 CFB key
+
+ */
+
+TPM_RC symmetricCipherTemplate(TPMT_PUBLIC *publicArea, /* output */
+ TPMA_OBJECT addObjectAttributes, /* add default, can be overridden
+ here */
+ TPMA_OBJECT deleteObjectAttributes,
+ TPMI_ALG_HASH nalg, /* Name algorithm */
+ int rev116, /* TPM rev 116 compatibility, sets SIGN */
+ const char *policyFilename) /* binary policy, NULL means empty */
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ publicArea->objectAttributes = addObjectAttributes;
+
+ /* Table 185 - TPM2B_PUBLIC inPublic */
+ /* Table 184 - TPMT_PUBLIC publicArea */
+ publicArea->type = TPM_ALG_SYMCIPHER;
+ publicArea->nameAlg = nalg;
+ /* Table 32 - TPMA_OBJECT objectAttributes */
+ /* rev 116 used DECRYPT for both decrypt and encrypt. After 116, encrypt required SIGN */
+ if (!rev116) {
+ /* actually encrypt */
+ publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
+ }
+ publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
+ publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
+ /* Table 72 - TPM2B_DIGEST authPolicy */
+ /* policy set separately */
+ /* Table 182 - Definition of TPMU_PUBLIC_PARMS parameters */
+ {
+ /* Table 131 - Definition of TPMS_SYMCIPHER_PARMS symDetail */
+ {
+ /* Table 129 - Definition of TPMT_SYM_DEF_OBJECT sym */
+ /* Table 62 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM_OBJECT Type */
+ publicArea->parameters.symDetail.sym.algorithm = TPM_ALG_AES;
+ /* Table 125 - Definition of TPMU_SYM_KEY_BITS Union */
+ publicArea->parameters.symDetail.sym.keyBits.aes = 128;
+ /* Table 126 - Definition of TPMU_SYM_MODE Union */
+ publicArea->parameters.symDetail.sym.mode.aes = TPM_ALG_CFB;
+ }
+ }
+ /* Table 177 - TPMU_PUBLIC_ID unique */
+ /* Table 72 - Definition of TPM2B_DIGEST Structure */
+ publicArea->unique.sym.t.size = 0;
+ }
+ if (rc == 0) {
+ rc = getPolicy(publicArea, policyFilename);
+ }
+ return rc;
+}
+
+/* keyedHashPublicTemplate() is a template for an HMAC key
+
+ It can create these types:
+
+ TYPE_KH: HMAC key, unrestricted
+ TYPE_KHR: HMAC key, restricted
+*/
+
+TPM_RC keyedHashPublicTemplate(TPMT_PUBLIC *publicArea, /* output */
+ TPMA_OBJECT addObjectAttributes, /* add default, can be overridden
+ here */
+ TPMA_OBJECT deleteObjectAttributes,
+ int keyType, /* see above */
+ TPMI_ALG_HASH nalg, /* Name algorithm */
+ TPMI_ALG_HASH halg, /* hash algorithm */
+ const char *policyFilename) /* binary policy, NULL means empty */
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ publicArea->objectAttributes = addObjectAttributes;
+
+ /* Table 185 - TPM2B_PUBLIC inPublic */
+ /* Table 184 - TPMT_PUBLIC publicArea */
+ /* Table 176 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
+ publicArea->type = TPM_ALG_KEYEDHASH;
+ /* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type */
+ publicArea->nameAlg = nalg;
+ /* Table 32 - TPMA_OBJECT objectAttributes */
+ publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
+ switch (keyType) {
+ case TYPE_KH:
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
+ break;
+ case TYPE_KHR:
+ publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
+ break;
+ }
+ publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
+ /* Table 72 - TPM2B_DIGEST authPolicy */
+ /* policy set separately */
+ {
+ /* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
+ /* Table 178 - Definition of TPMS_KEYEDHASH_PARMS Structure */
+ /* Table 141 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
+ /* Table 137 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
+ publicArea->parameters.keyedHashDetail.scheme.scheme = TPM_ALG_HMAC;
+ /* Table 140 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
+ /* Table 138 - Definition of Types for HMAC_SIG_SCHEME */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+ publicArea->parameters.keyedHashDetail.scheme.details.hmac.hashAlg = halg;
+ }
+ /* Table 177 - TPMU_PUBLIC_ID unique */
+ /* Table 72 - Definition of TPM2B_DIGEST Structure */
+ publicArea->unique.sym.t.size = 0;
+ }
+ if (rc == 0) {
+ rc = getPolicy(publicArea, policyFilename);
+ }
+ return rc;
+}
+
+/* derivationParentPublicTemplate() is a template for a derivation parent
+
+ The key is not restricted
+*/
+
+TPM_RC derivationParentPublicTemplate(TPMT_PUBLIC *publicArea, /* output */
+ TPMA_OBJECT addObjectAttributes, /* add default, can be
+ overridden here */
+ TPMA_OBJECT deleteObjectAttributes,
+ TPMI_ALG_HASH nalg, /* Name algorithm */
+ TPMI_ALG_HASH halg, /* hash algorithm */
+ const char *policyFilename) /* binary policy, NULL means
+ empty */
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ publicArea->objectAttributes = addObjectAttributes;
+
+ /* Table 185 - TPM2B_PUBLIC inPublic */
+ /* Table 184 - TPMT_PUBLIC publicArea */
+ /* Table 176 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
+ publicArea->type = TPM_ALG_KEYEDHASH;
+ /* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type */
+ publicArea->nameAlg = nalg;
+ /* Table 32 - TPMA_OBJECT objectAttributes */
+ publicArea->objectAttributes.val |= TPMA_OBJECT_FIXEDTPM;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_FIXEDPARENT;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
+ publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
+ /* Table 72 - TPM2B_DIGEST authPolicy */
+ /* policy set separately */
+ {
+ /* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
+ /* Table 178 - Definition of TPMS_KEYEDHASH_PARMS Structure */
+ /* Table 141 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
+ /* Table 137 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
+ publicArea->parameters.keyedHashDetail.scheme.scheme = TPM_ALG_XOR;
+ /* Table 140 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
+ /* Table 138 - Definition of Types for HMAC_SIG_SCHEME */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+ publicArea->parameters.keyedHashDetail.scheme.details.xorr.kdf = TPM_ALG_KDF1_SP800_108;
+ publicArea->parameters.keyedHashDetail.scheme.details.xorr.hashAlg = halg;
+ }
+ /* Table 177 - TPMU_PUBLIC_ID unique */
+ /* Table 72 - Definition of TPM2B_DIGEST Structure */
+ publicArea->unique.sym.t.size = 0;
+ }
+ if (rc == 0) {
+ rc = getPolicy(publicArea, policyFilename);
+ }
+ return rc;
+}
+
+/* blPublicTemplate() is a template for a sealed data blob.
+
+*/
+
+TPM_RC blPublicTemplate(TPMT_PUBLIC *publicArea, /* output */
+ TPMA_OBJECT addObjectAttributes, /* add default, can be overridden
+ here */
+ TPMA_OBJECT deleteObjectAttributes,
+ TPMI_ALG_HASH nalg, /* Name algorithm */
+ const char *policyFilename) /* binary policy, NULL means empty */
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ publicArea->objectAttributes = addObjectAttributes;
+
+ /* Table 185 - TPM2B_PUBLIC inPublic */
+ /* Table 184 - TPMT_PUBLIC publicArea */
+ /* Table 176 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
+ publicArea->type = TPM_ALG_KEYEDHASH;
+ /* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type */
+ publicArea->nameAlg = nalg;
+ /* Table 32 - TPMA_OBJECT objectAttributes */
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN;
+ publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
+ publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
+ publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
+ /* Table 72 - TPM2B_DIGEST authPolicy */
+ /* policy set separately */
+ {
+ /* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
+ /* Table 178 - Definition of TPMS_KEYEDHASH_PARMS Structure */
+ /* Table 141 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
+ /* Table 137 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
+ publicArea->parameters.keyedHashDetail.scheme.scheme = TPM_ALG_NULL;
+ /* Table 140 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
+ }
+ /* Table 177 - TPMU_PUBLIC_ID unique */
+ /* Table 72 - Definition of TPM2B_DIGEST Structure */
+ publicArea->unique.sym.t.size = 0;
+ }
+ if (rc == 0) {
+ rc = getPolicy(publicArea, policyFilename);
+ }
+ return rc;
+}
+
+TPM_RC getPolicy(TPMT_PUBLIC *publicArea,
+ const char *policyFilename)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (policyFilename != NULL) {
+ rc = TSS_File_Read2B(&publicArea->authPolicy.b,
+ sizeof(publicArea->authPolicy.t.buffer),
+ policyFilename);
+ }
+ else {
+ publicArea->authPolicy.t.size = 0; /* default empty policy */
+ }
+ }
+ return rc;
+}
+
+void printUsageTemplate(void)
+{
+ printf("\t[Asymmetric Key Algorithm]\n");
+ printf("\n");
+ printf("\t-rsa keybits (default)\n");
+ printf("\t\t(2048 default)\n");
+ printf("\t-ecc curve\n");
+ printf("\t\tbnp256\n");
+ printf("\t\tnistp256\n");
+ printf("\t\tnistp384\n");
+ printf("\n");
+ printf("\tKey attributes\n");
+ printf("\n");
+ printf("\t\t-bl\tdata blob for unseal (create only)\n");
+ printf("\t\t\trequires -if\n");
+ printf("\t\t-den\tdecryption, (unrestricted, RSA and EC NULL scheme)\n");
+ printf("\t\t-deo\tdecryption, (unrestricted, RSA OAEP, EC NULL scheme)\n");
+ printf("\t\t-dee\tdecryption, (unrestricted, RSA ES, EC NULL scheme)\n");
+ printf("\t\t-des\tencryption/decryption, AES symmetric\n");
+ printf("\t\t\t[-116 for TPM rev 116 compatibility]\n");
+ printf("\t\t-st\tstorage (restricted)\n");
+ printf("\t\t\t[default for primary keys]\n");
+ printf("\t\t-si\tunrestricted signing (RSA and EC NULL scheme)\n");
+ printf("\t\t-sir\trestricted signing (RSA RSASSA, EC ECDSA scheme)\n");
+ printf("\t\t-dau\tunrestricted ECDAA signing key pair\n");
+ printf("\t\t-dar\trestricted ECDAA signing key pair\n");
+ printf("\t\t-kh\tkeyed hash (unrestricted, hmac)\n");
+ printf("\t\t-khr\tkeyed hash (restricted, hmac)\n");
+ printf("\t\t-dp\tderivation parent\n");
+ printf("\t\t-gp\tgeneral purpose, not storage\n");
+ printf("\n");
+ printf("\t\t[-kt\t(can be specified more than once)]\n"
+ "\t\t\tf\tfixedTPM (default for primary keys and derivation parents)\n"
+ "\t\t\tp\tfixedParent (default for primary keys and derivation parents)\n"
+ "\t\t\tnf\tno fixedTPM (default for non-primary keys)\n"
+ "\t\t\tnp\tno fixedParent (default for non-primary keys)\n"
+ "\t\t\ted\tencrypted duplication (default not set)\n");
+ printf("\t[-da\tobject subject to DA protection (default no)]\n");
+ printf("\t[-pol\tpolicy file (default empty)]\n");
+ printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
+ printf("\t[-if\tdata (inSensitive) file name]\n");
+ printf("\n");
+ printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ return;
+}
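Review bot: Neither `switch (keyType)` in asymPublicTemplate has a `default` case, so a type that is defined in objecttemplates.h but not handled here (TYPE_BL, TYPE_DES, TYPE_KH, TYPE_KHR, TYPE_DP) leaves `parameters.rsaDetail.symmetric.algorithm` and `scheme.scheme` — or, on the ECC side, `curveID` and the scheme — untouched in the caller-supplied TPMT_PUBLIC while the function still returns 0, which is how a key ends up created with whatever attributes the caller's buffer happened to hold. Unless every caller is guaranteed to validate keyType first, add `default: rc = <TSS_RC error code placeholder>; break;` to each switch, or reject unknown types once at the top of the function. Two smaller points in the same hunk: the ECC TYPE_ST case hard-codes `publicArea->parameters.eccDetail.curveID = TPM_ECC_NIST_P256;` and ignores the `curveID` argument, which looks unintentional given that the RSA branch honours `keyBits` and every other ECC case uses `curveID`; and the header comment on derivationParentPublicTemplate says "The key is not restricted" while the body sets TPMA_OBJECT_RESTRICTED twice (after FIXEDPARENT and again after ADMINWITHPOLICY). That comment should read `/* The key is a restricted decryption key using the XOR scheme, as a derivation parent must be */`, and one of the duplicate RESTRICTED assignments can be dropped.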
diff --git a/libstb/tss2/ibmtpm20tss/utils/objecttemplates.h b/libstb/tss2/ibmtpm20tss/utils/objecttemplates.h
new file mode 100644
index 0000000..8779178
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/objecttemplates.h
@@ -0,0 +1,108 @@
+/********************************************************************************/
+/* */
+/* Object Templates */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef OBJECTTEMPLATES_H
+#define OBJECTTEMPLATES_H
+
+/* object type */
+
+#define TYPE_BL 1
+#define TYPE_ST 2
+#define TYPE_DEN 3
+#define TYPE_DEO 4
+#define TYPE_SI 5
+#define TYPE_SIR 6
+#define TYPE_GP 7
+#define TYPE_DES 8
+#define TYPE_KH 9
+#define TYPE_DP 10
+#define TYPE_DAA 11
+#define TYPE_DAAR 12
+#define TYPE_KHR 13
+#define TYPE_DEE 14
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ TPM_RC asymPublicTemplate(TPMT_PUBLIC *publicArea,
+ TPMA_OBJECT addObjectAttributes,
+ TPMA_OBJECT deleteObjectAttributes,
+ int type,
+ TPMI_ALG_PUBLIC algPublic,
+ TPMI_RSA_KEY_BITS keyBits,
+ TPMI_ECC_CURVE curveID,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *policyFilename);
+ TPM_RC symmetricCipherTemplate(TPMT_PUBLIC *publicArea,
+ TPMA_OBJECT addObjectAttributes,
+ TPMA_OBJECT deleteObjectAttributes,
+ TPMI_ALG_HASH nalg,
+ int rev116,
+ const char *policyFilename);
+ TPM_RC keyedHashPublicTemplate(TPMT_PUBLIC *publicArea,
+ TPMA_OBJECT addObjectAttributes,
+ TPMA_OBJECT deleteObjectAttributes,
+ int type,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *policyFilename);
+ TPM_RC derivationParentPublicTemplate(TPMT_PUBLIC *publicArea,
+ TPMA_OBJECT addObjectAttributes,
+ TPMA_OBJECT deleteObjectAttributes,
+ TPMI_ALG_HASH nalg,
+ TPMI_ALG_HASH halg,
+ const char *policyFilename);
+ TPM_RC blPublicTemplate(TPMT_PUBLIC *publicArea,
+ TPMA_OBJECT addObjectAttributes,
+ TPMA_OBJECT deleteObjectAttributes,
+ TPMI_ALG_HASH nalg,
+ const char *policyFilename);
+
+ void printUsageTemplate(void);
+
+ TPM_RC getPolicy(TPMT_PUBLIC *publicArea,
+ const char *policyFilename);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
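Review bot: objecttemplates.h uses TPM_RC, TPMT_PUBLIC, TPMA_OBJECT, TPMI_ALG_PUBLIC, TPMI_RSA_KEY_BITS, TPMI_ECC_CURVE and TPMI_ALG_HASH but includes nothing, so it compiles only when the includer has already pulled in the TSS headers (objecttemplates.c does so just before its `#include "objecttemplates.h"`). Adding `#include <ibmtss/tss.h>` directly after the include guard makes the header self-contained and lets any tool include it first. Two style points: the prototypes name the key-type parameter `type` while the definitions in objecttemplates.c call it `keyType`, and the TYPE_* constants would be clearer as an `enum` so the debugger shows the type name and `switch` statements over it can be checked for missing cases by the compiler.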
diff --git a/libstb/tss2/ibmtpm20tss/utils/pcrallocate.c b/libstb/tss2/ibmtpm20tss/utils/pcrallocate.c
new file mode 100644
index 0000000..70007dc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/pcrallocate.c
@@ -0,0 +1,342 @@
+/********************************************************************************/
+/* */
+/* PCR_Allocate */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void setPcrSelect(TPMS_PCR_SELECTION *pcrSelections,
+ TPM_ALG_ID hashAlg,
+ uint8_t select);
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PCR_Allocate_In in;
+ PCR_Allocate_Out out;
+ const char *platformPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+ unsigned int bankNumber = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwdp") == 0) {
+ i++;
+ if (i < argc) {
+ platformPassword = argv[i];
+ }
+ else {
+ printf("-pwdp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-sha1") == 0) {
+ if (bankNumber < HASH_COUNT) {
+ setPcrSelect(&in.pcrAllocation.pcrSelections[bankNumber],
+ TPM_ALG_SHA1, 0x00);
+ bankNumber++;
+ }
+ else {
+ printf("%u banks specified, TSS supports %u banks\n",
+ bankNumber+1, HASH_COUNT);
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"+sha1") == 0) {
+ if (bankNumber < HASH_COUNT) {
+ setPcrSelect(&in.pcrAllocation.pcrSelections[bankNumber],
+ TPM_ALG_SHA1, 0xff);
+ bankNumber++;
+ }
+ else {
+ printf("%u banks specified, TSS supports %u banks\n",
+ bankNumber+1, HASH_COUNT);
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-sha256") == 0) {
+ if (bankNumber < HASH_COUNT) {
+ setPcrSelect(&in.pcrAllocation.pcrSelections[bankNumber],
+ TPM_ALG_SHA256, 0x00);
+ bankNumber++;
+ }
+ else {
+ printf("%u banks specified, TSS supports %u banks\n",
+ bankNumber+1, HASH_COUNT);
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"+sha256") == 0) {
+ if (bankNumber < HASH_COUNT) {
+ setPcrSelect(&in.pcrAllocation.pcrSelections[bankNumber],
+ TPM_ALG_SHA256, 0xff);
+ bankNumber++;
+ }
+ else {
+ printf("%u banks specified, TSS supports %u banks\n",
+ bankNumber+1, HASH_COUNT);
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-sha384") == 0) {
+ if (bankNumber < HASH_COUNT) {
+ setPcrSelect(&in.pcrAllocation.pcrSelections[bankNumber],
+ TPM_ALG_SHA384, 0x00);
+ bankNumber++;
+ }
+ else {
+ printf("%u banks specified, TSS supports %u banks\n",
+ bankNumber+1, HASH_COUNT);
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"+sha384") == 0) {
+ if (bankNumber < HASH_COUNT) {
+ setPcrSelect(&in.pcrAllocation.pcrSelections[bankNumber],
+ TPM_ALG_SHA384, 0xff);
+ bankNumber++;
+ }
+ else {
+ printf("%u banks specified, TSS supports %u banks\n",
+ bankNumber+1, HASH_COUNT);
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-sha512") == 0) {
+ if (bankNumber < HASH_COUNT) {
+ setPcrSelect(&in.pcrAllocation.pcrSelections[bankNumber],
+ TPM_ALG_SHA512, 0x00);
+ bankNumber++;
+ }
+ else {
+ printf("%u banks specified, TSS supports %u banks\n",
+ bankNumber+1, HASH_COUNT);
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"+sha512") == 0) {
+ if (bankNumber < HASH_COUNT) {
+ setPcrSelect(&in.pcrAllocation.pcrSelections[bankNumber],
+ TPM_ALG_SHA512, 0xff);
+ bankNumber++;
+ }
+ else {
+ printf("%u banks specified, TSS supports %u banks\n",
+ bankNumber+1, HASH_COUNT);
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* at least one bank must be selected */
+ if (rc == 0) {
+ if (bankNumber == 0) {
+ printf("No PCR algorithm specified\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ in.authHandle = TPM_RH_PLATFORM;
+ in.pcrAllocation.count = bankNumber;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PCR_Allocate,
+ sessionHandle0, platformPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("pcrallocate: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("pcrallocate: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void setPcrSelect(TPMS_PCR_SELECTION *pcrSelections,
+ TPM_ALG_ID hashAlg,
+ uint8_t select)
+{
+ pcrSelections->hash = hashAlg;
+ pcrSelections->sizeofSelect = 3;
+ pcrSelections->pcrSelect[0] = select;
+ pcrSelections->pcrSelect[1] = select;
+ pcrSelections->pcrSelect[2] = select;
+ return;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("pcrallocate\n");
+ printf("\n");
+ printf("Runs TPM2_PCR_Allocate\n");
+ printf("\n");
+ printf("\nAllocates banks for a full set of PCR 0-23. Not all\n"
+ "hardware TPMs support multiple banks or all algorithms\n");
+ printf("\n");
+ printf("\t[-pwdp\tplatform hierarchy password (default empty)]\n");
+ printf("\t+sha1 -sha1 allocate / deallocate a SHA-1 bank\n");
+ printf("\t+sha256 -sha256 allocate / deallocate a SHA-256 bank\n");
+ printf("\t+sha384 -sha384 allocate / deallocate a SHA-384 bank\n");
+ printf("\t+sha512 -sha512 allocate / deallocate a SHA-512 bank\n");
+ printf("\t\tMore than one algorithm can be specified\n");
+ exit(1);
+}
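Review bot: The response is thrown away — `out` is filled by TSS_Execute at the TPM_CC_PCR_Allocate call but never read, so the tool prints success and exits 0 whenever the TPM returned rc 0, even if it answered with allocationSuccess = NO and reported the shortfall in sizeNeeded/sizeAvailable (assuming the TSS's PCR_Allocate_Out mirrors the spec response structure). Before the success message add `if (rc == 0 && !out.allocationSuccess) { printf("pcrallocate: allocation rejected, maxPCR %u sizeNeeded %u sizeAvailable %u\n", out.maxPCR, out.sizeNeeded, out.sizeAvailable); rc = EXIT_FAILURE; }` so scripts keying on the exit status do not assume the bank change went through. Because this is a platform-hierarchy command that changes which banks later attestation quotes can use, printUsage should also state that, as far as I recall from the spec, the new allocation only takes effect at the next TPM reset — the current text does not mention it.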
diff --git a/libstb/tss2/ibmtpm20tss/utils/pcrevent.c b/libstb/tss2/ibmtpm20tss/utils/pcrevent.c
new file mode 100644
index 0000000..affd0ed
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/pcrevent.c
@@ -0,0 +1,317 @@
+/********************************************************************************/
+/* */
+/* PCR_Event */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PCR_Event_In in;
+ PCR_Event_Out out;
+ TPMI_DH_PCR pcrHandle = IMPLEMENTATION_PCR;
+ const char *data = NULL;
+ const char *datafilename = NULL;
+ const char *outFilename1 = NULL; /* for sha1 */
+ const char *outFilename2 = NULL; /* for sha256 */
+ const char *outFilename3 = NULL; /* for sha384 */
+ const char *outFilename5 = NULL; /* for sha512 */
+ int process1 = FALSE; /* these catch the case */
+ int process2 = FALSE; /* where an output file was */
+ int process3 = FALSE; /* specified but the TPM did */
+ int process5 = FALSE; /* not return the algorithm */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%u", &pcrHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ic") == 0) {
+ i++;
+ if (i < argc) {
+ data = argv[i];
+ }
+ else {
+ printf("-ic option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-if") == 0) {
+ i++;
+ if (i < argc) {
+ datafilename = argv[i];
+ } else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-of1") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename1 = argv[i];
+ process1 = TRUE;
+ } else {
+ printf("-of1 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-of2") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename2 = argv[i];
+ process2 = TRUE;
+ } else {
+ printf("-of2 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-of3") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename3 = argv[i];
+ process3 = TRUE;
+ } else {
+ printf("-of3 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-of5") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename5 = argv[i];
+ process5 = TRUE;
+ } else {
+ printf("-of5 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (pcrHandle >= IMPLEMENTATION_PCR) {
+ printf("Missing or bad PCR handle parameter -ha\n");
+ printUsage();
+ }
+ if ((data == NULL) && (datafilename == NULL)) {
+ printf("Data string or data file must be specified\n");
+ printUsage();
+ }
+ if ((data != NULL) && (datafilename != NULL)) {
+ printf("Data string and data file cannot both be specified\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.pcrHandle = pcrHandle;
+ }
+ if (rc == 0) {
+ if (data != NULL) {
+ if (tssUtilsVerbose) printf("Event data %u bytes\n", (unsigned int)strlen(data));
+ rc = TSS_TPM2B_StringCopy(&in.eventData.b, data, sizeof(in.eventData.t.buffer));
+ }
+ }
+ if (datafilename != NULL) {
+ rc = TSS_File_Read2B(&in.eventData.b,
+ sizeof(in.eventData.t.buffer),
+ datafilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PCR_Event,
+ TPM_RS_PW, NULL, 0,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ uint32_t c;
+ printf("pcrevent: success\n");
+ /* Table 100 - Definition of TPML_DIGEST_VALUES Structure */
+ /* Table 71 - Definition of TPMT_HA Structure <IN/OUT> digests[] */
+ /* Table 70 - Definition of TPMU_HA Union <IN/OUT, S> digests */
+ printf("pcrevent: count %u\n", out.digests.count);
+
+ for (c = 0 ; c < out.digests.count ;c++) {
+ switch (out.digests.digests[c].hashAlg) {
+ case TPM_ALG_SHA1:
+ if (tssUtilsVerbose) printf("Hash algorithm SHA-1\n");
+ if (tssUtilsVerbose) TSS_PrintAll("Digest",
+ (uint8_t *)&out.digests.digests[c].digest.sha1,
+ SHA1_DIGEST_SIZE);
+ if (outFilename1 != NULL) {
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&out.digests.digests[c].digest.sha1,
+ SHA1_DIGEST_SIZE,
+ outFilename1);
+ process1 = FALSE;
+ }
+ break;
+ case TPM_ALG_SHA256:
+ if (tssUtilsVerbose) printf("Hash algorithm SHA-256\n");
+ if (tssUtilsVerbose) TSS_PrintAll("Digest",
+ (uint8_t *)&out.digests.digests[c].digest.sha256,
+ SHA256_DIGEST_SIZE);
+ if (outFilename2 != NULL) {
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&out.digests.digests[c].digest.sha256,
+ SHA256_DIGEST_SIZE,
+ outFilename2);
+ process2 = FALSE;
+ }
+ break;
+ case TPM_ALG_SHA384:
+ if (tssUtilsVerbose) printf("Hash algorithm SHA-384\n");
+ if (tssUtilsVerbose) TSS_PrintAll("Digest",
+ (uint8_t *)&out.digests.digests[c].digest.sha384,
+ SHA384_DIGEST_SIZE);
+ if (outFilename3 != NULL) {
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&out.digests.digests[c].digest.sha384,
+ SHA384_DIGEST_SIZE,
+ outFilename3);
+ process3 = FALSE;
+ }
+ break;
+ case TPM_ALG_SHA512:
+ if (tssUtilsVerbose) printf("Hash algorithm SHA-512\n");
+ if (tssUtilsVerbose) TSS_PrintAll("Digest",
+ (uint8_t *)&out.digests.digests[c].digest.sha512,
+ SHA512_DIGEST_SIZE);
+ if (outFilename5 != NULL) {
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&out.digests.digests[c].digest.sha512,
+ SHA512_DIGEST_SIZE,
+ outFilename5);
+ process5 = FALSE;
+ }
+ break;
+ default:
+ printf("Hash algorithm %04x unknown\n", out.digests.digests[c].hashAlg);
+ break;
+ }
+ }
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("pcrevent: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ if (rc == 0) {
+ if (process1) {
+ printf("-of1 specified but TPM did not return SHA-1\n");
+ rc = EXIT_FAILURE;
+ }
+ if (process2) {
+ printf("-of2 specified but TPM did not return SHA-256\n");
+ rc = EXIT_FAILURE;
+ }
+ if (process3) {
+ printf("-of3 specified but TPM did not return SHA-384\n");
+ rc = EXIT_FAILURE;
+ }
+ if (process5) {
+ printf("-of5 specified but TPM did not return SHA-512\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("pcrevent\n");
+ printf("\n");
+ printf("Runs TPM2_PCR_Event\n");
+ printf("\n");
+ printf("\t-ha\tpcr handle\n");
+ printf("\t-ic\tdata string\n");
+ printf("\t-if\tdata file\n");
+ printf("\t[-of1\tsha1 output digest file (default do not save)]\n");
+ printf("\t[-of2\tsha256 output digest file (default do not save)]\n");
+ printf("\t[-of3\tsha384 output digest file (default do not save)]\n");
+ printf("\t[-of5\tsha512 output digest file (default do not save)]\n");
+ exit(1);
+}
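Review bot: In the digest loop a failed TSS_File_WriteBinaryFile is not sticky: `rc` is reassigned by every later iteration that has an output file, so a failed SHA-1 write is masked by a successful SHA-256 write, and when it is not masked the tool returns a raw TSS return code with no message, because the failure branch was selected before the loop ran. Guard each call with `if (rc == 0) rc = TSS_File_WriteBinaryFile(...)` (or break on the first failure) and report the write error after the loop, ahead of the `process*` checks, which are themselves skipped once rc is non-zero. The bounds passed to TSS_TPM2B_StringCopy and TSS_File_Read2B for eventData look right.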
diff --git a/libstb/tss2/ibmtpm20tss/utils/pcrextend.c b/libstb/tss2/ibmtpm20tss/utils/pcrextend.c
new file mode 100644
index 0000000..be58209
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/pcrextend.c
@@ -0,0 +1,269 @@
+/********************************************************************************/
+/* */
+/* PCR_Extend */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ uint32_t algs; /* hash algorithm iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PCR_Extend_In in;
+ TPMI_DH_PCR pcrHandle = IMPLEMENTATION_PCR;
+ const char *dataString = NULL;
+ const char *datafilename = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* Table 100 - Definition of TPML_DIGEST_VALUES Structure */
+ in.digests.count = 0xffffffff; /* flag for default hash algorithm */
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%u", &pcrHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ /* Table 100 - Definition of TPML_DIGEST_VALUES Structure */
+ if (in.digests.count == 0xffffffff) { /* first time */
+ in.digests.count = 1; /* extend a bank */
+ }
+ else {
+ in.digests.count++; /* extend a bank */
+ }
+ if (in.digests.count > HASH_COUNT) {
+ printf("Too many -halg specifiers, %u permitted\n", HASH_COUNT);
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ /* Table 100 - Definition of TPML_DIGEST_VALUES Structure digests */
+ /* Table 71 - Definition of TPMT_HA Structure <IN/OUT> */
+ /* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type hashAlg */
+ if (strcmp(argv[i],"sha1") == 0) {
+ in.digests.digests[in.digests.count-1].hashAlg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ in.digests.digests[in.digests.count-1].hashAlg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ in.digests.digests[in.digests.count-1].hashAlg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ in.digests.digests[in.digests.count-1].hashAlg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ic") == 0) {
+ i++;
+ if (i < argc) {
+ dataString = argv[i];
+ }
+ else {
+ printf("-ic option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-if") == 0) {
+ i++;
+ if (i < argc) {
+ datafilename = argv[i];
+ } else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (pcrHandle >= IMPLEMENTATION_PCR) {
+ printf("Missing or bad PCR handle parameter -ha\n");
+ printUsage();
+ }
+ if ((dataString == NULL) && (datafilename == NULL)) {
+ printf("Data string or data file must be specified\n");
+ printUsage();
+ }
+ if ((dataString != NULL) && (datafilename != NULL)) {
+ printf("Data string and data file cannot both be specified\n");
+ printUsage();
+ }
+ if ((dataString != NULL) && (strlen(dataString) > sizeof(TPMU_HA))) {
+ printf("Data length greater than maximum hash size %lu bytes\n",
+ (unsigned long)sizeof(TPMU_HA));
+ printUsage();
+ }
+ /* handle default hash algorithm */
+ if (in.digests.count == 0xffffffff) { /* if none specified */
+ in.digests.count = 1;
+ in.digests.digests[0].hashAlg = TPM_ALG_SHA256;
+ }
+ if (rc == 0) {
+ in.pcrHandle = pcrHandle;
+ /* Table 70 - Definition of TPMU_HA Union <IN/OUT, S> */
+ /* append zero padding to maximum hash algorithm length */
+ for (algs = 0 ; algs < in.digests.count ; algs++) {
+ memset((uint8_t *)&in.digests.digests[algs].digest, 0, sizeof(TPMU_HA));
+ }
+ }
+ if (rc == 0) {
+ if (dataString != NULL) {
+ if (tssUtilsVerbose) printf("Extending %u bytes from stream into %u banks\n",
+ (unsigned int)strlen(dataString), in.digests.count);
+ for (algs = 0 ; algs < in.digests.count ; algs++) {
+ memcpy((uint8_t *)&in.digests.digests[algs].digest,
+ dataString, strlen(dataString));
+ }
+ }
+ }
+ if (datafilename != NULL) {
+ unsigned char *fileData = NULL;
+ size_t length;
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&fileData, /* freed @1 */
+ &length, datafilename);
+ }
+ if (rc == 0) {
+ if (length > sizeof(TPMU_HA)) {
+ printf("Data length greater than maximum hash size %lu bytes\n",
+ (unsigned long)sizeof(TPMU_HA));
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("Extending %u bytes from file into %u banks\n",
+ (unsigned int)length, in.digests.count);
+ for (algs = 0 ; algs < in.digests.count ; algs++) {
+ memcpy((uint8_t *)&in.digests.digests[algs].digest, fileData, length);
+ }
+ }
+ free(fileData); /* @1 */
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PCR_Extend,
+ TPM_RS_PW, NULL, 0,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("pcrextend: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("pcrextend: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("pcrextend\n");
+ printf("\n");
+ printf("Runs TPM2_PCR_Extend\n");
+ printf("\n");
+ printf("\t-ha\tpcr handle\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t\t-halg may be specified more than once\n");
+ printf("\n");
+ printf("\t-ic\tdata string, 0 pad appended to halg length\n");
+ printf("\t-if\tdata file, 0 pad appended to halg length\n");
+ exit(1);
+}
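Review bot: The over-long `-if` path assigns an exit status to a TPM_RC at `rc = EXIT_FAILURE;` (after the `length > sizeof(TPMU_HA)` check), so control then reaches the failure branch and hands the value 1 to TSS_ResponseCode_toString, which will decode it as a TPM response code (possibly a TPM 1.2 code, depending on how the TSS was built) and print a misleading second message under the correct one. The `-ic` path handles the same condition by calling `printUsage()` and exiting; doing the same here after `free(fileData)`, or skipping the decoder for locally generated failures, keeps the two paths consistent. It would also help to say in the comment at `append zero padding to maximum hash algorithm length` that the bytes are extended as the digest value itself (zero-padded), not hashed, so callers pass a digest rather than raw event data — the usage text implies this but the code does not.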
diff --git a/libstb/tss2/ibmtpm20tss/utils/pcrread.c b/libstb/tss2/ibmtpm20tss/utils/pcrread.c
new file mode 100644
index 0000000..768af50
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/pcrread.c
@@ -0,0 +1,437 @@
+/********************************************************************************/
+/* */
+/* PCR_Read */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tsscryptoh.h>
+
+static void printPcrRead(PCR_Read_Out *out);
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PCR_Read_In in;
+ PCR_Read_Out out;
+ TPMI_DH_PCR pcrHandle = IMPLEMENTATION_PCR;
+ const char *datafilename = NULL;
+ TPMI_ALG_HASH ahalg = TPM_ALG_SHA256;
+ uint32_t sizeInBytes = 0; /* initialized to suppress false gcc -O3
+ warning */
+ const char *sadfilename = NULL;
+ int noSpace = FALSE;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ in.pcrSelectionIn.count = 0xffffffff;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%u", &pcrHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ if (in.pcrSelectionIn.count == 0xffffffff) {
+ in.pcrSelectionIn.count = 1;
+ }
+ else {
+ in.pcrSelectionIn.count++;
+ }
+ if (in.pcrSelectionIn.count > HASH_COUNT) {
+ printf("Too many -halg specifiers, %u permitted\n", HASH_COUNT);
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ in.pcrSelectionIn.pcrSelections[in.pcrSelectionIn.count-1].hash = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ in.pcrSelectionIn.pcrSelections[in.pcrSelectionIn.count-1].hash = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ in.pcrSelectionIn.pcrSelections[in.pcrSelectionIn.count-1].hash = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ in.pcrSelectionIn.pcrSelections[in.pcrSelectionIn.count-1].hash = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ahalg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ ahalg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ ahalg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ ahalg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ ahalg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -ahalg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-of") == 0) {
+ i++;
+ if (i < argc) {
+ datafilename = argv[i];
+ } else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-iosad") == 0) {
+ i++;
+ if (i < argc) {
+ sadfilename = argv[i];
+ } else {
+ printf("-iosad option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ns") == 0) {
+ noSpace = TRUE;
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (pcrHandle >= IMPLEMENTATION_PCR) {
+ printf("Missing or bad PCR handle parameter -ha\n");
+ printUsage();
+ }
+ /* handle default hash algorithm */
+ if (in.pcrSelectionIn.count == 0xffffffff) { /* if none specified */
+ in.pcrSelectionIn.count = 1;
+ in.pcrSelectionIn.pcrSelections[0].hash = TPM_ALG_SHA256;
+ }
+ if (rc == 0) {
+ uint16_t c;
+ /* Table 102 - Definition of TPML_PCR_SELECTION Structure */
+ /* Table 85 - Definition of TPMS_PCR_SELECTION Structure */
+ for (c = 0 ; c < in.pcrSelectionIn.count ; c++) {
+ in.pcrSelectionIn.pcrSelections[c].sizeofSelect = 3;
+ in.pcrSelectionIn.pcrSelections[c].pcrSelect[0] = 0;
+ in.pcrSelectionIn.pcrSelections[c].pcrSelect[1] = 0;
+ in.pcrSelectionIn.pcrSelections[c].pcrSelect[2] = 0;
+ in.pcrSelectionIn.pcrSelections[c].pcrSelect[pcrHandle / 8] = 1 << (pcrHandle % 8);
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PCR_Read,
+ sessionHandle0, NULL, sessionAttributes0,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /* first hash algorithm, in binary */
+ if (rc != 0) {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("pcrread: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ if ((rc == 0) && (datafilename != NULL) && (out.pcrValues.count != 0)) {
+ rc = TSS_File_WriteBinaryFile(out.pcrValues.digests[0].t.buffer,
+ out.pcrValues.digests[0].t.size,
+ datafilename);
+ }
+ /* auth session hash algorithm for cpHash and rpHash */
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(ahalg);
+ }
+ /* option to output cpHash and rpHash to test session audit of PCR Read */
+ if (sadfilename != NULL) {
+ TPMT_HA cpHash;
+ uint8_t cpBuffer [MAX_COMMAND_SIZE];
+ uint16_t cpBufferSize = 0;
+ TPMT_HA rpHash;
+ uint8_t rpBuffer [MAX_RESPONSE_SIZE];
+ uint16_t rpBufferSize = 0;
+ uint8_t *tmpptr;
+ uint32_t tmpsize;
+ TPMT_HA sessionDigest;
+ uint8_t *sessionDigestData = NULL;
+ size_t sessionDigestSize;
+ /* calculate cpHash from CC || parameters */
+ if (rc == 0) {
+ tmpptr = cpBuffer;
+ tmpsize = sizeof(cpBuffer);
+ rc = TSS_TPML_PCR_SELECTION_Marshalu(&in.pcrSelectionIn,
+ &cpBufferSize, &tmpptr, &tmpsize);
+ }
+ if (rc == 0) {
+ TPM_CC commandCode = TPM_CC_PCR_Read;
+ TPM_CC commandCodeNbo = htonl(commandCode);
+ cpHash.hashAlg = ahalg;
+ rc = TSS_Hash_Generate(&cpHash, /* largest size of a digest */
+ sizeof(TPM_CC), &commandCodeNbo,
+ cpBufferSize, cpBuffer,
+ 0, NULL);
+ }
+ if ((rc == 0) && tssUtilsVerbose) {
+#if 0
+ TSS_PrintAll("cpBuffer", cpBuffer, cpBufferSize);
+ TSS_PrintAll("cpHash", (uint8_t *)&cpHash.digest, sizeInBytes);
+#endif
+ }
+ /* calculate rpHash from RC || CC || parameters */
+ if (rc == 0) {
+ tmpptr = rpBuffer;
+ tmpsize = sizeof(rpBuffer);
+ rc = TSS_UINT32_Marshalu(&out.pcrUpdateCounter,
+ &rpBufferSize, &tmpptr, &tmpsize);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_PCR_SELECTION_Marshalu(&out.pcrSelectionOut,
+ &rpBufferSize, &tmpptr, &tmpsize);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_DIGEST_Marshalu(&out.pcrValues,
+ &rpBufferSize, &tmpptr, &tmpsize);
+ }
+ if (rc == 0) {
+ TPM_CC commandCode = TPM_CC_PCR_Read;
+ TPM_CC commandCodeNbo = htonl(commandCode);
+ rpHash.hashAlg = ahalg;
+ rc = TSS_Hash_Generate(&rpHash, /* largest size of a digest */
+ sizeof(TPM_RC), &rc, /* RC is always 0, no need to endian
+ convert */
+ sizeof(TPM_CC), &commandCodeNbo,
+ rpBufferSize, rpBuffer,
+ 0, NULL);
+ }
+ if ((rc == 0) && tssUtilsVerbose) {
+#if 0
+ TSS_PrintAll("rpBuffer", rpBuffer, rpBufferSize);
+ TSS_PrintAll("rpHash", (uint8_t *)&rpHash.digest, sizeInBytes);
+#endif
+ }
+ /* read the original session digest, must be initialized to all zero */
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&sessionDigestData, /* freed @1 */
+ &sessionDigestSize,
+ sadfilename);
+ }
+ /* sanity check the size against the session digest hash algorithm */
+ if (rc == 0) {
+ if (sizeInBytes != sessionDigestSize) {
+ printf("pcrread: -ahalg size %u does not match digest size %u from %s\n",
+ (unsigned int)sizeInBytes, (unsigned int)sessionDigestSize, sadfilename);
+ }
+ }
+ /* extend cpHash and rpHash */
+ if (rc == 0) {
+ sessionDigest.hashAlg = ahalg;
+ rc = TSS_Hash_Generate(&sessionDigest,
+ sizeInBytes, sessionDigestData,
+ sizeInBytes, (uint8_t *)&cpHash.digest,
+ sizeInBytes, (uint8_t *)&rpHash.digest,
+ 0, NULL);
+ }
+ if ((rc == 0) && tssUtilsVerbose) {
+ TSS_PrintAll("Session digest old", sessionDigestData, sizeInBytes);
+ TSS_PrintAll("Session digest new", (uint8_t *)&sessionDigest.digest, sizeInBytes);
+ }
+ if (rc == 0) {
+ /* write back the result */
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&sessionDigest.digest,
+ sizeInBytes,
+ sadfilename);
+ }
+ free(sessionDigestData); /* @1 */
+ }
+ if (rc == 0) {
+ /* machine readable format */
+ if (noSpace) {
+ uint32_t count;
+ /* TPM can return count 0 if the requested algorithm is not allocated */
+ if (out.pcrValues.count != 0) {
+ for (count = 0 ; count < out.pcrValues.count ; count++) {
+ uint32_t bp;
+ for (bp = 0 ; bp < out.pcrValues.digests[count].t.size ; bp++) {
+ printf("%02x", out.pcrValues.digests[count].t.buffer[bp]);
+ }
+ printf("\n");
+ }
+ }
+ else {
+ printf("count %u\n", out.pcrValues.count);
+ }
+ }
+ /* human readable format, all hash algorithms */
+ else {
+ printPcrRead(&out);
+ if (tssUtilsVerbose) printf("pcrread: success\n");
+ }
+ }
+ return rc;
+}
+
+static void printPcrRead(PCR_Read_Out *out)
+{
+ uint32_t i;
+
+ /* Table 99 - Definition of TPML_DIGEST Structure */
+ printf("count %u pcrUpdateCounter %u \n", out->pcrValues.count, out->pcrUpdateCounter);
+ for (i = 0 ; i < out->pcrValues.count ; i++) {
+ TSS_PrintAll("digest", out->pcrValues.digests[i].t.buffer, out->pcrValues.digests[i].t.size);
+ }
+ return;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("pcrread\n");
+ printf("\n");
+ printf("Runs TPM2_PCR_Read\n");
+ printf("\n");
+ printf("\t-ha\tpcr handle\n");
+ printf("\t-halg\t(sha1, sha256, sha384, sha512) (default sha256)\n");
+ printf("\t\t-halg may be specified more than once\n");
+ printf("\t[-of\tdata file for first algorithm specified, in binary]\n");
+ printf("\t[-ahalg\t to extend session audit digest for testing (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-iosad\t file for session audit digest testing]\n");
+ printf("\t[-ns\tno space, no text, no newlines]\n");
+ printf("\t\tUsed for scripting policy construction\n");
+ printf("\n");
+ printf("\t-se0 session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t80\taudit\n");
+ exit(1);
+}
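Review bot: The `-iosad` size check in main only prints a message when `sizeInBytes != sessionDigestSize` and leaves `rc` at 0, so the following `TSS_Hash_Generate` still reads `sizeInBytes` bytes from `sessionDigestData` even when the file is shorter than the `-ahalg` digest length — an out-of-bounds read on a truncated or wrong-algorithm session digest file, followed by writing a digest of the new size back over it. Set `rc = EXIT_FAILURE;` after that `printf` so the extend and the write-back are skipped on a mismatch. Separately, the missing-value message under `-ahalg` names the wrong option; it should read `printf("-ahalg option needs a value\n");`.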
diff --git a/libstb/tss2/ibmtpm20tss/utils/pcrreset.c b/libstb/tss2/ibmtpm20tss/utils/pcrreset.c
new file mode 100644
index 0000000..f47e673
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/pcrreset.c
@@ -0,0 +1,144 @@
+/********************************************************************************/
+/* */
+/* PCR_Reset */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PCR_Reset_In in;
+ TPMI_DH_PCR pcrHandle = IMPLEMENTATION_PCR;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%u", &pcrHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (pcrHandle >= IMPLEMENTATION_PCR) {
+ printf("Missing or bad PCR handle parameter -ha\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.pcrHandle = pcrHandle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PCR_Reset,
+ TPM_RS_PW, NULL, 0,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("pcrreset: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("pcrreset: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("pcrreset\n");
+ printf("\n");
+ printf("Runs TPM2_PCR_Reset\n");
+ printf("\n");
+ printf("\t-ha\tpcr handle\n");
+ exit(1);
+}
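Review bot: The `-ha` value is parsed with an unchecked `sscanf`, so a non-numeric argument leaves `pcrHandle` at `IMPLEMENTATION_PCR` and is only rejected by the later range check, while trailing garbage such as `16x` is silently accepted as PCR 16. Check the conversion result at the point of parsing: `if (sscanf(argv[i],"%u", &pcrHandle) != 1) { printf("Bad parameter %s for -ha\n", argv[i]); printUsage(); }`. The same unchecked pattern appears in the sibling PCR utilities in this commit and would benefit from the same treatment.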
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/Policies.txt b/libstb/tss2/ibmtpm20tss/utils/policies/Policies.txt
new file mode 100644
index 0000000..165bb7c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/Policies.txt
@@ -0,0 +1,138 @@
+#################################################################################
+# #
+# TPM2 regression test Directory of files #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+Note that PolicySecret uses a double hash, with the second hash being
+the policyRef. An empty policyRef is represented by a blank line.
+
+aaa the characters aaa
+bits48321601.bin uint64 with those bits set
+msgtpmgen.bin message with TPM_GENERATED
+policyauthorizesha1.txt policyauthorize using rsapubkey.pem
+policyauthorizesha256.txt "
+policyauthorizesha384.txt "
+policyauthorizesha512.txt "
+policyauthorizenv.txt policy authorize NV
+policyauthorizenv-unseal.txt policyauthorizenv + policyccunseal
+policyccactivate.txt policy command code activate credential
+policycccertify.txt policy command code certify
+policycccreate-auth.txt policy command code create + policy authvalue
+policyccduplicate.txt policy command code duplicate
+policyccnvchangeauth-auth.txt policy command code nvchangeauth + policy authvalue
+policyccquote.txt policy command code quote
+policyccsign.txt policy command code sign
+policyccsign-auth.txt policy command code sign + policy authvalue
+policyccundefinespacespecial-auth policy command code undefinespacespecial + policy authvalue
+policycountertimer.txt policy counter timer
+policycphash.txt policy cphash
+policycphashhash.txt policy cphash data
+policydupsel-no.txt policy duplicatation select no includeObject
+policydupsel-yes.txt policy duplicatation select with includeObject
+policyiwgek.txt standard IWG EK policy, and IWG PolicyA (EH auth)
+policyiwgekcsha256.txt standard IWG EK policyC (auth NV)
+policyiwgekcsha384.txt standard IWG EK policyC
+policyiwgekcsha512.txt standard IWG EK policyC
+policyiwgekbsha256.txt standard IWG EK policyB (policy OR)
+policyiwgekbsha384.txt standard IWG EK policyB (policy OR)
+policyiwgekbsha512.txt standard IWG EK policyB (policy OR)
+policynvargs.txt policy nv arguments
+policynvnv.txt policy nv has name and args
+policyor.txt policy command code sign | quote
+policypcr.txt policy pcr intermediate file
+policypcr0.txt 20 zeros
+policypcr16aaasha1.txt sha1 PCR 16 extend of aaa
+policypcr16aaasha256.txt sha256 PCR 16 extend of aaa
+policypcr16aaasha384.txt sha384 PCR 16 extend of aaa
+policypcr16aaasha512.txt sha512 PCR 16 extend of aaa
+policysecretnv.txt policy secret using nv index
+policysecretnvpf.txt policy secret using NV PIN fail index
+policysecretnvpp.txt policy secret using NV PIN pass index
+policysecretp.txt policy secret using platform auth
+policysecretsha256.txt policy secret using loaded object
+policysignedsha1.txt policy signed using pubkey.pem Name
+policysignedsha256.txt policy signed using pubkey.pem Name
+policysignedsha384.txt policy signed using pubkey.pem Name
+policysignedsha512.txt policy signed using pubkey.pem Name
+policytemplate.txt template hash input to policytemplatehash
+policytemplatehash.txt policy template for signing key
+policywrittenset.txt policy nv written with written set
+
+policywrittenclrsigned.txt policy nv written with written clear + policy signed
+policywrittensetsigned.txt policy nv written with written set + policy signed
+policyorwrittensigned.txt policy OR of the above two policies
+
+pnhnamehash.txt name hash
+
+nvwritecphasha.txt intermediate value
+nvwriteahasha.txt intermediate value externally signed
+nvwritecphashb.txt intermediate value
+nvwriteahashb.txt intermediate value externally signed
+
+privkey.pem RSA private key for policy signed
+pubkey.pem RSA public key for policy signed
+p256privkey.pem ECC private key for policy signed
+p256pubkey.pem ECC public key for policy signed
+
+sha1.bin big endian sha1 algorithm ID, for policyAuthorizeNV
+sha256.bin big endian sha256 algorithm ID, for policyAuthorizeNV
+sha384.bin big endian sha384 algorithm ID, for policyAuthorizeNV
+sha512.bin big endian sha512 algorithm ID, for policyAuthorizeNV
+
+sha1aaa.bin sha1 of aaa
+sha1extaaa.bin sha1 extend of aaa
+sha1extaaa0.bin sha1 extend of aaa zero padded
+sha1exthaaa.bin sha1 extend of hash of aaa
+
+sha256aaa.bin sha256 of aaa
+sha256extaaa.bin sha256 extend of aaa
+sha256extaaa0.bin sha256 extend of aaa zero padded
+sha256exthaaa.bin sha256 extend of hash of aaa
+
+sha384aaa.bin sha384 of aaa
+sha384extaaa.bin sha384 extend of aaa
+sha384exthaaa.bin sha384 extend of hash of aaa
+sha384extaaa0.bin sha384 extend of aaa zero padded
+
+sha512aaa.bin sha512 of aaa
+sha512extaaa.bin sha512 extend of aaa
+sha512exthaaa.bin sha512 extend of hash of aaa
+sha512extaaa0.bin sha512 extend of aaa zero padded
+
+zero4.bin 4 bytes of zero (e.g., just expiration data for policysigned)
+zero8.bin 8 bytes of zero
+zerosha256.bin 32 bytes of zero \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/aaa b/libstb/tss2/ibmtpm20tss/utils/policies/aaa
new file mode 100644
index 0000000..7c4a013
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/aaa
@@ -0,0 +1 @@
+aaa \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/bits48321601.bin b/libstb/tss2/ibmtpm20tss/utils/policies/bits48321601.bin
new file mode 100644
index 0000000..97baddd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/bits48321601.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/msgtpmgen.bin b/libstb/tss2/ibmtpm20tss/utils/policies/msgtpmgen.bin
new file mode 100644
index 0000000..4caf4d3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/msgtpmgen.bin
@@ -0,0 +1 @@
+ÿTCG1234567890123456 \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahasha.bin b/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahasha.bin
new file mode 100644
index 0000000..c6c6513
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahasha.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahasha.txt b/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahasha.txt
new file mode 100644
index 0000000..1cd347b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahasha.txt
@@ -0,0 +1 @@
+00000000cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahashb.bin b/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahashb.bin
new file mode 100644
index 0000000..023e08f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahashb.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahashb.txt b/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahashb.txt
new file mode 100644
index 0000000..1ed56ea
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/nvwriteahashb.txt
@@ -0,0 +1 @@
+00000000df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphasha.bin b/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphasha.bin
new file mode 100644
index 0000000..04cc7e9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphasha.bin
@@ -0,0 +1 @@
+Ϙîh;Ýî «¼u³c¾<ùî"*x¸&?{³U,¦ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphasha.txt b/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphasha.txt
new file mode 100644
index 0000000..601706b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphasha.txt
@@ -0,0 +1 @@
+00000137000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000800000000000000000000
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphashb.bin b/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphashb.bin
new file mode 100644
index 0000000..b93cd2b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphashb.bin
@@ -0,0 +1 @@
+ßXù«Ë#Œ×É †-ˆoÔnÛSÈÚ9¿¢ÖÏc \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphashb.txt b/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphashb.txt
new file mode 100644
index 0000000..a9b1e23
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/nvwritecphashb.txt
@@ -0,0 +1 @@
+00000137000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000861626364656667680000
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/p256privkey.pem b/libstb/tss2/ibmtpm20tss/utils/policies/p256privkey.pem
new file mode 100644
index 0000000..05cbc54
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/p256privkey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIA/5U49bWoIFaq2eZ9P7tTv5PO9rqbQtmEo26MSJ8KtUoAoGCCqGSM49
+AwEHoUQDQgAEjPyIf6kFyFd0qKGZrUFPfNkmVRthSU7L23fESiFJhRRMWptx83xF
+YVW2TrVIgq9tsWwgFbLCDgUgEJX7Ln41aw==
+-----END EC PRIVATE KEY-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/p256pubkey.pem b/libstb/tss2/ibmtpm20tss/utils/policies/p256pubkey.pem
new file mode 100644
index 0000000..054dfbd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/p256pubkey.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjPyIf6kFyFd0qKGZrUFPfNkmVRth
+SU7L23fESiFJhRRMWptx83xFYVW2TrVIgq9tsWwgFbLCDgUgEJX7Ln41aw==
+-----END PUBLIC KEY-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/pnhnamehash.bin b/libstb/tss2/ibmtpm20tss/utils/policies/pnhnamehash.bin
new file mode 100644
index 0000000..9b72b17
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/pnhnamehash.bin
@@ -0,0 +1 @@
+à bwÙü"=ŠV3~ë}˜(½{Ç)<'?zÄñ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/pnhnamehash.txt b/libstb/tss2/ibmtpm20tss/utils/policies/pnhnamehash.txt
new file mode 100644
index 0000000..5aa06f3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/pnhnamehash.txt
@@ -0,0 +1 @@
+000b631928da162431353a59c03a2ca7dbb70989144042363c7fa83839d9da6c437a
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv-unseal.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv-unseal.bin
new file mode 100644
index 0000000..f182b54
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv-unseal.bin
@@ -0,0 +1 @@
+Í$&þlR5…”" Yi3KˆG‚ ÙŒC÷64] \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv-unseal.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv-unseal.txt
new file mode 100644
index 0000000..aec6680
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv-unseal.txt
@@ -0,0 +1,2 @@
+00000192000b56e16f0b810a6418daab06822be142858beaf9a79d66f66ad7e8e541f142498e
+0000016c0000015e
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv.bin
new file mode 100644
index 0000000..3467922
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv.bin
@@ -0,0 +1 @@
+f¡ÛÍÂö a{3 îm•«ö,v´˜²‘ 0‘ôú \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv.txt
new file mode 100644
index 0000000..1b026e5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizenv.txt
@@ -0,0 +1 @@
+00000192000b5e8ebdf045819419070c7d5777bfeb61ffac4996ea4b6fbade6da42b632d4918
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha1.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha1.bin
new file mode 100644
index 0000000..36ba1e0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha1.bin
@@ -0,0 +1,2 @@
+‚XÀ2ŒÄå.ÄìÎal
+ôŠ0ˆ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha1.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha1.txt
new file mode 100644
index 0000000..31a4943
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha1.txt
@@ -0,0 +1,2 @@
+0000016a00044234c24fc1b9de6693a62453417d2734d7538f6f
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha256.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha256.bin
new file mode 100644
index 0000000..bc9d0bb
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha256.bin
@@ -0,0 +1 @@
+ë£ùŒ^¯¨ùOQ›M*1ƒîy‡fr9Ž#Ù3ˆ¨å \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha256.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha256.txt
new file mode 100644
index 0000000..a6c3646
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha256.txt
@@ -0,0 +1,2 @@
+0000016a000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha384.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha384.bin
new file mode 100644
index 0000000..d0eb35b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha384.bin
@@ -0,0 +1,2 @@
+\Æ4‰þùÈB~þ,_9t¶Ù¨6JÍÙp~ð¹ý&VÚ¥
+›¿ÖfßIÒ[PŽ8 \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha384.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha384.txt
new file mode 100644
index 0000000..93c6f47
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha384.txt
@@ -0,0 +1,2 @@
+0000016a000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha512.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha512.bin
new file mode 100644
index 0000000..9206474
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha512.bin
@@ -0,0 +1 @@
+ÉÈ)û¼uT™ÛH·&ˆ$Ñø)r`kÖ_AŽ˜~÷>j~%‚Çm6ChîVQÕ´hLþÑÐj×e#?Â’”ý,Å \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha512.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha512.txt
new file mode 100644
index 0000000..0a93611
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyauthorizesha512.txt
@@ -0,0 +1,2 @@
+0000016a000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccactivate.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyccactivate.bin
new file mode 100644
index 0000000..8e9ce1c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccactivate.bin
@@ -0,0 +1 @@
+å‡Áµ‡0÷!ãþ¤+FÀE[$o–®è]ë;æMfj \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccactivate.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyccactivate.txt
new file mode 100644
index 0000000..51a225a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccactivate.txt
@@ -0,0 +1 @@
+0000016c00000147
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policycccertify.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policycccertify.bin
new file mode 100644
index 0000000..4618ce5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policycccertify.bin
@@ -0,0 +1 @@
+Žš:ÎX?yóDÿx[¾©ðzÇú3%³Ôš!ÝQ”ÆXP \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policycccertify.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policycccertify.txt
new file mode 100644
index 0000000..ce2f5ce
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policycccertify.txt
@@ -0,0 +1 @@
+0000016c00000148
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policycccreate-auth.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policycccreate-auth.bin
new file mode 100644
index 0000000..b1edb1e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policycccreate-auth.bin
@@ -0,0 +1 @@
+KP÷?.øÀ–ÉмkI Ší»†üZTï ÓD \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policycccreate-auth.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policycccreate-auth.txt
new file mode 100644
index 0000000..c285110
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policycccreate-auth.txt
@@ -0,0 +1,2 @@
+0000016c00000153
+0000016b
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccduplicate.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyccduplicate.bin
new file mode 100644
index 0000000..5d2e7fc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccduplicate.bin
@@ -0,0 +1 @@
+¾õkŒÈNí×R,Ù“V½+¿R ÃøJî«¨è¢ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccduplicate.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyccduplicate.txt
new file mode 100644
index 0000000..9e7ea41
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccduplicate.txt
@@ -0,0 +1 @@
+0000016c0000014b
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccnvchangeauth-auth.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyccnvchangeauth-auth.bin
new file mode 100644
index 0000000..5afe188
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccnvchangeauth-auth.bin
@@ -0,0 +1 @@
+ªƒ¥˜Ù:VÉÊoê|?üNcWÿm“á›J¶ªá+ Þ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccnvchangeauth-auth.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyccnvchangeauth-auth.txt
new file mode 100644
index 0000000..b41a131
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccnvchangeauth-auth.txt
@@ -0,0 +1,2 @@
+0000016c0000013b
+0000016b
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccquote.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyccquote.bin
new file mode 100644
index 0000000..136ccb5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccquote.bin
@@ -0,0 +1 @@
+ 9ÊÕþh‡ˆø#<>>ãÏ'ªÉâïãHjëN0LÍ' \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccquote.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyccquote.txt
new file mode 100644
index 0000000..3b5cb8b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccquote.txt
@@ -0,0 +1 @@
+0000016c00000158 \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign-auth.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign-auth.bin
new file mode 100644
index 0000000..29cddc8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign-auth.bin
@@ -0,0 +1 @@
+~¡ àü²DòKÈ÷L(¨¹íñKSêLÏ<ZLãŒun \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign-auth.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign-auth.txt
new file mode 100644
index 0000000..5972762
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign-auth.txt
@@ -0,0 +1,2 @@
+0000016c0000015d
+0000016b
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign.bin
new file mode 100644
index 0000000..54085d3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign.bin
@@ -0,0 +1,2 @@
+Ìi²&';õ½@mÏ
+}ßØ;wp̼Ѫ€Ø \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign.txt
new file mode 100644
index 0000000..943b101
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccsign.txt
@@ -0,0 +1 @@
+0000016c0000015d \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccundefinespacespecial-auth.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyccundefinespacespecial-auth.bin
new file mode 100644
index 0000000..c6d0d7d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccundefinespacespecial-auth.bin
@@ -0,0 +1 @@
+¹|ÜÁëʲ%aÑúõ“ð=ùe÷À/|Dkõ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyccundefinespacespecial-auth.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyccundefinespacespecial-auth.txt
new file mode 100644
index 0000000..ab6834c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyccundefinespacespecial-auth.txt
@@ -0,0 +1,2 @@
+0000016c0000011f
+0000016b
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policycountertimer.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policycountertimer.bin
new file mode 100644
index 0000000..f767440
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policycountertimer.bin
@@ -0,0 +1 @@
+æ„'UÀ9Óhc!È“P%ݪ&Bš \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policycountertimer.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policycountertimer.txt
new file mode 100644
index 0000000..f177440
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policycountertimer.txt
@@ -0,0 +1 @@
+0000016d000000000000000000000002
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policycphash.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policycphash.bin
new file mode 100644
index 0000000..1c357a6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policycphash.bin
@@ -0,0 +1 @@
+älùóÇ0|¦ri°„´Ro \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policycphash.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policycphash.txt
new file mode 100644
index 0000000..52edeab
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policycphash.txt
@@ -0,0 +1 @@
+0000016eb5f919bbc01f0ebad02010169a67a8c158ec12f3
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policycphashhash.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policycphashhash.bin
new file mode 100644
index 0000000..a30627d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policycphashhash.bin
@@ -0,0 +1 @@
+µù»ÀºÐ šg¨ÁXìó \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policycphashhash.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policycphashhash.txt
new file mode 100644
index 0000000..23ab210
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policycphashhash.txt
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-no.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-no.bin
new file mode 100644
index 0000000..1658347
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-no.bin
@@ -0,0 +1 @@
+_Uº+i°8¬ÿ*†ïef¾¨#hC—L?§67rVì¼E \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-no.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-no.txt
new file mode 100644
index 0000000..a5099f2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-no.txt
@@ -0,0 +1 @@
+00000188000b1a5df6677533452737bc79a55ab6d9fa91745c033dfe3f82cdf0903ba9d655f100
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-yes.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-yes.bin
new file mode 100644
index 0000000..c851dc6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-yes.bin
@@ -0,0 +1 @@
+dL€ËãOõ‚8bC“”ñèŠÆ#MÑ°ÅL÷; \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-yes.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-yes.txt
new file mode 100644
index 0000000..858ee1b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policydupsel-yes.txt
@@ -0,0 +1 @@
+00000188000b631928da162431353a59c03a2ca7dbb70989144042363c7fa83839d9da6c437a000b1a5df6677533452737bc79a55ab6d9fa91745c033dfe3f82cdf0903ba9d655f101
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgek.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgek.txt
new file mode 100644
index 0000000..de74206
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgek.txt
@@ -0,0 +1,2 @@
+000001514000000B
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha256.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha256.bin
new file mode 100644
index 0000000..18a9215
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha256.bin
@@ -0,0 +1,2 @@
+Ê=
+™¢¹9÷£4$ïϳ£…ÔLÑýE‰Ñ›PqÀ·  \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha256.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha256.txt
new file mode 100644
index 0000000..e6d3198
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha256.txt
@@ -0,0 +1 @@
+00000171837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa3767e2edd43ff45a3a7e1eaefcef78643dca964632e7aad82c673a30d8633fde
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha384.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha384.bin
new file mode 100644
index 0000000..139fc23
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha384.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha384.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha384.txt
new file mode 100644
index 0000000..ed9da6b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha384.txt
@@ -0,0 +1 @@
+000001718bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53d6032ce61f2fb3c240eb3cf6a33237ef2b6a16f4293c22b455e261cffd217ad5b4947c2d73e63005eed2dc2b3593d165
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha512.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha512.bin
new file mode 100644
index 0000000..cc190d3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha512.bin
@@ -0,0 +1 @@
+¸"¦ž…P¤‘Mãú¦¡Œ,À:’]fÕž÷žI¤)Äk&•qÕ~Û%ûÛ8BV´Íaj_mµ¶ù›ê \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha512.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha512.txt
new file mode 100644
index 0000000..50d3175
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekbsha512.txt
@@ -0,0 +1 @@
+000001711e3b76502c8a1425aa0b7b3fc646a1b0fae063b03b5368f9c4cddecaff0891dd682bac1a85d4d832b781ea451915de5fc5bf0dc4a1917cd42fa041e3f998e0ee589ee1e146544716e8deafe6db247b01b81e9f9c7dd16b814aa159138749105fba5388dd1dea702f35240c184933121e2c61b8f50d3ef91393a49a38c3f73fc8
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha256.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha256.bin
new file mode 100644
index 0000000..a584ce2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha256.bin
@@ -0,0 +1 @@
+7gâíÔ?ôZ:~®üïxd=Ê–F2çªØ,g:0Øc?Þ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha256.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha256.txt
new file mode 100644
index 0000000..7af2e54
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha256.txt
@@ -0,0 +1 @@
+00000192000b0c9d717e9c3fe69fda41769450bb145957f8b3610e084dbf65591a5d11ecd83f
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha384.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha384.bin
new file mode 100644
index 0000000..bbddab6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha384.bin
@@ -0,0 +1 @@
+Ö,æ/³Â@ë<ö£27ï+jô)<"´UâaÏý!zÕ´”|-sæ0îÒÜ+5“Ñe \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha384.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha384.txt
new file mode 100644
index 0000000..6692c3e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha384.txt
@@ -0,0 +1 @@
+00000192000cdb62fca346612c976732ff4e8621fb4e858be82586486504f7d02e621f8d7d61ae32cfc60c4d120609ed6768afcf090c
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha512.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha512.bin
new file mode 100644
index 0000000..1baa1f6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha512.bin
@@ -0,0 +1 @@
+XžááFTGèÞ¯æÛ${¸Ÿœ}ÑkJ¡Y‡I_ºSˆÝêp/5$ I3,a¸õ >ù“¤š8Ã÷?È \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha512.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha512.txt
new file mode 100644
index 0000000..4e04c86
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgekcsha512.txt
@@ -0,0 +1 @@
+00000192000d1c47c0bbcbd3cf7d7cae6987d31937c171015dde3b7f0d3c869bca1f7e8a223b9acfadb49b7c9cf14d450f41e9327de34d9291eece2c58ab1dc10e9059cce560
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha256.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha256.bin
new file mode 100644
index 0000000..48f4c16
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha256.bin
@@ -0,0 +1 @@
+ƒq—gD„³øÌF¥×$ýR×nR dò¡Ú3iª \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha384.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha384.bin
new file mode 100644
index 0000000..2e183e6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha384.bin
@@ -0,0 +1 @@
+‹¿"fS|µn@<MÁÔ¶OC&Ü8noS PÃ'Œ“>‹±8$Ì´18qÆÛS \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha512.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha512.bin
new file mode 100644
index 0000000..e75ad1d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyiwgeksha512.bin
@@ -0,0 +1 @@
+;vP,Š%ª {?ÆF¡°úàc°;ShùÄÍÞÊÿ‘Ýh+¬…ÔØ2·êEÞ_Å¿ Ä¡‘|Ô/ Aãù˜àî \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policynamehash.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policynamehash.bin
new file mode 100644
index 0000000..fd3224b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policynamehash.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policynamehash.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policynamehash.txt
new file mode 100644
index 0000000..9b68411
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policynamehash.txt
@@ -0,0 +1 @@
+0000017018e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policynvargs.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policynvargs.txt
new file mode 100644
index 0000000..4f4d97c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policynvargs.txt
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policynvnv.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policynvnv.bin
new file mode 100644
index 0000000..df080a7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policynvnv.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policynvnv.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policynvnv.txt
new file mode 100644
index 0000000..a124ea9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policynvnv.txt
@@ -0,0 +1 @@
+000001492c513f149e737ec4063fc1d37aee9beabc4b4bbf00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyor.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyor.bin
new file mode 100644
index 0000000..a5002ed
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyor.bin
@@ -0,0 +1 @@
+kþÂ:¾W°*Î9Ý»`ú9M¬{8–VW„³süa’”)Û \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyor.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyor.txt
new file mode 100644
index 0000000..5028df9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyor.txt
@@ -0,0 +1 @@
+00000171cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811a039cad5fe68870688f8233c3e3ee3cf27aac9e2efe3486aeb4e304c0e90cd27 \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyorwrittensigned.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policyorwrittensigned.bin
new file mode 100644
index 0000000..488b068
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyorwrittensigned.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policyorwrittensigned.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policyorwrittensigned.txt
new file mode 100644
index 0000000..50162e9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policyorwrittensigned.txt
@@ -0,0 +1 @@
+00000171480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f20943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr.bin
new file mode 100644
index 0000000..8f69740
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr.bin
@@ -0,0 +1 @@
+…3ƒõè<`C4oŸ7!vŽ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr0.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr0.bin
new file mode 100644
index 0000000..df879cf
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr0.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr0.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr0.txt
new file mode 100644
index 0000000..b61f288
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr0.txt
@@ -0,0 +1 @@
+0000000000000000000000000000000000000000 \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha1.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha1.bin
new file mode 100644
index 0000000..88e9157
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha1.bin
@@ -0,0 +1 @@
+´íÞ£5‡×C)ö¨Ñ牒dFðL… \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha256.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha256.bin
new file mode 100644
index 0000000..a0cd48b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha256.bin
@@ -0,0 +1 @@
+„ÿ/ñ-7Ë#û=ÙfwÊìH”\ ƒåꢾ˜éuª!ãÖ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha384.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha384.bin
new file mode 100644
index 0000000..da4fcb3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha384.bin
@@ -0,0 +1 @@
+Kͳë|I“C¥eî܆"|†6 —¢^4.ÒO~­ a‹^׺»ã^ð«ê™Uß„ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha512.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha512.bin
new file mode 100644
index 0000000..d13ac53
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr1623aaasha512.bin
@@ -0,0 +1 @@
+„Yv¸ÔØ©¤}u>ÍÂxì•×èï …Ç8.­Fär1£8TåÏ.m#gm9Z“QóðVMfø{üa \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha1.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha1.bin
new file mode 100644
index 0000000..e5fd0af
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha1.bin
@@ -0,0 +1 @@
+¶ÝC‚Êä]ОQÑc¤$õò \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha1.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha1.txt
new file mode 100644
index 0000000..237c939
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha1.txt
@@ -0,0 +1 @@
+1d47f68aced515f7797371b554e32d47981aa0a0
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha256.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha256.bin
new file mode 100644
index 0000000..56600b4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha256.bin
@@ -0,0 +1 @@
+vDöê×`Ú¹6Õ…ìۄΚyÝáÇà¢Ù   \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha256.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha256.txt
new file mode 100644
index 0000000..78108c4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha256.txt
@@ -0,0 +1 @@
+c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha384.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha384.bin
new file mode 100644
index 0000000..d10b3e2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha384.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha384.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha384.txt
new file mode 100644
index 0000000..8deef9b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha384.txt
@@ -0,0 +1 @@
+292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha512.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha512.bin
new file mode 100644
index 0000000..8aa9e59
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha512.bin
@@ -0,0 +1 @@
+W%™dØtð…,pA̾!Âß~æ±™êfF·û#UwK–~«âeÛZR‚œ¯<Àä™6]ì >m*bm. \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha512.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha512.txt
new file mode 100644
index 0000000..19f7ca2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcr16aaasha512.txt
@@ -0,0 +1 @@
+7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policypcrbm0.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policypcrbm0.bin
new file mode 100644
index 0000000..bd0f292
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policypcrbm0.bin
@@ -0,0 +1 @@
+m8I8áÕ‹Vq’U”?if¶ú,# \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnv.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnv.bin
new file mode 100644
index 0000000..b5fac8d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnv.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnv.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnv.txt
new file mode 100644
index 0000000..02facd9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnv.txt
@@ -0,0 +1,2 @@
+00000151000be0651081c2fcda306993da43d1de5b24be426e2d61907b42835469136c97681f
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpf.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpf.bin
new file mode 100644
index 0000000..912504b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpf.bin
@@ -0,0 +1 @@
+VÚR'0ܾ¨­Y¼¥ •  ÓØ ¨²Ø[Åß \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpf.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpf.txt
new file mode 100644
index 0000000..884fab4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpf.txt
@@ -0,0 +1,2 @@
+00000151000b8e42e7023c8851a2fabdb3ecffa9d155bc40058b7da1261f2c790442959f8d6e
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpp.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpp.bin
new file mode 100644
index 0000000..86f9ff2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpp.bin
@@ -0,0 +1 @@
+VäÇ&××Ý<½L®À.ƒ<73<ûùÃ_«S# ß} \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpp.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpp.txt
new file mode 100644
index 0000000..51ce1a5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretnvpp.txt
@@ -0,0 +1,2 @@
+00000151000bda1cbd54bb81546c1c7630ddd409503a0d6d0305161b1588d66bc8fa17daad81
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretp.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretp.bin
new file mode 100644
index 0000000..712f412
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretp.bin
@@ -0,0 +1 @@
+ȱ).ÿ,ç£ú±®Ù­%O°?Àš¼-јQaºh½Ç \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretp.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretp.txt
new file mode 100644
index 0000000..af4ef62
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretp.txt
@@ -0,0 +1,2 @@
+000001514000000C
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha256.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha256.bin
new file mode 100644
index 0000000..712f412
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha256.bin
@@ -0,0 +1 @@
+ȱ).ÿ,ç£ú±®Ù­%O°?Àš¼-јQaºh½Ç \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha256ha.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha256ha.bin
new file mode 100644
index 0000000..27ef362
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha256ha.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha384.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha384.bin
new file mode 100644
index 0000000..25fa9b8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha384.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha384ha.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha384ha.bin
new file mode 100644
index 0000000..cca7c0f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha384ha.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha512.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha512.bin
new file mode 100644
index 0000000..d94cc53
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha512.bin
@@ -0,0 +1 @@
+Åî íÏ%˜à@\óœÞaþÕ*tñU#m±€‹MB±JªýúéÈ%jÉåÌ„°&»v%S¿Ž“˜þòÍÒ'ƒ¬ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha512ha.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha512ha.bin
new file mode 100644
index 0000000..8e34a76
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretpsha512ha.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretsha256.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretsha256.bin
new file mode 100644
index 0000000..38af028
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretsha256.bin
@@ -0,0 +1 @@
+KÊ·ì¢|\Úœqæu(cÒ‡Ò3ìIz¾ˆñï”]\ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysecretsha256.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretsha256.txt
new file mode 100644
index 0000000..cdc7ff2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysecretsha256.txt
@@ -0,0 +1,2 @@
+00000151000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha1.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha1.bin
new file mode 100644
index 0000000..12608cc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha1.bin
@@ -0,0 +1 @@
+zNàvëµÏîÁ‚ÌL³ ^Y©¹e¡Y¯Í=¿Tû \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha1.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha1.txt
new file mode 100644
index 0000000..bad3715
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha1.txt
@@ -0,0 +1,2 @@
+0000016000044234c24fc1b9de6693a62453417d2734d7538f6f
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha256.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha256.bin
new file mode 100644
index 0000000..154bcb9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha256.bin
@@ -0,0 +1 @@
+Þ¿ú<˜ ñ}ÑÐ{Týá“å@Pžp–ªs'S³ƒ1 \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha256.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha256.txt
new file mode 100644
index 0000000..8285509
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha256.txt
@@ -0,0 +1,2 @@
+00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha384.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha384.bin
new file mode 100644
index 0000000..becd3c0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha384.bin
@@ -0,0 +1 @@
+EÅÚv’:poßVêçßÛAâu$IT”f“kÄüˆ«\ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha384.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha384.txt
new file mode 100644
index 0000000..e903b2e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha384.txt
@@ -0,0 +1,2 @@
+00000160000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha512.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha512.bin
new file mode 100644
index 0000000..bdef3a8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha512.bin
@@ -0,0 +1 @@
+Í4–9ê@ˆ^ú7‹§!ñxmR»“GœsEˆ<Ü o \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha512.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha512.txt
new file mode 100644
index 0000000..dbfdcca
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policysignedsha512.txt
@@ -0,0 +1,2 @@
+00000160000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policytemplate.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policytemplate.bin
new file mode 100644
index 0000000..5eee120
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policytemplate.bin
@@ -0,0 +1 @@
+ïdÚ‘ü¬‚ô6(„(Sتø}üáEé%ÏþXhª-"¶ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policytemplate.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policytemplate.txt
new file mode 100644
index 0000000..d1e3d48
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policytemplate.txt
@@ -0,0 +1 @@
+0001000b000404720000001000100800000000000000
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policytemplatehash.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policytemplatehash.bin
new file mode 100644
index 0000000..8cd392a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policytemplatehash.bin
@@ -0,0 +1 @@
+û”±Cå+•·ìD7y™ÖGp®K$¯Z¸~FòX¯ëÞ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policytemplatehash.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policytemplatehash.txt
new file mode 100644
index 0000000..a995ed0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policytemplatehash.txt
@@ -0,0 +1 @@
+00000190ef64da9118fcac82f4361b28842853d8aaf87dfce145e925cffe5868aa2d22b6
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenclrsigned.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenclrsigned.bin
new file mode 100644
index 0000000..ce19999
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenclrsigned.bin
@@ -0,0 +1 @@
+H x.‚Â@ˆ2Äßœ¾‡o’T½à[ .©RH>·iò \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenclrsigned.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenclrsigned.txt
new file mode 100644
index 0000000..407fb27
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenclrsigned.txt
@@ -0,0 +1,3 @@
+0000018f00
+00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenset.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenset.bin
new file mode 100644
index 0000000..4f6bb8c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenset.bin
@@ -0,0 +1 @@
+0sHß_ëíe”æý¬„"ã \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenset.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenset.txt
new file mode 100644
index 0000000..89b8feb
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittenset.txt
@@ -0,0 +1 @@
+0000018f01
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policywrittensetsigned.bin b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittensetsigned.bin
new file mode 100644
index 0000000..4c3623c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittensetsigned.bin
@@ -0,0 +1,3 @@
+ Cº<;M±È?×…ùÜ
+‚IöyJ8æE
+PV´ëÒF \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/policywrittensetsigned.txt b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittensetsigned.txt
new file mode 100644
index 0000000..9f80606
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/policywrittensetsigned.txt
@@ -0,0 +1,3 @@
+0000018f01
+00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/rsaprivkey.der b/libstb/tss2/ibmtpm20tss/utils/policies/rsaprivkey.der
new file mode 100644
index 0000000..de6eeba
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/rsaprivkey.der
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/rsaprivkey.pem b/libstb/tss2/ibmtpm20tss/utils/policies/rsaprivkey.pem
new file mode 100644
index 0000000..fb87e79
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/rsaprivkey.pem
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,2530131EB712F2DC51A71D0DEB7BFB49
+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-----END RSA PRIVATE KEY-----
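Review bot: This hunk vendors an encrypted RSA private key (legacy OpenSSL PEM with a `DEK-Info: AES-256-CBC` header) into the firmware tree as a policy test fixture. Because the passphrase has to be shared for the policy tests to run, the key is effectively public and the legacy PEM encryption should not be read as protecting it. If the utilities' documentation does not already say so, a one-line note next to these fixtures stating that this is a test-only key which must never sign production policies would make the intent clear to anyone who later copies the directory.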
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/rsapubkey.pem b/libstb/tss2/ibmtpm20tss/utils/policies/rsapubkey.pem
new file mode 100644
index 0000000..85a74bf
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/rsapubkey.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAukO2Z2rjxNm7EWi82TpW
+hXmJo5fPf2enN4KzF35qVM4KjYdpVODWQ377Lq3edqriP1Ji2dUvqoUHNrkfwSOH
+EHHKWXO++if4o+kI5YdC1MzwXMVHI2Yrn7fAteGArM7Ox9GRcdzmicw38HMWWGtM
+OBUkaLZnO7rJW1VPQQw1IG9d+hFepXfrNl75zz2S2mceWecFRGBFE8DPW+zMQIMm
+qFtt9g9+LIw0b1fn13DsMW7JX3J126ZwgTH6BEmSIY04xz2Tz0Z0+GNb+mwDypP9
+1o0l0ITkETMsfabpGgEfC2x+67lQJR986MyLZ+WDK+3LeT2b4mA2bxpRa6yDrEv/
+gQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha1.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha1.bin
new file mode 100644
index 0000000..d6db588
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha1.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha1aaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha1aaa.bin
new file mode 100644
index 0000000..ddbbf15
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha1aaa.bin
@@ -0,0 +1 @@
+~$ çO±íúÓ€cö¦©b¨ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha1extaaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha1extaaa.bin
new file mode 100644
index 0000000..8fc7991
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha1extaaa.bin
@@ -0,0 +1 @@
+q9]|À}¥ËzyÄÈÅÚ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha1extaaa0.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha1extaaa0.bin
new file mode 100644
index 0000000..373c118
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha1extaaa0.bin
@@ -0,0 +1 @@
+GöŠÎÕ÷ysqµTã-G˜   \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha1exthaaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha1exthaaa.bin
new file mode 100644
index 0000000..691387b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha1exthaaa.bin
@@ -0,0 +1 @@
+«SÇì?þþ!ž‰ÚñŽU>#Ž¦ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha256.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha256.bin
new file mode 100644
index 0000000..874b071
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha256.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha256aaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha256aaa.bin
new file mode 100644
index 0000000..4b3b4bf
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha256aaa.bin
@@ -0,0 +1 @@
+˜4‡mÏ°\±g¥ÂIS륌JÈ›ßWò/ ¯~èð \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha256extaaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha256extaaa.bin
new file mode 100644
index 0000000..f59fde9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha256extaaa.bin
@@ -0,0 +1 @@
+wËïâÜ$ĶE_†Qb…’f‹+çA¤ÕËÞÛšJI \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha256extaaa0.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha256extaaa0.bin
new file mode 100644
index 0000000..a695947
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha256extaaa0.bin
@@ -0,0 +1 @@
+—dÑ¿·âÃ_“s+Jã6´5N¼èÐÖ>¾» \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha256exthaaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha256exthaaa.bin
new file mode 100644
index 0000000..53c667b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha256exthaaa.bin
@@ -0,0 +1 @@
+ß Ó=æ{±Ç&¦ \Тëa·Éî‘fëÏÜÛ« \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha384.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha384.bin
new file mode 100644
index 0000000..6f60177
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha384.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha384aaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha384aaa.bin
new file mode 100644
index 0000000..3131cd6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha384aaa.bin
@@ -0,0 +1,2 @@
+Žå½ÖJ£u6ÁòW¦´IcÌ2{}}Ë,´z"=3ADb¿¡„H|órÎ
+ßÈ?ƒ6Ø \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha384extaaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha384extaaa.bin
new file mode 100644
index 0000000..873c7a7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha384extaaa.bin
@@ -0,0 +1 @@
+ñ樖¤_uËï‰ÇN³š“Iß5NÆþ*å›Vˆ ˜˜Ž;ã`Èi2·ßY \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha384extaaa0.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha384extaaa0.bin
new file mode 100644
index 0000000..59599c5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha384extaaa0.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha384exthaaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha384exthaaa.bin
new file mode 100644
index 0000000..65bbe15
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha384exthaaa.bin
@@ -0,0 +1 @@
+a¼p9┇°±F]dæ­2¦ÕÂ[E§K¼§Ì$%6Ê@ù6DðØ°˜ê¦P—M \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha512.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha512.bin
new file mode 100644
index 0000000..c4b6c7e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha512.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha512aaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha512aaa.bin
new file mode 100644
index 0000000..81f23f0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha512aaa.bin
@@ -0,0 +1 @@
+ÖöD±˜é{]‡XÖÓ@ÍG‡ú뛉Áç`‚ˆfKçrWJXÐ3¼ñ à”_ðdhëå>-ÿ6âHBLrs}¬ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha512extaaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha512extaaa.bin
new file mode 100644
index 0000000..b26d4de
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha512extaaa.bin
@@ -0,0 +1 @@
+eOÉËÙ³¸YA¢ëºw"³?r)ÄÈ#ǧò L¥T³5 Æ™R™ö9Äñ :¯gȽå‰ÅêBà›o<ê¡PœÕ \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha512extaaa0.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha512extaaa0.bin
new file mode 100644
index 0000000..a9135d8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha512extaaa0.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/sha512exthaaa.bin b/libstb/tss2/ibmtpm20tss/utils/policies/sha512exthaaa.bin
new file mode 100644
index 0000000..316b842
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/sha512exthaaa.bin
@@ -0,0 +1 @@
+˾³)a$LœG€„ ´:v?º–ïÁÙRôãà,Š1Šå? §¡tè#ãÍÆRo¶wm6G'M¦)Ûɧl* \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/zero4.bin b/libstb/tss2/ibmtpm20tss/utils/policies/zero4.bin
new file mode 100644
index 0000000..593f470
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/zero4.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/zero8.bin b/libstb/tss2/ibmtpm20tss/utils/policies/zero8.bin
new file mode 100644
index 0000000..1b1cb4d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/zero8.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/zerosha1.bin b/libstb/tss2/ibmtpm20tss/utils/policies/zerosha1.bin
new file mode 100644
index 0000000..df879cf
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/zerosha1.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/zerosha256.bin b/libstb/tss2/ibmtpm20tss/utils/policies/zerosha256.bin
new file mode 100644
index 0000000..4e4e493
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/zerosha256.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/zerosha384.bin b/libstb/tss2/ibmtpm20tss/utils/policies/zerosha384.bin
new file mode 100644
index 0000000..2a56096
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/zerosha384.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policies/zerosha512.bin b/libstb/tss2/ibmtpm20tss/utils/policies/zerosha512.bin
new file mode 100644
index 0000000..9017fd9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policies/zerosha512.bin
Binary files differ
diff --git a/libstb/tss2/ibmtpm20tss/utils/policyauthorize.c b/libstb/tss2/ibmtpm20tss/utils/policyauthorize.c
new file mode 100644
index 0000000..73c40dd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policyauthorize.c
@@ -0,0 +1,307 @@
+/********************************************************************************/
+/* */
+/* PolicyAuthorize */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyAuthorize_In in;
+ TPMI_SH_POLICY policySession = 0;
+ const char *approvedPolicyFilename = NULL;
+ const char *policyRefFilename = NULL;
+ const char *signingKeyNameFilename = NULL;
+ const char *ticketFilename = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-appr") == 0) {
+ i++;
+ if (i < argc) {
+ approvedPolicyFilename = argv[i];
+ }
+ else {
+ printf("-appr option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pref") == 0) {
+ i++;
+ if (i < argc) {
+ policyRefFilename = argv[i];
+ }
+ else {
+ printf("-pref option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-skn") == 0) {
+ i++;
+ if (i < argc) {
+ signingKeyNameFilename = argv[i];
+ }
+ else {
+ printf("-skn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-tk") == 0) {
+ i++;
+ if (i < argc) {
+ ticketFilename = argv[i];
+ }
+ else {
+ printf("-tk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* validate command line parameters */
+ if (policySession == 0) {
+ printf("Missing parameter -ha\n");
+ printUsage();
+ }
+ if (approvedPolicyFilename == NULL) {
+ printf("Missing parameter -appr\n");
+ printUsage();
+ }
+ if (policyRefFilename == NULL) {
+ in.policyRef.b.size = 0; /* default empty buffer */
+ }
+ if (signingKeyNameFilename == NULL) {
+ printf("Missing parameter -skn\n");
+ printUsage();
+ }
+ if (ticketFilename == NULL) {
+ printf("Missing parameter -tk\n");
+ printUsage();
+ }
+ /* set in parameters */
+ if (rc == 0) {
+ in.policySession = policySession;
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.approvedPolicy.b,
+ sizeof(in.approvedPolicy.t.buffer),
+ approvedPolicyFilename);
+ }
+ if ((rc == 0) && (policyRefFilename != NULL)) {
+ rc = TSS_File_Read2B(&in.policyRef.b,
+ sizeof(in.policyRef.t.buffer),
+ policyRefFilename);
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.keySign.b,
+ sizeof(in.keySign.t.name),
+ signingKeyNameFilename);
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadStructure(&in.checkTicket,
+ (UnmarshalFunction_t)TSS_TPMT_TK_VERIFIED_Unmarshalu,
+ ticketFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyAuthorize,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policyauthorize: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policyauthorize: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policyauthorize\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyAuthorize\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t-appr\tfile name of digest of the policy being approved\n");
+ printf("\t[-pref\tpolicyRef file] (default none)\n");
+ printf("\t-skn\tsigning key Name file name\n");
+ printf("\t-tk\tticket file name\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
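Review bot: The `sscanf(argv[i],"%x", ...)` calls for `-ha` and `-se0`/`-se1`/`-se2` never check their return value, so a non-hex argument leaves the target at its default and parsing continues silently; the later `policySession == 0` check catches the `-ha` case, but a malformed `-se0` handle silently falls back to TPM_RH_NULL. Check the conversion count at each site, e.g. `if (sscanf(argv[i], "%x", &sessionHandle0) != 1) { printf("Invalid parameter for -se0\n"); printUsage(); }`. The `%x` conversion also assumes TPMI_SH_POLICY and TPMI_SH_AUTH_SESSION are exactly `unsigned int` wide, which presumably holds for the uint32_t typedefs but deserves a comment or an `unsigned int` temporary. The same pattern appears in the policyauthorizenv.c hunk that follows.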
diff --git a/libstb/tss2/ibmtpm20tss/utils/policyauthorizenv.c b/libstb/tss2/ibmtpm20tss/utils/policyauthorizenv.c
new file mode 100644
index 0000000..0c5dbbf
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policyauthorizenv.c
@@ -0,0 +1,279 @@
+/********************************************************************************/
+/* */
+/* PolicyAuthorizeNV */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyAuthorizeNV_In in;
+ char hierarchyChar = 0;
+ const char *authPassword = NULL; /* default no password */
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ TPMI_SH_POLICY policySession = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hs") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -hs\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (nvIndex == 0) {
+ printf("Missing NV index handle parameter -ha\n");
+ printUsage();
+ }
+ if (policySession == 0) {
+ printf("Missing policy session handle parameter -hs\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ if (hierarchyChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else if (hierarchyChar == 0) {
+ in.authHandle = nvIndex;
+ }
+ else {
+ printf("Missing or illegal -hi\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ in.nvIndex = nvIndex;
+ in.policySession = policySession;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyAuthorizeNV,
+ sessionHandle0, authPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policyauthorizenv: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policyauthorizenv: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policyauthorizenv\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyAuthorizeNV\n");
+ printf("\n");
+ printf("\t[-hi\thierarchy authHandle (o, p)]\n");
+ printf("\t\tdefault NV index\n");
+ printf("\t-ha\tNV index handle\n");
+ printf("\t[-pwda\tpassword for authorization (default empty)]\n");
+ printf("\t-hs\tpolicy session handle\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ exit(1);
+}
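Review bot: The `-hi` handler stores only `argv[i][0]`, so an empty argument (`-hi ""`) yields `hierarchyChar == 0` and the later validation silently selects the NV index itself as `authHandle`, which is the opposite of what a user who typed `-hi` intended. Requiring a single-character value closes that gap, e.g. `if (i < argc && strlen(argv[i]) == 1) { hierarchyChar = argv[i][0]; }` with the existing else branch reporting the missing or malformed parameter. The 'o'/'p' validation after the loop still rejects other illegal letters, so only the empty-string case changes.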
diff --git a/libstb/tss2/ibmtpm20tss/utils/policyauthvalue.c b/libstb/tss2/ibmtpm20tss/utils/policyauthvalue.c
new file mode 100644
index 0000000..99cfdad
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policyauthvalue.c
@@ -0,0 +1,142 @@
+/********************************************************************************/
+/* */
+/* PolicyAuthValue */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ TPMI_SH_POLICY policySession = 0;
+ PolicyAuthValue_In in;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyAuthValue,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policyauthvalue: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policyauthvalue: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policyauthvalue\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyAuthValue\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/policycommandcode.c b/libstb/tss2/ibmtpm20tss/utils/policycommandcode.c
new file mode 100644
index 0000000..e5a43b5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policycommandcode.c
@@ -0,0 +1,161 @@
+/********************************************************************************/
+/* */
+/* PolicyCommandCode */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ TPMI_SH_POLICY policySession = 0;
+ TPM_CC commandCode = 0;
+ PolicyCommandCode_In in;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-cc") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &commandCode);
+ }
+ else {
+ printf("Missing parameter for -cc\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (commandCode == 0) {
+ printf("Missing parameter -cc\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ in.code = commandCode;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyCommandCode,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policycommandcode: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policycommandcode: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policycommandcode\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyCommandCode\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t-cc\tcommand code\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/policycountertimer.c b/libstb/tss2/ibmtpm20tss/utils/policycountertimer.c
new file mode 100644
index 0000000..ab0ec41
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policycountertimer.c
@@ -0,0 +1,302 @@
+/********************************************************************************/
+/* */
+/* PolicyCounterTimer */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyCounterTimer_In in;
+ TPMI_SH_POLICY policySession = 0;
+ const char *operandBData = NULL;
+ const char *operandBFilename = NULL;
+ uint16_t offset = 0; /* default 0 */
+ TPM_EO operation = 0; /* default A = B */
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ic") == 0) {
+ i++;
+ if (i < argc) {
+ operandBData = argv[i];
+ }
+ else {
+ printf("-ic option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-if") == 0) {
+ i++;
+ if (i < argc) {
+ operandBFilename = argv[i];
+ } else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-off") == 0) {
+ i++;
+ if (i < argc) {
+ offset = atoi(argv[i]);
+ }
+ else {
+ printf("-off option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-op") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%hx", &operation);
+ }
+ else {
+ printf("Missing parameter for -op\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing policy session handle parameter -hs\n");
+ printUsage();
+ }
+ if ((operandBData == NULL) && (operandBFilename == NULL)) {
+ printf("operandB data string or data file must be specified\n");
+ printUsage();
+ }
+ if ((operandBData != NULL) && (operandBFilename != NULL)) {
+ printf("operandB data string and data file cannot both be specified\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ in.offset = offset;
+ in.operation = operation;
+ }
+ if (operandBData != NULL) {
+ rc = TSS_TPM2B_StringCopy(&in.operandB.b,
+ operandBData, sizeof(in.operandB.t.buffer));
+
+ }
+ if (operandBFilename != NULL) {
+ rc = TSS_File_Read2B(&in.operandB.b,
+ sizeof(in.operandB.t.buffer),
+ operandBFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyCounterTimer,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policycountertimer: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policycountertimer: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policycountertimer\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyCounterTimer\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t-ic\tdata string (operandB)\n");
+ printf("\t-if\tdata file (operandB) \n");
+ printf("\t[-off\toffset (default 0)]\n");
+ printf("\t-op\toperation (default A = B)\n");
+ printf("\n");
+ printf("\t\t0 A = B \n");
+ printf("\t\t1 A != B \n");
+ printf("\t\t2 A > B signed \n");
+ printf("\t\t3 A > B unsigned \n");
+ printf("\t\t4 A < B signed \n");
+ printf("\t\t5 A < B unsigned \n");
+ printf("\t\t6 A >= B signed \n");
+ printf("\t\t7 A >= B unsigned \n");
+ printf("\t\t8 A <= B signed \n");
+ printf("\t\t9 A <= B unsigned \n");
+ printf("\t\tA All bits SET in B are SET in A. ((A&B)=B) \n");
+ printf("\t\tB All bits SET in B are CLEAR in A. ((A&B)=0) \n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/policycphash.c b/libstb/tss2/ibmtpm20tss/utils/policycphash.c
new file mode 100644
index 0000000..3936a74
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policycphash.c
@@ -0,0 +1,245 @@
+/********************************************************************************/
+/* */
+/* PolicyCpHash */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyCpHash_In in;
+ TPMI_SH_POLICY policySession = 0;
+ const char *cpHashAFilename = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-cp") == 0) {
+ i++;
+ if (i < argc) {
+ cpHashAFilename = argv[i];
+ }
+ else {
+ printf("-cp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (cpHashAFilename == NULL) {
+ printf("Missing handle parameter -cp\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.cpHashA.b,
+ sizeof(in.cpHashA.t.buffer),
+ cpHashAFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyCpHash,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policycphash: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policycphash: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policycphash\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyCpHash\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t-cp\tcpHash file\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/policyduplicationselect.c b/libstb/tss2/ibmtpm20tss/utils/policyduplicationselect.c
new file mode 100644
index 0000000..06f9fcc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policyduplicationselect.c
@@ -0,0 +1,272 @@
+/********************************************************************************/
+/* */
+/* PolicyDuplicationSelect */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyDuplicationSelect_In in;
+ TPMI_SH_POLICY policySession = 0;
+ const char *newParentNameFilename = NULL;
+ const char *objectNameFilename = NULL;
+ TPMI_YES_NO includeObject = NO;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-inpn") == 0) {
+ i++;
+ if (i < argc) {
+ newParentNameFilename = argv[i];
+ }
+ else {
+ printf("-inpn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ion") == 0) {
+ i++;
+ if (i < argc) {
+ objectNameFilename = argv[i];
+ }
+ else {
+ printf("-ion option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-io") == 0) {
+ includeObject = YES;
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (newParentNameFilename == NULL) {
+ printf("Missing handle parameter -inpn\n");
+ printUsage();
+ }
+ if (objectNameFilename == NULL) {
+ printf("include object -io requires object Name -ion\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ in.includeObject = includeObject;
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.newParentName.b,
+ sizeof(in.newParentName.t.name),
+ newParentNameFilename);
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.objectName.b,
+ sizeof(in.objectName.t.name),
+ objectNameFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyDuplicationSelect,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policyduplicationselect: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policyduplicationselect: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policyduplicationselect\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyDuplicationSelect\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t-inpn\tnew parent Name file\n");
+ printf("\t-ion\tobject Name file\n");
+ printf("\t[-io\tinclude object (default no)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/policygetdigest.c b/libstb/tss2/ibmtpm20tss/utils/policygetdigest.c
new file mode 100644
index 0000000..25a6ed3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policygetdigest.c
@@ -0,0 +1,162 @@
+/********************************************************************************/
+/* */
+/* PolicyGetDigest */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyGetDigest_In in;
+ PolicyGetDigest_Out out;
+ TPMI_SH_POLICY policySession = 0;
+ const char *digestFilename = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-of") == 0) {
+ i++;
+ if (i < argc) {
+ digestFilename = argv[i];
+ }
+ else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyGetDigest,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (digestFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.policyDigest.t.buffer,
+ out.policyDigest.t.size,
+ digestFilename );
+ }
+ if (rc == 0) {
+ TSS_PrintAll("policyDigest", out.policyDigest.t.buffer, out.policyDigest.t.size);
+ if (tssUtilsVerbose) printf("policygetdigest: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policygetdigest: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policygetdigest\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyGetDigest\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t[-of\tbinary digest file name (default do not save)]\n");
+ exit(1);
+}
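Review bot: The `-ha` parse near the top of main discards the return value of sscanf, so a non-hex argument leaves policySession at 0 and the later `policySession == 0` test reports it as a missing parameter rather than an invalid one. policymakerpcr.c in this same import already checks `1 != sscanf(...)` for `-bm`, so match that convention here: `if (sscanf(argv[i], "%x", &policySession) != 1) { printf("Invalid -ha argument '%s'\n", argv[i]); printUsage(); }`. The `-of` write is only attempted when rc is still 0 after TSS_Delete, so out.policyDigest is never read on a failed command; a one-line comment above the `TSS_File_WriteBinaryFile` call saying so would make that ordering look deliberate rather than accidental.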
diff --git a/libstb/tss2/ibmtpm20tss/utils/policymaker.c b/libstb/tss2/ibmtpm20tss/utils/policymaker.c
new file mode 100644
index 0000000..7290ed7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policymaker.c
@@ -0,0 +1,354 @@
+/********************************************************************************/
+/* */
+/* policymaker */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+ policymaker calculates a TPM2 policy hash
+
+ Inputs are:
+
+ a hash algorithm
+ a file with lines in hexascii, to be extended into the policy digest, big endian
+
+ NOTE: Empty lines (lines with just a newline character) are permitted and cause a double hash.
+ This is useful for e.g. TPM2_PolicySigned when the policyRef is empty.
+
+ Outputs are:
+
+ if specified, a file with a binary digest
+ if specified, a print of the hash
+
+ Example input: policy command code with a command code of NV write
+
+ 0000016c00000137
+
+ TPM2_PolicyCounterTimer is handled as a special case, where there is a double hash.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <errno.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tsscrypto.h>
+
+static void printUsage(void);
+static int Format_FromHexascii(unsigned char *binary,
+ const char *string,
+ size_t length);
+static int Format_ByteFromHexascii(unsigned char *byte,
+ const char *string);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ char *prc = NULL; /* pointer return code */
+ const char *inFilename = NULL;
+ const char *outFilename = NULL;
+ int pr = FALSE;
+ int nz = FALSE;
+ int noSpace = FALSE;
+ TPMT_HA digest;
+ /* initialized to suppress false gcc -O3 warning */
+ uint32_t sizeInBytes = 0; /* hash algorithm mapped to size */
+ uint32_t startSizeInBytes = 0; /* starting buffer for extend */
+ FILE *inFile = NULL;
+ FILE *outFile = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line defaults */
+ digest.hashAlg = TPM_ALG_SHA256;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ digest.hashAlg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ digest.hashAlg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ digest.hashAlg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ digest.hashAlg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ inFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-of") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename = argv[i];
+ }
+ else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pr") == 0) {
+ pr = TRUE;
+ }
+ else if (strcmp(argv[i],"-nz") == 0) {
+ nz = TRUE;
+ }
+ else if (strcmp(argv[i],"-ns") == 0) {
+ noSpace = TRUE;
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (inFilename == NULL) {
+ printf("Missing input file parameter -if\n");
+ printUsage();
+ }
+ /* open the input file */
+ if (rc == 0) {
+ inFile = fopen(inFilename, "r");
+ if (inFile == NULL) {
+ printf("Error opening %s for %s, %s\n", inFilename, "r", strerror(errno));
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(digest.hashAlg);
+ /* startauthsession sets session digest to zero */
+ if (!nz) {
+ startSizeInBytes = sizeInBytes;
+ memset((uint8_t *)&digest.digest, 0, sizeInBytes);
+ }
+ else { /* nz TRUE, start with empty buffer */
+ startSizeInBytes = 0;
+ }
+ }
+ /* iterate through each line */
+ do {
+ char lineString[10240]; /* returned line in hex ascii */
+ unsigned char lineBinary[5120]; /* returned line in binary */
+ size_t lineLength;
+
+ if (rc == 0) {
+ prc = fgets(lineString, sizeof(lineString), inFile);
+ }
+ if (prc != NULL) {
+ /* convert hex ascii to binary */
+ if (rc == 0) {
+ lineLength = strlen(lineString);
+ rc = Format_FromHexascii(lineBinary,
+ lineString, lineLength/2);
+ }
+ if (rc == 0) {
+ /* not TPM2_PolicyCounterTimer */
+ if (memcmp(lineString, "0000016d", 8) != 0) {
+ /* hash extend digest.digest with line */
+ if (rc == 0) {
+ rc = TSS_Hash_Generate(&digest,
+ startSizeInBytes, (uint8_t *)&digest.digest,
+ lineLength /2, lineBinary,
+ 0, NULL);
+ }
+ }
+ /* TPM2_PolicyCounterTimer is a special case - double hash */
+ else {
+ TPMT_HA args;
+ args.hashAlg = digest.hashAlg;
+ if (rc == 0) {
+ /* args is a hash of the arguments excluding the command code */
+ rc = TSS_Hash_Generate(&args,
+ (lineLength /2) -4, lineBinary +4,
+ 0, NULL);
+ }
+ if (rc == 0) {
+ uint8_t commandCode[] = {0x00, 0x00, 0x01, 0x6d};
+ rc = TSS_Hash_Generate(&digest,
+ startSizeInBytes, (uint8_t *)&digest.digest,
+ sizeof(commandCode), commandCode,
+ startSizeInBytes, (uint8_t *)&args.digest,
+ 0, NULL);
+ }
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_PrintAll("intermediate policy digest",
+ (uint8_t *)&digest.digest, sizeInBytes);
+ }
+ }
+ }
+ while ((rc == 0) && (prc != NULL));
+
+ if ((rc == 0) && pr) {
+ TSS_PrintAll("policy digest", (uint8_t *)&digest.digest, sizeInBytes);
+ }
+ if ((rc == 0) && noSpace) {
+ unsigned int b;
+ printf("policy digest:\n");
+ for (b = 0 ; b < sizeInBytes ; b++) {
+ printf("%02x", *(((uint8_t *)&digest.digest) + b));
+ }
+ printf("\n");
+ }
+ /* open the output file */
+ if ((rc == 0) && (outFilename != NULL)) {
+ outFile = fopen(outFilename, "wb");
+ if (outFile == NULL) {
+ printf("Error opening %s for %s, %s\n", outFilename , "W", strerror(errno));
+ rc = EXIT_FAILURE;
+ }
+ }
+ if ((rc == 0) && (outFilename != NULL)) {
+ fwrite((uint8_t *)&digest.digest, 1, sizeInBytes, outFile);
+ }
+ if (inFile != NULL) {
+ fclose(inFile);
+ }
+ if (outFile != NULL) {
+ fclose(outFile);
+ }
+ if (rc != 0) {
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+/* Format_FromHexAscii() converts 'string' in hex ascii to 'binary' of 'length'
+
+ It assumes that the string has enough bytes to accommodate the length.
+*/
+
+static int Format_FromHexascii(unsigned char *binary,
+ const char *string,
+ size_t length)
+{
+ int rc = 0;
+ size_t i;
+
+ for (i = 0 ; (rc == 0) && (i < length) ; i++) {
+ rc = Format_ByteFromHexascii(binary + i,
+ string + (i * 2));
+
+ }
+ return rc;
+}
+
+/* Format_ByteFromHexAscii() converts two bytes of hex ascii to one byte of binary
+ */
+
+static int Format_ByteFromHexascii(unsigned char *byte,
+ const char *string)
+{
+ int rc = 0;
+ size_t i;
+ char c;
+ *byte = 0;
+
+ for (i = 0 ; (rc == 0) && (i < 2) ; i++) {
+ (*byte) <<= 4; /* big endian, shift up the nibble */
+ c = *(string + i); /* extract the next character from the string */
+
+ if ((c >= '0') && (c <= '9')) {
+ *byte += c - '0';
+ }
+ else if ((c >= 'a') && (c <= 'f')) {
+ *byte += c + 10 - 'a';
+ }
+ else if ((c >= 'A') && (c <= 'F')) {
+ *byte += c + 10 - 'A';
+ }
+ else {
+ printf("Format_ByteFromHexascii: "
+ "Error: Line has non hex ascii character: %02x %c\n", c, c);
+ rc = EXIT_FAILURE;
+ }
+ }
+ return rc;
+}
+
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policymaker\n");
+ printf("\n");
+ printf("\t[-halg\thash algorithm (sha1 sha256 sha384 sha512) (default sha256)]\n");
+ printf("\t[-nz\tdo not extend starting with zeros, just hash the last line]\n");
+ printf("\t-if\tinput policy statements in hex ascii\n");
+ printf("\t[-of\toutput file - policy hash in binary]\n");
+ printf("\t[-pr\tstdout - policy hash in hex ascii]\n");
+ printf("\t[-ns\tadditionally print policy hash in hex ascii on one line]\n");
+ printf("\t\tUseful to paste into policy OR\n");
+ printf("\n");
+ exit(1);
+}
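Review bot: The output digest is written with a bare `fwrite` whose return value is ignored, and the following `fclose(outFile)` is unchecked as well, so a short or failed write leaves a truncated policy file on disk while the tool still exits 0; since that file is what later gets bound into TPM policies, the write path should fail loudly. A second, smaller problem is the `-nz` path: digest.digest is only zeroed in the `!nz` branch, so an empty input file with `-nz` reaches the `-pr`/`-ns` printing and the fwrite with an uninitialized stack buffer — either memset the digest unconditionally or refuse to emit anything when no line was hashed. The `-halg` missing-value branch also prints `Missing parameter for -hi`, which should read `-halg`.

```c
    /* … unchanged: digest computation, -pr / -ns printing, fopen of outFile … */
    if ((rc == 0) && (outFilename != NULL)) {
	/* a short write would leave a truncated digest that silently fails to match */
	if (fwrite((uint8_t *)&digest.digest, 1, sizeInBytes, outFile) != sizeInBytes) {
	    printf("Error writing %s, %s\n", outFilename, strerror(errno));
	    rc = EXIT_FAILURE;
	}
    }
    if (inFile != NULL) {
	fclose(inFile);
    }
    if (outFile != NULL) {
	/* fclose() flushes; a failure here is a failed write of the digest */
	if (fclose(outFile) != 0) {
	    printf("Error closing %s, %s\n", outFilename, strerror(errno));
	    rc = EXIT_FAILURE;
	}
    }
```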
diff --git a/libstb/tss2/ibmtpm20tss/utils/policymakerpcr.c b/libstb/tss2/ibmtpm20tss/utils/policymakerpcr.c
new file mode 100644
index 0000000..41f8faf
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policymakerpcr.c
@@ -0,0 +1,439 @@
+/********************************************************************************/
+/* */
+/* policymakerpcr */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+ policymakerpcr calculates a policyPCR term suitable for input to policymaker
+
+ Inputs are:
+
+ a hash algorithm
+
+ a byte mask, totally big endian, e.g. 010000 is PCR 16
+
+ a file with lines in hexascii representing PCRs, e.g., the output of pcrread -ns
+ removed
+
+ This assumes that the byte mask and PCR value file are consistent.
+
+ Outputs are:
+
+ if specified, a file with a hex ascii policyPCR line suitable for input to policymaker
+
+ if specified, a print of the hash
+
+ Example:
+
+ policymakerpcr -halg sha1 -bm 010000 -if policies/policypcr16aaasha1.txt -v -pr -of policies/policypcr.txt
+
+ Where policypcr16aaasha1.txt is represents the SHA-1 value of PCR 16
+
+ e.g., 1d47f68aced515f7797371b554e32d47981aa0a0
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <errno.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tsscrypto.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+static void printPolicyPCR(FILE *out,
+ uint32_t sizeInBytes,
+ TPML_PCR_SELECTION *pcrs,
+ TPMT_HA *digest);
+static int Format_FromHexascii(unsigned char *binary,
+ const char *string,
+ size_t length);
+static int Format_ByteFromHexascii(unsigned char *byte,
+ const char *string);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ char *prc = NULL; /* pointer return code */
+ const char *inFilename = NULL;
+ const char *outFilename = NULL;
+ FILE *inFile = NULL;
+ FILE *outFile = NULL;
+ /* initialized to suppress false gcc -O3 warning */
+ uint32_t sizeInBytes = 0; /* hash algorithm mapped to size */
+ uint32_t pcrmask = 0xffffffff; /* pcr register mask */
+ TPML_PCR_SELECTION pcrs;
+ unsigned int pcrCount = 0;
+ TPMU_HA pcr[IMPLEMENTATION_PCR]; /* all the PCRs */
+ int pr = FALSE;
+ TPMT_HA digest;
+ uint8_t pcrBytes[IMPLEMENTATION_PCR * sizeof(TPMU_HA)];
+ uint16_t pcrLength;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line defaults */
+ digest.hashAlg = TPM_ALG_SHA256;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ digest.hashAlg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ digest.hashAlg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ digest.hashAlg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ digest.hashAlg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-bm") == 0) {
+ i++;
+ if (i < argc) {
+ if (1 != sscanf(argv[i], "%x", &pcrmask)) {
+ printf("Invalid -bm argument '%s'\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-bm option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-of") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename = argv[i];
+ }
+ else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ inFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pr") == 0) {
+ pr = TRUE;
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (pcrmask == 0xffffffff) {
+ printf("Missing or illegal pcr byte mask parameter -bm\n");
+ printUsage();
+ }
+ if ((pcrmask != 0) && (inFilename == NULL)) {
+ printf("Missing file name parameter -if\n");
+ printUsage();
+ }
+ if ((pcrmask == 0) && (inFilename != NULL)) {
+ printf("Unnecessary file name parameter -if\n");
+ printUsage();
+ }
+ /* open the input file if needed */
+ if ((rc == 0) && (pcrmask != 0)) {
+ inFile = fopen(inFilename, "r");
+ if (inFile == NULL) {
+ printf("Error opening %s for %s, %s\n", inFilename, "r", strerror(errno));
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(digest.hashAlg);
+ }
+ /* Table 102 - Definition of TPML_PCR_SELECTION Structure */
+ if (rc == 0) {
+ pcrs.count = 1; /* hard code one hash algorithm */
+ /* Table 85 - Definition of TPMS_PCR_SELECTION Structure - pcrSelections */
+ pcrs.pcrSelections[0].hash = digest.hashAlg;
+ pcrs.pcrSelections[0].sizeofSelect= 3; /* hard code 24 PCRs */
+ /* TCG always marshals lower PCR first */
+ pcrs.pcrSelections[0].pcrSelect[0] = (pcrmask >> 0) & 0xff;
+ pcrs.pcrSelections[0].pcrSelect[1] = (pcrmask >> 8) & 0xff;
+ pcrs.pcrSelections[0].pcrSelect[2] = (pcrmask >> 16) & 0xff;
+ }
+ /* read the input file to the PCR array, assumes the PCR select bm has the correct number of
+ bits */
+ /* iterate through each line */
+ for (pcrCount = 0 ;
+ (rc == 0) && (pcrCount < IMPLEMENTATION_PCR) && (inFile != NULL) ;
+ pcrCount++) {
+
+ char lineString[256]; /* returned line in hex ascii */
+ uint32_t lineLength;
+
+ if (rc == 0) {
+ prc = fgets(lineString, sizeof(lineString), inFile);
+ }
+ /* no more lines, pcrCount is number of PCRs processed */
+ if (rc == 0) {
+ if (prc == NULL) {
+ break;
+ }
+ }
+ if (rc == 0) {
+ lineLength = strlen(lineString);
+ if (lineLength == 0) {
+ break;
+ }
+ if (lineString[lineLength-1] == '\n') {
+ lineString[lineLength-1] = '0';
+ lineLength--;
+ }
+ }
+ if (rc == 0) {
+ if (lineLength != (sizeInBytes *2)) {
+ printf("Line length %u is not twice digest size %u\n", lineLength, sizeInBytes);
+ rc = -1;
+ }
+ }
+ /* convert hex ascii to binary */
+ if ((rc == 0) && (prc != NULL)) {
+ rc = Format_FromHexascii((uint8_t *)&pcr[pcrCount],
+ lineString, lineLength/2);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("PCR %u\n", pcrCount);
+ if (tssUtilsVerbose) TSS_PrintAll("PCR", (uint8_t *)&pcr[pcrCount], sizeInBytes);
+ }
+ }
+ /* serialize PCRs */
+ if (rc == 0) {
+ unsigned int pc;
+ uint8_t *buffer = pcrBytes;
+ uint32_t size = IMPLEMENTATION_PCR * sizeof(TPMU_HA);
+ pcrLength = 0;
+ for (pc = 0 ; (rc == 0) && (pc < pcrCount) ; pc++) {
+ rc = TSS_Array_Marshalu((uint8_t *)&pcr[pc], sizeInBytes, &pcrLength, &buffer, &size);
+ }
+ }
+ /* hash the marshaled PCR array */
+ if (rc == 0) {
+ rc = TSS_Hash_Generate(&digest,
+ pcrLength, pcrBytes,
+ 0, NULL);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_PrintAll("PCR composite digest", (uint8_t *)&digest.digest, sizeInBytes);
+ }
+ if ((rc == 0) && pr) {
+ printPolicyPCR(stdout,
+ sizeInBytes,
+ &pcrs,
+ &digest);
+ }
+ if (outFilename != NULL) {
+ if (rc == 0) {
+ outFile = fopen(outFilename, "wb");
+ if (outFile == NULL) {
+ printf("Error opening %s for %s, %s\n", outFilename , "W", strerror(errno));
+ rc = EXIT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ printPolicyPCR(outFile,
+ sizeInBytes,
+ &pcrs,
+ &digest);
+ }
+ }
+ if (inFile != NULL) {
+ fclose(inFile);
+ }
+ if (outFile != NULL) {
+ fclose(outFile);
+ }
+ if (rc != 0) {
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printPolicyPCR(FILE *out,
+ uint32_t sizeInBytes,
+ TPML_PCR_SELECTION *pcrs,
+ TPMT_HA *digest)
+{
+ unsigned int i;
+ uint8_t *pcrDigest = (uint8_t *)&digest->digest;
+
+ fprintf(out, "%02x", 0xff & (TPM_CC_PolicyPCR >> 24));
+ fprintf(out, "%02x", 0xff & (TPM_CC_PolicyPCR >> 16));
+ fprintf(out, "%02x", 0xff & (TPM_CC_PolicyPCR >> 8));
+ fprintf(out, "%02x", 0xff & (TPM_CC_PolicyPCR >> 0));
+ /* NOTE only handles count of 1, 1 hash algorithm */
+ fprintf(out, "%08x", pcrs->count);
+
+ fprintf(out, "%02x", 0xff & (pcrs->pcrSelections[0].hash >> 8));
+ fprintf(out, "%02x", 0xff & (pcrs->pcrSelections[0].hash >> 0));
+
+ fprintf(out, "%02x", pcrs->pcrSelections[0].sizeofSelect);
+
+ fprintf(out, "%02x", pcrs->pcrSelections[0].pcrSelect[0]);
+ fprintf(out, "%02x", pcrs->pcrSelections[0].pcrSelect[1]);
+ fprintf(out, "%02x", pcrs->pcrSelections[0].pcrSelect[2]);
+
+ for (i = 0 ; i < sizeInBytes ; i++) {
+ fprintf(out, "%02x", pcrDigest[i]);
+ }
+ fprintf(out, "\n");
+ return;
+}
+
+/* Format_FromHexAscii() converts 'string' in hex ascii to 'binary' of 'length'
+
+ It assumes that the string has enough bytes to accommodate the length.
+*/
+
+static int Format_FromHexascii(unsigned char *binary,
+ const char *string,
+ size_t length)
+{
+ int rc = 0;
+ size_t i;
+
+ for (i = 0 ; (rc == 0) && (i < length) ; i++) {
+ rc = Format_ByteFromHexascii(binary + i,
+ string + (i * 2));
+
+ }
+ return rc;
+}
+
+/* Format_ByteFromHexAscii() converts two bytes of hex ascii to one byte of binary
+ */
+
+static int Format_ByteFromHexascii(unsigned char *byte,
+ const char *string)
+{
+ int rc = 0;
+ size_t i;
+ char c;
+ *byte = 0;
+
+ for (i = 0 ; (rc == 0) && (i < 2) ; i++) {
+ (*byte) <<= 4; /* big endian, shift up the nibble */
+ c = *(string + i); /* extract the next character from the string */
+
+ if ((c >= '0') && (c <= '9')) {
+ *byte += c - '0';
+ }
+ else if ((c >= 'a') && (c <= 'f')) {
+ *byte += c + 10 - 'a';
+ }
+ else if ((c >= 'A') && (c <= 'F')) {
+ *byte += c + 10 - 'A';
+ }
+ else {
+ printf("Format_ByteFromHexascii: "
+ "Error: Line has non hex ascii character: %c\n", c);
+ rc = EXIT_FAILURE;
+ }
+ }
+ return rc;
+}
+
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policymakerpcr\n");
+ printf("\n");
+ printf("Creates a policyPCR term suitable for input to policymaker (hex ascii)\n");
+ printf("\n");
+ printf("Assumes that the byte mask and PCR values are consistent\n");
+ printf("\n");
+ printf("\t[-halg\thash algorithm (sha1 sha256 sha384 sha512) (default sha256)]\n");
+ printf("\t-bm\tpcr byte mask in hex, big endian\n");
+ printf("\n");
+ printf("\te.g. 010000 selects PCR 16\n");
+ printf("\te.g. ffffff selects all 24 PCRs\n");
+ printf("\n");
+ printf("\t-if input file - PCR values, hex ascii, one per line, %u max\n", IMPLEMENTATION_PCR);
+ printf("\trequired unless pcr mask is 0\n");
+ printf("\n");
+ printf("\t[-of\toutput file - policy hash in binary]\n");
+ printf("\t[-pr\tstdout - policy hash in hex ascii]\n");
+ printf("\n");
+ exit(1);
+}
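Review bot: The `-bm` mask is only consumed through its low three bytes at the pcrSelect assignments, so a value such as `01000000` (any bit above PCR 23) is silently dropped and the tool emits a well-formed PolicyPCR term for a different PCR set than the user asked for; reject it right after the sentinel check with `if (pcrmask > 0xffffff) { printf("-bm mask selects beyond 24 PCRs\n"); printUsage(); }`. The header comment states that the mask and the PCR value file are assumed consistent, but the read loop already counts lines into pcrCount, so comparing that against the number of set bits in pcrmask would turn a mismatch into a build-time error instead of a digest that presumably never matches on the TPM. Separately, the newline strip stores `'0'` rather than `'\0'` into lineString; it is harmless because lineLength is decremented and only lineLength/2 bytes are converted, but it reads as a typo and should be `lineString[lineLength-1] = '\0';`.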
diff --git a/libstb/tss2/ibmtpm20tss/utils/policynamehash.c b/libstb/tss2/ibmtpm20tss/utils/policynamehash.c
new file mode 100644
index 0000000..e1263d2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policynamehash.c
@@ -0,0 +1,256 @@
+/********************************************************************************/
+/* */
+/* PolicyNameHash */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyNameHash_In in;
+ TPMI_SH_POLICY policySession = 0;
+ const char *nameHashFilename = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+ uint8_t *buffer = NULL;
+ size_t length = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nh") == 0) {
+ i++;
+ if (i < argc) {
+ nameHashFilename = argv[i];
+ }
+ else {
+ printf("-inpn option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (nameHashFilename == NULL) {
+ printf("Missing handle parameter -nh\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ nameHashFilename);
+ }
+ if (rc == 0) {
+ if (length <= sizeof(in.nameHash.t.buffer)) {
+ in.nameHash.t.size = (uint16_t)length;
+ memcpy(&in.nameHash.t.buffer, buffer, length);
+ }
+ else {
+ printf("Name length %u too large\n", (unsigned int)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyNameHash,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policynamehash: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policynamehash: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policynamehash\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyNameHash\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t-nh\tNameHash file - TPM2B_DIGEST\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
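Review bot: The missing-value branch for `-nh` prints `-inpn option needs a value`, an option this tool does not accept (apparently carried over from policyduplicationselect), and the later check reports `Missing handle parameter -nh` although `-nh` takes a file name; change them to `printf("-nh option needs a value\n");` and `printf("Missing name hash file parameter -nh\n");`. The `-ha` and `-se[0-2]` sscanf calls also discard their return values, so a non-hex argument silently keeps the default handle; checking for a return of 1 as policymakerpcr.c does for `-bm` would surface that as a usage error. The length check before the memcpy into in.nameHash.t.buffer is correct, and a short comment there noting that the tool does not compare the digest length against the session's hash algorithm would save a reader from looking for a second check.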
diff --git a/libstb/tss2/ibmtpm20tss/utils/policynv.c b/libstb/tss2/ibmtpm20tss/utils/policynv.c
new file mode 100644
index 0000000..002751f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policynv.c
@@ -0,0 +1,360 @@
+/********************************************************************************/
+/* */
+/* PolicyNV */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyNV_In in;
+ char hierarchyChar = 0;
+ const char *authPassword = NULL; /* default no password */
+ TPMI_RH_NV_INDEX nvIndex = 0;
+ TPMI_SH_POLICY policySession = 0;
+ const char *operandBData = NULL;
+ const char *operandBFilename = NULL;
+ uint16_t offset = 0; /* default 0 */
+ TPM_EO operation = 0; /* default A = B */
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &nvIndex);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hs") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -hs\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ic") == 0) {
+ i++;
+ if (i < argc) {
+ operandBData = argv[i];
+ }
+ else {
+ printf("-ic option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-if") == 0) {
+ i++;
+ if (i < argc) {
+ operandBFilename = argv[i];
+ } else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-off") == 0) {
+ i++;
+ if (i < argc) {
+ offset = atoi(argv[i]);
+ }
+ else {
+ printf("-off option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-op") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%hx", &operation);
+ }
+ else {
+ printf("Missing parameter for -op\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (nvIndex == 0) {
+ printf("Missing NV index handle parameter -ha\n");
+ printUsage();
+ }
+ if (policySession == 0) {
+ printf("Missing policy session handle parameter -hs\n");
+ printUsage();
+ }
+ if ((operandBData == NULL) && (operandBFilename == NULL)) {
+ printf("operandB data string or data file must be specified\n");
+ printUsage();
+ }
+ if ((operandBData != NULL) && (operandBFilename != NULL)) {
+ printf("operandB data string and data file cannot both be specified\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ if (hierarchyChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else if (hierarchyChar == 0) {
+ in.authHandle = nvIndex;
+ }
+ else {
+ printf("Missing or illegal -hi\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ in.nvIndex = nvIndex;
+ in.policySession = policySession;
+ in.offset = offset;
+ in.operation = operation;
+ }
+ if (operandBData != NULL) {
+ rc = TSS_TPM2B_StringCopy(&in.operandB.b,
+ operandBData, sizeof(in.operandB.t.buffer));
+
+ }
+ if (operandBFilename != NULL) {
+ rc = TSS_File_Read2B(&in.operandB.b,
+ sizeof(in.operandB.t.buffer),
+ operandBFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyNV,
+ sessionHandle0, authPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policynv: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policynv: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policynv\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyNV\n");
+ printf("\n");
+ printf("\t[-hi\thierarchy authHandle (o, p)]\n");
+ printf("\t\tdefault NV index\n");
+ printf("\n");
+ printf("\t-ha\tNV index handle (operand A)\n");
+ printf("\t[-pwda\tpassword for authorization (default empty)]\n");
+ printf("\t-hs\tpolicy session handle\n");
+ printf("\t-ic\tdata string (operandB)\n");
+ printf("\t-if\tdata file (operandB) \n");
+ printf("\t[-off\toffset (default 0)]\n");
+ printf("\t-op\toperation (default A = B)\n");
+ printf("\n");
+ printf("\t\t0 A = B \n");
+ printf("\t\t1 A != B \n");
+ printf("\t\t2 A > B signed \n");
+ printf("\t\t3 A > B unsigned \n");
+ printf("\t\t4 A < B signed \n");
+ printf("\t\t5 A < B unsigned \n");
+ printf("\t\t6 A >= B signed \n");
+ printf("\t\t7 A >= B unsigned \n");
+ printf("\t\t8 A <= B signed \n");
+ printf("\t\t9 A <= B unsigned \n");
+ printf("\t\tA All bits SET in B are SET in A. ((A&B)=B) \n");
+ printf("\t\tB All bits SET in B are CLEAR in A. ((A&B)=0) \n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/policynvwritten.c b/libstb/tss2/ibmtpm20tss/utils/policynvwritten.c
new file mode 100644
index 0000000..1e688be
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policynvwritten.c
@@ -0,0 +1,247 @@
+/********************************************************************************/
+/* */
+/* PolicyNvWritten */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyNvWritten_In in;
+ TPMI_SH_POLICY policySession = 0;
+ char writtenSetChar = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ws") == 0) {
+ i++;
+ if (i < argc) {
+ writtenSetChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -ws\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hs") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -hs\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing policy session handle parameter -hs\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ if (writtenSetChar == 'y') {
+ in.writtenSet = YES;
+ }
+ else if (writtenSetChar == 'n') {
+ in.writtenSet = NO;
+ }
+ else {
+ printf("Missing or illegal -ws\n");
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyNvWritten,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policynvwritten: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policynvwritten: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policynvwritten\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyNvWritten\n");
+ printf("\n");
+ printf("\t-hs\tpolicy session handle\n");
+ printf("\t-ws\twritten set (y, n)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t80\taudit\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/policyor.c b/libstb/tss2/ibmtpm20tss/utils/policyor.c
new file mode 100644
index 0000000..692ce4f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policyor.c
@@ -0,0 +1,251 @@
+/********************************************************************************/
+/* */
+/* PolicyOR */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ uint32_t j;
+ PolicyOR_In in;
+ TPMI_SH_POLICY policySession = 0;
+ const char *pHashListFilename[8];
+ uint32_t count = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ if (count < 8) {
+ pHashListFilename[count] = argv[i];
+ count++;
+ }
+ else {
+ printf("-if can only be specified up to 8 times\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (count < 2) {
+ printf("-if must be specified 2 to 8 times\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ in.pHashList.count = count;
+ }
+ /* -if is specified 2-8 times and fills the pHashListFilename array of policy AND term file names */
+ for (j = 0 ; ((j < count) && (rc == 0)) ; j++) {
+ rc = TSS_File_Read2B(&in.pHashList.digests[j].b,
+ sizeof(in.pHashList.digests[j].t.buffer),
+ pHashListFilename[j]);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyOR,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policyor: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policyor: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policyor\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyOR\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t-if\tpolicy digest file (2-8 -if specifiers required)\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/policypassword.c b/libstb/tss2/ibmtpm20tss/utils/policypassword.c
new file mode 100644
index 0000000..d9b806d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policypassword.c
@@ -0,0 +1,142 @@
+/********************************************************************************/
+/* */
+/* PolicyPassword */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ TPMI_SH_POLICY policySession = 0;
+ PolicyPassword_In in;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyPassword,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policypassword: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policypassword: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policypassword\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyPassword\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/policypcr.c b/libstb/tss2/ibmtpm20tss/utils/policypcr.c
new file mode 100644
index 0000000..adbc0a8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policypcr.c
@@ -0,0 +1,276 @@
+/********************************************************************************/
+/* */
+/* PolicyPCR */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyPCR_In in;
+ TPMI_SH_POLICY policySession = 0;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ uint32_t pcrmask = 0xffffffff; /* pcr register mask */
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-bm") == 0) {
+ i++;
+ if (i < argc) {
+ if (1 != sscanf(argv[i], "%x", &pcrmask)) {
+ printf("Invalid -bm argument '%s'\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-bm option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (pcrmask == 0xffffffff) {
+ printf("Missing handle parameter -bm\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ /* NOTE not implemented yet */
+ in.pcrDigest.b.size = 0;
+ /* Table 102 - Definition of TPML_PCR_SELECTION Structure */
+ in.pcrs.count = 1; /* hard code one hash algorithm */
+ /* Table 85 - Definition of TPMS_PCR_SELECTION Structure - pcrSelections */
+ in.pcrs.pcrSelections[0].hash = halg;
+ in.pcrs.pcrSelections[0].sizeofSelect= 3; /* hard code 24 PCRs */
+ /* TCG always marshals lower PCR first */
+ in.pcrs.pcrSelections[0].pcrSelect[0] = (pcrmask >> 0) & 0xff;
+ in.pcrs.pcrSelections[0].pcrSelect[1] = (pcrmask >> 8) & 0xff;
+ in.pcrs.pcrSelections[0].pcrSelect[2] = (pcrmask >> 16) & 0xff;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyPCR,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policypcr: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policypcr: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policypcr\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyPCR\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t-bm\tpcr mask in hex\n");
+ printf("\t\te.g., -bm 10000 is PCR 16, 000001 is PCR 0\n");
+ exit(1);
+}
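Review bot: The `-bm` value is parsed as a full 32-bit hex number but only its low three bytes are copied into `pcrSelect[0..2]` near the end of main, so a mask naming PCR 24 or higher is silently discarded rather than rejected, and the `0xffffffff` "missing" sentinel also rejects a user who literally passes that value. Add a range check after the option loop, `if (pcrmask > 0xffffff) { printf("-bm mask must select only PCRs 0-23\n"); printUsage(); }`, or track "not supplied" with a separate flag. printUsage also omits the `-se0`/`-se1`/`-se2` options the parser accepts; add `printf("\t-se[0-2] session handle / attributes (default NULL)\n");` so the tool documents its own options as policysecret.c does.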
diff --git a/libstb/tss2/ibmtpm20tss/utils/policyrestart.c b/libstb/tss2/ibmtpm20tss/utils/policyrestart.c
new file mode 100644
index 0000000..4978ba4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policyrestart.c
@@ -0,0 +1,218 @@
+/********************************************************************************/
+/* */
+/* PolicyRestart */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyRestart_In in;
+ TPMI_SH_POLICY sessionHandle = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (sessionHandle == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.sessionHandle = sessionHandle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyRestart,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policyrestart: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policyrestart: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policyrestart\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyRestart\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ exit(1);
+}
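Review bot: The `-ha`, `-se0`, `-se1` and `-se2` handlers discard the return value of sscanf, so a non-hex argument leaves the handle at its default and, for `-ha`, yields the misleading "Missing handle parameter -ha" message instead of an invalid-argument error; the `-bm` handler in policypcr.c from this same import already checks `1 != sscanf(...)`. Apply the same pattern here, e.g. `if (sscanf(argv[i],"%x", &sessionHandle) != 1) { printf("Invalid -ha argument '%s'\n", argv[i]); printUsage(); }`. printUsage also does not list the `-se[0-2]` options this tool parses; add `printf("\t-se[0-2] session handle / attributes (default NULL)\n");`.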
diff --git a/libstb/tss2/ibmtpm20tss/utils/policysecret.c b/libstb/tss2/ibmtpm20tss/utils/policysecret.c
new file mode 100644
index 0000000..20642d8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policysecret.c
@@ -0,0 +1,358 @@
+/********************************************************************************/
+/* */
+/* PolicySecret */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicySecret_In in;
+ PolicySecret_Out out;
+ TPMI_DH_ENTITY authHandle = 0;
+ TPMI_SH_POLICY policySession = 0;
+ const char *nonceTPMFilename = NULL;
+ const char *cpHashAFilename = NULL;
+ const char *policyRefFilename = NULL;
+ int32_t expiration = 0;
+ const char *ticketFilename = NULL;
+ const char *timeoutFilename = NULL;
+ const char *entityPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ in.nonceTPM.b.size = 0;
+ in.cpHashA.b.size = 0;
+ in.policyRef.b.size = 0;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &authHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hs") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -hs\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-in") == 0) {
+ i++;
+ if (i < argc) {
+ nonceTPMFilename = argv[i];
+ }
+ else {
+ printf("-in option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-cp") == 0) {
+ i++;
+ if (i < argc) {
+ cpHashAFilename = argv[i];
+ }
+ else {
+ printf("-cp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pref") == 0) {
+ i++;
+ if (i < argc) {
+ policyRefFilename = argv[i];
+ }
+ else {
+ printf("-pref option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-exp") == 0) {
+ i++;
+ if (i < argc) {
+ expiration = atoi(argv[i]);
+ }
+ else {
+ printf("Missing parameter for -exp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwde") == 0) {
+ i++;
+ if (i < argc) {
+ entityPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-tk") == 0) {
+ i++;
+ if (i < argc) {
+ ticketFilename = argv[i];
+ }
+ else {
+ printf("-tk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-to") == 0) {
+ i++;
+ if (i < argc) {
+ timeoutFilename = argv[i];
+ }
+ else {
+ printf("-to option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (authHandle == 0) {
+ printf("Missing authorizing entity handle parameter -hs\n");
+ printUsage();
+ }
+ if (policySession == 0) {
+ printf("Missing policy session handle parameter -hs\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.authHandle = authHandle;
+ in.policySession = policySession;
+ }
+ if ((rc == 0) && (nonceTPMFilename != NULL)) {
+ rc = TSS_File_Read2B(&in.nonceTPM.b,
+ sizeof(in.nonceTPM.t.buffer),
+ nonceTPMFilename);
+ }
+ if ((rc == 0) && (cpHashAFilename != NULL)) {
+ rc = TSS_File_Read2B(&in.cpHashA.b,
+ sizeof(in.cpHashA.t.buffer),
+ cpHashAFilename);
+ }
+ if ((rc == 0) && (policyRefFilename != NULL)) {
+ rc = TSS_File_Read2B(&in.policyRef.b,
+ sizeof(in.policyRef.t.buffer),
+ policyRefFilename);
+ }
+ if (rc == 0) {
+ in.expiration = expiration;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicySecret,
+ sessionHandle0, entityPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (ticketFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.policyTicket,
+ (MarshalFunction_t)TSS_TPMT_TK_AUTH_Marshalu,
+ ticketFilename);
+ }
+ if ((rc == 0) && (timeoutFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.timeout.b.buffer,
+ out.timeout.b.size,
+ timeoutFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policysecret: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policysecret: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policysecret\n");
+ printf("\n");
+ printf("Runs TPM2_PolicySecret\n");
+ printf("\n");
+ printf("\t-ha\tauthorizing entity handle\n");
+ printf("\t-hs\tpolicy session handle\n");
+ printf("\t[-in\tnonceTPM file (default none)]\n");
+ printf("\t[-cp\tcpHash file (default none)]\n");
+ printf("\t[-pref\tpolicyRef file (default none)]\n");
+ printf("\t[-exp\texpiration (default none)]\n");
+ printf("\t[-pwde\tauthorizing entity password (default empty)]\n");
+ printf("\t[-tk\tticket file name]\n");
+ printf("\t[-to\ttimeout file name]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
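Review bot: Two option error messages name the wrong flag: the missing-`-ha` check after the option loop prints "Missing authorizing entity handle parameter -hs", and the `-pwde` handler prints "-pwda option needs a value", so a user following the message will not find the option in printUsage. Change them to `printf("Missing authorizing entity handle parameter -ha\n");` and `printf("-pwde option needs a value\n");`. Separately, `-pwde` takes the authorizing entity's password on the command line, which is typically visible to other local users via the process list and shell history; a one-line caveat in printUsage, `printf("\t\t(a password given on the command line may be visible to other local users)\n");`, would warn operators. `-exp` would also be better served by strtol with an end-pointer check than atoi, which silently maps non-numeric input to an expiration of 0.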
diff --git a/libstb/tss2/ibmtpm20tss/utils/policysigned.c b/libstb/tss2/ibmtpm20tss/utils/policysigned.c
new file mode 100644
index 0000000..469cec9
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policysigned.c
@@ -0,0 +1,456 @@
+/********************************************************************************/
+/* */
+/* PolicySigned */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tsscrypto.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+#include "cryptoutils.h"
+
+static void printUsage(void);
+static TPM_RC signAHash(TPM2B_PUBLIC_KEY_RSA *signature,
+ TPMT_HA *aHash,
+ const char *signingKeyFilename,
+ const char *signingKeyPassword);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicySigned_In in;
+ PolicySigned_Out out;
+ TPMI_DH_OBJECT authObject = 0;
+ TPMI_SH_POLICY policySession = 0;
+ const char *nonceTPMFilename = NULL;
+ const char *cpHashAFilename = NULL;
+ const char *policyRefFilename = NULL;
+ const char *ticketFilename = NULL;
+ const char *timeoutFilename = NULL;
+ int32_t expiration = 0;
+ const char *signingKeyFilename = NULL;
+ const char *signingKeyPassword = NULL;
+ const char *signatureFilename = NULL;
+ uint8_t *signature = NULL;
+ size_t signatureLength;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMT_HA aHash;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ in.nonceTPM.b.size = 0; /* three of the components to aHash are optional */
+ in.cpHashA.b.size = 0;
+ in.policyRef.b.size = 0;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &authObject);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-in") == 0) {
+ i++;
+ if (i < argc) {
+ nonceTPMFilename = argv[i];
+ }
+ else {
+ printf("-in option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-cp") == 0) {
+ i++;
+ if (i < argc) {
+ cpHashAFilename = argv[i];
+ }
+ else {
+ printf("-cp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pref") == 0) {
+ i++;
+ if (i < argc) {
+ policyRefFilename = argv[i];
+ }
+ else {
+ printf("-pref option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-exp") == 0) {
+ i++;
+ if (i < argc) {
+ expiration = atoi(argv[i]);
+ }
+ else {
+ printf("Missing parameter for -exp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-sk") == 0) {
+ i++;
+ if (i < argc) {
+ signingKeyFilename = argv[i];
+ }
+ else {
+ printf("-sk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-is") == 0) {
+ i++;
+ if (i < argc) {
+ signatureFilename = argv[i];
+ }
+ else {
+ printf("-is option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-tk") == 0) {
+ i++;
+ if (i < argc) {
+ ticketFilename = argv[i];
+ }
+ else {
+ printf("-tk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-to") == 0) {
+ i++;
+ if (i < argc) {
+ timeoutFilename = argv[i];
+ }
+ else {
+ printf("-to option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ signingKeyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (authObject == 0) {
+ printf("Missing handle parameter -hk\n");
+ printUsage();
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if ((signingKeyFilename == NULL) && (signatureFilename == NULL)) {
+ printf("Missing signing key -sk or signature -is\n");
+ printUsage();
+ }
+ if ((signingKeyFilename != NULL) && (signatureFilename != NULL)) {
+ printf("Cannot have both signing key -sk and signature -is\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.authObject = authObject;
+ in.policySession = policySession;
+ }
+ /* read the optional components - nonceTPM, cpHashA, policyRef */
+ if ((rc == 0) && (nonceTPMFilename != NULL)) {
+ rc = TSS_File_Read2B(&in.nonceTPM.b,
+ sizeof(in.nonceTPM.t.buffer),
+ nonceTPMFilename);
+ }
+ if ((rc == 0) && (cpHashAFilename != NULL)) {
+ rc = TSS_File_Read2B(&in.cpHashA.b,
+ sizeof(in.cpHashA.t.buffer),
+ cpHashAFilename);
+ }
+ if ((rc == 0) && (policyRefFilename != NULL)) {
+ rc = TSS_File_Read2B(&in.policyRef.b,
+ sizeof(in.policyRef.t.buffer),
+ policyRefFilename);
+ }
+ if (rc == 0) {
+ in.expiration = expiration;
+ in.auth.sigAlg = TPM_ALG_RSASSA; /* sample uses RSASSA */
+ in.auth.signature.rsassa.hash = halg;
+ }
+ /* sample code using a PEM key to sign */
+ if (signingKeyFilename != NULL) {
+ /* calculate the digest from the 4 components according to the TPM spec Part 3. */
+ /* aHash = HauthAlg(nonceTPM || expiration || cpHashA || policyRef) (13) */
+ if (rc == 0) {
+ int32_t expirationNbo = htonl(in.expiration);
+ aHash.hashAlg = halg;
+ /* This varargs function takes length / array pairs. It skips pairs with a length of
+ zero. This handles the three optional components (default length zero) with no
+ special handling. */
+ rc = TSS_Hash_Generate(&aHash, /* largest size of a digest */
+ in.nonceTPM.t.size, in.nonceTPM.t.buffer,
+ sizeof(int32_t), &expirationNbo,
+ in.cpHashA.t.size, in.cpHashA.t.buffer,
+ in.policyRef.t.size, in.policyRef.t.buffer,
+ 0, NULL);
+ }
+ /* sign aHash */
+ if (rc == 0) {
+ rc = signAHash(&in.auth.signature.rsassa.sig, /* sample uses RSASSA */
+ &aHash,
+ signingKeyFilename, signingKeyPassword);
+ }
+ }
+ /* sample code where the signature has been generated externally */
+ if (signatureFilename != NULL) {
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile((unsigned char **)&signature, /* freed @1 */
+ &signatureLength,
+ signatureFilename);
+ }
+ if (rc == 0) {
+ if (signatureLength > sizeof(in.auth.signature.rsassa.sig.t.buffer)) {
+ printf("Signature length %lu is greater than buffer %lu\n",
+ (unsigned long)signatureLength,
+ (unsigned long)sizeof(in.auth.signature.rsassa.sig.t.buffer));
+ rc = TSS_RC_RSA_SIGNATURE;
+ }
+ }
+ if (rc == 0) {
+ in.auth.signature.rsassa.sig.t.size = (uint16_t)signatureLength;
+ memcpy(&in.auth.signature.rsassa.sig.t.buffer, signature, signatureLength);
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicySigned,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (ticketFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.policyTicket,
+ (MarshalFunction_t)TSS_TPMT_TK_AUTH_Marshalu,
+ ticketFilename);
+ }
+ if ((rc == 0) && (timeoutFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.timeout.b.buffer,
+ out.timeout.b.size,
+ timeoutFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policysigned: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policysigned: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(signature); /* @1 */
+ return rc;
+}
+
+/* signAHash() signs digest, returns signature. The signature TPM2B_PUBLIC_KEY_RSA is a member of
+ the TPMT_SIGNATURE command parameter.
+
+ This sample signer uses a pem file signingKeyFilename with signingKeyPassword.
+
+*/
+
+TPM_RC signAHash(TPM2B_PUBLIC_KEY_RSA *signature,
+ TPMT_HA *aHash,
+ const char *signingKeyFilename,
+ const char *signingKeyPassword)
+{
+ TPM_RC rc = 0;
+ void *rsaKey = NULL;
+ uint32_t sizeInBytes; /* hash algorithm mapped to size */
+ size_t signatureLength; /* RSA_Sign() output */
+
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(aHash->hashAlg);
+#if 0
+ if (tssUtilsVerbose) {
+ TSS_PrintAll("signAHash: aHash",
+ (uint8_t *)(&aHash->digest), sizeInBytes);
+ }
+#endif
+ }
+ /* read the PEM format private key into the private key structure */
+ if (rc == 0) {
+ rc = convertPemToRsaPrivKey((void **)&rsaKey, /* freed @1 */
+ signingKeyFilename, (void *)signingKeyPassword);
+ }
+ /* sign aHash */
+ if (rc == 0) {
+ rc = signRSAFromRSA(signature->t.buffer, &signatureLength,
+ sizeof(signature->t.buffer),
+ (uint8_t *)(&aHash->digest), sizeInBytes,
+ aHash->hashAlg,
+ rsaKey);
+ }
+ if (rc == 0) {
+ signature->t.size = (uint16_t)signatureLength; /* length of RSA key checked above */
+#if 0
+ if (tssUtilsVerbose) TSS_PrintAll("signAHash: signature",
+ signature->t.buffer, signature->t.size);
+#endif
+ }
+ TSS_RsaFree(rsaKey); /* @1 *//* FIXME may be wrong for mbedtls */
+ return rc;
+}
+
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policysigned\n");
+ printf("\n");
+ printf("Runs TPM2_PolicySigned\n");
+ printf("\n");
+ printf("\t-hk\tsignature verification key handle\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t[-in\tnonceTPM file (default none)]\n");
+ printf("\t[-cp\tcpHash file (default none)]\n");
+ printf("\t[-pref\tpolicyRef file (default none)]\n");
+ printf("\t[-exp\texpiration in decimal (default none)]\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t-sk\tRSA signing key file name (PEM format)\n");
+ printf("\t\tUse this signing key.\n");
+ printf("\t-is\tsignature file name\n");
+ printf("\t\tUse this signature from e.g., a smart card or other HSM.\n");
+ printf("\t[-pwdk\tsigning key password (default null)]\n");
+ printf("\t[-tk\tticket file name]\n");
+ printf("\t[-to\ttimeout file name]\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/policytemplate.c b/libstb/tss2/ibmtpm20tss/utils/policytemplate.c
new file mode 100644
index 0000000..97c739f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policytemplate.c
@@ -0,0 +1,166 @@
+/********************************************************************************/
+/* */
+/* PolicyTemplate */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyTemplate_In in;
+ TPMI_SH_POLICY policySession = 0;
+ const char *templateFilename = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-te") == 0) {
+ i++;
+ if (i < argc) {
+ templateFilename = argv[i];
+ }
+ else {
+ printf("-te option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (templateFilename == NULL) {
+ printf("Missing handle parameter -te\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.templateHash.b,
+ sizeof(in.templateHash.t.buffer),
+ templateFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyTemplate,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policytemplate: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policytemplate: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policytemplate\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyTemplate\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t-te\ttemplate file\n");
+ exit(1);
+}
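Review bot: The return value of `sscanf(argv[i],"%x", &policySession)` in the `-ha` branch is not checked, so a non-hex argument leaves policySession at 0 and the user is told "Missing handle parameter -ha" rather than that the value was malformed; `if (sscanf(argv[i],"%x", &policySession) != 1) { printf("Bad parameter for -ha\n"); printUsage(); }` reports it precisely. The same unchecked `sscanf` pattern appears in policyticket.c (-ha, -se0/-se1/-se2) and printattr.c (-ob, -se, -st, -nv) in this commit. Separately, the post-parse message for `-te` reads "Missing handle parameter -te" although -te is a file, not a handle: `printf("Missing template file parameter -te\n");`. The file-description comment block between the license header and the includes is empty; a one-line purpose such as `/* policytemplate: reads a template hash from -te and runs TPM2_PolicyTemplate on the policy session given by -ha */` would fill it.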
diff --git a/libstb/tss2/ibmtpm20tss/utils/policyticket.c b/libstb/tss2/ibmtpm20tss/utils/policyticket.c
new file mode 100644
index 0000000..d41d00d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/policyticket.c
@@ -0,0 +1,354 @@
+/********************************************************************************/
+/* */
+/* PolicyTicket */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ PolicyTicket_In in;
+ TPMI_SH_POLICY policySession = 0;
+ const char *timeoutFilename = NULL;
+ const char *cpHashAFilename = NULL;
+ const char *policyRefFilename = NULL;
+ const char *authNameFilename = NULL;
+ char hierarchyChar = 0;
+ TPMI_RH_HIERARCHY primaryHandle = TPM_RH_NULL;
+ const char *ticketFilename = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ in.cpHashA.b.size = 0;
+ in.policyRef.b.size = 0;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &policySession);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-to") == 0) {
+ i++;
+ if (i < argc) {
+ timeoutFilename = argv[i];
+ }
+ else {
+ printf("-to option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-cp") == 0) {
+ i++;
+ if (i < argc) {
+ cpHashAFilename = argv[i];
+ }
+ else {
+ printf("-cp option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pref") == 0) {
+ i++;
+ if (i < argc) {
+ policyRefFilename = argv[i];
+ }
+ else {
+ printf("-pref option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-na") == 0) {
+ i++;
+ if (i < argc) {
+ authNameFilename = argv[i];
+ }
+ else {
+ printf("-na option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-tk") == 0) {
+ i++;
+ if (i < argc) {
+ ticketFilename = argv[i];
+ }
+ else {
+ printf("-tk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policySession == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (timeoutFilename == NULL) {
+ printf("Missing timeout file name parameter -to\n");
+ printUsage();
+ }
+ if (ticketFilename == NULL) {
+ printf("Missing ticket file name parameter -tk\n");
+ printUsage();
+ }
+ if ((authNameFilename == NULL) && (hierarchyChar == 0)) {
+ printf("Missing parameter -na or -hi\n");
+ printUsage();
+ }
+ if ((authNameFilename != NULL) && (hierarchyChar != 0)) {
+ printf("Cannot specify both -na and -hi\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.policySession = policySession;
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.timeout.b,
+ sizeof(in.timeout.t.buffer),
+ timeoutFilename);
+ }
+ if ((rc == 0) && (cpHashAFilename != NULL)) {
+ rc = TSS_File_Read2B(&in.cpHashA.b,
+ sizeof(in.cpHashA.t.buffer),
+ cpHashAFilename);
+ }
+ if ((rc == 0) && (policyRefFilename != NULL)) {
+ rc = TSS_File_Read2B(&in.policyRef.b,
+ sizeof(in.policyRef.t.buffer),
+ policyRefFilename);
+ }
+ /* if the authorizing entity was an object */
+ if ((rc == 0) && (authNameFilename != NULL)) {
+ rc = TSS_File_Read2B(&in.authName.b,
+ sizeof(in.authName.t.name),
+ authNameFilename);
+ }
+ /* if the authorizing object was a hierarchy */
+ if ((rc == 0) && (hierarchyChar != 0)) {
+ if (hierarchyChar == 'e') {
+ primaryHandle = TPM_RH_ENDORSEMENT;
+ }
+ else if (hierarchyChar == 'o') {
+ primaryHandle = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ primaryHandle = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("Bad parameter %c for -hi\n", hierarchyChar);
+ printUsage();
+ }
+ rc = TSS_TPM2B_CreateUint32(&in.authName.b, primaryHandle, sizeof(in.authName.t.name));
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadStructure(&in.ticket,
+ (UnmarshalFunction_t)TSS_TPMT_TK_AUTH_Unmarshalu,
+ ticketFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_PolicyTicket,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("policyticket: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("policyticket: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("policyticket\n");
+ printf("\n");
+ printf("Runs TPM2_PolicyTicket\n");
+ printf("\n");
+ printf("\t-ha\tpolicy session handle\n");
+ printf("\t-to\ttimeout file name\n");
+ printf("\t[-cp\tcpHash file (default none)]\n");
+ printf("\t[-pref\tpolicyRef file (default none)]\n");
+ printf("\t-na\tauthName file (not hierarchy)\n");
+ printf("\t-hi\thierarchy (e, o, p) (authName is hierarchy)\n");
+ printf("\t\te endorsement, o owner, p platform\n");
+ printf("\t-tk\tticket file name\n");
+ exit(1);
+}
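Review bot: The `-hi` letter is validated only inside the `if ((rc == 0) && (hierarchyChar != 0))` block, after the timeout, cpHashA and policyRef files have already been read, and because that block is guarded by `rc == 0` a bad hierarchy letter is never reported at all if one of those reads fails first. Moving the e/o/p mapping together with its "Bad parameter %c for -hi" check up next to the other argument checks (directly after the "Cannot specify both -na and -hi" test) reports the usage error before any file I/O, consistent with how every other argument is checked in this file. The `TSS_TPM2B_CreateUint32` call can stay where it is and use the already-validated primaryHandle. Minor: both error paths in the `-se0`/`-se1`/`-se2` branches print the same "Missing parameter for -seN" text, so the user cannot tell whether the handle or the attributes value is missing; `printf("Missing session attributes for -se0\n");` on the second path distinguishes them.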
diff --git a/libstb/tss2/ibmtpm20tss/utils/powerup.c b/libstb/tss2/ibmtpm20tss/utils/powerup.c
new file mode 100644
index 0000000..164b20c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/powerup.c
@@ -0,0 +1,128 @@
+/********************************************************************************/
+/* */
+/* Simulator Power up */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* FIXME should really be in tpmtcpprotocol.h */
+#ifdef TPM_WINDOWS
+#include <winsock2.h> /* for simulator startup */
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tsstransmit.h> /* for simulator power up */
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /*
+ Start a TSS context
+ */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* power off platform */
+ if (rc == 0) {
+ rc = TSS_TransmitPlatform(tssContext, TPM_SIGNAL_POWER_OFF, "TPM2_PowerOffPlatform");
+ }
+ /* power on platform */
+ if (rc == 0) {
+ rc = TSS_TransmitPlatform(tssContext, TPM_SIGNAL_POWER_ON, "TPM2_PowerOnPlatform");
+ }
+ /* power on NV */
+ if (rc == 0) {
+ rc = TSS_TransmitPlatform(tssContext, TPM_SIGNAL_NV_ON, "TPM2_NvOnPlatform");
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("powerup: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("powerup: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("powerup\n");
+ printf("\n");
+ printf("Powers the simulator off and on, and powers up NV\n");
+ printf("\n");
+ exit(1);
+}
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/printattr.c b/libstb/tss2/ibmtpm20tss/utils/printattr.c
new file mode 100644
index 0000000..b340424
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/printattr.c
@@ -0,0 +1,139 @@
+/********************************************************************************/
+/* */
+/* Print Attributes */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Re-distributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Re-distributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssprint.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ unsigned int tmpSession;
+ TPMA_OBJECT object;
+ TPMA_SESSION session;
+ TPMA_STARTUP_CLEAR startup;
+ TPMA_NV nv;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ob") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%8x", &object.val);
+ TSS_TPMA_OBJECT_Print("TPMA_OBJECT", object, 0);
+ }
+ else {
+ printf("Missing parameter for -ob\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%2x", &tmpSession);
+ session.val = tmpSession;
+ TSS_TPMA_SESSION_Print(session, 0);
+ }
+ else {
+ printf("Missing parameter for -se\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-st") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%8x", &startup.val);
+ TSS_TPMA_STARTUP_CLEAR_Print(startup, 0);
+ }
+ else {
+ printf("Missing parameter for -st\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nv") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%8x", &nv.val);
+ TSS_TPMA_NV_Print(nv, 0);
+ }
+ else {
+ printf("Missing parameter for -nv\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("printattr\n");
+ printf("\n");
+ printf("Prints TPMA attributes as text\n");
+ printf("\n");
+ printf("\t-ob TPMA_OBJECT\n");
+ printf("\t-se TPMA_SESSION \n");
+ printf("\t-st TPMA_STARTUP_CLEAR \n");
+ printf("\t-nv TPMA_NV\n");
+ exit(1);
+}
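Review bot: `object`, `session`, `startup`, `nv` and `tmpSession` are declared without initializers and each `sscanf(argv[i],"%8x", ...)` result is ignored, so a non-hex argument such as `-ob zz` passes an indeterminate value to `TSS_TPMA_OBJECT_Print` (reading an uninitialized automatic variable is undefined behavior, and the printed attributes are garbage). Checking each parse fixes both problems, e.g. `if (sscanf(argv[i],"%8x", &object.val) != 1) { printf("Bad parameter for -ob\n"); printUsage(); }`, with the same guard on the `-se`, `-st` and `-nv` branches. As a belt-and-braces measure the four attribute structs and `tmpSession` can also be zero-initialized at declaration (`TPMA_OBJECT object = {0};`), which removes the uninitialized read even if a future branch forgets the check.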
diff --git a/libstb/tss2/ibmtpm20tss/utils/publicname.c b/libstb/tss2/ibmtpm20tss/utils/publicname.c
new file mode 100644
index 0000000..1e46fd3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/publicname.c
@@ -0,0 +1,452 @@
+/********************************************************************************/
+/* */
+/* Public Name */
+/* Written by Mark Marshall & Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tsscryptoh.h>
+#include "objecttemplates.h"
+#include "cryptoutils.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ int noSpace = FALSE;
+ TPM2B_PUBLIC inPublic;
+ TPM2B_NV_PUBLIC nvPublic;
+ int keyType = TYPE_SI;
+ TPMI_ALG_SIG_SCHEME scheme = TPM_ALG_RSASSA;
+ uint32_t keyTypeSpecified = 0;
+ TPMI_ALG_PUBLIC algPublic = TPM_ALG_RSA;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMI_ALG_HASH nalg = TPM_ALG_SHA256;
+ const char *nvPublicFilename = NULL;
+ const char *publicKeyFilename = NULL;
+ const char *derKeyFilename = NULL;
+ const char *pemKeyFilename = NULL;
+ const char *nameFilename = NULL;
+ int userWithAuth = TRUE;
+ int object = TRUE; /* TPM object, false if NV index */
+ unsigned int inputCount = 0;
+ TPM2B_TEMPLATE marshaled;
+ uint16_t written;
+ uint32_t size;
+ uint8_t *buffer;
+ TPMT_HA name;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-nalg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ nalg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ nalg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ nalg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ nalg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -nalg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-nalg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-rsa") == 0) {
+ algPublic = TPM_ALG_RSA;
+ }
+ else if (strcmp(argv[i], "-ecc") == 0) {
+ algPublic = TPM_ALG_ECC;
+ }
+ else if (strcmp(argv[i],"-scheme") == 0) {
+ if (keyType == TYPE_SI) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsassa") == 0) {
+ scheme = TPM_ALG_RSASSA;
+ }
+ else if (strcmp(argv[i],"rsapss") == 0) {
+ scheme = TPM_ALG_RSAPSS;
+ }
+ else if (strcmp(argv[i],"null") == 0) {
+ scheme = TPM_ALG_NULL;
+ }
+ else {
+ printf("Bad parameter %s for -scheme\n", argv[i]);
+ printUsage();
+ }
+ }
+ }
+ else {
+ printf("-scheme can only be specified for signing key\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-st") == 0) {
+ keyType = TYPE_ST;
+ scheme = TPM_ALG_NULL;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-den") == 0) {
+ keyType = TYPE_DEN;
+ scheme = TPM_ALG_NULL;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i], "-si") == 0) {
+ keyType = TYPE_SI;
+ keyTypeSpecified++;
+ }
+ else if (strcmp(argv[i],"-ipu") == 0) {
+ i++;
+ if (i < argc) {
+ publicKeyFilename = argv[i];
+ inputCount++;
+ }
+ else {
+ printf("-ipu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-invpu") == 0) {
+ i++;
+ if (i < argc) {
+ nvPublicFilename = argv[i];
+ object = FALSE;
+ inputCount++;
+ }
+ else {
+ printf("-ipu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ipem") == 0) {
+ i++;
+ if (i < argc) {
+ pemKeyFilename = argv[i];
+ inputCount++;
+ }
+ else {
+ printf("-ipem option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ider") == 0) {
+ i++;
+ if (i < argc) {
+ derKeyFilename = argv[i];
+ inputCount++;
+ }
+ else {
+ printf("-ider option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-uwa") == 0) {
+ userWithAuth = FALSE;
+ }
+ else if (strcmp(argv[i],"-on") == 0) {
+ i++;
+ if (i < argc) {
+ nameFilename = argv[i];
+ }
+ else {
+ printf("-on option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ns") == 0) {
+ noSpace = TRUE;
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (inputCount != 1) {
+ printf("Missing or too many parameters -ipu, -ipem, -ider, -invpu\n");
+ printUsage();
+ }
+ if (keyTypeSpecified > 1) {
+ printf("Too many key attributes\n");
+ printUsage();
+ }
+ if ((publicKeyFilename != NULL) && (!userWithAuth)) {
+ printf("userWithAuth unused for TPM2B_PUBLIC input\n");
+ printUsage();
+
+ }
+ /* loadexternal key pair cannot be restricted (storage key) and must have NULL symmetric
+ scheme*/
+ if (derKeyFilename != NULL) {
+ if (keyType == TYPE_ST) {
+ keyType = TYPE_DEN;
+ }
+ }
+ if (rc == 0) {
+ /* TPM format key, output from create */
+ if (publicKeyFilename != NULL) {
+ rc = TSS_File_ReadStructureFlag(&inPublic,
+ (UnmarshalFunctionFlag_t)TSS_TPM2B_PUBLIC_Unmarshalu,
+ TRUE, /* NULL permitted */
+ publicKeyFilename);
+ }
+ /* NV Index public area */
+ else if (nvPublicFilename != 0) {
+ rc = TSS_File_ReadStructure(&nvPublic,
+ (UnmarshalFunction_t)TSS_TPM2B_NV_PUBLIC_Unmarshalu,
+ nvPublicFilename);
+
+ }
+ /* PEM format, output from e.g. openssl, readpublic, createprimary, create */
+ else if (pemKeyFilename != NULL) {
+ switch (algPublic) {
+ case TPM_ALG_RSA:
+ rc = convertRsaPemToPublic(&inPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ pemKeyFilename);
+ break;
+#ifndef TPM_TSS_NOECC
+ case TPM_ALG_ECC:
+ rc = convertEcPemToPublic(&inPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ pemKeyFilename);
+ break;
+#endif /* TPM_TSS_NOECC */
+ default:
+ printf("-rsa algorithm %04x not supported\n", algPublic);
+ rc = TPM_RC_ASYMMETRIC;
+ }
+ }
+ /* DER format key pair */
+ else if (derKeyFilename != NULL) {
+ switch (algPublic) {
+ case TPM_ALG_RSA:
+ rc = convertRsaDerToPublic(&inPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ derKeyFilename);
+ break;
+#ifndef TPM_TSS_NOECC
+ case TPM_ALG_ECC:
+ rc = convertEcDerToPublic(&inPublic,
+ keyType,
+ scheme,
+ nalg,
+ halg,
+ derKeyFilename);
+ break;
+#endif /* TPM_TSS_NOECC */
+ default:
+ printf("-rsa algorithm %04x not supported\n", algPublic);
+ rc = TPM_RC_ASYMMETRIC;
+ }
+ }
+ else {
+ printf("Failure parsing -ipu, -ipem, -ider\n");
+ printUsage();
+ }
+ }
+ /* TPM object */
+ if (object) {
+ if (rc == 0) {
+ name.hashAlg = inPublic.publicArea.nameAlg;
+ if (!userWithAuth) {
+ inPublic.publicArea.objectAttributes.val &= ~TPMA_OBJECT_USERWITHAUTH;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMT_PUBLIC_Print(&inPublic.publicArea, 2);
+ }
+ if (rc == 0) {
+ written = 0;
+ size = sizeof(marshaled.t.buffer);
+ buffer = marshaled.t.buffer;
+
+ rc = TSS_TPMT_PUBLIC_Marshalu(&inPublic.publicArea, &written, &buffer, &size);
+ marshaled.t.size = written;
+ }
+ }
+ /* TPM NV Index */
+ else {
+ if (rc == 0) {
+ name.hashAlg = nvPublic.nvPublic.nameAlg;
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMS_NV_PUBLIC_Print(&nvPublic.nvPublic, 2);
+ }
+ if (rc == 0) {
+ written = 0;
+ size = sizeof(marshaled.t.buffer);
+ buffer = marshaled.t.buffer;
+
+ rc = TSS_TPMS_NV_PUBLIC_Marshalu(&nvPublic.nvPublic, &written, &buffer, &size);
+ marshaled.t.size = written;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Hash_Generate(&name,
+ marshaled.t.size, marshaled.t.buffer,
+ 0, NULL);
+ }
+ /* trace the Name */
+ if ((rc == 0) && noSpace) {
+ printf("%02X%02x", name.hashAlg >> 8, name.hashAlg & 0xff);
+ for (i = 0; i < TSS_GetDigestSize(name.hashAlg); i++) {
+ printf("%02x", name.digest.tssmax[i]);
+ }
+ printf("\n");
+ }
+ /* save the Name */
+ if ((rc == 0) && (nameFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&name,
+ (MarshalFunction_t)TSS_TPMT_HA_Marshalu,
+ nameFilename);
+ }
+ if (rc != 0) {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("publicname: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("publicname\n");
+ printf("\n");
+ printf("Calculates the public name of an entity. There are times that a policy creator\n"
+ "has TPM, PEM, or DER format information, but does not have access to a TPM.\n"
+ "This utility accepts these inputs and outputs the name in the 'no spaces'\n"
+ "format suitable for pasting into a policy. The binary format is used in the\n"
+ "regression test\n");
+ printf("\n");
+ printf("\t-invpu\tTPM2B_NV_PUBLIC public key file name\n");
+ printf("\t-ipu\tTPM2B_PUBLIC public key file name\n");
+ printf("\t-ipem\tPEM format public key file name\n");
+ printf("\t-ider\tDER format plaintext key pair file name]\n");
+ printf("\t[-on\tbinary format Name file name]\n");
+ printf("\t[-ns\tprint Name in hexacsii]\n");
+ printf("\n");
+ printf("\t\t-pem and -ider optional arguments\n");
+ printf("\n");
+ printf("\t[-rsa\t(default)]\n");
+ printf("\t[-ecc\t]\n");
+ printf("\t[-scheme for signing key (default RSASSA scheme)]\n");
+ printf("\t\trsassa\n");
+ printf("\t\trsapss\n");
+ printf("\t\tnull\n");
+ printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
+ printf("\t[-si\tsigning (default) RSA]\n");
+ printf("\t[-st\tstorage (default NULL scheme)]\n");
+ printf("\t[-den\tdecryption, (unrestricted, RSA and EC NULL scheme)\n");
+ printf("\n");
+ exit(1);
+}
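Review bot: The missing-value branch of the `-invpu` option reports the wrong option name: it prints `-ipu option needs a value` for `-invpu`, which misleads a user who typed the NV variant; it should read `printf("-invpu option needs a value\n");`. The usage text in printUsage has a few documentation slips: the `-ider` line carries an unmatched `]`, `-pem and -ider optional arguments` should name `-ipem`, and `hexacsii` is presumably `hexascii`. Both the PEM and DER `default:` branches print `-rsa algorithm %04x not supported` although the algorithm is selected by `-rsa`/`-ecc`; `algorithm %04x not supported` would be accurate for either.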
diff --git a/libstb/tss2/ibmtpm20tss/utils/quote.c b/libstb/tss2/ibmtpm20tss/utils/quote.c
new file mode 100644
index 0000000..c29fad0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/quote.c
@@ -0,0 +1,439 @@
+/********************************************************************************/
+/* */
+/* Quote */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Quote_In in;
+ Quote_Out out;
+ TPMI_DH_OBJECT signHandle = 0;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMI_ALG_HASH palg = TPM_ALG_SHA256;
+ const char *keyPassword = NULL;
+ TPMI_DH_PCR pcrHandle = IMPLEMENTATION_PCR;
+ const char *signatureFilename = NULL;
+ const char *attestInfoFilename = NULL;
+ const char *qualifyingDataFilename = NULL;
+ TPM_ALG_ID sigAlg = TPM_ALG_RSA;
+ TPMS_ATTEST tpmsAttest;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ in.PCRselect.pcrSelections[0].sizeofSelect = 3;
+ in.PCRselect.pcrSelections[0].pcrSelect[0] = 0;
+ in.PCRselect.pcrSelections[0].pcrSelect[1] = 0;
+ in.PCRselect.pcrSelections[0].pcrSelect[2] = 0;
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hp") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%u", &pcrHandle);
+ if (pcrHandle > 23) {
+ printf("Bad PCR handle parameter %u for -hp\n",pcrHandle);
+ printUsage();
+ }
+ /* accumulate PCR select bits */
+ else {
+ in.PCRselect.pcrSelections[0].pcrSelect[pcrHandle / 8] |= 1 << (pcrHandle % 8);
+ }
+ }
+ else {
+ printf("Missing parameter for -hp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &signHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-palg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ palg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ palg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ palg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ palg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -palg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-palg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-salg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsa") == 0) {
+ sigAlg = TPM_ALG_RSA;
+ }
+ else if (strcmp(argv[i],"ecc") == 0) {
+ sigAlg = TPM_ALG_ECDSA;
+ }
+ else if (strcmp(argv[i],"hmac") == 0) {
+ sigAlg = TPM_ALG_HMAC;
+ }
+ else {
+ printf("Bad parameter %s for -salg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-salg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-os") == 0) {
+ i++;
+ if (i < argc) {
+ signatureFilename = argv[i];
+ }
+ else {
+ printf("-os option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oa") == 0) {
+ i++;
+ if (i < argc) {
+ attestInfoFilename = argv[i];
+ }
+ else {
+ printf("-oa option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-qd") == 0) {
+ i++;
+ if (i < argc) {
+ qualifyingDataFilename = argv[i];
+ }
+ else {
+ printf("-qd option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (signHandle == 0) {
+ printf("Missing sign handle parameter -hk\n");
+ printUsage();
+ }
+ if (pcrHandle >= IMPLEMENTATION_PCR) {
+ printf("Missing PCR handle parameter -hp\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ /* Handle of key that will perform quoting */
+ in.signHandle = signHandle;
+ /* data supplied by the caller */
+ if (sigAlg == TPM_ALG_RSA) {
+ /* Table 145 - Definition of TPMT_SIG_SCHEME Structure */
+ in.inScheme.scheme = TPM_ALG_RSASSA;
+ /* Table 144 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+ in.inScheme.details.rsassa.hashAlg = halg;
+ }
+ else if (sigAlg == TPM_ALG_ECDSA) {
+ in.inScheme.scheme = TPM_ALG_ECDSA;
+ in.inScheme.details.ecdsa.hashAlg = halg;
+ }
+ else { /* HMAC */
+ in.inScheme.scheme = TPM_ALG_HMAC;
+ in.inScheme.details.hmac.hashAlg = halg;
+ }
+ /* Table 102 - Definition of TPML_PCR_SELECTION Structure */
+ in.PCRselect.count = 1;
+ /* Table 85 - Definition of TPMS_PCR_SELECTION Structure */
+ in.PCRselect.pcrSelections[0].hash = palg;
+ }
+ if (rc == 0) {
+ if (qualifyingDataFilename != NULL) {
+ rc = TSS_File_Read2B(&in.qualifyingData.b,
+ sizeof(in.qualifyingData.t.buffer),
+ qualifyingDataFilename);
+ }
+ else {
+ in.qualifyingData.t.size = 0;
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Quote,
+ sessionHandle0, keyPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ uint8_t *tmpBuffer = out.quoted.t.attestationData;
+ uint32_t tmpSize = out.quoted.t.size;
+ rc = TSS_TPMS_ATTEST_Unmarshalu(&tpmsAttest, &tmpBuffer, &tmpSize);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMS_ATTEST_Print(&tpmsAttest, 0);
+ }
+ if (rc == 0) {
+ int match;
+ match = TSS_TPM2B_Compare(&in.qualifyingData.b, &tpmsAttest.extraData.b);
+ if (!match) {
+ printf("quote: failed, extraData != qualifyingData\n");
+ rc = EXIT_FAILURE;
+ }
+ }
+ if ((rc == 0) && (signatureFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.signature,
+ (MarshalFunction_t)TSS_TPMT_SIGNATURE_Marshalu,
+ signatureFilename);
+ }
+ if ((rc == 0) && (attestInfoFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.quoted.t.attestationData,
+ out.quoted.t.size,
+ attestInfoFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_TPMT_SIGNATURE_Print(&out.signature, 0);
+ if (tssUtilsVerbose) printf("quote: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("quote: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("quote\n");
+ printf("\n");
+ printf("Runs TPM2_Quote\n");
+ printf("\n");
+ printf("\t-hp\tpcr handle (may be specified more than once)\n");
+ printf("\t-hk\tquoting key handle\n");
+ printf("\t[-pwdk\tpassword for quoting key (default empty)]\n");
+ printf("\t[-halg\tfor signing (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-palg\tfor PCR bank selection (sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
+ printf("\t[-qd\tqualifying data file name]\n");
+ printf("\t[-os\tquote signature file name (default do not save)]\n");
+ printf("\t[-oa\tattestation output file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
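Review bot: The `-hp` parse at `sscanf(argv[i],"%u", &pcrHandle);` ignores the return value, so a non-numeric argument leaves `pcrHandle` at its previous value; after one valid `-hp`, a second malformed one silently re-selects the same PCR instead of failing. Folding the conversion result into the existing range check fixes this in one line: `if ((sscanf(argv[i],"%u", &pcrHandle) != 1) || (pcrHandle > 23)) {`. The same unchecked `sscanf` pattern is used for `-hk` and for the `-se[0-2]` handle and attribute values; a defaulted `-hk` is still caught by the `signHandle == 0` check, but a malformed session handle or attribute byte silently keeps the default.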
diff --git a/libstb/tss2/ibmtpm20tss/utils/readclock.c b/libstb/tss2/ibmtpm20tss/utils/readclock.c
new file mode 100644
index 0000000..dba92a8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/readclock.c
@@ -0,0 +1,161 @@
+/********************************************************************************/
+/* */
+/* ReadClock */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ReadClock_Out out;
+ const char *timeFilename = NULL;
+ const char *clockFilename = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-otime") == 0) {
+ i++;
+ if (i < argc) {
+ timeFilename = argv[i];
+ }
+ else {
+ printf("-otime option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oclock") == 0) {
+ i++;
+ if (i < argc) {
+ clockFilename = argv[i];
+ }
+ else {
+ printf("-oclock option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ NULL,
+ NULL,
+ TPM_CC_ReadClock,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /* write the fields in binary host byte order */
+ if ((rc == 0) && (timeFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&out.currentTime.time,
+ sizeof(((TPMS_TIME_INFO *)NULL)->time),
+ timeFilename) ;
+ }
+ if ((rc == 0) && (clockFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&out.currentTime.clockInfo.clock,
+ sizeof(((TPMS_TIME_INFO *)NULL)->clockInfo.clock),
+ clockFilename);
+ }
+ if (rc == 0) {
+ TSS_TPMS_TIME_INFO_Print(&out.currentTime, 0);
+ if (tssUtilsVerbose) printf("readclock: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("readclock: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("readclock\n");
+ printf("\n");
+ printf("Runs TPM2_ReadClock\n");
+ printf("\n");
+ printf("\t[-otime time file name (default do not save)]\n");
+ printf("\t[-oclock clock file name (default do not save)]\n");
+ printf("\n");
+ exit(1);
+}
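Review bot: The size expressions `sizeof(((TPMS_TIME_INFO *)NULL)->time)` and `sizeof(((TPMS_TIME_INFO *)NULL)->clockInfo.clock)` in the two `TSS_File_WriteBinaryFile` calls take the size through a null pointer although the object being written is at hand; `sizeof out.currentTime.time` and `sizeof out.currentTime.clockInfo.clock` express the same size and keep it tied to the buffer actually passed. The preceding comment notes the fields are written in host byte order, which matters because a consumer on a host of different endianness cannot interpret the file; consider extending it to `/* write the fields in binary host byte order; not portable across hosts of different endianness */`.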
diff --git a/libstb/tss2/ibmtpm20tss/utils/readpublic.c b/libstb/tss2/ibmtpm20tss/utils/readpublic.c
new file mode 100644
index 0000000..757da33
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/readpublic.c
@@ -0,0 +1,284 @@
+/********************************************************************************/
+/* */
+/* ReadPublic */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+#include "cryptoutils.h"
+
+static void printReadPublic(ReadPublic_Out *out);
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ReadPublic_In in;
+ ReadPublic_Out out;
+ TPMI_DH_PCR objectHandle = TPM_RH_NULL;
+ const char *publicKeyFilename = NULL;
+ const char *pemFilename = NULL;
+ int noSpace = FALSE;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ho") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &objectHandle);
+ }
+ else {
+ printf("Missing parameter for -ho\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opu") == 0) {
+ i++;
+ if (i < argc) {
+ publicKeyFilename = argv[i];
+ }
+ else {
+ printf("-opu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opem") == 0) {
+ i++;
+ if (i < argc) {
+ pemFilename = argv[i];
+ }
+ else {
+ printf("-opem option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ns") == 0) {
+ noSpace = TRUE;
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (objectHandle == TPM_RH_NULL) {
+ printf("Missing or bad object handle parameter -ho\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.objectHandle = objectHandle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ReadPublic,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /* save the public key */
+ if ((rc == 0) && (publicKeyFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.outPublic,
+ (MarshalFunction_t)TSS_TPM2B_PUBLIC_Marshalu,
+ publicKeyFilename);
+ }
+ /* save the optional PEM public key */
+ if ((rc == 0) && (pemFilename != NULL)) {
+ rc = convertPublicToPEM(&out.outPublic,
+ pemFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printReadPublic(&out);
+ if (noSpace) {
+ unsigned int b;
+ for (b = 0 ; b < out.name.t.size ; b++) {
+ printf("%02x", out.name.t.name[b]);
+ }
+ printf("\n");
+ }
+ if (tssUtilsVerbose) printf("readpublic: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("readpublic: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printReadPublic(ReadPublic_Out *out)
+{
+ TSS_TPMT_PUBLIC_Print(&out->outPublic.publicArea, 0);
+ TSS_PrintAll("name",
+ out->name.t.name,
+ out->name.t.size);
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("readpublic\n");
+ printf("\n");
+ printf("Runs TPM2_ReadPublic\n");
+ printf("\n");
+ printf("\t-ho\tobject handle\n");
+ printf("\t[-opu\tpublic key file name (default do not save)]\n");
+ printf("\t[-opem\tpublic key PEM format file name (default do not save)]\n");
+ printf("\t[-ns\tadditionally print Name in hex ascii on one line]\n");
+ printf("\t\tUseful to paste into policy\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t40\tresponse encrypt\n");
+ printf("\t80\taudit\n");
+ exit(1);
+}
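Review bot: The sscanf calls that parse -ho and -se[0-2] (e.g. `sscanf(argv[i],"%x", &sessionHandle0);`) never check the return value, so a non-hex argument leaves the variable at its TPM_RH_NULL default and the command silently runs with no session where the caller asked for one; the -ho case is caught later by the `objectHandle == TPM_RH_NULL` test, the session handle and attribute cases are not. Suggest `if (sscanf(argv[i], "%x", &sessionHandle0) != 1) { printf("Bad parameter for -se0\n"); printUsage(); }` and the same for -se1, -se2 and the three attribute fields. Separately, objectHandle is declared TPMI_DH_PCR although it is only assigned to in.objectHandle, which is presumably a TPMI_DH_OBJECT; both appear to be plain handle typedefs so the assignment compiles, but the declared type misleads a reader about what the option accepts.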
diff --git a/libstb/tss2/ibmtpm20tss/utils/reg.bat b/libstb/tss2/ibmtpm20tss/utils/reg.bat
new file mode 100644
index 0000000..1f1a5de
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/reg.bat
@@ -0,0 +1,383 @@
+@echo off
+
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+set soc=
+set mssim=
+if "%TPM_INTERFACE_TYPE%" == "" (
+ set soc=1
+)
+if "%TPM_INTERFACE_TYPE%" == "socsim" (
+ set soc=1
+)
+if defined soc (
+ if "%TPM_SERVER_TYPE%" == "" (
+ set mssim=1
+ )
+ if "%TPM_SERVER_TYPE%" == "mssim" (
+ set mssim=1
+ )
+)
+
+set ITERATE_ALGS=sha1 sha256 sha384 sha512
+set BAD_ITERATE_ALGS=sha256 sha384 sha512 sha1
+
+if defined mssim (
+ call regtests\inittpm.bat
+ IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed inittpm.bat"
+ exit /B 1
+ )
+)
+
+for /f %%i in ('%TPM_EXE_PATH%getrandom -by 16 -ns') do set TPM_SESSION_ENCKEY=%%i
+echo "Session state encryption key"
+echo %TPM_SESSION_ENCKEY%
+
+call regtests\initkeys.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed initkeys.bat"
+ exit /B 1
+)
+
+call regtests\testrng.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testrng.bat"
+ exit /B 1
+)
+
+call regtests\testpcr.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testpcr.bat"
+ exit /B 1
+)
+
+call regtests\testprimary.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testprimary.bat"
+ exit /B 1
+)
+
+call regtests\testcreateloaded.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testcreateloaded.bat"
+ exit /B 1
+)
+
+call regtests\testhmacsession.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testhmacsession.bat"
+ exit /B 1
+)
+
+call regtests\testbind.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testbind.bat"
+ exit /B 1
+)
+
+call regtests\testsalt.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testsalt.bat"
+ exit /B 1
+)
+
+call regtests\testhierarchy.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testhierarchy.bat"
+ exit /B 1
+)
+
+call regtests\teststorage.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed teststorage.bat"
+ exit /B 1
+)
+
+call regtests\testchangeauth.bat
+ IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testchangeauth.bat"
+ exit /B 1
+)
+
+call regtests\testencsession.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testencsession.bat"
+ exit /B 1
+)
+
+call regtests\testsign.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testsign.bat"
+ exit /B 1
+)
+
+call regtests\testnv.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testnv.bat"
+ exit /B 1
+)
+
+call regtests\testnvpin.bat
+ IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testnvpin.bat"
+ exit /B 1
+ )
+
+call regtests\testevict.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testevict.bat"
+ exit /B 1
+)
+
+call regtests\testrsa.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testrsa.bat"
+ exit /B 1
+)
+
+call regtests\testaes.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testaes.bat"
+ exit /B 1
+)
+
+call regtests\testaes138.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testaes138.bat"
+ exit /B 1
+)
+
+call regtests\testhmac.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testhmac.bat"
+ exit /B 1
+)
+
+call regtests\testattest.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testattest.bat"
+ exit /B 1
+)
+
+call regtests\testpolicy.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testpolicy.bat"
+ exit /B 1
+)
+
+call regtests\testpolicy138.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testpolicy138.bat"
+ exit /B 1
+)
+
+call regtests\testcontext.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testcontext.bat"
+ exit /B 1
+)
+
+call regtests\testclocks.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testclocks.bat"
+ exit /B 1
+)
+
+call regtests\testda.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testda.bat"
+ exit /B 1
+)
+
+call regtests\testunseal.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testunseal.bat"
+ exit /B 1
+)
+
+call regtests\testdup.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testdup.bat"
+ exit /B 1
+)
+
+call regtests\testecc.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testecc.bat"
+ exit /B 1
+)
+
+call regtests\testcredential.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testcredential.bat"
+ exit /B 1
+)
+
+call regtests\testattest155.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testattest155.bat"
+ exit /B 1
+)
+
+call regtests\testx509.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testx509.bat"
+ exit /B 1
+)
+
+call regtests\testgetcap.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testgetcap.bat"
+ exit /B 1
+)
+
+call regtests\testshutdown.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testshutdown.bat"
+ exit /B 1
+)
+
+call regtests\testchangeseed.bat
+IF !ERRORLEVEL! NEQ 0 (
+ echo ""
+ echo "Failed testchangeseed.bat"
+ exit /B 1
+)
+
+REM cleanup
+
+%TPM_EXE_PATH%flushcontext -ha 80000000
+
+rm -f dec.bin
+rm -f derpriv.bin
+rm -f derpub.bin
+rm -f despriv.bin
+rm -f despub.bin
+rm -f empty.bin
+rm -f enc.bin
+rm -f khprivsha1.bin
+rm -f khprivsha256.bin
+rm -f khprivsha384.bin
+rm -f khprivsha512.bin
+rm -f khpubsha1.bin
+rm -f khpubsha256.bin
+rm -f khpubsha384.bin
+rm -f khpubsha512.bin
+rm -f msg.bin
+rm -f noncetpm.bin
+rm -f policyapproved.bin
+rm -f prich.bin
+rm -f pritk.bin
+rm -f pssig.bin
+rm -f run.out
+rm -f sig.bin
+rm -f signeccpriv.bin
+rm -f signeccpub.bin
+rm -f signeccpub.pem
+rm -f signpriv.bin
+rm -f signpub.bin
+rm -f signpub.pem
+rm -f signpub.pem
+rm -f signrpriv.bin
+rm -f signrpub.bin
+rm -f signrpub.pem
+rm -f stoch.bin
+rm -f storeeccpriv.bin
+rm -f storeeccpub.bin
+rm -f storepriv.bin
+rm -f storepub.bin
+rm -f stotk.bin
+rm -f tkt.bin
+rm -f tmp.bin
+rm -f tmp1.bin
+rm -f tmp2.bin
+rm -f tmppriv.bin
+rm -f tmppub.bin
+rm -f tmpsha1.bin
+rm -f tmpsha256.bin
+rm -f tmpsha384.bin
+rm -f tmpsha512.bin
+rm -f tmpspriv.bin
+rm -f tmpspub.bin
+rm -f to.bin
+rm -f zero.bin
+
+echo ""
+echo "Success"
+
+exit /B 0
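Review bot: The cleanup section from `rm -f dec.bin` onward relies on `rm`, which is not a cmd.exe builtin; on a Windows host without a Unix toolset on PATH each of those lines fails with a "not recognized" error, the test artifacts stay on disk, and the script still prints "Success" because nothing after the last test checks an exit code. The native form is `if exist dec.bin del /q dec.bin` (one per file), which is also silent when the file is absent. Minor points in the same section: `rm -f signpub.pem` appears twice, the `IF !ERRORLEVEL!` blocks after testchangeauth.bat and testnvpin.bat are indented differently from the other thirty-odd, and `%TPM_EXE_PATH%flushcontext -ha 80000000` is the only TPM command in the file whose ERRORLEVEL is not checked.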
diff --git a/libstb/tss2/ibmtpm20tss/utils/reg.sh b/libstb/tss2/ibmtpm20tss/utils/reg.sh
new file mode 100755
index 0000000..3cdb75a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/reg.sh
@@ -0,0 +1,599 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2014 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# handles are
+# 80000000 platform hierarchy primary storage key
+# password pps
+# storage key under primary
+# password sto
+# storepriv.bin
+# signing key under primary
+# password sig
+# signpriv.bin
+# RSA encryption key under primary
+# password dec
+# decpriv.bin
+
+# at test entry and exit, there is a platform primary key at 80000000 and
+# storage and signing keys under them, ready to load.
+# The exception is the last test case, which rolls the seeds.
+
+# This is a namespace prefix
+# For the basic tarball, PREFIX is set to ./ (the current directory)
+
+PREFIX=./
+
+# The distro releases prefix all the TPM 2.0 utility names with tss,
+# so PREFIX is set to tss
+
+# PREFIX=tss
+
+#PREFIX="valgrind ./"
+
+# hash algorithms to be used for testing
+
+export ITERATE_ALGS="sha1 sha256 sha384 sha512"
+export BAD_ITERATE_ALGS="sha256 sha384 sha512 sha1"
+
+printUsage ()
+{
+ echo ""
+ echo ""
+ echo "-h help"
+ echo "-a all tests"
+ echo "-1 random number generator"
+ echo "-2 PCR"
+ echo "-3 primary keys"
+ echo "-4 createloaded - rev 146"
+ echo "-5 HMAC session - no bind or salt"
+ echo "-6 HMAC session - bind"
+ echo "-7 HMAC session - salt"
+ echo "-8 Hierarchy"
+ echo "-9 Storage"
+ echo "-10 Object Change Auth"
+ echo "-11 Encrypt and decrypt sessions"
+ echo "-12 Sign"
+ echo "-13 NV"
+ echo "-14 NV PIN Index - rev 138"
+ echo "-15 Evict control"
+ echo "-16 RSA encrypt decrypt"
+ echo "-17 AES encrypt decrypt"
+ echo "-18 AES encrypt decrypt - rev 138"
+ echo "-19 HMAC and Hash"
+ echo "-20 Attestation"
+ echo "-21 Policy"
+ echo "-22 Policy - rev 138"
+ echo "-23 Context"
+ echo "-24 Clocks and Timers"
+ echo "-25 DA logic"
+ echo "-26 Unseal"
+ echo "-27 Duplication"
+ echo "-28 ECC"
+ echo "-29 Credential"
+ echo "-30 Attestation - rev 155"
+ echo "-31 X509 - rev 155"
+ echo "-32 Get Capability"
+ echo "-35 Shutdown (only run for simulator)"
+ echo "-40 Tests under development (not part of all)"
+ echo ""
+ echo "-50 Change seed"
+}
+
+checkSuccess()
+{
+if [ $1 -ne 0 ]; then
+ echo " ERROR:"
+ cat run.out
+ exit 255
+else
+ echo " INFO:"
+fi
+
+}
+
+# FIXME should not increment past 254
+
+checkWarning()
+{
+if [ $1 -ne 0 ]; then
+ echo " WARN: $2"
+ ((WARN++))
+else
+ echo " INFO:"
+fi
+}
+
+checkFailure()
+{
+if [ $1 -eq 0 ]; then
+ echo " ERROR:"
+ cat run.out
+ exit 255
+else
+ echo " INFO:"
+fi
+}
+
+cleanup()
+{
+# stdout
+ rm -f run.out
+# general purpose keys
+ rm -f derrsa2048priv.bin
+ rm -f derrsa2048pub.bin
+ rm -f derrsa3072priv.bin
+ rm -f derrsa3072pub.bin
+ rm -f despriv.bin
+ rm -f despub.bin
+ rm -f khprivsha1.bin
+ rm -f khprivsha256.bin
+ rm -f khprivsha384.bin
+ rm -f khprivsha512.bin
+ rm -f khpubsha1.bin
+ rm -f khpubsha256.bin
+ rm -f khpubsha384.bin
+ rm -f khpubsha512.bin
+ rm -f khrprivsha1.bin
+ rm -f khrprivsha256.bin
+ rm -f khrprivsha384.bin
+ rm -f khrprivsha512.bin
+ rm -f khrpubsha1.bin
+ rm -f khrpubsha256.bin
+ rm -f khrpubsha384.bin
+ rm -f khrpubsha512.bin
+ rm -f prich.bin
+ rm -f pritk.bin
+ rm -f signeccnfpriv.bin
+ rm -f signeccnfpub.bin
+ rm -f signeccnfpub.pem
+ rm -f signeccpriv.bin
+ rm -f signeccpub.bin
+ rm -f signeccpub.pem
+ rm -f signeccrpriv.bin
+ rm -f signeccrpub.bin
+ rm -f signeccrpub.pem
+ rm -f signrsa2048nfpriv.bin
+ rm -f signrsa2048nfpub.bin
+ rm -f signrsa2048nfpub.pem
+ rm -f signrsa2048priv.bin
+ rm -f signrsa2048pub.bin
+ rm -f signrsa2048pub.pem
+ rm -f signrsa3072priv.bin
+ rm -f signrsa3072pub.bin
+ rm -f signrsa3072pub.pem
+ rm -f signrsa2048rpriv.bin
+ rm -f signrsa2048rpub.bin
+ rm -f signrsa2048rpub.pem
+ rm -f stoch.bin
+ rm -f storeeccpriv.bin
+ rm -f storeeccpub.bin
+ rm -f storsach.bin
+ rm -f storsatk.bin
+ rm -f stotk.bin
+ rm -r storersa2048priv.bin
+ rm -r storersa2048pub.bin
+
+# misc
+ rm -f dec.bin
+ rm -f enc.bin
+ rm -f msg.bin
+ rm -f noncetpm.bin
+ rm -f policyapproved.bin
+ rm -f pssig.bin
+ rm -f sig.bin
+ rm -f tkt.bin
+ rm -f tmp.bin
+ rm -f tmp1.bin
+ rm -f tmp2.bin
+ rm -f tmpsha1.bin
+ rm -f tmpsha256.bin
+ rm -f tmpsha384.bin
+ rm -f tmpsha512.bin
+ rm -f tmppriv.bin
+ rm -f tmppub.bin
+ rm -f tmpspriv.bin
+ rm -f tmpspub.bin
+ rm -f to.bin
+ rm -f zero.bin
+}
+
+initprimary()
+{
+ echo "Create a platform primary RSA storage key"
+ ${PREFIX}createprimary -hi p -pwdk sto -pol policies/zerosha256.bin -tk pritk.bin -ch prich.bin > run.out
+ checkSuccess $?
+}
+
+
+export -f checkSuccess
+export -f checkWarning
+export -f checkFailure
+export WARN
+export PREFIX
+export -f initprimary
+# hack because the mbedtls port is incomplete
+export CRYPTOLIBRARY=`${PREFIX}getcryptolibrary`
+
+# example for running scripts with encrypted sessions, see TPM_SESSION_ENCKEY=getrandom below
+export TPM_SESSION_ENCKEY
+
+main ()
+{
+ RC=0
+ I=0
+ ((WARN=0))
+
+ if [ "$1" == "-h" ]; then
+ printUsage
+ echo ""
+ echo "crypto library is ${CRYPTOLIBRARY}"
+ echo ""
+ exit 0
+ else
+ # the MS simulator needs power up and startup
+ if [ -z ${TPM_INTERFACE_TYPE} ] || [ ${TPM_INTERFACE_TYPE} == "socsim" ]; then
+ if [ -z ${TPM_SERVER_TYPE} ] || [ ${TPM_SERVER_TYPE} == "mssim" ]; then
+ ./regtests/inittpm.sh
+ fi
+ fi
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ # example for running scripts with encrypted sessions, see TPM_ENCRYPT_SESSIONS above
+ # getrandom must wait until after inittpm.sh (powerup and startup)
+ TPM_SESSION_ENCKEY=`${PREFIX}getrandom -by 16 -ns`
+ ./regtests/initkeys.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((WARN=$RC))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-1" ]; then
+ ./regtests/testrng.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-2" ]; then
+ ./regtests/testpcr.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-3" ]; then
+ ./regtests/testprimary.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-4" ]; then
+ ./regtests/testcreateloaded.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-5" ]; then
+ ./regtests/testhmacsession.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-6" ]; then
+ ./regtests/testbind.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-7" ]; then
+ ./regtests/testsalt.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-8" ]; then
+ ./regtests/testhierarchy.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-9" ]; then
+ ./regtests/teststorage.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-10" ]; then
+ ./regtests/testchangeauth.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-11" ]; then
+ ./regtests/testencsession.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-12" ]; then
+ ./regtests/testsign.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-13" ]; then
+ ./regtests/testnv.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-14" ]; then
+ ./regtests/testnvpin.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-15" ]; then
+ ./regtests/testevict.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-16" ]; then
+ ./regtests/testrsa.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-17" ]; then
+ ./regtests/testaes.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-18" ]; then
+ ./regtests/testaes138.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-19" ]; then
+ ./regtests/testhmac.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-20" ]; then
+ ./regtests/testattest.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ ((WARN=$RC))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-21" ]; then
+ ./regtests/testpolicy.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-22" ]; then
+ ./regtests/testpolicy138.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-23" ]; then
+ ./regtests/testcontext.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-24" ]; then
+ ./regtests/testclocks.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-25" ]; then
+ ./regtests/testda.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-26" ]; then
+ ./regtests/testunseal.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-27" ]; then
+ ./regtests/testdup.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-28" ]; then
+ ./regtests/testecc.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-29" ]; then
+ ./regtests/testcredential.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-30" ]; then
+ ./regtests/testattest155.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-31" ]; then
+ ./regtests/testx509.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-32" ]; then
+ ./regtests/testgetcap.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-a" ] || [ "$1" == "-35" ]; then
+ # the MS simulator supports power cycling
+ if [ -z ${TPM_INTERFACE_TYPE} ] || [ ${TPM_INTERFACE_TYPE} == "socsim" ]; then
+ if [ -z ${TPM_SERVER_TYPE} ] || [ ${TPM_SERVER_TYPE} == "mssim" ]; then
+ ./regtests/testshutdown.sh
+ fi
+ fi
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ "$1" == "-40" ]; then
+ ./regtests/testdevel.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ ((WARN=$RC))
+ fi
+# this must be the last test
+ if [ "$1" == "-a" ] || [ "$1" == "-50" ]; then
+ ./regtests/testchangeseed.sh
+ RC=$?
+ if [ $RC -ne 0 ]; then
+ exit 255
+ fi
+ ((I++))
+ fi
+ if [ $RC -ne 0 ]; then
+ echo ""
+ echo "Failed"
+ echo ""
+ exit 255
+ else
+ # -0 is a debug mode that initializes and does not clean up
+ if [ "$1" != "-0" ]; then
+ ${PREFIX}flushcontext -ha 80000000
+ cleanup
+ fi
+
+ echo ""
+ echo "Success - ${I} Tests ${WARN} Warnings"
+ echo ""
+ fi
+}
+
+
+main "$@"
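Review bot: In cleanup, `rm -r storersa2048priv.bin` and `rm -r storersa2048pub.bin` use -r where every other line uses -f; -r still removes a regular file, but when the file is absent (a partial or single-test run) these two lines print an error while the rest stay silent, and cleanup runs on main's success path so the noise lands right before the "Success" line. Change them to `rm -f storersa2048priv.bin` and `rm -f storersa2048pub.bin`. The `((WARN=$RC))` after initkeys.sh and after testattest.sh can only assign 0, because a non-zero RC has already exited three lines earlier, so it reads as a leftover from a warning-count return convention and deserves either removal or a comment. The `RC=$?` after the nested inittpm.sh and testshutdown.sh conditionals picks up the status of the skipped `if` (0) when the simulator checks do not match, which is presumably intended; a comment such as `# RC stays 0 when the simulator-only step is skipped` would make that explicit.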
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/.cvsignore b/libstb/tss2/ibmtpm20tss/utils/regtests/.cvsignore
new file mode 100644
index 0000000..8ea2fe2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/.cvsignore
@@ -0,0 +1 @@
+testdevel.sh
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.bat
new file mode 100644
index 0000000..0f04aad
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.bat
@@ -0,0 +1,147 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM #
+REM (c) Copyright IBM Corporation 2015 - 2020 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo | set /p="1234567890123456" > msg.bin
+touch zero.bin
+
+REM try to undefine any NV index left over from a previous test. Do not check for errors.
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 -pwdp ppp > run.out
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000001 > run.out
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000002 > run.out
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000003 > run.out
+
+REM same for persistent objects
+%TPM_EXE_PATH%evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+
+echo ""
+echo "Initialize Regression Test Keys"
+echo ""
+
+echo "Create a platform primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -pol policies/zerosha256.bin -tk pritk.bin -ch prich.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create an RSA storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pol policies/policycccreate-auth.bin -opr storersa2048priv.bin -opu storersa2048pub.bin -tk storsatk.bin -ch storsach.bin -pwdp sto -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create an ECC storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -st -kt f -kt p -opr storeeccpriv.bin -opu storeeccpub.bin -pwdp sto -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%B in (2048 3072) do (
+
+ echo "Create an unrestricted RSA %%B signing key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr signrsa%%Bpriv.bin -opu signrsa%%Bpub.bin -opem signrsa%%Bpub.pem -pwdp sto -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create an RSA decryption key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -den -kt f -kt p -opr derrsa%%Bpriv.bin -opu derrsa%%Bpub.bin -pwdp sto -pwdk dec > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Create an unrestricted ECC signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -si -kt f -kt p -opr signeccpriv.bin -opu signeccpub.bin -opem signeccpub.pem -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a restricted RSA signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -sir -kt f -kt p -opr signrsa2048rpriv.bin -opu signrsa2048rpub.bin -opem signrsa2048rpub.pem -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a restricted ECC signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -sir -kt f -kt p -opr signeccrpriv.bin -opu signeccrpub.bin -opem signeccrpub.pem -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a not fixedTPM RSA signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -sir -opr signrsa2048nfpriv.bin -opu signrsa2048nfpub.bin -opem signrsa2048nfpub.pem -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a not fixedTPM ECC signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -sir -opr signeccnfpriv.bin -opu signeccnfpub.bin -opem signeccnfpub.pem -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a symmetric cipher key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -des -kt f -kt p -opr despriv.bin -opu despub.bin -pwdp sto -pwdk aes > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a %%H unrestricted keyed hash key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -kh -kt f -kt p -opr khpriv%%H.bin -opu khpub%%H.bin -pwdp sto -pwdk khk -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a %%H restricted keyed hash key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -khr -kt f -kt p -opr khrpriv%%H.bin -opu khrpub%%H.bin -pwdp sto -pwdk khk -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+exit /B 0
+
+
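Review bot: Both `create` calls inside the `for %%B in (2048 3072)` loop omit a key-size option, so the 3072 iteration writes files named `signrsa3072*` and `derrsa3072*` from a key of whatever size `create` defaults to; the shell counterpart passes `-rsa ${BITS}` on its signing-key create, and the same belongs here, e.g. `%TPM_EXE_PATH%create -hp 80000000 -rsa %%B -si -kt f -kt p -opr signrsa%%Bpriv.bin …` and likewise on the `-den` line. As written, the 3072-bit coverage the file names promise is not actually exercised by the later tests. The symmetric cipher key creation also aborts on any failure, whereas the shell version downgrades that to a warning and retries with `-116`; if the batch file is meant to abort there on purpose, a short `REM` explaining the difference would stop the two scripts from drifting further apart.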
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.sh
new file mode 100755
index 0000000..fba6153
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/initkeys.sh
@@ -0,0 +1,130 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo -n "1234567890123456" > msg.bin
+touch zero.bin
+
+# try to undefine any NV index left over from a previous test. Do not check for errors.
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+${PREFIX}nvundefinespace -hi p -ha 01000000 -pwdp ppp > run.out
+${PREFIX}nvundefinespace -hi p -ha 01000001 > run.out
+${PREFIX}nvundefinespace -hi o -ha 01000002 > run.out
+${PREFIX}nvundefinespace -hi o -ha 01000003 > run.out
+# same for persistent objects
+${PREFIX}evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+
+echo ""
+echo "Initialize Regression Test Keys"
+echo ""
+
+# Create a platform primary RSA storage key
+initprimary
+
+echo "Create an RSA storage key under the primary key"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pol policies/policycccreate-auth.bin -opr storersa2048priv.bin -opu storersa2048pub.bin -tk storsatk.bin -ch storsach.bin -pwdp sto -pwdk sto > run.out
+checkSuccess $?
+
+echo "Create an ECC storage key under the primary key"
+${PREFIX}create -hp 80000000 -ecc nistp256 -st -kt f -kt p -opr storeeccpriv.bin -opu storeeccpub.bin -pwdp sto -pwdk sto > run.out
+checkSuccess $?
+
+for BITS in 2048 3072
+do
+
+ echo "Create an unrestricted RSA $BITS signing key under the primary key"
+ ${PREFIX}create -hp 80000000 -rsa ${BITS} -si -kt f -kt p -opr signrsa${BITS}priv.bin -opu signrsa${BITS}pub.bin -opem signrsa${BITS}pub.pem -pwdp sto -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Create an RSA $BITS decryption key under the primary key"
+ ${PREFIX}create -hp 80000000 -den -kt f -kt p -opr derrsa${BITS}priv.bin -opu derrsa${BITS}pub.bin -pwdp sto -pwdk dec > run.out
+ checkSuccess $?
+
+done
+
+echo "Create an unrestricted ECC signing key under the primary key"
+${PREFIX}create -hp 80000000 -ecc nistp256 -si -kt f -kt p -opr signeccpriv.bin -opu signeccpub.bin -opem signeccpub.pem -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Create a restricted RSA signing key under the primary key"
+${PREFIX}create -hp 80000000 -rsa 2048 -sir -kt f -kt p -opr signrsa2048rpriv.bin -opu signrsa2048rpub.bin -opem signrsa2048rpub.pem -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Create an restricted ECC signing key under the primary key"
+${PREFIX}create -hp 80000000 -ecc nistp256 -sir -kt f -kt p -opr signeccrpriv.bin -opu signeccrpub.bin -opem signeccrpub.pem -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Create a not fixedTPM RSA signing key under the primary key"
+${PREFIX}create -hp 80000000 -sir -opr signrsa2048nfpriv.bin -opu signrsa2048nfpub.bin -opem signrsa2048nfpub.pem -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Create a not fixedTPM ECC signing key under the primary key"
+${PREFIX}create -hp 80000000 -ecc nistp256 -sir -opr signeccnfpriv.bin -opu signeccnfpub.bin -opem signeccnfpub.pem -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Create a symmetric cipher key under the primary key"
+${PREFIX}create -hp 80000000 -des -kt f -kt p -opr despriv.bin -opu despub.bin -pwdp sto -pwdk aes > run.out
+RC=$?
+checkWarning $RC "Symmetric cipher key may not support sign attribute"
+
+if [ $RC -ne 0 ]; then
+ echo "Create a rev 116 symmetric cipher key under the primary key"
+ ${PREFIX}create -hp 80000000 -des -116 -kt f -kt p -opr despriv.bin -opu despub.bin -pwdp sto -pwdk aes > run.out
+ checkSuccess $?
+fi
+
+for HALG in ${ITERATE_ALGS}
+
+do
+
+ echo "Create a ${HALG} unrestricted keyed hash key under the primary key"
+ ${PREFIX}create -hp 80000000 -kh -kt f -kt p -opr khpriv${HALG}.bin -opu khpub${HALG}.bin -pwdp sto -pwdk khk -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Create a ${HALG} restricted keyed hash key under the primary key"
+ ${PREFIX}create -hp 80000000 -khr -kt f -kt p -opr khrpriv${HALG}.bin -opu khrpub${HALG}.bin -pwdp sto -pwdk khk -halg ${HALG} > run.out
+ checkSuccess $?
+
+
+
+done
+
+exit ${WARN}
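Review bot: The RSA decryption key inside the `for BITS in 2048 3072` loop is created without `-rsa ${BITS}`, unlike the signing key two commands above, so `derrsa3072priv.bin` is in fact a default-size key and the 3072-bit decrypt path is not covered; the fix is `${PREFIX}create -hp 80000000 -rsa ${BITS} -den -kt f -kt p -opr derrsa${BITS}priv.bin -opu derrsa${BITS}pub.bin -pwdp sto -pwdk dec > run.out`. `exit ${WARN}` at the end relies on `WARN` being set by something outside this file (it is never assigned here); when it is unset this degrades to a bare `exit`, which returns the status of the last command rather than a warning count, so `exit ${WARN:-0}` makes the intent explicit. Minor: the echo string reads "Create an restricted ECC signing key".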
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.bat
new file mode 100644
index 0000000..bfd0942
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.bat
@@ -0,0 +1,79 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM $Id: inittpm.bat 1276 2018-07-23 19:25:13Z kgoldman $ #
+REM #
+REM (c) Copyright IBM Corporation 2015, 2018 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo "Power cycle"
+%TPM_EXE_PATH%powerup -v > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup"
+%TPM_EXE_PATH%startup -c -v > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Test Result"
+%TPM_EXE_PATH%gettestresult > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Allocate PCRs for SHA-1, SHA-256, SHA-384 SHA-512 PCRs"
+%TPM_EXE_PATH%pcrallocate +sha1 +sha256 +sha384 +sha512 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Power cycle"
+%TPM_EXE_PATH%powerup -v > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup"
+%TPM_EXE_PATH%startup -c -v > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.sh
new file mode 100755
index 0000000..eaefab4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/inittpm.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: inittpm.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Initialize TPM"
+echo ""
+
+echo "Power cycle"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup"
+${PREFIX}startup -c > run.out
+checkSuccess $?
+
+echo "Get Test Result"
+${PREFIX}gettestresult > run.out
+checkSuccess $?
+
+echo "Allocate initial SHA-1, SHA-256, SHA-384 SHA-512 PCRs"
+${PREFIX}pcrallocate +sha1 +sha256 +sha384 +sha512 > run.out
+checkSuccess $?
+
+echo "Power cycle"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup"
+${PREFIX}startup -c > run.out
+checkSuccess $?
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.bat
new file mode 100644
index 0000000..9220824
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.bat
@@ -0,0 +1,143 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testaes.bat 1301 2018-08-15 21:46:19Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "AES symmetric key"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+
+ echo "Load the symmetric cipher key under the primary key %%~S"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr despriv.bin -ipu despub.bin -pwdp sto %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -if msg.bin -of enc.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher key 0 length message %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -if zero.bin -of enc.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff zero.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the symmetric cipher key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary symmetric cipher key %%~S"
+ %TPM_EXE_PATH%createprimary -des -pwdk aesp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher primary key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -if msg.bin -of enc.bin -pwdk aesp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher primary key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aesp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the symmetric cipher key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
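Review bot: The file ends without an explicit `exit /B 0`, unlike initkeys.bat and inittpm.bat in the same commit, so the caller receives whatever ERRORLEVEL the final `flushcontext` left; the preceding `IF !ERRORLEVEL! NEQ 0` already bails on failure, so this is 0 in practice, but an explicit `exit /B 0` after the last check removes the dependence on that ordering. testaes138.bat has the same omission. The two trailing `REM getcapability` lines are commented-out code; if they are a debugging aid, a one-line `REM` saying so (and the `%TPM_EXE_PATH%` prefix the sibling testaes138.bat uses on the same lines) would keep them from reading as leftovers.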
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.sh
new file mode 100755
index 0000000..dd0d558
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testaes.sh
@@ -0,0 +1,114 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testaes.sh 1301 2018-08-15 21:46:19Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "AES symmetric key"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "Load the symmetric cipher key under the primary key ${SESS}"
+ ${PREFIX}load -hp 80000000 -ipr despriv.bin -ipu despub.bin -pwdp sto ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -if msg.bin -of enc.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher key 0 length message ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -if zero.bin -of enc.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff zero.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the symmetric cipher key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a primary symmetric cipher key ${SESS}"
+ ${PREFIX}createprimary -des -pwdk aesp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher primary key ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -if msg.bin -of enc.bin -pwdk aesp ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher primary key ${SESS}"
+ ${PREFIX}encryptdecrypt -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aesp ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the symmetric cipher key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
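Review bot: Style: the two primary-key `encryptdecrypt` lines write `${SESS}> run.out` with no space before the redirection, while every other command in the file uses ` > run.out`; since `${SESS}` ends in `1` on the second loop pass this reads as a `1>` descriptor redirect, even though the shell tokenises the `>` before expansion and the `1` stays an ordinary argument. Writing `-pwdk aesp ${SESS} > run.out` on both lines keeps the file consistent and avoids the double take.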
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.bat
new file mode 100644
index 0000000..a2d17b1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.bat
@@ -0,0 +1,142 @@
+REM #################################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testaes.sh 714 2016-08-11 21:46:03Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015, 2016 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "AES symmetric key"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Load the symmetric cipher key under the primary key %%~S"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr despriv.bin -ipu despub.bin -pwdp sto %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -if msg.bin -of enc.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher key 0 length message %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -if zero.bin -of enc.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff zero.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the symmetric cipher key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary symmetric cipher key %%~S"
+ %TPM_EXE_PATH%createprimary -des -pwdk aesp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt using the symmetric cipher primary key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -if msg.bin -of enc.bin -pwdk aesp %%~S> run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Decrypt using the symmetric cipher primary key %%~S"
+ %TPM_EXE_PATH%encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aesp %%~S> run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the symmetric cipher key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 80000000
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 02000000
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.sh
new file mode 100755
index 0000000..49eb6fe
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testaes138.sh
@@ -0,0 +1,114 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testaes.sh 714 2016-08-11 21:46:03Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "AES symmetric key"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "Load the symmetric cipher key under the primary key ${SESS}"
+ ${PREFIX}load -hp 80000000 -ipr despriv.bin -ipu despub.bin -pwdp sto ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -if msg.bin -of enc.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher key 0 length message ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -if zero.bin -of enc.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher key ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aes ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff zero.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the symmetric cipher key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a primary symmetric cipher key ${SESS}"
+ ${PREFIX}createprimary -des -pwdk aesp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Encrypt using the symmetric cipher primary key ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -if msg.bin -of enc.bin -pwdk aesp ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Decrypt using the symmetric cipher primary key ${SESS}"
+ ${PREFIX}encryptdecrypt -2 -hk 80000001 -d -if enc.bin -of dec.bin -pwdk aesp ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ diff msg.bin dec.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the symmetric cipher key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.bat
new file mode 100644
index 0000000..d019bb1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.bat
@@ -0,0 +1,580 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2018 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Attestation"
+echo ""
+
+echo "Load the RSA signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the ECC signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Define Space"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read Public, unwritten Name"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if msg.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+ for %%A in (rsa ecc) do (
+
+ IF "%%A" == "rsa" (
+ set K=80000001
+ )
+ IF "%%A" == "ecc" (
+ set K=80000002
+ )
+
+ echo "Signing Key Self Certify %%H %%A %%~S"
+ %TPM_EXE_PATH%certify -hk !K! -ho 80000001 -halg %%H -pwdk sig -pwdo sig %%~S -os sig.bin -oa tmp.bin -qd policies/aaa -salg %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Quote %%H %%A %%~S"
+ %TPM_EXE_PATH%quote -hp 0 -hk !K! -halg %%H -palg %%H -pwdk sig %%~S -os sig.bin -oa tmp.bin -qd policies/aaa -salg %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get Time %%H %%A %%~S"
+ %TPM_EXE_PATH%gettime -hk !K! -halg %%H -pwdk sig %%~S -os sig.bin -oa tmp.bin -qd policies/aaa -salg %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Certify %%H %%A %%~S"
+ %TPM_EXE_PATH%nvcertify -ha 01000000 -pwdn nnn -hk !K! -pwdk sig -halg %%H -sz 16 %%~S -os sig.bin -oa tmp.bin -salg %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Set command audit digest ${HALG}"
+ %TPM_EXE_PATH%setcommandcodeauditstatus -hi p -halg null -clr 00000144 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get command audit digest %%H %%A %%~S"
+ %TPM_EXE_PATH%getcommandauditdigest -hk !K! -halg %%H %%~S -pwdk sig -os sig.bin -oa tmp.bin -qd policies/aaa -salg %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+ )
+)
+
+echo "Flush the RSA attestation key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the ECC attestation key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Attestation with an HMAC key"
+echo ""
+
+echo "Generate an HMAC key"
+%TPM_EXE_PATH%getrandom -by 32 -of tmphkey.bin -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a %%H HMAC key"
+ %TPM_EXE_PATH%create -hp 80000000 -pwdp sto -kh -halg %%H -if tmphkey.bin -opu tmppub.bin -opr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the %%H HMAC key"
+ %TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Self Certify with an HMAC key %%H"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -halg %%H -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using TPM"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using OpenSSL"
+ %TPM_EXE_PATH%verifysignature -halg %%H -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Quote with an HMAC key %%H"
+ %TPM_EXE_PATH%quote -hp 0 -hk 80000001 -halg %%H -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using TPM"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using OpenSSL"
+ %TPM_EXE_PATH%verifysignature -halg %%H -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Gettime signed with an HMAC key %%H"
+ %TPM_EXE_PATH%gettime -hk 80000001 -halg %%H -salg hmac -os sig.bin -oa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using TPM"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using OpenSSL"
+ %TPM_EXE_PATH%verifysignature -halg %%H -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Certify with an HMAC key %%H"
+ %TPM_EXE_PATH%nvcertify -ha 01000000 -pwdn nnn -hk 80000001 -halg %%H -salg hmac -sz 16 -os sig.bin -oa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using TPM"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using OpenSSL"
+ %TPM_EXE_PATH%verifysignature -halg %%H -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get command audit digest with an HMAC key %%H"
+ %TPM_EXE_PATH%getcommandauditdigest -hk 80000001 -halg %%H -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using TPM"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H using OpenSSL"
+ %TPM_EXE_PATH%verifysignature -halg %%H -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%H HMAC key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Audit"
+echo ""
+
+REM 80000001 signing key
+REM 02000000 hmac and audit session
+
+echo ""
+echo "Audit with one session"
+echo ""
+
+echo "Load the audit signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%B in ("" "-bi 80000001 -pwdb sig") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+
+ echo "Start an HMAC auth session %%H %%~B"
+ %TPM_EXE_PATH%startauthsession -se h -halg %%H %%~B > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa2048pub.bin -se0 02000000 81 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa2048pub.bin -se0 02000000 81 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get Session Audit Digest %%H"
+ %TPM_EXE_PATH%getsessionauditdigest -hs 02000000 -hk 80000001 -pwdk sig -halg %%H -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM 80000001 signing key
+REM 02000000 hmac session
+REM 02000001 audit session
+
+echo ""
+echo "Audit with HMAC and audit sessions"
+echo ""
+
+echo "Load the audit signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Start an audit session %%H"
+ %TPM_EXE_PATH%startauthsession -se h -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa2048pub.bin -se0 02000001 81 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get Session Audit Digest %%~S"
+ %TPM_EXE_PATH%getsessionauditdigest -hs 02000001 -hk 80000001 -pwdk sig -os sig.bin -oa tmp.bin %%~S -qd policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the session"
+ %TPM_EXE_PATH%flushcontext -ha 02000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Certify Creation"
+echo ""
+
+echo "Load the RSA signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Certify the creation data for the primary key 80000000"
+%TPM_EXE_PATH%certifycreation -ho 80000000 -hk 80000001 -pwdk sig -tk pritk.bin -ch prich.bin -os sig.bin -oa tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the RSA storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Certify the creation data for the storage key 80000002"
+%TPM_EXE_PATH%certifycreation -ho 80000002 -hk 80000001 -pwdk sig -tk storsatk.bin -ch storsach.bin -os sig.bin -oa tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Audit a PCR Read"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Start an audit session %%H"
+ %TPM_EXE_PATH%startauthsession -se h -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR 16 reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ cp policies/zero%%H.bin tmpdigestr.bin
+
+ echo "PCR 16 read %%H"
+ %TPM_EXE_PATH%pcrread -ha 16 -halg %%H -se0 02000000 81 -ahalg %%H -iosad tmpdigestr.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get session audit digest"
+ %TPM_EXE_PATH%getsessionauditdigest -hs 02000000 -od tmpdigestg.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Check session audit digest"
+ diff tmpdigestr.bin tmpdigestg.bin
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Extend PCR 16"
+ %TPM_EXE_PATH%pcrextend -ha 16 -halg %%H -ic aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR 16 read %%H"
+ %TPM_EXE_PATH%pcrread -ha 16 -halg %%H -se0 02000000 81 -ahalg %%H -iosad tmpdigestr.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get session audit digest"
+ %TPM_EXE_PATH%getsessionauditdigest -hs 02000000 -od tmpdigestg.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Check session audit digest"
+ diff tmpdigestr.bin tmpdigestg.bin
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the audit session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+REM cleanup
+
+rm -f tmppriv.bin
+rm -f tmppub.bin
+rm -f tmpdigestr.bin
+rm -f tmpdigestg.bin
+rm -f sig.bin
+rm -f tmp.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
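Review bot: The cleanup block at the end of testattest.bat never removes tmphkey.bin, so the 32-byte HMAC key produced by `getrandom -by 32 -of tmphkey.bin -ns` and then imported into the TPM with `create -kh ... -if tmphkey.bin` is left on disk after the run; the .sh counterpart does delete it, so add `rm -f tmphkey.bin` next to the other `rm -f` lines. Separately, the echo before setcommandcodeauditstatus uses the bash spelling `${HALG}` inside a batch file, which prints literally on Windows and should be `%%H` like the surrounding messages. The two `diff tmpdigestr.bin tmpdigestg.bin` checks and the final `flushcontext -ha 02000000` in the PCR-read audit loop are the only commands in the file not redirected to run.out, which looks like an oversight rather than intent.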
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.sh
new file mode 100755
index 0000000..7cc6747
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testattest.sh
@@ -0,0 +1,442 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Attestation"
+echo ""
+
+
+# 80000001 RSA signing key
+# 80000002 ECC signing key
+
+echo "Load the RSA signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Load the ECC signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "NV Define Space"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 > run.out
+checkSuccess $?
+
+echo "NV Read Public, unwritten Name"
+${PREFIX}nvreadpublic -ha 01000000 > run.out
+checkSuccess $?
+
+echo "NV write"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if msg.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ for SALG in rsa ecc
+ do
+
+ if [ ${SALG} == rsa ]; then
+ HANDLE=80000001
+ else
+ HANDLE=80000002
+ fi
+
+ echo "Signing Key Self Certify ${HALG} ${SALG} ${SESS}"
+ ${PREFIX}certify -hk ${HANDLE} -ho 80000001 -halg ${HALG} -pwdk sig -pwdo sig ${SESS} -os sig.bin -oa tmp.bin -qd policies/aaa -salg ${SALG} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Quote ${HALG} ${SALG} ${SALG} ${SESS}"
+ ${PREFIX}quote -hp 0 -hk ${HANDLE} -halg ${HALG} -palg ${HALG} -pwdk sig ${SESS} -os sig.bin -oa tmp.bin -qd policies/aaa -salg ${SALG} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Get Time ${HALG} ${SALG} ${SESS}"
+ ${PREFIX}gettime -hk ${HANDLE} -halg ${HALG} -pwdk sig ${SESS} -os sig.bin -oa tmp.bin -qd policies/aaa -salg ${SALG} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "NV Certify ${HALG} ${SALG} ${SESS}"
+ ${PREFIX}nvcertify -ha 01000000 -pwdn nnn -hk ${HANDLE} -pwdk sig -halg ${HALG} -sz 16 ${SESS} -os sig.bin -oa tmp.bin -salg ${SALG} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Set command audit digest ${HALG}"
+ ${PREFIX}setcommandcodeauditstatus -hi p -halg null -clr 00000144 > run.out
+ checkSuccess $?
+
+ echo "Get command audit digest ${HALG} ${SALG} ${SESS}"
+ ${PREFIX}getcommandauditdigest -hk ${HANDLE} -halg ${HALG} ${SESS} -pwdk sig -os sig.bin -oa tmp.bin -qd policies/aaa -salg ${SALG} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ done
+ done
+done
+
+echo "Flush the RSA attestation key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the ECC attestation key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Attestation with an HMAC key"
+echo ""
+
+echo "Generate an HMAC key"
+${PREFIX}getrandom -by 32 -of tmphkey.bin -ns > run.out
+checkSuccess $?
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create a ${HALG} HMAC key ${HMACKEY}"
+ ${PREFIX}create -hp 80000000 -pwdp sto -kh -halg ${HALG} -if tmphkey.bin -opu tmppub.bin -opr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Load the ${HALG} HMAC key"
+ ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Signing Key Self Certify with an HMAC key ${HALG}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -halg ${HALG} -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using TPM"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using OpenSSL"
+ ${PREFIX}verifysignature -halg ${HALG} -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ checkSuccess $?
+
+ echo "Quote with an HMAC key ${HALG}"
+ ${PREFIX}quote -hp 0 -hk 80000001 -halg ${HALG} -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using TPM"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using OpenSSL"
+ ${PREFIX}verifysignature -halg ${HALG} -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ checkSuccess $?
+
+ echo "Gettime signed with an HMAC key ${HALG}"
+ ${PREFIX}gettime -hk 80000001 -halg ${HALG} -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using TPM"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using OpenSSL"
+ ${PREFIX}verifysignature -halg ${HALG} -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ checkSuccess $?
+
+ echo "NV Certify with an HMAC key ${HALG}"
+ ${PREFIX}nvcertify -ha 01000000 -pwdn nnn -hk 80000001 -halg ${HALG} -salg hmac -sz 16 -os sig.bin -oa tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using TPM"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using OpenSSL"
+ ${PREFIX}verifysignature -halg ${HALG} -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ checkSuccess $?
+
+ echo "Get command audit digest with an HMAC key ${HALG}"
+ ${PREFIX}getcommandauditdigest -hk 80000001 -halg ${HALG} -salg hmac -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using TPM"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG} using OpenSSL"
+ ${PREFIX}verifysignature -halg ${HALG} -if tmp.bin -is sig.bin -ihmac tmphkey.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the ${HALG} HMAC key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Audit"
+echo ""
+
+# 80000001 signing key
+# 02000000 hmac and audit session
+
+echo ""
+echo "Audit with one session"
+echo ""
+
+echo "Load the audit signing key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+for BIND in "" "-bi 80000001 -pwdb sig"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ echo "Start an HMAC auth session ${HALG} ${BIND}"
+ ${PREFIX}startauthsession -se h -halg ${HALG} ${BIND} > run.out
+ checkSuccess $?
+
+ echo "Sign a digest ${HALG}"
+ ${PREFIX}sign -hk 80000001 -halg ${HALG} -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa2048pub.bin -se0 02000000 81 > run.out
+ checkSuccess $?
+
+ echo "Sign a digest ${HALG}"
+ ${PREFIX}sign -hk 80000001 -halg ${HALG} -if policies/aaa -os sig.bin -pwdk sig -se0 02000000 81 -ipu signrsa2048pub.bin > run.out
+ checkWarning $? "Interaction between bind and audit session response HMAC may not be fixed"
+
+ echo "Get Session Audit Digest ${HALG}"
+ ${PREFIX}getsessionauditdigest -hs 02000000 -hk 80000001 -pwdk sig -halg ${HALG} -os sig.bin -oa tmp.bin -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG}"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the session"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# 80000001 signing key
+# 02000000 hmac session
+# 02000001 audit session
+
+echo ""
+echo "Audit with HMAC and audit sessions"
+echo ""
+
+echo "Load the audit signing key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ echo "Start an audit session ${HALG}"
+ ${PREFIX}startauthsession -se h -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Sign a digest ${HALG}"
+ ${PREFIX}sign -hk 80000001 -halg $HALG -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa2048pub.bin -se0 02000001 81 > run.out
+ checkSuccess $?
+
+ echo "Get Session Audit Digest ${SESS}"
+ ${PREFIX}getsessionauditdigest -hs 02000001 -hk 80000001 -pwdk sig -os sig.bin -oa tmp.bin ${SESS} -qd policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Verify the signature"
+ ${PREFIX}verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the session"
+ ${PREFIX}flushcontext -ha 02000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Certify Creation"
+echo ""
+
+echo "Load the RSA signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Certify the creation data for the primary key 80000000"
+${PREFIX}certifycreation -ho 80000000 -hk 80000001 -pwdk sig -tk pritk.bin -ch prich.bin -os sig.bin -oa tmp.bin > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+checkSuccess $?
+
+echo "Load the RSA storage key under the primary key"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Certify the creation data for the storage key 80000002"
+${PREFIX}certifycreation -ho 80000002 -hk 80000001 -pwdk sig -tk storsatk.bin -ch storsach.bin -os sig.bin -oa tmp.bin > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -if tmp.bin -is sig.bin > run.out
+checkSuccess $?
+
+echo "Flush the storage key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the signing key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Audit a PCR Read"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Start an audit session ${HALG}"
+ ${PREFIX}startauthsession -se h -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "PCR 16 reset"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ cp policies/zero${HALG}.bin tmpdigestr.bin
+
+ echo "PCR 16 read ${HALG}"
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out
+ checkSuccess $?
+
+ echo "Get session audit digest"
+ ${PREFIX}getsessionauditdigest -hs 02000000 -od tmpdigestg.bin > run.out
+ checkSuccess $?
+
+ echo "Check session audit digest"
+ diff tmpdigestr.bin tmpdigestg.bin
+ checkSuccess $?
+
+ echo "Extend PCR 16"
+ ${PREFIX}pcrextend -ha 16 -halg ${HALG} -ic aaa > run.out
+ checkSuccess $?
+
+ echo "PCR 16 read ${HALG}"
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -se0 02000000 81 -ahalg ${HALG} -iosad tmpdigestr.bin > run.out
+ checkSuccess $?
+
+ echo "Get session audit digest"
+ ${PREFIX}getsessionauditdigest -hs 02000000 -od tmpdigestg.bin > run.out
+ checkSuccess $?
+
+ echo "Check session audit digest"
+ diff tmpdigestr.bin tmpdigestg.bin
+ checkSuccess $?
+
+ echo "Flush the audit session"
+ ${PREFIX}flushcontext -ha 02000000
+ checkSuccess $?
+
+done
+
+# cleanup
+
+rm -f tmppriv.bin
+rm -f tmppub.bin
+rm -f tmpdigestr.bin
+rm -f tmpdigestg.bin
+rm -f sig.bin
+rm -f tmp.bin
+rm -f tmphkey.bin
+
+exit ${WARN}
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
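Review bot: In the bind/audit loop the second `sign` is checked with `checkWarning $? "Interaction between bind and audit session response HMAC may not be fixed"` while testattest.bat treats the same command as a hard failure; if the response-HMAC verification for a bound audit session can still fail here, this test is tolerating a failed integrity check and the line deserves a comment pointing at the tracked issue, and if it has since been fixed it should be `checkSuccess $?` like the first call. Minor: the echo before `create -kh` expands `${HMACKEY}`, which nothing in this file sets (presumably a leftover, unless the harness exports it), and the quote message repeats `${SALG}` twice. The two `diff tmpdigestr.bin tmpdigestg.bin` checks and the final `flushcontext -ha 02000000` lack the `> run.out` redirect used everywhere else in the file.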
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.bat
new file mode 100644
index 0000000..cc5874d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.bat
@@ -0,0 +1,162 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2019 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Attestation - rev 155"
+echo ""
+
+rem # 80000001 RSA signing key
+rem # 80000002 ECC signing key
+
+echo "Load the RSA signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the ECC signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Define Space"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read Public, unwritten Name"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if msg.bin -v > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+ for %%A in (rsa ecc) do (
+
+ IF "%%A" == "rsa" (
+ set K=80000001
+ )
+ IF "%%A" == "ecc" (
+ set K=80000002
+ )
+
+ echo "NV Certify a digest %%H %%A %%~S"
+ %TPM_EXE_PATH%nvcertify -ha 01000000 -pwdn nnn -hk !K! -pwdk sig -halg %%H -sz 0 %%~S -os sig.bin -oa tmp.bin -salg %%A -od tmpdigest1.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%A signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk !K! -halg %%H -if tmp.bin -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -of tmpdata.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Digest the hashed and certified NV data %%H"
+ %TPM_EXE_PATH%hash -halg %%H -if tmpdata.bin -oh tmpdigest2.bin
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Check the digest %%H results"
+ diff tmpdigest1.bin tmpdigest2.bin
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+ )
+)
+
+echo "Flush the RSA attestation key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the ECC attestation key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem # cleanup
+
+rm tmpdigest1.bin
+rm tmpdata.bin
+rm tmpdigest2.bin
+
+exit /B 0
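Review bot: The `hash` invocation at the "Digest the hashed and certified NV data" step is the only command in this file whose output is not redirected to run.out, so its stdout goes to the console instead of the log every other step writes; `%TPM_EXE_PATH%hash -halg %%H -if tmpdata.bin -oh tmpdigest2.bin > run.out` would match the rest of the script, and the `${PREFIX}hash` line in testattest155.sh has the same omission. Separately, nvcertify writes sig.bin and tmp.bin (`-os sig.bin -oa tmp.bin`) but the cleanup block removes only tmpdigest1.bin, tmpdata.bin and tmpdigest2.bin, so those two files are left behind after the test; the testattest155.sh cleanup has the same gap.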
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.sh
new file mode 100755
index 0000000..1f97474
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testattest155.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2019 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Attestation - rev 155"
+echo ""
+
+# 80000001 RSA signing key
+# 80000002 ECC signing key
+
+echo "Load the RSA signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Load the ECC signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "NV Define Space"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 > run.out
+checkSuccess $?
+
+echo "NV Read Public, unwritten Name"
+${PREFIX}nvreadpublic -ha 01000000 > run.out
+checkSuccess $?
+
+echo "NV write"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if msg.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ for SALG in rsa ecc
+ do
+
+ if [ ${SALG} == rsa ]; then
+ HANDLE=80000001
+ else
+ HANDLE=80000002
+ fi
+
+ echo "NV Certify a digest ${HALG} ${SALG} ${SESS}"
+ ${PREFIX}nvcertify -ha 01000000 -pwdn nnn -hk ${HANDLE} -pwdk sig -halg ${HALG} -sz 0 ${SESS} -os sig.bin -oa tmp.bin -salg ${SALG} -od tmpdigest1.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the ${SALG} signature ${HALG}"
+ ${PREFIX}verifysignature -hk ${HANDLE} -halg ${HALG} -if tmp.bin -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "NV read"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -of tmpdata.bin > run.out
+ checkSuccess $?
+
+ echo "Digest the hashed and certified NV data ${HALG}"
+ ${PREFIX}hash -halg ${HALG} -if tmpdata.bin -oh tmpdigest2.bin
+ checkSuccess $?
+
+ echo "Check the digest ${HALG} results"
+ diff tmpdigest1.bin tmpdigest2.bin
+ checkSuccess $?
+
+ done
+ done
+done
+
+echo "Flush the RSA attestation key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the ECC attestation key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# cleanup
+
+rm -f tmpdigest1.bin
+rm -f tmpdata.bin
+rm -f tmpdigest2.bin
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.bat
new file mode 100644
index 0000000..8bbad83
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.bat
@@ -0,0 +1,658 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testbind.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+REM
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Bind session"
+echo ""
+
+echo ""
+echo "Bind session to Primary Key"
+echo ""
+
+echo "Bind session bound to primary key at 80000000"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000000 -pwdb sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create storage key using that bind session, same object 80000000"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create storage key using that bind session, same object 80000000, wrong password does not matter"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create second primary key with different password 000 and Name"
+%TPM_EXE_PATH%createprimary -hi o -pwdk 000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to second primary key at 80000001, correct password"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb 000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session, different object 80000000"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session, different object 80000000, wrong password - should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 1 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to primary key at 80000000, wrong password"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000000 -pwdb xxx > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session, same object 80000000 - should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Flush the failing session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the second primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Bind session to Hierarchy"
+echo ""
+
+echo "Change platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to platform hierarchy"
+%TPM_EXE_PATH%startauthsession -se h -bi 4000000c -pwdb ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session, wrong password - should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to platform hierarchy, wrong password"
+%TPM_EXE_PATH%startauthsession -se h -bi 4000000c -pwdb xxx > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session - should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Change platform hierarchy auth back to null"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Bind session to NV"
+echo ""
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+
+echo "NV Define Space"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 3 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV Read Public, unwritten Name"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to unwritten NV index at 01000000"
+%TPM_EXE_PATH%startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV write HMAC using bind session to set written"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -ic 123 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Bind session bound to written NV index at 01000000"
+%TPM_EXE_PATH%startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV Write HMAC using bind session"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -ic 123 -se0 02000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV Read HMAC using bind session"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 3 -se0 02000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV Read HMAC using bind session, wrong password does not matter"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn xxx -sz 3 -se0 02000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using that bind session"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Encrypt with bind to same object"
+echo ""
+
+for %%M in (xor aes) do (
+
+ echo "Start an HMAC auth session with %%M encryption and bind to primary key at 80000000"
+ %TPM_EXE_PATH%startauthsession -se h -sym %%M -bi 80000000 -pwdb sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create storage key using bind session, same object, wrong password"
+ %TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create storage key using bind session, same object 80000000"
+ %TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the key, with %%M encryption"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed object"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%M session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Encrypt with bind to different object"
+echo ""
+
+for %%M in (xor aes) do (
+
+ echo "Start an HMAC auth session with %%M encryption and bind to platform auth"
+ %TPM_EXE_PATH%startauthsession -se h -sym %%M -bi 4000000c > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create storage key using bind session, different object, wrong password, should fail"
+ %TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Create storage key using bind session, different object"
+ %TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp sto -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the key, with %%M encryption"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed object"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%M session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Encrypt with bind to different object, xor"
+echo ""
+
+echo "Start an HMAC auth session with xor encryption and bind to platform auth"
+%TPM_EXE_PATH%startauthsession -se h -sym xor -bi 4000000c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using bind session, different object, wrong password, should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using bind session, different object"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp sto -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the key, with xor encryption"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the xor session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Encrypt with bind to different object, aes"
+echo ""
+
+echo "Start an HMAC auth session with aes encryption and bind to platform auth"
+%TPM_EXE_PATH%startauthsession -se h -sym aes -bi 4000000c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using bind session, different object, wrong password, should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Create storage key using bind session, different object"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp sto -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the key, with aes encryption"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the aes session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "PolicyAuthValue and bind to different object, command encryption"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Start a policy session, bind to primary key"
+%TPM_EXE_PATH%startauthsession -se p -bi 80000000 -pwdb sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Sign a digest - policy, command encrypt"
+%TPM_EXE_PATH%sign -hk 80000001 -if policies/aaa -os sig.bin -ipu tmppub.bin -se0 03000000 21 -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "PolicyAuthValue and bind to same object, command encryption"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -bi 80000001 -pwdb sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Sign a digest - policy, command encrypt"
+%TPM_EXE_PATH%sign -hk 80000001 -if policies/aaa -os sig.bin -ipu tmppub.bin -se0 03000000 21 -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "PolicyAuthValue and bind to different object, response encryption"
+echo ""
+
+echo "Create a storage key under the primary key - policy command code - create, auth"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmpspriv.bin -opu tmpspub.bin -pwdp sto -pwdk sto -pol policies/policycccreate-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpspriv.bin -ipu tmpspub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Start a policy session, bind to primary key"
+%TPM_EXE_PATH%startauthsession -se p -bi 80000000 -pwdb sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy command code - create"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 153 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create a signing key with response encryption"
+%TPM_EXE_PATH%create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -se0 03000000 41 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the signing key to verify response encryption"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "PolicyAuthValue and bind to same object, response encryption"
+echo ""
+
+echo "Create a storage key under the primary key - policy command code - create, auth"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmpspriv.bin -opu tmpspub.bin -pwdp sto -pwdk sto -pol policies/policycccreate-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpspriv.bin -ipu tmpspub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Start a policy session, bind to storage key"
+%TPM_EXE_PATH%startauthsession -se p -bi 80000001 -pwdb sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy command code - create"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 153 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create a signing key with response encryption"
+%TPM_EXE_PATH%create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -se0 03000000 41 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the signing key to verify response encryption"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+exit /B 0
+
+REM # getcapability -cap 1 -pr 80000000
+REM # getcapability -cap 1 -pr 02000000
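Review bot: Every negative check in this file (`IF !ERRORLEVEL! EQU 0 ( exit /B 1 )` after each "should fail" create step) accepts any non-zero exit, so a command that fails for an unrelated reason passes the test exactly as an authorization failure does, and a genuine bind-session authorization weakness could be masked by an unrelated setup error. Since each command's output is already captured in run.out, the check could additionally grep run.out for the expected authorization return code before treating the step as passed (the exact string the tool prints for that code should be taken from a known-good run rather than assumed). The two standalone sections "Encrypt with bind to different object, xor" and "... aes" repeat step for step what the preceding `for %%M in (xor aes)` loop already executes and could be dropped. The error-check blocks are also indented inconsistently — the first few `IF !ERRORLEVEL!` lines sit at column 0 while most later ones are indented by one space — which is worth normalizing.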
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.sh
new file mode 100755
index 0000000..6af2408
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testbind.sh
@@ -0,0 +1,427 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testbind.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Bind session"
+echo ""
+
+echo ""
+echo "Bind session to Primary Key"
+echo ""
+
+echo "Bind session bound to primary key at 80000000"
+${PREFIX}startauthsession -se h -bi 80000000 -pwdb sto > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, same object 80000000"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, same object 80000000, wrong password does not matter"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Create second primary key with different password 000 and Name"
+${PREFIX}createprimary -hi o -pwdk 000 > run.out
+checkSuccess $?
+
+echo "Bind session bound to second primary key at 80000001, correct password"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb 000 > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, different object 80000000"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, different object 80000000, wrong password - should fail"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Bind session bound to primary key at 80000000, wrong password"
+${PREFIX}startauthsession -se h -bi 80000000 -pwdb xxx > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, same object 80000000 - should fail"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+checkFailure $?
+
+echo "Flush the failing session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the second primary key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Bind session to Hierarchy"
+echo ""
+
+echo "Change platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Bind session bound to platform hierarchy"
+${PREFIX}startauthsession -se h -bi 4000000c -pwdb ppp > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session, wrong password - should fail"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp xxx -pwdk 222 -se0 02000000 0 > run.out
+checkFailure $?
+
+echo "Create storage key using that bind session"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Bind session bound to platform hierarchy, wrong password"
+${PREFIX}startauthsession -se h -bi 4000000c -pwdb xxx > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session - should fail"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+checkFailure $?
+
+echo "Change platform hierarchy auth back to null"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Bind session to NV"
+echo ""
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+
+echo "NV Define Space"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 3 > run.out
+checkSuccess $?
+
+echo "NV Read Public, unwritten Name"
+${PREFIX}nvreadpublic -ha 01000000 > run.out
+checkSuccess $?
+
+echo "Bind session bound to unwritten NV index at 01000000"
+${PREFIX}startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+checkSuccess $?
+
+echo "NV write HMAC using bind session to set written"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -ic 123 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Bind session bound to written NV index at 01000000"
+${PREFIX}startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+checkSuccess $?
+
+echo "NV Write HMAC using bind session"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -ic 123 -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "NV Read HMAC using bind session"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 3 -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "NV Read HMAC using bind session, wrong password does not matter"
+${PREFIX}nvread -ha 01000000 -pwdn xxx -sz 3 -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Create storage key using that bind session"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk 222 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Encrypt with bind to same object"
+echo ""
+
+for MODE0 in xor aes
+
+do
+
+ echo "Start an HMAC auth session with $MODE0 encryption and bind to primary key at 80000000"
+ ${PREFIX}startauthsession -se h -sym $MODE0 -bi 80000000 -pwdb sto > run.out
+ checkSuccess $?
+
+ echo "Create storage key using bind session, same object, wrong password"
+ ${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ checkSuccess $?
+
+ echo "Create storage key using bind session, same object 80000000"
+ ${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdk 222 -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ checkSuccess $?
+
+ echo "Load the key, with $MODE0 encryption"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed object"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the $MODE0 session"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Encrypt with bind to different object"
+echo ""
+
+for MODE0 in xor aes
+
+do
+
+ echo "Start an HMAC auth session with $MODE0 encryption and bind to platform auth"
+ ${PREFIX}startauthsession -se h -sym $MODE0 -bi 4000000c > run.out
+ checkSuccess $?
+
+ echo "Create storage key using bind session, different object, wrong password, should fail"
+ ${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp xxx -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ checkFailure $?
+
+ echo "Create storage key using bind session, different object"
+ ${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdk 222 -pwdp sto -opr tmppriv.bin -opu tmppub.bin -se0 02000000 61 > run.out
+ checkSuccess $?
+
+ echo "Load the key, with $MODE0 encryption"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto -se0 02000000 61 > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed object"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the $MODE0 session"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "PolicyAuthValue and bind to different object, command encryption"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session, bind to primary key"
+${PREFIX}startauthsession -se p -bi 80000000 -pwdb sto > run.out
+checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, command encrypt"
+${PREFIX}sign -hk 80000001 -if policies/aaa -os sig.bin -ipu tmppub.bin -se0 03000000 21 -pwdk sig > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -if policies/aaa -is sig.bin > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "PolicyAuthValue and bind to same object, command encryption"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, command encrypt"
+${PREFIX}sign -hk 80000001 -if policies/aaa -os sig.bin -ipu tmppub.bin -se0 03000000 21 -pwdk sig > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -if policies/aaa -is sig.bin > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "PolicyAuthValue and bind to different object, response encryption"
+echo ""
+
+#intermediate policy digest length 32
+# 54 a0 de 17 1d 03 c6 9b 17 b3 61 22 33 a5 e8 b2
+# d8 ee e0 87 f9 c6 ea 85 8c 9c 2e 51 05 52 8b 14
+# policy
+# 4b 50 04 f7 3f 2e f8 c0 96 c9 18 d0 bc 18 0e 6b
+# 49 0c 8a ed 14 bb 8f 86 fc 5a 54 ef 0c d3 90 44
+
+echo "Create a storage key under the primary key - policy command code - create, auth"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmpspriv.bin -opu tmpspub.bin -pwdp sto -pwdk sto -pol policies/policycccreate-auth.bin > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmpspriv.bin -ipu tmpspub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session, bind to primary key"
+${PREFIX}startauthsession -se p -bi 80000000 -pwdb sto > run.out
+checkSuccess $?
+
+echo "Policy command code - create"
+${PREFIX}policycommandcode -ha 03000000 -cc 153 > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create a signing key with response encryption"
+${PREFIX}create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -se0 03000000 41 > run.out
+checkSuccess $?
+
+echo "Load the signing key to verify response encryption"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "PolicyAuthValue and bind to same object, response encryption"
+echo ""
+
+echo "Create a storage key under the primary key - policy command code - create, auth"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmpspriv.bin -opu tmpspub.bin -pwdp sto -pwdk sto -pol policies/policycccreate-auth.bin > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmpspriv.bin -ipu tmpspub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session, bind to storage key"
+${PREFIX}startauthsession -se p -bi 80000001 -pwdb sto > run.out
+checkSuccess $?
+
+echo "Policy command code - create"
+${PREFIX}policycommandcode -ha 03000000 -cc 153 > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create a signing key with response encryption"
+${PREFIX}create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -se0 03000000 41 > run.out
+checkSuccess $?
+
+echo "Load the signing key to verify response encryption"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
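Review bot: The `nvundefinespace` at the top of the "Bind session to NV" section is the one command in this script whose result is not checked, and nothing says why; a comment keeps a later reader from "fixing" it: `# no checkSuccess: the index may not exist on a fresh TPM, this is best-effort cleanup`. The two `echo "Flush the sealed object"` lines inside the encryption loops flush the handle produced by the preceding `create -st`/`load`, which is a storage key, so `echo "Flush the storage key"` would describe what is flushed. The script also relies on `PREFIX`, `checkSuccess` and `checkFailure` being defined by the calling harness; presumably that is the convention for these regtests, but a one-line header comment stating it would help anyone running the file standalone.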
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.bat
new file mode 100644
index 0000000..9bff841
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.bat
@@ -0,0 +1,179 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Object Change Auth"
+echo ""
+
+for %%B in ("" "-bi 80000001 -pwdb sig") do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Load the signing key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start an HMAC session %%~B"
+ %TPM_EXE_PATH%startauthsession -se h %%~B > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Object change auth, change password to xxx %%~S"
+ %TPM_EXE_PATH%objectchangeauth -ho 80000001 -pwdo sig -pwdn xxx -hp 80000000 -opr tmppriv.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key with the changed auth %%~S"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu signrsa2048pub.bin -pwdp sto %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest with the original key %%~S"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest with the changed key"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg sha1 -if policies/aaa -os sig.bin -pwdk xxx > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the auth session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo ""
+echo "Object Change Auth with password from file"
+echo ""
+
+echo "Load the decryption key under the primary key 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr derrsa2048priv.bin -ipu derrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Generate a random password"
+%TPM_EXE_PATH%getrandom -by 16 -ns -nz -of tmppwd.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Object change auth, change password"
+%TPM_EXE_PATH%objectchangeauth -hp 80000000 -ho 80000001 -pwdo dec -ipwdn tmppwd.bin -opr tmppriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the decryption key with the changed auth 800000002"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipr tmppriv.bin -ipu derrsa2048pub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Encrypt the message"
+%TPM_EXE_PATH%rsaencrypt -hk 80000002 -id policies/aaa -oe tmpenc.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Decrypt the message"
+%TPM_EXE_PATH%rsadecrypt -hk 80000002 -ipwdk tmppwd.bin -ie tmpenc.bin -od tmpdec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Compare the result"
+tail --bytes=3 tmpdec.bin > tmp.bin
+diff policies/aaa tmp.bin
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the keypair 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the keypair 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM cleanup
+
+rm tmppwd.bin
+rm tmpenc.bin
+rm tmpdec.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+
+REM flushcontext -ha 80000001
+REM flushcontext -ha 80000002
+REM flushcontext -ha 02000000
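Review bot: The echo before the reload of the re-authed decryption key reads `"...changed auth 800000002"`, one zero too many for the handle the following `load` produces (80000002); the same typo is in testchangeauth.sh. The cleanup block removes tmppwd.bin, tmpenc.bin and tmpdec.bin but leaves tmp.bin from the `tail`/`diff` compare step behind; `rm tmp.bin` alongside them would match. The `tail --bytes=3`, `diff` and `rm` calls assume a Unix toolset on the PATH rather than native cmd.exe tools, which appears to be how this suite is run on Windows, but a `REM` stating that requirement at the top would save a confusing failure on a bare machine.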
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.sh
new file mode 100755
index 0000000..303b318
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeauth.sh
@@ -0,0 +1,144 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Object Change Auth"
+echo ""
+
+for BIND in "" "-bi 80000001 -pwdb sig"
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Load the signing key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start an HMAC session ${BIND}"
+ ${PREFIX}startauthsession -se h ${BIND} > run.out
+ checkSuccess $?
+
+ echo "Object change auth, change password to xxx ${SESS}"
+ ${PREFIX}objectchangeauth -ho 80000001 -pwdo sig -pwdn xxx -hp 80000000 -opr tmppriv.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Load the signing key with the changed auth ${SESS}"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu signrsa2048pub.bin -pwdp sto ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with the original key ${SESS}"
+ ${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with the changed key"
+ ${PREFIX}sign -hk 80000002 -halg sha1 -if policies/aaa -os sig.bin -pwdk xxx > run.out
+ checkSuccess $?
+
+ echo "Flush the key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the auth session"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo ""
+echo "Object Change Auth with password from file"
+echo ""
+
+echo "Load the decryption key under the primary key 80000001"
+${PREFIX}load -hp 80000000 -ipr derrsa2048priv.bin -ipu derrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Generate a random password"
+RANDOM_PASSWORD=`${PREFIX}getrandom -by 16 -ns -nz -of tmppwd.bin`
+echo " INFO: Random password ${RANDOM_PASSWORD}"
+
+echo "Object change auth, change password to ${RANDOM_PASSWORD}"
+${PREFIX}objectchangeauth -hp 80000000 -ho 80000001 -pwdo dec -ipwdn tmppwd.bin -opr tmppriv.bin > run.out
+checkSuccess $?
+
+echo "Load the decryption key with the changed auth 800000002"
+${PREFIX}load -hp 80000000 -pwdp sto -ipr tmppriv.bin -ipu derrsa2048pub.bin > run.out
+checkSuccess $?
+
+echo "Encrypt the message"
+${PREFIX}rsaencrypt -hk 80000002 -id policies/aaa -oe tmpenc.bin > run.out
+checkSuccess $?
+
+echo "Decrypt the message"
+${PREFIX}rsadecrypt -hk 80000002 -ipwdk tmppwd.bin -ie tmpenc.bin -od tmpdec.bin > run.out
+checkSuccess $?
+
+echo "Compare the result"
+tail -c 3 tmpdec.bin > tmp.bin
+diff policies/aaa tmp.bin
+checkSuccess $?
+
+echo "Flush the keypair 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the keypair 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+# cleanup
+
+rm -f tmppwd.bin
+rm -f tmpenc.bin
+rm -f tmpdec.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+
+# ${PREFIX}flushcontext -ha 80000001
+# ${PREFIX}flushcontext -ha 80000002
+# ${PREFIX}flushcontext -ha 02000000
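Review bot: The `getrandom` that writes tmppwd.bin is captured in backticks and its exit status is never checked, unlike the .bat variant which tests ERRORLEVEL after the same step; if it fails, the error only surfaces later at `objectchangeauth` with a misleading message. Adding `checkSuccess $?` on the line after the assignment works, since `$?` after a plain assignment with a command substitution is the substituted command's status. The following INFO echo writes the generated auth value into the run log; it is a throwaway test value, so a short comment such as `# test-only auth value, echoed for debugging` would pre-empt questions from anyone scanning logs for leaked secrets. As in the .bat version, tmp.bin from the compare step is not removed by the cleanup block.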
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.bat
new file mode 100644
index 0000000..22d5e79
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.bat
@@ -0,0 +1,208 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testchangeseed.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015-2018 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Change PPS"
+echo ""
+
+echo "Flush the primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change STO, no password"
+%TPM_EXE_PATH%changepps > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change PPS, bad password"
+%TPM_EXE_PATH%changepps > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Change PPS, good password"
+%TPM_EXE_PATH%changepps -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key - platform hierarchy"
+%TPM_EXE_PATH%createprimary -hi p -pwdk 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change PPS - flushes primary key"
+%TPM_EXE_PATH%changepps > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the flushed primary key, should fail"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a different primary key - new PPS"
+%TPM_EXE_PATH%createprimary -hi p -pwdk 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the new primary key, should fail"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+
+echo ""
+echo "Change EPS"
+echo ""
+
+echo "Flush the primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change EPS, no password"
+%TPM_EXE_PATH%changeeps > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key - endorsement hierarchy"
+%TPM_EXE_PATH%createprimary -hi e -pwdk 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change EPS, no password"
+%TPM_EXE_PATH%changeeps > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the flushed primary key, should fail"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a different primary key - new EPS"
+%TPM_EXE_PATH%createprimary -hi e -pwdk 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the new primary key, should fail"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the new primary key"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the new primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+
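Review bot: The echo before the first `changepps` reads `"Change STO, no password"` but the command changes the PPS; `echo "Change PPS, no password"` matches both the command and the section title. The next expected-failure case is labelled `"Change PPS, bad password"` although no `-pwda` is passed at all, so the failure being exercised is the omission of the now-set platform auth; `echo "Change PPS, no password - should fail"` describes that, and the `EQU 0` check itself is correct. Both labels only affect run.out wording, not the pass/fail logic.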
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.sh
new file mode 100755
index 0000000..22ec2dc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testchangeseed.sh
@@ -0,0 +1,157 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testchangeseed.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Change PPS"
+echo ""
+
+echo "Flush the primary key"
+${PREFIX}flushcontext -ha 80000000 > run.out
+checkSuccess $?
+
+echo "Change PPS, no password"
+${PREFIX}changepps > run.out
+checkSuccess $?
+
+echo "Set platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Change PPS, bad password"
+${PREFIX}changepps > run.out
+checkFailure $?
+
+echo "Change PPS, good password"
+${PREFIX}changepps -pwda ppp > run.out
+checkSuccess $?
+
+echo "Clear platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Create a primary key - platform hierarchy"
+${PREFIX}createprimary -hi p -pwdk 111 > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkSuccess $?
+
+echo "Change PPS - flushes primary key"
+${PREFIX}changepps > run.out
+checkSuccess $?
+
+echo "Load the storage key under the flushed primary key, should fail"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkFailure $?
+
+echo "Create a different primary key - new PPS"
+${PREFIX}createprimary -hi p -pwdk 111 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the new primary key, should fail"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkFailure $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+
+echo ""
+echo "Change EPS"
+echo ""
+
+echo "Flush the primary key"
+${PREFIX}flushcontext -ha 80000000 > run.out
+checkSuccess $?
+
+echo "Change EPS, no password"
+${PREFIX}changeeps > run.out
+checkSuccess $?
+
+echo "Create a primary key - endorsement hierarchy"
+${PREFIX}createprimary -hi e -pwdk 111 > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkSuccess $?
+
+echo "Change EPS, no password"
+${PREFIX}changeeps > run.out
+checkSuccess $?
+
+echo "Load the storage key under the flushed primary key, should fail"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkFailure $?
+
+echo "Create a different primary key - new EPS"
+${PREFIX}createprimary -hi e -pwdk 111 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the new primary key, should fail"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkFailure $?
+
+echo "Create a storage key under the new primary key"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp 111 -pwdk 222 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the new primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp 111 > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+
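Review bot: The "Change PPS, bad password" step runs `${PREFIX}changepps` with no `-pwda` at all, so once platform auth has been set to ppp it exercises the missing-authorization path rather than a wrong password; `${PREFIX}changepps -pwda xxx > run.out` (xxx being any value other than ppp) would test what the label claims, or the label should say "no password". Note also that changepps/changeeps regenerate the platform and endorsement primary seeds, which on a hardware TPM permanently invalidates every key under those hierarchies and any vendor-issued EK certificate, so a header comment such as `# Destructive: changepps/changeeps regenerate hierarchy seeds - run only against the TPM simulator` would spare a reader an expensive surprise. The script also leaves tmppriv.bin and tmppub.bin behind where sibling scripts in this series `rm -f` their scratch files.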
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.bat
new file mode 100644
index 0000000..b9aa750
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.bat
@@ -0,0 +1,104 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testclocks.bat 1292 2018-08-01 17:27:24Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2018 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Clocks"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Read Clock"
+ %TPM_EXE_PATH%readclock -oclock tmpclk.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Clock set, time 0 %%~S - should fail"
+ %TPM_EXE_PATH%clockset -iclock tmpclk.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Clock set, time plus 20 sec %%~S"
+ %TPM_EXE_PATH%clockset -iclock tmpclk.bin -addsec 20 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%A in (-3 0 3) do (
+
+ echo "Clock rate adjust %%A %%~S"
+ %TPM_EXE_PATH%clockrateadjust -adj %%A %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+ for %%A in (-4 4) do (
+
+ echo "Clock rate adjust %%A %%~S - should fail"
+ %TPM_EXE_PATH%clockrateadjust -adj %%A %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -f tmpclk.bin
+
+exit /B 0
+
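Review bot: `rm -f tmpclk.bin` near the end is not a cmd.exe command, so unless the Windows test environment is known to put a Unix `rm` on PATH the cleanup silently fails (the script does not check its result); `del /f /q tmpclk.bin` is the native equivalent. The same dependency appears in testcreateloaded.bat, which additionally relies on `diff` for the derived-key comparison and exits with an error if that tool is absent, turning a tooling gap into a spurious test failure. The cleanup is also skipped on every `exit /B 1` path, which is consistent with the rest of the series but worth a one-line REM so a reader knows stray tmpclk.bin files after a failed run are expected.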
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.sh
new file mode 100755
index 0000000..4f58a7e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testclocks.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testclocks.sh 1115 2017-12-13 23:35:20Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015, 2016 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Clocks"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "Read Clock"
+ ${PREFIX}readclock -oclock tmpclk.bin > run.out
+ checkSuccess $?
+
+ echo "Clock set, current time ${SESS} - should fail"
+ ${PREFIX}clockset -iclock tmpclk.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "Clock set, time plus 20 sec ${SESS}"
+ ${PREFIX}clockset -iclock tmpclk.bin -addsec 20 ${SESS} > run.out
+ checkSuccess $?
+
+ for ADJ in -3 0 3
+ do
+
+ echo "Clock rate adjust ${ADJ} ${SESS}"
+ ${PREFIX}clockrateadjust -adj ${ADJ} ${SESS} > run.out
+ checkSuccess $?
+
+ done
+
+ for ADJ in -4 4
+ do
+
+ echo "Clock rate adjust ${ADJ} ${SESS} - should fail"
+ ${PREFIX}clockrateadjust -adj ${ADJ} ${SESS} > run.out
+ checkFailure $?
+
+ done
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+rm -f tmpclk.bin
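Review bot: `checkSuccess`, `checkFailure` and `PREFIX` are not defined in this file, yet the `#!/bin/bash` shebang and executable mode suggest it can be run on its own; invoked directly it would produce "command not found" at the first check instead of a meaningful result, since nothing here sets `-e`. The script is presumably sourced by a regression driver that supplies those names, and a header comment such as `# Sourced by the regression driver: expects PREFIX, checkSuccess and checkFailure to be defined` would make that contract explicit; the same applies to the sibling .sh scripts in this series.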
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.bat
new file mode 100644
index 0000000..8b672b6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.bat
@@ -0,0 +1,237 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Basic Context"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if msg.bin -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save context for the key"
+%TPM_EXE_PATH%contextsave -ha 80000001 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign to verify that the original key is not flushed"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the original key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign with original key - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Load context"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign with the loaded context"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save context for the session"
+%TPM_EXE_PATH%contextsave -ha 02000000 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign with the saved session context - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Load context for the session"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign with the saved session context"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the loaded context"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Context Public Key for Salt"
+echo ""
+
+echo "Load the storage key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save context for the storage key at 80000001"
+%TPM_EXE_PATH%contextsave -ha 80000001 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load context at 80000002"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the original key at 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session at 02000000 using the storage key 80000002 salt"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key at 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the salt key at 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Context Primary Key"
+echo ""
+
+echo "Save context for the primary key at 80000000"
+%TPM_EXE_PATH%contextsave -ha 80000000 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load context primary key at 80000001"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key at 80000002 under the primary key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key at 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key at 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
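Review bot: The step labelled "Load the signing key at 80000002 under the primary key at 80000001" passes `-hp 80000000`, so it loads under the original primary and never exercises the context-loaded primary copy at 80000001, which is the point of the "Context Primary Key" section; the command should be `%TPM_EXE_PATH%load -hp 80000001 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out` (the restored context carries the same auth). Without that change the only thing the section proves about the restored primary is that it can be flushed. testcontext.sh has the identical mismatch in its "Context Primary Key" section.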
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.sh
new file mode 100755
index 0000000..f640d77
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testcontext.sh
@@ -0,0 +1,182 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Context"
+echo ""
+
+echo ""
+echo "Basic Context"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -halg sha256 -if msg.bin -is sig.bin > run.out
+checkSuccess $?
+
+echo "Save context for the key"
+${PREFIX}contextsave -ha 80000001 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Sign to verify that the original key is not flushed"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Flush the original key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Sign with original key - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Load context"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Sign with the loaded context"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Save context for the session"
+${PREFIX}contextsave -ha 02000000 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Sign with the saved session context - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Load context for the session"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Sign with the saved session context"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Flush the loaded context"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Context Public Key for Salt"
+echo ""
+
+echo "Load the storage key at 80000001"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Save context for the storage key at 80000001"
+${PREFIX}contextsave -ha 80000001 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Load context at 80000002"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the original key at 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session at 02000000 using the storage key 80000002 salt"
+${PREFIX}startauthsession -se h -hs 80000002 > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key at 80000001"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the signing key at 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the salt key at 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo ""
+echo "Context Primary Key"
+echo ""
+
+echo "Save context for the primary key at 80000000"
+${PREFIX}contextsave -ha 80000000 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Load context primary key at 80000001"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key at 80000002 under the primary key at 80000001"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the signing key at 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary key at 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
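Review bot: The script never removes tmp.bin, which by the end holds the saved context of the primary key, whereas sibling scripts in this series `rm -f` their scratch files; adding `rm -f tmp.bin` after the final flush keeps the working directory consistent between runs (a saved-context blob is bound to the TPM and useless elsewhere, so this is hygiene rather than secrecy). The two blank lines before the trailing comments look like leftovers and could go at the same time.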
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.bat
new file mode 100644
index 0000000..b03400a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.bat
@@ -0,0 +1,299 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2019 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "CreateLoaded"
+echo ""
+
+echo ""
+echo "CreateLoaded Primary Key, Hierarchy Parent"
+echo ""
+
+for %%H in ("40000001" "4000000c" "4000000b") do (
+
+ echo "CreateLoaded primary key, parent %%~H"
+ %TPM_EXE_PATH%createloaded -hp %%~H -st -kt f -kt p -pwdk ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a storage key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the storage key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the storage key under the primary key - should fail"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "CreateLoaded recreate owner primary key"
+ %TPM_EXE_PATH%createloaded -hp %%~H -st -kt f -kt p -pwdk ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the storage key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "CreateLoaded Child Key, Primary Parent"
+echo ""
+
+echo "CreateLoaded child storage key at 80000001, parent 80000000"
+%TPM_EXE_PATH%createloaded -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk ppp -opu tmpppub.bin -opr tmpppriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key under the child storage key 80000001"
+%TPM_EXE_PATH%create -hp 80000001 -si -opr tmppriv.bin -opu tmppub.bin -pwdp ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key at 80000002 under the child storage key 80000001"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the child storage key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the child signing key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reload the createloaded child storage key at 80000001, parent 80000000"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpppriv.bin -ipu tmpppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reload the child signing key at 80000002 under the child storage key 80000001"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the child storage key 80000002 "
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the child signing key 80000001 "
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "CreateLoaded Primary Derived Key, Hierarchy Parent"
+echo ""
+
+for %%H in ("e" "o" "p") do (
+
+ echo "Create a primary %%~H derivation parent 80000001"
+ %TPM_EXE_PATH%createprimary -hi %%~H -dp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a derived key 80000002"
+ %TPM_EXE_PATH%createloaded -hp 80000001 -der -ecc bnp256 -den -kt f -kt p -opu tmppub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the derived key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a derived key 80000002"
+ %TPM_EXE_PATH%createloaded -hp 80000001 -der -ecc bnp256 -den -kt f -kt p -opu tmppub1.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the derived key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify that the two derived keys are the same"
+ diff tmppub.bin tmppub1.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the derivation parent"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "CreateLoaded Child Derived Key, Primary Parent"
+echo ""
+
+echo "Create a derivation parent under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -dp -opr tmpdppriv.bin -opu tmpdppub.bin -pwdp sto -pwdk dp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the derivation parent to 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpdppriv.bin -ipu tmpdppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create an EC signing key under the derivation parent key"
+%TPM_EXE_PATH%createloaded -hp 80000001 -der -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -opem tmppub.pem -pwdp dp -ecc nistp256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -salg ecc -if policies/aaa -os sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the ECC signature using the TPM"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -ecc -if policies/aaa -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature using PEM"
+%TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg sha256 -if policies/aaa -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create another EC signing key 80000002 under the derivation parent key"
+%TPM_EXE_PATH%createloaded -hp 80000001 -der -si -kt f -kt p -opr tmppriv1.bin -opu tmppub1.bin -opem tmppub1.pem -pwdp dp -ecc nistp256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify that the two derived keys are the same"
+diff tmppub.bin tmppub1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the derivation parent"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -f tmpdppriv.bin
+rm -f tmpdppub.bin
+rm -f tmpppriv.bin
+rm -f tmpppub.bin
+rm -f tmppub.pem
+rm -f tmppriv1.bin
+rm -f tmppub1.bin
+rm -f tmppub1.pem
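Review bot: In the "CreateLoaded Child Key, Primary Parent" section the two flush labels are swapped: the command after "Flush the child storage key 80000002" flushes the signing key, which the preceding load step placed at 80000002, and the one after "Flush the child signing key 80000001" flushes the child storage key at 80000001; the same pair is repeated after the reload steps. The commands are correct, so only the echo strings need exchanging, e.g. `echo "Flush the child signing key 80000002"` followed by `echo "Flush the child storage key 80000001"`. Similarly, "CreateLoaded recreate owner primary key" runs for all three hierarchies in the loop and would read better as `echo "CreateLoaded recreate primary key, parent %%~H"`.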
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.sh
new file mode 100755
index 0000000..99d3753
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testcreateloaded.sh
@@ -0,0 +1,231 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "CreateLoaded"
+echo ""
+
+echo ""
+echo "CreateLoaded Primary Key, Hierarchy Parent"
+echo ""
+
+for HIER in "40000001" "4000000c" "4000000b"
+do
+
+ echo "CreateLoaded primary key, parent ${HIER}"
+ ${PREFIX}createloaded -hp ${HIER} -st -kt f -kt p -pwdk ppp > run.out
+ checkSuccess $?
+
+ echo "Create a storage key under the primary key"
+ ${PREFIX}create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp ppp > run.out
+ checkSuccess $?
+
+ echo "Load the storage key under the primary key"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the primary storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Load the storage key under the primary key - should fail"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ checkFailure $?
+
+ echo "CreateLoaded recreate owner primary key"
+ ${PREFIX}createloaded -hp ${HIER} -st -kt f -kt p -pwdk ppp > run.out
+ checkSuccess $?
+
+ echo "Load the storage key under the primary key"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the primary storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "CreateLoaded Child Key, Primary Parent"
+echo ""
+
+echo "CreateLoaded child storage key at 80000001, parent 80000000"
+${PREFIX}createloaded -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk ppp -opu tmpppub.bin -opr tmpppriv.bin > run.out
+checkSuccess $?
+
+echo "Create a signing key under the child storage key 80000001"
+${PREFIX}create -hp 80000001 -si -opr tmppriv.bin -opu tmppub.bin -pwdp ppp > run.out
+checkSuccess $?
+
+echo "Load the signing key at 80000002 under the child storage key 80000001"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+checkSuccess $?
+
+echo "Flush the child storage key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the child signing key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Reload the createloaded child storage key at 80000001, parent 80000000"
+${PREFIX}load -hp 80000000 -ipr tmpppriv.bin -ipu tmpppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Reload the child signing key at 80000002 under the child storage key 80000001"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp ppp > run.out
+checkSuccess $?
+
+echo "Flush the child storage key 80000002 "
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the child signing key 80000001 "
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "CreateLoaded Primary Derived Key, Hierarchy Parent"
+echo ""
+
+for HIER in "e" "o" "p"
+do
+
+ echo "Create a primary ${HIER} derivation parent 80000001"
+ ${PREFIX}createprimary -hi ${HIER} -dp > run.out
+ checkSuccess $?
+
+ echo "Create a derived key 80000002"
+ ${PREFIX}createloaded -hp 80000001 -der -ecc bnp256 -den -kt f -kt p -opu tmppub.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the derived key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Create a derived key 80000002"
+ ${PREFIX}createloaded -hp 80000001 -der -ecc bnp256 -den -kt f -kt p -opu tmppub1.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the derived key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Verify that the two derived keys are the same"
+ diff tmppub.bin tmppub1.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the derivation parent"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "CreateLoaded Child Derived Key, Primary Parent"
+echo ""
+
+echo "Create a derivation parent under the primary key"
+${PREFIX}create -hp 80000000 -dp -opr tmpdppriv.bin -opu tmpdppub.bin -pwdp sto -pwdk dp > run.out
+checkSuccess $?
+
+echo "Load the derivation parent to 80000001"
+${PREFIX}load -hp 80000000 -ipr tmpdppriv.bin -ipu tmpdppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Create an EC signing key 80000002 under the derivation parent key"
+${PREFIX}createloaded -hp 80000001 -der -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -opem tmppub.pem -pwdp dp -ecc nistp256 > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -halg sha256 -salg ecc -if policies/aaa -os sig.bin > run.out
+checkSuccess $?
+
+echo "Verify the ECC signature using the TPM"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -ecc -if policies/aaa -is sig.bin > run.out
+checkSuccess $?
+
+echo "Verify the signature using PEM"
+${PREFIX}verifysignature -ipem tmppub.pem -halg sha256 -if policies/aaa -is sig.bin > run.out
+checkSuccess $?
+
+echo "Flush the signing key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Create another EC signing key 80000002 under the derivation parent key"
+${PREFIX}createloaded -hp 80000001 -der -si -kt f -kt p -opr tmppriv1.bin -opu tmppub1.bin -opem tmppub1.pem -pwdp dp -ecc nistp256 > run.out
+checkSuccess $?
+
+echo "Verify that the two derived keys are the same"
+diff tmppub.bin tmppub1.bin > run.out
+checkSuccess $?
+
+echo "Flush the signing key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the derivation parent"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+rm -f tmpppriv.bin
+rm -f tmpppub.bin
+rm -f tmpppub1.bin
+rm -f tmpppub.pem
+rm -f tmppub.pem
+rm -f tmppub1.pem
+rm -f tmppriv.bin
+rm -f tmppriv1.bin
+rm -f tmppub1.bin
+rm -f tmpdppriv.bin
+rm -f tmpdppub.bin
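Review bot: The echo labels in the "Child Key, Primary Parent" section are swapped relative to the handles they flush: `echo "Flush the child storage key 80000002"` precedes the flush of 80000002, which is the signing key loaded under the storage key at 80000001, and `echo "Flush the child signing key 80000001"` precedes the flush of the storage key; the same pair recurs after the reload. They should read `echo "Flush the child signing key 80000002"` and `echo "Flush the child storage key 80000001"` so a failing run.out points at the right object. The cleanup list at the end removes tmpppub1.bin and tmpppub.pem, which nothing in this script writes, but leaves tmppub.bin, which create and createloaded write in several places; adding `rm -f tmppub.bin` keeps the test key's public blob from lingering in the working directory. sig.bin is likewise written by the sign step and not removed here, though another script in the suite may own its cleanup.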
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.bat
new file mode 100644
index 0000000..c65e965
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.bat
@@ -0,0 +1,504 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+REM
+REM # primary key 80000000
+REM # storage key 80000001
+REM # signing key 80000002test
+REM # policy session 03000000
+REM # e5 87 c1 1a b5 0f 9d 87 30 f7 21 e3 fe a4 2b 46
+REM # c0 45 5b 24 6f 96 ae e8 5d 18 eb 3b e6 4d 66 6a
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Credential"
+echo ""
+
+echo "Use a random number as the credential input"
+%TPM_EXE_PATH%getrandom -by 32 -of tmpcredin.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key under the primary key, 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a restricted signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -sir -kt f -kt p -opr tmprpriv.bin -opu tmprpub.bin -pwdp sto -pwdk sig -pol policies/policyccactivate.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key, 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmprpriv.bin -ipu tmprpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Encrypt the credential using makecredential"
+%TPM_EXE_PATH%makecredential -ha 80000001 -icred tmpcredin.bin -in h80000002.bin -ocred tmpcredenc.bin -os tmpsecret.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - activatecredential"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 00000147 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Activate credential"
+%TPM_EXE_PATH%activatecredential -ha 80000002 -hk 80000001 -icred tmpcredenc.bin -is tmpsecret.bin -pwdk sto -ocred tmpcreddec.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Check the decrypted result"
+diff tmpcredin.bin tmpcreddec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "EK Certificate"
+echo ""
+
+echo "Set platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%A in (rsa ecc) do (
+
+ echo "Create an %%A EK certificate"
+ %TPM_EXE_PATH%createekcert -alg %%A -cakey cakey.pem -capwd rrrr -pwdp ppp -of tmp.der > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the %%A EK certificate"
+ %TPM_EXE_PATH%createek -alg %%A -ce > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the %%A template - should fail"
+ %TPM_EXE_PATH%createek -alg %%A -te > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Read the %%A nonce - should fail"
+ %TPM_EXE_PATH%createek -alg %%A -no > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "CreatePrimary and validate the %%A EK against the EK certificate"
+ %TPM_EXE_PATH%createek -alg %%A -cp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Validate the %%A EK certificate against the root"
+ %TPM_EXE_PATH%createek -alg %%A -root certificates/rootcerts.windows.txt > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Clear platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "EK Policies using optional policy in NV"
+echo ""
+
+REM # Section B.8.2 Computing PolicyA - the standard IWG PolicySecret with endorsement auth
+REM # policyiwgek.txt
+REM # 000001514000000B
+REM # (blank line for policyRef)
+REM #
+REM # policymaker -if policies/policyiwgek.txt -ns -halg sha256 -of policies/policyiwgeksha256.bin
+REM # policymaker -if policies/policyiwgek.txt -ns -halg sha384 -of policies/policyiwgeksha384.bin
+REM # policymaker -if policies/policyiwgek.txt -ns -halg sha512 -of policies/policyiwgeksha512.bin
+REM
+REM # 837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa
+REM # 8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53
+REM # 1e3b76502c8a1425aa0b7b3fc646a1b0fae063b03b5368f9c4cddecaff0891dd682bac1a85d4d832b781ea451915de5fc5bf0dc4a1917cd42fa041e3f998e0ee
+REM
+REM # Section B.8.3 Computing Policy Index Names - attributes 220F1008
+REM
+REM # For test, put PolicySecret + platform auth in NV Index. This is NOT the IWG standard, just for test.
+REM
+REM # for prepending the hash algorithm identifier to make the TPMT_HA structure
+REM # printf "%b" '\x00\x0b' > policies/sha256.bin
+REM # printf "%b" '\x00\x0c' > policies/sha384.bin
+REM # printf "%b" '\x00\x0d' > policies/sha512.bin
+REM
+REM # policymaker -if policies/policysecretp.txt -halg sha256 -pr -of policies/policysecretpsha256.bin -pr
+REM # policymaker -if policies/policysecretp.txt -halg sha384 -pr -of policies/policysecretpsha384.bin -pr
+REM # policymaker -if policies/policysecretp.txt -halg sha512 -pr -of policies/policysecretpsha512.bin -pr
+REM
+REM # prepend the algorithm identifiers
+REM # cat policies/sha256.bin policies/policysecretpsha256.bin >! policies/policysecretpsha256ha.bin
+REM # cat policies/sha384.bin policies/policysecretpsha384.bin >! policies/policysecretpsha384ha.bin
+REM # cat policies/sha512.bin policies/policysecretpsha512.bin >! policies/policysecretpsha512ha.bin
+REM
+REM # NV Index Name calculation
+REM
+
+set HALG=sha256 sha384 sha512
+set IDX=01c07f01 01c07f02 01c07f03
+set SIZ=34 50 66
+REM # algorithms from Algorithm Registry
+set HBIN=000b 000c 000d
+REM # Name from Table 14: Policy Index Names
+set NVNAME=000b0c9d717e9c3fe69fda41769450bb145957f8b3610e084dbf65591a5d11ecd83f 000cdb62fca346612c976732ff4e8621fb4e858be82586486504f7d02e621f8d7d61ae32cfc60c4d120609ed6768afcf090c 000d1c47c0bbcbd3cf7d7cae6987d31937c171015dde3b7f0d3c869bca1f7e8a223b9acfadb49b7c9cf14d450f41e9327de34d9291eece2c58ab1dc10e9059cce560
+)
+
+set j=0
+for %%h in (!HALG!) do set /A j+=1 & set HALG[!j!]=%%h
+set j=0
+for %%i in (!IDX!) do set /A j+=1 & set IDX[!j!]=%%i
+set j=0
+for %%z in (!SIZ!) do set /A j+=1 & set SIZ[!j!]=%%z
+set j=0
+for %%b in (!HBIN!) do set /A j+=1 & set HBIN[!j!]=%%b
+set j=0
+for %%n in (!NVNAME!) do set /A j+=1 & set NVNAME[!j!]=%%n
+set L=!j!
+
+for /L %%j in (1,1,!L!) do (
+
+ echo "Undefine optional !HALG[%%j]! NV index !IDX[%%j]!"
+ %TPM_EXE_PATH%nvundefinespace -ha !IDX[%%j]! -hi o > run.out
+
+ echo "Define optional !HALG[%%j]! NV index !IDX[%%j]! size !SIZ[%%j]! with PolicySecret for TPM_RH_ENDORSEMENT"
+ %TPM_EXE_PATH%nvdefinespace -ha !IDX[%%j]! -nalg !HALG[%%j]! -hi o -pol policies/policyiwgek!HALG[%%j]!.bin -sz !SIZ[%%j]! +at wa +at or +at ppr +at ar -at aw > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a !HALG[%%j]! policy session"
+ %TPM_EXE_PATH%startauthsession -se p -halg !HALG[%%j]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Satisfy the policy"
+ %TPM_EXE_PATH%policysecret -hs 03000000 -ha 4000000B > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Write the !HALG[%%j]! index !IDX[%%j]! to set the written bit before reading the Name"
+ %TPM_EXE_PATH%nvwrite -ha !IDX[%%j]! -if policies/policysecretp!HALG[%%j]!ha.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the !HALG[%%j]! Name"
+ %TPM_EXE_PATH%nvreadpublic -ha !IDX[%%j]! -ns > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the !HALG[%%j]! !HBIN[%%j]! Name"
+ grep !HBIN[%%j]! run.out > tmp.txt
+ grep -v nvreadpublic tmp.txt > tmpactual.txt
+ echo !NVNAME[%%j]! > tmpexpect.txt
+ diff -w tmpactual.txt tmpexpect.txt > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+REM # B.8.4 Computing PolicyC - TPM_CC_PolicyAuthorizeNV || nvIndex->Name)
+REM
+REM # policyiwgekcsha256.txt
+REM # 00000192000b0c9d717e9c3fe69fda41769450bb145957f8b3610e084dbf65591a5d11ecd83f
+REM
+REM # policyiwgekcsha384.txt
+REM # 00000192000cdb62fca346612c976732ff4e8621fb4e858be82586486504f7d02e621f8d7d61ae32cfc60c4d120609ed6768afcf090c
+REM
+REM # policyiwgekcsha512.txt
+REM # 00000192000d1c47c0bbcbd3cf7d7cae6987d31937c171015dde3b7f0d3c869bca1f7e8a223b9acfadb49b7c9cf14d450f41e9327de34d9291eece2c58ab1dc10e9059cce560
+REM
+REM # policymaker -if policies/policyiwgekcsha256.txt -ns -halg sha256 -pr -of policies/policyiwgekcsha256.bin
+REM # 3767e2edd43ff45a3a7e1eaefcef78643dca964632e7aad82c673a30d8633fde
+REM
+REM # policymaker -if policies/policyiwgekcsha384.txt -ns -halg sha384 -pr -of policies/policyiwgekcsha384.bin
+REM # d6032ce61f2fb3c240eb3cf6a33237ef2b6a16f4293c22b455e261cffd217ad5b4947c2d73e63005eed2dc2b3593d165
+REM
+REM # policymaker -if policies/policyiwgekcsha512.txt -ns -halg sha512 -pr -of policies/policyiwgekcsha512.bin
+REM # 589ee1e146544716e8deafe6db247b01b81e9f9c7dd16b814aa159138749105fba5388dd1dea702f35240c184933121e2c61b8f50d3ef91393a49a38c3f73fc8
+REM
+REM # B.8.5 Computing PolicyB - TPM_CC_PolicyOR || digests
+REM
+REM # policyiwgekbsha256.txt
+REM # 00000171
+REM # 837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa
+REM # 3767e2edd43ff45a3a7e1eaefcef78643dca964632e7aad82c673a30d8633fde
+REM # policymaker -if policies/policyiwgekbsha256.txt -halg sha256 -pr -of policies/policyiwgekbsha256.bin
+REM # ca 3d 0a 99 a2 b9 39 06 f7 a3 34 24 14 ef cf b3
+REM # a3 85 d4 4c d1 fd 45 90 89 d1 9b 50 71 c0 b7 a0
+REM
+REM # policyiwgekbsha384.txt
+REM # 00000171
+REM # 8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53
+REM # d6032ce61f2fb3c240eb3cf6a33237ef2b6a16f4293c22b455e261cffd217ad5b4947c2d73e63005eed2dc2b3593d165
+REM # policymaker -if policies/policyiwgekbsha384.txt -halg sha384 -pr -of policies/policyiwgekbsha384.bin
+REM # b2 6e 7d 28 d1 1a 50 bc 53 d8 82 bc f5 fd 3a 1a
+REM # 07 41 48 bb 35 d3 b4 e4 cb 1c 0a d9 bd e4 19 ca
+REM # cb 47 ba 09 69 96 46 15 0f 9f c0 00 f3 f8 0e 12
+REM
+REM # policyiwgekbsha512.txt
+REM # 00000171
+REM # 1e3b76502c8a1425aa0b7b3fc646a1b0fae063b03b5368f9c4cddecaff0891dd682bac1a85d4d832b781ea451915de5fc5bf0dc4a1917cd42fa041e3f998e0ee
+REM # 589ee1e146544716e8deafe6db247b01b81e9f9c7dd16b814aa159138749105fba5388dd1dea702f35240c184933121e2c61b8f50d3ef91393a49a38c3f73fc8
+REM # policymaker -if policies/policyiwgekbsha512.txt -halg sha512 -pr -of policies/policyiwgekbsha512.bin
+REM # b8 22 1c a6 9e 85 50 a4 91 4d e3 fa a6 a1 8c 07
+REM # 2c c0 12 08 07 3a 92 8d 5d 66 d5 9e f7 9e 49 a4
+REM # 29 c4 1a 6b 26 95 71 d5 7e db 25 fb db 18 38 42
+REM # 56 08 b4 13 cd 61 6a 5f 6d b5 b6 07 1a f9 9b ea
+
+echo ""
+echo "Test the EK policies"
+echo ""
+
+REM # Change endorsement and platform hierarchy passwords for testing
+
+echo "Change endorsement hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi e -pwdn eee
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for /L %%j in (1,1,!L!) do (
+
+ echo "Create an RSA primary key !HALG[%%j]! 80000001"
+ %TPM_EXE_PATH%createprimary -si -nalg !HALG[%%j]! -pwdk kkk -pol policies/policyiwgekb!HALG[%%j]!.bin -rsa 2048 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session !HALG[%%j]! 03000000"
+ %TPM_EXE_PATH%startauthsession -se p -halg !HALG[%%j]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Satisfy Policy A - Policy Secret with PWAP session and endorsement hierarchy auth"
+ %TPM_EXE_PATH%policysecret -ha 4000000b -hs 03000000 -pwde eee > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy OR !HALG[%%j]!"
+ %TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyiwgek!HALG[%%j]!.bin -if policies/policyiwgekc!HALG[%%j]!.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the !HALG[%%j]! session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy A"
+ %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy restart !HALG[%%j]! 03000000"
+ %TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Satisfy NV Index Policy - Policy Secret with PWAP session and platform hierarchy auth"
+ %TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the !HALG[%%j]! session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Satisfy Policy C - Policy Authorize NV"
+ %TPM_EXE_PATH%policyauthorizenv -ha !IDX[%%j]! -hs 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the !HALG[%%j]! session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy OR !HALG[%%j]!"
+ %TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyiwgek!HALG[%%j]!.bin -if policies/policyiwgekc!HALG[%%j]!.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get the !HALG[%%j]! session digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy A"
+ %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the policy session !HALG[%%j]! 03000000"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary key !HALG[%%j]! 80000001"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "Reset endorsement hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi e -pwda eee
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reset platform hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set L=!j!
+
+for /L %%j in (1,1,!L!) do (
+
+ echo "Undefine optional !HALG[%%j]! NV index !IDX[%%j]!"
+ %TPM_EXE_PATH%nvundefinespace -ha !IDX[%%j]! -hi o > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rm run.out
+rm sig.bin
+rm tmp.der
+rm tmpcreddec.bin
+rm tmpcredenc.bin
+rm tmpcredin.bin
+rm tmprpriv.bin
+rm tmprpub.bin
+rm tmpsecret.bin
+rm tmp.txt
+rm tmpactual.txt
+rm tmpexpect.txt
+
+
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 80000000
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 02000000
+
+exit /B 0
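Review bot: The stray `)` on its own line directly after the `set NVNAME=...` assignment closes no open block; cmd appears to tolerate it, but it reads like a lost `(` and should be removed. The second signing step in the EK-policy loop is labelled `echo "Sign a digest - policy A"` although at that point the session was satisfied via PolicySecret with platform auth plus PolicyAuthorizeNV, i.e. the policy C branch of the OR; it should be `echo "Sign a digest - policy C"` so the log distinguishes the two branches. The platform and endorsement hierarchy auths are changed to ppp/eee before the EK certificate and EK policy loops and only restored at the end, so any `exit /B 1` in between leaves the TPM or simulator with non-default hierarchy auths and later tests in the suite fail confusingly; a comment such as `REM # on failure, restore with hierarchychangeauth -hi e -pwda eee and -hi p -pwda ppp` would at least tell the operator how to recover. The four `hierarchychangeauth` invocations in the policy and cleanup sections also lack the `> run.out` redirection every other command uses, and the header comment `REM # signing key 80000002test` has a trailing "test" typo.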
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.sh
new file mode 100755
index 0000000..447e053
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testcredential.sh
@@ -0,0 +1,404 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# primary key 80000000
+# storage key 80000001
+# signing key 80000002
+# policy session 03000000
+# e5 87 c1 1a b5 0f 9d 87 30 f7 21 e3 fe a4 2b 46
+# c0 45 5b 24 6f 96 ae e8 5d 18 eb 3b e6 4d 66 6a
+
+echo ""
+echo "Make and Activate Credential"
+echo ""
+
+echo "Use a random number as the credential input"
+${PREFIX}getrandom -by 32 -of tmpcredin.bin > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key, 80000001"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Create a restricted signing key under the primary key"
+${PREFIX}create -hp 80000000 -sir -kt f -kt p -opr tmprpriv.bin -opu tmprpub.bin -pwdp sto -pwdk sig -pol policies/policyccactivate.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key, 80000002"
+${PREFIX}load -hp 80000000 -ipr tmprpriv.bin -ipu tmprpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Encrypt the credential using makecredential"
+${PREFIX}makecredential -ha 80000001 -icred tmpcredin.bin -in h80000002.bin -ocred tmpcredenc.bin -os tmpsecret.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy command code - activatecredential"
+${PREFIX}policycommandcode -ha 03000000 -cc 00000147 > run.out
+checkSuccess $?
+
+echo "Activate credential"
+${PREFIX}activatecredential -ha 80000002 -hk 80000001 -icred tmpcredenc.bin -is tmpsecret.bin -pwdk sto -ocred tmpcreddec.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Check the decrypted result"
+diff tmpcredin.bin tmpcreddec.bin > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo ""
+echo "EK Certificate"
+echo ""
+
+# The mbedtls port does not support EC certificate creation yet */
+
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+
+ echo "Set platform hierarchy auth"
+ ${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+ checkSuccess $?
+
+ for ALG in "rsa" "ecc"
+ do
+
+ echo "Create an ${ALG} EK certificate"
+ ${PREFIX}createekcert -alg ${ALG} -cakey cakey.pem -capwd rrrr -pwdp ppp -of tmp.der > run.out
+ checkSuccess $?
+
+ echo "Read the ${ALG} EK certificate"
+ ${PREFIX}createek -alg ${ALG} -ce > run.out
+ checkSuccess $?
+
+ echo "Read the ${ALG} template - should fail"
+ ${PREFIX}createek -alg ${ALG} -te > run.out
+ checkFailure $?
+
+ echo "Read the ${ALG} nonce - should fail"
+ ${PREFIX}createek -alg ${ALG} -no > run.out
+ checkFailure $?
+
+ echo "CreatePrimary and validate the ${ALG} EK against the EK certificate"
+ ${PREFIX}createek -alg ${ALG} -cp > run.out
+ checkSuccess $?
+
+ echo "Validate the ${ALG} EK certificate against the root"
+ ${PREFIX}createek -alg ${ALG} -root certificates/rootcerts.txt > run.out
+ checkSuccess $?
+
+ done
+
+ echo "Clear platform hierarchy auth"
+ ${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+ checkSuccess $?
+
+# openssl vs mbedtls
+fi
+
+echo ""
+echo "EK Policies using optional policy in NV"
+echo ""
+
+# Section B.8.2 Computing PolicyA - the standard IWG PolicySecret with endorsement auth
+# policyiwgek.txt
+# 000001514000000B
+# (blank line for policyRef)
+#
+# policymaker -if policies/policyiwgek.txt -ns -halg sha256 -of policies/policyiwgeksha256.bin
+# policymaker -if policies/policyiwgek.txt -ns -halg sha384 -of policies/policyiwgeksha384.bin
+# policymaker -if policies/policyiwgek.txt -ns -halg sha512 -of policies/policyiwgeksha512.bin
+
+# 837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa
+# 8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53
+# 1e3b76502c8a1425aa0b7b3fc646a1b0fae063b03b5368f9c4cddecaff0891dd682bac1a85d4d832b781ea451915de5fc5bf0dc4a1917cd42fa041e3f998e0ee
+
+# Section B.8.3 Computing Policy Index Names - attributes 220F1008
+
+# For test, put PolicySecret + platform auth in NV Index. This is NOT the IWG standard, just for test.
+
+# for prepending the hash algorithm identifier to make the TPMT_HA structure
+# printf "%b" '\x00\x0b' > policies/sha256.bin
+# printf "%b" '\x00\x0c' > policies/sha384.bin
+# printf "%b" '\x00\x0d' > policies/sha512.bin
+
+# policymaker -if policies/policysecretp.txt -halg sha256 -pr -of policies/policysecretpsha256.bin -pr
+# policymaker -if policies/policysecretp.txt -halg sha384 -pr -of policies/policysecretpsha384.bin -pr
+# policymaker -if policies/policysecretp.txt -halg sha512 -pr -of policies/policysecretpsha512.bin -pr
+
+# prepend the algorithm identifiers
+# cat policies/sha256.bin policies/policysecretpsha256.bin >! policies/policysecretpsha256ha.bin
+# cat policies/sha384.bin policies/policysecretpsha384.bin >! policies/policysecretpsha384ha.bin
+# cat policies/sha512.bin policies/policysecretpsha512.bin >! policies/policysecretpsha512ha.bin
+
+# NV Index Name calculation
+
+HALG=(sha256 sha384 sha512)
+IDX=(01c07f01 01c07f02 01c07f03)
+SIZ=(34 50 66)
+# algorithms from Algorithm Registry
+HBIN=(000b 000c 000d)
+# Name from Table 14: Policy Index Names
+NVNAME=(
+ 000b0c9d717e9c3fe69fda41769450bb145957f8b3610e084dbf65591a5d11ecd83f
+ 000cdb62fca346612c976732ff4e8621fb4e858be82586486504f7d02e621f8d7d61ae32cfc60c4d120609ed6768afcf090c
+ 000d1c47c0bbcbd3cf7d7cae6987d31937c171015dde3b7f0d3c869bca1f7e8a223b9acfadb49b7c9cf14d450f41e9327de34d9291eece2c58ab1dc10e9059cce560
+)
+
+for ((i = 0 ; i < 3; i++))
+do
+
+ echo "Undefine optional ${HALG[i]} NV index ${IDX[i]}"
+ ${PREFIX}nvundefinespace -ha ${IDX[i]} -hi o > run.out
+ echo " INFO:"
+
+ echo "Define optional ${HALG[i]} NV index ${IDX[i]} with PolicySecret for TPM_RH_ENDORSEMENT"
+ ${PREFIX}nvdefinespace -ha ${IDX[i]} -nalg ${HALG[i]} -hi o -pol policies/policyiwgek${HALG[i]}.bin -sz ${SIZ[i]} +at wa +at or +at ppr +at ar -at aw > run.out
+ checkSuccess $?
+
+ echo "Start a ${HALG[i]} policy session"
+ ${PREFIX}startauthsession -se p -halg ${HALG[i]} > run.out
+ checkSuccess $?
+
+ echo "Satisfy the policy"
+ ${PREFIX}policysecret -hs 03000000 -ha 4000000B > run.out
+ checkSuccess $?
+
+ echo "Get the session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Write the ${HALG[i]} ${IDX[i]} index to set the written bit before reading the Name"
+ ${PREFIX}nvwrite -ha ${IDX[i]} -if policies/policysecretp${HALG[i]}ha.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "Read the ${HALG[i]} Name"
+ ${PREFIX}nvreadpublic -ha ${IDX[i]} -ns > run.out
+ checkSuccess $?
+
+ echo "Verify the ${HALG[i]} Name"
+ ACTUAL=`grep ${HBIN[i]} run.out |grep -v nvreadpublic`
+ diff <(echo "${ACTUAL}" ) <(echo "${NVNAME[i]}" )
+ checkSuccess $?
+
+done
+
+# B.8.4 Computing PolicyC - TPM_CC_PolicyAuthorizeNV || nvIndex->Name)
+
+# policyiwgekcsha256.txt
+# 00000192000b0c9d717e9c3fe69fda41769450bb145957f8b3610e084dbf65591a5d11ecd83f
+
+# policyiwgekcsha384.txt
+# 00000192000cdb62fca346612c976732ff4e8621fb4e858be82586486504f7d02e621f8d7d61ae32cfc60c4d120609ed6768afcf090c
+
+# policyiwgekcsha512.txt
+# 00000192000d1c47c0bbcbd3cf7d7cae6987d31937c171015dde3b7f0d3c869bca1f7e8a223b9acfadb49b7c9cf14d450f41e9327de34d9291eece2c58ab1dc10e9059cce560
+
+# policymaker -if policies/policyiwgekcsha256.txt -ns -halg sha256 -pr -of policies/policyiwgekcsha256.bin
+# 3767e2edd43ff45a3a7e1eaefcef78643dca964632e7aad82c673a30d8633fde
+
+# policymaker -if policies/policyiwgekcsha384.txt -ns -halg sha384 -pr -of policies/policyiwgekcsha384.bin
+# d6032ce61f2fb3c240eb3cf6a33237ef2b6a16f4293c22b455e261cffd217ad5b4947c2d73e63005eed2dc2b3593d165
+
+# policymaker -if policies/policyiwgekcsha512.txt -ns -halg sha512 -pr -of policies/policyiwgekcsha512.bin
+# 589ee1e146544716e8deafe6db247b01b81e9f9c7dd16b814aa159138749105fba5388dd1dea702f35240c184933121e2c61b8f50d3ef91393a49a38c3f73fc8
+
+# B.8.5 Computing PolicyB - TPM_CC_PolicyOR || digests
+
+# policyiwgekbsha256.txt
+# 00000171
+# 837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa
+# 3767e2edd43ff45a3a7e1eaefcef78643dca964632e7aad82c673a30d8633fde
+# policymaker -if policies/policyiwgekbsha256.txt -halg sha256 -pr -of policies/policyiwgekbsha256.bin
+ # ca 3d 0a 99 a2 b9 39 06 f7 a3 34 24 14 ef cf b3
+ # a3 85 d4 4c d1 fd 45 90 89 d1 9b 50 71 c0 b7 a0
+
+# policyiwgekbsha384.txt
+# 00000171
+# 8bbf2266537c171cb56e403c4dc1d4b64f432611dc386e6f532050c3278c930e143e8bb1133824ccb431053871c6db53
+# d6032ce61f2fb3c240eb3cf6a33237ef2b6a16f4293c22b455e261cffd217ad5b4947c2d73e63005eed2dc2b3593d165
+# policymaker -if policies/policyiwgekbsha384.txt -halg sha384 -pr -of policies/policyiwgekbsha384.bin
+ # b2 6e 7d 28 d1 1a 50 bc 53 d8 82 bc f5 fd 3a 1a
+ # 07 41 48 bb 35 d3 b4 e4 cb 1c 0a d9 bd e4 19 ca
+ # cb 47 ba 09 69 96 46 15 0f 9f c0 00 f3 f8 0e 12
+
+# policyiwgekbsha512.txt
+# 00000171
+# 1e3b76502c8a1425aa0b7b3fc646a1b0fae063b03b5368f9c4cddecaff0891dd682bac1a85d4d832b781ea451915de5fc5bf0dc4a1917cd42fa041e3f998e0ee
+# 589ee1e146544716e8deafe6db247b01b81e9f9c7dd16b814aa159138749105fba5388dd1dea702f35240c184933121e2c61b8f50d3ef91393a49a38c3f73fc8
+# policymaker -if policies/policyiwgekbsha512.txt -halg sha512 -pr -of policies/policyiwgekbsha512.bin
+ # b8 22 1c a6 9e 85 50 a4 91 4d e3 fa a6 a1 8c 07
+ # 2c c0 12 08 07 3a 92 8d 5d 66 d5 9e f7 9e 49 a4
+ # 29 c4 1a 6b 26 95 71 d5 7e db 25 fb db 18 38 42
+ # 56 08 b4 13 cd 61 6a 5f 6d b5 b6 07 1a f9 9b ea
+
+echo ""
+echo "Test the EK policies"
+echo ""
+
+# test message to be signed
+echo -n "1234567890123456" > msg.bin
+
+# Change endorsement and platform hierarchy passwords for testing
+
+echo "Change endorsement hierarchy password"
+${PREFIX}hierarchychangeauth -hi e -pwdn eee
+checkSuccess $?
+
+echo "Change platform hierarchy password"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp
+checkSuccess $?
+
+for ((i = 0 ; i < 3; i++))
+do
+
+ echo "Create an RSA primary key ${HALG[i]} 80000001"
+ ${PREFIX}createprimary -si -nalg ${HALG[i]} -pwdk kkk -pol policies/policyiwgekb${HALG[i]}.bin -rsa 2048 > run.out
+ checkSuccess $?
+
+ echo "Start a policy session ${HALG[i]} 03000000"
+ ${PREFIX}startauthsession -se p -halg ${HALG[i]} > run.out
+ checkSuccess $?
+
+ echo "Satisfy Policy A - Policy Secret with PWAP session and endorsement hierarchy auth"
+ ${PREFIX}policysecret -ha 4000000b -hs 03000000 -pwde eee > run.out
+ checkSuccess $?
+
+ echo "Get the session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Policy OR ${HALG[i]}"
+ ${PREFIX}policyor -ha 03000000 -if policies/policyiwgek${HALG[i]}.bin -if policies/policyiwgekc${HALG[i]}.bin > run.out
+ checkSuccess $?
+
+ echo "Get the ${HALG[i]} session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy A"
+ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Policy restart ${HALG[i]} 03000000"
+ ${PREFIX}policyrestart -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Satisfy NV Index Policy - Policy Secret with PWAP session and platform hierarchy auth"
+ ${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+ checkSuccess $?
+
+ echo "Get the ${HALG[i]} session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Satisfy Policy C - Policy Authorize NV"
+ ${PREFIX}policyauthorizenv -ha ${IDX[i]} -hs 03000000 > run.out
+ checkSuccess $?
+
+ echo "Get the ${HALG[i]} session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Policy OR ${HALG[i]}"
+ ${PREFIX}policyor -ha 03000000 -if policies/policyiwgek${HALG[i]}.bin -if policies/policyiwgekc${HALG[i]}.bin > run.out
+ checkSuccess $?
+
+ echo "Get the ${HALG[i]} session digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy A"
+ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Flush the policy session ${HALG[i]} 03000000"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Flush the primary key ${HALG[i]} 80000001"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "Reset endorsement hierarchy password"
+${PREFIX}hierarchychangeauth -hi e -pwda eee
+checkSuccess $?
+
+echo "Reset platform hierarchy password"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp
+checkSuccess $?
+
+for ((i = 0 ; i < 3; i++))
+do
+
+ echo "Undefine optional ${HALG[i]} NV index ${IDX[i]}"
+ ${PREFIX}nvundefinespace -ha ${IDX[i]} -hi o > run.out
+ checkSuccess $?
+
+done
+
+rm -f run.out
+rm -f sig.bin
+rm -f tmprpub.bin
+rm -f tmprpriv.bin
+rm -f tmpcredin.bin
+rm -f tmpcredenc.bin
+rm -f tmpcreddec.bin
+rm -f tmpsecret.bin
+rm -f tmp.der
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
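Review bot: The "Test the EK policies" section changes the endorsement and platform hierarchy auth to `eee`/`ppp` and the NV loop defines indexes 01c07f01-01c07f03, but the Cleanup that reverses this is only reached if every intervening checkSuccess passes; checkSuccess is defined outside this file, but if it aborts the script (as its use here suggests) a mid-section failure leaves the TPM with non-empty hierarchy auths and the three indexes defined, and every later regression test that assumes empty auths will fail until someone reruns the reset commands by hand. I would document that at the top of the section: `# NOTE: sets E and P hierarchy auth to eee/ppp and defines NV 01c07f01-03; if a step fails before Cleanup, clear them manually (hierarchychangeauth -hi e -pwda eee / -hi p -pwda ppp, nvundefinespace -hi o) before rerunning`, and the robust fix is an EXIT `trap` that runs the cleanup steps. Separately, the four `hierarchychangeauth` calls in that section and in Cleanup are the only steps whose output is not redirected to `run.out`, which looks like an oversight rather than intent. The `grep ${HBIN[i]} run.out` used to extract the NV Name is unanchored, so it also depends on no other line of the nvreadpublic output containing the two-byte algorithm id.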
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testda.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testda.bat
new file mode 100644
index 0000000..f991bfe
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testda.bat
@@ -0,0 +1,203 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testda.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "DA Logic"
+echo ""
+
+echo "Create an signing key with DA protection"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -da > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 0, disables DA"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with bad password - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password, no lockout"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 120 sec, enables DA"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 120 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with bad password - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password, lockout - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Reset DA lock"
+%TPM_EXE_PATH%dictionaryattacklockreset > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 120 sec, enables DA, max tries 2"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 120 -nmt 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with bad password - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password, no lockout yet"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with bad password - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password, lockout - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Reset DA lock"
+%TPM_EXE_PATH%dictionaryattacklockreset > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with good password, no lockout"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 0, disables DA"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Lockout Auth"
+echo ""
+
+echo "Change lockout auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi l -pwdn lll > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reset DA lock with good password"
+%TPM_EXE_PATH%dictionaryattacklockreset -pwd lll > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 0 with good password"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 0 -pwd lll > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear lockout auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi l -pwda lll > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set DA recovery time to 0"
+%TPM_EXE_PATH%dictionaryattackparameters -nrt 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reset DA lock"
+%TPM_EXE_PATH%dictionaryattacklockreset > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
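Review bot: The "should fail" steps in the DA section treat any non-zero ERRORLEVEL as success, so "Sign a digest with good password, lockout - should fail" passes whether the TPM really answered TPM_RC_LOCKOUT or the sign failed for an unrelated reason (stale msg.bin, wrong handle), which means the test cannot tell "lockout engaged" from "signing broken". If the utilities write the TPM_RC name into run.out (not visible from here), the lockout steps should additionally assert it, e.g. `findstr /C:"TPM_RC_LOCKOUT" run.out > nul` followed by `IF !ERRORLEVEL! NEQ 0 ( exit /B 1 )`, and the bad-password steps should likewise look for the auth-failure code rather than just non-zero. Also, an early `exit /B 1` anywhere between "Change lockout auth" and "Clear lockout auth" leaves the lockout hierarchy auth set to lll, so the next run's unauthenticated `dictionaryattacklockreset` fails; a comment such as `REM If this script aborts after "Change lockout auth", run hierarchychangeauth -hi l -pwda lll before retrying` would save the next person a confusing failure.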
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testda.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testda.sh
new file mode 100755
index 0000000..7cfa9a3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testda.sh
@@ -0,0 +1,152 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testda.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "DA Logic"
+echo ""
+
+echo "Create an signing key with DA protection"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -da > run.out
+checkSuccess $?
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 0, disables DA"
+${PREFIX}dictionaryattackparameters -nrt 0 > run.out
+checkSuccess $?
+
+echo "Sign a digest with bad password - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+checkFailure $?
+
+echo "Sign a digest with good password, no lockout"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 120 sec, enables DA"
+${PREFIX}dictionaryattackparameters -nrt 120 > run.out
+checkSuccess $?
+
+echo "Sign a digest with bad password - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+checkFailure $?
+
+echo "Sign a digest with good password, lockout - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Reset DA lock"
+${PREFIX}dictionaryattacklockreset > run.out
+checkSuccess $?
+
+echo "Sign a digest with good password"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 120 sec, enables DA, max tries 2"
+${PREFIX}dictionaryattackparameters -nrt 120 -nmt 2 > run.out
+checkSuccess $?
+
+echo "Sign a digest with bad password - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+checkFailure $?
+
+echo "Sign a digest with good password, no lockout yet"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Sign a digest with bad password - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk xxx > run.out
+checkFailure $?
+
+echo "Sign a digest with good password, lockout - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Reset DA lock"
+${PREFIX}dictionaryattacklockreset > run.out
+checkSuccess $?
+
+echo "Sign a digest with good password, no lockout"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 0, disables DA"
+${PREFIX}dictionaryattackparameters -nrt 0 > run.out
+checkSuccess $?
+
+echo ""
+echo "Lockout Auth"
+echo ""
+
+echo "Change lockout auth"
+${PREFIX}hierarchychangeauth -hi l -pwdn lll > run.out
+checkSuccess $?
+
+echo "Reset DA lock with good password"
+${PREFIX}dictionaryattacklockreset -pwd lll > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 0 with good password"
+${PREFIX}dictionaryattackparameters -nrt 0 -pwd lll > run.out
+checkSuccess $?
+
+echo "Clear lockout auth"
+${PREFIX}hierarchychangeauth -hi l -pwda lll > run.out
+checkSuccess $?
+
+echo "Set DA recovery time to 0"
+${PREFIX}dictionaryattackparameters -nrt 0 > run.out
+checkSuccess $?
+
+echo "Reset DA lock"
+${PREFIX}dictionaryattacklockreset > run.out
+checkSuccess $?
+
+echo "Flush signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
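Review bot: If checkSuccess aborts the script (it is defined outside this file) between "Change lockout auth" and "Clear lockout auth", the lockout hierarchy is left with auth lll, DA may still be in lockout with a 120 s recovery time, and the signing key stays loaded at 80000001, so a rerun fails on its first unauthenticated `dictionaryattacklockreset` rather than on the step that actually broke. A short warning at the top of the "Lockout Auth" section, `# NOTE: if this section aborts, run hierarchychangeauth -hi l -pwda lll and dictionaryattackparameters -nrt 0 before rerunning`, would make recovery obvious. The test also never removes `tmppriv.bin`/`tmppub.bin` it creates with `create`, unlike testcredential.sh which cleans up its temporaries; `rm -f tmppriv.bin tmppub.bin` after the flush would match that convention. As with the .bat variant, `checkFailure` only proves a non-zero return, so the lockout steps do not verify that the failure was TPM_RC_LOCKOUT rather than some other error.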
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.bat
new file mode 100644
index 0000000..a748bc4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.bat
@@ -0,0 +1,786 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+REM 80000001 K1 storage key
+REM 80000002 K2 signing key to be duplicated
+REM 80000002 K2 duplicated
+REM 03000000 policy session
+
+REM policy
+REM be f5 6b 8c 1c c8 4e 11 ed d7 17 52 8d 2c d9 93
+REM 56 bd 2b bf 8f 01 52 09 c3 f8 4a ee ab a8 e8 a2
+
+REM used for the name in rewrap
+
+echo ""
+echo "Duplication"
+echo ""
+
+echo ""
+echo "Duplicate Child Key"
+echo ""
+
+REM # primary key 80000000
+REM # target storage key K1 80000001
+REM # originally under primary key
+REM # duplicate to K1
+REM # import to K1
+REM # signing key K2 80000002
+
+set SALG=rsa ecc
+set SKEY=rsa2048 ecc
+
+set i=0
+for %%a in (!SALG!) do set /A i+=1 & set SALG[!i!]=%%a
+set i=0
+for %%b in (!SKEY!) do set /A i+=1 & set SKEY[!i!]=%%b
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ for %%E in ("" "-salg aes -ik tmprnd.bin") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a signing key K2 under the primary key, with policy"
+ %TPM_EXE_PATH%create -hp 80000000 -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccduplicate.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the !SALG[%%i]! storage key K1"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr store!SKEY[%%i]!priv.bin -ipu store!SKEY[%%i]!pub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key K2"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest, %%H"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg %%H -if policies/aaa -os sig.bin -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature, %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code, duplicate"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14b > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get policy digest"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get random AES encryption key"
+ %TPM_EXE_PATH%getrandom -by 16 -of tmprnd.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Duplicate K2 under !SALG[%%i]! K1, %%~E"
+ %TPM_EXE_PATH%duplicate -ho 80000002 -pwdo sig -hp 80000001 -od tmpdup.bin -oss tmpss.bin %%~E -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the original K2 to free object slot for import"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Import K2 under !SALG[%%i]! K1, %%~E"
+ %TPM_EXE_PATH%import -hp 80000001 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin %%~E -opr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign under K2, %%H - should fail"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg %%H -if policies/aaa -os sig.bin -pwdk sig > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Load the duplicated signing key K2"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign using duplicated K2, %%H"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg %%H -if policies/aaa -os sig.bin -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature, %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the duplicated K2"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the parent K1"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+ )
+)
+
+echo ""
+echo "Duplicate Primary Key"
+echo ""
+
+echo "Create a platform primary signing key K2 80000001"
+%TPM_EXE_PATH%createprimary -hi p -si -kt nf -kt np -pol policies/policyccduplicate.bin -opu tmppub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000001 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code, duplicate"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14b > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Duplicate K2 under storage key"
+%TPM_EXE_PATH%duplicate -ho 80000001 -hp 80000000 -od tmpdup.bin -oss tmpss.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Import K2 under storage key"
+%TPM_EXE_PATH%import -hp 80000000 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin -opr tmppriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the duplicated signing key K2 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key 8000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the duplicated key 80000002 "
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session 03000000 "
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Import PEM RSA signing key under RSA and ECC storage key"
+echo ""
+
+echo "generate the signing key with openssl"
+openssl genrsa -out tmpprivkey.pem -aes256 -passout pass:rrrr 2048
+
+echo "load the ECC storage key"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipr storeeccpriv.bin -ipu storeeccpub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+ for %%H in (%ITERATE_ALGS%) do (
+ for %%P in (80000000 80000001) do (
+
+ echo "Import the signing key under the parent key %%P %%H"
+ %TPM_EXE_PATH%importpem -hp %%P -pwdp sto -ipem tmpprivkey.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the TPM signing key"
+ %TPM_EXE_PATH%load -hp %%P -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign the message %%H %%~S"
+ %TPM_EXE_PATH%sign -hk 80000002 -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg %%H %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -if policies/aaa -is tmpsig.bin -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+ )
+)
+
+echo ""
+echo "Import PEM EC signing key under RSA and ECC storage key"
+echo ""
+
+echo "generate the signing key with openssl"
+openssl ecparam -name prime256v1 -genkey -noout | openssl pkey -aes256 -passout pass:rrrr -text > tmpecprivkey.pem
+
+for %%S in ("" "-se0 02000000 1") do (
+ for %%H in (%ITERATE_ALGS%) do (
+ for %%P in (80000000 80000001) do (
+
+ echo "Import the signing key under the parent key %%P %%H"
+ %TPM_EXE_PATH%importpem -hp %%P -pwdp sto -ipem tmpecprivkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the TPM signing key"
+ %TPM_EXE_PATH%load -hp %%P -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign the message %%H %%~S"
+ %TPM_EXE_PATH%sign -hk 80000002 -salg ecc -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg %%H %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1test
+ )
+
+ echo "Verify the signature %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -ecc -if policies/aaa -is tmpsig.bin -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+ )
+)
+
+echo "Flush the ECC storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Rewrap"
+echo ""
+
+REM duplicate object O1 to K1 (the outer wrapper, knows inner wrapper)
+REM rewrap O1 from K1 to K2 (does not know inner wrapper)
+REM import O1 to K2 (knows inner wrapper)
+
+REM 03000000 policy session for duplicate
+
+REM at TPM 1, duplicate object to K1 outer wrapper, AES wrapper
+
+echo "Create a storage key K2"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -opr tmpk2priv.bin -opu tmpk2pub.bin -pwdp sto -pwdk k2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the storage key K1 80000001 public key "
+%TPM_EXE_PATH%loadexternal -hi p -ipu storersa2048pub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key O1 with policy"
+%TPM_EXE_PATH%create -hp 80000000 -si -opr tmpsignpriv.bin -opu tmpsignpub.bin -pwdp sto -pwdk sig -pol policies/policyccduplicate.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key O1 80000002 under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpsignpriv.bin -ipu tmpsignpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save the signing key O1 name"
+cp h80000002.bin tmpo1name.bin
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code, duplicate"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14b > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get random AES encryption key"
+%TPM_EXE_PATH%getrandom -by 16 -of tmprnd.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Duplicate O1 80000002 under K1 80000001 outer wrapper, using AES inner wrapper"
+%TPM_EXE_PATH%duplicate -ho 80000002 -pwdo sig -hp 80000001 -ik tmprnd.bin -od tmpdup.bin -oss tmpss.bin -salg aes -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush signing key O1 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush storage key K1 80000001 public key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM at TPM 2
+
+echo "Load storage key K1 80000001 public and private key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load storage key K2 80000002 public key"
+%TPM_EXE_PATH%loadexternal -hi p -ipu tmpk2pub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Rewrap O1 from K1 80000001 to K2 80000002 "
+%TPM_EXE_PATH%rewrap -ho 80000001 -hn 80000002 -pwdo sto -id tmpdup.bin -in tmpo1name.bin -iss tmpss.bin -od tmpdup.bin -oss tmpss.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush old key K1 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush new key K2 80000002 public key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM at TPM 3
+
+echo "Load storage key K2 80000001 public key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmpk2priv.bin -ipu tmpk2pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Import rewraped O1 to K2"
+%TPM_EXE_PATH%import -hp 80000001 -pwdp k2 -ipu tmpsignpub.bin -id tmpdup.bin -iss tmpss.bin -salg aes -ik tmprnd.bin -opr tmpsignpriv3.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the imported signing key O1 80000002 under K2 80000001"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmpsignpriv3.bin -ipu tmpsignpub.bin -pwdp k2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign using duplicated K2"
+%TPM_EXE_PATH%sign -hk 80000002 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -if policies/aaa -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush storage key K2 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush signing key O1 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Duplicate Primary Sealed AES from Source to Target EK"
+echo ""
+
+REM # source creates AES key, sends to target
+
+REM # Real code would send the target EK X509 certificate. The target could
+REM # defer recreating the EK until later.
+
+REM # Target
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Target: Provision a target !SALG[%%i]! EK certificate"
+ %TPM_EXE_PATH%createekcert -alg !SALG[%%i]! -cakey cakey.pem -capwd rrrr > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Recreate the !SALG[%%i]! EK at 80000001"
+ %TPM_EXE_PATH%createek -alg !SALG[%%i]! -cp -noflush > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Convert the EK public key to PEM format for transmission to source"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmpekpub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Flush the EK"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM # Here, target would send the EK PEM public key to the source
+
+REM # The real source would
+REM #
+REM # 1 - walk the EK X509 certificate chain. I have to add that sample code to createEK or make a new utility.
+REM # 2 - use openssl to convert the X509 EK certificate the the PEM public key file
+REM #
+REM # for now, the source trusts the target EK PEM public key
+
+REM # Source
+
+ echo "Source: Create an AES 256 bit key"
+ %TPM_EXE_PATH%getrandom -by 32 -ns -of tmpaeskeysrc.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Create primary duplicable sealed AES key 80000001"
+ %TPM_EXE_PATH%createprimary -bl -kt nf -kt np -if tmpaeskeysrc.bin -pol policies/policyccduplicate.bin -opu tmpsdbpub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Load the target !SALG[%%i]! EK public key as a storage key 80000002"
+ %TPM_EXE_PATH%loadexternal -!SALG[%%i]! -st -ipem tmpekpub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Start a policy session, duplicate needs a policy 03000000"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Policy command code, duplicate"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14b > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Read policy digest, for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Wrap the sealed AES key with the target EK public key"
+ %TPM_EXE_PATH%duplicate -ho 80000001 -hp 80000002 -od tmpsdbdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Flush the sealed AES key 80000001"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Source: Flush the EK public key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM # Transmit the sealed AEK key wrapped with the target EK back to the target
+REM # tmpsdbdup.bin private part wrapped in EK public key, via symmetric seed
+REM # tmpsdbpub.bin public part
+REM # tmpss.bin symmetric seed, encrypted with EK public key
+
+REM # Target
+
+REM # NOTE This assumes that the endorsement hierarchy password is Empty.
+REM # This may be a bad assumption if an attacker can get access and
+REM # change it.
+
+ echo "Target: Recreate the -!SALG[%%i]! EK at 80000001"
+ %TPM_EXE_PATH%createek -alg !SALG[%%i]! -cp -noflush > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Start a policy session, EK use needs a policy"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Policy Secret with PWAP session and (Empty) endorsement auth"
+ %TPM_EXE_PATH%policysecret -ha 4000000b -hs 03000000 -pwde "" > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Read policy digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Import the sealed AES key under the EK storage key"
+ %TPM_EXE_PATH%import -hp 80000001 -ipu tmpsdbpub.bin -id tmpsdbdup.bin -iss tmpss.bin -opr tmpsdbpriv.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Restart the policy session"
+ %TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Policy Secret with PWAP session and (Empty) endorsement auth"
+ %TPM_EXE_PATH%policysecret -ha 4000000b -hs 03000000 -pwde "" > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Read policy digest for debug"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Load the sealed AES key under the EK storage key"
+ %TPM_EXE_PATH%load -hp 80000001 -ipu tmpsdbpub.bin -ipr tmpsdbpriv.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Target: Unseal the AES key"
+ %TPM_EXE_PATH%unseal -ha 80000002 -of tmpaeskeytgt.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM # A real target would not have access to tmpaeskeysrc.bin for the compare
+
+ echo "Target: Verify the unsealed result, same at source, for debug"
+ diff tmpaeskeytgt.bin tmpaeskeysrc.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the EK"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed AES key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the policy session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+REM cleanup
+
+echo "Undefine the RSA EK certificate index"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01c00002
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Undefine the ECC EK certificate index"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01c0000a
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -f tmpo1name.bin
+rm -f tmpsignpriv.bin
+rm -f tmpsignpub.bin
+rm -f tmprnd.bin
+rm -f tmpdup.bin
+rm -f tmpss.bin
+rm -f tmpsignpriv3.bin
+rm -f tmpsig.bin
+rm -f tmpk2priv.bin
+rm -f tmpk2pub.bin
+rm -f tmposs.bin
+rm -f tmpprivkey.pem
+rm -f tmpecprivkey.pem
+rm -f tmppub.bin
+rm -f tmppriv.bin
+rm -f tmpekpub.pem
+rm -f tmpaeskeysrc.bin
+rm -f tmpsdbpub.bin
+rm -f tmpsdbdup.bin
+rm -f tmpss.bin
+rm -f tmpsdbpriv.bin
+rm -f tmpaeskeytgt.bin
+
+exit /B 0
+
+REM flushcontext -ha 80000001
+REM flushcontext -ha 80000002
+REM flushcontext -ha 03000000
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 03000000
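Review bot: The failure branch of the ECC-import sign step at L96965 reads `exit /B 1test`, which is clearly a stray edit of `exit /B 1`; how cmd.exe treats a non-numeric exit code is not something this script should rely on, and the PEM-RSA block above uses the plain form, so the line should be `exit /B 1`. Separately, several echo labels in the rewrap section name the wrong object: at L97097 "Flush old key K1 80000001" is followed by a flush of 80000002 (K2's public key, loaded at L97086), and at L97103 "Flush new key K2 80000002 public key" flushes 80000001 (K1), with the same swap at L97141/L97147 after the import; the handles themselves appear consistent with what was loaded, so only the labels need swapping, e.g. `echo "Flush new key K2 80000002 public key"` before the flush of 80000002. The label at L96864 also drops a digit ("8000001" for 80000001). Since every failure path is a bare `exit /B 1`, a wrong label is the only diagnostic a reader of run.out gets, which is why these are worth fixing in a regression script.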
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.sh
new file mode 100755
index 0000000..d234380
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testdup.sh
@@ -0,0 +1,626 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# 80000001 K1 storage key
+# 80000002 K2 signing key to be duplicated
+# 80000002 K2 duplicated
+# 03000000 policy session
+
+# policy
+# be f5 6b 8c 1c c8 4e 11 ed d7 17 52 8d 2c d9 93
+# 56 bd 2b bf 8f 01 52 09 c3 f8 4a ee ab a8 e8 a2
+
+# used for the name in rewrap
+
+if [ -z $TPM_DATA_DIR ]; then
+ TPM_DATA_DIR=.
+fi
+
+echo ""
+echo "Duplication"
+echo ""
+
+echo ""
+echo "Duplicate Child Key"
+echo ""
+
+# primary key 80000000
+# target storage key K1 80000001
+# originally under primary key
+# duplicate to K1
+# import to K1
+# signing key K2 80000002
+
+SALG=(rsa ecc)
+SKEY=(rsa2048 ecc)
+
+for ((i = 0 ; i < 2 ; i++))
+do
+ for ENC in "" "-salg aes -ik tmprnd.bin"
+ do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ echo "Create a signing key K2 under the primary key, with policy"
+ ${PREFIX}create -hp 80000000 -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccduplicate.bin > run.out
+ checkSuccess $?
+
+ echo "Load the ${SALG[i]} storage key K1 80000001"
+ ${PREFIX}load -hp 80000000 -ipr store${SKEY[i]}priv.bin -ipu store${SKEY[i]}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the signing key K2 80000002"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Sign a digest, $HALG"
+ ${PREFIX}sign -hk 80000002 -halg $HALG -if policies/aaa -os tmpsig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Verify the signature, $HALG"
+ ${PREFIX}verifysignature -hk 80000002 -halg $HALG -if policies/aaa -is tmpsig.bin > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Policy command code, duplicate"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 14b > run.out
+ checkSuccess $?
+
+ echo "Get policy digest"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Get random AES encryption key"
+ ${PREFIX}getrandom -by 16 -of tmprnd.bin > run.out
+ checkSuccess $?
+
+ echo "Duplicate K2 under ${SALG[i]} K1, ${ENC}"
+ ${PREFIX}duplicate -ho 80000002 -pwdo sig -hp 80000001 -od tmpdup.bin -oss tmpss.bin ${ENC} -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Flush the original K2 to free object slot for import"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Import K2 under ${SALG[i]} K1, ${ENC}"
+ ${PREFIX}import -hp 80000001 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin ${ENC} -opr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Sign under K2, $HALG - should fail"
+ ${PREFIX}sign -hk 80000002 -halg $HALG -if policies/aaa -os tmpsig.bin -pwdk sig > run.out
+ checkFailure $?
+
+ echo "Load the duplicated signing key K2"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Sign using duplicated K2, $HALG"
+ ${PREFIX}sign -hk 80000002 -halg $HALG -if policies/aaa -os tmpsig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Verify the signature, $HALG"
+ ${PREFIX}verifysignature -hk 80000002 -halg $HALG -if policies/aaa -is tmpsig.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the duplicated K2"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the parent K1"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+ done
+ done
+done
+
+echo ""
+echo "Duplicate Primary Key"
+echo ""
+
+echo "Create a platform primary signing key K2 80000001"
+${PREFIX}createprimary -hi p -si -kt nf -kt np -pol policies/policyccduplicate.bin -opu tmppub.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000001 -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy command code, duplicate"
+${PREFIX}policycommandcode -ha 03000000 -cc 14b > run.out
+checkSuccess $?
+
+echo "Duplicate K2 under storage key"
+${PREFIX}duplicate -ho 80000001 -hp 80000000 -od tmpdup.bin -oss tmpss.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Import K2 under storage key"
+${PREFIX}import -hp 80000000 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin -opr tmppriv.bin > run.out
+checkSuccess $?
+
+echo "Load the duplicated signing key K2 80000002"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Flush the primary key 8000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the duplicated key 80000002 "
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the session 03000000 "
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Import PEM RSA signing key under RSA and ECC storage key"
+echo ""
+
+echo "generate the signing key with openssl"
+openssl genrsa -out tmpprivkey.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
+
+echo "load the ECC storage key"
+${PREFIX}load -hp 80000000 -pwdp sto -ipr storeeccpriv.bin -ipu storeeccpub.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ for PARENT in 80000000 80000001
+ do
+
+ echo "Import the signing key under the parent key ${PARENT} ${HALG}"
+ ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpprivkey.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Load the TPM signing key"
+ ${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Sign the message ${HALG} ${SESS}"
+ ${PREFIX}sign -hk 80000002 -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG}"
+ ${PREFIX}verifysignature -hk 80000002 -if policies/aaa -is tmpsig.bin -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ done
+ done
+done
+
+echo ""
+echo "Import PEM EC signing key under RSA and ECC storage key"
+echo ""
+
+# mbedtls appears to only support the legacy PEM format
+# -----BEGIN EC PRIVATE KEY-----
+# and not the PKCS8 format
+# -----BEGIN ENCRYPTED PRIVATE KEY-----
+#
+
+echo "generate the signing key with openssl"
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+ openssl ecparam -name prime256v1 -genkey -noout | openssl pkey -aes256 -passout pass:rrrr -text > tmpecprivkey.pem 2>&1
+
+elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then
+# plaintext key pair, legacy plaintext -----BEGIN PRIVATE KEY-----
+ openssl ecparam -name prime256v1 -genkey -noout | openssl pkey -text -out tmpecprivkeydec.pem > run.out 2>&1
+# encrypt key pair, legacy encrypted -----BEGIN EC PRIVATE KEY-----
+ openssl ec -aes128 -passout pass:rrrr -in tmpecprivkeydec.pem -out tmpecprivkey.pem > run.out 2>&1
+
+else
+ echo "Error: crypto library ${CRYPTOLIBRARY} not supported"
+ exit 255
+fi
+
+for SESS in "" "-se0 02000000 1"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ for PARENT in 80000000 80000001
+ do
+
+ echo "Import the signing key under the parent key ${PARENT} ${HALG}"
+ ${PREFIX}importpem -hp ${PARENT} -pwdp sto -ipem tmpecprivkey.pem -ecc -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Load the TPM signing key"
+ ${PREFIX}load -hp ${PARENT} -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Sign the message ${HALG} ${SESS}"
+ ${PREFIX}sign -hk 80000002 -salg ecc -pwdk rrrr -if policies/aaa -os tmpsig.bin -halg ${HALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the signature ${HALG}"
+ ${PREFIX}verifysignature -hk 80000002 -ecc -if policies/aaa -is tmpsig.bin -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ done
+ done
+done
+
+echo "Flush the ECC storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Rewrap"
+echo ""
+
+# duplicate object O1 to K1 (the outer wrapper, knows inner wrapper)
+# rewrap O1 from K1 to K2 (does not know inner wrapper)
+# import O1 to K2 (knows inner wrapper)
+
+# 03000000 policy session for duplicate
+
+# at TPM 1, duplicate object to K1 outer wrapper, AES wrapper
+
+echo "Create a storage key K2"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -opr tmpk2priv.bin -opu tmpk2pub.bin -pwdp sto -pwdk k2 > run.out
+checkSuccess $?
+
+echo "Load the storage key K1 80000001 public key "
+${PREFIX}loadexternal -hi p -ipu storersa2048pub.bin > run.out
+checkSuccess $?
+
+echo "Create a signing key O1 with policy"
+${PREFIX}create -hp 80000000 -si -opr tmpsignpriv.bin -opu tmpsignpub.bin -pwdp sto -pwdk sig -pol policies/policyccduplicate.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key O1 80000002 under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmpsignpriv.bin -ipu tmpsignpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Save the signing key O1 name"
+cp ${TPM_DATA_DIR}/h80000002.bin tmpo1name.bin
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy command code, duplicate"
+${PREFIX}policycommandcode -ha 03000000 -cc 14b > run.out
+checkSuccess $?
+
+echo "Get random AES encryption key"
+${PREFIX}getrandom -by 16 -of tmprnd.bin > run.out
+checkSuccess $?
+
+echo "Duplicate O1 80000002 under K1 80000001 outer wrapper, using AES inner wrapper"
+${PREFIX}duplicate -ho 80000002 -pwdo sig -hp 80000001 -ik tmprnd.bin -od tmpdup.bin -oss tmpss.bin -salg aes -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Flush signing key O1 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush storage key K1 80000001 public key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+# at TPM 2
+
+echo "Load storage key K1 80000001 public and private key"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Load storage key K2 80000002 public key"
+${PREFIX}loadexternal -hi p -ipu tmpk2pub.bin > run.out
+checkSuccess $?
+
+echo "Rewrap O1 from K1 80000001 to K2 80000002 "
+${PREFIX}rewrap -ho 80000001 -hn 80000002 -pwdo sto -id tmpdup.bin -in tmpo1name.bin -iss tmpss.bin -od tmpdup.bin -oss tmpss.bin > run.out
+checkSuccess $?
+
+echo "Flush old key K1 80000001"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush new key K2 80000002 public key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# at TPM 3
+
+echo "Load storage key K2 80000001 public key"
+${PREFIX}load -hp 80000000 -ipr tmpk2priv.bin -ipu tmpk2pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Import rewraped O1 to K2"
+${PREFIX}import -hp 80000001 -pwdp k2 -ipu tmpsignpub.bin -id tmpdup.bin -iss tmpss.bin -salg aes -ik tmprnd.bin -opr tmpsignpriv3.bin > run.out
+checkSuccess $?
+
+echo "Load the imported signing key O1 80000002 under K2 80000001"
+${PREFIX}load -hp 80000001 -ipr tmpsignpriv3.bin -ipu tmpsignpub.bin -pwdp k2 > run.out
+checkSuccess $?
+
+echo "Sign using duplicated K2"
+${PREFIX}sign -hk 80000002 -if policies/aaa -os tmpsig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000002 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Flush storage key K2 80000001"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush signing key O1 80000002"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Duplicate Primary Sealed AES from Source to Target EK"
+echo ""
+
+# source creates AES key, sends to target
+
+# Real code would send the target EK X509 certificate. The target could
+# defer recreating the EK until later.
+
+# Target
+
+# The mbedtls port does not support EC certificate creation yet */
+
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+ for ((i = 0 ; i < 2 ; i++))
+ do
+
+ echo "Target: Provision a target ${SALG[i]} EK certificate"
+ ${PREFIX}createekcert -alg ${SALG[i]} -cakey cakey.pem -capwd rrrr > run.out
+ checkSuccess $?
+
+ echo "Target: Recreate the ${SALG[i]} EK at 80000001"
+ ${PREFIX}createek -alg ${SALG[i]} -cp -noflush > run.out
+ checkSuccess $?
+
+ echo "Target: Convert the EK public key to PEM format for transmission to source"
+ ${PREFIX}readpublic -ho 80000001 -opem tmpekpub.pem > run.out
+ checkSuccess $?
+
+ echo "Target: Flush the EK"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+# Here, target would send the EK PEM public key to the source
+
+# The real source would
+#
+# 1 - walk the EK X509 certificate chain. I have to add that sample code to createEK or make a new utility.
+# 2 - use openssl to convert the X509 EK certificate the the PEM public key file
+#
+# for now, the source trusts the target EK PEM public key
+
+# Source
+
+ echo "Source: Create an AES 256 bit key"
+ ${PREFIX}getrandom -by 32 -ns -of tmpaeskeysrc.bin > run.out
+ checkSuccess $?
+
+ echo "Source: Create primary duplicable sealed AES key 80000001"
+ ${PREFIX}createprimary -bl -kt nf -kt np -if tmpaeskeysrc.bin -pol policies/policyccduplicate.bin -opu tmpsdbpub.bin > run.out
+ checkSuccess $?
+
+ echo "Source: Load the target ${SALG[i]} EK public key as a storage key 80000002"
+ ${PREFIX}loadexternal -${SALG[i]} -st -ipem tmpekpub.pem > run.out
+ checkSuccess $?
+
+ echo "Source: Start a policy session, duplicate needs a policy 03000000"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Source: Policy command code, duplicate"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 14b > run.out
+ checkSuccess $?
+
+ echo "Source: Read policy digest, for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Source: Wrap the sealed AES key with the target EK public key"
+ ${PREFIX}duplicate -ho 80000001 -hp 80000002 -od tmpsdbdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "Source: Flush the sealed AES key 80000001"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Source: Flush the EK public key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+# Transmit the sealed AEK key wrapped with the target EK back to the target
+# tmpsdbdup.bin private part wrapped in EK public key, via symmetric seed
+# tmpsdbpub.bin public part
+# tmpss.bin symmetric seed, encrypted with EK public key
+
+# Target
+
+# NOTE This assumes that the endorsement hierarchy password is Empty.
+# This may be a bad assumption if an attacker can get access and
+# change it.
+
+ echo "Target: Recreate the -${SALG[i]} EK at 80000001"
+ ${PREFIX}createek -alg ${SALG[i]} -cp -noflush > run.out
+ checkSuccess $?
+
+ echo "Target: Start a policy session, EK use needs a policy"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Target: Policy Secret with PWAP session and (Empty) endorsement auth"
+ ${PREFIX}policysecret -ha 4000000b -hs 03000000 -pwde "" > run.out
+ checkSuccess $?
+
+ echo "Target: Read policy digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Target: Import the sealed AES key under the EK storage key"
+ ${PREFIX}import -hp 80000001 -ipu tmpsdbpub.bin -id tmpsdbdup.bin -iss tmpss.bin -opr tmpsdbpriv.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Target: Restart the policy session"
+ ${PREFIX}policyrestart -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Target: Policy Secret with PWAP session and (Empty) endorsement auth"
+ ${PREFIX}policysecret -ha 4000000b -hs 03000000 -pwde "" > run.out
+ checkSuccess $?
+
+ echo "Target: Read policy digest for debug"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Target: Load the sealed AES key under the EK storage key"
+ ${PREFIX}load -hp 80000001 -ipu tmpsdbpub.bin -ipr tmpsdbpriv.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Target: Unseal the AES key"
+ ${PREFIX}unseal -ha 80000002 -of tmpaeskeytgt.bin > run.out
+ checkSuccess $?
+
+# A real target would not have access to tmpaeskeysrc.bin for the compare
+
+ echo "Target: Verify the unsealed result, same at source, for debug"
+ diff tmpaeskeytgt.bin tmpaeskeysrc.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the EK"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed AES key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the policy session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+ done
+
+# cleanup
+
+echo "Undefine the RSA EK certificate index"
+${PREFIX}nvundefinespace -hi p -ha 01c00002
+checkSuccess $?
+
+echo "Undefine the ECC EK certificate index"
+${PREFIX}nvundefinespace -hi p -ha 01c0000a
+checkSuccess $?
+
+fi
+
+rm -f tmpo1name.bin
+rm -f tmpsignpriv.bin
+rm -f tmpsignpub.bin
+rm -f tmprnd.bin
+rm -f tmpdup.bin
+rm -f tmpss.bin
+rm -f tmpsignpriv3.bin
+rm -f tmpsig.bin
+rm -f tmpk2priv.bin
+rm -f tmpk2pub.bin
+rm -f tmposs.bin
+rm -f tmpprivkey.pem
+rm -f tmpecprivkey.pem
+rm -f tmpecprivkeydec.pem
+rm -f tmppub.bin
+rm -f tmppriv.bin
+rm -f tmpekpub.pem
+rm -f tmpaeskeysrc.bin
+rm -f tmpsdbpub.bin
+rm -f tmpsdbdup.bin
+rm -f tmpss.bin
+rm -f tmpsdbpriv.bin
+rm -f tmpaeskeytgt.bin
+
+# ${PREFIX}flushcontext -ha 80000001
+# ${PREFIX}flushcontext -ha 80000002
+# ${PREFIX}flushcontext -ha 03000000
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 03000000
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.bat
new file mode 100644
index 0000000..5de54d6
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.bat
@@ -0,0 +1,324 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2019. #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "ECC Ephemeral"
+echo ""
+
+echo ""
+echo "ECC Parameters and Ephemeral"
+echo ""
+
+for %%C in (bnp256 nistp256 nistp384) do (
+
+ echo "ECC Parameters for curve %%C"
+ %TPM_EXE_PATH%eccparameters -cv %%C > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%A in (-si -sir) do (
+
+ echo "Create %%A for curve %%C"
+ %TPM_EXE_PATH%create -hp 80000000 -pwdp sto %%A -ecc %%C > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+ echo "EC Ephemeral for curve %%C"
+ %TPM_EXE_PATH%ecephemeral -ecc %%C > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo ""
+echo "ECC Commit"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%K in ("-dau" "-dar") do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Create a %%~K ECDAA signing key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -ecc bnp256 %%~K -nalg sha256 -halg sha256 -kt f -kt p -opr tmprpriv.bin -opu tmprpub.bin -pwdp sto -pwdk siga > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key 80000001 under the primary key 80000000"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmprpriv.bin -ipu tmprpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM %TPM_EXE_PATH%getcapability -cap 1 -pr 80000001
+
+ REM The trick with commit is first use - empty ECC point and no s2 and y2 parameters
+ REM which means no P1, no s2 and no y2.
+ REM and output the result and get the efile.bin
+ REM feed back the point in efile.bin as the new p1 because it is on the curve.
+
+ REM There is no test case for s2 and y2. To construct a y2 requires using Cipolla's algorithm.
+ REM example of normal command
+ REM %TPM_EXE_PATH%commit -hk 80000001 -pt p1.bin -s2 s2.bin -y2 y2_a.bin -Kf kfile.bin -Lf lfile.bin -Ef efile.bin -pwdk siga > run.out
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and Generator point %%~S"
+ %TPM_EXE_PATH%commit -hk 80000001 -Ef efile.bin -pwdk siga %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM copy efile as new p1 - for hash operation
+ cp efile.bin p1.bin
+
+ REM We have a point on the curve - in efile.bin. Use E as P1 and feed it back in
+
+ REM All this does is simulate the commit that the FIDO alliance wants to
+ REM use in its TPM Join operation.
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and input point %%~S"
+ %TPM_EXE_PATH%commit -hk 80000001 -pt p1.bin -Ef efile.bin -cf counterfile.bin -pwdk siga %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ cat efile.bin p1.bin tmprpub.bin > hashinput.bin
+
+ echo "Hash the E, P1, and Q to create the ticket to use in signing"
+ %TPM_EXE_PATH%hash -hi p -halg sha256 -if hashinput.bin -oh outhash.bin -tk tfile.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign the hash of the points made from commit"
+ %TPM_EXE_PATH%sign -hk 80000001 -pwdk siga -salg ecc -scheme ecdaa -cf counterfile.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+REM save old counterfile for off nominal error check
+cp counterfile.bin counterfileold.bin
+
+
+for %%K in ("-dau" "-dar") do (
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Create a %%~K ECDAA signing primary key"
+ %TPM_EXE_PATH%createprimary -ecc bnp256 %%~K -nalg sha256 -halg sha256 -kt f -kt p -opu tmprpub.bin -pwdk siga > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM %TPM_EXE_PATH%getcapability -cap 1 -pr 80000001
+
+ REM The trick with commit is first use - empty ECC point and no s2 and y2 parameters
+ REM which means no P1, no s2 and no y2.
+ REM and output the result and get the efile.bin
+ REM feed back the point in efile.bin as the new p1 because it is on the curve.
+
+ REM There is no test case for s2 and y2. To construct a y2 requires using Cipolla's algorithm.
+ REM example of normal command
+ REM %TPM_EXE_PATH%commit -hk 80000001 -pt p1.bin -s2 s2.bin -y2 y2_a.bin -Kf kfile.bin -Lf lfile.bin -Ef efile.bin -cf counterfile.bin -pwdk siga > run.out
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and Generator point %%~S"
+ %TPM_EXE_PATH%commit -hk 80000001 -Ef efile.bin -cf counterfile.bin -pwdk siga %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM copy efile as new p1 - for hash operation
+ cp efile.bin p1.bin
+
+ REM We have a point on the curve - in efile.bin. Use E as P1 and feed it back in
+
+ REM All this does is simulate the commit that the FIDO alliance wants to
+ REM use in its TPM Join operation.
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and input point %%~S"
+ %TPM_EXE_PATH%commit -hk 80000001 -pt efile.bin -Ef efile.bin -pwdk siga %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ cat efile.bin p1.bin tmprpub.bin > hashinput.bin
+
+ echo "Hash the E, P1, and Q to create the ticket to use in signing"
+ %TPM_EXE_PATH%hash -hi p -halg sha256 -if hashinput.bin -oh outhash.bin -tk tfile.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Check error case bad counter"
+ %TPM_EXE_PATH%sign -hk 80000001 -pwdk siga -salg ecc -scheme ecdaa -cf counterfileold.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Sign the hash of the points made from commit"
+ %TPM_EXE_PATH%sign -hk 80000001 -pwdk siga -salg ecc -scheme ecdaa -cf counterfile.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "ECC zgen2phase"
+echo ""
+
+echo "ECC Parameters for curve nistp256"
+%TPM_EXE_PATH%eccparameters -cv nistp256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM This is just a script for a B "remote" side to create a static key
+REM pair and ephemeral for use in demonstrating (on the local side) a
+REM two-phase operation involving ecephemeral and zgen2phase
+
+echo "Create decryption key for curve nistp256"
+%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -den -ecc nistp256 -opu QsBpub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "EC Ephemeral for curve nistp256"
+%TPM_EXE_PATH%ecephemeral -ecc nistp256 -oq QeBpt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM local side
+REM
+REM scp or cp the QsBpub.bin and QeBpt.bin from the B side over to the
+REM A side. This assumes QsBpub is a TPM2B_PUBLIC from a create command
+REM on B side. QeBpt is already in TPM2B_ECC_POINT form since it was
+REM created by ecephemeral on B side QsBpub.bin is presumed in a form
+REM produced by a create commamnd using another TPM
+
+echo "Create decryption key for curve nistp256"
+%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -den -ecc nistp256 -opr QsApriv.bin -opu QsApub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the decryption key under the primary key, 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr QsApriv.bin -ipu QsApub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "EC Ephemeral for curve nistp256"
+%TPM_EXE_PATH%ecephemeral -ecc nistp256 -oq QeApt.bin -cf counter.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Convert public raw to TPM2B_ECC_POINT"
+%TPM_EXE_PATH%tpmpublic2eccpoint -ipu QsBpub.bin -pt QsBpt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Execute zgen2phase for curve nistp256"
+%TPM_EXE_PATH%zgen2phase -hk 80000001 -scheme ecdh -qsb QsBpt.bin -qeb QeBpt.bin -cf counter.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -rf efile.bin
+rm -rf tmprpub.bin
+rm -rf tmprpriv.bin
+rm -rf counterfile.bin
+rm -rf counterfileold.bin
+rm -rf p1.bin
+rm -rf hashinput.bin
+rm -rf outhash.bin
+rm -rf sig.bin
+rm -rf tfile.bin
+
+rm -rf QsBpub.bin
+rm -rf QeBpt.bin
+rm -rf QsApriv.bin
+rm -rf QsApub.bin
+rm -rf QeApt.bin
+rm -rf counter.bin
+rm -rf QsBpt.bin
+
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 80000000
+REM %TPM_EXE_PATH%getcapability -cap 1 -pr 02000000
+exit /B 0
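Review bot: The second commit call at L98229 passes `-pt efile.bin -Ef efile.bin`, so the same file is named as both the input point and the output point; the first loop (L98163) and the bash counterpart testecc.sh use `-pt p1.bin` after the `cp efile.bin p1.bin` on the preceding line. Since p1.bin already holds the copy, `-pt p1.bin -Ef efile.bin -pwdk siga %%~S` gives the same hash input without relying on the tool fully reading its input before it opens the output. The `-cf counterfile.bin` argument is also present on L98215 but absent on L98229, the reverse of the first loop (L98149 vs L98163); if the counter is meant to come from the second commit as in the first loop, the two lines appear to have been swapped. Separately, the script depends on `cp`, `cat` and `rm` being on the Windows PATH; a one-line `REM requires Unix-style cp/cat/rm on PATH` near `setlocal` would spare the next reader a puzzling failure.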
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.sh
new file mode 100755
index 0000000..9ece33e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testecc.sh
@@ -0,0 +1,279 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testecc.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "ECC Ephemeral"
+echo ""
+
+echo ""
+echo "ECC Parameters and Ephemeral"
+echo ""
+
+for CURVE in "bnp256" "nistp256" "nistp384"
+do
+
+ echo "ECC Parameters for curve ${CURVE}"
+ ${PREFIX}eccparameters -cv ${CURVE} > run.out
+ checkSuccess $?
+
+ for ATTR in "-si" "-sir"
+ do
+
+ echo "Create ${ATTR} for curve ${CURVE}"
+ ${PREFIX}create -hp 80000000 -pwdp sto ${ATTR} -ecc ${CURVE} > run.out
+ checkSuccess $?
+
+ done
+
+ echo "EC Ephemeral for curve ${CURVE}"
+ ${PREFIX}ecephemeral -ecc ${CURVE} > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "ECC Commit"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for KEYTYPE in "-dau" "-dar"
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Create a $KEYTYPE ECDAA signing key under the primary key"
+ ${PREFIX}create -hp 80000000 -ecc bnp256 $KEYTYPE -nalg sha256 -halg sha256 -kt f -kt p -opr tmprpriv.bin -opu tmprpub.bin -pwdp sto -pwdk siga > run.out
+ checkSuccess $?
+
+ echo "Load the signing key 80000001 under the primary key 80000000"
+ ${PREFIX}load -hp 80000000 -ipr tmprpriv.bin -ipu tmprpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ #${PREFIX}getcapability -cap 1 -pr 80000001
+
+ # The trick with commit is first use - empty ECC point and no s2 and y2 parameters
+ # which means no P1, no s2 and no y2.
+ # and output the result and get the efile.bin
+ # feed back the point in efile.bin as the new p1 because it is on the curve.
+
+ # There is no test case for s2 and y2. To construct a y2 requires using Cipolla's algorithm.
+ # example of normal command
+ # ${PREFIX}commit -hk 80000001 -pt p1.bin -s2 s2.bin -y2 y2_a.bin -Kf kfile.bin -Lf lfile.bin -Ef efile.bin -cf counterfile.bin -pwdk siga > run.out
+ # checkSuccess $?
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and Generator point ${SESS}"
+ ${PREFIX}commit -hk 80000001 -Ef efile.bin -pwdk siga ${SESS} > run.out
+ checkSuccess $?
+
+ # copy efile as new p1 - for hash operation
+ cp efile.bin p1.bin
+
+ # We have a point on the curve - in efile.bin. Use E as P1 and feed it back in
+
+ # All this does is simulate the commit that the FIDO alliance wants to
+ # use in its TPM Join operation.
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and input point ${SESS}"
+ ${PREFIX}commit -hk 80000001 -pt p1.bin -Ef efile.bin -cf counterfile.bin -pwdk siga ${SESS} > run.out
+ checkSuccess $?
+
+ cat efile.bin p1.bin tmprpub.bin > hashinput.bin
+
+ echo "Hash the E, P1, and Q to create the ticket to use in signing"
+ ${PREFIX}hash -hi p -halg sha256 -if hashinput.bin -oh outhash.bin -tk tfile.bin > run.out
+ checkSuccess $?
+
+ echo "Sign the hash of the points made from commit"
+ ${PREFIX}sign -hk 80000001 -pwdk siga -salg ecc -scheme ecdaa -cf counterfile.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+# save old counterfile for off nominal error check
+cp counterfile.bin counterfileold.bin
+
+for KEYTYPE in "-dau" "-dar"
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Create a $KEYTYPE ECDAA signing primary key"
+ ${PREFIX}createprimary -ecc bnp256 $KEYTYPE -nalg sha256 -halg sha256 -kt f -kt p -opu tmprpub.bin -pwdk siga > run.out
+ checkSuccess $?
+
+ #${PREFIX}getcapability -cap 1 -pr 80000001
+
+ # The trick with commit is first use - empty ECC point and no s2 and y2 parameters
+ # which means no P1, no s2 and no y2.
+ # and output the result and get the efile.bin
+ # feed back the point in efile.bin as the new p1 because it is on the curve.
+
+ # There is no test case for s2 and y2. To construct a y2 requires using Cipolla's algorithm.
+ # example of normal command
+ # ${PREFIX}commit -hk 80000001 -pt p1.bin -s2 s2.bin -y2 y2_a.bin -Kf kfile.bin -Lf lfile.bin -Ef efile.bin -cf counterfile.bin -pwdk siga > run.out
+ # checkSuccess $?
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and Generator point ${SESS}"
+ ${PREFIX}commit -hk 80000001 -Ef efile.bin -pwdk siga ${SESS} > run.out
+ checkSuccess $?
+
+ # copy efile as new p1 - for hash operation
+ cp efile.bin p1.bin
+
+ # We have a point on the curve - in efile.bin. Use E as P1 and feed it back in
+
+ # All this does is simulate the commit that the FIDO alliance wants to
+ # use in its TPM Join operation.
+
+ echo "Create new point E, based on point-multiply of TPM's commit random scalar and input point ${SESS}"
+ ${PREFIX}commit -hk 80000001 -pt p1.bin -Ef efile.bin -cf counterfile.bin -pwdk siga ${SESS} > run.out
+ checkSuccess $?
+
+ cat efile.bin p1.bin tmprpub.bin > hashinput.bin
+
+ echo "Hash the E, P1, and Q to create the ticket to use in signing"
+ ${PREFIX}hash -hi p -halg sha256 -if hashinput.bin -oh outhash.bin -tk tfile.bin > run.out
+ checkSuccess $?
+
+ echo "Check error case bad counter"
+ ${PREFIX}sign -hk 80000001 -pwdk siga -ecdaa -cf counterfileold.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ checkFailure $?
+
+ echo "Sign the hash of the points made from commit"
+ ${PREFIX}sign -hk 80000001 -pwdk siga -salg ecc -scheme ecdaa -cf counterfile.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "ECC zgen2phase"
+echo ""
+
+echo "ECC Parameters for curve nistp256"
+${PREFIX}eccparameters -cv nistp256 > run.out
+checkSuccess $?
+
+# This is just a script for a B "remote" side to create a static key
+# pair and ephemeral for use in demonstrating (on the local side) a
+# two-phase operation involving ecephemeral and zgen2phase
+
+echo "Create decryption key for curve nistp256"
+${PREFIX}create -hp 80000000 -pwdp sto -den -ecc nistp256 -opu QsBpub.bin > run.out
+checkSuccess $?
+
+echo "EC Ephemeral for curve nistp256"
+${PREFIX}ecephemeral -ecc nistp256 -oq QeBpt.bin > run.out
+checkSuccess $?
+
+# local side
+
+# scp or cp the QsBpub.bin and QeBpt.bin from the B side over to the
+# A side. This assumes QsBpub is a TPM2B_PUBLIC from a create command
+# on B side. QeBpt is already in TPM2B_ECC_POINT form since it was
+# created by ecephemeral on B side QsBpub.bin is presumed in a form
+# produced by a create commamnd using another TPM
+
+echo "Create decryption key for curve nistp256"
+${PREFIX}create -hp 80000000 -pwdp sto -den -ecc nistp256 -opr QsApriv.bin -opu QsApub.bin > run.out
+checkSuccess $?
+
+echo "Load the decryption key under the primary key, 80000001"
+${PREFIX}load -hp 80000000 -ipr QsApriv.bin -ipu QsApub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "EC Ephemeral for curve nistp256"
+${PREFIX}ecephemeral -ecc nistp256 -oq QeApt.bin -cf counter.bin > run.out
+checkSuccess $?
+
+echo "Convert public raw to TPM2B_ECC_POINT"
+${PREFIX}tpmpublic2eccpoint -ipu QsBpub.bin -pt QsBpt.bin > run.out
+checkSuccess $?
+
+echo "Execute zgen2phase for curve ${CURVE}"
+${PREFIX}zgen2phase -hk 80000001 -scheme ecdh -qsb QsBpt.bin -qeb QeBpt.bin -cf counter.bin > run.out
+checkSuccess $?
+
+echo "Flush the key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+rm -rf efile.bin
+rm -rf tmprpub.bin
+rm -rf tmprpriv.bin
+rm -rf counterfile.bin
+rm -rf counterfileold.bin
+rm -rf p1.bin
+rm -rf hashinput.bin
+rm -rf outhash.bin
+rm -rf sig.bin
+rm -rf tfile.bin
+
+rm -rf QsBpub.bin
+rm -rf QeBpt.bin
+rm -rf QsApriv.bin
+rm -rf QsApub.bin
+rm -rf QeApt.bin
+rm -rf counter.bin
+rm -rf QsBpt.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
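Review bot: The negative "bad counter" test at L98555 invokes `sign` with `-ecdaa`, while every other ECDAA signing call in this file (L98497, L98559) and the batch version (testecc.bat L98243) use `-salg ecc -scheme ecdaa`; if `-ecdaa` is not an accepted option, the command fails during argument parsing and `checkFailure` passes without ever exercising the stale-counter rejection it is meant to prove. Suggest aligning it with the positive case: `${PREFIX}sign -hk 80000001 -pwdk siga -salg ecc -scheme ecdaa -cf counterfileold.bin -if hashinput.bin -os sig.bin -tk tfile.bin > run.out`. The message at L98617 prints `${CURVE}`, which still holds the last value of the loop ending at L98438 (nistp384), whereas the zgen2phase command on the next line is hard-coded to nistp256; `echo "Execute zgen2phase for curve nistp256"` matches the command and the batch script. The cleanup at L98625–L98642 uses `rm -rf` on plain files, where `rm -f` states the intent more precisely.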
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.bat
new file mode 100644
index 0000000..1e6b150
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.bat
@@ -0,0 +1,483 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+set TWOAUTH0=01 01 01 01 21 21 41 41 61
+set TWOAUTH1=01 21 41 61 01 41 01 21 01
+
+set THREEAUTH0=01 01 01 01 01 21 41
+set THREEAUTH1=01 01 01 21 41 01 01
+set THREEAUTH2=21 41 61 41 21 41 21
+
+echo ""
+echo "Parameter Encryption"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%M in (xor aes) do (
+
+ for %%N in (xor aes) do (
+
+ for %%P in (xor aes) do (
+
+
+ echo "Start an HMAC auth session with %%M encryption"
+ %TPM_EXE_PATH%startauthsession -se h -sym %%M > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start an HMAC auth session with %%N encryption"
+ %TPM_EXE_PATH%startauthsession -se h -sym %%N > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start an HMAC auth session with %%P encryption"
+ %TPM_EXE_PATH%startauthsession -se h -sym %%P > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM one auth
+
+ for %%A in (21 41 61) do (
+
+ echo "Signing Key Self Certify, one auth %%A"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 %%A > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+ REM two auth
+
+ set i=0
+ for %%a in (!TWOAUTH0!) do set /A i+=1 & set TWOAUTH0[!i!]=%%a
+ set i=0
+ for %%b in (!TWOAUTH1!) do set /A i+=1 & set TWOAUTH1[!i!]=%%b
+ set L=!i!
+
+ for /L %%i in (1,1,!L!) do (
+
+ echo "Signing Key Self Certify, two auth !TWOAUTH0[%%i]! !TWOAUTH1[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !TWOAUTH0[%%i]! -se1 02000001 !TWOAUTH1[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+ REM three auth, first 01
+
+ set i=0
+ for %%a in (!THREEAUTH0!) do set /A i+=1 & set THREEAUTH0[!i!]=%%a
+ set i=0
+ for %%b in (!THREEAUTH1!) do set /A i+=1 & set THREEAUTH1[!i!]=%%b
+ set i=0
+ for %%c in (!THREEAUTH2!) do set /A i+=1 & set THREEAUTH2[!i!]=%%c
+ set L=!i!
+
+ for /L %%i in (1,1,!L!) do (
+
+ echo "Signing Key Self Certify, three auth !THREEAUTH0[%%i]! !THREEAUTH1[%%i]! !THREEAUTH2[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !THREEAUTH0[%%i]! -se1 02000001 !THREEAUTH1[%%i]! -se2 02000002 !THREEAUTH2[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+
+ echo "Flush the sessions"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sessions"
+ %TPM_EXE_PATH%flushcontext -ha 02000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sessions"
+ %TPM_EXE_PATH%flushcontext -ha 02000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+ )
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key, policy command code certify"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policycccertify.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Salt encrypt and decrypt HMAC sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an encrypt session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set i=0
+for %%a in (!THREEAUTH0!) do set /A i+=1 & set THREEAUTH0[!i!]=%%a
+set i=0
+for %%b in (!THREEAUTH1!) do set /A i+=1 & set THREEAUTH1[!i!]=%%b
+set i=0
+for %%c in (!THREEAUTH2!) do set /A i+=1 & set THREEAUTH2[!i!]=%%c
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Signing Key Self Certify, three auth, salted parameter encryption !THREEAUTH0[%%i]! !THREEAUTH1[%%i]! !THREEAUTH2[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !THREEAUTH0[%%i]! -se1 02000001 !THREEAUTH1[%%i]! -se2 02000002 !THREEAUTH2[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Bind encrypt and decrypt HMAC sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an encrypt session"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set i=0
+for %%a in (!THREEAUTH0!) do set /A i+=1 & set THREEAUTH0[!i!]=%%a
+set i=0
+for %%b in (!THREEAUTH1!) do set /A i+=1 & set THREEAUTH1[!i!]=%%b
+set i=0
+for %%c in (!THREEAUTH2!) do set /A i+=1 & set THREEAUTH2[!i!]=%%c
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Signing Key Self Certify, three auth, bind parameter encryption !THREEAUTH0[%%i]! !THREEAUTH1[%%i]! !THREEAUTH2[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !THREEAUTH0[%%i]! -se1 02000001 !THREEAUTH1[%%i]! -se2 02000002 !THREEAUTH2[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+
+REM # policycccertify.txt 0000016c00000148
+REM # policymaker -if policies/policycccertify.txt -of policies/policycccertify.bin -v -pr
+REM # 04 8e 9a 3a ce 08 58 3f 79 f3 44 ff 78 5b be a9
+REM # f0 7a c7 fa 33 25 b3 d4 9a 21 dd 51 94 c6 58 50
+
+echo ""
+echo "Salt encrypt and decrypt policy sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an encrypt session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set i=0
+for %%a in (!THREEAUTH0!) do set /A i+=1 & set THREEAUTH0[!i!]=%%a
+set i=0
+for %%b in (!THREEAUTH1!) do set /A i+=1 & set THREEAUTH1[!i!]=%%b
+set i=0
+for %%c in (!THREEAUTH2!) do set /A i+=1 & set THREEAUTH2[!i!]=%%c
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Policy restart"
+ %TPM_EXE_PATH%policyrestart -ha 03000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code - certify"
+ %TPM_EXE_PATH%policycommandcode -ha 03000001 -cc 148 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Self Certify, three auth, salted parameter encryption !THREEAUTH0[%%i]! !THREEAUTH1[%%i]! !THREEAUTH2[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdo sig -pwdk sig -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !THREEAUTH0[%%i]! -se1 03000001 !THREEAUTH1[%%i]! -se2 02000002 !THREEAUTH2[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions "
+%TPM_EXE_PATH%flushcontext -ha 03000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions "
+%TPM_EXE_PATH%flushcontext -ha 02000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Bind encrypt and decrypt policy sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an auth session"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an encrypt session"
+%TPM_EXE_PATH%startauthsession -se h -bi 80000001 -pwdb sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set i=0
+for %%a in (!THREEAUTH0!) do set /A i+=1 & set THREEAUTH0[!i!]=%%a
+set i=0
+for %%b in (!THREEAUTH1!) do set /A i+=1 & set THREEAUTH1[!i!]=%%b
+set i=0
+for %%c in (!THREEAUTH2!) do set /A i+=1 & set THREEAUTH2[!i!]=%%c
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Policy restart"
+ %TPM_EXE_PATH%policyrestart -ha 03000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code - certify"
+ %TPM_EXE_PATH%policycommandcode -ha 03000001 -cc 148 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Self Certify, three auth, bind parameter encryption !THREEAUTH0[%%i]! !THREEAUTH1[%%i]! !THREEAUTH2[%%i]!"
+ %TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdo sig -pwdk xxx -qd policies/aaa -os sig.bin -oa tmp.bin ^
+ -se0 02000000 !THREEAUTH0[%%i]! -se1 03000001 !THREEAUTH1[%%i]! -se2 02000002 !THREEAUTH2[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo "Flush the sessions"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions "
+%TPM_EXE_PATH%flushcontext -ha 03000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sessions "
+%TPM_EXE_PATH%flushcontext -ha 02000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
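Review bot: The certify call in the "Bind encrypt and decrypt policy sessions" block (L99100) passes `-pwdk xxx` while every other certify in the file passes `-pwdk sig`, and nothing says whether that is deliberate. If it is intentional — presumably because a policy session bound to 80000001 and used to authorize 80000001 without PolicyAuthValue does not fold the key's authValue into the HMAC, so a wrong password is expected to pass — a comment above the loop should say so, e.g. `REM -pwdk xxx is deliberate: the bound policy session authorizes 80000001 without its authValue, so the wrong password must still succeed`; otherwise it reads as a copy-paste slip from the salted block. The same unexplained `-pwdk xxx` appears in testencsession.sh (L99456).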
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.sh
new file mode 100755
index 0000000..160d9f2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testencsession.sh
@@ -0,0 +1,340 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+TWOAUTH0=(01 01 01 01 21 21 41 41 61)
+TWOAUTH1=(01 21 41 61 01 41 01 21 01)
+
+THREEAUTH0=(01 01 01 01 01 21 41)
+THREEAUTH1=(01 01 01 21 41 01 01)
+THREEAUTH2=(21 41 61 41 21 41 21)
+
+echo ""
+echo "Parameter Encryption - Basic"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+for MODE0 in xor aes
+do
+
+ for MODE1 in xor aes
+ do
+
+ for MODE2 in xor aes
+ do
+
+ echo "Start an HMAC auth session with $MODE0 encryption"
+ ${PREFIX}startauthsession -se h -sym $MODE0 > run.out
+ checkSuccess $?
+
+ echo "Start an HMAC auth session with $MODE1 encryption"
+ ${PREFIX}startauthsession -se h -sym $MODE1 > run.out
+ checkSuccess $?
+
+ echo "Start an HMAC auth session with $MODE2 encryption"
+ ${PREFIX}startauthsession -se h -sym $MODE2 > run.out
+ checkSuccess $?
+
+ # one auth
+
+ for AUTH0 in 21 41 61
+ do
+
+ echo "Signing Key Self Certify, one auth $AUTH0"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 $AUTH0 > run.out
+ checkSuccess $?
+
+ done
+
+ # two auth
+
+ for ((i = 0 ; i < 9; i++))
+ do
+
+ echo "Signing Key Self Certify, two auth ${TWOAUTH0[i]} ${TWOAUTH1[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${TWOAUTH0[i]} -se1 02000001 ${TWOAUTH1[i]} > run.out
+ checkSuccess $?
+
+ done
+
+ # three auth
+
+ for ((i = 0 ; i < 7; i++))
+ do
+
+ echo "Signing Key Self Certify, three auth ${THREEAUTH0[i]} ${THREEAUTH1[i]} ${THREEAUTH2[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${THREEAUTH0[i]} -se1 02000001 ${THREEAUTH1[i]} -se2 02000002 ${THREEAUTH2[i]} > run.out
+ checkSuccess $?
+
+ done
+
+ echo "Flush the sessions"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+ echo "Flush the sessions"
+ ${PREFIX}flushcontext -ha 02000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the sessions"
+ ${PREFIX}flushcontext -ha 02000002 > run.out
+ checkSuccess $?
+ done
+ done
+done
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Create a signing key, policy command code certify"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policycccertify.bin > run.out
+checkSuccess $?
+
+echo ""
+echo "Salt encrypt and decrypt HMAC sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -hs 80000000 > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -hs 80000000 > run.out
+checkSuccess $?
+
+echo "Start an encrypt session"
+${PREFIX}startauthsession -se h -hs 80000000 > run.out
+checkSuccess $?
+
+for ((i = 0 ; i < 7 ; i++))
+do
+
+ echo "Signing Key Self Certify, three auth, salted parameter encryption ${THREEAUTH0[i]} ${THREEAUTH1[i]} ${THREEAUTH2[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${THREEAUTH0[i]} -se1 02000001 ${THREEAUTH1[i]} -se2 02000002 ${THREEAUTH2[i]} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000001 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000002 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Bind encrypt and decrypt HMAC sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+echo "Start an encrypt session"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+for ((i = 0 ; i < 7 ; i++))
+do
+
+ echo "Signing Key Self Certify, three auth, bind parameter encryption ${THREEAUTH0[i]} ${THREEAUTH1[i]} ${THREEAUTH2[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${THREEAUTH0[i]} -se1 02000001 ${THREEAUTH1[i]} -se2 02000002 ${THREEAUTH2[i]} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000001 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000002 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+
+# policycccertify.txt 0000016c00000148
+# policymaker -if policies/policycccertify.txt -of policies/policycccertify.bin -v -pr
+# 04 8e 9a 3a ce 08 58 3f 79 f3 44 ff 78 5b be a9
+# f0 7a c7 fa 33 25 b3 d4 9a 21 dd 51 94 c6 58 50
+
+echo ""
+echo "Salt encrypt and decrypt policy sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -hs 80000000 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -hs 80000000 > run.out
+checkSuccess $?
+
+echo "Start an encrypt session"
+${PREFIX}startauthsession -se h -hs 80000000 > run.out
+checkSuccess $?
+
+for ((i = 0 ; i < 7 ; i++))
+do
+
+ echo "Policy restart"
+ ${PREFIX}policyrestart -ha 03000001 > run.out
+ checkSuccess $?
+
+ echo "Policy command code - certify"
+ ${PREFIX}policycommandcode -ha 03000001 -cc 148 > run.out
+ checkSuccess $?
+
+ echo "Signing Key Self Certify, three auth, salted parameter encryption ${THREEAUTH0[i]} ${THREEAUTH1[i]} ${THREEAUTH2[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdo sig -pwdk sig -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${THREEAUTH0[i]} -se1 03000001 ${THREEAUTH1[i]} -se2 02000002 ${THREEAUTH2[i]} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 03000001 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000002 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Bind encrypt and decrypt policy sessions"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an auth session"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+echo "Start an encrypt session"
+${PREFIX}startauthsession -se h -bi 80000001 -pwdb sig > run.out
+checkSuccess $?
+
+for ((i = 0 ; i < 7 ; i++))
+do
+
+ echo "Policy restart"
+ ${PREFIX}policyrestart -ha 03000001 > run.out
+ checkSuccess $?
+
+ echo "Policy command code - certify"
+ ${PREFIX}policycommandcode -ha 03000001 -cc 148 > run.out
+ checkSuccess $?
+
+ echo "Signing Key Self Certify, three auth, bind parameter encryption ${THREEAUTH0[i]} ${THREEAUTH1[i]} ${THREEAUTH2[i]}"
+ ${PREFIX}certify -hk 80000001 -ho 80000001 -pwdo sig -pwdk xxx -qd policies/aaa -os sig.bin -oa tmp.bin -se0 02000000 ${THREEAUTH0[i]} -se1 03000001 ${THREEAUTH1[i]} -se2 02000002 ${THREEAUTH2[i]} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 03000001 > run.out
+checkSuccess $?
+
+echo "Flush the sessions"
+${PREFIX}flushcontext -ha 02000002 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
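Review bot: The loop bounds 9 and 7 at L99232 and L99243 (and 7 again at L99295, L99340, L99391, L99444) duplicate the lengths of the TWOAUTH*/THREEAUTH* arrays declared at L99183–L99188, so a session-attribute combination appended to the arrays would be silently skipped, and a shortened array would yield empty attribute arguments. Derive the count from the array instead: `for ((i = 0 ; i < ${#TWOAUTH0[@]}; i++))` and `for ((i = 0 ; i < ${#THREEAUTH0[@]}; i++))`. The .bat counterpart already computes its count from the list, so this also brings the two scripts into line.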
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.bat
new file mode 100644
index 0000000..d81a615
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.bat
@@ -0,0 +1,125 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testevict.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Evict Control"
+echo ""
+
+echo "Create an unrestricted signing key"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Make the signing key persistent"
+%TPM_EXE_PATH%evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the transient key"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the persistent key"
+%TPM_EXE_PATH%sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the transient key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the persistent key - should fail"
+%TPM_EXE_PATH%flushcontext -ha 81800000 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the transient key- should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the persistent key"
+%TPM_EXE_PATH%sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the persistent key"
+%TPM_EXE_PATH%evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the persistent key - should fail"
+%TPM_EXE_PATH%sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with the transient key - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ echo TP1 failed
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 81000000
+REM getcapability -cap 1 -pr 02000000
+REM getcapability -cap 1 -pr 01000000
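Review bot: `echo TP1 failed` at L99602 is a stray diagnostic — it is the only failure branch in the file that prints anything, so it looks like leftover debugging; either drop it or give every `exit /B 1` branch a message naming the failed step. Separately, any failure exit between the evictcontrol at L99546 and the eviction at L99588 leaves handle 81800000 persistent in the TPM, so the next run's "Make the signing key persistent" step would presumably fail on the occupied handle; consider evicting a stale 81800000 (ignoring the result) before L99546. The same persistent-handle cleanup concern applies to testevict.sh.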
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.sh
new file mode 100755
index 0000000..761eaa8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testevict.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testevict.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Evict Control"
+echo ""
+
+echo "Create an unrestricted signing key"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig > run.out
+checkSuccess $?
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Make the signing key persistent"
+${PREFIX}evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
+checkSuccess $?
+
+echo "Sign a digest with the transient key"
+${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Sign a digest with the persistent key"
+${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Flush the transient key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the persistent key - should fail"
+${PREFIX}flushcontext -ha 81800000 > run.out
+checkFailure $?
+
+echo "Sign a digest with the transient key- should fail"
+${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Sign a digest with the persistent key"
+${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Flush the persistent key"
+${PREFIX}evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+checkSuccess $?
+
+echo "Sign a digest with the persistent key - should fail"
+${PREFIX}sign -hk 81800000 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Sign a digest with the transient key - should fail"
+${PREFIX}sign -hk 80000001 -halg sha1 -if policies/aaa -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 81000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+# ${PREFIX}getcapability -cap 1 -pr 01000000
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.bat
new file mode 100644
index 0000000..d454cda
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.bat
@@ -0,0 +1,158 @@
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+setlocal enableDelayedExpansion
+
+# used for the name in policy authorize
+
+echo ""
+echo "Get Capability"
+echo ""
+
+echo "Get Capability TPM_CAP_ALGS"
+%TPM_EXE_PATH%getcapability -cap 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Get Capability TPM_CAP_HANDLES"
+echo ""
+
+echo "TPM_HT_PCR"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 00000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_NV_INDEX"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_LOADED_SESSION"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_SAVED_SESSION"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_PERMANENT"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 40000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_TRANSIENT"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "TPM_HT_PERSISTENT"
+%TPM_EXE_PATH%getcapability -cap 1 -pr 81000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_COMMANDS"
+%TPM_EXE_PATH%getcapability -cap 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_PP_COMMANDS"
+%TPM_EXE_PATH%getcapability -cap 3 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_AUDIT_COMMANDS"
+%TPM_EXE_PATH%getcapability -cap 4 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_PCRS"
+%TPM_EXE_PATH%getcapability -cap 5 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Get Capability TPM_CAP_TPM_PROPERTIES"
+echo ""
+
+echo "Get Capability TPM_CAP_TPM_PROPERTIES 100"
+%TPM_EXE_PATH%getcapability -cap 6 -pr 100 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_TPM_PROPERTIES 200"
+%TPM_EXE_PATH%getcapability -cap 6 -pr 200 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_PCR_PROPERTIES "
+%TPM_EXE_PATH%getcapability -cap 7 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_ECC_CURVES"
+%TPM_EXE_PATH%getcapability -cap 8 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Capability TPM_CAP_AUTH_POLICIES"
+%TPM_EXE_PATH%getcapability -cap 9 -pr 40000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
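Review bot: The banner at the top of this file uses `#` as a comment marker, but cmd.exe has no such comment syntax, so each of those lines (and the stray `# used for the name in policy authorize` line before the first echo) is run as a command and prints a "not recognized" error on every invocation; the sibling testhierarchy.bat and testhmac.bat in this commit write the same banner as `REM # ...`. Change the banner lines to `REM #` and drop the leftover policy-authorize comment, which does not describe anything in this file. Since no ERRORLEVEL check follows the banner the test verdict is presumably unaffected, but the error noise in the log makes a real failure harder to spot.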
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.sh
new file mode 100755
index 0000000..f8994d5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testgetcap.sh
@@ -0,0 +1,125 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Get Capability"
+echo ""
+
+echo "Get Capability TPM_CAP_ALGS"
+${PREFIX}getcapability -cap 0 > run.out
+checkSuccess $?
+
+echo ""
+echo "Get Capability TPM_CAP_HANDLES"
+echo ""
+
+echo "TPM_HT_PCR"
+${PREFIX}getcapability -cap 1 -pr 00000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_NV_INDEX"
+${PREFIX}getcapability -cap 1 -pr 01000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_LOADED_SESSION"
+${PREFIX}getcapability -cap 1 -pr 02000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_SAVED_SESSION"
+${PREFIX}getcapability -cap 1 -pr 03000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_PERMANENT"
+${PREFIX}getcapability -cap 1 -pr 40000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_TRANSIENT"
+${PREFIX}getcapability -cap 1 -pr 80000000 > run.out
+checkSuccess $?
+
+echo "TPM_HT_PERSISTENT"
+${PREFIX}getcapability -cap 1 -pr 81000000 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_COMMANDS"
+${PREFIX}getcapability -cap 2 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_PP_COMMANDS"
+${PREFIX}getcapability -cap 3 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_AUDIT_COMMANDS"
+${PREFIX}getcapability -cap 4 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_PCRS"
+${PREFIX}getcapability -cap 5 > run.out
+checkSuccess $?
+
+echo ""
+echo "Get Capability TPM_CAP_TPM_PROPERTIES"
+echo ""
+
+echo "Get Capability TPM_CAP_TPM_PROPERTIES 100"
+${PREFIX}getcapability -cap 6 -pr 100 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_TPM_PROPERTIES 200"
+${PREFIX}getcapability -cap 6 -pr 200 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_PCR_PROPERTIES "
+${PREFIX}getcapability -cap 7 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_ECC_CURVES"
+${PREFIX}getcapability -cap 8 > run.out
+checkSuccess $?
+
+echo "Get Capability TPM_CAP_AUTH_POLICIES"
+${PREFIX}getcapability -cap 9 -pr 40000000 > run.out
+checkSuccess $?
+
+
+
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.bat
new file mode 100644
index 0000000..fa3e655
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.bat
@@ -0,0 +1,369 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testhierarchy.bat 507 2016-03-08 22:35:47Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Hierarchy Change Auth"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Generate a random authorization value"
+%TPM_EXE_PATH%getrandom -by 32 -nz -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Change platform hierarchy auth %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key - should fail"
+ %TPM_EXE_PATH%createprimary -hi p -pwdk 111 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key"
+ %TPM_EXE_PATH%createprimary -hi p -pwdk 111 -pwdp ppp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Change platform hierarchy auth back to null %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key"
+ %TPM_EXE_PATH%createprimary -pwdk 111 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Change platform hierarchy auth, new auth from file %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwdni tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key - should fail"
+ %TPM_EXE_PATH%createprimary -hi p -pwdk 111 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key, auth from file"
+ %TPM_EXE_PATH%createprimary -hi p -pwdk 111 -pwdpi tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Change platform hierarchy auth back to null, auth from file %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwdai tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary storage key"
+ %TPM_EXE_PATH%createprimary -pwdk 111 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the primary key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Hierarchy Change Auth with bind"
+echo ""
+
+echo "Change platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary storage key - should fail"
+%TPM_EXE_PATH%createprimary -hi p -pwdk 111 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk 111 -pwdp ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session, bind to platform hierarchy"
+%TPM_EXE_PATH%startauthsession -se h -bi 4000000c -pwdb ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy auth back to null"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary storage key"
+%TPM_EXE_PATH%createprimary -pwdk 111 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Hierarchy Control"
+echo ""
+
+echo "Enable the owner hierarchy"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change the platform hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Enable the owner hierarchy - no platform hierarchy password, should fail"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he o > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Enable the owner hierarchy using platform hierarchy password"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he o -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key in the owner hierarchy - bad password, should fail"
+%TPM_EXE_PATH%createprimary -hi o -pwdp xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a primary key in the owner hierarchy"
+%TPM_EXE_PATH%createprimary -hi o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Disable the owner hierarchy using platform hierarchy password"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he o -pwda ppp -state 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key in the owner hierarchy, disabled, should fail"
+%TPM_EXE_PATH%createprimary -hi o > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Enable the owner hierarchy using platform hierarchy password"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he o -pwda ppp -state 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key in the owner hierarchy"
+%TPM_EXE_PATH%createprimary -hi o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Remove the platform hierarchy password"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key in the owner hierarchy"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Clear"
+echo ""
+
+echo "Set storage hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi o -pwdn ooo > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary key - storage hierarchy"
+%TPM_EXE_PATH%createprimary -hi o -pwdp ooo > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the public part"
+%TPM_EXE_PATH%readpublic -ho 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "ClearControl disable"
+%TPM_EXE_PATH%clearcontrol -hi p -state 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear - should fail"
+%TPM_EXE_PATH%clear -hi p > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "ClearControl enable"
+%TPM_EXE_PATH%clearcontrol -hi p -state 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear"
+%TPM_EXE_PATH%clear -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the public part - should fail"
+%TPM_EXE_PATH%readpublic -ho 80000001 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a primary key - old owner password should fail"
+%TPM_EXE_PATH%createprimary -hi o -pwdp ooo > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a primary key"
+%TPM_EXE_PATH%createprimary -hi o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM cleanup
+rm -f tmp.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
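Review bot: The cleanup step `rm -f tmp.bin` relies on a Unix `rm` being on PATH, which cmd.exe does not provide; the native form is `if exist tmp.bin del /f tmp.bin`. testhmac.bat in the same commit likewise shells out to `diff`, so the suite evidently assumes a Unix toolset on Windows, but that assumption belongs in a `REM` at the top of the batch files rather than being discovered from a failing cleanup. More importantly, every `exit /B 1` between a hierarchychangeauth that sets the platform auth (to ppp, or to the random value written to tmp.bin) and the one that clears it leaves the TPM with a non-null platform auth, while the script's first `hierarchychangeauth -hi p -pwdn ppp` assumes a null one, so the next run fails at its first step; testhierarchy.sh in this commit has the same failure-path gap. A `REM` stating that a failed run requires a TPM reset, or a best-effort `hierarchychangeauth -hi p -pwda ppp` before exiting, would make that recoverable, and tmp.bin should not be deleted on the failure path since it is the only copy of the auth while the random value is in effect.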
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.sh
new file mode 100755
index 0000000..a3b1706
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testhierarchy.sh
@@ -0,0 +1,244 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testhierarchy.sh 990 2017-04-19 13:31:24Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015, 2016 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Hierarchy Change Auth"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Generate a random authorization value"
+${PREFIX}getrandom -by 32 -nz -of tmp.bin > run.out
+checkSuccess $?
+
+AUTH=("" "-pwda ppp " "" "-pwdai tmp.bin ")
+NEWAUTH=("-pwdn ppp " "" "-pwdni tmp.bin " "")
+CPAUTH=("-pwdp ppp " "" "-pwdpi tmp.bin " "")
+
+for ((i = 0 ; i < 4 ; i+=2))
+do
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Change platform hierarchy auth ${AUTH[i]} ${NEWAUTH[i]} ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi p ${AUTH[i]} ${NEWAUTH[i]} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Create a primary storage key - should fail"
+ ${PREFIX}createprimary -hi p -pwdk 111 > run.out
+ checkFailure $?
+
+ echo "Create a primary storage key ${CPAUTH[i]}"
+ ${PREFIX}createprimary -hi p -pwdk 111 ${CPAUTH[i]} > run.out
+ checkSuccess $?
+
+ echo "Flush the primary key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Change platform hierarchy auth back to null ${AUTH[i+1]} ${NEWAUTH[i+1]} ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi p ${AUTH[i+1]} ${NEWAUTH[i+1]} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Create a primary storage key"
+ ${PREFIX}createprimary -pwdk 111 > run.out
+ checkSuccess $?
+
+ echo "Flush the primary key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Hierarchy Change Auth with bind"
+echo ""
+
+echo "Change platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Create a primary storage key - should fail"
+${PREFIX}createprimary -hi p -pwdk 111 > run.out
+checkFailure $?
+
+echo "Create a primary storage key"
+${PREFIX}createprimary -hi p -pwdk 111 -pwdp ppp > run.out
+checkSuccess $?
+
+echo "Flush the primary key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session, bind to platform hierarchy"
+${PREFIX}startauthsession -se h -bi 4000000c -pwdb ppp > run.out
+checkSuccess $?
+
+echo "Change platform hierarchy auth back to null"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Create a primary storage key"
+${PREFIX}createprimary -pwdk 111 > run.out
+checkSuccess $?
+
+echo "Flush the primary key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Hierarchy Control"
+echo ""
+
+echo "Enable the owner hierarchy"
+${PREFIX}hierarchycontrol -hi p -he o > run.out
+checkSuccess $?
+
+echo "Change the platform hierarchy password"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Enable the owner hierarchy - no platform hierarchy password, should fail"
+${PREFIX}hierarchycontrol -hi p -he o > run.out
+checkFailure $?
+
+echo "Enable the owner hierarchy using platform hierarchy password"
+${PREFIX}hierarchycontrol -hi p -he o -pwda ppp > run.out
+checkSuccess $?
+
+echo "Create a primary key in the owner hierarchy - bad password, should fail"
+${PREFIX}createprimary -hi o -pwdp xxx > run.out
+checkFailure $?
+
+echo "Create a primary key in the owner hierarchy"
+${PREFIX}createprimary -hi o > run.out
+checkSuccess $?
+
+echo "Disable the owner hierarchy using platform hierarchy password"
+${PREFIX}hierarchycontrol -hi p -he o -pwda ppp -state 0 > run.out
+checkSuccess $?
+
+echo "Create a primary key in the owner hierarchy, disabled, should fail"
+${PREFIX}createprimary -hi o > run.out
+checkFailure $?
+
+echo "Enable the owner hierarchy using platform hierarchy password"
+${PREFIX}hierarchycontrol -hi p -he o -pwda ppp -state 1 > run.out
+checkSuccess $?
+
+echo "Create a primary key in the owner hierarchy"
+${PREFIX}createprimary -hi o > run.out
+checkSuccess $?
+
+echo "Remove the platform hierarchy password"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Flush the primary key in the owner hierarchy"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Clear"
+echo ""
+
+echo "Set storage hierarchy auth"
+${PREFIX}hierarchychangeauth -hi o -pwdn ooo > run.out
+checkSuccess $?
+
+echo "Create a primary key - storage hierarchy"
+${PREFIX}createprimary -hi o -pwdp ooo > run.out
+checkSuccess $?
+
+echo "Read the public part"
+${PREFIX}readpublic -ho 80000001 > run.out
+checkSuccess $?
+
+echo "ClearControl disable"
+${PREFIX}clearcontrol -hi p -state 1 > run.out
+checkSuccess $?
+
+echo "Clear - should fail"
+${PREFIX}clear -hi p > run.out
+checkFailure $?
+
+echo "ClearControl enable"
+${PREFIX}clearcontrol -hi p -state 0 > run.out
+checkSuccess $?
+
+echo "Clear"
+${PREFIX}clear -hi p > run.out
+checkSuccess $?
+
+echo "Read the public part - should fail"
+${PREFIX}readpublic -ho 80000001 > run.out
+checkFailure $?
+
+echo "Create a primary key - old owner password should fail"
+${PREFIX}createprimary -hi o -pwdp ooo > run.out
+checkFailure $?
+
+echo "Create a primary key"
+${PREFIX}createprimary -hi o > run.out
+checkSuccess $?
+
+echo "Flush the primary key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+
+# cleanup
+rm -f tmp.bin
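Review bot: The negative steps such as "Create a primary storage key - should fail" pass on any non-zero exit status, so `checkFailure $?` after `createprimary -hi p -pwdk 111` cannot distinguish the intended authorization failure from a transport error, a mistyped option, or a missing TPM, which means a broken harness can still turn these assertions green. Where the utility prints the TPM return code to run.out (I cannot confirm its output format from this hunk), grep for the expected code after each checkFailure, or at least confirm run.out does not contain the utility's usage text. The same applies to the `IF !ERRORLEVEL! EQU 0` checks in testhierarchy.bat and the other batch scripts in this commit. checkSuccess and checkFailure are defined outside this file.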
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.bat
new file mode 100644
index 0000000..3bbcc9b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.bat
@@ -0,0 +1,331 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2018 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Keyed hash HMAC key"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM session 02000000
+REM loaded HMAC key 80000001
+REM primary HMAC key 80000001
+REM sequence object 80000002
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Load the %%H keyed hash key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr khpriv%%H.bin -ipu khpub%%H.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H using the keyed hash key, message from file %%~S"
+ %TPM_EXE_PATH%hmac -hk 80000001 -if msg.bin -os sig.bin -pwdk khk -halg %%H %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H start using the keyed hash key %%~S"
+ %TPM_EXE_PATH%hmacstart -hk 80000001 -pwdk khk -pwda aaa %%~S -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H sequence update %%~S"
+ %TPM_EXE_PATH%sequenceupdate -hs 80000002 -pwds aaa -if msg.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H sequence complete %%~S"
+ %TPM_EXE_PATH%sequencecomplete -hs 80000002 -pwds aaa -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the HMAC %%H using the two methods"
+ diff sig.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H using the keyed hash key, message from command line %%~S"
+ %TPM_EXE_PATH%hmac -hk 80000001 -ic 1234567890123456 -os sig.bin -pwdk khk -halg %%H %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the HMAC %%H using the two methods"
+ diff sig.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%H HMAC key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create primary HMAC key - %%H"
+ %TPM_EXE_PATH%createprimary -kh -halg %%H -pwdk khp > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H using the keyed hash primary key %%~S"
+ %TPM_EXE_PATH%hmac -hk 80000001 -if msg.bin -os sig.bin -pwdk khp -halg %%H %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H start using the keyed hash primary key %%~S"
+ %TPM_EXE_PATH%hmacstart -hk 80000001 -pwdk khp -pwda aaa %%~S -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H sequence update %%~S"
+ %TPM_EXE_PATH%sequenceupdate -hs 80000002 -pwds aaa -if msg.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "HMAC %%H sequence complete %%~S"
+ %TPM_EXE_PATH%sequencecomplete -hs 80000002 -pwds aaa -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the HMAC %%H using the two methods"
+ diff sig.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%H primary HMAC key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+echo ""
+echo "Hash"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Hash %%H in one call, data from file"
+ %TPM_EXE_PATH%hash -hi p -halg %%H -if policies/aaa -oh tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the hash %%H"
+ diff tmp.bin policies/%%Haaa.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash %%H in one cal, data on command linel"
+ %TPM_EXE_PATH%hash -hi p -halg %%H -ic aaa -oh tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the hash %%H"
+ diff tmp.bin policies/%%Haaa.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash %%H sequence start"
+ %TPM_EXE_PATH%hashsequencestart -halg %%H -pwda aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash %%H sequence update %%~S"
+ %TPM_EXE_PATH%sequenceupdate -hs 80000001 -pwds aaa -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash %%H sequence complete %%~S"
+ %TPM_EXE_PATH%sequencecomplete -hi p -hs 80000001 -pwds aaa -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the %%H hash"
+ diff tmp.bin policies/%%Haaa.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+
+echo ""
+echo "Sign with ticket"
+echo ""
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048rpriv.bin -ipu signrsa2048rpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash and create ticket"
+%TPM_EXE_PATH%hash -hi p -halg sha256 -if msg.bin -oh sig.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and no ticket - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and ticket"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash and create null ticket, msg with TPM_GENERATED"
+%TPM_EXE_PATH%hash -hi p -halg sha256 -if policies/msgtpmgen.bin -oh sig.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and ticket - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Hash sequence start"
+%TPM_EXE_PATH%hashsequencestart -halg sha256 -pwda aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash sequence update "
+%TPM_EXE_PATH%sequenceupdate -hs 80000002 -pwds aaa -if msg.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash sequence complete"
+%TPM_EXE_PATH%sequencecomplete -hi p -hs 80000002 -pwds aaa -of tmp.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and no ticket - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and ticket"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash sequence start"
+%TPM_EXE_PATH%hashsequencestart -halg sha256 -pwda aaa -halg sha256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash sequence update, msg with TPM_GENERATED"
+%TPM_EXE_PATH%sequenceupdate -hs 80000002 -pwds aaa -if policies/msgtpmgen.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Hash sequence complete"
+%TPM_EXE_PATH%sequencecomplete -hi p -hs 80000002 -pwds aaa -of tmp.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest with a restricted signing key and ticket - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.sh
new file mode 100755
index 0000000..6d1f1cc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testhmac.sh
@@ -0,0 +1,254 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Keyed hash HMAC key"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+# session 02000000
+# loaded HMAC key 80000001
+# primary HMAC key 80000001
+# sequence object 80000002
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Load the ${HALG} keyed hash key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr khpriv${HALG}.bin -ipu khpub${HALG}.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} using the keyed hash key, message from file ${SESS}"
+ ${PREFIX}hmac -hk 80000001 -if msg.bin -os sig.bin -pwdk khk -halg ${HALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} start using the keyed hash key ${SESS}"
+ ${PREFIX}hmacstart -hk 80000001 -pwdk khk -pwda aaa ${SESS} -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} sequence update ${SESS}"
+ ${PREFIX}sequenceupdate -hs 80000002 -pwds aaa -if msg.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} sequence complete ${SESS}"
+ ${PREFIX}sequencecomplete -hs 80000002 -pwds aaa -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the HMAC ${HALG} using the two methods"
+ diff sig.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} using the keyed hash key, message from command line ${SESS}"
+ ${PREFIX}hmac -hk 80000001 -ic 1234567890123456 -os sig.bin -pwdk khk -halg ${HALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the HMAC ${HALG} using the two methods"
+ diff sig.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the ${HALG} HMAC key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create primary HMAC key - $HALG"
+ ${PREFIX}createprimary -kh -halg ${HALG} -pwdk khp > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} using the keyed hash primary key ${SESS}"
+ ${PREFIX}hmac -hk 80000001 -if msg.bin -os sig.bin -pwdk khp -halg ${HALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} start using the keyed hash primary key ${SESS}"
+ ${PREFIX}hmacstart -hk 80000001 -pwdk khp -pwda aaa ${SESS} -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} sequence update ${SESS}"
+ ${PREFIX}sequenceupdate -hs 80000002 -pwds aaa -if msg.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "HMAC ${HALG} sequence complete ${SESS}"
+ ${PREFIX}sequencecomplete -hs 80000002 -pwds aaa -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the HMAC ${HALG} using the two methods"
+ diff sig.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the ${HALG} primary HMAC key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo ""
+echo "Hash"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Hash ${HALG} in one call, data from file"
+ ${PREFIX}hash -hi p -halg ${HALG} -if policies/aaa -oh tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the hash ${HALG}"
+ diff tmp.bin policies/${HALG}aaa.bin > run.out
+ checkSuccess $?
+
+ echo "Hash ${HALG} in one call, data on command line"
+ ${PREFIX}hash -hi p -halg ${HALG} -ic aaa -oh tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the hash ${HALG}"
+ diff tmp.bin policies/${HALG}aaa.bin > run.out
+ checkSuccess $?
+
+ echo "Hash ${HALG} sequence start"
+ ${PREFIX}hashsequencestart -halg ${HALG} -pwda aaa > run.out
+ checkSuccess $?
+
+ echo "Hash ${HALG} sequence update ${SESS}"
+ ${PREFIX}sequenceupdate -hs 80000001 -pwds aaa -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Hash ${HALG} sequence complete ${SESS}"
+ ${PREFIX}sequencecomplete -hi p -hs 80000001 -pwds aaa -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the ${HALG} hash"
+ diff tmp.bin policies/${HALG}aaa.bin > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+
+echo ""
+echo "Sign with ticket"
+echo ""
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048rpriv.bin -ipu signrsa2048rpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Hash and create ticket"
+${PREFIX}hash -hi p -halg sha256 -if msg.bin -oh sig.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest with a restricted signing key and no ticket - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Sign a digest with a restricted signing key and ticket"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Hash and create null ticket, msg with TPM_GENERATED"
+${PREFIX}hash -hi p -halg sha256 -if policies/msgtpmgen.bin -oh sig.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest with a restricted signing key and ticket - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Hash sequence start"
+${PREFIX}hashsequencestart -halg sha256 -pwda aaa > run.out
+checkSuccess $?
+
+echo "Hash sequence update "
+${PREFIX}sequenceupdate -hs 80000002 -pwds aaa -if msg.bin > run.out
+checkSuccess $?
+
+echo "Hash sequence complete"
+${PREFIX}sequencecomplete -hi p -hs 80000002 -pwds aaa -of tmp.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest with a restricted signing key and no ticket - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Sign a digest with a restricted signing key and ticket"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Hash sequence start"
+${PREFIX}hashsequencestart -halg sha256 -pwda aaa -halg sha256 > run.out
+checkSuccess $?
+
+echo "Hash sequence update, msg with TPM_GENERATED"
+${PREFIX}sequenceupdate -hs 80000002 -pwds aaa -if policies/msgtpmgen.bin > run.out
+checkSuccess $?
+
+echo "Hash sequence complete"
+${PREFIX}sequencecomplete -hi p -hs 80000002 -pwds aaa -of tmp.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest with a restricted signing key and ticket - should fail"
+${PREFIX}sign -hk 80000001 -halg sha256 -if msg.bin -tk tkt.bin -os sig.bin -pwdk sig > run.out
+checkFailure $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+rm -f tmp.bin
+rm -f tmp1.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.bat
new file mode 100644
index 0000000..01bcc9c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.bat
@@ -0,0 +1,111 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM $Id: testhmacsession.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM #
+REM (c) Copyright IBM Corporation 2015, 2017 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "HMAC Session"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the primary key - continue true"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the primary key - continue false"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a storage key under the primary key - should fail"
+%TPM_EXE_PATH%create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo ""
+echo "User with Auth Clear"
+echo ""
+
+echo "Create a signing key under the primary key"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - should fail with HMAC session"
+%TPM_EXE_PATH%sign -hk 80000001 -if policies/aaa -se0 02000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the session, not flushed on failure"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0 \ No newline at end of file
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.sh
new file mode 100755
index 0000000..3771589
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testhmacsession.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testhmacsession.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "HMAC Session"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key - continue true"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 1 > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key - continue false"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key - should fail"
+${PREFIX}create -hp 80000000 -st -kt f -kt p -pwdp sto -pwdk sto -se0 02000000 0 > run.out
+checkFailure $?
+
+echo ""
+echo "User with Auth Clear"
+echo ""
+
+echo "Create a signing key under the primary key"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -uwa -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Sign a digest - should fail with HMAC session"
+${PREFIX}sign -hk 80000001 -if policies/aaa -se0 02000000 0 > run.out
+checkFailure $?
+
+echo "Flush the session, not flushed on failure"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.bat
new file mode 100644
index 0000000..f272214
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.bat
@@ -0,0 +1,963 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testnv.bat 1301 2018-08-15 21:46:19Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2018 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "NV"
+echo ""
+
+echo ""
+echo "NV Ordinary Index"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+set NALG=%ITERATE_ALGS%
+set BADNALG=%BAD_ITERATE_ALGS%
+
+set i=0
+for %%N in (!NALG!) do set /A i+=1 & set NALG[!i!]=%%N
+set i=0
+for %%B in (!BADNALG!) do set /A i+=1 & set BADNALG[!i!]=%%B
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space !NALG[%%i]!"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -nalg !NALG[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, unwritten Name bad Name algorithm !BADNALG[%%i]! - should fail"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg !BADNALG[%%i]! > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read - should fail before write %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 3 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the read data"
+ diff policies/aaa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read, invalid offset - should fail %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 -off 1 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read, invalid size - should fail %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 17 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space again should fail"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Define Space out of range - should fail"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 02000000 -pwdn nnn -sz 16 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Set Bits Index"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty b > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read - should fail before write %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Set bits 0, 16, 32, 48 %%~S"
+ %TPM_EXE_PATH%nvsetbits -ha 01000000 -pwdn nnn -bit 0 -bit 16 -bit 32 -bit 48 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the set bits %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the read data"
+ diff policies/bits48321601.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Counter Index"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty c > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, unwritten Name"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the count - should fail before write %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Increment the count %%~S"
+ %TPM_EXE_PATH%nvincrement -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the count %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM FIXME need some way to verify the count
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Extend Index"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ set SZ=20 32 48 64
+ set HALG=%ITERATE_ALGS%
+
+ set i=0
+ for %%a in (!SZ!) do set /A i+=1 & set SZ[!i!]=%%a
+ set i=0
+ for %%b in (!HALG!) do set /A i+=1 & set HALG[!i!]=%%b
+ set L=!i!
+
+ for /L %%i in (1,1,!L!) do (
+
+ echo "NV Define Space !HALG[%%i]!"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty e -nalg !HALG[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public !HALG[%%i]!"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg !HALG[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read, unwritten Name - should fail before write %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 32 -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV extend %%~S"
+ %TPM_EXE_PATH%nvextend -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read size !SZ[%%i]!} %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz !SZ[%%i]! -of tmp.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the read data !HALG[%%i]!"
+ diff policies/!HALG[%%i]!extaaa.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+REM getcapability -cap 1 -pr 01000000
+
+echo ""
+echo "NV Owner auth"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Set owner auth %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi o -pwdn ooo %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Define an NV index with owner auth %%~S"
+ %TPM_EXE_PATH%nvdefinespace -hi o -hia o -ha 01000000 -pwdp ooo %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read public, get Name, not written"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write with NV password %%~S - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn %%~S> run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write with owner password %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -hia o -pwdn ooo %%~S> run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read with NV password %%~S - should fail"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read with owner password %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -hia o -pwdn ooo %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine authorizing index %%~S"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 -pwdp ooo %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Clear owner auth %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi o -pwda ooo %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+REM getcapability -cap 1 -pr 01000000
+
+echo ""
+echo "NV Platform auth"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Set platform auth %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp %%~S> run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Define an NV index with platform auth %%~S"
+ %TPM_EXE_PATH%nvdefinespace -hi p -hia p -ha 01000000 -pwdp ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read public, get Name, not written"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write with NV password %%~S - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write with platform password %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -pwdn ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read with NV password %%~S - should fail"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write with platform password %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -hia p -pwdn ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine authorizing index %%~S"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 -pwdp ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Clear platform auth %%~S"
+ %TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Write Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space with write define"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at wd > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, unwritten Name"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Write lock %%~S"
+ %TPM_EXE_PATH%nvwritelock -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Read Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space with read stclear"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at rst > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, unwritten Name"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read lock %%~S"
+ %TPM_EXE_PATH%nvreadlock -ha 01000000 -pwdn nnn %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S - should fail"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Global Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space 01000000 with global lock"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at gl > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Define Space 01000001 with global lock"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000001 -pwdn nnn -sz 16 +at gl > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write 01000000 %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write 01000001 %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV global lock"
+ %TPM_EXE_PATH%nvglobalwritelock -hia p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, 01000000, locked"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, 01000001, locked"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write 01000000 %%~S - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write 01000001 %%~S - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read 01000000 %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read 01000001 %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000001 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space 01000000"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space 01000001"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Change Authorization"
+echo ""
+
+REM policy is policycommandcode + policyauthvalue
+REM aa 83 a5 98 d9 3a 56 c9 ca 6f ea 7c 3f fc 4e 10
+REM 63 57 ff 6d 93 e1 1a 9b 4a c2 b6 aa e1 2b a0 de
+
+echo "NV Define Space with POLICY_DELETE and no policy - should fail"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 +at pold > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%S in ("" "-se0 02000000 1") do (
+
+ echo "NV Define Space 0100000"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -pol policies/policyccnvchangeauth-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public, unwritten Name"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code"
+ %TPM_EXE_PATH%policycommandcode -ha 03000001 -cc 0000013b > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy authvalue"
+ %TPM_EXE_PATH%policyauthvalue -ha 03000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Change authorization"
+ %TPM_EXE_PATH%nvchangeauth -ha 01000000 -pwdo nnn -pwdn xxx -se0 03000001 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S, old auth - should fail"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S, old auth - should fail"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 3 %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "NV write %%~S"
+ %TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn xxx -if policies/aaa %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV read %%~S"
+ %TPM_EXE_PATH%nvread -ha 01000000 -pwdn xxx -sz 3 %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the auth session"
+ %TPM_EXE_PATH%flushcontext -ha 03000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Change Authorization with bind"
+echo ""
+
+echo "NV Define Space 0100000"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -pol policies/policyccnvchangeauth-auth.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session, bind to NV index"
+%TPM_EXE_PATH%startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code"
+%TPM_EXE_PATH%policycommandcode -ha 03000001 -cc 0000013b > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Change authorization"
+%TPM_EXE_PATH%nvchangeauth -ha 01000000 -pwdo nnn -pwdn xxx -se0 03000001 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 03000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV Undefine space special"
+echo ""
+
+REM policy is policy command code + policy password
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%P in (policyauthvalue policypassword) do (
+
+ echo "NV Define Space 0100000"
+ %TPM_EXE_PATH%nvdefinespace -hi p -ha 01000000 -pwdn nnn -sz 16 +at pold -pol policies/policyccundefinespacespecial-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Undefine space special - should fail"
+ %TPM_EXE_PATH%nvundefinespacespecial -ha 01000000 -pwdn nnn > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Undefine space special - should fail"
+ %TPM_EXE_PATH%nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code, NV undefine space special"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 11f > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Undefine space special - should fail"
+ %TPM_EXE_PATH%nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Policy %%P"
+ %TPM_EXE_PATH%%%P -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Undefine space special"
+ %TPM_EXE_PATH%nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+REM getcapability -cap 1 -pr 01000000
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.sh
new file mode 100755
index 0000000..b941f2e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testnv.sh
@@ -0,0 +1,707 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testnv.sh 1301 2018-08-15 21:46:19Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "NV"
+echo ""
+
+echo ""
+echo "NV Ordinary Index"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+NALG=(${ITERATE_ALGS})
+BADNALG=(${BAD_ITERATE_ALGS})
+
+for ((i = 0 ; i < 4; i++))
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "NV Define Space ${NALG[$i]}"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -nalg ${NALG[$i]} > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, unwritten Name bad Name algorithm ${BADNALG[$i]} - should fail"
+ ${PREFIX}nvreadpublic -ha 01000000 -nalg ${BADNALG[$i]} > run.out
+ checkFailure $?
+
+ echo "NV read - should fail before write ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 3 -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the read data"
+ diff policies/aaa tmp.bin > run.out
+ checkSuccess $?
+
+ echo "NV read, invalid offset - should fail ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 -off 1 -of tmp.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV read, invalid size - should fail ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 17 -of tmp.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space again should fail"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkFailure $?
+
+echo "NV Define Space out of range - should fail"
+${PREFIX}nvdefinespace -hi o -ha 02000000 -pwdn nnn -sz 16 > run.out
+checkFailure $?
+
+echo ""
+echo "NV Set Bits Index"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty b > run.out
+ checkSuccess $?
+
+ echo "NV read - should fail before write ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkFailure $?
+
+ echo "Set bits 0, 16, 32, 48 ${SESS}"
+ ${PREFIX}nvsetbits -ha 01000000 -pwdn nnn -bit 0 -bit 16 -bit 32 -bit 48 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Read the set bits ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the read data"
+ diff policies/bits48321601.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV Counter Index"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty c > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, unwritten Name"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "Read the count - should fail before write ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "Increment the count ${SESS}"
+ ${PREFIX}nvincrement -ha 01000000 -pwdn nnn ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Read the count ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+# FIXME need some way to verify the count
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# The test data was created using policymaker with a text file 616161
+# (three a's). pcrexted cannot be used because it zero extends the
+# input to the hash size
+
+echo ""
+echo "NV Extend Index"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ SZ=(20 32 48 64)
+ HALG=(${ITERATE_ALGS})
+
+ for ((i = 0 ; i < 4; i++))
+ do
+
+ echo "NV Define Space ${HALG[$i]}"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -ty e -nalg ${HALG[$i]} > run.out
+ checkSuccess $?
+
+ echo "NV Read Public ${HALG[$i]}"
+ ${PREFIX}nvreadpublic -ha 01000000 -nalg ${HALG[$i]} > run.out
+ checkSuccess $?
+
+ echo "NV read, unwritten Name - should fail before write ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 32 -of tmp.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV extend ${SESS}"
+ ${PREFIX}nvextend -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read size ${SZ[$i]} ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz ${SZ[$i]} -of tmp.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the read data ${HALG[$i]}"
+ diff policies/${HALG[$i]}extaaa.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+# getcapability -cap 1 -pr 01000000
+
+echo ""
+echo "NV Owner auth"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "Set owner auth ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi o -pwdn ooo ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Define an NV index with owner auth ${SESS}"
+ ${PREFIX}nvdefinespace -hi o -hia o -ha 01000000 -pwdp ooo ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Read public, get Name, not written"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV write with NV password ${SESS} - should fail"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn ${SESS}> run.out
+ checkFailure $?
+
+ echo "NV write with owner password ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -hia o -pwdn ooo ${SESS}> run.out
+ checkSuccess $?
+
+ echo "NV read with NV password ${SESS} - should fail"
+ ${PREFIX}nvread -ha 01000000 ${SESS} -pwdn nnn > run.out
+ checkFailure $?
+
+ echo "NV read with owner password ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -hia o -pwdn ooo ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Undefine authorizing index ${SESS}"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 -pwdp ooo ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Clear owner auth ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi o -pwda ooo ${SESS} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+# getcapability -cap 1 -pr 01000000
+
+echo ""
+echo "NV Platform auth"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "Set platform auth ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi p -pwdn ppp ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Define an NV index with platform auth ${SESS}"
+ ${PREFIX}nvdefinespace -hi p -hia p -ha 01000000 -pwdp ppp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Read public, get Name, not written"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV write with NV password ${SESS} - should fail"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV write with platform password ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -hia p -pwdn ppp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read with NV password ${SESS} - should fail"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV write with platform password ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -hia p -pwdn ppp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Undefine authorizing index ${SESS}"
+ ${PREFIX}nvundefinespace -hi p -ha 01000000 -pwdp ppp ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Clear platform auth ${SESS}"
+ ${PREFIX}hierarchychangeauth -hi p -pwda ppp ${SESS} > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Write Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space with write define"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at wd > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, unwritten Name"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Write lock ${SESS}"
+ ${PREFIX}nvwritelock -ha 01000000 -pwdn nnn ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS} - should fail"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Read Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space with read stclear"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at rst > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, unwritten Name"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Read lock ${SESS}"
+ ${PREFIX}nvreadlock -ha 01000000 -pwdn nnn ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS} - should fail"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Global Lock"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space 01000000 with global lock"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at gl > run.out
+ checkSuccess $?
+
+ echo "NV Define Space 01000001 with global lock"
+ ${PREFIX}nvdefinespace -hi o -ha 01000001 -pwdn nnn -sz 16 +at gl > run.out
+ checkSuccess $?
+
+ echo "NV write 01000000 ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV write 01000001 ${SESS}"
+ ${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV global lock"
+ ${PREFIX}nvglobalwritelock -hia p > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, 01000000, locked"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, 01000001, locked"
+ ${PREFIX}nvreadpublic -ha 01000001 > run.out
+ checkSuccess $?
+
+ echo "NV write 01000000 ${SESS} - should fail"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV write 01000001 ${SESS} - should fail"
+ ${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV read 01000000 ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read 01000001 ${SESS}"
+ ${PREFIX}nvread -ha 01000001 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space 01000000"
+ ${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space 01000001"
+ ${PREFIX}nvundefinespace -hi p -ha 01000001 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+# policy is policycommandcode + policyauthvalue
+# aa 83 a5 98 d9 3a 56 c9 ca 6f ea 7c 3f fc 4e 10
+# 63 57 ff 6d 93 e1 1a 9b 4a c2 b6 aa e1 2b a0 de
+
+echo "NV Define Space with POLICY_DELETE and no policy - should fail"
+${PREFIX}nvdefinespace -hi o -ha 01000000 +at pold > run.out
+checkFailure $?
+
+echo ""
+echo "NV Change Authorization"
+echo ""
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for SESS in "" "-se0 02000000 1"
+do
+
+ echo "NV Define Space 0100000"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -pol policies/policyccnvchangeauth-auth.bin > run.out
+ checkSuccess $?
+
+ echo "NV Read Public, unwritten Name"
+ ${PREFIX}nvreadpublic -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Policy command code"
+ ${PREFIX}policycommandcode -ha 03000001 -cc 0000013b > run.out
+ checkSuccess $?
+
+ echo "Policy authvalue"
+ ${PREFIX}policyauthvalue -ha 03000001 > run.out
+ checkSuccess $?
+
+ echo "NV Change authorization"
+ ${PREFIX}nvchangeauth -ha 01000000 -pwdo nnn -pwdn xxx -se0 03000001 1 > run.out
+ checkSuccess $?
+
+ echo "NV write ${SESS}, old auth - should fail"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV read ${SESS}, old auth - should fail"
+ ${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 3 ${SESS} > run.out
+ checkFailure $?
+
+ echo "NV write ${SESS}"
+ ${PREFIX}nvwrite -ha 01000000 -pwdn xxx -if policies/aaa ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV read ${SESS}"
+ ${PREFIX}nvread -ha 01000000 -pwdn xxx -sz 3 ${SESS} > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+ checkSuccess $?
+
+ echo "Flush the auth session"
+ ${PREFIX}flushcontext -ha 03000001 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV Change Authorization with bind"
+echo ""
+
+echo "NV Define Space 0100000"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 -pol policies/policyccnvchangeauth-auth.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC session, bind to NV index"
+${PREFIX}startauthsession -se h -bi 01000000 -pwdb nnn > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy command code"
+${PREFIX}policycommandcode -ha 03000001 -cc 0000013b > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000001 > run.out
+checkSuccess $?
+
+echo "NV Change authorization"
+${PREFIX}nvchangeauth -ha 01000000 -pwdo nnn -pwdn xxx -se0 03000001 1 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 03000001 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV Undefine space special"
+echo ""
+
+# policy is policy command code + policy password
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+for POL in "policyauthvalue" "policypassword"
+do
+
+ echo "NV Define Space 0100000"
+ ${PREFIX}nvdefinespace -hi p -ha 01000000 -pwdn nnn -sz 16 +at pold -pol policies/policyccundefinespacespecial-auth.bin > run.out
+ checkSuccess $?
+
+ echo "Undefine space special - should fail"
+ ${PREFIX}nvundefinespacespecial -ha 01000000 -pwdn nnn > run.out
+ checkFailure $?
+
+ echo "Undefine space special - should fail"
+ ${PREFIX}nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ checkFailure $?
+
+ echo "Policy command code, NV undefine space special"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 11f > run.out
+ checkSuccess $?
+
+ echo "Undefine space special - should fail"
+ ${PREFIX}nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ checkFailure $?
+
+ echo "Policy ${POL}"
+ ${PREFIX}${POL} -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Undefine space special"
+ ${PREFIX}nvundefinespacespecial -ha 01000000 -se0 03000000 1 -pwdn nnn > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+# ${PREFIX}getcapability -cap 1 -pr 01000000
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.bat
new file mode 100644
index 0000000..a113434
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.bat
@@ -0,0 +1,1029 @@
+REM #################################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2016 - 2019 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #################################################################################
+
+setlocal enableDelayedExpansion
+
+REM # PIN Pass index name is
+REM
+REM # 00 0b da 1c bd 54 bb 81 54 6c 1c 76 30 dd d4 09
+REM # 50 3a 0d 6d 03 05 16 1b 15 88 d6 6b c8 fa 17 da
+REM # ad 81
+REM
+REM # Policy Secret using PIN Pass index is
+REM
+REM # 56 e4 c7 26 d7 d7 dd 3c bd 4c ae 11 c0 1b 2e 83
+REM # 3c 37 33 3c fb c3 b9 c3 5f 05 ab 53 23 0c df 7d
+REM
+REM # PIN Fail index name is
+REM
+REM # 00 0b 86 11 40 4a e8 0c 0a 84 e5 b8 97 05 98 f0
+REM # b5 60 2d 14 21 19 bf 44 9d e5 f9 61 84 bc 4c 01
+REM # c4 be
+REM
+REM # Policy Secret using PIN Fail index is
+REM
+REM # 9d 56 8f da 52 27 30 dc be a8 ad 59 bc a5 0c 1c
+REM # 16 02 95 03 a0 0b d3 d8 20 a8 b2 d8 5b c5 12 df
+REM
+REM
+REM # 01000000 is PIN pass or PIN fail index
+REM # 01000001 is ordinary index with PIN pass policy
+REM # 01000002 is ordinary index with PIN fail policy
+
+
+echo ""
+echo "NV PIN Index"
+echo ""
+
+echo "NV Define Space, 01000001, ordinary index, with policysecret for pin pass index 01000000"
+%TPM_EXE_PATH%nvdefinespace -ha 01000001 -hi o -pwdn ppi -ty o -hia p -sz 1 -pol policies/policysecretnvpp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write to set written bit"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -hia p -ic 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000002, ordinary index, with policysecret for pin fail index 01000000"
+%TPM_EXE_PATH%nvdefinespace -ha 01000002 -hi o -pwdn pfi -ty o -hia p -sz 1 -pol policies/policysecretnvpf.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write to set written bit"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -hia p -ic 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Pass Index"
+echo ""
+
+echo "Set phEnableNV"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he n > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000000, pin pass, read/write stclear, policy secret using platform auth"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p +at wst +at rst -hia p -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, not written - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read does not affect count"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read does not affect count, should succeed"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, platform auth"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy write, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, platform auth"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy read should not increment pin count"
+%TPM_EXE_PATH%nvread -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Index read should increment pin count"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -id 1 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Index read, no uses - should fail"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform read, no uses"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 -id 1 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Pass Index in Policy Secret"
+echo ""
+
+echo "Policy Secret with PWAP session, bad password - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, bad password does not consume pinCount - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, should consume pin couunt"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Get Digest, 50 b9 63 d6 ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read ordinary index using PIN pass policy secret"
+%TPM_EXE_PATH%nvread -ha 01000001 -sz 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, 1 use, 1 / 2"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 1 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 0 uses, 0 / 0"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 1 use. 1 / 1, already used"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 1 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 0 uses. 2 / 1, already used"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 2 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Pass Index with Write Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write lock, 01000000"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, locked - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Reboot"
+%TPM_EXE_PATH%powerup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup"
+%TPM_EXE_PATH%startup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Pass Index with Read Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read lock, 01000000"
+%TPM_EXE_PATH%nvreadlock -ha 01000000 -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read, locked - should fail"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, read locked"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Pass Index with phEnableNV clear"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear phEnableNV"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he n -state 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, phEnableNV disabled - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Set phEnableNV"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he n -state 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Cleanup NV PIN Pass"
+echo ""
+
+echo "NV Undefine Space, 01000000 "
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session, 03000000 "
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Fail Index"
+echo ""
+
+echo "NV Define Space, 01000000, pin fail, read/write stclear, policy secret using platform auth"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f +at wst +at rst -hia p -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, not written - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 1 failure, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read with bad password - should fail"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 -pwdn xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, platform auth"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy write, 01000000, platform auth"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, platform auth"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy read, 01000000"
+%TPM_EXE_PATH%nvread -ha 01000000 -sz 8 -id 0 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, 0/ 1 failure"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Index read, 01000000, correct password"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Index read, 01000000, bad password - should fail"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nn -sz 8 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Index read, 01000000, correct password - should fail because tries used"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, 0 / 1 failure"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Index read, 01000000"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Fail Index in Policy Secret"
+echo ""
+
+echo "Platform write, 2 failures, 0 / 2"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, good password"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, good password - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform write, 1 failure use, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 0 failures, 1 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 1 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Fail Index with Write Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 fail, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write lock, 01000000"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, locked - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Reboot"
+%TPM_EXE_PATH%powerup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup"
+%TPM_EXE_PATH%startup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform write, 01000000, unlocked, 1 failure, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Fail Index with Read Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 failure, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read lock 01000000"
+%TPM_EXE_PATH%nvreadlock -ha 01000000 -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform read, locked - should fail"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia p -sz 8 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, read locked"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN Fail Index with phEnableNV clear"
+echo ""
+
+echo "Platform write, 01000000, 1 failure, 0 / 1"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear phEnableNV"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he n -state 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, phEnableNV disabled - should fail"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Set phEnableNV"
+%TPM_EXE_PATH%hierarchycontrol -hi p -he n -state 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "NV Undefine Space 01000000"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000001"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000002"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Recreate the primary key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -pol policies/zerosha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "NV PIN define space"
+echo ""
+
+echo "NV Define Space, 01000000, no write auth - should fail"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p -at ppw > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000000, no read auth - should fail"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p -at ppr -at ar> run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000000, PIN Pass, auth write - should fail"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p +at aw > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000000, PIN Fail, auth write - should fail"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f -hia p +at aw > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Define Space, 01000000, PIN Fail, noDA clear - should fail"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f -hia p -at da > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+rem #
+rem # Additional test for pinCount update when NV auth is not used. This
+rem # tests for a bug fix
+rem #
+
+rem #
+rem # policy calculation
+rem #
+
+echo "Create the policy digest that will be used for the NvIndex write term"
+%TPM_EXE_PATH%startauthsession -se t > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Write"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 137 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get the policycommandcode write term"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of tmppw.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Restart the trial policy session"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Read"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14e > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get the policycommandcode read term"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Restart the trial policy session"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Trial Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get the policyor result"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of tmpor.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the trial policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem #
+rem # Test PIN fail
+rem #
+
+rem # Write the PIN fail index
+
+echo "Creating the NvIndex as PIN Fail, remove authwrite, authread, add ownerread"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -ty f -pwdn pass -pol tmpor.bin -at aw -at ar +at or > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy sesion"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Write"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 137 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Writing count 0, limit 2"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem # test the PIN fail index
+
+echo "Using with PolicySecret, first failure case, increments count"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde pas > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Read"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14e > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the index, should be 1 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -id 1 2 -se0 03000000 01 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Using with PolicySecret, second failure case"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde pas > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Read the index, owner auth, should be 2 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia o -id 2 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem # cleanup
+
+echo "Undefine the PIN fail index"
+%TPM_EXE_PATH%nvundefinespace -ha 01000000 -hi o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem #
+rem # Test PIN pass
+rem #
+
+rem # Write the PIN pass index
+
+echo "Creating the NvIndex as PIN Pass, remove authwrite, authread, add ownerread"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -ty p -pwdn pass -pol tmpor.bin -at aw -at ar +at or > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Write"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 137 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Writing count 0, limit 2"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem # test the PIN pass index
+
+echo "policycommandcode TPM_CC_NV_Read"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14e > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the index, should be 0 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the index, owner auth, should be 0 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia o -id 0 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Using with PolicySecret, success, increments count"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde pass > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Restart the policy session"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "policycommandcode TPM_CC_NV_Read"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14e > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the index, should be 1 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -id 1 2 -se0 03000000 00 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the index, owner auth, should be 1 2"
+%TPM_EXE_PATH%nvread -ha 01000000 -hia o -id 1 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rem # cleanup
+
+echo "Undefine the PIN fail index"
+%TPM_EXE_PATH%nvundefinespace -ha 01000000 -hi o > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -r tmppw.bin
+rm -r tmppr.bin
+rm -r tmpor.bin
+
+rem # %TPM_EXE_PATH%getcapability -cap 1 -pr 80000000
+rem # %TPM_EXE_PATH%getcapability -cap 1 -pr 02000000
+rem # %TPM_EXE_PATH%getcapability -cap 1 -pr 03000000
+rem # %TPM_EXE_PATH%getcapability -cap 1 -pr 01000000
+
+exit /B 0
+
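Review bot: The cleanup at the end of the hunk removes the temporary policy digests with `rm -r tmppw.bin` (and the same for tmppr.bin and tmpor.bin), which is not a cmd.exe command, so on a plain Windows shell without Unix tools on the PATH these lines print an error and leave the files behind, and unlike every TPM step above the result is not checked; the native one-liner is `del tmppw.bin tmppr.bin tmpor.bin` (`-r` is meaningless for a regular file anyway). The session flush in the "Cleanup" section of the PIN Fail part carries a doubled redirect, `flushcontext -ha 03000000 > run.out > run.out`, which should be a single `> run.out` to match the rest of the file. The last policysecret of the "NV PIN Fail Index in Policy Secret" section is labelled `good password, resets pinCount` but is followed by an `EQU 0` exit check, i.e. it is expected to fail because the count was just written equal to its limit (`-id 1 1`); the label should read `Policy Secret with PWAP session, good password, count at limit - should fail` so a reader of run.out is not misled, and the final `Undefine the PIN fail index` echo in the PIN pass section should say PIN pass.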
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.sh
new file mode 100755
index 0000000..89d14a7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testnvpin.sh
@@ -0,0 +1,739 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2016 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# PIN Pass index name is
+
+# 00 0b da 1c bd 54 bb 81 54 6c 1c 76 30 dd d4 09
+# 50 3a 0d 6d 03 05 16 1b 15 88 d6 6b c8 fa 17 da
+# ad 81
+
+# Policy Secret using PIN Pass index is
+
+# 56 e4 c7 26 d7 d7 dd 3c bd 4c ae 11 c0 1b 2e 83
+# 3c 37 33 3c fb c3 b9 c3 5f 05 ab 53 23 0c df 7d
+
+# PIN Fail index name is
+
+# 00 0b 86 11 40 4a e8 0c 0a 84 e5 b8 97 05 98 f0
+# b5 60 2d 14 21 19 bf 44 9d e5 f9 61 84 bc 4c 01
+# c4 be
+
+# Policy Secret using PIN Fail index is
+
+# 9d 56 8f da 52 27 30 dc be a8 ad 59 bc a5 0c 1c
+# 16 02 95 03 a0 0b d3 d8 20 a8 b2 d8 5b c5 12 df
+
+# 01000000 is PIN pass or PIN fail index
+# 01000001 is ordinary index with PIN pass policy
+# 01000002 is ordinary index with PIN fail policy
+
+
+echo ""
+echo "NV PIN Index"
+echo ""
+
+echo "NV Define Space, 01000001, ordinary index, with policysecret for pin pass index 01000000"
+${PREFIX}nvdefinespace -ha 01000001 -hi o -pwdn ppi -ty o -hia p -sz 1 -pol policies/policysecretnvpp.bin > run.out
+checkSuccess $?
+
+echo "Platform write to set written bit"
+${PREFIX}nvwrite -ha 01000001 -hia p -ic 0 > run.out
+checkSuccess $?
+
+echo "NV Define Space, 01000002, ordinary index, with policysecret for pin fail index 01000000"
+${PREFIX}nvdefinespace -ha 01000002 -hi o -pwdn pfi -ty o -hia p -sz 1 -pol policies/policysecretnvpf.bin > run.out
+checkSuccess $?
+
+echo "Platform write to set written bit"
+${PREFIX}nvwrite -ha 01000002 -hia p -ic 0 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Pass Index"
+echo ""
+
+echo "Set phEnableNV"
+${PREFIX}hierarchycontrol -hi p -he n > run.out
+checkSuccess $?
+
+echo "NV Define Space, 01000000, pin pass, read/write stclear, policy secret using platform auth"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p +at wst +at rst -hia p -pol policies/policysecretp.bin > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, not written - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Platform read does not affect count"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+checkSuccess $?
+
+echo "Platform read does not affect count, should succeed"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, platform auth"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Policy write, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, platform auth"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Policy read should not increment pin count"
+${PREFIX}nvread -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Platform write, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Index read should increment pin count"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -id 1 1 > run.out
+checkSuccess $?
+
+echo "Index read, no uses - should fail"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+checkFailure $?
+
+echo "Platform read, no uses"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 -id 1 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Pass Index in Policy Secret"
+echo ""
+
+echo "Policy Secret with PWAP session, bad password - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+checkFailure $?
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, bad password does not consume pinCount - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, should consume pin couunt"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Policy Get Digest, 50 b9 63 d6 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Read ordinary index using PIN pass policy secret"
+${PREFIX}nvread -ha 01000001 -sz 1 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Platform write, 01000000, 1 use, 1 / 2"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 1 2 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Platform write, 0 uses, 0 / 0"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 0 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 1 use. 1 / 1, already used"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 1 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 0 uses. 2 / 1, already used"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 2 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo ""
+echo "NV PIN Pass Index with Write Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Write lock, 01000000"
+${PREFIX}nvwritelock -ha 01000000 -hia p > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, pinCount used - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 01000000, locked - should fail"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkFailure $?
+
+echo "Reboot"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup"
+${PREFIX}startup > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Pass Index with Read Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Read lock, 01000000"
+${PREFIX}nvreadlock -ha 01000000 -hia p > run.out
+checkSuccess $?
+
+echo "Platform read, locked - should fail"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, read locked"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Pass Index with phEnableNV clear"
+echo ""
+
+echo "Platform write, 01000000, 1 use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Clear phEnableNV"
+${PREFIX}hierarchycontrol -hi p -he n -state 0 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, phEnableNV disabled - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Set phEnableNV"
+${PREFIX}hierarchycontrol -hi p -he n -state 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "Cleanup NV PIN Pass"
+echo ""
+
+echo "NV Undefine Space, 01000000 "
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo "Flush the policy session, 03000000 "
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Fail Index"
+echo ""
+
+echo "NV Define Space, 01000000, pin fail, read/write stclear, policy secret using platform auth"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f +at wst +at rst -hia p -pol policies/policysecretp.bin > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, not written - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 1 failure, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Platform read"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 -id 0 1 > run.out
+checkSuccess $?
+
+echo "Platform read with bad password - should fail"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 -pwdn xxx > run.out
+checkFailure $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, platform auth"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Policy write, 01000000, platform auth"
+${PREFIX}nvwrite -ha 01000000 -id 0 1 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, platform auth"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Policy read, 01000000"
+${PREFIX}nvread -ha 01000000 -sz 8 -id 0 1 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Platform write, 01000000, 0 / 1 failure"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Index read, 01000000, correct password"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -id 0 1 > run.out
+checkSuccess $?
+
+echo "Index read, 01000000, bad password - should fail"
+${PREFIX}nvread -ha 01000000 -pwdn nn -sz 8 > run.out
+checkFailure $?
+
+echo "Index read, 01000000, correct password - fail because tries used"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+checkFailure $?
+
+echo "Platform write, 01000000, 0 / 1 failure"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Index read, 01000000"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 -id 0 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Fail Index in Policy Secret"
+echo ""
+
+echo "Platform write, 2 failures, 0 / 2"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 2 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, good password"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, bad password uses pinCount - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnnx > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, good password - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Platform write, 1 failure use, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Platform write, 0 failures, 1 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 1 1 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, good password, resets pinCount"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo ""
+echo "NV PIN Fail Index with Write Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 fail, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Write lock, 01000000"
+${PREFIX}nvwritelock -ha 01000000 -hia p > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo "Platform write, 01000000, locked - should fail"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkFailure $?
+
+echo "Reboot"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup"
+${PREFIX}startup > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Platform write, 01000000, unlocked, 1 failure, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Fail Index with Read Lock"
+echo ""
+
+echo "Platform write, 01000000, 1 failure, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Read lock 01000000"
+${PREFIX}nvreadlock -ha 01000000 -hia p > run.out
+checkSuccess $?
+
+echo "Platform read, locked - should fail"
+${PREFIX}nvread -ha 01000000 -hia p -sz 8 > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, read locked"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkSuccess $?
+
+echo ""
+echo "NV PIN Fail Index with phEnableNV clear"
+echo ""
+
+echo "Platform write, 01000000, 1 failure, 0 / 1"
+${PREFIX}nvwrite -ha 01000000 -hia p -id 0 1 > run.out
+checkSuccess $?
+
+echo "Clear phEnableNV"
+${PREFIX}hierarchycontrol -hi p -he n -state 0 > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session, phEnableNV disabled - should fail"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn > run.out
+checkFailure $?
+
+echo "Set phEnableNV"
+${PREFIX}hierarchycontrol -hi p -he n -state 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "NV Undefine Space 01000000"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 01000001"
+${PREFIX}nvundefinespace -hi o -ha 01000001 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 01000002"
+${PREFIX}nvundefinespace -hi o -ha 01000002 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out > run.out
+checkSuccess $?
+
+# Recreate the primary key
+initprimary
+checkSuccess $?
+
+echo ""
+echo "NV PIN define space"
+echo ""
+
+echo "NV Define Space, 01000000, no write auth - should fail"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p -at ppw > run.out
+checkFailure $?
+
+echo "NV Define Space, 01000000, no read auth - should fail"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p -at ppr -at ar> run.out
+checkFailure $?
+
+echo "NV Define Space, 01000000, PIN Pass, auth write - should fail"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty p -hia p +at aw > run.out
+checkFailure $?
+
+echo "NV Define Space, 01000000, PIN Fail, auth write - should fail"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f -hia p +at aw > run.out
+checkFailure $?
+
+echo "NV Define Space, 01000000, PIN Fail, noDA clear - should fail"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -pwdn nnn -ty f -hia p -at da > run.out
+checkFailure $?
+
+#
+# Additional test for pinCount update when NV auth is not used. This
+# tests for a bug fix
+#
+
+#
+# policy calculation
+#
+
+echo "Create the policy digest that will be used for the NvIndex write term"
+${PREFIX}startauthsession -se t > run.out
+checkSuccess $?
+
+echo "policycommandcode TPM_CC_NV_Write"
+${PREFIX}policycommandcode -ha 03000000 -cc 137 > run.out
+checkSuccess $?
+
+echo "Get the policycommandcode write term"
+${PREFIX}policygetdigest -ha 03000000 -of tmppw.bin > run.out
+checkSuccess $?
+
+echo "Restart the trial policy session"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "policycommandcode TPM_CC_NV_Read"
+${PREFIX}policycommandcode -ha 03000000 -cc 14e > run.out
+checkSuccess $?
+
+echo "Get the policycommandcode read term"
+${PREFIX}policygetdigest -ha 03000000 -of tmppr.bin > run.out
+checkSuccess $?
+
+echo "Restart the trial policy session"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Trial Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Get the policyor result"
+${PREFIX}policygetdigest -ha 03000000 -of tmpor.bin > run.out
+checkSuccess $?
+
+echo "Flush the trial policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+#
+# Test PIN fail
+#
+
+# Write the PIN fail index
+
+echo "Creating the NvIndex as PIN Fail, remove authwrite, authread, add ownerread"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -ty f -pwdn pass -pol tmpor.bin -at aw -at ar +at or > run.out
+checkSuccess $?
+
+echo "Start policy sesion"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "policycommandcode TPM_CC_NV_Write"
+${PREFIX}policycommandcode -ha 03000000 -cc 137 > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Writing count 0, limit 2"
+${PREFIX}nvwrite -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+checkSuccess $?
+
+# test the PIN fail index
+
+echo "Using with PolicySecret, first failure case, increments count"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde pas > run.out
+checkFailure $?
+
+echo "policycommandcode TPM_CC_NV_Read"
+${PREFIX}policycommandcode -ha 03000000 -cc 14e > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Read the index, should be 1 2"
+${PREFIX}nvread -ha 01000000 -id 1 2 -se0 03000000 01 > run.out
+checkSuccess $?
+
+echo "Using with PolicySecret, second failure case"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde pas > run.out
+checkFailure $?
+
+echo "Read the index, owner auth, should be 2 2"
+${PREFIX}nvread -ha 01000000 -hia o -id 2 2 > run.out
+checkSuccess $?
+
+# cleanup
+
+echo "Undefine the PIN fail index"
+${PREFIX}nvundefinespace -ha 01000000 -hi o > run.out
+checkSuccess $?
+
+#
+# Test PIN pass
+#
+
+# Write the PIN pass index
+
+echo "Creating the NvIndex as PIN Pass, remove authwrite, authread, add ownerread"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -ty p -pwdn pass -pol tmpor.bin -at aw -at ar +at or > run.out
+checkSuccess $?
+
+echo "policycommandcode TPM_CC_NV_Write"
+${PREFIX}policycommandcode -ha 03000000 -cc 137 > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Writing count 0, limit 2"
+${PREFIX}nvwrite -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+checkSuccess $?
+
+# test the PIN pass index
+
+echo "policycommandcode TPM_CC_NV_Read"
+${PREFIX}policycommandcode -ha 03000000 -cc 14e > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Read the index, should be 0 2"
+${PREFIX}nvread -ha 01000000 -id 0 2 -se0 03000000 01 > run.out
+checkSuccess $?
+
+echo "Read the index, owner auth, should be 0 2"
+${PREFIX}nvread -ha 01000000 -hia o -id 0 2 > run.out
+checkSuccess $?
+
+echo "Using with PolicySecret, success, increments count"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde pass > run.out
+checkSuccess $?
+
+echo "Restart the policy session"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "policycommandcode TPM_CC_NV_Read"
+${PREFIX}policycommandcode -ha 03000000 -cc 14e > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if tmppw.bin -if tmppr.bin > run.out
+checkSuccess $?
+
+echo "Read the index, should be 1 2"
+${PREFIX}nvread -ha 01000000 -id 1 2 -se0 03000000 00 > run.out
+checkSuccess $?
+
+echo "Read the index, owner auth, should be 1 2"
+${PREFIX}nvread -ha 01000000 -hia o -id 1 2 > run.out
+checkSuccess $?
+
+# cleanup
+
+echo "Undefine the PIN fail index"
+${PREFIX}nvundefinespace -ha 01000000 -hi o > run.out
+checkSuccess $?
+
+rm -r tmppw.bin
+rm -r tmppr.bin
+rm -r tmpor.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+# ${PREFIX}getcapability -cap 1 -pr 03000000
+# ${PREFIX}getcapability -cap 1 -pr 01000000
+
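Review bot: The label `echo "Policy Secret with PWAP session, good password, resets pinCount"` in the "NV PIN Fail Index in Policy Secret" section contradicts the `checkFailure $?` that follows it: the preceding platform write sets the index to `1 / 1`, so pinCount already equals pinLimit and the PolicySecret is expected to be rejected; the message should say so, e.g. `echo "Policy Secret with PWAP session, pinCount at limit - should fail"`. Accurate labels matter here because run.out is the only record of which lockout behaviour each step actually verified. Two smaller slips in the same file: the cleanup label "Undefine the PIN fail index" in the PIN pass section undefines the index that was just defined with `-ty p` (the testnvpin.bat tail above repeats the same text), and `flushcontext -ha 03000000 > run.out > run.out` carries a duplicated redirect. The `rm -r` calls at the end operate on plain temp files, so `-r` is not needed; `rm -f tmppw.bin tmppr.bin tmpor.bin` is what is meant.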
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.bat
new file mode 100644
index 0000000..e840fc2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.bat
@@ -0,0 +1,348 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM #
+REM (c) Copyright IBM Corporation 2015 - 2019 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+REM #
+REM # for pcrextend
+REM #
+REM
+REM # extend of aaa + 0 pad to digest length using pcrextend, use resettable PCR 16
+REM
+REM # sha1extaaa0.bin
+REM # 1d 47 f6 8a ce d5 15 f7 79 73 71 b5 54 e3 2d 47
+REM # 98 1a a0 a0
+REM
+REM # sha256extaaa0.bin
+REM # c2 11 97 64 d1 16 13 bf 07 b7 e2 04 c3 5f 93 73
+REM # 2b 4a e3 36 b4 35 4e bc 16 e8 d0 c3 96 3e be bb
+REM
+REM # sha384extaaa0.bin
+REM # 29 29 63 e3 1c 34 c2 72 bd ea 27 15 40 94 af 92
+REM # 50 ad 97 d9 e7 44 6b 83 6d 3a 73 7c 90 ca 47 df
+REM # 2c 39 90 21 ce dd 00 85 3e f0 84 97 c5 a4 23 84
+REM
+REM # sha512extaaa0.bin
+REM # 7f e1 e4 cf 01 52 93 13 6b f1 30 18 30 39 b6 a6
+REM # 46 ea 00 8b 75 af d0 f8 46 6a 9b fe 53 1a f8 ad
+REM # a8 67 a6 58 28 cf ce 48 60 77 52 9e 54 f1 83 0a
+REM # a4 9a b7 80 56 2b ae a4 9c 67 a8 73 34 ff e7 78
+REM
+REM #
+REM # for pcrevent
+REM #
+REM
+REM # first hash using hash -ic aaa -ns
+REM # then extend using policymaker
+REM
+REM # sha1 of aaa
+REM # 7e240de74fb1ed08fa08d38063f6a6a91462a815
+REM # extend
+REM # ab 53 c7 ec 3f fe fe 21 9e 9d 89 da f1 8e 16 55
+REM # 3e 23 8e a6
+REM
+REM # sha256 of aaa
+REM # 9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0
+REM # extend
+REM # df 81 1e 9d 19 a0 d3 3d e6 7b b1 c7 26 a6 20 5c
+REM # d0 a2 eb 0f 61 b7 c9 ee 91 66 eb cf dc 17 db ab
+REM
+REM # sha384 of aaa
+REM # 8e07e5bdd64aa37536c1f257a6b44963cc327b7d7dcb2cb47a22073d33414462bfa184487cf372ce0a19dfc83f8336d8
+REM # extend of that
+REM # 61 bc 70 39 e2 94 87 c2 17 b0 b1 46 10 5d 64 e6
+REM # ad 32 a6 d5 c2 5b 45 01 a7 4b bc a7 7f cc 24 25
+REM # 36 ca 1a 40 f9 36 44 f0 d8 b0 98 ea a6 50 97 4d
+REM
+REM # sha512 of aaa
+REM # d6f644b19812e97b5d871658d6d3400ecd4787faeb9b8990c1e7608288664be77257104a58d033bcf1a0e0945ff06468ebe53e2dff36e248424c7273117dac09
+REM # extend of that (using policymaker)
+REM # cb 7f be b3 1c 29 61 24 4c 9c 47 80 84 0d b4 3a
+REM # 76 3f ba 96 ef c1 d9 52 f4 e3 e0 2c 06 8a 31 8a
+REM # e5 3f a0 a7 a1 74 e8 23 e3 07 1a cd c6 52 6f b6
+REM # 77 6d 07 0f 36 47 27 4d a6 29 db c9 10 a7 6c 2a
+REM
+REM # all these variables are related
+REM
+REM # bank algorithm test pattern is
+
+set BANKS=^
+ "sha1" ^
+ "sha256" ^
+ "sha384" ^
+ "sha512" ^
+ "sha1 sha256" ^
+ "sha1 sha384" ^
+ "sha1 sha512" ^
+ "sha256 sha384" ^
+ "sha256 sha512" ^
+ "sha384 sha512" ^
+ "sha1 sha256 sha384" ^
+ "sha1 sha256 sha512" ^
+ "sha1 sha384 sha512" ^
+ "sha256 sha384 sha512" ^
+ "sha1 sha256 sha384 sha512"
+
+REM # bank extend algorithm test pattern is
+
+set EXTEND=^
+ "-halg sha1" ^
+ "-halg sha256" ^
+ "-halg sha384" ^
+ "-halg sha512" ^
+ "-halg sha1 -halg sha256" ^
+ "-halg sha1 -halg sha384" ^
+ "-halg sha1 -halg sha512" ^
+ "-halg sha256 -halg sha384" ^
+ "-halg sha256 -halg sha512" ^
+ "-halg sha384 -halg sha512" ^
+ "-halg sha1 -halg sha256 -halg sha384" ^
+ "-halg sha1 -halg sha256 -halg sha512" ^
+ "-halg sha1 -halg sha384 -halg sha512" ^
+ "-halg sha256 -halg sha384 -halg sha512" ^
+ "-halg sha1 -halg sha256 -halg sha384 -halg sha512"
+
+REM # bank event file test pattern is
+
+set EVENT=^
+ "-of1 tmpsha1.bin" ^
+ "-of2 tmpsha256.bin" ^
+ "-of3 tmpsha384.bin" ^
+ "-of5 tmpsha512.bin" ^
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin" ^
+ "-of1 tmpsha1.bin -of3 tmpsha384.bin" ^
+ "-of1 tmpsha1.bin -of5 tmpsha512.bin" ^
+ "-of2 tmpsha256.bin -of3 tmpsha384.bin" ^
+ "-of2 tmpsha256.bin -of5 tmpsha512.bin" ^
+ "-of3 tmpsha384.bin -of5 tmpsha512.bin" ^
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of3 tmpsha384.bin" ^
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of5 tmpsha512.bin" ^
+ "-of1 tmpsha1.bin -of3 tmpsha384.bin -of5 tmpsha512.bin" ^
+ "-of2 tmpsha256.bin -of3 tmpsha384.bin -of5 tmpsha512.bin" ^
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of3 tmpsha384.bin -of5 tmpsha512.bin"
+)
+
+REM # assuming starts with starts with sha1 sha256 sha384 sha512
+
+set ALLOC=^
+ "-sha256 -sha384 -sha512" ^
+ "-sha1 +sha256" ^
+ "-sha256 +sha384" ^
+ "-sha384 +sha512" ^
+ "+sha1 +sha256 -sha512" ^
+ "-sha256 +sha384" ^
+ "-sha384 +sha512" ^
+ "-sha1 +sha256 +sha384 -sha512" ^
+ "-sha384 +sha512" ^
+ "-sha256 +sha384" ^
+ "+sha1 +sha256 -sha512" ^
+ "-sha384 +sha512" ^
+ "-sha256 +sha384" ^
+ "-sha1 +sha256" ^
+ "+sha1"
+)
+
+REM i is iterator over PCR bank allocation patterns
+set i=0
+for %%a in (!BANKS!) do set /A i+=1 & set BANKS[!i!]=%%~a
+set i=0
+for %%a in (!EXTEND!) do set /A i+=1 & set EXTEND[!i!]=%%~a
+set i=0
+for %%a in (!EVENT!) do set /A i+=1 & set EVENT[!i!]=%%~a
+set i=0
+for %%a in (!ALLOC!) do set /A i+=1 & set ALLOC[!i!]=%%~a
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo ""
+ echo "pcrallocate !BANKS[%%i]!"
+ echo ""
+ %TPM_EXE_PATH%pcrallocate !ALLOC[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "powerup"
+ %TPM_EXE_PATH%powerup > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "startup"
+ %TPM_EXE_PATH%startup > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "display PCR banks"
+ %TPM_EXE_PATH%getcapability -cap 5 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo ""
+ echo "PCR Extend"
+ echo ""
+
+ echo "PCR Reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR Extend !EXTEND[%%i]!"
+ %TPM_EXE_PATH%pcrextend -ha 16 !EXTEND[%%i]! -if policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%H in (!BANKS[%%i]!) do (
+
+ echo "PCR Read %%H"
+ %TPM_EXE_PATH%pcrread -ha 16 -halg %%H -of tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the read data %%H"
+ diff policies/%%Hextaaa0.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+
+ echo ""
+ echo "PCR Event"
+ echo ""
+
+ echo "PCR Reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR Event !EVENT[%%i]!"
+ %TPM_EXE_PATH%pcrevent -ha 16 -if policies/aaa !EVENT[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%H in (!BANKS[%%i]!) do (
+
+ echo "Verify Digest %%H"
+ diff policies/%%Haaa.bin tmp%%H.bin > run.out > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR Read %%H"
+ %TPM_EXE_PATH%pcrread -ha 16 -halg %%H -of tmp%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify Digest %%H"
+ diff policies/%%Hexthaaa.bin tmp%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+
+ echo ""
+ echo "Event Sequence Complete"
+ echo ""
+
+ echo "PCR Reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Event sequence start, alg null"
+ %TPM_EXE_PATH%hashsequencestart -halg null -pwda aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Event Sequence Complete"
+ %TPM_EXE_PATH%eventsequencecomplete -hs 80000000 -pwds aaa -ha 16 -if policies/aaa !EVENT[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%H in (!BANKS[%%i]!) do (
+
+ echo "Verify Digest %%H"
+ diff policies/%%Haaa.bin tmp%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR Read %%H"
+ %TPM_EXE_PATH%pcrread -ha 16 -halg %%H -of tmp%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify Digest %%H"
+ diff policies/%%Hexthaaa.bin tmp%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+)
+
+echo "PCR Reset"
+%TPM_EXE_PATH%pcrreset -ha 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # recreate the primary key that was flushed on the powerup
+
+echo "Create a platform primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -pol policies/zerosha256.bin -tk pritk.bin -ch prich.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
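Review bot: The bare `)` lines that follow the `set EVENT=` and `set ALLOC=` continuation lists have no matching opening parenthesis, while the `set BANKS=` and `set EXTEND=` lists end without one, so these look like leftovers from an earlier form of the lists. cmd.exe appears to tolerate a stray `)` outside a block, but they should be deleted so all four lists are written the same way. In the "PCR Event" loop, `diff policies/%%Haaa.bin tmp%%H.bin > run.out > run.out` redirects stdout twice; drop the second `> run.out`. Every verification step in this script depends on an external `diff` being on PATH, which is not a cmd.exe builtin; a one-line `REM` near `setlocal` naming that prerequisite would turn a confusing mid-run failure into an obvious setup error.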
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.sh
new file mode 100755
index 0000000..ef8fa2c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testpcr.sh
@@ -0,0 +1,300 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2019 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+#
+# for pcrextend
+#
+
+# extend of aaa + 0 pad to digest length using pcrextend, use resettable PCR 16
+
+# sha1extaaa0.bin
+# 1d 47 f6 8a ce d5 15 f7 79 73 71 b5 54 e3 2d 47
+# 98 1a a0 a0
+
+# sha256extaaa0.bin
+# c2 11 97 64 d1 16 13 bf 07 b7 e2 04 c3 5f 93 73
+# 2b 4a e3 36 b4 35 4e bc 16 e8 d0 c3 96 3e be bb
+
+# sha384extaaa0.bin
+# 29 29 63 e3 1c 34 c2 72 bd ea 27 15 40 94 af 92
+# 50 ad 97 d9 e7 44 6b 83 6d 3a 73 7c 90 ca 47 df
+# 2c 39 90 21 ce dd 00 85 3e f0 84 97 c5 a4 23 84
+
+# sha512extaaa0.bin
+# 7f e1 e4 cf 01 52 93 13 6b f1 30 18 30 39 b6 a6
+# 46 ea 00 8b 75 af d0 f8 46 6a 9b fe 53 1a f8 ad
+# a8 67 a6 58 28 cf ce 48 60 77 52 9e 54 f1 83 0a
+# a4 9a b7 80 56 2b ae a4 9c 67 a8 73 34 ff e7 78
+
+#
+# for pcrevent
+#
+
+# first hash using hash -ic aaa -ns
+# then extend using policymaker
+
+# sha1 of aaa
+# 7e240de74fb1ed08fa08d38063f6a6a91462a815
+# extend
+# ab 53 c7 ec 3f fe fe 21 9e 9d 89 da f1 8e 16 55
+# 3e 23 8e a6
+
+# sha256 of aaa
+# 9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0
+# extend
+# df 81 1e 9d 19 a0 d3 3d e6 7b b1 c7 26 a6 20 5c
+# d0 a2 eb 0f 61 b7 c9 ee 91 66 eb cf dc 17 db ab
+
+# sha384 of aaa
+# 8e07e5bdd64aa37536c1f257a6b44963cc327b7d7dcb2cb47a22073d33414462bfa184487cf372ce0a19dfc83f8336d8
+# extend of that
+# 61 bc 70 39 e2 94 87 c2 17 b0 b1 46 10 5d 64 e6
+# ad 32 a6 d5 c2 5b 45 01 a7 4b bc a7 7f cc 24 25
+# 36 ca 1a 40 f9 36 44 f0 d8 b0 98 ea a6 50 97 4d
+
+# sha512 of aaa
+# d6f644b19812e97b5d871658d6d3400ecd4787faeb9b8990c1e7608288664be77257104a58d033bcf1a0e0945ff06468ebe53e2dff36e248424c7273117dac09
+# extend of that (using policymaker)
+# cb 7f be b3 1c 29 61 24 4c 9c 47 80 84 0d b4 3a
+# 76 3f ba 96 ef c1 d9 52 f4 e3 e0 2c 06 8a 31 8a
+# e5 3f a0 a7 a1 74 e8 23 e3 07 1a cd c6 52 6f b6
+# 77 6d 07 0f 36 47 27 4d a6 29 db c9 10 a7 6c 2a
+
+# all these variables are related
+
+# bank algorithm test pattern is
+
+BANKS=( \
+ "sha1" \
+ "sha256" \
+ "sha384" \
+ "sha512" \
+ "sha1 sha256" \
+ "sha1 sha384" \
+ "sha1 sha512" \
+ "sha256 sha384" \
+ "sha256 sha512" \
+ "sha384 sha512" \
+ "sha1 sha256 sha384" \
+ "sha1 sha256 sha512" \
+ "sha1 sha384 sha512" \
+ "sha256 sha384 sha512" \
+ "sha1 sha256 sha384 sha512"
+)
+
+# bank extend algorithm test pattern is
+
+EXTEND=( \
+ "-halg sha1" \
+ "-halg sha256" \
+ "-halg sha384" \
+ "-halg sha512" \
+ "-halg sha1 -halg sha256" \
+ "-halg sha1 -halg sha384" \
+ "-halg sha1 -halg sha512" \
+ "-halg sha256 -halg sha384" \
+ "-halg sha256 -halg sha512" \
+ "-halg sha384 -halg sha512" \
+ "-halg sha1 -halg sha256 -halg sha384"
+ "-halg sha1 -halg sha256 -halg sha512" \
+ "-halg sha1 -halg sha384 -halg sha512" \
+ "-halg sha256 -halg sha384 -halg sha512" \
+ "-halg sha1 -halg sha256 -halg sha384 -halg sha512" \
+)
+
+# bank event file test pattern is
+
+EVENT=( \
+ "-of1 tmpsha1.bin" \
+ "-of2 tmpsha256.bin" \
+ "-of3 tmpsha384.bin" \
+ "-of5 tmpsha512.bin" \
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin" \
+ "-of1 tmpsha1.bin -of3 tmpsha384.bin" \
+ "-of1 tmpsha1.bin -of5 tmpsha512.bin" \
+ "-of2 tmpsha256.bin -of3 tmpsha384.bin" \
+ "-of2 tmpsha256.bin -of5 tmpsha512.bin" \
+ "-of3 tmpsha384.bin -of5 tmpsha512.bin" \
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of3 tmpsha384.bin" \
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of5 tmpsha512.bin" \
+ "-of1 tmpsha1.bin -of3 tmpsha384.bin -of5 tmpsha512.bin" \
+ "-of2 tmpsha256.bin -of3 tmpsha384.bin -of5 tmpsha512.bin" \
+ "-of1 tmpsha1.bin -of2 tmpsha256.bin -of3 tmpsha384.bin -of5 tmpsha512.bin"
+)
+
+# assuming starts with starts with sha1 sha256 sha384 sha512
+
+ALLOC=( \
+ "-sha256 -sha384 -sha512" \
+ "-sha1 +sha256" \
+ "-sha256 +sha384" \
+ "-sha384 +sha512" \
+ "+sha1 +sha256 -sha512" \
+ "-sha256 +sha384" \
+ "-sha384 +sha512" \
+ "-sha1 +sha256 +sha384 -sha512" \
+ "-sha384 +sha512" \
+ "-sha256 +sha384" \
+ "+sha1 +sha256 -sha512" \
+ "-sha384 +sha512" \
+ "-sha256 +sha384" \
+ "-sha1 +sha256" \
+ "+sha1"
+)
+
+# i is iterator over PCR bank allocation patterns
+for ((i = 0 ; i < 15 ; i++))
+do
+ echo ""
+ echo "pcrallocate ${BANKS[i]}"
+ echo ""
+ ${PREFIX}pcrallocate ${ALLOC[i]} > run.out
+ checkSuccess $?
+
+ echo "powerup"
+ ${PREFIX}powerup > run.out
+ checkSuccess $?
+
+ echo "startup"
+ ${PREFIX}startup > run.out
+ checkSuccess $?
+
+ echo "display PCR banks"
+ ${PREFIX}getcapability -cap 5 > run.out
+ checkSuccess $?
+
+ echo ""
+ echo "PCR Extend"
+ echo ""
+
+ echo "PCR Reset banks ${BANKS[i]}"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "PCR Extend ${EXTEND[i]}"
+ ${PREFIX}pcrextend -ha 16 ${EXTEND[i]} -if policies/aaa > run.out
+ checkSuccess $?
+
+ for HALG in ${BANKS[i]}
+ do
+
+ echo "PCR Read ${HALG}"
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -of tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the read data ${HALG}"
+ diff policies/${HALG}extaaa0.bin tmp.bin > run.out
+ checkSuccess $?
+
+ done
+
+ echo ""
+ echo "PCR Event"
+ echo ""
+
+ echo "PCR Reset"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "PCR Event ${EVENT[i]}"
+ ${PREFIX}pcrevent -ha 16 -if policies/aaa ${EVENT[i]} > run.out
+ checkSuccess $?
+
+ for HALG in ${BANKS[i]}
+ do
+
+ echo "Verify Digest ${HALG}"
+ diff policies/${HALG}aaa.bin tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "PCR Read ${HALG}"
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -of tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "Verify Digest ${HALG}"
+ diff policies/${HALG}exthaaa.bin tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ done
+
+ echo ""
+ echo "Event Sequence Complete"
+ echo ""
+
+ echo "PCR Reset"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "Event sequence start, alg null"
+ ${PREFIX}hashsequencestart -halg null -pwda aaa > run.out
+ checkSuccess $?
+
+ echo "Event Sequence Complete"
+ ${PREFIX}eventsequencecomplete -hs 80000000 -pwds aaa -ha 16 -if policies/aaa ${EVENT[i]} > run.out
+ checkSuccess $?
+
+ for HALG in ${BANKS[i]}
+ do
+
+ echo "Verify Digest ${HALG}"
+ diff policies/${HALG}aaa.bin tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "PCR Read ${HALG}"
+ ${PREFIX}pcrread -ha 16 -halg ${HALG} -of tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "Verify Digest ${HALG}"
+ diff policies/${HALG}exthaaa.bin tmp${HALG}.bin > run.out
+ checkSuccess $?
+
+ done
+
+done
+
+echo "PCR Reset"
+${PREFIX}pcrreset -ha 16 > run.out
+checkSuccess $?
+
+# recreate the primary key that was flushed on the powerup
+
+initprimary
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat
new file mode 100644
index 0000000..8ec32e2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.bat
@@ -0,0 +1,2715 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+REM # used for the name in policy ticket
+
+REM if [ -z $TPM_DATA_DIR ]; then
+REM TPM_DATA_DIR=.
+REM fi
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Policy Command Code"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM sign with correct policy command code
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy and wrong password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail, session used "
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+REM quote with bad policy or bad command
+
+REM echo "Start a policy session"
+REM ./startauthsession -se p > run.out
+REM IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote - PWAP"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote - policy, should fail"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # echo "Flush the session"
+REM # ./flushcontext -ha 03000000 > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+
+REM # echo "Start a policy session"
+REM # ./startauthsession -se p > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+echo "Policy command code - quote"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 158 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Quote - policy, should fail"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+
+REM # echo "Flush the session"
+REM # ./flushcontext -ha 03000000 > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Command Code and Policy Password / Authvalue"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policypassword
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy password"
+%TPM_EXE_PATH%policypassword -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, no password should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policyauthvalue
+
+REM # echo "Start a policy session"
+REM # startauthsession -se p > run.out
+REM # IF !ERRORLEVEL! NEQ 0 (
+REM exit /B 1
+REM )
+
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, no password should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Password and Policy Authvalue flags"
+echo ""
+
+for %%C in (policypassword policyauthvalue) do (
+
+
+ echo "Create a signing key under the primary key - policy command code - sign, auth"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code - sign"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy %%C"
+ %TPM_EXE_PATH%%%C -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy, password"
+ %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key under the primary key - policy command code - sign"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code - sign"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy and wrong password"
+ %TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush policy session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Policy Signed"
+echo ""
+
+REM # create rsaprivkey.pem
+REM # > openssl genrsa -out rsaprivkey.pem -aes256 -passout pass:rrrr 2048
+REM # extract the public key
+REM # > openssl pkey -inform pem -outform pem -in rsaprivkey.pem -passin pass:rrrr -pubout -out rsapubkey.pem
+REM # sign a test message msg.bin
+REM # > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+REM #
+REM # create the policy:
+REM # use loadexternal -ns to get the name
+REM
+REM # sha1
+REM # 00044234c24fc1b9de6693a62453417d2734d7538f6f
+REM # sha256
+REM # 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # sha384
+REM # 000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+REM # sha512
+REM # 000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+REM
+REM # 00000160 plus the above name as text, add a blank line for empty policyRef
+REM # to create policies/policysigned$HALG.txt
+REM #
+REM # 0000016000044234c24fc1b9de6693a62453417d2734d7538f6f
+REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # 00000160000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+REM # 00000160000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+REM #
+REM # use sha256 policies, policymaker default (policy session digest
+REM # algorithm is separate from Name and signature hash algorithm)
+REM #
+REM # > policymaker -if policies/policysigned$HALG.txt -of policies/policysigned$HALG.bin -pr
+REM #
+REM # sha1
+REM # 9d 81 7a 4e e0 76 eb b5 cf ee c1 82 05 cc 4c 01
+REM # b3 a0 5e 59 a9 b9 65 a1 59 af 1e cd 3d bf 54 fb
+REM # sha256
+REM # de bf 9d fa 3c 98 08 0b f1 7d d1 d0 7b 54 fd e1
+REM # 07 93 7f e5 40 50 9e 70 96 aa 73 27 53 b3 83 31
+REM # sha384
+REM # 45 c5 da 90 76 92 3a 70 03 6f df 56 ea e7 df db
+REM # 41 e2 01 75 24 49 54 94 66 93 6b c4 fc 88 ab 5c
+REM # sha512
+REM # cd 34 96 08 39 ea 40 88 5e fa 7f 37 8b a7 21 f1
+REM # 78 6d 52 bb 93 47 9c 73 45 88 3c dc 1f 09 06 6f
+REM #
+REM # 80000000 primary key
+REM # 80000001 verification public key
+REM # 80000002 signing key with policy
+REM # 03000000 policy session
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Load external just the public part of PEM at 80000001 - %%H"
+ %TPM_EXE_PATH%loadexternal -halg %%H -nalg %%H -ipem policies/rsapubkey.pem -ns > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a test message with openssl - %%H"
+ openssl dgst -%%H -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+
+ echo "Verify the signature with 80000001 - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if msg.bin -is pssig.bin -raw > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key under the primary key - policy signed - %%H"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysigned%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key at 80000002"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy, should fail"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Policy signed - sign with PEM key - %%H"
+ %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg %%H -pwdk rrrr > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get policy digest"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 -of tmppol.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy signed"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy restart, set back to zero"
+ %TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign just expiration (uint32_t 4 zeros) with openssl - %%H"
+ openssl dgst -%%H -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/zero4.bin
+
+ echo "Policy signed, signature generated externally - %%H"
+ %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg %%H -is pssig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy signed"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session - save nonceTPM"
+ %TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy signed with nonceTPM and expiration, create a ticket - %%H"
+ %TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg %%H -pwdk rrrr -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy signed"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy ticket"
+ %TPM_EXE_PATH%policyticket -ha 03000000 -to to.bin -na h80000001.bin -tk tkt.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest - policy ticket"
+ %TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the verification public key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+REM # getcapability -cap 1 -pr 80000000
+REM # getcapability -cap 1 -pr 02000000
+REM # getcapability -cap 1 -pr 03000000
+
+REM # exit 0
+
+echo ""
+echo "Policy Secret"
+echo ""
+
+REM # 4000000c platform
+REM # 80000000 primary key
+REM # 80000001 signing key with policy
+REM # 03000000 policy session
+REM # 02000001 hmac session
+
+echo "Change platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key under the primary key - policy secret using platform auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session, create a ticket"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret using primary key, create a ticket"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy ticket"
+%TPM_EXE_PATH%policyticket -ha 03000000 -to to.bin -hi p -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy ticket"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with HMAC session"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp -se0 02000001 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy auth back to null"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Secret with NV Auth"
+echo ""
+
+REM Name is
+REM 00 0b e0 65 10 81 c2 fc da 30 69 93 da 43 d1 de
+REM 5b 24 be 42 6e 2d 61 90 7b 42 83 54 69 13 6c 97
+REM 68 1f
+REM
+REM Policy is
+REM c6 93 f9 b0 ef 1a b7 1e ca ae 00 af 1f 0b f4 88
+REM 37 9e ab 16 c1 f8 0d 9f f9 6d 90 41 4e 2f c6 b3
+
+echo "NV Define Space 0100000"
+%TPM_EXE_PATH%nvdefinespace -hi p -ha 01000000 -pwdn nnn -sz 16 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key under the primary key - policy secret NV auth"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretnv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -on noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 01000000 -hs 03000000 -pwde nnn -in noncetpm.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 0100000"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Secret with Object"
+echo ""
+
+REM # Use a externally generated object so that the Name is known and thus
+REM # the policy can be precalculated
+
+REM # Name
+REM # 00 0b 64 ac 92 1a 03 5c 72 b3 aa 55 ba 7d b8 b5
+REM # 99 f1 72 6f 52 ec 2f 68 20 42 fc 0e 0d 29 fa e8
+REM # 17 99
+
+REM # 000001151 plus the above name as text, add a blank line for empty policyRef
+REM # to create policies/policysecretsha256.txt
+REM # 00000151000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
+REM # 4b 7f ca c2 b7 c3 ac a2 7c 5c da 9c 71 e6 75 28
+REM # 63 d2 87 d2 33 ec 49 0e 7a be 88 f1 ef 94 5d 5c
+
+echo "Load the RSA openssl key pair in the NULL hierarchy 80000001"
+%TPM_EXE_PATH%loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key under the primary key - policy secret of object 80000001"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -uwa -pol policies/policysecretsha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - password auth - should fail"
+%TPM_EXE_PATH%sign -hk 80000002 -if policies/aaa -pwdk sig > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy secret"
+%TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policysecret key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the RSA openssl key pair in the NULL hierarchy, userWithAuth false 80000001"
+%TPM_EXE_PATH%loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr -uwa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session - should fail"
+%TPM_EXE_PATH%policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the policysecret key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Authorize"
+echo ""
+
+REM # 80000000 primary
+REM # 80000001 verification public key, openssl
+REM # 80000002 signing key
+REM # 03000000 policy session
+
+REM # Name for 80000001 0004 4234 c24f c1b9 de66 93a6 2453 417d 2734 d753 8f6f
+REM #
+REM # policyauthorizesha256.txt
+REM # 0000016a000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM #
+REM # (need blank line for policyRef)
+REM #
+REM # > policymaker -if policies/policyauthorizesha256.txt -of policies/policyauthorizesha256.bin -pr
+REM #
+REM # eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+REM # ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+
+echo "Create a signing key with policy authorize"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyauthorizesha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load external just the public part of PEM authorizing key"
+%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be zero"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policy to approve, aHash input"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Openssl generate aHash"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policyapproved.bin
+
+echo "Verify the signature to generate ticket"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policyapproved.bin -is pssig.bin -raw -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authorize using the ticket"
+%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policyapproved.bin -skn h80000001.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policy authorize"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 -of policyapproved.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the verification public key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # getcapability -cap 1 -pr 80000000
+REM # getcapability -cap 1 -pr 02000000
+REM # getcapability -cap 1 -pr 03000000
+
+REM # exit 0
+
+echo ""
+echo "Set Primary Policy"
+echo ""
+
+echo "Platform policy empty"
+%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform policy empty, bad password"
+%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Set platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform policy empty, bad password"
+%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Platform policy empty"
+%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Platform policy to policy secret platform auth"
+%TPM_EXE_PATH%setprimarypolicy -hi p -pwda ppp -halg sha256 -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy auth to null with policy secret"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy PCR no select"
+echo ""
+
+REM # create AND term for policy PCR
+REM # > policymakerpcr -halg sha1 -bm 0 -v -pr -of policies/policypcr.txt
+REM # 0000017f00000001000403000000da39a3ee5e6b4b0d3255bfef95601890afd80709
+REM
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
+REM
+REM # 6d 38 49 38 e1 d5 8b 56 71 92 55 94 3f 06 69 66
+REM # b6 fa 2c 23
+
+echo "Create a signing key with policy PCR no select"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcrbm0.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -halg sha1 -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the correct digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be 6d 38 49 38 ... "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, should succeed"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the correct digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR extend PCR 0, updates pcr counter"
+%TPM_EXE_PATH%pcrextend -ha 0 -halg sha1 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policypcr0.txt has 20 * 00
+
+REM # create AND term for policy PCR
+REM # > policymakerpcr -halg sha1 -bm 10000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
+
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
+
+echo ""
+echo "Policy PCR"
+echo ""
+
+echo "Create a signing key with policy PCR PCR 16 zero"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcr.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Reset PCR 16 back to zero"
+%TPM_EXE_PATH%pcrreset -ha 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read PCR 16, should be 00 00 00 00 ..."
+%TPM_EXE_PATH%pcrread -ha 16 -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, policy not satisfied - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the correct digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be 85 33 11 83"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign, should succeed"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR extend PCR 16"
+%TPM_EXE_PATH%pcrextend -ha 16 -halg sha1 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read PCR 0, should be 1d 47 f6 8a ..."
+%TPM_EXE_PATH%pcrread -ha 16 -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the wrong digest"
+%TPM_EXE_PATH%policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be 66 dd e5 e3"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # 01000000 authorizing ndex
+REM # 01000001 authorized index
+REM # 03000000 policy session
+REM #
+REM # 4 byte NV index
+REM # policynv.txt
+REM # policy CC_PolicyNV || args || Name
+REM #
+REM # policynvargs.txt (binary)
+REM # args = hash of 0000 0000 0000 0000 | 0000 | 0000 (eight bytes of zero | offset | op ==)
+REM # hash -hi n -halg sha1 -if policies/policynvargs.txt -v
+REM # openssl dgst -sha1 policies/policynvargs.txt
+REM # 2c513f149e737ec4063fc1d37aee9beabc4b4bbf
+REM #
+REM # NV authorizing index
+REM #
+REM # after defining index and NV write to set written, use
+REM # nvreadpublic -ha 01000000 -nalg sha1
+REM # to get name
+REM # 00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
+REM #
+REM # append Name to policynvnv.txt
+REM #
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
+REM # bc 9b 4c 4f 7b 00 66 19 5b 1d d9 9c 92 7e ad 57 e7 1c 2a fc
+REM #
+REM # file zero8.bin has 8 bytes of hex zero
+
+echo ""
+echo "Policy NV, NV index authorizing"
+echo ""
+
+echo "Define a setbits index, authorizing index"
+%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -ty b > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public, get Name, not written"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV setbits to set written"
+%TPM_EXE_PATH%nvsetbits -ha 01000000 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public, get Name, written"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read, should be zero"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Define an ordinary index, authorized index, policyNV"
+%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public, get Name, not written"
+%TPM_EXE_PATH%nvreadpublic -ha 01000001 -nalg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write to set written"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -ic aa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy not satisfied - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be 0"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV to satisfy the policy"
+%TPM_EXE_PATH%policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be bc 9b 4c 4f ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy satisfied"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Set bit in authorizing NV index"
+%TPM_EXE_PATH%nvsetbits -ha 01000000 -pwdn nnn -bit 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read, should be 1"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV to satisfy the policy - should fail"
+%TPM_EXE_PATH%policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be 00 00 00 00 ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine authorizing index"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine authorized index"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy NV Written"
+echo ""
+
+echo "Define an ordinary index, authorized index, policyNV"
+%TPM_EXE_PATH%nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public, get Name, not written"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -nalg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy not satisfied - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy NV Written no, does not satisfy policy"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy not satisfied - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV Written yes, satisfy policy"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy satisfied but written clear - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write using password, set written"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV Written yes, satisfy policy"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write, policy satisfied"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV Written no"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy NV Written yes - should fail"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine authorizing index"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Signed externally signed cpHash"
+echo ""
+
+REM # NV Index 01000000 has policy OR
+REM
+REM # Policy A - provisioning: policy written false + policysigned
+REM # demo: authorizer signs NV write all zero
+REM
+REM # Policy B - application: policy written true + policysigned
+REM # demo: authorizer signs NV write abcdefgh
+
+echo "Load external just the public part of PEM at 80000001"
+%TPM_EXE_PATH%loadexternal -ipem policies/rsapubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get the Name of the signing key at 80000001"
+%TPM_EXE_PATH%readpublic -ho 80000001 -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM
+REM # construct policy A
+REM
+REM # policies/policywrittenclrsigned.txt
+REM # 0000018f00
+REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # Add the extra blank line here for policyRef
+REM
+REM # policymaker -if policies/policywrittenclrsigned.txt -of policies/policywrittenclrsigned.bin -pr -ns -v
+REM # intermediate policy digest length 32
+REM # 3c 32 63 23 67 0e 28 ad 37 bd 57 f6 3b 4c c3 4d
+REM # 26 ab 20 5e f2 2f 27 5c 58 d4 7f ab 24 85 46 6e
+REM # intermediate policy digest length 32
+REM # 6b 0d 2d 2b 55 4d 68 ec bc 6c d5 b8 c0 96 c1 70
+REM # 57 5a 95 25 37 56 38 7e 83 d7 76 d9 5b 1b 8e f3
+REM # intermediate policy digest length 32
+REM # 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87
+REM # 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2
+REM # policy digest length 32
+REM # 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87
+REM # 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2
+REM # policy digest:
+REM # 480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f2
+REM
+REM # construct policy B
+REM
+REM # policies/policywrittensetsigned.txt
+REM # 0000018f01
+REM # 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # Add the extra blank line here for policyRef
+REM
+REM # policymaker -if policies/policywrittensetsigned.txt -of policies/policywrittensetsigned.bin -pr -ns -v
+REM # intermediate policy digest length 32
+REM # f7 88 7d 15 8a e8 d3 8b e0 ac 53 19 f3 7a 9e 07
+REM # 61 8b f5 48 85 45 3c 7a 54 dd b0 c6 a6 19 3b eb
+REM # intermediate policy digest length 32
+REM # 7d c2 8f b0 dd 4f ee 97 78 2b 55 43 b1 dc 6b 1e
+REM # e2 bc 79 05 d4 a1 f6 8d e2 97 69 5f a9 aa 78 5f
+REM # intermediate policy digest length 32
+REM # 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82
+REM # 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46
+REM # policy digest length 32
+REM # 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82
+REM # 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46
+REM # policy digest:
+REM # 0943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246
+REM
+REM # construct the Policy OR of A and B
+REM
+REM # policyorwrittensigned.txt - command code plus two policy digests
+REM # 00000171480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f20943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246
+REM # policymaker -if policies/policyorwrittensigned.txt -of policies/policyorwrittensigned.bin -pr
+REM # policy digest length 32
+REM # 06 00 ae 34 7a 30 b0 67 36 d3 32 85 a0 cc ad 46
+REM # 54 1e 62 71 f5 d0 85 10 a7 ff 0e 90 30 54 d6 c9
+
+echo "Define index 01000000 with the policy OR"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi o -sz 8 -pwdn "" -pol policies/policyorwrittensigned.bin -at aw > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get the Name of the NV index not written, should be 00 0b ... bb 0b"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # 000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy A - not written"
+echo ""
+
+REM # construct cpHash for Policy A - not written, writing zeros
+REM
+REM # (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of 0's at offset 0000
+REM # For index auth, authHandle Name and index Name are the same
+REM # policies/nvwritecphasha.txt
+REM # 00000137000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000800000000000000000000
+REM # policymaker -nz -if policies/nvwritecphasha.txt -of policies/nvwritecphasha.bin -pr -ns
+REM # policy digest length 32
+REM # cf 98 1e ee 68 04 3b dd ee 0c ab bc 75 b3 63 be
+REM # 3c f9 ee 22 2a 78 b8 26 3f 06 7b b3 55 2c a6 11
+REM # policy digest:
+REM # cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611
+REM
+REM # construct aHash for Policy A
+REM
+REM # expiration + cpHashA
+REM # policies/nvwriteahasha.txt
+REM # 00000000cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611
+REM # just convert to binary, because openssl does the hash before signing
+REM # xxd -r -p policies/nvwriteahasha.txt policies/nvwriteahasha.bin
+
+echo "Policy NV Written no, satisfy policy"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws n > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy A first intermediate value 3c 32 63 23 ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign aHash with openssl 8813 6530 ..."
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahasha.bin
+echo ""
+
+echo "Policy signed, signature generated externally"
+%TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphasha.bin -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy A final value 48 0b 78 2e ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy OR final value 06 00 ae 34 "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write to set written"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -if policies/zero8.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy B - written"
+echo ""
+
+echo "Get the new (written) Name of the NV index not written, should be 00 0b f5 75"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # 000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8
+REM
+REM # construct cpHash for Policy B
+REM
+REM # (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of abcdefgh at offset 00000
+REM # For index auth, authHandle Name and index Name are the same
+REM # policies/nvwritecphashb.txt
+REM # 00000137000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000861626364656667680000
+REM # policymaker -nz -if policies/nvwritecphashb.txt -of policies/nvwritecphashb.bin -pr -ns
+REM # policy digest length 32
+REM # df 58 08 f9 ab cb 23 7f 8c d7 c9 09 1c 86 12 2d
+REM # 88 6f 02 d4 6e db 53 c8 da 39 bf a2 d6 cf 07 63
+REM # policy digest:
+REM # df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763
+REM
+REM # construct aHash for Policy B
+REM
+REM # expiration + cpHashA
+REM # policies/nvwriteahashb.txt
+REM # 00000000df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763
+REM # just convert to binary, because openssl does the hash before signing
+REM # xxd -r -p policies/nvwriteahashb.txt policies/nvwriteahashb.bin
+
+echo "Policy NV Written yes, satisfy policy"
+%TPM_EXE_PATH%policynvwritten -hs 03000000 -ws y > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy A first intermediate value f7 88 7d 15 ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign aHash with openssl 3700 0a91 ..."
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahashb.bin > run.out
+echo ""
+
+echo "Policy signed, signature generated externally"
+%TPM_EXE_PATH%policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphashb.bin -is sig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy B final value 09 43 ba 3c ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Should be policy OR final value 06 00 ae 34 "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write new data"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -ic abcdefgh -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "Flush the policy session 03000000"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signature verification key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Undefine the NV Index 01000000"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # test using clockrateadjust
+REM # policycphashhash.txt is (hex) 00000130 4000000c 000
+REM # hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha1 -v
+REM # openssl dgst -sha1 policycphashhash.txt
+REM # cpHash is
+REM # b5f919bbc01f0ebad02010169a67a8c158ec12f3
+REM # append to policycphash.txt 00000163 + cpHash
+REM # policymaker -halg sha1 -if policies/policycphash.txt -of policies/policycphash.bin -pr
+REM # 06 e4 6c f9 f3 c7 0f 30 10 18 7c a6 72 69 b0 84 b4 52 11 6f
+
+echo ""
+echo "Policy cpHash"
+echo ""
+
+echo "Set the platform policy to policy cpHash"
+%TPM_EXE_PATH%setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust using wrong password - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy not satisfied - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy cpHash, satisfy policy"
+%TPM_EXE_PATH%policycphash -ha 03000000 -cp policies/policycphashhash.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be 06 e4 6c f9"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy satisfied but bad command params - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 1 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy satisfied"
+%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear the platform policy"
+%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Duplication Select with includeObject FALSE"
+echo ""
+
+REM # These tests uses a new parent and object to be duplicated generated
+REM # externally. This makes the Names repeatable and permits the
+REM # policy to be pre-calculated and static.
+REM
+REM # command code 00000188
+REM # newParentName
+REM # 000b 1a5d f667 7533 4527 37bc 79a5 5ab6
+REM # d9fa 9174 5c03 3dfe 3f82 cdf0 903b a9d6
+REM # 55f1
+REM # includeObject 00
+REM # policymaker -if policies/policydupsel-no.txt -of policies/policydupsel-no.bin -pr -v
+REM # 5f 55 ba 2b 69 0f b0 38 ac 15 ff 2a 86 ef 65 66
+REM # be a8 23 68 43 97 4c 3f a7 36 37 72 56 ec bc 45
+REM
+REM # 80000000 SK storage primary key
+REM # 80000001 NP new parent, the target of the duplication
+REM # 80000002 SI signing key, duplicate from SK to NP
+REM # 03000000 policy session
+
+echo "Import the new parent storage key NP under the primary key"
+%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -st -pwdk rrrr -opu tmpstpub.bin -opr tmpstpriv.bin -halg sha256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the new parent TPM storage key NP at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpstpub.bin -ipr tmpstpriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Import a signing key SI under the primary key 80000000, with policy duplication select"
+%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policydupsel-no.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key SI at 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy duplication select, object SI 80000002 to new parent NP 80000001"
+%TPM_EXE_PATH%policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be 5f 55 ba 2b ...."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001"
+%TPM_EXE_PATH%duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the original SI at 80000002 to free object slot for import"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Import signing key SI under new parent TPM storage key NP 80000001"
+%TPM_EXE_PATH%import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key SI at 80000002"
+%TPM_EXE_PATH%load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the duplicated SI at 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Duplication Select with includeObject TRUE"
+echo ""
+
+REM # command code 00000188
+REM # SI objectName
+REM # 000b 6319 28da 1624 3135 3a59 c03a 2ca7
+REM # dbb7 0989 1440 4236 3c7f a838 39d9 da6c
+REM # 437a
+REM # HP newParentName
+REM # 000b
+REM # 1a5d f667 7533 4527 37bc 79a5 5ab6 d9fa
+REM # 9174 5c03 3dfe 3f82 cdf0 903b a9d6 55f1
+REM # includeObject 01
+REM
+REM # policymaker -if policies/policydupsel-yes.txt -of policies/policydupsel-yes.bin -pr -v
+REM # 14 64 06 4c 80 cb e3 4f f5 03 82 15 38 62 43 17
+REM # 93 94 8f f1 e8 8a c6 23 4d d1 b0 c5 4c 05 f7 3b
+REM
+REM # 80000000 SK storage primary key
+REM # 80000001 NP new parent, the target of the duplication
+REM # 80000002 SI signing key, duplicate from SK to NP
+REM # 03000000 policy session
+
+echo "Import a signing key SI under the primary key 80000000, with policy authorize"
+%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key SI with objectName 000b 6319 28da at 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy duplication select, object SI 80000002 to new parent NP 80000001 with includeObject"
+%TPM_EXE_PATH%policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin -io > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest,should be policy to approve, aHash input 14 64 06 4c same as policies/policydupsel-yes.bin"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the original SI at 80000002 to free object slot for loadexternal "
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policydupsel-yes.bin
+
+echo "Load external just the public part of PEM authorizing key 80000002"
+%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature against 80000002 to generate ticket"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/policydupsel-yes.bin -is pssig.bin -raw -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authorize using the ticket"
+%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policydupsel-yes.bin -skn h80000002.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the PEM authorizing verification key at 80000002 to free object slot for import"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the original signing key SI at 80000002"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001 000b 1a5d f667"
+%TPM_EXE_PATH%duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the original SI at 80000002 to free object slot for import"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Import signing key SI under new parent TPM storage key NP 80000001"
+%TPM_EXE_PATH%import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key SI at 80000002"
+%TPM_EXE_PATH%load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest"
+%TPM_EXE_PATH%sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the duplicated SI at 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the new parent TPM storage key NP 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Name Hash"
+echo ""
+
+REM # signing key SI Name
+REM # 000b
+REM # 6319 28da 1624 3135 3a59 c03a 2ca7 dbb7
+REM # 0989 1440 4236 3c7f a838 39d9 da6c 437a
+REM
+REM # compute nameHash
+REM
+REM # nameHash - just a hash, not an extend
+REM # policymaker -if policies/pnhnamehash.txt -of policies/pnhnamehash.bin -nz -pr -v -ns
+REM # 18 e0 0c 62 77 18 d9 fc 81 22 3d 8a 56 33 7e eb
+REM # 0e 7d 98 28 bd 7b c7 29 1d 3c 27 3f 7a c4 04 f1
+REM # 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1
+REM
+REM # compute policy (based on
+REM
+REM # 00000170 TPM_CC_PolicyNameHash
+REM # signing key SI Name
+REM # 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1
+REM
+REM # policymaker -if policies/policynamehash.txt -of policies/policynamehash.bin -pr -v
+REM # 96 30 f9 00 c3 4c 66 09 c1 c5 92 41 78 c1 b2 3d
+REM # 9f d4 93 f4 f9 c2 98 c8 30 4a e3 0f 97 a2 fd 49
+REM
+REM # 80000000 SK storage primary key
+REM # 80000001 SI signing key
+REM # 80000002 Authorizing public key
+REM # 03000000 policy session
+
+echo "Import a signing key SI under the primary key 80000000, with policy authorize"
+%TPM_EXE_PATH%importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key SI at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest using the password"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy name hash, object SI 80000001"
+%TPM_EXE_PATH%policynamehash -ha 03000000 -nh policies/pnhnamehash.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policy to approve, 96 30 f9 00"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policynamehash.bin
+
+echo "Load external just the public part of PEM authorizing key 80000002"
+%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature against 80000002 to generate ticket"
+%TPM_EXE_PATH%verifysignature -hk 80000002 -halg sha256 -if policies/policynamehash.bin -is pssig.bin -raw -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authorize using the ticket"
+%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policynamehash.bin -skn h80000002.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be eb a3 f9 8c ...."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest using the policy"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key at 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the authorizing key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # test using clockrateadjust and platform policy
+
+REM # operand A time is 64 bits at offset 0, operation GT (2)
+REM # 0000016d 0000 0000 0000 0000 | 0000 | 0002
+REM #
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policycountertimer.txt -of policies/policycountertimer.bin -pr -v
+REM # e6 84 81 27 55 c0 39 d3 68 63 21 c8 93 50 25 dd
+REM # aa 26 42 9a
+
+echo ""
+echo "Policy Counter Timer"
+echo ""
+
+echo "Set the platform policy to policy "
+%TPM_EXE_PATH%setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust using wrong password - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy not satisfied - should fail"
+%TPM_EXE_PATH%clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy counter timer, zero operandB, op EQ satisfy policy - should fail"
+%TPM_EXE_PATH%policycountertimer -ha 03000000 -if policies/zero8.bin -op 0 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy counter timer, zero operandB, op GT satisfy policy"
+%TPM_EXE_PATH%policycountertimer -ha 03000000 -if policies/zero8.bin -op 2 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be e6 84 81 27"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clockrate adjust, policy satisfied"
+%TPM_EXE_PATH%clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Clear the platform policy"
+%TPM_EXE_PATH%setprimarypolicy -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policyccsign.txt 0000016c 0000015d (policy command code | sign)
+REM # policyccquote.txt 0000016c 00000158 (policy command code | quote)
+REM #
+REM # > policymaker -if policies/policyccsign.txt -of policies/policyccsign.bin -pr -v
+REM # cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811
+REM #
+REM # > policymaker -if policies/policyccquote.txt -of policies/policyccquote.bin -pr -v
+REM # a039cad5fe68870688f8233c3e3ee3cf27aac9e2efe3486aeb4e304c0e90cd27
+REM #
+REM # policyor.txt is CC_PolicyOR || digests
+REM # 00000171 | cc69 ... | a039 ...
+REM # > policymaker -if policies/policyor.txt -of policies/policyor.bin -pr -v
+REM # 6b fe c2 3a be 57 b0 2a ce 39 dd 13 bb 60 fa 39
+REM # 4d ac 7b 38 96 56 57 84 b3 73 fc 61 92 94 29 db
+
+echo ""
+echo "PolicyOR"
+echo ""
+
+echo "Create an unrestricted signing key, policy command code sign or quote"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyor.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - should fail"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Quote - should fail"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Get time - should fail, policy not set"
+%TPM_EXE_PATH%gettime -hk 80000001 -qd policies/aaa -se1 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy OR - should fail"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000015d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be cc 69 18 b2"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest, should be 6b fe c2 3a"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign with policy OR"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000015d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote - should fail, wrong command code"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - quote, digest a0 39 ca d5"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 00000158 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR, digest 6b fe c2 3a"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote with policy OR"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Command code - gettime 7a 3e bd aa"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000014c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy OR, gettime not an AND term - should fail"
+%TPM_EXE_PATH%policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # There are times that a policy creator has TPM, PEM, or DER format
+REM # information, but does not have access to a TPM. The publicname
+REM # utility accepts these inputs and outputs the name in the 'no spaces'
+REM # format suitable for pasting into a policy.
+
+echo ""
+echo "publicname RSA"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create an rsa %%H key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -rsa 2048 -nalg %%H -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the rsa %%H key 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the TPM2B_PUBLIC Name"
+ %TPM_EXE_PATH%publicname -ipu tmppub.bin -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the TPM2B_PUBLIC result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the rsa public key to PEM format"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the rsa %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "loadexternal the rsa PEM public key"
+ %TPM_EXE_PATH%loadexternal -ipem tmppub.pem -si -rsa -nalg %%H -halg %%H -scheme rsassa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the PEM Name"
+ %TPM_EXE_PATH%publicname -ipem tmppub.pem -rsa -si -nalg %%H -halg %%H -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the PEM result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the TPM PEM key to DER"
+ openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin
+ echo "INFO:"
+
+ echo "Compute the DER Name"
+ %TPM_EXE_PATH%publicname -ider tmppub.der -rsa -si -nalg %%H -halg %%H -on tmp.bin -v > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the DER result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the rsa %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "publicname ECC"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create an ecc nistp256 %%H key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -ecc nistp256 -nalg %%H -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the ecc %%H key 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the TPM2B_PUBLIC Name"
+ %TPM_EXE_PATH%publicname -ipu tmppub.bin -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the TPM2B_PUBLIC result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the ecc public key to PEM format"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the ecc %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "loadexternal the ecc PEM public key"
+ %TPM_EXE_PATH%loadexternal -ipem tmppub.pem -si -ecc -nalg %%H -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the PEM Name"
+ %TPM_EXE_PATH%publicname -ipem tmppub.pem -ecc -si -nalg %%H -halg %%H -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the PEM result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert the TPM PEM key to DER"
+ openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin -pubout
+ echo "INFO:"
+
+ echo "Compute the DER Name"
+ %TPM_EXE_PATH%publicname -ider tmppub.der -ecc -si -nalg %%H -halg %%H -on tmp.bin -v > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the DER result"
+ diff tmp.bin h80000001.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the ecc %%H key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "publicname NV"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "NV Define Space %%H"
+ %TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -sz 16 -nalg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Read Public"
+ %TPM_EXE_PATH%nvreadpublic -ha 01000000 -opu tmppub.bin -on tmpname.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Compute the NV Index Name"
+ %TPM_EXE_PATH%publicname -invpu tmppub.bin -on tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the NV Index result"
+ diff tmp.bin tmpname.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "NV Undefine Space"
+ %TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rm pssig.bin
+rm run.out
+rm sig.bin
+rm tkt.bin
+rm tmp.bin
+rm tmpdup.bin
+rm tmphkey.bin
+rm tmpname.bin
+rm tmppol.bin
+rm tmppriv.bin
+rm tmppub.bin
+rm tmppub.der
+rm tmppub.pem
+rm tmpsig.bin
+rm tmpsipriv.bin
+rm tmpsipriv1.bin
+rm tmpsipub.bin
+rm tmpss.bin
+rm tmpstpriv.bin
+rm tmpstpub.bin
+
+exit /B 0
+
+REM # getcapability -cap 1 -pr 80000000
+REM # getcapability -cap 1 -pr 01000000
+REM # getcapability -cap 1 -pr 02000000
+REM # getcapability -cap 1 -pr 03000000
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.sh
new file mode 100755
index 0000000..ba7a7ab
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy.sh
@@ -0,0 +1,2031 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# used for the name in policy ticket
+
+if [ -z $TPM_DATA_DIR ]; then
+ TPM_DATA_DIR=.
+fi
+
+
+echo ""
+echo "Policy Command Code"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+# sign with correct policy command code
+# cc69 18b2 2627 3b08 f5bd 406d 7f10 cf16
+# 0f0a 7d13 dfd8 3b77 70cc bcd1 aa80 d811
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be cc69 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy and wrong password"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail, session used "
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+# quote with bad policy or bad command
+
+# echo "Start a policy session"
+# ${PREFIX}startauthsession -se p > run.out
+# checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Quote - PWAP"
+${PREFIX}quote -hp 0 -hk 80000001 -os sig.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Quote - policy, should fail"
+${PREFIX}quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+# echo "Flush the session"
+# ${PREFIX}flushcontext -ha 03000000 > run.out
+# checkSuccess $?
+
+# echo "Start a policy session"
+# ${PREFIX}startauthsession -se p > run.out
+# checkSuccess $?
+
+echo "Policy command code - quote"
+${PREFIX}policycommandcode -ha 03000000 -cc 158 > run.out
+checkSuccess $?
+
+echo "Quote - policy, should fail"
+${PREFIX}quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+# echo "Flush the session"
+# ${PREFIX}flushcontext -ha 03000000 > run.out
+# checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Command Code and Policy Password / Authvalue"
+echo ""
+
+echo "Create a signing key under the primary key - policy command code - sign, auth"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+# policypassword
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy password"
+${PREFIX}policypassword -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, no password should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Sign a digest - policy, password"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
+checkSuccess $?
+
+# policyauthvalue
+
+# echo "Start a policy session"
+# ${PREFIX}startauthsession -se p > run.out
+# checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, no password should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Sign a digest - policy, password"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 -pwdk sig > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Password and Policy Authvalue flags"
+echo ""
+
+for COMMAND in policypassword policyauthvalue
+
+do
+
+ echo "Create a signing key under the primary key - policy command code - sign, auth"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign-auth.bin > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Policy command code - sign"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+ checkSuccess $?
+
+ echo "Policy ${COMMAND}"
+ ${PREFIX}${COMMAND} -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy, password"
+ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Flush signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a signing key under the primary key - policy command code - sign"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyccsign.bin > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Policy command code - sign"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy and wrong password"
+ ${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+ checkSuccess $?
+
+ echo "Flush signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush policy session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Policy Signed"
+echo ""
+
+# create rsaprivkey.pem
+# > openssl genrsa -out rsaprivkey.pem -aes256 -passout pass:rrrr 2048
+# extract the public key
+# > openssl pkey -inform pem -outform pem -in rsaprivkey.pem -passin pass:rrrr -pubout -out rsapubkey.pem
+# sign a test message msg.bin
+# > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+#
+# create the policy:
+# use loadexternal -ns to get the name
+
+# sha1
+# 00044234c24fc1b9de6693a62453417d2734d7538f6f
+# sha256
+# 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# sha384
+# 000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+# sha512
+# 000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+
+# 00000160 plus the above name as text, add a blank line for empty policyRef
+# to create policies/policysigned$HALG.txt
+#
+# 0000016000044234c24fc1b9de6693a62453417d2734d7538f6f
+# 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# 00000160000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+# 00000160000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+#
+# use sha256 policies, policymaker default (policy session digest
+# algorithm is separate from Name and signature hash algorithm)
+#
+# > policymaker -if policies/policysigned$HALG.txt -of policies/policysigned$HALG.bin -pr
+#
+# sha1
+# 9d 81 7a 4e e0 76 eb b5 cf ee c1 82 05 cc 4c 01
+# b3 a0 5e 59 a9 b9 65 a1 59 af 1e cd 3d bf 54 fb
+# sha256
+# de bf 9d fa 3c 98 08 0b f1 7d d1 d0 7b 54 fd e1
+# 07 93 7f e5 40 50 9e 70 96 aa 73 27 53 b3 83 31
+# sha384
+# 45 c5 da 90 76 92 3a 70 03 6f df 56 ea e7 df db
+# 41 e2 01 75 24 49 54 94 66 93 6b c4 fc 88 ab 5c
+# sha512
+# cd 34 96 08 39 ea 40 88 5e fa 7f 37 8b a7 21 f1
+# 78 6d 52 bb 93 47 9c 73 45 88 3c dc 1f 09 06 6f
+#
+# 80000000 primary key
+# 80000001 verification public key
+# 80000002 signing key with policy
+# 03000000 policy session
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Load external just the public part of PEM at 80000001 - $HALG"
+ ${PREFIX}loadexternal -halg $HALG -nalg $HALG -ipem policies/rsapubkey.pem -ns > run.out
+ checkSuccess $?
+
+ echo "Sign a test message with openssl - $HALG"
+ openssl dgst -$HALG -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1
+
+ echo "Verify the signature with 80000001 - $HALG"
+ ${PREFIX}verifysignature -hk 80000001 -halg $HALG -if msg.bin -is pssig.bin -raw > run.out
+ checkSuccess $?
+
+ echo "Create a signing key under the primary key - policy signed - $HALG"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysigned$HALG.bin > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key, at 80000002"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy, should fail"
+ ${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ checkFailure $?
+
+ echo "Policy signed, sign with PEM key - $HALG"
+ ${PREFIX}policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg $HALG -pwdk rrrr > run.out
+ checkSuccess $?
+
+ echo "Get policy digest"
+ ${PREFIX}policygetdigest -ha 03000000 -of tmppol.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy signed"
+ ${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Policy restart, set back to zero"
+ ${PREFIX}policyrestart -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Sign just expiration (uint32_t 4 zeros) with openssl - $HALG"
+ openssl dgst -$HALG -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/zero4.bin > run.out 2>&1
+
+ echo "Policy signed, signature generated externally - $HALG"
+ ${PREFIX}policysigned -hk 80000001 -ha 03000000 -halg $HALG -is pssig.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy signed"
+ ${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "Start a policy session - save nonceTPM"
+ ${PREFIX}startauthsession -se p -on noncetpm.bin > run.out
+ checkSuccess $?
+
+ echo "Policy signed with nonceTPM and expiration, create a ticket - $HALG"
+ ${PREFIX}policysigned -hk 80000001 -ha 03000000 -sk policies/rsaprivkey.pem -halg $HALG -pwdk rrrr -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy signed"
+ ${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "Start a policy session"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Policy ticket"
+ ${PREFIX}policyticket -ha 03000000 -to to.bin -na ${TPM_DATA_DIR}/h80000001.bin -tk tkt.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest - policy ticket"
+ ${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the verification public key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+# getcapability -cap 1 -pr 03000000
+
+# exit 0
+
+echo ""
+echo "Policy Secret with Platform Auth"
+echo ""
+
+# 4000000c platform
+# 80000000 primary key
+# 80000001 signing key with policy
+# 03000000 policy session
+# 02000001 hmac session
+
+echo "Change platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Create a signing key under the primary key - policy secret using platform auth"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretp.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -on noncetpm.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session, create a ticket"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy secret"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -on noncetpm.bin > run.out
+checkSuccess $?
+
+echo "Policy Secret using primary key, create a ticket"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp -in noncetpm.bin -exp -200 -tk tkt.bin -to to.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy secret"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy ticket"
+${PREFIX}policyticket -ha 03000000 -to to.bin -hi p -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy ticket"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -on noncetpm.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Policy Secret with HMAC session"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp -se0 02000001 0 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy secret"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Change platform hierarchy auth back to null"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Secret with NV Auth"
+echo ""
+
+# Name is
+# 00 0b e0 65 10 81 c2 fc da 30 69 93 da 43 d1 de
+# 5b 24 be 42 6e 2d 61 90 7b 42 83 54 69 13 6c 97
+# 68 1f
+
+# Policy is
+# c6 93 f9 b0 ef 1a b7 1e ca ae 00 af 1f 0b f4 88
+# 37 9e ab 16 c1 f8 0d 9f f9 6d 90 41 4e 2f c6 b3
+
+echo "NV Define Space 0100000"
+${PREFIX}nvdefinespace -hi p -ha 01000000 -pwdn nnn -sz 16 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "Create a signing key under the primary key - policy secret NV auth"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policysecretnv.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -on noncetpm.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 01000000 -hs 03000000 -pwde nnn -in noncetpm.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy secret"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 0100000"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+
+echo ""
+echo "Policy Secret with Object"
+echo ""
+
+# Use a externally generated object so that the Name is known and thus
+# the policy can be precalculated
+
+# Name
+# 00 0b 64 ac 92 1a 03 5c 72 b3 aa 55 ba 7d b8 b5
+# 99 f1 72 6f 52 ec 2f 68 20 42 fc 0e 0d 29 fa e8
+# 17 99
+
+# 000001151 plus the above name as text, add a blank line for empty policyRef
+# to create policies/policysecretsha256.txt
+# 00000151000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
+# 4b 7f ca c2 b7 c3 ac a2 7c 5c da 9c 71 e6 75 28
+# 63 d2 87 d2 33 ec 49 0e 7a be 88 f1 ef 94 5d 5c
+
+echo "Load the RSA openssl key pair in the NULL hierarchy 80000001"
+${PREFIX}loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Create a signing key under the primary key - policy secret of object 80000001"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -uwa -pol policies/policysecretsha256.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key 80000002"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Sign a digest - password auth - should fail"
+${PREFIX}sign -hk 80000002 -if policies/aaa -pwdk sig > run.out
+checkFailure $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy secret"
+${PREFIX}sign -hk 80000002 -if msg.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Flush the policysecret key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Load the RSA openssl key pair in the NULL hierarchy, userWithAuth false 80000001"
+${PREFIX}loadexternal -rsa -ider policies/rsaprivkey.der -pwdk rrrr -uwa > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session - should fail"
+${PREFIX}policysecret -ha 80000001 -hs 03000000 -pwde rrrr > run.out
+checkFailure $?
+
+echo "Flush the policysecret key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Authorize"
+echo ""
+
+# 80000000 primary
+# 80000001 verification public key, openssl
+# 80000002 signing key
+# 03000000 policy session
+
+# Name for 80000001 0004 4234 c24f c1b9 de66 93a6 2453 417d 2734 d753 8f6f
+#
+# policyauthorizesha256.txt
+# 0000016a000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+#
+# (need blank line for policyRef)
+#
+# > policymaker -if policies/policyauthorizesha256.txt -of policies/policyauthorizesha256.bin -pr
+#
+# eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+# ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+
+echo "Create a signing key with policy authorize"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyauthorizesha256.bin > run.out
+checkSuccess $?
+
+echo "Load external just the public part of PEM authorizing key 80000001"
+${PREFIX}loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key 80000002 "
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be zero"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policy to approve, aHash input, same as policies/policyccsign.bin"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policyccsign.bin > run.out 2>&1
+
+echo "Verify the signature to generate ticket 80000001"
+${PREFIX}verifysignature -hk 80000001 -halg sha256 -if policies/policyccsign.bin -is pssig.bin -raw -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Policy authorize using the ticket"
+${PREFIX}policyauthorize -ha 03000000 -appr policies/policyccsign.bin -skn ${TPM_DATA_DIR}/h80000001.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policy authorize"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the verification public key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+# getcapability -cap 1 -pr 80000000
+# getcapability -cap 1 -pr 02000000
+# getcapability -cap 1 -pr 03000000
+
+# exit 0
+
+echo ""
+echo "Set Primary Policy"
+echo ""
+
+echo "Platform policy empty"
+${PREFIX}setprimarypolicy -hi p > run.out
+checkSuccess $?
+
+echo "Platform policy empty, bad password"
+${PREFIX}setprimarypolicy -hi p -pwda ppp > run.out
+checkFailure $?
+
+echo "Set platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Platform policy empty, bad password"
+${PREFIX}setprimarypolicy -hi p > run.out
+checkFailure $?
+
+echo "Platform policy empty"
+${PREFIX}setprimarypolicy -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Platform policy to policy secret platform auth"
+${PREFIX}setprimarypolicy -hi p -pwda ppp -halg sha256 -pol policies/policysecretp.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy Secret with PWAP session"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+checkSuccess $?
+
+echo "Change platform hierarchy auth to null with policy secret"
+${PREFIX}hierarchychangeauth -hi p -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy PCR no select"
+echo ""
+
+# create AND term for policy PCR
+# > policymakerpcr -halg sha1 -bm 0 -v -pr -of policies/policypcr.txt
+# 0000017f00000001000403000000da39a3ee5e6b4b0d3255bfef95601890afd80709
+
+# convert to binary policy
+# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcrbm0.bin -pr -v
+
+# 6d 38 49 38 e1 d5 8b 56 71 92 55 94 3f 06 69 66
+# b6 fa 2c 23
+
+echo "Create a signing key with policy PCR no select"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcrbm0.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -halg sha1 -se p > run.out
+checkSuccess $?
+
+echo "Policy PCR, update with the correct digest"
+${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be 6d 38 49 38 ... "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign, should succeed"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy PCR, update with the correct digest"
+${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 0 > run.out
+checkSuccess $?
+
+echo "PCR extend PCR 0, updates pcr counter"
+${PREFIX}pcrextend -ha 0 -halg sha1 -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Sign, should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Flush the policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy PCR 16"
+echo ""
+
+# policypcr0.txt has 20 * 00
+
+# create AND term for policy PCR
+# > policymakerpcr -halg sha1 -bm 010000 -if policies/policypcr0.txt -v -pr -of policies/policypcr.txt
+# 0000017f000000010004030000016768033e216468247bd031a0a2d9876d79818f8f
+
+# convert to binary policy
+# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr.bin -pr -v
+
+# 85 33 11 83 19 03 12 f5 e8 3c 60 43 34 6f 9f 37
+# 21 04 76 8e
+
+echo "Create a signing key with policy PCR PCR 16 zero"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -nalg sha1 -pol policies/policypcr.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Reset PCR 16 back to zero"
+${PREFIX}pcrreset -ha 16 > run.out
+checkSuccess $?
+
+echo "Read PCR 16, should be 00 00 00 00 ..."
+${PREFIX}pcrread -ha 16 -halg sha1 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Sign, policy not satisfied - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkFailure $?
+
+echo "Policy PCR, update with the correct digest"
+${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be 85 33 11 83 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign, should succeed"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "PCR extend PCR 16"
+${PREFIX}pcrextend -ha 16 -halg sha1 -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Read PCR 0, should be 1d 47 f6 8a ..."
+${PREFIX}pcrread -ha 16 -halg sha1 > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Policy PCR, update with the wrong digest"
+${PREFIX}policypcr -ha 03000000 -halg sha1 -bm 10000 > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be 66 dd e5 e3"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 0 > run.out
+checkFailure $?
+
+echo "Flush the policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# 01000000 authorizing index
+# 01000001 authorized index
+# 03000000 policy session
+#
+# 4 byte NV index
+# policynv.txt
+# policy CC_PolicyNV || args || Name
+#
+# policynvargs.txt (binary)
+# args = hash of 0000 0000 0000 0000 | 0000 | 0000 (eight bytes of zero | offset | op ==)
+# hash -hi n -halg sha1 -if policies/policynvargs.txt -v
+# openssl dgst -sha1 policies/policynvargs.txt
+# 2c513f149e737ec4063fc1d37aee9beabc4b4bbf
+#
+# NV authorizing index
+#
+# after defining index and NV write to set written, use
+# ${PREFIX}nvreadpublic -ha 01000000 -nalg sha1
+# to get name
+# 00042234b8df7cdf8605ee0a2088ac7dfe34c6566c5c
+#
+# append Name to policynvnv.txt
+#
+# convert to binary policy
+# > policymaker -halg sha1 -if policies/policynvnv.txt -of policies/policynvnv.bin -pr -v
+# bc 9b 4c 4f 7b 00 66 19 5b 1d d9 9c 92 7e ad 57 e7 1c 2a fc
+#
+# file zero8.bin has 8 bytes of hex zero
+
+echo ""
+echo "Policy NV, NV index authorizing"
+echo ""
+
+echo "Define a setbits index, authorizing index"
+${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -ty b > run.out
+checkSuccess $?
+
+echo "NV Read public, get Name, not written"
+${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
+checkSuccess $?
+
+echo "NV setbits to set written"
+${PREFIX}nvsetbits -ha 01000000 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "NV Read public, get Name, written"
+${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
+checkSuccess $?
+
+echo "NV Read, should be zero"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+checkSuccess $?
+
+echo "Define an ordinary index, authorized index, policyNV"
+${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000001 -pwdn nnn -sz 2 -ty o -pol policies/policynvnv.bin > run.out
+checkSuccess $?
+
+echo "NV Read public, get Name, not written"
+${PREFIX}nvreadpublic -ha 01000001 -nalg sha1 > run.out
+checkSuccess $?
+
+echo "NV write to set written"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -ic aa > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "NV write, policy not satisfied - should fail"
+${PREFIX}nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy get digest, should be 0"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy NV to satisfy the policy"
+${PREFIX}policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out
+checkSuccess $?
+
+echo "Policy get digest, should be bc 9b 4c 4f ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV write, policy satisfied"
+${PREFIX}nvwrite -ha 01000001 -ic aa -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Set bit in authorizing NV index"
+${PREFIX}nvsetbits -ha 01000000 -pwdn nnn -bit 0 > run.out
+checkSuccess $?
+
+echo "NV Read, should be 1"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 8 > run.out
+checkSuccess $?
+
+echo "Policy NV to satisfy the policy - should fail"
+${PREFIX}policynv -ha 01000000 -pwda nnn -hs 03000000 -if policies/zero8.bin -op 0 > run.out
+checkFailure $?
+
+echo "Policy get digest, should be 00 00 00 00 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine authorizing index"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine authorized index"
+${PREFIX}nvundefinespace -hi p -ha 01000001 > run.out
+checkSuccess $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy NV Written"
+echo ""
+
+echo "Define an ordinary index, authorized index, policyNV"
+${PREFIX}nvdefinespace -hi p -nalg sha1 -ha 01000000 -pwdn nnn -sz 2 -ty o -pol policies/policywrittenset.bin > run.out
+checkSuccess $?
+
+echo "NV Read public, get Name, not written"
+${PREFIX}nvreadpublic -ha 01000000 -nalg sha1 > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "NV write, policy not satisfied - should fail"
+${PREFIX}nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy NV Written no, does not satisfy policy"
+${PREFIX}policynvwritten -hs 03000000 -ws n > run.out
+checkSuccess $?
+
+echo "NV write, policy not satisfied - should fail"
+${PREFIX}nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Policy NV Written yes, satisfy policy"
+${PREFIX}policynvwritten -hs 03000000 -ws y > run.out
+checkSuccess $?
+
+echo "NV write, policy satisfied but written clear - should fail"
+${PREFIX}nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV write using password, set written"
+${PREFIX}nvwrite -ha 01000000 -ic aa -pwdn nnn > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Policy NV Written yes, satisfy policy"
+${PREFIX}policynvwritten -hs 03000000 -ws y > run.out
+checkSuccess $?
+
+echo "NV write, policy satisfied"
+${PREFIX}nvwrite -ha 01000000 -ic aa -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Policy NV Written no"
+${PREFIX}policynvwritten -hs 03000000 -ws n > run.out
+checkSuccess $?
+
+echo "Policy NV Written yes - should fail"
+${PREFIX}policynvwritten -hs 03000000 -ws y > run.out
+checkFailure $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine authorizing index"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Signed externally signed cpHash"
+echo ""
+
+# NV Index 01000000 has policy OR
+
+# Policy A - provisioning: policy written false + policysigned
+# demo: authorizer signs NV write all zero
+
+# Policy B - application: policy written true + policysigned
+# demo: authorizer signs NV write abcdefgh
+
+echo "Load external just the public part of PEM at 80000001"
+${PREFIX}loadexternal -ipem policies/rsapubkey.pem > run.out
+checkSuccess $?
+
+echo "Get the Name of the signing key at 80000001"
+${PREFIX}readpublic -ho 80000001 -ns > run.out
+checkSuccess $?
+# 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+
+# construct policy A
+
+# policies/policywrittenclrsigned.txt
+# 0000018f00
+# 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# Add the extra blank line here for policyRef
+
+# policymaker -if policies/policywrittenclrsigned.txt -of policies/policywrittenclrsigned.bin -pr -ns -v
+# intermediate policy digest length 32
+# 3c 32 63 23 67 0e 28 ad 37 bd 57 f6 3b 4c c3 4d
+# 26 ab 20 5e f2 2f 27 5c 58 d4 7f ab 24 85 46 6e
+# intermediate policy digest length 32
+# 6b 0d 2d 2b 55 4d 68 ec bc 6c d5 b8 c0 96 c1 70
+# 57 5a 95 25 37 56 38 7e 83 d7 76 d9 5b 1b 8e f3
+# intermediate policy digest length 32
+# 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87
+# 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2
+# policy digest length 32
+# 48 0b 78 2e 02 82 c2 40 88 32 c4 df 9c 0e be 87
+# 18 6f 92 54 bd e0 5b 0c 2e a9 52 48 3e b7 69 f2
+# policy digest:
+# 480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f2
+
+# construct policy B
+
+# policies/policywrittensetsigned.txt
+# 0000018f01
+# 00000160000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# Add the extra blank line here for policyRef
+
+# policymaker -if policies/policywrittensetsigned.txt -of policies/policywrittensetsigned.bin -pr -ns -v
+# intermediate policy digest length 32
+# f7 88 7d 15 8a e8 d3 8b e0 ac 53 19 f3 7a 9e 07
+# 61 8b f5 48 85 45 3c 7a 54 dd b0 c6 a6 19 3b eb
+# intermediate policy digest length 32
+# 7d c2 8f b0 dd 4f ee 97 78 2b 55 43 b1 dc 6b 1e
+# e2 bc 79 05 d4 a1 f6 8d e2 97 69 5f a9 aa 78 5f
+# intermediate policy digest length 32
+# 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82
+# 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46
+# policy digest length 32
+# 09 43 ba 3c 3b 4d b1 c8 3f c3 97 85 f9 dc 0a 82
+# 49 f6 79 4a 04 38 e6 45 0a 50 56 8f b4 eb d2 46
+# policy digest:
+# 0943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246
+
+# construct the Policy OR of A and B
+
+# policyorwrittensigned.txt - command code plus two policy digests
+# 00000171480b782e0282c2408832c4df9c0ebe87186f9254bde05b0c2ea952483eb769f20943ba3c3b4db1c83fc39785f9dc0a8249f6794a0438e6450a50568fb4ebd246
+# policymaker -if policies/policyorwrittensigned.txt -of policies/policyorwrittensigned.bin -pr
+# policy digest length 32
+# 06 00 ae 34 7a 30 b0 67 36 d3 32 85 a0 cc ad 46
+# 54 1e 62 71 f5 d0 85 10 a7 ff 0e 90 30 54 d6 c9
+
+echo "Define index 01000000 with the policy OR"
+${PREFIX}nvdefinespace -ha 01000000 -hi o -sz 8 -pwdn "" -pol policies/policyorwrittensigned.bin -at aw > run.out
+checkSuccess $?
+
+echo "Get the Name of the NV index not written, should be 00 0b ... bb 0b"
+${PREFIX}nvreadpublic -ha 01000000 -ns > run.out
+checkSuccess $?
+
+# 000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy A - not written"
+echo ""
+
+# construct cpHash for Policy A - not written, writing zeros
+
+# (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of 0's at offset 0000
+# For index auth, authHandle Name and index Name are the same
+# policies/nvwritecphasha.txt
+# 00000137000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000b366258674dcf8aa16d344f24dde1c799fc60f9427a7286bb8cd1e4e9fd1fbb0b000800000000000000000000
+# policymaker -nz -if policies/nvwritecphasha.txt -of policies/nvwritecphasha.bin -pr -ns
+# policy digest length 32
+# cf 98 1e ee 68 04 3b dd ee 0c ab bc 75 b3 63 be
+# 3c f9 ee 22 2a 78 b8 26 3f 06 7b b3 55 2c a6 11
+# policy digest:
+# cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611
+
+# construct aHash for Policy A
+
+# expiration + cpHashA
+# policies/nvwriteahasha.txt
+# 00000000cf981eee68043bddee0cabbc75b363be3cf9ee222a78b8263f067bb3552ca611
+# just convert to binary, because openssl does the hash before signing
+# xxd -r -p policies/nvwriteahasha.txt policies/nvwriteahasha.bin
+
+echo "Policy NV Written no, satisfy policy"
+${PREFIX}policynvwritten -hs 03000000 -ws n > run.out
+checkSuccess $?
+
+echo "Should be policy A first intermediate value 3c 32 63 23 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign aHash with openssl 8813 6530 ..."
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahasha.bin > run.out 2>&1
+echo ""
+
+echo "Policy signed, signature generated externally"
+${PREFIX}policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphasha.bin -is sig.bin > run.out
+checkSuccess $?
+
+echo "Should be policy A final value 48 0b 78 2e ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out
+checkSuccess $?
+
+echo "Should be policy OR final value 06 00 ae 34 "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV write to set written"
+${PREFIX}nvwrite -ha 01000000 -if policies/zero8.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy B - written"
+echo ""
+
+echo "Get the new (written) Name of the NV index not written, should be 00 0b f5 75"
+${PREFIX}nvreadpublic -ha 01000000 -ns > run.out
+checkSuccess $?
+
+# 000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8
+
+# construct cpHash for Policy B
+
+# (commandCode || authHandle Name || NV Index Name || data + offset) - data 8 bytes of abcdefgh at offset 00000
+# For index auth, authHandle Name and index Name are the same
+# policies/nvwritecphashb.txt
+# 00000137000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000bf575f09107d38c4cb82e8ec054b1aca9a91e40a06ec074b578bdd9cdaf4b76c8000861626364656667680000
+# policymaker -nz -if policies/nvwritecphashb.txt -of policies/nvwritecphashb.bin -pr -ns
+# policy digest length 32
+# df 58 08 f9 ab cb 23 7f 8c d7 c9 09 1c 86 12 2d
+# 88 6f 02 d4 6e db 53 c8 da 39 bf a2 d6 cf 07 63
+# policy digest:
+# df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763
+
+# construct aHash for Policy B
+
+# expiration + cpHashA
+# policies/nvwriteahashb.txt
+# 00000000df5808f9abcb237f8cd7c9091c86122d886f02d46edb53c8da39bfa2d6cf0763
+# just convert to binary, because openssl does the hash before signing
+# xxd -r -p policies/nvwriteahashb.txt policies/nvwriteahashb.bin
+
+echo "Policy NV Written yes, satisfy policy"
+${PREFIX}policynvwritten -hs 03000000 -ws y > run.out
+checkSuccess $?
+
+echo "Should be policy A first intermediate value f7 88 7d 15 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign aHash with openssl 3700 0a91 ..."
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out sig.bin policies/nvwriteahashb.bin > run.out 2>&1
+echo ""
+
+echo "Policy signed, signature generated externally"
+${PREFIX}policysigned -hk 80000001 -ha 03000000 -halg sha256 -cp policies/nvwritecphashb.bin -is sig.bin > run.out
+checkSuccess $?
+
+echo "Should be policy B final value 09 43 ba 3c ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if policies/policywrittenclrsigned.bin -if policies/policywrittensetsigned.bin > run.out
+checkSuccess $?
+
+echo "Should be policy OR final value 06 00 ae 34 "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV write new data"
+${PREFIX}nvwrite -ha 01000000 -ic abcdefgh -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "Cleanup"
+echo ""
+
+echo "Flush the policy session 03000000"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the signature verification key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Undefine the NV Index 01000000"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkSuccess $?
+
+# test using clockrateadjust
+# policycphashhash.txt is (hex) 00000130 4000000c 000
+# hash -if policycphashhash.txt -oh policycphashhash.bin -halg sha1 -v
+# openssl dgst -sha1 policycphashhash.txt
+# cpHash is
+# b5f919bbc01f0ebad02010169a67a8c158ec12f3
+# append to policycphash.txt 00000163 + cpHash
+# policymaker -halg sha1 -if policies/policycphash.txt -of policies/policycphash.bin -pr
+# 06 e4 6c f9 f3 c7 0f 30 10 18 7c a6 72 69 b0 84 b4 52 11 6f
+
+echo ""
+echo "Policy cpHash"
+echo ""
+
+echo "Set the platform policy to policy cpHash"
+${PREFIX}setprimarypolicy -hi p -pol policies/policycphash.bin -halg sha1 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust using wrong password - should fail"
+${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+checkFailure $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust, policy not satisfied - should fail"
+${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy cpHash, satisfy policy"
+${PREFIX}policycphash -ha 03000000 -cp policies/policycphashhash.bin > run.out
+checkSuccess $?
+
+echo "Policy get digest, should be 06 e4 6c f9"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust, policy satisfied but bad command params - should fail"
+${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 1 -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Clockrate adjust, policy satisfied"
+${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Clear the platform policy"
+${PREFIX}setprimarypolicy -hi p > run.out
+checkSuccess $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Duplication Select with includeObject FALSE"
+echo ""
+
+# These tests uses a new parent and object to be duplicated generated
+# externally. This makes the Names repeatable and permits the
+# policy to be pre-calculated and static.
+
+# command code 00000188
+# newParentName
+# 000b 1a5d f667 7533 4527 37bc 79a5 5ab6
+# d9fa 9174 5c03 3dfe 3f82 cdf0 903b a9d6
+# 55f1
+# includeObject 00
+# policymaker -if policies/policydupsel-no.txt -of policies/policydupsel-no.bin -pr -v
+# 5f 55 ba 2b 69 0f b0 38 ac 15 ff 2a 86 ef 65 66
+# be a8 23 68 43 97 4c 3f a7 36 37 72 56 ec bc 45
+
+# 80000000 SK storage primary key
+# 80000001 NP new parent, the target of the duplication
+# 80000002 SI signing key, duplicate from SK to NP
+# 03000000 policy session
+
+echo "Import the new parent storage key NP under the primary key"
+${PREFIX}importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -st -pwdk rrrr -opu tmpstpub.bin -opr tmpstpriv.bin -halg sha256 > run.out
+checkSuccess $?
+
+echo "Load the new parent TPM storage key NP at 80000001"
+${PREFIX}load -hp 80000000 -pwdp sto -ipu tmpstpub.bin -ipr tmpstpriv.bin > run.out
+checkSuccess $?
+
+echo "Import a signing key SI under the primary key 80000000, with policy duplication select"
+${PREFIX}importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policydupsel-no.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key SI at 80000002"
+${PREFIX}load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy duplication select, object SI 80000002 to new parent NP 80000001"
+${PREFIX}policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be 5f 55 ba 2b ...."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001"
+${PREFIX}duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the original SI at 80000002 to free object slot for import"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Import signing key SI under new parent TPM storage key NP 80000001"
+${PREFIX}import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key SI at 80000002"
+${PREFIX}load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Flush the duplicated SI at 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Duplication Select with includeObject TRUE"
+echo ""
+
+# command code 00000188
+# SI objectName
+# 000b 6319 28da 1624 3135 3a59 c03a 2ca7
+# dbb7 0989 1440 4236 3c7f a838 39d9 da6c
+# 437a
+# HP newParentName
+# 000b
+# 1a5d f667 7533 4527 37bc 79a5 5ab6 d9fa
+# 9174 5c03 3dfe 3f82 cdf0 903b a9d6 55f1
+# includeObject 01
+#
+# policymaker -if policies/policydupsel-yes.txt -of policies/policydupsel-yes.bin -pr -v
+# 14 64 06 4c 80 cb e3 4f f5 03 82 15 38 62 43 17
+# 93 94 8f f1 e8 8a c6 23 4d d1 b0 c5 4c 05 f7 3b
+
+# 80000000 SK storage primary key
+# 80000001 NP new parent, the target of the duplication
+# 80000002 SI signing key, duplicate from SK to NP
+# 03000000 policy session
+
+echo "Import a signing key SI under the primary key 80000000, with policy authorize"
+${PREFIX}importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key SI with objectName 000b 6319 28da at 80000002"
+${PREFIX}load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy duplication select, object SI 80000002 to new parent NP 80000001 with includeObject"
+${PREFIX}policyduplicationselect -ha 03000000 -inpn h80000001.bin -ion h80000002.bin -io > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policy to approve, aHash input 14 64 06 4c same as policies/policydupsel-yes.bin"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the original SI at 80000002 to free object slot for loadexternal "
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policydupsel-yes.bin > run.out 2>&1
+
+echo "Load external just the public part of PEM authorizing key 80000002"
+${PREFIX}loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+checkSuccess $?
+
+echo "Verify the signature against 80000002 to generate ticket"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/policydupsel-yes.bin -is pssig.bin -raw -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Policy authorize using the ticket"
+${PREFIX}policyauthorize -ha 03000000 -appr policies/policydupsel-yes.bin -skn ${TPM_DATA_DIR}/h80000002.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the PEM authorizing verification key at 80000002 to free object slot for import"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Load the original signing key SI at 80000002"
+${PREFIX}load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+checkSuccess $?
+
+echo "Duplicate signing key SI at 80000002 under new parent TPM storage key NP 80000001 000b 1a5d f667"
+${PREFIX}duplicate -ho 80000002 -hp 80000001 -od tmpdup.bin -oss tmpss.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the original SI at 80000002 to free object slot for import"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Import signing key SI under new parent TPM storage key NP 80000001"
+${PREFIX}import -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -id tmpdup.bin -iss tmpss.bin -opr tmpsipriv1.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key SI at 80000002"
+${PREFIX}load -hp 80000001 -pwdp rrrr -ipu tmpsipub.bin -ipr tmpsipriv1.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest"
+${PREFIX}sign -hk 80000002 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Flush the duplicated SI at 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the new parent TPM storage key NP 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Name Hash"
+echo ""
+
+# signing key SI Name
+# 000b
+# 6319 28da 1624 3135 3a59 c03a 2ca7 dbb7
+# 0989 1440 4236 3c7f a838 39d9 da6c 437a
+
+# compute nameHash
+
+# nameHash - just a hash, not an extend
+# policymaker -if policies/pnhnamehash.txt -of policies/pnhnamehash.bin -nz -pr -v -ns
+# 18 e0 0c 62 77 18 d9 fc 81 22 3d 8a 56 33 7e eb
+# 0e 7d 98 28 bd 7b c7 29 1d 3c 27 3f 7a c4 04 f1
+# 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1
+
+# compute policy (based on
+
+# 00000170 TPM_CC_PolicyNameHash
+# signing key SI Name
+# 18e00c627718d9fc81223d8a56337eeb0e7d9828bd7bc7291d3c273f7ac404f1
+
+# policymaker -if policies/policynamehash.txt -of policies/policynamehash.bin -pr -v
+# 96 30 f9 00 c3 4c 66 09 c1 c5 92 41 78 c1 b2 3d
+# 9f d4 93 f4 f9 c2 98 c8 30 4a e3 0f 97 a2 fd 49
+
+# 80000000 SK storage primary key
+# 80000001 SI signing key
+# 80000002 Authorizing public key
+# 03000000 policy session
+
+echo "Import a signing key SI under the primary key 80000000, with policy authorize"
+${PREFIX}importpem -hp 80000000 -pwdp sto -ipem policies/rsaprivkey.pem -si -pwdk rrrr -opr tmpsipriv.bin -opu tmpsipub.bin -pol policies/policyauthorizesha256.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key SI at 80000001"
+${PREFIX}load -hp 80000000 -pwdp sto -ipu tmpsipub.bin -ipr tmpsipriv.bin > run.out
+checkSuccess $?
+
+echo "Sign a digest using the password"
+${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -pwdk rrrr > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy name hash, object SI 80000001"
+${PREFIX}policynamehash -ha 03000000 -nh policies/pnhnamehash.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest,should be policy to approve, 96 30 f9 00"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policynamehash.bin > run.out 2>&1
+
+echo "Load external just the public part of PEM authorizing key 80000002"
+${PREFIX}loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem > run.out
+checkSuccess $?
+
+echo "Verify the signature against 80000002 to generate ticket"
+${PREFIX}verifysignature -hk 80000002 -halg sha256 -if policies/policynamehash.bin -is pssig.bin -raw -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Policy authorize using the ticket"
+${PREFIX}policyauthorize -ha 03000000 -appr policies/policynamehash.bin -skn ${TPM_DATA_DIR}/h80000002.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be eb a3 f9 8c ...."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest using the policy"
+${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os tmpsig.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Verify the signature"
+${PREFIX}verifysignature -hk 80000001 -halg sha256 -if policies/aaa -is tmpsig.bin > run.out
+checkSuccess $?
+
+echo "Flush the signing key at 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the authorizing key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+# test using clockrateadjust and platform policy
+
+# operand A time is 64 bits at offset 0, operation GT (2)
+# 0000016d 0000 0000 0000 0000 | 0000 | 0002
+#
+# convert to binary policy
+# > policymaker -halg sha1 -if policies/policycountertimer.txt -of policies/policycountertimer.bin -pr -v
+# e6 84 81 27 55 c0 39 d3 68 63 21 c8 93 50 25 dd
+# aa 26 42 9a
+
+echo ""
+echo "Policy Counter Timer"
+echo ""
+
+echo "Set the platform policy to policy "
+${PREFIX}setprimarypolicy -hi p -pol policies/policycountertimer.bin -halg sha1 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust using wrong password - should fail"
+${PREFIX}clockrateadjust -hi p -pwdp ppp -adj 0 > run.out
+checkFailure $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p -halg sha1 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust, policy not satisfied - should fail"
+${PREFIX}clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy counter timer, zero operandB, op EQ satisfy policy - should fail"
+${PREFIX}policycountertimer -ha 03000000 -if policies/zero8.bin -op 0 > run.out
+checkFailure $?
+
+echo "Policy counter timer, zero operandB, op GT satisfy policy"
+${PREFIX}policycountertimer -ha 03000000 -if policies/zero8.bin -op 2 > run.out
+checkSuccess $?
+
+echo "Policy get digest, should be e6 84 81 27"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Clockrate adjust, policy satisfied"
+${PREFIX}clockrateadjust -hi p -adj 0 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Clear the platform policy"
+${PREFIX}setprimarypolicy -hi p > run.out
+checkSuccess $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+
+# policyccsign.txt 0000016c 0000015d (policy command code | sign)
+# policyccquote.txt 0000016c 00000158 (policy command code | quote)
+#
+# > policymaker -if policies/policyccsign.txt -of policies/policyccsign.bin -pr -v
+# cc6918b226273b08f5bd406d7f10cf160f0a7d13dfd83b7770ccbcd1aa80d811
+#
+# > policymaker -if policies/policyccquote.txt -of policies/policyccquote.bin -pr -v
+# a039cad5fe68870688f8233c3e3ee3cf27aac9e2efe3486aeb4e304c0e90cd27
+#
+# policyor.txt is CC_PolicyOR || digests
+# 00000171 | cc69 ... | a039 ...
+# > policymaker -if policies/policyor.txt -of policies/policyor.bin -pr -v
+# 6b fe c2 3a be 57 b0 2a ce 39 dd 13 bb 60 fa 39
+# 4d ac 7b 38 96 56 57 84 b3 73 fc 61 92 94 29 db
+
+echo ""
+echo "PolicyOR"
+echo ""
+
+echo "Create an unrestricted signing key, policy command code sign or quote"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyor.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy get digest"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - should fail"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Quote - should fail"
+${PREFIX}quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Get time - should fail, policy not set"
+${PREFIX}gettime -hk 80000001 -qd policies/aaa -se1 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy OR - should fail"
+${PREFIX}policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+checkFailure $?
+
+echo "Policy Command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 0000015d > run.out
+checkSuccess $?
+
+echo "Policy get digest, should be cc 69 18 b2"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+checkSuccess $?
+
+echo "Policy get digest, should be 6b fe c2 3a"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign with policy OR"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Policy Command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 0000015d > run.out
+checkSuccess $?
+
+echo "Policy OR"
+${PREFIX}policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+checkSuccess $?
+
+echo "Quote - should fail, wrong command code"
+${PREFIX}quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy Command code - quote, digest a0 39 ca d5"
+${PREFIX}policycommandcode -ha 03000000 -cc 00000158 > run.out
+checkSuccess $?
+
+echo "Policy OR, digest 6b fe c2 3a"
+${PREFIX}policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+checkSuccess $?
+
+echo "Quote with policy OR"
+${PREFIX}quote -hp 0 -hk 80000001 -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Policy Command code - gettime 7a 3e bd aa"
+${PREFIX}policycommandcode -ha 03000000 -cc 0000014c > run.out
+checkSuccess $?
+
+echo "Policy OR, gettime not an AND term - should fail"
+${PREFIX}policyor -ha 03000000 -if policies/policyccsign.bin -if policies/policyccquote.bin > run.out
+checkFailure $?
+
+echo "Flush policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# There are times that a policy creator has TPM, PEM, or DER format
+# information, but does not have access to a TPM. The publicname
+# utility accepts these inputs and outputs the name in the 'no spaces'
+# format suitable for pasting into a policy.
+
+echo ""
+echo "publicname RSA"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create an rsa ${HALG} key under the primary key"
+ ${PREFIX}create -hp 80000000 -rsa 2048 -nalg ${HALG} -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the rsa ${HALG} key 80000001"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Compute the TPM2B_PUBLIC Name"
+ ${PREFIX}publicname -ipu tmppub.bin -on tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the TPM2B_PUBLIC result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Convert the rsa public key to PEM format"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Flush the rsa ${HALG} key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "loadexternal the rsa PEM public key"
+ ${PREFIX}loadexternal -ipem tmppub.pem -si -rsa -nalg ${HALG} -halg ${HALG} -scheme rsassa > run.out
+ checkSuccess $?
+
+ echo "Compute the PEM Name"
+ ${PREFIX}publicname -ipem tmppub.pem -rsa -si -nalg ${HALG} -halg ${HALG} -on tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the PEM result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Convert the TPM PEM key to DER"
+ openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin > run.out 2>&1
+ echo "INFO:"
+
+ echo "Compute the DER Name"
+ ${PREFIX}publicname -ider tmppub.der -rsa -si -nalg ${HALG} -halg ${HALG} -on tmp.bin -v > run.out
+ checkSuccess $?
+
+ echo "Verify the DER result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the rsa ${HALG} key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "publicname ECC"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create an ecc nistp256 ${HALG} key under the primary key"
+ ${PREFIX}create -hp 80000000 -ecc nistp256 -nalg ${HALG} -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ecc ${HALG} key 80000001"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Compute the TPM2B_PUBLIC Name"
+ ${PREFIX}publicname -ipu tmppub.bin -on tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the TPM2B_PUBLIC result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Convert the ecc public key to PEM format"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Flush the ecc ${HALG} key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "loadexternal the ecc PEM public key"
+ ${PREFIX}loadexternal -ipem tmppub.pem -si -ecc -nalg ${HALG} -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Compute the PEM Name"
+ ${PREFIX}publicname -ipem tmppub.pem -ecc -si -nalg ${HALG} -halg ${HALG} -on tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the PEM result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Convert the TPM PEM key to DER"
+ openssl pkey -inform pem -outform der -in tmppub.pem -out tmppub.der -pubin -pubout > run.out 2>&1
+ echo "INFO:"
+
+ echo "Compute the DER Name"
+ ${PREFIX}publicname -ider tmppub.der -ecc -si -nalg ${HALG} -halg ${HALG} -on tmp.bin -v > run.out
+ checkSuccess $?
+
+ echo "Verify the DER result"
+ diff tmp.bin h80000001.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the ecc ${HALG} key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "publicname NV"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "NV Define Space ${HALG}"
+ ${PREFIX}nvdefinespace -hi o -ha 01000000 -sz 16 -nalg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "NV Read Public"
+ ${PREFIX}nvreadpublic -ha 01000000 -opu tmppub.bin -on tmpname.bin > run.out
+ checkSuccess $?
+
+ echo "Compute the NV Index Name"
+ ${PREFIX}publicname -invpu tmppub.bin -on tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the NV Index result"
+ diff tmp.bin tmpname.bin > run.out
+ checkSuccess $?
+
+ echo "NV Undefine Space"
+ ${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+ checkSuccess $?
+
+done
+
+# cleanup
+
+rm -f pssig.bin
+rm -f run.out
+rm -f sig.bin
+rm -f tkt.bin
+rm -f tmp.bin
+rm -f tmpdup.bin
+rm -f tmphkey.bin
+rm -f tmpname.bin
+rm -f tmppol.bin
+rm -f tmppriv.bin
+rm -f tmppriv.bin
+rm -f tmppub.bin
+rm -f tmppub.der
+rm -f tmppub.pem
+rm -f tmpsig.bin
+rm -f tmpsipriv.bin
+rm -f tmpsipriv1.bin
+rm -f tmpsipub.bin
+rm -f tmpss.bin
+rm -f tmpstpriv.bin
+rm -f tmpstpub.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 01000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+# ${PREFIX}getcapability -cap 1 -pr 03000000
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.bat
new file mode 100644
index 0000000..08a45d7
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.bat
@@ -0,0 +1,600 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # $Id: testpolicy138.sh 793 2016-11-10 21:27:40Z kgoldman $ #
+REM # #
+REM # (c) Copyright IBM Corporation 2016 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+REM
+REM # Policy command code - sign
+REM
+REM # cc69 18b2 2627 3b08 f5bd 406d 7f10 cf16
+REM # 0f0a 7d13 dfd8 3b77 70cc bcd1 aa80 d811
+REM
+REM # NV index name after written
+REM
+REM # 000b
+REM # 5e8e bdf0 4581 9419 070c 7d57 77bf eb61
+REM # ffac 4996 ea4b 6fba de6d a42b 632d 4918
+REM
+REM # Policy Authorize NV with above Name
+REM
+REM # 66 1f a1 02 db cd c2 f6 a0 61 7b 33 a0 ee 6d 95
+REM # ab f6 2c 76 b4 98 b2 91 10 0d 30 91 19 f4 11 fa
+REM
+REM # Policy in NV index 01000000
+REM # signing key 80000001
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Policy Authorize NV"
+echo ""
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key, policyauthnv"
+%TPM_EXE_PATH%create -hp 80000000 -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyauthorizenv.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Define Space"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -sz 50 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV not written, policyauthorizenv - should fail"
+%TPM_EXE_PATH%policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Write algorithm ID into NV index 01000000"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -off 0 -if policies/sha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write policy command code sign into NV index 01000000"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -off 2 -if policies/policyccsign.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be cc 69 ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Authorize NV against 01000000"
+%TPM_EXE_PATH%policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be 66 1f ..."
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - policy and wrong password"
+%TPM_EXE_PATH%sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - sign"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 15d > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Authorize NV against 01000000"
+%TPM_EXE_PATH%policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Quote - policy, should fail"
+%TPM_EXE_PATH%quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - quote"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 158 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Authorize NV against 01000000 - should fail"
+%TPM_EXE_PATH%policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi o -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session 03000000"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key 80000001 "
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Template"
+echo ""
+
+REM # create template hash
+REM
+REM # run createprimary -si -v, extract template
+REM
+REM # policies/policytemplate.txt
+REM
+REM # 00 01 00 0b 00 04 04 72 00 00 00 10 00 10 08 00
+REM # 00 00 00 00 00 00
+REM
+REM # policymaker -if policies/policytemplate.txt -pr -of policies/policytemplate.bin -nz
+REM # -nz says do not extend, just hash the hexascii line
+REM # yields a template hash for policytemplate
+REM
+REM # ef 64 da 91 18 fc ac 82 f4 36 1b 28 84 28 53 d8
+REM # aa f8 7d fc e1 45 e9 25 cf fe 58 68 aa 2d 22 b6
+REM
+REM # prepend the command code 00000190 to ef 64 ... and construct the actual object policy
+REM # policymaker -if policies/policytemplatehash.txt -pr -of policies/policytemplatehash.bin
+REM
+REM # fb 94 b1 43 e5 2b 07 95 b7 ec 44 37 79 99 d6 47
+REM # 70 1c ae 4b 14 24 af 5a b8 7e 46 f2 58 af eb de
+
+echo ""
+echo "Policy Template with TPM2_Create"
+echo ""
+
+echo "Create a primary storage key policy template, 80000001"
+%TPM_EXE_PATH%createprimary -hi p -pol policies/policytemplatehash.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session 03000000"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Template"
+%TPM_EXE_PATH%policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be fb 94 ... "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create signing key under primary key"
+%TPM_EXE_PATH%create -si -hp 80000001 -kt f -kt p -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Template with TPM2_CreateLoaded"
+echo ""
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Template"
+%TPM_EXE_PATH%policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be fb 94 ... "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create loaded signing key under primary key"
+%TPM_EXE_PATH%createloaded -si -hp 80000001 -kt f -kt p -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the created key 80000002"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Policy Template with TPM2_CreatePrimary"
+echo ""
+
+echo "Set primary policy for platform hierarchy"
+%TPM_EXE_PATH%setprimarypolicy -hi p -halg sha256 -pol policies/policytemplatehash.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy restart, set back to zero"
+%TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Template"
+%TPM_EXE_PATH%policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be fb 94 ... "
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create loaded primary signing key policy template, 80000001"
+%TPM_EXE_PATH%createprimary -si -hi p -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM #
+REM # Use case of the PCR brittleness solution using PolicyAuthorize, but
+REM # where the authorizing public key is not hard coded in the sealed
+REM # blob policy. Rather, it's in an NV Index, so that the authorizing
+REM # key can be changed. Here, the authorization to change is platform
+REM # auth. The NV index is locked until reboot as a second level of
+REM # protection.
+REM #
+
+REM # Policy design
+
+REM # PolicyAuthorizeNV and Name of NV index AND Unseal
+REM # where the NV index holds PolicyAuthorize with the Name of the authorizing signing key
+REM # where PolicyAuthorize will authorize command Unseal AND PCR values
+
+REM # construct Policies
+
+REM # Provision the NV Index data first. The NV Index Name is needed for the policy
+REM # PolicyAuthorize with the Name of the authorizing signing key.
+
+REM # The authorizing signing key Name can be obtained using the TPM from
+REM # loadexternal below. It can also be calculated off line using this
+REM # utility
+
+REM # > publicname -ipem policies/rsapubkey.pem -halg sha256 -nalg sha256 -v -ns
+
+REM # policyauthorize and CA public key
+REM # policies/policyauthorizesha256.txt
+REM # 0000016a000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # (need blank line for policyRef)
+REM # > policymaker -halg sha256 -if policies/policyauthorizesha256.txt -pr -v -ns -of policies/policyauthorizesha256.bin
+REM # intermediate policy digest length 32
+REM # fc 17 cd 86 c0 4f be ca d7 17 5f ef c7 75 5b 63
+REM # a8 90 49 12 c3 2e e6 9a 4c 99 1a 7b 5a 59 bd 82
+REM # intermediate policy digest length 32
+REM # eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+REM # ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+REM # policy digest length 32
+REM # eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+REM # ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+REM # policy digest:
+REM # eba3f98c5eaf1ea8f94f519b4d2a3183ee79876672398e2315d933c288a8e503
+
+REM # Once the NV Index Name is known, calculated the sealed blob policy.
+
+REM # PolicyAuthorizeNV and Name of NV Index AND Unseal
+REM #
+REM # get NV Index Name from nvreadpublic after provisioning
+REM # 000b56e16f0b810a6418daab06822be142858beaf9a79d66f66ad7e8e541f142498e
+REM #
+REM # policies/policyauthorizenv-unseal.txt
+REM #
+REM # policyauthorizenv and Name of NV Index
+REM # 00000192000b56e16f0b810a6418daab06822be142858beaf9a79d66f66ad7e8e541f142498e
+REM # policy command code unseal
+REM # 0000016c0000015e
+REM #
+REM # > policymaker -halg sha256 -if policies/policyauthorizenv-unseal.txt -of policies/policyauthorizenv-unseal.bin -pr -v -ns
+REM # intermediate policy digest length 32
+REM # 2f 7a d9 b7 53 26 35 e5 03 8c e7 7b 8f 63 5e 4c
+REM # f9 96 c8 62 18 13 98 94 c2 71 45 e7 7d d5 e8 e8
+REM # intermediate policy digest length 32
+REM # cd 1b 24 26 fe 10 08 6c 52 35 85 94 22 a0 59 69
+REM # 33 4b 88 47 82 0d 0b d9 8c 43 1f 7f f7 36 34 5d
+REM # policy digest length 32
+REM # cd 1b 24 26 fe 10 08 6c 52 35 85 94 22 a0 59 69
+REM # 33 4b 88 47 82 0d 0b d9 8c 43 1f 7f f7 36 34 5d
+REM # policy digest:
+REM # cd1b2426fe10086c5235859422a05969334b8847820d0bd98c431f7ff736345d
+
+REM # The authorizing signer signs the PCR white list, here just PCR 16 extended with aaa
+REM # PCR 16 is the resettable debug PCR, convenient for development
+
+echo ""
+echo "PolicyAuthorizeNV -> PolicyAuthorize -> PolicyPCR"
+echo ""
+
+REM # Initial provisioning (NV Index)
+
+echo "NV Define Space"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p -hia p -sz 34 +at wst +at ar > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write algorithm ID into NV index 01000000"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -off 0 -if policies/sha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write the NV index at offset 2 with policy authorize and the Name of the CA signing key"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -hia p -off 2 -if policies/policyauthorizesha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Lock the NV Index"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -hia p
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read the NV Index Name to be used above in Policy"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # Initial provisioning (Sealed Data)
+
+echo "Create a sealed data object"
+%TPM_EXE_PATH%create -hp 80000000 -nalg sha256 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -uwa -if msg.bin -pol policies/policyauthorizenv-unseal.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # Once per new PCR approved values, signer authorizing PCRs in policysha256.bin
+
+echo "Openssl generate and sign aHash (empty policyRef)"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policypcr16aaasha256.bin
+
+REM # Once per boot, simulating setting PCRs to authorized values, lock
+REM # the NV index, which is unloaded at reboot to permit platform auth to
+REM # roll the authorized signing key
+
+echo "Lock the NV Index"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -hia p
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR 16 Reset"
+%TPM_EXE_PATH%pcrreset -ha 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Extend PCR 16 to correct value"
+%TPM_EXE_PATH%pcrextend -halg sha256 -ha 16 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # At each unseal, or reuse the ticket tkt.bin for its lifetime
+
+echo "Load external just the public part of PEM authorizing key sha256 80000001"
+%TPM_EXE_PATH%loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem -ns > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the signature to generate ticket 80000001 sha256"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha256 -if policies/policypcr16aaasha256.bin -is pssig.bin -raw -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # Run time unseal
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p -halg sha256 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy PCR, update with the correct PCR 16 value"
+%TPM_EXE_PATH%policypcr -halg sha256 -ha 03000000 -bm 10000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy get digest - should be policies/policypcr16aaasha256.bin"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # policyauthorize process
+
+echo "Policy authorize using the ticket"
+%TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policypcr16aaasha256.bin -skn h80000001.bin -tk tkt.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policies/policyauthorizesha256.bin"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the authorizing public key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy Authorize NV against NV Index 01000000"
+%TPM_EXE_PATH%policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policies/policyauthorizenv-unseal.bin intermediate"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - unseal"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 0000015e > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get policy digest, should be policies/policyauthorizenv-unseal.bin final"
+%TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the sealed data object"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal the data blob"
+%TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM cleanup
+
+rm -f tmppriv.bin
+rm -f tmppub.bin
+
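Review bot: The "Openssl generate and sign aHash" step (`openssl dgst -sha256 -sign policies/rsaprivkey.pem ... -out pssig.bin ...`) is the only command in this file whose exit status is not checked, and pssig.bin is never removed in the cleanup block, so when signing fails (missing or unreadable rsaprivkey.pem, wrong passphrase) a stale pssig.bin left by an earlier run still verifies at the `verifysignature` step and the failure is masked. Give it the same `IF !ERRORLEVEL! NEQ 0 ( exit /B 1 )` guard every TPM command has, and extend the cleanup to the other artefacts this test writes (pssig.bin, sig.bin, tkt.bin, tmp.bin); the verification ticket tkt.bin in particular should not outlive the run. The same unchecked signing and incomplete cleanup are present in testpolicy138.sh in the next file section. The two `nvwritelock -ha 01000000 -hia p` lines are also the only TPM commands here without `> run.out`, which looks like an oversight rather than intent.
```batch
echo "Openssl generate and sign aHash (empty policyRef)"
openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policypcr16aaasha256.bin > run.out 2>&1
IF !ERRORLEVEL! NEQ 0 (
 exit /B 1
)
REM ... unchanged: NV lock, PCR reset/extend, ticket, policy session, unseal ...
REM cleanup
rm -f pssig.bin
rm -f sig.bin
rm -f tkt.bin
rm -f tmp.bin
rm -f tmppriv.bin
rm -f tmppub.bin
```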
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.sh
new file mode 100755
index 0000000..e391207
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testpolicy138.sh
@@ -0,0 +1,477 @@
+#!/bin/bash
+
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2016 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# used for the name in policy ticket
+
+if [ -z $TPM_DATA_DIR ]; then
+ TPM_DATA_DIR=.
+fi
+
+# PolicyCommandCode - sign
+
+# cc69 18b2 2627 3b08 f5bd 406d 7f10 cf16
+# 0f0a 7d13 dfd8 3b77 70cc bcd1 aa80 d811
+
+# NV index name after written
+
+# 000b
+# 5e8e bdf0 4581 9419 070c 7d57 77bf eb61
+# ffac 4996 ea4b 6fba de6d a42b 632d 4918
+
+# PolicyAuthorizeNV with above Name
+
+# 66 1f a1 02 db cd c2 f6 a0 61 7b 33 a0 ee 6d 95
+# ab f6 2c 76 b4 98 b2 91 10 0d 30 91 19 f4 11 fa
+
+# Policy in NV index 01000000
+# signing key 80000001
+
+echo ""
+echo "Policy Authorize NV"
+echo ""
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Create a signing key, policyauthnv"
+${PREFIX}create -hp 80000000 -si -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sig -pol policies/policyauthorizenv.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "NV Define Space"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -sz 50 > run.out
+checkSuccess $?
+
+echo "NV not written, policyauthorizenv - should fail"
+${PREFIX}policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+checkFailure $?
+
+echo "Write algorithm ID into NV index 01000000"
+${PREFIX}nvwrite -ha 01000000 -off 0 -if policies/sha256.bin > run.out
+checkSuccess $?
+
+echo "Write policy command code sign into NV index 01000000"
+${PREFIX}nvwrite -ha 01000000 -off 2 -if policies/policyccsign.bin > run.out
+checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be cc 69 ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy Authorize NV against 01000000"
+${PREFIX}policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be 66 1f ..."
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Sign a digest - policy and wrong password"
+${PREFIX}sign -hk 80000001 -if msg.bin -os sig.bin -se0 03000000 1 -pwdk xxx > run.out
+checkSuccess $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy command code - sign"
+${PREFIX}policycommandcode -ha 03000000 -cc 15d > run.out
+checkSuccess $?
+
+echo "Policy Authorize NV against 01000000"
+${PREFIX}policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Quote - policy, should fail"
+${PREFIX}quote -hp 0 -hk 80000001 -os sig.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy command code - quote"
+${PREFIX}policycommandcode -ha 03000000 -cc 158 > run.out
+checkSuccess $?
+
+echo "Policy Authorize NV against 01000000 - should fail"
+${PREFIX}policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+checkFailure $?
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi o -ha 01000000 > run.out
+checkSuccess $?
+
+echo "Flush the policy session 03000000"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the signing key 80000001 "
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Template"
+echo ""
+
+# create template hash
+
+# run createprimary -si -v, extract template
+
+# policies/policytemplate.txt
+
+# 00 01 00 0b 00 04 04 72 00 00 00 10 00 10 08 00
+# 00 00 00 00 00 00
+
+# policymaker -if policies/policytemplate.txt -pr -of policies/policytemplate.bin -nz
+# -nz says do not extend, just hash the hexascii line
+# yields a template hash for policytemplate
+
+# ef 64 da 91 18 fc ac 82 f4 36 1b 28 84 28 53 d8
+# aa f8 7d fc e1 45 e9 25 cf fe 58 68 aa 2d 22 b6
+
+# prepend the command code 00000190 to ef 64 ... and construct the actual object policy
+# policymaker -if policies/policytemplatehash.txt -pr -of policies/policytemplatehash.bin
+
+# fb 94 b1 43 e5 2b 07 95 b7 ec 44 37 79 99 d6 47
+# 70 1c ae 4b 14 24 af 5a b8 7e 46 f2 58 af eb de
+
+echo ""
+echo "Policy Template with TPM2_Create"
+echo ""
+
+echo "Create a primary storage key policy template, 80000001"
+${PREFIX}createprimary -hi p -pol policies/policytemplatehash.bin > run.out
+checkSuccess $?
+
+echo "Start a policy session 03000000"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Policy Template"
+${PREFIX}policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be fb 94 ... "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create signing key under primary key"
+${PREFIX}create -si -hp 80000001 -kt f -kt p -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Template with TPM2_CreateLoaded"
+echo ""
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy Template"
+${PREFIX}policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be fb 94 ... "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create loaded signing key under primary key"
+${PREFIX}createloaded -si -hp 80000001 -kt f -kt p -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Flush the primary key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the created key 80000002"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo ""
+echo "Policy Template with TPM2_CreatePrimary"
+echo ""
+
+echo "Set primary policy for platform hierarchy"
+${PREFIX}setprimarypolicy -hi p -halg sha256 -pol policies/policytemplatehash.bin > run.out
+checkSuccess $?
+
+echo "Policy restart, set back to zero"
+${PREFIX}policyrestart -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy Template"
+${PREFIX}policytemplate -ha 03000000 -te policies/policytemplate.bin > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be fb 94 ... "
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create loaded primary signing key policy template, 80000001"
+${PREFIX}createprimary -si -hi p -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the primary key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+#
+# Use case of the PCR brittleness solution using PolicyAuthorize, but
+# where the authorizing public key is not hard coded in the sealed
+# blob policy. Rather, it's in an NV Index, so that the authorizing
+# key can be changed. Here, the authorization to change is platform
+# auth. The NV index is locked until reboot as a second level of
+# protection.
+#
+
+# Policy design
+
+# PolicyAuthorizeNV and Name of NV index AND Unseal
+# where the NV index holds PolicyAuthorize with the Name of the authorizing signing key
+# where PolicyAuthorize will authorize command Unseal AND PCR values
+
+# construct Policies
+
+# Provision the NV Index data first. The NV Index Name is needed for the policy
+# PolicyAuthorize with the Name of the authorizing signing key.
+
+# The authorizing signing key Name can be obtained using the TPM from
+# loadexternal below. It can also be calculated off line using this
+# utility
+
+# > publicname -ipem policies/rsapubkey.pem -halg sha256 -nalg sha256 -v -ns
+
+# policyauthorize and CA public key
+# policies/policyauthorizesha256.txt
+# 0000016a000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# (need blank line for policyRef)
+# > policymaker -halg sha256 -if policies/policyauthorizesha256.txt -pr -v -ns -of policies/policyauthorizesha256.bin
+# intermediate policy digest length 32
+# fc 17 cd 86 c0 4f be ca d7 17 5f ef c7 75 5b 63
+# a8 90 49 12 c3 2e e6 9a 4c 99 1a 7b 5a 59 bd 82
+# intermediate policy digest length 32
+# eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+# ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+# policy digest length 32
+# eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+# ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+# policy digest:
+# eba3f98c5eaf1ea8f94f519b4d2a3183ee79876672398e2315d933c288a8e503
+
+# Once the NV Index Name is known, calculated the sealed blob policy.
+
+# PolicyAuthorizeNV and Name of NV Index AND Unseal
+#
+# get NV Index Name from nvreadpublic after provisioning
+# 000b56e16f0b810a6418daab06822be142858beaf9a79d66f66ad7e8e541f142498e
+#
+# policies/policyauthorizenv-unseal.txt
+#
+# policyauthorizenv and Name of NV Index
+# 00000192000b56e16f0b810a6418daab06822be142858beaf9a79d66f66ad7e8e541f142498e
+# policy command code unseal
+# 0000016c0000015e
+#
+# > policymaker -halg sha256 -if policies/policyauthorizenv-unseal.txt -of policies/policyauthorizenv-unseal.bin -pr -v -ns
+# intermediate policy digest length 32
+# 2f 7a d9 b7 53 26 35 e5 03 8c e7 7b 8f 63 5e 4c
+# f9 96 c8 62 18 13 98 94 c2 71 45 e7 7d d5 e8 e8
+# intermediate policy digest length 32
+# cd 1b 24 26 fe 10 08 6c 52 35 85 94 22 a0 59 69
+# 33 4b 88 47 82 0d 0b d9 8c 43 1f 7f f7 36 34 5d
+# policy digest length 32
+# cd 1b 24 26 fe 10 08 6c 52 35 85 94 22 a0 59 69
+# 33 4b 88 47 82 0d 0b d9 8c 43 1f 7f f7 36 34 5d
+# policy digest:
+# cd1b2426fe10086c5235859422a05969334b8847820d0bd98c431f7ff736345d
+
+# The authorizing signer signs the PCR white list, here just PCR 16 extended with aaa
+# PCR 16 is the resettable debug PCR, convenient for development
+
+echo ""
+echo "PolicyAuthorizeNV -> PolicyAuthorize -> PolicyPCR"
+echo ""
+
+# Initial provisioning (NV Index)
+
+echo "NV Define Space"
+${PREFIX}nvdefinespace -ha 01000000 -hi p -hia p -sz 34 +at wst +at ar > run.out
+checkSuccess $?
+
+echo "Write algorithm ID into NV index 01000000"
+${PREFIX}nvwrite -ha 01000000 -hia p -off 0 -if policies/sha256.bin > run.out
+checkSuccess $?
+
+echo "Write the NV index at offset 2 with policy authorize and the Name of the CA signing key"
+${PREFIX}nvwrite -ha 01000000 -hia p -off 2 -if policies/policyauthorizesha256.bin > run.out
+checkSuccess $?
+
+echo "Lock the NV Index"
+${PREFIX}nvwritelock -ha 01000000 -hia p
+checkSuccess $?
+
+echo "Read the NV Index Name to be used above in Policy"
+${PREFIX}nvreadpublic -ha 01000000 -ns > run.out
+checkSuccess $?
+
+# Initial provisioning (Sealed Data)
+
+echo "Create a sealed data object"
+${PREFIX}create -hp 80000000 -nalg sha256 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -uwa -if msg.bin -pol policies/policyauthorizenv-unseal.bin > run.out
+checkSuccess $?
+
+# Once per new PCR approved values, signer authorizing PCRs in policysha256.bin
+
+echo "Openssl generate and sign aHash (empty policyRef) ${HALG}"
+openssl dgst -sha256 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policypcr16aaasha256.bin > run.out 2>&1
+echo " INFO:"
+
+# Once per boot, simulating setting PCRs to authorized values, lock
+# the NV index, which is unloaded at reboot to permit platform auth to
+# roll the authorized signing key
+
+echo "Lock the NV Index"
+${PREFIX}nvwritelock -ha 01000000 -hia p
+checkSuccess $?
+
+echo "PCR 16 Reset"
+${PREFIX}pcrreset -ha 16 > run.out
+checkSuccess $?
+
+echo "Extend PCR 16 to correct value"
+${PREFIX}pcrextend -halg sha256 -ha 16 -if policies/aaa > run.out
+checkSuccess $?
+
+# At each unseal, or reuse the ticket tkt.bin for its lifetime
+
+echo "Load external just the public part of PEM authorizing key sha256 80000001"
+${PREFIX}loadexternal -hi p -halg sha256 -nalg sha256 -ipem policies/rsapubkey.pem -ns > run.out
+checkSuccess $?
+
+echo "Verify the signature to generate ticket 80000001 sha256"
+${PREFIX}verifysignature -hk 80000001 -halg sha256 -if policies/policypcr16aaasha256.bin -is pssig.bin -raw -tk tkt.bin > run.out
+checkSuccess $?
+
+# Run time unseal
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p -halg sha256 > run.out
+checkSuccess $?
+
+echo "Policy PCR, update with the correct PCR 16 value"
+${PREFIX}policypcr -halg sha256 -ha 03000000 -bm 10000 > run.out
+checkSuccess $?
+
+echo "Policy get digest - should be policies/policypcr16aaasha256.bin"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+# policyauthorize process
+
+echo "Policy authorize using the ticket"
+${PREFIX}policyauthorize -ha 03000000 -appr policies/policypcr16aaasha256.bin -skn ${TPM_DATA_DIR}/h80000001.bin -tk tkt.bin > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policies/policyauthorizesha256.bin"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Flush the authorizing public key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Policy Authorize NV against NV Index 01000000"
+${PREFIX}policyauthorizenv -ha 01000000 -hs 03000000 > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policies/policyauthorizenv-unseal.bin intermediate"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Policy command code - unseal"
+${PREFIX}policycommandcode -ha 03000000 -cc 0000015e > run.out
+checkSuccess $?
+
+echo "Get policy digest, should be policies/policyauthorizenv-unseal.bin final"
+${PREFIX}policygetdigest -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Load the sealed data object"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Unseal the data blob"
+${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the sealed object"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+# cleanup
+
+
+rm -f tmppriv.bin
+rm -f tmppub.bin
+
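Review bot: `if [ -z $TPM_DATA_DIR ]; then` near the top of the file leaves the expansion unquoted, so it only behaves for the unset case by accident (`[ -z ]` with a lone argument is true) and a value containing whitespace makes `[` fail and skips the default; write `if [ -z "$TPM_DATA_DIR" ]; then` and quote the later use as `-skn "${TPM_DATA_DIR}/h80000001.bin"`. The `echo "Openssl generate and sign aHash (empty policyRef) ${HALG}"` line references HALG, which this script never sets (there is no ITERATE_ALGS loop here), so it prints whatever a previously sourced test left behind; drop `${HALG}` from the string. The openssl signing step checked only by `echo " INFO:"` and the cleanup that omits pssig.bin, tkt.bin, sig.bin and tmp.bin are the same points raised on testpolicy138.bat above and apply here unchanged.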
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.bat
new file mode 100644
index 0000000..ab8d985
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.bat
@@ -0,0 +1,224 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM $Id: testprimary.bat 1278 2018-07-23 21:20:42Z kgoldman $ #
+REM #
+REM (c) Copyright IBM Corporation 2015 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Primary key - CreatePrimary"
+echo ""
+
+echo "Create a primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Read the public part"
+%TPM_EXE_PATH%readpublic -ho 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create a storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the primary storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key - should fail"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Primary key - CreatePrimary with no unique field"
+echo ""
+
+REM no unique
+
+echo "Create a primary storage key with no unique field"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Create a storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the primary storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM empty unique
+
+echo "Create a primary storage key with no unique field"
+touch empty.bin
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -iu empty.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the original storage key under the primary key with empty unique field"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the primary storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Primary key - CreatePrimary with unique field"
+echo ""
+
+REM unique
+
+echo "Create a primary storage key with unique field"
+touch empty.bin
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -iu policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the original storage key under the primary key - should fail"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+echo "Create a storage key under the primary key"
+%TPM_EXE_PATH%create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the primary storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+REM same unique
+
+echo "Create a primary storage key with same unique field"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -iu policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Load the previous storage key under the primary key"
+%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo "Flush the primary storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+
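Review bot: The step labelled `"Create a primary storage key with no unique field"` in the `REM empty unique` section is the empty-unique case (the command passes `-iu empty.bin`), and the sibling testprimary.sh labels the same step `"Create a primary storage key with empty unique field"`; the .bat message should read the same so the two variants' run logs line up. The `touch empty.bin` before the `-iu policies/aaa` createprimary in the `REM unique` section is a leftover from the empty-unique section and is not used by that command; testprimary.sh carries the same stray line. Unlike testprimary.sh, which ends with `rm -f empty.bin`, this script never removes empty.bin, so a matching cleanup block before `exit /B 0` would keep the two variants consistent.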
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.sh
new file mode 100755
index 0000000..073d04f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testprimary.sh
@@ -0,0 +1,175 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testprimary.sh 1277 2018-07-23 20:30:23Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015 - 2018 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Primary key - CreatePrimary"
+echo ""
+
+echo "Create a primary storage key"
+${PREFIX}createprimary -hi p -pwdk sto > run.out
+checkSuccess $?
+
+echo "Read the public part"
+${PREFIX}readpublic -ho 80000001 > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key"
+${PREFIX}create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key - should fail"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkFailure $?
+
+echo ""
+echo "Primary key - CreatePrimary with no unique field"
+echo ""
+
+# no unique
+
+echo "Create a primary storage key with no unique field"
+${PREFIX}createprimary -hi p -pwdk sto > run.out
+checkSuccess $?
+
+echo "Create a storage key under the primary key"
+${PREFIX}create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# empty unique
+
+echo "Create a primary storage key with empty unique field"
+touch empty.bin
+${PREFIX}createprimary -hi p -pwdk sto -iu empty.bin > run.out
+checkSuccess $?
+
+echo "Load the original storage key under the primary key with empty unique field"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Primary key - CreatePrimary with unique field"
+echo ""
+
+# unique
+
+echo "Create a primary storage key with unique field"
+touch empty.bin
+${PREFIX}createprimary -hi p -pwdk sto -iu policies/aaa > run.out
+checkSuccess $?
+
+echo "Load the original storage key under the primary key - should fail"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkFailure $?
+
+echo "Create a storage key under the primary key"
+${PREFIX}create -hp 80000001 -st -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sto > run.out
+checkSuccess $?
+
+echo "Load the storage key under the primary key"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# same unique
+
+echo "Create a primary storage key with same unique field"
+${PREFIX}createprimary -hi p -pwdk sto -iu policies/aaa > run.out
+checkSuccess $?
+
+echo "Load the previous storage key under the primary key"
+${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000002 > run.out
+checkSuccess $?
+
+echo "Flush the primary storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# cleanup
+
+rm -f empty.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+
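Review bot: The cleanup section removes only empty.bin, while tmppriv.bin and tmppub.bin written by the `create` steps are left behind; the testpolicy.sh cleanup earlier in this commit removes both with `rm -f tmppriv.bin` and `rm -f tmppub.bin`, and the same two lines here would keep the regression scripts from depending on leftovers of each other. If a later script is meant to reuse these blobs, a comment saying so next to `# cleanup` would make that intent explicit rather than implicit.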
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.bat
new file mode 100644
index 0000000..5422a78
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.bat
@@ -0,0 +1,59 @@
+REM #############################################################################
+REM #
+REM TPM2 regression test #
+REM Written by Ken Goldman #
+REM IBM Thomas J. Watson Research Center #
+REM $Id: testrng.bat 480 2015-12-29 22:41:45Z kgoldman $ #
+REM #
+REM (c) Copyright IBM Corporation 2015 #
+REM #
+REM All rights reserved. #
+REM #
+REM Redistribution and use in source and binary forms, with or without #
+REM modification, are permitted provided that the following conditions are #
+REM met: #
+REM #
+REM Redistributions of source code must retain the above copyright notice, #
+REM this list of conditions and the following disclaimer. #
+REM #
+REM Redistributions in binary form must reproduce the above copyright #
+REM notice, this list of conditions and the following disclaimer in the #
+REM documentation and/or other materials provided with the distribution. #
+REM #
+REM Neither the names of the IBM Corporation nor the names of its #
+REM contributors may be used to endorse or promote products derived from #
+REM this software without specific prior written permission. #
+REM #
+REM THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Random Number Generator"
+echo ""
+
+echo "Stir Random"
+%TPM_EXE_PATH%stirrandom -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Get Random"
+%TPM_EXE_PATH%getrandom -by 64 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+exit /B 0
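Review bot: Both steps only check the exit status, so `getrandom -by 64` passes even when the TPM returns fewer than the 64 bytes requested, which the TPM 2.0 specification permits (the response is a TPM2B_DIGEST, so it is bounded by the largest supported digest size); the same applies to testrng.sh. If the utility's output is written to a file instead of run.out, the script could assert the byte count the way the testrsa scripts in this commit use `tail --bytes=` plus `diff` for a length check. If the intent is only to verify that the command round-trips, a `REM` stating that the returned byte count is not validated would make that explicit.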
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.sh
new file mode 100755
index 0000000..5da840d
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testrng.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# $Id: testrng.sh 979 2017-04-04 17:57:18Z kgoldman $ #
+# #
+# (c) Copyright IBM Corporation 2015, 2016 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Random Number Generator"
+echo ""
+
+echo "Stir Random"
+${PREFIX}stirrandom -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Get Random"
+${PREFIX}getrandom -by 64 > run.out
+checkSuccess $?
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.bat
new file mode 100644
index 0000000..789f028
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.bat
@@ -0,0 +1,432 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+for %%B in (2048 3072) do (
+
+ echo "generate the %%B encryption key with openssl"
+ openssl genrsa -out tmpkeypairrsa%%B.pem -aes256 -passout pass:rrrr 2048
+
+ echo "Convert key pair to plaintext DER format"
+ openssl rsa -inform pem -outform der -in tmpkeypairrsa%%B.pem -out tmpkeypairrsa%%B.der -passin pass:rrrr > run.out
+)
+
+echo ""
+echo "RSA decryption key"
+echo ""
+
+for %%B in (2048 3072) do (
+
+ echo "Load the RSA %%B decryption key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr derrsa%%Bpriv.bin -ipu derrsa%%Bpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "RSA encrypt with the %%B encryption key"
+ %TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "RSA decrypt with the %%B decryption key"
+ %TPM_EXE_PATH%rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin -pwdk dec > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ tail --bytes=3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the %%B decryption key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "RSA decryption key to sign with OID"
+echo ""
+
+for %%B in (2048 3072) do (
+
+ echo "Load the RSA %%B decryption key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipu derrsa%%Bpub.bin -ipr derrsa%%Bpriv.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ set HSIZ=20 32 48 64
+ set HALG=%ITERATE_ALGS%
+
+ set i=0
+ for %%a in (!HSIZ!) do set /A i+=1 & set HSIZ[!i!]=%%a
+ set i=0
+ for %%b in (!HALG!) do set /A i+=1 & set HALG[!i!]=%%b
+ set L=!i!
+
+ for /L %%i in (1,1,!L!) do (
+
+ echo "Decrypt/Sign with a caller specified OID - !HALG[%%i]!"
+ %TPM_EXE_PATH%rsadecrypt -hk 80000001 -pwdk dec -ie policies/!HALG[%%i]!aaa.bin -od tmpsig.bin -oid !HALG[%%i]! > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Encrypt/Verify - !HALG[%%i]!"
+ %TPM_EXE_PATH%rsaencrypt -hk 80000001 -id tmpsig.bin -oe tmpmsg.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify Result - !HALG[%%i]! !HSIZ[%%i]! bytes"
+ tail --bytes=!HSIZ[%%i]! tmpmsg.bin > tmpdig.bin
+ diff tmpdig.bin policies/!HALG[%%i]!aaa.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ )
+
+ echo "Flush the RSA %%B signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+)
+
+echo ""
+echo "Import PEM RSA encryption key"
+echo ""
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%B in (2048 3072) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Import the %%B encryption key under the primary key"
+ %TPM_EXE_PATH%importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa%%B.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the TPM encryption key"
+ %TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign the message %%~S - should fail"
+ %TPM_EXE_PATH%sign -hk 80000001 -pwdk rrrr -if policies/aaa -os tmpsig.bin %%~S > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "RSA encrypt with the encryption key"
+ %TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "RSA decrypt with the decryption key %%~S"
+ %TPM_EXE_PATH%rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ tail --bytes=3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the encryption key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Loadexternal DER encryption key"
+echo ""
+
+for %%B in (2048 3072) do (
+
+ echo "Start an HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Load the openssl key pair in the NULL hierarchy 80000001"
+ %TPM_EXE_PATH%loadexternal -den -ider tmpkeypairrsa%%B.der -pwdk rrrr > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "RSA encrypt with the encryption key"
+ %TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "RSA decrypt with the decryption key %%~S"
+ %TPM_EXE_PATH%rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the decrypt result"
+ tail --bytes=3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the encryption key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+
+ echo "Flush the session"
+ %TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo ""
+echo "Encrypt with OpenSSL OAEP, decrypt with TPM"
+echo ""
+
+echo "Create OAEP encryption key"
+%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha1 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load encryption key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipr tmpprivkey.bin -ipu tmppubkey.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Encrypt using OpenSSL and the PEM public key"
+openssl rsautl -oaep -encrypt -inkey tmppubkey.pem -pubin -in policies/aaa -out enc.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Decrypt using TPM key at 80000001"
+%TPM_EXE_PATH%rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the decrypt result"
+diff policies/aaa dec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the encryption key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Child RSA decryption key RSAES"
+echo ""
+
+echo "Create RSAES encryption key"
+%TPM_EXE_PATH%create -hp 80000000 -pwdp sto -dee -opr deepriv.bin -opu deepub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load encryption key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -pwdp sto -ipr deepriv.bin -ipu deepub.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA encrypt with the encryption key"
+%TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA decrypt with the decryption key"
+%TPM_EXE_PATH%rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the decrypt result"
+tail --bytes=3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the encryption key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Primary RSA decryption key RSAES"
+echo ""
+
+echo "Create Primary RSAES encryption key"
+%TPM_EXE_PATH%createprimary -hi p -dee -halg sha256 -opem tmppubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA encrypt with the encryption key"
+%TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA decrypt with the decryption key"
+%TPM_EXE_PATH%rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the decrypt result"
+tail --bytes=3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the encryption key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Primary Create Loaded RSA decryption key RSAES"
+echo ""
+
+echo "CreateLoaded primary key, storage parent 80000001"
+%TPM_EXE_PATH%createloaded -hp 40000001 -dee > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA encrypt with the encryption key"
+%TPM_EXE_PATH%rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "RSA decrypt with the decryption key"
+%TPM_EXE_PATH%rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+echo "Verify the decrypt result"
+tail --bytes=3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the encryption key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM cleanup
+
+rm -f tmp.bin
+rm -f enc.bin
+rm -f dec.bin
+rm -f deepub.bin
+rm -f deepriv.bin
+rm -f tmpmsg.bin
+rm -f tmpdig.bin
+rm -f tmpsig.bin
+rm -f tmpkeypairrsa2048.der
+rm -f tmpkeypairrsa2048.pem
+rm -f tmpkeypairrsa3072.der
+rm -f tmpkeypairrsa3072.pem
+rm -f tmppubkey.bin
+rm -f tmppubkey.pem
+rm -f tmpprivkey.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+REM
+REM flushcontext -ha 80000001
+
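Review bot: `openssl genrsa -out tmpkeypairrsa%%B.pem -aes256 -passout pass:rrrr 2048` inside the `for %%B in (2048 3072)` loop hard-codes the key size, so tmpkeypairrsa3072.pem/.der actually hold a 2048-bit key and the 3072 iterations of the importpem and loadexternal sections exercise the wrong size; the last argument should be `%%B`. In the OID signing section, `checkSuccess $?` after `flushcontext -ha 80000001` is bash syntax that cmd cannot run, so that flush is unchecked (and cmd will presumably print an unrecognized-command error); it should be the `IF !ERRORLEVEL! NEQ 0 ( exit /B 1 )` guard used everywhere else in the file. Separately, the echo `"CreateLoaded primary key, storage parent 80000001"` does not match its command, which passes `-hp 40000001`. The hash-size table `set HSIZ=20 32 48 64` is paired positionally with `%ITERATE_ALGS%`, which presumably only lines up when that variable is exactly the four algorithms in that order, so a `REM` stating the assumption would help the next person who changes ITERATE_ALGS.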
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.sh
new file mode 100755
index 0000000..23bf894
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testrsa.sh
@@ -0,0 +1,350 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# openssl keys to use in this file
+
+echo ""
+echo "Test RSA"
+echo ""
+
+for BITS in 2048 3072
+do
+
+ echo "generate the RSA $BITS encryption key with openssl"
+ openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
+
+ echo "Convert key pair to plaintext DER format"
+ openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
+
+done
+
+echo ""
+echo "RSA decryption key"
+echo ""
+
+for BITS in 2048 3072
+do
+
+ echo "Load the RSA $BITS decryption key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr derrsa${BITS}priv.bin -ipu derrsa${BITS}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "RSA encrypt with the $BITS encryption key"
+ ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ checkSuccess $?
+
+ echo "RSA decrypt with the ${BITS} decryption key"
+ ${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin -pwdk dec > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ tail -c 3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the $BITS decryption key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "RSA decryption key to sign with OID"
+echo ""
+
+for BITS in 2048 3072
+do
+
+ echo "Load the RSA $BITS decryption key"
+ ${PREFIX}load -hp 80000000 -ipu derrsa${BITS}pub.bin -ipr derrsa${BITS}priv.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ HALG=(${ITERATE_ALGS})
+ HSIZ=("20" "32" "48" "64")
+
+ for ((i = 0 ; i < 4 ; i++))
+ do
+
+ echo "Decrypt/Sign with a caller specified OID - ${HALG[i]}"
+ ${PREFIX}rsadecrypt -hk 80000001 -pwdk dec -ie policies/${HALG[i]}aaa.bin -od tmpsig.bin -oid ${HALG[i]} > run.out
+ checkSuccess $?
+
+ echo "Encrypt/Verify - ${HALG[i]}"
+ ${PREFIX}rsaencrypt -hk 80000001 -id tmpsig.bin -oe tmpmsg.bin > run.out
+ checkSuccess $?
+
+ echo "Verify Result - ${HALG[i]} ${HSIZ[i]} bytes"
+ tail -c ${HSIZ[i]} tmpmsg.bin > tmpdig.bin
+ diff tmpdig.bin policies/${HALG[i]}aaa.bin > run.out
+ checkSuccess $?
+
+ done
+
+ echo "Flush the RSA ${BITS} decryption key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Import PEM RSA encryption key"
+echo ""
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for BITS in 2048 3072
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Import the $BITS encryption key under the primary key"
+ ${PREFIX}importpem -hp 80000000 -den -pwdp sto -ipem tmpkeypairrsa${BITS}.pem -pwdk rrrr -opu tmppub.bin -opr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Load the TPM encryption key"
+ ${PREFIX}load -hp 80000000 -pwdp sto -ipu tmppub.bin -ipr tmppriv.bin > run.out
+ checkSuccess $?
+
+ echo "Sign the message ${SESS} - should fail"
+ ${PREFIX}sign -hk 80000001 -pwdk rrrr -if policies/aaa -os tmpsig.bin ${SESS} > run.out
+ checkFailure $?
+
+ echo "RSA encrypt with the encryption key"
+ ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ checkSuccess $?
+
+ echo "RSA decrypt with the decryption key ${SESS}"
+ ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ tail -c 3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the encryption key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+
+done
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo ""
+echo "Loadexternal DER encryption key"
+echo ""
+
+for BITS in 2048 3072
+do
+
+ echo "Start an HMAC auth session"
+ ${PREFIX}startauthsession -se h > run.out
+ checkSuccess $?
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Load the openssl key pair in the NULL hierarchy 80000001"
+ ${PREFIX}loadexternal -den -ider tmpkeypairrsa${BITS}.der -pwdk rrrr > run.out
+ checkSuccess $?
+
+ echo "RSA encrypt with the encryption key"
+ ${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+ checkSuccess $?
+
+ echo "RSA decrypt with the decryption key ${SESS}"
+ ${PREFIX}rsadecrypt -hk 80000001 -pwdk rrrr -ie enc.bin -od dec.bin ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Verify the decrypt result"
+ tail -c 3 dec.bin > tmp.bin
+ diff policies/aaa tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the encryption key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+
+ echo "Flush the session"
+ ${PREFIX}flushcontext -ha 02000000 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Encrypt with OpenSSL OAEP, decrypt with TPM"
+echo ""
+
+echo "Create OAEP encryption key"
+${PREFIX}create -hp 80000000 -pwdp sto -deo -kt f -kt p -halg sha1 -opr tmpprivkey.bin -opu tmppubkey.bin -opem tmppubkey.pem > run.out
+checkSuccess $?
+
+echo "Load encryption key at 80000001"
+${PREFIX}load -hp 80000000 -pwdp sto -ipr tmpprivkey.bin -ipu tmppubkey.bin > run.out
+checkSuccess $?
+
+echo "Encrypt using OpenSSL and the PEM public key"
+openssl rsautl -oaep -encrypt -inkey tmppubkey.pem -pubin -in policies/aaa -out enc.bin > run.out 2>&1
+checkSuccess $?
+
+echo "Decrypt using TPM key at 80000001"
+${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+checkSuccess $?
+
+echo "Verify the decrypt result"
+diff policies/aaa dec.bin > run.out
+checkSuccess $?
+
+echo "Flush the encryption key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Child RSA decryption key RSAES"
+echo ""
+
+echo "Create RSAES encryption key"
+${PREFIX}create -hp 80000000 -pwdp sto -dee -opr deepriv.bin -opu deepub.bin > run.out
+checkSuccess $?
+
+echo "Load encryption key at 80000001"
+${PREFIX}load -hp 80000000 -pwdp sto -ipr deepriv.bin -ipu deepub.bin > run.out
+checkSuccess $?
+
+echo "RSA encrypt with the encryption key"
+${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+checkSuccess $?
+
+echo "RSA decrypt with the decryption key"
+${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+checkSuccess $?
+
+echo "Verify the decrypt result"
+tail -c 3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the encryption key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Primary RSA decryption key RSAES"
+echo ""
+
+echo "Create Primary RSAES encryption key"
+${PREFIX}createprimary -hi p -dee -halg sha256 -opem tmppubkey.pem > run.out
+checkSuccess $?
+
+echo "RSA encrypt with the encryption key"
+${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+checkSuccess $?
+
+echo "RSA decrypt with the decryption key"
+${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+checkSuccess $?
+
+echo "Verify the decrypt result"
+tail -c 3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the encryption key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Primary Create Loaded RSA decryption key RSAES"
+echo ""
+
+echo "CreateLoaded primary key, storage parent 80000001"
+${PREFIX}createloaded -hp 40000001 -dee > run.out
+checkSuccess $?
+
+echo "RSA encrypt with the encryption key"
+${PREFIX}rsaencrypt -hk 80000001 -id policies/aaa -oe enc.bin > run.out
+checkSuccess $?
+
+echo "RSA decrypt with the decryption key"
+${PREFIX}rsadecrypt -hk 80000001 -ie enc.bin -od dec.bin > run.out
+checkSuccess $?
+
+echo "Verify the decrypt result"
+tail -c 3 dec.bin > tmp.bin
+diff policies/aaa tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the encryption key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# cleanup
+
+rm -f tmp.bin
+rm -f enc.bin
+rm -f dec.bin
+rm -f deepriv.bin
+rm -f deepub.bin
+rm -f tmpmsg.bin
+rm -f tmpdig.bin
+rm -f tmpsig.bin
+rm -f tmpkeypairrsa2048.der
+rm -f tmpkeypairrsa2048.pem
+rm -f tmpkeypairrsa3072.der
+rm -f tmpkeypairrsa3072.pem
+rm -f tmppubkey.bin
+rm -f tmppubkey.pem
+rm -f tmpprivkey.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+
+# ${PREFIX}flushcontext -ha 80000001
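Review bot: The `openssl genrsa` call in the first `for BITS` loop hard-codes the modulus size to 2048 while the output file is named by `${BITS}`, so the 3072 iteration writes a 2048-bit key under the tmpkeypairrsa3072 name and the later "Import the $BITS encryption key" and loadexternal passes never exercise a 3072-bit key; the last argument should be the loop variable: `openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr ${BITS} > run.out 2>&1`. Neither that command nor the following `openssl rsa` conversion is followed by `checkSuccess $?`, unlike every TPM command in the file, so a failure there only surfaces later as an unrelated import or loadexternal error; adding `checkSuccess $?` after each would localize it. The OAEP section's `openssl rsautl` is deprecated in OpenSSL 3.x in favour of `pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep`; it still runs there with a warning, so this is forward-looking rather than a defect against the OpenSSL the commit targets.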
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.bat
new file mode 100644
index 0000000..774751b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.bat
@@ -0,0 +1,433 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Salt Session - Load"
+echo ""
+
+for %%A in ("-rsa 2048" "-rsa 3072" "-ecc nistp256") do (
+
+ for %%H in (%ITERATE_ALGS%) do (
+
+ REM In general a storage key can be used. A decryption key is
+ REM used here because the hash algorithm doesn't have to match
+ REM that of the parent.
+
+ echo "Create a %%A %%H storage key under the primary key "
+ %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -halg %%H %%~A -deo -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 222 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the %%A storage key 80000001 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a %%A salted HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key using the salt"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+echo ""
+echo "Salt Session - Load External"
+echo ""
+
+echo "Create RSA and ECC key pairs in PEM format using openssl"
+
+openssl genrsa -out tmpkeypairrsa.pem -aes256 -passout pass:rrrr 2048 > run.out
+openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out
+
+echo "Convert key pair to plaintext DER format"
+
+openssl rsa -inform pem -outform der -in tmpkeypairrsa.pem -out tmpkeypairrsa.der -passin pass:rrrr > run.out
+openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Load the RSA openssl key pair in the NULL hierarchy 80000001 - %%H"
+ %TPM_EXE_PATH%loadexternal -halg %%H -st -ider tmpkeypairrsa.der > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a salted HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key using the salt"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Load the ECC openssl key pair in the NULL hierarchy 80000001 - %%H"
+ %TPM_EXE_PATH%loadexternal -ecc -halg %%H -st -ider tmpkeypairecc.der > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a salted HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key using the salt"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo ""
+echo "Salt Session - CreatePrimary storage key"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a primary storage key - %%H"
+ %TPM_EXE_PATH%createprimary -nalg %%H -hi p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a salted HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a signing key using the salt"
+ %TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Salt Session - CreatePrimary RSA key"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a primary RSA key - %%H"
+ %TPM_EXE_PATH%createprimary -nalg %%H -halg %%H -hi p -deo > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a salted HMAC auth session"
+ %TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Create a primary HMAC key using the salt"
+ %TPM_EXE_PATH%createprimary -kh -se0 02000000 0 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the HMAC key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the RSA key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo ""
+echo "Salt Session - EvictControl"
+echo ""
+
+echo "Load the storage key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Make the storage key persistent"
+%TPM_EXE_PATH%evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a salted HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 81800000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key using the salt"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key from transient memory"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key from persistent memory"
+%TPM_EXE_PATH%evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Salt Session - ContextSave and ContextLoad"
+echo ""
+
+echo "Load the storage key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save context for the key at 80000001"
+%TPM_EXE_PATH%contextsave -ha 80000001 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key at 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load context, new storage key at 80000001"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a salted HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key using the salt"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the context loaded key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Salt Audit Session - PCR Read, Read Public, NV Read Public"
+echo ""
+
+echo "Load the storage key at 80000001"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a salted HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h -hs 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR read with salted audit session"
+%TPM_EXE_PATH%pcrread -ha 16 -se0 02000000 81 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read public with salted audit session"
+%TPM_EXE_PATH%readpublic -ho 80000001 -se0 02000000 81 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV define space"
+%TPM_EXE_PATH%nvdefinespace -ha 01000000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Read public with salted audit session"
+%TPM_EXE_PATH%nvreadpublic -ha 01000000 -se0 02000000 81 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the salt session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV undefine space"
+%TPM_EXE_PATH%nvundefinespace -ha 01000000 -hi p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+
+echo ""
+echo "Salt Policy Session with policyauthvalue"
+echo ""
+
+echo "Load the RSA storage key 80000001 under the primary key 80000000"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a salted policy session"
+%TPM_EXE_PATH%startauthsession -se p -hs 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy command code - create"
+%TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 153 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Policy authvalue"
+%TPM_EXE_PATH%policyauthvalue -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key using the salt"
+%TPM_EXE_PATH%create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the storage key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Salt Policy Session with no policyauthvalue"
+echo ""
+
+echo "Start a salted policy session"
+%TPM_EXE_PATH%startauthsession -se p -hs 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a signing key using the salt"
+%TPM_EXE_PATH%create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -se0 03000000 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -f tmpkeypairrsa.pem
+rm -f tmpkeypairecc.pem
+rm -f tmpkeypairrsa.der
+rm -f tmpkeypairecc.der
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+
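Review bot: The four `openssl` invocations after "Create RSA and ECC key pairs in PEM format" run without the `IF !ERRORLEVEL! NEQ 0 ( exit /B 1 )` block that follows every TPM command in this file, so a missing openssl binary or a failed conversion leaves tmpkeypairrsa.der/tmpkeypairecc.der stale or absent and the failure only appears later as a loadexternal error; the same check block should follow each call. The `openssl ec` conversion passes `-passin pass:rrrr` although `ecparam -genkey` wrote the ECC key unencrypted, which is harmless but implies an encryption step that does not exist. The RSA loadexternal in the first `%%H` loop omits the `-rsa` option that the sibling testsalt.sh passes (`loadexternal -rsa -halg ...`); if RSA is the tool's default key type this is fine, but keeping the two scripts identical avoids a silent divergence between platforms.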
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.sh
new file mode 100755
index 0000000..05e0b30
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testsalt.sh
@@ -0,0 +1,347 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "Salt Session - Load"
+echo ""
+
+# mbedtls port does not support ECC salted sessions yet
+
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+ SALTALGS=("-rsa 2048" "-rsa 3072" "-ecc nistp256")
+elif [ ${CRYPTOLIBRARY} == "mbedtls" ]; then
+ SALTALGS=("-rsa 2048")
+else
+ echo "Error: crypto library ${CRYPTOLIBRARY} not supported"
+ exit 255
+fi
+
+for ASY in "${SALTALGS[@]}"
+do
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ # In general a storage key can be used. A decryption key is
+ # used here because the hash algorithm doesn't have to match
+ # that of the parent.
+
+ echo "Create a ${ASY} ${HALG} decryption key under the primary key "
+ ${PREFIX}create -hp 80000000 -nalg ${HALG} -halg ${HALG} ${ASY} -deo -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 222 > run.out
+ checkSuccess $?
+
+ echo "Load the ${ASY} storage key 80000001 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a ${ASY} salted HMAC auth session"
+ ${PREFIX}startauthsession -se h -hs 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a signing key using the salt"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+done
+
+echo ""
+echo "Salt Session - Load External"
+echo ""
+
+echo "Create RSA and ECC key pairs in PEM format using openssl"
+
+openssl genrsa -out tmpkeypairrsa.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
+openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out 2>&1
+
+echo "Convert key pair to plaintext DER format"
+
+openssl rsa -inform pem -outform der -in tmpkeypairrsa.pem -out tmpkeypairrsa.der -passin pass:rrrr > run.out 2>&1
+openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out 2>&1
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Load the RSA openssl key pair in the NULL hierarchy 80000001 - ${HALG}"
+ ${PREFIX}loadexternal -rsa -halg ${HALG} -st -ider tmpkeypairrsa.der > run.out
+ checkSuccess $?
+
+ echo "Start a salted HMAC auth session"
+ ${PREFIX}startauthsession -se h -hs 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a signing key using the salt"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ echo "Load the ECC openssl key pair in the NULL hierarchy 80000001 - ${HALG}"
+ ${PREFIX}loadexternal -ecc -halg ${HALG} -st -ider tmpkeypairecc.der > run.out
+ checkSuccess $?
+
+ echo "Start a salted HMAC auth session"
+ ${PREFIX}startauthsession -se h -hs 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a signing key using the salt"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ done
+fi
+
+echo ""
+echo "Salt Session - CreatePrimary storage key"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create a primary storage key - $HALG"
+ ${PREFIX}createprimary -nalg $HALG -hi p > run.out
+ checkSuccess $?
+
+ echo "Start a salted HMAC auth session"
+ ${PREFIX}startauthsession -se h -hs 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a signing key using the salt"
+ ${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Salt Session - CreatePrimary RSA key"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create a primary RSA key - $HALG"
+ ${PREFIX}createprimary -nalg $HALG -halg $HALG -hi p -deo > run.out
+ checkSuccess $?
+
+ echo "Start a salted HMAC auth session"
+ ${PREFIX}startauthsession -se h -hs 80000001 > run.out
+ checkSuccess $?
+
+ echo "Create a primary HMAC key using the salt"
+ ${PREFIX}createprimary -kh -se0 02000000 0 > run.out
+ checkSuccess $?
+
+ echo "Flush the HMAC key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the RSA key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Salt Session - EvictControl"
+echo ""
+
+echo "Load the storage key"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Make the storage key persistent"
+${PREFIX}evictcontrol -ho 80000001 -hp 81800000 -hi p > run.out
+checkSuccess $?
+
+echo "Start a salted HMAC auth session"
+${PREFIX}startauthsession -se h -hs 81800000 > run.out
+checkSuccess $?
+
+echo "Create a signing key using the salt"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the storage key from transient memory"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the storage key from persistent memory"
+${PREFIX}evictcontrol -ho 81800000 -hp 81800000 -hi p > run.out
+checkSuccess $?
+
+echo ""
+echo "Salt Session - ContextSave and ContextLoad"
+echo ""
+
+echo "Load the storage key at 80000001"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Save context for the key at 80000001"
+${PREFIX}contextsave -ha 80000001 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the storage key at 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Load context, new storage key at 80000001"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Start a salted HMAC auth session"
+${PREFIX}startauthsession -se h -hs 80000001 > run.out
+checkSuccess $?
+
+echo "Create a signing key using the salt"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 333 -se0 02000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the context loaded key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Salt Audit Session - PCR Read, Read Public, NV Read Public"
+echo ""
+
+echo "Load the storage key at 80000001"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a salted HMAC auth session"
+${PREFIX}startauthsession -se h -hs 80000001 > run.out
+checkSuccess $?
+
+echo "PCR read with salted audit session"
+${PREFIX}pcrread -ha 16 -se0 02000000 81 > run.out
+checkSuccess $?
+
+echo "Read public with salted audit session"
+${PREFIX}readpublic -ho 80000001 -se0 02000000 81 > run.out
+checkSuccess $?
+
+echo "NV define space"
+${PREFIX}nvdefinespace -ha 01000000 -hi p > run.out
+checkSuccess $?
+
+echo "NV Read public with salted audit session"
+${PREFIX}nvreadpublic -ha 01000000 -se0 02000000 81 > run.out
+checkSuccess $?
+
+echo "Flush the storage key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the salt session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "NV undefine space"
+${PREFIX}nvundefinespace -ha 01000000 -hi p > run.out
+checkSuccess $?
+
+echo ""
+echo "Salt Policy Session with policyauthvalue"
+echo ""
+
+echo "Load the RSA storage key 80000001 under the primary key 80000000"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a salted policy session"
+${PREFIX}startauthsession -se p -hs 80000001 > run.out
+checkSuccess $?
+
+echo "Policy command code - create"
+${PREFIX}policycommandcode -ha 03000000 -cc 153 > run.out
+checkSuccess $?
+
+echo "Policy authvalue"
+${PREFIX}policyauthvalue -ha 03000000 > run.out
+checkSuccess $?
+
+echo "Create a signing key using the salt"
+${PREFIX}create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -se0 03000000 0 > run.out
+checkSuccess $?
+
+echo "Flush the storage key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Salt Policy Session with no policyauthvalue"
+echo ""
+
+echo "Start a salted policy session"
+${PREFIX}startauthsession -se p -hs 80000000 > run.out
+checkSuccess $?
+
+echo "Create a signing key using the salt"
+${PREFIX}create -hp 80000000 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -se0 03000000 0 > run.out
+checkSuccess $?
+
+rm -f tmpkeypairrsa.pem
+rm -f tmpkeypairecc.pem
+rm -f tmpkeypairrsa.der
+rm -f tmpkeypairecc.der
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+
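Review bot: The `CRYPTOLIBRARY` comparisons at the top of the file expand the variable unquoted, so when it is unset or empty both `[` tests fail with `[: ==: unary operator expected` before control reaches the error exit; quoting the expansion gives a clean comparison: `if [ "${CRYPTOLIBRARY}" == "openssl" ]; then` and `elif [ "${CRYPTOLIBRARY}" == "mbedtls" ]; then`. The ECC load-external loop is correctly gated on openssl, but the `openssl ecparam`/`openssl ec` generation and conversion above it run unconditionally and, like the two RSA commands, have no `checkSuccess $?` after them, so a failure there is only detected by a later loadexternal. The `openssl ec` conversion also passes `-passin pass:rrrr` for a key that `ecparam -genkey` wrote unencrypted; it is harmless but suggests an encryption step that does not exist.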
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.bat
new file mode 100644
index 0000000..0521261
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.bat
@@ -0,0 +1,541 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+REM 01000000 WST
+REM 01000001 WD WST
+REM 01000002 GL
+REM 01000003 GL WD
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "TPM Resume (state/state) - suspend"
+echo ""
+
+echo "PCR 0 Extend"
+%TPM_EXE_PATH%pcrextend -ha 0 -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR 0 Read"
+%TPM_EXE_PATH%pcrread -ha 0 -of tmp1.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save the session context"
+%TPM_EXE_PATH%contextsave -ha 02000001 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Context save the signing key"
+%TPM_EXE_PATH%contextsave -ha 80000001 -of tmpsk.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Define index 01000000 with write stclear, read stclear"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at rst +at wst > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Define index 01000001 with write stclear, read stclear"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000001 -pwdn nnn -sz 16 +at rst +at wst +at wd > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Define index 01000002 with write stclear, read stclear"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000002 -pwdn nnn -sz 16 +at rst +at gl > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Define index 01000003 with write stclear, read stclear"
+%TPM_EXE_PATH%nvdefinespace -hi o -ha 01000003 -pwdn nnn -sz 16 +at rst +at gl +at wd > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000000"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000001"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000002"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000003"
+%TPM_EXE_PATH%nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Read lock"
+%TPM_EXE_PATH%nvreadlock -ha 01000000 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write lock 01000000"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write lock 01000001"
+%TPM_EXE_PATH%nvwritelock -ha 01000001 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV global lock (01000002 and 01000003)"
+%TPM_EXE_PATH%nvglobalwritelock -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000001 - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000002 - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000003 - should fail"
+%TPM_EXE_PATH%nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Shutdown state"
+%TPM_EXE_PATH%shutdown -s > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Power cycle"
+%TPM_EXE_PATH%powerup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup state"
+%TPM_EXE_PATH%startup -s > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR 0 Read"
+%TPM_EXE_PATH%pcrread -ha 0 -of tmp2.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify that PCR 0 is restored"
+diff tmp1.bin tmp2.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Context load the signing key"
+%TPM_EXE_PATH%contextload -if tmpsk.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Signing Key Self Certify"
+%TPM_EXE_PATH%certify -hk 80000000 -ho 80000000 -pwdk sig -pwdo sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Signing Key Self Certify - should fail, signing key missing"
+%TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Load the signing key - should fail, primary key missing"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Create a platform primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto -pol policies/zerosha256.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Signing Key Self Certify - should fail, signing key missing"
+%TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Signing Key Self Certify - should fail, session missing"
+%TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Load the saved session context"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Signing Key Self Certify"
+%TPM_EXE_PATH%certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000001 0 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000000 - should fail, still locked after TPM Resume"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000001 - should fail, still locked after TPM Resume"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000002 - should fail, still locked after TPM Resume"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000003 - should fail, still locked after TPM Resume"
+%TPM_EXE_PATH%nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV read - should fail, still locked"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "TPM Restart (state/clear) - hibernate"
+echo ""
+
+echo "Load the signing key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Context save the signing key"
+%TPM_EXE_PATH%contextsave -ha 80000001 -of tmpsk.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save the session"
+%TPM_EXE_PATH%contextsave -ha 02000000 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Shutdown state"
+%TPM_EXE_PATH%shutdown -s > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Power cycle"
+%TPM_EXE_PATH%powerup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup clear"
+%TPM_EXE_PATH%startup -c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the session"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Context load the signing key"
+%TPM_EXE_PATH%contextload -if tmpsk.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "PCR 0 Read"
+%TPM_EXE_PATH%pcrread -ha 0 -halg sha1 -of tmp2.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify that PCR 0 is reset"
+diff policies/policypcr0.bin tmp2.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000000 - unlocked after TPM Restart"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000001 - should fail, still locked after TPM Restart"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000002 - unlocked after TPM Restart"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000003 - should fail, still locked after TPM Restart"
+%TPM_EXE_PATH%nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV read"
+%TPM_EXE_PATH%nvread -ha 01000000 -pwdn nnn -sz 16 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Write lock 01000000"
+%TPM_EXE_PATH%nvwritelock -ha 01000000 -pwdn nnn > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV global lock (01000002 and 01000003)"
+%TPM_EXE_PATH%nvglobalwritelock -hia p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Recreate a platform primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "TPM Reset (clear/clear) - cold boot"
+echo ""
+
+echo "Start a session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Save the session"
+%TPM_EXE_PATH%contextsave -ha 02000000 -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Shutdown clear"
+%TPM_EXE_PATH%shutdown -c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Power cycle"
+%TPM_EXE_PATH%powerup > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Startup clear"
+%TPM_EXE_PATH%startup -c > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the session - should fail"
+%TPM_EXE_PATH%contextload -if tmp.bin > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Recreate a platform primary storage key"
+%TPM_EXE_PATH%createprimary -hi p -pwdk sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000000 - unlocked after TPM Reset"
+%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000001 - should fail, still locked after TPM Reset"
+%TPM_EXE_PATH%nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV write 01000002 - unlocked after TPM Reset"
+%TPM_EXE_PATH%nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV write 01000003 - should fail, still locked after TPM Reset"
+%TPM_EXE_PATH%nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000000"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000001"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000002"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000002 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "NV Undefine Space 01000003"
+%TPM_EXE_PATH%nvundefinespace -hi p -ha 01000003 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM shutdown removes the session
+rm h02000000.bin
+rm tmpsk.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
+REM getcapability -cap 1 -pr 01000000
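Review bot: The negative write check for index 01000000 is missing between the `NV global lock` step and `Shutdown state`: the script write-locks 01000000 but only verifies that 01000001, 01000002 and 01000003 reject writes before the power cycle, whereas the bash version of this test in the same commit also asserts `NV write 01000000 - should fail` there, so the two scripts are not equivalent and the WST-before-resume case is untested on Windows. The block below, mirroring the existing should-fail steps, closes that gap. Separately, the four `Define index ... with write stclear, read stclear` labels only describe 01000000: 01000001 additionally sets `+at wd`, and 01000002/01000003 use `+at gl` instead of `+at wst`, so each echo should follow the `+at` flags on its own line (the `REM 01000000 WST` table at the top already lists them correctly). The trailing `rm h02000000.bin` / `rm tmpsk.bin` are unchecked and `rm` is not a cmd builtin, which is harmless for the exit status but presumably relies on a Unix-like toolchain being on PATH, worth confirming.
```batch
REM … unchanged: NV global lock (01000002 and 01000003) and its ERRORLEVEL check …
echo "NV write 01000000 - should fail"
%TPM_EXE_PATH%nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
IF !ERRORLEVEL! EQU 0 (
 exit /B 1
)
REM … unchanged: NV write 01000001 - should fail …
```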
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.sh
new file mode 100755
index 0000000..c73481c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testshutdown.sh
@@ -0,0 +1,396 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# NV Index
+# 01000000 WST
+# 01000001 WD WST
+# 01000002 GL
+# 01000003 GL WD
+
+echo ""
+echo "TPM Resume (state/state) - suspend"
+echo ""
+
+echo "PCR 0 Extend"
+${PREFIX}pcrextend -ha 0 -if policies/aaa > run.out
+checkSuccess $?
+
+echo "PCR 0 Read"
+${PREFIX}pcrread -ha 0 -of tmp1.bin > run.out
+checkSuccess $?
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Start an HMAC session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Save the session context"
+${PREFIX}contextsave -ha 02000001 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Context save the signing key"
+${PREFIX}contextsave -ha 80000001 -of tmpsk.bin > run.out
+checkSuccess $?
+
+echo "Define index 01000000 with write stclear, read stclear"
+${PREFIX}nvdefinespace -hi o -ha 01000000 -pwdn nnn -sz 16 +at rst +at wst > run.out
+checkSuccess $?
+
+echo "Define index 01000001 with write stclear, read stclear"
+${PREFIX}nvdefinespace -hi o -ha 01000001 -pwdn nnn -sz 16 +at rst +at wst +at wd > run.out
+checkSuccess $?
+
+echo "Define index 01000002 with write stclear, read stclear"
+${PREFIX}nvdefinespace -hi o -ha 01000002 -pwdn nnn -sz 16 +at rst +at gl > run.out
+checkSuccess $?
+
+echo "Define index 01000003 with write stclear, read stclear"
+${PREFIX}nvdefinespace -hi o -ha 01000003 -pwdn nnn -sz 16 +at rst +at gl +at wd > run.out
+checkSuccess $?
+
+echo "NV write 01000000"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000001"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000002"
+${PREFIX}nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000003"
+${PREFIX}nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "Read lock"
+${PREFIX}nvreadlock -ha 01000000 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "Write lock 01000000"
+${PREFIX}nvwritelock -ha 01000000 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "Write lock 01000001"
+${PREFIX}nvwritelock -ha 01000001 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "NV global lock (01000002 and 01000003)"
+${PREFIX}nvglobalwritelock -hia p > run.out
+checkSuccess $?
+
+echo "NV write 01000000 - should fail"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000001 - should fail"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000002 - should fail"
+${PREFIX}nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000003 - should fail"
+${PREFIX}nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "Shutdown state"
+${PREFIX}shutdown -s > run.out
+checkSuccess $?
+
+echo "Power cycle"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup state"
+${PREFIX}startup -s > run.out
+checkSuccess $?
+
+echo "PCR 0 Read"
+${PREFIX}pcrread -ha 0 -of tmp2.bin > run.out
+checkSuccess $?
+
+echo "Verify that PCR 0 is restored"
+diff tmp1.bin tmp2.bin > run.out
+checkSuccess $?
+
+echo "Context load the signing key"
+${PREFIX}contextload -if tmpsk.bin > run.out
+checkSuccess $?
+
+echo "Signing Key Self Certify"
+${PREFIX}certify -hk 80000000 -ho 80000000 -pwdk sig -pwdo sig > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000000 > run.out
+checkSuccess $?
+
+echo "Signing Key Self Certify - should fail, signing key missing"
+${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Load the signing key - should fail, primary key missing"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkFailure $?
+
+# Create a platform primary storage key
+initprimary
+checkSuccess $?
+
+echo "Signing Key Self Certify - should fail, signing key missing"
+${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Signing Key Self Certify - should fail, session missing"
+${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000000 1 > run.out
+checkFailure $?
+
+echo "Load the saved session context"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Signing Key Self Certify"
+${PREFIX}certify -hk 80000001 -ho 80000001 -pwdk sig -pwdo sig -se0 02000001 0 > run.out
+checkSuccess $?
+
+echo "NV write 01000000 - should fail, still locked after TPM Resume"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000001 - should fail, still locked after TPM Resume"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000002 - should fail, still locked after TPM Resume"
+${PREFIX}nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000003 - should fail, still locked after TPM Resume"
+${PREFIX}nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV read - should fail, still locked"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 > run.out
+checkFailure $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "TPM Restart (state/clear) - hibernate"
+echo ""
+
+echo "Load the signing key"
+${PREFIX}load -hp 80000000 -ipr signrsa2048priv.bin -ipu signrsa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Context save the signing key"
+${PREFIX}contextsave -ha 80000001 -of tmpsk.bin > run.out
+checkSuccess $?
+
+echo "Start a session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Save the session"
+${PREFIX}contextsave -ha 02000000 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Shutdown state"
+${PREFIX}shutdown -s > run.out
+checkSuccess $?
+
+echo "Power cycle"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup clear"
+${PREFIX}startup -c > run.out
+checkSuccess $?
+
+echo "Load the session"
+${PREFIX}contextload -if tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+echo "Context load the signing key"
+${PREFIX}contextload -if tmpsk.bin > run.out
+checkSuccess $?
+
+echo "PCR 0 Read"
+${PREFIX}pcrread -ha 0 -halg sha1 -of tmp2.bin > run.out
+checkSuccess $?
+
+echo "Verify that PCR 0 is reset"
+diff policies/policypcr0.bin tmp2.bin > run.out
+checkSuccess $?
+
+echo "NV write 01000000 - unlocked after TPM Restart"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000001 - should fail, still locked after TPM Restart"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000002 - unlocked after TPM Restart"
+${PREFIX}nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000003 - should fail, still locked after TPM Restart"
+${PREFIX}nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV read"
+${PREFIX}nvread -ha 01000000 -pwdn nnn -sz 16 > run.out
+checkSuccess $?
+
+echo "Write lock 01000000"
+${PREFIX}nvwritelock -ha 01000000 -pwdn nnn > run.out
+checkSuccess $?
+
+echo "NV global lock (01000002 and 01000003)"
+${PREFIX}nvglobalwritelock -hia p > run.out
+checkSuccess $?
+
+echo "Recreate a platform primary storage key"
+${PREFIX}createprimary -hi p -pwdk sto > run.out
+checkSuccess $?
+
+echo ""
+echo "TPM Reset (clear/clear) - cold boot"
+echo ""
+
+echo "Start a session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+echo "Save the session"
+${PREFIX}contextsave -ha 02000000 -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Shutdown clear"
+${PREFIX}shutdown -c > run.out
+checkSuccess $?
+
+echo "Power cycle"
+${PREFIX}powerup > run.out
+checkSuccess $?
+
+echo "Startup clear"
+${PREFIX}startup -c > run.out
+checkSuccess $?
+
+echo "Load the session - should fail"
+${PREFIX}contextload -if tmp.bin > run.out
+checkFailure $?
+
+echo "Recreate a platform primary storage key"
+${PREFIX}createprimary -hi p -pwdk sto > run.out
+checkSuccess $?
+
+echo "NV write - unlocked after TPM Reset"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000000 - unlocked after TPM Reset"
+${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000001 - should fail, still locked after TPM Reset"
+${PREFIX}nvwrite -ha 01000001 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+echo "NV write 01000002 - unlocked after TPM Reset"
+${PREFIX}nvwrite -ha 01000002 -pwdn nnn -if policies/aaa > run.out
+checkSuccess $?
+
+echo "NV write 01000003 - should fail, still locked after TPM Reset"
+${PREFIX}nvwrite -ha 01000003 -pwdn nnn -if policies/aaa > run.out
+checkFailure $?
+
+# cleanup
+
+echo "NV Undefine Space 01000000"
+${PREFIX}nvundefinespace -hi p -ha 01000000 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 01000001"
+${PREFIX}nvundefinespace -hi p -ha 01000001 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 01000002"
+${PREFIX}nvundefinespace -hi p -ha 01000002 > run.out
+checkSuccess $?
+
+echo "NV Undefine Space 01000003"
+${PREFIX}nvundefinespace -hi p -ha 01000003 > run.out
+checkSuccess $?
+
+# shutdown removes the session
+rm h02000000.bin
+rm tmpsk.bin
+
+exit
+
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
+# ${PREFIX}getcapability -cap 1 -pr 01000000
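Review bot: The `NV write - unlocked after TPM Reset` step and the `NV write 01000000 - unlocked after TPM Reset` step immediately after it run the identical command `${PREFIX}nvwrite -ha 01000000 -pwdn nnn -if policies/aaa > run.out`, so the first is a duplicate; dropping the one without an index in its label leaves the per-index coverage unchanged. The four `Define index ... with write stclear, read stclear` labels only describe 01000000: 01000001 also sets `+at wd`, and 01000002/01000003 use `+at gl` rather than `+at wst`, so each echo should follow the `+at` flags on its own line (the `# NV Index` table at the top of the script already lists them correctly). The cleanup `rm h02000000.bin` and `rm tmpsk.bin` lack `-f`, unlike the `rm -f` used in the other regression scripts of this commit; the result is unchecked so this only prints an error when a file is absent, but `rm -f` would be consistent. tmp.bin, tmp1.bin and tmp2.bin are created here and not removed, presumably cleaned by the test driver, worth confirming.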
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.bat
new file mode 100644
index 0000000..18b331b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.bat
@@ -0,0 +1,504 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "RSA Signing key"
+echo ""
+
+for %%B in (2048 3072) do (
+
+ echo "Create an RSA key pair in PEM format using openssl"
+ openssl genrsa -out tmpkeypairrsa%%B.pem -aes256 -passout pass:rrrr 2048 > run.out
+
+ echo "Convert key pair to plaintext DER format"
+ openssl rsa -inform pem -outform der -in tmpkeypairrsa%%B.pem -out tmpkeypairrsa%%B.der -passin pass:rrrr > run.out
+
+ echo "Load the RSA signing key under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr signrsa%%Bpriv.bin -ipu signrsa%%Bpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ for %%H in (%ITERATE_ALGS%) do (
+ for %%S in (rsassa rsapss) do (
+
+ echo "Sign a digest - %%H %%S %%B"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -scheme %%S -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa%%Bpub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature signature using the TPM - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem signrsa%%Bpub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the public part"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using readpublic PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the openssl key pair in the NULL hierarchy - %%H %%S %%B"
+ %TPM_EXE_PATH%loadexternal -halg %%H -scheme %%S -ider tmpkeypairrsa%%B.der > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Use the TPM as a crypto coprocessor to sign - %%H"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg %%H -scheme %%S -if policies/aaa -os sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the openssl signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+ )
+ echo "Flush the signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "ECC Signing key"
+echo ""
+
+echo "Create an ECC key pair in PEM format using openssl"
+
+openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out
+
+echo "Convert key pair to plaintext DER format"
+
+openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out
+
+echo "Load the ECC signing key under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Sign a digest - %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -salg ecc -if policies/aaa -os sig.bin -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the ECC signature using the TPM - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -ecc -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem signeccpub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the public part"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using readpublic PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the openssl key pair in the NULL hierarchy 80000002 - %%H"
+ %TPM_EXE_PATH%loadexternal -halg %%H -ecc -ider tmpkeypairecc.der > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Use the TPM as a crypto coprocessor to sign - %%H"
+ %TPM_EXE_PATH%sign -hk 80000002 -halg %%H -salg ecc -if policies/aaa -os sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000002 -halg %%H -ecc -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the openssl signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo "Flush the ECC signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+echo ""
+echo "Primary RSA Signing Key 80000001"
+echo ""
+
+echo "Create primary signing key - RSA"
+%TPM_EXE_PATH%createprimary -si -opu tmppub.bin -opem tmppub.pem -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Sign a digest - %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -if policies/aaa -os sig.bin -pwdk sig -ipu tmppub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the public part"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using readpublic PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Convert TPM public key to PEM"
+ %TPM_EXE_PATH%tpm2pem -ipu tmppub.bin -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using createprimary converted PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the primary signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Primary ECC Signing Key"
+echo ""
+
+echo "Create primary signing key - ECC 80000001"
+%TPM_EXE_PATH%createprimary -si -opu tmppub.bin -opem tmppub.pem -ecc nistp256 -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Sign a digest - %%H"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -salg ecc -if policies/aaa -os sig.bin -pwdk sig > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature - %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the public part"
+ %TPM_EXE_PATH%readpublic -ho 80000001 -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using readpublic PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ echo "Convert TPM public key to PEM"
+ %TPM_EXE_PATH%tpm2pem -ipu tmppub.bin -opem tmppub.pem > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature using createprimary converted PEM - %%H"
+ %TPM_EXE_PATH%verifysignature -ipem tmppub.pem -halg %%H -if policies/aaa -is sig.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo "Flush the primary signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Restricted Signing Key"
+echo ""
+
+echo "Create primary signing key - restricted"
+%TPM_EXE_PATH%createprimary -sir -opu tmppub.bin -pwdk sig > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a digest - SHA256 - should fail TPM_RC_TICKET"
+%TPM_EXE_PATH%sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig -ipu tmppub.bin > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "External Verification Key"
+echo ""
+
+REM # create rsaprivkey.pem
+REM # > openssl genrsa -out rsaprivkey.pem -aes256 -passout pass:rrrr 2048
+REM # extract the public key
+REM # > openssl pkey -inform pem -outform pem -in rsaprivkey.pem -passin pass:rrrr -pubout -out rsapubkey.pem
+REM # sign a test message msg.bin
+REM # > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+
+echo "Load external just the public part of PEM RSA"
+%TPM_EXE_PATH%loadexternal -halg sha1 -nalg sha1 -ipem policies/rsapubkey.pem > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a test message with openssl RSA"
+openssl dgst -sha1 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+
+echo "Verify the RSA signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # generate the p256 key
+REM # > openssl ecparam -name prime256v1 -genkey -noout -out p256privkey.pem
+REM # extract public key
+REM # > openssl pkey -inform pem -outform pem -in p256privkey.pem -pubout -out p256pubkey.pem
+
+echo "Load external just the public part of PEM ECC"
+%TPM_EXE_PATH%loadexternal -halg sha1 -nalg sha1 -ipem policies/p256pubkey.pem -ecc > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Sign a test message with openssl ECC"
+openssl dgst -sha1 -sign policies/p256privkey.pem -out pssig.bin msg.bin
+
+echo "Verify the ECC signature"
+%TPM_EXE_PATH%verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw -ecc > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the signing key"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Sign with restricted HMAC key"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a %%H restricted keyed hash key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -khr -kt f -kt p -opr khrpriv%%H.bin -opu khrpub%%H.bin -pwdp sto -pwdk khk -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr khrpriv%%H.bin -ipu khrpub%%H.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash and create ticket"
+ %TPM_EXE_PATH%hash -hi p -halg %%H -if msg.bin -tk tkt.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest with a restricted signing key and ticket"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -salg hmac -if msg.bin -tk tkt.bin -os sig.bin -pwdk khk > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest with a restricted signing key and no ticket - should fail"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -salg hmac -if msg.bin -os sig.bin -pwdk khk > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key 80000001 "
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+echo ""
+echo "Sign with unrestricted HMAC key"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a %%H unrestricted keyed hash key under the primary key"
+ %TPM_EXE_PATH%create -hp 80000000 -kh -kt f -kt p -opr khpriv%%H.bin -opu khpub%%H.bin -pwdp sto -pwdk khk -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key under the primary key 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr khpriv%%H.bin -ipu khpub%%H.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Hash"
+ %TPM_EXE_PATH%hash -hi p -halg %%H -if msg.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Sign a digest with an unrestricted signing key"
+ %TPM_EXE_PATH%sign -hk 80000001 -halg %%H -salg hmac -if msg.bin -os sig.bin -pwdk khk > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key 80000001 "
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rm tmpkeypairrsa2048.pem
+rm tmpkeypairrsa2048.der
+rm tmpkeypairrsa3072.pem
+rm tmpkeypairrsa3072.der
+rm tmpkeypairecc.pem
+rm tmpkeypairecc.der
+rm pssig.bin
+rm tmppub.bin
+rm tmppub.pem
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
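Review bot: The RSA key-pair generation at the top of the `for %%B in (2048 3072)` loop hard-codes the modulus size, `openssl genrsa -out tmpkeypairrsa%%B.pem -aes256 -passout pass:rrrr 2048`, so tmpkeypairrsa3072.pem/.der actually holds a 2048-bit key and the loadexternal/sign/verifysignature steps of the 3072 iteration never exercise a 3072-bit external key; the last argument should follow the loop variable, `openssl genrsa -out tmpkeypairrsa%%B.pem -aes256 -passout pass:rrrr %%B`. Neither that line nor the following `openssl rsa` DER conversion (nor the two ECC openssl calls later) checks ERRORLEVEL, unlike every TPM command in the file, so an openssl failure would surface only as a confusing loadexternal error, or not at all if a stale .der from a previous run is still on disk. An `IF !ERRORLEVEL! NEQ 0 ( exit /B 1 )` after each openssl call would keep the regression result honest. Since this file arrives via a subtree squash, the fix presumably belongs upstream in ibmtpm20tss as well.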
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.sh
new file mode 100755
index 0000000..98841e3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testsign.sh
@@ -0,0 +1,402 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+echo ""
+echo "RSA Signing key"
+echo ""
+
+for BITS in 2048 3072
+do
+
+ echo "Create an RSA $BITS key pair in PEM format using openssl"
+ openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr 2048 > run.out 2>&1
+
+ echo "Convert RSA $BITS key pair to plaintext DER format"
+ openssl rsa -inform pem -outform der -in tmpkeypairrsa${BITS}.pem -out tmpkeypairrsa${BITS}.der -passin pass:rrrr > run.out 2>&1
+
+ echo "Load the RSA $BITS signing key under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr signrsa${BITS}priv.bin -ipu signrsa${BITS}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ for HALG in ${ITERATE_ALGS}
+ do
+
+ for SCHEME in rsassa rsapss
+ do
+
+ echo "Sign a digest - $HALG $SCHEME $BITS"
+ ${PREFIX}sign -hk 80000001 -halg $HALG -scheme $SCHEME -if policies/aaa -os sig.bin -pwdk sig -ipu signrsa${BITS}pub.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using the TPM - $HALG"
+ ${PREFIX}verifysignature -hk 80000001 -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using PEM - $HALG"
+ ${PREFIX}verifysignature -ipem signrsa${BITS}pub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Read the public part"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using readpublic PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Load the openssl key pair in the NULL hierarchy 80000002 - $HALG $SCHEME $BITS"
+ ${PREFIX}loadexternal -halg $HALG -scheme $SCHEME -ider tmpkeypairrsa${BITS}.der > run.out
+ checkSuccess $?
+
+ echo "Use the TPM as a crypto coprocessor to sign - $HALG $SCHEME"
+ ${PREFIX}sign -hk 80000002 -halg $HALG -scheme $SCHEME -if policies/aaa -os sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature - $HALG"
+ ${PREFIX}verifysignature -hk 80000002 -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the openssl signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ done
+
+ done
+
+ echo "Flush the RSA signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "ECC Signing key"
+echo ""
+
+echo "Load the ECC signing key under the primary key"
+${PREFIX}load -hp 80000000 -ipr signeccpriv.bin -ipu signeccpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Create an ECC key pair in PEM format using openssl"
+
+openssl ecparam -name prime256v1 -genkey -noout -out tmpkeypairecc.pem > run.out 2>&1
+
+echo "Convert key pair to plaintext DER format"
+
+openssl ec -inform pem -outform der -in tmpkeypairecc.pem -out tmpkeypairecc.der -passin pass:rrrr > run.out 2>&1
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Sign a digest - $HALG"
+ ${PREFIX}sign -hk 80000001 -halg $HALG -salg ecc -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Verify the ECC signature using the TPM - $HALG"
+ ${PREFIX}verifysignature -hk 80000001 -halg $HALG -ecc -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using PEM - $HALG"
+ ${PREFIX}verifysignature -ipem signeccpub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Read the public part"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using readpublic PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Load the openssl key pair in the NULL hierarchy 80000002 - $HALG"
+ ${PREFIX}loadexternal -halg $HALG -ecc -ider tmpkeypairecc.der > run.out
+ checkSuccess $?
+
+ echo "Use the TPM as a crypto coprocessor to sign - $HALG"
+ ${PREFIX}sign -hk 80000002 -halg $HALG -salg ecc -if policies/aaa -os sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature - $HALG"
+ ${PREFIX}verifysignature -hk 80000002 -halg $HALG -ecc -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the openssl signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the ECC signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Primary RSA Signing Key"
+echo ""
+
+echo "Create primary signing key - RSA 80000001"
+${PREFIX}createprimary -si -opu tmppub.bin -opem tmppub.pem -pwdk sig > run.out
+checkSuccess $?
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Sign a digest - $HALG"
+ ${PREFIX}sign -hk 80000001 -halg $HALG -if policies/aaa -os sig.bin -pwdk sig -ipu tmppub.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature - $HALG"
+ ${PREFIX}verifysignature -hk 80000001 -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Read the public part and convert to PEM"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using readpublic PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Convert TPM public key to PEM"
+ ${PREFIX}tpm2pem -ipu tmppub.bin -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using createprimary converted PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the primary signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Primary ECC Signing Key"
+echo ""
+
+echo "Create primary signing key - ECC 80000001"
+${PREFIX}createprimary -si -opu tmppub.bin -opem tmppub.pem -ecc nistp256 -pwdk sig > run.out
+checkSuccess $?
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Sign a digest - $HALG"
+ ${PREFIX}sign -hk 80000001 -halg $HALG -salg ecc -if policies/aaa -os sig.bin -pwdk sig > run.out
+ checkSuccess $?
+
+ echo "Verify the signature - $HALG"
+ ${PREFIX}verifysignature -hk 80000001 -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Read the public part"
+ ${PREFIX}readpublic -ho 80000001 -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using readpublic PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+ echo "Convert TPM public key to PEM"
+ ${PREFIX}tpm2pem -ipu tmppub.bin -opem tmppub.pem > run.out
+ checkSuccess $?
+
+ echo "Verify the signature using createprimary converted PEM - $HALG"
+ ${PREFIX}verifysignature -ipem tmppub.pem -halg $HALG -if policies/aaa -is sig.bin > run.out
+ checkSuccess $?
+
+done
+
+echo "Flush the primary signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Restricted Signing Key"
+echo ""
+
+echo "Create primary signing key - restricted"
+${PREFIX}createprimary -sir -opu tmppub.bin -pwdk sig > run.out
+checkSuccess $?
+
+echo "Sign a digest - SHA256 - should fail TPM_RC_TICKET"
+${PREFIX}sign -hk 80000001 -halg sha256 -if policies/aaa -os sig.bin -pwdk sig -ipu tmppub.bin > run.out
+checkFailure $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "External Verification Key"
+echo ""
+
+# create rsaprivkey.pem
+# > openssl genrsa -out rsaprivkey.pem -aes256 -passout pass:rrrr 2048
+# convert to der
+# > openssl rsa -inform pem -outform der -in rsaprivkey.pem -out rsaprivkey.der -passin pass:rrrr
+# extract the public key
+# > openssl pkey -inform pem -outform pem -in rsaprivkey.pem -passin pass:rrrr -pubout -out rsapubkey.pem
+# sign a test message msg.bin
+# > openssl dgst -sha1 -sign rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin
+
+echo "Load external just the public part of PEM RSA"
+${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/rsapubkey.pem > run.out
+checkSuccess $?
+
+echo "Sign a test message with openssl RSA"
+openssl dgst -sha1 -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin msg.bin > run.out 2>&1
+
+echo "Verify the RSA signature"
+${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+# generate the p256 key
+# > openssl ecparam -name prime256v1 -genkey -noout -out p256privkey.pem
+# extract public key
+# > openssl pkey -inform pem -outform pem -in p256privkey.pem -pubout -out p256pubkey.pem
+
+echo "Load external just the public part of PEM ECC"
+${PREFIX}loadexternal -halg sha1 -nalg sha1 -ipem policies/p256pubkey.pem -ecc > run.out
+checkSuccess $?
+
+echo "Sign a test message with openssl ECC"
+openssl dgst -sha1 -sign policies/p256privkey.pem -out pssig.bin msg.bin > run.out 2>&1
+
+echo "Verify the ECC signature"
+${PREFIX}verifysignature -hk 80000001 -halg sha1 -if msg.bin -is pssig.bin -raw -ecc > run.out
+checkSuccess $?
+
+echo "Flush the signing key"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Sign with restricted HMAC key"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+
+do
+
+ echo "Create a ${HALG} restricted keyed hash key under the primary key"
+ ${PREFIX}create -hp 80000000 -khr -kt f -kt p -opr khrpriv${HALG}.bin -opu khrpub${HALG}.bin -pwdp sto -pwdk khk -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key 80000001"
+ ${PREFIX}load -hp 80000000 -ipr khrpriv${HALG}.bin -ipu khrpub${HALG}.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Hash and create ticket"
+ ${PREFIX}hash -hi p -halg ${HALG} -if msg.bin -tk tkt.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with a restricted signing key and ticket"
+ ${PREFIX}sign -hk 80000001 -halg ${HALG} -salg hmac -if msg.bin -tk tkt.bin -os sig.bin -pwdk khk > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with a restricted signing key and no ticket - should fail"
+ ${PREFIX}sign -hk 80000001 -halg ${HALG} -salg hmac -if msg.bin -os sig.bin -pwdk khk > run.out
+ checkFailure $?
+
+ echo "Flush the signing key 80000001 "
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Sign with unrestricted HMAC key"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+
+do
+
+ echo "Create a ${HALG} unrestricted keyed hash key under the primary key"
+ ${PREFIX}create -hp 80000000 -kh -kt f -kt p -opr khpriv${HALG}.bin -opu khpub${HALG}.bin -pwdp sto -pwdk khk -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "Load the signing key under the primary key 80000001"
+ ${PREFIX}load -hp 80000000 -ipr khpriv${HALG}.bin -ipu khpub${HALG}.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Hash"
+ ${PREFIX}hash -hi p -halg ${HALG} -if msg.bin > run.out
+ checkSuccess $?
+
+ echo "Sign a digest with an unrestricted signing key"
+ ${PREFIX}sign -hk 80000001 -halg ${HALG} -salg hmac -if msg.bin -os sig.bin -pwdk khk > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key 80000001 "
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+done
+
+rm -f tmpkeypairrsa2048.pem
+rm -f tmpkeypairrsa2048.der
+rm -f tmpkeypairrsa3072.pem
+rm -f tmpkeypairrsa3072.der
+rm -f tmpkeypairecc.pem
+rm -f tmpkeypairecc.der
+rm -r pssig.bin
+rm -r tmppub.bin
+rm -r tmppub.pem
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
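Review bot: The same size bug as the .bat variant is in the `for BITS in 2048 3072` loop: `openssl genrsa -out tmpkeypairrsa${BITS}.pem -aes256 -passout pass:rrrr 2048` ignores `$BITS`, so the 3072 iteration loads and signs with a 2048-bit openssl key and the 3072-bit external-key path is untested; it should read `... -passout pass:rrrr ${BITS}`. The openssl invocations are also the only commands in the script without a `checkSuccess $?` after them, so a missing openssl or a generation failure is silently masked until loadexternal, and a stale tmpkeypair*.der from an earlier run could make the test pass anyway. In the cleanup block `rm -r pssig.bin` / `rm -r tmppub.bin` / `rm -r tmppub.pem` look like typos for the `rm -f` used on the lines just above: `-r` is a recursive flag and will still error on an absent file. As this is a subtree import, the fix presumably belongs upstream as well.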
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.bat
new file mode 100644
index 0000000..11a6e16
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.bat
@@ -0,0 +1,205 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+REM Primary storage key at 80000000 password sto
+REM storage key at 80000001 password sto
+
+echo ""
+echo "RSA Storage key"
+echo ""
+
+echo "Load the RSA storage key 80000001 under the primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start an HMAC auth session"
+%TPM_EXE_PATH%startauthsession -se h > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%N in (%ITERATE_ALGS%) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Create an unrestricted signing key under the RSA storage key 80000001 %%N %%~S"
+ %TPM_EXE_PATH%create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 111 -nalg %%N %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the signing key 80000002 under the storage key 80000001 %%~S"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the signing key 80000002 public area"
+ %TPM_EXE_PATH%readpublic -ho 80000002 -opu tmppub2.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load external just the storage key public part 80000002 %%N"
+ %TPM_EXE_PATH%loadexternal -halg sha256 -nalg %%N -ipu storersa2048pub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the public key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load external, signing key public part 80000002 %%N"
+ %TPM_EXE_PATH%loadexternal -halg sha256 -nalg %%N -ipu tmppub2.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the public key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+echo "Flush the RSA storage key 80000001"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "ECC Storage key"
+echo ""
+
+echo "Load ECC the storage key 80000001 under the primary key 80000000"
+%TPM_EXE_PATH%load -hp 80000000 -ipr storeeccpriv.bin -ipu storeeccpub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+for %%N in (%ITERATE_ALGS%) do (
+
+ for %%S in ("" "-se0 02000000 1") do (
+
+ echo "Create an unrestricted signing key under the ECC storage key 80000001 %%N %%~S"
+ %TPM_EXE_PATH%create -hp 80000001 -si -kt f -kt p -ecc nistp256 -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 111 -nalg %%N %%~S > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the ECC signing key 80000002 under the ECC storage key 80000001 %%~S"
+ %TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto %%~S> run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Read the signing key 80000002 public area"
+ %TPM_EXE_PATH%readpublic -ho 80000002 -opu tmppub2.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load external, storage key public part 80000002 %%N"
+ %TPM_EXE_PATH%loadexternal -halg sha256 -nalg %%N -ipu storeeccpub.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the public key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load external, signing key public part 80000002 %%N"
+ %TPM_EXE_PATH%loadexternal -halg sha256 -nalg %%N -ipu tmppub2.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the signing key 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+ )
+)
+
+echo "Flush the ECC storage key 80000001 "
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the auth session"
+%TPM_EXE_PATH%flushcontext -ha 02000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+rm -f tmppub2.bin
+rm -f tmppub.bin
+rm -f tmppriv.bin
+rm -f tmpsig.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
+REM getcapability -cap 1 -pr 02000000
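Review bot: Every step inside the two loops is a success path, so the `-se0 02000000 1` iteration shows that the HMAC session is accepted but never that it enforces anything; a session that ignored the parent auth would pass this script unchanged. One negative case per iteration, in the same shape as the `Unseal with bad password - should fail` step in testunseal.bat, would close that gap: `%TPM_EXE_PATH%load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp xxx -se0 02000000 1 > run.out` followed by `IF !ERRORLEVEL! EQU 0 ( exit /B 1 )`. Separately, the ECC load line is written `%%~S> run.out` with no space before the redirection; as far as I can tell cmd resolves `>` before the FOR variable is substituted, so the trailing `1` is not consumed as a handle number, but the line reads like a `1>` redirect and should be `%%~S > run.out` to match the RSA loop. The cleanup also deletes tmpsig.bin, which nothing in this script creates.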
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.sh
new file mode 100755
index 0000000..f2b91f4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/teststorage.sh
@@ -0,0 +1,164 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# Primary storage key at 80000000 password sto
+# storage key at 80000001 password sto
+
+echo ""
+echo "RSA Storage key"
+echo ""
+
+echo "Load the RSA storage key 80000001 under the primary key 80000000"
+${PREFIX}load -hp 80000000 -ipr storersa2048priv.bin -ipu storersa2048pub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start an HMAC auth session"
+${PREFIX}startauthsession -se h > run.out
+checkSuccess $?
+
+for NALG in ${ITERATE_ALGS}
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Create an unrestricted signing key under the RSA storage key 80000001 ${NALG} ${SESS}"
+ ${PREFIX}create -hp 80000001 -si -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 111 -nalg ${NALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Load the signing key 80000002 under the storage key 80000001 ${SESS}"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Read the signing key 80000002 public area"
+ ${PREFIX}readpublic -ho 80000002 -opu tmppub2.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Load external just the storage key public part 80000002 ${NALG}"
+ ${PREFIX}loadexternal -halg sha256 -nalg ${NALG} -ipu storersa2048pub.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the public key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Load external, signing key public part 80000002 ${NALG}"
+ ${PREFIX}loadexternal -halg sha256 -nalg ${NALG} -ipu tmppub2.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the public key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+ done
+done
+
+echo "Flush the RSA storage key 80000001"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "ECC Storage key"
+echo ""
+
+echo "Load ECC the storage key 80000001 under the primary key 80000000"
+${PREFIX}load -hp 80000000 -ipr storeeccpriv.bin -ipu storeeccpub.bin -pwdp sto > run.out
+checkSuccess $?
+
+for NALG in ${ITERATE_ALGS}
+do
+
+ for SESS in "" "-se0 02000000 1"
+ do
+
+ echo "Create an unrestricted signing key under the ECC storage key 80000001 ${NALG} ${SESS}"
+ ${PREFIX}create -hp 80000001 -si -kt f -kt p -ecc nistp256 -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk 111 -nalg ${NALG} ${SESS} > run.out
+ checkSuccess $?
+
+ echo "Load the ECC signing key 80000002 under the ECC storage key 80000001 ${SESS}"
+ ${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto ${SESS}> run.out
+ checkSuccess $?
+
+ echo "Read the signing key 80000002 public area"
+ ${PREFIX}readpublic -ho 80000002 -opu tmppub2.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Load external, storage key public part 80000002 ${NALG}"
+ ${PREFIX}loadexternal -halg sha256 -nalg ${NALG} -ipu storeeccpub.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the public key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Load external, signing key public part 80000002 ${NALG}"
+ ${PREFIX}loadexternal -halg sha256 -nalg ${NALG} -ipu tmppub2.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the signing key 80000002"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+ done
+done
+
+echo "Flush the ECC storage key 80000001 "
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the auth session"
+${PREFIX}flushcontext -ha 02000000 > run.out
+checkSuccess $?
+
+rm -f tmppub2.bin
+rm -f tmppub.bin
+rm -f tmppriv.bin
+rm -f tmpsig.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
+# ${PREFIX}getcapability -cap 1 -pr 02000000
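Review bot: The ECC load line `${SESS}> run.out` has no space before the redirection; bash parses `>` before expanding `${SESS}`, so the trailing `1` stays an argument instead of becoming a `1>` descriptor redirect, but the line reads as a bug and should be `${SESS} > run.out` as in the RSA loop. More substantively, both loops consist only of checkSuccess steps, so the `-se0 02000000 1` iteration proves the HMAC session is accepted but never that a wrong parent auth is rejected through it; one checkFailure step per iteration, e.g. `${PREFIX}load -hp 80000001 -ipr tmppriv.bin -ipu tmppub.bin -pwdp xxx ${SESS} > run.out` followed by `checkFailure $?`, would pin that. The final `rm -f tmpsig.bin` removes a file that nothing in this script writes.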
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.bat
new file mode 100644
index 0000000..03449e2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.bat
@@ -0,0 +1,765 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2015 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "Seal and Unseal to Password"
+echo ""
+
+echo "Create a sealed data object"
+%TPM_EXE_PATH%create -hp 80000000 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the sealed data object"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal the data blob"
+%TPM_EXE_PATH%unseal -ha 80000001 -pwd sea -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal with bad password - should fail"
+%TPM_EXE_PATH%unseal -ha 80000001 -pwd xxx > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Flush the sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a primary sealed data object"
+%TPM_EXE_PATH%createprimary -bl -kt f -kt p -pwdk seap -if msg.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal the primary data blob"
+%TPM_EXE_PATH%unseal -ha 80000001 -pwd seap -of tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the primary sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo ""
+echo "Seal and Unseal to PolicySecret Platform Auth"
+echo ""
+
+REM # policy is policy secret pointing to platform auth
+REM # 000001514000000C plus newline for policyRef
+
+echo "Change platform hierarchy auth"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwdn ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Create a sealed data object with policysecret platform auth under primary key"
+%TPM_EXE_PATH%create -hp 80000000 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policysecretp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Load the sealed data object under primary key"
+%TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Start a policy session"
+%TPM_EXE_PATH%startauthsession -se p > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal the data blob - policy failure, policysecret not run"
+%TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+)
+
+echo "Policy Secret with PWAP session and platform auth"
+%TPM_EXE_PATH%policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Unseal the data blob"
+%TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Change platform hierarchy auth back to null"
+%TPM_EXE_PATH%hierarchychangeauth -hi p -pwda ppp > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the sealed object"
+%TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+echo "Flush the policy session"
+%TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+)
+
+REM # extend of aaa + 0 pad to digest length
+REM # pcrreset -ha 16
+REM # pcrextend -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ic aaa
+REM # pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+REM #
+REM # 1d47f68aced515f7797371b554e32d47981aa0a0
+REM # c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+REM # 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+REM # 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+REM #
+REM # paste that with no white space to file policypcr16aaasha1.txt, etc.
+REM #
+REM # create AND term for policy PCR, PCR 16
+REM # and then convert to binary policy
+REM
+REM # > policymakerpcr -halg sha1 -bm 10000 -if policies/policypcr16aaasha1.txt -v -pr -of policies/policypcr.txt
+REM # 0000017f00000001000403000001cbf1e9f771d215a017e17979cfd7184f4b674a4d
+REM # convert to binary policy
+REM # > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr16aaasha1.bin -pr -v
+REM # 12 b6 dd 16 43 82 ca e4 5d 0e d0 7f 9e 51 d1 63
+REM # a4 24 f5 f2
+REM
+REM # > policymakerpcr -halg sha256 -bm 10000 -if policies/policypcr16aaasha256.txt -v -pr -of policies/policypcr.txt
+REM # 0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
+REM # > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcr16aaasha256.bin -pr -v
+REM # 76 44 f6 11 ea 10 d7 60 da b9 36 c3 95 1e 1d 85
+REM # ec db 84 ce 9a 79 03 dd e1 c7 e0 a2 d9 09 a0 13
+REM
+REM # > policymakerpcr -halg sha384 -bm 10000 -if policies/policypcr16aaasha384.txt -v -pr -of policies/policypcr.txt
+REM # 0000017f00000001000c0300000132edb1c501cb0af4f958c9d7f04a8f3122c1025067e3832a5137234ee0d875e9fa99d8d400ca4a37fe13a6f53aeb4932
+REM # > policymaker -halg sha384 -if policies/policypcr.txt -of policies/policypcr16aaasha384.bin -pr -v
+REM # ea aa 8b 90 d2 69 b6 31 c0 85 91 e4 bf 29 a3 12
+REM # 87 04 f2 18 4c 02 ee 83 6a fb c4 c6 7f 28 c1 7f
+REM # 86 ea 22 b7 00 3d 06 fc b4 57 a3 b5 c4 f7 3c 95
+REM
+REM # > policymakerpcr -halg sha512 -bm 10000 -if policies/policypcr16aaasha512.txt -v -pr -of policies/policypcr.txt
+REM # 0000017f00000001000d03000001ea5218788d9d3a79e6f58608e321880aeb33e2282a3a0a87fb5b8868e7c6b3eedb9b66019409d8ea52d77e0dbfee5822c10ad0de3fd5cc776813a60423a7531f
+REM # policymaker -halg sha512 -if policies/policypcr.txt -of policies/policypcr16aaasha512.bin -pr -v
+REM # 1a 57 25 8d 99 64 d8 74 f0 85 0f 2c 8d 70 41 cc
+REM # be 21 c2 0f df 7e 07 e6 b1 99 ea 05 66 46 b7 fb
+REM # 23 55 77 4b 96 7e ab e2 65 db 5a 52 82 08 9c af
+REM # 3c c0 10 e4 99 36 5d ec 7f 0d 3e 6d 2a 62 6d 2e
+
+REM sealed blob 80000001
+REM policy session 03000000
+
+echo ""
+echo "Seal and Unseal to PCR 16"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a sealed data object %%H"
+ %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr16aaa%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the sealed data object"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session %%H"
+ %TPM_EXE_PATH%startauthsession -se p -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR 16 Reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob - policy failure, policypcr not run"
+ %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Policy PCR, update with the wrong PCR 16 value"
+ %TPM_EXE_PATH%policypcr -halg %%H -ha 03000000 -bm 10000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob - policy failure, PCR 16 incorrect"
+ %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Extend PCR 16 to correct value"
+ %TPM_EXE_PATH%pcrextend -halg %%H -ha 16 -if policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy restart, set back to zero"
+ %TPM_EXE_PATH%policyrestart -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy PCR, update with the correct PCR 16 value"
+ %TPM_EXE_PATH%policypcr -halg %%H -ha 03000000 -bm 10000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob"
+ %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed object"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the policy session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rem # This test uses the same values for PCR 16 and PCR 23 for simplicity.
+rem # For different values, calculate the PCR white list value and change
+rem # the cat line to use two different values.
+
+rem # extend of aaa + 0 pad to digest length
+rem # pcrreset -ha 16
+rem # pcrextend -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ic aaa
+rem # pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+rem #
+rem # 1d47f68aced515f7797371b554e32d47981aa0a0
+rem # c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+rem # 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+rem # 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+rem #
+rem # paste that with no white space to file policypcr16aaasha1.txt, etc.
+rem #
+rem # create AND term for policy PCR, PCR 16 and 23
+rem # and then convert to binary policy
+
+rem # > cat policies/policypcr16aaasha1.txt policies/policypcr16aaasha1.txt >! policypcra.txt
+rem # > policymakerpcr -halg sha1 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+rem #0000017f0000000100040300008173820c1f0f279933a5a58629fe44d081e740d4ae
+rem # > policymaker -halg sha1 -if policypcr.txt -of policies/policypcr1623aaasha1.bin -pr -v
+rem # policy digest length 20
+rem # b4 ed de a3 35 87 d7 43 29 f6 a8 d1 e7 89 92 64
+rem # 46 f0 4c 85
+
+rem # > cat policies/policypcr16aaasha256.txt policies/policypcr16aaasha256.txt >! policypcra.txt
+rem # > policymakerpcr -halg sha256 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+rem # 0000017f00000001000b030000815a9f104273886b7ec8919a449d440d107d0da5df367e28c6ac145c9023cb5e76
+rem # > policymaker -halg sha256 -if policypcr.txt -of policies/policypcr1623aaasha256.bin -pr -v
+rem # policy digest length 32
+rem # 84 ff 2f f1 2d 37 cb 23 fb 3d 14 d9 66 77 ca ec
+rem # 48 94 5c 0b 83 e5 ea a2 be 98 e9 75 aa 21 e3 d6
+
+rem # > cat policies/policypcr16aaasha384.txt policies/policypcr16aaasha384.txt >! policypcra.txt
+rem # > policymakerpcr -halg sha384 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+rem # 0000017f00000001000c0300008105f7f12c86c3b0ed988d369a96d401bb4a58b74f982eb03e8474cb66076114ba2b933dd95cde1c7ea69d0a797abc99d4
+rem # > policymaker -halg sha384 -if policypcr.txt -of policies/policypcr1623aaasha384.bin -pr -v
+rem # policy digest length 48
+rem # 4b 03 cd b3 eb 07 15 14 7c 49 93 43 a5 65 ee dc
+rem # 86 22 7c 86 36 20 97 a2 5e 0f 34 2e d2 4f 7e ad
+rem # a0 61 8b 5e d7 ba bb e3 5e f0 ab ea 99 55 df 84
+
+rem # > cat policies/policypcr16aaasha512.txt policies/policypcr16aaasha512.txt >! policypcra.txt
+rem # > policymakerpcr -halg sha512 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+rem # 0000017f00000001000d03000081266ae24c92f63b30322e9c22e44e9540313a2223ae79b27eafe798168bef373ac55de22a0ca78ec8b2e9402aa1f8b47b6ef40e9e53aebaa694af58f240efa0fd
+rem # > policymaker -halg sha512 -if policypcr.txt -of policies/policypcr1623aaasha512.bin -pr -v
+rem # policy digest length 64
+rem # 13 84 59 76 b8 d4 d8 a9 a4 7d 75 0e 3e 81 cd c2
+rem # 78 08 ec 95 d7 13 e8 ef 0c 0b 85 c7 38 2e ad 46
+rem # e4 72 31 1d 11 a3 38 17 54 e5 cf 2e 6d 23 67 6d
+rem # 39 5a 93 51 9d f3 f0 90 56 4d 66 f8 7b 90 fc 61
+
+rem # sealed blob 80000001
+rem # policy session 03000000
+
+echo ""
+echo "Seal and Unseal to PCR 16 and 23"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ echo "Create a sealed data object %%H"
+ %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr1623aaa%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the sealed data object"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session %%H"
+ %TPM_EXE_PATH%startauthsession -se p -halg %%H > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR 16 Reset"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR 23 Reset"
+ %TPM_EXE_PATH%pcrreset -ha 23 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Extend PCR 16 to correct value"
+ %TPM_EXE_PATH%pcrextend -halg %%H -ha 16 -if policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Extend PCR 23 to correct value"
+ %TPM_EXE_PATH%pcrextend -halg %%H -ha 23 -if policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy PCR, update with the correct PCR 16 and 23 values"
+ %TPM_EXE_PATH%policypcr -halg %%H -ha 03000000 -bm 810000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob"
+ %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed object"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the policy session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+)
+
+
+REM #
+REM # Sample application to demonstrate the policy authorize solution to
+REM # the PCR brittleness problem when sealing. Rather than sealing
+REM # directly to the PCRs, the blob is sealed to an authorizing public
+REM # key. The authorizing private key signs the approved policy PCR
+REM # digest.
+REM #
+REM # Name for 80000001 authorizing key (output of loadexternal below) is
+REM # used to calculate the policy authorize policy
+REM #
+REM # 00044234c24fc1b9de6693a62453417d2734d7538f6f
+REM # 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+REM # 000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+REM # 000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+REM #
+REM # Use 0000016a || the above Name, with a following blank line for
+REM # policyRef to make policies/policyauthorizesha[].txt. Use policymaker
+REM # to create the binary policy. This will be the session digest after
+REM # the policyauthorize command.
+REM #
+REM # > policymaker -halg sha[] -if policies/policyauthorizesha[].txt -of policies/policyauthorizesha[].bin -pr
+REM # 16 82 10 58 c0 32 8c c4 e5 2e c4 ec ce 61 6c 0a
+REM # f4 8a 30 88
+REM #
+REM # eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+REM # ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+REM #
+REM # 5c c6 34 89 fe f9 c8 42 7e fe 2c 5f 08 39 74 b6
+REM # d9 a8 36 02 4a cd d9 70 7e f0 b9 fd 15 26 56 da
+REM # a5 07 0a 9b bf d6 66 df 49 d2 5b 8d 50 8e 16 38
+REM #
+REM # c9 c8 29 fb bc 75 54 99 db 48 b7 26 88 24 d1 f8
+REM # 29 72 01 60 6b d6 5f 41 8e 06 98 7e f7 3e 6a 7e
+REM # 25 82 c7 6d 8f 1c 36 43 68 01 ee 56 51 d5 06 b4
+REM # 68 4c fe d1 d0 6a d7 65 23 3f c2 92 94 fd 2c c5
+
+REM # setup and policy PCR calculations
+REM #
+REM # 16 is the debug PCR, a typical application may seal to PCR 0-7
+REM # > pcrreset -ha 16
+REM #
+REM # policies/aaa represents the new 'BIOS' measurement hash extended
+REM # into all PCR banks
+REM #
+REM # > pcrextend -ha 16 -halg [] -if policies/aaa
+REM #
+REM # These are the new PCR values to be authorized. Typically, these are
+REM # calculated by other software based on the enterprise. Here, they're
+REM # just read from the TPM.
+REM #
+REM # > pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+REM #
+REM # 1d47f68aced515f7797371b554e32d47981aa0a0
+REM # c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+REM # 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+REM # 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+REM #
+REM # Put the above authorized PCR value in an intermediate file
+REM # policies/policypcr16aaasha1.txt for policymakerpcr, and create the
+REM # policypcr AND term policies/policypcr.txt. policymakerpcr prepends the command code and
+REM # PCR select bit mask.
+REM #
+REM # > policymakerpcr -halg sha[] -bm 010000 -if policies/policypcr16aaasha1.txt -of policies/policypcr.txt -pr -v
+REM #
+REM # 0000017f00000001000403000001cbf1e9f771d215a017e17979cfd7184f4b674a4d
+REM # 0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
+REM # 0000017f00000001000c0300000132edb1c501cb0af4f958c9d7f04a8f3122c1025067e3832a5137234ee0d875e9fa99d8d400ca4a37fe13a6f53aeb4932
+REM # 0000017f00000001000d03000001ea5218788d9d3a79e6f58608e321880aeb33e2282a3a0a87fb5b8868e7c6b3eedb9b66019409d8ea52d77e0dbfee5822c10ad0de3fd5cc776813a60423a7531f
+REM #
+REM # Send the policymakerpcr AND term result to policymaker to create the
+REM # Policy PCR digest. This is the authorized policy signed by the
+REM # authorizing private key.
+REM #
+REM # > policymaker -halg sha[] -if policies/policypcr.txt -of policies/policypcr16aaasha[].bin -v -pr -ns
+REM #
+REM # 12b6dd164382cae45d0ed07f9e51d163a424f5f2
+REM # 7644f611ea10d760dab936c3951e1d85ecdb84ce9a7903dde1c7e0a2d909a013
+REM # eaaa8b90d269b631c08591e4bf29a3128704f2184c02ee836afbc4c67f28c17f86ea22b7003d06fcb457a3b5c4f73c95
+REM # 1a57258d9964d874f0850f2c8d7041ccbe21c20fdf7e07e6b199ea056646b7fb2355774b967eabe265db5a5282089caf3cc010e499365dec7f0d3e6d2a626d2e
+
+echo ""
+echo "Policy PCR with Policy Authorize (PCR brittleness solution)"
+echo ""
+
+for %%H in (%ITERATE_ALGS%) do (
+
+ REM # One time task, create sealed blob with policy of policyauthorize
+ REM # with Name of authorizing key
+
+ echo "Create a sealed data object %%H"
+ %TPM_EXE_PATH%create -hp 80000000 -nalg %%H -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -if msg.bin -pol policies/policyauthorize%%H.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM # Once per new PCR approved values, authorizing PCRs in policy%%H.bin
+
+ echo "Openssl generate and sign aHash (empty policyRef) %%H"
+ openssl dgst -%%H -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policypcr16aaa%%H.bin
+
+ REM # Once per boot, simulating setting PCRs to authorized values
+
+ echo "Reset PCR 16 back to zero"
+ %TPM_EXE_PATH%pcrreset -ha 16 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "PCR extend PCR 16 %%H"
+ %TPM_EXE_PATH%pcrextend -ha 16 -halg %%H -if policies/aaa > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM # beginning of unseal process, policy PCR
+
+ echo "Start a policy session %%H"
+ %TPM_EXE_PATH%startauthsession -halg %%H -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy PCR, update with the correct digest %%H"
+ %TPM_EXE_PATH%policypcr -ha 03000000 -halg %%H -bm 10000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy get digest, should be policies/policypcr16aaa%%H.bin"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM # policyauthorize process
+
+ echo "Load external just the public part of PEM authorizing key %%H 80000001"
+ %TPM_EXE_PATH%loadexternal -hi p -halg %%H -nalg %%H -ipem policies/rsapubkey.pem -ns > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the signature to generate ticket 80000001 %%H"
+ %TPM_EXE_PATH%verifysignature -hk 80000001 -halg %%H -if policies/policypcr16aaa%%H.bin -is pssig.bin -raw -tk tkt.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy authorize using the ticket"
+ %TPM_EXE_PATH%policyauthorize -ha 03000000 -appr policies/policypcr16aaa%%H.bin -skn h80000001.bin -tk tkt.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get policy digest, should be policies/policyauthorize%%H.bin"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the verification public key 80000001"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ REM # load the sealed blob and unseal
+
+ echo "Load the sealed data object 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob using the policy session"
+ %TPM_EXE_PATH%unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed object"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the policy session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "Import and Unseal"
+echo ""
+
+REM # primary key P1 80000000
+REM # sealed data S1 80000001 originally under 80000000
+REM # target storage key K1 80000002
+
+for %%A in ("rsa2048" "ecc") do (
+
+ echo "Create a sealed data object S1 under the primary key P1 80000000"
+ %TPM_EXE_PATH%create -hp 80000000 -bl -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policyccduplicate.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the sealed data object S1 at 80000001"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the %%~A storage key K1 80000002"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr store%%~Apriv.bin -ipu store%%~Apub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Start a policy session 03000000"
+ %TPM_EXE_PATH%startauthsession -se p > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Policy command code, duplicate"
+ %TPM_EXE_PATH%policycommandcode -ha 03000000 -cc 14b > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Get policy digest"
+ %TPM_EXE_PATH%policygetdigest -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Duplicate sealed data object S1 80000001 under %%~A K1 80000002"
+ %TPM_EXE_PATH%duplicate -ho 80000001 -pwdo sig -hp 80000002 -od tmpdup.bin -oss tmpss.bin -se0 03000000 1 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the original S1 to free object slot for import"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Import S1 under %%~A K1 80000002"
+ %TPM_EXE_PATH%import -hp 80000002 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin -opr tmppriv1.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the duplicated sealed data object S1 at 80000001 under %%~A K1 80000002"
+ %TPM_EXE_PATH%load -hp 80000002 -ipr tmppriv1.bin -ipu tmppub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Unseal the data blob"
+ %TPM_EXE_PATH%unseal -ha 80000001 -pwd sea -of tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the sealed data object at 80000001"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the storage key at 80000002"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the session"
+ %TPM_EXE_PATH%flushcontext -ha 03000000 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rm tmppriv.bin
+rm tmppub.bin
+rm tmp.bin
+rm tmpdup.bin
+rm tmpss.bin
+rm tmppriv1.bin
+
+exit /B 0
+
+REM getcapability -cap 1 -pr 80000000
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.sh
new file mode 100755
index 0000000..c48458e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testunseal.sh
@@ -0,0 +1,619 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2015 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# used for the name in policy authorize
+
+if [ -z $TPM_DATA_DIR ]; then
+ TPM_DATA_DIR=.
+fi
+
+echo ""
+echo "Seal and Unseal to Password"
+echo ""
+
+echo "Create a sealed data object"
+${PREFIX}create -hp 80000000 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin > run.out
+checkSuccess $?
+
+echo "Load the sealed data object"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Unseal the data blob"
+${PREFIX}unseal -ha 80000001 -pwd sea -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+checkSuccess $?
+
+echo "Unseal with bad password - should fail"
+${PREFIX}unseal -ha 80000001 -pwd xxx > run.out
+checkFailure $?
+
+echo "Flush the sealed object"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Create a primary sealed data object"
+${PREFIX}createprimary -bl -kt f -kt p -pwdk seap -if msg.bin > run.out
+checkSuccess $?
+
+echo "Unseal the primary data blob"
+${PREFIX}unseal -ha 80000001 -pwd seap -of tmp.bin > run.out
+checkSuccess $?
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+checkSuccess $?
+
+echo "Flush the primary sealed object"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo ""
+echo "Seal and Unseal to PolicySecret Platform Auth"
+echo ""
+
+# policy is policy secret pointing to platform auth
+# 000001514000000C plus newline for policyRef
+
+echo "Change platform hierarchy auth"
+${PREFIX}hierarchychangeauth -hi p -pwdn ppp > run.out
+checkSuccess $?
+
+echo "Create a sealed data object with policysecret platform auth under primary key"
+${PREFIX}create -hp 80000000 -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policysecretp.bin > run.out
+checkSuccess $?
+
+echo "Load the sealed data object under primary key"
+${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+checkSuccess $?
+
+echo "Start a policy session"
+${PREFIX}startauthsession -se p > run.out
+checkSuccess $?
+
+echo "Unseal the data blob - policy failure, policysecret not run"
+${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+checkFailure $?
+
+echo "Policy Secret with PWAP session and platform auth"
+${PREFIX}policysecret -ha 4000000c -hs 03000000 -pwde ppp > run.out
+checkSuccess $?
+
+echo "Unseal the data blob"
+${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+checkSuccess $?
+
+echo "Verify the unsealed result"
+diff msg.bin tmp.bin > run.out
+checkSuccess $?
+
+echo "Change platform hierarchy auth back to null"
+${PREFIX}hierarchychangeauth -hi p -pwda ppp > run.out
+checkSuccess $?
+
+echo "Flush the sealed object"
+${PREFIX}flushcontext -ha 80000001 > run.out
+checkSuccess $?
+
+echo "Flush the policy session"
+${PREFIX}flushcontext -ha 03000000 > run.out
+checkSuccess $?
+
+# extend of aaa + 0 pad to digest length
+# pcrreset -ha 16
+# pcrextend -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ic aaa
+# pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+#
+# 1d47f68aced515f7797371b554e32d47981aa0a0
+# c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+# 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+# 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+#
+# paste that with no white space to file policypcr16aaasha1.txt, etc.
+#
+# create AND term for policy PCR, PCR 16
+# and then convert to binary policy
+
+# > policymakerpcr -halg sha1 -bm 10000 -if policies/policypcr16aaasha1.txt -v -pr -of policies/policypcr.txt
+# 0000017f00000001000403000001cbf1e9f771d215a017e17979cfd7184f4b674a4d
+# convert to binary policy
+# > policymaker -halg sha1 -if policies/policypcr.txt -of policies/policypcr16aaasha1.bin -pr -v
+# 12 b6 dd 16 43 82 ca e4 5d 0e d0 7f 9e 51 d1 63
+# a4 24 f5 f2
+
+# > policymakerpcr -halg sha256 -bm 10000 -if policies/policypcr16aaasha256.txt -v -pr -of policies/policypcr.txt
+# 0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
+# > policymaker -halg sha256 -if policies/policypcr.txt -of policies/policypcr16aaasha256.bin -pr -v
+# 76 44 f6 11 ea 10 d7 60 da b9 36 c3 95 1e 1d 85
+# ec db 84 ce 9a 79 03 dd e1 c7 e0 a2 d9 09 a0 13
+
+# > policymakerpcr -halg sha384 -bm 10000 -if policies/policypcr16aaasha384.txt -v -pr -of policies/policypcr.txt
+# 0000017f00000001000c0300000132edb1c501cb0af4f958c9d7f04a8f3122c1025067e3832a5137234ee0d875e9fa99d8d400ca4a37fe13a6f53aeb4932
+# > policymaker -halg sha384 -if policies/policypcr.txt -of policies/policypcr16aaasha384.bin -pr -v
+# ea aa 8b 90 d2 69 b6 31 c0 85 91 e4 bf 29 a3 12
+# 87 04 f2 18 4c 02 ee 83 6a fb c4 c6 7f 28 c1 7f
+# 86 ea 22 b7 00 3d 06 fc b4 57 a3 b5 c4 f7 3c 95
+
+# > policymakerpcr -halg sha512 -bm 10000 -if policies/policypcr16aaasha512.txt -v -pr -of policies/policypcr.txt
+# 0000017f00000001000d03000001ea5218788d9d3a79e6f58608e321880aeb33e2282a3a0a87fb5b8868e7c6b3eedb9b66019409d8ea52d77e0dbfee5822c10ad0de3fd5cc776813a60423a7531f
+# policymaker -halg sha512 -if policies/policypcr.txt -of policies/policypcr16aaasha512.bin -pr -v
+# 1a 57 25 8d 99 64 d8 74 f0 85 0f 2c 8d 70 41 cc
+# be 21 c2 0f df 7e 07 e6 b1 99 ea 05 66 46 b7 fb
+# 23 55 77 4b 96 7e ab e2 65 db 5a 52 82 08 9c af
+# 3c c0 10 e4 99 36 5d ec 7f 0d 3e 6d 2a 62 6d 2e
+
+# sealed blob 80000001
+# policy session 03000000
+
+echo ""
+echo "Seal and Unseal to PCR 16"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create a sealed data object ${HALG}"
+ ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr16aaa${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "Load the sealed data object"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session ${HALG}"
+ ${PREFIX}startauthsession -se p -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "PCR 16 Reset"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob - policy failure, policypcr not run"
+ ${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ checkFailure $?
+
+ echo "Policy PCR, update with the wrong PCR 16 value"
+ ${PREFIX}policypcr -halg ${HALG} -ha 03000000 -bm 10000 > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob - policy failure, PCR 16 incorrect"
+ ${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ checkFailure $?
+
+ echo "Extend PCR 16 to correct value"
+ ${PREFIX}pcrextend -halg ${HALG} -ha 16 -if policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Policy restart, set back to zero"
+ ${PREFIX}policyrestart -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the correct PCR 16 value"
+ ${PREFIX}policypcr -halg ${HALG} -ha 03000000 -bm 10000 > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob"
+ ${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed object"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the policy session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+done
+
+# This test uses the same values for PCR 16 and PCR 23 for simplicity.
+# For different values, calculate the PCR white list value and change
+# the cat line to use two different values.
+
+# extend of aaa + 0 pad to digest length
+# pcrreset -ha 16
+# pcrextend -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ic aaa
+# pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+#
+# 1d47f68aced515f7797371b554e32d47981aa0a0
+# c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+# 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+# 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+#
+# paste that with no white space to file policypcr16aaasha1.txt, etc.
+#
+# create AND term for policy PCR, PCR 16 and 23
+# and then convert to binary policy
+
+# > cat policies/policypcr16aaasha1.txt policies/policypcr16aaasha1.txt >! policypcra.txt
+# > policymakerpcr -halg sha1 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+#0000017f0000000100040300008173820c1f0f279933a5a58629fe44d081e740d4ae
+# > policymaker -halg sha1 -if policypcr.txt -of policies/policypcr1623aaasha1.bin -pr -v
+ # policy digest length 20
+ # b4 ed de a3 35 87 d7 43 29 f6 a8 d1 e7 89 92 64
+ # 46 f0 4c 85
+
+# > cat policies/policypcr16aaasha256.txt policies/policypcr16aaasha256.txt >! policypcra.txt
+# > policymakerpcr -halg sha256 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+# 0000017f00000001000b030000815a9f104273886b7ec8919a449d440d107d0da5df367e28c6ac145c9023cb5e76
+# > policymaker -halg sha256 -if policypcr.txt -of policies/policypcr1623aaasha256.bin -pr -v
+ # policy digest length 32
+ # 84 ff 2f f1 2d 37 cb 23 fb 3d 14 d9 66 77 ca ec
+ # 48 94 5c 0b 83 e5 ea a2 be 98 e9 75 aa 21 e3 d6
+
+# > cat policies/policypcr16aaasha384.txt policies/policypcr16aaasha384.txt >! policypcra.txt
+# > policymakerpcr -halg sha384 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+# 0000017f00000001000c0300008105f7f12c86c3b0ed988d369a96d401bb4a58b74f982eb03e8474cb66076114ba2b933dd95cde1c7ea69d0a797abc99d4
+# > policymaker -halg sha384 -if policypcr.txt -of policies/policypcr1623aaasha384.bin -pr -v
+ # policy digest length 48
+ # 4b 03 cd b3 eb 07 15 14 7c 49 93 43 a5 65 ee dc
+ # 86 22 7c 86 36 20 97 a2 5e 0f 34 2e d2 4f 7e ad
+ # a0 61 8b 5e d7 ba bb e3 5e f0 ab ea 99 55 df 84
+
+# > cat policies/policypcr16aaasha512.txt policies/policypcr16aaasha512.txt >! policypcra.txt
+# > policymakerpcr -halg sha512 -bm 810000 -if policypcra.txt -v -pr -of policypcr.txt
+# 0000017f00000001000d03000081266ae24c92f63b30322e9c22e44e9540313a2223ae79b27eafe798168bef373ac55de22a0ca78ec8b2e9402aa1f8b47b6ef40e9e53aebaa694af58f240efa0fd
+# > policymaker -halg sha512 -if policypcr.txt -of policies/policypcr1623aaasha512.bin -pr -v
+ # policy digest length 64
+ # 13 84 59 76 b8 d4 d8 a9 a4 7d 75 0e 3e 81 cd c2
+ # 78 08 ec 95 d7 13 e8 ef 0c 0b 85 c7 38 2e ad 46
+ # e4 72 31 1d 11 a3 38 17 54 e5 cf 2e 6d 23 67 6d
+ # 39 5a 93 51 9d f3 f0 90 56 4d 66 f8 7b 90 fc 61
+
+# sealed blob 80000001
+# policy session 03000000
+
+echo ""
+echo "Seal and Unseal to PCR 16 and 23"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+
+ echo "Create a sealed data object ${HALG}"
+ ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policypcr1623aaa${HALG}.bin > run.out
+ checkSuccess $?
+
+ echo "Load the sealed data object"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session ${HALG}"
+ ${PREFIX}startauthsession -se p -halg ${HALG} > run.out
+ checkSuccess $?
+
+ echo "PCR 16 Reset"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "PCR 23 Reset"
+ ${PREFIX}pcrreset -ha 23 > run.out
+ checkSuccess $?
+
+ echo "Extend PCR 16 to correct value"
+ ${PREFIX}pcrextend -halg ${HALG} -ha 16 -if policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Extend PCR 23 to correct value"
+ ${PREFIX}pcrextend -halg ${HALG} -ha 23 -if policies/aaa > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the correct PCR 16 and 23 values"
+ ${PREFIX}policypcr -halg ${HALG} -ha 03000000 -bm 810000 > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob"
+ ${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed object"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the policy session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+done
+
+#
+# Sample application to demonstrate the policy authorize solution to
+# the PCR brittleness problem when sealing. Rather than sealing
+# directly to the PCRs, the blob is sealed to an authorizing public
+# key. The authorizing private key signs the approved policy PCR
+# digest.
+#
+# Name for 80000001 authorizing key (output of loadexternal below) is
+# used to calculate the policy authorize policy
+#
+# 00044234c24fc1b9de6693a62453417d2734d7538f6f
+# 000b64ac921a035c72b3aa55ba7db8b599f1726f52ec2f682042fc0e0d29fae81799
+# 000ca8bfb42e75b4c22b366b372cd9994bafe8558aa182cf12c258406d197dab63ac46f5a5255b1deb2993a4e9fc92b1e26c
+# 000d0c36b2a951eccc7e3e12d03175a71304dc747f222a02af8fa2ac8b594ef973518d20b9a5452d0849e325710f587d8a55082e7ae321173619bc12122f3ad71466
+#
+# Use 0000016a || the above Name, with a following blank line for
+# policyRef to make policies/policyauthorizesha[].txt. Use policymaker
+# to create the binary policy. This will be the session digest after
+# the policyauthorize command.
+#
+# > policymaker -halg sha[] -if policies/policyauthorizesha[].txt -of policies/policyauthorizesha[].bin -pr
+# 16 82 10 58 c0 32 8c c4 e5 2e c4 ec ce 61 6c 0a
+# f4 8a 30 88
+#
+# eb a3 f9 8c 5e af 1e a8 f9 4f 51 9b 4d 2a 31 83
+# ee 79 87 66 72 39 8e 23 15 d9 33 c2 88 a8 e5 03
+#
+# 5c c6 34 89 fe f9 c8 42 7e fe 2c 5f 08 39 74 b6
+# d9 a8 36 02 4a cd d9 70 7e f0 b9 fd 15 26 56 da
+# a5 07 0a 9b bf d6 66 df 49 d2 5b 8d 50 8e 16 38
+#
+# c9 c8 29 fb bc 75 54 99 db 48 b7 26 88 24 d1 f8
+# 29 72 01 60 6b d6 5f 41 8e 06 98 7e f7 3e 6a 7e
+# 25 82 c7 6d 8f 1c 36 43 68 01 ee 56 51 d5 06 b4
+# 68 4c fe d1 d0 6a d7 65 23 3f c2 92 94 fd 2c c5
+
+# setup and policy PCR calculations
+#
+# 16 is the debug PCR, a typical application may seal to PCR 0-7
+# > pcrreset -ha 16
+#
+# policies/aaa represents the new 'BIOS' measurement hash extended
+# into all PCR banks
+#
+# > pcrextend -ha 16 -halg [] -if policies/aaa
+#
+# These are the new PCR values to be authorized. Typically, these are
+# calculated by other software based on the enterprise. Here, they're
+# just read from the TPM.
+#
+# > pcrread -ha 16 -halg sha1 -halg sha256 -halg sha384 -halg sha512 -ns
+#
+# 1d47f68aced515f7797371b554e32d47981aa0a0
+# c2119764d11613bf07b7e204c35f93732b4ae336b4354ebc16e8d0c3963ebebb
+# 292963e31c34c272bdea27154094af9250ad97d9e7446b836d3a737c90ca47df2c399021cedd00853ef08497c5a42384
+# 7fe1e4cf015293136bf130183039b6a646ea008b75afd0f8466a9bfe531af8ada867a65828cfce486077529e54f1830aa49ab780562baea49c67a87334ffe778
+#
+# Put the above authorized PCR value in an intermediate file
+# policies/policypcr16aaasha1.txt for policymakerpcr, and create the
+# policypcr AND term policies/policypcr.txt. policymakerpcr prepends the command code and
+# PCR select bit mask.
+#
+# > policymakerpcr -halg sha[] -bm 010000 -if policies/policypcr16aaasha1.txt -of policies/policypcr.txt -pr -v
+#
+# 0000017f00000001000403000001cbf1e9f771d215a017e17979cfd7184f4b674a4d
+# 0000017f00000001000b030000012c28901f71751debfba3f3b5bf3be9c54b8b2f8c1411f2c117a0e838ee4e6c13
+# 0000017f00000001000c0300000132edb1c501cb0af4f958c9d7f04a8f3122c1025067e3832a5137234ee0d875e9fa99d8d400ca4a37fe13a6f53aeb4932
+# 0000017f00000001000d03000001ea5218788d9d3a79e6f58608e321880aeb33e2282a3a0a87fb5b8868e7c6b3eedb9b66019409d8ea52d77e0dbfee5822c10ad0de3fd5cc776813a60423a7531f
+#
+# Send the policymakerpcr AND term result to policymaker to create the
+# Policy PCR digest. This is the authorized policy signed by the
+# authorizing private key.
+#
+# > policymaker -halg sha[] -if policies/policypcr.txt -of policies/policypcr16aaasha[].bin -v -pr -ns
+#
+# 12b6dd164382cae45d0ed07f9e51d163a424f5f2
+# 7644f611ea10d760dab936c3951e1d85ecdb84ce9a7903dde1c7e0a2d909a013
+# eaaa8b90d269b631c08591e4bf29a3128704f2184c02ee836afbc4c67f28c17f86ea22b7003d06fcb457a3b5c4f73c95
+# 1a57258d9964d874f0850f2c8d7041ccbe21c20fdf7e07e6b199ea056646b7fb2355774b967eabe265db5a5282089caf3cc010e499365dec7f0d3e6d2a626d2e
+
+echo ""
+echo "Policy PCR with Policy Authorize (PCR brittleness solution)"
+echo ""
+
+for HALG in ${ITERATE_ALGS}
+do
+ # One time task, create sealed blob with policy of policyauthorize
+ # with Name of authorizing key
+
+ echo "Create a sealed data object ${HALG}"
+ ${PREFIX}create -hp 80000000 -nalg ${HALG} -bl -kt f -kt p -opr tmppriv.bin -opu tmppub.bin -pwdp sto -if msg.bin -pol policies/policyauthorize${HALG}.bin > run.out
+ checkSuccess $?
+
+ # Once per new PCR approved values, authorizing PCRs in policy${HALG}.bin
+
+ echo "Openssl generate and sign aHash (empty policyRef) ${HALG}"
+ openssl dgst -${HALG} -sign policies/rsaprivkey.pem -passin pass:rrrr -out pssig.bin policies/policypcr16aaa${HALG}.bin > run.out 2>&1
+
+ # Once per boot, simulating setting PCRs to authorized values
+
+ echo "Reset PCR 16 back to zero"
+ ${PREFIX}pcrreset -ha 16 > run.out
+ checkSuccess $?
+
+ echo "PCR extend PCR 16 ${HALG}"
+ ${PREFIX}pcrextend -ha 16 -halg ${HALG} -if policies/aaa > run.out
+ checkSuccess $?
+
+ # beginning of unseal process, policy PCR
+
+ echo "Start a policy session ${HALG}"
+ ${PREFIX}startauthsession -halg ${HALG} -se p > run.out
+ checkSuccess $?
+
+ echo "Policy PCR, update with the correct digest ${HALG}"
+ ${PREFIX}policypcr -ha 03000000 -halg ${HALG} -bm 10000 > run.out
+ checkSuccess $?
+
+ echo "Policy get digest, should be policies/policypcr16aaa${HALG}.bin"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ # policyauthorize process
+
+ echo "Load external just the public part of PEM authorizing key ${HALG} 80000001"
+ ${PREFIX}loadexternal -hi p -halg ${HALG} -nalg ${HALG} -ipem policies/rsapubkey.pem -ns > run.out
+ checkSuccess $?
+
+ echo "Verify the signature to generate ticket 80000001 ${HALG}"
+ ${PREFIX}verifysignature -hk 80000001 -halg ${HALG} -if policies/policypcr16aaa${HALG}.bin -is pssig.bin -raw -tk tkt.bin > run.out
+ checkSuccess $?
+
+ echo "Policy authorize using the ticket"
+ ${PREFIX}policyauthorize -ha 03000000 -appr policies/policypcr16aaa${HALG}.bin -skn ${TPM_DATA_DIR}/h80000001.bin -tk tkt.bin > run.out
+ checkSuccess $?
+
+ echo "Get policy digest, should be policies/policyauthorize${HALG}.bin"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Flush the verification public key 80000001"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ # load the sealed blob and unseal
+
+ echo "Load the sealed data object 80000001"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob using the policy session"
+ ${PREFIX}unseal -ha 80000001 -of tmp.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed object"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the policy session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "Import and Unseal"
+echo ""
+
+# primary key P1 80000000
+# sealed data S1 80000001 originally under 80000000
+# target storage key K1 80000002
+
+for ALG in "rsa2048" "ecc"
+do
+
+ echo "Create a sealed data object S1 under the primary key P1 80000000"
+ ${PREFIX}create -hp 80000000 -bl -opr tmppriv.bin -opu tmppub.bin -pwdp sto -pwdk sea -if msg.bin -pol policies/policyccduplicate.bin > run.out
+ checkSuccess $?
+
+ echo "Load the sealed data object S1 at 80000001"
+ ${PREFIX}load -hp 80000000 -ipr tmppriv.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ${ALG} storage key K1 80000002"
+ ${PREFIX}load -hp 80000000 -ipr store${ALG}priv.bin -ipu store${ALG}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Start a policy session 03000000"
+ ${PREFIX}startauthsession -se p > run.out
+ checkSuccess $?
+
+ echo "Policy command code, duplicate"
+ ${PREFIX}policycommandcode -ha 03000000 -cc 14b > run.out
+ checkSuccess $?
+
+ echo "Get policy digest"
+ ${PREFIX}policygetdigest -ha 03000000 > run.out
+ checkSuccess $?
+
+ echo "Duplicate sealed data object S1 80000001 under ${ALG} K1 80000002"
+ ${PREFIX}duplicate -ho 80000001 -pwdo sig -hp 80000002 -od tmpdup.bin -oss tmpss.bin -se0 03000000 1 > run.out
+ checkSuccess $?
+
+ echo "Flush the original S1 to free object slot for import"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Import S1 under ${ALG} K1 80000002"
+ ${PREFIX}import -hp 80000002 -pwdp sto -ipu tmppub.bin -id tmpdup.bin -iss tmpss.bin -opr tmppriv1.bin > run.out
+ checkSuccess $?
+
+ echo "Load the duplicated sealed data object S1 at 80000001 under ${ALG} K1 80000002"
+ ${PREFIX}load -hp 80000002 -ipr tmppriv1.bin -ipu tmppub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Unseal the data blob"
+ ${PREFIX}unseal -ha 80000001 -pwd sea -of tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Verify the unsealed result"
+ diff msg.bin tmp.bin > run.out
+ checkSuccess $?
+
+ echo "Flush the sealed data object at 80000001"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+ echo "Flush the storage key at 80000002"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the session"
+ ${PREFIX}flushcontext -ha 03000000 > run.out
+ checkSuccess $?
+
+done
+
+rm -r tmppriv.bin
+rm -r tmppub.bin
+rm -r tmp.bin
+rm -f tmpdup.bin
+rm -f tmpss.bin
+rm -f tmppriv1.bin
+rm -f pssig.bin
+rm -f tkt.bin
+
+# ${PREFIX}getcapability -cap 1 -pr 80000000
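Review bot: The two flush steps at the end of the "Import and Unseal" loop have their labels and handles crossed: the echo "Flush the sealed data object at 80000001" is followed by `${PREFIX}flushcontext -ha 80000002 > run.out`, and "Flush the storage key at 80000002" by `${PREFIX}flushcontext -ha 80000001 > run.out`. Both contexts are flushed either way so the run passes, but a failure would be reported against the wrong object; swapping the two handles so each command matches its message fixes it, and the same crossing appears in the testunseal.bat hunk above. Separately, the `openssl dgst -sign` step in the policy-authorize loop has no `checkSuccess $?` after it, so a signing failure (missing key file, wrong passphrase) only surfaces later as a verifysignature failure rather than at its source; adding `checkSuccess $?` directly after the openssl line localizes it. The unquoted test near the top should be `if [ -z "$TPM_DATA_DIR" ]; then` so a value containing whitespace does not break the condition, and the `rm -r` lines in the cleanup are better written `rm -f` like the ones that follow, since they act on regular files and should not error when a file is absent.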
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.bat b/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.bat
new file mode 100644
index 0000000..d6a677f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.bat
@@ -0,0 +1,426 @@
+REM #############################################################################
+REM # #
+REM # TPM2 regression test #
+REM # Written by Ken Goldman #
+REM # IBM Thomas J. Watson Research Center #
+REM # #
+REM # (c) Copyright IBM Corporation 2018 - 2020 #
+REM # #
+REM # All rights reserved. #
+REM # #
+REM # Redistribution and use in source and binary forms, with or without #
+REM # modification, are permitted provided that the following conditions are #
+REM # met: #
+REM # #
+REM # Redistributions of source code must retain the above copyright notice, #
+REM # this list of conditions and the following disclaimer. #
+REM # #
+REM # Redistributions in binary form must reproduce the above copyright #
+REM # notice, this list of conditions and the following disclaimer in the #
+REM # documentation and/or other materials provided with the distribution. #
+REM # #
+REM # Neither the names of the IBM Corporation nor the names of its #
+REM # contributors may be used to endorse or promote products derived from #
+REM # this software without specific prior written permission. #
+REM # #
+REM # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+REM # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+REM # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+REM # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+REM # HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+REM # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+REM # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+REM # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+REM # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+REM # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+REM # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+REM # #
+REM #############################################################################
+
+setlocal enableDelayedExpansion
+
+echo ""
+echo "TPM2_CertifyX509"
+echo ""
+
+rem # basic test
+
+rem # sign%%Arpriv.bin is a restricted signing key
+rem # sign%%Apriv.bin is an unrestricted signing key
+
+set SALG=rsa ecc
+set SKEY=rsa2048 ecc
+
+set i=0
+for %%a in (!SALG!) do set /A i+=1 & set SALG[!i!]=%%a
+set i=0
+for %%b in (!SKEY!) do set /A i+=1 & set SKEY[!i!]=%%b
+set L=!i!
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Load the !SALG[%%i]! issuer key 80000001 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!rpriv.bin -ipu sign!SKEY[%%i]!rpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the !SALG[%%i]! subject key 80000002 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!priv.bin -ipu sign!SKEY[%%i]!pub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Self Certify CA Root !SKEY[%%i]!"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000001 -halg sha256 -pwdk sig -pwdo sig -opc tmppart1.bin -os tmpsig1.bin -oa tmpadd1.bin -otbs tmptbs1.bin -ocert tmpx5091.bin -salg !SALG[%%i]! -sub -v -iob 00050472 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+
+ rem # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i1.dump
+ rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i1.dumphh
+ rem # dumpasn1 -a -l -d tmppart1.bin > tmppart1.dump
+ rem # dumpasn1 -a -l -d -hh tmppart1.bin > tmppart1.dumphh
+ rem # dumpasn1 -a -l -d tmpadd1.bin > tmpadd1.dump
+ rem # dumpasn1 -a -l -d -hh tmpadd1.bin > tmpadd1.dumphh
+ rem # dumpasn1 -a -l -d tmpx5091.bin > tmpx5091.dump
+ rem # dumpasn1 -a -l -d -hh tmpx5091.bin > tmpx5091.dumphh
+ rem # openssl x509 -text -inform der -in tmpx5091.bin -noout > tmpx5091.txt
+
+ echo "Convert issuer X509 DER to PEM"
+ openssl x509 -inform der -in tmpx5091.bin -out tmpx5091.pem
+
+ echo "Verify !SKEY[%%i]! self signed issuer root"
+ openssl verify -CAfile tmpx5091.pem tmpx5091.pem
+
+ echo "Signing Key Certify !SALG[%%i]!"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -iob 00040472 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+rem # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i2.dump
+rem # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i2.dumphh
+rem # dumpasn1 -a -l -d tmppart2.bin > tmppart2.dump
+rem # dumpasn1 -a -l -d -hh tmppart2.bin > tmppart2.dumphhe
+rem # dumpasn1 -a -l -d tmpadd2.bin > tmpadd2.dump
+rem # dumpasn1 -a -l -d -hh tmpadd2.bin > tmpadd2.dumphh
+rem # dumpasn1 -a -l -d tmpx5092.bin > tmpx5092.dump
+rem # dumpasn1 -a -l -d -hh tmpx5092.bin > tmpx5092.dumphh
+rem # openssl x509 -text -inform der -in tmpx5092.bin -noout > tmpx5092.txt
+
+ echo "Convert subject X509 DER to PEM"
+ openssl x509 -inform der -in tmpx5092.bin -out tmpx5092.pem
+
+ echo "Verify !SKEY[%%i]! subject against issuer"
+ openssl verify -CAfile tmpx5091.pem tmpx5092.pem
+
+
+ echo "Signing Key Certify !SALG[%%i]! with bad OID"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -iob ffffffff > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+rem # bad der, test bits for 250 bytes
+rem # better to get size from tmppart2.bin
+
+rem # for bit in {0..2}
+rem # do
+rem # echo "Signing Key Certify !SKEY[%%i]! testing bit $bit"
+rem # %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -bit $bit > run.out
+ rem IF !ERRORLEVEL! NEQ 0 (
+ rem exit /B 1
+ rem )
+
+ echo "Flush the root CA issuer signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the subject signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rem # bad extensions for key type
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for fixedTPM signing key"
+echo ""
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Load the !SKEY[%%i]! issuer key 80000001 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!rpriv.bin -ipu sign!SKEY[%%i]!rpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the !SKEY[%%i]! subject key 80000002 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!priv.bin -ipu sign!SKEY[%%i]!pub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! digitalSignature"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,digitalSignature > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! nonRepudiation"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,nonRepudiation > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyEncipherment > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! dataEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,dataEncipherment > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyAgreement"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyAgreement > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyCertSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyCertSign > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! cRLSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,cRLSign > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! encipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,encipherOnly > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! decipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,decipherOnly > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Flush the root CA issuer signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the subject signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for not fixedTPM signing key"
+echo ""
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Load the !SKEY[%%i]! issuer key 80000001 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!nfpriv.bin -ipu sign!SKEY[%%i]!nfpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the !SKEY[%%i]! subject key 80000002 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!nfpriv.bin -ipu sign!SKEY[%%i]!nfpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! digitalSignature"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,digitalSignature > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! nonRepudiation"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,nonRepudiation > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyEncipherment > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! dataEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,dataEncipherment > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyAgreement"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyAgreement > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyCertSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyCertSign > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! cRLSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,cRLSign > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! encipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,encipherOnly > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! decipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg!SALG[%%i]!A -ku critical,decipherOnly > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Flush the root CA issuer signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the subject signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for fixedTpm restricted encryption key"
+echo ""
+
+for /L %%i in (1,1,!L!) do (
+
+ echo "Load the !SKEY[%%i]! issuer key 80000001 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr sign!SKEY[%%i]!rpriv.bin -ipu sign!SKEY[%%i]!rpub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Load the !SKEY[%%i]! subject key 80000002 under the primary key"
+ %TPM_EXE_PATH%load -hp 80000000 -ipr store!SKEY[%%i]!priv.bin -ipu store!SKEY[%%i]!pub.bin -pwdp sto > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! digitalSignature"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,digitalSignature > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! nonRepudiation"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,nonRepudiation > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyEncipherment > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! dataEncipherment"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,dataEncipherment > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyAgreement"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyAgreement > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! keyCertSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,keyCertSign > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! cRLSign"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,cRLSign > run.out
+ IF !ERRORLEVEL! EQU 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! encipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,encipherOnly > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Signing Key Certify !SALG[%%i]! decipherOnly"
+ %TPM_EXE_PATH%certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg !SALG[%%i]! -ku critical,decipherOnly > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the root CA issuer signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000001 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+ echo "Flush the subject signing key"
+ %TPM_EXE_PATH%flushcontext -ha 80000002 > run.out
+ IF !ERRORLEVEL! NEQ 0 (
+ exit /B 1
+ )
+
+)
+
+rem # cleanup
+
+rm tmppart1.bin
+rm tmpadd1.bin
+rm tmptbs1.bin
+rm tmpsig1.bin
+rm tmpx5091.bin
+rm tmpx5091.pem
+rm tmpx5092.pem
+rm tmpx509i.bin
+rm tmppart2.bin
+rm tmpadd2.bin
+rm tmptbs2.bin
+rm tmpsig2.bin
+rm tmpx5092.bin
+
+exit /B 0
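Review bot: The decipherOnly case in the not-fixedTPM loop passes `-salg!SALG[%%i]!A`, missing the space after `-salg` and carrying a stray `A`, so certifyx509 is handed an option like `-salgrsaA` and fails on argument parsing rather than on the TPM rejecting the key usage; because that case only checks that ERRORLEVEL is non-zero, the typo makes it pass without ever exercising the TPM's check. It should read `-salg !SALG[%%i]!`. Separately, the two `openssl x509` conversions and both `openssl verify` calls in the first loop discard their exit status, so a certificate whose TPM-generated signature does not verify against the issuer is not caught by this regression test; add `IF !ERRORLEVEL! NEQ 0 ( exit /B 1 )` after each of them, as every other command in the file does.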
diff --git a/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.sh b/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.sh
new file mode 100755
index 0000000..a41cfcc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/regtests/testx509.sh
@@ -0,0 +1,342 @@
+#!/bin/bash
+#
+
+#################################################################################
+# #
+# TPM2 regression test #
+# Written by Ken Goldman #
+# IBM Thomas J. Watson Research Center #
+# #
+# (c) Copyright IBM Corporation 2019 - 2020 #
+# #
+# All rights reserved. #
+# #
+# Redistribution and use in source and binary forms, with or without #
+# modification, are permitted provided that the following conditions are #
+# met: #
+# #
+# Redistributions of source code must retain the above copyright notice, #
+# this list of conditions and the following disclaimer. #
+# #
+# Redistributions in binary form must reproduce the above copyright #
+# notice, this list of conditions and the following disclaimer in the #
+# documentation and/or other materials provided with the distribution. #
+# #
+# Neither the names of the IBM Corporation nor the names of its #
+# contributors may be used to endorse or promote products derived from #
+# this software without specific prior written permission. #
+# #
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS #
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT #
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR #
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT #
+# HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, #
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT #
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, #
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY #
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT #
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE #
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. #
+# #
+#################################################################################
+
+# The mbedtls port does not support TPM2_CertifyX509 yet */
+
+if [ ${CRYPTOLIBRARY} == "openssl" ]; then
+
+echo ""
+echo "TPM2_CertifyX509"
+echo ""
+
+# basic test
+
+# sign${SKEY[i]}rpriv.bin is a restricted signing key
+# sign${SKEY[i]}priv.bin is an unrestricted signing key
+
+SALG=(rsa ecc)
+SKEY=(rsa2048 ecc)
+
+for ((i = 0 ; i < 2 ; i++))
+do
+
+ echo "Load the ${SALG[i]} issuer key 80000001 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}rpriv.bin -ipu sign${SKEY[i]}rpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ${SALG[i]} subject key 80000002 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}priv.bin -ipu sign${SKEY[i]}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Signing Key Self Certify CA Root ${SALG[i]}"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000001 -halg sha256 -pwdk sig -pwdo sig -opc tmppart1.bin -os tmpsig1.bin -oa tmpadd1.bin -otbs tmptbs1.bin -ocert tmpx5091.bin -salg ${SALG[i]} -sub -v -iob 00050472 > run.out
+ checkSuccess $?
+
+
+ # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i1.dump
+ # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i1.dumphh
+ # dumpasn1 -a -l -d tmppart1.bin > tmppart1.dump
+ # dumpasn1 -a -l -d -hh tmppart1.bin > tmppart1.dumphh
+ # dumpasn1 -a -l -d tmpadd1.bin > tmpadd1.dump
+ # dumpasn1 -a -l -d -hh tmpadd1.bin > tmpadd1.dumphh
+ # dumpasn1 -a -l -d tmpx5091.bin > tmpx5091.dump
+ # dumpasn1 -a -l -d -hh tmpx5091.bin > tmpx5091.dumphh
+ # openssl x509 -text -inform der -in tmpx5091.bin -noout > tmpx5091.txt
+
+ echo "Convert issuer X509 DER to PEM"
+ openssl x509 -inform der -in tmpx5091.bin -out tmpx5091.pem > run.out 2>&1
+ echo " INFO:"
+
+ echo "Verify ${SALG[i]} self signed issuer root"
+ echo -n " INFO: "
+ openssl verify -CAfile tmpx5091.pem tmpx5091.pem > run.out 2>&1
+
+ echo "Signing Key Certify ${SALG[i]}"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -iob 00040472 > run.out
+ checkSuccess $?
+
+ # dumpasn1 -a -l -d tmpx509i.bin > tmpx509i2.dump
+ # dumpasn1 -a -l -d -hh tmpx509i.bin > tmpx509i2.dumphh
+ # dumpasn1 -a -l -d tmppart2.bin > tmppart2.dump
+ # dumpasn1 -a -l -d -hh tmppart2.bin > tmppart2.dumphhe
+ # dumpasn1 -a -l -d tmpadd2.bin > tmpadd2.dump
+ # dumpasn1 -a -l -d -hh tmpadd2.bin > tmpadd2.dumphh
+ # dumpasn1 -a -l -d tmpx5092.bin > tmpx5092.dump
+ # dumpasn1 -a -l -d -hh tmpx5092.bin > tmpx5092.dumphh
+ # openssl x509 -text -inform der -in tmpx5092.bin -noout > tmpx5092.txt
+
+ echo "Convert subject X509 DER to PEM"
+ openssl x509 -inform der -in tmpx5092.bin -out tmpx5092.pem > run.out 2>&1
+ echo " INFO:"
+
+ echo "Verify ${SALG[i]} subject against issuer"
+ echo -n " INFO: "
+ openssl verify -CAfile tmpx5091.pem tmpx5092.pem > run.out 2>&1
+
+
+ echo "Signing Key Certify ${SALG[i]} with bad OID"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -iob ffffffff > run.out
+ checkFailure $?
+
+# bad der, test bits for 250 bytes
+# better to get size from tmppart2.bin
+
+ # for bit in {0..2}
+ # do
+ # echo "Signing Key Certify ${SALG[i]} testing bit $bit"
+ # ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -bit $bit > run.out
+ # checkSuccess0 $?
+ # done
+
+ echo "Flush the root CA issuer signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the subject signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+# bad extensions for key type
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for fixedTPM signing key"
+echo ""
+
+for ((i = 0 ; i < 2 ; i++))
+do
+
+ echo "Load the ${SALG[i]} issuer key 80000001 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}rpriv.bin -ipu sign${SKEY[i]}rpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ${SALG[i]} subject key 80000002 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}priv.bin -ipu sign${SKEY[i]}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} digitalSignature"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,digitalSignature > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} nonRepudiation"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,nonRepudiation > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} keyEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyEncipherment > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} dataEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,dataEncipherment > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} keyAgreement"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyAgreement > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} keyCertSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyCertSign > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} cRLSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,cRLSign > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} encipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,encipherOnly > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} decipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,decipherOnly > run.out
+ checkFailure $?
+
+ echo "Flush the root CA issuer signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the subject signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for not fixedTPM signing key"
+echo ""
+
+for ((i = 0 ; i < 2 ; i++))
+do
+
+ echo "Load the ${SALG[i]} issuer key 80000001 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}nfpriv.bin -ipu sign${SKEY[i]}nfpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ${SALG[i]} subject key 80000002 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}nfpriv.bin -ipu sign${SKEY[i]}nfpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} digitalSignature"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,digitalSignature > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} nonRepudiation"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,nonRepudiation > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} keyEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SAL[i]} -ku critical,keyEncipherment > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} dataEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,dataEncipherment > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} keyAgreement"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyAgreement > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} keyCertSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyCertSign > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} cRLSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,cRLSign > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} encipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,encipherOnly > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} decipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sig -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,decipherOnly > run.out
+ checkFailure $?
+
+ echo "Flush the root CA issuer signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the subject signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+echo ""
+echo "TPM2_CertifyX509 Key Usage Extension for fixedTpm restricted encryption key"
+echo ""
+
+for ((i = 0 ; i < 2 ; i++))
+do
+
+ echo "Load the ${SALG[i]} issuer key 80000001 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr sign${SKEY[i]}rpriv.bin -ipu sign${SKEY[i]}rpub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Load the ${SALG[i]} subject key 80000002 under the primary key"
+ ${PREFIX}load -hp 80000000 -ipr store${SKEY[i]}priv.bin -ipu store${SKEY[i]}pub.bin -pwdp sto > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} digitalSignature"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,digitalSignature > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} nonRepudiation"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,nonRepudiation > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} keyEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyEncipherment > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} dataEncipherment"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,dataEncipherment > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} keyAgreement"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyAgreement > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} keyCertSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,keyCertSign > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} cRLSign"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,cRLSign > run.out
+ checkFailure $?
+
+ echo "Signing Key Certify ${SALG[i]} encipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,encipherOnly > run.out
+ checkSuccess $?
+
+ echo "Signing Key Certify ${SALG[i]} decipherOnly"
+ ${PREFIX}certifyx509 -hk 80000001 -ho 80000002 -halg sha256 -pwdk sig -pwdo sto -opc tmppart2.bin -os tmpsig2.bin -oa tmpadd2.bin -otbs tmptbs2.bin -ocert tmpx5092.bin -salg ${SALG[i]} -ku critical,decipherOnly > run.out
+ checkSuccess $?
+
+ echo "Flush the root CA issuer signing key"
+ ${PREFIX}flushcontext -ha 80000001 > run.out
+ checkSuccess $?
+
+ echo "Flush the subject signing key"
+ ${PREFIX}flushcontext -ha 80000002 > run.out
+ checkSuccess $?
+
+done
+
+# cleanup
+
+rm -r tmppart1.bin
+rm -r tmpadd1.bin
+rm -r tmptbs1.bin
+rm -r tmpsig1.bin
+rm -r tmpx5091.bin
+rm -r tmpx5091.pem
+rm -r tmpx5092.pem
+rm -r tmpx509i.bin
+rm -r tmppart2.bin
+rm -r tmpadd2.bin
+rm -r tmptbs2.bin
+rm -r tmpsig2.bin
+rm -r tmpx5092.bin
+
+# openssl only
+fi
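Review bot: The keyEncipherment case in the not-fixedTPM loop passes `-salg ${SAL[i]}`, an array that is never set, so `-salg` is followed directly by `-ku` and certifyx509 fails on option parsing instead of on the TPM's key-usage check; since the line is followed by `checkFailure`, the typo is invisible and that case is not actually tested. It should be `-salg ${SALG[i]}`. In the first loop the two `openssl verify` invocations (self-signed root, and subject against issuer) only redirect output to run.out and never call `checkSuccess $?`, so a certificate whose signature fails verification does not fail the test; adding `checkSuccess $?` after each verify (and after the two `openssl x509` conversions) closes that gap. The `[ ${CRYPTOLIBRARY} == "openssl" ]` guard also errors out with a syntax error when CRYPTOLIBRARY is unset; quoting it, `[ "${CRYPTOLIBRARY}" == "openssl" ]`, keeps the skip path working.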
diff --git a/libstb/tss2/ibmtpm20tss/utils/returncode.c b/libstb/tss2/ibmtpm20tss/utils/returncode.c
new file mode 100644
index 0000000..4285176
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/returncode.c
@@ -0,0 +1,78 @@
+/********************************************************************************/
+/* */
+/* Return Code Hex to String */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: returncode.c 1290 2018-08-01 14:45:24Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2017. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc;
+ const char *msg;
+ const char *submsg;
+ const char *num;
+
+ if (argc < 2) {
+ printf("returncode: needs argument\n");
+ return EXIT_FAILURE;
+ }
+ if (strcmp(argv[1], "-h") == 0) {
+ printUsage();
+ }
+
+ rc = strtoul(argv[1], NULL, 16);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ return 0;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("Usage: returncode hex-number\n");
+ printf("\n");
+ printf("Returns the TPM_RC name and text for the return code\n");
+ printf("\n");
+ exit(1);
+}
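Review bot: `rc = strtoul(argv[1], NULL, 16);` discards the end pointer and never inspects errno, so a non-hex argument such as `returncode xyz` is silently mapped to 0 and printed as a successful return code, and an out-of-range value is reported as ULONG_MAX truncated into TPM_RC. Parse with an end pointer and reject leftovers: `char *end; errno = 0;`, `unsigned long v = strtoul(argv[1], &end, 16);`, `if (end == argv[1] || *end != '\0' || errno == ERANGE) { printf("returncode: bad hex number %s\n", argv[1]); return EXIT_FAILURE; }` and then `rc = (TPM_RC)v;` (this needs `#include <errno.h>`). If TPM_RC is narrower than unsigned long, a `v > UINT32_MAX` check before the cast would also be needed; I cannot see the typedef from this hunk.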
diff --git a/libstb/tss2/ibmtpm20tss/utils/rewrap.c b/libstb/tss2/ibmtpm20tss/utils/rewrap.c
new file mode 100644
index 0000000..7a996b2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/rewrap.c
@@ -0,0 +1,349 @@
+/********************************************************************************/
+/* */
+/* Rewrap */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Rewrap_In in;
+ Rewrap_Out out;
+ TPMI_DH_OBJECT oldParent = 0;
+ TPMI_DH_OBJECT newParent = 0;
+ const char *oldParentPassword = NULL;
+ const char *inDuplicateFilename = NULL;
+ const char *nameFilename = NULL;
+ const char *inSymSeedFilename = NULL;
+ const char *outDuplicateFilename = NULL;
+ const char *outSymSeedFilename = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ho") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &oldParent);
+ }
+ else {
+ printf("Missing parameter for -ho\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdo") == 0) {
+ i++;
+ if (i < argc) {
+ oldParentPassword = argv[i];
+ }
+ else {
+ printf("-pwdo option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hn") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &newParent);
+ }
+ else {
+ printf("Missing parameter for -hp\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-id") == 0) {
+ i++;
+ if (i < argc) {
+ inDuplicateFilename = argv[i];
+ }
+ else {
+ printf("-id option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-in") == 0) {
+ i++;
+ if (i < argc) {
+ nameFilename = argv[i];
+ }
+ else {
+ printf("-in option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-iss") == 0) {
+ i++;
+ if (i < argc) {
+ inSymSeedFilename = argv[i];
+ }
+ else {
+ printf("-iss option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-od") == 0) {
+ i++;
+ if (i < argc) {
+ outDuplicateFilename = argv[i];
+ }
+ else {
+ printf("-od option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oss") == 0) {
+ i++;
+ if (i < argc) {
+ outSymSeedFilename = argv[i];
+ }
+ else {
+ printf("-oss option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (oldParent == 0) {
+ printf("Missing or bad object old parent handle -ho\n");
+ printUsage();
+ }
+ if (newParent == 0) {
+ printf("Missing or bad object new parent handle -hn\n");
+ printUsage();
+ }
+ if (inDuplicateFilename == NULL) {
+ printf("Missing duplicate private area parameter -id\n");
+ printUsage();
+ }
+ if (nameFilename == NULL) {
+ printf("Missing name parameter -in\n");
+ printUsage();
+ }
+ if (inSymSeedFilename == NULL) {
+ printf("Missing input symmetric seed parameter -iss\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.oldParent = oldParent;
+ in.newParent = newParent;
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.inDuplicate.b,
+ sizeof(in.inDuplicate.t.buffer),
+ inDuplicateFilename);
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.name.b,
+ sizeof(in.name.t.name),
+ nameFilename);
+ }
+ if (rc == 0) {
+ rc = TSS_File_Read2B(&in.inSymSeed.b,
+ sizeof(in.inSymSeed.t.secret),
+ inSymSeedFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Rewrap,
+ sessionHandle0, oldParentPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (outDuplicateFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.outDuplicate.t.buffer,
+ out.outDuplicate.t.size,
+ outDuplicateFilename);
+ }
+ if ((rc == 0) && (outSymSeedFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.outSymSeed.t.secret,
+ out.outSymSeed.t.size,
+ outSymSeedFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("rewrap: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("rewrap: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("rewrap\n");
+ printf("\n");
+ printf("Runs TPM2_Rewrap\n");
+ printf("\n");
+ printf("\t-ho\thandle of object old parent\n");
+ printf("\t[-pwdo\tpassword for old parent (default empty)]\n");
+ printf("\t-hn\thandle of object new parent\n");
+ printf("\t-id\tduplicate private area file name\n");
+ printf("\t-in\tobject name file name\n");
+ printf("\t-iss\tinput symmetric seed file name");
+ printf("\n");
+ printf("\t[-od\trewrap private area file name (default do not save)]\n");
+ printf("\t[-oss\tsymmetric seed file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
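Review bot: The `-hn` branch names the wrong option when its value is missing: `printf("Missing parameter for -hp\n");` should read `printf("Missing parameter for -hn\n");`. The `sscanf(argv[i],"%x", ...)` calls for `-ho`, `-hn` and `-se0..2` ignore the return value, so a non-hex argument leaves the variable at its default; for the parent handles the `== 0` checks below catch this, but a malformed session handle or attribute silently keeps TPM_RS_PW/TPM_RH_NULL (rsadecrypt.c has the same `-se` parsing). A one-line guard such as `if (sscanf(argv[i],"%x", &sessionHandle0) != 1) { printUsage(); }` per call closes that. In printUsage the `-iss` line lacks its trailing `\n`, so it relies on the following `printf("\n")` and loses the blank separator line the other option groups have.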
diff --git a/libstb/tss2/ibmtpm20tss/utils/rsadecrypt.c b/libstb/tss2/ibmtpm20tss/utils/rsadecrypt.c
new file mode 100644
index 0000000..f43fb17
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/rsadecrypt.c
@@ -0,0 +1,512 @@
+/********************************************************************************/
+/* */
+/* RSA_Decrypt */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tsscryptoh.h>
+
+static void printRsaDecrypt(RSA_Decrypt_Out *out);
+static TPM_RC getKeySize(TSS_CONTEXT *tssContext,
+ TPMI_RSA_KEY_BITS *keyBits,
+ TPMI_DH_PCR objectHandle);
+static TPM_RC padData(uint8_t **buffer,
+ size_t *padLength,
+ TPMI_ALG_HASH halg,
+ TPMI_RSA_KEY_BITS keyBits);
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ RSA_Decrypt_In in;
+ RSA_Decrypt_Out out;
+ TPMI_DH_OBJECT keyHandle = 0;
+ TPMI_RSA_KEY_BITS keyBits;
+ const char *encryptFilename = NULL;
+ const char *decryptFilename = NULL;
+ const char *keyPassword = NULL;
+ const char *keyPasswordFilename = NULL;
+ uint8_t *keyPasswordBuffer = NULL;
+ size_t keyPasswordBufferLength = 0;
+ const char *keyPasswordPtr = NULL;
+ TPMI_ALG_HASH halg = TPM_ALG_NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ uint16_t written;
+ size_t length; /* input data */
+ uint8_t *buffer = NULL; /* for the free */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&keyHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ipwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPasswordFilename = argv[i];
+ }
+ else {
+ printf("-ipwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oid") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -oid\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-oid option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ie") == 0) {
+ i++;
+ if (i < argc) {
+ encryptFilename = argv[i];
+ }
+ else {
+ printf("-ie option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-od") == 0) {
+ i++;
+ if (i < argc) {
+ decryptFilename = argv[i];
+ }
+ else {
+ printf("-od option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (keyHandle == 0) {
+ printf("Missing handle parameter -hk\n");
+ printUsage();
+ }
+ if (encryptFilename == NULL) {
+ printf("Missing encrypted message -ie\n");
+ printUsage();
+ }
+ if ((keyPassword != NULL) && (keyPasswordFilename != NULL)) {
+ printf("Only one of -pwdk and -ipwdk can be specified\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ /* use passsword from command line */
+ if (keyPassword != NULL) {
+ keyPasswordPtr = keyPassword;
+ }
+ /* use password from file */
+ else if (keyPasswordFilename != NULL) {
+ rc = TSS_File_ReadBinaryFile(&keyPasswordBuffer, /* freed @2 */
+ &keyPasswordBufferLength,
+ keyPasswordFilename);
+ keyPasswordPtr = (const char *)keyPasswordBuffer;
+ }
+ /* empty password */
+ else {
+ keyPasswordPtr = NULL;
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* get the public modulus size for checks and padding */
+ if (rc == 0) {
+ rc = getKeySize(tssContext, &keyBits, keyHandle);
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ encryptFilename);
+ }
+ if (rc == 0) {
+ if (length > (keyBits / 8U)) {
+ printf("Input data too long %u\n", (unsigned int)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* if an OID was requested, treat the encryptFilename as a hash to be signed */
+ if ((rc == 0) && (halg != TPM_ALG_NULL)) {
+ rc = padData(&buffer, /* realloced to fit */
+ &length, /* resized for OID and pad */
+ halg, /* gigest algorithm for size and OID */
+ keyBits); /* RSA modulus length in bits */
+ }
+ if (rc == 0) {
+ /* Handle of key that will perform rsa decrypt */
+ in.keyHandle = keyHandle;
+
+ /* Table 158 - Definition of {RSA} TPM2B_PUBLIC_KEY_RSA Structure */
+ {
+ in.cipherText.t.size = (uint16_t)length; /* cast safe, range tested above */
+ memcpy(in.cipherText.t.buffer, buffer, length);
+ }
+ /* padding scheme */
+ {
+ /* Table 157 - Definition of {RSA} TPMT_RSA_DECRYPT Structure */
+ in.inScheme.scheme = TPM_ALG_NULL;
+ }
+ /* label */
+ {
+ /* Table 73 - Definition of TPM2B_DATA Structure */
+ in.label.t.size = 0;
+ }
+ }
+ free(buffer); /* @1 */
+ buffer = NULL;
+
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_RSA_Decrypt,
+ sessionHandle0, keyPasswordPtr, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (decryptFilename != NULL)) {
+ rc = TSS_Structure_Marshal(&buffer, /* freed @1 */
+ &written,
+ &out.message,
+ (MarshalFunction_t)TSS_TPM2B_PUBLIC_KEY_RSA_Marshalu);
+ }
+ if ((rc == 0) && (decryptFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(buffer + sizeof(uint16_t),
+ written - sizeof(uint16_t),
+ decryptFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printRsaDecrypt(&out);
+ if (tssUtilsVerbose) printf("rsadecrypt: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("rsadecrypt: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(buffer); /* @1 */
+ free(keyPasswordBuffer); /* @2 */
+ return rc;
+}
+
+/* padData() is used then the private key operation is a signing operation over a hash. It takes a
+ 'buffer' of original 'length'. The original length should match the hash algorithm digest size.
+
+ buffer is realloc'ed to the key size, than then padded with the OID for the hash algorithm and
+ the PKCS1 padding.
+*/
+
+static TPM_RC padData(uint8_t **buffer,
+ size_t *padLength,
+ TPMI_ALG_HASH halg,
+ TPMI_RSA_KEY_BITS keyBits)
+{
+ TPM_RC rc = 0;
+ uint16_t digestSize;
+ const uint8_t *oid;
+ uint16_t oidSize;
+ const uint8_t sha1Oid[] = {SHA1_DER};
+ const uint8_t sha256Oid[] = {SHA256_DER};
+ const uint8_t sha384Oid[] = {SHA384_DER};
+ const uint8_t sha512Oid[] = {SHA512_DER};
+
+ /* check that the original buffer length matches the hash algorithm */
+ if (rc == 0) {
+ digestSize = TSS_GetDigestSize(halg);
+ if (digestSize == 0) {
+ printf("padData: Unsupported hash algorithm %04x\n", halg);
+ rc = TPM_RC_HASH;
+ }
+ }
+ if (rc == 0) {
+ if (digestSize != *padLength) {
+ unsigned long pl = *padLength;
+ printf("paddata: hash algorithm length %u not equal data length %lu\n",
+ digestSize, pl);
+ rc = TPM_RC_VALUE;
+ }
+ }
+ /* realloc the buffer to the key size in bytes */
+ if (rc == 0) {
+ *padLength = keyBits / 8;
+ rc = TSS_Realloc(buffer, *padLength);
+ }
+ /* determine the OID */
+ if (rc == 0) {
+ switch (halg) {
+ case TPM_ALG_SHA1:
+ oid = sha1Oid;
+ oidSize = SHA1_DER_SIZE;
+ break;
+ case TPM_ALG_SHA256:
+ oid = sha256Oid;
+ oidSize = SHA256_DER_SIZE;
+ break;
+ case TPM_ALG_SHA384:
+ oid = sha384Oid;
+ oidSize = SHA384_DER_SIZE;
+ break;
+ case TPM_ALG_SHA512:
+ oid = sha512Oid;
+ oidSize = SHA512_DER_SIZE;
+ break;
+ default:
+ printf("padData: Unsupported hash algorithm %04x\n", halg);
+ rc = TPM_RC_HASH;
+ }
+ }
+ if (rc == 0) {
+ /* move the hash to the end */
+ memmove(*buffer + *padLength - digestSize, *buffer, digestSize);
+ /* prepend the OID */
+ memcpy(*buffer + *padLength - digestSize - oidSize, oid, oidSize);
+ /* prepend the PKCS1 pad */
+ (*buffer)[0] = 0x00;
+ (*buffer)[1] = 0x01;
+ memset(&(*buffer)[2], 0xff, *padLength - 3 - oidSize - digestSize);
+ (*buffer)[*padLength - oidSize - digestSize - 1] = 0x00;
+ if (tssUtilsVerbose) TSS_PrintAll("padData: padded data", *buffer, *padLength);
+ }
+ return rc;
+}
+
+/* getKeySize() gets the key size in bits */
+
+static TPM_RC getKeySize(TSS_CONTEXT *tssContext,
+ TPMI_RSA_KEY_BITS *keyBits,
+ TPMI_DH_PCR objectHandle)
+{
+ TPM_RC rc = 0;
+ ReadPublic_In in;
+ ReadPublic_Out out;
+
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ in.objectHandle = objectHandle;
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ReadPublic,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (rc == 0) {
+ *keyBits = out.outPublic.publicArea.parameters.rsaDetail.keyBits;
+ if (tssUtilsVerbose) printf("getKeySize: size %u\n", *keyBits);
+ }
+ return rc;
+}
+
+static void printRsaDecrypt(RSA_Decrypt_Out *out)
+{
+ TSS_PrintAll("outData", out->message.t.buffer, out->message.t.size);
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("rsadecrypt\n");
+ printf("\n");
+ printf("Runs TPM2_RSA_Decrypt\n");
+ printf("\n");
+ printf("\t-hk\tkey handle\n");
+ printf("\t[-pwdk\tpassword for key (default empty)[\n");
+ printf("\t[-ipwdk\tpassword file for key, nul terminated (default empty)]\n");
+ printf("\t-ie\tencrypt file name\n");
+ printf("\t-od\tdecrypt file name (default do not save)\n");
+ printf("\t[-oid\t(sha1, sha256, sha384 sha512)]\n");
+ printf("\t\toptionally add OID and PKCS1 padding to the\n");
+ printf("\t\tencrypt data (demo of signing with arbitrary OID)\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
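Review bot: `getKeySize()` reads `out.outPublic.publicArea.parameters.rsaDetail.keyBits` without first checking `publicArea.type == TPM_ALG_RSA`, so for a non-RSA handle the union is read through the wrong member and both the `length > (keyBits / 8U)` check and the `padData()` layout are computed from unrelated fields; the same helper is duplicated verbatim in rsaencrypt.c. Add before the assignment `if (out.outPublic.publicArea.type != TPM_ALG_RSA) { printf("getKeySize: handle %08x is not an RSA key\n", objectHandle); rc = TPM_RC_VALUE; }` and guard the assignment with `if (rc == 0)`. Separately, the `-ipwdk` path hands `keyPasswordBuffer` to `TSS_Execute` as a C string, but `TSS_File_ReadBinaryFile` only returns raw bytes; the usage text says the file must be nul terminated, yet nothing verifies it, so a file without a terminator is read past its end — check `keyPasswordBufferLength > 0 && keyPasswordBuffer[keyPasswordBufferLength - 1] == '\0'` and call `printUsage()` otherwise. In `padData()`, `*padLength - 3 - oidSize - digestSize` is an unsigned subtraction with no lower bound on `keyBits`; presumably the TPM never reports a key small enough to underflow it, but an explicit `*padLength < 11 + oidSize + digestSize` rejection would make the PKCS#1 minimum-padding assumption visible.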
diff --git a/libstb/tss2/ibmtpm20tss/utils/rsaencrypt.c b/libstb/tss2/ibmtpm20tss/utils/rsaencrypt.c
new file mode 100644
index 0000000..1ef17c2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/rsaencrypt.c
@@ -0,0 +1,262 @@
+/********************************************************************************/
+/* */
+/* RSA_Encrypt */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static TPM_RC getKeySize(TSS_CONTEXT *tssContext,
+ TPMI_RSA_KEY_BITS *keyBits,
+ TPMI_DH_PCR objectHandle);
+static void printRsaEncrypt(RSA_Encrypt_Out *out);
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ RSA_Encrypt_In in;
+ RSA_Encrypt_Out out;
+ TPMI_DH_OBJECT keyHandle = 0;
+ TPMI_RSA_KEY_BITS keyBits;
+ const char *decryptFilename = NULL;
+ const char *encryptFilename = NULL;
+
+ uint16_t written = 0;
+ size_t length = 0;
+ uint8_t *buffer = NULL; /* for the free */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&keyHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-id") == 0) {
+ i++;
+ if (i < argc) {
+ decryptFilename = argv[i];
+ }
+ else {
+ printf("-id option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-oe") == 0) {
+ i++;
+ if (i < argc) {
+ encryptFilename = argv[i];
+ }
+ else {
+ printf("-oe option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (keyHandle == 0) {
+ printf("Missing handle parameter -hk\n");
+ printUsage();
+ }
+ if (decryptFilename == NULL) {
+ printf("Missing decrypted file -id\n");
+ printUsage();
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* get the public modulus size for checks and padding */
+ if (rc == 0) {
+ rc = getKeySize(tssContext, &keyBits, keyHandle);
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ decryptFilename);
+ }
+ if (rc == 0) {
+ if (length > (keyBits / 8U)) {
+ printf("Input data too long %u\n", (unsigned int)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ /* Handle of key that will perform rsaencrypting */
+ in.keyHandle = keyHandle;
+
+ /* Table 158 - Definition of {RSA} TPM2B_PUBLIC_KEY_RSA Structure */
+ {
+ in.message.t.size = (uint16_t)length; /* cast safe, range tested above */
+ memcpy(in.message.t.buffer, buffer, length);
+ }
+ /* padding scheme */
+ {
+ /* Table 157 - Definition of {RSA} TPMT_RSA_DECRYPT Structure */
+ in.inScheme.scheme = TPM_ALG_NULL;
+ }
+ /* label */
+ {
+ /* NOTE: label requires the last byte to be zero. I.e., when implemented, do not set
+ the in.label.t.size to strlen() */
+ /* Table 73 - Definition of TPM2B_DATA Structure */
+ in.label.t.size = 0;
+ }
+ }
+ free (buffer); /* @1 */
+ buffer = NULL;
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_RSA_Encrypt,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (encryptFilename != NULL)) {
+ rc = TSS_Structure_Marshal(&buffer, /* freed @1 */
+ &written,
+ &out.outData,
+ (MarshalFunction_t)TSS_TPM2B_PUBLIC_KEY_RSA_Marshalu);
+ }
+ if ((rc == 0) && (encryptFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(buffer + sizeof(uint16_t),
+ written - sizeof(uint16_t),
+ encryptFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printRsaEncrypt(&out);
+ if (tssUtilsVerbose) printf("rsaencrypt: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("rsaencrypt: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+/* getKeySize() gets the key size in bits */
+
+static TPM_RC getKeySize(TSS_CONTEXT *tssContext,
+ TPMI_RSA_KEY_BITS *keyBits,
+ TPMI_DH_PCR objectHandle)
+{
+ TPM_RC rc = 0;
+ ReadPublic_In in;
+ ReadPublic_Out out;
+
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ in.objectHandle = objectHandle;
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ReadPublic,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (rc == 0) {
+ *keyBits = out.outPublic.publicArea.parameters.rsaDetail.keyBits;
+ if (tssUtilsVerbose) printf("getKeySize: size %u\n", *keyBits);
+ }
+ return rc;
+}
+
+static void printRsaEncrypt(RSA_Encrypt_Out *out)
+{
+ TSS_PrintAll("outData", out->outData.t.buffer, out->outData.t.size);
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("rsaencrypt\n");
+ printf("\n");
+ printf("Runs TPM2_RSA_Encrypt\n");
+ printf("\n");
+ printf("\t-hk\tkey handle\n");
+ printf("\t-id\tdecrypt file name\n");
+ printf("\t[-oe\tencrypt file name (default do not save)]\n");
+ exit(1);
+}
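Review bot: `in.inScheme.scheme = TPM_ALG_NULL;` means the padding applied is whichever scheme the key object carries, and as I read the TPM2_RSA_Encrypt specification a key whose scheme is also null yields a raw, unpadded RSA operation; neither the comment at that line nor the usage text says so, which matters for a tool whose output is written to `-oe` as ciphertext. A comment such as `/* TPM_ALG_NULL: defer to the key's scheme; if that is also NULL the TPM encrypts raw, with no padding */` would make the contract visible. On style, `free (buffer);` after the label block has a space before the parenthesis while the later `free(buffer);` does not. The `getKeySize()` helper is a byte-for-byte copy of the one in rsadecrypt.c; hoisting it into a shared source file would keep the two from drifting apart.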
diff --git a/libstb/tss2/ibmtpm20tss/utils/sequencecomplete.c b/libstb/tss2/ibmtpm20tss/utils/sequencecomplete.c
new file mode 100644
index 0000000..20076cb
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/sequencecomplete.c
@@ -0,0 +1,336 @@
+/********************************************************************************/
+/* */
+/* SequenceComplete */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ SequenceComplete_In in;
+ SequenceComplete_Out out;
+ char hierarchyChar = 'n';
+ TPMI_RH_HIERARCHY hierarchy = TPM_RH_NULL;
+ TPMI_DH_OBJECT sequenceHandle = 0;
+ const char *inFilename = NULL;
+ const char *outFilename = NULL;
+ const char *ticketFilename = NULL;
+ const char *sequencePassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ size_t length = 0;
+ uint8_t *buffer = NULL; /* for the free */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ hierarchyChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hs") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sequenceHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwds") == 0) {
+ i++;
+ if (i < argc) {
+ sequencePassword = argv[i];
+ }
+ else {
+ printf("-pwds option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ inFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-of") == 0) {
+ i++;
+ if (i < argc) {
+ outFilename = argv[i];
+ }
+ else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-tk") == 0) {
+ i++;
+ if (i < argc) {
+ ticketFilename = argv[i];
+ }
+ else {
+ printf("-tk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ if (hierarchyChar == 'e') {
+ hierarchy = TPM_RH_ENDORSEMENT;
+ }
+ else if (hierarchyChar == 'o') {
+ hierarchy = TPM_RH_OWNER;
+ }
+ else if (hierarchyChar == 'p') {
+ hierarchy = TPM_RH_PLATFORM;
+ }
+ else if (hierarchyChar == 'n') {
+ hierarchy = TPM_RH_NULL;
+ }
+ else {
+ printf("Bad parameter %c for -hi\n", hierarchyChar);
+ printUsage();
+ }
+ in.hierarchy = hierarchy;
+ }
+ if (sequenceHandle == 0) {
+ printf("Missing sequence handle parameter -hs\n");
+ printUsage();
+ }
+ if ((rc == 0) && (inFilename != NULL)) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ inFilename);
+ }
+ if (rc == 0) {
+ if (length > sizeof(in.buffer.t.buffer)) {
+ printf("Input data too long %u\n", (unsigned int)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ /* Handle of key that will perform update */
+ in.sequenceHandle = sequenceHandle;
+
+ /* data for update */
+ in.buffer.t.size = (uint16_t)length;
+ if (length > 0) {
+ memcpy(in.buffer.t.buffer, buffer, length);
+ }
+ }
+ free(buffer); /* @1 */
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_SequenceComplete,
+ sessionHandle0, sequencePassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (outFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.result.t.buffer,
+ out.result.t.size,
+ outFilename);
+ }
+ if ((rc == 0) && (ticketFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.validation,
+ (MarshalFunction_t)TSS_TPMT_TK_HASHCHECK_Marshalu,
+ ticketFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_PrintAll("Result", out.result.t.buffer, out.result.t.size);
+ if (tssUtilsVerbose) printf("sequencecomplete: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("sequencecomplete: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("sequencecomplete\n");
+ printf("\n");
+ printf("Runs TPM2_SequenceComplete\n");
+ printf("\n");
+ printf("\t-hs\tsequence handle\n");
+ printf("\t[-pwds\tpassword for sequence (default empty)]\n");
+ printf("\t[-if\tinput file to be added (default no data)]\n");
+ printf("\t[-of\tresult file name]\n");
+ printf("\t[-tk\tticket file name]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
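Review bot: The error text for a missing `-hs` value names the wrong option: `printf("Missing parameter for -ha\n");` in the `-hs` branch should read `printf("Missing parameter for -hs\n");`, and the same copy-paste appears in the `-hs` branch of sequenceupdate.c in this commit. Separately, the option loop accepts `-hi` and uses it to select `in.hierarchy`, but printUsage() never lists it; add `printf("\t[-hi\thierarchy (e, o, p, n) (default null)]\n");` after the `-hs` usage line so the documented interface matches what the parser does.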
diff --git a/libstb/tss2/ibmtpm20tss/utils/sequenceupdate.c b/libstb/tss2/ibmtpm20tss/utils/sequenceupdate.c
new file mode 100644
index 0000000..c29698b
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/sequenceupdate.c
@@ -0,0 +1,268 @@
+/********************************************************************************/
+/* */
+/* SequenceUpdate */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ SequenceUpdate_In in;
+ TPMI_DH_OBJECT sequenceHandle = 0;
+ const char *inFilename = NULL;
+ const char *sequencePassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ size_t length = 0;
+ uint8_t *buffer = NULL; /* for the free */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hs") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sequenceHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwds") == 0) {
+ i++;
+ if (i < argc) {
+ sequencePassword = argv[i];
+ }
+ else {
+ printf("-pwds option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ inFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (sequenceHandle == 0) {
+ printf("Missing sequence handle parameter -hs\n");
+ printUsage();
+ }
+ if (inFilename == NULL) {
+ printf("Missing input file -if\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ inFilename);
+ }
+ if (rc == 0) {
+ if (length > sizeof(in.buffer.t.buffer)) {
+ printf("Input data too long %u\n", (unsigned int)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ /* Handle of key that will perform update */
+ in.sequenceHandle = sequenceHandle;
+
+ /* data for update */
+ in.buffer.t.size = (uint16_t)length;
+ memcpy(in.buffer.t.buffer, buffer, length);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_SequenceUpdate,
+ sessionHandle0, sequencePassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ free(buffer); /* @1 */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("sequenceupdate: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("sequenceupdate: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("sequenceupdate\n");
+ printf("\n");
+ printf("Runs TPM2_SequenceUpdate\n");
+ printf("\n");
+ printf("\t-hs\tsequence handle\n");
+ printf("\t[-pwds\tpassword for sequence (default empty)]\n");
+ printf("\t-if\tinput file to be HMACed\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t\t01 continue\n");
+ printf("\t\t20 command decrypt\n");
+ exit(1);
+}
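Review bot: Every `sscanf(argv[i],"%x", ...)` in the option loop discards its return value, so a non-hex argument is silently ignored: a bad `-hs` value leaves sequenceHandle at 0 and is later reported as a missing `-hs`, while a bad `-se0`..`-se2` handle keeps the TPM_RS_PW default and the command runs with password authorization rather than the session the user asked for. Check the conversion, e.g. `if (sscanf(argv[i], "%x", &sequenceHandle) != 1) { printf("Bad parameter %s for -hs\n", argv[i]); printUsage(); }`, and do the same for the session handle and attribute fields. The identical pattern is in sequencecomplete.c, setcommandcodeauditstatus.c and setprimarypolicy.c in this commit. Also, `memcpy(in.buffer.t.buffer, buffer, length);` is unguarded here while sequencecomplete.c wraps the same copy in `if (length > 0)`; if TSS_File_ReadBinaryFile hands back a NULL buffer for an empty input file, memcpy from NULL is undefined even with length 0, so the guard is worth copying.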
diff --git a/libstb/tss2/ibmtpm20tss/utils/setcommandcodeauditstatus.c b/libstb/tss2/ibmtpm20tss/utils/setcommandcodeauditstatus.c
new file mode 100644
index 0000000..7a880ae
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/setcommandcodeauditstatus.c
@@ -0,0 +1,298 @@
+/********************************************************************************/
+/* */
+/* SetCommandCodeAuditStatus */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ SetCommandCodeAuditStatus_In in;
+ TPM_CC commandCode;
+ char authHandleChar = 'p';
+ const char *authPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ in.auditAlg = TPM_ALG_NULL; /* default, don't change */
+ in.setList.count = 0;
+ in.clearList.count = 0;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ authHandleChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-set") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &commandCode);
+ in.setList.commandCodes[in.setList.count] = commandCode;
+ in.setList.count++;
+ }
+ else {
+ printf("-set option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-clr") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &commandCode);
+ in.clearList.commandCodes[in.clearList.count] = commandCode;
+ in.clearList.count++;
+ }
+ else {
+ printf("-clr option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ in.auditAlg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ in.auditAlg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ in.auditAlg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ in.auditAlg = TPM_ALG_SHA512;
+ }
+ else if (strcmp(argv[i],"null") == 0) {
+ in.auditAlg = TPM_ALG_NULL;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ if (authHandleChar == 'o') {
+ in.auth = TPM_RH_OWNER;
+ }
+ else if (authHandleChar == 'p') {
+ in.auth = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("Missing or illegal -hi\n");
+ printUsage();
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_SetCommandCodeAuditStatus,
+ sessionHandle0, authPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("setcommandcodeauditstatus: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("setcommandcodeauditstatus: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("setprimarypolicy\n");
+ printf("\n");
+ printf("Runs TPM2_SetCommandCodeAuditStatus\n");
+ printf("\n");
+ printf("\t[-hi\tauthhandle hierarchy (o, p) (default platform)]\n");
+ printf("\t[-pwda\tauthorization password (default empty)]\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512, null) (default null)]\n");
+ printf("\t[-set\tcommand code to set (may be specified more than once (default none)]\n");
+ printf("\t[-clr\tcommand code to clear (may be specified more than once (default none)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
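Review bot: The `-set` and `-clr` branches store into `in.setList.commandCodes[in.setList.count]` and `in.clearList.commandCodes[in.clearList.count]` and bump the count without ever comparing it to the array's capacity, so repeating the option more times than the list holds writes past the end of the stack-allocated `in` structure. Guard before each store, e.g. `if (in.setList.count >= sizeof(in.setList.commandCodes) / sizeof(in.setList.commandCodes[0])) { printf("Too many -set values\n"); printUsage(); }`, with the matching check for `-clr`. printUsage() also prints the wrong program name: `printf("setprimarypolicy\n");` should be `printf("setcommandcodeauditstatus\n");`.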
diff --git a/libstb/tss2/ibmtpm20tss/utils/setprimarypolicy.c b/libstb/tss2/ibmtpm20tss/utils/setprimarypolicy.c
new file mode 100644
index 0000000..619937f
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/setprimarypolicy.c
@@ -0,0 +1,300 @@
+/********************************************************************************/
+/* */
+/* SetPrimaryPolicy */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2018
+ 9. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ SetPrimaryPolicy_In in;
+ char authHandleChar = 'p';
+ const char *authPassword = NULL;
+ const char *policyFilename = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ in.hashAlg = TPM_ALG_NULL; /* default */
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hi") == 0) {
+ i++;
+ if (i < argc) {
+ authHandleChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -hi\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwda") == 0) {
+ i++;
+ if (i < argc) {
+ authPassword = argv[i];
+ }
+ else {
+ printf("-pwda option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pol") == 0) {
+ i++;
+ if (i < argc) {
+ policyFilename = argv[i];
+ }
+ else {
+ printf("-pol option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha256") == 0) {
+ in.hashAlg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha1") == 0) {
+ in.hashAlg = TPM_ALG_SHA1;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (policyFilename != NULL) {
+ if (in.hashAlg == TPM_ALG_NULL) {
+ printf("-pol requires -halg\n");
+ printUsage();
+ }
+ }
+ else {
+ if (in.hashAlg != TPM_ALG_NULL) {
+ printf("-halg requires -pol\n");
+ printUsage();
+ }
+ }
+ /* Table 50 - TPMI_RH_HIERARCHY primaryHandle */
+ if (rc == 0) {
+ if (authHandleChar == 'l') {
+ in.authHandle = TPM_RH_LOCKOUT;
+ }
+ else if (authHandleChar == 'e') {
+ in.authHandle = TPM_RH_ENDORSEMENT;
+ }
+ else if (authHandleChar == 'o') {
+ in.authHandle = TPM_RH_OWNER;
+ }
+ else if (authHandleChar == 'p') {
+ in.authHandle = TPM_RH_PLATFORM;
+ }
+ else {
+ printf("Missing or illegal -hi\n");
+ printUsage();
+ }
+ }
+ /* authorization policy */
+ if (policyFilename != NULL) {
+ rc = TSS_File_Read2B(&in.authPolicy.b,
+ sizeof(in.authPolicy.t.buffer),
+ policyFilename);
+ }
+ else {
+ in.authPolicy.t.size = 0; /* default empty policy */
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_SetPrimaryPolicy,
+ sessionHandle0, authPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("setprimarypolicy: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("setprimarypolicy: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("setprimarypolicy\n");
+ printf("\n");
+ printf("Runs TPM2_SetPrimaryPolicy\n");
+ printf("\n");
+ printf("\t[-hi\tauthhandle hierarchy (l, e, o, p) (default platform)]\n");
+ printf("\t[-pwda\tauthorization password (default empty)]\n");
+ printf("\t[-pol\tpolicy file (default empty policy)]\n");
+ printf("\t[-halg\t(sha1, sha256) (default null)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
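Review bot: The comment `/* Table 50 - TPMI_RH_HIERARCHY primaryHandle */` above the `-hi` switch was carried over from another tool and no longer describes the code: the field assigned here is `in.authHandle`, and the switch accepts `'l'` for TPM_RH_LOCKOUT, which is not a TPMI_RH_HIERARCHY value. Reword it to `/* authHandle: lockout, endorsement, owner or platform hierarchy */`. Separately, `-halg` here accepts only sha1 and sha256 while setcommandcodeauditstatus.c in the same commit also accepts sha384 and sha512; if the primary policy is meant to cover those digests, the parser and the usage line `-halg (sha1, sha256)` should be extended together, and the tool could reject up front a policy file whose length does not match the selected digest size rather than leaving that to the TPM's response code.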
diff --git a/libstb/tss2/ibmtpm20tss/utils/shutdown.c b/libstb/tss2/ibmtpm20tss/utils/shutdown.c
new file mode 100644
index 0000000..8a3cb63
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/shutdown.c
@@ -0,0 +1,129 @@
+/********************************************************************************/
+/* */
+/* Shutdown */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+TPM_RC shutdownCommand(TPM_SU shutdownType);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Shutdown_In in;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ in.shutdownType = TPM_SU_CLEAR; /* default */
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-c") == 0) {
+ in.shutdownType = TPM_SU_CLEAR;
+ }
+ else if (strcmp(argv[i],"-s") == 0) {
+ in.shutdownType = TPM_SU_STATE;
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Shutdown,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("shutdown: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("shutdown: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("shutdown\n");
+ printf("\n");
+ printf("Runs TPM2_Shutdown\n");
+ printf("\n");
+ printf("\t[-c\tshutdown clear (default)]\n");
+ printf("\t[-s\tshutdown state]\n");
+ exit(1);
+}
+
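Review bot: `TPM_RC shutdownCommand(TPM_SU shutdownType);` near the top of shutdown.c declares a function that this file neither defines nor calls, and it is the only non-static prototype in an otherwise self-contained utility; if it is a leftover from an earlier refactor, drop the line, otherwise add a comment naming where it is defined so the external linkage is intentional. The sibling utilities in this series (sign.c, for example) declare only `static void printUsage(void);`. As in the other utilities, `TSS_Delete(tssContext)` is reached with a NULL context when `TSS_Create` fails; presumably TSS_Delete tolerates that, but a one-line comment on the unconditional block, `/* TSS_Delete(NULL) is a no-op when TSS_Create failed */`, would save the next reader from checking.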
diff --git a/libstb/tss2/ibmtpm20tss/utils/sign.c b/libstb/tss2/ibmtpm20tss/utils/sign.c
new file mode 100644
index 0000000..0635366
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/sign.c
@@ -0,0 +1,489 @@
+/********************************************************************************/
+/* */
+/* Sign */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+/* Windows 10 crypto API clashes with openssl */
+#ifdef TPM_WINDOWS
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tsscrypto.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+#include "cryptoutils.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Sign_In in;
+ Sign_Out out;
+ TPMI_DH_OBJECT keyHandle = 0;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMI_ALG_SIG_SCHEME scheme = TPM_ALG_RSASSA;
+ const char *messageFilename = NULL;
+ const char *counterFilename = NULL;
+ const char *ticketFilename = NULL;
+ const char *publicKeyFilename = NULL;
+ const char *signatureFilename = NULL;
+ const char *keyPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ unsigned char *data = NULL; /* message */
+ size_t length;
+ uint32_t sizeInBytes; /* hash algorithm mapped to size */
+ TPMT_HA digest; /* digest of the message */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x",&keyHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-salg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsa") == 0) {
+ scheme = TPM_ALG_RSASSA;
+ }
+ else if (strcmp(argv[i],"ecc") == 0) {
+ scheme = TPM_ALG_ECDSA;
+ }
+ else if (strcmp(argv[i],"hmac") == 0) {
+ scheme = TPM_ALG_HMAC;
+ }
+ else {
+ printf("Bad parameter %s for -salg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-salg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-scheme") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"rsassa") == 0) {
+ scheme = TPM_ALG_RSASSA;
+ }
+ else if (strcmp(argv[i],"rsapss") == 0) {
+ scheme = TPM_ALG_RSAPSS;
+ }
+ else if (strcmp(argv[i],"ecdsa") == 0) {
+ scheme = TPM_ALG_ECDSA;
+ }
+ else if (strcmp(argv[i],"ecdaa") == 0) {
+ scheme = TPM_ALG_ECDAA;
+ }
+ else if (strcmp(argv[i],"hmac") == 0) {
+ scheme = TPM_ALG_HMAC;
+ }
+ else {
+ printf("Bad parameter %s for -scheme\n", argv[i]);
+ printUsage();
+ }
+ }
+ }
+ else if (strcmp(argv[i],"-cf") == 0) {
+ i++;
+ if (i < argc) {
+ counterFilename = argv[i];
+ }
+ else {
+ printf("-cf option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ messageFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ipu") == 0) {
+ i++;
+ if (i < argc) {
+ publicKeyFilename = argv[i];
+ }
+ else {
+ printf("-ipu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-tk") == 0) {
+ i++;
+ if (i < argc) {
+ ticketFilename = argv[i];
+ }
+ else {
+ printf("-tk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-os") == 0) {
+ i++;
+ if (i < argc) {
+ signatureFilename = argv[i];
+ }
+ else {
+ printf("-os option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (messageFilename == NULL) {
+ printf("Missing message file name -if\n");
+ printUsage();
+ }
+ if (keyHandle == 0) {
+ printf("Missing handle parameter -hk\n");
+ printUsage();
+ }
+ if ((scheme == TPM_ALG_ECDAA) && (counterFilename == NULL)) {
+ printf("Missing counter file name -cf for ECDAA algorithm\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&data, /* freed @1 */
+ &length,
+ messageFilename);
+ }
+ /* hash the file */
+ if (rc == 0) {
+ digest.hashAlg = halg;
+ sizeInBytes = TSS_GetDigestSize(digest.hashAlg);
+ rc = TSS_Hash_Generate(&digest,
+ length, data,
+ 0, NULL);
+ }
+ if (rc == 0) {
+ /* Handle of key that will perform signing */
+ in.keyHandle = keyHandle;
+
+ /* digest to be signed */
+ in.digest.t.size = sizeInBytes;
+ memcpy(&in.digest.t.buffer, (uint8_t *)&digest.digest, sizeInBytes);
+ /* Table 145 - Definition of TPMT_SIG_SCHEME inScheme */
+ in.inScheme.scheme = scheme;
+ /* Table 144 - Definition of TPMU_SIG_SCHEME details > */
+ /* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+ /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+ /* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type */
+ if ((scheme == TPM_ALG_RSASSA) ||
+ (scheme == TPM_ALG_RSAPSS)) {
+ in.inScheme.details.rsassa.hashAlg = halg;
+ }
+ else if (scheme == TPM_ALG_ECDAA) {
+ in.inScheme.details.ecdaa.hashAlg = halg;
+ rc = TSS_File_ReadStructure(&in.inScheme.details.ecdaa.count,
+ (UnmarshalFunction_t)TSS_UINT16_Unmarshalu,
+ counterFilename);
+ }
+ else { /* scheme TPM_ALG_ECDSA */
+ in.inScheme.details.ecdsa.hashAlg = halg;
+ }
+ }
+ if (rc == 0) {
+ if (ticketFilename == NULL) {
+ /* proof that digest was created by the TPM (NULL ticket) */
+ /* Table 91 - Definition of TPMT_TK_HASHCHECK Structure */
+ in.validation.tag = TPM_ST_HASHCHECK;
+ in.validation.hierarchy = TPM_RH_NULL;
+ in.validation.digest.t.size = 0;
+ }
+ else {
+ rc = TSS_File_ReadStructure(&in.validation,
+ (UnmarshalFunction_t)TSS_TPMT_TK_HASHCHECK_Unmarshalu,
+ ticketFilename);
+ }
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Sign,
+ sessionHandle0, keyPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (signatureFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.signature,
+ (MarshalFunction_t)TSS_TPMT_SIGNATURE_Marshalu,
+ signatureFilename);
+ }
+ /* if a public key was specified, use openssl to verify the signature using an openssl RSA
+ format key token */
+ if (publicKeyFilename != NULL) {
+ TPM2B_PUBLIC public;
+ void *rsaPubKey = NULL;
+ if (rc == 0) {
+ rc = TSS_File_ReadStructureFlag(&public,
+ (UnmarshalFunctionFlag_t)TSS_TPM2B_PUBLIC_Unmarshalu,
+ TRUE, /* NULL permitted */
+ publicKeyFilename);
+ }
+ /* construct the OpenSSL RSA public key token */
+ if (rc == 0) {
+ unsigned char earr[3] = {0x01, 0x00, 0x01};
+ rc = TSS_RSAGeneratePublicTokenI
+ (&rsaPubKey, /* freed @2 */
+ public.publicArea.unique.rsa.t.buffer, /* public modulus */
+ public.publicArea.unique.rsa.t.size,
+ earr, /* public exponent */
+ sizeof(earr));
+ }
+ /*
+ verify the TPM signature
+ */
+ if (rc == 0) {
+ rc = verifyRSASignatureFromRSA((uint8_t *)&in.digest.t.buffer,
+ in.digest.t.size,
+ &out.signature,
+ halg,
+ rsaPubKey);
+
+ }
+ TSS_RsaFree(rsaPubKey); /* @2 */
+ }
+ free(data); /* @1 */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("sign: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("sign: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("sign\n");
+ printf("\n");
+ printf("Runs TPM2_Sign\n");
+ printf("\n");
+ printf("\t-hk\tkey handle\n");
+ printf("\t-if\tinput message to hash and sign\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-salg\tsignature algorithm (rsa, ecc, hmac) (default rsa)]\n");
+ printf("\t[-scheme signing scheme (rsassa, rsapss, ecdsa, ecdaa, hmac)]\n");
+ printf("\t\t(default rsassa, ecdsa, hmac)]\n");
+ printf("\t[-cf\tinput counter file (commit count required for ECDAA scheme]\n");
+ printf("\t[-ipu\tpublic key file name to verify signature (default no verify)]\n");
+ printf("\t\tVerify only supported for RSA now\n");
+ printf("\t[-os\tsignature file name (default do not save)]\n");
+ printf("\t[-tk\tticket file name]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ exit(1);
+}
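Review bot: `-scheme` is the only value-taking option in the argument loop without a missing-value branch: when `-scheme` is the last argument, `i++` runs past argc and the loop exits silently with the default scheme, whereas every sibling option (`-salg`, `-halg`, `-cf`, …) prints a diagnostic and calls printUsage(). Add the same else arm after the `if (i < argc)` block: `else { printf("-scheme option needs a value\n"); printUsage(); }`. Separately, the `-ipu` verification path reads `public.publicArea.unique.rsa` without first checking `public.publicArea.type == TPM_ALG_RSA`, so an ECC public key file would be read through the wrong union member; failing with a clear message before `TSS_RSAGeneratePublicTokenI` would enforce the "Verify only supported for RSA now" limitation rather than merely documenting it. Finally, the `else` arm at the scheme switch is commented `/* scheme TPM_ALG_ECDSA */` but also receives `TPM_ALG_HMAC`, which presumably works only because the TPMU_SIG_SCHEME members share the TPMS_SCHEME_HASH layout — say so in the comment, e.g. `/* TPM_ALG_ECDSA and TPM_ALG_HMAC: both use the TPMS_SCHEME_HASH layout */`.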
diff --git a/libstb/tss2/ibmtpm20tss/utils/signapp.c b/libstb/tss2/ibmtpm20tss/utils/signapp.c
new file mode 100644
index 0000000..29514eb
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/signapp.c
@@ -0,0 +1,836 @@
+/********************************************************************************/
+/* */
+/* Sign Application */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+ Demo application, and test of "no file TSS"
+
+ Prerequisite: A provisioned EK certificate. Use 'clientek' in the acs directory to provision a
+ software TPM EK certificate.
+
+ Program steps:
+
+ Create an EK. The EK would not normally be the storage root key, but this demonstrates use of a
+ policy session, creating an EK primary key using the EK template, and validation of the EK
+ against the EK certificate.
+
+ Start a policy session, salt with EK
+
+ Create a signing key, salted policy session
+
+ Load the signing key, salted policy session
+
+ Start an HMAC session, salt with EK, bind to signing key
+
+ Sign a message, verify the signature
+
+ Flush the signing key
+
+ Flush the EK
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+/* Windows 10 crypto API clashes with openssl */
+#ifdef TPM_WINDOWS
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tsscrypto.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include "ekutils.h"
+#include "objecttemplates.h"
+
+#define KEYPWD "keypwd"
+
+static TPM_RC startSession(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION *sessionHandle,
+ TPM_SE sessionType,
+ TPMI_DH_OBJECT tpmKey,
+ TPMI_DH_ENTITY bind,
+ const char *bindPassword);
+static TPM_RC policyRestart(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+static TPM_RC policyCommandCode(TSS_CONTEXT *tssContext,
+ TPM_CC commandCode,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+static TPM_RC policyAuthValue(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+static TPM_RC policyPassword(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+static TPM_RC policySecret(TSS_CONTEXT *tssContext,
+ TPMI_DH_ENTITY authHandle,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+static TPM_RC policyGetDigest(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+static TPM_RC createKey(TSS_CONTEXT *tssContext,
+ TPM2B_PRIVATE *outPrivate,
+ TPM2B_PUBLIC *outPublic,
+ TPMI_SH_AUTH_SESSION policySessionHandle,
+ TPM_HANDLE parentHandle,
+ const char *keyPassword,
+ int pwSession);
+static TPM_RC loadKey(TSS_CONTEXT *tssContext,
+ TPM_HANDLE *keyHandle,
+ TPM_HANDLE parentHandle,
+ TPMI_SH_AUTH_SESSION policySessionHandle,
+ TPM2B_PRIVATE *outPrivate,
+ TPM2B_PUBLIC *outPublic,
+ int pwSession);
+static TPM_RC sign(TSS_CONTEXT *tssContext,
+ TPMT_SIGNATURE *signature,
+ TPM_HANDLE keyHandle,
+ TPMI_SH_AUTH_SESSION sessionHandle,
+ uint32_t sizeInBytes,
+ TPMT_HA *messageDigest);
+static TPM_RC verify(TSS_CONTEXT *tssContext,
+ TPM_HANDLE keyHandle,
+ uint32_t sizeInBytes,
+ TPMT_HA *messageDigest,
+ TPMT_SIGNATURE *signature);
+static TPM_RC flush(TSS_CONTEXT *tssContext,
+ TPMI_DH_CONTEXT flushHandle);
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ int pwSession = FALSE; /* default HMAC session */
+ const char *messageString = NULL;
+ uint32_t sizeInBytes;
+ TPMT_HA messageDigest; /* digest of the message */
+ TPMI_SH_AUTH_SESSION policySessionHandle = TPM_RH_NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle = TPM_RH_NULL;
+ TPM_HANDLE ekKeyHandle = TPM_RH_NULL; /* primary key handle */
+ TPM2B_PRIVATE outPrivate;
+ TPM2B_PUBLIC outPublic;
+ TPM_HANDLE keyHandle = TPM_RH_NULL; /* signing key handle */
+ TPMT_SIGNATURE signature;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwsess") == 0) {
+ pwSession = TRUE;
+ }
+ else if (strcmp(argv[i],"-ic") == 0) {
+ i++;
+ if (i < argc) {
+ messageString = argv[i];
+ }
+ else {
+ printf("-ic option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (messageString == NULL) {
+ printf("Missing message -ic\n");
+ printUsage();
+ }
+ /* hash the message file */
+ if (rc == 0) {
+ messageDigest.hashAlg = TPM_ALG_SHA256;
+ /* hash algorithm mapped to size */
+ sizeInBytes = TSS_GetDigestSize(messageDigest.hashAlg);
+ rc = TSS_Hash_Generate(&messageDigest,
+ strlen(messageString), messageString,
+ 0, NULL);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Create a TSS context\n");
+ rc = TSS_Create(&tssContext);
+ }
+ /* createprimary first for salt. processPrimary() also reads the EK certificate and validates
+ it against the primary key. It doesn't walk the certificate chain. */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Create a primary EK for the salt\n");
+ rc = processPrimary(tssContext,
+ &ekKeyHandle,
+ EK_CERT_RSA_INDEX, EK_NONCE_RSA_INDEX, EK_TEMPLATE_RSA_INDEX,
+ TRUE, tssUtilsVerbose); /* do not flush */
+ if (tssUtilsVerbose) printf("INFO: Primary EK handle %08x\n", ekKeyHandle);
+ }
+ /* start a policy session */
+ if (rc == 0) {
+ TPM_HANDLE saltHandle;
+ if (tssUtilsVerbose) printf("INFO: Start a policy session\n");
+ if (!pwSession) {
+ saltHandle = ekKeyHandle;
+ }
+ else {
+ saltHandle = TPM_RH_NULL; /* primary key handle */
+ }
+ rc = startSession(tssContext,
+ &policySessionHandle,
+ TPM_SE_POLICY,
+ saltHandle, TPM_RH_NULL, /* salt, no bind */
+ NULL); /* no bind password */
+ if (tssUtilsVerbose) printf("INFO: Policy session %08x\n", policySessionHandle);
+ }
+ /* EK needs policy secret with endorsement auth */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Satisfy the policy session %08x\n", policySessionHandle);
+ rc = policySecret(tssContext,
+ TPM_RH_ENDORSEMENT,
+ policySessionHandle);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Dump the policy session %08x\n", policySessionHandle);
+ rc = policyGetDigest(tssContext,
+ policySessionHandle);
+ }
+ /* Create the signing key */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Create a signing key under the EK %08x\n", ekKeyHandle);
+ rc = createKey(tssContext,
+ &outPrivate,
+ &outPublic,
+ policySessionHandle, /* continue */
+ ekKeyHandle, /* parent */
+ KEYPWD, /* password for the signing key */
+ pwSession);
+ }
+ /* reuse the policy session to load the signing key under the EK storage key */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Restart the policy session %08x\n", policySessionHandle);
+ rc = policyRestart(tssContext,
+ policySessionHandle);
+ }
+ /* EK needs policy secret with endorsement auth */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Satisfy the policy session %08x\n", policySessionHandle);
+ rc = policySecret(tssContext,
+ TPM_RH_ENDORSEMENT,
+ policySessionHandle);
+ }
+ /* Load the signing key. flush the policy session. */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Load a signing key under the EK %08x\n", ekKeyHandle);
+ rc = loadKey(tssContext,
+ &keyHandle, /* signing key */
+ ekKeyHandle, /* parent */
+ policySessionHandle, /* no flush */
+ &outPrivate,
+ &outPublic,
+ pwSession);
+ if (tssUtilsVerbose) printf("INFO: Loaded key handle %08x\n", keyHandle);
+ }
+ /* start an HMAC session, salt with EK, bind with signing key */
+ if (rc == 0) {
+ if (!pwSession) {
+ if (tssUtilsVerbose) printf("INFO: Start a salt and bind session\n");
+ rc = startSession(tssContext,
+ &sessionHandle, /* salt, bind */
+ TPM_SE_HMAC,
+ ekKeyHandle, /* salt */
+ keyHandle, /* bind */
+ KEYPWD); /* bind with signing key password */
+
+ if (tssUtilsVerbose) printf("INFO: Salt and bind session %08x\n", sessionHandle);
+ }
+ else {
+ sessionHandle = TPM_RS_PW;
+ }
+ }
+ /*
+ sign and verify using an HMAC or password
+ */
+ /* Sign the message digest */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Sign with the signing key %08x\n", keyHandle);
+ rc = sign(tssContext,
+ &signature,
+ keyHandle, /* signing key */
+ sessionHandle, /* continue */
+ sizeInBytes, /* hash algorithm mapped to size */
+ &messageDigest); /* digest of the message */
+ }
+ /* Verify the signature */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Verify the signature %08x\n", keyHandle);
+ rc = verify(tssContext,
+ keyHandle, /* verification public key */
+ sizeInBytes, /* hash algorithm mapped to size */
+ &messageDigest, /* digest of the message */
+ &signature);
+ }
+ /*
+ sign and verify using a policy session, policy authvalue or policy password
+ */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Restart the policy session %08x\n", policySessionHandle);
+ rc = policyRestart(tssContext,
+ policySessionHandle);
+ }
+ /* policy command code */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Satisfy the policy session %08x\n", policySessionHandle);
+ rc = policyCommandCode(tssContext,
+ TPM_CC_Sign,
+ policySessionHandle);
+ }
+ /* policy authvalue or policypassword */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Satisfy the policy session %08x\n", policySessionHandle);
+ if (!pwSession) {
+ rc = policyAuthValue(tssContext,
+ policySessionHandle);
+ }
+ else {
+ rc = policyPassword(tssContext,
+ policySessionHandle);
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Dump the policy session %08x\n", policySessionHandle);
+ rc = policyGetDigest(tssContext,
+ policySessionHandle);
+ }
+ /* Sign the message digest */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Sign with the signing key %08x\n", keyHandle);
+ rc = sign(tssContext,
+ &signature,
+ keyHandle, /* signing key */
+ policySessionHandle, /* continue */
+ sizeInBytes, /* hash algorithm mapped to size */
+ &messageDigest); /* digest of the message */
+ }
+ /* Verify the signature */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Verify the signature %08x\n", keyHandle);
+ rc = verify(tssContext,
+ keyHandle, /* verification public key */
+ sizeInBytes, /* hash algorithm mapped to size */
+ &messageDigest, /* digest of the message */
+ &signature);
+ }
+ /* flush the policy session, normally fails */
+ if (policySessionHandle != TPM_RH_NULL) {
+ if (tssUtilsVerbose) printf("INFO: Flush the policy session %08x\n", policySessionHandle);
+ flush(tssContext, policySessionHandle);
+ }
+ /* flush the salt and bind session */
+ if (!pwSession) {
+ if (sessionHandle != TPM_RH_NULL) {
+ if (tssUtilsVerbose) printf("INFO: Flush the salt session %08x\n", sessionHandle);
+ flush(tssContext, sessionHandle);
+ }
+ }
+ /* flush the primary key */
+ if (ekKeyHandle != TPM_RH_NULL) {
+ if (tssUtilsVerbose) printf("INFO: Flush the primary key %08x\n", ekKeyHandle);
+ flush(tssContext, ekKeyHandle);
+ }
+ /* flush the signing key */
+ if (keyHandle != TPM_RH_NULL) {
+ if (tssUtilsVerbose) printf("INFO: Flush the signing key %08x\n", keyHandle);
+ flush(tssContext, keyHandle);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ printf("signapp: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("signapp: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+/* startSession() starts either a policy or HMAC session.
+
+ If tpmKey is not null, a salted session is used.
+
+ If bind is not null, a bind session is used.
+*/
+
+static TPM_RC startSession(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION *sessionHandle,
+ TPM_SE sessionType, /* policy or HMAC */
+ TPMI_DH_OBJECT tpmKey, /* salt key, can be null */
+ TPMI_DH_ENTITY bind, /* bind object, can be null */
+ const char *bindPassword) /* bind object password, can be null */
+{
+ TPM_RC rc = 0;
+ StartAuthSession_In startAuthSessionIn;
+ StartAuthSession_Out startAuthSessionOut;
+ StartAuthSession_Extra startAuthSessionExtra;
+
+ /* Start an authorization session */
+ if (rc == 0) {
+ startAuthSessionIn.tpmKey = tpmKey; /* salt key */
+ startAuthSessionIn.bind = bind; /* bind object */
+ startAuthSessionExtra.bindPassword = bindPassword; /* bind object password */
+ startAuthSessionIn.sessionType = sessionType; /* HMAC or policy session */
+ startAuthSessionIn.authHash = TPM_ALG_SHA256; /* HMAC algorithm */
+ startAuthSessionIn.symmetric.algorithm = TPM_ALG_AES; /* parameter encryption */
+ startAuthSessionIn.symmetric.keyBits.aes = 128;
+ startAuthSessionIn.symmetric.mode.aes = TPM_ALG_CFB;
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&startAuthSessionOut,
+ (COMMAND_PARAMETERS *)&startAuthSessionIn,
+ (EXTRA_PARAMETERS *)&startAuthSessionExtra,
+ TPM_CC_StartAuthSession,
+ TPM_RH_NULL, NULL, 0);
+ *sessionHandle = startAuthSessionOut.sessionHandle;
+ }
+ return rc;
+}
+
+static TPM_RC policyRestart(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ PolicyRestart_In policyRestartIn;
+
+ if (rc == 0) {
+ policyRestartIn.sessionHandle = sessionHandle;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&policyRestartIn,
+ NULL,
+ TPM_CC_PolicyRestart,
+ TPM_RH_NULL, NULL, 0);
+ }
+ return rc;
+}
+
+static TPM_RC policyCommandCode(TSS_CONTEXT *tssContext,
+ TPM_CC commandCode,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ PolicyCommandCode_In policyCommandCodeIn;
+
+ if (rc == 0) {
+ policyCommandCodeIn.policySession = sessionHandle;
+ policyCommandCodeIn.code = commandCode;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&policyCommandCodeIn,
+ NULL,
+ TPM_CC_PolicyCommandCode,
+ TPM_RH_NULL, NULL, 0);
+ }
+ return rc;
+}
+
+static TPM_RC policyAuthValue(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ PolicyAuthValue_In policyAuthValueIn;
+
+ if (rc == 0) {
+ policyAuthValueIn.policySession = sessionHandle;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&policyAuthValueIn,
+ NULL,
+ TPM_CC_PolicyAuthValue,
+ TPM_RH_NULL, NULL, 0);
+ }
+ return rc;
+}
+
+static TPM_RC policyPassword(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ PolicyPassword_In policyPasswordIn;
+
+ if (rc == 0) {
+ policyPasswordIn.policySession = sessionHandle;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&policyPasswordIn,
+ NULL,
+ TPM_CC_PolicyPassword,
+ TPM_RH_NULL, NULL, 0);
+ }
+ return rc;
+}
+
+/* policySecret() runs policy secret against the session. It assumes that the secret (the
+ endorsement authorization in this example) is Empty.
+
+*/
+
+static TPM_RC policySecret(TSS_CONTEXT *tssContext,
+ TPMI_DH_ENTITY authHandle,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ PolicySecret_In policySecretIn;
+ PolicySecret_Out policySecretOut;
+
+ if (rc == 0) {
+ policySecretIn.authHandle = authHandle;
+ policySecretIn.policySession = sessionHandle;
+ policySecretIn.nonceTPM.b.size = 0;
+ policySecretIn.cpHashA.b.size = 0;
+ policySecretIn.policyRef.b.size = 0;
+ policySecretIn.expiration = 0;
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&policySecretOut,
+ (COMMAND_PARAMETERS *)&policySecretIn,
+ NULL,
+ TPM_CC_PolicySecret,
+ TPM_RS_PW, NULL, 0,
+ TPM_RH_NULL, NULL, 0);
+ }
+ return rc;
+}
+
+/* policyGetDigest() traces the session policy digest for debugging. It should be the same as the
+ policy in the EK template.
+
+*/
+
+static TPM_RC policyGetDigest(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ PolicyGetDigest_In policyGetDigestIn;
+ PolicyGetDigest_Out policyGetDigestOut;
+
+ if (rc == 0) {
+ policyGetDigestIn.policySession = sessionHandle;
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&policyGetDigestOut,
+ (COMMAND_PARAMETERS *)&policyGetDigestIn,
+ NULL,
+ TPM_CC_PolicyGetDigest,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (tssUtilsVerbose) TSS_PrintAll("policyGetDigest",
+ policyGetDigestOut.policyDigest.t.buffer,
+ policyGetDigestOut.policyDigest.t.size);
+ return rc;
+}
+
+/* createKey() creates a signing key under the EK storage key parentHandle.
+
+ policySessionHandle is a previously satisfied policy session. continue is SET.
+
+ A command decrypt session is used to transfer the signing key userAuth encrypted. A response
+ encrypt session is used just as a demo.
+
+*/
+
+static TPM_RC createKey(TSS_CONTEXT *tssContext,
+ TPM2B_PRIVATE *outPrivate,
+ TPM2B_PUBLIC *outPublic,
+ TPMI_SH_AUTH_SESSION policySessionHandle,
+ TPM_HANDLE parentHandle,
+ const char *keyPassword,
+ int pwSession)
+{
+ TPM_RC rc = 0;
+ Create_In createIn;
+ Create_Out createOut;
+ int attributes;
+ /* hard code the policy since this test is also used for the no file support case */
+ const uint8_t policy[] = {0x7e, 0xa1, 0x0d, 0xe0, 0x05, 0xfc, 0xb2, 0x1d,
+ 0x44, 0xf2, 0x4b, 0xc8, 0xf7, 0x4c, 0x28, 0xa8,
+ 0xb9, 0xed, 0xf1, 0x4b, 0x1c, 0x53, 0xea, 0x4c,
+ 0xcf, 0x3c, 0x5a, 0x4c, 0xe3, 0x8c, 0x75, 0x6e};
+ if (rc == 0) {
+ createIn.parentHandle = parentHandle;
+ rc = TSS_TPM2B_StringCopy(&createIn.inSensitive.sensitive.userAuth.b,
+ keyPassword,
+ sizeof(createIn.inSensitive.sensitive.userAuth.t.buffer));
+ }
+ /* policy command code sign + policy authvalue or policy password */
+ if (rc == 0) {
+ memcpy(&createIn.inPublic.publicArea.authPolicy.b.buffer, policy, sizeof(policy));
+ createIn.inPublic.publicArea.authPolicy.b.size = sizeof(policy);
+ }
+ if (rc == 0) {
+ createIn.inSensitive.sensitive.data.t.size = 0;
+ createIn.inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+ createIn.inPublic.publicArea.type = TPM_ALG_RSA; /* for the RSA template */
+ createIn.inPublic.publicArea.objectAttributes.val = 0;
+ createIn.inPublic.publicArea.objectAttributes.val |= TPMA_OBJECT_NODA;
+ createIn.inPublic.publicArea.objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
+ createIn.inPublic.publicArea.objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
+ createIn.inPublic.publicArea.objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
+ createIn.inPublic.publicArea.objectAttributes.val |= TPMA_OBJECT_SIGN;
+ createIn.inPublic.publicArea.objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
+ createIn.inPublic.publicArea.objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
+ createIn.inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_NULL;
+ createIn.inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
+ createIn.inPublic.publicArea.parameters.rsaDetail.keyBits = 2048;
+ createIn.inPublic.publicArea.parameters.rsaDetail.exponent = 0;
+ createIn.inPublic.publicArea.unique.rsa.t.size = 0;
+ createIn.outsideInfo.t.size = 0;
+ createIn.creationPCR.count = 0;
+ if (pwSession) {
+ attributes = TPMA_SESSION_CONTINUESESSION;
+ }
+ else {
+ attributes = TPMA_SESSION_ENCRYPT | TPMA_SESSION_DECRYPT | TPMA_SESSION_CONTINUESESSION;
+ }
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&createOut,
+ (COMMAND_PARAMETERS *)&createIn,
+ NULL,
+ TPM_CC_Create,
+ policySessionHandle, NULL, attributes,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (rc == 0) {
+ *outPrivate = createOut.outPrivate;
+ *outPublic = createOut.outPublic;
+ }
+ return rc;
+}
+
+/* loadKey() loads the signing key under the EK storage key parentHandle.
+
+ policySessionHandle is a previously satisfied policy session. continue is SET.
+
+ A command decrypt and response encrypt session is used just as a demo.
+*/
+
+static TPM_RC loadKey(TSS_CONTEXT *tssContext,
+ TPM_HANDLE *keyHandle,
+ TPM_HANDLE parentHandle,
+ TPMI_SH_AUTH_SESSION policySessionHandle,
+ TPM2B_PRIVATE *outPrivate,
+ TPM2B_PUBLIC *outPublic,
+ int pwSession)
+{
+ TPM_RC rc = 0;
+ Load_In loadIn;
+ Load_Out loadOut;
+ int attributes;
+
+ if (rc == 0) {
+ loadIn.parentHandle = parentHandle;
+ loadIn.inPrivate = *outPrivate;
+ loadIn.inPublic = *outPublic;
+ if (pwSession) {
+ attributes = TPMA_SESSION_CONTINUESESSION;
+ }
+ else {
+ attributes = TPMA_SESSION_DECRYPT | TPMA_SESSION_CONTINUESESSION;
+ }
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&loadOut,
+ (COMMAND_PARAMETERS *)&loadIn,
+ NULL,
+ TPM_CC_Load,
+ policySessionHandle, NULL, attributes,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (rc == 0) {
+ *keyHandle = loadOut.objectHandle;
+ }
+ return rc;
+}
+
+/* sign() signs messageDigest with the signing key keyHandle.
+
+ sessionHandle is a salt and bind session. continue is SET.
+
+ Note that the signing key password is not supplied here. It is supplied when the bind session is
+ created.
+
+*/
+
+static TPM_RC sign(TSS_CONTEXT *tssContext,
+ TPMT_SIGNATURE *signature,
+ TPM_HANDLE keyHandle,
+ TPMI_SH_AUTH_SESSION sessionHandle,
+ uint32_t sizeInBytes, /* hash algorithm mapped to size */
+ TPMT_HA *messageDigest) /* digest of the message */
+{
+ TPM_RC rc = 0;
+ Sign_In signIn;
+ Sign_Out signOut;
+ const char *pwd;
+ TPM_HT handleType = (TPM_HT) ((sessionHandle & HR_RANGE_MASK) >> HR_SHIFT);
+
+ if (rc == 0) {
+ signIn.keyHandle = keyHandle;
+ signIn.digest.t.size = sizeInBytes;
+ memcpy(&signIn.digest.t.buffer, (uint8_t *)&messageDigest->digest, sizeInBytes);
+ signIn.inScheme.scheme = TPM_ALG_RSASSA;
+ signIn.inScheme.details.rsassa.hashAlg = TPM_ALG_SHA256;
+ signIn.validation.tag = TPM_ST_HASHCHECK; /* optional, to make a ticket */
+ signIn.validation.hierarchy = TPM_RH_NULL;
+ signIn.validation.digest.t.size = 0;
+ /* password session */
+ if (sessionHandle == TPM_RS_PW) {
+ pwd = KEYPWD;
+ }
+ /* policy session is policy password or policy authvalue */
+ else if (handleType == TPM_HT_POLICY_SESSION) {
+ pwd = KEYPWD;
+ }
+ /* HMAC session - bound (password ignored) */
+ else {
+ pwd = NULL;
+ }
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&signOut,
+ (COMMAND_PARAMETERS *)&signIn,
+ NULL,
+ TPM_CC_Sign,
+ /* bind, observe that no password is required here */
+ sessionHandle, pwd, TPMA_SESSION_CONTINUESESSION,
+ TPM_RH_NULL, NULL, 0);
+ }
+ if (rc == 0) {
+ *signature = signOut.signature;
+ }
+ return rc;
+}
+
+/* verify() verifies the signature against the message digest using the previously loaded key in
+ keyHandle.
+
+ */
+
+static TPM_RC verify(TSS_CONTEXT *tssContext,
+ TPM_HANDLE keyHandle,
+ uint32_t sizeInBytes, /* hash algorithm mapped to size */
+ TPMT_HA *messageDigest, /* digest of the message */
+ TPMT_SIGNATURE *signature)
+{
+ TPM_RC rc = 0;
+ VerifySignature_In verifySignatureIn;
+ VerifySignature_Out verifySignatureOut;
+
+ if (rc == 0) {
+ verifySignatureIn.keyHandle = keyHandle;
+ verifySignatureIn.digest.t.size = sizeInBytes;
+ memcpy(&verifySignatureIn.digest.t.buffer, (uint8_t *)&messageDigest->digest, sizeInBytes);
+ verifySignatureIn.signature = *signature;
+ }
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&verifySignatureOut,
+ (COMMAND_PARAMETERS *)&verifySignatureIn,
+ NULL,
+ TPM_CC_VerifySignature,
+ TPM_RH_NULL, NULL, 0);
+ }
+ return rc;
+}
+
+/* flush() flushes some handle, either a session or the signing key in this demo.
+
+ */
+
+static TPM_RC flush(TSS_CONTEXT *tssContext,
+ TPMI_DH_CONTEXT flushHandle)
+{
+ TPM_RC rc = 0;
+ FlushContext_In in;
+
+ if (rc == 0) {
+ in.flushHandle = flushHandle;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_FlushContext,
+ TPM_RH_NULL, NULL, 0);
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("signapp\n");
+ printf("\n");
+ printf("Runs a TPM2_Sign application, including creating a primary storage key\n");
+ printf("and creating and loading a signing key\n");
+ printf("\n");
+ printf("\t-ic\tinput message to hash and sign\n");
+ printf("\n");
+ printf("\t[-pwsess\tUse a password session, no HMAC or parameter encryption]\n");
+ printf("\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/startauthsession.c b/libstb/tss2/ibmtpm20tss/utils/startauthsession.c
new file mode 100644
index 0000000..d47c731
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/startauthsession.c
@@ -0,0 +1,301 @@
+/********************************************************************************/
+/* */
+/* StartAuthSession */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ StartAuthSession_In in;
+ StartAuthSession_Out out;
+ StartAuthSession_Extra extra;
+ TPMI_DH_OBJECT tpmKey = TPM_RH_NULL; /* salt key */
+ TPMI_DH_ENTITY bindHandle = TPM_RH_NULL; /* default */
+ const char *bindPassword = NULL;
+ char seChar = 0; /* session type */
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256; /* default */
+ TPMI_ALG_SYM algorithm = TPM_ALG_XOR; /* default symmetric algorithm */
+ const char *nonceTPMFilename = NULL;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-se") == 0) {
+ i++;
+ if (i < argc) {
+ seChar = argv[i][0];
+ }
+ else {
+ printf("Missing parameter for -se\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-hs") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i], "%x", &tpmKey);
+ }
+ else {
+ printf("Bad parameter %s for -hs\n", argv[i]);
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-bi") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i], "%x", &bindHandle);
+ }
+ else {
+ printf("Bad parameter %s for -bi\n", argv[i]);
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-sym") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"xor") == 0) {
+ algorithm = TPM_ALG_XOR;
+ }
+ else if (strcmp(argv[i],"aes") == 0) {
+ algorithm = TPM_ALG_AES;
+ }
+ else {
+ printf("Bad parameter %s for -sym\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -sym\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-on") == 0) {
+ i++;
+ if (i < argc) {
+ nonceTPMFilename = argv[i];
+ }
+ else {
+ printf("-on option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdb") == 0) {
+ i++;
+ if (i < argc) {
+ bindPassword = argv[i];
+ }
+ else {
+ printf("-pwdb option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((bindHandle == TPM_RH_NULL) && (bindPassword != NULL)) {
+ printf("-pwdb (bind password) unused without -bi (bind handle)\n");
+ printUsage();
+ }
+ /* sessionType */
+ switch (seChar) {
+ case 'h':
+ in.sessionType = TPM_SE_HMAC;
+ break;
+ case 'p':
+ in.sessionType = TPM_SE_POLICY;
+ break;
+ case 't':
+ in.sessionType = TPM_SE_TRIAL;
+ break;
+ default:
+ printf("Missing or illegal parameter for -se\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ /* salt key */
+ in.tpmKey = tpmKey;
+ /* encryptedSalt (not required) */
+ in.encryptedSalt.b.size = 0;
+ /* bind handle */
+ in.bind = bindHandle;
+ /* nonceCaller (not required) */
+ in.nonceCaller.t.size = 0;
+ /* for parameter encryption */
+ in.symmetric.algorithm = algorithm;
+ /* authHash */
+ in.authHash = halg;
+ }
+ /* symmetric */
+ /* Table 128 - Definition of TPMT_SYM_DEF Structure */
+ if (rc == 0) { /* XOR */
+ if (in.symmetric.algorithm == TPM_ALG_XOR) {
+ /* Table 61 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM Type */
+ /* Table 125 - Definition of TPMU_SYM_KEY_BITS Union */
+ in.symmetric.keyBits.xorr = halg;
+ /* Table 126 - Definition of TPMU_SYM_MODE Union */
+ in.symmetric.mode.sym = TPM_ALG_NULL; /* none for xor */
+ }
+ else { /* AES */
+ /* Table 61 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM Type */
+ /* Table 125 - Definition of TPMU_SYM_KEY_BITS Union */
+ in.symmetric.keyBits.aes = 128;
+ /* Table 126 - Definition of TPMU_SYM_MODE Union */
+ /* Table 63 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM_MODE Type */
+ in.symmetric.mode.aes = TPM_ALG_CFB;
+ }
+ }
+ /* pass the bind password to the TSS post processor for the session key calculation */
+ if (rc == 0) {
+ extra.bindPassword = bindPassword;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ (EXTRA_PARAMETERS *)&extra,
+ TPM_CC_StartAuthSession,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ /* optionally store the nonceTPM for use in policy commands */
+ if ((rc == 0) && (nonceTPMFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile((uint8_t *)&out.nonceTPM.t.buffer,
+ out.nonceTPM.t.size,
+ nonceTPMFilename);
+ }
+ if (rc == 0) {
+ printf("Handle %08x\n", out.sessionHandle);
+ if (tssUtilsVerbose) printf("startauthsession: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("startauthsession: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("startauthsession\n");
+ printf("\n");
+ printf("Runs TPM2_StartAuthSession\n");
+ printf("\n");
+ printf("\t-se\n");
+ printf("\n");
+ printf("\t\th HMAC session\n");
+ printf("\t\tp Policy session\n");
+ printf("\t\tt Trial policy session\n");
+ printf("\n");
+ printf("\t[-halg\t(sha1, sha256, sha384, sha512) (default sha256)]\n");
+ printf("\t[-hs\tsalt handle (default TPM_RH_NULL)]\n");
+ printf("\t[-bi\tbind handle (default TPM_RH_NULL)]\n");
+ printf("\t[-pwdb\tbind password for bind handle (default empty)]\n");
+ printf("\t[-sym\t(xor, aes) symmetric parameter encryption algorithm (default xor)]\n");
+ printf("\t[-on\tnonceTPM file for policy session (default do not save)]\n");
+ exit(1);
+}
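Review bot: The missing-value branches for `-hs` and `-bi` print `argv[i]` after `i++` has already pushed i to argc, and argv[argc] is a null pointer, so `printf("Bad parameter %s for -hs\n", argv[i])` is undefined behavior instead of a usage message; they should read `printf("-hs option needs a value\n");` and `printf("-bi option needs a value\n");` like the `-on` and `-pwdb` branches do. The `sscanf(argv[i], "%x", ...)` return values are also unchecked, so a mistyped handle silently leaves tpmKey or bindHandle at TPM_RH_NULL and the session is started without the salt or bind object the caller asked for; `if (sscanf(argv[i], "%x", &tpmKey) != 1) printUsage();` would turn that into a visible error. It is also worth a caveat in printUsage that with both `-hs` and `-bi` at their TPM_RH_NULL defaults the session key has no secret input, so an HMAC session with `-sym` gives no real confidentiality for encrypted parameters; that follows from the StartAuthSession inputs set here but should be confirmed against the TSS session-key derivation.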
diff --git a/libstb/tss2/ibmtpm20tss/utils/startup.c b/libstb/tss2/ibmtpm20tss/utils/startup.c
new file mode 100644
index 0000000..fe08ed2
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/startup.c
@@ -0,0 +1,191 @@
+/********************************************************************************/
+/* */
+/* Startup */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+TPM_RC selftestCommand(void);
+TPM_RC startupCommand(TPM_SU startupType);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ int doStartup = TRUE; /* default startup */
+ int doSelftest = FALSE; /* default no self test */
+ TPM_SU startupType = TPM_SU_CLEAR;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-c") == 0) {
+ startupType = TPM_SU_CLEAR;
+ doStartup = TRUE;
+ }
+ else if (strcmp(argv[i],"-s") == 0) {
+ doStartup = TRUE;
+ startupType = TPM_SU_STATE;
+ }
+ else if (strcmp(argv[i],"-st") == 0) {
+ doSelftest = TRUE;
+ }
+ else if (strcmp(argv[i],"-sto") == 0) {
+ doStartup = FALSE;
+ doSelftest = TRUE;
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((rc == 0) && doStartup) {
+ rc = startupCommand(startupType);
+ }
+ if ((rc == 0) && doSelftest ) {
+ rc = selftestCommand();
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("startup: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("startup: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+TPM_RC startupCommand(TPM_SU startupType)
+{
+ TPM_RC rc = 0;
+ TSS_CONTEXT *tssContext = NULL;
+ Startup_In in;
+
+ /*
+ Start a TSS context
+ */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ in.startupType = startupType;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Startup,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ return rc;
+}
+
+TPM_RC selftestCommand(void)
+{
+ TPM_RC rc = 0;
+ TSS_CONTEXT *tssContext = NULL;
+ SelfTest_In in;
+
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ in.fullTest = YES;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_SelfTest,
+ TPM_RH_NULL, NULL, 0);
+ }
+ /* Delete the TSS context */
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ printf("selftest: success\n");
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("startup\n");
+ printf("\n");
+ printf("Runs TPM2_Startup\n");
+ printf("\n");
+ printf("\t[-c\tstartup clear (default)]\n");
+ printf("\t[-s\tstartup state]\n");
+ printf("\t[-st\trun TPM2_SelfTest]\n");
+ printf("\t[-sto\trun only TPM2_SelfTest (no startup)]\n");
+ exit(1);
+}
+
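Review bot: `selftestCommand` and `startupCommand` are given external linkage but are prototyped only at the top of this file and called only from main here, so the file-local idiom is `static TPM_RC selftestCommand(void);` and `static TPM_RC startupCommand(TPM_SU startupType);` (with matching definitions); nothing visible suggests another translation unit needs them, though that is worth confirming before changing. A smaller inconsistency: selftestCommand prints `selftest: success` unconditionally while main gates `startup: success` on tssUtilsVerbose, so `if (tssUtilsVerbose) printf("selftest: success\n");` would match the rest of the tool's output discipline. Neither change alters the TPM commands issued.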
diff --git a/libstb/tss2/ibmtpm20tss/utils/stirrandom.c b/libstb/tss2/ibmtpm20tss/utils/stirrandom.c
new file mode 100644
index 0000000..180eca1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/stirrandom.c
@@ -0,0 +1,161 @@
+/********************************************************************************/
+/* */
+/* StirRandom */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ StirRandom_In in;
+ const char *inputFilename = NULL;
+
+ uint8_t *buffer = NULL; /* for the free */
+ size_t length = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ inputFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (inputFilename == NULL) {
+ printf("Missing private key parameter -if\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ inputFilename);
+ }
+ if (rc == 0) {
+ if (length > sizeof(in.inData.t.buffer)) {
+ printf("Input data too long %u\n", (uint32_t)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ in.inData.t.size = (uint16_t)length; /* cast safe, range tested above */
+ memcpy(in.inData.t.buffer, buffer, length);
+ }
+ free(buffer); /* @1 */
+ buffer = NULL;
+
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_StirRandom,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("stirrandom: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("stirrandom: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("stirrandom\n");
+ printf("\n");
+ printf("Runs TPM2_StirRandom\n");
+ printf("\n");
+ printf("\t-if\tinput file name\n");
+ exit(1);
+}
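Review bot: The error text in the `if (inputFilename == NULL)` branch says `Missing private key parameter -if`, but `-if` is the entropy input file for TPM2_StirRandom, not a key; it looks copied from another utility and will mislead users, so it should read `printf("Missing input file parameter -if\n");`. A second small point: TSS_File_ReadBinaryFile reads the whole file into memory before length is compared against `sizeof(in.inData.t.buffer)`, so an oversized file is fully read and only then rejected; harmless for a test tool, but a comment such as `/* the file is read completely before the TPM2B bound is checked */` above the read would make that ordering explicit.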
diff --git a/libstb/tss2/ibmtpm20tss/utils/timepacket.c b/libstb/tss2/ibmtpm20tss/utils/timepacket.c
new file mode 100644
index 0000000..a105d55
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/timepacket.c
@@ -0,0 +1,210 @@
+/********************************************************************************/
+/* */
+/* Time a TPM Command */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2017 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <time.h>
+
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#include <windows.h>
+#endif
+
+#ifdef TPM_POSIX
+#include <unistd.h>
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tsstransmit.h>
+#include <ibmtss/tssfile.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tsscrypto.h>
+
+#include "cryptoutils.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ const char *commandFilename = NULL;
+ unsigned char *commandBufferString = NULL;
+ unsigned char *commandBuffer = NULL;
+ size_t commandStringLength;
+ size_t commandLength;
+ unsigned int loops = 1;
+ unsigned int count;
+ uint8_t responseBuffer[MAX_RESPONSE_SIZE];
+ uint32_t responseLength;
+ time_t startTime;
+ time_t endTime;
+ double timeDiff = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ commandFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-l") == 0) {
+ i++;
+ if (i < argc) {
+ loops = atoi(argv[i]);
+ }
+ else {
+ printf("-l option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (commandFilename == NULL) {
+ printf("Missing parameter -if\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&commandBufferString, /* freed @2 */
+ &commandStringLength, commandFilename);
+ }
+ if (rc == 0) {
+ if (commandBufferString[commandStringLength-1] != ' ') {
+ printf("packet string does not end in a space\n");
+ }
+ else {
+ /* nul terminate the string */
+ commandBufferString[commandStringLength-1] = '\0';
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Scan(&commandBuffer, /* freed @1 */
+ &commandLength, (char *)commandBufferString);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ for (count = 0 ; (rc == 0) && (count < loops) ; count++) {
+ uint32_t usec;
+ if (rc == 0) {
+ rc = TSS_RandBytes((unsigned char *)&usec, sizeof(uint32_t));
+ }
+ if (rc == 0) {
+ usec %= 1000000;
+#ifdef TPM_POSIX
+ usleep(usec); /* usleep() units are usec */
+#endif
+#ifdef TPM_WINDOWS
+ Sleep(usec/1000); /* Sleep units are msec */
+#endif
+ startTime = time(NULL);
+ rc = TSS_Transmit(tssContext,
+ responseBuffer, &responseLength,
+ commandBuffer, commandLength,
+ NULL);
+ endTime = time(NULL);
+ printf("End Pass %u\n", count +1);
+ timeDiff += difftime(endTime, startTime);
+ }
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ printf("Loops %u time %f time per pass %f\n", loops, timeDiff, timeDiff/loops);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("timepacket: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("timepacket: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(commandBufferString); /* @2 */
+ free(commandBuffer); /* @1 */
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("timepacket\n");
+ printf("\n");
+ printf("Times the supplied packet\n");
+ printf("\n");
+ printf("\t-if\tpacket in hexascii (requires one space at end of packet)\n");
+ printf("\t[-l\tnumber of loops to time (default 1)]\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/tpm2pem.c b/libstb/tss2/ibmtpm20tss/utils/tpm2pem.c
new file mode 100644
index 0000000..e01de3a
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tpm2pem.c
@@ -0,0 +1,150 @@
+/********************************************************************************/
+/* */
+/* TPM public key TPM2B_PUBLIC to PEM */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2016 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* Converts a TPM public key TPM2B_PUBLIC to PEM */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+/* Windows 10 crypto API clashes with openssl */
+#ifdef TPM_WINDOWS
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#endif
+
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tsscrypto.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+#include "cryptoutils.h"
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ const char *publicKeyFilename = NULL;
+ const char *pemFilename = NULL;
+ TPM2B_PUBLIC public;
+
+ tssUtilsVerbose = FALSE;
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ipu") == 0) {
+ i++;
+ if (i < argc) {
+ publicKeyFilename = argv[i];
+ }
+ else {
+ printf("-ipu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-opem") == 0) {
+ i++;
+ if (i < argc) {
+ pemFilename = argv[i];
+ }
+ else {
+ printf("-opem option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (publicKeyFilename == NULL) {
+ printf("Missing private key parameter -ipu\n");
+ printUsage();
+ }
+ if (pemFilename == NULL) {
+ printf("Missing PEM file name parameter -opem\n");
+ printUsage();
+ }
+ /* read the TPM public key to a structure */
+ if (rc == 0) {
+ rc = TSS_File_ReadStructureFlag(&public,
+ (UnmarshalFunctionFlag_t)TSS_TPM2B_PUBLIC_Unmarshalu,
+ TRUE, /* NULL permitted */
+ publicKeyFilename);
+ }
+ /* convert to PEM format and write file */
+ if (rc == 0) {
+ rc = convertPublicToPEM(&public, pemFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("tpm2pem: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("tpm2pem: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("tpm2pem\n");
+ printf("\n");
+ printf("Converts an RSA or EC TPM2B_PUBLIC to PEM\n");
+ printf("\n");
+ printf("\t-ipu\tpublic key input file in TPM format\n");
+ printf("\t-opem\tpublic key output file in PEM format\n");
+ exit(1);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/tpmcmd.c b/libstb/tss2/ibmtpm20tss/utils/tpmcmd.c
new file mode 100644
index 0000000..d601e7c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tpmcmd.c
@@ -0,0 +1,131 @@
+/********************************************************************************/
+/* */
+/* Simulator In Band Commands */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* FIXME should really be in tpmtcpprotocol.h */
+#ifdef TPM_WINDOWS
+#include <winsock2.h> /* for simulator startup */
+#endif
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tsstransmit.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ uint32_t command = 0;
+ const char *message = "";
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-stop") == 0) {
+ command = TPM_STOP;
+ message = "TPM Stop";
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (command == 0) {
+ printf("Missing command specifier\n");
+ printUsage();
+ }
+ /*
+ Start a TSS context
+ */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* Send in band command */
+ if (rc == 0) {
+ rc = TSS_TransmitCommand(tssContext, command, message);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("tpmcmd: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("tpmcmd: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("tpmcmd\n");
+ printf("\n");
+ printf("Sends an in-band TPM simulator signal\n");
+ printf("\n");
+ printf("\t-stop\tStop the TPM simulator\n");
+ exit(1);
+}
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/tpmproxy.c b/libstb/tss2/ibmtpm20tss/utils/tpmproxy.c
new file mode 100644
index 0000000..740c926
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tpmproxy.c
@@ -0,0 +1,972 @@
+/********************************************************************************/
+/* */
+/* Windows 10 TPM Proxy */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2006 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+
+/*
+ Use this proxy when using the TSS command line utilities on Windows. It keeps the connection to
+ the Windows TPM device driver open. This prevents its resource manager from flushing resources
+ after each utiity exits.
+
+ The server type (mssim or raw) should agree with the TSS configuration. mssim wrapes the packets
+ in the MS simulator bytes. raw does not.
+
+ The proxy is unnecessary when using a compiled application.
+
+ Link with:
+
+ tbs.lib
+ ws2_32.lib
+*/
+
+#include <limits.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdint.h>
+#include <time.h>
+
+#include <windows.h>
+#include <specstrings.h>
+
+#include <tbs.h>
+
+#define LOAD32(buffer,offset) ( ntohl(*(uint32_t *)&(buffer)[(offset)]) )
+
+#ifndef SSIZE_MAX
+#define SSIZE_MAX INT_MAX
+#endif
+
+/* standard TCG definitions */
+
+typedef unsigned long TSS_RESULT;
+typedef unsigned char BYTE;
+typedef unsigned short TPM_TAG;
+
+/* local constants */
+
+#define ERROR_CODE -1
+#define DEFAULT_PORT 2321
+#define PACKET_SIZE 4096
+#define TRACE_SIZE (PACKET_SIZE * 4)
+
+#define SERVER_TYPE_MSSIM 0
+#define SERVER_TYPE_RAW 1
+#define TPM_SEND_COMMAND 8 /* simulator command preamble */
+
+/* local prototypes */
+
+void printUsage(void);
+long getArgs(short *port,
+ int *verbose,
+ char **logFileName,
+ int argc,
+ char **argv);
+void logAll(const char *message, unsigned long length, const unsigned char* buff);
+
+TSS_RESULT socketInit(SOCKET *sock_fd, short port);
+TSS_RESULT socketConnect(SOCKET *accept_fd,
+ SOCKET sock_fd,
+ short port);
+TSS_RESULT socketRead(SOCKET accept_fd,
+ char *buffer,
+ uint32_t *bufferLength,
+ size_t bufferSize);
+TSS_RESULT socketReadBytes(SOCKET accept_fd,
+ char *buffer,
+ size_t nbytes);
+TSS_RESULT socketWrite(SOCKET accept_fd,
+ const char *buffer,
+ size_t buffer_length);
+TSS_RESULT socketDisconnect(SOCKET accept_fd);
+
+void TPM_HandleWsaStartupError(const char *prefix,
+ int irc);
+void TPM_HandleWsaError(const char *prefix);
+void TPM_GetWsaStartupError(int status,
+ const char **error_string);
+void TPM_GetWsaError(const char **error_string);
+
+void TPM_GetTBSError(const char *prefix,
+ TBS_RESULT rc);
+void CheckTPMError(const char *prefix,
+ unsigned char *response);
+
+/* global variable for trace logging */
+
+int verbose; /* verbose debug tracing */
+char *logFilename; /* trace log file name */
+char logMsg[TRACE_SIZE]; /* since it's big, put it here rather than on the stack */
+
+/* global socket server format type */
+
+int serverType = SERVER_TYPE_MSSIM; /* default MS simulator format */
+
+#define false 0
+#define true 1
+
+int main(int argc, char** argv)
+{
+ TBS_RESULT rc = 0;
+ TBS_RESULT rc1 = 0;
+ time_t start_time;
+ int contextOpened = false;
+ SOCKET sock_fd; /* server socket */
+ SOCKET accept_fd; /* server accept socket for a packet */
+ int socketOpened = FALSE;
+
+ TBS_HCONTEXT hContext = 0;
+ TBS_CONTEXT_PARAMS2 contextParams;
+
+ /* TPM command and response */
+ BYTE command[PACKET_SIZE];
+ uint32_t commandLength;
+ BYTE response[PACKET_SIZE];
+ uint32_t responseLength;
+
+ /* command line arguments */
+ short port; /* TCPIP server port */
+
+ /* command line argument defaults */
+ port = DEFAULT_PORT;
+ logFilename = NULL;
+ verbose = FALSE;
+
+ /* initialization */
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe */
+ start_time = time(NULL);
+
+ /* get command line arguments */
+ if (rc == 0) {
+ rc = getArgs(&port, &verbose, &logFilename,
+ argc, argv);
+ }
+ /* open HW TPM device driver */
+ if (rc == 0) {
+ if (verbose) printf("tpmproxy: start at %s", ctime(&start_time));
+ if (verbose) printf("tpmproxy: server type %s\n",
+ (serverType == SERVER_TYPE_MSSIM) ? "MS simulator" : "raw");
+ contextParams.version = TBS_CONTEXT_VERSION_TWO;
+ contextParams.includeTpm12 = 0;
+ contextParams.includeTpm20 = 1;
+ rc = Tbsi_Context_Create((TBS_CONTEXT_PARAMS *)&contextParams,
+ &hContext);
+
+ if (verbose) printf("tpmproxy: Tbsi_Context_Create rc %08x\n", rc);
+ if (rc == 0) {
+ contextOpened = true;
+ }
+ else {
+ TPM_GetTBSError("Tbsi_Context_Create ", rc);
+ }
+ }
+ /* open / initialize server socket */
+ if (rc == 0) {
+ if (verbose) printf("Opening socket at port %hu\n", port);
+ rc = socketInit(&sock_fd, port);
+ if (rc != 0) {
+ printf("tpmproxy: socket open failed\n");
+ }
+ else {
+ socketOpened = TRUE;
+ }
+ }
+ /* main loop */
+ while (rc == 0) {
+ /* connect to the client application */
+ if (rc == 0) {
+ if (verbose) printf("Connecting on socket %hu\n", port);
+ rc = socketConnect(&accept_fd, sock_fd, port);
+ }
+ /* read a command from client */
+ if (rc == 0) {
+ rc = socketRead(accept_fd,
+ (char *)command, /* windows wants signed */
+ &commandLength,
+ sizeof(command));
+ logAll("Command", commandLength, command);
+ }
+ /* send command to TPM and receive response */
+ if (rc == 0) {
+ responseLength = sizeof(response);
+ rc = Tbsip_Submit_Command(hContext,
+ TBS_COMMAND_LOCALITY_ZERO,
+ TBS_COMMAND_PRIORITY_NORMAL,
+ command,
+ commandLength,
+ response,
+ &responseLength);
+ if (rc != 0) {
+ TPM_GetTBSError("Tbsi_Context_Create ", rc);
+ }
+ }
+ /* send response to client */
+ if (rc == 0) {
+ logAll("Response", responseLength, response);
+ rc = socketWrite(accept_fd,
+ (char *)response, /* windows wants signed char */
+ responseLength);
+ }
+ /* disconnect from client */
+ if (rc == 0) {
+ rc = socketDisconnect(accept_fd);
+ }
+ }
+ /* close socket */
+ if (socketOpened) {
+ socketDisconnect(sock_fd);
+ }
+ /* close TPM */
+ if (contextOpened) {
+ rc1 = Tbsip_Context_Close(hContext);
+ if (verbose) printf("tpmproxy:Tbsip_Context_Close rc1 %08x\n", rc1);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (verbose) printf("tpmproxy: exit rc %08x\n", rc);
+ return rc;
+}
+
+/*
+ All the socket code is basically a cut and paste from the TPM 1.2 tpm_io.c
+*/
+
+TSS_RESULT socketInit(SOCKET *sock_fd, short port)
+{
+ TSS_RESULT rc = 0;
+ int irc;
+ struct sockaddr_in serv_addr;
+ int opt;
+ WSADATA wsaData;
+
+ /* initiate use of the Windows Sockets DLL 2.0 */
+ if (rc == 0) {
+ if ((irc = WSAStartup(0x202,&wsaData)) != 0) { /* if not successful */
+ printf("socketInit: Error, WSAStartup()\n");
+ TPM_HandleWsaStartupError("socketInit:", irc);
+ rc = ERROR_CODE;
+ }
+ }
+ /* create a tcpip protocol socket */
+ if (rc == 0) {
+ /* if (verbose) printf(" socketInit: Port %hu\n", port); */
+ *sock_fd = socket(AF_INET, SOCK_STREAM, 0); /* tcpip socket */
+ if (*sock_fd == INVALID_SOCKET) {
+ printf("socketInit: Error, server socket()\n");
+ TPM_HandleWsaError("socketInit:");
+ rc = ERROR_CODE;
+ }
+ }
+ if (rc == 0) {
+ memset(&serv_addr, 0, sizeof(serv_addr));
+ serv_addr.sin_family = AF_INET; /* Internet socket */
+ serv_addr.sin_port = htons(port); /* host to network byte order for short */
+ serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); /* host to network byte order for long */
+ opt = 1;
+ /* Set SO_REUSEADDR before calling bind() for servers that bind to a fixed port number. */
+ /* For boolean values, opt must be an int, but the setsockopt prototype is IMHO wrong.
+ It should take void *, but uses char *. Hence the type cast. */
+ irc = setsockopt(*sock_fd, SOL_SOCKET, SO_REUSEADDR, (char *)&opt, sizeof(opt));
+ if (irc == SOCKET_ERROR) {
+ printf("socketInit: Error, server setsockopt()\n");
+ TPM_HandleWsaError("socketInit:");
+ closesocket(*sock_fd);
+ rc = ERROR_CODE;
+ }
+ }
+ /* bind the (local) server port name to the socket */
+ if (rc == 0) {
+ irc = bind(*sock_fd, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
+ if (irc == SOCKET_ERROR) {
+ printf("socketInit: Error, server bind()\n");
+ printf("socketInit: Is SW TPM listening on this port?\n");
+ TPM_HandleWsaError("socketInit:");
+ closesocket(*sock_fd);
+ rc = ERROR_CODE;
+ }
+ }
+ /* listen for a connection to the socket */
+ if (rc == 0) {
+ irc = listen(*sock_fd, SOMAXCONN);
+ if (irc == SOCKET_ERROR) {
+ printf("socketInit: Error, server listen()\n");
+ TPM_HandleWsaError("socketInit:");
+ closesocket(*sock_fd);
+ rc = ERROR_CODE;
+ }
+ }
+ if (rc != 0) {
+ WSACleanup();
+ }
+ return rc;
+}
+
+TSS_RESULT socketConnect(SOCKET *accept_fd,
+ SOCKET sock_fd,
+ short port)
+{
+ TSS_RESULT rc = 0;
+ int cli_len;
+ struct sockaddr_in cli_addr; /* Internet version of sockaddr */
+
+ /* accept a connection */
+ if (rc == 0) {
+ cli_len = sizeof(cli_addr);
+ /* block until connection from client */
+ /* printf(" socketConnect: Waiting for connection on port %hu ...\n", port); */
+ *accept_fd = accept(sock_fd, (struct sockaddr *)&cli_addr, &cli_len);
+ if (*accept_fd == SOCKET_ERROR) {
+ printf("socketConnect: Error, accept()\n");
+ TPM_HandleWsaError("socketConnect: ");
+ closesocket(sock_fd);
+ WSACleanup();
+ rc = ERROR_CODE;
+ }
+ }
+ return rc;
+}
+
+/* socketRead() reads a TPM command packet from the host
+
+ Puts the result in 'buffer' up to 'bufferSize' bytes.
+
+ On success, the number of bytes in the buffer is equal to 'bufferLength' bytes
+
+ This function is intended to be platform independent.
+*/
+
+TSS_RESULT socketRead(SOCKET accept_fd, /* read/write file descriptor */
+ char *buffer, /* output: command stream */
+ uint32_t *bufferLength, /* output: command stream length */
+ size_t bufferSize) /* input: max size of output buffer */
+{
+ TSS_RESULT rc = 0;
+ uint32_t headerSize; /* minimum required bytes in command through paramSize */
+ uint32_t paramSize; /* from command stream */
+ uint32_t commandTypeNbo; /* MS simulator format preamble */
+ uint32_t commandType; /* MS simulator format preamble */
+ uint8_t locality; /* MS simulator format preamble */
+ uint32_t lengthNbo; /* MS simulator format preamble */
+
+ /* if the MS simulator packet format */
+ if (serverType == SERVER_TYPE_MSSIM) {
+ /* read and check the command */
+ if (rc == 0) {
+ rc = socketReadBytes(accept_fd, (char *)&commandTypeNbo, sizeof(uint32_t));
+ }
+ if (rc == 0) {
+ commandType = LOAD32(&commandTypeNbo, 0);
+ if (commandType != TPM_SEND_COMMAND) {
+ printf("socketRead: Error, -mssim preamble is %08x not %08x\n",
+ commandType,TPM_SEND_COMMAND);
+ rc = ERROR_CODE;
+ }
+ }
+ /* read and discard the locality */
+ if (rc == 0) {
+ rc = socketReadBytes(accept_fd, &locality, sizeof(uint8_t));
+ }
+ /* read and discard the redundant length */
+ if (rc == 0) {
+ rc = socketReadBytes(accept_fd, (char *)&lengthNbo, sizeof(uint32_t));
+ }
+ }
+ /* check that the buffer can at least fit the command through the paramSize */
+ if (rc == 0) {
+ headerSize = sizeof(TPM_TAG) + sizeof(uint32_t);
+ if (bufferSize < headerSize) {
+ printf("socketRead: Error, buffer size %u less than minimum %u\n",
+ bufferSize, headerSize);
+ rc = ERROR_CODE;
+ }
+ }
+ /* read the command through the paramSize from the socket stream */
+ if (rc == 0) {
+ rc = socketReadBytes(accept_fd, buffer, headerSize);
+ }
+ if (rc == 0) {
+ /* extract the paramSize value, last field in header */
+ paramSize = LOAD32(buffer, headerSize - sizeof(uint32_t));
+ *bufferLength = headerSize + paramSize - (sizeof(TPM_TAG) + sizeof(uint32_t));
+ if (bufferSize < *bufferLength) {
+ printf("socketRead: Error, buffer size %u is less than required %u\n",
+ bufferSize, *bufferLength);
+ rc = ERROR_CODE;
+ }
+ }
+ /* read the rest of the command (already read tag and paramSize) */
+ if (rc == 0) {
+ rc = socketReadBytes(accept_fd,
+ buffer + headerSize,
+ paramSize - (sizeof(TPM_TAG) + sizeof(uint32_t)));
+ }
+ return rc;
+}
+
+/* socketReadBytes() reads nbytes from accept_fd and puts them in buffer.
+
+ The buffer has already been checked for sufficient size.
+*/
+
+TSS_RESULT socketReadBytes(SOCKET accept_fd, /* read/write file descriptor */
+ char *buffer,
+ size_t nbytes)
+{
+ TSS_RESULT rc = 0;
+ int nread = 0;
+ size_t nleft = nbytes;
+
+ /* read() is unspecified with nbytes too large */
+ if (rc == 0) {
+ if (nleft > SSIZE_MAX) {
+ rc = ERROR_CODE;
+ }
+ }
+ while ((rc == 0) && (nleft > 0)) {
+ nread = recv(accept_fd, buffer, nleft, 0);
+ if ((nread == SOCKET_ERROR) ||
+ (nread < 0)) { /* error */
+ printf("socketReadBytes: Error, read() error\n");
+ TPM_HandleWsaError("socketReadBytes:");
+ socketDisconnect(accept_fd);
+ rc = ERROR_CODE;
+ }
+ else if (nread > 0) {
+ nleft -= nread;
+ buffer += nread;
+ }
+ else if (nread == 0) { /* EOF */
+ printf("socketReadBytes: Error, read EOF, read %u bytes\n", nbytes - nleft);
+ rc = ERROR_CODE;
+ }
+ }
+ return rc;
+}
+
+/* socketWrite() writes buffer_length bytes from buffer to accept_fd.
+
+ In mmssim mode, it prepends the size and appends the acknowledgement.
+ */
+
+TSS_RESULT socketWrite(SOCKET accept_fd, /* read/write file descriptor */
+ const char *buffer,
+ size_t buffer_length)
+{
+ TSS_RESULT rc = 0;
+ int nwritten = 0;
+
+ /* write() is unspecified with buffer_length too large */
+ if (rc == 0) {
+ if (buffer_length > SSIZE_MAX) {
+ rc = ERROR_CODE;
+ }
+ }
+ /* if the MS simulator packet format */
+ if (serverType == SERVER_TYPE_MSSIM) {
+ /* prepend the leading size */
+ if (rc == 0) {
+ uint32_t bufferLengthNbo = htonl(buffer_length);
+ send(accept_fd, (const char *)&bufferLengthNbo, sizeof(uint32_t), 0);
+ }
+ }
+ /* test that connection is open to write */
+ if (rc == 0) {
+ if (accept_fd == SOCKET_ERROR) {
+ printf("socketWrite: Error, connection not open, fd %d\n",
+ accept_fd);
+ rc = ERROR_CODE;
+ }
+ }
+ while ((rc == 0) && (buffer_length > 0)) {
+ nwritten = send(accept_fd, buffer, buffer_length, 0);
+ if ((nwritten == SOCKET_ERROR) ||
+ (nwritten < 0)) {
+ printf("socketWrite: Error, send()\n");
+ TPM_HandleWsaError("socketWrite:"); /* report the error */
+ socketDisconnect(accept_fd);
+ rc = ERROR_CODE;
+ }
+ else {
+ buffer_length -= nwritten;
+ buffer += nwritten;
+ }
+ }
+ /* if the MS simulator packet format */
+ if (serverType == SERVER_TYPE_MSSIM) {
+ /* append the trailing acknowledgement */
+ if (rc == 0) {
+ uint32_t acknowledgement = 0;
+ send(accept_fd, (const char *)&acknowledgement, sizeof(uint32_t), 0);
+ }
+ }
+ return rc;
+}
+
+/* socketDisconnect() breaks the connection between the TPM server and the host client
+
+ This is the Windows platform dependent socket version.
+*/
+
+TSS_RESULT socketDisconnect(SOCKET accept_fd)
+{
+ TSS_RESULT rc = 0;
+ int irc;
+
+ /* close the connection to the client */
+ if (verbose) printf("Closing socket\n");
+ if (rc == 0) {
+ irc = closesocket(accept_fd);
+ accept_fd = SOCKET_ERROR; /* mark the connection closed */
+ if (irc == SOCKET_ERROR) {
+ printf("socketDisconnect: Error, closesocket()\n");
+ rc = ERROR_CODE;
+ }
+ }
+ return rc;
+}
+
+void TPM_HandleWsaStartupError(const char *prefix,
+ int irc)
+{
+ const char *error_string;
+
+ TPM_GetWsaStartupError(irc, &error_string);
+ printf("%s %s\n", prefix, error_string);
+ return;
+}
+
+void TPM_HandleWsaError(const char *prefix)
+{
+ const char *error_string;
+
+ TPM_GetWsaError(&error_string);
+ printf("%s %s\n", prefix, error_string);
+ return;
+}
+
+void TPM_GetWsaStartupError(int status,
+ const char **error_string)
+{
+ /* convert WSAStartup status to more useful text. Copy the text to error_string */
+
+ switch(status) {
+ case WSASYSNOTREADY:
+ *error_string = "WSAStartup error: WSASYSNOTREADY underlying network subsystem not ready for "
+ "network communication";
+ break;
+ case WSAVERNOTSUPPORTED:
+ *error_string = "WSAStartup error: WSAVERNOTSUPPORTED version requested not provided by WinSock "
+ "implementation";
+ break;
+ case WSAEINPROGRESS:
+ *error_string = "WSAStartup error: WSAEINPROGRESS blocking WinSock 1.1 operation in progress";
+ break;
+ case WSAEPROCLIM:
+ *error_string = "WSAStartup error: WSAEPROCLIM Limit on number of tasks supported by WinSock "
+ "implementation has been reached";
+ break;
+ case WSAEFAULT:
+ *error_string = "WSAStartup error: WSAEFAULT lpWSAData is not a valid pointer";
+ break;
+ default:
+ *error_string = "WSAStartup error: return code unknown";
+ break;
+ }
+ return;
+}
+
+void TPM_GetWsaError(const char **error_string)
+{
+ /* Use WSAGetLastError, and convert the resulting number
+ to more useful text. Copy the text to error_string */
+
+ int error;
+
+ error = WSAGetLastError();
+ switch(error) {
+
+ case WSANOTINITIALISED :
+ *error_string = "A successful WSAStartup must occur before using this function";
+ break;
+ case WSAENETDOWN :
+ *error_string = "The network subsystem or the associated service provider has failed";
+ break;
+ case WSAEAFNOSUPPORT :
+ *error_string = "The specified address family is not supported";
+ break;
+ case WSAEINPROGRESS :
+ *error_string = "A blocking Windows Sockets 1.1 call is in progress, "
+ "or the service provider is still processing a callback function";
+ break;
+ case WSAEMFILE:
+ *error_string = "No more socket descriptors are available";
+ break;
+ case WSAENOBUFS:
+ *error_string = "No buffer space is available";
+ break;
+ case WSAEPROTONOSUPPORT:
+ *error_string = "The specified protocol is not supported";
+ break;
+ case WSAEPROTOTYPE:
+ *error_string = "The specified protocol is the wrong type for this socket";
+ break;
+ case WSAESOCKTNOSUPPORT :
+ *error_string = "The specified socket type is not supported in this address family";
+ break;
+ case WSAEFAULT:
+ *error_string = "A parameter is too small, bad format, or bad value";
+ break;
+ case WSAEINVAL:
+ *error_string = "The socket has not been bound with bind, or listen not called";
+ break;
+ case WSAENETRESET:
+ *error_string = "The connection has been broken due to the remote host resetting";
+ break;
+ case WSAENOPROTOOPT:
+ *error_string = "The option is unknown or unsupported for the specified provider";
+ break;
+ case WSAENOTCONN:
+ *error_string = "Connection has been reset when SO_KEEPALIVE is set";
+ break;
+ case WSAENOTSOCK:
+ *error_string = "The descriptor is not a socket";
+ break;
+ case WSAEADDRINUSE:
+ *error_string = "The specified address is already in use";
+ break;
+ case WSAEISCONN:
+ *error_string = "The socket is already connected";
+ break;
+ case WSAEOPNOTSUPP:
+ *error_string = "The referenced socket is not of a type that supports the operation";
+ break;
+ case WSAEINTR:
+ *error_string = "The (blocking) call was canceled through WSACancelBlockingCall";
+ case WSAEWOULDBLOCK:
+ *error_string = "The socket is marked as nonblocking and no connections are present to be accepted";
+ break;
+ case WSAESHUTDOWN:
+ *error_string = "The socket has been shut down; it is not possible to recv or send on a socket "
+ "after shutdown has been invoked with how set to SD_RECEIVE or SD_BOTH";
+ break;
+ case WSAEMSGSIZE:
+ *error_string = "The message was too large to fit into the specified buffer and was truncated";
+ break;
+ case WSAECONNABORTED:
+ *error_string = "The virtual circuit was terminated due to a time-out or other failure. "
+ "The application should close the socket as it is no longer usable";
+ break;
+ case WSAETIMEDOUT:
+ *error_string = "The connection has been dropped because of a network failure or because "
+ "the peer system failed to respond";
+ break;
+ case WSAECONNRESET:
+ *error_string = "The virtual circuit was reset by the remote side executing a hard or abortive close. "
+ "The application should close the socket as it is no longer usable. On a UDP datagram "
+ "socket this error would indicate that a previous send operation resulted in an ICMP "
+ "Port Unreachable message";
+ break;
+ case WSAEACCES:
+ *error_string = "The requested address is a broadcast address, but the appropriate flag was not set";
+ break;
+ case WSAEHOSTUNREACH:
+ *error_string = "The remote host cannot be reached from this host at this time";
+ break;
+
+ default:
+ *error_string = "unknown error type\n";
+ break;
+ }
+ return;
+}
+
+void TPM_GetTBSError(const char *prefix,
+ TBS_RESULT rc)
+{
+ const char *error_string;
+
+ switch (rc) {
+
+ /* error codes from the TBS html docs */
+ case TBS_SUCCESS:
+ error_string = "The function succeeded.";
+ break;
+ case TBS_E_INTERNAL_ERROR:
+ error_string = "An internal software error occurred.";
+ break;
+ case TBS_E_BAD_PARAMETER:
+ error_string = "One or more parameter values are not valid.";
+ break;
+ case TBS_E_INVALID_OUTPUT_POINTER:
+ error_string = "A specified output pointer is bad.";
+ break;
+ case TBS_E_INVALID_CONTEXT:
+ error_string = "The specified context handle does not refer to a valid context.";
+ break;
+ case TBS_E_INSUFFICIENT_BUFFER:
+ error_string = "The specified output buffer is too small.";
+ break;
+ case TBS_E_IOERROR:
+ error_string = "An error occurred while communicating with the TPM.";
+ break;
+ case TBS_E_INVALID_CONTEXT_PARAM:
+ error_string = "A context parameter that is not valid was passed when attempting to create a "
+ "TBS context.";
+ break;
+ case TBS_E_SERVICE_NOT_RUNNING:
+ error_string = "The TBS service is not running and could not be started.";
+ break;
+ case TBS_E_TOO_MANY_TBS_CONTEXTS:
+ error_string = "A new context could not be created because there are too many open contexts.";
+ break;
+ case TBS_E_TOO_MANY_RESOURCES:
+ error_string = "A new virtual resource could not be created because there are too many open "
+ "virtual resources.";
+ break;
+ case TBS_E_SERVICE_START_PENDING:
+ error_string = "The TBS service has been started but is not yet running.";
+ break;
+ case TBS_E_PPI_NOT_SUPPORTED:
+ error_string = "The physical presence interface is not supported.";
+ break;
+ case TBS_E_COMMAND_CANCELED:
+ error_string = "The command was canceled.";
+ break;
+ case TBS_E_BUFFER_TOO_LARGE:
+ error_string = "The input or output buffer is too large.";
+ break;
+ case TBS_E_TPM_NOT_FOUND:
+ error_string = "A compatible Trusted Platform Module (TPM) Security Device cannot be found "
+ "on this computer.";
+ break;
+ case TBS_E_SERVICE_DISABLED:
+ error_string = "The TBS service has been disabled.";
+ break;
+ case TBS_E_NO_EVENT_LOG:
+ error_string = "The TBS event log is not available.";
+ break;
+ case TBS_E_ACCESS_DENIED:
+ error_string = "The caller does not have the appropriate rights to perform the requested operation.";
+ break;
+ case TBS_E_PROVISIONING_NOT_ALLOWED:
+ error_string = "The TPM provisioning action is not allowed by the specified flags.";
+ break;
+ case TBS_E_PPI_FUNCTION_UNSUPPORTED:
+ error_string = "The Physical Presence Interface of this firmware does not support the "
+ "requested method.";
+ break;
+ case TBS_E_OWNERAUTH_NOT_FOUND:
+ error_string = "The requested TPM OwnerAuth value was not found.";
+ break;
+
+ /* a few error codes from WinError.h */
+ case TPM_E_COMMAND_BLOCKED:
+ error_string = "The command was blocked.";
+ break;
+
+ default:
+ error_string = "unknown error type\n";
+ break;
+
+
+ }
+ printf("%s %s\n", prefix, error_string);
+ return;
+}
+
+void CheckTPMError(const char *prefix,
+ unsigned char *response)
+{
+ const char *error_string;
+ uint32_t tpmError = htonl(*(uint32_t *)(response+6));
+
+ if (tpmError != 0) {
+
+ switch (tpmError) {
+ /* a few error codes from WinError.h */
+ case TPM_E_COMMAND_BLOCKED:
+ error_string = "The command was blocked.";
+ break;
+ default:
+ error_string = "unknown error type\n";
+ printf("TPM error %08x\n", tpmError);
+ break;
+ }
+ printf("%s %s\n", prefix, error_string);
+ }
+ return;
+}
+
+/* logging, tracing */
+
+void logAll(const char *message, unsigned long length, const unsigned char* buff)
+{
+ unsigned long i;
+ size_t nextChar = 0;
+ FILE *logFile; /* trace log file descriptor */
+
+ /* construct the log message, keep appending to the character string */
+ if (buff != NULL) {
+ nextChar += sprintf(logMsg + nextChar, "%s length %lu\n ", message, length);
+ for (i = 0 ; i < length ; i++) {
+ if (i && !( i % 16 )) {
+ nextChar += sprintf(logMsg + nextChar, "\n ");
+ }
+ nextChar += sprintf(logMsg + nextChar, "%.2X ",buff[i]);
+ }
+ nextChar += sprintf(logMsg + nextChar, "\n");
+ }
+ else {
+ nextChar += sprintf(logMsg + nextChar, "%s null\n", message);
+ }
+ if (verbose) printf("%s", logMsg);
+ if (logFilename != NULL) {
+ /* Open the log file if specified. It's a hack to keep opening and closing the file for
+ each append, but it's easier that trying to catch a signal to close the file. Windows
+ evidently doesn't automatically close the file when the program exits. */
+ logFile = fopen(logFilename, "a");
+ if (logFile == NULL) {
+ printf("Error, opening %s for write failed, %s\n",
+ logFilename, strerror(errno));
+ }
+ /* if success, print and close */
+ else {
+ fprintf(logFile, "%s", logMsg);
+ fclose(logFile);
+ }
+ }
+ return;
+}
+
+/* parse the command line arguments */
+
+long getArgs(short *port,
+ int *verbose,
+ char **logFilename,
+ int argc,
+ char **argv)
+{
+ long rc = 0;
+ int irc;
+ int i;
+ FILE *logFile; /* trace log file descriptor */
+
+ /* get the command line arguments */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if ((strcmp(argv[i],"-p") == 0) ||
+ (strcmp(argv[i],"--port") == 0)) {
+ i++;
+ if (i < argc) {
+ irc = sscanf(argv[i], "%hu", port);
+ if (irc != 1) {
+ printf("-p --port (socket port) illegal value %s\n", argv[i]);
+ rc = ERROR_CODE;
+ }
+ } else {
+ printf("-p --port (socket port) needs a value\n");
+ rc = ERROR_CODE;
+ }
+ }
+ else if (strcmp(argv[i],"-raw") == 0) {
+ serverType = SERVER_TYPE_RAW;
+ }
+ else if (strcmp(argv[i],"-mssim") == 0) {
+ serverType = SERVER_TYPE_MSSIM;
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ rc = ERROR_CODE;
+ }
+ else if ((strcmp(argv[i],"-v") == 0) ||
+ (strcmp(argv[i],"--verbose") == 0)) {
+ *verbose = TRUE;
+ }
+ else if ((strcmp(argv[i],"-l") == 0) ||
+ (strcmp(argv[i],"--log") == 0)) {
+ i++;
+ if (i < argc) {
+ if (strlen(argv[i]) < FILENAME_MAX) {
+ *logFilename = argv[i];
+ }
+ else {
+ printf("-l --log (log file name) too long\n");
+ rc = ERROR_CODE;
+ }
+ }
+ else {
+ printf("-l --log option (log file name) needs a value\n");
+ rc = ERROR_CODE;
+ }
+ }
+ else {
+ printf("\n%s is not a valid option\n",argv[i]);
+ printUsage();
+ rc = ERROR_CODE;
+ }
+ }
+ /* erase old contents of log file */
+ if ((rc == 0) && (*logFilename != NULL)) {
+ logFile = fopen(*logFilename, "w");
+ if (logFile == NULL) {
+ printf("Cannot open log file %s\n", *logFilename);
+ rc = ERROR_CODE;
+ }
+ else {
+ fclose(logFile);
+ }
+ }
+ return rc;
+}
+
+void printUsage()
+{
+ printf("\n");
+ printf("tpmproxy\n");
+ printf("\n");
+ printf("Pass through connecting a TCPIP port to a hardware TPM\n");
+ printf("\n");
+ printf("\t--port,-p <n> TCPIP server port (default 2321)\n");
+ printf("\t-mssim use MS TPM 2.0 socket simulator packet format (default)\n");
+ printf("\t\twith TSS env variable TPM_SERVER_TYPE=mssim (default)\n");
+ printf("\t-raw use TPM 2.0 packet format\n");
+ printf("\t\twith TSS env variable TPM_SERVER_TYPE=raw\n");
+ printf("\t--verbose,-v verbose mode (default false)\n");
+ printf("\t--log,-l log transactions into given file (default none)\n");
+ printf("\t \n");
+ return;
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/tpmpublic2eccpoint.c b/libstb/tss2/ibmtpm20tss/utils/tpmpublic2eccpoint.c
new file mode 100644
index 0000000..6c310da
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tpmpublic2eccpoint.c
@@ -0,0 +1,155 @@
+/********************************************************************************/
+/* */
+/* TPM public key TPM2B_PUBLIC to TPM2B_ECC_POINT */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2017 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tssmarshal.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ const char *publicKeyFilename = NULL;
+ const char *pointFilename = NULL;
+ TPM2B_PUBLIC public;
+ TPM2B_ECC_POINT eccPoint2b;
+
+ tssUtilsVerbose = FALSE;
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ipu") == 0) {
+ i++;
+ if (i < argc) {
+ publicKeyFilename = argv[i];
+ }
+ else {
+ printf("-ipu option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pt") == 0) {
+ i++;
+ if (i < argc) {
+ pointFilename = argv[i];
+ }
+ else {
+ printf("-pt option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (publicKeyFilename == NULL) {
+ printf("Missing public key parameter -ipu\n");
+ printUsage();
+ }
+ if (pointFilename == NULL) {
+ printf("Missing point file name parameter -pt\n");
+ printUsage();
+ }
+ /* read the TPM public key to a structure */
+ if (rc == 0) {
+ rc = TSS_File_ReadStructureFlag(&public,
+ (UnmarshalFunctionFlag_t)TSS_TPM2B_PUBLIC_Unmarshalu,
+ TRUE, /* NULL permitted */
+ publicKeyFilename);
+ }
+ if (rc == 0) {
+ if (public.publicArea.type != TPM_ALG_ECC) {
+ printf("Public key parameter -ipu type %04x is not TPM_ALG_ECC\n",
+ public.publicArea.type);
+ printUsage();
+ }
+ }
+ if (rc == 0) {
+ /* copy the TPMS_ECC_POINT */
+ eccPoint2b.point = public.publicArea.unique.ecc;
+ /* TSS_TPM2B_ECC_POINT_Marshal() fills in the redundant TPM2B_ECC_POINT size */
+ rc = TSS_File_WriteStructure(&eccPoint2b,
+ (MarshalFunction_t)TSS_TPM2B_ECC_POINT_Marshalu,
+ pointFilename);
+
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("tpmpublic2eccpoint: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("tpmpublic2eccpoint: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("tpmpublic2eccpoint\n");
+ printf("\n");
+ printf("Converts an EC TPM2B_PUBLIC to TPM2B_ECC_POINT. The intended use case\n");
+ printf("is to convert the public key output of certain commands (TPM2_CreatePrimary,\n");
+ printf("TPM2_Create, TPM2_CreateLoaded, TPM2_ReadPublic) to a format useful for\n");
+ printf("TPM2_ZGen_2Phase.\n");
+ printf("\n");
+ printf("\t-ipu\tEC public key input file in TPM TPM2B_PUBLIC format\n");
+ printf("\t-pt\tEC public key output file in TPM TPM2B_ECC_POINT format\n");
+ exit(1);
+}
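Review bot: printUsage() terminates the process with exit(1) at the bottom of this file, but neither its prototype near the top nor the call sites in main() say so, and main()'s control flow depends on it: the missing-value branches for `-ipu` and `-pt`, the two "Missing ... parameter" checks and the non-ECC type check all leave rc at 0 and only avoid reaching TSS_File_ReadStructureFlag()/TSS_File_WriteStructure() with a NULL filename because printUsage() never returns. A later edit that makes printUsage() return (common when the usage text is also wanted from a non-fatal path) would silently turn those into NULL-pointer calls. Suggest documenting the contract on the prototype, `static void printUsage(void); /* prints usage and exit(1)s, never returns */`, or marking it `_Noreturn` (C11) so the compiler enforces it.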
diff --git a/libstb/tss2/ibmtpm20tss/utils/tss.c b/libstb/tss2/ibmtpm20tss/utils/tss.c
new file mode 100644
index 0000000..b3d6745
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tss.c
@@ -0,0 +1,282 @@
+/********************************************************************************/
+/* */
+/* TSS Primary API */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <errno.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <ibmtss/tss.h>
+#include "tssproperties.h"
+#include <ibmtss/tsstransmit.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+#ifndef TPM_TSS_NOCRYPTO
+#include <ibmtss/tsscrypto.h>
+#include <ibmtss/tsscryptoh.h>
+#endif
+#include <ibmtss/tssprintcmd.h>
+#ifdef TPM_TPM20
+#include "tss20.h"
+#endif
+#ifdef TPM_TPM12
+#include "tss12.h"
+#endif
+
+/* local prototypes */
+
+static TPM_RC TSS_Context_Init(TSS_CONTEXT *tssContext);
+
+extern int tssVerbose;
+extern int tssVverbose;
+extern int tssFirstCall;
+
+/* TSS_Create() creates and initializes the TSS Context. It does NOT open a connection to the
+ TPM.*/
+
+TPM_RC TSS_Create(TSS_CONTEXT **tssContext)
+{
+ TPM_RC rc = 0;
+
+ /* allocate the high level TSS structure */
+ if (rc == 0) {
+ /* set to NULL for backward compatibility, caller may not have set tssContext to NULL before
+ the call */
+ *tssContext = NULL;
+ rc = TSS_Malloc((unsigned char **)tssContext, sizeof(TSS_CONTEXT));
+ }
+ /* initialize the high level TSS structure */
+ if (rc == 0) {
+ rc = TSS_Context_Init(*tssContext);
+ /* the likely cause of a failure is a bad environment variable */
+ if (rc != 0) {
+ if (tssVerbose) printf("TSS_Create: TSS_Context_Init() failed\n");
+ free(*tssContext);
+ *tssContext = NULL;
+ }
+ }
+ /* allocate and initialize the lower layer TSS context */
+ if (rc == 0) {
+ rc = TSS_AuthCreate(&((*tssContext)->tssAuthContext));
+ }
+ return rc;
+}
+
+/* TSS_Context_Init() on first call is used for any global library initialization.
+
+ On every call, it initializes the TSS context.
+*/
+
+static TPM_RC TSS_Context_Init(TSS_CONTEXT *tssContext)
+{
+ TPM_RC rc = 0;
+#ifndef TPM_TSS_NOCRYPTO
+#ifndef TPM_TSS_NOFILE
+ size_t tssSessionEncKeySize;
+ size_t tssSessionDecKeySize;
+#endif
+#endif
+ /* at the first call to the TSS, initialize global variables */
+ if (tssFirstCall) { /* tssFirstCall is a library global */
+#ifndef TPM_TSS_NOCRYPTO
+ /* crypto module initializations, crypto library specific */
+ if (rc == 0) {
+ rc = TSS_Crypto_Init();
+ }
+#endif
+ /* TSS properties that are global, not per TSS context */
+ if (rc == 0) {
+ rc = TSS_GlobalProperties_Init();
+ }
+ tssFirstCall = FALSE;
+ }
+ /* TSS properties that are per context */
+ if (rc == 0) {
+ rc = TSS_Properties_Init(tssContext);
+ }
+#ifndef TPM_TSS_NOCRYPTO
+#ifndef TPM_TSS_NOFILE
+ /* crypto library dependent code to allocate the session state encryption and decryption keys.
+ They are probably always the same size, but it's safer not to assume that. */
+ if (rc == 0) {
+ rc = TSS_AES_GetEncKeySize(&tssSessionEncKeySize);
+ }
+ if (rc == 0) {
+ rc = TSS_AES_GetDecKeySize(&tssSessionDecKeySize);
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc((uint8_t **)&tssContext->tssSessionEncKey, tssSessionEncKeySize);
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc((uint8_t **)&tssContext->tssSessionDecKey, tssSessionDecKeySize);
+ }
+ /* build the session encryption and decryption keys */
+ if (rc == 0) {
+ rc = TSS_AES_KeyGenerate(tssContext->tssSessionEncKey,
+ tssContext->tssSessionDecKey);
+ }
+#endif
+#endif
+ return rc;
+}
+
+/* TSS_Delete() closes an open TPM connection, then free the TSS context memory.
+ */
+
+TPM_RC TSS_Delete(TSS_CONTEXT *tssContext)
+{
+ TPM_RC rc = 0;
+
+ if (tssContext != NULL) {
+ TSS_AuthDelete(tssContext->tssAuthContext);
+#ifdef TPM_TSS_NOFILE
+ {
+ size_t i;
+ for (i = 0 ; i < (sizeof(tssContext->sessions) / sizeof(TSS_SESSIONS)) ; i++) {
+ tssContext->sessions[i].sessionHandle = TPM_RH_NULL;
+ /* erase any secrets */
+ memset(tssContext->sessions[i].sessionData,
+ 0, tssContext->sessions[i].sessionDataLength);
+ free(tssContext->sessions[i].sessionData);
+ tssContext->sessions[i].sessionData = NULL;
+ tssContext->sessions[i].sessionDataLength = 0;
+ }
+ }
+#endif
+#ifndef TPM_TSS_NOCRYPTO
+#ifndef TPM_TSS_NOFILE
+ free(tssContext->tssSessionEncKey);
+ free(tssContext->tssSessionDecKey);
+#endif
+#endif
+ rc = TSS_Close(tssContext);
+ free(tssContext);
+ }
+ return rc;
+}
+
+/* TSS_Execute() performs the complete command / response process.
+
+ It sends the command specified by commandCode and the parameters 'in', returning the response
+ parameters 'out'.
+
+ ... varargs are
+
+ TPMI_SH_AUTH_SESSION sessionHandle,
+ const char *password,
+ unsigned int sessionAttributes
+
+ Terminates with TPM_RH_NULL, NULL, 0
+
+ Processes up to MAX_SESSION_NUM sessions.
+*/
+
+TPM_RC TSS_Execute(TSS_CONTEXT *tssContext,
+ RESPONSE_PARAMETERS *out,
+ COMMAND_PARAMETERS *in,
+ EXTRA_PARAMETERS *extra,
+ TPM_CC commandCode,
+ ...)
+{
+ TPM_RC rc = 0;
+ va_list ap;
+ int tpm20Command;
+ int tpm12Command;
+
+ if (rc == 0) {
+ tpm20Command = (((commandCode >= TPM_CC_FIRST) && (commandCode <=TPM_CC_LAST)) || /* base */
+ ((commandCode >= 0x20000000) && (commandCode <= 0x2000ffff))); /* vendor */
+ tpm12Command = ((commandCode <= 0x000000ff) || /* base */
+ ((commandCode >= 0x40000000) && (commandCode <= 0x4000ffff))); /* TSC */
+ if (!tpm20Command && !tpm12Command) {
+ if (tssVerbose) printf("TSS_Execute: commandCode %08x unsupported\n",
+ commandCode);
+ rc = TSS_RC_COMMAND_UNIMPLEMENTED;
+
+ }
+ if (tpm20Command && tpm12Command) {
+ if (tssVerbose) printf("TSS_Execute: commandCode %08x is both TPM 1.2 and TPM 2.0\n",
+ commandCode);
+ rc = TSS_RC_FAIL;
+ }
+ }
+ if (rc == 0) {
+ va_start(ap, commandCode);
+ if (tpm20Command) {
+#ifdef TPM_TPM20
+ tssContext->tpm12Command = FALSE;
+ rc = TSS_Execute20(tssContext,
+ out,
+ in,
+ (EXTRA_PARAMETERS *)extra,
+ commandCode,
+ ap);
+#else
+ if (tssVerbose) printf("TSS_Execute: commandCode is TPM 1.2, TSS is TPM 2.0 only\n");
+ rc = TSS_RC_COMMAND_UNIMPLEMENTED;
+#endif
+ }
+ if (tpm12Command) {
+#ifdef TPM_TPM12
+ tssContext->tpm12Command = TRUE;
+ rc = TSS_Execute12(tssContext,
+ out,
+ in,
+ (EXTRA12_PARAMETERS *)extra,
+ commandCode,
+ ap);
+#else
+ if (tssVerbose) printf("TSS_Execute: commandCode is TPM 2.0, TSS is TPM 1.2 only\n");
+ rc = TSS_RC_COMMAND_UNIMPLEMENTED;
+#endif
+ }
+ va_end(ap);
+ }
+ return rc;
+}
+
+
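Review bot: TSS_Create() leaks on its last error path: when TSS_AuthCreate() fails, the TSS_CONTEXT allocated above and the session keys allocated by TSS_Context_Init() are never released, and TSS_Context_Init() itself releases nothing when TSS_AES_GetDecKeySize(), the second TSS_Malloc() or TSS_AES_KeyGenerate() fails after tssSessionEncKey was allocated, so the free(*tssContext) in the TSS_Context_Init() failure branch drops those keys too. The rewrite below frees the keys and the context when TSS_AuthCreate() fails and adds a cleanup tail to TSS_Context_Init(); it NULLs both key pointers before the allocations because the hunk does not show whether TSS_Properties_Init() or a failed TSS_Malloc() leaves them NULL. A related point in TSS_Delete(): tssSessionEncKey and tssSessionDecKey are freed without being erased, whereas the TPM_TSS_NOFILE branch memsets sessionData before freeing it; since these keys protect session state that is written out, they deserve the same treatment, bearing in mind that a plain memset immediately before free() can be dropped by the optimizer, so a volatile-based or explicit_bzero()-style erase is preferable where available. The key sizes are locals of TSS_Context_Init(), so erasing in TSS_Delete() needs them re-queried via TSS_AES_GetEncKeySize()/TSS_AES_GetDecKeySize() or kept in the context.
```c
    /* allocate and initialize the lower layer TSS context */
    if (rc == 0) {
        rc = TSS_AuthCreate(&((*tssContext)->tssAuthContext));
        if (rc != 0) {
            if (tssVerbose) printf("TSS_Create: TSS_AuthCreate() failed\n");
#ifndef TPM_TSS_NOCRYPTO
#ifndef TPM_TSS_NOFILE
            free((*tssContext)->tssSessionEncKey);
            free((*tssContext)->tssSessionDecKey);
#endif
#endif
            free(*tssContext);
            *tssContext = NULL;
        }
    }
    return rc;

/* … unchanged: TSS_Context_Init() first-call global init and TSS_Properties_Init() … */
#ifndef TPM_TSS_NOCRYPTO
#ifndef TPM_TSS_NOFILE
    /* start from known-NULL pointers so the cleanup below is safe whichever step failed */
    tssContext->tssSessionEncKey = NULL;
    tssContext->tssSessionDecKey = NULL;
    /* … unchanged: key size queries, TSS_Malloc() of both keys, TSS_AES_KeyGenerate() … */
    /* on any failure, release what was allocated so the caller's free(*tssContext)
       does not leak the session keys */
    if (rc != 0) {
        free(tssContext->tssSessionEncKey);
        tssContext->tssSessionEncKey = NULL;
        free(tssContext->tssSessionDecKey);
        tssContext->tssSessionDecKey = NULL;
    }
#endif
#endif
    return rc;
```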
diff --git a/libstb/tss2/ibmtpm20tss/utils/tss12.c b/libstb/tss2/ibmtpm20tss/utils/tss12.c
new file mode 100644
index 0000000..6231933
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tss12.c
@@ -0,0 +1,1423 @@
+/********************************************************************************/
+/* */
+/* TSS Primary API for TPM 1.2 */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <errno.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include "tssauth.h"
+#include <ibmtss/tss.h>
+#include "tssproperties.h"
+#include <ibmtss/tsstransmit.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tsscrypto.h>
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tssprintcmd.h>
+#include <ibmtss/tpmconstants12.h>
+#include "tss12.h"
+#include "tssauth12.h"
+
+/* Files:
+
+ hxxxxxxxx.bin - session context
+*/
+
+/* NOTE Synchronize with
+
+ TSS_HmacSession12_InitContext
+ TSS_HmacSession12_Unmarshal
+ TSS_HmacSession12_Marshal
+*/
+
+typedef struct TSS_HMAC12_CONTEXT {
+ TPM_AUTHHANDLE authHandle; /* the authorization session handle */
+ TPM_NONCE nonceEven; /* from the TPM in response */
+ TPM_NONCE nonceEvenOSAP; /* from the TPM for OSAP in response */
+ TPMT_HA sharedSecret; /* from KDF at OSAP session creation */
+ /* uint16 */
+ /* LSB is type of entityValue */
+ /* MSB is ADIP encryption scheme */
+ TPM_ENTITY_TYPE entityType; /* The type of entity in use */
+ UINT32 entityValue; /* The selection value based on entityType,
+ e.g. a keyHandle #, TPM_RH_NULL for OIAP
+ session */
+ /* Items below this line are for the lifetime of one command. They are not saved and loaded. */
+ TPM_NONCE nonceOdd; /* from the TSS in command */
+ TPM_NONCE nonceOddOSAP; /* from the TSS for OSAP in command */
+ /* for TPM 1.2, OIAP SHA-1 of password, OSAP sharedSecret */
+ TPMT_HA hmacKey;
+} TSS_HMAC12_CONTEXT;
+
+
+/* functions for command pre- and post- processing */
+
+typedef TPM_RC (*TSS_PreProcessFunction_t)(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ EXTRA12_PARAMETERS *extra);
+typedef TPM_RC (*TSS_ChangeAuthFunction_t)(TSS_CONTEXT *tssContext,
+ TSS_HMAC12_CONTEXT *session,
+ size_t handleNumber,
+ COMMAND_PARAMETERS *in);
+typedef TPM_RC (*TSS_PostProcessFunction_t)(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ RESPONSE_PARAMETERS *out,
+ EXTRA12_PARAMETERS *extra);
+
+static TPM_RC TSS_PR_CreateWrapKey(TSS_CONTEXT *tssContext,
+ CreateWrapKey_In *in,
+ void *extra);
+static TPM_RC TSS_PR_MakeIdentity(TSS_CONTEXT *tssContext,
+ MakeIdentity_In *in,
+ void *extra);
+static TPM_RC TSS_PR_NV_DefineSpace(TSS_CONTEXT *tssContext,
+ NV_DefineSpace_In *in,
+ void *extra);
+#if 0
+static TPM_RC TSS_PR_Seal(TSS_CONTEXT *tssContext,
+ Seal_in *In,
+ void *extra);
+static TPM_RC TSS_PR_Sealx(TSS_CONTEXT *tssContext,
+ Sealx_in *In,
+ void *extra);
+
+#endif
+static TPM_RC TSS_PO_FlushSpecific(TSS_CONTEXT *tssContext,
+ FlushSpecific_In *in,
+ void *out,
+ void *extra);
+static TPM_RC TSS_PR_OSAP(TSS_CONTEXT *tssContext,
+ OSAP_In *in,
+ OSAP_Extra *extra);
+static TPM_RC TSS_PO_OIAP(TSS_CONTEXT *tssContext,
+ void *in,
+ OIAP_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_OSAP(TSS_CONTEXT *tssContext,
+ OSAP_In *in,
+ OSAP_Out *out,
+ OSAP_Extra *extra);
+
+typedef struct TSS_TABLE {
+ TPM_CC commandCode;
+ TSS_PreProcessFunction_t preProcessFunction;
+ TSS_ChangeAuthFunction_t changeAuthFunction;
+ TSS_PostProcessFunction_t postProcessFunction;
+} TSS_TABLE;
+
+/* FIXME offsets
+ changeauth +16, createownerdel, createkeydel -45
+ createwrapkey +14, +34
+ cmkcreatekey, changeauthowner +14
+ changeauth 16
+*/
+
+/* session handles numbers
+ #0 of 1 seal, sealx, createwrapkey, cmk_create, changeauthowner, del_ckd, del_cod, nv_define, createctr
+ #1 of 2 changeauth
+*/
+
+
+static const TSS_TABLE tssTable [] = {
+
+ {TPM_ORD_Init, NULL, NULL, NULL},
+ {TPM_ORD_ActivateIdentity, NULL, NULL, NULL},
+ {TPM_ORD_ContinueSelfTest, NULL, NULL, NULL},
+ {TPM_ORD_CreateWrapKey, (TSS_PreProcessFunction_t)TSS_PR_CreateWrapKey, NULL, NULL},
+ {TPM_ORD_CreateEndorsementKeyPair, NULL, NULL, NULL},
+ {TPM_ORD_Extend, NULL, NULL, NULL},
+ {TPM_ORD_FlushSpecific, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_FlushSpecific},
+ {TPM_ORD_GetCapability, NULL, NULL, NULL},
+ {TPM_ORD_MakeIdentity, (TSS_PreProcessFunction_t)TSS_PR_MakeIdentity, NULL, NULL},
+ {TPM_ORD_OIAP, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_OIAP},
+ {TPM_ORD_OSAP, (TSS_PreProcessFunction_t)TSS_PR_OSAP, NULL, (TSS_PostProcessFunction_t)TSS_PO_OSAP},
+ {TPM_ORD_OwnerReadInternalPub, NULL, NULL, NULL},
+ {TPM_ORD_NV_DefineSpace, (TSS_PreProcessFunction_t)TSS_PR_NV_DefineSpace, NULL, NULL},
+ {TPM_ORD_NV_ReadValue, NULL, NULL, NULL},
+ {TPM_ORD_NV_ReadValueAuth, NULL, NULL, NULL},
+ {TPM_ORD_NV_WriteValue, NULL, NULL, NULL},
+ {TPM_ORD_NV_WriteValueAuth, NULL, NULL, NULL},
+ {TPM_ORD_PcrRead, NULL, NULL, NULL},
+ {TPM_ORD_PCR_Reset, NULL, NULL, NULL},
+#if 0
+ {TPM_ORD_Seal, (TSS_PreProcessFunction_t)TSS_PR_Seal, NULL, NULL},
+ {TPM_ORD_Sealx, (TSS_PreProcessFunction_t)TSS_PR_Sealx, NULL, NULL},
+#endif
+ {TPM_ORD_Startup, NULL, NULL, NULL},
+};
+
+/* local prototypes */
+
+
+static TPM_RC TSS_Execute12_valist(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ va_list ap);
+
+static TPM_RC TSS_Command_PreProcessor(TSS_CONTEXT *tssContext,
+ TPM_CC commandCode,
+ COMMAND_PARAMETERS *in,
+ EXTRA12_PARAMETERS *extra);
+static TPM_RC TSS_Response_PostProcessor(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ RESPONSE_PARAMETERS *out,
+ EXTRA12_PARAMETERS *extra);
+
+static TPM_RC TSS_HmacSession12_GetContext(TSS_HMAC12_CONTEXT **session);
+static void TSS_HmacSession12_InitContext(TSS_HMAC12_CONTEXT *session);
+static void TSS_HmacSession12_FreeContext(TSS_HMAC12_CONTEXT *session);
+static TPM_RC TSS_HmacSession12_SaveSession(TSS_CONTEXT *tssContext,
+ TSS_HMAC12_CONTEXT *session);
+static TPM_RC TSS_HmacSession12_LoadSession(TSS_CONTEXT *tssContext,
+ TSS_HMAC12_CONTEXT *session,
+ TPM_AUTHHANDLE authHandle);
+static TPM_RC TSS_HmacSession12_Marshal(TSS_HMAC12_CONTEXT *source,
+ uint16_t *written,
+ uint8_t **buffer,
+ uint32_t *size);
+static TPM_RC TSS_HmacSession12_DeleteSession(TSS_CONTEXT *tssContext,
+ TPM_AUTHHANDLE handle);
+static TPM_RC TSS_HmacSession12_Unmarshal(TSS_HMAC12_CONTEXT *target,
+ uint8_t **buffer, uint32_t *size);
+static TPM_RC TSS_HmacSession12_SetHMAC(TSS_AUTH_CONTEXT *tssAuthContext,
+ size_t numSessions,
+ TSS_HMAC12_CONTEXT *session[],
+ TPMS_AUTH12_COMMAND *authCommand[],
+ TPM_AUTHHANDLE sessionHandle[],
+ unsigned int sessionAttributes[]);
+static TPM_RC TSS_HmacSession12_Verify(TSS_AUTH_CONTEXT *tssAuthContext,
+ size_t numSessions,
+ TSS_HMAC12_CONTEXT *session[],
+ TPMS_AUTH12_RESPONSE *authResponse[]);
+static TPM_RC TSS_HmacSession12_Continue(TSS_CONTEXT *tssContext,
+ TSS_HMAC12_CONTEXT *session,
+ TPMS_AUTH12_RESPONSE *authR);
+static TPM_RC TSS_Command_Decrypt(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC12_CONTEXT *session[],
+ TPM_AUTHHANDLE sessionHandle[]);
+static TPM_RC TSS_Command_DecryptXor(TSS_AUTH_CONTEXT *tssAuthContext,
+ TSS_HMAC12_CONTEXT *session,
+ uint8_t *encAuth,
+ int parameterNumber);
+
+extern int tssVerbose;
+extern int tssVverbose;
+
+/* TSS_Execute12() performs the complete command / response process.
+
+ It sends the command specified by commandCode and the parameters 'in', returning the response
+ parameters 'out'.
+
+ ... varargs are
+
+ TPM_AUTHHANDLE authHandle,
+ const char *password,
+ unsigned int sessionAttributes
+
+ Terminates with TPM_RH_NULL, NULL, 0
+
+ Processes up to MAX_SESSION_NUM sessions.
+*/
+
+TPM_RC TSS_Execute12(TSS_CONTEXT *tssContext,
+ RESPONSE_PARAMETERS *out,
+ COMMAND_PARAMETERS *in,
+ EXTRA12_PARAMETERS *extra,
+ TPM_CC commandCode,
+ va_list ap)
+{
+ TPM_RC rc = 0;
+
+ /* create a TSS authorization context */
+ if (rc == 0) {
+ TSS_InitAuthContext(tssContext->tssAuthContext);
+ }
+ /* handle any command specific command pre-processing */
+ if (rc == 0) {
+ rc = TSS_Command_PreProcessor(tssContext,
+ commandCode,
+ in,
+ extra);
+ }
+ /* marshal input parameters */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute12: Command %08x marshal\n", commandCode);
+ rc = TSS_Marshal12(tssContext->tssAuthContext,
+ in,
+ commandCode);
+ }
+ /* execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute12_valist(tssContext, in, ap);
+ }
+ /* unmarshal the response parameters */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute12: Command %08x unmarshal\n", commandCode);
+ rc = TSS_Unmarshal12(tssContext->tssAuthContext, out);
+ }
+ /* handle any command specific response post-processing */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute12: Command %08x post processor\n", commandCode);
+ rc = TSS_Response_PostProcessor(tssContext,
+ in,
+ out,
+ extra);
+ }
+ return rc;
+}
+
+/* TSS_Execute12_valist() transmits the marshaled command and receives the marshaled response.
+
+ varargs are TPM_AUTHHANDLE sessionHandle, const char *password, unsigned int sessionAttributes
+
+ Terminates with sessionHandle TPM_RH_NULL
+
+ Processes up to MAX_SESSION_NUM sessions. It handles HMAC generation and command and response
+ parameter encryption. It loads each session context, rolls nonces, and saves or deletes the
+ session context.
+*/
+
+static TPM_RC TSS_Execute12_valist(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ va_list ap)
+{
+ TPM_RC rc = 0;
+ size_t i = 0;
+ size_t numSessions = 0;
+
+ /* the vararg parameters */
+ TPM_AUTHHANDLE sessionHandle[MAX_SESSION_NUM];
+ const char *password[MAX_SESSION_NUM];
+ unsigned int sessionAttributes[MAX_SESSION_NUM];
+
+ /* structures filled in */
+ TPMS_AUTH12_COMMAND authCommand[MAX_SESSION_NUM];
+ TPMS_AUTH12_RESPONSE authResponse[MAX_SESSION_NUM];
+
+ /* pointer to the above structures as used */
+ TPMS_AUTH12_COMMAND *authC[MAX_SESSION_NUM];
+ TPMS_AUTH12_RESPONSE *authR[MAX_SESSION_NUM];
+
+ /* TSS sessions */
+ TSS_HMAC12_CONTEXT *session[MAX_SESSION_NUM];
+
+ in = in;
+ ap = ap;
+
+ /* Step 1: initialization */
+ if (tssVverbose) printf("TSS_Execute12_valist: Step 1: initialization\n");
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) ; i++) {
+ authC[i] = NULL; /* array of TPMS_AUTH12_COMMAND structures, NULL for
+ TSS_SetCmdAuths */
+ authR[i] = NULL; /* array of TPMS_AUTH12_RESPONSE structures, NULL for
+ TSS_GetRspAuths */
+ session[i] = NULL; /* for free, used for HMAC and encrypt/decrypt sessions */
+ /* the varargs list inputs */
+ sessionHandle[i] = TPM_RH_NULL;
+ password[i] = NULL;
+ sessionAttributes[i] = 0;
+ }
+ /* Step 2: gather the command authorizations */
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) ; i++) {
+ sessionHandle[i] = va_arg(ap, TPM_AUTHHANDLE); /* first vararg is the session
+ handle */
+ password[i] = va_arg(ap, const char *); /* second vararg is the password */
+ sessionAttributes[i] = va_arg(ap, unsigned int); /* third argument is
+ sessionAttributes */
+ sessionAttributes[i] &= 0xff; /* is uint8_t */
+
+ if (sessionHandle[i] != TPM_RH_NULL) { /* varargs termination value */
+
+ if (tssVverbose) printf("TSS_Execute12_valist: Step 2: authorization %u\n",
+ (unsigned int)i);
+ if (tssVverbose) printf("TSS_Execute12_valist: session %u handle %08x\n",
+ (unsigned int)i, sessionHandle[i]);
+ /* make used, non-NULL for command and response varargs */
+ authC[i] = &authCommand[i];
+ authR[i] = &authResponse[i];
+
+ /* initialize a TSS HMAC session */
+ if (rc == 0) {
+ rc = TSS_HmacSession12_GetContext(&session[i]);
+ }
+ /* load the session created by either OIAP or OSAP */
+ if (rc == 0) {
+ rc = TSS_HmacSession12_LoadSession(tssContext, session[i], sessionHandle[i]);
+ }
+ if (rc == 0) {
+ if (session[i]->entityValue == TPM_RH_NULL) { /* if OIAP, use password */
+ if (password[i] != NULL) { /* if a password was specified, hash it */
+ /* hash the password, algorithm set to SHA-1 at initialization */
+ rc = TSS_Hash_Generate(&session[i]->hmacKey,
+ strlen(password[i]), (unsigned char *)password[i],
+ 0, NULL);
+ }
+ /* TPM 1.2 convention seems to use all zeros as a well known auth */
+ else {
+ memset((uint8_t *)&session[i]->hmacKey.digest, 0, SHA1_DIGEST_SIZE);
+ }
+ }
+ else { /* use shared secret from OSAP setup */
+ memcpy((uint8_t *)&session[i]->hmacKey.digest,
+ (uint8_t *)&session[i]->sharedSecret.digest, SHA1_DIGEST_SIZE);
+ }
+ }
+ }
+ else {
+ numSessions = i; /* record the number of auth sessions */
+ break;
+ }
+ }
+ /* Step 3: Roll nonceOdd, save in the session context for the response */
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) && (sessionHandle[i] != TPM_RH_NULL) ; i++) {
+ if (tssVverbose)
+ printf("TSS_Execute12_valist: Step 3: nonceOdd for session %08x\n", sessionHandle[i]);
+ if (rc == 0) {
+ rc = TSS_RandBytes(session[i]->nonceOdd, SHA1_DIGEST_SIZE);
+ memcpy(authC[i]->nonce, session[i]->nonceOdd, SHA1_DIGEST_SIZE);
+ }
+ }
+ /* Step 4: Calculate the HMAC key */
+ /* not needed for TPM 1.2, HMAC key is either hash of password or OSAP shared secret, calculated
+ in previous step */
+ /* Step 5: TPM_ENCAUTH encryption */
+ if ((rc == 0) && (numSessions > 0)) {
+ if (tssVverbose) printf("TSS_Execute12_valist: Step 5: command ADIP encrypt\n");
+ rc = TSS_Command_Decrypt(tssContext->tssAuthContext,
+ session,
+ sessionHandle);
+ }
+ /* Step 6: for each HMAC session, calculate cpHash, calculate the HMAC, and set it in
+ TPMS_AUTH12_COMMAND */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute12_valist: Step 6: calculate HMACs\n");
+ rc = TSS_HmacSession12_SetHMAC(tssContext->tssAuthContext, /* TSS auth context */
+ numSessions,
+ session, /* TSS session contexts */
+ authC, /* output: command authorizations */
+ sessionHandle, /* list of session handles for the command */
+ sessionAttributes /* attributes for this command */
+ );
+ }
+ /* Step 7: set the command authorizations in the TSS command stream */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute12_valist: Step 7: set command authorizations\n");
+ rc = TSS_SetCmdAuths12(tssContext->tssAuthContext,
+ numSessions,
+ authC);
+ }
+ /* Step 8: process the command. Normally returns the TPM response code. */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute12_valist: Step 8: process the command\n");
+ rc = TSS_AuthExecute(tssContext);
+ }
+ /* Step 9: get the response authorizations from the TSS response stream */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute12_valist: Step 9: get response authorizations\n");
+ rc = TSS_GetRspAuths12(tssContext->tssAuthContext,
+ numSessions,
+ authR);
+ }
+ /* Step 10: process the response authorizations, validate the HMAC */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute12_valist: Step 10: verify HMAC\n");
+#if 0
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) && (sessionHandle[i] != TPM_RH_NULL) ; i++) {
+ rc = TSS_Command_ChangeAuthProcessor(tssContext, session[i], i, in);
+ }
+#endif
+ if (rc == 0) {
+ rc = TSS_HmacSession12_Verify(tssContext->tssAuthContext, /* authorization
+ context */
+ numSessions,
+ session, /* TSS session context */
+ authR); /* input: response authorization */
+ }
+ }
+ /* Step 12: process the response continue flag */
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) && (sessionHandle[i] != TPM_RH_NULL) ; i++) {
+ if (tssVverbose) printf("TSS_Execute12_valist: Step 12: process continue flag %08x\n",
+ sessionHandle[i]);
+ rc = TSS_HmacSession12_Continue(tssContext, session[i], authR[i]);
+ }
+ /* cleanup */
+ for (i = 0 ; i < MAX_SESSION_NUM ; i++) {
+ TSS_HmacSession12_FreeContext(session[i]);
+ }
+ return rc;
+}
+
+/*
+ HMAC Session
+*/
+
+/* TSS_HmacSession12_GetContext() allocates and initializes a TSS_HMAC12_CONTEXT structure */
+
+static TPM_RC TSS_HmacSession12_GetContext(TSS_HMAC12_CONTEXT **session)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_Malloc((uint8_t **)session, sizeof(TSS_HMAC12_CONTEXT));
+ }
+ if (rc == 0) {
+ TSS_HmacSession12_InitContext(*session);
+ }
+ return rc;
+}
+
+/* TSS_HmacSession12_InitContext() initializes a TSS_HMAC12_CONTEXT structure */
+
+static void TSS_HmacSession12_InitContext(TSS_HMAC12_CONTEXT *session)
+{
+ session->authHandle = TPM_RH_NULL;
+ memset(session->nonceEven, 0, SHA1_DIGEST_SIZE);
+ memset(session->nonceEvenOSAP, 0, SHA1_DIGEST_SIZE);
+ memset(&session->sharedSecret.digest, 0, SHA1_DIGEST_SIZE);
+ memset(session->nonceOdd, 0, SHA1_DIGEST_SIZE);
+ memset(session->nonceOddOSAP, 0, SHA1_DIGEST_SIZE);
+ session->hmacKey.hashAlg = TPM_ALG_SHA1;
+ memset((uint8_t *)&session->hmacKey.digest, 0, SHA1_DIGEST_SIZE);
+ return;
+}
+
+/* TSS_HmacSession12_FreeContext() initializes (to erase secrets) and frees a TSS_HMAC12_CONTEXT
+ structure */
+
+static void TSS_HmacSession12_FreeContext(TSS_HMAC12_CONTEXT *session)
+{
+ if (session != NULL) {
+ TSS_HmacSession12_InitContext(session);
+ free(session);
+ }
+ return;
+}
+
+/* TSS_HmacSession12_SaveSession() marshals, optionally encrypts, and saves a TSS_HMAC12_CONTEXT
+ structure */
+
+static TPM_RC TSS_HmacSession12_SaveSession(TSS_CONTEXT *tssContext,
+ TSS_HMAC12_CONTEXT *session)
+{
+ TPM_RC rc = 0;
+ uint8_t *buffer = NULL; /* marshaled TSS_HMAC12_CONTEXT */
+ uint16_t written = 0;
+ char sessionFilename[TPM_DATA_DIR_PATH_LENGTH];
+ uint8_t *outBuffer = NULL;
+ uint32_t outLength;
+
+ if (tssVverbose) printf("TSS_HmacSession12_SaveSession: handle %08x\n", session->authHandle);
+ if (rc == 0) {
+ rc = TSS_Structure_Marshal(&buffer, /* freed @1 */
+ &written,
+ session,
+ (MarshalFunction_t)TSS_HmacSession12_Marshal);
+ }
+ if (rc == 0) {
+ /* if the flag is set, encrypt the session state before store */
+ if (tssContext->tssEncryptSessions) {
+ rc = TSS_AES_Encrypt(tssContext->tssSessionEncKey,
+ &outBuffer, /* output, freed @2 */
+ &outLength, /* output */
+ buffer, /* input */
+ written); /* input */
+ }
+ /* else store the session state in plaintext */
+ else {
+ outBuffer = buffer;
+ outLength = written;
+ }
+ }
+ /* save the session in a hard coded file name hxxxxxxxx.bin where xxxxxxxx is the session
+ handle */
+ if (rc == 0) {
+ sprintf(sessionFilename, "%s/h%08x.bin",
+ tssContext->tssDataDirectory, session->authHandle);
+ }
+ if (rc == 0) {
+ rc = TSS_File_WriteBinaryFile(outBuffer,
+ outLength,
+ sessionFilename);
+ }
+ if (tssContext->tssEncryptSessions) {
+ free(outBuffer); /* @2 */
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+/* TSS_HmacSession12_LoadSession() loads and decrypts an HMAC existing session saved by:
+
+ OIAP and OSAP
+ an update after a TPM response
+*/
+
+static TPM_RC TSS_HmacSession12_LoadSession(TSS_CONTEXT *tssContext,
+ TSS_HMAC12_CONTEXT *session,
+ TPM_AUTHHANDLE authHandle)
+{
+ TPM_RC rc = 0;
+ uint8_t *buffer = NULL;
+ uint8_t *buffer1 = NULL;
+ size_t length = 0;
+ char sessionFilename[TPM_DATA_DIR_PATH_LENGTH];
+ unsigned char *inData = NULL; /* output */
+ uint32_t inLength; /* output */
+
+ if (tssVverbose) printf("TSS_HmacSession12_LoadSession: handle %08x\n", authHandle);
+ /* load the session from a hard coded file name hxxxxxxxx.bin where xxxxxxxx is the session
+ handle */
+ if (rc == 0) {
+ sprintf(sessionFilename, "%s/h%08x.bin", tssContext->tssDataDirectory, authHandle);
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ sessionFilename);
+ }
+ if (rc == 0) {
+ /* if the flag is set, decrypt the session state before unmarshal */
+ if (tssContext->tssEncryptSessions) {
+ rc = TSS_AES_Decrypt(tssContext->tssSessionDecKey,
+ &inData, /* output, freed @2 */
+ &inLength, /* output */
+ buffer, /* input */
+ length); /* input */
+ }
+ /* else the session was loaded in plaintext */
+ else {
+ inData = buffer;
+ inLength = length;
+ }
+ }
+ if (rc == 0) {
+ uint32_t ilength = inLength;
+ buffer1 = inData;
+ rc = TSS_HmacSession12_Unmarshal(session, &buffer1, &ilength);
+ }
+ if (tssContext->tssEncryptSessions) {
+ free(inData); /* @2 */
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+/* TSS_HmacSession12_DeleteSession() deletes the file corresponding to the HMAC session */
+
+static TPM_RC TSS_HmacSession12_DeleteSession(TSS_CONTEXT *tssContext,
+ TPM_AUTHHANDLE handle)
+{
+ TPM_RC rc = 0;
+ char filename[TPM_DATA_DIR_PATH_LENGTH];
+
+ /* delete the Name */
+ if (rc == 0) {
+ sprintf(filename, "%s/h%08x.bin", tssContext->tssDataDirectory, handle);
+ if (tssVverbose) printf("TSS_HmacSession12_DeleteSession: delete session file %s\n", filename);
+ rc = TSS_File_DeleteFile(filename);
+ }
+ return rc;
+}
+
+/* TSS_HmacSession12_Marshal() serializes a TSS_HMAC12_CONTEXT
+ */
+
+static TPM_RC TSS_HmacSession12_Marshal(TSS_HMAC12_CONTEXT *source,
+ uint16_t *written,
+ uint8_t **buffer,
+ uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->nonceEven, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->nonceEvenOSAP, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu((uint8_t *)&source->sharedSecret.digest, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->entityType, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->entityValue, written, buffer, size);
+ }
+ return rc;
+}
+
+/* TSS_HmacSession12_Unmarshal() deserializes a TSS_HMAC12_CONTEXT */
+
+static TPM_RC TSS_HmacSession12_Unmarshal(TSS_HMAC12_CONTEXT *target,
+ uint8_t **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->authHandle, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->nonceEven, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->nonceEvenOSAP, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu((uint8_t *)&target->sharedSecret.digest, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Unmarshalu(&target->entityType, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->entityValue, buffer, size);
+ }
+ return rc;
+}
+
+/* TSS_HmacSession12_SetHMAC() is used for a command. It sets all the values in one
+ TPMS_AUTH12_COMMAND, ready for marshaling into the command packet.
+
+ - gets cpBuffer
+ - generates cpHash
+ - generates the HMAC
+ - copies the result into authCommand
+
+ The HMAC key is already in the session structure.
+*/
+
+static TPM_RC TSS_HmacSession12_SetHMAC(TSS_AUTH_CONTEXT *tssAuthContext, /* authorization context */
+ size_t numSessions,
+ TSS_HMAC12_CONTEXT *session[],
+
+ TPMS_AUTH12_COMMAND *authCommand[], /* output: command
+ authorization */
+ TPM_AUTHHANDLE sessionHandle[], /* session handles in
+ command */
+ unsigned int sessionAttributes[]) /* attributes for this
+ command */
+{
+ TPM_RC rc = 0;
+ unsigned int i = 0;
+ TPMT_HA cpHash;
+ TPMT_HA hmac;
+
+ /* Step 6: calculate cpHash. For TPM 1.2, it is the same for all sessions. Name is not used */
+ if ((rc == 0) && (numSessions > 0)) {
+ uint32_t cpBufferSize;
+ uint8_t *cpBuffer;
+ TPM_CC commandCode = TSS_GetCommandCode(tssAuthContext);
+ TPM_CC commandCodeNbo = htonl(commandCode);
+
+ rc = TSS_GetCpBuffer(tssAuthContext, &cpBufferSize, &cpBuffer);
+ if (tssVverbose) TSS_PrintAll("TSS_HmacSession12_SetHMAC: cpBuffer",
+ cpBuffer, cpBufferSize);
+ /* Create cpHash - digest of inputs above the double line. */
+ cpHash.hashAlg = TPM_ALG_SHA1;
+ rc = TSS_Hash_Generate(&cpHash,
+ sizeof(TPM_CC), &commandCodeNbo, /* 1S */
+ cpBufferSize, cpBuffer, /* 2S - ... */
+ 0, NULL);
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_HmacSession12_SetHMAC: cpHash",
+ (uint8_t *)&cpHash.digest,
+ SHA1_DIGEST_SIZE);
+ }
+ }
+ for (i = 0 ; (rc == 0) && (i < numSessions) ; i++) {
+ uint8_t sessionAttr8;
+ TPM2B_KEY hmacKey;
+
+ if (tssVverbose) printf("TSS_HmacSession12_SetHMAC: Step 6 session %08x\n",
+ sessionHandle[i]);
+ /* sessionHandle */
+ authCommand[i]->sessionHandle = session[i]->authHandle;
+ /* attributes come from command */
+ sessionAttr8 = (uint8_t)sessionAttributes[i];
+ authCommand[i]->sessionAttributes.val = sessionAttr8;
+
+ if (tssVverbose) printf("TSS_HmacSession12_SetHMAC: calculate HMAC\n");
+ /* auth HMAC = HMAC(cpHash | nonceEven, nonceOdd, attributes */
+
+ /* convert the TPMT_HA hmacKey to a TPM2B_KEY hmac key */
+ if (rc == 0) {
+ rc = TSS_TPM2B_Create(&hmacKey.b,
+ (uint8_t *)&session[i]->hmacKey.digest, SHA1_DIGEST_SIZE,
+ sizeof(hmacKey.t.buffer));
+ }
+ if (rc == 0) {
+ hmac.hashAlg = TPM_ALG_SHA1;
+ rc = TSS_HMAC_Generate(&hmac, /* output hmac */
+ &hmacKey, /* input key */
+ SHA1_DIGEST_SIZE, (uint8_t *)&cpHash.digest,
+ SHA1_DIGEST_SIZE, session[i]->nonceEven,
+ SHA1_DIGEST_SIZE, session[i]->nonceOdd,
+ sizeof(uint8_t), &sessionAttr8,
+ 0, NULL);
+ }
+ if (rc == 0) {
+ if (tssVverbose) {
+ TSS_PrintAll("TSS_HmacSession12_SetHMAC: HMAC key",
+ (uint8_t *)&session[i]->hmacKey.digest, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_HmacSession12_SetHMAC: cpHash",
+ (uint8_t *)&cpHash.digest, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_HmacSession12_Set: nonceEven",
+ session[i]->nonceEven, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_HmacSession12_SetHMAC: nonceOdd",
+ session[i]->nonceOdd, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_HmacSession12_SetHMAC: sessionAttributes",
+ &sessionAttr8, sizeof(uint8_t));
+ TSS_PrintAll("TSS_HmacSession12_SetHMAC: HMAC",
+ (uint8_t *)&hmac.digest, SHA1_DIGEST_SIZE);
+ }
+ }
+ /* copy HMAC into authCommand TPM2B_AUTH hmac */
+ if (rc == 0) {
+ memcpy(authCommand[i]->hmac, (uint8_t *)&hmac.digest, SHA1_DIGEST_SIZE);
+ }
+ }
+ return rc;
+}
+
+/* TSS_HmacSession12_Verify() is used for a response. It uses the values in TPMS_AUTH12_RESPONSE to
+ validate the response HMAC */
+
+static TPM_RC TSS_HmacSession12_Verify(TSS_AUTH_CONTEXT *tssAuthContext, /* authorization
+ context */
+ size_t numSessions,
+ TSS_HMAC12_CONTEXT *session[], /* TSS session
+ context */
+ TPMS_AUTH12_RESPONSE *authResponse[]) /* input: response
+ authorization */
+{
+ TPM_RC rc = 0;
+ unsigned int i = 0;
+ TPMT_HA rpHash;
+ TPMT_HA actualHmac;
+
+ /* Step 10: calculate rpHash. For TPM 1.2, it is the same for all sessions. Name is not used */
+ if ((rc == 0) && (numSessions > 0)) {
+ uint32_t rpBufferSize;
+ uint8_t *rpBuffer;
+ TPM_CC commandCode = TSS_GetCommandCode(tssAuthContext);
+ TPM_CC commandCodeNbo = htonl(commandCode);
+
+ rc = TSS_GetRpBuffer12(tssAuthContext, &rpBufferSize, &rpBuffer, numSessions);
+ if (tssVverbose) TSS_PrintAll("TSS_HmacSession12_Verify: rpBuffer",
+ rpBuffer, rpBufferSize);
+ /* Create rpHash - digest of inputs above the double line. */
+ rpHash.hashAlg = TPM_ALG_SHA1;
+ rc = TSS_Hash_Generate(&rpHash,
+ sizeof(TPM_RC), &rc, /* 1S */
+ sizeof(TPM_CC), &commandCodeNbo, /* 2S */
+ rpBufferSize, rpBuffer, /* 3S - ... */
+ 0, NULL);
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_HmacSession12_Verify: rpHash",
+ (uint8_t *)&rpHash.digest,
+ SHA1_DIGEST_SIZE);
+ }
+ }
+ for (i = 0 ; (rc == 0) && (i < numSessions) ; i++) {
+ uint8_t sessionAttr8;
+ TPM2B_KEY hmacKey;
+ if (tssVverbose) printf("TSS_HmacSession12_Verify: Step 10 session %u handle %08x\n",
+ i, session[i]->authHandle);
+ /* attributes come from response */
+ sessionAttr8 = (uint8_t)authResponse[i]->sessionAttributes.val;
+ /* save nonceEven in the session context */
+ if (rc == 0) {
+ memcpy(session[i]->nonceEven, authResponse[i]->nonce, SHA1_DIGEST_SIZE);
+ }
+ if (rc == 0) {
+ memcpy((uint8_t *)&actualHmac.digest, &authResponse[i]->hmac,
+ SHA1_DIGEST_SIZE);
+ }
+ /* convert the TPMT_HA hmacKey to a TPM2B_KEY hmac key */
+ if (rc == 0) {
+ rc = TSS_TPM2B_Create(&hmacKey.b,
+ (uint8_t *)&session[i]->hmacKey.digest, SHA1_DIGEST_SIZE,
+ sizeof(hmacKey.t.buffer));
+ }
+ /* verify the HMAC */
+ if (rc == 0) {
+ if (tssVverbose) {
+ TSS_PrintAll("TSS_HmacSession12_Verify: HMAC key",
+ (uint8_t *)&session[i]->hmacKey.digest, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_HmacSession12_Verify: rpHash",
+ (uint8_t *)&rpHash.digest, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_HmacSession12_Verify: nonceEven",
+ session[i]->nonceEven, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_HmacSession12_Verify: nonceOdd",
+ session[i]->nonceOdd, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_HmacSession12_Verify: sessionAttributes",
+ &sessionAttr8, sizeof(uint8_t));
+ TSS_PrintAll("TSS_HmacSession12_Verify: response HMAC",
+ (uint8_t *)&authResponse[i]->hmac, SHA1_DIGEST_SIZE);
+ }
+ actualHmac.hashAlg = TPM_ALG_SHA1;
+ rc = TSS_HMAC_Verify(&actualHmac, /* input response hmac */
+ &hmacKey, /* input HMAC key */
+ SHA1_DIGEST_SIZE,
+ /* rpHash */
+ SHA1_DIGEST_SIZE, (uint8_t *)&rpHash.digest,
+ /* new is nonceEven */
+ SHA1_DIGEST_SIZE, session[i]->nonceEven,
+ /* old is nonceOdd */
+ SHA1_DIGEST_SIZE, session[i]->nonceOdd,
+ /* 1 byte, no endian conversion */
+ sizeof(uint8_t), &authResponse[i]->sessionAttributes.val,
+ 0, NULL);
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_HmacSession12_Verify: session %u verified\n", i);
+ }
+ else {
+ if (tssVerbose) TSS_PrintAll("TSS_HmacSession12_Verify: HMAC verify failed, actual",
+ (uint8_t *)&actualHmac.digest, SHA1_DIGEST_SIZE);
+ }
+ }
+ }
+ return rc;
+}
+
+/* TSS_HmacSession12_Continue() handles the response continueSession flag. It either saves the
+ updated session or deletes the session state. */
+
+static TPM_RC TSS_HmacSession12_Continue(TSS_CONTEXT *tssContext,
+ TSS_HMAC12_CONTEXT *session,
+ TPMS_AUTH12_RESPONSE *authR)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ /* if continue set */
+ if (authR->sessionAttributes.val & TPMA_SESSION_CONTINUESESSION) {
+ /* save the session */
+ rc = TSS_HmacSession12_SaveSession(tssContext, session);
+ }
+ else { /* continue clear */
+ /* delete the session state */
+ rc = TSS_HmacSession12_DeleteSession(tssContext, session->authHandle);
+ }
+ }
+ return rc;
+}
+
+/* TSS_Command_Decrypt() does the command ADIP encryption (the TPM does the decrypt).
+
+ It does common error checking, then calls algorithm specific functions. Currently, only XOR is
+ implemented.
+
+*/
+
+static TPM_RC TSS_Command_Decrypt(TSS_AUTH_CONTEXT *tssAuthContext,
+ TSS_HMAC12_CONTEXT *session[],
+ TPM_AUTHHANDLE sessionHandle[])
+{
+ TPM_RC rc = 0;
+ uint16_t sessionNumber;
+ uint8_t *encAuth0;
+ uint8_t *encAuth1;
+ TSS_HMAC12_CONTEXT *decryptSession;
+ int done = FALSE;
+ int isXor; /* true for XOR, false for AES */
+
+ /* which session is the OSAP session used for the encryption */
+ if (rc == 0) {
+ rc = TSS_GetSessionNumber(tssAuthContext,
+ &sessionNumber);
+ }
+ if (rc == 0) {
+ if (sessionNumber == 0xffff) {
+ done = TRUE;
+ }
+ }
+ /* get the session used for the encryption */
+ if ((rc == 0) && !done) {
+ decryptSession = session[sessionNumber];
+ isXor = (session[sessionNumber]->entityType & 0xff00) == (TPM_ET_XOR << 8);
+ if (!isXor) {
+ if (tssVerbose) printf("TSS_Command_Decrypt: bad entityType %04x for session %08x\n",
+ session[sessionNumber]->entityType,
+ sessionHandle[sessionNumber]);
+ rc = TSS_RC_BAD_DECRYPT_ALGORITHM;
+ }
+ else {
+ if (tssVverbose) printf("TSS_Command_Decrypt: using session %08x\n",
+ sessionHandle[sessionNumber]);
+ }
+
+ }
+ /* get pointers to the parameters to be encrypted */
+ if ((rc == 0) && !done) {
+ rc = TSS_GetEncAuths(tssAuthContext,
+ &encAuth0,
+ &encAuth1);
+ }
+ if ((rc == 0) && !done) {
+ if (tssVverbose) printf("TSS_Command_Decrypt: TPM_ENC_AUTH's at %p, %p\n",
+ encAuth0, encAuth1);
+ }
+ if ((rc == 0) && !done && (encAuth0 != NULL)) {
+ rc = TSS_Command_DecryptXor(tssAuthContext, decryptSession, encAuth0, 0);
+ }
+ if ((rc == 0) && !done && (encAuth1 != NULL)) {
+ rc = TSS_Command_DecryptXor(tssAuthContext, decryptSession, encAuth1, 1);
+ }
+ return rc;
+}
+
+/*
+ pad = sha1(shared secret || lastnonceeven)
+ enc = xor (auth, pad)
+*/
+
+static TPM_RC TSS_Command_DecryptXor(TSS_AUTH_CONTEXT *tssAuthContext,
+ TSS_HMAC12_CONTEXT *session,
+ uint8_t *encAuth,
+ int parameterNumber)
+{
+ TPM_RC rc = 0;
+ TPMT_HA padHash;
+ unsigned int i;
+
+ tssAuthContext = tssAuthContext;
+ /* generate the pad */
+ if (rc == 0) {
+ padHash.hashAlg = TPM_ALG_SHA1;
+ if (parameterNumber == 0) {
+ rc = TSS_Hash_Generate(&padHash,
+ SHA1_DIGEST_SIZE, (uint8_t *)&session->sharedSecret.digest,
+ SHA1_DIGEST_SIZE, session->nonceEven,
+ 0, NULL);
+ }
+ else {
+ rc = TSS_Hash_Generate(&padHash,
+ SHA1_DIGEST_SIZE, (uint8_t *)&session->sharedSecret.digest,
+ SHA1_DIGEST_SIZE, session->nonceOdd,
+ 0, NULL);
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Command_DecryptXor: pad",
+ (uint8_t *)&padHash.digest,
+ SHA1_DIGEST_SIZE);
+ if (tssVverbose) printf("TSS_Command_DecryptXor: parameter %u\n",
+ parameterNumber);
+ if (tssVverbose) TSS_PrintAll("TSS_Command_DecryptXor: plaintext",
+ encAuth, SHA1_DIGEST_SIZE);
+ }
+ /* do the XOR */
+ if (rc == 0) {
+ for (i = 0 ; i < SHA1_DIGEST_SIZE ; i++) {
+ *(encAuth + i) = *(encAuth + i) ^ padHash.digest.sha1[i];
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Command_DecryptXor: ciphertext",
+ encAuth, SHA1_DIGEST_SIZE);
+ }
+ return rc;
+}
+
+/*
+ Command Pre-Processor
+*/
+
+static TPM_RC TSS_Command_PreProcessor(TSS_CONTEXT *tssContext,
+ TPM_CC commandCode,
+ COMMAND_PARAMETERS *in,
+ EXTRA12_PARAMETERS *extra)
+{
+ TPM_RC rc = 0;
+ size_t index;
+ int found;
+ TSS_PreProcessFunction_t preProcessFunction = NULL;
+
+ /* search the table for a pre-processing function */
+ if (rc == 0) {
+ found = FALSE;
+ for (index = 0 ; (index < (sizeof(tssTable) / sizeof(TSS_TABLE))) && !found ; index++) {
+ if (tssTable[index].commandCode == commandCode) {
+ found = TRUE;
+ break; /* don't increment index if found */
+ }
+ }
+ }
+ /* found false means there is no pre-processing function. This permits the table to be smaller
+ if desired. */
+ if ((rc == 0) && found) {
+ preProcessFunction = tssTable[index].preProcessFunction;
+ /* there could also be an entry that is currently NULL, nothing to do */
+ if (preProcessFunction == NULL) {
+ found = FALSE;
+ }
+ }
+ /* call the pre processing function */
+ if ((rc == 0) && found) {
+ rc = preProcessFunction(tssContext, in, extra);
+ }
+ return rc;
+}
+
+/*
+ Command specific pre processing functions
+*/
+
+static TPM_RC TSS_PR_CreateWrapKey(TSS_CONTEXT *tssContext,
+ CreateWrapKey_In *in,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ in = in;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PR_CreateWrapKey\n");
+ /* TPM_ENCAUTH is predictable distance from start */
+ if (rc == 0) {
+ rc = TSS_SetEncAuthOffset0(tssContext->tssAuthContext,
+ sizeof(TPM_TAG) + sizeof(UINT32) + sizeof(TPM_RESULT) +
+ sizeof(TPM_KEY_HANDLE));
+ }
+ if (rc == 0) {
+ rc = TSS_SetEncAuthOffset1(tssContext->tssAuthContext,
+ sizeof(TPM_TAG) + sizeof(UINT32) + sizeof(TPM_RESULT) +
+ sizeof(TPM_KEY_HANDLE) +
+ SHA1_DIGEST_SIZE);
+ }
+ if (rc == 0) {
+ rc = TSS_SetSessionNumber(tssContext->tssAuthContext, 0);
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_PR_CreateWrapKey: ADIP offset at %lu and %lu\n",
+ (unsigned long)(sizeof(TPM_TAG) + sizeof(UINT32) + sizeof(TPM_RESULT) +
+ sizeof(TPM_KEY_HANDLE)),
+ (unsigned long)(sizeof(TPM_TAG) + sizeof(UINT32) + sizeof(TPM_RESULT) +
+ sizeof(TPM_KEY_HANDLE) +
+ SHA1_DIGEST_SIZE));
+ }
+ return rc;
+}
+
+static TPM_RC TSS_PR_MakeIdentity(TSS_CONTEXT *tssContext,
+ MakeIdentity_In *in,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ in = in;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PR_MakeIdentity\n");
+ /* TPM_ENCAUTH is predictable distance from start */
+ if (rc == 0) {
+ rc = TSS_SetEncAuthOffset0(tssContext->tssAuthContext,
+ sizeof(TPM_TAG) + sizeof(UINT32) + sizeof(TPM_RESULT));
+ }
+ if (rc == 0) {
+ rc = TSS_SetSessionNumber(tssContext->tssAuthContext, 1);
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_PR_MakeIdentity: ADIP offset at %lu\n",
+ (unsigned long)(sizeof(TPM_TAG) + sizeof(UINT32) + sizeof(TPM_RESULT)));
+ }
+ return rc;
+}
+
+static TPM_RC TSS_PR_NV_DefineSpace(TSS_CONTEXT *tssContext,
+ NV_DefineSpace_In *in,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ in = in;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PR_NV_DefineSpace\n");
+ /* TPM_ENCAUTH is predictable distance from end */
+ if (rc == 0) {
+ rc = TSS_SetEncAuthOffset0(tssContext->tssAuthContext,
+ -SHA1_DIGEST_SIZE); /* encauth */
+
+ }
+ if (rc == 0) {
+ rc = TSS_SetSessionNumber(tssContext->tssAuthContext, 0);
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_PR_NV_DefineSpace: ADIP offset at %d\n",
+ -SHA1_DIGEST_SIZE);
+ }
+ return rc;
+}
+
+static TPM_RC TSS_PR_OSAP(TSS_CONTEXT *tssContext,
+ OSAP_In *in,
+ OSAP_Extra *extra)
+{
+ TPM_RC rc = 0;
+ tssContext = tssContext;
+ extra = extra;
+
+ if (tssVverbose) printf("TSS_PR_OSAP\n");
+ /* generate nonceOddOSAP */
+ if (rc == 0) {
+ rc = TSS_RandBytes((unsigned char *)in->nonceOddOSAP, SHA1_DIGEST_SIZE);
+ }
+ return rc;
+}
+
+#if 0
+static TPM_RC TSS_PR_Seal(TSS_CONTEXT *tssContext,
+ Seal_in *In,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ in = in;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PR_Seal\n");
+ /* TPM_ENCAUTH is predictable distance from start */
+ if (rc == 0) {
+ rc = TSS_SetEncAuthOffset0(tssContext->tssAuthContext,
+ sizeof(TPM_TAG) + sizeof(UINT32) + sizeof(TPM_RESULT) +
+ sizeof(TPM_KEY_HANDLE));
+ }
+ if (rc == 0) {
+ rc = TSS_SetSessionNumber(tssContext->tssAuthContext, 0);
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_PR_Seal: ADIP offset at %u\n",
+ sizeof(TPM_TAG) + sizeof(UINT32) + sizeof(TPM_RESULT) +
+ sizeof(TPM_KEY_HANDLE));
+ }
+ return rc;
+}
+
+static TPM_RC TSS_PR_Sealx(TSS_CONTEXT *tssContext,
+ Sealx_in *In,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ in = in;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PR_Sealx\n");
+ /* TPM_ENCAUTH is predictable distance from start */
+ if (rc == 0) {
+ rc = TSS_SetEncAuthOffset0(tssContext->tssAuthContext,
+ sizeof(TPM_TAG) + sizeof(UINT32) + sizeof(TPM_RESULT) +
+ sizeof(TPM_KEY_HANDLE));
+ rc = TSS_SetSessionNumber(tssContext->tssAuthContext, 0);
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_PR_Seal: ADIP offset at %u\n",
+ sizeof(TPM_TAG) + sizeof(UINT32) + sizeof(TPM_RESULT) +
+ sizeof(TPM_KEY_HANDLE));
+ }
+ return rc;
+}
+
+#endif
+
+/*
+ Response Post Processor
+*/
+
+/* TSS_Response_PostProcessor() handles any response specific post processing
+ */
+
+static TPM_RC TSS_Response_PostProcessor(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ RESPONSE_PARAMETERS *out,
+ EXTRA12_PARAMETERS *extra)
+{
+ TPM_RC rc = 0;
+ size_t index;
+ int found;
+ TSS_PostProcessFunction_t postProcessFunction = NULL;
+
+ /* search the table for a post processing function */
+ if (rc == 0) {
+ TPM_CC commandCode = TSS_GetCommandCode(tssContext->tssAuthContext);
+ found = FALSE;
+ for (index = 0 ; (index < (sizeof(tssTable) / sizeof(TSS_TABLE))) && !found ; index++) {
+ if (tssTable[index].commandCode == commandCode) {
+ found = TRUE;
+ break; /* don't increment index if found */
+ }
+ }
+ }
+ /* found false means there is no post processing function. This permits the table to be smaller
+ if desired. */
+ if ((rc == 0) && found) {
+ postProcessFunction = tssTable[index].postProcessFunction;
+ /* there could also be an entry that it currently NULL, nothing to do */
+ if (postProcessFunction == NULL) {
+ found = FALSE;
+ }
+ }
+ /* call the function */
+ if ((rc == 0) && found) {
+ rc = postProcessFunction(tssContext, in, out, extra);
+ }
+ return rc;
+}
+
+/*
+ Command specific post processing functions
+*/
+
+static TPM_RC TSS_PO_FlushSpecific(TSS_CONTEXT *tssContext,
+ FlushSpecific_In *in,
+ void *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ out = out;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PO_FlushSpecific: handle %08x\n", in->handle);
+ if ((rc == 0) && (in->resourceType == TPM_RT_AUTH)) {
+ rc = TSS_HmacSession12_DeleteSession(tssContext, in->handle);
+ }
+ return rc;
+}
+
+static TPM_RC TSS_PO_OIAP(TSS_CONTEXT *tssContext,
+ void *in,
+ OIAP_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ TSS_HMAC12_CONTEXT *session = NULL;
+
+ in = in;
+ extra = extra;
+ /* allocate a TSS_HMAC_CONTEXT session context */
+ if (rc == 0) {
+ rc = TSS_HmacSession12_GetContext(&session);
+ }
+ if (rc == 0) {
+ /* store OIAP ordinal outputs */
+ session->authHandle = out->authHandle;
+ session->entityValue = TPM_RH_NULL; /* distinguish OIAP form OSAP */
+ memcpy(session->nonceEven, out->nonceEven, SHA1_DIGEST_SIZE);
+ }
+ /* persist the session */
+ if (rc == 0) {
+ rc = TSS_HmacSession12_SaveSession(tssContext, session);
+ }
+ TSS_HmacSession12_FreeContext(session);
+ return rc;
+}
+
+static TPM_RC TSS_PO_OSAP(TSS_CONTEXT *tssContext,
+ OSAP_In *in,
+ OSAP_Out *out,
+ OSAP_Extra *extra)
+{
+ TPM_RC rc = 0;
+ TSS_HMAC12_CONTEXT *session = NULL;
+ TPM2B_KEY hmacKey;
+ TPMT_HA usageAuth; /* digest of the OSAP password */
+
+ /* allocate a TSS_HMAC_CONTEXT session context */
+ if (rc == 0) {
+ rc = TSS_HmacSession12_GetContext(&session);
+ }
+ if (rc == 0) {
+ session->entityType = in->entityType;
+ session->entityValue = in->entityValue; /* mark OSAP session */
+ memcpy(session->nonceOddOSAP, in->nonceOddOSAP, SHA1_DIGEST_SIZE);
+ /* store OSAP ordinal outputs */
+ session->authHandle = out->authHandle;
+ memcpy(session->nonceEven, out->nonceEven, SHA1_DIGEST_SIZE);
+ memcpy(session->nonceEvenOSAP, out->nonceEvenOSAP, SHA1_DIGEST_SIZE);
+ }
+ /* SHA1 hash the usageAuth */
+ if (rc == 0) {
+ if (extra->usagePassword != NULL) { /* if a password was specified, hash it */
+ usageAuth.hashAlg = TPM_ALG_SHA1;
+ rc = TSS_Hash_Generate(&usageAuth,
+ strlen(extra->usagePassword),
+ (unsigned char *)extra->usagePassword,
+ 0, NULL);
+ }
+ /* TPM 1.2 convention seems to use all zeros as a well known auth */
+ else {
+ memset((uint8_t *)&usageAuth.digest, 0, SHA1_DIGEST_SIZE);
+ }
+ }
+ /* convert the TPMT_HA hash to a TPM2B_KEY hmac key */
+ if (rc == 0) {
+ rc = TSS_TPM2B_Create(&hmacKey.b, (uint8_t *)&usageAuth.digest, SHA1_DIGEST_SIZE,
+ sizeof(hmacKey.t.buffer));
+ }
+ /* calculate the sharedSecret */
+ if (rc == 0) {
+ session->sharedSecret.hashAlg = TPM_ALG_SHA1;
+ rc = TSS_HMAC_Generate(&session->sharedSecret, /* output hmac */
+ &hmacKey, /* input key */
+ SHA1_DIGEST_SIZE, session->nonceEvenOSAP,
+ SHA1_DIGEST_SIZE, in->nonceOddOSAP,
+ 0, NULL);
+ }
+ if ((rc == 0) && tssVverbose) {
+ printf("TSS_PO_OSAP: out->authHandle %08x\n",out->authHandle);
+ printf("TSS_PO_OSAP: in->entityType %08x\n", in->entityType);
+ printf("TSS_PO_OSAP: in->entityValue %08x\n", in->entityValue);
+ TSS_PrintAll("TSS_PO_OSAP: session->nonceEven",
+ session->nonceEven, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_PO_OSAP: session->nonceEvenOSAP",
+ session->nonceEvenOSAP, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_PO_OSAP: session->nonceOddOSAP",
+ session->nonceOddOSAP, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_PO_OSAP: usageAuth",
+ (uint8_t *)&usageAuth.digest, SHA1_DIGEST_SIZE);
+ TSS_PrintAll("TSS_PO_OSAP: sharedSecret",
+ (uint8_t *)&session->sharedSecret.digest, SHA1_DIGEST_SIZE);
+ }
+ /* persist the session */
+ if (rc == 0) {
+ rc = TSS_HmacSession12_SaveSession(tssContext, session);
+ }
+ TSS_HmacSession12_FreeContext(session);
+ return rc;
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/tss12.h b/libstb/tss2/ibmtpm20tss/utils/tss12.h
new file mode 100644
index 0000000..9d64398
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tss12.h
@@ -0,0 +1,58 @@
+/********************************************************************************/
+/* */
+/* TSS TPM 1.2 API */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id:tss.h 656 2016-06-28 16:49:29Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TSS12_H
+#define TSS12_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ TPM_RC TSS_Execute12(TSS_CONTEXT *tssContext,
+ RESPONSE_PARAMETERS *out,
+ COMMAND_PARAMETERS *in,
+ EXTRA12_PARAMETERS *extra,
+ TPM_CC commandCode,
+ va_list ap);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/tss20.c b/libstb/tss2/ibmtpm20tss/utils/tss20.c
new file mode 100644
index 0000000..c38d1ec
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tss20.c
@@ -0,0 +1,4900 @@
+/********************************************************************************/
+/* */
+/* TSS Primary API for TPM 2.0 */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018 - 2020 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <errno.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include "tssauth.h"
+#include "tssauth20.h"
+#include <ibmtss/tss.h>
+#include "tssproperties.h"
+#include <ibmtss/tsstransmit.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include "tssccattributes.h"
+#ifndef TPM_TSS_NOCRYPTO
+#include <ibmtss/tsscrypto.h>
+#include <ibmtss/tsscryptoh.h>
+#endif
+#include <ibmtss/tssprintcmd.h>
+#include "tss20.h"
+
+/* Files:
+
+ h01xxxxxx.bin - NV index name
+ h02xxxxxx.bin - hmac session context
+ h03xxxxxx.bin - policy session context
+ h80xxxxxx.bin - transient object name
+
+ cxxxx...xxxx.bin - context blob name
+*/
+
+/* NOTE Synchronize with
+
+ TSS_HmacSession_InitContext
+ TSS_HmacSession_Unmarshal
+ TSS_HmacSession_Marshal
+*/
+
+struct TSS_HMAC_CONTEXT {
+ TPMI_SH_AUTH_SESSION sessionHandle; /* the session handle */
+ TPMI_ALG_HASH authHashAlg; /* hash algorithm to use for the session */
+#ifndef TPM_TSS_NOCRYPTO
+ uint32_t sizeInBytes; /* hash algorithm mapped to size */
+#endif /* TPM_TSS_NOCRYPTO */
+ TPMT_SYM_DEF symmetric; /* the algorithm and key size for parameter
+ encryption */
+ TPMI_DH_ENTITY bind; /* bind handle */
+ TPM2B_NAME bindName; /* Name corresponding to the the bind
+ handle */
+ TPM2B_AUTH bindAuthValue; /* password corresponding to the bind
+ handle */
+#ifndef TPM_TSS_NOCRYPTO
+ TPM2B_NONCE nonceTPM; /* from TPM in response */
+ TPM2B_NONCE nonceCaller; /* from caller in command */
+ TPM2B_DIGEST sessionKey; /* from KDFa at session creation */
+#endif /* TPM_TSS_NOCRYPTO */
+ TPM_SE sessionType; /* HMAC (0), policy (1), or trial policy */
+ uint8_t isPasswordNeeded; /* flag set by policy password */
+ uint8_t isAuthValueNeeded; /* flag set by policy authvalue */
+ /* Items below this line are for the lifetime of one command. They are not saved and loaded. */
+ TPM2B_KEY hmacKey; /* HMAC key calculated for each command */
+#ifndef TPM_TSS_NOCRYPTO
+ TPM2B_KEY sessionValue; /* KDFa secret for parameter encryption */
+#endif /* TPM_TSS_NOCRYPTO */
+} TSS_HMAC_CONTEXT;
+
+/* functions for command pre- and post- processing */
+
+typedef TPM_RC (*TSS_PreProcessFunction_t)(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ EXTRA_PARAMETERS *extra);
+typedef TPM_RC (*TSS_ChangeAuthFunction_t)(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ size_t handleNumber,
+ COMMAND_PARAMETERS *in);
+typedef TPM_RC (*TSS_PostProcessFunction_t)(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ RESPONSE_PARAMETERS *out,
+ EXTRA_PARAMETERS *extra);
+
+static TPM_RC TSS_PR_StartAuthSession(TSS_CONTEXT *tssContext,
+ StartAuthSession_In *in,
+ StartAuthSession_Extra *extra);
+static TPM_RC TSS_PR_NV_DefineSpace(TSS_CONTEXT *tssContext,
+ NV_DefineSpace_In *in,
+ void *extra);
+
+static TPM_RC TSS_CA_HierarchyChangeAuth(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ size_t handleNumber,
+ HierarchyChangeAuth_In *in);
+static TPM_RC TSS_CA_NV_UndefineSpaceSpecial(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ size_t handleNumber,
+ NV_UndefineSpaceSpecial_In *in);
+static TPM_RC TSS_CA_NV_ChangeAuth(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ size_t handleNumber,
+ NV_ChangeAuth_In *in);
+
+
+static TPM_RC TSS_PO_StartAuthSession(TSS_CONTEXT *tssContext,
+ StartAuthSession_In *in,
+ StartAuthSession_Out *out,
+ StartAuthSession_Extra *extra);
+static TPM_RC TSS_PO_ContextSave(TSS_CONTEXT *tssContext,
+ ContextSave_In *in,
+ ContextSave_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_ContextLoad(TSS_CONTEXT *tssContext,
+ ContextLoad_In *in,
+ ContextLoad_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_FlushContext(TSS_CONTEXT *tssContext,
+ FlushContext_In *in,
+ void *out,
+ void *extra);
+static TPM_RC TSS_PO_EvictControl(TSS_CONTEXT *tssContext,
+ EvictControl_In *in,
+ void *out,
+ void *extra);
+static TPM_RC TSS_PO_Load(TSS_CONTEXT *tssContext,
+ Load_In *in,
+ Load_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_LoadExternal(TSS_CONTEXT *tssContext,
+ LoadExternal_In *in,
+ LoadExternal_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_ReadPublic(TSS_CONTEXT *tssContext,
+ ReadPublic_In *in,
+ ReadPublic_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_CreateLoaded(TSS_CONTEXT *tssContext,
+ CreateLoaded_In *in,
+ CreateLoaded_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_HMAC_Start(TSS_CONTEXT *tssContext,
+ HMAC_Start_In *in,
+ HMAC_Start_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_HashSequenceStart(TSS_CONTEXT *tssContext,
+ HashSequenceStart_In *in,
+ HashSequenceStart_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_SequenceComplete(TSS_CONTEXT *tssContext,
+ SequenceComplete_In *in,
+ SequenceComplete_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_EventSequenceComplete(TSS_CONTEXT *tssContext,
+ EventSequenceComplete_In *in,
+ EventSequenceComplete_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_PolicyAuthValue(TSS_CONTEXT *tssContext,
+ PolicyAuthValue_In *in,
+ void *out,
+ void *extra);
+static TPM_RC TSS_PO_PolicyPassword(TSS_CONTEXT *tssContext,
+ PolicyPassword_In *in,
+ void *out,
+ void *extra);
+static TPM_RC TSS_PO_CreatePrimary(TSS_CONTEXT *tssContext,
+ CreatePrimary_In *in,
+ CreatePrimary_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_NV_DefineSpace(TSS_CONTEXT *tssContext,
+ NV_DefineSpace_In *in,
+ void *out,
+ void *extra);
+static TPM_RC TSS_PO_NV_ReadPublic(TSS_CONTEXT *tssContext,
+ NV_ReadPublic_In *in,
+ NV_ReadPublic_Out *out,
+ void *extra);
+static TPM_RC TSS_PO_NV_UndefineSpace(TSS_CONTEXT *tssContext,
+ NV_UndefineSpace_In *in,
+ void *out,
+ void *extra);
+static TPM_RC TSS_PO_NV_UndefineSpaceSpecial(TSS_CONTEXT *tssContext,
+ NV_UndefineSpaceSpecial_In *in,
+ void *out,
+ void *extra);
+static TPM_RC TSS_PO_NV_Write(TSS_CONTEXT *tssContext,
+ NV_Write_In *in,
+ void *out,
+ void *extra);
+static TPM_RC TSS_PO_NV_WriteLock(TSS_CONTEXT *tssContext,
+ NV_WriteLock_In *in,
+ void *out,
+ void *extra);
+static TPM_RC TSS_PO_NV_ReadLock(TSS_CONTEXT *tssContext,
+ NV_ReadLock_In *in,
+ void *out,
+ void *extra);
+
+typedef struct TSS_TABLE {
+ TPM_CC commandCode;
+ TSS_PreProcessFunction_t preProcessFunction;
+ TSS_ChangeAuthFunction_t changeAuthFunction;
+ TSS_PostProcessFunction_t postProcessFunction;
+} TSS_TABLE;
+
+/* This table indexes from the command to pre- and post- processing functions. A missing entry is
+ not an error, and indicates a command with no functions. */
+
+static const TSS_TABLE tssTable [] = {
+
+ {TPM_CC_Startup, NULL, NULL, NULL},
+ {TPM_CC_Shutdown, NULL, NULL, NULL},
+ {TPM_CC_SelfTest, NULL, NULL, NULL},
+ {TPM_CC_IncrementalSelfTest, NULL, NULL, NULL},
+ {TPM_CC_GetTestResult, NULL, NULL, NULL},
+ {TPM_CC_StartAuthSession, (TSS_PreProcessFunction_t)TSS_PR_StartAuthSession, NULL, (TSS_PostProcessFunction_t)TSS_PO_StartAuthSession},
+ {TPM_CC_PolicyRestart, NULL, NULL, NULL},
+ {TPM_CC_Create, NULL, NULL, NULL},
+ {TPM_CC_Load, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_Load},
+ {TPM_CC_LoadExternal, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_LoadExternal},
+ {TPM_CC_ReadPublic, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ReadPublic},
+ {TPM_CC_ActivateCredential, NULL, NULL, NULL},
+ {TPM_CC_MakeCredential, NULL, NULL, NULL},
+ {TPM_CC_Unseal, NULL, NULL, NULL},
+ {TPM_CC_ObjectChangeAuth, NULL, NULL, NULL},
+ {TPM_CC_CreateLoaded, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreateLoaded},
+ {TPM_CC_Duplicate, NULL, NULL, NULL},
+ {TPM_CC_Rewrap, NULL, NULL, NULL},
+ {TPM_CC_Import, NULL, NULL, NULL},
+ {TPM_CC_RSA_Encrypt, NULL, NULL, NULL},
+ {TPM_CC_RSA_Decrypt, NULL, NULL, NULL},
+ {TPM_CC_ECDH_KeyGen, NULL, NULL, NULL},
+ {TPM_CC_ECDH_ZGen, NULL, NULL, NULL},
+ {TPM_CC_ECC_Parameters, NULL, NULL, NULL},
+ {TPM_CC_ZGen_2Phase, NULL, NULL, NULL},
+ {TPM_CC_EncryptDecrypt, NULL, NULL, NULL},
+ {TPM_CC_EncryptDecrypt2, NULL, NULL, NULL},
+ {TPM_CC_Hash, NULL, NULL, NULL},
+ {TPM_CC_HMAC, NULL, NULL, NULL},
+ {TPM_CC_GetRandom, NULL, NULL, NULL},
+ {TPM_CC_StirRandom, NULL, NULL, NULL},
+ {TPM_CC_HMAC_Start, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HMAC_Start},
+ {TPM_CC_HashSequenceStart, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_HashSequenceStart},
+ {TPM_CC_SequenceUpdate, NULL, NULL, NULL},
+ {TPM_CC_SequenceComplete, NULL,NULL, (TSS_PostProcessFunction_t)TSS_PO_SequenceComplete},
+ {TPM_CC_EventSequenceComplete, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EventSequenceComplete},
+ {TPM_CC_Certify, NULL, NULL, NULL},
+ {TPM_CC_CertifyX509, NULL, NULL, NULL},
+ {TPM_CC_CertifyCreation, NULL, NULL, NULL},
+ {TPM_CC_Quote, NULL, NULL, NULL},
+ {TPM_CC_GetSessionAuditDigest, NULL, NULL, NULL},
+ {TPM_CC_GetCommandAuditDigest, NULL, NULL, NULL},
+ {TPM_CC_GetTime, NULL, NULL, NULL},
+ {TPM_CC_Commit, NULL, NULL, NULL},
+ {TPM_CC_EC_Ephemeral, NULL, NULL, NULL},
+ {TPM_CC_VerifySignature, NULL, NULL, NULL},
+ {TPM_CC_Sign, NULL, NULL, NULL},
+ {TPM_CC_SetCommandCodeAuditStatus, NULL, NULL, NULL},
+ {TPM_CC_PCR_Extend, NULL, NULL, NULL},
+ {TPM_CC_PCR_Event, NULL, NULL, NULL},
+ {TPM_CC_PCR_Read, NULL, NULL, NULL},
+ {TPM_CC_PCR_Allocate, NULL, NULL, NULL},
+ {TPM_CC_PCR_SetAuthPolicy, NULL, NULL, NULL},
+ {TPM_CC_PCR_SetAuthValue, NULL, NULL, NULL},
+ {TPM_CC_PCR_Reset, NULL, NULL, NULL},
+ {TPM_CC_PolicySigned, NULL, NULL, NULL},
+ {TPM_CC_PolicySecret, NULL, NULL, NULL},
+ {TPM_CC_PolicyTicket, NULL, NULL, NULL},
+ {TPM_CC_PolicyOR, NULL, NULL, NULL},
+ {TPM_CC_PolicyPCR, NULL, NULL, NULL},
+ {TPM_CC_PolicyLocality, NULL, NULL, NULL},
+ {TPM_CC_PolicyNV, NULL, NULL, NULL},
+ {TPM_CC_PolicyAuthorizeNV, NULL, NULL, NULL},
+ {TPM_CC_PolicyCounterTimer, NULL, NULL, NULL},
+ {TPM_CC_PolicyCommandCode, NULL, NULL, NULL},
+ {TPM_CC_PolicyPhysicalPresence, NULL, NULL, NULL},
+ {TPM_CC_PolicyCpHash, NULL, NULL, NULL},
+ {TPM_CC_PolicyNameHash, NULL, NULL, NULL},
+ {TPM_CC_PolicyDuplicationSelect, NULL, NULL, NULL},
+ {TPM_CC_PolicyAuthorize, NULL, NULL, NULL},
+ {TPM_CC_PolicyAuthValue, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyAuthValue},
+ {TPM_CC_PolicyPassword, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_PolicyPassword},
+ {TPM_CC_PolicyGetDigest, NULL, NULL, NULL},
+ {TPM_CC_PolicyNvWritten, NULL, NULL, NULL},
+ {TPM_CC_PolicyTemplate, NULL, NULL, NULL},
+ {TPM_CC_CreatePrimary, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_CreatePrimary},
+ {TPM_CC_HierarchyControl, NULL, NULL, NULL},
+ {TPM_CC_SetPrimaryPolicy, NULL, NULL, NULL},
+ {TPM_CC_ChangePPS, NULL, NULL, NULL},
+ {TPM_CC_ChangeEPS, NULL, NULL, NULL},
+ {TPM_CC_Clear, NULL, NULL, NULL},
+ {TPM_CC_ClearControl, NULL, NULL, NULL},
+ {TPM_CC_HierarchyChangeAuth, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_HierarchyChangeAuth, NULL},
+ {TPM_CC_DictionaryAttackLockReset, NULL, NULL, NULL},
+ {TPM_CC_DictionaryAttackParameters, NULL, NULL, NULL},
+ {TPM_CC_PP_Commands, NULL, NULL, NULL},
+ {TPM_CC_SetAlgorithmSet, NULL, NULL, NULL},
+ {TPM_CC_ContextSave, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextSave},
+ {TPM_CC_ContextLoad, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_ContextLoad},
+ {TPM_CC_FlushContext, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_FlushContext},
+ {TPM_CC_EvictControl, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_EvictControl},
+ {TPM_CC_ReadClock, NULL, NULL, NULL},
+ {TPM_CC_ClockSet, NULL, NULL, NULL},
+ {TPM_CC_ClockRateAdjust, NULL, NULL, NULL},
+ {TPM_CC_GetCapability, NULL, NULL, NULL},
+ {TPM_CC_TestParms, NULL, NULL, NULL},
+ {TPM_CC_NV_DefineSpace, (TSS_PreProcessFunction_t)TSS_PR_NV_DefineSpace, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_DefineSpace},
+ {TPM_CC_NV_UndefineSpace, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpace},
+ {TPM_CC_NV_UndefineSpaceSpecial, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_UndefineSpaceSpecial, (TSS_PostProcessFunction_t)TSS_PO_NV_UndefineSpaceSpecial},
+ {TPM_CC_NV_ReadPublic, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadPublic},
+ {TPM_CC_NV_Write, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_Increment, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_Extend, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_SetBits, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_Write},
+ {TPM_CC_NV_WriteLock, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_WriteLock},
+ {TPM_CC_NV_GlobalWriteLock, NULL, NULL, NULL},
+ {TPM_CC_NV_Read, NULL, NULL, NULL},
+ {TPM_CC_NV_ReadLock, NULL, NULL, (TSS_PostProcessFunction_t)TSS_PO_NV_ReadLock},
+ {TPM_CC_NV_ChangeAuth, NULL, (TSS_ChangeAuthFunction_t)TSS_CA_NV_ChangeAuth, NULL},
+ {TPM_CC_NV_Certify, NULL, NULL, NULL}
+};
+
+#ifndef TPM_TSS_NO_PRINT
+
+typedef void (*TSS_InPrintFunction_t)(COMMAND_PARAMETERS *in, unsigned int indent);
+
+typedef struct TSS_PRINT_TABLE {
+ TPM_CC commandCode;
+ TSS_InPrintFunction_t inPrintFunction;
+} TSS_PRINT_TABLE;
+
+/* This table indexes from the command to print functions. A missing entry is
+ not an error, and indicates a command with no function. */
+
+static const TSS_PRINT_TABLE tssPrintTable [] = {
+
+ {TPM_CC_Startup, (TSS_InPrintFunction_t)Startup_In_Print},
+ {TPM_CC_Shutdown, (TSS_InPrintFunction_t)Shutdown_In_Print},
+ {TPM_CC_SelfTest, (TSS_InPrintFunction_t)SelfTest_In_Print},
+ {TPM_CC_IncrementalSelfTest, (TSS_InPrintFunction_t)IncrementalSelfTest_In_Print},
+ {TPM_CC_GetTestResult, NULL},
+ {TPM_CC_StartAuthSession, (TSS_InPrintFunction_t)StartAuthSession_In_Print},
+ {TPM_CC_PolicyRestart, (TSS_InPrintFunction_t)PolicyRestart_In_Print},
+ {TPM_CC_Create,(TSS_InPrintFunction_t)Create_In_Print},
+ {TPM_CC_Load, (TSS_InPrintFunction_t)Load_In_Print},
+ {TPM_CC_LoadExternal, (TSS_InPrintFunction_t)LoadExternal_In_Print},
+ {TPM_CC_ReadPublic, (TSS_InPrintFunction_t)ReadPublic_In_Print},
+ {TPM_CC_ActivateCredential, (TSS_InPrintFunction_t)ActivateCredential_In_Print},
+ {TPM_CC_MakeCredential, (TSS_InPrintFunction_t)MakeCredential_In_Print},
+ {TPM_CC_Unseal, (TSS_InPrintFunction_t)Unseal_In_Print},
+ {TPM_CC_ObjectChangeAuth, (TSS_InPrintFunction_t)ObjectChangeAuth_In_Print},
+ {TPM_CC_CreateLoaded, (TSS_InPrintFunction_t)CreateLoaded_In_Print},
+ {TPM_CC_Duplicate, (TSS_InPrintFunction_t)Duplicate_In_Print},
+ {TPM_CC_Rewrap, (TSS_InPrintFunction_t)Rewrap_In_Print},
+ {TPM_CC_Import, (TSS_InPrintFunction_t)Import_In_Print},
+ {TPM_CC_RSA_Encrypt, (TSS_InPrintFunction_t)RSA_Encrypt_In_Print},
+ {TPM_CC_RSA_Decrypt, (TSS_InPrintFunction_t)RSA_Decrypt_In_Print},
+ {TPM_CC_ECDH_KeyGen, (TSS_InPrintFunction_t)ECDH_KeyGen_In_Print},
+ {TPM_CC_ECDH_ZGen, (TSS_InPrintFunction_t)ECDH_ZGen_In_Print},
+ {TPM_CC_ECC_Parameters, (TSS_InPrintFunction_t)ECC_Parameters_In_Print},
+ {TPM_CC_ZGen_2Phase, (TSS_InPrintFunction_t)ZGen_2Phase_In_Print},
+ {TPM_CC_EncryptDecrypt, (TSS_InPrintFunction_t)EncryptDecrypt_In_Print},
+ {TPM_CC_EncryptDecrypt2, (TSS_InPrintFunction_t)EncryptDecrypt2_In_Print},
+ {TPM_CC_Hash, (TSS_InPrintFunction_t)Hash_In_Print},
+ {TPM_CC_HMAC, (TSS_InPrintFunction_t)HMAC_In_Print},
+ {TPM_CC_GetRandom, (TSS_InPrintFunction_t)GetRandom_In_Print},
+ {TPM_CC_StirRandom, (TSS_InPrintFunction_t)StirRandom_In_Print},
+ {TPM_CC_HMAC_Start, (TSS_InPrintFunction_t)HMAC_Start_In_Print},
+ {TPM_CC_HashSequenceStart, (TSS_InPrintFunction_t)HashSequenceStart_In_Print},
+ {TPM_CC_SequenceUpdate, (TSS_InPrintFunction_t)SequenceUpdate_In_Print},
+ {TPM_CC_SequenceComplete, (TSS_InPrintFunction_t)SequenceComplete_In_Print},
+ {TPM_CC_EventSequenceComplete, (TSS_InPrintFunction_t)EventSequenceComplete_In_Print},
+ {TPM_CC_Certify, (TSS_InPrintFunction_t)Certify_In_Print},
+ {TPM_CC_CertifyX509, (TSS_InPrintFunction_t)CertifyX509_In_Print},
+ {TPM_CC_CertifyCreation, (TSS_InPrintFunction_t)CertifyCreation_In_Print},
+ {TPM_CC_Quote, (TSS_InPrintFunction_t)Quote_In_Print},
+ {TPM_CC_GetSessionAuditDigest, (TSS_InPrintFunction_t)GetSessionAuditDigest_In_Print},
+ {TPM_CC_GetCommandAuditDigest, (TSS_InPrintFunction_t)GetCommandAuditDigest_In_Print},
+ {TPM_CC_GetTime, (TSS_InPrintFunction_t)GetTime_In_Print},
+ {TPM_CC_Commit, (TSS_InPrintFunction_t)Commit_In_Print},
+ {TPM_CC_EC_Ephemeral, (TSS_InPrintFunction_t)EC_Ephemeral_In_Print},
+ {TPM_CC_VerifySignature, (TSS_InPrintFunction_t)VerifySignature_In_Print},
+ {TPM_CC_Sign, (TSS_InPrintFunction_t)Sign_In_Print},
+ {TPM_CC_SetCommandCodeAuditStatus, (TSS_InPrintFunction_t)SetCommandCodeAuditStatus_In_Print},
+ {TPM_CC_PCR_Extend, (TSS_InPrintFunction_t)PCR_Extend_In_Print},
+ {TPM_CC_PCR_Event, (TSS_InPrintFunction_t)PCR_Event_In_Print},
+ {TPM_CC_PCR_Read, (TSS_InPrintFunction_t)PCR_Read_In_Print},
+ {TPM_CC_PCR_Allocate, (TSS_InPrintFunction_t)PCR_Allocate_In_Print},
+ {TPM_CC_PCR_SetAuthPolicy, (TSS_InPrintFunction_t)PCR_SetAuthPolicy_In_Print},
+ {TPM_CC_PCR_SetAuthValue, (TSS_InPrintFunction_t)PCR_SetAuthValue_In_Print},
+ {TPM_CC_PCR_Reset, (TSS_InPrintFunction_t)PCR_Reset_In_Print},
+ {TPM_CC_PolicySigned, (TSS_InPrintFunction_t)PolicySigned_In_Print},
+ {TPM_CC_PolicySecret, (TSS_InPrintFunction_t)PolicySecret_In_Print},
+ {TPM_CC_PolicyTicket, (TSS_InPrintFunction_t)PolicyTicket_In_Print},
+ {TPM_CC_PolicyOR, (TSS_InPrintFunction_t)PolicyOR_In_Print},
+ {TPM_CC_PolicyPCR, (TSS_InPrintFunction_t)PolicyPCR_In_Print},
+ {TPM_CC_PolicyLocality, (TSS_InPrintFunction_t)PolicyLocality_In_Print},
+ {TPM_CC_PolicyNV, (TSS_InPrintFunction_t)PolicyNV_In_Print},
+ {TPM_CC_PolicyAuthorizeNV, (TSS_InPrintFunction_t)PolicyAuthorizeNV_In_Print},
+ {TPM_CC_PolicyCounterTimer, (TSS_InPrintFunction_t)PolicyCounterTimer_In_Print},
+ {TPM_CC_PolicyCommandCode, (TSS_InPrintFunction_t)PolicyCommandCode_In_Print},
+ {TPM_CC_PolicyPhysicalPresence, (TSS_InPrintFunction_t)PolicyPhysicalPresence_In_Print},
+ {TPM_CC_PolicyCpHash, (TSS_InPrintFunction_t)PolicyCpHash_In_Print},
+ {TPM_CC_PolicyNameHash, (TSS_InPrintFunction_t)PolicyNameHash_In_Print},
+ {TPM_CC_PolicyDuplicationSelect, (TSS_InPrintFunction_t)PolicyDuplicationSelect_In_Print},
+ {TPM_CC_PolicyAuthorize, (TSS_InPrintFunction_t)PolicyAuthorize_In_Print},
+ {TPM_CC_PolicyAuthValue, (TSS_InPrintFunction_t)PolicyAuthValue_In_Print},
+ {TPM_CC_PolicyPassword, (TSS_InPrintFunction_t)PolicyPassword_In_Print},
+ {TPM_CC_PolicyGetDigest, (TSS_InPrintFunction_t)PolicyGetDigest_In_Print},
+ {TPM_CC_PolicyNvWritten, (TSS_InPrintFunction_t)PolicyNvWritten_In_Print},
+ {TPM_CC_PolicyTemplate, (TSS_InPrintFunction_t)PolicyTemplate_In_Print},
+ {TPM_CC_CreatePrimary, (TSS_InPrintFunction_t)CreatePrimary_In_Print},
+ {TPM_CC_HierarchyControl, (TSS_InPrintFunction_t)HierarchyControl_In_Print},
+ {TPM_CC_SetPrimaryPolicy, (TSS_InPrintFunction_t)SetPrimaryPolicy_In_Print},
+ {TPM_CC_ChangePPS, (TSS_InPrintFunction_t)ChangePPS_In_Print},
+ {TPM_CC_ChangeEPS, (TSS_InPrintFunction_t)ChangeEPS_In_Print},
+ {TPM_CC_Clear, (TSS_InPrintFunction_t)Clear_In_Print},
+ {TPM_CC_ClearControl, (TSS_InPrintFunction_t)ClearControl_In_Print},
+ {TPM_CC_HierarchyChangeAuth, (TSS_InPrintFunction_t)HierarchyChangeAuth_In_Print},
+ {TPM_CC_DictionaryAttackLockReset, (TSS_InPrintFunction_t)DictionaryAttackLockReset_In_Print},
+ {TPM_CC_DictionaryAttackParameters, (TSS_InPrintFunction_t)DictionaryAttackParameters_In_Print},
+ {TPM_CC_PP_Commands, (TSS_InPrintFunction_t)PP_Commands_In_Print},
+ {TPM_CC_SetAlgorithmSet, (TSS_InPrintFunction_t)SetAlgorithmSet_In_Print},
+ {TPM_CC_ContextSave, (TSS_InPrintFunction_t)ContextSave_In_Print},
+ {TPM_CC_ContextLoad, (TSS_InPrintFunction_t)ContextLoad_In_Print},
+ {TPM_CC_FlushContext, (TSS_InPrintFunction_t)FlushContext_In_Print},
+ {TPM_CC_EvictControl, (TSS_InPrintFunction_t)EvictControl_In_Print},
+ {TPM_CC_ReadClock, (TSS_InPrintFunction_t)NULL},
+ {TPM_CC_ClockSet, (TSS_InPrintFunction_t)ClockSet_In_Print},
+ {TPM_CC_ClockRateAdjust, (TSS_InPrintFunction_t)ClockRateAdjust_In_Print},
+ {TPM_CC_GetCapability, (TSS_InPrintFunction_t)GetCapability_In_Print},
+ {TPM_CC_TestParms, (TSS_InPrintFunction_t)TestParms_In_Print},
+ {TPM_CC_NV_DefineSpace, (TSS_InPrintFunction_t)NV_DefineSpace_In_Print},
+ {TPM_CC_NV_UndefineSpace, (TSS_InPrintFunction_t)NV_UndefineSpace_In_Print},
+ {TPM_CC_NV_UndefineSpaceSpecial, (TSS_InPrintFunction_t)NV_UndefineSpaceSpecial_In_Print},
+ {TPM_CC_NV_ReadPublic, (TSS_InPrintFunction_t)NV_ReadPublic_In_Print},
+ {TPM_CC_NV_Write, (TSS_InPrintFunction_t)NV_Write_In_Print},
+ {TPM_CC_NV_Increment, (TSS_InPrintFunction_t)NV_Increment_In_Print},
+ {TPM_CC_NV_Extend, (TSS_InPrintFunction_t)NV_Extend_In_Print},
+ {TPM_CC_NV_SetBits, (TSS_InPrintFunction_t)NV_SetBits_In_Print},
+ {TPM_CC_NV_WriteLock, (TSS_InPrintFunction_t)NV_WriteLock_In_Print},
+ {TPM_CC_NV_GlobalWriteLock, (TSS_InPrintFunction_t)NV_GlobalWriteLock_In_Print},
+ {TPM_CC_NV_Read, (TSS_InPrintFunction_t)NV_Read_In_Print},
+ {TPM_CC_NV_ReadLock, (TSS_InPrintFunction_t)NV_ReadLock_In_Print},
+ {TPM_CC_NV_ChangeAuth, (TSS_InPrintFunction_t)NV_ChangeAuth_In_Print},
+ {TPM_CC_NV_Certify, (TSS_InPrintFunction_t)NV_Certify_In_Print}
+};
+
+#endif /* TPM_TSS_NO_PRINT */
+
+/* local prototypes */
+
+static TPM_RC TSS_Execute_valist(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ va_list ap);
+
+
+static TPM_RC TSS_PwapSession_Set(TPMS_AUTH_COMMAND *authCommand,
+ const char *password);
+static TPM_RC TSS_PwapSession_Verify(TPMS_AUTH_RESPONSE *authResponse);
+
+static TPM_RC TSS_HmacSession_GetContext(struct TSS_HMAC_CONTEXT **session);
+static void TSS_HmacSession_InitContext(struct TSS_HMAC_CONTEXT *session);
+static void TSS_HmacSession_FreeContext(struct TSS_HMAC_CONTEXT *session);
+
+#ifndef TPM_TSS_NOCRYPTO
+static TPM_RC TSS_HmacSession_SetSessionKey(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ TPM2B_DIGEST *salt,
+ TPMI_DH_ENTITY bind,
+ TPM2B_AUTH *bindAuthValue);
+static TPM_RC TSS_HmacSession_SetNonceCaller(struct TSS_HMAC_CONTEXT *session,
+ TPMS_AUTH_COMMAND *authC);
+static TPM_RC TSS_HmacSession_SetHmacKey(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ size_t handleNumber,
+ const char *password);
+#endif /* TPM_TSS_NOCRYPTO */
+static TPM_RC TSS_HmacSession_SetHMAC(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session[],
+ TPMS_AUTH_COMMAND *authCommand[],
+ TPMI_SH_AUTH_SESSION sessionHandle[],
+ unsigned int sessionAttributes[],
+ const char *password[],
+ TPM2B_NAME *name0,
+ TPM2B_NAME *name1,
+ TPM2B_NAME *name2);
+#ifndef TPM_TSS_NOCRYPTO
+static TPM_RC TSS_HmacSession_Verify(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session,
+ TPMS_AUTH_RESPONSE *authResponse);
+#endif /* TPM_TSS_NOCRYPTO */
+static TPM_RC TSS_HmacSession_Continue(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ TPMS_AUTH_RESPONSE *authR);
+
+
+static TPM_RC TSS_HmacSession_SaveSession(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session);
+static TPM_RC TSS_HmacSession_LoadSession(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+#ifdef TPM_TSS_NOFILE
+static TPM_RC TSS_HmacSession_SaveData(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle,
+ uint32_t outLength,
+ uint8_t *outBuffer);
+static TPM_RC TSS_HmacSession_LoadData(TSS_CONTEXT *tssContext,
+ uint32_t *inLength, uint8_t **inData,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+static TPM_RC TSS_HmacSession_DeleteData(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+static TPM_RC TSS_HmacSession_GetSlotForHandle(TSS_CONTEXT *tssContext,
+ size_t *slotIndex,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+#endif
+static TPM_RC TSS_HmacSession_Marshal(struct TSS_HMAC_CONTEXT *source,
+ uint16_t *written, uint8_t **buffer, uint32_t *size);
+static TPM_RC TSS_HmacSession_Unmarshal(struct TSS_HMAC_CONTEXT *target,
+ uint8_t **buffer, uint32_t *size);
+
+static TPM_RC TSS_Name_GetAllNames(TSS_CONTEXT *tssContext,
+ TPM2B_NAME **names);
+static TPM_RC TSS_Name_GetName(TSS_CONTEXT *tssContext,
+ TPM2B_NAME *name,
+ TPM_HANDLE handle);
+static TPM_RC TSS_Name_Store(TSS_CONTEXT *tssContext,
+ TPM2B_NAME *name,
+ TPM_HANDLE handle,
+ const char *string);
+static TPM_RC TSS_Name_Load(TSS_CONTEXT *tssContext,
+ TPM2B_NAME *name,
+ TPM_HANDLE handle,
+ const char *string);
+static TPM_RC TSS_Name_Copy(TSS_CONTEXT *tssContext,
+ TPM_HANDLE outHandle,
+ const char *outString,
+ TPM_HANDLE inHandle,
+ const char *inString);
+static TPM_RC TSS_Public_Store(TSS_CONTEXT *tssContext,
+ TPM2B_PUBLIC *public,
+ TPM_HANDLE handle,
+ const char *string);
+static TPM_RC TSS_Public_Load(TSS_CONTEXT *tssContext,
+ TPM2B_PUBLIC *public,
+ TPM_HANDLE handle,
+ const char *string);
+static TPM_RC TSS_Public_Copy(TSS_CONTEXT *tssContext,
+ TPM_HANDLE outHandle,
+ const char *outString,
+ TPM_HANDLE inHandle,
+ const char *inString);
+#ifdef TPM_TSS_NOFILE
+static TPM_RC TSS_ObjectPublic_GetSlotForHandle(TSS_CONTEXT *tssContext,
+ size_t *slotIndex,
+ TPM_HANDLE handle);
+static TPM_RC TSS_ObjectPublic_DeleteData(TSS_CONTEXT *tssContext, TPM_HANDLE handle);
+#endif
+static TPM_RC TSS_DeleteHandle(TSS_CONTEXT *tssContext,
+ TPM_HANDLE handle);
+#ifndef TPM_TSS_NOCRYPTO
+static TPM_RC TSS_ObjectPublic_GetName(TPM2B_NAME *name,
+ TPMT_PUBLIC *tpmtPublic);
+
+static TPM_RC TSS_NVPublic_Store(TSS_CONTEXT *tssContext,
+ TPMS_NV_PUBLIC *nvPublic,
+ TPMI_RH_NV_INDEX handle);
+static TPM_RC TSS_NVPublic_Load(TSS_CONTEXT *tssContext,
+ TPMS_NV_PUBLIC *nvPublic,
+ TPMI_RH_NV_INDEX handle);
+#endif
+static TPM_RC TSS_NVPublic_Delete(TSS_CONTEXT *tssContext,
+ TPMI_RH_NV_INDEX nvIndex);
+#ifdef TPM_TSS_NOFILE
+static TPM_RC TSS_NvPublic_GetSlotForHandle(TSS_CONTEXT *tssContext,
+ size_t *slotIndex,
+ TPMI_RH_NV_INDEX nvIndex);
+#endif
+
+static TPM_RC TSS_Command_Decrypt(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session[],
+ TPMI_SH_AUTH_SESSION sessionHandle[],
+ unsigned int sessionAttributes[]);
+#ifndef TPM_TSS_NOCRYPTO
+static TPM_RC TSS_Command_DecryptXor(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session);
+static TPM_RC TSS_Command_DecryptAes(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session);
+
+#endif /* TPM_TSS_NOCRYPTO */
+static TPM_RC TSS_Response_Encrypt(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session[],
+ TPMI_SH_AUTH_SESSION sessionHandle[],
+ unsigned int sessionAttributes[]);
+#ifndef TPM_TSS_NOCRYPTO
+static TPM_RC TSS_Response_EncryptXor(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session);
+static TPM_RC TSS_Response_EncryptAes(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session);
+
+static TPM_RC TSS_Command_ChangeAuthProcessor(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ size_t handleNumber,
+ COMMAND_PARAMETERS *in);
+#endif /* TPM_TSS_NOCRYPTO */
+
+static TPM_RC TSS_Command_PreProcessor(TSS_CONTEXT *tssContext,
+ TPM_CC commandCode,
+ COMMAND_PARAMETERS *in,
+ EXTRA_PARAMETERS *extra);
+static TPM_RC TSS_Response_PostProcessor(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ RESPONSE_PARAMETERS *out,
+ EXTRA_PARAMETERS *extra);
+
+static TPM_RC TSS_Sessions_GetDecryptSession(unsigned int *isDecrypt,
+ unsigned int *decryptSession,
+ TPMI_SH_AUTH_SESSION sessionHandle[],
+ unsigned int sessionAttributes[]);
+static TPM_RC TSS_Sessions_GetEncryptSession(unsigned int *isEncrypt,
+ unsigned int *encryptSession,
+ TPMI_SH_AUTH_SESSION sessionHandle[],
+ unsigned int sessionAttributes[]);
+
+#ifndef TPM_TSS_NOFILE
+static TPM_RC TSS_HashToString(char *str, uint8_t *digest);
+#endif
+#ifndef TPM_TSS_NOCRYPTO
+#ifndef TPM_TSS_NORSA
+static TPM_RC TSS_RSA_Salt(TPM2B_DIGEST *salt,
+ TPM2B_ENCRYPTED_SECRET *encryptedSalt,
+ TPMT_PUBLIC *publicArea);
+#endif /* TPM_TSS_NORSA */
+#endif /* TPM_TSS_NOCRYPTO */
+extern int tssVerbose;
+extern int tssVverbose;
+extern int tssFirstCall;
+
+
+TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext,
+ RESPONSE_PARAMETERS *out,
+ COMMAND_PARAMETERS *in,
+ EXTRA_PARAMETERS *extra,
+ TPM_CC commandCode,
+ va_list ap)
+{
+ TPM_RC rc = 0;
+
+ /* create a TSS authorization context */
+ if (rc == 0) {
+ TSS_InitAuthContext(tssContext->tssAuthContext);
+ }
+ /* handle any command specific command pre-processing */
+ if (rc == 0) {
+ rc = TSS_Command_PreProcessor(tssContext,
+ commandCode,
+ in,
+ extra);
+ }
+ /* marshal input parameters */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute20: Command %08x marshal\n", commandCode);
+ rc = TSS_Marshal(tssContext->tssAuthContext,
+ in,
+ commandCode);
+ }
+ /* execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute_valist(tssContext, in, ap);
+ }
+ /* unmarshal the response parameters */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute20: Command %08x unmarshal\n", commandCode);
+ rc = TSS_Unmarshal(tssContext->tssAuthContext, out);
+ }
+ /* handle any command specific response post-processing */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute20: Command %08x post processor\n", commandCode);
+ rc = TSS_Response_PostProcessor(tssContext,
+ in,
+ out,
+ extra);
+ }
+ return rc;
+}
+
+/* TSS_Execute_valist() transmits the marshaled command and receives the marshaled response.
+
+ varargs are TPMI_SH_AUTH_SESSION sessionHandle, const char *password, unsigned int
+ sessionAttributes
+
+ Terminates with sessionHandle TPM_RH_NULL
+
+ Processes up to MAX_SESSION_NUM sessions. It handles HMAC generation and command and response
+ parameter encryption. It loads each session context, rolls nonces, and saves or deletes the
+ session context.
+*/
+
+static TPM_RC TSS_Execute_valist(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ va_list ap)
+{
+ TPM_RC rc = 0;
+ int done;
+ int haveNames = FALSE; /* names are common to all HMAC sessions */
+ size_t i = 0;
+
+ /* the vararg parameters */
+ TPMI_SH_AUTH_SESSION sessionHandle[MAX_SESSION_NUM];
+ const char *password[MAX_SESSION_NUM];
+ unsigned int sessionAttributes[MAX_SESSION_NUM];
+
+ /* structures filled in */
+ TPMS_AUTH_COMMAND *authCommand[MAX_SESSION_NUM];
+ TPMS_AUTH_RESPONSE *authResponse[MAX_SESSION_NUM];
+
+ /* pointer to the above structures as used */
+ TPMS_AUTH_COMMAND *authC[MAX_SESSION_NUM];
+ TPMS_AUTH_RESPONSE *authR[MAX_SESSION_NUM];
+
+ /* TSS sessions */
+ struct TSS_HMAC_CONTEXT *session[MAX_SESSION_NUM];
+ TPM2B_NAME *names[MAX_SESSION_NUM];
+
+
+ for (i = 0 ; i < MAX_SESSION_NUM ; i++) {
+ authCommand[i] = NULL; /* for safe free */
+ authResponse[i] = NULL; /* for safe free */
+ names[i] = NULL; /* for safe free */
+ authC[i] = NULL; /* array of TPMS_AUTH_COMMAND structures, NULL for
+ TSS_SetCmdAuths */
+ authR[i] = NULL; /* array of TPMS_AUTH_RESPONSE structures, NULL for
+ TSS_GetRspAuths */
+ session[i] = NULL; /* for free, used for HMAC and encrypt/decrypt sessions */
+ /* the varargs list inputs */
+ sessionHandle[i] = TPM_RH_NULL;
+ password[i] = NULL;
+ sessionAttributes[i] = 0;
+ }
+ /* Step 1: initialization */
+ if (tssVverbose) printf("TSS_Execute_valist: Step 1: initialization\n");
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) ; i++) {
+ if (rc == 0) {
+ rc = TSS_Malloc((unsigned char **)&authCommand[i], /* freed @1 */
+ sizeof(TPMS_AUTH_COMMAND));
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc((unsigned char **)&authResponse[i], /* freed @2 */
+ sizeof(TPMS_AUTH_RESPONSE));
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc((unsigned char **)&names[i], /* freed @3 */
+ sizeof(TPM2B_NAME));
+ }
+ if (rc == 0) {
+ names[i]->b.size = 0; /* to ignore unused names in cpHash calculation */
+ }
+ }
+ /* Step 2: gather the command authorizations
+
+ Process PWAP immediately
+ For HMAC, get the session context
+ */
+ done = FALSE;
+ for (i = 0 ; (rc == 0) && !done && (i < MAX_SESSION_NUM) ; i++) {
+ sessionHandle[i] = va_arg(ap, TPMI_SH_AUTH_SESSION); /* first vararg is the session
+ handle */
+ password[i]= va_arg(ap, const char *); /* second vararg is the password */
+ sessionAttributes[i] = va_arg(ap, unsigned int); /* third argument is
+ sessionAttributes */
+ sessionAttributes[i] &= 0xff; /* is uint8_t */
+
+ if (sessionHandle[i] != TPM_RH_NULL) { /* varargs termination value */
+
+ if (tssVverbose) printf("TSS_Execute_valist: Step 2: authorization %u\n",
+ (unsigned int)i);
+ if (tssVverbose) printf("TSS_Execute_valist: session %u handle %08x\n",
+ (unsigned int)i, sessionHandle[i]);
+ /* make used, non-NULL for command and response varargs */
+ authC[i] = authCommand[i];
+ authR[i] = authResponse[i];
+
+ /* if password session, populate authC with password, etc. immediately */
+ if (sessionHandle[i] == TPM_RS_PW) {
+ rc = TSS_PwapSession_Set(authC[i], password[i]);
+ }
+ /* if HMAC or encrypt/decrypt session */
+ else {
+ /* initialize a TSS HMAC session */
+ if (rc == 0) {
+ rc = TSS_HmacSession_GetContext(&session[i]);
+ }
+ /* load the session created by startauthsession */
+ if (rc == 0) {
+ rc = TSS_HmacSession_LoadSession(tssContext, session[i], sessionHandle[i]);
+ }
+ /* if there is at least one HMAC session, get the names corresponding to the
+ handles */
+ if ((session[i]->sessionType == TPM_SE_HMAC) || /* HMAC session. OR */
+ ((session[i]->sessionType == TPM_SE_POLICY) && /* Policy session AND */
+
+#ifndef TPM_TSS_NOCRYPTO
+ ((session[i]->isAuthValueNeeded) || /* PolicyAuthValue ran, OR */
+ (session[i]->sessionKey.b.size != 0))) /* Already session key (bind or salt) */
+#else
+ (session[i]->isAuthValueNeeded)) /* PolicyAuthValue ran, OR */
+#endif /* TPM_TSS_NOCRYPTO */
+ ) {
+ if ((rc == 0) && !haveNames) {
+ rc = TSS_Name_GetAllNames(tssContext, names);
+ haveNames = TRUE; /* get only once, minor optimization */
+ }
+ }
+ }
+ }
+ else {
+ done = TRUE;
+ }
+ }
+ /* Step 3: Roll nonceCaller, save in the session context for the response */
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) && (sessionHandle[i] != TPM_RH_NULL) ; i++) {
+ if (sessionHandle[i] != TPM_RS_PW) { /* no nonce for password sessions */
+ if (tssVverbose)
+ printf("TSS_Execute_valist: Step 3: nonceCaller %08x\n", sessionHandle[i]);
+#ifndef TPM_TSS_NOCRYPTO
+ rc = TSS_HmacSession_SetNonceCaller(session[i], authC[i]);
+#else
+ authC[i]->nonce.b.size = 16;
+ memset(&authC[i]->nonce.b.buffer, 0, 16);
+#endif /* TPM_TSS_NOCRYPTO */
+ }
+ }
+
+#ifndef TPM_TSS_NOCRYPTO
+ /* Step 4: Calculate the HMAC key */
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) && (sessionHandle[i] != TPM_RH_NULL) ; i++) {
+ if (sessionHandle[i] != TPM_RS_PW) { /* no HMAC key for password sessions */
+ if (tssVverbose) printf("TSS_Execute_valist: Step 4: Session %u HMAC key for %08x\n",
+ (unsigned int)i, sessionHandle[i]);
+ rc = TSS_HmacSession_SetHmacKey(tssContext, session[i], i, password[i]);
+ }
+ }
+#endif /* TPM_TSS_NOCRYPTO */
+ /* Step 5: command parameter encryption */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute_valist: Step 5: command encrypt\n");
+ rc = TSS_Command_Decrypt(tssContext->tssAuthContext,
+ session,
+ sessionHandle,
+ sessionAttributes);
+ }
+ /* Step 6: for each HMAC session, calculate cpHash, calculate the HMAC, and set it in
+ TPMS_AUTH_COMMAND */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute_valist: Step 6 calculate HMACs\n");
+ rc = TSS_HmacSession_SetHMAC(tssContext->tssAuthContext, /* TSS auth context */
+ session, /* TSS session contexts */
+ authC, /* output: command authorizations */
+ sessionHandle, /* list of session handles for the command */
+ sessionAttributes, /* attributes for this command */
+ password, /* for plaintext password sessions */
+ names[0], /* Name */
+ names[1], /* Name */
+ names[2]); /* Name */
+ }
+ /* Step 7: set the command authorizations in the TSS command stream */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute_valist: Step 7 set command authorizations\n");
+ rc = TSS_SetCmdAuths(tssContext->tssAuthContext,
+ authC[0],
+ authC[1],
+ authC[2],
+ NULL);
+ }
+ /* Step 8: process the command. Normally returns the TPM response code. */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute_valist: Step 8: process the command\n");
+ rc = TSS_AuthExecute(tssContext);
+ }
+ /* Step 9: get the response authorizations from the TSS response stream */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute_valist: Step 9 get response authorizations\n");
+ rc = TSS_GetRspAuths(tssContext->tssAuthContext,
+ authR[0],
+ authR[1],
+ authR[2],
+ NULL);
+ }
+ /* Step 10: process the response authorizations, validate the HMAC */
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) && (sessionHandle[i] != TPM_RH_NULL) ; i++) {
+ if (tssVverbose)
+ printf("TSS_Execute_valist: Step 10: process response authorization %08x\n",
+ sessionHandle[i]);
+ if (sessionHandle[i] == TPM_RS_PW) {
+ rc = TSS_PwapSession_Verify(authR[i]);
+ }
+ /* HMAC session */
+ else {
+#ifndef TPM_TSS_NOCRYPTO
+ /* save nonceTPM in the session context */
+ if (rc == 0) {
+ rc = TSS_TPM2B_Copy(&session[i]->nonceTPM.b, &authR[i]->nonce.b, sizeof(TPMU_HA));
+ }
+#endif /* TPM_TSS_NOCRYPTO */
+ /* the HMAC key is already part of the TSS session context. For policy sessions with
+ policy password, the response hmac is empty. */
+ if ((session[i]->sessionType == TPM_SE_HMAC) ||
+ ((session[i]->sessionType == TPM_SE_POLICY) && (session[i]->isAuthValueNeeded))) {
+#ifndef TPM_TSS_NOCRYPTO
+ if (rc == 0) {
+ rc = TSS_Command_ChangeAuthProcessor(tssContext, session[i], i, in);
+ }
+ if (rc == 0) {
+ rc = TSS_HmacSession_Verify(tssContext->tssAuthContext, /* authorization
+ context */
+ session[i], /* TSS session context */
+ authR[i]); /* input: response authorization */
+ }
+#else
+ in = in;
+ if (tssVerbose)
+ printf("TSS_Execute_valist: "
+ "Error, HMAC verify with no crypto not implemented\n");
+ rc = TSS_RC_NOT_IMPLEMENTED;
+#endif /* TPM_TSS_NOCRYPTO */
+ }
+ }
+ }
+ /* Step 11: process the audit flag */
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) && (sessionHandle[i] != TPM_RH_NULL) ; i++) {
+ if ((sessionHandle[i] != TPM_RS_PW) &&
+ (session[i]->bind != TPM_RH_NULL) &&
+ (authR[i]->sessionAttributes.val & TPMA_SESSION_AUDIT)) {
+ if (tssVverbose) printf("TSS_Execute_valist: Step 11: process bind audit flag %08x\n",
+ sessionHandle[i]);
+ /* if bind audit session, bind value is lost and further use requires authValue */
+ session[i]->bind = TPM_RH_NULL;
+ }
+ }
+ /* Step 12: process the response continue flag */
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) && (sessionHandle[i] != TPM_RH_NULL) ; i++) {
+ if (sessionHandle[i] != TPM_RS_PW) {
+ if (tssVverbose) printf("TSS_Execute_valist: Step 12: process continue flag %08x\n",
+ sessionHandle[i]);
+ rc = TSS_HmacSession_Continue(tssContext, session[i], authR[i]);
+ }
+ }
+ /* Step 13: response parameter decryption */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Execute_valist: Step 13: response decryption\n");
+ rc = TSS_Response_Encrypt(tssContext->tssAuthContext,
+ session,
+ sessionHandle,
+ sessionAttributes);
+ }
+ /* cleanup */
+ for (i = 0 ; i < MAX_SESSION_NUM ; i++) {
+ TSS_HmacSession_FreeContext(session[i]);
+ free(authCommand[i]); /* @1 */
+ free(authResponse[i]); /* @2 */
+ free(names[i]); /* @3 */
+ }
+ return rc;
+}
+
+/*
+ PWAP - Password Session
+*/
+
+/* TSS_PwapSession_Set() sets all members of the TPMS_AUTH_COMMAND structure for a PWAP session.
+ */
+
+static TPM_RC TSS_PwapSession_Set(TPMS_AUTH_COMMAND *authCommand,
+ const char *password)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ authCommand->sessionHandle = TPM_RS_PW;
+ authCommand->nonce.t.size = 0;
+ authCommand->sessionAttributes.val = 0;
+ }
+ if (password != NULL) {
+ rc = TSS_TPM2B_StringCopy(&authCommand->hmac.b,
+ password, sizeof(authCommand->hmac.t.buffer));
+ }
+ else {
+ authCommand->hmac.t.size = 0;
+ }
+ return rc;
+}
+
+/* TSS_PwapSession_Verify() verifies the PWAP session response. */
+
+static TPM_RC TSS_PwapSession_Verify(TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (authResponse->nonce.t.size != 0) {
+ if (tssVerbose) printf("TSS_PwapSession_Verify: nonce size %u not zero\n",
+ authResponse->nonce.t.size);
+ rc = TSS_RC_BAD_PWAP_NONCE;
+ }
+ }
+ if (rc == 0) {
+ if (authResponse->sessionAttributes.val != TPMA_SESSION_CONTINUESESSION) {
+ if (tssVerbose) printf("TSS_PwapSession_Verify: continue %02x not set\n",
+ authResponse->sessionAttributes.val);
+ rc = TSS_RC_BAD_PWAP_ATTRIBUTES;
+ }
+ }
+ if (rc == 0) {
+ if (authResponse->hmac.t.size != 0) {
+ if (tssVerbose) printf("TSS_PwapSession_Verify: HMAC size %u not zero\n",
+ authResponse->hmac.t.size);
+ rc = TSS_RC_BAD_PWAP_HMAC;
+ }
+ }
+ return rc;
+}
+
+/*
+ HMAC Session
+*/
+
+static TPM_RC TSS_HmacSession_GetContext(struct TSS_HMAC_CONTEXT **session)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_Malloc((uint8_t **)session, sizeof(TSS_HMAC_CONTEXT));
+ }
+ if (rc == 0) {
+ TSS_HmacSession_InitContext(*session);
+ }
+ return rc;
+}
+
+static void TSS_HmacSession_InitContext(struct TSS_HMAC_CONTEXT *session)
+{
+ session->sessionHandle = TPM_RH_NULL;
+ session->authHashAlg = TPM_ALG_NULL;
+#ifndef TPM_TSS_NOCRYPTO
+ session->sizeInBytes = 0;
+#endif
+ session->symmetric.algorithm = TPM_ALG_NULL;
+ session->bind = TPM_RH_NULL;
+ session->bindName.b.size = 0;
+ session->bindAuthValue.t.size = 0;
+#ifndef TPM_TSS_NOCRYPTO
+ memset(session->nonceTPM.t.buffer, 0, sizeof(TPMU_HA));
+ session->nonceTPM.b.size = 0;
+ memset(session->nonceCaller.t.buffer, 0, sizeof(TPMU_HA));
+ session->nonceCaller.b.size = 0;
+ memset(session->sessionKey.t.buffer, 0, sizeof(TPMU_HA));
+ session->sessionKey.b.size = 0;
+#endif
+ session->sessionType = 0;
+ session->isPasswordNeeded = FALSE;
+ session->isAuthValueNeeded = FALSE;
+ memset(session->hmacKey.t.buffer, 0, sizeof(TPMU_HA) + sizeof(TPMU_HA));
+ session->hmacKey.b.size = 0;
+#ifndef TPM_TSS_NOCRYPTO
+ memset(session->sessionValue.t.buffer, 0, sizeof(TPMU_HA) + sizeof(TPMU_HA));
+ session->sessionValue.b.size = 0;
+#endif
+}
+
+void TSS_HmacSession_FreeContext(struct TSS_HMAC_CONTEXT *session)
+{
+ if (session != NULL) {
+ TSS_HmacSession_InitContext(session);
+ free(session);
+ }
+ return;
+}
+
+/* TSS_HmacSession_SetSessionKey() is called by the StartAuthSession post processor to calculate and
+ store the session key
+
+ 19.6.8 sessionKey Creation
+*/
+
+#ifndef TPM_TSS_NOCRYPTO
+
+static TPM_RC TSS_HmacSession_SetSessionKey(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ TPM2B_DIGEST *salt,
+ TPMI_DH_ENTITY bind,
+ TPM2B_AUTH *bindAuthValue)
+{
+ TPM_RC rc = 0;
+ TPM2B_KEY key; /* HMAC key for the KDFa */
+
+ if (rc == 0) {
+ /* save the bind handle, non-null indicates a bound session */
+ session->bind = bind;
+ /* if bind, save the bind Name in the session context. The handle might change, but the
+ name will not */
+ if ((rc == 0) && (bind != TPM_RH_NULL)) {
+ rc = TSS_Name_GetName(tssContext, &session->bindName, bind);
+ }
+ }
+ if (rc == 0) {
+ if ((bind != TPM_RH_NULL) ||
+ (salt->b.size != 0)) {
+
+ /* session key is bindAuthValue || salt */
+ /* copy bindAuthValue. This is set during the post processor to either the supplied
+ bind password or Empty */
+ if (rc == 0) {
+ rc = TSS_TPM2B_Copy(&key.b, &bindAuthValue->b, sizeof(TPMU_HA) + sizeof(TPMT_HA));
+ }
+ /* copy salt. This is set during the postprocessor to either the salt from the
+ preprocessor or empty. */
+ if (rc == 0) {
+ rc = TSS_TPM2B_Append(&key.b, &salt->b, sizeof(TPMU_HA) + sizeof(TPMT_HA));
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_HmacSession_SetSessionKey: KDFa HMAC key",
+ key.b.buffer, key.b.size);
+ }
+ /* KDFa for the session key */
+ if (rc == 0) {
+ rc = TSS_KDFA(session->sessionKey.b.buffer,
+ session->authHashAlg,
+ &key.b,
+ "ATH",
+ &session->nonceTPM.b,
+ &session->nonceCaller.b,
+ session->sizeInBytes * 8);
+ }
+ if (rc == 0) {
+ session->sessionKey.b.size = session->sizeInBytes;
+ if (tssVverbose)
+ TSS_PrintAll("TSS_HmacSession_SetSessionKey: Session key",
+ session->sessionKey.b.buffer, session->sessionKey.b.size);
+ }
+ }
+ else {
+ session->sessionKey.b.size = 0;
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCRYPTO */
+
+/* TSS_HmacSession_SaveSession() saves a session in two cases:
+
+ The initial session from startauthsession
+ The updated session a TPM response
+*/
+
+
+static TPM_RC TSS_HmacSession_SaveSession(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session)
+{
+ TPM_RC rc = 0;
+ uint8_t *buffer = NULL; /* marshaled TSS_HMAC_CONTEXT */
+ uint16_t written = 0;
+#ifndef TPM_TSS_NOFILE
+ char sessionFilename[TPM_DATA_DIR_PATH_LENGTH];
+ uint8_t *outBuffer = NULL;
+ uint32_t outLength;
+#endif
+
+ if (tssVverbose) printf("TSS_HmacSession_SaveSession: handle %08x\n", session->sessionHandle);
+ if (rc == 0) {
+ rc = TSS_Structure_Marshal(&buffer, /* freed @1 */
+ &written,
+ session,
+ (MarshalFunction_t)TSS_HmacSession_Marshal);
+ }
+#ifndef TPM_TSS_NOFILE
+ if (rc == 0) {
+#ifndef TPM_TSS_NOCRYPTO
+ /* if the flag is set, encrypt the session state before store */
+ if (tssContext->tssEncryptSessions) {
+ rc = TSS_AES_Encrypt(tssContext->tssSessionEncKey,
+ &outBuffer, /* output, freed @2 */
+ &outLength, /* output */
+ buffer, /* input */
+ written); /* input */
+ }
+ /* else store the session state in plaintext */
+ else {
+#endif /* TPM_TSS_NOCRYPTO */
+ outBuffer = buffer;
+ outLength = written;
+#ifndef TPM_TSS_NOCRYPTO
+ }
+#endif /* TPM_TSS_NOCRYPTO */
+ }
+ /* save the session in a hard coded file name hxxxxxxxx.bin where xxxxxxxx is the session
+ handle */
+ if (rc == 0) {
+ sprintf(sessionFilename, "%s/h%08x.bin",
+ tssContext->tssDataDirectory, session->sessionHandle);
+ }
+ if (rc == 0) {
+ rc = TSS_File_WriteBinaryFile(outBuffer,
+ outLength,
+ sessionFilename);
+ }
+ if (tssContext->tssEncryptSessions) {
+ free(outBuffer); /* @2 */
+ }
+#else /* no file support, save to context */
+ if (rc == 0) {
+ rc = TSS_HmacSession_SaveData(tssContext,
+ session->sessionHandle,
+ written, buffer);
+ }
+#endif
+ free(buffer); /* @1 */
+ return rc;
+}
+
+/* TSS_HmacSession_LoadSession() loads an existing HMAC session context saved by:
+
+ startauthsession
+ an update after a TPM response
+*/
+
+static TPM_RC TSS_HmacSession_LoadSession(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ uint8_t *buffer = NULL;
+ uint8_t *buffer1 = NULL;
+#ifndef TPM_TSS_NOFILE
+ size_t length = 0;
+ char sessionFilename[TPM_DATA_DIR_PATH_LENGTH];
+#endif
+ unsigned char *inData = NULL; /* output */
+ uint32_t inLength; /* output */
+
+ if (tssVverbose) printf("TSS_HmacSession_LoadSession: handle %08x\n", sessionHandle);
+#ifndef TPM_TSS_NOFILE
+ /* load the session from a hard coded file name hxxxxxxxx.bin where xxxxxxxx is the session
+ handle */
+ if (rc == 0) {
+ sprintf(sessionFilename, "%s/h%08x.bin", tssContext->tssDataDirectory, sessionHandle);
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ sessionFilename);
+ }
+ if (rc == 0) {
+#ifndef TPM_TSS_NOCRYPTO
+ /* if the flag is set, decrypt the session state before unmarshal */
+ if (tssContext->tssEncryptSessions) {
+ rc = TSS_AES_Decrypt(tssContext->tssSessionDecKey,
+ &inData, /* output, freed @2 */
+ &inLength, /* output */
+ buffer, /* input */
+ length); /* input */
+ }
+ /* else the session was loaded in plaintext */
+ else {
+#endif /* TPM_TSS_NOCRYPTO */
+ inData = buffer;
+ inLength = length;
+#ifndef TPM_TSS_NOCRYPTO
+ }
+#endif /* TPM_TSS_NOCRYPTO */
+ }
+#else /* no file support, load from context */
+ if (rc == 0) {
+ rc = TSS_HmacSession_LoadData(tssContext,
+ &inLength, &inData,
+ sessionHandle);
+ }
+#endif
+ if (rc == 0) {
+ uint32_t ilength = inLength;
+ buffer1 = inData;
+ rc = TSS_HmacSession_Unmarshal(session, &buffer1, &ilength);
+ }
+#ifndef TPM_TSS_NOFILE
+ if (tssContext->tssEncryptSessions) {
+ free(inData); /* @2 */
+ }
+#endif
+ free(buffer); /* @1 */
+ return rc;
+}
+
+#ifdef TPM_TSS_NOFILE
+
+static TPM_RC TSS_HmacSession_SaveData(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle,
+ uint32_t outLength,
+ uint8_t *outBuffer)
+{
+ TPM_RC rc = 0;
+ size_t slotIndex;
+
+ /* if this handle is already used, overwrite the slot */
+ if (rc == 0) {
+ rc = TSS_HmacSession_GetSlotForHandle(tssContext, &slotIndex, sessionHandle);
+ if (rc != 0) {
+ rc = TSS_HmacSession_GetSlotForHandle(tssContext, &slotIndex, TPM_RH_NULL);
+ if (rc == 0) {
+ tssContext->sessions[slotIndex].sessionHandle = sessionHandle;
+ }
+ else {
+ if (tssVerbose)
+ printf("TSS_HmacSession_SaveData: Error, no slot available for handle %08x\n",
+ sessionHandle);
+ }
+ }
+ }
+ /* reallocate memory and adjust the size */
+ if (rc == 0) {
+ rc = TSS_Realloc(&tssContext->sessions[slotIndex].sessionData, outLength);
+ }
+ if (rc == 0) {
+ tssContext->sessions[slotIndex].sessionDataLength = outLength;
+ memcpy(tssContext->sessions[slotIndex].sessionData, outBuffer, outLength);
+ }
+ return rc;
+}
+
+static TPM_RC TSS_HmacSession_LoadData(TSS_CONTEXT *tssContext,
+ uint32_t *inLength, uint8_t **inData,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ size_t slotIndex;
+
+ if (rc == 0) {
+ rc = TSS_HmacSession_GetSlotForHandle(tssContext, &slotIndex, sessionHandle);
+ if (rc != 0) {
+ if (tssVerbose)
+ printf("TSS_HmacSession_LoadData: Error, no slot found for handle %08x\n",
+ sessionHandle);
+ }
+ }
+ if (rc == 0) {
+ *inLength = tssContext->sessions[slotIndex].sessionDataLength;
+ *inData = tssContext->sessions[slotIndex].sessionData;
+ }
+ return rc;
+}
+
+static TPM_RC TSS_HmacSession_DeleteData(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ size_t slotIndex;
+
+ if (rc == 0) {
+ rc = TSS_HmacSession_GetSlotForHandle(tssContext, &slotIndex, sessionHandle);
+ if (rc != 0) {
+ if (tssVerbose)
+ printf("TSS_HmacSession_DeleteData: Error, no slot found for handle %08x\n",
+ sessionHandle);
+ }
+ }
+ if (rc == 0) {
+ tssContext->sessions[slotIndex].sessionHandle = TPM_RH_NULL;
+ /* erase any secrets */
+ memset(tssContext->sessions[slotIndex].sessionData, 0,
+ tssContext->sessions[slotIndex].sessionDataLength);
+ free(tssContext->sessions[slotIndex].sessionData);
+ tssContext->sessions[slotIndex].sessionData = NULL;
+ tssContext->sessions[slotIndex].sessionDataLength = 0;
+ }
+ return rc;
+}
+
+/* TSS_HmacSession_GetSlotForHandle() finds the session slot corresponding to the session handle.
+
+ Returns non-zero if no slot is found.
+*/
+
+static TPM_RC TSS_HmacSession_GetSlotForHandle(TSS_CONTEXT *tssContext,
+ size_t *slotIndex,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ size_t i;
+
+ /* search all slots for handle */
+ for (i = 0 ; i < (sizeof(tssContext->sessions) / sizeof(TSS_SESSIONS)) ; i++) {
+ if (tssContext->sessions[i].sessionHandle == sessionHandle) {
+ *slotIndex = i;
+ return 0;
+ }
+ }
+ return TSS_RC_NO_SESSION_SLOT;
+}
+
+#endif
+
+static TPM_RC TSS_HmacSession_Marshal(struct TSS_HMAC_CONTEXT *source,
+ uint16_t *written,
+ uint8_t **buffer,
+ uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_AUTH_SESSION_Marshalu(&source->sessionHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->authHashAlg, written, buffer, size);
+ }
+#ifndef TPM_TSS_NOCRYPTO
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->sizeInBytes, written, buffer, size);
+ }
+#endif
+ if (rc == 0) {
+ rc = TSS_TPMT_SYM_DEF_Marshalu(&source->symmetric, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_ENTITY_Marshalu(&source->bind, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->bindName, written, buffer, size);
+ }
+#ifdef TPM_WINDOWS
+ /* FIXME Why does a VS release build need a printf here? */
+ if (tssVverbose) printf("");
+#endif
+ if (rc == 0) {
+ rc = TSS_TPM2B_AUTH_Marshalu(&source->bindAuthValue, written, buffer, size);
+ }
+#ifndef TPM_TSS_NOCRYPTO
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Marshalu(&source->nonceTPM, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Marshalu(&source->nonceCaller, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->sessionKey, written, buffer, size);
+ }
+#endif
+ if (rc == 0) {
+ rc = TSS_TPM_SE_Marshalu(&source->sessionType, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->isPasswordNeeded, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->isAuthValueNeeded, written, buffer, size);
+ }
+ return rc;
+}
+
+static TPM_RC TSS_HmacSession_Unmarshal(struct TSS_HMAC_CONTEXT *target,
+ uint8_t **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_AUTH_SESSION_Unmarshalu(&target->sessionHandle, buffer, size, NO);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Unmarshalu(&target->authHashAlg, buffer, size, NO);
+ }
+#ifndef TPM_TSS_NOCRYPTO
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->sizeInBytes, buffer, size);
+ }
+#endif
+ if (rc == 0) {
+ rc = TSS_TPMT_SYM_DEF_Unmarshalu(&target->symmetric, buffer, size, YES);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_ENTITY_Unmarshalu(&target->bind, buffer, size, YES);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->bindName, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_AUTH_Unmarshalu(&target->bindAuthValue, buffer, size);
+ }
+#ifndef TPM_TSS_NOCRYPTO
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Unmarshalu(&target->nonceTPM, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Unmarshalu(&target->nonceCaller, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->sessionKey, buffer, size);
+ }
+#endif
+ if (rc == 0) {
+ rc = TSS_TPM_SE_Unmarshalu(&target->sessionType, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->isPasswordNeeded, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&target->isAuthValueNeeded, buffer, size);
+ }
+ return rc;
+}
+
+/*
+ Name handling
+*/
+
+/* TSS_Name_GetAllNames() files in the names array based on the handles marshaled into the TSS
+ context command stream. */
+
+static TPM_RC TSS_Name_GetAllNames(TSS_CONTEXT *tssContext,
+ TPM2B_NAME **names)
+{
+ TPM_RC rc = 0;
+ size_t i;
+ size_t commandHandleCount; /* number of handles in the command stream */
+ TPM_HANDLE commandHandle;
+
+ /* get the number of handles in the command stream */
+ if (rc == 0) {
+ rc = TSS_GetCommandHandleCount(tssContext->tssAuthContext, &commandHandleCount);
+ if (tssVverbose) printf("TSS_Name_GetAllNames: commandHandleCount %u\n",
+ (unsigned int)commandHandleCount);
+ }
+ for (i = 0 ; (rc == 0) && (i < commandHandleCount) ; i++) {
+ /* get a handle from the command stream */
+ if (rc == 0) {
+ rc = TSS_GetCommandHandle(tssContext->tssAuthContext,
+ &commandHandle,
+ i);
+ }
+ /* get the Name corresponding to the handle */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Name_GetAllNames: commandHandle %u %08x\n",
+ (unsigned int)i, commandHandle);
+ rc = TSS_Name_GetName(tssContext, names[i], commandHandle);
+ }
+ }
+ return rc;
+}
+
+/* TSS_Name_GetName() gets the Name associated with the handle */
+
+static TPM_RC TSS_Name_GetName(TSS_CONTEXT *tssContext,
+ TPM2B_NAME *name,
+ TPM_HANDLE handle)
+{
+ TPM_RC rc = 0;
+ TPM_HT handleType;
+
+ if (tssVverbose) printf("TSS_Name_GetName: Handle %08x\n", handle);
+ handleType = (TPM_HT) ((handle & HR_RANGE_MASK) >> HR_SHIFT);
+
+ /* Table 3 - Equations for Computing Entity Names */
+ switch (handleType) {
+ /* for these, the Name is simply the handle value */
+ case TPM_HT_PCR:
+ case TPM_HT_HMAC_SESSION:
+ case TPM_HT_POLICY_SESSION:
+ case TPM_HT_PERMANENT:
+ rc = TSS_TPM2B_CreateUint32(&name->b, handle, sizeof(name->t.name));
+ break;
+ /* for NV, the Names was calculated at NV read public */
+ case TPM_HT_NV_INDEX:
+ /* for objects, the Name was returned at creation or load */
+ case TPM_HT_TRANSIENT:
+ case TPM_HT_PERSISTENT:
+ rc = TSS_Name_Load(tssContext, name, handle, NULL);
+ break;
+ default:
+ if (tssVerbose) printf("TSS_Name_GetName: not implemented for handle %08x\n", handle);
+ rc = TSS_RC_NAME_NOT_IMPLEMENTED;
+ break;
+ }
+ if (rc == 0) {
+ if (tssVverbose)
+ TSS_PrintAll("TSS_Name_GetName: ",
+ name->t.name, name->t.size);
+ }
+
+ return rc;
+}
+
+/* TSS_Name_Store() stores the 'name' parameter in a file.
+
+ If handle is not 0, the handle is used as the file name.
+
+ If 'string' is not NULL, the string is used as the file name.
+*/
+
+#ifndef TPM_TSS_NOFILE
+
+static TPM_RC TSS_Name_Store(TSS_CONTEXT *tssContext,
+ TPM2B_NAME *name,
+ TPM_HANDLE handle,
+ const char *string)
+{
+ TPM_RC rc = 0;
+ char nameFilename[TPM_DATA_DIR_PATH_LENGTH];
+
+ if (rc == 0) {
+ if (string == NULL) {
+ if (handle != 0) {
+ sprintf(nameFilename, "%s/h%08x.bin", tssContext->tssDataDirectory, handle);
+ }
+ else {
+ if (tssVerbose) printf("TSS_Name_Store: handle and string are both null");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ else {
+ if (handle == 0) {
+ sprintf(nameFilename, "%s/h%s.bin", tssContext->tssDataDirectory, string);
+ }
+ else {
+ if (tssVerbose) printf("TSS_Name_Store: handle and string are both not null");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Name_Store: File %s\n", nameFilename);
+ rc = TSS_File_WriteBinaryFile(name->b.buffer, name->b.size, nameFilename);
+ }
+ return rc;
+}
+
+#endif
+
+/* TSS_Name_Load() loads the 'name' from a file.
+
+ If handle is not 0, the handle is used as the file name.
+
+ If 'string' is not NULL, the string is used as the file name.
+*/
+
+#ifndef TPM_TSS_NOFILE
+
+static TPM_RC TSS_Name_Load(TSS_CONTEXT *tssContext,
+ TPM2B_NAME *name,
+ TPM_HANDLE handle,
+ const char *string)
+{
+ TPM_RC rc = 0;
+ char nameFilename[TPM_DATA_DIR_PATH_LENGTH];
+
+ if (rc == 0) {
+ if (string == NULL) {
+ if (handle != 0) {
+ sprintf(nameFilename, "%s/h%08x.bin", tssContext->tssDataDirectory, handle);
+ }
+ else {
+ if (tssVerbose) printf("TSS_Name_Load: handle and string are both null\n");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ else {
+ if (handle == 0) {
+ sprintf(nameFilename, "%s/h%s.bin", tssContext->tssDataDirectory, string);
+ }
+ else {
+ if (tssVerbose) printf("TSS_Name_Load: handle and string are both not null\n");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Name_Load: File %s\n", nameFilename);
+ rc = TSS_File_Read2B(&name->b,
+ sizeof(name->t.name),
+ nameFilename);
+ }
+ return rc;
+}
+
+#endif
+
+/* TSS_Name_Store() stores the 'name' parameter the TSS context.
+
+*/
+
+#ifdef TPM_TSS_NOFILE
+
+static TPM_RC TSS_Name_Store(TSS_CONTEXT *tssContext,
+ TPM2B_NAME *name,
+ TPM_HANDLE handle,
+ const char *string)
+{
+ TPM_RC rc = 0;
+ TPM_HT handleType;
+ size_t slotIndex;
+
+ if (tssVverbose) printf("TSS_Name_Store: Handle %08x\n", handle);
+ handleType = (TPM_HT) ((handle & HR_RANGE_MASK) >> HR_SHIFT);
+
+ switch (handleType) {
+ case TPM_HT_NV_INDEX:
+ /* for NV, the Name was returned at creation */
+ rc = TSS_NvPublic_GetSlotForHandle(tssContext, &slotIndex, handle);
+ if (rc != 0) {
+ rc = TSS_NvPublic_GetSlotForHandle(tssContext, &slotIndex, TPM_RH_NULL);
+ if (rc == 0) {
+ tssContext->nvPublic[slotIndex].nvIndex = handle;
+ }
+ else {
+ if (tssVerbose)
+ printf("TSS_Name_Store: Error, no slot available for handle %08x\n", handle);
+ }
+ }
+ if (rc == 0) {
+ tssContext->nvPublic[slotIndex].name = *name;
+ }
+ break;
+ case TPM_HT_TRANSIENT:
+ case TPM_HT_PERSISTENT:
+ if (rc == 0) {
+ if (string == NULL) {
+ if (handle != 0) {
+ /* if this handle is already used, overwrite the slot */
+ rc = TSS_ObjectPublic_GetSlotForHandle(tssContext, &slotIndex, handle);
+ if (rc != 0) {
+ rc = TSS_ObjectPublic_GetSlotForHandle(tssContext, &slotIndex, TPM_RH_NULL);
+ if (rc == 0) {
+ tssContext->objectPublic[slotIndex].objectHandle = handle;
+ }
+ else {
+ if (tssVerbose)
+ printf("TSS_Name_Store: "
+ "Error, no slot available for handle %08x\n",
+ handle);
+ }
+ }
+ }
+ else {
+ if (tssVerbose) printf("TSS_Name_Store: handle and string are both null");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ else {
+ if (handle == 0) {
+ if (tssVerbose) printf("TSS_Name_Store: string unimplemented");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ else {
+ if (tssVerbose) printf("TSS_Name_Store: handle and string are both not null");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ }
+ if (rc == 0) {
+ tssContext->objectPublic[slotIndex].name = *name;
+ }
+ break;
+ default:
+ if (tssVerbose) printf("TSS_Name_Store: handle type %02x unimplemented", handleType);
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ return rc;
+}
+
+#endif
+
+/* TSS_Name_Load() loads the 'name' from the TSS context.
+
+*/
+
+#ifdef TPM_TSS_NOFILE
+
+static TPM_RC TSS_Name_Load(TSS_CONTEXT *tssContext,
+ TPM2B_NAME *name,
+ TPM_HANDLE handle,
+ const char *string)
+{
+ TPM_RC rc = 0;
+ TPM_HT handleType;
+ size_t slotIndex;
+
+ string = string;
+
+ if (tssVverbose) printf("TSS_Name_Load: Handle %08x\n", handle);
+ handleType = (TPM_HT) ((handle & HR_RANGE_MASK) >> HR_SHIFT);
+
+ switch (handleType) {
+ case TPM_HT_NV_INDEX:
+ rc = TSS_NvPublic_GetSlotForHandle(tssContext, &slotIndex, handle);
+ if (rc != 0) {
+ if (tssVerbose)
+ printf("TSS_Name_Load: Error, no slot found for handle %08x\n", handle);
+ }
+ if (rc == 0) {
+ *name = tssContext->nvPublic[slotIndex].name;
+ }
+ break;
+ case TPM_HT_TRANSIENT:
+ case TPM_HT_PERSISTENT:
+ rc = TSS_ObjectPublic_GetSlotForHandle(tssContext, &slotIndex, handle);
+ if (rc != 0) {
+ if (tssVerbose)
+ printf("TSS_Name_Load: Error, no slot found for handle %08x\n", handle);
+ }
+ if (rc == 0) {
+ *name = tssContext->objectPublic[slotIndex].name;
+ }
+ break;
+ default:
+ if (tssVerbose) printf("TSS_Name_Load: handle type %02x unimplemented", handleType);
+ rc = TSS_RC_NAME_FILENAME;
+
+ }
+ return rc;
+}
+
+#endif
+
+/* TSS_Name_Copy() copies the name from either inHandle or inString to either outHandle or
+ outString */
+
+static TPM_RC TSS_Name_Copy(TSS_CONTEXT *tssContext,
+ TPM_HANDLE outHandle,
+ const char *outString,
+ TPM_HANDLE inHandle,
+ const char *inString)
+{
+ TPM_RC rc = 0;
+ TPM2B_NAME name;
+
+ if (rc == 0) {
+ rc = TSS_Name_Load(tssContext, &name, inHandle, inString);
+ }
+ if (rc == 0) {
+ rc = TSS_Name_Store(tssContext, &name, outHandle, outString);
+ }
+ return rc;
+}
+
+/* TSS_Public_Store() stores the 'public' parameter in a file.
+
+ If handle is not 0, the handle is used as the file name.
+
+ If 'string' is not NULL, the string is used as the file name.
+*/
+
+#ifndef TPM_TSS_NOFILE
+
+static TPM_RC TSS_Public_Store(TSS_CONTEXT *tssContext,
+ TPM2B_PUBLIC *public,
+ TPM_HANDLE handle,
+ const char *string)
+{
+ TPM_RC rc = 0;
+ char publicFilename[TPM_DATA_DIR_PATH_LENGTH];
+
+ if (rc == 0) {
+ if (string == NULL) {
+ if (handle != 0) { /* store by handle */
+ sprintf(publicFilename, "%s/hp%08x.bin", tssContext->tssDataDirectory, handle);
+ }
+ else {
+ if (tssVerbose) printf("TSS_Public_Store: handle and string are both null");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ else {
+ if (handle == 0) { /* store by string */
+ sprintf(publicFilename, "%s/hp%s.bin", tssContext->tssDataDirectory, string);
+ }
+ else {
+ if (tssVerbose) printf("TSS_Public_Store: handle and string are both not null");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Public_Store: File %s\n", publicFilename);
+ rc = TSS_File_WriteStructure(public,
+ (MarshalFunction_t)TSS_TPM2B_PUBLIC_Marshalu,
+ publicFilename);
+ }
+ return rc;
+}
+
+#endif
+
+/* TSS_Public_Load() loads the 'public' parameter from a file.
+
+ If handle is not 0, the handle is used as the file name.
+
+ If 'string' is not NULL, the string is used as the file name.
+*/
+
+#ifndef TPM_TSS_NOFILE
+
+static TPM_RC TSS_Public_Load(TSS_CONTEXT *tssContext,
+ TPM2B_PUBLIC *public,
+ TPM_HANDLE handle,
+ const char *string)
+{
+ TPM_RC rc = 0;
+ char publicFilename[TPM_DATA_DIR_PATH_LENGTH];
+
+ if (rc == 0) {
+ if (string == NULL) {
+ if (handle != 0) {
+ sprintf(publicFilename, "%s/hp%08x.bin", tssContext->tssDataDirectory, handle);
+ }
+ else {
+ if (tssVerbose) printf("TSS_Public_Load: handle and string are both null\n");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ else {
+ if (handle == 0) {
+ sprintf(publicFilename, "%s/hp%s.bin", tssContext->tssDataDirectory, string);
+ }
+ else {
+ if (tssVerbose) printf("TSS_Public_Load: handle and string are both not null\n");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Public_Load: File %s\n", publicFilename);
+ rc = TSS_File_ReadStructureFlag(public,
+ (UnmarshalFunctionFlag_t)TSS_TPM2B_PUBLIC_Unmarshalu,
+ TRUE, /* NULL permitted */
+ publicFilename);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOFILE */
+
+/* TSS_Public_Copy() copies the TPM2B_PUBLIC from either inHandle or inString to either outHandle or
+ outString */
+
+static TPM_RC TSS_Public_Copy(TSS_CONTEXT *tssContext,
+ TPM_HANDLE outHandle,
+ const char *outString,
+ TPM_HANDLE inHandle,
+ const char *inString)
+{
+ TPM_RC rc = 0;
+ TPM2B_PUBLIC public;
+
+ if (rc == 0) {
+ rc = TSS_Public_Load(tssContext, &public, inHandle, inString);
+ }
+ if (rc == 0) {
+ rc = TSS_Public_Store(tssContext, &public, outHandle, outString);
+ }
+ return rc;
+}
+
+/* TSS_Public_Store() stores the 'public' parameter in the TSS context.
+ */
+
+#ifdef TPM_TSS_NOFILE
+
+static TPM_RC TSS_Public_Store(TSS_CONTEXT *tssContext,
+ TPM2B_PUBLIC *public,
+ TPM_HANDLE handle,
+ const char *string)
+{
+ TPM_RC rc = 0;
+ size_t slotIndex;
+
+ if (rc == 0) {
+ if (string == NULL) {
+ if (handle != 0) {
+ /* if this handle is already used, overwrite the slot */
+ rc = TSS_ObjectPublic_GetSlotForHandle(tssContext, &slotIndex, handle);
+ if (rc != 0) {
+ rc = TSS_ObjectPublic_GetSlotForHandle(tssContext, &slotIndex, TPM_RH_NULL);
+ if (rc == 0) {
+ tssContext->objectPublic[slotIndex].objectHandle = handle;
+ }
+ else {
+ if (tssVerbose)
+ printf("TSS_Public_Store: Error, no slot available for handle %08x\n",
+ handle);
+ }
+ }
+ }
+ else {
+ if (tssVerbose) printf("TSS_Public_Store: handle and string are both null");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ else {
+ if (handle == 0) {
+ if (tssVerbose) printf("TSS_Public_Store: string not implemented yet");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ else {
+ if (tssVerbose) printf("TSS_Public_Store: handle and string are both not null");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ }
+ if (rc == 0) {
+ tssContext->objectPublic[slotIndex].objectPublic = *public;
+ }
+ return rc;
+}
+
+#endif
+
+/* TSS_Public_Load() loaded the object public from the TSS context.
+
+ */
+
+#ifdef TPM_TSS_NOFILE
+
+static TPM_RC TSS_Public_Load(TSS_CONTEXT *tssContext,
+ TPM2B_PUBLIC *public,
+ TPM_HANDLE handle,
+ const char *string)
+{
+ TPM_RC rc = 0;
+ size_t slotIndex;
+
+ if (rc == 0) {
+ if (string == NULL) {
+ if (handle != 0) {
+ rc = TSS_ObjectPublic_GetSlotForHandle(tssContext, &slotIndex, handle);
+ if (rc != 0) {
+ if (tssVerbose)
+ printf("TSS_Public_Load: Error, no slot found for handle %08x\n",
+ handle);
+ }
+ }
+ else {
+ if (tssVerbose) printf("TSS_Public_Load: handle and string are both null\n");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ else {
+ if (handle == 0) {
+ if (tssVerbose) printf("TSS_Public_Load: string not implemented yet");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ else {
+ if (tssVerbose) printf("TSS_Public_Load: handle and string are both not null\n");
+ rc = TSS_RC_NAME_FILENAME;
+ }
+ }
+ }
+ if (rc == 0) {
+ *public = tssContext->objectPublic[slotIndex].objectPublic;
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOFILE */
+
+#ifdef TPM_TSS_NOFILE
+
+/* TSS_ObjectPublic_GetSlotForHandle() finds the object public slot corresponding to the handle.
+
+ Returns non-zero if no slot is found.
+*/
+
+static TPM_RC TSS_ObjectPublic_GetSlotForHandle(TSS_CONTEXT *tssContext,
+ size_t *slotIndex,
+ TPM_HANDLE handle)
+{
+ size_t i;
+
+ /* search all slots for handle */
+ for (i = 0 ; i < (sizeof(tssContext->sessions) / sizeof(TSS_SESSIONS)) ; i++) {
+ if (tssContext->objectPublic[i].objectHandle == handle) {
+ *slotIndex = i;
+ return 0;
+ }
+ }
+ return TSS_RC_NO_OBJECTPUBLIC_SLOT;
+}
+
+#endif
+
+#ifdef TPM_TSS_NOFILE
+
+static TPM_RC TSS_ObjectPublic_DeleteData(TSS_CONTEXT *tssContext, TPM_HANDLE handle)
+{
+ TPM_RC rc = 0;
+ size_t slotIndex;
+
+ if (rc == 0) {
+ rc = TSS_ObjectPublic_GetSlotForHandle(tssContext, &slotIndex, handle);
+ if (rc != 0) {
+ if (tssVerbose)
+ printf("TSS_ObjectPublic_DeleteData: Error, no slot found for handle %08x\n",
+ handle);
+ }
+ }
+ if (rc == 0) {
+ tssContext->objectPublic[slotIndex].objectHandle = TPM_RH_NULL;
+ }
+ return rc;
+}
+
+#endif
+
+
+/* TSS_DeleteHandle() removes retained state stored by the TSS for a handle
+ */
+
+static TPM_RC TSS_DeleteHandle(TSS_CONTEXT *tssContext,
+ TPM_HANDLE handle)
+{
+ TPM_RC rc = 0;
+ TPM_HT handleType;
+#ifndef TPM_TSS_NOFILE
+ char filename[TPM_DATA_DIR_PATH_LENGTH];
+#endif
+
+ handleType = (TPM_HT) ((handle & HR_RANGE_MASK) >> HR_SHIFT);
+#ifndef TPM_TSS_NOFILE
+ /* delete the Name */
+ if (rc == 0) {
+ sprintf(filename, "%s/h%08x.bin", tssContext->tssDataDirectory, handle);
+ if (tssVverbose) printf("TSS_DeleteHandle: delete Name file %s\n", filename);
+ rc = TSS_File_DeleteFile(filename);
+ }
+ /* delete the public if it exists */
+ if (rc == 0) {
+ if ((handleType == TPM_HT_TRANSIENT) ||
+ (handleType == TPM_HT_PERSISTENT)) {
+ sprintf(filename, "%s/hp%08x.bin", tssContext->tssDataDirectory, handle);
+ if (tssVverbose) printf("TSS_DeleteHandle: delete public file %s\n", filename);
+ TSS_File_DeleteFile(filename);
+ }
+ }
+#else
+ /* sessions persist in the context and can be deleted */
+ if (rc == 0) {
+ switch (handleType) {
+ case TPM_HT_NV_INDEX:
+ rc = TSS_RC_NOT_IMPLEMENTED;
+ break;
+ case TPM_HT_HMAC_SESSION:
+ case TPM_HT_POLICY_SESSION:
+ if (tssVverbose) printf("TSS_DeleteHandle: delete session state %08x\n", handle);
+ rc = TSS_HmacSession_DeleteData(tssContext, handle);
+ break;
+ case TPM_HT_TRANSIENT:
+ case TPM_HT_PERSISTENT:
+ rc = TSS_ObjectPublic_DeleteData(tssContext, handle);
+ break;
+ }
+ }
+#endif
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCRYPTO
+
+/* TSS_ObjectPublic_GetName() calculates the Name from the TPMT_PUBLIC. The Name provides security,
+ because the Name returned from the TPM2_ReadPublic cannot be trusted.
+*/
+
+static TPM_RC TSS_ObjectPublic_GetName(TPM2B_NAME *name,
+ TPMT_PUBLIC *tpmtPublic)
+{
+ TPM_RC rc = 0;
+
+ uint16_t written = 0;
+ TPMT_HA digest;
+ uint32_t sizeInBytes = 0;
+ uint8_t *buffer = NULL;
+
+ if (rc == 0) {
+ rc = TSS_Malloc(&buffer, MAX_RESPONSE_SIZE); /* freed @1 */
+ }
+ /* marshal the TPMT_PUBLIC */
+ if (rc == 0) {
+ uint32_t size = MAX_RESPONSE_SIZE;
+ uint8_t *buffer1 = buffer;
+ rc = TSS_TPMT_PUBLIC_Marshalu(tpmtPublic, &written, &buffer1, &size);
+ }
+ /* hash the public area */
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(tpmtPublic->nameAlg);
+ digest.hashAlg = tpmtPublic->nameAlg; /* Name digest algorithm */
+ /* generate the TPMT_HA */
+ rc = TSS_Hash_Generate(&digest,
+ written, buffer,
+ 0, NULL);
+ }
+ if (rc == 0) {
+ TPMI_ALG_HASH nameAlgNbo;
+ /* copy the digest */
+ memcpy(name->t.name + sizeof(TPMI_ALG_HASH), (uint8_t *)&digest.digest, sizeInBytes);
+ /* copy the hash algorithm */
+ nameAlgNbo = htons(tpmtPublic->nameAlg);
+ memcpy(name->t.name, (uint8_t *)&nameAlgNbo, sizeof(TPMI_ALG_HASH));
+ /* set the size */
+ name->t.size = sizeInBytes + sizeof(TPMI_ALG_HASH);
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCRYPTO */
+
+
+/* TSS_NVPublic_Store() stores the NV public data in a file.
+
+ */
+
+#ifndef TPM_TSS_NOFILE
+#ifndef TPM_TSS_NOCRYPTO
+
+static TPM_RC TSS_NVPublic_Store(TSS_CONTEXT *tssContext,
+ TPMS_NV_PUBLIC *nvPublic,
+ TPMI_RH_NV_INDEX nvIndex)
+{
+ TPM_RC rc = 0;
+ char nvpFilename[TPM_DATA_DIR_PATH_LENGTH];
+
+ if (rc == 0) {
+ sprintf(nvpFilename, "%s/nvp%08x.bin", tssContext->tssDataDirectory, nvIndex);
+ rc = TSS_File_WriteStructure(nvPublic,
+ (MarshalFunction_t)TSS_TPMS_NV_PUBLIC_Marshalu,
+ nvpFilename);
+ }
+ return rc;
+}
+
+#endif
+#endif
+
+/* TSS_NVPublic_Load() loads the NV public from a file.
+
+ */
+
+#ifndef TPM_TSS_NOFILE
+#ifndef TPM_TSS_NOCRYPTO
+
+static TPM_RC TSS_NVPublic_Load(TSS_CONTEXT *tssContext,
+ TPMS_NV_PUBLIC *nvPublic,
+ TPMI_RH_NV_INDEX nvIndex)
+{
+ TPM_RC rc = 0;
+ char nvpFilename[TPM_DATA_DIR_PATH_LENGTH];
+
+ if (rc == 0) {
+ sprintf(nvpFilename, "%s/nvp%08x.bin", tssContext->tssDataDirectory, nvIndex);
+ rc = TSS_File_ReadStructure(nvPublic,
+ (UnmarshalFunction_t)TSS_TPMS_NV_PUBLIC_Unmarshalu,
+ nvpFilename);
+ }
+ return rc;
+}
+
+#endif
+#endif
+
+#ifndef TPM_TSS_NOFILE
+
+static TPM_RC TSS_NVPublic_Delete(TSS_CONTEXT *tssContext,
+ TPMI_RH_NV_INDEX nvIndex)
+{
+ TPM_RC rc = 0;
+ char nvpFilename[TPM_DATA_DIR_PATH_LENGTH];
+
+ if (rc == 0) {
+ sprintf(nvpFilename, "%s/nvp%08x.bin", tssContext->tssDataDirectory, nvIndex);
+ rc = TSS_File_DeleteFile(nvpFilename);
+ }
+ return rc;
+}
+
+#endif
+
+#ifdef TPM_TSS_NOFILE
+#ifndef TPM_TSS_NOCRYPTO
+
+/* TSS_NVPublic_Store() stores the NV public data in a file.
+
+ */
+
+static TPM_RC TSS_NVPublic_Store(TSS_CONTEXT *tssContext,
+ TPMS_NV_PUBLIC *nvPublic,
+ TPMI_RH_NV_INDEX nvIndex)
+{
+ TPM_RC rc = 0;
+ size_t slotIndex;
+
+ if (rc == 0) {
+ rc = TSS_NvPublic_GetSlotForHandle(tssContext, &slotIndex, nvIndex);
+ if (rc != 0) {
+ rc = TSS_NvPublic_GetSlotForHandle(tssContext, &slotIndex, TPM_RH_NULL);
+ if (rc == 0) {
+ tssContext->nvPublic[slotIndex].nvIndex = nvIndex;
+ }
+ else {
+ if (tssVerbose)
+ printf("TSS_NVPublic_Store: Error, no slot available for handle %08x\n",
+ nvIndex);
+ }
+ }
+ }
+ if (rc == 0) {
+ tssContext->nvPublic[slotIndex].nvPublic = *nvPublic;
+ }
+ return rc;
+}
+
+#endif
+#endif
+
+#ifdef TPM_TSS_NOFILE
+#ifndef TPM_TSS_NOCRYPTO
+
+/* TSS_NVPublic_Load() loads the NV public from a file.
+
+ */
+
+static TPM_RC TSS_NVPublic_Load(TSS_CONTEXT *tssContext,
+ TPMS_NV_PUBLIC *nvPublic,
+ TPMI_RH_NV_INDEX nvIndex)
+{
+ TPM_RC rc = 0;
+ size_t slotIndex;
+
+ if (rc == 0) {
+ rc = TSS_NvPublic_GetSlotForHandle(tssContext, &slotIndex, nvIndex);
+ if (rc != 0) {
+ if (tssVerbose)
+ printf("TSS_NVPublic_Load: Error, no slot found for handle %08x\n",
+ nvIndex);
+ }
+ }
+ if (rc == 0) {
+ *nvPublic = tssContext->nvPublic[slotIndex].nvPublic;
+ }
+ return rc;
+}
+
+#endif
+#endif
+
+#ifdef TPM_TSS_NOFILE
+
+static TPM_RC TSS_NVPublic_Delete(TSS_CONTEXT *tssContext,
+ TPMI_RH_NV_INDEX nvIndex)
+{
+ TPM_RC rc = 0;
+ size_t slotIndex;
+
+ if (rc == 0) {
+ rc = TSS_NvPublic_GetSlotForHandle(tssContext, &slotIndex, nvIndex);
+ if (rc != 0) {
+ if (tssVerbose)
+ printf("TSS_NVPublic_Delete: Error, no slot found for handle %08x\n",
+ nvIndex);
+ }
+ }
+ if (rc == 0) {
+ tssContext->nvPublic[slotIndex].nvIndex = TPM_RH_NULL;
+ }
+ return rc;
+}
+
+#endif
+
+#ifdef TPM_TSS_NOFILE
+
+/* TSS_NvPublic_GetSlotForHandle() finds the object public slot corresponding to the handle.
+
+ Returns non-zero if no slot is found.
+*/
+
+static TPM_RC TSS_NvPublic_GetSlotForHandle(TSS_CONTEXT *tssContext,
+ size_t *slotIndex,
+ TPMI_RH_NV_INDEX nvIndex)
+{
+ size_t i;
+
+ /* search all slots for handle */
+ for (i = 0 ; i < (sizeof(tssContext->nvPublic) / sizeof(TSS_NVPUBLIC)) ; i++) {
+ if (tssContext->nvPublic[i].nvIndex == nvIndex) {
+ *slotIndex = i;
+ return 0;
+ }
+ }
+ return TSS_RC_NO_NVPUBLIC_SLOT;
+}
+
+#endif
+
+/* TSS_NVPublic_GetName() calculates the Name from the TPMS_NV_PUBLIC. The Name provides security,
+ because the Name returned from the TPM2_NV_ReadPublic cannot be trusted.
+*/
+
+#ifndef TPM_TSS_NOCRYPTO
+
+static TPM_RC TSS_NVPublic_GetName(TPM2B_NAME *name,
+ TPMS_NV_PUBLIC *nvPublic)
+{
+ TPM_RC rc = 0;
+
+ uint16_t written = 0;
+ TPMT_HA digest;
+ uint32_t sizeInBytes = 0;
+ uint8_t *buffer = NULL;
+
+ if (rc == 0) {
+ rc = TSS_Malloc(&buffer, MAX_RESPONSE_SIZE); /* freed @1 */
+ }
+ /* marshal the TPMS_NV_PUBLIC */
+ if (rc == 0) {
+ uint32_t size = MAX_RESPONSE_SIZE;
+ uint8_t *buffer1 = buffer;
+ rc = TSS_TPMS_NV_PUBLIC_Marshalu(nvPublic, &written, &buffer1, &size);
+ }
+ /* hash the public area */
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(nvPublic->nameAlg);
+ digest.hashAlg = nvPublic->nameAlg; /* Name digest algorithm */
+ /* generate the TPMT_HA */
+ rc = TSS_Hash_Generate(&digest,
+ written, buffer,
+ 0, NULL);
+ }
+ if (rc == 0) {
+ TPMI_ALG_HASH nameAlgNbo;
+ /* copy the digest */
+ memcpy(name->t.name + sizeof(TPMI_ALG_HASH), (uint8_t *)&digest.digest, sizeInBytes);
+ /* copy the hash algorithm */
+ nameAlgNbo = htons(nvPublic->nameAlg);
+ memcpy(name->t.name, (uint8_t *)&nameAlgNbo, sizeof(TPMI_ALG_HASH));
+ /* set the size */
+ name->t.size = sizeInBytes + sizeof(TPMI_ALG_HASH);
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+#endif
+
+#ifndef TPM_TSS_NOCRYPTO
+
+static TPM_RC TSS_HmacSession_SetNonceCaller(struct TSS_HMAC_CONTEXT *session,
+ TPMS_AUTH_COMMAND *authC)
+{
+ TPM_RC rc = 0;
+
+ /* generate a new nonceCaller */
+ if (rc == 0) {
+ session->nonceCaller.b.size = session->sizeInBytes;
+ rc = TSS_RandBytes(session->nonceCaller.t.buffer, session->sizeInBytes);
+ }
+ /* nonceCaller for the command */
+ if (rc == 0) {
+ rc = TSS_TPM2B_Copy(&authC->nonce.b, &session->nonceCaller.b, sizeof(TPMU_HA));
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCRYPTO */
+
+#ifndef TPM_TSS_NOCRYPTO
+
+/* TSS_HmacSession_SetHmacKey() calculates the session HMAC key.
+
+ handleNumber is index into the session area. The first sessions, the authorization sessions,
+ have a corresponding handle in the command handle.
+*/
+
+static TPM_RC TSS_HmacSession_SetHmacKey(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ size_t handleNumber, /* index into the handle area */
+ const char *password)
+{
+ TPM_RC rc = 0;
+ TPM_HANDLE commandHandle; /* from handle area, for bound session */
+ TPM2B_NAME name;
+ TPM2B_AUTH authValue;
+ int bindMatch = FALSE;
+ int done = FALSE; /* done with authorization sessions */
+
+ /*
+ authHMAC = HMAC sessionAlg ((sessionKey || authValue),
+ (pHash || nonceNewer || nonceOlder
+ { || nonceTPMdecrypt } { || nonceTPMencrypt }
+ || sessionAttributes))
+ */
+ /* HMAC key is sessionKey || authValue */
+ /* copy the session key to HMAC key */
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_HmacSession_SetHmacKey: sessionKey",
+ session->sessionKey.b.buffer, session->sessionKey.b.size);
+ rc = TSS_TPM2B_Copy(&session->hmacKey.b,
+ &session->sessionKey.b, sizeof(TPMU_HA) + sizeof(TPMT_HA));
+ }
+ /* copy the session key to sessionValue */
+ if (rc == 0) {
+ rc = TSS_TPM2B_Copy(&session->sessionValue.b,
+ &session->sessionKey.b, sizeof(TPMU_HA) + sizeof(TPMT_HA));
+ }
+ if (rc == 0) {
+ if (tssVverbose)
+ TSS_PrintAll("TSS_HmacSession_SetHmacKey: preliminary sessionValue",
+ session->sessionValue.b.buffer, session->sessionValue.b.size);
+ }
+ /* This value is an EmptyAuth if the HMAC is being computed to authorize an action on the
+ object to which the session is bound.
+ */
+ /* The first sessions are authorization sessions. They can have a bind entity. All others can
+ be encrypt or decrypt sessions, but the authValue is not included in the session key.
+ */
+ if (rc == 0) {
+ AUTH_ROLE authRole = TSS_GetAuthRole(tssContext->tssAuthContext, handleNumber);
+ if (authRole == AUTH_NONE) {
+ if (tssVverbose) printf("TSS_HmacSession_SetHmacKey: Done, not auth session\n");
+ done = TRUE; /* not an authorization session, could be audit or
+ encrypt/decrypt */
+ }
+ }
+ /* If not an authorization session, there is no authValue to append to the HMAC key or encrypt
+ sessionValue, regardless of the binding. Below is for auth sessions. */
+ if (!done) {
+ /* First, if there was a bind handle, check if the name matches. Else bindMatch remains
+ FALSE. */
+ if (session->bind != TPM_RH_NULL) {
+ /* get the handle for this session */
+ if (tssVverbose)
+ printf("TSS_HmacSession_SetHmacKey: Processing bind handle %08x\n", session->bind);
+ if (rc == 0) {
+ rc = TSS_GetCommandHandle(tssContext->tssAuthContext,
+ &commandHandle,
+ handleNumber);
+ }
+ /* get the Name corresponding to the handle */
+ if (rc == 0) {
+ if (tssVverbose)
+ printf("TSS_HmacSession_SetHmacKey: commandHandle %08x bindHandle %08x\n",
+ commandHandle, session->bind);
+ rc = TSS_Name_GetName(tssContext, &name, commandHandle);
+ }
+ /* compare the authorized object name to the bind object name */
+ if (rc == 0) {
+ bindMatch = TSS_TPM2B_Compare(&name.b, &session->bindName.b);
+ if (tssVverbose) printf("TSS_HmacSession_SetHmacKey: bind match %u\n", bindMatch);
+ }
+ }
+ /* Second, append password to session key for HMAC key if required */
+
+ /* When performing an HMAC for authorization, the HMAC key is normally the concatenation of
+ the entity's authValue to the sessions sessionKey (created at
+ TPM2_StartAuthSession(). However, if the authorization is for the entity to
+ which the session is bound, the authValue is not included in the HMAC key. When
+ a policy requires that an HMAC be computed, it is always concatenated.
+ */
+ if ((rc == 0) &&
+ /* append if HMAC session and not bind match */
+ (((session->sessionType == TPM_SE_HMAC) && !bindMatch) ||
+ /* append if policy and policy authvalue */
+ ((session->sessionType == TPM_SE_POLICY) && session->isAuthValueNeeded)) &&
+ (password != NULL) /* if password is NULL, nothing to append. */
+
+ ) {
+
+ if (tssVverbose)
+ printf("TSS_HmacSession_SetHmacKey: Appending authValue to HMAC key\n");
+ /* convert the password to an authvalue */
+ if (rc == 0) {
+ rc = TSS_TPM2B_StringCopy(&authValue.b, password, sizeof(authValue.t.buffer));
+ }
+ /* append the authvalue to the session key to create the hmac key */
+ if (rc == 0) {
+ rc = TSS_TPM2B_Append(&session->hmacKey.b, &authValue.b,
+ sizeof(TPMU_HA) + sizeof(TPMT_HA));
+ }
+ }
+ /* Third, append password to session key for sessionValue
+
+ If a session is also being used for authorization, sessionValue (see 21.2 and 21.3) is
+ sessionKey || authValue. The binding of the session is ignored. If the session is not
+ being used for authorization, sessionValue is sessionKey.
+ */
+ /* NOTE This step occurs even if there is a bind match. That is, the password is effectively
+ appended twice. */
+ if (rc == 0) {
+ /* if not bind, sessionValue is sessionKey || authValue (same as HMAC key) */
+ if (!bindMatch) {
+ if (tssVverbose)
+ printf("TSS_HmacSession_SetHmacKey: "
+ "No bind, appending authValue to sessionValue\n");
+ /* convert the password to an authvalue */
+ if (rc == 0) {
+ rc = TSS_TPM2B_StringCopy(&authValue.b, password, sizeof(authValue.t.buffer));
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_Append(&session->sessionValue.b, &authValue.b,
+ sizeof(TPMU_HA) + sizeof(TPMT_HA));
+ }
+ }
+ /* if bind, sessionValue is sessionKey || bindAuthValue */
+ else {
+ if (tssVverbose)
+ printf("TSS_HmacSession_SetHmacKey: "
+ "Bind, appending bind authValue to sessionValue\n");
+ if (rc == 0) {
+ rc = TSS_TPM2B_Append(&session->sessionValue.b, &session->bindAuthValue.b,
+ sizeof(TPMU_HA) + sizeof(TPMT_HA));
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose)
+ TSS_PrintAll("TSS_HmacSession_SetHmacKey: bindAuthValue",
+ session->bindAuthValue.b.buffer, session->bindAuthValue.b.size);
+ }
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose)
+ TSS_PrintAll("TSS_HmacSession_SetHmacKey: hmacKey",
+ session->hmacKey.b.buffer, session->hmacKey.b.size);
+ if (tssVverbose)
+ TSS_PrintAll("TSS_HmacSession_SetHmacKey: sessionValue",
+ session->sessionValue.b.buffer, session->sessionValue.b.size);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCRYPTO */
+
+/* TSS_HmacSession_SetHMAC() is used for a command. It sets all the values in one
+ TPMS_AUTH_COMMAND, ready for marshaling into the command packet.
+
+ - gets cpBuffer
+ - generates cpHash
+ - generates the HMAC
+ - copies the result into authCommand
+
+ Unused names must have size 0.
+
+ The HMAC key is already in the session structure.
+*/
+
+static TPM_RC TSS_HmacSession_SetHMAC(TSS_AUTH_CONTEXT *tssAuthContext, /* authorization context */
+ struct TSS_HMAC_CONTEXT *session[],
+ TPMS_AUTH_COMMAND *authCommand[], /* output: command
+ authorization */
+ TPMI_SH_AUTH_SESSION sessionHandle[], /* session handles in
+ command */
+ unsigned int sessionAttributes[], /* attributes for this
+ command */
+ const char *password[],
+ TPM2B_NAME *name0, /* up to 3 names */
+ TPM2B_NAME *name1, /* unused names have length 0 */
+ TPM2B_NAME *name2)
+{
+ TPM_RC rc = 0;
+ unsigned int i = 0;
+#ifndef TPM_TSS_NOCRYPTO
+ TPMT_HA cpHash;
+ TPMT_HA hmac;
+ TPM2B_NONCE nonceTPMDecrypt;
+ TPM2B_NONCE nonceTPMEncrypt;
+ cpHash.hashAlg = TPM_ALG_NULL; /* for cpHash calculation optimization */
+#endif /* TPM_TSS_NOCRYPTO */
+
+
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) && (sessionHandle[i] != TPM_RH_NULL) ; i++) {
+ uint8_t sessionAttr8;
+ if (tssVverbose) printf("TSS_HmacSession_SetHMAC: Step 6 session %08x\n", sessionHandle[i]);
+ /* password sessions were serviced in step 2. */
+ if (sessionHandle[i] == TPM_RS_PW) {
+ continue;
+ }
+ if (tssVverbose) printf("TSS_HmacSession_SetHMAC: sessionType %02x\n",
+ session[i]->sessionType);
+ if (tssVverbose) printf("TSS_HmacSession_SetHMAC: isPasswordNeeded %02x\n",
+ session[i]->isPasswordNeeded);
+ if (tssVverbose) printf("TSS_HmacSession_SetHMAC: isAuthValueNeeded %02x\n",
+ session[i]->isAuthValueNeeded);
+ /* sessionHandle */
+ authCommand[i]->sessionHandle = session[i]->sessionHandle;
+ /* attributes come from command */
+ sessionAttr8 = (uint8_t)sessionAttributes[i];
+ authCommand[i]->sessionAttributes.val = sessionAttr8;
+
+ /* policy session with policy password handled below, no hmac. isPasswordNeeded is never
+ true for an HMAC session, so don't need to test session type here. */
+ if (!(session[i]->isPasswordNeeded)) {
+ /* HMAC session */
+ if ((session[i]->sessionType == TPM_SE_HMAC) ||
+ /* policy session with TPM2_PolicyAuthValue */
+ ((session[i]->sessionType == TPM_SE_POLICY) && (session[i]->isAuthValueNeeded)) ||
+ /* salted session */
+ (session[i]->hmacKey.t.size != 0)
+ ) {
+ /* needs HMAC */
+#ifndef TPM_TSS_NOCRYPTO
+ if (tssVverbose) printf("TSS_HmacSession_SetHMAC: calculate HMAC\n");
+ /* calculate cpHash. Performance optimization: If there is more than one session,
+ and the hash algorithm is the same, use the previously calculated version. */
+ if ((rc == 0) && (cpHash.hashAlg != session[i]->authHashAlg)) {
+ uint32_t cpBufferSize;
+ uint8_t *cpBuffer;
+ TPM_CC commandCode;
+ TPM_CC commandCodeNbo;
+
+ rc = TSS_GetCpBuffer(tssAuthContext,
+ &cpBufferSize,
+ &cpBuffer);
+ if (tssVverbose) TSS_PrintAll("TSS_HmacSession_SetHMAC: cpBuffer",
+ cpBuffer, cpBufferSize);
+ cpHash.hashAlg = session[i]->authHashAlg;
+
+ /* cpHash = hash(commandCode [ || authName1 */
+ /* [ || authName2 */
+ /* [ || authName3 ]]] */
+ /* [ || parameters]) */
+ /* A cpHash can contain just a commandCode only if the lone session is */
+ /* an audit session. */
+
+ commandCode = TSS_GetCommandCode(tssAuthContext);
+ commandCodeNbo = htonl(commandCode);
+ rc = TSS_Hash_Generate(&cpHash, /* largest size of a digest */
+ sizeof(TPM_CC), &commandCodeNbo,
+ name0->b.size, &name0->b.buffer,
+ name1->b.size, &name1->b.buffer,
+ name2->b.size, &name2->b.buffer,
+ cpBufferSize, cpBuffer,
+ 0, NULL);
+ }
+ if (i == 0) {
+ unsigned int isDecrypt = 0; /* count number of sessions with decrypt
+ set */
+ unsigned int decryptSession = 0; /* which one is decrypt */
+ unsigned int isEncrypt = 0; /* count number of sessions with decrypt
+ set */
+ unsigned int encryptSession = 0; /* which one is decrypt */
+ nonceTPMDecrypt.t.size = 0;
+ nonceTPMEncrypt.t.size = 0;
+ /* if a different session is being used for parameter decryption, then the
+ nonceTPM for that session is included in the HMAC of the first authorization
+ session */
+ if (rc == 0) {
+ rc = TSS_Sessions_GetDecryptSession(&isDecrypt,
+ &decryptSession,
+ sessionHandle,
+ sessionAttributes);
+ }
+ if ((rc == 0) && isDecrypt && (decryptSession != 0)) {
+ rc = TSS_TPM2B_Copy(&nonceTPMDecrypt.b,
+ &session[decryptSession]->nonceTPM.b, sizeof(TPMU_HA));
+ }
+ /* if a different session is being used for parameter encryption, then the
+ nonceTPM for that session is included in the HMAC of the first authorization
+ session */
+ if (rc == 0) {
+ rc = TSS_Sessions_GetEncryptSession(&isEncrypt,
+ &encryptSession,
+ sessionHandle,
+ sessionAttributes);
+ }
+ /* Don't include the same nonce twice */
+ if ((rc == 0) && isEncrypt && (encryptSession != 0)) {
+ if (!isDecrypt || (encryptSession != decryptSession)) {
+ rc = TSS_TPM2B_Copy(&nonceTPMEncrypt.b,
+ &session[encryptSession]->nonceTPM.b,
+ sizeof(TPMU_HA));
+ }
+ }
+ }
+ /* for other than the first session, those nonces are not used */
+ else {
+ nonceTPMDecrypt.t.size = 0;
+ nonceTPMEncrypt.t.size = 0;
+ }
+ /* */
+ if (rc == 0) {
+ hmac.hashAlg = session[i]->authHashAlg;
+ rc = TSS_HMAC_Generate(&hmac, /* output hmac */
+ &session[i]->hmacKey, /* input key */
+ session[i]->sizeInBytes, (uint8_t *)&cpHash.digest,
+ /* new is nonceCaller */
+ session[i]->nonceCaller.b.size,
+ &session[i]->nonceCaller.b.buffer,
+ /* old is previous nonceTPM */
+ session[i]->nonceTPM.b.size,
+ &session[i]->nonceTPM.b.buffer,
+ /* nonceTPMDecrypt */
+ nonceTPMDecrypt.b.size, nonceTPMDecrypt.b.buffer,
+ /* nonceTPMEncrypt */
+ nonceTPMEncrypt.b.size, nonceTPMEncrypt.b.buffer,
+ /* 1 byte, no endian conversion */
+ sizeof(uint8_t), &sessionAttr8,
+ 0, NULL);
+ if (tssVverbose) {
+ TSS_PrintAll("TSS_HmacSession_SetHMAC: HMAC key",
+ session[i]->hmacKey.t.buffer, session[i]->hmacKey.t.size);
+ TSS_PrintAll("TSS_HmacSession_SetHMAC: cpHash",
+ (uint8_t *)&cpHash.digest, session[i]->sizeInBytes);
+ TSS_PrintAll("TSS_HmacSession_Set: nonceCaller",
+ session[i]->nonceCaller.b.buffer,
+ session[i]->nonceCaller.b.size);
+ TSS_PrintAll("TSS_HmacSession_SetHMAC: nonceTPM",
+ session[i]->nonceTPM.b.buffer, session[i]->nonceTPM.b.size);
+ TSS_PrintAll("TSS_HmacSession_SetHMAC: nonceTPMDecrypt",
+ nonceTPMDecrypt.b.buffer, nonceTPMDecrypt.b.size);
+ TSS_PrintAll("TSS_HmacSession_SetHMAC: nonceTPMEncrypt",
+ nonceTPMEncrypt.b.buffer, nonceTPMEncrypt.b.size);
+ TSS_PrintAll("TSS_HmacSession_SetHMAC: sessionAttributes",
+ &sessionAttr8, sizeof(uint8_t));
+ TSS_PrintAll("TSS_HmacSession_SetHMAC: HMAC",
+ (uint8_t *)&hmac.digest, session[i]->sizeInBytes);
+ }
+ }
+ /* copy HMAC into authCommand TPM2B_AUTH hmac */
+ if (rc == 0) {
+ rc = TSS_TPM2B_Create(&authCommand[i]->hmac.b,
+ (uint8_t *)&hmac.digest,
+ session[i]->sizeInBytes,
+ sizeof(authCommand[i]->hmac.t.buffer));
+ }
+#else
+ tssAuthContext = tssAuthContext;
+ name0 = name0;
+ name1 = name1;
+ name2 = name2;
+ if (tssVerbose)
+ printf("TSS_HmacSession_SetHMAC: Error, with no crypto not implemented\n");
+ rc = TSS_RC_NOT_IMPLEMENTED;
+#endif /* TPM_TSS_NOCRYPTO */
+ }
+ /* not HMAC, not policy requiring password or hmac */
+ else {
+ authCommand[i]->hmac.b.size = 0;
+ }
+ }
+ /* For a policy session that contains TPM2_PolicyPassword(), the password takes precedence
+ and must be present in hmac. */
+ else { /* isPasswordNeeded true */
+ if (tssVverbose) printf("TSS_HmacSession_SetHMAC: use password\n");
+ /* nonce has already been set */
+ rc = TSS_TPM2B_StringCopy(&authCommand[i]->hmac.b,
+ password[i], sizeof(authCommand[i]->hmac.t.buffer));
+ }
+ }
+ return rc;
+}
+
+
+#ifndef TPM_TSS_NOCRYPTO
+
+/* TSS_HmacSession_Verify() is used for a response. It uses the values in TPMS_AUTH_RESPONSE to
+ validate the response HMAC
+*/
+
+static TPM_RC TSS_HmacSession_Verify(TSS_AUTH_CONTEXT *tssAuthContext, /* authorization context */
+ struct TSS_HMAC_CONTEXT *session, /* TSS session context */
+ TPMS_AUTH_RESPONSE *authResponse) /* input: response authorization */
+{
+ TPM_RC rc = 0;
+ uint32_t rpBufferSize;
+ uint8_t *rpBuffer;
+ TPMT_HA rpHash;
+ TPMT_HA actualHmac;
+
+ /* get the rpBuffer */
+ if (rc == 0) {
+ rc = TSS_GetRpBuffer(tssAuthContext, &rpBufferSize, &rpBuffer);
+ if (tssVverbose) TSS_PrintAll("TSS_HmacSession_Verify: rpBuffer",
+ rpBuffer, rpBufferSize);
+ }
+ /* calculate rpHash */
+ if (rc == 0) {
+ TPM_CC commandCode;
+ TPM_CC commandCodeNbo;
+ rpHash.hashAlg = session->authHashAlg;
+
+ commandCode = TSS_GetCommandCode(tssAuthContext);
+ commandCodeNbo = htonl(commandCode);
+
+ /* rpHash = HsessionAlg (responseCode || commandCode {|| parameters }) */
+ rc = TSS_Hash_Generate(&rpHash, /* largest size of a digest */
+ sizeof(TPM_RC), &rc, /* RC is always 0, no need to endian
+ convert */
+ sizeof(TPM_CC), &commandCodeNbo,
+ rpBufferSize, rpBuffer,
+ 0, NULL);
+ }
+ /* construct the actual HMAC as TPMT_HA */
+ if (rc == 0) {
+ actualHmac.hashAlg = session->authHashAlg;
+ if (authResponse->hmac.t.size != session->sizeInBytes) {
+ if (tssVerbose)
+ printf("TSS_HmacSession_Verify: HMAC size %u inconsistent with algorithm %u\n",
+ authResponse->hmac.t.size, session->sizeInBytes);
+ rc = TSS_RC_HMAC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ memcpy((uint8_t *)&actualHmac.digest, &authResponse->hmac.t.buffer,
+ authResponse->hmac.t.size);
+ }
+ /* verify the HMAC */
+ if (rc == 0) {
+ if (tssVverbose) {
+ TSS_PrintAll("TSS_HmacSession_Verify: HMAC key",
+ session->hmacKey.t.buffer, session->hmacKey.t.size);
+ TSS_PrintAll("TSS_HmacSession_Verify: rpHash",
+ (uint8_t *)&rpHash.digest, session->sizeInBytes);
+ TSS_PrintAll("TSS_HmacSession_Verify: nonceTPM",
+ session->nonceTPM.b.buffer, session->nonceTPM.b.size);
+ TSS_PrintAll("TSS_HmacSession_Verify: nonceCaller",
+ session->nonceCaller.b.buffer, session->nonceCaller.b.size);
+ TSS_PrintAll("TSS_HmacSession_Verify: sessionAttributes",
+ &authResponse->sessionAttributes.val, sizeof(uint8_t));
+ TSS_PrintAll("TSS_HmacSession_Verify: response HMAC",
+ (uint8_t *)&authResponse->hmac.t.buffer, session->sizeInBytes);
+ }
+ rc = TSS_HMAC_Verify(&actualHmac, /* input response hmac */
+ &session->hmacKey, /* input HMAC key */
+ session->sizeInBytes,
+ /* rpHash */
+ session->sizeInBytes, (uint8_t *)&rpHash.digest,
+ /* new is nonceTPM */
+ session->nonceTPM.b.size, &session->nonceTPM.b.buffer,
+ /* old is nonceCaller */
+ session->nonceCaller.b.size, &session->nonceCaller.b.buffer,
+ /* 1 byte, no endian conversion */
+ sizeof(uint8_t), &authResponse->sessionAttributes.val,
+ 0, NULL);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCRYPTO */
+
+/* TSS_HmacSession_Continue() handles the response continueSession flag. It either saves the
+ updated session or deletes the session state. */
+
+static TPM_RC TSS_HmacSession_Continue(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ TPMS_AUTH_RESPONSE *authR)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ /* if continue set */
+ if (authR->sessionAttributes.val & TPMA_SESSION_CONTINUESESSION) {
+ /* clear the policy flags in preparation for the next use */
+ session->isPasswordNeeded = FALSE;
+ session->isAuthValueNeeded = FALSE;
+ /* save the session */
+ rc = TSS_HmacSession_SaveSession(tssContext, session);
+ }
+ else { /* continue clear */
+ /* delete the session state */
+ rc = TSS_DeleteHandle(tssContext, session->sessionHandle);
+ }
+ }
+ return rc;
+}
+
+/* TSS_Sessions_GetDecryptSession() searches for a command decrypt session. If found, returns
+ isDecrypt TRUE, and the session number in decryptSession.
+
+*/
+
+static TPM_RC TSS_Sessions_GetDecryptSession(unsigned int *isDecrypt,
+ unsigned int *decryptSession,
+ TPMI_SH_AUTH_SESSION sessionHandle[],
+ unsigned int sessionAttributes[])
+{
+ TPM_RC rc = 0;
+ unsigned int i = 0;
+
+ /* count the number of command decrypt sessions */
+ *isDecrypt = 0; /* number of sessions with decrypt set */
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) &&
+ (sessionHandle[i] != TPM_RH_NULL) &&
+ (sessionHandle[i] != TPM_RS_PW) ;
+ i++) {
+ if (sessionAttributes[i] & TPMA_SESSION_DECRYPT) {
+ (*isDecrypt)++; /* count number of decrypt sessions */
+ *decryptSession = i; /* record which one it was */
+ }
+ }
+ /* how many decrypt sessions were found */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Sessions_GetDecryptSession: Found %u decrypt sessions at %u\n",
+ *isDecrypt, *decryptSession);
+ if (*isDecrypt > 1) {
+ if (tssVerbose)
+ printf("TSS_Sessions_GetDecryptSession: Error, found %u decrypt sessions\n",
+ *isDecrypt);
+ rc = TSS_RC_DECRYPT_SESSIONS;
+ }
+ }
+ return rc;
+}
+
+/* TSS_Sessions_GetEncryptSession() searches for a response encrypt session. If found, returns
+ isEncrypt TRUE, and the session number in encryptSession.
+
+*/
+
+static TPM_RC TSS_Sessions_GetEncryptSession(unsigned int *isEncrypt,
+ unsigned int *encryptSession,
+ TPMI_SH_AUTH_SESSION sessionHandle[],
+ unsigned int sessionAttributes[])
+{
+ TPM_RC rc = 0;
+ unsigned int i = 0;
+
+ /* count the number of command encrypt sessions */
+ *isEncrypt = 0; /* number of sessions with encrypt set */
+ for (i = 0 ; (rc == 0) && (i < MAX_SESSION_NUM) &&
+ (sessionHandle[i] != TPM_RH_NULL) &&
+ (sessionHandle[i] != TPM_RS_PW) ;
+ i++) {
+ if (sessionAttributes[i] & TPMA_SESSION_ENCRYPT) {
+ (*isEncrypt)++; /* count number of encrypt sessions */
+ *encryptSession = i; /* record which one it was */
+ }
+ }
+ /* how many encrypt sessions were found */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Sessions_GetEncryptSession: Found %u encrypt sessions at %u\n",
+ *isEncrypt, *encryptSession);
+ if (*isEncrypt > 1) {
+ if (tssVerbose)
+ printf("TSS_Sessions_GetEncryptSession: Error, found %u encrypt sessions\n",
+ *isEncrypt);
+ rc = TSS_RC_ENCRYPT_SESSIONS;
+ }
+ }
+ return rc;
+}
+
+/* TSS_Command_Decrypt() determines whether any sessions are command decrypt sessions. If so, it
+ encrypts the first command parameter.
+
+ It does common error checking, then calls algorithm specific functions.
+
+*/
+
+static TPM_RC TSS_Command_Decrypt(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session[],
+ TPMI_SH_AUTH_SESSION sessionHandle[],
+ unsigned int sessionAttributes[])
+{
+ TPM_RC rc = 0;
+ unsigned int isDecrypt = 0; /* count number of sessions with decrypt set */
+ unsigned int decryptSession = 0; /* which session is decrypt */
+
+ /* determine if there is a decrypt session */
+ if (rc == 0) {
+ rc = TSS_Sessions_GetDecryptSession(&isDecrypt,
+ &decryptSession,
+ sessionHandle,
+ sessionAttributes);
+ }
+#ifndef TPM_TSS_NOCRYPTO
+ {
+ COMMAND_INDEX tpmCommandIndex; /* index into TPM table */
+ TPM_CC commandCode;
+ int decryptSize; /* size of TPM2B size, 2 if there is a TPM2B, 0 if
+ not */
+ uint32_t paramSize; /* size of the parameter to encrypt */
+ uint8_t *decryptParamBuffer;
+ /* can the command parameter be encrypted */
+ if ((rc == 0) && isDecrypt) {
+ /* get the commandCode, stored in TSS during marshal */
+ commandCode = TSS_GetCommandCode(tssAuthContext);
+ /* get the index into the TPM command attributes table */
+ tpmCommandIndex = CommandCodeToCommandIndex(commandCode);
+ /* can this be a decrypt command (this is size of TPM2B size, not size of parameter) */
+ decryptSize = getDecryptSize(tpmCommandIndex);
+ if (decryptSize != 2) { /* only handle TPM2B */
+ printf("TSS_Command_Decrypt: Error, command cannot be encrypted\n");
+ rc = TSS_RC_NO_DECRYPT_PARAMETER;
+ }
+ }
+ /* get the TPM2B parameter to encrypt */
+ if ((rc == 0) && isDecrypt) {
+ rc = TSS_GetCommandDecryptParam(tssAuthContext, &paramSize, &decryptParamBuffer);
+ }
+ /* if the size of the parameter to encrypt is zero, nothing to encrypt */
+ if ((rc == 0) && isDecrypt) {
+ if (paramSize == 0) {
+ isDecrypt = FALSE; /* none, done with this function */
+ }
+ }
+ /* error checking complete, do the encryption */
+ if ((rc == 0) && isDecrypt) {
+ switch (session[decryptSession]->symmetric.algorithm) {
+ case TPM_ALG_XOR:
+ rc = TSS_Command_DecryptXor(tssAuthContext, session[decryptSession]);
+ break;
+ case TPM_ALG_AES:
+ rc = TSS_Command_DecryptAes(tssAuthContext, session[decryptSession]);
+ break;
+ default:
+ if (tssVerbose) printf("TSS_Command_Decrypt: Error, algorithm %04x not implemented\n",
+ session[decryptSession]->symmetric.algorithm);
+ rc = TSS_RC_BAD_DECRYPT_ALGORITHM;
+ break;
+ }
+ }
+ }
+#else
+ tssAuthContext = tssAuthContext;
+ session = session;
+ if ((rc == 0) && isDecrypt) {
+ if (tssVerbose)
+ printf("TSS_Command_Decrypt: Error, with no crypto not implemented\n");
+ rc = TSS_RC_NOT_IMPLEMENTED;
+ }
+#endif
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCRYPTO
+
+/* NOTE: if AES also works, do in place encryption */
+
+static TPM_RC TSS_Command_DecryptXor(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session)
+{
+ TPM_RC rc = 0;
+ unsigned int i;
+ uint32_t paramSize;
+ uint8_t *decryptParamBuffer;
+ uint8_t *mask = NULL;
+ uint8_t *encryptParamBuffer = NULL;
+
+ /* get the TPM2B parameter to encrypt */
+ if (rc == 0) {
+ rc = TSS_GetCommandDecryptParam(tssAuthContext, &paramSize, &decryptParamBuffer);
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Command_DecryptXor: decrypt in",
+ decryptParamBuffer, paramSize);
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(&mask, paramSize);
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(&encryptParamBuffer, paramSize);
+ }
+ /* generate the XOR pad */
+ /* 21.2 XOR Parameter Obfuscation
+
+ XOR(parameter, hashAlg, sessionValue, nonceNewer, nonceOlder)
+
+ parameter a variable sized buffer containing the parameter to be obfuscated
+ hashAlg the hash algorithm associated with the session
+ sessionValue the session-specific HMAC key
+ nonceNewer for commands, this will be nonceCaller and for responses it will be nonceTPM
+ nonceOlder for commands, this will be nonceTPM and for responses it will be nonceCaller
+
+ 11.4.6.3 XOR Obfuscation
+
+ XOR(data, hashAlg, key, contextU, contextV)
+
+ mask = KDFa (hashAlg, key, "XOR", contextU, contextV, data.size * 8)
+ */
+ /* KDFa for the XOR mask */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Command_DecryptXor: hashAlg %04x\n", session->authHashAlg);
+ if (tssVverbose) printf("TSS_Command_DecryptXor: sizeInBits %04x\n", paramSize * 8);
+ if (tssVverbose)
+ TSS_PrintAll("TSS_Command_DecryptXor: sessionKey",
+ session->sessionKey.b.buffer, session->sessionKey.b.size);
+ if (tssVverbose)
+ TSS_PrintAll("TSS_Command_DecryptXor: sessionValue",
+ session->sessionValue.b.buffer, session->sessionValue.b.size);
+ rc = TSS_KDFA(mask,
+ session->authHashAlg,
+ &session->sessionValue.b,
+ "XOR",
+ &session->nonceCaller.b,
+ &session->nonceTPM.b,
+ paramSize * 8);
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Command_DecryptXor: mask",
+ mask, paramSize);
+ }
+ /* XOR */
+ for (i = 0 ; (rc == 0) && (i < paramSize ) ; i++) {
+ encryptParamBuffer[i] = decryptParamBuffer[i] ^ mask[i];
+ }
+ if (rc == 0) {
+ rc = TSS_SetCommandDecryptParam(tssAuthContext, paramSize, encryptParamBuffer);
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Command_DecryptXor: encrypt out",
+ encryptParamBuffer, paramSize);
+ }
+ free(mask);
+ free(encryptParamBuffer);
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCRYPTO */
+
+#ifndef TPM_TSS_NOCRYPTO
+
+/* NOTE: if AES also works, do in place encryption */
+
+static TPM_RC TSS_Command_DecryptAes(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session)
+{
+ TPM_RC rc = 0;
+ uint32_t paramSize;
+ uint8_t *decryptParamBuffer;
+ uint8_t *encryptParamBuffer = NULL;
+ TPM2B_IV iv;
+ uint32_t kdfaBits;
+ uint16_t keySizeinBytes;
+ uint8_t symParmString[MAX_SYM_KEY_BYTES + MAX_SYM_BLOCK_SIZE]; /* AES key + IV */
+
+ /* get the TPM2B parameter to encrypt */
+ if (rc == 0) {
+ rc = TSS_GetCommandDecryptParam(tssAuthContext, &paramSize, &decryptParamBuffer);
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Command_DecryptAes: decrypt in",
+ decryptParamBuffer, paramSize);
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(&encryptParamBuffer, paramSize); /* free @1 */
+ }
+ /* generate the encryption key and IV */
+ /* 21.3 CFB Mode Parameter Encryption
+
+ KDFa (hashAlg, sessionValue, "CFB", nonceNewer, nonceOlder, bits) (34)
+
+ hashAlg the hash algorithm associated with the session
+ sessionValue the session-specific HMAC key
+ "CFB" label to differentiate use of KDFa() (see 4.2)
+ nonceNewer nonceCaller for a command and nonceTPM for a response
+ nonceOlder nonceTPM for a command and nonceCaller for a response
+ bits the number of bits required for the symmetric key plus an IV
+ */
+ if (rc == 0) {
+ iv.t.size = TSS_Sym_GetBlockSize(session->symmetric.algorithm,
+ session->symmetric.keyBits.aes);
+ /* generate random values for both the AES key and the IV */
+ kdfaBits = session->symmetric.keyBits.aes + (iv.t.size * 8);
+
+ if (tssVverbose) printf("TSS_Command_DecryptAes: hashAlg %04x\n",
+ session->authHashAlg);
+ if (tssVverbose) printf("TSS_Command_DecryptAes: AES key bits %u\n",
+ session->symmetric.keyBits.aes);
+ if (tssVverbose) printf("TSS_Command_DecryptAes: kdfaBits %04x\n",
+ kdfaBits);
+ if (tssVverbose) TSS_PrintAll("TSS_Command_DecryptAes: session key",
+ session->sessionKey.b.buffer, session->sessionKey.b.size);
+
+ rc = TSS_KDFA(&symParmString[0],
+ session->authHashAlg,
+ &session->sessionValue.b,
+ "CFB",
+ &session->nonceCaller.b,
+ &session->nonceTPM.b,
+ kdfaBits);
+ }
+ /* copy the latter part of the kdf output to the IV */
+ if (rc == 0) {
+ keySizeinBytes = session->symmetric.keyBits.aes / 8;
+ memcpy(iv.t.buffer, &symParmString[keySizeinBytes], iv.t.size);
+ if (tssVverbose) TSS_PrintAll("TSS_Command_DecryptAes: IV",
+ iv.t.buffer, iv.t.size);
+ }
+ /* AES CFB encrypt the command */
+ if (rc == 0) {
+ TPM_RC crc;
+ crc = TSS_AES_EncryptCFB(encryptParamBuffer, /* output */
+ session->symmetric.keyBits.aes, /* 128 */
+ symParmString, /* key */
+ iv.t.buffer, /* IV */
+ paramSize, /* length */
+ (uint8_t *)decryptParamBuffer); /* input */
+ if (crc != 0) {
+ if (tssVerbose) printf("TSS_Command_DecryptAes: AES encrypt failed\n");
+ rc = TSS_RC_AES_ENCRYPT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Command_DecryptAes: encrypt out",
+ encryptParamBuffer, paramSize);
+ }
+ if (rc == 0) {
+ rc = TSS_SetCommandDecryptParam(tssAuthContext, paramSize, encryptParamBuffer);
+ }
+ free(encryptParamBuffer); /* @1 */
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCRYPTO */
+
+static TPM_RC TSS_Response_Encrypt(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session[],
+ TPMI_SH_AUTH_SESSION sessionHandle[],
+ unsigned int sessionAttributes[])
+{
+ TPM_RC rc = 0;
+ unsigned int isEncrypt = 0; /* count number of sessions with decrypt set */
+ unsigned int encryptSession = 0; /* which one is decrypt */
+
+ /* determine if there is an encrypt session */
+ if (rc == 0) {
+ rc = TSS_Sessions_GetEncryptSession(&isEncrypt,
+ &encryptSession,
+ sessionHandle,
+ sessionAttributes);
+ }
+#ifndef TPM_TSS_NOCRYPTO
+ {
+ COMMAND_INDEX tpmCommandIndex; /* index into TPM table */
+ TPM_CC commandCode;
+ int encryptSize; /* size of TPM2B size, 2 if there is a TPM2B, 0 if
+ not */
+ uint32_t paramSize; /* size of the parameter to decrypt */
+ uint8_t *encryptParamBuffer;
+ /* can the response parameter be decrypted */
+ if ((rc == 0) && isEncrypt) {
+ /* get the commandCode, stored in TSS during marshal */
+ commandCode = TSS_GetCommandCode(tssAuthContext);
+ /* get the index into the TPM command attributes table */
+ tpmCommandIndex = CommandCodeToCommandIndex(commandCode);
+ /* can this be a decrypt command */
+ encryptSize = getEncryptSize(tpmCommandIndex);
+ if (encryptSize == 0) {
+ if (tssVerbose) printf("TSS_Response_Encrypt: "
+ "Error, response cannot be encrypted\n");
+ rc = TSS_RC_NO_ENCRYPT_PARAMETER;
+ }
+ }
+ /* get the TPM2B parameter to decrypt */
+ if ((rc == 0) && isEncrypt) {
+ rc = TSS_GetResponseEncryptParam(tssAuthContext, &paramSize, &encryptParamBuffer);
+ }
+ /* if the size of the parameter to decrypt is zero, nothing to decrypt */
+ if ((rc == 0) && isEncrypt) {
+ if (paramSize == 0) {
+ isEncrypt = FALSE; /* none, done with this function */
+ }
+ }
+ /* error checking complete, do the decryption */
+ if ((rc == 0) && isEncrypt) {
+ switch (session[encryptSession]->symmetric.algorithm) {
+ case TPM_ALG_XOR:
+ rc = TSS_Response_EncryptXor(tssAuthContext, session[encryptSession]);
+ break;
+ case TPM_ALG_AES:
+ rc = TSS_Response_EncryptAes(tssAuthContext, session[encryptSession]);
+ break;
+ default:
+ if (tssVerbose) printf("TSS_Response_Encrypt: "
+ "Error, algorithm %04x not implemented\n",
+ session[encryptSession]->symmetric.algorithm);
+ rc = TSS_RC_BAD_ENCRYPT_ALGORITHM;
+ break;
+ }
+ }
+ }
+#else
+ tssAuthContext = tssAuthContext;
+ session = session;
+ if ((rc == 0) && isEncrypt) {
+ if (tssVerbose)
+ printf("TSS_Response_Encrypt: Error, with no crypto not implemented\n");
+ rc = TSS_RC_NOT_IMPLEMENTED;
+ }
+#endif
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCRYPTO
+
+/* NOTE: if CFB also works, do in place decryption */
+
+static TPM_RC TSS_Response_EncryptXor(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session)
+{
+ TPM_RC rc = 0;
+ unsigned int i;
+ uint32_t paramSize;
+ uint8_t *encryptParamBuffer;
+ uint8_t *mask = NULL;
+ uint8_t *decryptParamBuffer = NULL;
+
+ /* get the TPM2B parameter to decrypt */
+ if (rc == 0) {
+ rc = TSS_GetResponseEncryptParam(tssAuthContext,
+ &paramSize, &encryptParamBuffer);
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Response_EncryptXor: encrypt in",
+ encryptParamBuffer, paramSize);
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(&mask, paramSize); /* freed @1 */
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(&decryptParamBuffer, paramSize); /* freed @2 */
+ }
+ /* generate the XOR pad */
+ /* 21.2 XOR Parameter Obfuscation
+
+ XOR(parameter, hashAlg, sessionValue, nonceNewer, nonceOlder)
+
+ parameter a variable sized buffer containing the parameter to be obfuscated
+ hashAlg the hash algorithm associated with the session
+ sessionValue the session-specific HMAC key
+ nonceNewer for commands, this will be nonceCaller and for responses it will be nonceTPM
+ nonceOlder for commands, this will be nonceTPM and for responses it will be nonceCaller
+
+
+ 11.4.6.3 XOR Obfuscation
+
+ XOR(data, hashAlg, key, contextU, contextV)
+
+ mask = KDFa (hashAlg, key, "XOR", contextU, contextV, data.size * 8)
+ */
+ /* KDFa for the XOR mask */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Response_EncryptXor: hashAlg %04x\n", session->authHashAlg);
+ if (tssVverbose) printf("TSS_Response_EncryptXor: sizeInBits %04x\n", paramSize * 8);
+ if (tssVverbose) TSS_PrintAll("TSS_Response_EncryptXor: session key",
+ session->sessionKey.b.buffer, session->sessionKey.b.size);
+ rc = TSS_KDFA(mask,
+ session->authHashAlg,
+ &session->sessionValue.b,
+ "XOR",
+ &session->nonceTPM.b,
+ &session->nonceCaller.b,
+ paramSize * 8);
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Response_EncryptXor: mask",
+ mask, paramSize);
+ }
+ /* XOR */
+ for (i = 0 ; (rc == 0) && (i < paramSize ) ; i++) {
+ decryptParamBuffer[i] = encryptParamBuffer[i] ^ mask[i];
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Response_EncryptXor: decrypt out",
+ decryptParamBuffer, paramSize);
+ }
+ if (rc == 0) {
+ rc = TSS_SetResponseDecryptParam(tssAuthContext,
+ paramSize, decryptParamBuffer);
+ }
+ free(mask); /* @1 */
+ free(decryptParamBuffer); /* @2 */
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCRYPTO */
+
+#ifndef TPM_TSS_NOCRYPTO
+
+/* NOTE: if CFB also works, do in place decryption */
+
+static TPM_RC TSS_Response_EncryptAes(TSS_AUTH_CONTEXT *tssAuthContext,
+ struct TSS_HMAC_CONTEXT *session)
+{
+ TPM_RC rc = 0;
+ uint32_t paramSize;
+ uint8_t *encryptParamBuffer;
+ uint8_t *decryptParamBuffer = NULL;
+ TPM2B_IV iv;
+ uint32_t kdfaBits;
+ uint16_t keySizeinBytes;
+ uint8_t symParmString[MAX_SYM_KEY_BYTES + MAX_SYM_BLOCK_SIZE]; /* AES key + IV */
+
+ /* get the TPM2B parameter to decrypt */
+ if (rc == 0) {
+ rc = TSS_GetResponseEncryptParam(tssAuthContext,
+ &paramSize, &encryptParamBuffer);
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Response_EncryptAes: encrypt in",
+ encryptParamBuffer, paramSize);
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(&decryptParamBuffer, paramSize); /* freed @1 */
+ }
+ /* generate the encryption key and IV */
+ /* 21.3 CFB Mode Parameter Encryption
+
+ KDFa (hashAlg, sessionValue, "CFB", nonceNewer, nonceOlder, bits) (34)
+ */
+ if (rc == 0) {
+
+ iv.t.size = TSS_Sym_GetBlockSize(session->symmetric.algorithm,
+ session->symmetric.keyBits.aes);
+ /* generate random values for both the AES key and the IV */
+ kdfaBits = session->symmetric.keyBits.aes + (iv.t.size * 8);
+
+ if (tssVverbose) printf("TSS_Response_EncryptAes: hashAlg %04x\n",
+ session->authHashAlg);
+ if (tssVverbose) printf("TSS_Response_EncryptAes: AES key bits %u\n",
+ session->symmetric.keyBits.aes);
+ if (tssVverbose) printf("TSS_Response_EncryptAes: kdfaBits %04x\n",
+ kdfaBits);
+ if (tssVverbose) TSS_PrintAll("TSS_Response_EncryptAes: session key",
+ session->sessionKey.b.buffer, session->sessionKey.b.size);
+
+ rc = TSS_KDFA(&symParmString[0],
+ session->authHashAlg,
+ &session->sessionValue.b,
+ "CFB",
+ &session->nonceTPM.b,
+ &session->nonceCaller.b,
+ kdfaBits);
+ }
+ /* copy the latter part of the kdf output to the IV */
+ if (rc == 0) {
+ keySizeinBytes = session->symmetric.keyBits.aes / 8;
+ memcpy(iv.t.buffer, &symParmString[keySizeinBytes], iv.t.size);
+ if (tssVverbose) TSS_PrintAll("TSS_Response_EncryptAes: IV",
+ iv.t.buffer, iv.t.size);
+ }
+ /* AES CFB decrypt the response */
+ if (rc == 0) {
+ TPM_RC crc;
+ crc = TSS_AES_DecryptCFB(decryptParamBuffer, /* output */
+ session->symmetric.keyBits.aes, /* 128 */
+ symParmString, /* key */
+ iv.t.buffer, /* IV */
+ paramSize, /* length */
+ (uint8_t *)encryptParamBuffer); /* input */
+ if (crc != 0) {
+ if (tssVerbose) printf("TSS_Response_EncryptAes: AES decrypt failed\n");
+ rc = TSS_RC_AES_DECRYPT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Response_EncryptAes: decrypt out",
+ decryptParamBuffer, paramSize);
+ }
+ if (rc == 0) {
+ rc = TSS_SetResponseDecryptParam(tssAuthContext,
+ paramSize, decryptParamBuffer);
+ }
+ free(decryptParamBuffer); /* @1 */
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCRYPTO */
+
+/*
+ Command Change Authorization Processor
+*/
+
+#ifndef TPM_TSS_NOCRYPTO
+
+static TPM_RC TSS_Command_ChangeAuthProcessor(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ size_t handleNumber,
+ COMMAND_PARAMETERS *in)
+{
+ TPM_RC rc = 0;
+ size_t index;
+ int found;
+ TSS_ChangeAuthFunction_t changeAuthFunction = NULL;
+
+ TPM_CC commandCode = TSS_GetCommandCode(tssContext->tssAuthContext);
+
+ /* search the table for a change authorization processing function */
+ if (rc == 0) {
+ found = FALSE;
+ for (index = 0 ; (index < (sizeof(tssTable) / sizeof(TSS_TABLE))) && !found ; index++) {
+ if (tssTable[index].commandCode == commandCode) {
+ found = TRUE;
+ break; /* don't increment index if found */
+ }
+ }
+ }
+ /* found false means there is no change authorization function. This permits the table to be
+ smaller if desired. */
+ if ((rc == 0) && found) {
+ changeAuthFunction = tssTable[index].changeAuthFunction;
+ /* there could also be an entry that is currently NULL, nothing to do */
+ if (changeAuthFunction == NULL) {
+ found = FALSE;
+ }
+ }
+ /* call the processing function */
+ if ((rc == 0) && found) {
+ rc = changeAuthFunction(tssContext, session, handleNumber, in);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOCRYPTO */
+
+static TPM_RC TSS_CA_HierarchyChangeAuth(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ size_t handleNumber,
+ HierarchyChangeAuth_In *in)
+{
+ TPM_RC rc = 0;
+ char *password = NULL;
+
+ if (tssVverbose) printf("TSS_CA_HierarchyChangeAuth\n");
+ if (in->newAuth.t.size == 0) {
+ password = NULL;
+ }
+ else {
+ if (rc == 0) {
+ rc = TSS_Malloc((uint8_t **)&password, /* freed @1 */
+ in->newAuth.t.size + 1);
+ }
+ if (rc == 0) {
+ /* copy the password */
+ memcpy(password, in->newAuth.t.buffer, in->newAuth.t.size);
+ password[in->newAuth.t.size] = '\0'; /* nul terminate string */
+ }
+ }
+#ifndef TPM_TSS_NOCRYPTO
+ if (rc == 0) {
+ rc = TSS_HmacSession_SetHmacKey(tssContext,
+ session,
+ handleNumber,
+ password);
+ }
+#else
+ tssContext = tssContext;
+ session = session;
+ handleNumber = handleNumber;
+#endif /* TPM_TSS_NOCRYPTO */
+ free(password); /* @1 */
+ return rc;
+}
+
+static TPM_RC TSS_CA_NV_ChangeAuth(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ size_t handleNumber,
+ NV_ChangeAuth_In *in)
+{
+ TPM_RC rc = 0;
+ char *password = NULL;
+
+ if (tssVverbose) printf("TSS_CA_NV_ChangeAuth\n");
+ if (in->newAuth.t.size == 0) {
+ password = NULL;
+ }
+ else {
+ if (rc == 0) {
+ rc = TSS_Malloc((uint8_t **)&password, /* freed @1 */
+ in->newAuth.t.size + 1);
+ }
+ if (rc == 0) {
+ /* copy the password */
+ memcpy(password, in->newAuth.t.buffer, in->newAuth.t.size);
+ password[in->newAuth.t.size] = '\0'; /* nul terminate string */
+ }
+ }
+#ifndef TPM_TSS_NOCRYPTO
+ if (rc == 0) {
+ rc = TSS_HmacSession_SetHmacKey(tssContext,
+ session,
+ handleNumber,
+ password);
+ }
+#else
+ tssContext = tssContext;
+ session = session;
+ handleNumber = handleNumber;
+#endif /* TPM_TSS_NOCRYPTO */
+ free(password); /* @1 */
+ return rc;
+}
+
+static TPM_RC TSS_CA_NV_UndefineSpaceSpecial(TSS_CONTEXT *tssContext,
+ struct TSS_HMAC_CONTEXT *session,
+ size_t handleNumber,
+ NV_UndefineSpaceSpecial_In *in)
+{
+ TPM_RC rc = 0;
+
+ in = in;
+ if (tssVverbose) printf("TSS_CA_NV_UndefineSpaceSpecial\n");
+#ifndef TPM_TSS_NOCRYPTO
+ if (rc == 0) {
+ /* the nvIndex authorization, the zeroth authorization, has special handling */
+ if (handleNumber == 0) {
+ /* the Empty Buffer is used as the authValue when generating the response HMAC */
+ rc = TSS_HmacSession_SetHmacKey(tssContext,
+ session,
+ handleNumber,
+ NULL); /* password */
+ }
+ }
+#else
+ tssContext = tssContext;
+ session = session;
+ handleNumber = handleNumber;
+#endif /* TPM_TSS_NOCRYPTO */
+ return rc;
+}
+
+/*
+ Command Pre-Processor
+*/
+
+static TPM_RC TSS_Command_PreProcessor(TSS_CONTEXT *tssContext,
+ TPM_CC commandCode,
+ COMMAND_PARAMETERS *in,
+ EXTRA_PARAMETERS *extra)
+{
+ TPM_RC rc = 0;
+ size_t index;
+ int found;
+ TSS_PreProcessFunction_t preProcessFunction = NULL;
+
+ /* search the table for a pre-processing function */
+ if (rc == 0) {
+ found = FALSE;
+ for (index = 0 ; (index < (sizeof(tssTable) / sizeof(TSS_TABLE))) && !found ; index++) {
+ if (tssTable[index].commandCode == commandCode) {
+ found = TRUE;
+ break; /* don't increment index if found */
+ }
+ }
+ }
+ /* found false means there is no pre-processing function. This permits the table to be smaller
+ if desired. */
+ if ((rc == 0) && found) {
+ preProcessFunction = tssTable[index].preProcessFunction;
+ /* call the pre processing function if there is one */
+ if (preProcessFunction != NULL) {
+ rc = preProcessFunction(tssContext, in, extra);
+ }
+ }
+#ifndef TPM_TSS_NO_PRINT
+ if ((rc == 0) && tssVverbose) {
+ found = FALSE;
+ for (index = 0 ;
+ (index < (sizeof(tssPrintTable) / sizeof(TSS_PRINT_TABLE))) && !found ;
+ index++) {
+ if (tssPrintTable[index].commandCode == commandCode) {
+ found = TRUE;
+ break; /* don't increment index if found */
+ }
+ }
+ }
+ /* found false means there is no print function. This permits the table to be smaller
+ if desired. */
+ if ((rc == 0) && tssVverbose && found) {
+ TSS_InPrintFunction_t inPrintFunction = tssPrintTable[index].inPrintFunction;
+ /* call the pre processing function if there is one */
+ if (inPrintFunction != NULL) {
+ printf("TSS_Command_PreProcessor: Input parameters\n");
+ inPrintFunction(in, 8); /* hard code indent 8 */
+ }
+ }
+#endif /* TPM_TSS_NO_PRINT */
+ return rc;
+}
+
+/*
+ Command specific pre processing functions
+*/
+
+/* TSS_PR_StartAuthSession handles StartAuthSession pre processing.
+
+ If the salt key in->tpmKey is not NULL and an RSA key, the preprocessor supplies the encrypted
+ salt. It passes the unencrypted salt to the post processor for session key processing.
+
+ An input salt (encrypted or unencrypted) is ignored.
+
+ Returns an error if the key is not an RSA key.
+*/
+
+static TPM_RC TSS_PR_StartAuthSession(TSS_CONTEXT *tssContext,
+ StartAuthSession_In *in,
+ StartAuthSession_Extra *extra)
+{
+ TPM_RC rc = 0;
+
+ if (tssVverbose) printf("TSS_PR_StartAuthSession\n");
+
+ /* if (tssVverbose) StartAuthSession_In_Print(in, 8); */
+
+#ifndef TPM_TSS_NOCRYPTO
+ /* generate nonceCaller */
+ if (rc == 0) {
+ /* the size is determined by the session hash algorithm */
+ in->nonceCaller.t.size = TSS_GetDigestSize(in->authHash);
+ if (in->nonceCaller.t.size == 0) {
+ if (tssVerbose) printf("TSS_PR_StartAuthSession: hash algorithm %04x not implemented\n",
+ in->authHash);
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_RandBytes((unsigned char *)&in->nonceCaller.t.buffer, in->nonceCaller.t.size);
+ }
+#else
+ in->nonceCaller.t.size = 16;
+ memset(&in->nonceCaller.t.buffer, 0, 16);
+#endif /* TPM_TSS_NOCRYPTO */
+ /* initialize to handle unsalted session */
+ in->encryptedSalt.t.size = 0;
+ if (extra != NULL) { /* extra NULL is handled at the port processor */
+ extra->salt.t.size = 0;
+ }
+ /* if the caller requests a salted session */
+ if (in->tpmKey != TPM_RH_NULL) {
+#ifndef TPM_TSS_NOCRYPTO
+ TPM2B_PUBLIC bPublic;
+
+ if (rc == 0) {
+ if (extra == NULL) {
+ if (tssVerbose)
+ printf("TSS_PR_StartAuthSession: salt session requires extra parameter\n");
+ rc = TSS_RC_NULL_PARAMETER;
+ }
+ }
+ /* get the tpmKey public key */
+ if (rc == 0) {
+ rc = TSS_Public_Load(tssContext, &bPublic, in->tpmKey, NULL);
+ }
+ /* generate the salt and encrypted salt based on the asymmetric key type */
+ if (rc == 0) {
+ switch (bPublic.publicArea.type) {
+#ifndef TPM_TSS_NOECC
+ case TPM_ALG_ECC:
+ rc = TSS_ECC_Salt(&extra->salt,
+ &in->encryptedSalt,
+ &bPublic.publicArea);
+ break;
+#endif /* TPM_TSS_NOECC */
+#ifndef TPM_TSS_NORSA
+ case TPM_ALG_RSA:
+ rc = TSS_RSA_Salt(&extra->salt,
+ &in->encryptedSalt,
+ &bPublic.publicArea);
+ break;
+#endif /* TPM_TSS_NORSA */
+ default:
+ if (tssVerbose)
+ printf("TSS_PR_StartAuthSession: public key type %04x not supported\n",
+ bPublic.publicArea.type);
+ rc = TSS_RC_BAD_SALT_KEY;
+ }
+ }
+#else
+ tssContext = tssContext;
+ rc = TSS_RC_NOT_IMPLEMENTED;
+#endif /* TPM_TSS_NOCRYPTO */
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NOCRYPTO
+#ifndef TPM_TSS_NORSA
+
+/* TSS_RSA_Salt() returns both the plaintext and excrypted salt, based on the salt key bPublic. */
+
+static TPM_RC TSS_RSA_Salt(TPM2B_DIGEST *salt,
+ TPM2B_ENCRYPTED_SECRET *encryptedSalt,
+ TPMT_PUBLIC *publicArea)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ {
+ /* error conditions when true */
+ int b1 = publicArea->type != TPM_ALG_RSA;
+ int b2 = publicArea->objectAttributes.val & TPMA_OBJECT_SIGN;
+ int b3 = !(publicArea->objectAttributes.val & TPMA_OBJECT_DECRYPT);
+ int b4 = (publicArea->parameters.rsaDetail.exponent != 0) &&
+ /* some HW TPMs return 010001 for the RSA EK with the default IWG template */
+ (publicArea->parameters.rsaDetail.exponent != RSA_DEFAULT_PUBLIC_EXPONENT);
+ /* TSS support checks */
+ if (b1 || b2 || b3 || b4) {
+ if (tssVerbose)
+ printf("TSS_RSA_Salt: public key attributes not supported\n");
+ rc = TSS_RC_BAD_SALT_KEY;
+ }
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_RSA_Salt: public key",
+ publicArea->unique.rsa.t.buffer,
+ publicArea->unique.rsa.t.size);
+ }
+ /* generate a salt */
+ if (rc == 0) {
+ /* The size of the secret value is limited to the size of the digest produced by the
+ nameAlg of the object that is associated with the public key used for OAEP
+ encryption. */
+ salt->t.size = TSS_GetDigestSize(publicArea->nameAlg);
+ if (tssVverbose) printf("TSS_RSA_Salt: "
+ "Hash algorithm %04x Salt size %u\n",
+ publicArea->nameAlg, salt->t.size);
+ /* place the salt in extra so that it can be retrieved by post processor */
+ rc = TSS_RandBytes((uint8_t *)&salt->t.buffer, salt->t.size);
+ }
+ /* In TPM2_StartAuthSession(), when tpmKey is an RSA key, the secret value (salt) is
+ encrypted using OAEP as described in B.4. The string "SECRET" (see 4.5) is used as
+ the L value and the nameAlg of the encrypting key is used for the hash algorithm. The
+ data value in OAEP-encrypted blob (salt) is used to compute sessionKey. */
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_RSA_Salt: salt",
+ (uint8_t *)&salt->t.buffer,
+ salt->t.size);
+ }
+ /* encrypt the salt */
+ if (rc == 0) {
+ /* public exponent */
+ unsigned char earr[3] = {0x01, 0x00, 0x01};
+ /* encrypt the salt with the tpmKey public key */
+ rc = TSS_RSAPublicEncrypt((uint8_t *)&encryptedSalt->t.secret, /* encrypted data */
+ publicArea->unique.rsa.t.size, /* size of encrypted data buffer */
+ (uint8_t *)&salt->t.buffer, /* decrypted data */
+ salt->t.size,
+ publicArea->unique.rsa.t.buffer, /* public modulus */
+ publicArea->unique.rsa.t.size,
+ earr, /* public exponent */
+ sizeof(earr),
+ (unsigned char *)"SECRET", /* encoding parameter */
+ sizeof("SECRET"),
+ publicArea->nameAlg);
+ }
+ if (rc == 0) {
+ encryptedSalt->t.size = publicArea->unique.rsa.t.size;
+ if (tssVverbose) TSS_PrintAll("TSS_RSA_Salt: RSA encrypted salt",
+ encryptedSalt->t.secret,
+ encryptedSalt->t.size);
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NORSA */
+#endif /* TPM_TSS_NOCRYPTO */
+
+static TPM_RC TSS_PR_NV_DefineSpace(TSS_CONTEXT *tssContext,
+ NV_DefineSpace_In *in,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ tssContext = tssContext;
+ extra = extra;
+
+ if (tssVverbose) printf("TSS_PR_NV_DefineSpace\n");
+ /* Test that TPMA_NVA_POLICY_DELETE is only set when a policy is also set. Otherwise, the index
+ cannot ever be deleted, even with Platform Authorization. If the application really wants to
+ do this, set the policy to one that cannot be satisfied, e.g., all 0xff's. */
+ if (rc == 0) {
+ if (in->publicInfo.nvPublic.attributes.val & TPMA_NVA_POLICY_DELETE) {
+ if (in->publicInfo.nvPublic.authPolicy.b.size == 0) {
+ if (tssVverbose) printf("TSS_PR_NV_DefineSpace POLICY_DELETE requires a policy\n");
+ rc = TSS_RC_IN_PARAMETER;
+ }
+ }
+ }
+ return rc;
+}
+
+/*
+ Response Post Processor
+*/
+
+/* TSS_Response_PostProcessor() handles any response specific post processing
+ */
+
+static TPM_RC TSS_Response_PostProcessor(TSS_CONTEXT *tssContext,
+ COMMAND_PARAMETERS *in,
+ RESPONSE_PARAMETERS *out,
+ EXTRA_PARAMETERS *extra)
+{
+ TPM_RC rc = 0;
+ size_t index;
+ int found;
+ TSS_PostProcessFunction_t postProcessFunction = NULL;
+
+ /* search the table for a post processing function */
+ if (rc == 0) {
+ TPM_CC commandCode = TSS_GetCommandCode(tssContext->tssAuthContext);
+ found = FALSE;
+ for (index = 0 ; (index < (sizeof(tssTable) / sizeof(TSS_TABLE))) && !found ; index++) {
+ if (tssTable[index].commandCode == commandCode) {
+ found = TRUE;
+ break; /* don't increment index if found */
+ }
+ }
+ }
+ /* found false means there is no post processing function. This permits the table to be smaller
+ if desired. */
+ if ((rc == 0) && found) {
+ postProcessFunction = tssTable[index].postProcessFunction;
+ /* there could also be an entry that it currently NULL, nothing to do */
+ if (postProcessFunction == NULL) {
+ found = FALSE;
+ }
+ }
+ /* call the function */
+ if ((rc == 0) && found) {
+ rc = postProcessFunction(tssContext, in, out, extra);
+ }
+ return rc;
+}
+
+/*
+ Command specific post processing functions
+*/
+
+/* TSS_PO_StartAuthSession handles StartAuthSession post processing. It:
+
+ creates a TSS HMAC session
+
+ saves the session handle, hash algorithm, and symmetric algorithm, nonceCaller and nonceTPM
+
+ It calculates the session key and saves it
+
+ Finally, it marshals the session and stores it
+*/
+
+static TPM_RC TSS_PO_StartAuthSession(TSS_CONTEXT *tssContext,
+ StartAuthSession_In *in,
+ StartAuthSession_Out *out,
+ StartAuthSession_Extra *extra)
+{
+ TPM_RC rc = 0;
+ struct TSS_HMAC_CONTEXT *session = NULL;
+ TPM2B_DIGEST salt;
+
+ if (tssVverbose) printf("TSS_PO_StartAuthSession\n");
+ /* allocate a TSS_HMAC_CONTEXT session context */
+ if (rc == 0) {
+ rc = TSS_HmacSession_GetContext(&session);
+ }
+ if (rc == 0) {
+ session->sessionHandle = out->sessionHandle;
+ session->authHashAlg = in->authHash;
+#ifndef TPM_TSS_NOCRYPTO
+ session->sizeInBytes = TSS_GetDigestSize(session->authHashAlg);
+#endif
+ session->symmetric = in->symmetric;
+ session->sessionType = in->sessionType;
+ }
+ /* if not a bind session or if no bind password was supplied */
+ if (rc == 0) {
+ if ((extra == NULL) || (in->bind == TPM_RH_NULL) || (extra->bindPassword == NULL)) {
+ session->bindAuthValue.b.size = 0;
+ }
+ else {
+ rc = TSS_TPM2B_StringCopy(&session->bindAuthValue.b,
+ extra->bindPassword, sizeof(session->bindAuthValue.t.buffer));
+ }
+ }
+ if (rc == 0) {
+ /* if the caller did not supply extra, the salt must be empty */
+ if (extra == NULL) {
+ salt.b.size = 0;
+ }
+ /* if the caller supplied extra, the preprocessor sets salt to empty (unsalted) or the
+ plaintext salt value */
+ else {
+ rc = TSS_TPM2B_Copy(&salt.b, &extra->salt.b, sizeof(TPMT_HA));
+ }
+ }
+#ifndef TPM_TSS_NOCRYPTO
+ if (rc == 0) {
+ rc = TSS_TPM2B_Copy(&session->nonceTPM.b, &out->nonceTPM.b, sizeof(TPMT_HA));
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_Copy(&session->nonceCaller.b, &in->nonceCaller.b, sizeof(TPMT_HA));
+ }
+ if (rc == 0) {
+ rc = TSS_HmacSession_SetSessionKey(tssContext, session,
+ &salt,
+ in->bind, &session->bindAuthValue);
+ }
+#endif /* TPM_TSS_NOCRYPTO */
+ if (rc == 0) {
+ rc = TSS_HmacSession_SaveSession(tssContext, session);
+ }
+ TSS_HmacSession_FreeContext(session);
+ return rc;
+}
+
+/* TSS_PO_ContextSave() saves the name of an object in a filename that is a hash of the contextBlob.
+
+ This permits the name to be found during ContextLoad.
+*/
+
+static TPM_RC TSS_PO_ContextSave(TSS_CONTEXT *tssContext,
+ ContextSave_In *in,
+ ContextSave_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+#ifndef TPM_TSS_NOFILE
+ TPMT_HA cpHash; /* largest size of a digest */
+ char string[65]; /* sha256 hash * 2 + 1 */
+ TPM_HT handleType;
+ int done = FALSE;
+#endif
+
+ in = in;
+ extra = extra;
+
+#ifndef TPM_TSS_NOFILE
+ if (tssVverbose) printf("TSS_PO_ContextSave: handle %08x\n", in->saveHandle);
+ /* only for objects and sequence objects, not sessions */
+ if (rc == 0) {
+ handleType = (TPM_HT) ((in->saveHandle & HR_RANGE_MASK) >> HR_SHIFT);
+ if (handleType != TPM_HT_TRANSIENT) {
+ done = TRUE;
+ }
+ }
+ if ((rc == 0) && !done) {
+ cpHash.hashAlg = TPM_ALG_SHA256; /* arbitrary choice */
+ rc = TSS_Hash_Generate(&cpHash,
+ out->context.contextBlob.b.size, out->context.contextBlob.b.buffer,
+ 0, NULL);
+ }
+ /* convert a hash of the context blob to a string */
+ if ((rc == 0) && !done) {
+ rc = TSS_HashToString(string, cpHash.digest.sha256);
+ }
+ if ((rc == 0) && !done) {
+ rc = TSS_Name_Copy(tssContext,
+ 0, string, /* to context */
+ in->saveHandle, NULL); /* from handle */
+ }
+ /* get the public key of the object being context saved */
+ /* save the public key under the context */
+ if ((rc == 0) && !done) {
+ rc = TSS_Public_Copy(tssContext,
+ 0,
+ string,
+ in->saveHandle,
+ NULL);
+ }
+#else
+ tssContext = tssContext;
+ out = out;
+#endif
+ return rc;
+}
+
+static TPM_RC TSS_PO_ContextLoad(TSS_CONTEXT *tssContext,
+ ContextLoad_In *in,
+ ContextLoad_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+#ifndef TPM_TSS_NOFILE
+ TPMT_HA cpHash; /* largest size of a digest */
+ char string[65]; /* sha256 hash * 2 + 1 */
+ TPM_HT handleType;
+ int done = FALSE;
+#endif
+
+ out = out;
+ extra = extra;
+
+#ifndef TPM_TSS_NOFILE
+ if (tssVverbose) printf("TSS_PO_ContextLoad: handle %08x\n", out->loadedHandle);
+ /* only for objects and sequence objects, not sessions */
+ if (rc == 0) {
+ handleType = (TPM_HT) ((out->loadedHandle & HR_RANGE_MASK) >> HR_SHIFT);
+ if (handleType != TPM_HT_TRANSIENT) {
+ done = TRUE;
+ }
+ }
+ if ((rc == 0) && !done) {
+ cpHash.hashAlg = TPM_ALG_SHA256; /* arbitrary choice */
+ rc = TSS_Hash_Generate(&cpHash,
+ in->context.contextBlob.b.size, in->context.contextBlob.b.buffer,
+ 0, NULL);
+ }
+ /* convert a hash of the context blob to a string */
+ if ((rc == 0) && !done) {
+ rc = TSS_HashToString(string, cpHash.digest.sha256);
+ }
+ /* get the Name of the object being context loaded */
+ /* write the name with the loaded context's handle */
+ if ((rc == 0) && !done) {
+ rc = TSS_Name_Copy(tssContext,
+ out->loadedHandle, NULL, /* to handle */
+ 0, string); /* from context */
+ }
+ /* get the public key of the object being context loaded */
+ /* write the public key with the loaded context's handle */
+ if ((rc == 0) && !done) {
+ rc = TSS_Public_Copy(tssContext,
+ out->loadedHandle,
+ NULL,
+ 0,
+ string);
+ }
+#else
+ tssContext = tssContext;
+ in = in;
+#endif
+ return rc;
+}
+
+/* TSS_HashToString() converts a SHA-256 binary hash (really any 32-byte value) to a string
+
+ string must be 65 bytes: 32*2 + 1
+
+ NOTE: Hard coded to SHA256
+*/
+
+#ifndef TPM_TSS_NOFILE
+
+static TPM_RC TSS_HashToString(char *str, uint8_t *digest)
+{
+ size_t i;
+
+ for (i = 0 ; i < SHA256_DIGEST_SIZE ; i++) {
+ sprintf(str +(i*2), "%02x", digest[i]);
+ }
+ if (tssVverbose) printf("TSS_HashToString: %s\n", str);
+ return 0;
+}
+
+#endif
+
+/* TSS_PO_FlushContext() removes persistent state associated with the handle */
+
+static TPM_RC TSS_PO_FlushContext(TSS_CONTEXT *tssContext,
+ FlushContext_In *in,
+ void *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ out = out;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PO_FlushContext: flushHandle %08x\n", in->flushHandle);
+ if (rc == 0) {
+ rc = TSS_DeleteHandle(tssContext, in->flushHandle);
+ }
+ return rc;
+}
+
+/* TSS_PO_EvictControl() removes persistent state associated with the handle */
+
+static TPM_RC TSS_PO_EvictControl(TSS_CONTEXT *tssContext,
+ EvictControl_In *in,
+ void *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ out = out;
+ extra = extra;
+
+ if (tssVverbose) printf("TSS_PO_EvictControl: object %08x persistent %08x\n",
+ in->objectHandle, in->persistentHandle);
+ /* if it successfully made a persistent copy */
+ if (in->objectHandle != in->persistentHandle) {
+ /* TPM2B_PUBLIC bPublic; */
+ if (rc == 0) {
+ rc = TSS_Name_Copy(tssContext,
+ in->persistentHandle, NULL, /* to persistent handle */
+ in->objectHandle, NULL); /* from transient handle */
+ }
+ /* get the transient object public key */
+ /* copy it to the persistent object public key */
+ if (rc == 0) {
+ rc = TSS_Public_Copy(tssContext,
+ in->persistentHandle,
+ NULL,
+ in->objectHandle,
+ NULL);
+ }
+ }
+ /* if it successfully evicted the persistent object */
+ else {
+ if (rc == 0) {
+ rc = TSS_DeleteHandle(tssContext, in->persistentHandle);
+ }
+ }
+ return rc;
+}
+
+/* TSS_PO_Load() saves the Name returned for the loaded object. It saves the TPM2B_PUBLIC */
+
+static TPM_RC TSS_PO_Load(TSS_CONTEXT *tssContext,
+ Load_In *in,
+ Load_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ in = in;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PO_Load: handle %08x\n", out->objectHandle);
+ /* use handle as file name */
+ if (rc == 0) {
+ rc = TSS_Name_Store(tssContext, &out->name, out->objectHandle, NULL);
+ }
+ if (rc == 0) {
+ rc = TSS_Public_Store(tssContext, &in->inPublic, out->objectHandle, NULL);
+ }
+ return rc;
+}
+
+/* TSS_PO_LoadExternal() saves the Name returned for the loaded object */
+
+static TPM_RC TSS_PO_LoadExternal(TSS_CONTEXT *tssContext,
+ LoadExternal_In *in,
+ LoadExternal_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ in = in;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PO_LoadExternal: handle %08x\n", out->objectHandle);
+ /* use handle as file name */
+ if (rc == 0) {
+ rc = TSS_Name_Store(tssContext, &out->name, out->objectHandle, NULL);
+ }
+ if (rc == 0) {
+ rc = TSS_Public_Store(tssContext, &in->inPublic, out->objectHandle, NULL);
+ }
+ return rc;
+}
+
+/* TSS_PO_ReadPublic() saves the Name returned for the loaded object */
+
+static TPM_RC TSS_PO_ReadPublic(TSS_CONTEXT *tssContext,
+ ReadPublic_In *in,
+ ReadPublic_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ in = in;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PO_ReadPublic: handle %08x\n", in->objectHandle);
+ /* if the TSS is compiled without crypto support, it cannot recalculate the Name from the public
+ area. It has to trust the response from the TPM. This should be OK since a 'no crypto' TSS
+ is used when there is a tructed path to the TPM. */
+#ifndef TPM_TSS_NOCRYPTO
+ /* validate the Name against the public area */
+ /* Name = nameAlg || HnameAlg (handle->publicArea)
+ where
+ nameAlg algorithm used to compute Name
+ HnameAlg hash using the nameAlg parameter in the object associated with handle
+ publicArea contents of the TPMT_PUBLIC associated with handle
+ */
+ {
+ TPM2B_NAME name;
+ if (rc == 0) {
+ rc = TSS_ObjectPublic_GetName(&name, &out->outPublic.publicArea);
+ }
+ if (rc == 0) {
+ if (name.t.size != out->name.t.size) {
+ if (tssVerbose)
+ printf("TSS_PO_ReadPublic: TPMT_PUBLIC does not match TPM2B_NAME\n");
+ rc = TSS_RC_MALFORMED_PUBLIC;
+ }
+ else {
+ int irc;
+ irc = memcmp(name.t.name, out->name.t.name, out->name.t.size);
+ if (irc != 0) {
+ if (tssVerbose)
+ printf("TSS_PO_ReadPublic: TPMT_PUBLIC does not match TPM2B_NAME\n");
+ rc = TSS_RC_MALFORMED_PUBLIC;
+ }
+ }
+ }
+ }
+#endif
+ /* use handle as file name */
+ if (rc == 0) {
+ rc = TSS_Name_Store(tssContext, &out->name, in->objectHandle, NULL);
+ }
+ if (rc == 0) {
+ rc = TSS_Public_Store(tssContext, &out->outPublic, in->objectHandle, NULL);
+ }
+ return rc;
+}
+
+/* TSS_PO_Load() saves the Name returned for the loaded object. It saves the TPM2B_PUBLIC */
+
+static TPM_RC TSS_PO_CreateLoaded(TSS_CONTEXT *tssContext,
+ CreateLoaded_In *in,
+ CreateLoaded_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ in = in;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PO_CreateLoaded: handle %08x\n", out->objectHandle);
+ /* use handle as file name */
+ if (rc == 0) {
+ rc = TSS_Name_Store(tssContext, &out->name, out->objectHandle, NULL);
+ }
+ if (rc == 0) {
+ rc = TSS_Public_Store(tssContext, &out->outPublic, out->objectHandle, NULL);
+ }
+ return rc;
+}
+
+/* TSS_PO_HashSequenceStart() saves the Name returned for the started sequence object */
+
+static TPM_RC TSS_PO_HashSequenceStart(TSS_CONTEXT *tssContext,
+ HashSequenceStart_In *in,
+ HashSequenceStart_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ TPM2B_NAME name;
+
+ in = in;
+ extra = extra;
+
+ if (tssVverbose) printf("TSS_PO_HashSequenceStart\n");
+ /* Part 1 Table 3 The Name of a sequence object is an Empty Buffer */
+ if (rc == 0) {
+ name.b.size = 0;
+ /* use handle as file name */
+ rc = TSS_Name_Store(tssContext, &name, out->sequenceHandle, NULL);
+ }
+ return rc;
+}
+
+
+/* TSS_PO_HMAC_Start() saves the Name returned for the started sequence object */
+
+static TPM_RC TSS_PO_HMAC_Start(TSS_CONTEXT *tssContext,
+ HMAC_Start_In *in,
+ HMAC_Start_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ TPM2B_NAME name;
+
+ in = in;
+ extra = extra;
+
+ if (tssVverbose) printf("TSS_PO_HMAC_Start\n");
+ /* Part 1 Table 3 The Name of a sequence object is an Empty Buffer */
+ if (rc == 0) {
+ name.b.size = 0;
+ /* use handle as file name */
+ rc = TSS_Name_Store(tssContext, &name, out->sequenceHandle, NULL);
+ }
+ return rc;
+}
+
+static TPM_RC TSS_PO_SequenceComplete(TSS_CONTEXT *tssContext,
+ SequenceComplete_In *in,
+ SequenceComplete_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ out = out;
+ extra = extra;
+
+ if (tssVverbose) printf("TSS_PO_SequenceComplete: sequenceHandle %08x\n", in->sequenceHandle);
+ if (rc == 0) {
+ rc = TSS_DeleteHandle(tssContext, in->sequenceHandle);
+ }
+ return rc;
+}
+static TPM_RC TSS_PO_EventSequenceComplete(TSS_CONTEXT *tssContext,
+ EventSequenceComplete_In *in,
+ EventSequenceComplete_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ out = out;
+ extra = extra;
+ if (tssVverbose)
+ printf("TSS_PO_EventSequenceComplete: sequenceHandle %08x\n", in->sequenceHandle);
+ if (rc == 0) {
+ rc = TSS_DeleteHandle(tssContext, in->sequenceHandle);
+ }
+ return rc;
+}
+
+static TPM_RC TSS_PO_PolicyAuthValue(TSS_CONTEXT *tssContext,
+ PolicyAuthValue_In *in,
+ void *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ struct TSS_HMAC_CONTEXT *session = NULL;
+
+ out = out;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PO_PolicyAuthValue\n");
+ if (rc == 0) {
+ rc = TSS_Malloc((unsigned char **)&session, sizeof(TSS_HMAC_CONTEXT)); /* freed @1 */
+ }
+ if (rc == 0) {
+ rc = TSS_HmacSession_LoadSession(tssContext, session, in->policySession);
+ }
+ if (rc == 0) {
+ session->isPasswordNeeded = FALSE;
+ session->isAuthValueNeeded = TRUE;
+ rc = TSS_HmacSession_SaveSession(tssContext, session);
+ }
+ free(session); /* @1 */
+ return rc;
+}
+
+static TPM_RC TSS_PO_PolicyPassword(TSS_CONTEXT *tssContext,
+ PolicyPassword_In *in,
+ void *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+ struct TSS_HMAC_CONTEXT *session = NULL;
+
+ out = out;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PO_PolicyPassword\n");
+ if (rc == 0) {
+ rc = TSS_Malloc((unsigned char **)&session, sizeof(TSS_HMAC_CONTEXT)); /* freed @1 */
+ }
+ if (rc == 0) {
+ rc = TSS_HmacSession_LoadSession(tssContext, session, in->policySession);
+ }
+ if (rc == 0) {
+ session->isPasswordNeeded = TRUE;
+ session->isAuthValueNeeded = FALSE;
+ rc = TSS_HmacSession_SaveSession(tssContext, session);
+ }
+ free(session); /* @1 */
+ return rc;
+}
+
+static TPM_RC TSS_PO_CreatePrimary(TSS_CONTEXT *tssContext,
+ CreatePrimary_In *in,
+ CreatePrimary_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ in = in;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PO_CreatePrimary: handle %08x\n", out->objectHandle);
+ /* use handle as file name */
+ if (rc == 0) {
+ rc = TSS_Name_Store(tssContext, &out->name, out->objectHandle, NULL);
+ }
+ if (rc == 0) {
+ rc = TSS_Public_Store(tssContext, &out->outPublic, out->objectHandle, NULL);
+ }
+ return rc;
+}
+
+static TPM_RC TSS_PO_NV_DefineSpace(TSS_CONTEXT *tssContext,
+ NV_DefineSpace_In *in,
+ void *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ if (tssVverbose) printf("TSS_PO_NV_DefineSpace\n");
+#ifndef TPM_TSS_NOCRYPTO
+ {
+ TPM2B_NAME name;
+ /* calculate the Name from the input public area */
+ /* Name = nameAlg || HnameAlg (handle->nvPublicArea)
+ where
+ nameAlg algorithm used to compute Name
+ HnameAlg hash using the nameAlg parameter in the NV Index location associated with handle
+ nvPublicArea contents of the TPMS_NV_PUBLIC associated with handle
+ */
+ /* calculate the Name from the input TPMS_NV_PUBLIC */
+ if (rc == 0) {
+ rc = TSS_NVPublic_GetName(&name, &in->publicInfo.nvPublic);
+ }
+ /* use handle as file name */
+ if (rc == 0) {
+ rc = TSS_Name_Store(tssContext, &name, in->publicInfo.nvPublic.nvIndex, NULL);
+ }
+ if (rc == 0) {
+ rc = TSS_NVPublic_Store(tssContext, &in->publicInfo.nvPublic,
+ in->publicInfo.nvPublic.nvIndex);
+ }
+ }
+#else
+ tssContext = tssContext;
+ in = in;
+#endif
+ out = out;
+ extra = extra;
+ return rc;
+}
+
+
+static TPM_RC TSS_PO_NV_ReadPublic(TSS_CONTEXT *tssContext,
+ NV_ReadPublic_In *in,
+ NV_ReadPublic_Out *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ if (tssVverbose) printf("TSS_PO_NV_ReadPublic\n");
+
+ /* validate the Name against the public area */
+ /* Name = nameAlg || HnameAlg (handle->nvPublicArea)
+ where
+ nameAlg algorithm used to compute Name
+ HnameAlg hash using the nameAlg parameter in the NV Index location associated with handle
+ nvPublicArea contents of the TPMS_NV_PUBLIC associated with handle
+ */
+#ifndef TPM_TSS_NOCRYPTO
+ {
+ TPM2B_NAME name;
+ /* calculate the Name from the TPMS_NV_PUBLIC */
+ if (rc == 0) {
+ rc = TSS_NVPublic_GetName(&name, &out->nvPublic.nvPublic);
+ }
+ if (rc == 0) {
+ if (name.t.size != out->nvName.t.size) {
+ if (tssVerbose)
+ printf("TSS_PO_NV_ReadPublic: TPMT_NV_PUBLIC does not match TPM2B_NAME\n");
+ rc = TSS_RC_MALFORMED_NV_PUBLIC;
+ }
+ else {
+ int irc;
+ irc = memcmp(name.t.name, out->nvName.t.name, out->nvName.t.size);
+ if (irc != 0) {
+ if (tssVerbose)
+ printf("TSS_PO_NV_ReadPublic: TPMT_NV_PUBLIC does not match TPM2B_NAME\n");
+ rc = TSS_RC_MALFORMED_NV_PUBLIC;
+ }
+ }
+ }
+ /* use handle as file name */
+ if (rc == 0) {
+ rc = TSS_Name_Store(tssContext, &out->nvName, in->nvIndex, NULL);
+ }
+ if (rc == 0) {
+ rc = TSS_NVPublic_Store(tssContext, &out->nvPublic.nvPublic, in->nvIndex);
+ }
+ }
+#else
+ tssContext = tssContext;
+ in = in;
+ out = out;
+#endif
+ extra = extra;
+ return rc;
+}
+
+static TPM_RC TSS_PO_NV_UndefineSpace(TSS_CONTEXT *tssContext,
+ NV_UndefineSpace_In *in,
+ void *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ out = out;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PO_NV_UndefineSpace\n");
+#ifndef TPM_TSS_NOCRYPTO
+ /* Don't check return code. */
+ TSS_DeleteHandle(tssContext, in->nvIndex);
+ TSS_NVPublic_Delete(tssContext, in->nvIndex);
+#else
+ tssContext = tssContext;
+ in = in;
+#endif
+ return rc;
+}
+
+static TPM_RC TSS_PO_NV_UndefineSpaceSpecial(TSS_CONTEXT *tssContext,
+ NV_UndefineSpaceSpecial_In *in,
+ void *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ out = out;
+ extra = extra;
+ if (tssVverbose) printf("TSS_PO_NV_UndefineSpaceSpecial\n");
+ /* Don't check return code. The name will only exist if NV_ReadPublic has been issued */
+ TSS_DeleteHandle(tssContext, in->nvIndex);
+ TSS_NVPublic_Delete(tssContext, in->nvIndex);
+ return rc;
+}
+
+/* TSS_PO_NV_Write() handles the Name and NVPublic update for the 4 NV write commands: write,
+ increment, extend, and setbits */
+
+static TPM_RC TSS_PO_NV_Write(TSS_CONTEXT *tssContext,
+ NV_Write_In *in,
+ void *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ if (tssVverbose) printf("TSS_PO_NV_Write, Increment, Extend, SetBits:\n");
+
+#ifndef TPM_TSS_NOCRYPTO
+ {
+ TPMS_NV_PUBLIC nvPublic;
+ TPM2B_NAME name; /* new name */
+
+ if (rc == 0) {
+ rc = TSS_NVPublic_Load(tssContext, &nvPublic, in->nvIndex);
+ }
+ /* if the previous store had written clear */
+ if (!(nvPublic.attributes.val & TPMA_NVA_WRITTEN)) {
+ if (rc == 0) {
+ /* set the written bit */
+ nvPublic.attributes.val |= TPMA_NVA_WRITTEN;
+ /* save the TPMS_NV_PUBLIC */
+ rc = TSS_NVPublic_Store(tssContext, &nvPublic, in->nvIndex);
+ }
+ /* calculate the name */
+ if (rc == 0) {
+ rc = TSS_NVPublic_GetName(&name, &nvPublic);
+ }
+ /* save the name */
+ if (rc == 0) {
+ /* use handle as file name */
+ rc = TSS_Name_Store(tssContext, &name, in->nvIndex, NULL);
+ }
+ /* if there is a failure. delete the name and NVPublic */
+ if (rc != 0) {
+ TSS_DeleteHandle(tssContext, in->nvIndex);
+ TSS_NVPublic_Delete(tssContext, in->nvIndex);
+ }
+ }
+ }
+#else
+ tssContext = tssContext;
+ in = in;
+#endif
+ out = out;
+ extra = extra;
+ return rc;
+}
+
+/* TSS_PO_NV_WriteLock() handles the Name and NVPublic update for the write lock command */
+
+static TPM_RC TSS_PO_NV_WriteLock(TSS_CONTEXT *tssContext,
+ NV_WriteLock_In *in,
+ void *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ if (tssVverbose) printf("TSS_PO_NV_WriteLock:\n");
+
+#ifndef TPM_TSS_NOCRYPTO
+ {
+ TPMS_NV_PUBLIC nvPublic;
+ TPM2B_NAME name; /* new name */
+
+ if (rc == 0) {
+ rc = TSS_NVPublic_Load(tssContext, &nvPublic, in->nvIndex);
+ }
+ /* if the previous store had write lock clear */
+ if (!(nvPublic.attributes.val & TPMA_NVA_WRITELOCKED)) {
+ if (rc == 0) {
+ /* set the write lock bit */
+ nvPublic.attributes.val |= TPMA_NVA_WRITELOCKED;
+ /* save the TPMS_NV_PUBLIC */
+ rc = TSS_NVPublic_Store(tssContext, &nvPublic, in->nvIndex);
+ }
+ /* calculate the name */
+ if (rc == 0) {
+ rc = TSS_NVPublic_GetName(&name, &nvPublic);
+ }
+ /* save the name */
+ if (rc == 0) {
+ /* use handle as file name */
+ rc = TSS_Name_Store(tssContext, &name, in->nvIndex, NULL);
+ }
+ /* if there is a failure. delete the name and NVPublic */
+ if (rc != 0) {
+ TSS_DeleteHandle(tssContext, in->nvIndex);
+ TSS_NVPublic_Delete(tssContext, in->nvIndex);
+ }
+ }
+ }
+#else
+ tssContext = tssContext;
+ in = in;
+#endif
+ out = out;
+ extra = extra;
+ return rc;
+}
+
+/* TSS_PO_NV_WriteLock() handles the Name and NVPublic update for the read lock command */
+
+static TPM_RC TSS_PO_NV_ReadLock(TSS_CONTEXT *tssContext,
+ NV_ReadLock_In *in,
+ void *out,
+ void *extra)
+{
+ TPM_RC rc = 0;
+
+ if (tssVverbose) printf("TSS_PO_NV_ReadLock:");
+
+#ifndef TPM_TSS_NOCRYPTO
+ {
+ TPMS_NV_PUBLIC nvPublic;
+ TPM2B_NAME name; /* new name */
+
+ if (rc == 0) {
+ rc = TSS_NVPublic_Load(tssContext, &nvPublic, in->nvIndex);
+ }
+ /* if the previous store had read lock clear */
+ if (!(nvPublic.attributes.val & TPMA_NVA_READLOCKED)) {
+ if (rc == 0) {
+ /* set the read lock bit */
+ nvPublic.attributes.val |= TPMA_NVA_READLOCKED;
+ /* save the TPMS_NV_PUBLIC */
+ rc = TSS_NVPublic_Store(tssContext, &nvPublic, in->nvIndex);
+ }
+ /* calculate the name */
+ if (rc == 0) {
+ rc = TSS_NVPublic_GetName(&name, &nvPublic);
+ }
+ /* save the name */
+ if (rc == 0) {
+ /* use handle as file name */
+ rc = TSS_Name_Store(tssContext, &name, in->nvIndex, NULL);
+ }
+ /* if there is a failure. delete the name and NVPublic */
+ if (rc != 0) {
+ TSS_DeleteHandle(tssContext, in->nvIndex);
+ TSS_NVPublic_Delete(tssContext, in->nvIndex);
+ }
+ }
+ }
+#else
+ tssContext = tssContext;
+ in = in;
+#endif
+ out = out;
+ extra = extra;
+ return rc;
+}
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/tss20.h b/libstb/tss2/ibmtpm20tss/utils/tss20.h
new file mode 100644
index 0000000..2e3e2b0
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tss20.h
@@ -0,0 +1,58 @@
+/********************************************************************************/
+/* */
+/* TSS TPM 2.0 API */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id:tss.h 656 2016-06-28 16:49:29Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TSS20_H
+#define TSS20_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ TPM_RC TSS_Execute20(TSS_CONTEXT *tssContext,
+ RESPONSE_PARAMETERS *out,
+ COMMAND_PARAMETERS *in,
+ EXTRA_PARAMETERS *extra,
+ TPM_CC commandCode,
+ va_list ap);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
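Review bot: tss20.h is not self-contained: the single prototype uses `TPM_RC`, `TSS_CONTEXT`, `RESPONSE_PARAMETERS`, `COMMAND_PARAMETERS`, `EXTRA_PARAMETERS`, `TPM_CC` and `va_list`, yet the header includes nothing, so it compiles only if the including .c file happens to have pulled those names in first. Adding `#include <stdarg.h>` and `#include <ibmtss/tss.h>` after the include guard (tssauth.h in this same commit includes the latter for the same parameter types) would let the header be included first in its own translation unit, which is the usual way to prove a header stands alone. As a minor point of style, the `$Id:tss.h` tag no longer matches the file name and the prototype is indented one level where the rest of the header is at column 0.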
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssauth.c b/libstb/tss2/ibmtpm20tss/utils/tssauth.c
new file mode 100644
index 0000000..40e9602
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssauth.c
@@ -0,0 +1,161 @@
+/********************************************************************************/
+/* */
+/* Common TPM 1.2 and TPM 2.0 TSS Authorization */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This layer handles command and response packet authorization parameters. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tsstransmit.h>
+#include "tssproperties.h"
+#include <ibmtss/tssresponsecode.h>
+
+#include "tssauth.h"
+
+extern int tssVerbose;
+extern int tssVverbose;
+
+/* TSS_AuthCreate() allocates and initializes a TSS_AUTH_CONTEXT */
+
+TPM_RC TSS_AuthCreate(TSS_AUTH_CONTEXT **tssAuthContext)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_Malloc((uint8_t **)tssAuthContext, sizeof(TSS_AUTH_CONTEXT));
+ }
+ if (rc == 0) {
+ TSS_InitAuthContext(*tssAuthContext);
+ }
+ return rc;
+}
+
+/* TSS_InitAuthContext() sets initial values for an allocated TSS_AUTH_CONTEXT */
+
+void TSS_InitAuthContext(TSS_AUTH_CONTEXT *tssAuthContext)
+{
+ memset(tssAuthContext->commandBuffer, 0, sizeof(tssAuthContext->commandBuffer));
+ memset(tssAuthContext->responseBuffer, 0, sizeof(tssAuthContext->responseBuffer));
+ tssAuthContext->commandText = NULL;
+ tssAuthContext->commandCode = 0;
+ tssAuthContext->responseCode = 0;
+ tssAuthContext->commandHandleCount = 0;
+ tssAuthContext->responseHandleCount = 0;
+ tssAuthContext->authCount = 0;
+ tssAuthContext->commandSize = 0;
+ tssAuthContext->cpBufferSize = 0;
+ tssAuthContext->cpBuffer = NULL;
+ tssAuthContext->responseSize = 0;
+ tssAuthContext->marshalInFunction = NULL;
+ tssAuthContext->unmarshalOutFunction = NULL;
+#ifndef TPM_TSS_NOCMDCHECK
+ tssAuthContext->unmarshalInFunction = NULL;
+#endif
+#ifdef TPM_TPM12
+ tssAuthContext->sessionNumber = 0xffff; /* no encrypt sessions */
+ tssAuthContext->encAuthOffset0 = 0;
+ tssAuthContext->encAuthOffset1 = 0;
+#endif
+ return;
+}
+
+/* TSS_AuthDelete() re-initializes and then frees an allocated TSS_AUTH_CONTEXT */
+
+TPM_RC TSS_AuthDelete(TSS_AUTH_CONTEXT *tssAuthContext)
+{
+ if (tssAuthContext != NULL) {
+ TSS_InitAuthContext(tssAuthContext);
+ free(tssAuthContext);
+ }
+ return 0;
+}
+
+TPM_CC TSS_GetCommandCode(TSS_AUTH_CONTEXT *tssAuthContext)
+{
+ TPM_CC commandCode = tssAuthContext->commandCode;
+ return commandCode;
+}
+
+TPM_RC TSS_GetCpBuffer(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t *cpBufferSize,
+ uint8_t **cpBuffer)
+{
+ *cpBufferSize = tssAuthContext->cpBufferSize;
+ *cpBuffer = tssAuthContext->cpBuffer;
+ return 0;
+}
+
+/* TSS_GetCommandHandleCount() returns the number of handles in the command area */
+
+TPM_RC TSS_GetCommandHandleCount(TSS_AUTH_CONTEXT *tssAuthContext,
+ size_t *commandHandleCount)
+{
+ *commandHandleCount = tssAuthContext->commandHandleCount;
+ return 0;
+}
+
+TPM_RC TSS_AuthExecute(TSS_CONTEXT *tssContext)
+{
+ TPM_RC rc = 0;
+ if (tssVverbose) printf("TSS_AuthExecute: Executing %s\n",
+ tssContext->tssAuthContext->commandText);
+ /* transmit the command and receive the response. Normally returns the TPM response code. */
+ if (rc == 0) {
+ rc = TSS_Transmit(tssContext,
+ tssContext->tssAuthContext->responseBuffer,
+ &tssContext->tssAuthContext->responseSize,
+ tssContext->tssAuthContext->commandBuffer,
+ tssContext->tssAuthContext->commandSize,
+ tssContext->tssAuthContext->commandText);
+ }
+ return rc;
+}
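Review bot: TSS_AuthDelete zeroes the context through TSS_InitAuthContext and then immediately calls `free()`, and the two plain `memset` calls on `commandBuffer` and `responseBuffer` are exactly the dead stores a compiler is allowed to drop, so if those buffers ever hold authorization or session material (what they carry is not visible here) it can survive in freed heap memory. Under the existing `TPM_POSIX`/`TPM_WINDOWS` conditionals the clears could use `explicit_bzero` and `SecureZeroMemory` respectively, or a helper that writes through a `volatile` function pointer, so the intent to scrub is honoured. Separately, TSS_InitAuthContext never resets `tpmCommandIndex` even though tssauth.h asks that this function be updated whenever the structure changes; adding `tssAuthContext->tpmCommandIndex = 0;` (or the table's not-found sentinel, if one is defined) next to `commandCode = 0;` keeps a reused context from carrying a stale table index. The duplicated `#include <stdio.h>` in this file is repeated in tssauth12.c and can be dropped in both.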
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssauth.h b/libstb/tss2/ibmtpm20tss/utils/tssauth.h
new file mode 100644
index 0000000..9d52c53
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssauth.h
@@ -0,0 +1,104 @@
+/********************************************************************************/
+/* */
+/* TSS Authorization */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssauth.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is not a public header. It should not be used by applications. */
+
+#ifndef TSS_AUTH_H
+#define TSS_AUTH_H
+
+#include <ibmtss/tss.h>
+#include "tssccattributes.h"
+
+/* Generic functions to marshal and unmarshal Part 3 ordinal command and response parameters */
+
+typedef TPM_RC (*MarshalInFunction_t)(COMMAND_PARAMETERS *source,
+ uint16_t *written, BYTE **buffer, uint32_t *size);
+typedef TPM_RC (*UnmarshalOutFunction_t)(RESPONSE_PARAMETERS *target,
+ TPM_ST tag, BYTE **buffer, uint32_t *size);
+typedef TPM_RC (*UnmarshalInFunction_t)(COMMAND_PARAMETERS *target,
+ BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+
+/* The context for the entire command processor. Update TSS_InitAuthContext() when changing
+ this structure */
+
+typedef struct TSS_AUTH_CONTEXT {
+ uint8_t commandBuffer [MAX_COMMAND_SIZE];
+ uint8_t responseBuffer [MAX_RESPONSE_SIZE];
+ const char *commandText;
+ COMMAND_INDEX tpmCommandIndex; /* index into attributes table */
+ TPM_CC commandCode;
+ TPM_RC responseCode;
+ size_t commandHandleCount;
+ uint32_t responseHandleCount;
+ uint16_t authCount; /* authorizations in command */
+ uint16_t commandSize;
+ uint32_t cpBufferSize;
+ uint8_t *cpBuffer;
+ uint32_t responseSize;
+ MarshalInFunction_t marshalInFunction;
+ UnmarshalOutFunction_t unmarshalOutFunction;
+#ifndef TPM_TSS_NOCMDCHECK /* disable command parameter checking */
+ UnmarshalInFunction_t unmarshalInFunction;
+#endif
+#ifdef TPM_TPM12
+ uint16_t sessionNumber; /* session used for ADIP, zero based */
+ int16_t encAuthOffset0; /* offset to first TPM_ENCAUTH parameter */
+ int16_t encAuthOffset1; /* offset to second TPM_ENCAUTH parameter if not NULL */
+#endif
+} TSS_AUTH_CONTEXT;
+
+TPM_RC TSS_AuthCreate(TSS_AUTH_CONTEXT **tssAuthContext);
+
+void TSS_InitAuthContext(TSS_AUTH_CONTEXT *tssAuthContext);
+
+TPM_RC TSS_AuthDelete(TSS_AUTH_CONTEXT *tssAuthContext);
+
+TPM_CC TSS_GetCommandCode(TSS_AUTH_CONTEXT *tssAuthContext);
+
+TPM_RC TSS_GetCpBuffer(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t *cpBufferSize,
+ uint8_t **cpBuffer);
+
+
+TPM_RC TSS_GetCommandHandleCount(TSS_AUTH_CONTEXT *tssAuthContext,
+ size_t *commandHandleCount);
+
+TPM_RC TSS_AuthExecute(TSS_CONTEXT *tssContext);
+
+#endif
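Review bot: The prototypes for TSS_AuthCreate, TSS_AuthDelete and TSS_GetCpBuffer carry no ownership or lifetime documentation, even though this header is where a caller would look. I would add above TSS_AuthCreate `/* Allocates a TSS_AUTH_CONTEXT; release it with TSS_AuthDelete(), which re-initializes the context before free() */`, and above TSS_GetCpBuffer `/* cpBuffer is a pointer into tssAuthContext->commandBuffer, not a copy; it is valid only while the context is alive and its command area unchanged */` (the interior-pointer fact follows from how `cpBuffer` is assigned in tssauth12.c in this commit). It is also worth a comment on `commandSize` that it is deliberately `uint16_t` while `responseSize` and `cpBufferSize` are `uint32_t`, since the mixed widths are otherwise surprising to a reader of the arithmetic that derives `cpBufferSize` from it.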
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssauth12.c b/libstb/tss2/ibmtpm20tss/utils/tssauth12.c
new file mode 100644
index 0000000..1787618
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssauth12.c
@@ -0,0 +1,746 @@
+/********************************************************************************/
+/* */
+/* TPM 1.2 TSS Authorization */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This layer handles command and response packet authorization parameters. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+#include <ibmtss/tsstransmit.h>
+#include "tssproperties.h"
+#include <ibmtss/tssresponsecode.h>
+
+#include <ibmtss/tpmtypes12.h>
+#include <ibmtss/tpmconstants12.h>
+#include <ibmtss/tssmarshal12.h>
+#include <ibmtss/Unmarshal12_fp.h>
+
+#include "tssauth12.h"
+
+extern int tssVerbose;
+extern int tssVverbose;
+
+typedef struct MARSHAL_TABLE {
+ TPM_CC commandCode;
+ const char *commandText;
+ MarshalInFunction_t marshalInFunction; /* marshal input command */
+ UnmarshalOutFunction_t unmarshalOutFunction; /* unmarshal output response */
+#ifndef TPM_TSS_NOCMDCHECK
+ UnmarshalInFunction_t unmarshalInFunction; /* unmarshal input command for parameter
+ checking */
+#endif
+} MARSHAL_TABLE;
+
+static const MARSHAL_TABLE marshalTable12 [] = {
+
+ {TPM_ORD_ActivateIdentity,"TPM_ORD_ActivateIdentity",
+ (MarshalInFunction_t)TSS_ActivateIdentity_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_ActivateIdentity_Out_Unmarshalu,
+ (UnmarshalInFunction_t)ActivateIdentity_In_Unmarshal},
+
+ {TPM_ORD_ContinueSelfTest,"TPM_ORD_ContinueSelfTest",
+ (MarshalInFunction_t)NULL,
+ (UnmarshalOutFunction_t)NULL,
+ (UnmarshalInFunction_t)NULL},
+
+ {TPM_ORD_CreateEndorsementKeyPair,"TPM_ORD_CreateEndorsementKeyPair",
+ (MarshalInFunction_t)TSS_CreateEndorsementKeyPair_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_CreateEndorsementKeyPair_Out_Unmarshalu,
+ (UnmarshalInFunction_t)CreateEndorsementKeyPair_In_Unmarshal},
+
+ {TPM_ORD_CreateWrapKey,"TPM_ORD_CreateWrapKey",
+ (MarshalInFunction_t)TSS_CreateWrapKey_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_CreateWrapKey_Out_Unmarshalu,
+ (UnmarshalInFunction_t)CreateWrapKey_In_Unmarshal},
+
+ {TPM_ORD_Extend,"TPM_ORD_Extend",
+ (MarshalInFunction_t)TSS_Extend_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Extend_Out_Unmarshalu,
+ (UnmarshalInFunction_t)Extend_In_Unmarshal},
+
+ {TPM_ORD_FlushSpecific,"TPM_ORD_FlushSpecific",
+ (MarshalInFunction_t)TSS_FlushSpecific_In_Marshalu,
+ (UnmarshalOutFunction_t)NULL,
+ (UnmarshalInFunction_t)FlushSpecific_In_Unmarshal},
+
+ {TPM_ORD_GetCapability,"TPM_ORD_GetCapability",
+ (MarshalInFunction_t)TSS_GetCapability12_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_GetCapability12_Out_Unmarshalu,
+ (UnmarshalInFunction_t)GetCapability12_In_Unmarshal},
+
+ {TPM_ORD_LoadKey2,"TPM_ORD_LoadKey2",
+ (MarshalInFunction_t)TSS_LoadKey2_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_LoadKey2_Out_Unmarshalu,
+ (UnmarshalInFunction_t)LoadKey2_In_Unmarshal},
+
+ {TPM_ORD_MakeIdentity,"TPM_ORD_MakeIdentity",
+ (MarshalInFunction_t)TSS_MakeIdentity_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_MakeIdentity_Out_Unmarshalu,
+ (UnmarshalInFunction_t)MakeIdentity_In_Unmarshal},
+
+ {TPM_ORD_NV_DefineSpace,"TPM_ORD_NV_DefineSpace",
+ (MarshalInFunction_t)TSS_NV_DefineSpace12_In_Marshalu,
+ NULL,
+ (UnmarshalInFunction_t)NV_DefineSpace12_In_Unmarshal},
+
+ {TPM_ORD_NV_ReadValueAuth,"TPM_ORD_NV_ReadValueAuth",
+ (MarshalInFunction_t)TSS_NV_ReadValueAuth_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_NV_ReadValueAuth_Out_Unmarshalu,
+ (UnmarshalInFunction_t)NV_ReadValueAuth_In_Unmarshal},
+
+ {TPM_ORD_NV_ReadValue,"TPM_ORD_NV_ReadValue",
+ (MarshalInFunction_t)TSS_NV_ReadValue_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_NV_ReadValue_Out_Unmarshalu,
+ (UnmarshalInFunction_t)NV_ReadValue_In_Unmarshal},
+
+ {TPM_ORD_NV_WriteValue,"TPM_ORD_NV_WriteValue",
+ (MarshalInFunction_t)TSS_NV_WriteValue_In_Marshalu,
+ NULL,
+ (UnmarshalInFunction_t)NV_WriteValue_In_Unmarshal},
+
+ {TPM_ORD_NV_WriteValueAuth,"TPM_ORD_NV_WriteValueAuth",
+ (MarshalInFunction_t)TSS_NV_WriteValueAuth_In_Marshalu,
+ NULL,
+ (UnmarshalInFunction_t)NV_WriteValueAuth_In_Unmarshal},
+
+ {TPM_ORD_OIAP,"TPM_ORD_OIAP",
+ (MarshalInFunction_t)NULL,
+ (UnmarshalOutFunction_t)TSS_OIAP_Out_Unmarshalu,
+ (UnmarshalInFunction_t)NULL},
+
+ {TPM_ORD_OSAP,"TPM_ORD_OSAP",
+ (MarshalInFunction_t)TSS_OSAP_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_OSAP_Out_Unmarshalu,
+ (UnmarshalInFunction_t)OSAP_In_Unmarshal},
+
+ {TPM_ORD_OwnerReadInternalPub,"TPM_ORD_OwnerReadInternalPub",
+ (MarshalInFunction_t)TSS_OwnerReadInternalPub_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_OwnerReadInternalPub_Out_Unmarshalu,
+ (UnmarshalInFunction_t)OwnerReadInternalPub_In_Unmarshal},
+
+ {TPM_ORD_OwnerSetDisable,"TPM_ORD_OwnerSetDisable",
+ (MarshalInFunction_t)TSS_OwnerSetDisable_In_Marshalu,
+ NULL,
+ (UnmarshalInFunction_t)OwnerSetDisable_In_Unmarshal},
+
+ {TPM_ORD_MakeIdentity,"TPM_ORD_MakeIdentity",
+ (MarshalInFunction_t)TSS_MakeIdentity_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_MakeIdentity_Out_Unmarshalu,
+ (UnmarshalInFunction_t)MakeIdentity_In_Unmarshal},
+
+ {TPM_ORD_PcrRead,"TPM_ORD_PcrRead",
+ (MarshalInFunction_t)TSS_PcrRead12_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_PcrRead12_Out_Unmarshalu,
+ (UnmarshalInFunction_t)PcrRead12_In_Unmarshal},
+
+ {TPM_ORD_PCR_Reset,"TPM_ORD_PCR_Reset",
+ (MarshalInFunction_t)TSS_PCR_Reset12_In_Marshalu,
+ NULL,
+ (UnmarshalInFunction_t)PCR_Reset12_In_Unmarshal},
+
+ {TPM_ORD_Quote2,"TPM_ORD_Quote2",
+ (MarshalInFunction_t)TSS_Quote2_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Quote2_Out_Unmarshalu,
+ (UnmarshalInFunction_t)Quote2_In_Unmarshal},
+
+ {TPM_ORD_ReadPubek,"TPM_ORD_ReadPubek",
+ (MarshalInFunction_t)TSS_ReadPubek_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_ReadPubek_Out_Unmarshalu,
+ (UnmarshalInFunction_t)ReadPubek_In_Unmarshal},
+
+ {TPM_ORD_Sign,"TPM_ORD_Sign",
+ (MarshalInFunction_t)TSS_Sign12_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Sign12_Out_Unmarshalu,
+ (UnmarshalInFunction_t)Sign12_In_Unmarshal},
+
+ {TPM_ORD_Startup,"TPM_ORD_Startup",
+ (MarshalInFunction_t)TSS_Startup12_In_Marshalu,
+ NULL,
+ (UnmarshalInFunction_t)Startup12_In_Unmarshal},
+
+ {TPM_ORD_TakeOwnership,"TPM_ORD_TakeOwnership",
+ (MarshalInFunction_t)TSS_TakeOwnership_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_TakeOwnership_Out_Unmarshalu,
+ (UnmarshalInFunction_t)TakeOwnership_In_Unmarshal},
+
+ {TPM_ORD_Init,"TPM_ORD_Init",
+ NULL,
+ NULL,
+ NULL},
+};
+
+/* TSS_MarshalTable12_Process() indexes into the command marshal table, and saves the marshal and
+ unmarshal functions */
+
+
+static TPM_RC TSS_MarshalTable12_Process(TSS_AUTH_CONTEXT *tssAuthContext,
+ TPM_CC commandCode)
+{
+ TPM_RC rc = 0;
+ size_t index;
+ int found = FALSE;
+
+ /* get the command index in the dispatch table */
+ for (index = 0 ; index < (sizeof(marshalTable12) / sizeof(MARSHAL_TABLE)) ; (index)++) {
+ if (marshalTable12[index].commandCode == commandCode) {
+ found = TRUE;
+ break;
+ }
+ }
+ if (found) {
+ tssAuthContext->commandCode = commandCode;
+ tssAuthContext->commandText = marshalTable12[index].commandText;
+ tssAuthContext->marshalInFunction = marshalTable12[index].marshalInFunction;
+ tssAuthContext->unmarshalOutFunction = marshalTable12[index].unmarshalOutFunction;
+#ifndef TPM_TSS_NOCMDCHECK
+ tssAuthContext->unmarshalInFunction = marshalTable12[index].unmarshalInFunction;
+#endif
+ }
+ else {
+ if (tssVerbose) printf("TSS_MarshalTable12_Process: "
+ "commandCode %08x not found in marshal table\n",
+ commandCode);
+ rc = TSS_RC_COMMAND_UNIMPLEMENTED;
+ }
+ return rc;
+}
+
+/* TSS_Marshal12() marshals the input parameters into the TSS Authorization context.
+
+ It also sets other member of the context in preparation for the rest of the sequence.
+*/
+
+TPM_RC TSS_Marshal12(TSS_AUTH_CONTEXT *tssAuthContext,
+ COMMAND_PARAMETERS *in,
+ TPM_CC commandCode)
+{
+ TPM_RC rc = 0;
+ TPM_TAG tag = TPM_TAG_RQU_COMMAND; /* default until sessions are added */
+ uint8_t *buffer; /* for marshaling */
+ uint8_t *bufferu; /* for test unmarshaling */
+ uint32_t size;
+
+ /* index from command code to table and save marshal and unmarshal functions for this command */
+ if (rc == 0) {
+ rc = TSS_MarshalTable12_Process(tssAuthContext, commandCode);
+ }
+ /* get the number of command and response handles from the TPM table */
+ if (rc == 0) {
+ tssAuthContext->tpmCommandIndex = CommandCodeToCommandIndex12(commandCode);
+ if (tssAuthContext->tpmCommandIndex == UNIMPLEMENTED_COMMAND_INDEX) {
+ if (tssVerbose) printf("TSS_Marshal12: "
+ "commandCode %08x not found in command attributes table\n",
+ commandCode);
+ rc = TSS_RC_COMMAND_UNIMPLEMENTED;
+ }
+ }
+ if (rc == 0) {
+ tssAuthContext->commandHandleCount =
+ getCommandHandleCount12(tssAuthContext->tpmCommandIndex);
+ tssAuthContext->responseHandleCount =
+ getresponseHandleCount12(tssAuthContext->tpmCommandIndex);
+ }
+ if (rc == 0) {
+ /* make a copy of the command buffer and size since the marshal functions move them */
+ buffer = tssAuthContext->commandBuffer;
+ size = MAX_COMMAND_SIZE;
+ /* marshal header, preliminary tag and command size */
+ rc = TSS_UINT16_Marshalu(&tag, &tssAuthContext->commandSize, &buffer, &size);
+ }
+ if (rc == 0) {
+ uint32_t commandSize = tssAuthContext->commandSize;
+ rc = TSS_UINT32_Marshalu(&commandSize, &tssAuthContext->commandSize, &buffer, &size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&commandCode, &tssAuthContext->commandSize, &buffer, &size);
+ }
+ if (rc == 0) {
+ /* save pointer to marshaled data for test unmarshal */
+ bufferu = buffer +
+ tssAuthContext->commandHandleCount * sizeof(TPM_HANDLE);
+ /* if there is a marshal function */
+ if (tssAuthContext->marshalInFunction != NULL) {
+ /* if there is a structure to marshal */
+ if (in != NULL) {
+ rc = tssAuthContext->marshalInFunction(in, &tssAuthContext->commandSize,
+ &buffer, &size);
+ }
+ /* caller error, no structure supplied to marshal */
+ else {
+ if (tssVerbose)
+ printf("TSS_Marshal12: Command %08x requires command parameter structure\n",
+ commandCode);
+ rc = TSS_RC_IN_PARAMETER;
+ }
+ }
+ /* if there is no marshal function */
+ else {
+ /* caller error, supplied structure but there is no marshal function */
+ if (in != NULL) {
+ if (tssVerbose)
+ printf("TSS_Marshal12: Command %08x does not take command parameter structure\n",
+ commandCode);
+ rc = TSS_RC_IN_PARAMETER;
+ }
+ /* no marshal function and no command parameter structure is OK */
+ }
+ }
+#ifndef TPM_TSS_NOCMDCHECK
+ /* unmarshal to validate the input parameters */
+ if ((rc == 0) && (tssAuthContext->unmarshalInFunction != NULL)) {
+ COMMAND_PARAMETERS target;
+ TPM_HANDLE handles[MAX_HANDLE_NUM];
+ size = MAX_COMMAND_SIZE;
+ rc = tssAuthContext->unmarshalInFunction(&target, &bufferu, &size, handles);
+ if ((rc != 0) && tssVerbose) {
+ printf("TSS_Marshal12: Invalid command parameter\n");
+ }
+ }
+#endif
+ /* back fill the correct commandSize */
+ if (rc == 0) {
+ uint16_t written = 0; /* dummy */
+ uint32_t commandSize = tssAuthContext->commandSize;
+ buffer = tssAuthContext->commandBuffer + sizeof(TPMI_ST_COMMAND_TAG);
+ TSS_UINT32_Marshalu(&commandSize, &written, &buffer, NULL);
+ }
+ /* record the interim cpBuffer and cpBufferSize before adding authorizations */
+ if (rc == 0) {
+ uint32_t notCpBufferSize;
+
+ /* cpBuffer does not include the header and handles */
+ notCpBufferSize = sizeof(TPMI_ST_COMMAND_TAG) + sizeof (uint32_t) + sizeof(TPM_CC) +
+ (sizeof(TPM_HANDLE) * tssAuthContext->commandHandleCount);
+
+ tssAuthContext->cpBuffer = tssAuthContext->commandBuffer + notCpBufferSize;
+ tssAuthContext->cpBufferSize = tssAuthContext->commandSize - notCpBufferSize;
+ }
+ return rc;
+}
+
+/* TSS_Unmarshal12() unmarshals the response parameter.
+
+ It returns an error if either there is no unmarshal function and out is not NULL or if there is
+ an unmarshal function and out is not NULL.
+
+ If there is no unmarshal function and out is NULL, the function is a noop.
+*/
+
+TPM_RC TSS_Unmarshal12(TSS_AUTH_CONTEXT *tssAuthContext,
+ RESPONSE_PARAMETERS *out)
+{
+ TPM_RC rc = 0;
+ TPM_TAG tag;
+ uint8_t *buffer;
+ uint32_t size;
+
+ /* if there is an unmarshal function */
+ if (tssAuthContext->unmarshalOutFunction != NULL) {
+ /* if there is a structure to unmarshal */
+ if (out != NULL) {
+ if (rc == 0) {
+ /* get the response tag, determines whether there are response authorizations to
+ unmarshal */
+ /* tag not required for TPM 1.2, where there is no parameterSize to skip, but the
+ response unmarshal function uses a common prototype */
+ buffer = tssAuthContext->responseBuffer;
+ size = tssAuthContext->responseSize;
+ rc = TSS_TPM_TAG_Unmarshalu(&tag, &buffer, &size);
+ }
+ if (rc == 0) {
+ /* move the buffer and size past the header */
+ buffer = tssAuthContext->responseBuffer +
+ sizeof(TPM_TAG) + sizeof(uint32_t) + sizeof(TPM_RC);
+ size = tssAuthContext->responseSize -
+ (sizeof(TPM_TAG) + sizeof(uint32_t) + sizeof(TPM_RC));
+ rc = tssAuthContext->unmarshalOutFunction(out, tag, &buffer, &size);
+ }
+ }
+ /* caller error, no structure supplied to unmarshal */
+ else {
+ if (tssVerbose)
+ printf("TSS_Unmarshal12: Command %08x requires response parameter structure\n",
+ tssAuthContext->commandCode);
+ rc = TSS_RC_OUT_PARAMETER;
+ }
+ }
+ /* if there is no unmarshal function */
+ else {
+ /* caller error, structure supplied but no unmarshal function */
+ if (out != NULL) {
+ if (tssVerbose)
+ printf("TSS_Unmarshal12: Command %08x does not take response parameter structure\n",
+ tssAuthContext->commandCode);
+ rc = TSS_RC_OUT_PARAMETER;
+ }
+ /* no unmarshal function and no response parameter structure is OK */
+ }
+ return rc;
+}
+
+/* TSS_SetCmdAuths12() appends a list of TPMS_AUTH12_COMMAND structures to the command buffer. It
+ back fills the tag and paramSize.
+
+*/
+
+TPM_RC TSS_SetCmdAuths12(TSS_AUTH_CONTEXT *tssAuthContext,
+ size_t numSessions,
+ TPMS_AUTH12_COMMAND *authC[])
+{
+ TPM_RC rc = 0;
+ size_t i = 0;
+ TPM_TAG tag;
+ uint32_t cpBufferSize;
+ uint8_t *cpBuffer;
+ uint8_t *buffer;
+
+ if (rc == 0) {
+ /* record the number of authorizations for the response */
+ tssAuthContext->authCount = numSessions;
+ switch (numSessions) {
+ case 0:
+ tag = TPM_TAG_RQU_COMMAND;
+ break;
+ case 1:
+ tag = TPM_TAG_RQU_AUTH1_COMMAND;
+ break;
+ case 2:
+ tag = TPM_TAG_RQU_AUTH2_COMMAND;
+ break;
+ default:
+ if (tssVerbose) printf("TSS_SetCmdAuths12: Invalid number of sessions %u\n",
+ (unsigned int)numSessions);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ /* back fill the tag */
+ if (rc == 0) {
+ uint16_t written = 0; /* dummy */
+ buffer = tssAuthContext->commandBuffer;
+ TSS_UINT16_Marshalu(&tag, &written, &buffer, NULL);
+ }
+ /* get cpBuffer, command parameters */
+ if (rc == 0) {
+ rc = TSS_GetCpBuffer(tssAuthContext, &cpBufferSize, &cpBuffer);
+ }
+ /* index to the beginning of the authorization area, and range check the command buffer */
+ if (rc == 0) {
+ cpBuffer += cpBufferSize;
+ }
+ for (i = 0 ; (rc == 0) && (i < numSessions) ; i++) {
+ uint16_t written = 0;
+ uint32_t size = MAX_COMMAND_SIZE - cpBufferSize;
+ /* marshal authHandle */
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&authC[i]->sessionHandle, &written, &cpBuffer, &size);
+ }
+ /* marshal nonceOdd */
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(authC[i]->nonce, SHA1_DIGEST_SIZE,
+ &written, &cpBuffer, &size);
+ }
+ /* marshal attributes */
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&authC[i]->sessionAttributes.val, &written, &cpBuffer, &size);
+ }
+ /* marshal HMAC */
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(authC[i]->hmac, SHA1_DIGEST_SIZE,
+ &written, &cpBuffer, &size);
+ }
+ }
+ if (rc == 0) {
+ uint16_t written = 0; /* dummy */
+ uint32_t commandSize;
+ /* record command stream used size */
+ tssAuthContext->commandSize = cpBuffer - tssAuthContext->commandBuffer;
+ /* back fill the correct commandSize */
+ buffer = tssAuthContext->commandBuffer + sizeof(TPMI_ST_COMMAND_TAG);
+ commandSize = tssAuthContext->commandSize;
+ TSS_UINT32_Marshalu(&commandSize, &written, &buffer, NULL);
+ }
+ return rc;
+}
+
+/* TSS_GetRspAuths12() unmarshals a response buffer into a list of list of TPMS_AUTH12_RESPONSE
+ structures. This should not be called if the TPM returned a non-success response code.
+
+ Returns an error if the number of response auths requested is not equal to the number of command
+ auths, including zero.
+
+ If the response tag is TPM_TAG_RSP_COMMAND, the function is a noop (except for error checking).
+*/
+
+TPM_RC TSS_GetRspAuths12(TSS_AUTH_CONTEXT *tssAuthContext,
+ size_t numSessions,
+ TPMS_AUTH12_RESPONSE *authR[])
+{
+ TPM_RC rc = 0;
+ size_t i;
+ TPM_TAG tag;
+ uint32_t oneAuthAreaSize = SHA1_DIGEST_SIZE + 1 + SHA1_DIGEST_SIZE;
+ uint32_t authBufferSize;
+ uint8_t *authBuffer;
+
+ /* range check the response buffer size before the subtraction below */
+ if (rc == 0) {
+ if ((sizeof(TPM_TAG) + sizeof(uint32_t) + sizeof(TPM_RC) +
+ (numSessions * oneAuthAreaSize)) <= tssAuthContext->responseSize) {
+ authBufferSize = tssAuthContext->responseSize -
+ (sizeof(TPM_TAG) + sizeof(uint32_t) + sizeof(TPM_RC));
+ }
+ else {
+ if (tssVerbose) printf("TSS_GetRspAuths12: Invalid response size %u\n",
+ (unsigned int)tssAuthContext->responseSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ /* unmarshal the response tag */
+ if (rc == 0) {
+ uint32_t size = tssAuthContext->responseSize;
+ uint8_t *buffer = tssAuthContext->responseBuffer;
+ rc = TSS_TPM_TAG_Unmarshalu(&tag, &buffer, &size);
+ }
+ /* sanity check the response tag, range checking below */
+ if (rc == 0) {
+ switch (tag) {
+ case TPM_TAG_RSP_COMMAND:
+ if (numSessions != 0) {
+ if (tssVerbose) printf("TSS_GetRspAuths12: Invalid number of sessions %u\n",
+ (unsigned int)numSessions);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ break;
+ case TPM_TAG_RSP_AUTH1_COMMAND:
+ authBuffer = tssAuthContext->responseBuffer + tssAuthContext->responseSize /* end */
+ - oneAuthAreaSize; /* minus one auth area */
+ authBufferSize = oneAuthAreaSize;
+ if (numSessions != 1) {
+ if (tssVerbose) printf("TSS_GetRspAuths12: Invalid number of sessions %u\n",
+ (unsigned int)numSessions);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ break;
+ case TPM_TAG_RSP_AUTH2_COMMAND:
+ authBuffer = tssAuthContext->responseBuffer + tssAuthContext->responseSize /* end */
+ - oneAuthAreaSize - oneAuthAreaSize ; /* minus two auth areas */
+ authBufferSize = oneAuthAreaSize + oneAuthAreaSize;
+ if (numSessions != 2) {
+ if (tssVerbose) printf("TSS_GetRspAuths12: Invalid number of sessions %u\n",
+ (unsigned int)numSessions);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ break;
+ default:
+ if (tssVerbose) printf("TSS_GetRspAuths12: Bad tag %04x\n", tag);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ break;
+ }
+ }
+ /* unmarshal into the TPMS_AUTH12_RESPONSE structures */
+ for (i = 0 ; (rc == 0) && (i < numSessions) ; i++) {
+ /* TPM 1.2 has fixed size auth area - nonceEven + continue + auth HMAC */
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(authR[i]->nonce,
+ SHA1_DIGEST_SIZE, &authBuffer, &authBufferSize);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Unmarshalu(&authR[i]->sessionAttributes.val, &authBuffer, &authBufferSize);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(authR[i]->hmac,
+ SHA1_DIGEST_SIZE, &authBuffer, &authBufferSize);
+ }
+ }
+ return rc;
+}
+
+/* TSS_GetRpBuffer12() returns a pointer to the response parameter area.
+
+ NOTE could move to execute so it only has to be done once.
+*/
+
+TPM_RC TSS_GetRpBuffer12(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t *rpBufferSize,
+ uint8_t **rpBuffer,
+ size_t numSessions)
+{
+ TPM_RC rc = 0;
+ uint32_t headerSize = sizeof(TPM_TAG) + sizeof (uint32_t) + sizeof(TPM_RC) +
+ (sizeof(TPM_HANDLE) * tssAuthContext->responseHandleCount);
+ uint32_t oneAuthAreaSize = SHA1_DIGEST_SIZE + 1 + SHA1_DIGEST_SIZE;
+
+ if (rc == 0) {
+ *rpBuffer = tssAuthContext->responseBuffer + headerSize;
+
+ if (headerSize + (numSessions * oneAuthAreaSize) <= tssAuthContext->responseSize) {
+ *rpBufferSize =
+ tssAuthContext->responseSize - headerSize - (numSessions * oneAuthAreaSize);
+ }
+ else {
+ if (tssVerbose) printf("TSS_GetRpBuffer12: "
+ "response size %u too small for number of sessions %u\n",
+ tssAuthContext->responseSize, (unsigned int)numSessions);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ return rc;
+}
+
+/* TSS_SetEncAuth() are called from the TPM 1.2 command pre-processor to record the location(s) of
+ the encrypted authorizations.
+
+ Cannot range check here, because command parameters have not been marshaled yet.
+
+ NOTE: This is a bit of a hack, depending on the location being a fixed distance from the
+ beginning or end of the command buffer. It could break if there is both a variable size argument
+ before and a variable number of authorizations or variable size argument after the location.
+
+ If this occurs, the pointers nust be set during marshaling, but this is more intrusive, requiring
+ TSS_AUTH_CONTEXT to be passed into the marshaling code.
+
+*/
+
+TPM_RC TSS_SetEncAuthOffset0(TSS_AUTH_CONTEXT *tssAuthContext,
+ int16_t offset)
+{
+ tssAuthContext->encAuthOffset0 = offset;
+ return 0;
+}
+TPM_RC TSS_SetEncAuthOffset1(TSS_AUTH_CONTEXT *tssAuthContext,
+ int16_t offset)
+{
+ tssAuthContext->encAuthOffset1 = offset;
+ return 0;
+}
+TPM_RC TSS_GetEncAuths(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint8_t **encAuth0,
+ uint8_t **encAuth1)
+{
+ TPM_RC rc = 0;
+
+ if (tssAuthContext->encAuthOffset0 > 0) {
+ if ((uint16_t)tssAuthContext->encAuthOffset0 < tssAuthContext->cpBufferSize) {
+ *encAuth0 = tssAuthContext->commandBuffer + tssAuthContext->encAuthOffset0;
+ }
+ else {
+ if (tssVerbose) printf("TSS_GetEncAuths: "
+ "encAuthOffset0 %d too large for command buffer %u\n",
+ tssAuthContext->encAuthOffset0, tssAuthContext->cpBufferSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ else if (tssAuthContext->encAuthOffset0 < 0) {
+ if ((uint16_t)(-tssAuthContext->encAuthOffset0) < tssAuthContext->commandSize) {
+ *encAuth0 = tssAuthContext->commandBuffer +
+ tssAuthContext->commandSize + tssAuthContext->encAuthOffset0;
+ }
+ else {
+ if (tssVerbose) printf("TSS_GetEncAuths: "
+ "encAuthOffset0 %d too large for command buffer %u\n",
+ tssAuthContext->encAuthOffset0, tssAuthContext->commandSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ else {
+ *encAuth0 = NULL;
+ }
+ if (tssAuthContext->encAuthOffset1 > 0) {
+ if ((uint16_t)tssAuthContext->encAuthOffset1 < tssAuthContext->cpBufferSize) {
+ *encAuth1 = tssAuthContext->commandBuffer + tssAuthContext->encAuthOffset1;
+ }
+ else {
+ if (tssVerbose) printf("TSS_GetEncAuths: "
+ "encAuthOffset1 %u too large for command buffer %u\n",
+ tssAuthContext->encAuthOffset1, tssAuthContext->cpBufferSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ else if (tssAuthContext->encAuthOffset1 < 0) {
+ if ((uint16_t)(-tssAuthContext->encAuthOffset1) < tssAuthContext->commandSize) {
+ *encAuth1 = tssAuthContext->commandBuffer +
+ tssAuthContext->commandSize + tssAuthContext->encAuthOffset1;
+ }
+ else {
+ if (tssVerbose) printf("TSS_GetEncAuths: "
+ "encAuthOffset1 %d too large for command buffer %u\n",
+ tssAuthContext->encAuthOffset1, tssAuthContext->commandSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ else {
+ *encAuth1 = NULL;
+ }
+ return rc;
+}
+
+TPM_RC TSS_SetSessionNumber(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint16_t sessionNumber)
+{
+ TPM_RC rc = 0;
+
+ tssAuthContext->sessionNumber = sessionNumber;
+ if (sessionNumber > 1) {
+ if (tssVerbose) printf("TSS_SetSessionNumber: %u out of range\n",
+ sessionNumber);
+ rc = TSS_RC_SESSION_NUMBER;
+ }
+ return rc;
+}
+TPM_RC TSS_GetSessionNumber(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint16_t *sessionNumber)
+{
+ *sessionNumber = tssAuthContext->sessionNumber;
+ return 0;
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssauth12.h b/libstb/tss2/ibmtpm20tss/utils/tssauth12.h
new file mode 100644
index 0000000..9cc898c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssauth12.h
@@ -0,0 +1,94 @@
+/********************************************************************************/
+/* */
+/* TSS Authorization */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssauth12.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is not a public header. It should not be used by applications. */
+
+#ifndef TSS_AUTH12_H
+#define TSS_AUTH12_H
+
+#include <ibmtss/tss.h>
+#include "Commands12_fp.h"
+#include "tssccattributes12.h"
+
+/* command and response authorization structures adapted for TPM 1.2 */
+
+typedef struct {
+ TPM_AUTHHANDLE sessionHandle; /* the session handle */
+ TPM_NONCE nonce; /* the session nonce, may be the Empty Buffer */
+ TPMA_SESSION sessionAttributes; /* the session attributes */
+ TPM_AUTHDATA hmac; /* authorization HMAC */
+} TPMS_AUTH12_COMMAND;
+
+
+typedef struct {
+ TPM_NONCE nonce; /* the session nonce, may be the Empty Buffer */
+ TPMA_SESSION sessionAttributes; /* the session attributes */
+ TPM_AUTHDATA hmac; /* authorization HMAC */
+} TPMS_AUTH12_RESPONSE;
+
+TPM_RC TSS_Marshal12(TSS_AUTH_CONTEXT *tssAuthContext,
+ COMMAND_PARAMETERS *in,
+ TPM_CC commandCode);
+
+TPM_RC TSS_Unmarshal12(TSS_AUTH_CONTEXT *tssAuthContext,
+ RESPONSE_PARAMETERS *out);
+
+TPM_RC TSS_SetCmdAuths12(TSS_AUTH_CONTEXT *tssAuthContext,
+ size_t numSessions,
+ TPMS_AUTH12_COMMAND *authC[]);
+TPM_RC TSS_GetRspAuths12(TSS_AUTH_CONTEXT *tssAuthContext,
+ size_t numSessions,
+ TPMS_AUTH12_RESPONSE *authR[]);
+TPM_RC TSS_GetRpBuffer12(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t *rpBufferSize,
+ uint8_t **rpBuffer,
+ size_t numSessions);
+TPM_RC TSS_SetEncAuthOffset0(TSS_AUTH_CONTEXT *tssAuthContext,
+ int16_t offset);
+TPM_RC TSS_SetEncAuthOffset1(TSS_AUTH_CONTEXT *tssAuthContext,
+ int16_t offset);
+TPM_RC TSS_GetEncAuths(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint8_t **encAuth0,
+ uint8_t **encAuth1);
+TPM_RC TSS_SetSessionNumber(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint16_t sessionNumber);
+TPM_RC TSS_GetSessionNumber(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint16_t *sessionNumber);
+
+#endif
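Review bot: The `offset` argument of TSS_SetEncAuthOffset0/TSS_SetEncAuthOffset1 carries a sign convention that only the .c implementation reveals, yet this non-public header is what the TPM 1.2 command pre-processor codes against. From TSS_GetEncAuths() in tssauth12.c, a positive value is a byte offset from the start of the command buffer (range checked against cpBufferSize), a negative value is an offset back from the end of the marshaled command (range checked against commandSize), and zero means there is no encrypted authorization; the check is deferred to the getter because the command parameters have not been marshaled when the setter runs. I would state that contract on the two prototypes, e.g. `/* offset > 0: from start of command buffer; < 0: from end of marshaled command; 0: none. Not range checked here - validated by TSS_GetEncAuths() after marshaling. */`. Likewise TSS_SetSessionNumber rejects any value above 1 with TSS_RC_SESSION_NUMBER, which is worth noting next to its prototype so callers see the limit without reading the implementation.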
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssauth20.c b/libstb/tss2/ibmtpm20tss/utils/tssauth20.c
new file mode 100644
index 0000000..8489e86
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssauth20.c
@@ -0,0 +1,1546 @@
+/********************************************************************************/
+/* */
+/* TPM 2.0 TSS Authorization */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This layer handles command and response packet authorization parameters. */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tsstransmit.h>
+#include "tssproperties.h"
+#include <ibmtss/tssresponsecode.h>
+
+#include "tssntc.h"
+#include "tssauth.h"
+#include "tssauth20.h"
+
+extern int tssVerbose;
+extern int tssVverbose;
+
+typedef struct MARSHAL_TABLE {
+ TPM_CC commandCode;
+ const char *commandText;
+ MarshalInFunction_t marshalInFunction; /* marshal input command */
+ UnmarshalOutFunction_t unmarshalOutFunction; /* unmarshal output response */
+#ifndef TPM_TSS_NOCMDCHECK
+ UnmarshalInFunction_t unmarshalInFunction; /* unmarshal input command for parameter
+ checking */
+#endif
+} MARSHAL_TABLE;
+
+static const MARSHAL_TABLE marshalTable [] = {
+
+ {TPM_CC_Startup, "TPM2_Startup",
+ (MarshalInFunction_t)TSS_Startup_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Startup_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Shutdown, "TPM2_Shutdown",
+ (MarshalInFunction_t)TSS_Shutdown_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Shutdown_In_Unmarshal
+#endif
+ },
+ {TPM_CC_SelfTest, "TPM2_SelfTest",
+ (MarshalInFunction_t)TSS_SelfTest_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)SelfTest_In_Unmarshal
+#endif
+ },
+ {TPM_CC_IncrementalSelfTest, "TPM2_IncrementalSelfTest",
+ (MarshalInFunction_t)TSS_IncrementalSelfTest_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_IncrementalSelfTest_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)IncrementalSelfTest_In_Unmarshal
+#endif
+ },
+ {TPM_CC_GetTestResult, "TPM2_GetTestResult",
+ NULL,
+ (UnmarshalOutFunction_t)TSS_GetTestResult_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,NULL
+#endif
+ },
+ {TPM_CC_StartAuthSession, "TPM2_StartAuthSession",
+ (MarshalInFunction_t)TSS_StartAuthSession_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_StartAuthSession_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)StartAuthSession_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyRestart, "TPM2_PolicyRestart",
+ (MarshalInFunction_t)TSS_PolicyRestart_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyRestart_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Create, "TPM2_Create",
+ (MarshalInFunction_t)TSS_Create_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Create_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Create_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Load, "TPM2_Load",
+ (MarshalInFunction_t)TSS_Load_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Load_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Load_In_Unmarshal
+#endif
+ },
+ {TPM_CC_LoadExternal, "TPM2_LoadExternal",
+ (MarshalInFunction_t)TSS_LoadExternal_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_LoadExternal_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)LoadExternal_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ReadPublic, "TPM2_ReadPublic",
+ (MarshalInFunction_t)TSS_ReadPublic_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_ReadPublic_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ReadPublic_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ActivateCredential, "TPM2_ActivateCredential",
+ (MarshalInFunction_t)TSS_ActivateCredential_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_ActivateCredential_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ActivateCredential_In_Unmarshal
+#endif
+ },
+ {TPM_CC_MakeCredential, "TPM2_MakeCredential",
+ (MarshalInFunction_t)TSS_MakeCredential_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_MakeCredential_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)MakeCredential_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Unseal, "TPM2_Unseal",
+ (MarshalInFunction_t)TSS_Unseal_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Unseal_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Unseal_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ObjectChangeAuth, "TPM2_ObjectChangeAuth",
+ (MarshalInFunction_t)TSS_ObjectChangeAuth_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_ObjectChangeAuth_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ObjectChangeAuth_In_Unmarshal
+#endif
+ },
+ {TPM_CC_CreateLoaded, "TPM2_CreateLoaded",
+ (MarshalInFunction_t)TSS_CreateLoaded_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_CreateLoaded_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)CreateLoaded_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Duplicate, "TPM2_Duplicate",
+ (MarshalInFunction_t)TSS_Duplicate_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Duplicate_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Duplicate_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Rewrap, "TPM2_Rewrap",
+ (MarshalInFunction_t)TSS_Rewrap_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Rewrap_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Rewrap_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Import, "TPM2_Import",
+ (MarshalInFunction_t)TSS_Import_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Import_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Import_In_Unmarshal
+#endif
+ },
+ {TPM_CC_RSA_Encrypt, "TPM2_RSA_Encrypt",
+ (MarshalInFunction_t)TSS_RSA_Encrypt_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_RSA_Encrypt_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)RSA_Encrypt_In_Unmarshal
+#endif
+ },
+ {TPM_CC_RSA_Decrypt, "TPM2_RSA_Decrypt",
+ (MarshalInFunction_t)TSS_RSA_Decrypt_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_RSA_Decrypt_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)RSA_Decrypt_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ECDH_KeyGen, "TPM2_ECDH_KeyGen",
+ (MarshalInFunction_t)TSS_ECDH_KeyGen_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_ECDH_KeyGen_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ECDH_KeyGen_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ECDH_ZGen, "TPM2_ECDH_ZGen",
+ (MarshalInFunction_t)TSS_ECDH_ZGen_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_ECDH_ZGen_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ECDH_ZGen_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ECC_Parameters, "TPM2_ECC_Parameters",
+ (MarshalInFunction_t)TSS_ECC_Parameters_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_ECC_Parameters_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ECC_Parameters_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ZGen_2Phase, "TPM2_ZGen_2Phase",
+ (MarshalInFunction_t)TSS_ZGen_2Phase_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_ZGen_2Phase_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ZGen_2Phase_In_Unmarshal
+#endif
+ },
+ {TPM_CC_EncryptDecrypt, "TPM2_EncryptDecrypt",
+ (MarshalInFunction_t)TSS_EncryptDecrypt_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_EncryptDecrypt_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)EncryptDecrypt_In_Unmarshal
+#endif
+ },
+ {TPM_CC_EncryptDecrypt2, "TPM2_EncryptDecrypt2",
+ (MarshalInFunction_t)TSS_EncryptDecrypt2_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_EncryptDecrypt2_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)EncryptDecrypt2_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Hash, "TPM2_Hash",
+ (MarshalInFunction_t)TSS_Hash_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Hash_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Hash_In_Unmarshal
+#endif
+ },
+ {TPM_CC_HMAC, "TPM2_HMAC",
+ (MarshalInFunction_t)TSS_HMAC_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_HMAC_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)HMAC_In_Unmarshal
+#endif
+ },
+ {TPM_CC_GetRandom, "TPM2_GetRandom",
+ (MarshalInFunction_t)TSS_GetRandom_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_GetRandom_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)GetRandom_In_Unmarshal
+#endif
+ },
+ {TPM_CC_StirRandom, "TPM2_StirRandom",
+ (MarshalInFunction_t)TSS_StirRandom_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)StirRandom_In_Unmarshal
+#endif
+ },
+ {TPM_CC_HMAC_Start, "TPM2_HMAC_Start",
+ (MarshalInFunction_t)TSS_HMAC_Start_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_HMAC_Start_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)HMAC_Start_In_Unmarshal
+#endif
+ },
+ {TPM_CC_HashSequenceStart, "TPM2_HashSequenceStart",
+ (MarshalInFunction_t)TSS_HashSequenceStart_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_HashSequenceStart_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)HashSequenceStart_In_Unmarshal
+#endif
+ },
+ {TPM_CC_SequenceUpdate, "TPM2_SequenceUpdate",
+ (MarshalInFunction_t)TSS_SequenceUpdate_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)SequenceUpdate_In_Unmarshal
+#endif
+ },
+ {TPM_CC_SequenceComplete, "TPM2_SequenceComplete",
+ (MarshalInFunction_t)TSS_SequenceComplete_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_SequenceComplete_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)SequenceComplete_In_Unmarshal
+#endif
+ },
+ {TPM_CC_EventSequenceComplete, "TPM2_EventSequenceComplete",
+ (MarshalInFunction_t)TSS_EventSequenceComplete_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_EventSequenceComplete_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)EventSequenceComplete_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Certify, "TPM2_Certify",
+ (MarshalInFunction_t)TSS_Certify_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Certify_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Certify_In_Unmarshal
+#endif
+ },
+ {TPM_CC_CertifyX509, "TPM2_CertifyX509",
+ (MarshalInFunction_t)TSS_CertifyX509_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_CertifyX509_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)CertifyX509_In_Unmarshal
+#endif
+ },
+ {TPM_CC_CertifyCreation, "TPM2_CertifyCreation",
+ (MarshalInFunction_t)TSS_CertifyCreation_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_CertifyCreation_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)CertifyCreation_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Quote, "TPM2_Quote",
+ (MarshalInFunction_t)TSS_Quote_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Quote_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Quote_In_Unmarshal
+#endif
+ },
+ {TPM_CC_GetSessionAuditDigest, "TPM2_GetSessionAuditDigest",
+ (MarshalInFunction_t)TSS_GetSessionAuditDigest_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_GetSessionAuditDigest_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)GetSessionAuditDigest_In_Unmarshal
+#endif
+ },
+ {TPM_CC_GetCommandAuditDigest, "TPM2_GetCommandAuditDigest",
+ (MarshalInFunction_t)TSS_GetCommandAuditDigest_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_GetCommandAuditDigest_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)GetCommandAuditDigest_In_Unmarshal
+#endif
+ },
+ {TPM_CC_GetTime, "TPM2_GetTime",
+ (MarshalInFunction_t)TSS_GetTime_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_GetTime_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)GetTime_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Commit, "TPM2_Commit",
+ (MarshalInFunction_t)TSS_Commit_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Commit_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Commit_In_Unmarshal
+#endif
+ },
+ {TPM_CC_EC_Ephemeral, "TPM2_EC_Ephemeral",
+ (MarshalInFunction_t)TSS_EC_Ephemeral_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_EC_Ephemeral_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)EC_Ephemeral_In_Unmarshal
+#endif
+ },
+ {TPM_CC_VerifySignature, "TPM2_VerifySignature",
+ (MarshalInFunction_t)TSS_VerifySignature_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_VerifySignature_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)VerifySignature_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Sign, "TPM2_Sign",
+ (MarshalInFunction_t)TSS_Sign_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_Sign_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Sign_In_Unmarshal
+#endif
+ },
+ {TPM_CC_SetCommandCodeAuditStatus, "TPM2_SetCommandCodeAuditStatus",
+ (MarshalInFunction_t)TSS_SetCommandCodeAuditStatus_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)SetCommandCodeAuditStatus_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PCR_Extend, "TPM2_PCR_Extend",
+ (MarshalInFunction_t)TSS_PCR_Extend_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PCR_Extend_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PCR_Event, "TPM2_PCR_Event",
+ (MarshalInFunction_t)TSS_PCR_Event_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_PCR_Event_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PCR_Event_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PCR_Read, "TPM2_PCR_Read",
+ (MarshalInFunction_t)TSS_PCR_Read_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_PCR_Read_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PCR_Read_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PCR_Allocate, "TPM2_PCR_Allocate",
+ (MarshalInFunction_t)TSS_PCR_Allocate_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_PCR_Allocate_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PCR_Allocate_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PCR_SetAuthPolicy, "TPM2_PCR_SetAuthPolicy",
+ (MarshalInFunction_t)TSS_PCR_SetAuthPolicy_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PCR_SetAuthPolicy_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PCR_SetAuthValue, "TPM2_PCR_SetAuthValue",
+ (MarshalInFunction_t)TSS_PCR_SetAuthValue_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PCR_SetAuthValue_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PCR_Reset, "TPM2_PCR_Reset",
+ (MarshalInFunction_t)TSS_PCR_Reset_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PCR_Reset_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicySigned, "TPM2_PolicySigned",
+ (MarshalInFunction_t)TSS_PolicySigned_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_PolicySigned_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicySigned_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicySecret, "TPM2_PolicySecret",
+ (MarshalInFunction_t)TSS_PolicySecret_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_PolicySecret_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicySecret_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyTicket, "TPM2_PolicyTicket",
+ (MarshalInFunction_t)TSS_PolicyTicket_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyTicket_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyOR, "TPM2_PolicyOR",
+ (MarshalInFunction_t)TSS_PolicyOR_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyOR_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyPCR, "TPM2_PolicyPCR",
+ (MarshalInFunction_t)TSS_PolicyPCR_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyPCR_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyLocality, "TPM2_PolicyLocality",
+ (MarshalInFunction_t)TSS_PolicyLocality_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyLocality_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyNV, "TPM2_PolicyNV",
+ (MarshalInFunction_t)TSS_PolicyNV_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyNV_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyAuthorizeNV, "TPM2_PolicyAuthorizeNV",
+ (MarshalInFunction_t)TSS_PolicyAuthorizeNV_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyAuthorizeNV_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyCounterTimer, "TPM2_PolicyCounterTimer",
+ (MarshalInFunction_t)TSS_PolicyCounterTimer_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyCounterTimer_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyCommandCode, "TPM2_PolicyCommandCode",
+ (MarshalInFunction_t)TSS_PolicyCommandCode_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyCommandCode_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyPhysicalPresence, "TPM2_PolicyPhysicalPresence",
+ (MarshalInFunction_t)TSS_PolicyPhysicalPresence_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyPhysicalPresence_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyCpHash, "TPM2_PolicyCpHash",
+ (MarshalInFunction_t)TSS_PolicyCpHash_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyCpHash_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyNameHash, "TPM2_PolicyNameHash",
+ (MarshalInFunction_t)TSS_PolicyNameHash_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyNameHash_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyDuplicationSelect, "TPM2_PolicyDuplicationSelect",
+ (MarshalInFunction_t)TSS_PolicyDuplicationSelect_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyDuplicationSelect_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyAuthorize, "TPM2_PolicyAuthorize",
+ (MarshalInFunction_t)TSS_PolicyAuthorize_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyAuthorize_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyAuthValue, "TPM2_PolicyAuthValue",
+ (MarshalInFunction_t)TSS_PolicyAuthValue_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyAuthValue_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyPassword, "TPM2_PolicyPassword",
+ (MarshalInFunction_t)TSS_PolicyPassword_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyPassword_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyGetDigest, "TPM2_PolicyGetDigest",
+ (MarshalInFunction_t)TSS_PolicyGetDigest_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_PolicyGetDigest_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyGetDigest_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyNvWritten, "TPM2_PolicyNvWritten",
+ (MarshalInFunction_t)TSS_PolicyNvWritten_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyNvWritten_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PolicyTemplate, "TPM2_PolicyTemplate",
+ (MarshalInFunction_t)TSS_PolicyTemplate_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PolicyTemplate_In_Unmarshal
+#endif
+ },
+ {TPM_CC_CreatePrimary, "TPM2_CreatePrimary",
+ (MarshalInFunction_t)TSS_CreatePrimary_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_CreatePrimary_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)CreatePrimary_In_Unmarshal
+#endif
+ },
+ {TPM_CC_HierarchyControl, "TPM2_HierarchyControl",
+ (MarshalInFunction_t)TSS_HierarchyControl_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)HierarchyControl_In_Unmarshal
+#endif
+ },
+ {TPM_CC_SetPrimaryPolicy, "TPM2_SetPrimaryPolicy",
+ (MarshalInFunction_t)TSS_SetPrimaryPolicy_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)SetPrimaryPolicy_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ChangePPS, "TPM2_ChangePPS",
+ (MarshalInFunction_t)TSS_ChangePPS_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ChangePPS_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ChangeEPS, "TPM2_ChangeEPS",
+ (MarshalInFunction_t)TSS_ChangeEPS_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ChangeEPS_In_Unmarshal
+#endif
+ },
+ {TPM_CC_Clear, "TPM2_Clear",
+ (MarshalInFunction_t)TSS_Clear_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)Clear_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ClearControl, "TPM2_ClearControl",
+ (MarshalInFunction_t)TSS_ClearControl_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ClearControl_In_Unmarshal
+#endif
+ },
+ {TPM_CC_HierarchyChangeAuth, "TPM2_HierarchyChangeAuth",
+ (MarshalInFunction_t)TSS_HierarchyChangeAuth_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)HierarchyChangeAuth_In_Unmarshal
+#endif
+ },
+ {TPM_CC_DictionaryAttackLockReset, "TPM2_DictionaryAttackLockReset",
+ (MarshalInFunction_t)TSS_DictionaryAttackLockReset_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)DictionaryAttackLockReset_In_Unmarshal
+#endif
+ },
+ {TPM_CC_DictionaryAttackParameters, "TPM2_DictionaryAttackParameters",
+ (MarshalInFunction_t)TSS_DictionaryAttackParameters_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)DictionaryAttackParameters_In_Unmarshal
+#endif
+ },
+ {TPM_CC_PP_Commands, "TPM2_PP_Commands",
+ (MarshalInFunction_t)TSS_PP_Commands_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)PP_Commands_In_Unmarshal
+#endif
+ },
+ {TPM_CC_SetAlgorithmSet, "TPM2_SetAlgorithmSet",
+ (MarshalInFunction_t)TSS_SetAlgorithmSet_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)SetAlgorithmSet_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ContextSave, "TPM2_ContextSave",
+ (MarshalInFunction_t)TSS_ContextSave_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_ContextSave_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ContextSave_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ContextLoad, "TPM2_ContextLoad",
+ (MarshalInFunction_t)TSS_ContextLoad_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_ContextLoad_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ContextLoad_In_Unmarshal
+#endif
+ },
+ {TPM_CC_FlushContext, "TPM2_FlushContext",
+ (MarshalInFunction_t)TSS_FlushContext_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)FlushContext_In_Unmarshal
+#endif
+ },
+ {TPM_CC_EvictControl, "TPM2_EvictControl",
+ (MarshalInFunction_t)TSS_EvictControl_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)EvictControl_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ReadClock, "TPM2_ReadClock",
+ NULL,
+ (UnmarshalOutFunction_t)TSS_ReadClock_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,NULL
+#endif
+ },
+ {TPM_CC_ClockSet, "TPM2_ClockSet",
+ (MarshalInFunction_t)TSS_ClockSet_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ClockSet_In_Unmarshal
+#endif
+ },
+ {TPM_CC_ClockRateAdjust, "TPM2_ClockRateAdjust",
+ (MarshalInFunction_t)TSS_ClockRateAdjust_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)ClockRateAdjust_In_Unmarshal
+#endif
+ },
+ {TPM_CC_GetCapability, "TPM2_GetCapability",
+ (MarshalInFunction_t)TSS_GetCapability_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_GetCapability_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)GetCapability_In_Unmarshal
+#endif
+ },
+ {TPM_CC_TestParms, "TPM2_TestParms",
+ (MarshalInFunction_t)TSS_TestParms_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)TestParms_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_DefineSpace, "TPM2_NV_DefineSpace",
+ (MarshalInFunction_t)TSS_NV_DefineSpace_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_DefineSpace_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_UndefineSpace, "TPM2_NV_UndefineSpace",
+ (MarshalInFunction_t)TSS_NV_UndefineSpace_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_UndefineSpace_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_UndefineSpaceSpecial, "TPM2_NV_UndefineSpaceSpecial",
+ (MarshalInFunction_t)TSS_NV_UndefineSpaceSpecial_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_UndefineSpaceSpecial_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_ReadPublic, "TPM2_NV_ReadPublic",
+ (MarshalInFunction_t)TSS_NV_ReadPublic_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_NV_ReadPublic_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_ReadPublic_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_Write, "TPM2_NV_Write",
+ (MarshalInFunction_t)TSS_NV_Write_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_Write_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_Increment, "TPM2_NV_Increment",
+ (MarshalInFunction_t)TSS_NV_Increment_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_Increment_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_Extend, "TPM2_NV_Extend",
+ (MarshalInFunction_t)TSS_NV_Extend_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_Extend_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_SetBits, "TPM2_NV_SetBits",
+ (MarshalInFunction_t)TSS_NV_SetBits_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_SetBits_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_WriteLock, "TPM2_NV_WriteLock",
+ (MarshalInFunction_t)TSS_NV_WriteLock_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_WriteLock_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_GlobalWriteLock, "TPM2_NV_GlobalWriteLock",
+ (MarshalInFunction_t)TSS_NV_GlobalWriteLock_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_GlobalWriteLock_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_Read, "TPM2_NV_Read",
+ (MarshalInFunction_t)TSS_NV_Read_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_NV_Read_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_Read_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_ReadLock, "TPM2_NV_ReadLock",
+ (MarshalInFunction_t)TSS_NV_ReadLock_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_ReadLock_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_ChangeAuth, "TPM2_NV_ChangeAuth",
+ (MarshalInFunction_t)TSS_NV_ChangeAuth_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_ChangeAuth_In_Unmarshal
+#endif
+ },
+ {TPM_CC_NV_Certify, "TPM2_NV_Certify",
+ (MarshalInFunction_t)TSS_NV_Certify_In_Marshalu,
+ (UnmarshalOutFunction_t)TSS_NV_Certify_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)NV_Certify_In_Unmarshal
+#endif
+ },
+#ifdef TPM_TSS_NUVOTON
+ {NTC2_CC_PreConfig,"NTC2_CC_PreConfig",
+ (MarshalInFunction_t)TSS_NTC2_PreConfig_In_Marshalu,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,(UnmarshalInFunction_t)TSS_NTC2_PreConfig_In_Unmarshalu
+#endif
+ },
+ {NTC2_CC_LockPreConfig,"NTC2_CC_LockPreConfig",
+ NULL,
+ NULL
+#ifndef TPM_TSS_NOCMDCHECK
+ ,NULL
+#endif
+ },
+ {NTC2_CC_GetConfig,"NTC2_CC_GetConfig",
+ NULL,
+ (UnmarshalOutFunction_t)TSS_NTC2_GetConfig_Out_Unmarshalu
+#ifndef TPM_TSS_NOCMDCHECK
+ ,NULL
+#endif
+ },
+
+#endif /* TPM_TSS_NUVOTON */
+};
+
+/* TSS_MarshalTable_Process() indexes into the command marshal table, and saves the marshal and
+ unmarshal functions */
+
+static TPM_RC TSS_MarshalTable_Process(TSS_AUTH_CONTEXT *tssAuthContext,
+ TPM_CC commandCode)
+{
+ TPM_RC rc = 0;
+ size_t index;
+ int found = FALSE;
+
+ /* get the command index in the dispatch table */
+ for (index = 0 ; index < (sizeof(marshalTable) / sizeof(MARSHAL_TABLE)) ; (index)++) {
+ if (marshalTable[index].commandCode == commandCode) {
+ found = TRUE;
+ break;
+ }
+ }
+ if (found) {
+ tssAuthContext->commandCode = commandCode;
+ tssAuthContext->commandText = marshalTable[index].commandText;
+ tssAuthContext->marshalInFunction = marshalTable[index].marshalInFunction;
+ tssAuthContext->unmarshalOutFunction = marshalTable[index].unmarshalOutFunction;
+#ifndef TPM_TSS_NOCMDCHECK
+ tssAuthContext->unmarshalInFunction = marshalTable[index].unmarshalInFunction;
+#endif
+ }
+ else {
+ if (tssVerbose) printf("TSS_MarshalTable_Process: "
+ "commandCode %08x not found in marshal table\n",
+ commandCode);
+ rc = TSS_RC_COMMAND_UNIMPLEMENTED;
+ }
+ return rc;
+}
+
+/* TSS_Marshal() marshals the input parameters into the TSS Authorization context.
+
+ It also sets other member of the context in preparation for the rest of the sequence.
+*/
+
+TPM_RC TSS_Marshal(TSS_AUTH_CONTEXT *tssAuthContext,
+ COMMAND_PARAMETERS *in,
+ TPM_CC commandCode)
+{
+ TPM_RC rc = 0;
+ TPMI_ST_COMMAND_TAG tag = TPM_ST_NO_SESSIONS; /* default until sessions are added */
+ uint8_t *buffer; /* for marshaling */
+#ifndef TPM_TSS_NOCMDCHECK
+ uint8_t *bufferu; /* for test unmarshaling */
+#endif
+ uint32_t size;
+
+ /* index from command code to table and save items for this command */
+ if (rc == 0) {
+ rc = TSS_MarshalTable_Process(tssAuthContext, commandCode);
+ }
+ /* get the number of command and response handles from the TPM table */
+ if (rc == 0) {
+ tssAuthContext->tpmCommandIndex = CommandCodeToCommandIndex(commandCode);
+ if (tssAuthContext->tpmCommandIndex == UNIMPLEMENTED_COMMAND_INDEX) {
+ if (tssVerbose) printf("TSS_Marshal: "
+ "commandCode %08x not found in command attributes table\n",
+ commandCode);
+ rc = TSS_RC_COMMAND_UNIMPLEMENTED;
+ }
+ }
+ if (rc == 0) {
+ tssAuthContext->commandHandleCount =
+ getCommandHandleCount(tssAuthContext->tpmCommandIndex);
+ tssAuthContext->responseHandleCount =
+ getresponseHandleCount(tssAuthContext->tpmCommandIndex);
+ }
+ if (rc == 0) {
+ /* make a copy of the command buffer and size since the marshal functions move them */
+ buffer = tssAuthContext->commandBuffer;
+ size = sizeof(tssAuthContext->commandBuffer);
+ /* marshal header, preliminary tag and command size */
+ rc = TSS_TPMI_ST_COMMAND_TAG_Marshalu(&tag, &tssAuthContext->commandSize, &buffer, &size);
+ }
+ if (rc == 0) {
+ uint32_t commandSize = tssAuthContext->commandSize;
+ rc = TSS_UINT32_Marshalu(&commandSize, &tssAuthContext->commandSize, &buffer, &size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_CC_Marshalu(&commandCode, &tssAuthContext->commandSize, &buffer, &size);
+ }
+ if (rc == 0) {
+#ifndef TPM_TSS_NOCMDCHECK
+ /* save pointer to marshaled data for test unmarshal */
+ bufferu = buffer +
+ tssAuthContext->commandHandleCount * sizeof(TPM_HANDLE);
+#endif
+ /* if there is a marshal function */
+ if (tssAuthContext->marshalInFunction != NULL) {
+ /* if there is a structure to marshal */
+ if (in != NULL) {
+ rc = tssAuthContext->marshalInFunction(in, &tssAuthContext->commandSize,
+ &buffer, &size);
+ }
+ /* caller error, no structure supplied to marshal */
+ else {
+ if (tssVerbose)
+ printf("TSS_Marshal: Command %08x requires command parameter structure\n",
+ commandCode);
+ rc = TSS_RC_IN_PARAMETER;
+ }
+ }
+ /* if there is no marshal function */
+ else {
+ /* caller error, supplied structure but there is no marshal function */
+ if (in != NULL) {
+ if (tssVerbose)
+ printf("TSS_Marshal: Command %08x does not take command parameter structure\n",
+ commandCode);
+ rc = TSS_RC_IN_PARAMETER;
+ }
+ /* no marshal function and no command parameter structure is OK */
+ }
+ }
+#ifndef TPM_TSS_NOCMDCHECK
+ /* unmarshal to validate the input parameters */
+ if ((rc == 0) && (tssAuthContext->unmarshalInFunction != NULL)) {
+ COMMAND_PARAMETERS *target = NULL;
+ TPM_HANDLE handles[MAX_HANDLE_NUM];
+ if (rc == 0) {
+ rc = TSS_Malloc((unsigned char **)&target,
+ sizeof(COMMAND_PARAMETERS)); /* freed @1 */
+ }
+ if (rc == 0) {
+ size = sizeof(tssAuthContext->commandBuffer) -
+ (tssAuthContext->commandHandleCount * sizeof(TPM_HANDLE));
+ rc = tssAuthContext->unmarshalInFunction(target, &bufferu, &size, handles);
+ if ((rc != 0) && tssVerbose) {
+ printf("TSS_Marshal: Invalid command parameter\n");
+ }
+ }
+ free(target); /* @1 */
+ }
+#endif
+ /* back fill the correct commandSize */
+ if (rc == 0) {
+ uint16_t written = 0; /* dummy */
+ uint32_t commandSize = tssAuthContext->commandSize;
+ buffer = tssAuthContext->commandBuffer + sizeof(TPMI_ST_COMMAND_TAG);
+ TSS_UINT32_Marshalu(&commandSize, &written, &buffer, NULL);
+ }
+ /* record the interim cpBuffer and cpBufferSize before adding authorizations */
+ if (rc == 0) {
+ uint32_t notCpBufferSize;
+
+ /* cpBuffer does not include the header and handles */
+ notCpBufferSize = sizeof(TPMI_ST_COMMAND_TAG) + sizeof (uint32_t) + sizeof(TPM_CC) +
+ (sizeof(TPM_HANDLE) * tssAuthContext->commandHandleCount);
+
+ tssAuthContext->cpBuffer = tssAuthContext->commandBuffer + notCpBufferSize;
+ tssAuthContext->cpBufferSize = tssAuthContext->commandSize - notCpBufferSize;
+ }
+ return rc;
+}
+
+/* TSS_Unmarshal() unmarshals the response parameter.
+
+ It returns an error if either there is no unmarshal function and out is not NULL or if there is
+ an unmarshal function and out is not NULL.
+
+ If there is no unmarshal function and out is NULL, the function is a noop.
+*/
+
+TPM_RC TSS_Unmarshal(TSS_AUTH_CONTEXT *tssAuthContext,
+ RESPONSE_PARAMETERS *out)
+{
+ TPM_RC rc = 0;
+ TPM_ST tag;
+ uint8_t *buffer;
+ uint32_t size;
+
+ /* if there is an unmarshal function */
+ if (tssAuthContext->unmarshalOutFunction != NULL) {
+ /* if there is a structure to unmarshal */
+ if (out != NULL) {
+ if (rc == 0) {
+ /* get the response tag, determines whether there is a response parameterSize to
+ unmarshal */
+ buffer = tssAuthContext->responseBuffer;
+ size = tssAuthContext->responseSize;
+ rc = TSS_TPM_ST_Unmarshalu(&tag, &buffer, &size);
+ }
+ if (rc == 0) {
+ /* move the buffer and size past the header */
+ buffer = tssAuthContext->responseBuffer +
+ sizeof(TPM_ST) + sizeof(uint32_t) + sizeof(TPM_RC);
+ size = tssAuthContext->responseSize -
+ (sizeof(TPM_ST) + sizeof(uint32_t) + sizeof(TPM_RC));
+ rc = tssAuthContext->unmarshalOutFunction(out, tag, &buffer, &size);
+ }
+ }
+ /* caller error, no structure supplied to unmarshal */
+ else {
+ if (tssVerbose)
+ printf("TSS_Unmarshal: Command %08x requires response parameter structure\n",
+ tssAuthContext->commandCode);
+ rc = TSS_RC_OUT_PARAMETER;
+ }
+ }
+ /* if there is no unmarshal function */
+ else {
+ /* caller error, structure supplied but no unmarshal function */
+ if (out != NULL) {
+ if (tssVerbose)
+ printf("TSS_Unmarshal: Command %08x does not take response parameter structure\n",
+ tssAuthContext->commandCode);
+ rc = TSS_RC_OUT_PARAMETER;
+ }
+ /* no unmarshal function and no response parameter structure is OK */
+ }
+ return rc;
+}
+
+/* TSS_SetCmdAuths() adds a list of TPMS_AUTH_COMMAND structures to the command buffer.
+
+ The arguments are a NULL terminated list of TPMS_AUTH_COMMAND * structures.
+ */
+
+TPM_RC TSS_SetCmdAuths(TSS_AUTH_CONTEXT *tssAuthContext, ...)
+{
+ TPM_RC rc = 0;
+ va_list ap;
+ uint16_t authorizationSize; /* does not include 4 bytes of size */
+ TPMS_AUTH_COMMAND *authCommand = NULL;
+ int done;
+ uint32_t cpBufferSize;
+ uint8_t *cpBuffer;
+ uint8_t *buffer;
+
+ /* calculate size of authorization area */
+ done = FALSE;
+ authorizationSize = 0;
+ va_start(ap, tssAuthContext);
+ while ((rc == 0) && !done){
+ authCommand = va_arg(ap, TPMS_AUTH_COMMAND *);
+ if (authCommand != NULL) {
+ rc = TSS_TPMS_AUTH_COMMAND_Marshalu(authCommand, &authorizationSize, NULL, NULL);
+ }
+ else {
+ done = TRUE;
+ }
+ }
+ va_end(ap);
+ /* command called with authorizations */
+ if (authorizationSize != 0) {
+ /* back fill the tag TPM_ST_SESSIONS */
+ if (rc == 0) {
+ uint16_t written = 0; /* dummy */
+ TPMI_ST_COMMAND_TAG tag = TPM_ST_SESSIONS;
+ buffer = tssAuthContext->commandBuffer;
+ TSS_TPMI_ST_COMMAND_TAG_Marshalu(&tag, &written, &buffer, NULL);
+ }
+ /* get cpBuffer, command parameters */
+ if (rc == 0) {
+ rc = TSS_GetCpBuffer(tssAuthContext, &cpBufferSize, &cpBuffer);
+ }
+ /* new authorization area range check, will cpBuffer move overflow */
+ if (rc == 0) {
+ if (cpBuffer +
+ cpBufferSize +
+ sizeof (uint32_t) + /* authorizationSize */
+ authorizationSize /* authorization area */
+ > tssAuthContext->commandBuffer + sizeof(tssAuthContext->commandBuffer)) {
+
+ if (tssVerbose)
+ printf("TSS_SetCmdAuths: Command authorizations overflow command buffer\n");
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* move the cpBuffer to make space for the authorization area and its size */
+ if (rc == 0) {
+ memmove(cpBuffer + sizeof (uint32_t) + authorizationSize, /* to here */
+ cpBuffer, /* from here */
+ cpBufferSize);
+ }
+ /* marshal the authorizationSize area, where cpBuffer was before move */
+ if (rc == 0) {
+ uint32_t authorizationSize32 = authorizationSize;
+ uint16_t written = 0; /* dummy */
+ TSS_UINT32_Marshalu(&authorizationSize32, &written, &cpBuffer, NULL);
+ }
+ /* marshal the command authorization areas */
+ done = FALSE;
+ authorizationSize = 0;
+ va_start(ap, tssAuthContext);
+ while ((rc == 0) && !done){
+ authCommand = va_arg(ap, TPMS_AUTH_COMMAND *);
+ if (authCommand != NULL) {
+ rc = TSS_TPMS_AUTH_COMMAND_Marshalu(authCommand, &authorizationSize, &cpBuffer, NULL);
+ tssAuthContext->authCount++; /* count the number of authorizations for the
+ response */
+ }
+ else {
+ done = TRUE;
+ }
+ }
+ va_end(ap);
+ if (rc == 0) {
+ uint16_t written = 0; /* dummy */
+ uint32_t commandSize;
+ /* mark cpBuffer new location, size doesn't change */
+ tssAuthContext->cpBuffer += sizeof (uint32_t) + authorizationSize;
+ /* record command stream used size */
+ tssAuthContext->commandSize += sizeof (uint32_t) + authorizationSize;
+ /* back fill the correct commandSize */
+ buffer = tssAuthContext->commandBuffer + sizeof(TPMI_ST_COMMAND_TAG);
+ commandSize = tssAuthContext->commandSize;
+ TSS_UINT32_Marshalu(&commandSize, &written, &buffer, NULL);
+ }
+ }
+ return rc;
+}
+
+/* TSS_GetRspAuths() unmarshals a response buffer into a NULL terminated list of TPMS_AUTH_RESPONSE
+ structures. This should not be called if the TPM returned a non-success response code.
+
+ Returns an error if the number of response auths requested is not equal to the number of command
+ auths, including zero.
+
+ If the response tag is not TPM_ST_SESSIONS, the function is a noop (except for error checking).
+ */
+
+TPM_RC TSS_GetRspAuths(TSS_AUTH_CONTEXT *tssAuthContext, ...)
+{
+ TPM_RC rc = 0;
+ va_list ap;
+ TPMS_AUTH_RESPONSE *authResponse = NULL;
+ uint32_t size;
+ uint8_t *buffer;
+ TPM_ST tag;
+ int done;
+ uint16_t authCount = 0; /* authorizations in response */
+ uint32_t parameterSize;
+
+ /* unmarshal the response tag */
+ if (rc == 0) {
+ size = tssAuthContext->responseSize;
+ buffer = tssAuthContext->responseBuffer;
+ rc = TSS_TPM_ST_Unmarshalu(&tag, &buffer, &size);
+ }
+ /* check that the tag indicates that there are sessions */
+ if ((rc == 0) && (tag == TPM_ST_SESSIONS)) {
+ /* offset the buffer past the header and handles, and get the response parameterSize */
+ if (rc == 0) {
+ uint32_t offsetSize = sizeof(TPM_ST) + + sizeof (uint32_t) + sizeof(TPM_RC) +
+ (sizeof(TPM_HANDLE) * tssAuthContext->responseHandleCount);
+ buffer = tssAuthContext->responseBuffer + offsetSize;
+ size = tssAuthContext->responseSize - offsetSize;
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, &buffer, &size);
+ }
+ if (rc == 0) {
+ if (parameterSize > (uint32_t)size) {
+ if (tssVerbose) printf("TSS_GetRspAuths: Invalid response parameterSize %u\n",
+ parameterSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ if (rc == 0) {
+ /* index past the response parameters to the authorization area */
+ buffer += parameterSize;
+ size -= parameterSize;
+ }
+ /* unmarshal the response authorization area */
+ done = FALSE;
+ va_start(ap, tssAuthContext);
+ while ((rc == 0) && !done){
+ authResponse = va_arg(ap, TPMS_AUTH_RESPONSE *);
+ if (authResponse != NULL) {
+ rc = TSS_TPMS_AUTH_RESPONSE_Unmarshalu(authResponse, &buffer, &size);
+ authCount++;
+ }
+ else {
+ done = TRUE;
+ }
+ }
+ va_end(ap);
+ /* check for extra bytes at the end of the response */
+ if (rc == 0) {
+ if (size != 0) {
+ if (tssVerbose)
+ printf("TSS_GetRspAuths: Extra bytes at the end of response authorizations\n");
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ }
+ /* check that the same number was requested as were sent in the command. Check for zero if not
+ TPM_ST_SESSIONS */
+ if (rc == 0) {
+ if (tssAuthContext->authCount != authCount) {
+ if (tssVerbose)
+ printf("TSS_GetRspAuths: "
+ "Response authorizations requested does not equal number in command\n");
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ return rc;
+}
+
+/* TSS_GetCommandDecryptParam() returns the size and pointer to the first marshaled TPM2B */
+
+TPM_RC TSS_GetCommandDecryptParam(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t *decryptParamSize,
+ uint8_t **decryptParamBuffer)
+{
+ TPM_RC rc = 0;
+ /* the first parameter is the TPM2B */
+ uint32_t cpBufferSize;
+ uint8_t *cpBuffer;
+
+ if (rc == 0) {
+ rc = TSS_GetCpBuffer(tssAuthContext, &cpBufferSize, &cpBuffer);
+ }
+ /* extract contents of the first TPM2B */
+ if (rc == 0) {
+ *decryptParamSize = ntohs(*(uint16_t *)cpBuffer);
+ *decryptParamBuffer = cpBuffer + sizeof(uint16_t);
+ }
+ /* sanity range check */
+ if (rc == 0) {
+ if (((*decryptParamBuffer + *decryptParamSize) >
+ (tssAuthContext->commandBuffer + tssAuthContext->commandSize)) ||
+ ((*decryptParamSize + sizeof(uint16_t) > tssAuthContext->cpBufferSize))) {
+ if (tssVerbose) printf("TSS_GetCommandDecryptParam: Malformed decrypt parameter "
+ "size %u cpBufferSize %u commandSize %u\n",
+ *decryptParamSize, tssAuthContext->cpBufferSize,
+ tssAuthContext->commandSize);
+ rc = TSS_RC_BAD_ENCRYPT_SIZE;
+ }
+ }
+ return rc;
+}
+
+TPM_RC TSS_SetCommandDecryptParam(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t encryptParamSize,
+ uint8_t *encryptParamBuffer)
+{
+ TPM_RC rc = 0;
+ /* the first parameter is the TPM2B */
+ uint32_t decryptParamSize;
+ uint8_t *decryptParamBuffer;
+
+ if (rc == 0) {
+ rc = TSS_GetCommandDecryptParam(tssAuthContext,
+ &decryptParamSize,
+ &decryptParamBuffer);
+ }
+ /* the encrypt data overwrites the already marshaled data */
+ if (rc == 0) {
+ if (decryptParamSize != encryptParamSize) {
+ if (tssVerbose)
+ printf("TSS_SetCommandDecryptParam: Different encrypt and decrypt size\n");
+ rc = TSS_RC_BAD_ENCRYPT_SIZE;
+ }
+ }
+ /* skip the 2B size, copy the data */
+ if (rc == 0) {
+ memcpy(decryptParamBuffer, encryptParamBuffer, encryptParamSize);
+ }
+ return rc;
+}
+
+/* TSS_GetAuthRole() returns AUTH_NONE if the handle in the handle area cannot be an authorization
+ handle. */
+
+AUTH_ROLE TSS_GetAuthRole(TSS_AUTH_CONTEXT *tssAuthContext,
+ size_t handleIndex)
+{
+ AUTH_ROLE authRole;
+ authRole = getCommandAuthRole(tssAuthContext->tpmCommandIndex, handleIndex);
+ return authRole;
+}
+
+/* TSS_GetCommandHandle() gets the command handle at the index. Index is a zero based count, not a
+ byte count.
+
+ Returns 0 if the index exceeds the number of handles.
+*/
+
+TPM_RC TSS_GetCommandHandle(TSS_AUTH_CONTEXT *tssAuthContext,
+ TPM_HANDLE *commandHandle,
+ size_t index)
+{
+ TPM_RC rc = 0;
+ uint8_t *buffer;
+ uint32_t size;
+
+
+ if (rc == 0) {
+ if (index >= tssAuthContext->commandHandleCount) {
+ if (tssVerbose) printf("TSS_GetCommandHandle: index %u too large for command\n",
+ (unsigned int)index);
+ rc = TSS_RC_BAD_HANDLE_NUMBER;
+ }
+ }
+ if (rc == 0) {
+ /* index into the command handle */
+ buffer = tssAuthContext->commandBuffer +
+ sizeof(TPMI_ST_COMMAND_TAG) + sizeof (uint32_t) + sizeof(TPM_CC) +
+ (sizeof(TPM_HANDLE) * index);
+ size = sizeof(TPM_HANDLE);
+ rc = TSS_TPM_HANDLE_Unmarshalu(commandHandle, &buffer, &size);
+ }
+ return rc;
+}
+
+/* TSS_GetRpBuffer() returns a pointer to the response parameter area.
+
+ NOTE could move to execute so it only has to be done once.
+*/
+
+TPM_RC TSS_GetRpBuffer(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t *rpBufferSize,
+ uint8_t **rpBuffer)
+{
+ TPM_RC rc = 0;
+ TPM_ST tag; /* response tag */
+ uint32_t offsetSize; /* to beginning of parameter area, to parameterSize */
+ uint32_t size; /* tmp for unmarshal */
+ uint8_t *buffer; /* tmp for unmarshal */
+ uint32_t parameterSize; /* response parameter (if sessions) */
+
+ /* unmarshal the response tag */
+ if (rc == 0) {
+ /* offset to parameterSize or parameters */
+ offsetSize = sizeof(TPM_ST) + sizeof (uint32_t) + sizeof(TPM_RC) +
+ (sizeof(TPM_HANDLE) * tssAuthContext->responseHandleCount);
+
+ size = tssAuthContext->responseSize;
+ buffer = tssAuthContext->responseBuffer;
+ rc = TSS_TPM_ST_Unmarshalu(&tag, &buffer, &size); /* does value checking */
+ }
+ /* no sessions -> no parameterSize */
+ if (tag == TPM_ST_NO_SESSIONS) {
+ if (rc == 0) {
+ if (offsetSize > tssAuthContext->responseSize) {
+ if (tssVerbose)
+ printf("TSS_GetRpBuffer: offset %u past response buffer %u\n",
+ offsetSize, tssAuthContext->responseSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ if (rc == 0) { /* subtract now safe from above range check */
+ *rpBufferSize = tssAuthContext->responseSize - offsetSize;
+ *rpBuffer = tssAuthContext->responseBuffer + offsetSize;
+ }
+ }
+ /* sessions -> parameterSize */
+ else {
+ /* validate that there are enough response bytes for uint32_t parameterSize */
+ if (rc == 0) {
+ if ((offsetSize + sizeof(uint32_t)) > tssAuthContext->responseSize) {
+ if (tssVerbose)
+ printf("TSS_GetRpBuffer: offset %u past response buffer %u\n",
+ offsetSize, tssAuthContext->responseSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ /* unmarshal the parameterSize */
+ if (rc == 0) {
+ size = tssAuthContext->responseSize - offsetSize;
+ buffer = tssAuthContext->responseBuffer + offsetSize;
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, &buffer, &size);
+ offsetSize += sizeof(uint32_t); /* move offset past parameterSize, to rpBuffer */
+ }
+ /* range check parameterSize */
+ /* first, check that addition willl not overflow */
+ if (rc == 0) {
+ if (parameterSize > (0xffffffff - offsetSize)) {
+ if (tssVerbose) printf("TSS_GetRpBuffer: parameterSize %u too large\n",
+ parameterSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ /* second, range check parameterSize vs. entire response buffer */
+ if (rc == 0) {
+ if ((offsetSize + parameterSize) > tssAuthContext->responseSize) {
+ if (tssVerbose)
+ printf("TSS_GetRpBuffer: parameterSize %u past response buffer %u\n",
+ parameterSize, tssAuthContext->responseSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ /* assignment safe after above checks */
+ if (rc == 0) {
+ *rpBufferSize = parameterSize; /* by definition when there are auth sessions */
+ *rpBuffer = tssAuthContext->responseBuffer + offsetSize;
+ }
+ }
+ return rc;
+}
+
+/* TSS_GetResponseEncryptParam() returns the first TPM2B in the response area.
+
+ The caller should ensure that the first response parameter is a TPM2B.
+*/
+
+TPM_RC TSS_GetResponseEncryptParam(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t *encryptParamSize,
+ uint8_t **encryptParamBuffer)
+{
+ TPM_RC rc = 0;
+ /* the first parameter is the TPM2B */
+ uint32_t rpBufferSize;
+ uint8_t *rpBuffer;
+
+ if (rc == 0) {
+ rc = TSS_GetRpBuffer(tssAuthContext, &rpBufferSize, &rpBuffer);
+ }
+ /* extract contents of the first TPM2B */
+ if (rc == 0) {
+ *encryptParamSize = ntohs(*(uint16_t *)rpBuffer);
+ *encryptParamBuffer = rpBuffer + sizeof(uint16_t);
+ }
+ /* sanity range check */
+ if (rc == 0) {
+ if (((*encryptParamBuffer + *encryptParamSize) >
+ (tssAuthContext->responseBuffer + tssAuthContext->responseSize)) ||
+ ((*encryptParamSize + sizeof(uint16_t) > rpBufferSize))) {
+ if (tssVerbose) printf("TSS_GetResponseEncryptParam: Malformed encrypt parameter "
+ "size %u rpBufferSize %u responseSize %u\n",
+ *encryptParamSize, rpBufferSize,
+ tssAuthContext->responseSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ return rc;
+}
+
+/* TSS_SetResponseDecryptParam() copies the decryptParamBuffer into the first TPM2B in the response
+ area.
+
+ The caller should ensure that the first response parameter is a TPM2B.
+*/
+
+TPM_RC TSS_SetResponseDecryptParam(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t decryptParamSize,
+ uint8_t *decryptParamBuffer)
+{
+ TPM_RC rc = 0;
+ /* the first parameter is the TPM2B */
+ uint32_t encryptParamSize;
+ uint8_t *encryptParamBuffer;
+
+ if (rc == 0) {
+ rc = TSS_GetResponseEncryptParam(tssAuthContext,
+ &encryptParamSize,
+ &encryptParamBuffer);
+ }
+ /* the decrypt data overwrites the already marshaled data */
+ if (rc == 0) {
+ if (decryptParamSize != encryptParamSize) {
+ if (tssVerbose)
+ printf("TSS_SetCommandDecryptParam: Different encrypt and decrypt size\n");
+ rc = TSS_RC_BAD_ENCRYPT_SIZE;
+ }
+ }
+ /* skip the 2B size, copy the data */
+ if (rc == 0) {
+ memcpy(encryptParamBuffer, decryptParamBuffer, decryptParamSize);
+ }
+ return rc;
+}
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssauth20.h b/libstb/tss2/ibmtpm20tss/utils/tssauth20.h
new file mode 100644
index 0000000..52b8403
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssauth20.h
@@ -0,0 +1,86 @@
+/********************************************************************************/
+/* */
+/* TSS Authorization */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssauth20.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is not a public header. It should not be used by applications. */
+
+#ifndef TSS_AUTH20_H
+#define TSS_AUTH20_H
+
+#include <ibmtss/tss.h>
+#include "tssccattributes.h"
+
+TPM_RC TSS_Marshal(TSS_AUTH_CONTEXT *tssAuthContext,
+ COMMAND_PARAMETERS *in,
+ TPM_CC commandCode);
+
+TPM_RC TSS_Unmarshal(TSS_AUTH_CONTEXT *tssAuthContext,
+ RESPONSE_PARAMETERS *out);
+
+TPM_RC TSS_SetCmdAuths(TSS_AUTH_CONTEXT *tssAuthContext, ...);
+
+TPM_RC TSS_GetRspAuths(TSS_AUTH_CONTEXT *tssAuthContext, ...);
+
+TPM_RC TSS_GetCommandDecryptParam(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t *decryptParamSize,
+ uint8_t **decryptParamBuffer);
+
+TPM_RC TSS_SetCommandDecryptParam(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t encryptParamSize,
+ uint8_t *encryptParamBuffer);
+
+AUTH_ROLE TSS_GetAuthRole(TSS_AUTH_CONTEXT *tssAuthContext,
+ size_t handleIndex);
+
+TPM_RC TSS_GetCommandHandle(TSS_AUTH_CONTEXT *tssAuthContext,
+ TPM_HANDLE *commandHandle,
+ size_t index);
+
+TPM_RC TSS_GetRpBuffer(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t *rpBufferSize,
+ uint8_t **rpBuffer);
+
+TPM_RC TSS_GetResponseEncryptParam(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t *encryptParamSize,
+ uint8_t **encryptParamBuffer);
+
+TPM_RC TSS_SetResponseDecryptParam(TSS_AUTH_CONTEXT *tssAuthContext,
+ uint32_t decryptParamSize,
+ uint8_t *decryptParamBuffer);
+
+#endif
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssccattributes.c b/libstb/tss2/ibmtpm20tss/utils/tssccattributes.c
new file mode 100644
index 0000000..1f4f656
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssccattributes.c
@@ -0,0 +1,150 @@
+/********************************************************************************/
+/* */
+/* Command Code Attributes */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* NOTE: This is a replica of CommandAttributeData.c, but endian independent. It must be kept in
+ sync with the TPM reference implementation.
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <inttypes.h>
+
+#include "tssccattributes.h"
+
+/* CommandCodeToCommandIndex() returns the index into the s_ccAttr table for the commandCode.
+ Returns UNIMPLEMENTED_COMMAND_INDEX if the command is unimplemented.
+*/
+
+/* NOTE: Marked as const function in header declaration */
+
+COMMAND_INDEX CommandCodeToCommandIndex(TPM_CC commandCode)
+{
+ COMMAND_INDEX i;
+
+ /* s_ccAttr has terminating 0x0000 command code and V */
+ for (i = 0 ; (s_ccAttr[i].commandCode != 0) || (s_ccAttr[i].V != 0) ; i++) {
+ if (s_ccAttr[i].commandCode == commandCode) {
+ return i;
+ }
+ }
+ return UNIMPLEMENTED_COMMAND_INDEX;
+}
+
+/* getCommandHandleCount() returns the number of command parameter handles */
+
+/* NOTE: Marked as const function in header declaration */
+
+uint32_t getCommandHandleCount(COMMAND_INDEX index)
+{
+ return s_ccAttr[index].cHandles;
+}
+
+/* getresponseHandleCount() returns the number of command parameter handles */
+
+/* NOTE: Marked as const function in header declaration */
+
+uint32_t getresponseHandleCount(COMMAND_INDEX index)
+{
+ return s_ccAttr[index].rHandle;
+}
+
+/* getDecryptSize() returns 0 if the command does not support command parameter encryption, 2 if the
+ command does support command parameter encryption and the size is a uint16_t. There is an unused
+ provision for a 4 for a uint32_t size. */
+
+/* NOTE: Marked as const function in header declaration */
+
+int getDecryptSize(COMMAND_INDEX commandIndex)
+{
+ COMMAND_ATTRIBUTES ca = s_commandAttributes[commandIndex];
+
+ if(ca & DECRYPT_2)
+ return 2;
+ if(ca & DECRYPT_4)
+ return 4;
+ return 0;
+}
+
+/* getEecryptSize() returns 0 if the response does not support response parameter encryption, 2 if
+ the command does support response parameter encryption and the size is a uint16_t. There is an
+ unused provision for a 4 for a uint32_t size. */
+
+/* NOTE: Marked as const function in header declaration */
+
+int getEncryptSize(COMMAND_INDEX commandIndex)
+{
+ COMMAND_ATTRIBUTES ca = s_commandAttributes[commandIndex];
+ if(ca & ENCRYPT_2)
+ return 2;
+ if(ca & ENCRYPT_4)
+ return 4;
+ return 0;
+}
+
+/* getCommandAuthRole() returns the authorization role for the handle: user, admin, or dup.
+
+ */
+
+/* NOTE: Marked as const function in header declaration */
+
+AUTH_ROLE getCommandAuthRole(
+ COMMAND_INDEX commandIndex, // IN: command index
+ size_t handleIndex // IN: handle index (zero based)
+ )
+{
+ if(0 == handleIndex )
+ {
+ // Any auth role set?
+ COMMAND_ATTRIBUTES properties = s_commandAttributes[commandIndex];
+
+ if(properties & HANDLE_1_USER)
+ return AUTH_USER;
+ if(properties & HANDLE_1_ADMIN)
+ return AUTH_ADMIN;
+ if(properties & HANDLE_1_DUP)
+ return AUTH_DUP;
+ }
+ else if (1 == handleIndex)
+ {
+ if(s_commandAttributes[commandIndex] & HANDLE_2_USER)
+ return AUTH_USER;
+ }
+ return AUTH_NONE;
+}
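Review bot: getCommandHandleCount(), getresponseHandleCount(), getDecryptSize(), getEncryptSize() and getCommandAuthRole() index s_ccAttr / s_commandAttributes with the caller-supplied index and no range check, so a caller that forwards the UNIMPLEMENTED_COMMAND_INDEX value returned by CommandCodeToCommandIndex() (0xFFFF, given COMMAND_INDEX is uint16_t) reads well past both tables; getCommandHandleCount12()/getresponseHandleCount12() in tssccattributes12.c share the pattern. Whether every caller checks the index first is not visible here, so the precondition should at least be stated on each accessor, e.g. `/* index must be a CommandCodeToCommandIndex() result other than UNIMPLEMENTED_COMMAND_INDEX; not range checked here */`. Separately, the comment on getresponseHandleCount() says "command parameter handles" while the code returns rHandle, and the comment above getEncryptSize() misspells it as getEecryptSize(); suggest `/* getresponseHandleCount() returns the number of response handles */` and `/* getEncryptSize() returns 0 if the response does not support response parameter encryption, ...`.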
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssccattributes.h b/libstb/tss2/ibmtpm20tss/utils/tssccattributes.h
new file mode 100644
index 0000000..d975b91
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssccattributes.h
@@ -0,0 +1,90 @@
+/********************************************************************************/
+/* */
+/* Command Code Attributes */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TSSCCATTRIBUTES_H
+#define TSSCCATTRIBUTES_H
+
+#include <stdio.h>
+
+#include <ibmtss/TPM_Types.h>
+#include "CommandAttributes.h"
+
+typedef uint16_t COMMAND_INDEX;
+
+/* From Global.h */
+typedef UINT32 AUTH_ROLE;
+#define AUTH_NONE ((AUTH_ROLE)(0))
+#define AUTH_USER ((AUTH_ROLE)(1))
+#define AUTH_ADMIN ((AUTH_ROLE)(2))
+#define AUTH_DUP ((AUTH_ROLE)(3))
+
+#define UNIMPLEMENTED_COMMAND_INDEX ((COMMAND_INDEX)(~0))
+
+COMMAND_INDEX CommandCodeToCommandIndex(TPM_CC commandCode)
+#ifdef __ULTRAVISOR__
+__attribute__ ((const))
+#endif
+ ;
+uint32_t getCommandHandleCount(COMMAND_INDEX index)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+uint32_t getresponseHandleCount(COMMAND_INDEX index)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+int getDecryptSize(COMMAND_INDEX commandIndex)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+int getEncryptSize(COMMAND_INDEX commandIndex)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+AUTH_ROLE getCommandAuthRole(COMMAND_INDEX commandIndex,
+ size_t handleIndex)
+#ifdef __ULTRAVISOR__
+ __attribute__ ((const))
+#endif
+ ;
+
+#endif
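Review bot: The `__attribute__ ((const))` applied under __ULTRAVISOR__ to all six prototypes tells the compiler the return value depends on the arguments alone, but the definitions in tssccattributes.c read the file-scope tables s_ccAttr and s_commandAttributes; that is only sound for `const` if those tables are const-qualified and never written, and their definitions are not in this hunk so I cannot confirm it. If they are mutable, `__attribute__ ((pure))` is the attribute that matches what the functions do. A comment above the first prototype recording the assumption would help the next reader, e.g. `/* const attribute assumes s_ccAttr and s_commandAttributes are immutable tables */`.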
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssccattributes12.c b/libstb/tss2/ibmtpm20tss/utils/tssccattributes12.c
new file mode 100644
index 0000000..0ae8a87
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssccattributes12.c
@@ -0,0 +1,74 @@
+/********************************************************************************/
+/* */
+/* Command Code Attributes */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssccattributes12.c 1164 2018-04-17 19:53:29Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* NOTE: This is a replica of CommandAttributeData.c, but endian independent. It must be kept in
+ sync with the TPM reference implementation.
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <inttypes.h>
+
+#include "tssccattributes12.h"
+
+COMMAND_INDEX CommandCodeToCommandIndex12(TPM_CC commandCode)
+{
+ COMMAND_INDEX i;
+
+ /* s_ccAttr12 has terminating 0x0000 command code and V */
+ for (i = 0 ; (s_ccAttr12[i].commandCode != 0) || (s_ccAttr12[i].V != 0) ; i++) {
+ if (s_ccAttr12[i].commandCode == commandCode) {
+ return i;
+ }
+ }
+ return UNIMPLEMENTED_COMMAND_INDEX;
+}
+
+uint32_t getCommandHandleCount12(COMMAND_INDEX index)
+{
+ return s_ccAttr12[index].cHandles;
+}
+
+uint32_t getresponseHandleCount12(COMMAND_INDEX index)
+{
+ return s_ccAttr12[index].rHandle;
+}
+
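Review bot: The file comment says this is a replica of CommandAttributeData.c, copied verbatim from tssccattributes.c; for the TPM 1.2 tables it presumably mirrors the 1.2 counterpart (CommandAttributeData12.c), so the comment should name the file it is actually kept in sync with. The four includes (stdio.h, stdlib.h, string.h, inttypes.h) are not used by any of the three functions and can be dropped. Unlike the 2.0 twin, these functions carry no "NOTE: Marked as const function in header declaration" comment and the header declares no attribute; the two files should be consistent one way or the other.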
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssccattributes12.h b/libstb/tss2/ibmtpm20tss/utils/tssccattributes12.h
new file mode 100644
index 0000000..a29f011
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssccattributes12.h
@@ -0,0 +1,55 @@
+/********************************************************************************/
+/* */
+/* Command Code Attributes */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssccattributes12.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TSSCCATTRIBUTES12_H
+#define TSSCCATTRIBUTES12_H
+
+#include <stdio.h>
+
+#include <ibmtss/TPM_Types.h>
+#include "tssccattributes.h"
+#include "CommandAttributes.h"
+
+#define UNIMPLEMENTED_COMMAND_INDEX ((COMMAND_INDEX)(~0))
+
+COMMAND_INDEX CommandCodeToCommandIndex12(TPM_CC commandCode);
+uint32_t getCommandHandleCount12(COMMAND_INDEX index);
+uint32_t getresponseHandleCount12(COMMAND_INDEX index);
+
+#endif
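Review bot: UNIMPLEMENTED_COMMAND_INDEX is defined here a second time even though this header includes tssccattributes.h, which already defines it identically; an identical redefinition is legal C, but any future divergence between the two would change behaviour silently, so drop `#define UNIMPLEMENTED_COMMAND_INDEX ((COMMAND_INDEX)(~0))` here and rely on the included header. The `#include "CommandAttributes.h"` is likewise already pulled in through tssccattributes.h, and `<stdio.h>` is not needed by these three prototypes.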
diff --git a/libstb/tss2/ibmtpm20tss/utils/tsscrypto.c b/libstb/tss2/ibmtpm20tss/utils/tsscrypto.c
new file mode 100644
index 0000000..74c7927
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tsscrypto.c
@@ -0,0 +1,1457 @@
+/********************************************************************************/
+/* */
+/* TSS Library Dependent Crypto Support */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* ECC Salt functions written by Bill Martin */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* Interface to OpenSSL version 1.0 or 1.1 crypto library */
+
+#include <string.h>
+#include <stdio.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/aes.h>
+#ifndef TPM_TSS_NORSA
+#include <openssl/rsa.h>
+#endif
+#include <openssl/rand.h>
+#include <openssl/engine.h>
+
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssprint.h>
+#include <ibmtss/tsserror.h>
+
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tsscrypto.h>
+
+extern int tssVverbose;
+extern int tssVerbose;
+
+/* openssl compatibility code */
+
+#if OPENSSL_VERSION_NUMBER < 0x10101000
+#define EC_POINT_set_affine_coordinates(a,b,c,d,e) EC_POINT_set_affine_coordinates_GFp(a,b,c,d,e)
+#define EC_POINT_get_affine_coordinates(a,b,c,d,e) EC_POINT_get_affine_coordinates_GFp(a,b,c,d,e)
+#endif
+
+/* local prototypes */
+
+static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+ TPMI_ALG_HASH hashAlg);
+
+#ifndef TPM_TSS_NOECC
+
+/* ECC salt */
+
+typedef struct
+{
+ EC_GROUP *G;
+ BN_CTX *ctx;
+} CURVE_DATA;
+
+static TPM_RC TSS_ECC_GeneratePlatformEphemeralKey(CURVE_DATA *eCurveData,
+ EC_KEY *myecc);
+static TPM_RC TSS_BN_new(BIGNUM **bn);
+static TPM_RC TSS_BN_hex2bn(BIGNUM **bn, const char *str);
+#endif /* TPM_TSS_NOECC */
+
+#ifndef TPM_TSS_NORSA
+static TPM_RC TSS_bin2bn(BIGNUM **bn, const unsigned char *bin, unsigned int bytes);
+#endif /* TPM_TSS_NORSA */
+
+/*
+ Initialization
+*/
+
+TPM_RC TSS_Crypto_Init(void)
+{
+ TPM_RC rc = 0;
+#if 0
+ int irc;
+#endif
+
+ ERR_load_crypto_strings ();
+ OpenSSL_add_all_algorithms();
+#if 0
+ irc = FIPS_mode_set(1);
+ if (irc == 0) {
+ if (tssVerbose) printf("TSS_Crypto_Init: Cannot set FIPS mode\n");
+ }
+#endif
+ return rc;
+}
+
+/*
+ Digests
+*/
+
+static TPM_RC TSS_Hash_GetMd(const EVP_MD **md,
+ TPMI_ALG_HASH hashAlg)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ switch (hashAlg) {
+#ifdef TPM_ALG_SHA1
+ case TPM_ALG_SHA1:
+ *md = EVP_get_digestbyname("sha1");
+ break;
+#endif
+#ifdef TPM_ALG_SHA256
+ case TPM_ALG_SHA256:
+ *md = EVP_get_digestbyname("sha256");
+ break;
+#endif
+#ifdef TPM_ALG_SHA384
+ case TPM_ALG_SHA384:
+ *md = EVP_get_digestbyname("sha384");
+ break;
+#endif
+#ifdef TPM_ALG_SHA512
+ case TPM_ALG_SHA512:
+ *md = EVP_get_digestbyname("sha512");
+ break;
+#endif
+ default:
+ rc = TSS_RC_BAD_HASH_ALGORITHM;
+ }
+ }
+ return rc;
+}
+
+/* On call, digest->hashAlg is the desired hash algorithm
+
+ length 0 is ignored, buffer NULL terminates list.
+*/
+
+TPM_RC TSS_HMAC_Generate_valist(TPMT_HA *digest, /* largest size of a digest */
+ const TPM2B_KEY *hmacKey,
+ va_list ap)
+{
+ TPM_RC rc = 0;
+ int irc = 0;
+ int done = FALSE;
+ const EVP_MD *md; /* message digest method */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ HMAC_CTX ctx;
+#else
+ HMAC_CTX *ctx;
+#endif
+ int length;
+ uint8_t *buffer;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ HMAC_CTX_init(&ctx);
+#else
+ ctx = HMAC_CTX_new();
+#endif
+ if (rc == 0) {
+ rc = TSS_Hash_GetMd(&md, digest->hashAlg);
+ }
+ if (rc == 0) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ irc = HMAC_Init_ex(&ctx,
+ hmacKey->b.buffer, hmacKey->b.size, /* HMAC key */
+ md, /* message digest method */
+ NULL);
+#else
+ irc = HMAC_Init_ex(ctx,
+ hmacKey->b.buffer, hmacKey->b.size, /* HMAC key */
+ md, /* message digest method */
+ NULL);
+#endif
+
+ if (irc == 0) {
+ rc = TSS_RC_HMAC;
+ }
+ }
+ while ((rc == 0) && !done) {
+ length = va_arg(ap, int); /* first vararg is the length */
+ buffer = va_arg(ap, unsigned char *); /* second vararg is the array */
+ if (buffer != NULL) { /* loop until a NULL buffer terminates */
+ if (length < 0) {
+ if (tssVerbose) printf("TSS_HMAC_Generate: Length is negative\n");
+ rc = TSS_RC_HMAC;
+ }
+ else {
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ irc = HMAC_Update(&ctx, buffer, length);
+#else
+ irc = HMAC_Update(ctx, buffer, length);
+#endif
+ if (irc == 0) {
+ if (tssVerbose) printf("TSS_HMAC_Generate: HMAC_Update failed\n");
+ rc = TSS_RC_HMAC;
+ }
+ }
+ }
+ else {
+ done = TRUE;
+ }
+ }
+
+ if (rc == 0) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ irc = HMAC_Final(&ctx, (uint8_t *)&digest->digest, NULL);
+#else
+ irc = HMAC_Final(ctx, (uint8_t *)&digest->digest, NULL);
+#endif
+ if (irc == 0) {
+ rc = TSS_RC_HMAC;
+ }
+ }
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ HMAC_CTX_cleanup(&ctx);
+#else
+ HMAC_CTX_free(ctx);
+#endif
+ return rc;
+}
+
+/*
+ valist is int length, unsigned char *buffer pairs
+
+ length 0 is ignored, buffer NULL terminates list.
+*/
+
+TPM_RC TSS_Hash_Generate_valist(TPMT_HA *digest, /* largest size of a digest */
+ va_list ap)
+{
+ TPM_RC rc = 0;
+ int irc = 0;
+ int done = FALSE;
+ int length;
+ uint8_t *buffer;
+ EVP_MD_CTX *mdctx;
+ const EVP_MD *md;
+
+ if (rc == 0) {
+ mdctx = EVP_MD_CTX_create();
+ if (mdctx == NULL) {
+ if (tssVerbose) printf("TSS_Hash_Generate: EVP_MD_CTX_create failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Hash_GetMd(&md, digest->hashAlg);
+ }
+ if (rc == 0) {
+ irc = EVP_DigestInit_ex(mdctx, md, NULL);
+ if (irc != 1) {
+ rc = TSS_RC_HASH;
+ }
+ }
+ while ((rc == 0) && !done) {
+ length = va_arg(ap, int); /* first vararg is the length */
+ buffer = va_arg(ap, unsigned char *); /* second vararg is the array */
+ if (buffer != NULL) { /* loop until a NULL buffer terminates */
+ if (length < 0) {
+ if (tssVerbose) printf("TSS_Hash_Generate: Length is negative\n");
+ rc = TSS_RC_HASH;
+ }
+ else {
+ /* if (tssVverbose) TSS_PrintAll("TSS_Hash_Generate:", buffer, length); */
+ if (length != 0) {
+ EVP_DigestUpdate(mdctx, buffer, length);
+ }
+ }
+ }
+ else {
+ done = TRUE;
+ }
+ }
+ if (rc == 0) {
+ EVP_DigestFinal_ex(mdctx, (uint8_t *)&digest->digest, NULL);
+ }
+ EVP_MD_CTX_destroy(mdctx);
+ return rc;
+}
+
+/* Random Numbers */
+
+TPM_RC TSS_RandBytes(unsigned char *buffer, uint32_t size)
+{
+ TPM_RC rc = 0;
+ int irc = 0;
+
+ irc = RAND_bytes(buffer, size);
+ if (irc != 1) {
+ if (tssVerbose) printf("TSS_RandBytes: Random number generation failed\n");
+ rc = TSS_RC_RNG_FAILURE;
+ }
+ return rc;
+}
+
+/*
+ RSA functions
+*/
+
+#ifndef TPM_TSS_NORSA
+
+/* TSS_RsaNew() allocates an openssl RSA key token.
+
+ This abstracts the crypto library specific allocation.
+
+ For Openssl, rsaKey is an RSA structure.
+*/
+
+TPM_RC TSS_RsaNew(void **rsaKey)
+{
+ TPM_RC rc = 0;
+
+ /* sanity check for the free */
+ if (rc == 0) {
+ if (*rsaKey != NULL) {
+ if (tssVerbose)
+ printf("TSS_RsaNew: Error (fatal), token %p should be NULL\n",
+ *rsaKey);
+ rc = TSS_RC_ALLOC_INPUT;
+ }
+ }
+ /* construct the OpenSSL private key object */
+ if (rc == 0) {
+ *rsaKey = RSA_new(); /* freed by caller */
+ if (*rsaKey == NULL) {
+ if (tssVerbose) printf("TSS_RsaNew: Error in RSA_new()\n");
+ rc = TSS_RC_RSA_KEY_CONVERT;
+ }
+ }
+ return rc;
+}
+
+/* TSS_RsaFree() frees an openssl RSA key token.
+
+ This abstracts the crypto library specific free.
+
+ For Openssl, rsaKey is an RSA structure.
+*/
+
+void TSS_RsaFree(void *rsaKey)
+{
+ if (rsaKey != NULL) {
+ RSA_free(rsaKey);
+ }
+ return;
+}
+
+/* TSS_RSAGeneratePublicToken() is deprecated for application use, since it is openssl library
+ dependent.
+
+ Use TSS_RSAGeneratePublicTokenI().
+*/
+
+TPM_RC TSS_RSAGeneratePublicToken(RSA **rsa_pub_key, /* freed by caller */
+ const unsigned char *narr, /* public modulus */
+ uint32_t nbytes,
+ const unsigned char *earr, /* public exponent */
+ uint32_t ebytes)
+{
+ TPM_RC rc = 0;
+ rc = TSS_RSAGeneratePublicTokenI((void **)rsa_pub_key,
+ narr,
+ nbytes,
+ earr,
+ ebytes);
+ return rc;
+}
+
+/* TSS_RSAGeneratePublicTokenI() generates an RSA key token from n and e
+
+ Free rsa_pub_key using TSS_RsaFree();
+ */
+
+TPM_RC TSS_RSAGeneratePublicTokenI(void **rsa_pub_key, /* freed by caller */
+ const unsigned char *narr, /* public modulus */
+ uint32_t nbytes,
+ const unsigned char *earr, /* public exponent */
+ uint32_t ebytes)
+{
+ TPM_RC rc = 0;
+ BIGNUM * n = NULL;
+ BIGNUM * e = NULL;
+ RSA ** rsaPubKey = (RSA **)rsa_pub_key; /* openssl specific structure */
+
+ /* construct the OpenSSL private key object */
+ if (rc == 0) {
+ rc = TSS_RsaNew(rsa_pub_key);
+ }
+ if (rc == 0) {
+ rc = TSS_bin2bn(&n, narr, nbytes); /* freed by caller */
+ }
+ if (rc == 0) {
+ rc = TSS_bin2bn(&e, earr, ebytes); /* freed by caller */
+ }
+ if (rc == 0) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ (*rsaPubKey)->n = n;
+ (*rsaPubKey)->e = e;
+ (*rsaPubKey)->d = NULL;
+#else
+ int irc = RSA_set0_key(*rsaPubKey, n, e, NULL);
+ if (irc != 1) {
+ if (tssVerbose) printf("TSS_RSAGeneratePublicTokenI: Error in RSA_set0_key()\n");
+ rc = TSS_RC_RSA_KEY_CONVERT;
+ }
+#endif
+ }
+ return rc;
+}
+
+/* TSS_RSAPublicEncrypt() pads 'decrypt_data' to 'encrypt_data_size' and encrypts using the public
+ key 'n, e'.
+*/
+
+TPM_RC TSS_RSAPublicEncrypt(unsigned char *encrypt_data, /* encrypted data */
+ size_t encrypt_data_size, /* size of encrypted data buffer */
+ const unsigned char *decrypt_data, /* decrypted data */
+ size_t decrypt_data_size,
+ unsigned char *narr, /* public modulus */
+ uint32_t nbytes,
+ unsigned char *earr, /* public exponent */
+ uint32_t ebytes,
+ unsigned char *p, /* encoding parameter */
+ int pl,
+ TPMI_ALG_HASH halg) /* OAEP hash algorithm */
+{
+ TPM_RC rc = 0;
+ int irc;
+ RSA *rsa_pub_key = NULL;
+ unsigned char *padded_data = NULL;
+
+ if (tssVverbose) printf(" TSS_RSAPublicEncrypt: Input data size %lu\n",
+ (unsigned long)decrypt_data_size);
+ /* intermediate buffer for the decrypted but still padded data */
+ if (rc == 0) {
+ rc = TSS_Malloc(&padded_data, encrypt_data_size); /* freed @2 */
+ }
+ /* construct the OpenSSL public key object */
+ if (rc == 0) {
+ rc = TSS_RSAGeneratePublicTokenI((void **)&rsa_pub_key, /* freed @1 */
+ narr, /* public modulus */
+ nbytes,
+ earr, /* public exponent */
+ ebytes);
+ }
+ if (rc == 0) {
+ padded_data[0] = 0x00;
+ rc = TSS_RSA_padding_add_PKCS1_OAEP(padded_data, /* to */
+ encrypt_data_size, /* to length */
+ decrypt_data, /* from */
+ decrypt_data_size, /* from length */
+ p, /* encoding parameter */
+ pl, /* encoding parameter length */
+ halg); /* OAEP hash algorithm */
+ }
+ if (rc == 0) {
+ if (tssVverbose)
+ printf(" TSS_RSAPublicEncrypt: Padded data size %lu\n",
+ (unsigned long)encrypt_data_size);
+ if (tssVverbose) TSS_PrintAll(" TPM_RSAPublicEncrypt: Padded data", padded_data,
+ encrypt_data_size);
+ /* encrypt with public key. Must pad first and then encrypt because the encrypt
+ call cannot specify an encoding parameter */
+ /* returns the size of the encrypted data. On error, -1 is returned */
+ irc = RSA_public_encrypt(encrypt_data_size, /* from length */
+ padded_data, /* from - the clear text data */
+ encrypt_data, /* the padded and encrypted data */
+ rsa_pub_key, /* key */
+ RSA_NO_PADDING); /* padding */
+ if (irc < 0) {
+ if (tssVerbose) printf("TSS_RSAPublicEncrypt: Error in RSA_public_encrypt()\n");
+ rc = TSS_RC_RSA_ENCRYPT;
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf(" TSS_RSAPublicEncrypt: RSA_public_encrypt() success\n");
+ }
+ TSS_RsaFree(rsa_pub_key); /* @1 */
+ free(padded_data); /* @2 */
+ return rc;
+}
+
+#endif /* TPM_TSS_NORSA */
+
+#ifndef TPM_TSS_NOECC
+
+/* TSS_GeneratePlatformEphemeralKey sets the EC parameters to NIST P256 for generating the ephemeral
+ key. Some OpenSSL versions do not come with NIST p256.
+
+ On success, eCurveData->G must be freed by the caller.
+*/
+
+static TPM_RC TSS_ECC_GeneratePlatformEphemeralKey(CURVE_DATA *eCurveData, EC_KEY *myecc)
+{
+ TPM_RC rc = 0;
+ BIGNUM *p = NULL;
+ BIGNUM *a = NULL;
+ BIGNUM *b = NULL;
+ BIGNUM *x = NULL;
+ BIGNUM *y = NULL;
+ BIGNUM *z = NULL;
+ EC_POINT *G = NULL; /* generator */
+
+ /* ---------------------------------------------------------- *
+ * Set the EC parameters to NISTp256. Openssl versions might *
+ * not have NISTP256 as a possible parameter so we make it *
+ * possible by setting the curve ourselves. *
+ * ---------------------------------------------------------- */
+
+ /* NIST P256 from FIPS 186-3 */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: Converting p\n");
+ rc = TSS_BN_hex2bn(&p, /* freed @1 */
+ "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF");
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: Converting a\n");
+ rc = TSS_BN_hex2bn(&a, /* freed @2 */
+ "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC");
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: Converting b\n");
+ rc = TSS_BN_hex2bn(&b, /* freed @3 */
+ "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B");
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: New group\n");
+ eCurveData->G = EC_GROUP_new(EC_GFp_mont_method()); /* freed @4 */
+ if (eCurveData->G == NULL) {
+ if (tssVerbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: "
+ "Error creating new group\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: Set the curve prime\n");
+ if (EC_GROUP_set_curve_GFp(eCurveData->G, p, a, b, eCurveData->ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: "
+ "Error seting curve prime\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ G = EC_POINT_new(eCurveData->G); /* freed @5 */
+ if (G == NULL ){
+ if (tssVerbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: EC_POINT_new failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_BN_hex2bn(&x, /* freed @6 */
+ "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296");
+ }
+ if (rc == 0) {
+ rc = TSS_BN_hex2bn(&y, /* freed @7 */
+ "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5");
+ }
+ if (rc == 0) {
+ if (EC_POINT_set_affine_coordinates(eCurveData->G, G, x, y, eCurveData->ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: Error, "
+ "Cannot create TPM public point from coordinates\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ /* sanity check to see if point is on the curve */
+ if (rc == 0) {
+ if (EC_POINT_is_on_curve(eCurveData->G, G, eCurveData->ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: Error, "
+ "Point not on curve\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_BN_hex2bn(&z, /* freed @8 */
+ "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551");
+ }
+ if (rc == 0) {
+ if (EC_GROUP_set_generator(eCurveData->G, G, z, BN_value_one()) == 0) {
+ if (tssVerbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: Error, "
+ "EC_GROUP_set_generator()\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ if (EC_GROUP_check(eCurveData->G, eCurveData->ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: Error, "
+ "EC_GROUP_check()\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ if (EC_KEY_set_group(myecc, eCurveData->G) == 0) {
+ if (tssVerbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: Error, "
+ "EC_KEY_set_group()\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+#if 0
+ if (tssVverbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: "
+ "Address of eCurveData->G is %p\n", eCurveData->G);
+ if (tssVverbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: "
+ "Address of eCurveData->CTX is %p\n", eCurveData->ctx);
+#endif
+ if (tssVverbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: "
+ "Set group for key\n");
+ }
+ /* Create the public/private EC key pair here */
+ if (rc == 0) {
+ if (EC_KEY_generate_key(myecc) == 0) {
+ if (tssVerbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: "
+ "Error generating the ECC key.\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ if (!EC_KEY_check_key(myecc)) {
+ if (tssVerbose) printf("TSS_ECC_GeneratePlatformEphemeralKey: "
+ "Error on EC_KEY_check_key()\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (p != NULL) BN_clear_free(p); /* @1 */
+ if (a != NULL) BN_clear_free(a); /* @2 */
+ if (b != NULL) BN_clear_free(b); /* @3 */
+ if (rc != 0) { /* else freed by caller */
+ EC_GROUP_free(eCurveData->G); /* @4 */
+ /* EC_POINT_free(G); /\* @5 *\/ */
+ }
+ EC_POINT_free(G); /* @5 */
+ if (x != NULL) BN_clear_free(x); /* @6 */
+ if (y != NULL) BN_clear_free(y); /* @7 */
+ if (z != NULL) BN_clear_free(z); /* @8 */
+
+ /* don't free the key info. This curve was constructed out of parameters, not of the openssl
+ library */
+ /* EC_KEY_free(myecc) */
+ /* EC_POINT_free(G); */
+ return rc;
+}
+
+/* TSS_ECC_Salt() returns both the plaintext and excrypted salt, based on the salt key bPublic.
+
+ This is currently hard coded to the TPM_ECC_NIST_P256 curve.
+*/
+
+TPM_RC TSS_ECC_Salt(TPM2B_DIGEST *salt,
+ TPM2B_ENCRYPTED_SECRET *encryptedSalt,
+ TPMT_PUBLIC *publicArea)
+{
+ TPM_RC rc = 0;
+ EC_KEY *myecc = NULL; /* ephemeral key */
+ const BIGNUM *d_caller; /* ephemeral private key */
+ const EC_POINT *callerPointPub; /* ephemeral public key */
+ EC_POINT *tpmPointPub = NULL;
+ BIGNUM *p_tpmX = NULL;
+ BIGNUM *bigY = NULL;
+ BIGNUM *zBn = NULL;
+ EC_POINT *rPoint = NULL;
+ BIGNUM *thepoint = NULL;
+ BIGNUM *sharedX = NULL;
+ BIGNUM *yBn = NULL;
+ uint32_t sizeInBytes;
+ uint32_t sizeInBits;
+ uint8_t *sharedXBin = NULL;
+ unsigned int lengthSharedXBin;
+ BIGNUM *p_caller_Xbn = NULL;
+ BIGNUM *p_caller_Ybn = NULL;
+ uint8_t *p_caller_Xbin = NULL;
+ uint8_t *p_caller_Ybin = NULL;
+ uint8_t *p_tpmXbin = NULL;
+ unsigned int length_p_caller_Xbin;
+ unsigned int length_p_caller_Ybin;
+ unsigned int length_p_tpmXbin;
+ TPM2B_ECC_PARAMETER sharedX_For_KDFE;
+ TPM2B_ECC_PARAMETER p_caller_X_For_KDFE;
+ TPM2B_ECC_PARAMETER p_tpmX_For_KDFE;
+ CURVE_DATA eCurveData;
+
+ eCurveData.ctx = NULL; /* for free */
+ eCurveData.G = NULL; /* this is initialized in TSS_ECC_GeneratePlatformEphemeralKey() at
+ EC_GROUP_new() but gcc -O3 emits a warning that it's
+ uninitialized. */
+ /* only NIST P256 is currently supported */
+ if (rc == 0) {
+ if ((publicArea->parameters.eccDetail.curveID != TPM_ECC_NIST_P256)) {
+ if (tssVerbose)
+ printf("TSS_ECC_Salt: ECC curve ID %04x not supported\n",
+ publicArea->parameters.eccDetail.curveID);
+ rc = TSS_RC_BAD_SALT_KEY;
+ }
+ }
+ if (rc == 0) {
+ myecc = EC_KEY_new(); /* freed @1 */
+ if (myecc == NULL) {
+ if (tssVerbose) printf("TSS_ECC_Salt: EC_KEY_new failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ eCurveData.ctx = BN_CTX_new(); /* freed @16 */
+ if (eCurveData.ctx == NULL) {
+ if (tssVerbose) printf("TSS_ECC_Salt: BN_CTX_new failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ /* Generate the TSS EC ephemeral key pair outside the TPM for the salt. The public part of this
+ key is actually the 'encrypted' salt. */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_ECC_Salt: "
+ "Calling TSS_ECC_GeneratePlatformEphemeralKey\n");
+ /* eCurveData->G freed @17 */
+ rc = TSS_ECC_GeneratePlatformEphemeralKey(&eCurveData, myecc);
+ }
+ if (rc == 0) {
+ d_caller = EC_KEY_get0_private_key(myecc); /* ephemeral private key */
+ callerPointPub = EC_KEY_get0_public_key(myecc); /* ephemeral public key */
+ }
+ /* validate that the public point is on the NIST P-256 curve */
+ if (rc == 0) {
+ if (EC_POINT_is_on_curve(eCurveData.G, callerPointPub, eCurveData.ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_Salt: "
+ "Generated point not on curve\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ /* let d_caller be private scalar and P_caller be public point */
+ /* p_tpm is public point. p_tpmX is to be X-coordinate and p_tpmY the
+ Y-coordinate */
+
+ /* Allocate the space for P_tpm */
+ tpmPointPub = EC_POINT_new(eCurveData.G); /* freed @2 */
+ if (tpmPointPub == NULL) {
+ if (tssVerbose) printf("TSS_ECC_Salt: EC_POINT_new failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ /* grab the public point x and y using the parameters passed in */
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_ECC_Salt: "
+ "Salt key sizes are X: %d and Y: %d\n",
+ publicArea->unique.ecc.x.t.size,
+ publicArea->unique.ecc.y.t.size);
+ p_tpmX = BN_bin2bn((const unsigned char *)&publicArea->unique.ecc.x.t.buffer,
+ publicArea->unique.ecc.x.t.size, NULL); /* freed @3 */
+ if (p_tpmX == NULL) {
+ if (tssVerbose) printf("TSS_ECC_Salt: BN_bin2bn p_tpmX failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ bigY = BN_bin2bn((const unsigned char*)&publicArea->unique.ecc.y.t.buffer,
+ publicArea->unique.ecc.y.t.size, bigY); /* freed @15 */
+ if (bigY == NULL) {
+ if (tssVerbose) printf("TSS_ECC_Salt: BN_bin2bn bigY failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_ECC_Salt: "
+ "Salt public key X %s\n", BN_bn2hex(p_tpmX));
+ if (tssVverbose) printf("TSS_ECC_Salt: "
+ "Salt public key Y %s\n", BN_bn2hex(bigY));
+ }
+ /* Create the openssl form of the TPM salt public key as EC_POINT using coordinates */
+ if (rc == 0) {
+ if (EC_POINT_set_affine_coordinates
+ (eCurveData.G, tpmPointPub, p_tpmX, bigY, eCurveData.ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_Salt: "
+ "Cannot create TPM public point from coordinates\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ /* RFC 2440 Named curve prime256v1 */
+ if (rc == 0) {
+ rc = TSS_BN_hex2bn(&zBn, /* freed @4 */
+ "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551");
+ }
+ /* add the generator z to the group we are constructing */
+ if (rc == 0) {
+ if (EC_GROUP_set_generator(eCurveData.G, tpmPointPub, zBn, BN_value_one()) == 0) {
+ if(tssVerbose) printf ("TSS_ECC_Salt: "
+ "Error EC_GROUP_set_generator()\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ /* Check for validity of our group */
+ if (rc == 0) {
+ if (EC_GROUP_check(eCurveData.G, eCurveData.ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_Salt: "
+ "ec_group_check() failed\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ /* Check to see if what we think is the TPM point is on the curve */
+ if (rc == 0) {
+ if (EC_POINT_is_on_curve(eCurveData.G, tpmPointPub, eCurveData.ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_Salt: Error, "
+ "Point not on curve\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ else {
+ if (tssVverbose) printf("TSS_ECC_Salt: "
+ "Validated that TPM EC point is on curve\n");
+ }
+ }
+ if (rc == 0) {
+ rPoint = EC_POINT_new(eCurveData.G);
+ if (rPoint == NULL) {
+ if (tssVerbose) printf("TSS_ECC_Salt: "
+ "Cannot create rPoint\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ /* Point multiply the TPM public point by the ephemeral scalar. This will produce the
+ point from which we get the shared X coordinate, which we keep for use in KDFE. The
+ TPM will calculate the same X. */
+ if (rc == 0) {
+ if (EC_POINT_mul(eCurveData.G, rPoint, NULL, tpmPointPub,
+ d_caller, eCurveData.ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_Salt: "
+ "EC_POINT_mul failed\n") ;
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ else {
+ if (tssVverbose) printf("TSS_ECC_Salt: "
+ "EC_POINT_mul() succeeded\n");
+ }
+ }
+ /* Check to see if calculated point is on the curve, just for extra sanity */
+ if (rc == 0) {
+ if (EC_POINT_is_on_curve(eCurveData.G, rPoint, eCurveData.ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_Salt: Error,"
+ "Point r is not on curve\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ else {
+ if (tssVverbose) printf("TSS_ECC_Salt: "
+ "Point calculated by EC_POINT_mul() is on the curve\n");
+ }
+ }
+ if (rc == 0) {
+ thepoint = EC_POINT_point2bn(eCurveData.G, rPoint, POINT_CONVERSION_UNCOMPRESSED,
+ NULL, eCurveData.ctx); /* freed @6 */
+ if (thepoint == NULL) {
+ if (tssVerbose) printf("TSS_ECC_Salt: "
+ "EC_POINT_point2bn thepoint failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ /* get sharedX */
+ if (rc == 0) {
+ rc = TSS_BN_new(&sharedX); /* freed @7 */
+ }
+ if (rc == 0) {
+ rc = TSS_BN_new(&yBn); /* freed @8 */
+ }
+ if (rc == 0) {
+ if (EC_POINT_get_affine_coordinates(eCurveData.G, rPoint,
+ sharedX, yBn, eCurveData.ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_Salt: "
+ "EC_POINT_get_affine_coordinates() failed\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ sizeInBytes = TSS_GetDigestSize(publicArea->nameAlg);
+ sizeInBits = sizeInBytes * 8;
+ rc = TSS_Malloc(&sharedXBin, BN_num_bytes(sharedX)); /* freed @9 */
+ }
+ if (rc == 0) {
+ lengthSharedXBin = (unsigned int)BN_bn2bin(sharedX, sharedXBin);
+ if (tssVverbose) TSS_PrintAll("TSS_ECC_Salt: sharedXBin",
+ sharedXBin,
+ lengthSharedXBin);
+ }
+ /* encrypted salt is just the ephemeral public key */
+ if (rc == 0) {
+ rc = TSS_BN_new(&p_caller_Xbn); /* freed 10 */
+ }
+ if (rc == 0) {
+ rc = TSS_BN_new(&p_caller_Ybn); /* freed @11 */
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_ECC_Salt: "
+ "Allocated space for ephemeral BIGNUM X, Y\n");
+ }
+ /* Get the X-coordinate and Y-Coordinate */
+ if (rc == 0) {
+ if (EC_POINT_get_affine_coordinates(eCurveData.G, callerPointPub,
+ p_caller_Xbn, p_caller_Ybn,
+ eCurveData.ctx) == 0) {
+ if (tssVerbose) printf("TSS_ECC_Salt: "
+ "EC_POINT_get_affine_coordinates() failed\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ else {
+ if (tssVverbose) printf("TSS_ECC_Salt: "
+ "Retrieved X and Y coordinates from ephemeral public\n");
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(&p_caller_Xbin, BN_num_bytes(p_caller_Xbn)); /* freed @12 */
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(&p_caller_Ybin , BN_num_bytes(p_caller_Ybn)); /* freed @13 */
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_ECC_Salt: "
+ "Allocated space for ephemeral binary X and y\n");
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(&p_tpmXbin, BN_num_bytes(p_tpmX)); /* freed @14 */
+ }
+ if (rc == 0) {
+ length_p_tpmXbin = (unsigned int)BN_bn2bin(p_tpmX, p_tpmXbin);
+ if (tssVverbose) TSS_PrintAll("TSS_ECC_Salt: p_tpmXbin ",
+ p_tpmXbin,
+ length_p_tpmXbin);
+ length_p_caller_Xbin = (unsigned int)BN_bn2bin(p_caller_Xbn, p_caller_Xbin);
+ if (tssVverbose) TSS_PrintAll("TSS_ECC_Salt: p_caller_Xbin",
+ p_caller_Xbin,
+ length_p_caller_Xbin);
+ length_p_caller_Ybin = (unsigned int)BN_bn2bin(p_caller_Ybn, p_caller_Ybin);
+ if (tssVverbose) TSS_PrintAll("TSS_ECC_Salt: p_caller_Ybin",
+ p_caller_Ybin,
+ length_p_caller_Ybin);
+ }
+ /* in->encryptedSalt TPM2B_ENCRYPTED_SECRET is a size and TPMU_ENCRYPTED_SECRET secret.
+ TPMU_ENCRYPTED_SECRET is a TPMS_ECC_POINT
+ TPMS_ECC_POINT has two TPMB_ECC_PARAMETER, x and y
+ */
+ if (rc == 0) {
+ /* TPMS_ECC_POINT 256/8 is a hard coded value for NIST P256, the only curve
+ currently supported */
+ uint8_t *secret = encryptedSalt->t.secret; /* TPMU_ENCRYPTED_SECRET pointer for
+ clarity */
+ /* TPM2B_ENCRYPTED_SECRET size */
+ encryptedSalt->t.size = sizeof(uint16_t) + (256/8) + sizeof(uint16_t) + (256/8);
+ /* leading zeros, because some points may be less than 32 bytes */
+ memset(secret, 0, sizeof(TPMU_ENCRYPTED_SECRET));
+ /* TPMB_ECC_PARAMETER X point */
+ *(uint16_t *)(secret) = htons(256/8);
+ memcpy(secret +
+ sizeof(uint16_t) + (256/8) - length_p_caller_Xbin,
+ p_caller_Xbin, length_p_caller_Xbin);
+ /* TPMB_ECC_PARAMETER Y point */
+ *(uint16_t *)(secret + sizeof(uint16_t) + (256/8)) = htons(256/8);
+ memcpy(secret +
+ sizeof(uint16_t) + (256/8) +
+ sizeof(uint16_t) + (256/8) - length_p_caller_Ybin,
+ p_caller_Ybin, length_p_caller_Ybin);
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_ECC_Salt: ECC encrypted salt",
+ encryptedSalt->t.secret,
+ encryptedSalt->t.size);
+ }
+ /* TPM2B_ECC_PARAMETER sharedX_For_KDFE */
+ if (rc == 0) {
+ if (lengthSharedXBin > 32) {
+ if (tssVerbose) printf("TSS_ECC_Salt: "
+ "lengthSharedXBin %u too large\n",
+ lengthSharedXBin);
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ sharedX_For_KDFE.t.size = 32;
+ memset(sharedX_For_KDFE.t.buffer, 0, sizeof(sharedX_For_KDFE.t.buffer));
+ memcpy(sharedX_For_KDFE.t.buffer + 32 - lengthSharedXBin,
+ sharedXBin, lengthSharedXBin);
+ if (tssVverbose) TSS_PrintAll("TSS_ECC_Salt: sharedX_For_KDFE",
+ sharedX_For_KDFE.t.buffer,
+ sharedX_For_KDFE.t.size);
+ }
+ /* TPM2B_ECC_PARAMETER p_caller_X_For_KDFE */
+ if (rc == 0) {
+ if (length_p_caller_Xbin > 32) {
+ if (tssVerbose) printf("TSS_ECC_Salt: "
+ "length_p_caller_Xbin %u too large\n",
+ length_p_caller_Xbin);
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ p_caller_X_For_KDFE.t.size = 32;
+ memset(p_caller_X_For_KDFE.t.buffer, 0, sizeof(p_caller_X_For_KDFE.t.buffer));
+ memcpy(p_caller_X_For_KDFE.t.buffer + 32 - length_p_caller_Xbin,
+ p_caller_Xbin, length_p_caller_Xbin);
+ if (tssVverbose) TSS_PrintAll("TSS_ECC_Salt: p_caller_X_For_KDFE",
+ p_caller_X_For_KDFE.t.buffer,
+ p_caller_X_For_KDFE.t.size);
+ }
+ /* p_tpmX_For_KDFE */
+ if (rc == 0) {
+ if (length_p_tpmXbin > 32) {
+ if (tssVerbose) printf("TSS_ECC_Salt: "
+ "length_p_tpmXbin %u too large\n",
+ length_p_tpmXbin);
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ p_tpmX_For_KDFE .t.size = 32;
+ memset(p_tpmX_For_KDFE.t.buffer, 0, sizeof(p_tpmX_For_KDFE.t.buffer));
+ memcpy(p_tpmX_For_KDFE.t.buffer + 32 - length_p_tpmXbin,
+ p_tpmXbin, length_p_tpmXbin);
+ if (tssVverbose) TSS_PrintAll("TSS_ECC_Salt: p_tpmX_For_KDFE",
+ p_tpmX_For_KDFE.t.buffer,
+ p_tpmX_For_KDFE.t.size);
+ }
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_ECC_Salt: "
+ "Calling TSS_KDFE\n");
+ /* TPM2B_DIGEST salt size is the largest supported digest algorithm.
+ This has already been validated when unmarshaling the Name hash algorithm.
+ */
+ /* salt = KDFe(tpmKey_NameAlg, sharedX, "SECRET", P_caller, P_tpm,
+ tpmKey_NameAlgSizeBits) */
+ salt->t.size = sizeInBytes;
+ rc = TSS_KDFE((uint8_t *)&salt->t.buffer, /* KDFe output */
+ publicArea->nameAlg, /* hash algorithm */
+ &sharedX_For_KDFE.b, /* Z (key) */
+ "SECRET", /* KDFe label */
+ &p_caller_X_For_KDFE.b, /* context U */
+ &p_tpmX_For_KDFE.b, /* context V */
+ sizeInBits); /* required size of key in bits */
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_ECC_Salt: salt",
+ (uint8_t *)&salt->t.buffer,
+ salt->t.size);
+ }
+ /* cleanup */
+ if (myecc != NULL) EC_KEY_free(myecc); /* @1 */
+ if (tpmPointPub != NULL) EC_POINT_free(tpmPointPub); /* @2 */
+ if (p_tpmX != NULL) BN_clear_free(p_tpmX); /* @3 */
+ if (zBn != NULL) BN_clear_free(zBn); /* @4 */
+ if (rPoint != NULL) EC_POINT_free(rPoint); /* @5 */
+ if (thepoint != NULL) BN_clear_free(thepoint); /* @6 */
+ if (sharedX != NULL) BN_clear_free(sharedX); /* @7 */
+ if (yBn != NULL) BN_clear_free(yBn); /* @8 */
+ free(sharedXBin); /* @9 */
+ if (p_caller_Xbn != NULL) BN_clear_free(p_caller_Xbn); /* @10 */
+ if (p_caller_Ybn != NULL) BN_clear_free(p_caller_Ybn); /* @11 */
+ free(p_caller_Xbin); /* @12 */
+ free(p_caller_Ybin); /* @13 */
+ free(p_tpmXbin); /* @14 */
+ if (bigY != NULL) BN_clear_free(bigY); /* @15 */
+ EC_GROUP_free(eCurveData.G); /* @17 */
+ if (eCurveData.ctx != NULL) BN_CTX_free(eCurveData.ctx); /* @16 */
+
+ return rc;
+}
+
+/* TSS_BN_new() wraps the openSSL function in a TPM error handler
+ */
+
+static TPM_RC TSS_BN_new(BIGNUM **bn) /* freed by caller */
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (*bn != NULL) {
+ if (tssVerbose)
+ printf("TSS_BN_new: Error (fatal), *bn %p should be NULL before BN_new()\n", *bn);
+ rc = TSS_RC_ALLOC_INPUT;
+ }
+ }
+ if (rc == 0) {
+ *bn = BN_new();
+ if (*bn == NULL) {
+ if (tssVerbose) printf("TSS_BN_new: BN_new() failed\n");
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ return rc;
+}
+
+/* TSS_BN_hex2bn() wraps the openSSL function in a TPM error handler
+ */
+
+static TPM_RC TSS_BN_hex2bn(BIGNUM **bn, const char *str) /* freed by caller */
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (*bn != NULL) {
+ if (tssVerbose)
+ printf("TSS_BN_hex2bn: Error (fatal), *bn %p should be NULL before BN_new()\n", *bn);
+ rc = TSS_RC_ALLOC_INPUT;
+ }
+ }
+ if (rc == 0) {
+ int irc;
+ irc = BN_hex2bn(bn, str);
+ if (irc == 0) {
+ if (tssVerbose) printf("TSS_BN_hex2bn: BN_hex2bn() failed\n");
+ rc = TSS_RC_EC_EPHEMERAL_FAILURE;
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NOECC */
+
+#ifndef TPM_TSS_NORSA
+
+/* TSS_bin2bn() wraps the openSSL function in a TPM error handler
+
+ Converts a char array to bignum
+
+ bn must be freed by the caller.
+*/
+
+static TPM_RC TSS_bin2bn(BIGNUM **bn, const unsigned char *bin, unsigned int bytes)
+{
+ TPM_RC rc = 0;
+
+ /* BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
+
+ BN_bin2bn() converts the positive integer in big-endian form of length len at s into a BIGNUM
+ and places it in ret. If ret is NULL, a new BIGNUM is created.
+
+ BN_bin2bn() returns the BIGNUM, NULL on error.
+ */
+ if (rc == 0) {
+ *bn = BN_bin2bn(bin, bytes, *bn);
+ if (*bn == NULL) {
+ if (tssVerbose) printf("TSS_bin2bn: Error in BN_bin2bn\n");
+ rc = TSS_RC_BIGNUM;
+ }
+ }
+ return rc;
+}
+
+#endif /* TPM_TSS_NORSA */
+
+/*
+ AES
+*/
+
+TPM_RC TSS_AES_GetEncKeySize(size_t *tssSessionEncKeySize)
+{
+ *tssSessionEncKeySize = sizeof(AES_KEY);
+ return 0;
+}
+TPM_RC TSS_AES_GetDecKeySize(size_t *tssSessionDecKeySize)
+{
+ *tssSessionDecKeySize = sizeof(AES_KEY);
+ return 0;
+}
+
+#define TSS_AES_KEY_BITS 128
+
+#ifndef TPM_TSS_NOFILE
+
+TPM_RC TSS_AES_KeyGenerate(void *tssSessionEncKey,
+ void *tssSessionDecKey)
+{
+ TPM_RC rc = 0;
+ int irc;
+ unsigned char userKey[AES_128_BLOCK_SIZE_BYTES];
+ const char *envKeyString = NULL;
+ unsigned char *envKeyBin = NULL;
+ size_t envKeyBinLen;
+
+ if (rc == 0) {
+ envKeyString = getenv("TPM_SESSION_ENCKEY");
+ }
+ if (envKeyString == NULL) {
+ /* If the env variable TPM_SESSION_ENCKEY is not set, generate a random key for this
+ TSS_CONTEXT */
+ if (rc == 0) {
+ /* initialize userKey to silence valgrind false positive */
+ memset(userKey, 0, sizeof(userKey));
+ rc = TSS_RandBytes(userKey, AES_128_BLOCK_SIZE_BYTES);
+ }
+ }
+ /* The env variable TPM_SESSION_ENCKEY can set a (typically constant) encryption key. This is
+ useful for scripting, where the env variable is set to a random seed at the beginning of the
+ script. */
+ else {
+ /* hexascii to binary */
+ if (rc == 0) {
+ rc = TSS_Array_Scan(&envKeyBin, /* freed @1 */
+ &envKeyBinLen, envKeyString);
+ }
+ /* range check */
+ if (rc == 0) {
+ if (envKeyBinLen != AES_128_BLOCK_SIZE_BYTES) {
+ if (tssVerbose)
+ printf("TSS_AES_KeyGenerate: Error, env variable length %lu not %lu\n",
+ (unsigned long)envKeyBinLen, (unsigned long)sizeof(userKey));
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ /* copy the binary to the common userKey for use below */
+ if (rc == 0) {
+ memcpy(userKey, envKeyBin, envKeyBinLen);
+ }
+ }
+ /* translate to an openssl key token */
+ if (rc == 0) {
+ irc = AES_set_encrypt_key(userKey,
+ TSS_AES_KEY_BITS,
+ tssSessionEncKey);
+ /* should never occur, null pointers or bad bit size */
+ if (irc != 0) {
+ if (tssVerbose)
+ printf("TSS_AES_KeyGenerate: Error setting openssl AES encryption key\n");
+ rc = TSS_RC_AES_KEYGEN_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ irc = AES_set_decrypt_key(userKey,
+ TSS_AES_KEY_BITS,
+ tssSessionDecKey);
+ /* should never occur, null pointers or bad bit size */
+ if (irc != 0) {
+ if (tssVerbose)
+ printf("TSS_AES_KeyGenerate: Error setting openssl AES decryption key\n");
+ rc = TSS_RC_AES_KEYGEN_FAILURE;
+ }
+ }
+ free(envKeyBin); /* @1 */
+ return rc;
+}
+
+#endif
+
+/* TSS_AES_Encrypt() is AES non-portable code to encrypt 'decrypt_data' to 'encrypt_data' using CBC.
+ This function uses the session encryption key for encrypting session state.
+
+ The stream is padded as per PKCS#7 / RFC2630
+
+ 'encrypt_data' must be free by the caller
+*/
+
+TPM_RC TSS_AES_Encrypt(void *tssSessionEncKey,
+ unsigned char **encrypt_data, /* output, caller frees */
+ uint32_t *encrypt_length, /* output */
+ const unsigned char *decrypt_data, /* input */
+ uint32_t decrypt_length) /* input */
+{
+ TPM_RC rc = 0;
+ uint32_t pad_length;
+ unsigned char *decrypt_data_pad;
+ unsigned char ivec[AES_128_BLOCK_SIZE_BYTES]; /* initial chaining vector */
+
+ decrypt_data_pad = NULL; /* freed @1 */
+ if (rc == 0) {
+ /* calculate the pad length and padded data length */
+ pad_length = AES_128_BLOCK_SIZE_BYTES - (decrypt_length % AES_128_BLOCK_SIZE_BYTES);
+ *encrypt_length = decrypt_length + pad_length;
+ /* allocate memory for the encrypted response */
+ rc = TSS_Malloc(encrypt_data, *encrypt_length);
+ }
+ /* allocate memory for the padded decrypted data */
+ if (rc == 0) {
+ rc = TSS_Malloc(&decrypt_data_pad, *encrypt_length);
+ }
+ /* pad the decrypted clear text data */
+ if (rc == 0) {
+ /* unpadded original data */
+ memcpy(decrypt_data_pad, decrypt_data, decrypt_length);
+ /* last gets pad = pad length */
+ memset(decrypt_data_pad + decrypt_length, pad_length, pad_length);
+ /* set the IV */
+ memset(ivec, 0, sizeof(ivec));
+ /* encrypt the padded input to the output */
+ AES_cbc_encrypt(decrypt_data_pad,
+ *encrypt_data,
+ *encrypt_length,
+ tssSessionEncKey,
+ ivec,
+ AES_ENCRYPT);
+ }
+ free(decrypt_data_pad); /* @1 */
+ return rc;
+}
+
+/* TSS_AES_Decrypt() is AES non-portable code to decrypt 'encrypt_data' to 'decrypt_data' using CBC.
+ This function uses the session encryption key for decrypting session state.
+
+ The stream must be padded as per PKCS#7 / RFC2630
+
+ decrypt_data must be free by the caller
+*/
+
+TPM_RC TSS_AES_Decrypt(void *tssSessionDecKey,
+ unsigned char **decrypt_data, /* output, caller frees */
+ uint32_t *decrypt_length, /* output */
+ const unsigned char *encrypt_data, /* input */
+ uint32_t encrypt_length) /* input */
+{
+ TPM_RC rc = 0;
+ uint32_t pad_length;
+ uint32_t i;
+ unsigned char *pad_data;
+ unsigned char ivec[AES_128_BLOCK_SIZE_BYTES]; /* initial chaining vector */
+
+ /* sanity check encrypted length */
+ if (rc == 0) {
+ if (encrypt_length < AES_128_BLOCK_SIZE_BYTES) {
+ if (tssVerbose) printf("TSS_AES_Decrypt: Error, bad length %u\n",
+ encrypt_length);
+ rc = TSS_RC_AES_DECRYPT_FAILURE;
+ }
+ }
+ /* allocate memory for the padded decrypted data */
+ if (rc == 0) {
+ rc = TSS_Malloc(decrypt_data, encrypt_length);
+ }
+ /* decrypt the input to the padded output */
+ if (rc == 0) {
+ /* set the IV */
+ memset(ivec, 0, sizeof(ivec));
+ /* decrypt the padded input to the output */
+ AES_cbc_encrypt(encrypt_data,
+ *decrypt_data,
+ encrypt_length,
+ tssSessionDecKey,
+ ivec,
+ AES_DECRYPT);
+ }
+ /* get the pad length */
+ if (rc == 0) {
+ /* get the pad length from the last byte */
+ pad_length = (uint32_t)*(*decrypt_data + encrypt_length - 1);
+ /* sanity check the pad length */
+ if ((pad_length == 0) ||
+ (pad_length > AES_128_BLOCK_SIZE_BYTES)) {
+ if (tssVerbose) printf("TSS_AES_Decrypt: Error, illegal pad length\n");
+ rc = TSS_RC_AES_DECRYPT_FAILURE;
+ }
+ }
+ if (rc == 0) {
+ /* get the unpadded length */
+ *decrypt_length = encrypt_length - pad_length;
+ /* pad starting point */
+ pad_data = *decrypt_data + *decrypt_length;
+ /* sanity check the pad */
+ for (i = 0 ; (rc == 0) && (i < pad_length) ; i++, pad_data++) {
+ if (*pad_data != pad_length) {
+ if (tssVerbose) printf("TSS_AES_Decrypt: Error, bad pad %02x at index %u\n",
+ *pad_data, i);
+ rc = TSS_RC_AES_DECRYPT_FAILURE;
+ }
+ }
+ }
+ return rc;
+}
+
+TPM_RC TSS_AES_EncryptCFB(uint8_t *dOut, /* OUT: the encrypted data */
+ uint32_t keySizeInBits, /* IN: key size in bits */
+ uint8_t *key, /* IN: key buffer */
+ uint8_t *iv, /* IN/OUT: IV for decryption */
+ uint32_t dInSize, /* IN: data size */
+ uint8_t *dIn) /* IN: data buffer */
+{
+ TPM_RC rc = 0;
+ int irc;
+ int blockSize;
+ AES_KEY aeskey;
+ int32_t dSize; /* signed version of dInSize */
+
+ /* Create AES encryption key token */
+ if (rc == 0) {
+ irc = AES_set_encrypt_key(key, keySizeInBits, &aeskey);
+ if (irc != 0) {
+ if (tssVerbose) printf("TSS_AES_EncryptCFB: Error setting openssl AES encryption key\n");
+ rc = TSS_RC_AES_KEYGEN_FAILURE; /* should never occur, null pointers or bad bit size */
+ }
+ }
+ if (rc == 0) {
+ /* Encrypt the current IV into the new IV, XOR in the data, and copy to output */
+ for(dSize = (int32_t)dInSize ; dSize > 0 ; dSize -= 16, dOut += 16, dIn += 16) {
+ /* Encrypt the current value of the IV to the intermediate value. Store in old iv,
+ since it's not needed anymore. */
+ AES_encrypt(iv, iv, &aeskey);
+ blockSize = (dSize < 16) ? dSize : 16; /* last block can be < 16 */
+ TSS_XOR(dOut, dIn, iv, blockSize);
+ memcpy(iv, dOut, blockSize);
+ }
+ }
+ return rc;
+}
+
+TPM_RC TSS_AES_DecryptCFB(uint8_t *dOut, /* OUT: the decrypted data */
+ uint32_t keySizeInBits, /* IN: key size in bits */
+ uint8_t *key, /* IN: key buffer */
+ uint8_t *iv, /* IN/OUT: IV for decryption. */
+ uint32_t dInSize, /* IN: data size */
+ uint8_t *dIn) /* IN: data buffer */
+{
+ TPM_RC rc = 0;
+ int irc;
+ uint8_t tmp[16];
+ int blockSize;
+ AES_KEY aesKey;
+ int32_t dSize;
+
+ /* Create AES encryption key token */
+ if (rc == 0) {
+ irc = AES_set_encrypt_key(key, keySizeInBits, &aesKey);
+ if (irc != 0) {
+ if (tssVerbose) printf("TSS_AES_DecryptCFB: Error setting openssl AES encryption key\n");
+ rc = TSS_RC_AES_KEYGEN_FAILURE; /* should never occur, null pointers or bad bit size */
+ }
+ }
+ if (rc == 0) {
+ for (dSize = (int32_t)dInSize ; dSize > 0; dSize -= 16, dOut += 16, dIn += 16) {
+ /* Encrypt the IV into the temp buffer */
+ AES_encrypt(iv, tmp, &aesKey);
+ blockSize = (dSize < 16) ? dSize : 16; /* last block can be < 16 */
+ TSS_XOR(dOut, dIn, tmp, blockSize);
+ memcpy(iv, dIn, blockSize);
+ }
+ }
+ return rc;
+}
+
diff --git a/libstb/tss2/ibmtpm20tss/utils/tsscryptoh.c b/libstb/tss2/ibmtpm20tss/utils/tsscryptoh.c
new file mode 100644
index 0000000..9afc99e
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tsscryptoh.c
@@ -0,0 +1,590 @@
+/********************************************************************************/
+/* */
+/* TSS Library Independent Crypto Support */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssprint.h>
+#include <ibmtss/tsserror.h>
+
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tsscrypto.h>
+
+extern int tssVverbose;
+extern int tssVerbose;
+
+/* local prototypes */
+
+static TPM_RC TSS_MGF1(unsigned char *mask,
+ uint32_t maskLen,
+ const unsigned char *mgfSeed,
+ uint16_t mgfSeedlen,
+ TPMI_ALG_HASH halg);
+
+/* TSS_HMAC_Generate() can be called directly to HMAC a list of streams.
+
+ The ... arguments are a message list of the form
+ int length, unsigned char *buffer
+ terminated by a 0 length
+*/
+
+/* On call, digest->hashAlg is the desired hash algorithm */
+
+TPM_RC TSS_HMAC_Generate(TPMT_HA *digest, /* largest size of a digest */
+ const TPM2B_KEY *hmacKey,
+ ...)
+{
+ TPM_RC rc = 0;
+ va_list ap;
+
+ va_start(ap, hmacKey);
+ rc = TSS_HMAC_Generate_valist(digest, hmacKey, ap);
+ va_end(ap);
+ return rc;
+}
+
+/* TSS_HMAC_Verify() can be called directly to check the HMAC of a list of streams.
+
+ The ... arguments are a list of the form
+ int length, unsigned char *buffer
+ terminated by a 0 length
+
+*/
+
+TPM_RC TSS_HMAC_Verify(TPMT_HA *expect,
+ const TPM2B_KEY *hmacKey,
+ uint32_t sizeInBytes,
+ ...)
+{
+ TPM_RC rc = 0;
+ int irc;
+ va_list ap;
+ TPMT_HA actual;
+
+ actual.hashAlg = expect->hashAlg; /* algorithm for the HMAC calculation */
+ va_start(ap, sizeInBytes);
+ if (rc == 0) {
+ rc = TSS_HMAC_Generate_valist(&actual, hmacKey, ap);
+ }
+ if (rc == 0) {
+ irc = memcmp((uint8_t *)&expect->digest, &actual.digest, sizeInBytes);
+ if (irc != 0) {
+ TSS_PrintAll("TSS_HMAC_Verify: calculated HMAC",
+ (uint8_t *)&actual.digest, sizeInBytes);
+ rc = TSS_RC_HMAC_VERIFY;
+ }
+ }
+ va_end(ap);
+ return rc;
+}
+
+/* TSS_KDFA() 11.4.9 Key Derivation Function
+
+ As defined in SP800-108, the inner loop for building the key stream is:
+
+ K(i) = HMAC (KI , [i]2 || Label || 00 || Context || [L]2)
+*/
+
+TPM_RC TSS_KDFA(uint8_t *keyStream, /* OUT: key buffer */
+ TPM_ALG_ID hashAlg, /* IN: hash algorithm used in HMAC */
+ const TPM2B *key, /* IN: HMAC key */
+ const char *label, /* IN: KDFa label, NUL terminated */
+ const TPM2B *contextU, /* IN: context U */
+ const TPM2B *contextV, /* IN: context V */
+ uint32_t sizeInBits) /* IN: size of generated key in bits */
+
+{
+ TPM_RC rc = 0;
+ uint32_t bytes = ((sizeInBits + 7) / 8); /* bytes left to produce */
+ uint8_t *stream;
+ uint32_t sizeInBitsNbo = htonl(sizeInBits); /* KDFa L2 */
+ uint16_t bytesThisPass; /* in one HMAC operation */
+ uint32_t counter; /* counter value */
+ uint32_t counterNbo; /* counter in big endian */
+ TPMT_HA hmac; /* hmac result for this pass */
+
+
+ if (rc == 0) {
+ hmac.hashAlg = hashAlg; /* for TSS_HMAC_Generate() */
+ bytesThisPass = TSS_GetDigestSize(hashAlg); /* start with hashAlg sized chunks */
+ if (bytesThisPass == 0) {
+ if (tssVerbose) printf("TSS_KDFA: KDFa failed\n");
+ rc = TSS_RC_KDFA_FAILED;
+ }
+ }
+ /* Generate required bytes */
+ for (stream = keyStream, counter = 1 ; /* beginning of stream, KDFa counter starts at 1 */
+ (rc == 0) && bytes > 0 ; /* bytes left to produce */
+ stream += bytesThisPass, bytes -= bytesThisPass, counter++) {
+
+ /* last pass, can be less than hashAlg sized chunks */
+ if (bytes < bytesThisPass) {
+ bytesThisPass = bytes;
+ }
+ counterNbo = htonl(counter); /* counter for this pass in BE format */
+
+ rc = TSS_HMAC_Generate(&hmac, /* largest size of an HMAC */
+ (const TPM2B_KEY *)key,
+ sizeof(uint32_t), &counterNbo, /* KDFa i2 counter */
+ strlen(label) + 1, label, /* KDFa label, use NUL as the KDFa
+ 00 byte */
+ contextU->size, contextU->buffer, /* KDFa Context */
+ contextV->size, contextV->buffer, /* KDFa Context */
+ sizeof(uint32_t), &sizeInBitsNbo, /* KDFa L2 */
+ 0, NULL);
+ memcpy(stream, &hmac.digest.tssmax, bytesThisPass);
+ }
+ return rc;
+}
+
+/* TSS_KDFE() 11.4.9.3 Key Derivation Function for ECDH
+
+ Digest = Hash(counter || Z || Use || PartyUInfo || PartyVInfo || bits )
+
+ where
+
+ counter is initialized to 1 and incremented for each iteration
+
+ Z is the X-coordinate of the product of a public (TPM) ECC key and
+ a different private ECC key
+
+ Use is a NULL-terminated string that indicates the use of the key
+ ("DUPLICATE", "IDENTITY", "SECRET", etc)
+
+ PartyUInfo is the X-coordinate of the public point of an ephemeral key
+
+ PartyVInfo is the X-coordinate of the public point of the TPM key
+
+ bits is a 32-bit value indicating the number of bits to be returned
+*/
+
+TPM_RC TSS_KDFE(uint8_t *keyStream, /* OUT: key buffer */
+ TPM_ALG_ID hashAlg, /* IN: hash algorithm used */
+ const TPM2B *key, /* IN: Z */
+ const char *label, /* IN: KDFe label, NUL terminated */
+ const TPM2B *contextU, /* IN: context U */
+ const TPM2B *contextV, /* IN: context V */
+ uint32_t sizeInBits) /* IN: size of generated key in bits */
+
+{
+ TPM_RC rc = 0;
+ uint32_t bytes = ((sizeInBits + 7) / 8); /* bytes left to produce */
+ uint8_t *stream;
+ uint16_t bytesThisPass; /* in one Hash operation */
+ uint32_t counter; /* counter value */
+ uint32_t counterNbo; /* counter in big endian */
+ TPMT_HA digest; /* result for this pass */
+
+ if (rc == 0) {
+ digest.hashAlg = hashAlg; /* for TSS_Hash_Generate() */
+ bytesThisPass = TSS_GetDigestSize(hashAlg); /* start with hashAlg sized chunks */
+ if (bytesThisPass == 0) {
+ if (tssVerbose) printf("TSS_KDFE: KDFe failed\n");
+ rc = TSS_RC_KDFE_FAILED;
+ }
+ }
+ /* Generate required bytes */
+ for (stream = keyStream, counter = 1 ; /* beginning of stream, KDFe counter starts at 1 */
+ (rc == 0) && bytes > 0 ; /* bytes left to produce */
+ stream += bytesThisPass, bytes -= bytesThisPass, counter++) {
+ /* last pass, can be less than hashAlg sized chunks */
+ if (bytes < bytesThisPass) {
+ bytesThisPass = bytes;
+ }
+ counterNbo = htonl(counter); /* counter for this pass in BE format */
+
+ rc = TSS_Hash_Generate(&digest, /* largest size of a digest */
+ sizeof(uint32_t), &counterNbo, /* KDFe i2 counter */
+ key->size, key->buffer,
+ strlen(label) + 1, label, /* KDFe label, use NUL as the KDFe
+ 00 byte */
+ contextU->size, contextU->buffer, /* KDFe Context */
+ contextV->size, contextV->buffer, /* KDFe Context */
+ 0, NULL);
+ memcpy(stream, &digest.digest.tssmax, bytesThisPass);
+ }
+ return rc;
+}
+
+/* On call, digest->hashAlg is the desired hash algorithm
+
+ ... is a list of int length, unsigned char *buffer pairs.
+
+ length 0 is ignored, buffer NULL terminates list.
+*/
+
+TPM_RC TSS_Hash_Generate(TPMT_HA *digest, /* largest size of a digest */
+ ...)
+{
+ TPM_RC rc = 0;
+ va_list ap;
+ va_start(ap, digest);
+ rc = TSS_Hash_Generate_valist(digest, ap);
+ va_end(ap);
+ return rc;
+}
+
+
+/* TSS_GetDigestBlockSize() returns the digest block size in bytes based on the hash algorithm.
+
+ Returns 0 for an unknown algorithm.
+*/
+
+/* NOTE: Marked as const function in header */
+
+uint16_t TSS_GetDigestBlockSize(TPM_ALG_ID hashAlg)
+{
+ uint16_t size;
+
+ switch (hashAlg) {
+#ifdef TPM_ALG_SHA1
+ case TPM_ALG_SHA1:
+ size = SHA1_BLOCK_SIZE;
+ break;
+#endif
+#ifdef TPM_ALG_SHA256
+ case TPM_ALG_SHA256:
+ size = SHA256_BLOCK_SIZE;
+ break;
+#endif
+#ifdef TPM_ALG_SHA384
+ case TPM_ALG_SHA384:
+ size = SHA384_BLOCK_SIZE;
+ break;
+#endif
+#ifdef TPM_ALG_SHA512
+ case TPM_ALG_SHA512:
+ size = SHA512_BLOCK_SIZE;
+ break;
+#endif
+#if 0
+ case TPM_ALG_SM3_256:
+ size = SM3_256_BLOCK_SIZE;
+ break;
+#endif
+ default:
+ size = 0;
+ }
+ return size;
+}
+
+/* TPM_MGF1() generates an MGF1 'array' of length 'arrayLen' from 'seed' of length 'seedlen'
+
+ The openSSL DLL doesn't export MGF1 in Windows or Linux 1.0.0, so this version is created from
+ scratch.
+
+ Algorithm and comments (not the code) from:
+
+ PKCS #1: RSA Cryptography Specifications Version 2.1 B.2.1 MGF1
+
+ Prototype designed to be compatible with openSSL
+
+ MGF1 is a Mask Generation Function based on a hash function.
+
+ MGF1 (mgfSeed, maskLen)
+
+ Options:
+
+ Hash hash function (hLen denotes the length in octets of the hash
+ function output)
+
+ Input:
+
+ mgfSeed seed from which mask is generated, an octet string
+ maskLen intended length in octets of the mask, at most 2^32(hLen)
+
+ Output:
+ mask mask, an octet string of length l; or "mask too long"
+
+ Error: "mask too long'
+*/
+
+static TPM_RC TSS_MGF1(unsigned char *mask,
+ uint32_t maskLen,
+ const unsigned char *mgfSeed,
+ uint16_t mgfSeedlen,
+ TPMI_ALG_HASH halg)
+{
+ TPM_RC rc = 0;
+ unsigned char counter[4]; /* 4 octets */
+ uint32_t count; /* counter as an integral type */
+ uint32_t outLen;
+ TPMT_HA digest;
+ uint16_t digestSize = TSS_GetDigestSize(halg);
+
+ digest.hashAlg = halg;
+
+#if 0
+ if (rc == 0) {
+ /* this is possible with arrayLen on a 64 bit architecture, comment to quiet beam */
+ if ((maskLen / TPM_DIGEST_SIZE) > 0xffffffff) { /* constant condition */
+ if (tssVerbose)
+ printf("TSS_MGF1: Error (fatal), Output length too large for 32 bit counter\n");
+ rc = TPM_FAIL; /* should never occur */
+ }
+ }
+#endif
+ /* 1.If l > 2^32(hLen), output "mask too long" and stop. */
+ /* NOTE Checked by caller */
+ /* 2. Let T be the empty octet string. */
+ /* 3. For counter from 0 to [masklen/hLen] - 1, do the following: */
+ for (count = 0, outLen = 0 ; (rc == 0) && (outLen < maskLen) ; count++) {
+ /* a. Convert counter to an octet string C of length 4 octets - see Section 4.1 */
+ /* C = I2OSP(counter, 4) NOTE Basically big endian */
+ uint32_t count_n = htonl(count);
+ memcpy(counter, &count_n, 4);
+ /* b.Concatenate the hash of the seed mgfSeed and C to the octet string T: */
+ /* T = T || Hash (mgfSeed || C) */
+ /* If the entire digest is needed for the mask */
+ if ((outLen + digestSize) < maskLen) {
+ rc = TSS_Hash_Generate(&digest,
+ mgfSeedlen, mgfSeed,
+ 4, counter,
+ 0, NULL);
+ memcpy(mask + outLen, &digest.digest, digestSize);
+ outLen += digestSize;
+ }
+ /* if the mask is not modulo TPM_DIGEST_SIZE, only part of the final digest is needed */
+ else {
+ /* hash to a temporary digest variable */
+ rc = TSS_Hash_Generate(&digest,
+ mgfSeedlen, mgfSeed,
+ 4, counter,
+ 0, NULL);
+ /* copy what's needed */
+ memcpy(mask + outLen, &digest.digest, maskLen - outLen);
+ outLen = maskLen; /* outLen = outLen + maskLen - outLen */
+ }
+ }
+ /* 4.Output the leading l octets of T as the octet string mask. */
+ return rc;
+}
+
+/*
+ OAEP Padding
+*/
+
+/* TSS_RSA_padding_add_PKCS1_OAEP() is a variation of the the openSSL function
+
+ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+ unsigned char *f, int fl, unsigned char *p, int pl);
+
+ It is used because the openssl function is hard coded to SHA1.
+
+ This function was independently written from the PKCS1 specification "9.1.1.1 Encoding
+ Operation" and PKCS#1 v2.2, intended to be unencumbered by any license.
+
+
+ | <- emLen -> |
+
+ | lHash | PS | 01 | Message |
+
+ SHA flen
+
+ | db |
+ | dbMask |
+ | seed |
+
+ SHA
+
+ | seedMask |
+ | 00 | maskSeed | maskedDB |
+*/
+
+TPM_RC TSS_RSA_padding_add_PKCS1_OAEP(unsigned char *em, uint32_t emLen,
+ const unsigned char *from, uint32_t fLen,
+ const unsigned char *p,
+ int plen,
+ TPMI_ALG_HASH halg)
+{
+ TPM_RC rc = 0;
+ TPMT_HA lHash;
+ unsigned char *db = NULL; /* compiler false positive */
+
+ unsigned char *dbMask = NULL; /* freed @1 */
+ unsigned char *seed = NULL; /* freed @2 */
+ unsigned char *maskedDb;
+ unsigned char *seedMask = NULL; /* compiler false positive */
+ unsigned char *maskedSeed;
+
+ uint16_t hlen = TSS_GetDigestSize(halg);
+
+ /* 1.a. If the length of L is greater than the input limitation for */
+ /* the hash function (2^61-1 octets for SHA-1) then output "parameter */
+ /* string too long" and stop. */
+ if (rc == 0) {
+ if (plen > 0xffff) {
+ if (tssVerbose) printf("TSS_RSA_padding_add_PKCS1_OAEP: Error, "
+ "label %u too long\n", plen);
+ rc = TSS_RC_RSA_PADDING;
+ }
+ }
+ /* 1.b. If ||M|| > emLen-2hLen-1 then output "message too long" and stop. */
+ if (rc == 0) {
+ if (emLen < ((2 * hlen) + 2 + fLen)) {
+ if (tssVerbose) printf("TSS_RSA_padding_add_PKCS1_OAEP: Error, "
+ "message length %u too large for encoded length %u\n",
+ fLen, emLen);
+ rc = TSS_RC_RSA_PADDING;
+ }
+ }
+ /* 2.a. Let lHash = Hash(L), an octet string of length hLen. */
+ if (rc == 0) {
+ lHash.hashAlg = halg;
+ rc = TSS_Hash_Generate(&lHash,
+ plen, p,
+ 0, NULL);
+ }
+ if (rc == 0) {
+ /* 2.b. Generate an octet string PS consisting of emLen-||M||-2hLen-2 zero octets. The
+ length of PS may be 0. */
+ /* 2.c. Concatenate lHash, PS, a single octet of 0x01 the message M, to form a data block DB
+ as: DB = lHash || PS || 01 || M */
+ /* NOTE Since db is eventually maskedDb, part of em, create directly in em */
+ db = em + hlen + 1;
+ memcpy(db, &lHash.digest, hlen); /* lHash */
+ /* PSlen = emlen - flen - (2 * hlen) - 2 */
+ memset(db + hlen, 0, /* PS */
+ emLen - fLen - (2 * hlen) - 2);
+ /* position of 0x01 in db is
+ hlen + PSlen =
+ hlen + emlen - flen - (2 * hlen) - 2 =
+ emlen - hlen - flen - 2 */
+ db[emLen - fLen - hlen - 2] = 0x01;
+ memcpy(db + emLen - fLen - hlen - 1, from, fLen); /* M */
+ }
+ /* 2.d. Generate a random octet string seed of length hLen. */
+ if (rc == 0) {
+ rc = TSS_Malloc(&seed, hlen);
+ }
+ if (rc == 0) {
+ rc = TSS_RandBytes(seed, hlen);
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(&dbMask, emLen - hlen - 1);
+ }
+ if (rc == 0) {
+ /* 2.e. Let dbMask = MGF(seed, emLen-hLen-1). */
+ rc = TSS_MGF1(dbMask, emLen - hlen -1, /* dbLen */
+ seed, hlen,
+ halg);
+ }
+ if (rc == 0) {
+ /* 2.f. Let maskedDB = DB xor dbMask. */
+ /* NOTE Since maskedDB is eventually em, XOR directly to em */
+ maskedDb = em + hlen + 1;
+ TSS_XOR(maskedDb, db, dbMask, emLen - hlen -1);
+ /* 2.g. Let seedMask = MGF(maskedDB, hLen). */
+ /* NOTE Since seedMask is eventually em, create directly to em */
+ seedMask = em + 1;
+ rc = TSS_MGF1(seedMask, hlen,
+ maskedDb, emLen - hlen - 1,
+ halg);
+ }
+ if (rc == 0) {
+ /* 2.h. Let maskedSeed = seed xor seedMask. */
+ /* NOTE Since maskedSeed is eventually em, create directly to em */
+ maskedSeed = em + 1;
+ TSS_XOR(maskedSeed, seed, seedMask, hlen);
+ /* 2.i. 0x00, maskedSeed, and maskedDb to form EM */
+ /* NOTE Created directly in em */
+ }
+ free(dbMask); /* @1 */
+ free(seed); /* @2 */
+ return rc;
+}
+
+/* TPM_XOR XOR's 'in1' and 'in2' of 'length', putting the result in 'out'
+
+ */
+
+void TSS_XOR(unsigned char *out,
+ const unsigned char *in1,
+ const unsigned char *in2,
+ size_t length)
+{
+ size_t i;
+
+ for (i = 0 ; i < length ; i++) {
+ out[i] = in1[i] ^ in2[i];
+ }
+ return;
+}
+
+/*
+ AES
+*/
+
+#define TSS_AES_KEY_BITS 128
+
+/* TSS_Sym_GetBlockSize() returns the block size for the symmetric algorithm. Returns 0 on for an
+ unknown algorithm.
+*/
+
+/* NOTE: Marked as const function in header */
+
+uint16_t TSS_Sym_GetBlockSize(TPM_ALG_ID symmetricAlg,
+ uint16_t keySizeInBits)
+{
+ keySizeInBits = keySizeInBits;
+
+ switch (symmetricAlg) {
+#ifdef TPM_ALG_AES
+ case TPM_ALG_AES:
+#endif
+#ifdef TPM_ALG_SM4 /* Both AES and SM4 use the same block size */
+ case TPM_ALG_SM4:
+#endif
+ return 16;
+ default:
+ return 0;
+ }
+ return 0;
+}
+
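Review bot: TSS_HMAC_Verify compares the expected and computed HMAC with memcmp(), which stops at the first differing byte and so leaks the position of the mismatch through timing; a MAC check should touch every byte and OR the differences into one accumulator. In the same failure path TSS_PrintAll is called without the `if (tssVerbose)` gate that every other diagnostic in this file uses, so the computed HMAC is written to the console on every failed check. sizeInBytes is caller-supplied and is not bounded against sizeof(actual.digest) here — presumably the caller derives it from hashAlg, to confirm — so a `sizeInBytes > sizeof(actual.digest)` guard returning TSS_RC_HMAC_VERIFY would make the function safe on its own. The rewritten comparison:
```c
    if (rc == 0) {
        /* constant-time compare: visit every byte so timing does not reveal where they differ */
        const uint8_t *e = (const uint8_t *)&expect->digest;
        const uint8_t *a = (const uint8_t *)&actual.digest;
        uint8_t diff = 0;
        uint32_t i;
        for (i = 0 ; i < sizeInBytes ; i++) {
            diff |= e[i] ^ a[i];
        }
        if (diff != 0) {
            if (tssVerbose) TSS_PrintAll("TSS_HMAC_Verify: calculated HMAC", a, sizeInBytes);
            rc = TSS_RC_HMAC_VERIFY;
        }
    }
    /* … unchanged: va_end and return … */
```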
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssdev.c b/libstb/tss2/ibmtpm20tss/utils/tssdev.c
new file mode 100644
index 0000000..affd9db
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssdev.c
@@ -0,0 +1,213 @@
+/********************************************************************************/
+/* */
+/* Linux Device Transmit and Receive Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifdef TPM_POSIX
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <errno.h>
+
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+#include "tssproperties.h"
+
+#include "tssdev.h"
+
+/* local prototypes */
+
+static uint32_t TSS_Dev_Open(TSS_CONTEXT *tssContext);
+static uint32_t TSS_Dev_SendCommand(int dev_fd, const uint8_t *buffer, uint16_t length,
+ const char *message);
+static uint32_t TSS_Dev_ReceiveResponse(int dev_fd, uint8_t *buffer, uint32_t *length);
+
+/* global configuration */
+
+extern int tssVverbose;
+extern int tssVerbose;
+
+/* TSS_Dev_Transmit() transmits the command and receives the response.
+
+ Can return device transmit and receive packet errors, but normally returns the TPM response code.
+*/
+
+TPM_RC TSS_Dev_Transmit(TSS_CONTEXT *tssContext,
+ uint8_t *responseBuffer, uint32_t *read,
+ const uint8_t *commandBuffer, uint32_t written,
+ const char *message)
+{
+ TPM_RC rc = 0;
+
+ /* open on first transmit */
+ if (tssContext->tssFirstTransmit) {
+ if (rc == 0) {
+ rc = TSS_Dev_Open(tssContext);
+ }
+ if (rc == 0) {
+ tssContext->tssFirstTransmit = FALSE;
+ }
+ }
+ /* send the command to the device. Error if the device send fails. */
+ if (rc == 0) {
+ rc = TSS_Dev_SendCommand(tssContext->dev_fd, commandBuffer, written, message);
+ }
+ /* receive the response from the dev_fd. Returns dev_fd errors, malformed response errors.
+ Else returns the TPM response code. */
+ if (rc == 0) {
+ rc = TSS_Dev_ReceiveResponse(tssContext->dev_fd, responseBuffer, read);
+ }
+ return rc;
+}
+
+/* TSS_Dev_Open() opens the TPM device (through the device driver) */
+
+static uint32_t TSS_Dev_Open(TSS_CONTEXT *tssContext)
+{
+ uint32_t rc = 0;
+
+ if (rc == 0) {
+ if (tssVverbose) printf("TSS_Dev_Open: Opening %s\n", tssContext->tssDevice);
+ tssContext->dev_fd = open(tssContext->tssDevice, O_RDWR);
+ if (tssContext->dev_fd < 0) {
+ if (tssVerbose) printf("TSS_Dev_Open: Error opening %s\n", tssContext->tssDevice);
+ rc = TSS_RC_NO_CONNECTION;
+ }
+ }
+ return rc;
+}
+
+/* TSS_Dev_SendCommand() sends the TPM command buffer to the device.
+
+ Returns an error if the device write fails.
+*/
+
+static uint32_t TSS_Dev_SendCommand(int dev_fd,
+ const uint8_t *buffer, uint16_t length,
+ const char *message)
+{
+ uint32_t rc = 0;
+ int irc;
+
+ if (message != NULL) {
+ if (tssVverbose) printf("TSS_Dev_SendCommand: %s\n", message);
+ }
+ if ((rc == 0) && tssVverbose) {
+ TSS_PrintAll("TSS_Dev_SendCommand",
+ buffer, length);
+ }
+ if (rc == 0) {
+ irc = write(dev_fd, buffer, length);
+ if (irc < 0) {
+ if (tssVerbose) printf("TSS_Dev_SendCommand: write error %d %s\n",
+ errno, strerror(errno));
+ rc = TSS_RC_BAD_CONNECTION;
+ }
+ }
+ return rc;
+}
+
+/* TSS_Dev_ReceiveResponse() reads a response buffer from the device. 'buffer' must be at least
+ MAX_RESPONSE_SIZE bytes.
+
+ Returns TPM packet error code.
+
+ Validates that the packet length and the packet responseSize match
+*/
+
+static uint32_t TSS_Dev_ReceiveResponse(int dev_fd, uint8_t *buffer, uint32_t *length)
+{
+ uint32_t rc = 0;
+ int irc; /* read() return code, negative is error, positive is length */
+ uint32_t responseSize = 0; /* from TPM packet response stream */
+
+ if (tssVverbose) printf("TSS_Dev_ReceiveResponse:\n");
+ /* read the TPM device */
+ if (rc == 0) {
+ irc = read(dev_fd, buffer, MAX_RESPONSE_SIZE);
+ if (irc <= 0) {
+ rc = TSS_RC_BAD_CONNECTION;
+ if (irc < 0) {
+ if (tssVerbose) printf("TSS_Dev_ReceiveResponse: read error %d %s\n",
+ errno, strerror(errno));
+ }
+ }
+ }
+ /* read() is successful, trace the response */
+ if ((rc == 0) && tssVverbose) {
+ TSS_PrintAll("TSS_Dev_ReceiveResponse",
+ buffer, irc);
+ }
+ /* verify that there is at least a tag, responseSize, and responseCode in TPM response */
+ if (rc == 0) {
+ if ((unsigned int)irc < (sizeof(TPM_ST) + sizeof(uint32_t) + sizeof(uint32_t))) {
+ if (tssVerbose) printf("TSS_Dev_ReceiveResponse: read bytes %u < header\n", irc);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ /* get responseSize from the packet */
+ if (rc == 0) {
+ responseSize = ntohl(*(uint32_t *)(buffer + sizeof(TPM_ST)));
+ /* sanity check against the length actually received, the return code */
+ if ((uint32_t)irc != responseSize) {
+ if (tssVerbose) printf("TSS_Dev_ReceiveResponse: read bytes %u != responseSize %u\n",
+ (uint32_t)irc, responseSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+ /* if there was no lower level failure, return the TPM packet responseCode */
+ if (rc == 0) {
+ rc = ntohl(*(uint32_t *)(buffer + sizeof(TPM_ST)+ sizeof(uint32_t)));
+ }
+ *length = responseSize;
+ if (tssVverbose) printf("TSS_Dev_ReceiveResponse: rc %08x\n", rc);
+ return rc;
+}
+
+TPM_RC TSS_Dev_Close(TSS_CONTEXT *tssContext)
+{
+ if (tssVverbose) printf("TSS_Dev_Close: Closing %s\n", tssContext->tssDevice);
+ close(tssContext->dev_fd);
+ return 0;
+}
+
+#endif /* TPM_POSIX */
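Review bot: TSS_Dev_SendCommand treats any non-negative write() return as success, so a short write (irc less than length) is reported as sent and the TPM receives a truncated command; the check should be `if (irc < 0 || (size_t)irc != length) {`. The same function declares its length parameter as uint16_t while TSS_Dev_Transmit passes `written` as uint32_t, a silent narrowing — presumably harmless because commands are bounded by MAX_COMMAND_SIZE, but declaring it `uint32_t length` removes the question. In TSS_Dev_ReceiveResponse the responseSize and responseCode fields are read by casting `buffer + sizeof(TPM_ST)` to `uint32_t *`, a misaligned, type-punned access; copying the four bytes out with memcpy() into a uint32_t before ntohl() is the portable form and costs nothing.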
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssdev.h b/libstb/tss2/ibmtpm20tss/utils/tssdev.h
new file mode 100644
index 0000000..73d4bfc
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssdev.h
@@ -0,0 +1,64 @@
+/********************************************************************************/
+/* */
+/* Linux Device Transmit and Receive Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssdev.h 1015 2017-06-07 13:16:34Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is not a public header. It should not be used by applications. */
+
+#ifndef TSSDEV_H
+#define TSSDEV_H
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ TPM_RC TSS_Dev_Transmit(TSS_CONTEXT *tssContext,
+ uint8_t *responseBuffer, uint32_t *read,
+ const uint8_t *commandBuffer, uint32_t written,
+ const char *message);
+ TPM_RC TSS_Dev_Close(TSS_CONTEXT *tssContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
+
+
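Review bot: tssdev.h uses TPM_RC and TSS_CONTEXT in its two prototypes but includes only <stdint.h>, so it compiles only when the includer has already pulled those types in — tssdev.c includes <ibmtss/tssresponsecode.h> and "tssproperties.h" ahead of it, and tssdevskiboot.c repeats the same ordering. A header should be self-contained: add the include that declares TSS_CONTEXT (presumably "tssproperties.h", to confirm) and the one providing TPM_RC above the prototypes so a new includer cannot get the order wrong. The `$Id:` keyword line in the banner is dead SVN metadata that the .c files in this import no longer carry and can be dropped.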
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssdevskiboot.c b/libstb/tss2/ibmtpm20tss/utils/tssdevskiboot.c
new file mode 100644
index 0000000..24d4379
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssdevskiboot.c
@@ -0,0 +1,195 @@
+/********************************************************************************/
+/* */
+/* Skiboot Transmit and Receive Utilities */
+/* */
+/* (c) Copyright IBM Corporation 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <string.h>
+
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/Implementation.h>
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+#include <tssproperties.h>
+
+#include <tssdev.h>
+#include <tpm_chip.h>
+
+/* global configuration */
+
+extern int tssVerbose;
+extern int tssVverbose;
+
+/*
+ * TSS_Dev_Transmit() transmits the command and receives the response in
+ * skiboot.
+ * Can return device transmit and receive packet errors, but normally returns
+ * the TPM response code.
+*/
+TPM_RC TSS_Dev_Transmit(TSS_CONTEXT *tssContext,
+ uint8_t *responseBuffer, uint32_t *length,
+ const uint8_t *commandBuffer, uint32_t written,
+ const char *message)
+{
+ TPM_RC rc = 0;
+ size_t responseSize;
+
+ /* skiboot driver's transmit function expects a size_t value as buffer
+ * length instead of uint32_t used in this function header, so this
+ * variable exists just for type compatibility.
+ */
+ size_t buffer_length;
+
+ if (message != NULL) {
+ if (tssVverbose) printf("TSS_Skiboot_Transmit: %s\n", message);
+ }
+ if ((rc == 0) && tssVverbose) {
+ TSS_PrintAll("TSS_Skiboot_Transmit: Command ",
+ commandBuffer, written);
+ }
+
+ /* we don't need to open a device as it is done in user space but we
+ * need to be sure a device and the driver are available for use.
+ */
+ if (rc == 0) {
+ if (tssContext->tssFirstTransmit) {
+ tssContext->tpm_device = tpm_get_device();
+ if (tssContext->tpm_device == NULL) {
+ if (tssVerbose)
+ printf("TSS_Skiboot_Transmit: TPM device not set\n");
+ rc = TSS_RC_NO_CONNECTION;
+ }
+ if (rc == 0) {
+ tssContext->tpm_driver = tpm_get_driver();
+ if (tssContext->tpm_driver == NULL) {
+ if (tssVerbose)
+ printf("TSS_Skiboot_Transmit: TPM driver not set\n");
+ rc = TSS_RC_NO_CONNECTION;
+ }
+ }
+ }
+ }
+
+ if (rc == 0 ) {
+ tssContext->tssFirstTransmit = FALSE;
+ }
+
+ /*
+ * Let's issue compilation issue if eventually MAX_COMMAND_SIZE becomes
+ * potentially greater than MAX_RESPONSE_SIZE
+ */
+#if MAX_COMMAND_SIZE > MAX_RESPONSE_SIZE
+#error "MAX_COMMAND_SIZE cannot be greater than MAX_RESPONSE_SIZE. Potential overflow on the buffer for Command and Response"
+#endif
+ if (rc == 0) {
+ if (written > MAX_RESPONSE_SIZE) {
+ if (tssVerbose)
+ printf("TSS_Skiboot_Transmit: Response Overflow. TPM wrote %u bytes, Max response size is %u ",
+ written, MAX_RESPONSE_SIZE);
+ rc = TSS_RC_BAD_CONNECTION;
+ }
+ }
+
+ /*
+ * the buffer used to send the command will be overwritten and store the
+ * response data after TPM execution. So here we copy the contents of
+ * commandBuffer to responseBuffer, using the latter to perform the
+ * operation and storing the response and keeping the former safe.
+ */
+ if (rc == 0) {
+ /*
+ * skiboot driver checks for overflow, so we need to share the
+ * max response size to length. In the response length will
+ * contain the length of the response buffer.
+ */
+ buffer_length = MAX_RESPONSE_SIZE;
+
+ memcpy(responseBuffer, commandBuffer, written);
+ rc = tssContext->tpm_driver->transmit(tssContext->tpm_device,
+ responseBuffer, written, &buffer_length);
+ /* now that we have buffer length set we save it to length so it
+ * can be used by the callers
+ */
+ *length = buffer_length;
+
+ if (rc != 0) {
+ if (tssVerbose)
+ printf("TSS_Skiboot_Transmit: receive error %u\n", rc);
+ rc = TSS_RC_BAD_CONNECTION;
+ }
+ }
+
+ if (rc == 0) {
+ if (tssVverbose)
+ TSS_PrintAll("TSS_Skiboot_Transmit: Response", responseBuffer, *length);
+
+ /* verify that there is at least a tag, responseSize, and responseCode */
+ if (*length < (sizeof(TPM_ST) + (2 * sizeof(uint32_t)))) {
+ if (tssVerbose)
+ printf("TSS_Skiboot_Transmit: received %u bytes < header\n", *length);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+
+ /*
+ * length and the response size in the response body should match. Check
+ * it here.
+ */
+ if (rc == 0) {
+ responseSize = ntohl(*(uint32_t *)(responseBuffer + sizeof(TPM_ST)));
+ if (responseSize != *length) {
+ if (tssVerbose)
+ printf("TSS_Skiboot_Transmit: Bytes read (%u) and Buffer responseSize field (%lu) don't match\n",
+ *length, responseSize);
+ rc = TSS_RC_MALFORMED_RESPONSE;
+ }
+ }
+
+ /*
+ * Now we need to get the actual return code from the response buffer
+ * and deliver it to the upper layers
+ */
+ if (rc == 0)
+ rc = ntohl(*(uint32_t *)(responseBuffer + sizeof(TPM_ST) + sizeof(uint32_t)));
+
+ if (tssVverbose)
+ printf("TSS_Skiboot_Transmit: Response Code: %08x", rc);
+
+ return rc;
+}
+
+TPM_RC TSS_Dev_Close(TSS_CONTEXT *tssContext)
+{
+ tssContext = tssContext;
+ return 0;
+}
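Review bot: TSS_Dev_Transmit hands the driver `buffer_length = MAX_RESPONSE_SIZE` as the capacity of responseBuffer and copies the command into the same buffer, so the caller must supply at least MAX_RESPONSE_SIZE bytes, yet the function comment says nothing about it — the POSIX counterpart in tssdev.c documents the same contract on TSS_Dev_ReceiveResponse. Add to the header comment: `responseBuffer must be at least MAX_RESPONSE_SIZE bytes; the command is copied into it and the driver writes the response in place.` The diagnostic at the `written > MAX_RESPONSE_SIZE` check reads "Response Overflow. TPM wrote %u bytes" although it is the outgoing command length being rejected; `"TSS_Skiboot_Transmit: command length %u exceeds buffer size %u\n"` says what actually happened. The final "Response Code: %08x" trace is also missing its trailing newline, so it runs into whatever the next caller prints.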
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssfile.c b/libstb/tss2/ibmtpm20tss/utils/tssfile.c
new file mode 100644
index 0000000..3c200d5
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssfile.c
@@ -0,0 +1,321 @@
+/********************************************************************************/
+/* */
+/* TSS and Application File Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+#include <ibmtss/tssfile.h>
+
+extern int tssVerbose;
+extern int tssVverbose;
+
+/* TSS_File_Open() opens the 'filename' for 'mode'
+ */
+
+int TSS_File_Open(FILE **file,
+ const char *filename,
+ const char* mode)
+{
+ int rc = 0;
+
+ if (rc == 0) {
+ *file = fopen(filename, mode);
+ if (*file == NULL) {
+ if (tssVerbose) printf("TSS_File_Open: Error opening %s for %s, %s\n",
+ filename, mode, strerror(errno));
+ rc = TSS_RC_FILE_OPEN;
+ }
+ }
+ return rc;
+}
+
+/* TSS_File_ReadBinaryFile() reads 'filename'. The results are put into 'data', which must be freed
+ by the caller. 'length' indicates the number of bytes read.
+
+*/
+
+TPM_RC TSS_File_ReadBinaryFile(unsigned char **data, /* must be freed by caller */
+ size_t *length,
+ const char *filename)
+{
+ int rc = 0;
+ long lrc;
+ size_t src;
+ int irc;
+ FILE *file = NULL;
+
+ *data = NULL;
+ *length = 0;
+ /* open the file */
+ if (rc == 0) {
+ rc = TSS_File_Open(&file, filename, "rb"); /* closed @1 */
+ }
+ /* determine the file length */
+ if (rc == 0) {
+ irc = fseek(file, 0L, SEEK_END); /* seek to end of file */
+ if (irc == -1L) {
+ if (tssVerbose) printf("TSS_File_ReadBinaryFile: Error seeking to end of %s\n",
+ filename);
+ rc = TSS_RC_FILE_SEEK;
+ }
+ }
+ if (rc == 0) {
+ lrc = ftell(file); /* get position in the stream */
+ if (lrc == -1L) {
+ if (tssVerbose) printf("TSS_File_ReadBinaryFile: Error ftell'ing %s\n", filename);
+ rc = TSS_RC_FILE_FTELL;
+ }
+ else {
+ *length = (size_t)lrc; /* save the length */
+ }
+ }
+ if (rc == 0) {
+ irc = fseek(file, 0L, SEEK_SET); /* seek back to the beginning of the file */
+ if (irc == -1L) {
+ if (tssVerbose) printf("TSS_File_ReadBinaryFile: Error seeking to beginning of %s\n",
+ filename);
+ rc = TSS_RC_FILE_SEEK;
+ }
+ }
+ /* allocate a buffer for the actual data */
+ if ((rc == 0) && (*length != 0)) {
+ rc = TSS_Malloc(data, *length);
+ }
+ /* read the contents of the file into the data buffer */
+ if ((rc == 0) && *length != 0) {
+ src = fread(*data, 1, *length, file);
+ if (src != *length) {
+ if (tssVerbose)
+ printf("TSS_File_ReadBinaryFile: Error reading %s, %u bytes, got %lu\n",
+ filename, (unsigned int)*length, (unsigned long)src);
+ rc = TSS_RC_FILE_READ;
+ }
+ }
+ if (file != NULL) {
+ irc = fclose(file); /* @1 */
+ if (irc != 0) {
+ if (tssVerbose) printf("TSS_File_ReadBinaryFile: Error closing %s\n",
+ filename);
+ rc = TSS_RC_FILE_CLOSE;
+ }
+ }
+ if (rc != 0) {
+ if (tssVerbose) printf("TSS_File_ReadBinaryFile: Error reading %s\n", filename);
+ free(*data);
+ *data = NULL;
+ }
+ return rc;
+}
+
+/* TSS_File_WriteBinaryFile() writes 'data' of 'length' to 'filename'
+ */
+
+TPM_RC TSS_File_WriteBinaryFile(const unsigned char *data,
+ size_t length,
+ const char *filename)
+{
+ long rc = 0;
+ size_t src;
+ int irc;
+ FILE *file = NULL;
+
+ /* open the file */
+ if (rc == 0) {
+ rc = TSS_File_Open(&file, filename, "wb"); /* closed @1 */
+ }
+ /* write the contents of the data buffer into the file */
+ if (rc == 0) {
+ src = fwrite(data, 1, length, file);
+ if (src != length) {
+ if (tssVerbose)
+ printf("TSS_File_WriteBinaryFile: Error writing %s, %lu bytes, got %lu\n",
+ filename, (unsigned long)length, (unsigned long)src);
+ rc = TSS_RC_FILE_WRITE;
+ }
+ }
+ if (file != NULL) {
+ irc = fclose(file); /* @1 */
+ if (irc != 0) {
+ if (tssVerbose) printf("TSS_File_WriteBinaryFile: Error closing %s\n",
+ filename);
+ rc = TSS_RC_FILE_CLOSE;
+ }
+ }
+ return rc;
+}
+
+/* TSS_File_ReadStructure() is a general purpose "read a structure" function.
+
+ It reads the filename, and then unmarshals the structure using "unmarshalFunction".
+*/
+
+TPM_RC TSS_File_ReadStructure(void *structure,
+ UnmarshalFunction_t unmarshalFunction,
+ const char *filename)
+{
+ TPM_RC rc = 0;
+ uint8_t *buffer = NULL; /* for the free */
+ uint8_t *buffer1 = NULL; /* for unmarshaling */
+ size_t length = 0;
+
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ filename);
+ }
+ if (rc == 0) {
+ uint32_t ilength = length;
+ buffer1 = buffer;
+ rc = unmarshalFunction(structure, &buffer1, &ilength);
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+/* TSS_File_ReadStructureFlag() is a general purpose "read a structure" function.
+
+ It reads the filename, and then unmarshals the structure using "unmarshalFunction".
+
+ It is similar to TSS_File_ReadStructure() but is used when the structure unmarshal function
+ requires the allowNull flag.
+*/
+
+TPM_RC TSS_File_ReadStructureFlag(void *structure,
+ UnmarshalFunctionFlag_t unmarshalFunction,
+ BOOL allowNull,
+ const char *filename)
+{
+ TPM_RC rc = 0;
+ uint8_t *buffer = NULL; /* for the free */
+ uint8_t *buffer1 = NULL; /* for unmarshaling */
+ size_t length = 0;
+
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ filename);
+ }
+ if (rc == 0) {
+ uint32_t ilength = length;
+ buffer1 = buffer;
+ rc = unmarshalFunction(structure, &buffer1, &ilength, allowNull);
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+/* TSS_File_WriteStructure() is a general purpose "write a structure" function.
+
+ It marshals the structure using "marshalFunction", and then writes it to filename.
+*/
+
+TPM_RC TSS_File_WriteStructure(void *structure,
+ MarshalFunction_t marshalFunction,
+ const char *filename)
+{
+ TPM_RC rc = 0;
+ uint16_t written = 0;
+ uint8_t *buffer = NULL; /* for the free */
+
+ if (rc == 0) {
+ rc = TSS_Structure_Marshal(&buffer, /* freed @1 */
+ &written,
+ structure,
+ marshalFunction);
+ }
+ if (rc == 0) {
+ rc = TSS_File_WriteBinaryFile(buffer,
+ written,
+ filename);
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+/* TSS_File_Read2B() reads 'filename' and copies the data to 'tpm2b', checking targetSize
+
+ */
+
+TPM_RC TSS_File_Read2B(TPM2B *tpm2b,
+ uint16_t targetSize,
+ const char *filename)
+{
+ TPM_RC rc = 0;
+ uint8_t *buffer = NULL;
+ size_t length = 0;
+
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @1 */
+ &length,
+ filename);
+ }
+ if (rc == 0) {
+ if (length > 0xffff) { /* overflow TPM2B uint16_t */
+ if (tssVerbose) printf("TSS_File_Read2B: size %u greater than 0xffff\n",
+ (unsigned int)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ /* copy it into the TPM2B */
+ if (rc == 0) {
+ rc = TSS_TPM2B_Create(tpm2b, buffer, (uint16_t)length, targetSize);
+ }
+ free(buffer); /* @1 */
+ return rc;
+}
+
+/* FIXME need to add - ignore failure if does not exist */
+
+TPM_RC TSS_File_DeleteFile(const char *filename)
+{
+ TPM_RC rc = 0;
+ int irc;
+
+ if (rc == 0) {
+ irc = remove(filename);
+ if (irc != 0) {
+ rc = TSS_RC_FILE_REMOVE;
+ }
+ }
+ return rc;
+}
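Review bot: TSS_File_ReadStructure and TSS_File_ReadStructureFlag never check that the unmarshal consumed the whole file, so a file carrying trailing bytes after a well-formed structure is accepted silently; unless a caller deliberately relies on concatenated files (none is visible here), `ilength` should be required to be 0 after `unmarshalFunction` returns, otherwise fail with `TSS_RC_FILE_READ` (or a dedicated code). The narrowing `uint32_t ilength = length;` also discards the upper bits of a `size_t` on LP64 without a check, whereas TSS_File_Read2B in the same hunk bounds its length before casting — an explicit cast plus a `length > UINT32_MAX` rejection would make that consistent. The rewrite below shows TSS_File_ReadStructure; the same two lines apply to the Flag variant. Separately, TSS_File_WriteBinaryFile creates files with `fopen(filename, "wb")` and thus the process umask; if any caller writes key or session material through this path (not visible in this hunk), creating the file with `open(..., O_WRONLY|O_CREAT|O_TRUNC, 0600)` and `fdopen()` would avoid leaving it world-readable by default.
```c
TPM_RC TSS_File_ReadStructure(void *structure,
			      UnmarshalFunction_t unmarshalFunction,
			      const char *filename)
{
    TPM_RC rc = 0;
    uint8_t *buffer = NULL;	/* for the free */
    uint8_t *buffer1 = NULL;	/* for unmarshaling */
    size_t length = 0;
    uint32_t ilength = 0;	/* bytes left unconsumed by the unmarshal; must end at 0 */

    /* … unchanged: TSS_File_ReadBinaryFile call … */
    if (rc == 0) {
	ilength = (uint32_t)length;	/* length already bounded by the caller-side read */
	buffer1 = buffer;
	rc = unmarshalFunction(structure, &buffer1, &ilength);
    }
    /* a structure file must be consumed exactly; trailing bytes mean a corrupt or wrong file */
    if ((rc == 0) && (ilength != 0)) {
	if (tssVerbose) printf("TSS_File_ReadStructure: %u trailing bytes in %s\n",
			       (unsigned int)ilength, filename);
	rc = TSS_RC_FILE_READ;
    }
    free(buffer);	/* @1 */
    return rc;
}
```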
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssmarshal.c b/libstb/tss2/ibmtpm20tss/utils/tssmarshal.c
new file mode 100644
index 0000000..957a1ac
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssmarshal.c
@@ -0,0 +1,7768 @@
+/********************************************************************************/
+/* */
+/* TSS Marshal and Unmarshal */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <string.h>
+
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+/* This file holds:
+
+ ---------------------------------------
+
+ Recommended functions - with an unsigned size
+
+ * Primary marshal functions TSS_primary_Marshalu
+ * Primary unmarshal functions TSS_primary_Unmarshalu in Unmarshal.c
+ * TPM 2.0 structure marshal functions TSS_structure_Marshalu
+ * TPM 2.0 structure unmarshal functions TSS_structure_Unmarshalu in Unmarshal.c
+ * TPM 2.0 command marshal functions TSS_command_In_Marshalu
+ TPM 2.0 command unmarshal functions command_In_Unmarshal
+ * TPM 2.0 response unmarshal functions TSS_response_Out_Unmarshalu
+
+ ---------------------------------------
+
+ Deprecated functions - with a signed size
+
+ * Primary marshal functions TSS_primary_Marshal
+ * Primary unmarshal functions primary_Unmarshal in Unmarshal.c
+ * TPM 2.0 structure marshal functions TSS_structure_Marshal
+ * TPM 2.0 structure unmarshal functions structure_Unmarshal in Unmarshal.c
+ * TPM 2.0 command marshal functions TSS_command_In_Marshal
+ * TPM 2.0 response unmarshal functions TSS_response_Out_Unmarshal
+
+ * are exposed in /tss2/
+*/
+
+/* The marshaling function prototype pattern is:
+
+ Return:
+
+ An extra return code, TSS_RC_INSUFFICIENT_BUFFER, indicates that the supplied buffer size is too
+ small. The TPM functions assert.
+
+ 'source' is the structure to be marshaled.
+ 'written' is the __additional__ number of bytes written.
+ 'buffer' is the buffer written.
+ ' size' is the remaining size of the buffer.
+
+ If 'buffer' is NULL, 'written' is updated but no marshaling is performed. This is used in a two
+ pass pattern, where the first pass returns the size of the buffer to be malloc'ed.
+
+ If 'size' is NULL, the source is marshaled without a size check. The caller must ensure that
+ the buffer is sufficient, often due to a malloc after the first pass. */
+
+/* Marshal functions shared by TPM 1.2 and TPM 2.0 */
+
+/* The functions with the _Marshalu suffix are preferred. They use an unsigned size. The functions
+ with _Marshalu are deprecated. */
+
+TPM_RC
+TSS_UINT8_Marshalu(const UINT8 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (buffer != NULL) { /* if buffer is NULL, don't marshal, just return written */
+ /* if size is NULL, ignore it, else check sufficient */
+ if ((size == NULL) || (*size >= sizeof(UINT8))) {
+ /* marshal, move the buffer */
+ (*buffer)[0] = *source;
+ *buffer += sizeof(UINT8);
+ /* is size was supplied, update it */
+ if (size != NULL) {
+ *size -= sizeof(UINT8);
+ }
+ }
+ else {
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ *written += sizeof(UINT8);
+ return rc;
+}
+
+TPM_RC
+TSS_INT8_Marshalu(const INT8 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ rc = TSS_UINT8_Marshalu((const UINT8 *)source, written, buffer, size);
+ return rc;
+}
+
+TPM_RC
+TSS_UINT16_Marshalu(const UINT16 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (buffer != NULL) {
+ if ((size == NULL) || (*size >= sizeof(uint16_t))) {
+
+ (*buffer)[0] = (BYTE)((*source >> 8) & 0xff);
+ (*buffer)[1] = (BYTE)((*source >> 0) & 0xff);
+ *buffer += sizeof(uint16_t);
+
+ if (size != NULL) {
+ *size -= sizeof(uint16_t);
+ }
+ }
+ else {
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ *written += sizeof(uint16_t);
+ return rc;
+}
+
+TPM_RC
+TSS_UINT32_Marshalu(const UINT32 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (buffer != NULL) {
+ if ((size == NULL) || (*size >= sizeof(uint32_t))) {
+
+ (*buffer)[0] = (BYTE)((*source >> 24) & 0xff);
+ (*buffer)[1] = (BYTE)((*source >> 16) & 0xff);
+ (*buffer)[2] = (BYTE)((*source >> 8) & 0xff);
+ (*buffer)[3] = (BYTE)((*source >> 0) & 0xff);
+ *buffer += sizeof(uint32_t);
+
+ if (size != NULL) {
+ *size -= sizeof(uint32_t);
+ }
+ }
+ else {
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ *written += sizeof(uint32_t);
+ return rc;
+}
+
+TPM_RC
+TSS_INT32_Marshalu(const INT32 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ rc = TSS_UINT32_Marshalu((const UINT32 *)source, written, buffer, size);
+ return rc;
+}
+
+TPM_RC
+TSS_UINT64_Marshalu(const UINT64 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (buffer != NULL) {
+ if ((size == NULL) || (*size >= sizeof(UINT64))) {
+
+ (*buffer)[0] = (BYTE)((*source >> 56) & 0xff);
+ (*buffer)[1] = (BYTE)((*source >> 48) & 0xff);
+ (*buffer)[2] = (BYTE)((*source >> 40) & 0xff);
+ (*buffer)[3] = (BYTE)((*source >> 32) & 0xff);
+ (*buffer)[4] = (BYTE)((*source >> 24) & 0xff);
+ (*buffer)[5] = (BYTE)((*source >> 16) & 0xff);
+ (*buffer)[6] = (BYTE)((*source >> 8) & 0xff);
+ (*buffer)[7] = (BYTE)((*source >> 0) & 0xff);
+ *buffer += sizeof(UINT64);
+
+ if (size != NULL) {
+ *size -= sizeof(UINT64);
+ }
+ }
+ else {
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ *written += sizeof(UINT64);
+ return rc;
+}
+
+TPM_RC
+TSS_Array_Marshalu(const BYTE *source, uint16_t sourceSize, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (buffer != NULL) {
+ if ((size == NULL) || (*size >= sourceSize)) {
+ memcpy(*buffer, source, sourceSize);
+
+ *buffer += sourceSize;
+
+ if (size != NULL) {
+ *size -= sourceSize;
+ }
+ }
+ else {
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ *written += sourceSize;
+ return rc;
+}
+
+
+#ifdef TPM_TPM20
+
+/*
+ TPM 2.0 Command parameter marshaling
+*/
+
+TPM_RC
+TSS_Startup_In_Marshalu(const Startup_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_SU_Marshalu(&source->startupType, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Shutdown_In_Marshalu(const Shutdown_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_SU_Marshalu(&source->shutdownType, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_SelfTest_In_Marshalu(const SelfTest_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_YES_NO_Marshalu(&source->fullTest, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_IncrementalSelfTest_In_Marshalu(const IncrementalSelfTest_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPML_ALG_Marshalu(&source->toTest, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_StartAuthSession_In_Marshalu(const StartAuthSession_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->tpmKey, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_ENTITY_Marshalu(&source->bind, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Marshalu(&source->nonceCaller, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ENCRYPTED_SECRET_Marshalu(&source->encryptedSalt, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_SE_Marshalu(&source->sessionType, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SYM_DEF_Marshalu(&source->symmetric, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->authHash, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyRestart_In_Marshalu(const PolicyRestart_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->sessionHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Create_In_Marshalu(const Create_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->parentHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_SENSITIVE_CREATE_Marshalu(&source->inSensitive, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_PUBLIC_Marshalu(&source->inPublic, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->outsideInfo, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_PCR_SELECTION_Marshalu(&source->creationPCR, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Load_In_Marshalu(const Load_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->parentHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_PRIVATE_Marshalu(&source->inPrivate, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_PUBLIC_Marshalu(&source->inPublic, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_LoadExternal_In_Marshalu(const LoadExternal_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ /* optional parameter, use size as flag */
+ if (source->inPrivate.b.size == 0) { /* not present */
+ uint16_t zero = 0;
+ rc = TSS_UINT16_Marshalu(&zero, written, buffer, size);
+ }
+ else {
+ rc = TSS_TPM2B_SENSITIVE_Marshalu(&source->inPrivate, written, buffer, size);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_PUBLIC_Marshalu(&source->inPublic, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_Marshalu(&source->hierarchy, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ReadPublic_In_Marshalu(const ReadPublic_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->objectHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ActivateCredential_In_Marshalu(const ActivateCredential_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->activateHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ID_OBJECT_Marshalu(&source->credentialBlob, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ENCRYPTED_SECRET_Marshalu(&source->secret, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_MakeCredential_In_Marshalu(const MakeCredential_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->handle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->credential, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->objectName, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Unseal_In_Marshalu(const Unseal_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->itemHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ObjectChangeAuth_In_Marshalu(const ObjectChangeAuth_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->objectHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->parentHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_AUTH_Marshalu(&source->newAuth, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_CreateLoaded_In_Marshalu(const CreateLoaded_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->parentHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_SENSITIVE_CREATE_Marshalu(&source->inSensitive, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_TEMPLATE_Marshalu(&source->inPublic, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Duplicate_In_Marshalu(const Duplicate_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->objectHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->newParentHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->encryptionKeyIn, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SYM_DEF_OBJECT_Marshalu(&source->symmetricAlg, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Rewrap_In_Marshalu(const Rewrap_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->oldParent, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->newParent, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_PRIVATE_Marshalu(&source->inDuplicate, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->name, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ENCRYPTED_SECRET_Marshalu(&source->inSymSeed, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Import_In_Marshalu(const Import_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->parentHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->encryptionKey, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_PUBLIC_Marshalu(&source->objectPublic, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_PRIVATE_Marshalu(&source->duplicate, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ENCRYPTED_SECRET_Marshalu(&source->inSymSeed, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SYM_DEF_OBJECT_Marshalu(&source->symmetricAlg, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_RSA_Encrypt_In_Marshalu(const RSA_Encrypt_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_PUBLIC_KEY_RSA_Marshalu(&source->message, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_RSA_DECRYPT_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->label, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_RSA_Decrypt_In_Marshalu(const RSA_Decrypt_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_PUBLIC_KEY_RSA_Marshalu(&source->cipherText, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_RSA_DECRYPT_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->label, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ECDH_KeyGen_In_Marshalu(const ECDH_KeyGen_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ECDH_ZGen_In_Marshalu(const ECDH_ZGen_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_POINT_Marshalu(&source->inPoint, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ECC_Parameters_In_Marshalu(const ECC_Parameters_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ECC_CURVE_Marshalu(&source->curveID, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ZGen_2Phase_In_Marshalu(const ZGen_2Phase_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->keyA, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_POINT_Marshalu(&source->inQsB, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_POINT_Marshalu(&source->inQeB, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ECC_KEY_EXCHANGE_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->counter, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_EncryptDecrypt_In_Marshalu(const EncryptDecrypt_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_YES_NO_Marshalu(&source->decrypt, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_CIPHER_MODE_Marshalu(&source->mode, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_IV_Marshalu(&source->ivIn, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_MAX_BUFFER_Marshalu(&source->inData, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_EncryptDecrypt2_In_Marshalu(const EncryptDecrypt2_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_MAX_BUFFER_Marshalu(&source->inData, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_YES_NO_Marshalu(&source->decrypt, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_CIPHER_MODE_Marshalu(&source->mode, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_IV_Marshalu(&source->ivIn, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Hash_In_Marshalu(const Hash_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_MAX_BUFFER_Marshalu(&source->data, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hashAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_Marshalu(&source->hierarchy, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_HMAC_In_Marshalu(const HMAC_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->handle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_MAX_BUFFER_Marshalu(&source->buffer, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hashAlg, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_GetRandom_In_Marshalu(const GetRandom_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->bytesRequested, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_StirRandom_In_Marshalu(const StirRandom_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_SENSITIVE_DATA_Marshalu(&source->inData, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_HMAC_Start_In_Marshalu(const HMAC_Start_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->handle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_AUTH_Marshalu(&source->auth, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hashAlg, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_HashSequenceStart_In_Marshalu(const HashSequenceStart_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_AUTH_Marshalu(&source->auth, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hashAlg, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_SequenceUpdate_In_Marshalu(const SequenceUpdate_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->sequenceHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_MAX_BUFFER_Marshalu(&source->buffer, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_SequenceComplete_In_Marshalu(const SequenceComplete_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->sequenceHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_MAX_BUFFER_Marshalu(&source->buffer, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_Marshalu(&source->hierarchy, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_EventSequenceComplete_In_Marshalu(const EventSequenceComplete_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_PCR_Marshalu(&source->pcrHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->sequenceHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_MAX_BUFFER_Marshalu(&source->buffer, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Certify_In_Marshalu(const Certify_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->objectHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->signHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->qualifyingData, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SIG_SCHEME_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_CertifyCreation_In_Marshalu(const CertifyCreation_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->signHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->objectHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->qualifyingData, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->creationHash, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SIG_SCHEME_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_TK_CREATION_Marshalu(&source->creationTicket, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_CertifyX509_In_Marshalu(const CertifyX509_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->objectHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->signHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->reserved, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SIG_SCHEME_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_MAX_BUFFER_Marshalu(&source->partialCertificate, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Quote_In_Marshalu(const Quote_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->signHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->qualifyingData, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SIG_SCHEME_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_PCR_SELECTION_Marshalu(&source->PCRselect, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_GetSessionAuditDigest_In_Marshalu(const GetSessionAuditDigest_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_ENDORSEMENT_Marshalu(&source->privacyAdminHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->signHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_HMAC_Marshalu(&source->sessionHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->qualifyingData, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SIG_SCHEME_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_GetCommandAuditDigest_In_Marshalu(const GetCommandAuditDigest_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_ENDORSEMENT_Marshalu(&source->privacyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->signHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->qualifyingData, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SIG_SCHEME_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_GetTime_In_Marshalu(const GetTime_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_ENDORSEMENT_Marshalu(&source->privacyAdminHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->signHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->qualifyingData, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SIG_SCHEME_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Commit_In_Marshalu(const Commit_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->signHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_POINT_Marshalu(&source->P1, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_SENSITIVE_DATA_Marshalu(&source->s2, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->y2, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_EC_Ephemeral_In_Marshalu(const EC_Ephemeral_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ECC_CURVE_Marshalu(&source->curveID, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_VerifySignature_In_Marshalu(const VerifySignature_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->digest, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SIGNATURE_Marshalu(&source->signature, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Sign_In_Marshalu(const Sign_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->digest, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SIG_SCHEME_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_TK_HASHCHECK_Marshalu(&source->validation, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_SetCommandCodeAuditStatus_In_Marshalu(const SetCommandCodeAuditStatus_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PROVISION_Marshalu(&source->auth, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->auditAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_CC_Marshalu(&source->setList, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_CC_Marshalu(&source->clearList, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PCR_Extend_In_Marshalu(const PCR_Extend_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_PCR_Marshalu(&source->pcrHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_DIGEST_VALUES_Marshalu(&source->digests, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PCR_Event_In_Marshalu(const PCR_Event_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_PCR_Marshalu(&source->pcrHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_EVENT_Marshalu(&source->eventData, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PCR_Read_In_Marshalu(const PCR_Read_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPML_PCR_SELECTION_Marshalu(&source->pcrSelectionIn, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PCR_Allocate_In_Marshalu(const PCR_Allocate_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PLATFORM_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_PCR_SELECTION_Marshalu(&source->pcrAllocation, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PCR_SetAuthPolicy_In_Marshalu(const PCR_SetAuthPolicy_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PLATFORM_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->authPolicy, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hashAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_PCR_Marshalu(&source->pcrNum, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PCR_SetAuthValue_In_Marshalu(const PCR_SetAuthValue_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_PCR_Marshalu(&source->pcrHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->auth, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PCR_Reset_In_Marshalu(const PCR_Reset_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_PCR_Marshalu(&source->pcrHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicySigned_In_Marshalu(const PolicySigned_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->authObject, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Marshalu(&source->nonceTPM, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->cpHashA, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Marshalu(&source->policyRef, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_INT32_Marshalu(&source->expiration, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SIGNATURE_Marshalu(&source->auth, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicySecret_In_Marshalu(const PolicySecret_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_ENTITY_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Marshalu(&source->nonceTPM, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->cpHashA, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Marshalu(&source->policyRef, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_INT32_Marshalu(&source->expiration, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyTicket_In_Marshalu(const PolicyTicket_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_TIMEOUT_Marshalu(&source->timeout, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->cpHashA, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Marshalu(&source->policyRef, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->authName, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_TK_AUTH_Marshalu(&source->ticket, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyOR_In_Marshalu(const PolicyOR_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_DIGEST_Marshalu(&source->pHashList, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyPCR_In_Marshalu(const PolicyPCR_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->pcrDigest, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_PCR_SELECTION_Marshalu(&source->pcrs, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyLocality_In_Marshalu(const PolicyLocality_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMA_LOCALITY_Marshalu(&source->locality, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyNV_In_Marshalu(const PolicyNV_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_AUTH_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_OPERAND_Marshalu(&source->operandB, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->offset, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_EO_Marshalu(&source->operation, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyCounterTimer_In_Marshalu(const PolicyCounterTimer_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_OPERAND_Marshalu(&source->operandB, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->offset, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_EO_Marshalu(&source->operation, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyCommandCode_In_Marshalu(const PolicyCommandCode_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_CC_Marshalu(&source->code, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyPhysicalPresence_In_Marshalu(const PolicyPhysicalPresence_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyCpHash_In_Marshalu(const PolicyCpHash_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->cpHashA, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyNameHash_In_Marshalu(const PolicyNameHash_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->nameHash, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyDuplicationSelect_In_Marshalu(const PolicyDuplicationSelect_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->objectName, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->newParentName, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_YES_NO_Marshalu(&source->includeObject, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyAuthorize_In_Marshalu(const PolicyAuthorize_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->approvedPolicy, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Marshalu(&source->policyRef, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->keySign, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_TK_VERIFIED_Marshalu(&source->checkTicket, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyAuthValue_In_Marshalu(const PolicyAuthValue_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyPassword_In_Marshalu(const PolicyPassword_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyGetDigest_In_Marshalu(const PolicyGetDigest_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyNvWritten_In_Marshalu(const PolicyNvWritten_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_YES_NO_Marshalu(&source->writtenSet, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyTemplate_In_Marshalu(const PolicyTemplate_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->templateHash, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyAuthorizeNV_In_Marshalu(const PolicyAuthorizeNV_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_AUTH_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_POLICY_Marshalu(&source->policySession, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_CreatePrimary_In_Marshalu(const CreatePrimary_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_Marshalu(&source->primaryHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_SENSITIVE_CREATE_Marshalu(&source->inSensitive, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_PUBLIC_Marshalu(&source->inPublic, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->outsideInfo, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_PCR_SELECTION_Marshalu(&source->creationPCR, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_HierarchyControl_In_Marshalu(const HierarchyControl_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_ENABLES_Marshalu(&source->enable, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_YES_NO_Marshalu(&source->state, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_SetPrimaryPolicy_In_Marshalu(const SetPrimaryPolicy_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_POLICY_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->authPolicy, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hashAlg, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ChangePPS_In_Marshalu(const ChangePPS_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PLATFORM_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ChangeEPS_In_Marshalu(const ChangeEPS_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PLATFORM_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Clear_In_Marshalu(const Clear_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_CLEAR_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ClearControl_In_Marshalu(const ClearControl_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_CLEAR_Marshalu(&source->auth, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_YES_NO_Marshalu(&source->disable, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_HierarchyChangeAuth_In_Marshalu(const HierarchyChangeAuth_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_AUTH_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_AUTH_Marshalu(&source->newAuth, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_DictionaryAttackLockReset_In_Marshalu(const DictionaryAttackLockReset_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_LOCKOUT_Marshalu(&source->lockHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_DictionaryAttackParameters_In_Marshalu(const DictionaryAttackParameters_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_LOCKOUT_Marshalu(&source->lockHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->newMaxTries, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->newRecoveryTime, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->lockoutRecovery, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PP_Commands_In_Marshalu(const PP_Commands_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PLATFORM_Marshalu(&source->auth, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_CC_Marshalu(&source->setList, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPML_CC_Marshalu(&source->clearList, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_SetAlgorithmSet_In_Marshalu(const SetAlgorithmSet_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PLATFORM_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->algorithmSet, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ContextSave_In_Marshalu(const ContextSave_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_CONTEXT_Marshalu(&source->saveHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ContextLoad_In_Marshalu(const ContextLoad_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_CONTEXT_Marshalu(&source->context, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_FlushContext_In_Marshalu(const FlushContext_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_CONTEXT_Marshalu(&source->flushHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_EvictControl_In_Marshalu(const EvictControl_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PROVISION_Marshalu(&source->auth, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->objectHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_PERSISTENT_Marshalu(&source->persistentHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ClockSet_In_Marshalu(const ClockSet_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PROVISION_Marshalu(&source->auth, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT64_Marshalu(&source->newTime, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ClockRateAdjust_In_Marshalu(const ClockRateAdjust_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PROVISION_Marshalu(&source->auth, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_CLOCK_ADJUST_Marshalu(&source->rateAdjust, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_GetCapability_In_Marshalu(const GetCapability_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_CAP_Marshalu(&source->capability, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->property, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->propertyCount, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_TestParms_In_Marshalu(const TestParms_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMT_PUBLIC_PARMS_Marshalu(&source->parameters, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_DefineSpace_In_Marshalu(const NV_DefineSpace_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PROVISION_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_AUTH_Marshalu(&source->auth, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NV_PUBLIC_Marshalu(&source->publicInfo, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_UndefineSpace_In_Marshalu(const NV_UndefineSpace_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PROVISION_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_UndefineSpaceSpecial_In_Marshalu(const NV_UndefineSpaceSpecial_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PLATFORM_Marshalu(&source->platform, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_ReadPublic_In_Marshalu(const NV_ReadPublic_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_Write_In_Marshalu(const NV_Write_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_AUTH_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_MAX_NV_BUFFER_Marshalu(&source->data, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->offset, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_Increment_In_Marshalu(const NV_Increment_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_AUTH_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_Extend_In_Marshalu(const NV_Extend_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_AUTH_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_MAX_NV_BUFFER_Marshalu(&source->data, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_SetBits_In_Marshalu(const NV_SetBits_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_AUTH_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT64_Marshalu(&source->bits, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_WriteLock_In_Marshalu(const NV_WriteLock_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_AUTH_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_GlobalWriteLock_In_Marshalu(const NV_GlobalWriteLock_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_PROVISION_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_Read_In_Marshalu(const NV_Read_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_AUTH_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->size, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->offset, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_ReadLock_In_Marshalu(const NV_ReadLock_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_AUTH_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_ChangeAuth_In_Marshalu(const NV_ChangeAuth_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_AUTH_Marshalu(&source->newAuth, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_Certify_In_Marshalu(const NV_Certify_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_OBJECT_Marshalu(&source->signHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_AUTH_Marshalu(&source->authHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->qualifyingData, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SIG_SCHEME_Marshalu(&source->inScheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->size, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->offset, written, buffer, size);
+ }
+ return rc;
+}
+
+/*
+ TPM 2.0 Response parameter unmarshaling
+*/
+
+TPM_RC
+TSS_IncrementalSelfTest_Out_Unmarshalu(IncrementalSelfTest_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_ALG_Unmarshalu(&target->toDoList, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_GetTestResult_Out_Unmarshalu(GetTestResult_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ uint32_t parameterSize;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_BUFFER_Unmarshalu(&target->outData, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_RC_Unmarshalu(&target->testResult, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_StartAuthSession_Out_Unmarshalu(StartAuthSession_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_SH_AUTH_SESSION_Unmarshalu(&target->sessionHandle, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NONCE_Unmarshalu(&target->nonceTPM, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Create_Out_Unmarshalu(Create_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PRIVATE_Unmarshalu(&target->outPrivate, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_Unmarshalu(&target->outPublic, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_CREATION_DATA_Unmarshalu(&target->creationData, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->creationHash, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_TK_CREATION_Unmarshalu(&target->creationTicket, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Load_Out_Unmarshalu(Load_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(&target->objectHandle, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->name, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_LoadExternal_Out_Unmarshalu(LoadExternal_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(&target->objectHandle, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->name, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ReadPublic_Out_Unmarshalu(ReadPublic_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_Unmarshalu(&target->outPublic, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->name, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->qualifiedName, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ActivateCredential_Out_Unmarshalu(ActivateCredential_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->certInfo, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_MakeCredential_Out_Unmarshalu(MakeCredential_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ID_OBJECT_Unmarshalu(&target->credentialBlob, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ENCRYPTED_SECRET_Unmarshalu(&target->secret, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Unseal_Out_Unmarshalu(Unseal_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_SENSITIVE_DATA_Unmarshalu(&target->outData, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ObjectChangeAuth_Out_Unmarshalu(ObjectChangeAuth_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PRIVATE_Unmarshalu(&target->outPrivate, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_CreateLoaded_Out_Unmarshalu(CreateLoaded_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(&target->objectHandle, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PRIVATE_Unmarshalu(&target->outPrivate, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_Unmarshalu(&target->outPublic, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->name, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Duplicate_Out_Unmarshalu(Duplicate_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DATA_Unmarshalu(&target->encryptionKeyOut, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PRIVATE_Unmarshalu(&target->duplicate, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ENCRYPTED_SECRET_Unmarshalu(&target->outSymSeed, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Rewrap_Out_Unmarshalu(Rewrap_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PRIVATE_Unmarshalu(&target->outDuplicate, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ENCRYPTED_SECRET_Unmarshalu(&target->outSymSeed, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Import_Out_Unmarshalu(Import_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PRIVATE_Unmarshalu(&target->outPrivate, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_RSA_Encrypt_Out_Unmarshalu(RSA_Encrypt_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_KEY_RSA_Unmarshalu(&target->outData, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_RSA_Decrypt_Out_Unmarshalu(RSA_Decrypt_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_KEY_RSA_Unmarshalu(&target->message, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ECDH_KeyGen_Out_Unmarshalu(ECDH_KeyGen_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->zPoint, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->pubPoint, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ECDH_ZGen_Out_Unmarshalu(ECDH_ZGen_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->outPoint, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ECC_Parameters_Out_Unmarshalu(ECC_Parameters_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_ALGORITHM_DETAIL_ECC_Unmarshalu(&target->parameters, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ZGen_2Phase_Out_Unmarshalu(ZGen_2Phase_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->outZ1, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->outZ2, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_EncryptDecrypt_Out_Unmarshalu(EncryptDecrypt_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_BUFFER_Unmarshalu(&target->outData, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_IV_Unmarshalu(&target->ivOut, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_EncryptDecrypt2_Out_Unmarshalu(EncryptDecrypt2_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ return TSS_EncryptDecrypt_Out_Unmarshalu((EncryptDecrypt_Out *)target, tag, buffer, size);
+}
+TPM_RC
+TSS_Hash_Out_Unmarshalu(Hash_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->outHash, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_TK_HASHCHECK_Unmarshalu(&target->validation, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_HMAC_Out_Unmarshalu(HMAC_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->outHMAC, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_GetRandom_Out_Unmarshalu(GetRandom_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->randomBytes, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_HMAC_Start_Out_Unmarshalu(HMAC_Start_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_DH_OBJECT_Unmarshalu(&target->sequenceHandle, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ return rc;
+}
+TPM_RC
+TSS_HashSequenceStart_Out_Unmarshalu(HashSequenceStart_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_DH_OBJECT_Unmarshalu(&target->sequenceHandle, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ return rc;
+}
+TPM_RC
+TSS_SequenceComplete_Out_Unmarshalu(SequenceComplete_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->result, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_TK_HASHCHECK_Unmarshalu(&target->validation, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_EventSequenceComplete_Out_Unmarshalu(EventSequenceComplete_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_DIGEST_VALUES_Unmarshalu(&target->results, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Certify_Out_Unmarshalu(Certify_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ATTEST_Unmarshalu(&target->certifyInfo, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&target->signature, buffer, size, YES);
+ }
+ return rc;
+}
+TPM_RC
+TSS_CertifyCreation_Out_Unmarshalu(CertifyCreation_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ATTEST_Unmarshalu(&target->certifyInfo, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&target->signature, buffer, size, YES);
+ }
+ return rc;
+}
+TPM_RC
+TSS_CertifyX509_Out_Unmarshalu(CertifyX509_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_BUFFER_Unmarshalu(&target->addedToCertificate, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->tbsDigest, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&target->signature, buffer, size, YES);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Quote_Out_Unmarshalu(Quote_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ATTEST_Unmarshalu(&target->quoted, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&target->signature, buffer, size, YES);
+ }
+ return rc;
+}
+TPM_RC
+TSS_GetSessionAuditDigest_Out_Unmarshalu(GetSessionAuditDigest_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ATTEST_Unmarshalu(&target->auditInfo, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&target->signature, buffer, size, YES);
+ }
+ return rc;
+}
+TPM_RC
+TSS_GetCommandAuditDigest_Out_Unmarshalu(GetCommandAuditDigest_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ATTEST_Unmarshalu(&target->auditInfo, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&target->signature, buffer, size, YES);
+ }
+ return rc;
+}
+TPM_RC
+TSS_GetTime_Out_Unmarshalu(GetTime_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ATTEST_Unmarshalu(&target->timeInfo, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&target->signature, buffer, size, YES);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Commit_Out_Unmarshalu(Commit_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->K, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->L, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->E, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->counter, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_EC_Ephemeral_Out_Unmarshalu(EC_Ephemeral_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ECC_POINT_Unmarshalu(&target->Q, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT16_Unmarshalu(&target->counter, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_VerifySignature_Out_Unmarshalu(VerifySignature_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_TK_VERIFIED_Unmarshalu(&target->validation, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_Sign_Out_Unmarshalu(Sign_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&target->signature, buffer, size, NO);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PCR_Event_Out_Unmarshalu(PCR_Event_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_DIGEST_VALUES_Unmarshalu(&target->digests, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PCR_Read_Out_Unmarshalu(PCR_Read_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->pcrUpdateCounter, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_PCR_SELECTION_Unmarshalu(&target->pcrSelectionOut, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPML_DIGEST_Unmarshalu(&target->pcrValues, buffer, size, 0);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PCR_Allocate_Out_Unmarshalu(PCR_Allocate_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_YES_NO_Unmarshalu(&target->allocationSuccess, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->maxPCR, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->sizeNeeded, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_UINT32_Unmarshalu(&target->sizeAvailable, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicySigned_Out_Unmarshalu(PolicySigned_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_TIMEOUT_Unmarshalu(&target->timeout, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_TK_AUTH_Unmarshalu(&target->policyTicket, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicySecret_Out_Unmarshalu(PolicySecret_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_TIMEOUT_Unmarshalu(&target->timeout, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_TK_AUTH_Unmarshalu(&target->policyTicket, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_PolicyGetDigest_Out_Unmarshalu(PolicyGetDigest_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->policyDigest, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_CreatePrimary_Out_Unmarshalu(CreatePrimary_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM_HANDLE_Unmarshalu(&target->objectHandle, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_PUBLIC_Unmarshalu(&target->outPublic, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_CREATION_DATA_Unmarshalu(&target->creationData, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_DIGEST_Unmarshalu(&target->creationHash, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_TK_CREATION_Unmarshalu(&target->creationTicket, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->name, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ContextSave_Out_Unmarshalu(ContextSave_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_CONTEXT_Unmarshalu(&target->context, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_ContextLoad_Out_Unmarshalu(ContextLoad_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_DH_CONTEXT_Unmarshalu(&target->loadedHandle, buffer, size, NO);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ return rc;
+}
+TPM_RC
+TSS_ReadClock_Out_Unmarshalu(ReadClock_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_TIME_INFO_Unmarshalu(&target->currentTime, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_GetCapability_Out_Unmarshalu(GetCapability_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMI_YES_NO_Unmarshalu(&target->moreData, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMS_CAPABILITY_DATA_Unmarshalu(&target->capabilityData, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_ReadPublic_Out_Unmarshalu(NV_ReadPublic_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NV_PUBLIC_Unmarshalu(&target->nvPublic, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_NAME_Unmarshalu(&target->nvName, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_Read_Out_Unmarshalu(NV_Read_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_MAX_NV_BUFFER_Unmarshalu(&target->data, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_NV_Certify_Out_Unmarshalu(NV_Certify_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ uint32_t parameterSize = 0;
+ if (rc == TPM_RC_SUCCESS) {
+ if (tag == TPM_ST_SESSIONS) {
+ rc = TSS_UINT32_Unmarshalu(&parameterSize, buffer, size);
+ }
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPM2B_ATTEST_Unmarshalu(&target->certifyInfo, buffer, size);
+ }
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&target->signature, buffer, size, YES);
+ }
+ return rc;
+}
+
+/*
+ TPM 2.0 Structure marshaling
+*/
+
+TPM_RC
+TSS_TPM2B_Marshalu(const TPM2B *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&(source->size), written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->buffer, source->size, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 5 - Definition of Types for Documentation Clarity */
+
+TPM_RC
+TSS_TPM_KEY_BITS_Marshalu(const TPM_KEY_BITS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 7 - Definition of (UINT32) TPM_GENERATED Constants <O> */
+
+TPM_RC
+TSS_TPM_GENERATED_Marshalu(const TPM_GENERATED *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 9 - Definition of (UINT16) TPM_ALG_ID Constants <IN/OUT, S> */
+
+TPM_RC
+TSS_TPM_ALG_ID_Marshalu(const TPM_ALG_ID *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 10 - Definition of (uint16_t) {ECC} TPM_ECC_CURVE Constants <IN/OUT, S> */
+
+#ifdef TPM_ALG_ECC
+TPM_RC
+TSS_TPM_ECC_CURVE_Marshalu(const TPM_ECC_CURVE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+#endif
+
+/* Table 17 - Definition of (UINT32) TPM_RC Constants (Actions) <OUT> */
+
+TPM_RC
+TSS_TPM_RC_Marshalu(const TPM_RC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 18 - Definition of (INT8) TPM_CLOCK_ADJUST Constants <IN> */
+
+TPM_RC
+TSS_TPM_CLOCK_ADJUST_Marshalu(const TPM_CLOCK_ADJUST *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_INT8_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 19 - Definition of (UINT16) TPM_EO Constants <IN/OUT> */
+
+TPM_RC
+TSS_TPM_EO_Marshalu(const TPM_EO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 20 - Definition of (UINT16) TPM_ST Constants <IN/OUT, S> */
+
+TPM_RC
+TSS_TPM_ST_Marshalu(const TPM_ST *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 21 - Definition of (UINT16) TPM_SU Constants <IN> */
+
+TPM_RC
+TSS_TPM_SU_Marshalu(const TPM_ST *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 22 - Definition of (UINT8) TPM_SE Constants <IN> */
+
+TPM_RC
+TSS_TPM_SE_Marshalu(const TPM_SE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 23 - Definition of (UINT32) TPM_CAP Constants */
+
+TPM_RC
+TSS_TPM_CAP_Marshalu(const TPM_CAP *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 24 - Definition of (UINT32) TPM_PT Constants <IN/OUT, S> */
+
+TPM_RC
+TSS_TPM_PT_Marshalu(const TPM_PT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 25 - Definition of (UINT32) TPM_PT_PCR Constants <IN/OUT, S> */
+
+TPM_RC
+TSS_TPM_PT_PCR_Marshalu(const TPM_PT_PCR *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 27 - Definition of Types for Handles */
+
+TPM_RC
+TSS_TPM_HANDLE_Marshalu(const TPM_HANDLE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 31 - Definition of (UINT32) TPMA_ALGORITHM Bits */
+
+TPM_RC
+TSS_TPMA_ALGORITHM_Marshalu(const TPMA_ALGORITHM *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->val, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 32 - Definition of (UINT32) TPMA_OBJECT Bits */
+
+TPM_RC
+TSS_TPMA_OBJECT_Marshalu(const TPMA_OBJECT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->val, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 33 - Definition of (UINT8) TPMA_SESSION Bits <IN/OUT> */
+
+TPM_RC
+TSS_TPMA_SESSION_Marshalu(const TPMA_SESSION *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->val, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 34 - Definition of (UINT8) TPMA_LOCALITY Bits <IN/OUT> */
+
+TPM_RC
+TSS_TPMA_LOCALITY_Marshalu(const TPMA_LOCALITY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->val, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 38 - Definition of (TPM_CC) TPMA_CC Bits <OUT> */
+
+TPM_RC
+TSS_TPM_CC_Marshalu(const TPM_CC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 38 - Definition of (TPM_CC) TPMA_CC Bits <OUT> */
+
+TPM_RC
+TSS_TPMA_CC_Marshalu(const TPMA_CC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->val, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 39 - Definition of (BYTE) TPMI_YES_NO Type */
+
+TPM_RC
+TSS_TPMI_YES_NO_Marshalu(const TPMI_YES_NO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 40 - Definition of (TPM_HANDLE) TPMI_DH_OBJECT Type */
+
+TPM_RC
+TSS_TPMI_DH_OBJECT_Marshalu(const TPMI_DH_OBJECT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 41 - Definition of (TPM_HANDLE) TPMI_DH_PERSISTENT Type */
+
+TPM_RC
+TSS_TPMI_DH_PERSISTENT_Marshalu(const TPMI_DH_PERSISTENT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 42 - Definition of (TPM_HANDLE) TPMI_DH_ENTITY Type <IN> */
+
+TPM_RC
+TSS_TPMI_DH_ENTITY_Marshalu(const TPMI_DH_ENTITY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 43 - Definition of (TPM_HANDLE) TPMI_DH_PCR Type <IN> */
+
+TPM_RC
+TSS_TPMI_DH_PCR_Marshalu(const TPMI_DH_PCR *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 44 - Definition of (TPM_HANDLE) TPMI_SH_AUTH_SESSION Type <IN/OUT> */
+
+TPM_RC
+TSS_TPMI_SH_AUTH_SESSION_Marshalu(const TPMI_SH_AUTH_SESSION *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 45 - Definition of (TPM_HANDLE) TPMI_SH_HMAC Type <IN/OUT> */
+
+TPM_RC
+TSS_TPMI_SH_HMAC_Marshalu(const TPMI_SH_HMAC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 46 - Definition of (TPM_HANDLE) TPMI_SH_POLICY Type <IN/OUT> */
+
+TPM_RC
+TSS_TPMI_SH_POLICY_Marshalu(const TPMI_SH_POLICY*source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 47 - Definition of (TPM_HANDLE) TPMI_DH_CONTEXT Type */
+
+TPM_RC
+TSS_TPMI_DH_CONTEXT_Marshalu(const TPMI_DH_CONTEXT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 49 - Definition of (TPM_HANDLE) TPMI_DH_SAVED Type */
+
+TPM_RC
+TSS_TPMI_DH_SAVED_Marshalu(const TPMI_DH_SAVED *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 48 - Definition of (TPM_HANDLE) TPMI_RH_HIERARCHY Type */
+
+TPM_RC
+TSS_TPMI_RH_HIERARCHY_Marshalu(const TPMI_RH_HIERARCHY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 49 - Definition of (TPM_HANDLE) TPMI_RH_ENABLES Type */
+
+TPM_RC
+TSS_TPMI_RH_ENABLES_Marshalu(const TPMI_RH_ENABLES *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 50 - Definition of (TPM_HANDLE) TPMI_RH_HIERARCHY_AUTH Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_HIERARCHY_AUTH_Marshalu(const TPMI_RH_HIERARCHY_AUTH *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 50 - Definition of (TPM_HANDLE) TPMI_RH_HIERARCHY_POLICY Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_HIERARCHY_POLICY_Marshalu(const TPMI_RH_HIERARCHY_POLICY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 51 - Definition of (TPM_HANDLE) TPMI_RH_PLATFORM Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_PLATFORM_Marshalu(const TPMI_RH_PLATFORM *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 53 - Definition of (TPM_HANDLE) TPMI_RH_ENDORSEMENT Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_ENDORSEMENT_Marshalu(const TPMI_RH_ENDORSEMENT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 54 - Definition of (TPM_HANDLE) TPMI_RH_PROVISION Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_PROVISION_Marshalu(const TPMI_RH_PROVISION *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 55 - Definition of (TPM_HANDLE) TPMI_RH_CLEAR Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_CLEAR_Marshalu(const TPMI_RH_CLEAR *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 56 - Definition of (TPM_HANDLE) TPMI_RH_NV_AUTH Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_NV_AUTH_Marshalu(const TPMI_RH_NV_AUTH *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 57 - Definition of (TPM_HANDLE) TPMI_RH_LOCKOUT Type <IN> */
+
+TPM_RC
+TSS_TPMI_RH_LOCKOUT_Marshalu(const TPMI_RH_LOCKOUT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 58 - Definition of (TPM_HANDLE) TPMI_RH_NV_INDEX Type <IN/OUT> */
+
+TPM_RC
+TSS_TPMI_RH_NV_INDEX_Marshalu(const TPMI_RH_NV_INDEX *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type */
+
+TPM_RC
+TSS_TPMI_ALG_HASH_Marshalu(const TPMI_ALG_HASH *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 61 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM Type */
+
+TPM_RC
+TSS_TPMI_ALG_SYM_Marshalu(const TPMI_ALG_SYM *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 62 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM_OBJECT Type */
+
+TPM_RC
+TSS_TPMI_ALG_SYM_OBJECT_Marshalu(const TPMI_ALG_SYM_OBJECT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 63 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM_MODE Type */
+
+TPM_RC
+TSS_TPMI_ALG_SYM_MODE_Marshalu(const TPMI_ALG_SYM_MODE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 64 - Definition of (TPM_ALG_ID) TPMI_ALG_KDF Type */
+
+TPM_RC
+TSS_TPMI_ALG_KDF_Marshalu(const TPMI_ALG_KDF *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 65 - Definition of (TPM_ALG_ID) TPMI_ALG_SIG_SCHEME Type */
+
+TPM_RC
+TSS_TPMI_ALG_SIG_SCHEME_Marshalu(const TPMI_ALG_SIG_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 66 - Definition of (TPM_ALG_ID) TPMI_ECC_KEY_EXCHANGE Type */
+
+TPM_RC
+TSS_TPMI_ECC_KEY_EXCHANGE_Marshalu(const TPMI_ECC_KEY_EXCHANGE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 67 - Definition of (TPM_ST) TPMI_ST_COMMAND_TAG Type */
+
+TPM_RC
+TSS_TPMI_ST_COMMAND_TAG_Marshalu(const TPMI_ST_COMMAND_TAG *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ST_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 71 - Definition of (TPM_ALG_ID) TPMI_ALG_MAC_SCHEME Type */
+
+TPM_RC
+TSS_TPMI_ALG_MAC_SCHEME_Marshalu(const TPMI_ALG_MAC_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 72 - Definition of (TPM_ALG_ID) TPMI_ALG_CIPHER_MODE Type */
+
+TPM_RC
+TSS_TPMI_ALG_CIPHER_MODE_Marshalu(const TPMI_ALG_CIPHER_MODE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 70 - Definition of TPMU_HA Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_HA_Marshalu(const TPMU_HA *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+
+ switch (selector) {
+#ifdef TPM_ALG_SHA1
+ case TPM_ALG_SHA1:
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(&source->sha1[0], SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SHA256
+ case TPM_ALG_SHA256:
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(&source->sha256[0], SHA256_DIGEST_SIZE, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SHA384
+ case TPM_ALG_SHA384:
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(&source->sha384[0], SHA384_DIGEST_SIZE, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SHA512
+ case TPM_ALG_SHA512:
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(&source->sha512[0], SHA512_DIGEST_SIZE, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SM3_256
+ case TPM_ALG_SM3_256:
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(&source->sm3_256[0], SM3_256_DIGEST_SIZE, written, buffer, size);
+ }
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 71 - Definition of TPMT_HA Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPMT_HA_Marshalu(const TPMT_HA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hashAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_HA_Marshalu(&source->digest, written, buffer, size, source->hashAlg);
+ }
+ return rc;
+}
+
+/* Table 72 - Definition of TPM2B_DIGEST Structure */
+
+TPM_RC
+TSS_TPM2B_DIGEST_Marshalu(const TPM2B_DIGEST *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 73 - Definition of TPM2B_DATA Structure */
+
+TPM_RC
+TSS_TPM2B_DATA_Marshalu(const TPM2B_DATA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 74 - Definition of Types for TPM2B_NONCE */
+
+TPM_RC
+TSS_TPM2B_NONCE_Marshalu(const TPM2B_NONCE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 75 - Definition of Types for TPM2B_AUTH */
+
+TPM_RC
+TSS_TPM2B_AUTH_Marshalu(const TPM2B_AUTH *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 76 - Definition of Types for TPM2B_OPERAND */
+
+TPM_RC
+TSS_TPM2B_OPERAND_Marshalu(const TPM2B_OPERAND *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 77 - Definition of TPM2B_EVENT Structure */
+
+TPM_RC
+TSS_TPM2B_EVENT_Marshalu(const TPM2B_EVENT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 78 - Definition of TPM2B_MAX_BUFFER Structure */
+
+TPM_RC
+TSS_TPM2B_MAX_BUFFER_Marshalu(const TPM2B_MAX_BUFFER *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 79 - Definition of TPM2B_MAX_NV_BUFFER Structure */
+
+TPM_RC
+TSS_TPM2B_MAX_NV_BUFFER_Marshalu(const TPM2B_MAX_NV_BUFFER *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 80 - Definition of TPM2B_TIMEOUT Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_TIMEOUT_Marshalu(const TPM2B_TIMEOUT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 81 - Definition of TPM2B_IV Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_IV_Marshalu(const TPM2B_IV *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 83 - Definition of TPM2B_NAME Structure */
+
+TPM_RC
+TSS_TPM2B_NAME_Marshalu(const TPM2B_NAME *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 85 - Definition of TPMS_PCR_SELECTION Structure */
+
+TPM_RC
+TSS_TPMS_PCR_SELECTION_Marshalu(const TPMS_PCR_SELECTION *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hash, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->sizeofSelect, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(&source->pcrSelect[0], source->sizeofSelect, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 88 - Definition of TPMT_TK_CREATION Structure */
+
+TPM_RC
+TSS_TPMT_TK_CREATION_Marshalu(const TPMT_TK_CREATION *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ST_Marshalu(&source->tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_Marshalu(&source->hierarchy, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->digest, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 89 - Definition of TPMT_TK_VERIFIED Structure */
+
+TPM_RC
+TSS_TPMT_TK_VERIFIED_Marshalu(const TPMT_TK_VERIFIED *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ST_Marshalu(&source->tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_Marshalu(&source->hierarchy, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->digest, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 90 - Definition of TPMT_TK_AUTH Structure */
+
+TPM_RC
+TSS_TPMT_TK_AUTH_Marshalu(const TPMT_TK_AUTH *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ST_Marshalu(&source->tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_Marshalu(&source->hierarchy, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->digest, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 91 - Definition of TPMT_TK_HASHCHECK Structure */
+
+TPM_RC
+TSS_TPMT_TK_HASHCHECK_Marshalu(const TPMT_TK_HASHCHECK *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ST_Marshalu(&source->tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_Marshalu(&source->hierarchy, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->digest, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 92 - Definition of TPMS_ALG_PROPERTY Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_ALG_PROPERTY_Marshalu(const TPMS_ALG_PROPERTY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(&source->alg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMA_ALGORITHM_Marshalu(&source->algProperties, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 93 - Definition of TPMS_TAGGED_PROPERTY Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_TAGGED_PROPERTY_Marshalu(const TPMS_TAGGED_PROPERTY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_PT_Marshalu(&source->property, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->value, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 94 - Definition of TPMS_TAGGED_PCR_SELECT Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_TAGGED_PCR_SELECT_Marshalu(const TPMS_TAGGED_PCR_SELECT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_PT_PCR_Marshalu(&source->tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->sizeofSelect, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(&source->pcrSelect[0], source->sizeofSelect, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 95 - Definition of TPML_CC Structure */
+
+TPM_RC
+TSS_TPML_CC_Marshalu(const TPML_CC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPM_CC_Marshalu(&source->commandCodes[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* Table 96 - Definition of TPML_CCA Structure <OUT> */
+
+TPM_RC
+TSS_TPML_CCA_Marshalu(const TPML_CCA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPMA_CC_Marshalu(&source->commandAttributes[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* Table 97 - Definition of TPML_ALG Structure */
+
+TPM_RC
+TSS_TPML_ALG_Marshalu(const TPML_ALG *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(&source->algorithms[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* Table 98 - Definition of TPML_HANDLE Structure <OUT> */
+
+TPM_RC
+TSS_TPML_HANDLE_Marshalu(const TPML_HANDLE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPM_HANDLE_Marshalu(&source->handle[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* Table 99 - Definition of TPML_DIGEST Structure */
+
+TPM_RC
+TSS_TPML_DIGEST_Marshalu(const TPML_DIGEST *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->digests[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* Table 100 - Definition of TPML_DIGEST_VALUES Structure */
+
+TPM_RC
+TSS_TPML_DIGEST_VALUES_Marshalu(const TPML_DIGEST_VALUES *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPMT_HA_Marshalu(&source->digests[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* Table 102 - Definition of TPML_PCR_SELECTION Structure */
+
+TPM_RC
+TSS_TPML_PCR_SELECTION_Marshalu(const TPML_PCR_SELECTION *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPMS_PCR_SELECTION_Marshalu(&source->pcrSelections[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* Table 103 - Definition of TPML_ALG_PROPERTY Structure <OUT> */
+
+TPM_RC
+TSS_TPML_ALG_PROPERTY_Marshalu(const TPML_ALG_PROPERTY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPMS_ALG_PROPERTY_Marshalu(&source->algProperties[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* Table 104 - Definition of TPML_TAGGED_TPM_PROPERTY Structure <OUT> */
+
+TPM_RC
+TSS_TPML_TAGGED_TPM_PROPERTY_Marshalu(const TPML_TAGGED_TPM_PROPERTY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPMS_TAGGED_PROPERTY_Marshalu(&source->tpmProperty[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* Table 105 - Definition of TPML_TAGGED_PCR_PROPERTY Structure <OUT> */
+
+TPM_RC
+TSS_TPML_TAGGED_PCR_PROPERTY_Marshalu(const TPML_TAGGED_PCR_PROPERTY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPMS_TAGGED_PCR_SELECT_Marshalu(&source->pcrProperty[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* Table 106 - Definition of {ECC} TPML_ECC_CURVE Structure <OUT> */
+
+TPM_RC
+TSS_TPML_ECC_CURVE_Marshalu(const TPML_ECC_CURVE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint32_t i;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->count, written, buffer, size);
+ }
+ for (i = 0 ; i < source->count ; i++) {
+ if (rc == 0) {
+ rc = TSS_TPM_ECC_CURVE_Marshalu(&source->eccCurves[i], written, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* Table 107 - Definition of TPMU_CAPABILITIES Union <OUT> */
+
+TPM_RC
+TSS_TPMU_CAPABILITIES_Marshalu(const TPMU_CAPABILITIES *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+ case TPM_CAP_ALGS:
+ if (rc == 0) {
+ rc = TSS_TPML_ALG_PROPERTY_Marshalu(&source->algorithms, written, buffer, size);
+ }
+ break;
+ case TPM_CAP_HANDLES:
+ if (rc == 0) {
+ rc = TSS_TPML_HANDLE_Marshalu(&source->handles, written, buffer, size);
+ }
+ break;
+ case TPM_CAP_COMMANDS:
+ if (rc == 0) {
+ rc = TSS_TPML_CCA_Marshalu(&source->command, written, buffer, size);
+ }
+ break;
+ case TPM_CAP_PP_COMMANDS:
+ if (rc == 0) {
+ rc = TSS_TPML_CC_Marshalu(&source->ppCommands, written, buffer, size);
+ }
+ break;
+ case TPM_CAP_AUDIT_COMMANDS:
+ if (rc == 0) {
+ rc = TSS_TPML_CC_Marshalu(&source->auditCommands, written, buffer, size);
+ }
+ break;
+ case TPM_CAP_PCRS:
+ if (rc == 0) {
+ rc = TSS_TPML_PCR_SELECTION_Marshalu(&source->assignedPCR, written, buffer, size);
+ }
+ break;
+ case TPM_CAP_TPM_PROPERTIES:
+ if (rc == 0) {
+ rc = TSS_TPML_TAGGED_TPM_PROPERTY_Marshalu(&source->tpmProperties, written, buffer, size);
+ }
+ break;
+ case TPM_CAP_PCR_PROPERTIES:
+ if (rc == 0) {
+ rc = TSS_TPML_TAGGED_PCR_PROPERTY_Marshalu(&source->pcrProperties, written, buffer, size);
+ }
+ break;
+ case TPM_CAP_ECC_CURVES:
+ if (rc == 0) {
+ rc = TSS_TPML_ECC_CURVE_Marshalu(&source->eccCurves, written, buffer, size);
+ }
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 108 - Definition of TPMS_CAPABILITY_DATA Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_CAPABILITY_DATA_Marshalu(const TPMS_CAPABILITY_DATA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_CAP_Marshalu(&source->capability, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_CAPABILITIES_Marshalu(&source->data, written, buffer, size, source->capability);
+ }
+ return rc;
+}
+
+/* Table 109 - Definition of TPMS_CLOCK_INFO Structure */
+
+TPM_RC
+TSS_TPMS_CLOCK_INFO_Marshalu(const TPMS_CLOCK_INFO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT64_Marshalu(&source->clock, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->resetCount, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->restartCount, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_YES_NO_Marshalu(&source->safe, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 110 - Definition of TPMS_TIME_INFO Structure */
+
+TPM_RC
+TSS_TPMS_TIME_INFO_Marshalu(const TPMS_TIME_INFO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT64_Marshalu(&source->time, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMS_CLOCK_INFO_Marshalu(&source->clockInfo, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 111 - Definition of TPMS_TIME_ATTEST_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_TIME_ATTEST_INFO_Marshalu(const TPMS_TIME_ATTEST_INFO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_TIME_INFO_Marshalu(&source->time, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT64_Marshalu(&source->firmwareVersion, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 112 - Definition of TPMS_CERTIFY_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_CERTIFY_INFO_Marshalu(const TPMS_CERTIFY_INFO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->name, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->qualifiedName, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 113 - Definition of TPMS_QUOTE_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_QUOTE_INFO_Marshalu(const TPMS_QUOTE_INFO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPML_PCR_SELECTION_Marshalu(&source->pcrSelect, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->pcrDigest, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 114 - Definition of TPMS_COMMAND_AUDIT_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_COMMAND_AUDIT_INFO_Marshalu(const TPMS_COMMAND_AUDIT_INFO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT64_Marshalu(&source->auditCounter, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(&source->digestAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->auditDigest, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->commandDigest, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 115 - Definition of TPMS_SESSION_AUDIT_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_SESSION_AUDIT_INFO_Marshalu(const TPMS_SESSION_AUDIT_INFO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_YES_NO_Marshalu(&source->exclusiveSession, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->sessionDigest, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 116 - Definition of TPMS_CREATION_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_CREATION_INFO_Marshalu(const TPMS_CREATION_INFO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->objectName, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->creationHash, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 117 - Definition of TPMS_NV_CERTIFY_INFO Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_NV_CERTIFY_INFO_Marshalu(const TPMS_NV_CERTIFY_INFO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->indexName, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->offset, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_MAX_NV_BUFFER_Marshalu(&source->nvContents, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 118 - Definition of (TPM_ST) TPMI_ST_ATTEST Type <OUT> */
+
+TPM_RC
+TSS_TPMI_ST_ATTEST_Marshalu(const TPMI_ST_ATTEST *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ST_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 119 - Definition of TPMU_ATTEST Union <OUT> */
+
+TPM_RC
+TSS_TPMU_ATTEST_Marshalu(const TPMU_ATTEST *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+ case TPM_ST_ATTEST_CERTIFY:
+ if (rc == 0) {
+ rc = TSS_TPMS_CERTIFY_INFO_Marshalu(&source->certify, written, buffer, size);
+ }
+ break;
+ case TPM_ST_ATTEST_CREATION:
+ if (rc == 0) {
+ rc = TSS_TPMS_CREATION_INFO_Marshalu(&source->creation, written, buffer, size);
+ }
+ break;
+ case TPM_ST_ATTEST_QUOTE:
+ if (rc == 0) {
+ rc = TSS_TPMS_QUOTE_INFO_Marshalu(&source->quote, written, buffer, size);
+ }
+ break;
+ case TPM_ST_ATTEST_COMMAND_AUDIT:
+ if (rc == 0) {
+ rc = TSS_TPMS_COMMAND_AUDIT_INFO_Marshalu(&source->commandAudit, written, buffer, size);
+ }
+ break;
+ case TPM_ST_ATTEST_SESSION_AUDIT:
+ if (rc == 0) {
+ rc = TSS_TPMS_SESSION_AUDIT_INFO_Marshalu(&source->sessionAudit, written, buffer, size);
+ }
+ break;
+ case TPM_ST_ATTEST_TIME:
+ if (rc == 0) {
+ rc = TSS_TPMS_TIME_ATTEST_INFO_Marshalu(&source->time, written, buffer, size);
+ }
+ break;
+ case TPM_ST_ATTEST_NV:
+ if (rc == 0) {
+ rc = TSS_TPMS_NV_CERTIFY_INFO_Marshalu(&source->nv, written, buffer, size);
+ }
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 120 - Definition of TPMS_ATTEST Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_ATTEST_Marshalu(const TPMS_ATTEST *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_GENERATED_Marshalu(&source->magic, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ST_ATTEST_Marshalu(&source->type, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->qualifiedSigner, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->extraData, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMS_CLOCK_INFO_Marshalu(&source->clockInfo, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT64_Marshalu(&source->firmwareVersion, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_ATTEST_Marshalu(&source->attested, written, buffer, size,source->type);
+ }
+ return rc;
+}
+
+/* Table 121 - Definition of TPM2B_ATTEST Structure <OUT> */
+
+TPM_RC
+TSS_TPM2B_ATTEST_Marshalu(const TPM2B_ATTEST *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 122 - Definition of TPMS_AUTH_COMMAND Structure <IN> */
+
+TPM_RC
+TSS_TPMS_AUTH_COMMAND_Marshalu(const TPMS_AUTH_COMMAND *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_SH_AUTH_SESSION_Marshalu(&source->sessionHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NONCE_Marshalu(&source->nonce, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMA_SESSION_Marshalu(&source->sessionAttributes, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_AUTH_Marshalu(&source->hmac, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 124 - Definition of {AES} (TPM_KEY_BITS) TPMI_!ALG.S_KEY_BITS Type */
+
+TPM_RC
+TSS_TPMI_AES_KEY_BITS_Marshalu(const TPMI_AES_KEY_BITS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_KEY_BITS_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 125 - Definition of TPMU_SYM_KEY_BITS Union */
+
+TPM_RC
+TSS_TPMU_SYM_KEY_BITS_Marshalu(const TPMU_SYM_KEY_BITS *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch(selector) {
+#ifdef TPM_ALG_AES
+ case TPM_ALG_AES:
+ if (rc == 0) {
+ rc = TSS_TPMI_AES_KEY_BITS_Marshalu(&source->aes, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SM4
+ case TPM_ALG_SM4:
+ if (rc == 0) {
+ rc = TSS_TPMI_SM4_KEY_BITS_Marshalu(&source->sm4, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_CAMELLIA
+ case TPM_ALG_CAMELLIA:
+ if (rc == 0) {
+ rc = TSS_TPMI_CAMELLIA_KEY_BITS_Marshalu(&source->camellia, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_XOR
+ case TPM_ALG_XOR:
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->xorr, written, buffer, size);
+ }
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ return rc;
+ }
+ return rc;
+}
+
+/* Table 126 - Definition of TPMU_SYM_MODE Union */
+
+TPM_RC
+TSS_TPMU_SYM_MODE_Marshalu(const TPMU_SYM_MODE *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+#ifdef TPM_ALG_AES
+ case TPM_ALG_AES:
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_SYM_MODE_Marshalu(&source->aes, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SM4
+ case TPM_ALG_SM4:
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_SYM_MODE_Marshalu(&source->sm4, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_CAMELLIA
+ case TPM_ALG_CAMELLIA:
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_SYM_MODE_Marshalu(&source->camellia, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_XOR
+ case TPM_ALG_XOR:
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 128 - Definition of TPMT_SYM_DEF Structure */
+
+TPM_RC
+TSS_TPMT_SYM_DEF_Marshalu(const TPMT_SYM_DEF *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_SYM_Marshalu(&source->algorithm, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_SYM_KEY_BITS_Marshalu(&source->keyBits, written, buffer, size, source->algorithm);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_SYM_MODE_Marshalu(&source->mode, written, buffer, size, source->algorithm);
+ }
+ return rc;
+}
+
+/* Table 129 - Definition of TPMT_SYM_DEF_OBJECT Structure */
+
+TPM_RC
+TSS_TPMT_SYM_DEF_OBJECT_Marshalu(const TPMT_SYM_DEF_OBJECT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_SYM_OBJECT_Marshalu(&source->algorithm, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_SYM_KEY_BITS_Marshalu(&source->keyBits, written, buffer, size, source->algorithm);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_SYM_MODE_Marshalu(&source->mode, written, buffer, size, source->algorithm);
+ }
+ return rc;
+}
+
+/* Table 130 - Definition of TPM2B_SYM_KEY Structure */
+
+TPM_RC
+TSS_TPM2B_SYM_KEY_Marshalu(const TPM2B_SYM_KEY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 134 - Definition of TPM2B_LABEL Structure */
+
+TPM_RC
+TSS_TPM2B_LABEL_Marshalu(const TPM2B_LABEL *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 139 - Definition of TPMS_DERIVE Structure */
+
+TPM_RC
+TSS_TPMS_DERIVE_Marshalu(const TPMS_DERIVE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_LABEL_Marshalu(&source->label, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_LABEL_Marshalu(&source->context, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 131 - Definition of TPMS_SYMCIPHER_PARMS Structure */
+
+TPM_RC
+TSS_TPMS_SYMCIPHER_PARMS_Marshalu(const TPMS_SYMCIPHER_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMT_SYM_DEF_OBJECT_Marshalu(&source->sym, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 132 - Definition of TPM2B_SENSITIVE_DATA Structure */
+
+TPM_RC
+TSS_TPM2B_SENSITIVE_DATA_Marshalu(const TPM2B_SENSITIVE_DATA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 133 - Definition of TPMS_SENSITIVE_CREATE Structure <IN> */
+
+TPM_RC
+TSS_TPMS_SENSITIVE_CREATE_Marshalu(const TPMS_SENSITIVE_CREATE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_AUTH_Marshalu(&source->userAuth, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_SENSITIVE_DATA_Marshalu(&source->data, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 134 - Definition of TPM2B_SENSITIVE_CREATE Structure <IN, S> */
+
+TPM_RC
+TSS_TPM2B_SENSITIVE_CREATE_Marshalu(const TPM2B_SENSITIVE_CREATE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint16_t sizeWritten = 0; /* of structure */
+ BYTE *sizePtr;
+
+ if (buffer != NULL) {
+ sizePtr = *buffer;
+ *buffer += sizeof(uint16_t);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMS_SENSITIVE_CREATE_Marshalu(&source->sensitive, &sizeWritten, buffer, size);
+ }
+ if (rc == 0) {
+ *written += sizeWritten;
+ if (buffer != NULL) {
+ rc = TSS_UINT16_Marshalu(&sizeWritten, written, &sizePtr, size); /* backfill 2B size */
+ }
+ else {
+ *written += sizeof(uint16_t);
+ }
+ }
+ return rc;
+}
+
+/* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
+
+TPM_RC
+TSS_TPMS_SCHEME_HASH_Marshalu(const TPMS_SCHEME_HASH *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hashAlg, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 136 - Definition of {ECC} TPMS_SCHEME_ECDAA Structure */
+
+TPM_RC
+TSS_TPMS_SCHEME_ECDAA_Marshalu(const TPMS_SCHEME_ECDAA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hashAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->count, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 137 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
+
+TPM_RC
+TSS_TPMI_ALG_KEYEDHASH_SCHEME_Marshalu(const TPMI_ALG_KEYEDHASH_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 138 - Definition of Types for HMAC_SIG_SCHEME */
+
+TPM_RC
+TSS_TPMS_SCHEME_HMAC_Marshalu(const TPMS_SCHEME_HMAC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 139 - Definition of TPMS_SCHEME_XOR Structure */
+
+TPM_RC
+TSS_TPMS_SCHEME_XOR_Marshalu(const TPMS_SCHEME_XOR *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hashAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_KDF_Marshalu(&source->kdf, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 140 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_SCHEME_KEYEDHASH_Marshalu(const TPMU_SCHEME_KEYEDHASH *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+#ifdef TPM_ALG_HMAC
+ case TPM_ALG_HMAC:
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HMAC_Marshalu(&source->hmac, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_XOR
+ case TPM_ALG_XOR:
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_XOR_Marshalu(&source->xorr, written, buffer, size);
+ }
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 141 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
+
+TPM_RC
+TSS_TPMT_KEYEDHASH_SCHEME_Marshalu(const TPMT_KEYEDHASH_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_KEYEDHASH_SCHEME_Marshalu(&source->scheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_SCHEME_KEYEDHASH_Marshalu(&source->details, written, buffer, size, source->scheme);
+ }
+ return rc;
+}
+
+/* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
+
+TPM_RC
+TSS_TPMS_SIG_SCHEME_RSASSA_Marshalu(const TPMS_SIG_SCHEME_RSASSA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPMS_SIG_SCHEME_RSAPSS_Marshalu(const TPMS_SIG_SCHEME_RSAPSS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 143 - Definition of {ECC} Types for ECC Signature Schemes */
+
+TPM_RC
+TSS_TPMS_SIG_SCHEME_ECDSA_Marshalu(const TPMS_SIG_SCHEME_ECDSA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_TPMS_SIG_SCHEME_SM2_Marshalu(const TPMS_SIG_SCHEME_SM2 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_TPMS_SIG_SCHEME_ECSCHNORR_Marshalu(const TPMS_SIG_SCHEME_ECSCHNORR *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 143 - Definition of {ECC} Types for ECC Signature Schemes */
+
+TPM_RC
+TSS_TPMS_SIG_SCHEME_ECDAA_Marshalu(const TPMS_SIG_SCHEME_ECDAA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_ECDAA_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 144 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_SIG_SCHEME_Marshalu(const TPMU_SIG_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+#ifdef TPM_ALG_RSASSA
+ case TPM_ALG_RSASSA:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_RSASSA_Marshalu(&source->rsassa, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_RSAPSS
+ case TPM_ALG_RSAPSS:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_RSAPSS_Marshalu(&source->rsapss, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECDSA
+ case TPM_ALG_ECDSA:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_ECDSA_Marshalu(&source->ecdsa, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECDAA
+ case TPM_ALG_ECDAA:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_ECDAA_Marshalu(&source->ecdaa, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SM2
+ case TPM_ALG_SM2:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_SM2_Marshalu(&source->sm2, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ case TPM_ALG_ECSCHNORR:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_ECSCHNORR_Marshalu(&source->ecSchnorr, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_HMAC
+ case TPM_ALG_HMAC:
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HMAC_Marshalu(&source->hmac, written, buffer, size);
+ }
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 145 - Definition of TPMT_SIG_SCHEME Structure */
+
+TPM_RC
+TSS_TPMT_SIG_SCHEME_Marshalu(const TPMT_SIG_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_SIG_SCHEME_Marshalu(&source->scheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_SIG_SCHEME_Marshalu(&source->details, written, buffer, size,source->scheme);
+ }
+ return rc;
+}
+
+/* Table 146 - Definition of Types for {RSA} Encryption Schemes */
+
+/* NOTE: Marked as const function in header */
+
+TPM_RC
+TSS_TPMS_ENC_SCHEME_OAEP_Marshalu(const TPMS_ENC_SCHEME_OAEP *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 146 - Definition of Types for {RSA} Encryption Schemes */
+
+/* NOTE: Marked as const function in header */
+
+TPM_RC
+TSS_TPMS_ENC_SCHEME_RSAES_Marshalu(const TPMS_ENC_SCHEME_RSAES *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ source = source;
+ written = written;
+ buffer = buffer;
+ size = size;
+ return 0;
+}
+
+/* Table 147 - Definition of Types for {ECC} ECC Key Exchange */
+
+TPM_RC
+TSS_TPMS_KEY_SCHEME_ECDH_Marshalu(const TPMS_KEY_SCHEME_ECDH *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_TPMS_KEY_SCHEME_ECMQV_Marshalu(const TPMS_KEY_SCHEME_ECMQV *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 148 - Definition of Types for KDF Schemes, hash-based key- or mask-generation functions */
+
+TPM_RC
+TSS_TPMS_SCHEME_MGF1_Marshalu(const TPMS_SCHEME_MGF1 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_TPMS_SCHEME_KDF1_SP800_56A_Marshalu(const TPMS_SCHEME_KDF1_SP800_56A *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_TPMS_SCHEME_KDF2_Marshalu(const TPMS_SCHEME_KDF2 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_TPMS_SCHEME_KDF1_SP800_108_Marshalu(const TPMS_SCHEME_KDF1_SP800_108 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 149 - Definition of TPMU_KDF_SCHEME Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_KDF_SCHEME_Marshalu(const TPMU_KDF_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+#ifdef TPM_ALG_MGF1
+ case TPM_ALG_MGF1:
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_MGF1_Marshalu(&source->mgf1, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_KDF1_SP800_56A
+ case TPM_ALG_KDF1_SP800_56A:
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_KDF1_SP800_56A_Marshalu(&source->kdf1_SP800_56a, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_KDF2
+ case TPM_ALG_KDF2:
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_KDF2_Marshalu(&source->kdf2, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_KDF1_SP800_108
+ case TPM_ALG_KDF1_SP800_108:
+ if (rc == 0) {
+ rc = TSS_TPMS_SCHEME_KDF1_SP800_108_Marshalu(&source->kdf1_sp800_108, written, buffer, size);
+ }
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+/* Table 150 - Definition of TPMT_KDF_SCHEME Structure */
+
+TPM_RC
+TSS_TPMT_KDF_SCHEME_Marshalu(const TPMT_KDF_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_KDF_Marshalu(&source->scheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_KDF_SCHEME_Marshalu(&source->details, written, buffer, size, source->scheme);
+ }
+ return rc;
+}
+
+/* Table 152 - Definition of TPMU_ASYM_SCHEME Union */
+
+TPM_RC
+TSS_TPMU_ASYM_SCHEME_Marshalu(const TPMU_ASYM_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+#ifdef TPM_ALG_ECDH
+ case TPM_ALG_ECDH:
+ if (rc == 0) {
+ rc = TSS_TPMS_KEY_SCHEME_ECDH_Marshalu(&source->ecdh, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECMQV
+ case TPM_ALG_ECMQV:
+ if (rc == 0) {
+ rc = TSS_TPMS_KEY_SCHEME_ECMQV_Marshalu(&source->ecmqvh, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_RSASSA
+ case TPM_ALG_RSASSA:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_RSASSA_Marshalu(&source->rsassa, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_RSAPSS
+ case TPM_ALG_RSAPSS:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_RSAPSS_Marshalu(&source->rsapss, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECDSA
+ case TPM_ALG_ECDSA:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_ECDSA_Marshalu(&source->ecdsa, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECDAA
+ case TPM_ALG_ECDAA:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_ECDAA_Marshalu(&source->ecdaa, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SM2
+ case TPM_ALG_SM2:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_SM2_Marshalu(&source->sm2, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ case TPM_ALG_ECSCHNORR:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIG_SCHEME_ECSCHNORR_Marshalu(&source->ecSchnorr, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_RSAES
+ case TPM_ALG_RSAES:
+ if (rc == 0) {
+ rc = TSS_TPMS_ENC_SCHEME_RSAES_Marshalu(&source->rsaes, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_OAEP
+ case TPM_ALG_OAEP:
+ if (rc == 0) {
+ rc = TSS_TPMS_ENC_SCHEME_OAEP_Marshalu(&source->oaep, written, buffer, size);
+ }
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 154 - Definition of (TPM_ALG_ID) {RSA} TPMI_ALG_RSA_SCHEME Type */
+
+TPM_RC
+TSS_TPMI_ALG_RSA_SCHEME_Marshalu(const TPMI_ALG_RSA_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 155 - Definition of {RSA} TPMT_RSA_SCHEME Structure */
+
+TPM_RC
+TSS_TPMT_RSA_SCHEME_Marshalu(const TPMT_RSA_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_RSA_SCHEME_Marshalu(&source->scheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_ASYM_SCHEME_Marshalu(&source->details, written, buffer, size, source->scheme);
+ }
+ return rc;
+}
+
+/* Table 156 - Definition of (TPM_ALG_ID) {RSA} TPMI_ALG_RSA_DECRYPT Type */
+
+TPM_RC
+TSS_TPMI_ALG_RSA_DECRYPT_Marshalu(const TPMI_ALG_RSA_DECRYPT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 157 - Definition of {RSA} TPMT_RSA_DECRYPT Structure */
+
+TPM_RC
+TSS_TPMT_RSA_DECRYPT_Marshalu(const TPMT_RSA_DECRYPT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_RSA_DECRYPT_Marshalu(&source->scheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_ASYM_SCHEME_Marshalu(&source->details, written, buffer, size, source->scheme);
+ }
+ return rc;
+}
+
+/* Table 158 - Definition of {RSA} TPM2B_PUBLIC_KEY_RSA Structure */
+
+TPM_RC
+TSS_TPM2B_PUBLIC_KEY_RSA_Marshalu(const TPM2B_PUBLIC_KEY_RSA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 159 - Definition of {RSA} (TPM_KEY_BITS) TPMI_RSA_KEY_BITS Type */
+
+TPM_RC
+TSS_TPMI_RSA_KEY_BITS_Marshalu(const TPMI_RSA_KEY_BITS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_KEY_BITS_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 160 - Definition of {RSA} TPM2B_PRIVATE_KEY_RSA Structure */
+
+TPM_RC
+TSS_TPM2B_PRIVATE_KEY_RSA_Marshalu(const TPM2B_PRIVATE_KEY_RSA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 161 - Definition of {ECC} TPM2B_ECC_PARAMETER Structure */
+
+TPM_RC
+TSS_TPM2B_ECC_PARAMETER_Marshalu(const TPM2B_ECC_PARAMETER *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 162 - Definition of {ECC} TPMS_ECC_POINT Structure */
+
+TPM_RC
+TSS_TPMS_ECC_POINT_Marshalu(const TPMS_ECC_POINT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->x, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->y, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 163 - Definition of {ECC} TPM2B_ECC_POINT Structure */
+
+TPM_RC
+TSS_TPM2B_ECC_POINT_Marshalu(const TPM2B_ECC_POINT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint16_t sizeWritten = 0; /* of structure */
+ BYTE *sizePtr;
+
+ if (buffer != NULL) {
+ sizePtr = *buffer;
+ *buffer += sizeof(uint16_t);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMS_ECC_POINT_Marshalu(&source->point, &sizeWritten, buffer, size);
+ }
+ if (rc == 0) {
+ *written += sizeWritten;
+ if (buffer != NULL) {
+ rc = TSS_UINT16_Marshalu(&sizeWritten, written, &sizePtr, size);
+ }
+ else {
+ *written += sizeof(uint16_t);
+ }
+ }
+ return rc;
+}
+
+/* Table 164 - Definition of (TPM_ALG_ID) {ECC} TPMI_ALG_ECC_SCHEME Type */
+
+TPM_RC
+TSS_TPMI_ALG_ECC_SCHEME_Marshalu(const TPMI_ALG_ECC_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 165 - Definition of {ECC} (TPM_ECC_CURVE) TPMI_ECC_CURVE Type */
+
+TPM_RC
+TSS_TPMI_ECC_CURVE_Marshalu(const TPMI_ECC_CURVE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ECC_CURVE_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 166 - Definition of (TPMT_SIG_SCHEME) {ECC} TPMT_ECC_SCHEME Structure */
+
+TPM_RC
+TSS_TPMT_ECC_SCHEME_Marshalu(const TPMT_ECC_SCHEME *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_ECC_SCHEME_Marshalu(&source->scheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_ASYM_SCHEME_Marshalu(&source->details, written, buffer, size, source->scheme);
+ }
+ return rc;
+}
+
+/* Table 167 - Definition of {ECC} TPMS_ALGORITHM_DETAIL_ECC Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_ALGORITHM_DETAIL_ECC_Marshalu(const TPMS_ALGORITHM_DETAIL_ECC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ECC_CURVE_Marshalu(&source->curveID, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->keySize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_KDF_SCHEME_Marshalu(&source->kdf, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_ECC_SCHEME_Marshalu(&source->sign, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->p, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->a, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->b, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->gX, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->gY, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->n, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->h, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 168 - Definition of {RSA} TPMS_SIGNATURE_RSA Structure */
+
+TPM_RC
+TSS_TPMS_SIGNATURE_RSA_Marshalu(const TPMS_SIGNATURE_RSA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hash, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_PUBLIC_KEY_RSA_Marshalu(&source->sig, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 169 - Definition of Types for {RSA} Signature */
+
+TPM_RC
+TSS_TPMS_SIGNATURE_RSASSA_Marshalu(const TPMS_SIGNATURE_RSASSA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_RSA_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+TPM_RC
+TSS_TPMS_SIGNATURE_RSAPSS_Marshalu(const TPMS_SIGNATURE_RSAPSS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_RSA_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 170 - Definition of {ECC} TPMS_SIGNATURE_ECC Structure */
+
+TPM_RC
+TSS_TPMS_SIGNATURE_ECC_Marshalu(const TPMS_SIGNATURE_ECC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->hash, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->signatureR, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->signatureS, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 171 - Definition of Types for {ECC} TPMS_SIGNATURE_ECC */
+
+TPM_RC
+TSS_TPMS_SIGNATURE_ECDSA_Marshalu(const TPMS_SIGNATURE_ECDSA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_ECC_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPMS_SIGNATURE_ECDAA_Marshalu(const TPMS_SIGNATURE_ECDAA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_ECC_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPMS_SIGNATURE_SM2_Marshalu(const TPMS_SIGNATURE_SM2 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_ECC_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPMS_SIGNATURE_ECSCHNORR_Marshalu(const TPMS_SIGNATURE_ECSCHNORR *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_ECC_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 172 - Definition of TPMU_SIGNATURE Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_SIGNATURE_Marshalu(const TPMU_SIGNATURE *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+#ifdef TPM_ALG_RSASSA
+ case TPM_ALG_RSASSA:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_RSASSA_Marshalu(&source->rsassa, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_RSAPSS
+ case TPM_ALG_RSAPSS:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_RSAPSS_Marshalu(&source->rsapss, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECDSA
+ case TPM_ALG_ECDSA:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_ECDSA_Marshalu(&source->ecdsa, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECDAA
+ case TPM_ALG_ECDAA:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_ECDSA_Marshalu(&source->ecdaa, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SM2
+ case TPM_ALG_SM2:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_ECDSA_Marshalu(&source->sm2, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ case TPM_ALG_ECSCHNORR:
+ if (rc == 0) {
+ rc = TSS_TPMS_SIGNATURE_ECDSA_Marshalu(&source->ecschnorr, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_HMAC
+ case TPM_ALG_HMAC:
+ if (rc == 0) {
+ rc = TSS_TPMT_HA_Marshalu(&source->hmac, written, buffer, size);
+ }
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 173 - Definition of TPMT_SIGNATURE Structure */
+
+TPM_RC
+TSS_TPMT_SIGNATURE_Marshalu(const TPMT_SIGNATURE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_SIG_SCHEME_Marshalu(&source->sigAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_SIGNATURE_Marshalu(&source->signature, written, buffer, size, source->sigAlg);
+ }
+ return rc;
+}
+
+/* Table 175 - Definition of TPM2B_ENCRYPTED_SECRET Structure */
+
+TPM_RC
+TSS_TPM2B_ENCRYPTED_SECRET_Marshalu(const TPM2B_ENCRYPTED_SECRET *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 176 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
+
+TPM_RC
+TSS_TPMI_ALG_PUBLIC_Marshalu(const TPMI_ALG_PUBLIC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 177 - Definition of TPMU_PUBLIC_ID Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_PUBLIC_ID_Marshalu(const TPMU_PUBLIC_ID *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+#ifdef TPM_ALG_KEYEDHASH
+ case TPM_ALG_KEYEDHASH:
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->keyedHash, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ case TPM_ALG_SYMCIPHER:
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->sym, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_RSA
+ case TPM_ALG_RSA:
+ if (rc == 0) {
+ rc = TSS_TPM2B_PUBLIC_KEY_RSA_Marshalu(&source->rsa, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECC
+ case TPM_ALG_ECC:
+ if (rc == 0) {
+ rc = TSS_TPMS_ECC_POINT_Marshalu(&source->ecc, written, buffer, size);
+ }
+ break;
+#endif
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 178 - Definition of TPMS_KEYEDHASH_PARMS Structure */
+
+TPM_RC
+TSS_TPMS_KEYEDHASH_PARMS_Marshalu(const TPMS_KEYEDHASH_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMT_KEYEDHASH_SCHEME_Marshalu(&source->scheme, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 180 - Definition of {RSA} TPMS_RSA_PARMS Structure */
+
+TPM_RC
+TSS_TPMS_RSA_PARMS_Marshalu(const TPMS_RSA_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMT_SYM_DEF_OBJECT_Marshalu(&source->symmetric, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_RSA_SCHEME_Marshalu(&source->scheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RSA_KEY_BITS_Marshalu(&source->keyBits, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->exponent, written, buffer, size);
+ }
+ return rc;
+}
+/* Table 181 - Definition of {ECC} TPMS_ECC_PARMS Structure */
+
+TPM_RC
+TSS_TPMS_ECC_PARMS_Marshalu(const TPMS_ECC_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMT_SYM_DEF_OBJECT_Marshalu(&source->symmetric, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_ECC_SCHEME_Marshalu(&source->scheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ECC_CURVE_Marshalu(&source->curveID, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_KDF_SCHEME_Marshalu(&source->kdf, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_PUBLIC_PARMS_Marshalu(const TPMU_PUBLIC_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+#ifdef TPM_ALG_KEYEDHASH
+ case TPM_ALG_KEYEDHASH:
+ if (rc == 0) {
+ rc = TSS_TPMS_KEYEDHASH_PARMS_Marshalu(&source->keyedHashDetail, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ case TPM_ALG_SYMCIPHER:
+ if (rc == 0) {
+ rc = TSS_TPMS_SYMCIPHER_PARMS_Marshalu(&source->symDetail, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_RSA
+ case TPM_ALG_RSA:
+ if (rc == 0) {
+ rc = TSS_TPMS_RSA_PARMS_Marshalu(&source->rsaDetail, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECC
+ case TPM_ALG_ECC:
+ if (rc == 0) {
+ rc = TSS_TPMS_ECC_PARMS_Marshalu(&source->eccDetail, written, buffer, size);
+ }
+ break;
+#endif
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 183 - Definition of TPMT_PUBLIC_PARMS Structure */
+
+TPM_RC
+TSS_TPMT_PUBLIC_PARMS_Marshalu(const TPMT_PUBLIC_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_PUBLIC_Marshalu(&source->type, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_PUBLIC_PARMS_Marshalu(&source->parameters, written, buffer, size, source->type);
+ }
+ return rc;
+}
+
+/* Table 184 - Definition of TPMT_PUBLIC Structure */
+
+TPM_RC
+TSS_TPMT_PUBLIC_Marshalu(const TPMT_PUBLIC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_PUBLIC_Marshalu(&source->type, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->nameAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMA_OBJECT_Marshalu(&source->objectAttributes, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->authPolicy, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_PUBLIC_PARMS_Marshalu(&source->parameters, written, buffer, size, source->type);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_PUBLIC_ID_Marshalu(&source->unique, written, buffer, size, source->type);
+ }
+ return rc;
+}
+
+/* Table 184 - Definition of TPMT_PUBLIC Structure - special marshaling for derived object template */
+
+TPM_RC
+TSS_TPMT_PUBLIC_D_Marshalu(const TPMT_PUBLIC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_PUBLIC_Marshalu(&source->type, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->nameAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMA_OBJECT_Marshalu(&source->objectAttributes, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->authPolicy, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_PUBLIC_PARMS_Marshalu(&source->parameters, written, buffer, size, source->type);
+ }
+ /* if derived from a derivation parent, marshal a TPMS_DERIVE structure */
+ if (rc == 0) {
+ rc = TSS_TPMS_DERIVE_Marshalu(&source->unique.derive, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 185 - Definition of TPM2B_PUBLIC Structure */
+
+TPM_RC
+TSS_TPM2B_PUBLIC_Marshalu(const TPM2B_PUBLIC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint16_t sizeWritten = 0; /* of structure */
+ BYTE *sizePtr;
+
+ if (buffer != NULL) {
+ sizePtr = *buffer;
+ *buffer += sizeof(uint16_t);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_PUBLIC_Marshalu(&source->publicArea, &sizeWritten, buffer, size);
+ }
+ if (rc == 0) {
+ *written += sizeWritten;
+ if (buffer != NULL) {
+ rc = TSS_UINT16_Marshalu(&sizeWritten, written, &sizePtr, size);
+ }
+ else {
+ *written += sizeof(uint16_t);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM2B_TEMPLATE_Marshalu(const TPM2B_TEMPLATE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 187 - Definition of TPMU_SENSITIVE_COMPOSITE Union <IN/OUT, S> */
+
+TPM_RC
+TSS_TPMU_SENSITIVE_COMPOSITE_Marshalu(const TPMU_SENSITIVE_COMPOSITE *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+#ifdef TPM_ALG_RSA
+ case TPM_ALG_RSA:
+ if (rc == 0) {
+ rc = TSS_TPM2B_PRIVATE_KEY_RSA_Marshalu(&source->rsa, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_ECC
+ case TPM_ALG_ECC:
+ if (rc == 0) {
+ rc = TSS_TPM2B_ECC_PARAMETER_Marshalu(&source->ecc, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_KEYEDHASH
+ case TPM_ALG_KEYEDHASH:
+ if (rc == 0) {
+ rc = TSS_TPM2B_SENSITIVE_DATA_Marshalu(&source->bits, written, buffer, size);
+ }
+ break;
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ case TPM_ALG_SYMCIPHER:
+ if (rc == 0) {
+ rc = TSS_TPM2B_SYM_KEY_Marshalu(&source->sym, written, buffer, size);
+ }
+ break;
+#endif
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+/* Table 188 - Definition of TPMT_SENSITIVE Structure */
+
+TPM_RC
+TSS_TPMT_SENSITIVE_Marshalu(const TPMT_SENSITIVE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_PUBLIC_Marshalu(&source->sensitiveType, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_AUTH_Marshalu(&source->authValue, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->seedValue, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_SENSITIVE_COMPOSITE_Marshalu(&source->sensitive, written, buffer, size, source->sensitiveType);
+ }
+ return rc;
+}
+
+/* Table 189 - Definition of TPM2B_SENSITIVE Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_SENSITIVE_Marshalu(const TPM2B_SENSITIVE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint16_t sizeWritten = 0; /* of structure */
+ BYTE *sizePtr;
+
+ if (buffer != NULL) {
+ sizePtr = *buffer;
+ *buffer += sizeof(uint16_t);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMT_SENSITIVE_Marshalu(&source->t.sensitiveArea, &sizeWritten, buffer, size);
+ }
+ if (rc == 0) {
+ *written += sizeWritten;
+ if (buffer != NULL) {
+ rc = TSS_UINT16_Marshalu(&sizeWritten, written, &sizePtr, size);
+ }
+ else {
+ *written += sizeof(uint16_t);
+ }
+ }
+ return rc;
+}
+
+/* Table 191 - Definition of TPM2B_PRIVATE Structure <IN/OUT, S> */
+
+TPM_RC
+TSS_TPM2B_PRIVATE_Marshalu(const TPM2B_PRIVATE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 193 - Definition of TPM2B_ID_OBJECT Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_ID_OBJECT_Marshalu(const TPM2B_ID_OBJECT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 196 - Definition of (UINT32) TPMA_NV Bits */
+
+TPM_RC
+TSS_TPMA_NV_Marshalu(const TPMA_NV *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->val, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 197 - Definition of TPMS_NV_PUBLIC Structure */
+
+TPM_RC
+TSS_TPMS_NV_PUBLIC_Marshalu(const TPMS_NV_PUBLIC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_NV_INDEX_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_ALG_HASH_Marshalu(&source->nameAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMA_NV_Marshalu(&source->attributes, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->authPolicy, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->dataSize, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 198 - Definition of TPM2B_NV_PUBLIC Structure */
+
+TPM_RC
+TSS_TPM2B_NV_PUBLIC_Marshalu(const TPM2B_NV_PUBLIC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint16_t sizeWritten = 0; /* of structure */
+ BYTE *sizePtr;
+
+ if (buffer != NULL) {
+ sizePtr = *buffer;
+ *buffer += sizeof(uint16_t);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMS_NV_PUBLIC_Marshalu(&source->nvPublic, &sizeWritten, buffer, size);
+ }
+ if (rc == 0) {
+ *written += sizeWritten;
+ if (buffer != NULL) {
+ rc = TSS_UINT16_Marshalu(&sizeWritten, written, &sizePtr, size);
+ }
+ else {
+ *written += sizeof(uint16_t);
+ }
+ }
+ return rc;
+}
+
+/* Table 199 - Definition of TPM2B_CONTEXT_SENSITIVE Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_CONTEXT_SENSITIVE_Marshalu(const TPM2B_CONTEXT_SENSITIVE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 201 - Definition of TPM2B_CONTEXT_DATA Structure <IN/OUT> */
+
+TPM_RC
+TSS_TPM2B_CONTEXT_DATA_Marshalu(const TPM2B_CONTEXT_DATA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM2B_Marshalu(&source->b, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 202 - Definition of TPMS_CONTEXT Structure */
+
+TPM_RC
+TSS_TPMS_CONTEXT_Marshalu(const TPMS_CONTEXT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT64_Marshalu(&source->sequence, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_DH_SAVED_Marshalu(&source->savedHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMI_RH_HIERARCHY_Marshalu(&source->hierarchy, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_CONTEXT_DATA_Marshalu(&source->contextBlob, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 204 - Definition of TPMS_CREATION_DATA Structure <OUT> */
+
+TPM_RC
+TSS_TPMS_CREATION_DATA_Marshalu(const TPMS_CREATION_DATA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPML_PCR_SELECTION_Marshalu(&source->pcrSelect, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DIGEST_Marshalu(&source->pcrDigest, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMA_LOCALITY_Marshalu(&source->locality, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_ALG_ID_Marshalu(&source->parentNameAlg, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->parentName, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_NAME_Marshalu(&source->parentQualifiedName, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM2B_DATA_Marshalu(&source->outsideInfo, written, buffer, size);
+ }
+ return rc;
+}
+
+/* Table 205 - Definition of TPM2B_CREATION_DATA Structure <OUT> */
+
+TPM_RC
+TSS_TPM2B_CREATION_DATA_Marshalu(const TPM2B_CREATION_DATA *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint16_t sizeWritten = 0; /* of structure */
+ BYTE *sizePtr;
+
+ if (buffer != NULL) {
+ sizePtr = *buffer;
+ *buffer += sizeof(uint16_t);
+ }
+ if (rc == 0) {
+ rc = TSS_TPMS_CREATION_DATA_Marshalu(&source->creationData, &sizeWritten, buffer, size);
+ }
+ if (rc == 0) {
+ *written += sizeWritten;
+ if (buffer != NULL) {
+ rc = TSS_UINT16_Marshalu(&sizeWritten, written, &sizePtr, size);
+ }
+ else {
+ *written += sizeof(uint16_t);
+ }
+ }
+ return rc;
+}
+
+#ifndef TPM_TSS_NODEPRECATED
+
+/* Deprecated functions that use a sized value for the size parameter. The recommended functions
+ use an unsigned value.
+
+*/
+
+TPM_RC
+TSS_UINT8_Marshal(const UINT8 *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_UINT8_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_INT8_Marshal(const INT8 *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_INT8_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_UINT16_Marshal(const UINT16 *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_UINT16_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_UINT32_Marshal(const UINT32 *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_UINT32_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_INT32_Marshal(const INT32 *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_INT32_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_UINT64_Marshal(const UINT64 *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_UINT64_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Array_Marshal(const BYTE *source, uint16_t sourceSize, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Array_Marshalu(source, sourceSize, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_Marshal(const TPM2B *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_KEY_BITS_Marshal(const TPM_KEY_BITS *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_KEY_BITS_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_GENERATED_Marshal(const TPM_GENERATED *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_GENERATED_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_ALG_ID_Marshal(const TPM_ALG_ID *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_ALG_ID_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_ECC_CURVE_Marshal(const TPM_ECC_CURVE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_ECC_CURVE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_RC_Marshal(const TPM_RC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_RC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_CLOCK_ADJUST_Marshal(const TPM_CLOCK_ADJUST *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_CLOCK_ADJUST_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_EO_Marshal(const TPM_EO *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_EO_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_ST_Marshal(const TPM_ST *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_ST_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_SU_Marshal(const TPM_ST *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_SU_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_SE_Marshal(const TPM_SE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_SE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_CAP_Marshal(const TPM_CAP *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_CAP_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_PT_Marshal(const TPM_PT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_PT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_PT_PCR_Marshal(const TPM_PT_PCR *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_PT_PCR_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_HANDLE_Marshal(const TPM_HANDLE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_HANDLE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMA_ALGORITHM_Marshal(const TPMA_ALGORITHM *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_ALGORITHM_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMA_OBJECT_Marshal(const TPMA_OBJECT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_OBJECT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMA_SESSION_Marshal(const TPMA_SESSION *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_SESSION_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMA_LOCALITY_Marshal(const TPMA_LOCALITY *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_LOCALITY_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM_CC_Marshal(const TPM_CC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM_CC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMA_CC_Marshal(const TPMA_CC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_CC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_YES_NO_Marshal(const TPMI_YES_NO *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_YES_NO_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_DH_OBJECT_Marshal(const TPMI_DH_OBJECT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_DH_OBJECT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_DH_PERSISTENT_Marshal(const TPMI_DH_PERSISTENT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_DH_PERSISTENT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_DH_ENTITY_Marshal(const TPMI_DH_ENTITY *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_DH_ENTITY_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_DH_PCR_Marshal(const TPMI_DH_PCR *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_DH_PCR_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_SH_AUTH_SESSION_Marshal(const TPMI_SH_AUTH_SESSION *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_SH_AUTH_SESSION_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_SH_HMAC_Marshal(const TPMI_SH_HMAC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_SH_HMAC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_SH_POLICY_Marshal(const TPMI_SH_POLICY*source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_SH_POLICY_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_DH_CONTEXT_Marshal(const TPMI_DH_CONTEXT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_DH_CONTEXT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_RH_HIERARCHY_Marshal(const TPMI_RH_HIERARCHY *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RH_HIERARCHY_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_RH_ENABLES_Marshal(const TPMI_RH_ENABLES *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RH_ENABLES_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_RH_HIERARCHY_AUTH_Marshal(const TPMI_RH_HIERARCHY_AUTH *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RH_HIERARCHY_AUTH_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_RH_PLATFORM_Marshal(const TPMI_RH_PLATFORM *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RH_PLATFORM_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_RH_ENDORSEMENT_Marshal(const TPMI_RH_ENDORSEMENT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RH_ENDORSEMENT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_RH_PROVISION_Marshal(const TPMI_RH_PROVISION *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RH_PROVISION_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_RH_CLEAR_Marshal(const TPMI_RH_CLEAR *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RH_CLEAR_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_RH_NV_AUTH_Marshal(const TPMI_RH_NV_AUTH *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RH_NV_AUTH_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_RH_LOCKOUT_Marshal(const TPMI_RH_LOCKOUT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RH_LOCKOUT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_RH_NV_INDEX_Marshal(const TPMI_RH_NV_INDEX *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RH_NV_INDEX_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_HASH_Marshal(const TPMI_ALG_HASH *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_HASH_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_SYM_Marshal(const TPMI_ALG_SYM *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_SYM_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_SYM_OBJECT_Marshal(const TPMI_ALG_SYM_OBJECT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_SYM_OBJECT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_SYM_MODE_Marshal(const TPMI_ALG_SYM_MODE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_SYM_MODE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_KDF_Marshal(const TPMI_ALG_KDF *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_KDF_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_SIG_SCHEME_Marshal(const TPMI_ALG_SIG_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_SIG_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ECC_KEY_EXCHANGE_Marshal(const TPMI_ECC_KEY_EXCHANGE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ECC_KEY_EXCHANGE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ST_COMMAND_TAG_Marshal(const TPMI_ST_COMMAND_TAG *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ST_COMMAND_TAG_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_MAC_SCHEME_Marshal(const TPMI_ALG_MAC_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_MAC_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_CIPHER_MODE_Marshal(const TPMI_ALG_CIPHER_MODE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_CIPHER_MODE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_HA_Marshal(const TPMU_HA *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_HA_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMT_HA_Marshal(const TPMT_HA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_HA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_DIGEST_Marshal(const TPM2B_DIGEST *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_DIGEST_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_DATA_Marshal(const TPM2B_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_DATA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_NONCE_Marshal(const TPM2B_NONCE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_NONCE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_AUTH_Marshal(const TPM2B_AUTH *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_AUTH_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_OPERAND_Marshal(const TPM2B_OPERAND *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_OPERAND_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_EVENT_Marshal(const TPM2B_EVENT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_EVENT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_MAX_BUFFER_Marshal(const TPM2B_MAX_BUFFER *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_MAX_BUFFER_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_MAX_NV_BUFFER_Marshal(const TPM2B_MAX_NV_BUFFER *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_MAX_NV_BUFFER_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_TIMEOUT_Marshal(const TPM2B_TIMEOUT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_TIMEOUT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_IV_Marshal(const TPM2B_IV *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_IV_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_NAME_Marshal(const TPM2B_NAME *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_NAME_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_PCR_SELECTION_Marshal(const TPMS_PCR_SELECTION *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_PCR_SELECTION_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMT_TK_CREATION_Marshal(const TPMT_TK_CREATION *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_TK_CREATION_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMT_TK_VERIFIED_Marshal(const TPMT_TK_VERIFIED *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_TK_VERIFIED_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMT_TK_AUTH_Marshal(const TPMT_TK_AUTH *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_TK_AUTH_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMT_TK_HASHCHECK_Marshal(const TPMT_TK_HASHCHECK *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_TK_HASHCHECK_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_ALG_PROPERTY_Marshal(const TPMS_ALG_PROPERTY *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ALG_PROPERTY_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_TAGGED_PROPERTY_Marshal(const TPMS_TAGGED_PROPERTY *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_TAGGED_PROPERTY_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_TAGGED_PCR_SELECT_Marshal(const TPMS_TAGGED_PCR_SELECT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_TAGGED_PCR_SELECT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPML_CC_Marshal(const TPML_CC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_CC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPML_CCA_Marshal(const TPML_CCA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_CCA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPML_ALG_Marshal(const TPML_ALG *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_ALG_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPML_HANDLE_Marshal(const TPML_HANDLE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_HANDLE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPML_DIGEST_Marshal(const TPML_DIGEST *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_DIGEST_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPML_DIGEST_VALUES_Marshal(const TPML_DIGEST_VALUES *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_DIGEST_VALUES_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPML_PCR_SELECTION_Marshal(const TPML_PCR_SELECTION *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_PCR_SELECTION_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPML_ALG_PROPERTY_Marshal(const TPML_ALG_PROPERTY *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_ALG_PROPERTY_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPML_TAGGED_TPM_PROPERTY_Marshal(const TPML_TAGGED_TPM_PROPERTY *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_TAGGED_TPM_PROPERTY_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPML_TAGGED_PCR_PROPERTY_Marshal(const TPML_TAGGED_PCR_PROPERTY *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_TAGGED_PCR_PROPERTY_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPML_ECC_CURVE_Marshal(const TPML_ECC_CURVE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPML_ECC_CURVE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_CAPABILITIES_Marshal(const TPMU_CAPABILITIES *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_CAPABILITIES_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMS_CAPABILITY_DATA_Marshal(const TPMS_CAPABILITY_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CAPABILITY_DATA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_CLOCK_INFO_Marshal(const TPMS_CLOCK_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CLOCK_INFO_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_TIME_INFO_Marshal(const TPMS_TIME_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_TIME_INFO_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_TIME_ATTEST_INFO_Marshal(const TPMS_TIME_ATTEST_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_TIME_ATTEST_INFO_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_CERTIFY_INFO_Marshal(const TPMS_CERTIFY_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CERTIFY_INFO_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_QUOTE_INFO_Marshal(const TPMS_QUOTE_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_QUOTE_INFO_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_COMMAND_AUDIT_INFO_Marshal(const TPMS_COMMAND_AUDIT_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_COMMAND_AUDIT_INFO_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SESSION_AUDIT_INFO_Marshal(const TPMS_SESSION_AUDIT_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SESSION_AUDIT_INFO_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_CREATION_INFO_Marshal(const TPMS_CREATION_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CREATION_INFO_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_NV_CERTIFY_INFO_Marshal(const TPMS_NV_CERTIFY_INFO *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_NV_CERTIFY_INFO_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ST_ATTEST_Marshal(const TPMI_ST_ATTEST *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ST_ATTEST_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_ATTEST_Marshal(const TPMU_ATTEST *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_ATTEST_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMS_ATTEST_Marshal(const TPMS_ATTEST *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ATTEST_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_ATTEST_Marshal(const TPM2B_ATTEST *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_ATTEST_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_AUTH_COMMAND_Marshal(const TPMS_AUTH_COMMAND *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_AUTH_COMMAND_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_AES_KEY_BITS_Marshal(const TPMI_AES_KEY_BITS *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_AES_KEY_BITS_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_SYM_KEY_BITS_Marshal(const TPMU_SYM_KEY_BITS *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SYM_KEY_BITS_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMU_SYM_MODE_Marshal(const TPMU_SYM_MODE *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SYM_MODE_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMT_SYM_DEF_Marshal(const TPMT_SYM_DEF *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_SYM_DEF_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMT_SYM_DEF_OBJECT_Marshal(const TPMT_SYM_DEF_OBJECT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_SYM_DEF_OBJECT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_SYM_KEY_Marshal(const TPM2B_SYM_KEY *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_SYM_KEY_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_LABEL_Marshal(const TPM2B_LABEL *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_LABEL_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_DERIVE_Marshal(const TPMS_DERIVE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_DERIVE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SYMCIPHER_PARMS_Marshal(const TPMS_SYMCIPHER_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SYMCIPHER_PARMS_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_SENSITIVE_DATA_Marshal(const TPM2B_SENSITIVE_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_SENSITIVE_DATA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SENSITIVE_CREATE_Marshal(const TPMS_SENSITIVE_CREATE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SENSITIVE_CREATE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_SENSITIVE_CREATE_Marshal(const TPM2B_SENSITIVE_CREATE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_SENSITIVE_CREATE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SCHEME_HASH_Marshal(const TPMS_SCHEME_HASH *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_HASH_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SCHEME_ECDAA_Marshal(const TPMS_SCHEME_ECDAA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_ECDAA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_KEYEDHASH_SCHEME_Marshal(const TPMI_ALG_KEYEDHASH_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_KEYEDHASH_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SCHEME_HMAC_Marshal(const TPMS_SCHEME_HMAC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_HMAC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SCHEME_XOR_Marshal(const TPMS_SCHEME_XOR *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_XOR_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_SCHEME_KEYEDHASH_Marshal(const TPMU_SCHEME_KEYEDHASH *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SCHEME_KEYEDHASH_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMT_KEYEDHASH_SCHEME_Marshal(const TPMT_KEYEDHASH_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_KEYEDHASH_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIG_SCHEME_RSASSA_Marshal(const TPMS_SIG_SCHEME_RSASSA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_RSASSA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIG_SCHEME_RSAPSS_Marshal(const TPMS_SIG_SCHEME_RSAPSS *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_RSAPSS_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIG_SCHEME_ECDSA_Marshal(const TPMS_SIG_SCHEME_ECDSA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_ECDSA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIG_SCHEME_SM2_Marshal(const TPMS_SIG_SCHEME_SM2 *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_SM2_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIG_SCHEME_ECSCHNORR_Marshal(const TPMS_SIG_SCHEME_ECSCHNORR *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_ECSCHNORR_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIG_SCHEME_ECDAA_Marshal(const TPMS_SIG_SCHEME_ECDAA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIG_SCHEME_ECDAA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_SIG_SCHEME_Marshal(const TPMU_SIG_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SIG_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMT_SIG_SCHEME_Marshal(const TPMT_SIG_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_SIG_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+
+/* NOTE: Marked as const function in header */
+
+TPM_RC
+TSS_TPMS_ENC_SCHEME_OAEP_Marshal(const TPMS_ENC_SCHEME_OAEP *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ENC_SCHEME_OAEP_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+
+/* NOTE: Marked as const function in header */
+
+TPM_RC
+TSS_TPMS_ENC_SCHEME_RSAES_Marshal(const TPMS_ENC_SCHEME_RSAES *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ENC_SCHEME_RSAES_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_KEY_SCHEME_ECDH_Marshal(const TPMS_KEY_SCHEME_ECDH *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_KEY_SCHEME_ECDH_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_KEY_SCHEME_ECMQV_Marshal(const TPMS_KEY_SCHEME_ECMQV *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_KEY_SCHEME_ECMQV_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SCHEME_MGF1_Marshal(const TPMS_SCHEME_MGF1 *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_MGF1_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SCHEME_KDF1_SP800_56A_Marshal(const TPMS_SCHEME_KDF1_SP800_56A *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_KDF1_SP800_56A_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SCHEME_KDF2_Marshal(const TPMS_SCHEME_KDF2 *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_KDF2_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SCHEME_KDF1_SP800_108_Marshal(const TPMS_SCHEME_KDF1_SP800_108 *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SCHEME_KDF1_SP800_108_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_KDF_SCHEME_Marshal(const TPMU_KDF_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_KDF_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMT_KDF_SCHEME_Marshal(const TPMT_KDF_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_KDF_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_ASYM_SCHEME_Marshal(const TPMU_ASYM_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_ASYM_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMI_ALG_RSA_SCHEME_Marshal(const TPMI_ALG_RSA_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_RSA_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMT_RSA_SCHEME_Marshal(const TPMT_RSA_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_RSA_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_RSA_DECRYPT_Marshal(const TPMI_ALG_RSA_DECRYPT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_RSA_DECRYPT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMT_RSA_DECRYPT_Marshal(const TPMT_RSA_DECRYPT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_RSA_DECRYPT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_PUBLIC_KEY_RSA_Marshal(const TPM2B_PUBLIC_KEY_RSA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_PUBLIC_KEY_RSA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_RSA_KEY_BITS_Marshal(const TPMI_RSA_KEY_BITS *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_RSA_KEY_BITS_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_PRIVATE_KEY_RSA_Marshal(const TPM2B_PRIVATE_KEY_RSA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_PRIVATE_KEY_RSA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_ECC_PARAMETER_Marshal(const TPM2B_ECC_PARAMETER *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_ECC_PARAMETER_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_ECC_POINT_Marshal(const TPMS_ECC_POINT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ECC_POINT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_ECC_POINT_Marshal(const TPM2B_ECC_POINT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_ECC_POINT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_ECC_SCHEME_Marshal(const TPMI_ALG_ECC_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_ECC_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ECC_CURVE_Marshal(const TPMI_ECC_CURVE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ECC_CURVE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMT_ECC_SCHEME_Marshal(const TPMT_ECC_SCHEME *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_ECC_SCHEME_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_ALGORITHM_DETAIL_ECC_Marshal(const TPMS_ALGORITHM_DETAIL_ECC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ALGORITHM_DETAIL_ECC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIGNATURE_RSA_Marshal(const TPMS_SIGNATURE_RSA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_RSA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIGNATURE_RSASSA_Marshal(const TPMS_SIGNATURE_RSASSA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_RSASSA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIGNATURE_RSAPSS_Marshal(const TPMS_SIGNATURE_RSAPSS *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_RSAPSS_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIGNATURE_ECC_Marshal(const TPMS_SIGNATURE_ECC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_ECC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIGNATURE_ECDSA_Marshal(const TPMS_SIGNATURE_ECDSA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_ECDSA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIGNATURE_ECDAA_Marshal(const TPMS_SIGNATURE_ECDAA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_ECDAA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIGNATURE_SM2_Marshal(const TPMS_SIGNATURE_SM2 *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_SM2_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_SIGNATURE_ECSCHNORR_Marshal(const TPMS_SIGNATURE_ECSCHNORR *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_SIGNATURE_ECSCHNORR_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_SIGNATURE_Marshal(const TPMU_SIGNATURE *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SIGNATURE_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMT_SIGNATURE_Marshal(const TPMT_SIGNATURE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_SIGNATURE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_ENCRYPTED_SECRET_Marshal(const TPM2B_ENCRYPTED_SECRET *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_ENCRYPTED_SECRET_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMI_ALG_PUBLIC_Marshal(const TPMI_ALG_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMI_ALG_PUBLIC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_PUBLIC_ID_Marshal(const TPMU_PUBLIC_ID *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_PUBLIC_ID_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMS_KEYEDHASH_PARMS_Marshal(const TPMS_KEYEDHASH_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_KEYEDHASH_PARMS_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_RSA_PARMS_Marshal(const TPMS_RSA_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_RSA_PARMS_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_ECC_PARMS_Marshal(const TPMS_ECC_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_ECC_PARMS_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_PUBLIC_PARMS_Marshal(const TPMU_PUBLIC_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_PUBLIC_PARMS_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMT_PUBLIC_PARMS_Marshal(const TPMT_PUBLIC_PARMS *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_PUBLIC_PARMS_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMT_PUBLIC_Marshal(const TPMT_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_PUBLIC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMT_PUBLIC_D_Marshal(const TPMT_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_PUBLIC_D_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_PUBLIC_Marshal(const TPM2B_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_PUBLIC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_TEMPLATE_Marshal(const TPM2B_TEMPLATE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_TEMPLATE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMU_SENSITIVE_COMPOSITE_Marshal(const TPMU_SENSITIVE_COMPOSITE *source, UINT16 *written, BYTE **buffer, INT32 *size, UINT32 selector)
+{
+ return TSS_TPMU_SENSITIVE_COMPOSITE_Marshalu(source, written, buffer, (uint32_t *)size, selector);
+}
+TPM_RC
+TSS_TPMT_SENSITIVE_Marshal(const TPMT_SENSITIVE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMT_SENSITIVE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_SENSITIVE_Marshal(const TPM2B_SENSITIVE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_SENSITIVE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_PRIVATE_Marshal(const TPM2B_PRIVATE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_PRIVATE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_ID_OBJECT_Marshal(const TPM2B_ID_OBJECT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_ID_OBJECT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMA_NV_Marshal(const TPMA_NV *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMA_NV_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_NV_PUBLIC_Marshal(const TPMS_NV_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_NV_PUBLIC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_NV_PUBLIC_Marshal(const TPM2B_NV_PUBLIC *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_NV_PUBLIC_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_CONTEXT_SENSITIVE_Marshal(const TPM2B_CONTEXT_SENSITIVE *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_CONTEXT_SENSITIVE_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_CONTEXT_DATA_Marshal(const TPM2B_CONTEXT_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_CONTEXT_DATA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_CONTEXT_Marshal(const TPMS_CONTEXT *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CONTEXT_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPMS_CREATION_DATA_Marshal(const TPMS_CREATION_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPMS_CREATION_DATA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TPM2B_CREATION_DATA_Marshal(const TPM2B_CREATION_DATA *source, UINT16 *written, BYTE **buffer, INT32 *size)
+{
+ return TSS_TPM2B_CREATION_DATA_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+
+
+
+TPM_RC
+TSS_Startup_In_Marshal(const Startup_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Startup_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Shutdown_In_Marshal(const Shutdown_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Shutdown_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_SelfTest_In_Marshal(const SelfTest_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_SelfTest_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_IncrementalSelfTest_In_Marshal(const IncrementalSelfTest_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_IncrementalSelfTest_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_StartAuthSession_In_Marshal(const StartAuthSession_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_StartAuthSession_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyRestart_In_Marshal(const PolicyRestart_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyRestart_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Create_In_Marshal(const Create_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Create_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Load_In_Marshal(const Load_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Load_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_LoadExternal_In_Marshal(const LoadExternal_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_LoadExternal_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ReadPublic_In_Marshal(const ReadPublic_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ReadPublic_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ActivateCredential_In_Marshal(const ActivateCredential_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ActivateCredential_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_MakeCredential_In_Marshal(const MakeCredential_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_MakeCredential_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Unseal_In_Marshal(const Unseal_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Unseal_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ObjectChangeAuth_In_Marshal(const ObjectChangeAuth_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ObjectChangeAuth_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_CreateLoaded_In_Marshal(const CreateLoaded_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_CreateLoaded_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Duplicate_In_Marshal(const Duplicate_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Duplicate_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Rewrap_In_Marshal(const Rewrap_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Rewrap_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Import_In_Marshal(const Import_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Import_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_RSA_Encrypt_In_Marshal(const RSA_Encrypt_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_RSA_Encrypt_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_RSA_Decrypt_In_Marshal(const RSA_Decrypt_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_RSA_Decrypt_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ECDH_KeyGen_In_Marshal(const ECDH_KeyGen_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ECDH_KeyGen_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ECDH_ZGen_In_Marshal(const ECDH_ZGen_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ECDH_ZGen_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ECC_Parameters_In_Marshal(const ECC_Parameters_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ECC_Parameters_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ZGen_2Phase_In_Marshal(const ZGen_2Phase_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ZGen_2Phase_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_EncryptDecrypt_In_Marshal(const EncryptDecrypt_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_EncryptDecrypt_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_EncryptDecrypt2_In_Marshal(const EncryptDecrypt2_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_EncryptDecrypt2_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Hash_In_Marshal(const Hash_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Hash_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_HMAC_In_Marshal(const HMAC_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_HMAC_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_GetRandom_In_Marshal(const GetRandom_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_GetRandom_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_StirRandom_In_Marshal(const StirRandom_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_StirRandom_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_HMAC_Start_In_Marshal(const HMAC_Start_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_HMAC_Start_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_HashSequenceStart_In_Marshal(const HashSequenceStart_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_HashSequenceStart_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_SequenceUpdate_In_Marshal(const SequenceUpdate_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_SequenceUpdate_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_SequenceComplete_In_Marshal(const SequenceComplete_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_SequenceComplete_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_EventSequenceComplete_In_Marshal(const EventSequenceComplete_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_EventSequenceComplete_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Certify_In_Marshal(const Certify_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Certify_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_CertifyCreation_In_Marshal(const CertifyCreation_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_CertifyCreation_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Quote_In_Marshal(const Quote_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Quote_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_GetSessionAuditDigest_In_Marshal(const GetSessionAuditDigest_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_GetSessionAuditDigest_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_GetCommandAuditDigest_In_Marshal(const GetCommandAuditDigest_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_GetCommandAuditDigest_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_GetTime_In_Marshal(const GetTime_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_GetTime_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Commit_In_Marshal(const Commit_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Commit_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_EC_Ephemeral_In_Marshal(const EC_Ephemeral_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_EC_Ephemeral_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_VerifySignature_In_Marshal(const VerifySignature_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_VerifySignature_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Sign_In_Marshal(const Sign_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Sign_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_SetCommandCodeAuditStatus_In_Marshal(const SetCommandCodeAuditStatus_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_SetCommandCodeAuditStatus_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PCR_Extend_In_Marshal(const PCR_Extend_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PCR_Extend_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PCR_Event_In_Marshal(const PCR_Event_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PCR_Event_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PCR_Read_In_Marshal(const PCR_Read_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PCR_Read_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PCR_Allocate_In_Marshal(const PCR_Allocate_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PCR_Allocate_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PCR_SetAuthPolicy_In_Marshal(const PCR_SetAuthPolicy_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PCR_SetAuthPolicy_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PCR_SetAuthValue_In_Marshal(const PCR_SetAuthValue_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PCR_SetAuthValue_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PCR_Reset_In_Marshal(const PCR_Reset_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PCR_Reset_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicySigned_In_Marshal(const PolicySigned_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicySigned_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicySecret_In_Marshal(const PolicySecret_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicySecret_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyTicket_In_Marshal(const PolicyTicket_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyTicket_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyOR_In_Marshal(const PolicyOR_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyOR_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyPCR_In_Marshal(const PolicyPCR_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyPCR_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyLocality_In_Marshal(const PolicyLocality_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyLocality_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyNV_In_Marshal(const PolicyNV_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyNV_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyCounterTimer_In_Marshal(const PolicyCounterTimer_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyCounterTimer_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyCommandCode_In_Marshal(const PolicyCommandCode_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyCommandCode_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyPhysicalPresence_In_Marshal(const PolicyPhysicalPresence_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyPhysicalPresence_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyCpHash_In_Marshal(const PolicyCpHash_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyCpHash_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyNameHash_In_Marshal(const PolicyNameHash_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyNameHash_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyDuplicationSelect_In_Marshal(const PolicyDuplicationSelect_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyDuplicationSelect_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyAuthorize_In_Marshal(const PolicyAuthorize_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyAuthorize_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyAuthValue_In_Marshal(const PolicyAuthValue_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyAuthValue_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyPassword_In_Marshal(const PolicyPassword_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyPassword_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyGetDigest_In_Marshal(const PolicyGetDigest_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyGetDigest_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyNvWritten_In_Marshal(const PolicyNvWritten_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyNvWritten_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyTemplate_In_Marshal(const PolicyTemplate_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyTemplate_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyAuthorizeNV_In_Marshal(const PolicyAuthorizeNV_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyAuthorizeNV_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_CreatePrimary_In_Marshal(const CreatePrimary_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_CreatePrimary_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_HierarchyControl_In_Marshal(const HierarchyControl_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_HierarchyControl_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_SetPrimaryPolicy_In_Marshal(const SetPrimaryPolicy_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_SetPrimaryPolicy_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ChangePPS_In_Marshal(const ChangePPS_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ChangePPS_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ChangeEPS_In_Marshal(const ChangeEPS_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ChangeEPS_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Clear_In_Marshal(const Clear_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_Clear_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ClearControl_In_Marshal(const ClearControl_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ClearControl_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_HierarchyChangeAuth_In_Marshal(const HierarchyChangeAuth_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_HierarchyChangeAuth_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_DictionaryAttackLockReset_In_Marshal(const DictionaryAttackLockReset_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_DictionaryAttackLockReset_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_DictionaryAttackParameters_In_Marshal(const DictionaryAttackParameters_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_DictionaryAttackParameters_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PP_Commands_In_Marshal(const PP_Commands_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_PP_Commands_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_SetAlgorithmSet_In_Marshal(const SetAlgorithmSet_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_SetAlgorithmSet_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ContextSave_In_Marshal(const ContextSave_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ContextSave_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ContextLoad_In_Marshal(const ContextLoad_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ContextLoad_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_FlushContext_In_Marshal(const FlushContext_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_FlushContext_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_EvictControl_In_Marshal(const EvictControl_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_EvictControl_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ClockSet_In_Marshal(const ClockSet_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ClockSet_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ClockRateAdjust_In_Marshal(const ClockRateAdjust_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_ClockRateAdjust_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_GetCapability_In_Marshal(const GetCapability_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_GetCapability_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_TestParms_In_Marshal(const TestParms_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_TestParms_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_DefineSpace_In_Marshal(const NV_DefineSpace_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_DefineSpace_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_UndefineSpace_In_Marshal(const NV_UndefineSpace_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_UndefineSpace_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_UndefineSpaceSpecial_In_Marshal(const NV_UndefineSpaceSpecial_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_UndefineSpaceSpecial_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_ReadPublic_In_Marshal(const NV_ReadPublic_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_ReadPublic_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_Write_In_Marshal(const NV_Write_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_Write_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_Increment_In_Marshal(const NV_Increment_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_Increment_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_Extend_In_Marshal(const NV_Extend_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_Extend_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_SetBits_In_Marshal(const NV_SetBits_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_SetBits_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_WriteLock_In_Marshal(const NV_WriteLock_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_WriteLock_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_GlobalWriteLock_In_Marshal(const NV_GlobalWriteLock_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_GlobalWriteLock_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_Read_In_Marshal(const NV_Read_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_Read_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_ReadLock_In_Marshal(const NV_ReadLock_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_ReadLock_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_ChangeAuth_In_Marshal(const NV_ChangeAuth_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_ChangeAuth_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_Certify_In_Marshal(const NV_Certify_In *source, uint16_t *written, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_Certify_In_Marshalu(source, written, buffer, (uint32_t *)size);
+}
+
+
+
+TPM_RC
+TSS_IncrementalSelfTest_Out_Unmarshal(IncrementalSelfTest_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_IncrementalSelfTest_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_GetTestResult_Out_Unmarshal(GetTestResult_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_GetTestResult_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_StartAuthSession_Out_Unmarshal(StartAuthSession_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_StartAuthSession_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Create_Out_Unmarshal(Create_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_Create_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Load_Out_Unmarshal(Load_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_Load_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_LoadExternal_Out_Unmarshal(LoadExternal_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_LoadExternal_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ReadPublic_Out_Unmarshal(ReadPublic_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_ReadPublic_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ActivateCredential_Out_Unmarshal(ActivateCredential_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_ActivateCredential_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_MakeCredential_Out_Unmarshal(MakeCredential_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_MakeCredential_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Unseal_Out_Unmarshal(Unseal_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_Unseal_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ObjectChangeAuth_Out_Unmarshal(ObjectChangeAuth_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_ObjectChangeAuth_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_CreateLoaded_Out_Unmarshal(CreateLoaded_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_CreateLoaded_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Duplicate_Out_Unmarshal(Duplicate_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_Duplicate_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Rewrap_Out_Unmarshal(Rewrap_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_Rewrap_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Import_Out_Unmarshal(Import_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_Import_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_RSA_Encrypt_Out_Unmarshal(RSA_Encrypt_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_RSA_Encrypt_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_RSA_Decrypt_Out_Unmarshal(RSA_Decrypt_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_RSA_Decrypt_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ECDH_KeyGen_Out_Unmarshal(ECDH_KeyGen_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_ECDH_KeyGen_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ECDH_ZGen_Out_Unmarshal(ECDH_ZGen_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_ECDH_ZGen_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ECC_Parameters_Out_Unmarshal(ECC_Parameters_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_ECC_Parameters_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ZGen_2Phase_Out_Unmarshal(ZGen_2Phase_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_ZGen_2Phase_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_EncryptDecrypt_Out_Unmarshal(EncryptDecrypt_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_EncryptDecrypt_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_EncryptDecrypt2_Out_Unmarshal(EncryptDecrypt2_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_EncryptDecrypt2_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Hash_Out_Unmarshal(Hash_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_Hash_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_HMAC_Out_Unmarshal(HMAC_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_HMAC_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_GetRandom_Out_Unmarshal(GetRandom_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_GetRandom_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_HMAC_Start_Out_Unmarshal(HMAC_Start_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_HMAC_Start_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_HashSequenceStart_Out_Unmarshal(HashSequenceStart_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_HashSequenceStart_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_SequenceComplete_Out_Unmarshal(SequenceComplete_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_SequenceComplete_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_EventSequenceComplete_Out_Unmarshal(EventSequenceComplete_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_EventSequenceComplete_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Certify_Out_Unmarshal(Certify_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_Certify_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_CertifyCreation_Out_Unmarshal(CertifyCreation_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_CertifyCreation_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Quote_Out_Unmarshal(Quote_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_Quote_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_GetSessionAuditDigest_Out_Unmarshal(GetSessionAuditDigest_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_GetSessionAuditDigest_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_GetCommandAuditDigest_Out_Unmarshal(GetCommandAuditDigest_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_GetCommandAuditDigest_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_GetTime_Out_Unmarshal(GetTime_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_GetTime_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Commit_Out_Unmarshal(Commit_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_Commit_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_EC_Ephemeral_Out_Unmarshal(EC_Ephemeral_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_EC_Ephemeral_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_VerifySignature_Out_Unmarshal(VerifySignature_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_VerifySignature_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_Sign_Out_Unmarshal(Sign_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_Sign_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PCR_Event_Out_Unmarshal(PCR_Event_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_PCR_Event_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PCR_Read_Out_Unmarshal(PCR_Read_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_PCR_Read_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PCR_Allocate_Out_Unmarshal(PCR_Allocate_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_PCR_Allocate_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicySigned_Out_Unmarshal(PolicySigned_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicySigned_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicySecret_Out_Unmarshal(PolicySecret_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicySecret_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_PolicyGetDigest_Out_Unmarshal(PolicyGetDigest_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_PolicyGetDigest_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_CreatePrimary_Out_Unmarshal(CreatePrimary_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_CreatePrimary_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ContextSave_Out_Unmarshal(ContextSave_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_ContextSave_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ContextLoad_Out_Unmarshal(ContextLoad_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_ContextLoad_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_ReadClock_Out_Unmarshal(ReadClock_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_ReadClock_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_GetCapability_Out_Unmarshal(GetCapability_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_GetCapability_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_ReadPublic_Out_Unmarshal(NV_ReadPublic_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_ReadPublic_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_Read_Out_Unmarshal(NV_Read_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_Read_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+TPM_RC
+TSS_NV_Certify_Out_Unmarshal(NV_Certify_Out *target, TPM_ST tag, BYTE **buffer, int32_t *size)
+{
+ return TSS_NV_Certify_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
+
+#endif /* TPM_TSS_NODEPRECATED */
+#endif /* TPM 2.0 */
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssmarshal12.c b/libstb/tss2/ibmtpm20tss/utils/tssmarshal12.c
new file mode 100644
index 0000000..43d6b55
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssmarshal12.c
@@ -0,0 +1,1136 @@
+/********************************************************************************/
+/* */
+/* TSS Marshal and Unmarshal */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssmarshal12.c 1285 2018-07-27 18:33:41Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifdef TPM_TPM12
+
+#include <string.h>
+
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/Unmarshal12_fp.h>
+#include <ibmtss/tssmarshal12.h>
+
+/* The marshaling functions are slightly different from the TPM side. The TPM assumes that all
+ structures are trusted, and so has no error checking. The TSS side makes no such assumption.
+
+ The prototype pattern is:
+
+ Return:
+
+ An extra return code, TSS_RC_INSUFFICIENT_BUFFER, indicates that the supplied buffer size is too
+ small. The TPM functions assert.
+
+ 'source' is the structure to be marshaled, the same as the TPM functions.
+ 'written' is the __additional__ number of bytes written, the value that the TPM returns.
+ 'buffer' is the buffer written, the same as the TPM functions.
+ ' size' is the remaining size of the buffer, the same as the TPM functions.
+
+ If 'buffer' is NULL, 'written' is updated but no marshaling is performed. This is used in a two
+ pass pattern, where the first pass returns the size of the buffer to be malloc'ed.
+
+ If 'size' is NULL, the source is unmarshaled without a size check. The caller must ensure that
+ the buffer is sufficient, often due to a malloc after the first pass. */
+
+/*Unmarshal
+ Command parameter marshaling
+*/
+
+TPM_RC
+TSS_ActivateIdentity_In_Marshalu(const ActivateIdentity_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->idKeyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->blobSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->blob, source->blobSize, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_CreateEndorsementKeyPair_In_Marshalu(const CreateEndorsementKeyPair_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->antiReplay, TPM_NONCE_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY_PARMS_Marshalu(&source->keyInfo, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_CreateWrapKey_In_Marshalu(const CreateWrapKey_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->parentHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->dataUsageAuth, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->dataMigrationAuth, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY12_Marshalu(&source->keyInfo, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_Extend_In_Marshalu(const Extend_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->pcrNum, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->inDigest, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_FlushSpecific_In_Marshalu(const FlushSpecific_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->handle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->resourceType, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_GetCapability12_In_Marshalu(const GetCapability12_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->capArea, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->subCapSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->subCap, source->subCapSize, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_LoadKey2_In_Marshalu(const LoadKey2_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->parentHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY12_Marshalu(&source->inKey, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_MakeIdentity_In_Marshalu(const MakeIdentity_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->identityAuth, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->labelPrivCADigest, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY12_Marshalu(&source->idKeyParams, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_NV_DefineSpace12_In_Marshalu(const NV_DefineSpace12_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_NV_DATA_PUBLIC_Marshalu(&source->pubInfo, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->encAuth, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_NV_ReadValueAuth_In_Marshalu(const NV_ReadValueAuth_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->nvIndex , written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->offset, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->dataSize, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_NV_ReadValue_In_Marshalu(const NV_ReadValue_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->nvIndex , written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->offset, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->dataSize, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_NV_WriteValue_In_Marshalu(const NV_WriteValue_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->nvIndex , written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->offset, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->dataSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->data, source->dataSize, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_NV_WriteValueAuth_In_Marshalu(const NV_WriteValueAuth_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->nvIndex , written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->offset, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->dataSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->data, source->dataSize, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_OwnerReadInternalPub_In_Marshalu(const OwnerReadInternalPub_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_OwnerSetDisable_In_Marshalu(const OwnerSetDisable_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->disableState, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_OSAP_In_Marshalu(const OSAP_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->entityType, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->entityValue, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->nonceOddOSAP, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_PcrRead12_In_Marshalu(const PcrRead12_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->pcrIndex, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_PCR_Reset12_In_Marshalu(const PCR_Reset12_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_SELECTION_Marshalu(&source->pcrSelection, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_Quote2_In_Marshalu(const Quote2_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->externalData, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_SELECTION_Marshalu(&source->targetPCR, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->addVersion, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_ReadPubek_In_Marshalu(const ReadPubek_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->antiReplay, TPM_NONCE_SIZE, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_Sign12_In_Marshalu(const Sign12_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->keyHandle, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->areaToSignSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->areaToSign, source->areaToSignSize, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_Startup12_In_Marshalu(const Startup12_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_STARTUP_TYPE_Marshalu(&source->startupType, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TakeOwnership_In_Marshalu(const TakeOwnership_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->protocolID, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->encOwnerAuthSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->encOwnerAuth, source->encOwnerAuthSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->encSrkAuthSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->encSrkAuth, source->encSrkAuthSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY12_Marshalu(&source->srkParams, written, buffer, size);
+ }
+ return rc;
+}
+
+/*
+ Response parameter unmarshaling
+*/
+
+TPM_RC
+TSS_ActivateIdentity_Out_Unmarshalu(ActivateIdentity_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_TPM_SYMMETRIC_KEY_Unmarshalu(&target->symmetricKey, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_CreateEndorsementKeyPair_Out_Unmarshalu(CreateEndorsementKeyPair_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_TPM_PUBKEY_Unmarshalu(&target->pubEndorsementKey, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->checksum, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_CreateWrapKey_Out_Unmarshalu(CreateWrapKey_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_TPM_KEY12_Unmarshalu(&target->wrappedKey, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_Extend_Out_Unmarshalu(Extend_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->outDigest, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_GetCapability12_Out_Unmarshalu(GetCapability12_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->respSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->respSize > sizeof(target->resp)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->resp, target->respSize, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_LoadKey2_Out_Unmarshalu(LoadKey2_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->inkeyHandle, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_MakeIdentity_Out_Unmarshalu(MakeIdentity_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_TPM_KEY12_Unmarshalu(&target->idKey, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->identityBindingSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->identityBindingSize > sizeof(target->identityBinding)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->identityBinding, target->identityBindingSize, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_NV_ReadValueAuth_Out_Unmarshalu(NV_ReadValueAuth_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->dataSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->dataSize > sizeof(target->data)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->data, target->dataSize, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_NV_ReadValue_Out_Unmarshalu(NV_ReadValue_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->dataSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->dataSize > sizeof(target->data)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->data, target->dataSize, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_OIAP_Out_Unmarshalu(OIAP_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->authHandle, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->nonceEven, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_OSAP_Out_Unmarshalu(OSAP_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->authHandle, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->nonceEven, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->nonceEvenOSAP, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_OwnerReadInternalPub_Out_Unmarshalu(OwnerReadInternalPub_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_TPM_PUBKEY_Unmarshalu(&target->publicPortion, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_PcrRead12_Out_Unmarshalu(PcrRead12_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->outDigest, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_Quote2_Out_Unmarshalu(Quote2_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_INFO_SHORT_Unmarshalu(&target->pcrData, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->versionInfoSize, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_CAP_VERSION_INFO_Unmarshalu(&target->versionInfo, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->sigSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->sigSize > sizeof(target->sig)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->sig, target->sigSize, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_Sign12_Out_Unmarshalu(Sign12_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_UINT32_Unmarshalu(&target->sigSize, buffer, size);
+ }
+ if (rc == 0) {
+ if (target->sigSize > sizeof(target->sig)) {
+ rc = TPM_RC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->sig, target->sigSize, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_ReadPubek_Out_Unmarshalu(ReadPubek_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_TPM_PUBKEY_Unmarshalu(&target->pubEndorsementKey, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Unmarshalu(target->checksum, SHA1_DIGEST_SIZE, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TakeOwnership_Out_Unmarshalu(TakeOwnership_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ tag = tag;
+ if (rc == 0) {
+ rc = TSS_TPM_KEY12_Unmarshalu(&target->srkPub, buffer, size);
+ }
+ return rc;
+}
+
+/*
+ Structure marshaling
+*/
+
+TPM_RC
+TSS_TPM_STARTUP_TYPE_Marshalu(const TPM_STARTUP_TYPE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(source, written, buffer, size);
+ }
+ return rc;
+}
+
+/* 5.0 */
+
+
+TPM_RC
+TSS_TPM_VERSION_Marshalu(const TPM_VERSION *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->major, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->minor, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->revMajor, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->revMinor, written, buffer, size);
+ }
+ return rc;
+}
+
+/* 8.0 */
+
+TPM_RC
+TSS_TPM_PCR_SELECTION_Marshalu(const TPM_PCR_SELECTION *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->sizeOfSelect, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->pcrSelect, source->sizeOfSelect, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_PCR_INFO_LONG_Marshalu(const TPM_PCR_INFO_LONG *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ uint16_t tag = TPM_TAG_PCR_INFO_LONG;
+ rc = TSS_UINT16_Marshalu(&tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->localityAtCreation, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->localityAtRelease, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_SELECTION_Marshalu(&source->creationPCRSelection, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_SELECTION_Marshalu(&source->releasePCRSelection, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->digestAtCreation, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->digestAtRelease, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_PCR_INFO_SHORT_Marshalu(const TPM_PCR_INFO_SHORT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_SELECTION_Marshalu(&source->pcrSelection, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->localityAtRelease, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->digestAtRelease, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM4B_TPM_PCR_INFO_LONG_Marshalu(const TPM_PCR_INFO_LONG *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ uint16_t sizeWritten = 0; /* of structure */
+ BYTE *sizePtr;
+
+ if (buffer != NULL) {
+ sizePtr = *buffer;
+ *buffer += sizeof(uint32_t); /* skip size */
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_INFO_LONG_Marshalu(source, &sizeWritten, buffer, size);
+ }
+ if (rc == 0) {
+ uint32_t sizeWritten32;
+ *written += sizeWritten;
+ sizeWritten32 = sizeWritten; /* back fill size */
+ if (buffer != NULL) {
+ rc = TSS_UINT32_Marshalu(&sizeWritten32, written, &sizePtr, size);
+ }
+ else {
+ *written += sizeof(uint32_t);
+ }
+ }
+ return rc;
+}
+
+/* 9.0 */
+
+TPM_RC
+TSS_TPM_SYMMETRIC_KEY_Marshalu(const TPM_SYMMETRIC_KEY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->algId, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->encScheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->size, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->data, source->size, written, buffer, size);
+ }
+ return rc;
+}
+
+/* 10.0 */
+
+TPM_RC
+TSS_TPM_RSA_KEY_PARMS_Marshalu(const TPM_RSA_KEY_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->keyLength, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->numPrimes, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->exponentSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->exponent, source->exponentSize, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPMU_PARMS_Marshalu(const TPMU_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ switch (selector) {
+ case TPM_ALG_RSA: /* A structure of type TPM_RSA_KEY_PARMS */
+ rc = TSS_TPM_RSA_KEY_PARMS_Marshalu(&source->rsaParms, written, buffer, size);
+ break;
+ case TPM_ALG_AES128: /* A structure of type TPM_SYMMETRIC_KEY_PARMS */
+ /* not implemented yet */
+ default:
+ rc = TPM_RC_SELECTOR;
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM4B_TPMU_PARMS_Marshalu(const TPMU_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size, uint32_t selector)
+{
+ TPM_RC rc = 0;
+ uint16_t sizeWritten = 0; /* of structure */
+ BYTE *sizePtr;
+
+ if (buffer != NULL) {
+ sizePtr = *buffer;
+ *buffer += sizeof(uint32_t); /* skip size */
+ }
+ if (rc == 0) {
+ rc = TSS_TPMU_PARMS_Marshalu(source, &sizeWritten, buffer, size, selector);
+ }
+ if (rc == 0) {
+ uint32_t sizeWritten32;
+ *written += sizeWritten;
+ sizeWritten32 = sizeWritten; /* back fill size */
+ if (buffer != NULL) {
+ rc = TSS_UINT32_Marshalu(&sizeWritten32, written, &sizePtr, size);
+ }
+ else {
+ *written += sizeof(uint32_t);
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_KEY_PARMS_Marshalu(const TPM_KEY_PARMS *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->algorithmID, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->encScheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->sigScheme, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM4B_TPMU_PARMS_Marshalu(&source->parms, written, buffer, size, source->algorithmID);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_STORE_PUBKEY_Marshalu(const TPM_STORE_PUBKEY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->keyLength, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->key, source->keyLength, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_KEY12_PUBKEY_Marshalu(const TPM_KEY12 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_KEY_PARMS_Marshalu(&source->algorithmParms, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_STORE_PUBKEY_Marshalu(&source->pubKey, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_PUBKEY_Marshalu(const TPM_PUBKEY *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_TPM_KEY_PARMS_Marshalu(&source->algorithmParms, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_STORE_PUBKEY_Marshalu(&source->pubKey, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_KEY12_Marshalu(const TPM_KEY12 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ uint16_t tag = TPM_TAG_KEY12;
+ rc = TSS_UINT16_Marshalu(&tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ uint16_t fill = 0;
+ rc = TSS_UINT16_Marshalu(&fill, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->keyUsage, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->keyFlags, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->authDataUsage, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_KEY_PARMS_Marshalu(&source->algorithmParms, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM4B_TPM_PCR_INFO_LONG_Marshalu(&source->PCRInfo, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_STORE_PUBKEY_Marshalu(&source->pubKey, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_STORE_PUBKEY_Marshalu(&source->encData, written, buffer, size);
+ }
+ return rc;
+}
+
+/* 11.0 */
+
+TPM_RC
+TSS_TPM_QUOTE_INFO2_Marshalu(const TPM_QUOTE_INFO2 *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ uint16_t tag = TPM_TAG_QUOTE_INFO2;
+ rc = TSS_UINT16_Marshalu(&tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->fixed, 4, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->externalData, TPM_NONCE_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_INFO_SHORT_Marshalu(&source->infoShort, written, buffer, size);
+ }
+ return rc;
+}
+
+/* 12.0 */
+
+TPM_RC
+TSS_TPM_EK_BLOB_Marshalu(const TPM_EK_BLOB *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ uint16_t tag = TPM_TAG_EK_BLOB;
+ rc = TSS_UINT16_Marshalu(&tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->ekType, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->blobSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->blob, source->blobSize, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_EK_BLOB_ACTIVATE_Marshalu(const TPM_EK_BLOB_ACTIVATE *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ uint16_t tag = TPM_TAG_EK_BLOB_ACTIVATE;
+ rc = TSS_UINT16_Marshalu(&tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_SYMMETRIC_KEY_Marshalu(&source->sessionKey, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->idDigest, SHA1_DIGEST_SIZE, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_INFO_SHORT_Marshalu(&source->pcrInfo, written, buffer, size);
+ }
+ return rc;
+}
+
+/* 19.0 */
+
+TPM_RC
+TSS_TPM_NV_ATTRIBUTES_Marshalu(const TPM_NV_ATTRIBUTES *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ uint16_t tag = TPM_TAG_NV_ATTRIBUTES;
+ rc = TSS_UINT16_Marshalu(&tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->attributes, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_TPM_NV_DATA_PUBLIC_Marshalu(const TPM_NV_DATA_PUBLIC *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ uint16_t tag = TPM_TAG_NV_DATA_PUBLIC;
+ rc = TSS_UINT16_Marshalu(&tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->nvIndex, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_INFO_SHORT_Marshalu(&source->pcrInfoRead, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_PCR_INFO_SHORT_Marshalu(&source->pcrInfoWrite, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_NV_ATTRIBUTES_Marshalu(&source->permission, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->bReadSTClear, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->bWriteSTClear, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->bWriteDefine, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT32_Marshalu(&source->dataSize, written, buffer, size);
+ }
+ return rc;
+}
+
+/* 21.0 */
+
+TPM_RC
+TSS_TPM_CAP_VERSION_INFO_Marshalu(const TPM_CAP_VERSION_INFO *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->tag, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_TPM_VERSION_Marshalu(&source->version, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->specLevel, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT8_Marshalu(&source->errataRev, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->tpmVendorID, 4, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_UINT16_Marshalu(&source->vendorSpecificSize, written, buffer, size);
+ }
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu(source->vendorSpecific, source->vendorSpecificSize, written, buffer, size);
+ }
+ return rc;
+} ;
+
+#endif /* TPM_TPM12 */
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssntc.c b/libstb/tss2/ibmtpm20tss/utils/tssntc.c
new file mode 100644
index 0000000..2b76602
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssntc.c
@@ -0,0 +1,128 @@
+/********************************************************************************/
+/* */
+/* TPM2 Nuvoton Proprietary Commands */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssntc.c 1285 2018-07-27 18:33:41Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015, 2017 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tssprint.h>
+#include "tssntc.h"
+
+/* Marshal and Unmarshal Functions */
+
+TPM_RC
+TSS_NTC2_CFG_STRUCT_Unmarshalu(NTC2_CFG_STRUCT *target, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+
+ /* assumes that the NTC2_CFG_STRUCT structure are all uint8_t so that there are no endian
+ issues */
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_Array_Unmarshalu((BYTE *)target, sizeof(NTC2_CFG_STRUCT), buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_NTC2_CFG_STRUCT_Marshal(NTC2_CFG_STRUCT *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_Array_Marshalu((BYTE *)source, sizeof(NTC2_CFG_STRUCT), written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_NTC2_PreConfig_In_Unmarshalu(NTC2_PreConfig_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[])
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ handles = handles;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_NTC2_CFG_STRUCT_Unmarshalu(&target->preConfig, buffer, size);
+ if (rc != TPM_RC_SUCCESS) {
+ rc += RC_NTC2_PreConfig_preConfig;
+ }
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_NTC2_PreConfig_In_Marshalu(NTC2_PreConfig_In *source, uint16_t *written, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = 0;
+ if (rc == 0) {
+ rc = TSS_NTC2_CFG_STRUCT_Marshal(&source->preConfig, written, buffer, size);
+ }
+ return rc;
+}
+
+TPM_RC
+TSS_NTC2_GetConfig_Out_Unmarshalu(NTC2_GetConfig_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size)
+{
+ TPM_RC rc = TPM_RC_SUCCESS;
+ tag = tag;
+
+ if (rc == TPM_RC_SUCCESS) {
+ rc = TSS_NTC2_CFG_STRUCT_Unmarshalu(&target->preConfig, buffer, size);
+ }
+ return rc;
+}
+
+/* These functions are deprecated. They were adapted from the TPM side, but the signed size
+ caused static analysis tool warnings. */
+
+TPM_RC
+NTC2_CFG_STRUCT_Unmarshal(NTC2_CFG_STRUCT *target, BYTE **buffer, INT32 *size)
+{
+ return TSS_NTC2_CFG_STRUCT_Unmarshalu(target, buffer, (uint32_t *)size);
+}
+TPM_RC
+NTC2_PreConfig_In_Unmarshal(NTC2_PreConfig_In *target, BYTE **buffer, INT32 *size, TPM_HANDLE handles[])
+{
+ return TSS_NTC2_PreConfig_In_Unmarshalu(target, buffer, (uint32_t *)size, handles);
+}
+TPM_RC
+TSS_NTC2_GetConfig_Out_Unmarshal(NTC2_GetConfig_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size)
+{
+ return TSS_NTC2_GetConfig_Out_Unmarshalu(target, tag, buffer, (uint32_t *)size);
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssntc.h b/libstb/tss2/ibmtpm20tss/utils/tssntc.h
new file mode 100644
index 0000000..e9cf1e4
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssntc.h
@@ -0,0 +1,81 @@
+/********************************************************************************/
+/* */
+/* Nuvoton Command Common Routines */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssntc.h 1285 2018-07-27 18:33:41Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2018 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TSSNTC2_H
+#define TSSNTC2_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/TPM_Types.h>
+#include "Commands_fp.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ TPM_RC
+ TSS_NTC2_CFG_STRUCT_Unmarshalu(NTC2_CFG_STRUCT *target, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NTC2_CFG_STRUCT_Marshal(NTC2_CFG_STRUCT *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NTC2_PreConfig_In_Unmarshalu(NTC2_PreConfig_In *target, BYTE **buffer, uint32_t *size, TPM_HANDLE handles[]);
+ TPM_RC
+ TSS_NTC2_PreConfig_In_Marshalu(NTC2_PreConfig_In *source, uint16_t *written, BYTE **buffer, uint32_t *size);
+ TPM_RC
+ TSS_NTC2_GetConfig_Out_Unmarshalu(NTC2_GetConfig_Out *target, TPM_ST tag, BYTE **buffer, uint32_t *size);
+
+ /* These functions are deprecated. They were adapted from the TPM side, but the signed size
+ caused static analysis tool warnings. */
+
+ TPM_RC
+ NTC2_CFG_STRUCT_Unmarshal(NTC2_CFG_STRUCT *target, BYTE **buffer, INT32 *size);
+ TPM_RC
+ NTC2_PreConfig_In_Unmarshal(NTC2_PreConfig_In *target, BYTE **buffer, INT32 *size, TPM_HANDLE handles[]);
+ TPM_RC
+ TSS_NTC2_GetConfig_Out_Unmarshal(NTC2_GetConfig_Out *target, TPM_ST tag, BYTE **buffer, INT32 *size);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
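Review bot: The marshal prototypes `TSS_NTC2_CFG_STRUCT_Marshal(NTC2_CFG_STRUCT *source, ...)` and `TSS_NTC2_PreConfig_In_Marshalu(NTC2_PreConfig_In *source, ...)` take a non-const `source`, which breaks with the `const X *source` convention the other `_Marshalu` routines in this patch follow and forces callers holding a `const` structure to cast; I'd change them to `const NTC2_CFG_STRUCT *source` and `const NTC2_PreConfig_In *source` here and in the matching tssntc.c definitions. The name `TSS_NTC2_CFG_STRUCT_Marshal` also lacks the `u` suffix its unsigned-size siblings carry, so it reads as though it belonged to the deprecated signed-size group declared below it. Those three deprecated declarations say why they exist but not what to migrate to; a one-line comment such as `/* Deprecated: callers should use the TSS_*_Unmarshalu variants, which take uint32_t *size. */` would make that explicit. Finally, the header includes <stdio.h>, <stdlib.h> and <string.h> although no prototype here needs them; dropping those keeps the include cost down for consumers of the header.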
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssprint.c b/libstb/tss2/ibmtpm20tss/utils/tssprint.c
new file mode 100644
index 0000000..d9f45cd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssprint.c
@@ -0,0 +1,2350 @@
+/********************************************************************************/
+/* */
+/* Structure Print and Scan Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <inttypes.h>
+
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssutils.h>
+
+#include <ibmtss/tssprint.h>
+
+extern int tssVerbose;
+
+#ifdef TPM_TSS_NO_PRINT
+
+/* false to compile out printf */
+int tssSwallowRc = 0;
+/* function prototype to match the printf prototype */
+int TSS_SwallowPrintf(const char *format, ...)
+{
+ format = format;
+ return 0;
+}
+
+#endif
+
+#ifndef TPM_TSS_NOFILE
+/* TSS_Array_Scan() converts a string to a binary array */
+
+uint32_t TSS_Array_Scan(unsigned char **data, /* output binary, freed by caller */
+ size_t *len,
+ const char *string) /* input string */
+{
+ uint32_t rc = 0;
+ size_t strLength;
+
+ if (rc == 0) {
+ strLength = strlen(string);
+ if ((strLength %2) != 0) {
+ if (tssVerbose) printf("TSS_Array_Scan: Error, string length %lu is not even\n",
+ (unsigned long)strLength);
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ if (rc == 0) {
+ *len = strLength / 2; /* safe because already tested for even number of bytes */
+ rc = TSS_Malloc(data, (*len) + 8);
+ }
+ if (rc == 0) {
+ unsigned int i;
+ for (i = 0 ; i < *len ; i++) {
+ unsigned int tmpint;
+ int irc = sscanf(string + (2*i), "%2x", &tmpint);
+ *((*data)+i) = tmpint;
+ if (irc != 1) {
+ if (tssVerbose) printf("TSS_Array_Scan: invalid hexascii\n");
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ }
+ return rc;
+}
+#endif /* TPM_TSS_NOFILE */
+
+/* TSS_PrintAll() prints 'string', the length, and then the entire byte array
+ */
+
+void TSS_PrintAll(const char *string, const unsigned char* buff, uint32_t length)
+{
+ TSS_PrintAlli(string, 1, buff, length);
+}
+
+/* TSS_PrintAlli() prints 'string', the length, and then the entire byte array
+
+ Each line indented 'indent' spaces.
+*/
+
+void TSS_PrintAlli(const char *string, unsigned int indent, const unsigned char* buff, uint32_t length)
+{
+ TSS_PrintAllLogLevel(LOGLEVEL_DEBUG, string, indent, buff, length);
+}
+
+/* TSS_PrintAllLogLevel() prints based on loglevel the 'string', the length, and then the entire
+ byte array
+
+ loglevel LOGLEVEL_DEBUG prints the length and prints the array with a newline every 16 bytes.
+ otherwise prints no length and prints the array with no newlines.
+
+*/
+
+void TSS_PrintAllLogLevel(uint32_t loglevel, const char *string, unsigned int indent,
+ const unsigned char* buff, uint32_t length)
+{
+ uint32_t i;
+ if (buff != NULL) {
+ if (loglevel == LOGLEVEL_DEBUG) {
+ printf("%*s" "%s length %u\n" "%*s", indent, "", string, length, indent, "");
+ }
+ else {
+ printf("%*s" "%s" "%*s", indent, "", string, indent, "");
+ }
+ for (i = 0 ; i < length ; i++) {
+ if ((loglevel == LOGLEVEL_DEBUG) && i && !( i % 16 )) {
+ printf("\n" "%*s", indent, "");
+ }
+ printf("%.2x ",buff[i]);
+ }
+ printf("\n");
+ }
+ else {
+ printf("%*s" "%s null\n", indent, "", string);
+ }
+ return;
+}
+
+#ifndef TPM_TSS_NO_PRINT
+#ifdef TPM_TPM20
+
+void TSS_TPM2B_Print(const char *string, unsigned int indent, TPM2B *source)
+{
+ TSS_PrintAlli(string, indent, source->buffer, source->size);
+ return;
+}
+
+/* Table 9 - Definition of (UINT16) TPM_ALG_ID Constants <IN/OUT, S> */
+
+void TSS_TPM_ALG_ID_Print(const char *string, TPM_ALG_ID source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case ALG_RSA_VALUE:
+ printf("%s TPM_ALG_RSA\n", string);
+ break;
+ case ALG_TDES_VALUE:
+ printf("%s TPM_ALG_TDES\n", string);
+ break;
+ case ALG_SHA1_VALUE:
+ printf("%s TPM_ALG_SHA1\n", string);
+ break;
+ case ALG_HMAC_VALUE:
+ printf("%s TPM_ALG_HMAC\n", string);
+ break;
+ case ALG_AES_VALUE:
+ printf("%s TPM_ALG_AES\n", string);
+ break;
+ case ALG_MGF1_VALUE:
+ printf("%s TPM_ALG_MGF1\n", string);
+ break;
+ case ALG_KEYEDHASH_VALUE:
+ printf("%s TPM_ALG_KEYEDHASH\n", string);
+ break;
+ case ALG_XOR_VALUE:
+ printf("%s TPM_ALG_XOR\n", string);
+ break;
+ case ALG_SHA256_VALUE:
+ printf("%s TPM_ALG_SHA256\n", string);
+ break;
+ case ALG_SHA384_VALUE:
+ printf("%s TPM_ALG_SHA384\n", string);
+ break;
+ case ALG_SHA512_VALUE:
+ printf("%s TPM_ALG_SHA512\n", string);
+ break;
+ case ALG_NULL_VALUE:
+ printf("%s TPM_ALG_NULL\n", string);
+ break;
+ case ALG_SM3_256_VALUE:
+ printf("%s TPM_ALG_SM3_256\n", string);
+ break;
+ case ALG_SM4_VALUE:
+ printf("%s TPM_ALG_SM4\n", string);
+ break;
+ case ALG_RSASSA_VALUE:
+ printf("%s TPM_ALG_RSASSA\n", string);
+ break;
+ case ALG_RSAES_VALUE:
+ printf("%s TPM_ALG_RSAES\n", string);
+ break;
+ case ALG_RSAPSS_VALUE:
+ printf("%s TPM_ALG_RSAPSS\n", string);
+ break;
+ case ALG_OAEP_VALUE:
+ printf("%s TPM_ALG_OAEP\n", string);
+ break;
+ case ALG_ECDSA_VALUE:
+ printf("%s TPM_ALG_ECDSA\n", string);
+ break;
+ case ALG_ECDH_VALUE:
+ printf("%s TPM_ALG_ECDH\n", string);
+ break;
+ case ALG_ECDAA_VALUE:
+ printf("%s TPM_ALG_ECDAA\n", string);
+ break;
+ case ALG_SM2_VALUE:
+ printf("%s TPM_ALG_SM2\n", string);
+ break;
+ case ALG_ECSCHNORR_VALUE:
+ printf("%s TPM_ALG_ECSCHNORR\n", string);
+ break;
+ case ALG_ECMQV_VALUE:
+ printf("%s TPM_ALG_ECMQV\n", string);
+ break;
+ case ALG_KDF1_SP800_56A_VALUE:
+ printf("%s TPM_ALG_KDF1_SP800_56A\n", string);
+ break;
+ case ALG_KDF2_VALUE:
+ printf("%s TPM_ALG_KDF2\n", string);
+ break;
+ case ALG_KDF1_SP800_108_VALUE:
+ printf("%s TPM_ALG_KDF1_SP800_108\n", string);
+ break;
+ case ALG_ECC_VALUE:
+ printf("%s TPM_ALG_ECC\n", string);
+ break;
+ case ALG_SYMCIPHER_VALUE:
+ printf("%s TPM_ALG_SYMCIPHER\n", string);
+ break;
+ case ALG_CAMELLIA_VALUE:
+ printf("%s TPM_ALG_CAMELLIA\n", string);
+ break;
+ case ALG_SHA3_256_VALUE:
+ printf("%s TPM_ALG_SHA3_256\n", string);
+ break;
+ case ALG_SHA3_384_VALUE:
+ printf("%s TPM_ALG_SHA3_384\n", string);
+ break;
+ case ALG_SHA3_512_VALUE:
+ printf("%s TPM_ALG_SHA3_512\n", string);
+ break;
+ case ALG_CMAC_VALUE:
+ printf("%s TPM_ALG_CMAC\n", string);
+ break;
+ case ALG_CTR_VALUE:
+ printf("%s TPM_ALG_CTR\n", string);
+ break;
+ case ALG_OFB_VALUE:
+ printf("%s TPM_ALG_OFB\n", string);
+ break;
+ case ALG_CBC_VALUE:
+ printf("%s TPM_ALG_CBC\n", string);
+ break;
+ case ALG_CFB_VALUE:
+ printf("%s TPM_ALG_CFB\n", string);
+ break;
+ case ALG_ECB_VALUE:
+ printf("%s TPM_ALG_ECB\n", string);
+ break;
+ default:
+ printf("%s TPM_ALG_ID value %04hx unknown\n", string, source);
+ }
+ return;
+}
+
+/* Table 10 - Definition of (UINT16) {ECC} TPM_ECC_CURVE Constants <IN/OUT, S> */
+
+void TSS_TPM_ECC_CURVE_Print(const char *string, TPM_ECC_CURVE source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case TPM_ECC_NONE:
+ printf("%s TPM_ECC_NONE\n", string);
+ break;
+ case TPM_ECC_NIST_P192:
+ printf("%s TPM_ECC_NIST_P192\n", string);
+ break;
+ case TPM_ECC_NIST_P224:
+ printf("%s TPM_ECC_NIST_P224\n", string);
+ break;
+ case TPM_ECC_NIST_P256:
+ printf("%s TPM_ECC_NIST_P256\n", string);
+ break;
+ case TPM_ECC_NIST_P384:
+ printf("%s TPM_ECC_NIST_P384\n", string);
+ break;
+ case TPM_ECC_NIST_P521:
+ printf("%s TPM_ECC_NIST_P521\n", string);
+ break;
+ case TPM_ECC_BN_P256:
+ printf("%s TPM_ECC_BN_P256\n", string);
+ break;
+ case TPM_ECC_BN_P638:
+ printf("%s TPM_ECC_BN_P638\n", string);
+ break;
+ case TPM_ECC_SM2_P256:
+ printf("%s TPM_ECC_SM2_P256\n", string);
+ break;
+ default:
+ printf("%s TPM_ECC_CURVE value %04hx unknown\n", string, source);
+ }
+ return;
+}
+
+/* Table 100 - Definition of TPMS_TAGGED_POLICY Structure <OUT> */
+
+void TSS_TPMS_TAGGED_POLICY_Print(TPMS_TAGGED_POLICY *source, unsigned int indent)
+{
+ TSS_TPM_HANDLE_Print("handle", source->handle, indent);
+ TSS_TPMT_HA_Print(&source->policyHash, indent);
+ return;
+}
+
+/* Table 12 - Definition of (UINT32) TPM_CC Constants (Numeric Order) <IN/OUT, S> */
+
+void TSS_TPM_CC_Print(const char *string, TPM_CC source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case TPM_CC_NV_UndefineSpaceSpecial:
+ printf("%s TPM_CC_NV_UndefineSpaceSpecial\n", string);
+ break;
+ case TPM_CC_EvictControl:
+ printf("%s TPM_CC_EvictControl\n", string);
+ break;
+ case TPM_CC_HierarchyControl:
+ printf("%s TPM_CC_HierarchyControl\n", string);
+ break;
+ case TPM_CC_NV_UndefineSpace:
+ printf("%s TPM_CC_NV_UndefineSpace\n", string);
+ break;
+ case TPM_CC_ChangeEPS:
+ printf("%s TPM_CC_ChangeEPS\n", string);
+ break;
+ case TPM_CC_ChangePPS:
+ printf("%s TPM_CC_ChangePPS\n", string);
+ break;
+ case TPM_CC_Clear:
+ printf("%s TPM_CC_Clear\n", string);
+ break;
+ case TPM_CC_ClearControl:
+ printf("%s TPM_CC_ClearControl\n", string);
+ break;
+ case TPM_CC_ClockSet:
+ printf("%s TPM_CC_ClockSet\n", string);
+ break;
+ case TPM_CC_HierarchyChangeAuth:
+ printf("%s TPM_CC_HierarchyChangeAuth\n", string);
+ break;
+ case TPM_CC_NV_DefineSpace:
+ printf("%s TPM_CC_NV_DefineSpace\n", string);
+ break;
+ case TPM_CC_PCR_Allocate:
+ printf("%s TPM_CC_PCR_Allocate\n", string);
+ break;
+ case TPM_CC_PCR_SetAuthPolicy:
+ printf("%s TPM_CC_PCR_SetAuthPolicy\n", string);
+ break;
+ case TPM_CC_PP_Commands:
+ printf("%s TPM_CC_PP_Commands\n", string);
+ break;
+ case TPM_CC_SetPrimaryPolicy:
+ printf("%s TPM_CC_SetPrimaryPolicy\n", string);
+ break;
+#if 0
+ case TPM_CC_FieldUpgradeStart:
+ printf("%s TPM_CC_FieldUpgradeStart\n", string);
+ break;
+#endif
+ case TPM_CC_ClockRateAdjust:
+ printf("%s TPM_CC_ClockRateAdjust\n", string);
+ break;
+ case TPM_CC_CreatePrimary:
+ printf("%s TPM_CC_CreatePrimary\n", string);
+ break;
+ case TPM_CC_NV_GlobalWriteLock:
+ printf("%s TPM_CC_NV_GlobalWriteLock\n", string);
+ break;
+ case TPM_CC_GetCommandAuditDigest:
+ printf("%s TPM_CC_GetCommandAuditDigest\n", string);
+ break;
+ case TPM_CC_NV_Increment:
+ printf("%s TPM_CC_NV_Increment\n", string);
+ break;
+ case TPM_CC_NV_SetBits:
+ printf("%s TPM_CC_NV_SetBits\n", string);
+ break;
+ case TPM_CC_NV_Extend:
+ printf("%s TPM_CC_NV_Extend\n", string);
+ break;
+ case TPM_CC_NV_Write:
+ printf("%s TPM_CC_NV_Write\n", string);
+ break;
+ case TPM_CC_NV_WriteLock:
+ printf("%s TPM_CC_NV_WriteLock\n", string);
+ break;
+ case TPM_CC_DictionaryAttackLockReset:
+ printf("%s TPM_CC_DictionaryAttackLockReset\n", string);
+ break;
+ case TPM_CC_DictionaryAttackParameters:
+ printf("%s TPM_CC_DictionaryAttackParameters\n", string);
+ break;
+ case TPM_CC_NV_ChangeAuth:
+ printf("%s TPM_CC_NV_ChangeAuth\n", string);
+ break;
+ case TPM_CC_PCR_Event:
+ printf("%s TPM_CC_PCR_Event\n", string);
+ break;
+ case TPM_CC_PCR_Reset:
+ printf("%s TPM_CC_PCR_Reset\n", string);
+ break;
+ case TPM_CC_SequenceComplete:
+ printf("%s TPM_CC_SequenceComplete\n", string);
+ break;
+ case TPM_CC_SetAlgorithmSet:
+ printf("%s TPM_CC_SetAlgorithmSet\n", string);
+ break;
+ case TPM_CC_SetCommandCodeAuditStatus:
+ printf("%s TPM_CC_SetCommandCodeAuditStatus\n", string);
+ break;
+#if 0
+ case TPM_CC_FieldUpgradeData:
+ printf("%s TPM_CC_FieldUpgradeData\n", string);
+ break;
+#endif
+ case TPM_CC_IncrementalSelfTest:
+ printf("%s TPM_CC_IncrementalSelfTest\n", string);
+ break;
+ case TPM_CC_SelfTest:
+ printf("%s TPM_CC_SelfTest\n", string);
+ break;
+ case TPM_CC_Startup:
+ printf("%s TPM_CC_Startup\n", string);
+ break;
+ case TPM_CC_Shutdown:
+ printf("%s TPM_CC_Shutdown\n", string);
+ break;
+ case TPM_CC_StirRandom:
+ printf("%s TPM_CC_StirRandom\n", string);
+ break;
+ case TPM_CC_ActivateCredential:
+ printf("%s TPM_CC_ActivateCredential\n", string);
+ break;
+ case TPM_CC_Certify:
+ printf("%s TPM_CC_Certify\n", string);
+ break;
+ case TPM_CC_PolicyNV:
+ printf("%s TPM_CC_PolicyNV\n", string);
+ break;
+ case TPM_CC_CertifyCreation:
+ printf("%s TPM_CC_CertifyCreation\n", string);
+ break;
+ case TPM_CC_Duplicate:
+ printf("%s TPM_CC_Duplicate\n", string);
+ break;
+ case TPM_CC_GetTime:
+ printf("%s TPM_CC_GetTime\n", string);
+ break;
+ case TPM_CC_GetSessionAuditDigest:
+ printf("%s TPM_CC_GetSessionAuditDigest\n", string);
+ break;
+ case TPM_CC_NV_Read:
+ printf("%s TPM_CC_NV_Read\n", string);
+ break;
+ case TPM_CC_NV_ReadLock:
+ printf("%s TPM_CC_NV_ReadLock\n", string);
+ break;
+ case TPM_CC_ObjectChangeAuth:
+ printf("%s TPM_CC_ObjectChangeAuth\n", string);
+ break;
+ case TPM_CC_PolicySecret:
+ printf("%s TPM_CC_PolicySecret\n", string);
+ break;
+ case TPM_CC_Rewrap:
+ printf("%s TPM_CC_Rewrap\n", string);
+ break;
+ case TPM_CC_Create:
+ printf("%s TPM_CC_Create\n", string);
+ break;
+ case TPM_CC_ECDH_ZGen:
+ printf("%s TPM_CC_ECDH_ZGen\n", string);
+ break;
+ case TPM_CC_HMAC:
+ printf("%s TPM_CC_HMAC\n", string);
+ break;
+#if 0
+ case TPM_CC_MAC:
+ printf("%s TPM_CC_MAC\n", string);
+ break;
+#endif
+ case TPM_CC_Import:
+ printf("%s TPM_CC_Import\n", string);
+ break;
+ case TPM_CC_Load:
+ printf("%s TPM_CC_Load\n", string);
+ break;
+ case TPM_CC_Quote:
+ printf("%s TPM_CC_Quote\n", string);
+ break;
+ case TPM_CC_RSA_Decrypt:
+ printf("%s TPM_CC_RSA_Decrypt\n", string);
+ break;
+ case TPM_CC_HMAC_Start:
+ printf("%s TPM_CC_HMAC_Start\n", string);
+ break;
+#if 0
+ case TPM_CC_MAC_Start:
+ printf("%s TPM_CC_MAC_Start\n", string);
+ break;
+#endif
+ case TPM_CC_SequenceUpdate:
+ printf("%s TPM_CC_SequenceUpdate\n", string);
+ break;
+ case TPM_CC_Sign:
+ printf("%s TPM_CC_Sign\n", string);
+ break;
+ case TPM_CC_Unseal:
+ printf("%s TPM_CC_Unseal\n", string);
+ break;
+ case TPM_CC_PolicySigned:
+ printf("%s TPM_CC_PolicySigned\n", string);
+ break;
+ case TPM_CC_ContextLoad:
+ printf("%s TPM_CC_ContextLoad\n", string);
+ break;
+ case TPM_CC_ContextSave:
+ printf("%s TPM_CC_ContextSave\n", string);
+ break;
+ case TPM_CC_ECDH_KeyGen:
+ printf("%s TPM_CC_ECDH_KeyGen\n", string);
+ break;
+ case TPM_CC_EncryptDecrypt:
+ printf("%s TPM_CC_EncryptDecrypt\n", string);
+ break;
+ case TPM_CC_FlushContext:
+ printf("%s TPM_CC_FlushContext\n", string);
+ break;
+ case TPM_CC_LoadExternal:
+ printf("%s TPM_CC_LoadExternal\n", string);
+ break;
+ case TPM_CC_MakeCredential:
+ printf("%s TPM_CC_MakeCredential\n", string);
+ break;
+ case TPM_CC_NV_ReadPublic:
+ printf("%s TPM_CC_NV_ReadPublic\n", string);
+ break;
+ case TPM_CC_PolicyAuthorize:
+ printf("%s TPM_CC_PolicyAuthorize\n", string);
+ break;
+ case TPM_CC_PolicyAuthValue:
+ printf("%s TPM_CC_PolicyAuthValue\n", string);
+ break;
+ case TPM_CC_PolicyCommandCode:
+ printf("%s TPM_CC_PolicyCommandCode\n", string);
+ break;
+ case TPM_CC_PolicyCounterTimer:
+ printf("%s TPM_CC_PolicyCounterTimer\n", string);
+ break;
+ case TPM_CC_PolicyCpHash:
+ printf("%s TPM_CC_PolicyCpHash\n", string);
+ break;
+ case TPM_CC_PolicyLocality:
+ printf("%s TPM_CC_PolicyLocality\n", string);
+ break;
+ case TPM_CC_PolicyNameHash:
+ printf("%s TPM_CC_PolicyNameHash\n", string);
+ break;
+ case TPM_CC_PolicyOR:
+ printf("%s TPM_CC_PolicyOR\n", string);
+ break;
+ case TPM_CC_PolicyTicket:
+ printf("%s TPM_CC_PolicyTicket\n", string);
+ break;
+ case TPM_CC_ReadPublic:
+ printf("%s TPM_CC_ReadPublic\n", string);
+ break;
+ case TPM_CC_RSA_Encrypt:
+ printf("%s TPM_CC_RSA_Encrypt\n", string);
+ break;
+ case TPM_CC_StartAuthSession:
+ printf("%s TPM_CC_StartAuthSession\n", string);
+ break;
+ case TPM_CC_VerifySignature:
+ printf("%s TPM_CC_VerifySignature\n", string);
+ break;
+ case TPM_CC_ECC_Parameters:
+ printf("%s TPM_CC_ECC_Parameters\n", string);
+ break;
+#if 0
+ case TPM_CC_FirmwareRead:
+ printf("%s TPM_CC_FirmwareRead\n", string);
+ break;
+#endif
+ case TPM_CC_GetCapability:
+ printf("%s TPM_CC_GetCapability\n", string);
+ break;
+ case TPM_CC_GetRandom:
+ printf("%s TPM_CC_GetRandom\n", string);
+ break;
+ case TPM_CC_GetTestResult:
+ printf("%s TPM_CC_GetTestResult\n", string);
+ break;
+ case TPM_CC_Hash:
+ printf("%s TPM_CC_Hash\n", string);
+ break;
+ case TPM_CC_PCR_Read:
+ printf("%s TPM_CC_PCR_Read\n", string);
+ break;
+ case TPM_CC_PolicyPCR:
+ printf("%s TPM_CC_PolicyPCR\n", string);
+ break;
+ case TPM_CC_PolicyRestart:
+ printf("%s TPM_CC_PolicyRestart\n", string);
+ break;
+ case TPM_CC_ReadClock:
+ printf("%s TPM_CC_ReadClock\n", string);
+ break;
+ case TPM_CC_PCR_Extend:
+ printf("%s TPM_CC_PCR_Extend\n", string);
+ break;
+ case TPM_CC_PCR_SetAuthValue:
+ printf("%s TPM_CC_PCR_SetAuthValue\n", string);
+ break;
+ case TPM_CC_NV_Certify:
+ printf("%s TPM_CC_NV_Certify\n", string);
+ break;
+ case TPM_CC_EventSequenceComplete:
+ printf("%s TPM_CC_EventSequenceComplete\n", string);
+ break;
+ case TPM_CC_HashSequenceStart:
+ printf("%s TPM_CC_HashSequenceStart\n", string);
+ break;
+ case TPM_CC_PolicyPhysicalPresence:
+ printf("%s TPM_CC_PolicyPhysicalPresence\n", string);
+ break;
+ case TPM_CC_PolicyDuplicationSelect:
+ printf("%s TPM_CC_PolicyDuplicationSelect\n", string);
+ break;
+ case TPM_CC_PolicyGetDigest:
+ printf("%s TPM_CC_PolicyGetDigest\n", string);
+ break;
+ case TPM_CC_TestParms:
+ printf("%s TPM_CC_TestParms\n", string);
+ break;
+ case TPM_CC_Commit:
+ printf("%s TPM_CC_Commit\n", string);
+ break;
+ case TPM_CC_PolicyPassword:
+ printf("%s TPM_CC_PolicyPassword\n", string);
+ break;
+ case TPM_CC_ZGen_2Phase:
+ printf("%s TPM_CC_ZGen_2Phase\n", string);
+ break;
+ case TPM_CC_EC_Ephemeral:
+ printf("%s TPM_CC_EC_Ephemeral\n", string);
+ break;
+ case TPM_CC_PolicyNvWritten:
+ printf("%s TPM_CC_PolicyNvWritten\n", string);
+ break;
+ case TPM_CC_PolicyTemplate:
+ printf("%s TPM_CC_PolicyTemplate\n", string);
+ break;
+ case TPM_CC_CreateLoaded:
+ printf("%s TPM_CC_CreateLoaded\n", string);
+ break;
+ case TPM_CC_PolicyAuthorizeNV:
+ printf("%s TPM_CC_PolicyAuthorizeNV\n", string);
+ break;
+ case TPM_CC_EncryptDecrypt2:
+ printf("%s TPM_CC_EncryptDecrypt2\n", string);
+ break;
+#if 0
+ case TPM_CC_AC_GetCapability:
+ printf("%s TPM_CC_AC_GetCapability\n", string);
+ break;
+ case TPM_CC_AC_Send:
+ printf("%s TPM_CC_AC_Send\n", string);
+ break;
+ case TPM_CC_Policy_AC_SendSelect:
+ printf("%s TPM_CC_Policy_AC_SendSelect\n", string);
+ break;
+#endif
+ default:
+ printf("%s TPM_CC value %08x unknown\n", string, source);
+ }
+ return;
+}
+
+/* Table 17 - Definition of (INT8) TPM_CLOCK_ADJUST Constants <IN> */
+
+void TSS_TPM_CLOCK_ADJUST_Print(const char *string, TPM_CLOCK_ADJUST source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case TPM_CLOCK_COARSE_SLOWER:
+ printf("%s TPM_CLOCK_COARSE_SLOWER\n", string);
+ break;
+ case TPM_CLOCK_MEDIUM_SLOWER:
+ printf("%s TPM_CLOCK_MEDIUM_SLOWER\n", string);
+ break;
+ case TPM_CLOCK_FINE_SLOWER:
+ printf("%s TPM_CLOCK_FINE_SLOWER\n", string);
+ break;
+ case TPM_CLOCK_NO_CHANGE:
+ printf("%s TPM_CLOCK_NO_CHANGE\n", string);
+ break;
+ case TPM_CLOCK_FINE_FASTER:
+ printf("%s TPM_CLOCK_FINE_FASTER\n", string);
+ break;
+ case TPM_CLOCK_MEDIUM_FASTER:
+ printf("%s TPM_CLOCK_MEDIUM_FASTER\n", string);
+ break;
+ case TPM_CLOCK_COARSE_FASTER:
+ printf("%s TPM_CLOCK_COARSE_FASTER\n", string);
+ break;
+ default:
+ printf("%s TPM_CLOCK_ADJUST value %d unknown\n", string, source);
+ }
+ return;
+}
+
+/* Table 18 - Definition of (UINT16) TPM_EO Constants <IN/OUT> */
+
+void TSS_TPM_EO_Print(const char *string, TPM_EO source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case TPM_EO_EQ:
+ printf("%s TPM_EO_EQ\n", string);
+ break;
+ case TPM_EO_NEQ:
+ printf("%s TPM_EO_NEQ\n", string);
+ break;
+ case TPM_EO_SIGNED_GT:
+ printf("%s TPM_EO_SIGNED_GT\n", string);
+ break;
+ case TPM_EO_UNSIGNED_GT:
+ printf("%s TPM_EO_UNSIGNED_GT\n", string);
+ break;
+ case TPM_EO_SIGNED_LT:
+ printf("%s TPM_EO_SIGNED_LT\n", string);
+ break;
+ case TPM_EO_UNSIGNED_LT:
+ printf("%s TPM_EO_UNSIGNED_LT\n", string);
+ break;
+ case TPM_EO_SIGNED_GE:
+ printf("%s TPM_EO_SIGNED_GE\n", string);
+ break;
+ case TPM_EO_UNSIGNED_GE:
+ printf("%s TPM_EO_UNSIGNED_GE\n", string);
+ break;
+ case TPM_EO_SIGNED_LE:
+ printf("%s TPM_EO_SIGNED_LE\n", string);
+ break;
+ case TPM_EO_UNSIGNED_LE:
+ printf("%s TPM_EO_UNSIGNED_LE\n", string);
+ break;
+ case TPM_EO_BITSET:
+ printf("%s TPM_EO_BITSET\n", string);
+ break;
+ case TPM_EO_BITCLEAR:
+ printf("%s TPM_EO_BITCLEAR\n", string);
+ break;
+ default:
+ printf("%s TPM_EO value %04hx unknown\n", string, source);
+ }
+ return;
+}
+
+/* Table 19 - Definition of (UINT16) TPM_ST Constants <IN/OUT, S> */
+
+void TSS_TPM_ST_Print(const char *string, TPM_ST source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case TPM_ST_RSP_COMMAND:
+ printf("%s TPM_ST_RSP_COMMAND\n", string);
+ break;
+ case TPM_ST_NULL:
+ printf("%s TPM_ST_NULL\n", string);
+ break;
+ case TPM_ST_NO_SESSIONS:
+ printf("%s TPM_ST_NO_SESSIONS\n", string);
+ break;
+ case TPM_ST_SESSIONS:
+ printf("%s TPM_ST_SESSIONS\n", string);
+ break;
+ case TPM_ST_ATTEST_NV:
+ printf("%s TPM_ST_ATTEST_NV\n", string);
+ break;
+ case TPM_ST_ATTEST_COMMAND_AUDIT:
+ printf("%s TPM_ST_ATTEST_COMMAND_AUDIT\n", string);
+ break;
+ case TPM_ST_ATTEST_SESSION_AUDIT:
+ printf("%s TPM_ST_ATTEST_SESSION_AUDIT\n", string);
+ break;
+ case TPM_ST_ATTEST_CERTIFY:
+ printf("%s TPM_ST_ATTEST_CERTIFY\n", string);
+ break;
+ case TPM_ST_ATTEST_QUOTE:
+ printf("%s TPM_ST_ATTEST_QUOTE\n", string);
+ break;
+ case TPM_ST_ATTEST_TIME:
+ printf("%s TPM_ST_ATTEST_TIME\n", string);
+ break;
+ case TPM_ST_ATTEST_CREATION:
+ printf("%s TPM_ST_ATTEST_CREATION\n", string);
+ break;
+ case TPM_ST_ATTEST_NV_DIGEST:
+ printf("%s TPM_ST_ATTEST_NV_DIGEST\n", string);
+ break;
+ case TPM_ST_CREATION:
+ printf("%s TPM_ST_CREATION\n", string);
+ break;
+ case TPM_ST_VERIFIED:
+ printf("%s TPM_ST_VERIFIED\n", string);
+ break;
+ case TPM_ST_AUTH_SECRET:
+ printf("%s TPM_ST_AUTH_SECRET\n", string);
+ break;
+ case TPM_ST_HASHCHECK:
+ printf("%s TPM_ST_HASHCHECK\n", string);
+ break;
+ case TPM_ST_AUTH_SIGNED:
+ printf("%s TPM_ST_AUTH_SIGNED\n", string);
+ break;
+ default:
+ printf("%s TPM_ST value %04hx unknown\n", string, source);
+ }
+ return;
+}
+
+/* Table 20 - Definition of (UINT16) TPM_SU Constants <IN> */
+
+void TSS_TPM_SU_Print(const char *string, TPM_SU source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case TPM_SU_CLEAR:
+ printf("%s TPM_SU_CLEAR\n", string);
+ break;
+ case TPM_SU_STATE:
+ printf("%s TPM_SU_STATE\n", string);
+ break;
+ default:
+ printf("%s TPM_SU value %04hx unknown\n", string, source);
+ }
+ return;
+}
+
+/* Table 21 - Definition of (UINT8) TPM_SE Constants <IN> */
+
+void TSS_TPM_SE_Print(const char *string, TPM_SE source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case TPM_SE_HMAC:
+ printf("%s TPM_SE_HMAC\n", string);
+ break;
+ case TPM_SE_POLICY:
+ printf("%s TPM_SE_POLICY\n", string);
+ break;
+ case TPM_SE_TRIAL:
+ printf("%s TPM_SE_TRIAL\n", string);
+ break;
+ default:
+ printf("%s TPM_SE value %02x unknown\n", string, source);
+ }
+ return;
+}
+
+/* Table 22 - Definition of (UINT32) TPM_CAP Constants */
+
+void TSS_TPM_CAP_Print(const char *string, TPM_CAP source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case TPM_CAP_ALGS:
+ printf("%s TPM_CAP_ALGS\n", string);
+ break;
+ case TPM_CAP_HANDLES:
+ printf("%s TPM_CAP_HANDLES\n", string);
+ break;
+ case TPM_CAP_COMMANDS:
+ printf("%s TPM_CAP_COMMANDS\n", string);
+ break;
+ case TPM_CAP_PP_COMMANDS:
+ printf("%s TPM_CAP_PP_COMMANDS\n", string);
+ break;
+ case TPM_CAP_AUDIT_COMMANDS:
+ printf("%s TPM_CAP_AUDIT_COMMANDS\n", string);
+ break;
+ case TPM_CAP_PCRS:
+ printf("%s TPM_CAP_PCRS\n", string);
+ break;
+ case TPM_CAP_TPM_PROPERTIES:
+ printf("%s TPM_CAP_TPM_PROPERTIES\n", string);
+ break;
+ case TPM_CAP_PCR_PROPERTIES:
+ printf("%s TPM_CAP_PCR_PROPERTIES\n", string);
+ break;
+ case TPM_CAP_ECC_CURVES:
+ printf("%s TPM_CAP_ECC_CURVES\n", string);
+ break;
+ case TPM_CAP_AUTH_POLICIES:
+ printf("%s TPM_CAP_AUTH_POLICIES\n", string);
+ break;
+ case TPM_CAP_VENDOR_PROPERTY:
+ printf("%s TPM_CAP_VENDOR_PROPERTY\n", string);
+ break;
+ default:
+ printf("%s TPM_CAP value %08x unknown\n", string, source);
+ }
+ return;
+}
+
+/* Table 26 - Definition of Types for Handles */
+
+void TSS_TPM_HANDLE_Print(const char *string, TPM_HANDLE source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case TPM_RH_SRK:
+ printf("%s TPM_RH_SRK\n", string);
+ break;
+ case TPM_RH_OWNER:
+ printf("%s TPM_RH_OWNER\n", string);
+ break;
+ case TPM_RH_REVOKE:
+ printf("%s TPM_RH_REVOKE\n", string);
+ break;
+ case TPM_RH_TRANSPORT:
+ printf("%s TPM_RH_TRANSPORT\n", string);
+ break;
+ case TPM_RH_OPERATOR:
+ printf("%s TPM_RH_OPERATOR\n", string);
+ break;
+ case TPM_RH_ADMIN:
+ printf("%s TPM_RH_ADMIN\n", string);
+ break;
+ case TPM_RH_EK:
+ printf("%s TPM_RH_EK\n", string);
+ break;
+ case TPM_RH_NULL:
+ printf("%s TPM_RH_NULL\n", string);
+ break;
+ case TPM_RH_UNASSIGNED:
+ printf("%s TPM_RH_UNASSIGNED\n", string);
+ break;
+ case TPM_RS_PW:
+ printf("%s TPM_RS_PW\n", string);
+ break;
+ case TPM_RH_LOCKOUT:
+ printf("%s TPM_RH_LOCKOUT\n", string);
+ break;
+ case TPM_RH_ENDORSEMENT:
+ printf("%s TPM_RH_ENDORSEMENT\n", string);
+ break;
+ case TPM_RH_PLATFORM:
+ printf("%s TPM_RH_PLATFORM\n", string);
+ break;
+ case TPM_RH_PLATFORM_NV:
+ printf("%s TPM_RH_PLATFORM_NV\n", string);
+ break;
+ default:
+ printf("%s TPM_HANDLE %08x\n", string, source);
+ }
+ return;
+}
+
+/* Table 30 - Definition of (UINT32) TPMA_ALGORITHM Bits */
+
+void TSS_TPM_TPMA_ALGORITHM_Print(TPMA_ALGORITHM source, unsigned int indent)
+{
+ if (source.val & TPMA_ALGORITHM_ASYMMETRIC) printf("%*s" "TPMA_ALGORITHM: asymmetric\n", indent, "");
+ if (source.val & TPMA_ALGORITHM_SYMMETRIC) printf("%*s" "TPMA_ALGORITHM: symmetric\n", indent, "");
+ if (source.val & TPMA_ALGORITHM_HASH) printf("%*s" "TPMA_ALGORITHM: hash\n", indent, "");
+ if (source.val & TPMA_ALGORITHM_OBJECT) printf("%*s" "TPMA_ALGORITHM: object\n", indent, "");
+ if (source.val & TPMA_ALGORITHM_SIGNING) printf("%*s" "TPMA_ALGORITHM: signing\n", indent, "");
+ if (source.val & TPMA_ALGORITHM_ENCRYPTING) printf("%*s" "TPMA_ALGORITHM: encrypting\n", indent, "");
+ if (source.val & TPMA_ALGORITHM_METHOD) printf("%*s" "TPMA_ALGORITHM: method\n", indent, "");
+ return;
+}
+
+/* Table 31 - Definition of (UINT32) TPMA_OBJECT Bits */
+
+void TSS_TPMA_OBJECT_Print(const char *string, TPMA_OBJECT source, unsigned int indent)
+{
+ printf("%*s%s: %08x\n", indent, "", string, source.val);
+ if (source.val & TPMA_OBJECT_FIXEDTPM) printf("%*s%s: fixedTpm\n", indent, "", string);
+ if (source.val & TPMA_OBJECT_STCLEAR) printf("%*s%s: stClear\n", indent, "", string);
+ if (source.val & TPMA_OBJECT_FIXEDPARENT) printf("%*s%s: fixedParent\n", indent, "", string);
+ if (source.val & TPMA_OBJECT_SENSITIVEDATAORIGIN) printf("%*s%s: sensitiveDataOrigin\n", indent, "", string);
+ if (source.val & TPMA_OBJECT_USERWITHAUTH) printf("%*s%s: userWithAuth\n", indent, "", string);
+ if (source.val & TPMA_OBJECT_ADMINWITHPOLICY) printf("%*s%s: adminWithPolicy\n", indent, "", string);
+ if (source.val & TPMA_OBJECT_NODA) printf("%*s%s: noDA\n", indent, "", string);
+ if (source.val & TPMA_OBJECT_ENCRYPTEDDUPLICATION) printf("%*s%s: encryptedDuplication\n", indent, "", string);
+ if (source.val & TPMA_OBJECT_RESTRICTED) printf("%*s%s: restricted\n", indent, "", string);
+ if (source.val & TPMA_OBJECT_DECRYPT) printf("%*s%s: decrypt\n", indent, "", string);
+ if (source.val & TPMA_OBJECT_SIGN) printf("%*s%s: sign\n", indent, "", string);
+ return;
+}
+
+/* Table 32 - Definition of (UINT8) TPMA_SESSION Bits <IN/OUT> */
+
+void TSS_TPMA_SESSION_Print(TPMA_SESSION source, unsigned int indent)
+{
+
+ if (source.val & TPMA_SESSION_CONTINUESESSION) printf("%*s" "TPMA_SESSION: continue\n", indent, "");
+ if (source.val & TPMA_SESSION_AUDITEXCLUSIVE) printf("%*s" "TPMA_SESSION: auditexclusive\n", indent, "");
+ if (source.val & TPMA_SESSION_AUDITRESET) printf("%*s" "TPMA_SESSION: auditreset\n", indent, "");
+ if (source.val & TPMA_SESSION_DECRYPT) printf("%*s" "TPMA_SESSION: decrypt\n", indent, "");
+ if (source.val & TPMA_SESSION_ENCRYPT) printf("%*s" "TPMA_SESSION: encrypt\n", indent, "");
+ if (source.val & TPMA_SESSION_AUDIT) printf("%*s" "TPMA_SESSION: audit\n", indent, "");
+ return;
+}
+
+/* Table 33 - Definition of (UINT8) TPMA_LOCALITY Bits <IN/OUT> */
+
+void TSS_TPMA_LOCALITY_Print(TPMA_LOCALITY source, unsigned int indent)
+{
+ if (source.val & TPMA_LOCALITY_ZERO) printf("%*s" "TPMA_LOCALITY: zero\n", indent, "");
+ if (source.val & TPMA_LOCALITY_ONE) printf("%*s" "TPMA_LOCALITY: one\n", indent, "");
+ if (source.val & TPMA_LOCALITY_TWO) printf("%*s" "TPMA_LOCALITY: two\n", indent, "");
+ if (source.val & TPMA_LOCALITY_THREE) printf("%*s" "TPMA_LOCALITY: three\n", indent, "");
+ if (source.val & TPMA_LOCALITY_FOUR) printf("%*s" "TPMA_LOCALITY: four\n", indent, "");
+ if (source.val & TPMA_LOCALITY_EXTENDED) printf("%*s" "TPMA_LOCALITY: extended\n", indent, "");
+ return;
+}
+
+/* Table 34 - Definition of (UINT32) TPMA_PERMANENT Bits <OUT> */
+
+void TSS_TPMA_PERMANENT_Print(TPMA_PERMANENT source, unsigned int indent)
+{
+ printf("%*s" "TPMA_PERMANENT: ownerAuthSet %s\n", indent, "",
+ (source.val & TPMA_PERMANENT_OWNERAUTHSET) ? "yes" : "no");
+ printf("%*s" "TPMA_PERMANENT: endorsementAuthSet %s\n", indent, "",
+ (source.val & TPMA_PERMANENT_ENDORSEMENTAUTHSET) ? "yes" : "no");
+ printf("%*s" "TPMA_PERMANENT: lockoutAuthSet %s\n", indent, "",
+ (source.val & TPMA_PERMANENT_LOCKOUTAUTHSET) ? "yes" : "no");
+ printf("%*s" "TPMA_PERMANENT: disableClear %s\n", indent, "",
+ (source.val & TPMA_PERMANENT_DISABLECLEAR) ? "yes" : "no");
+ printf("%*s" "TPMA_PERMANENT: inLockout %s\n", indent, "",
+ (source.val & TPMA_PERMANENT_INLOCKOUT) ? "yes" : "no");
+ printf("%*s" "TPMA_PERMANENT: tpmGeneratedEPS %s\n", indent, "",
+ (source.val & TPMA_PERMANENT_TPMGENERATEDEPS) ? "yes" : "no");
+ return;
+}
+
+/* Table 35 - Definition of (UINT32) TPMA_STARTUP_CLEAR Bits <OUT> */
+
+void TSS_TPMA_STARTUP_CLEAR_Print(TPMA_STARTUP_CLEAR source, unsigned int indent)
+{
+ printf("%*s" "TPMA_STARTUP_CLEAR: phEnable %s\n", indent, "",
+ (source.val & TPMA_STARTUP_CLEAR_PHENABLE) ? "yes" : "no");
+ printf("%*s" "TPMA_STARTUP_CLEAR: shEnable %s\n", indent, "",
+ (source.val & TPMA_STARTUP_CLEAR_SHENABLE) ? "yes" : "no");
+ printf("%*s" "TPMA_STARTUP_CLEAR: ehEnable %s\n", indent, "",
+ (source.val & TPMA_STARTUP_CLEAR_EHENABLE) ? "yes" : "no");
+ printf("%*s" "TPMA_STARTUP_CLEAR: phEnableNV %s\n", indent, "",
+ (source.val & TPMA_STARTUP_CLEAR_PHENABLENV) ? "yes" : "no");
+ printf("%*s" "TPMA_STARTUP_CLEAR: orderly %s\n", indent, "",
+ (source.val & TPMA_STARTUP_CLEAR_ORDERLY) ? "yes" : "no");
+ return;
+}
+
+/* Table 36 - Definition of (UINT32) TPMA_MEMORY Bits <Out> */
+
+void TSS_TPMA_MEMORY_Print(TPMA_MEMORY source, unsigned int indent)
+{
+ printf("%*s" "TPMA_MEMORY: sharedRAM %s\n", indent, "",
+ (source.val & TPMA_MEMORY_SHAREDRAM) ? "yes" : "no");
+ printf("%*s" "TPMA_MEMORY: sharedNV %s\n", indent, "",
+ (source.val & TPMA_MEMORY_SHAREDNV) ? "yes" : "no");
+ printf("%*s" "TPMA_MEMORY: objectCopiedToRam %s\n", indent, "",
+ (source.val & TPMA_MEMORY_OBJECTCOPIEDTORAM) ? "yes" : "no");
+ return;
+}
+
+/* Table 38 - Definition of (UINT32) TPMA_MODES Bits <Out> */
+
+void TSS_TPMA_MODES_Print(TPMA_MODES source, unsigned int indent)
+{
+ printf("%*s" "TPMA_MODES: TPMA_MODES_FIPS_140_2 %s\n", indent, "",
+ (source.val & TPMA_MODES_FIPS_140_2) ? "yes" : "no");
+ return;
+}
+
+/* Table 39 - Definition of (BYTE) TPMI_YES_NO Type */
+
+void TSS_TPMI_YES_NO_Print(const char *string, TPMI_YES_NO source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case NO:
+ printf("%s no\n", string);
+ break;
+ case YES:
+ printf("%s yes\n", string);
+ break;
+ default:
+ printf("%s TPMI_YES_NO %02x unknown\n", string, source);
+ }
+ return;
+}
+
+/* Table 75 - Definition of TPMU_HA Union <IN/OUT, S> */
+
+
+void TSS_TPMU_HA_Print(TPMU_HA *source, uint32_t selector, unsigned int indent)
+{
+ switch (selector) {
+#ifdef TPM_ALG_SHA1
+ case TPM_ALG_SHA1:
+ TSS_PrintAlli("sha1", indent, source->sha1, SHA1_DIGEST_SIZE);
+ break;
+#endif
+#ifdef TPM_ALG_SHA256
+ case TPM_ALG_SHA256:
+ TSS_PrintAlli("sha256", indent, source->sha256, SHA256_DIGEST_SIZE);
+ break;
+#endif
+#ifdef TPM_ALG_SHA384
+ case TPM_ALG_SHA384:
+ TSS_PrintAlli("sha384", indent, source->sha384, SHA384_DIGEST_SIZE);
+ break;
+#endif
+#ifdef TPM_ALG_SHA512
+ case TPM_ALG_SHA512:
+ TSS_PrintAlli("sha512", indent, source->sha512, SHA512_DIGEST_SIZE);
+ break;
+#endif
+#ifdef TPM_ALG_SM3_256
+ case TPM_ALG_SM3_256:
+ TSS_PrintAlli("sm3_256", indent, source->sm3_256, SM3_256_DIGEST_SIZE);
+ break;
+#endif
+ case TPM_ALG_NULL:
+ break;
+ default:
+ printf("%*s" "TPMU_HA: selection %08x not implemented\n", indent, "", selector);
+ }
+ return;
+}
+
+/* Table 76 - Definition of TPMT_HA Structure <IN/OUT> */
+
+void TSS_TPMT_HA_Print(TPMT_HA *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("hashAlg", source->hashAlg, indent+2);
+ TSS_TPMU_HA_Print(&source->digest, source->hashAlg, indent+2);
+ return;
+}
+
+/* Table 89 - Definition of TPMS_PCR_SELECT Structure */
+
+void TSS_TPMS_PCR_SELECT_Print(TPMS_PCR_SELECT *source, unsigned int indent)
+{
+ printf("%*s" "TSS_TPMS_PCR_SELECT sizeofSelect %u\n", indent, "", source->sizeofSelect);
+ TSS_PrintAlli("pcrSelect", indent, source->pcrSelect, source->sizeofSelect);
+ return;
+}
+
+/* Table 90 - Definition of TPMS_PCR_SELECTION Structure */
+
+void TSS_TPMS_PCR_SELECTION_Print(TPMS_PCR_SELECTION *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("hash", source->hash, indent+2);
+ TSS_PrintAlli("TPMS_PCR_SELECTION", indent+2,
+ source->pcrSelect,
+ source->sizeofSelect);
+ return;
+}
+
+/* Table 93 - Definition of TPMT_TK_CREATION Structure */
+
+void TSS_TPMT_TK_CREATION_Print(TPMT_TK_CREATION *source, unsigned int indent)
+{
+ TSS_TPM_ST_Print("tag", source->tag, indent);
+ TSS_TPM_HANDLE_Print("hierarchy", source->hierarchy, indent);
+ TSS_TPM2B_Print("TPMT_TK_CREATION digest", indent, &source->digest.b);
+ return;
+}
+
+/* Table 94 - Definition of TPMT_TK_VERIFIED Structure */
+
+void TSS_TPMT_TK_VERIFIED_Print(TPMT_TK_VERIFIED *source, unsigned int indent)
+{
+ TSS_TPM_ST_Print("tag", source->tag, indent);
+ TSS_TPM_HANDLE_Print("hierarchy", source->hierarchy, indent);
+ TSS_TPM2B_Print("TPMT_TK_VERIFIED digest", indent, &source->digest.b);
+ return;
+}
+
+/* Table 95 - Definition of TPMT_TK_AUTH Structure */
+
+void TSS_TPMT_TK_AUTH_Print(TPMT_TK_AUTH *source, unsigned int indent)
+{
+ TSS_TPM_ST_Print("tag", source->tag, indent);
+ TSS_TPM_HANDLE_Print("hierarchy", source->hierarchy, indent);
+ TSS_TPM2B_Print("TPMT_TK_AUTH digest", indent, &source->digest.b);
+ return;
+}
+
+/* Table 96 - Definition of TPMT_TK_HASHCHECK Structure */
+
+void TSS_TPMT_TK_HASHCHECK_Print(TPMT_TK_HASHCHECK *source, unsigned int indent)
+{
+ TSS_TPM_ST_Print("tag", source->tag, indent);
+ TSS_TPM_HANDLE_Print("hierarchy", source->hierarchy, indent);
+ TSS_TPM2B_Print("TPMT_TK_AUTH digest", indent, &source->digest.b);
+ return;
+}
+
+/* Table 101 - Definition of TPML_CC Structure */
+
+void TSS_TPML_CC_Print(TPML_CC *source, unsigned int indent)
+{
+ uint32_t i;
+ printf("%*s" "TPML_CC count %u\n", indent, "", source->count);
+ for (i = 0 ; (i < source->count) ; i++) {
+ TSS_TPM_CC_Print("commandCode", source->commandCodes[i], indent);
+ }
+ return;
+}
+
+/* Table 102 - Definition of TPML_PCR_SELECTION Structure */
+
+void TSS_TPML_PCR_SELECTION_Print(TPML_PCR_SELECTION *source, unsigned int indent)
+{
+ uint32_t i;
+ printf("%*s" "TPML_PCR_SELECTION count %u\n", indent, "", source->count);
+ for (i = 0 ; (i < source->count) ; i++) {
+ TSS_TPMS_PCR_SELECTION_Print(&source->pcrSelections[i], indent);
+ }
+ return;
+}
+
+/* Table 103 - Definition of TPML_ALG Structure */
+
+void TSS_TPML_ALG_Print(TPML_ALG *source, unsigned int indent)
+{
+ uint32_t i;
+ printf("%*s" "TPML_ALG count %u\n", indent, "", source->count);
+ for (i = 0 ; (i < source->count) ; i++) {
+ TSS_TPM_ALG_ID_Print("algorithms", source->algorithms[i], indent);
+ }
+ return;
+}
+
+/* Table 105 - Definition of TPML_DIGEST Structure */
+
+void TSS_TPML_DIGEST_Print(TPML_DIGEST *source, unsigned int indent)
+{
+ uint32_t i;
+ printf("%*s" "TPML_DIGEST count %u\n", indent, "", source->count);
+ for (i = 0 ; (i < source->count) ; i++) {
+ TSS_TPM2B_Print("TPML_DIGEST digest", indent, &source->digests[i].b);
+ }
+ return;
+}
+
+/* Table 106 - Definition of TPML_DIGEST_VALUES Structure */
+
+void TSS_TPML_DIGEST_VALUES_Print(TPML_DIGEST_VALUES *source, unsigned int indent)
+{
+ uint32_t i;
+ printf("%*s" "TPML_DIGEST_VALUES count %u\n", indent, "", source->count);
+ for (i = 0 ; (i < source->count) ; i++) {
+ TSS_TPMT_HA_Print(&source->digests[i], indent);
+ }
+ return;
+}
+
+/* Table 115 - Definition of TPMS_CLOCK_INFO Structure */
+
+void TSS_TPMS_CLOCK_INFO_Print(TPMS_CLOCK_INFO *source, unsigned int indent)
+{
+ printf("%*s" "TPMS_CLOCK_INFO clock %"PRIu64"\n", indent, "", source->clock);
+ printf("%*s" "TPMS_CLOCK_INFO resetCount %u\n", indent, "", source->resetCount);
+ printf("%*s" "TPMS_CLOCK_INFO restartCount %u\n", indent, "", source->restartCount);
+ printf("%*s" "TPMS_CLOCK_INFO safe %x\n", indent, "", source->safe);
+ return;
+}
+
+/* Table 116 - Definition of TPMS_TIME_INFO Structure */
+
+void TSS_TPMS_TIME_INFO_Print(TPMS_TIME_INFO *source, unsigned int indent)
+{
+ uint64_t days;
+ uint64_t hours;
+ uint64_t minutes;
+ uint64_t seconds;
+ printf("%*s" "TPMS_TIME_INFO time %"PRIu64" msec", indent, "", source->time);
+ days = source->time/(1000 * 60 * 60 * 24);
+ hours = (source->time % (1000 * 60 * 60 * 24)) / (1000 * 60 * 60);
+ minutes = (source->time % (1000 * 60 * 60)) / (1000 * 60);
+ seconds = (source->time % (1000 * 60)) / (1000);
+ printf(" - %"PRIu64" days %"PRIu64" hours %"PRIu64" minutes %"PRIu64" seconds\n",
+ days, hours, minutes, seconds);
+ TSS_TPMS_CLOCK_INFO_Print(&source->clockInfo, indent+2);
+ return;
+}
+
+/* Table 117 - Definition of TPMS_TIME_ATTEST_INFO Structure <OUT> */
+
+void TSS_TPMS_TIME_ATTEST_INFO_Print(TPMS_TIME_ATTEST_INFO *source, unsigned int indent)
+{
+ TSS_TPMS_TIME_INFO_Print(&source->time, indent+2);
+ printf("%*s" "TPMS_TIME_ATTEST_INFO firmwareVersion %"PRIu64"\n", indent, "", source->firmwareVersion);
+ return;
+}
+
+/* Table 118 - Definition of TPMS_CERTIFY_INFO Structure <OUT> */
+
+void TSS_TPMS_CERTIFY_INFO_Print(TPMS_CERTIFY_INFO *source, unsigned int indent)
+{
+ TSS_TPM2B_Print("TPMS_CERTIFY_INFO name", indent, &source->name.b);
+ TSS_TPM2B_Print("TPMS_CERTIFY_INFO qualifiedName", indent, &source->qualifiedName.b);
+ return;
+}
+
+/* Table 119 - Definition of TPMS_QUOTE_INFO Structure <OUT> */
+
+void TSS_TPMS_QUOTE_INFO_Print(TPMS_QUOTE_INFO *source, unsigned int indent)
+{
+ TSS_TPML_PCR_SELECTION_Print(&source->pcrSelect, indent+2);
+ TSS_TPM2B_Print("TPMS_QUOTE_INFO pcrDigest", indent+2, &source->pcrDigest.b);
+ return;
+}
+
+/* Table 120 - Definition of TPMS_COMMAND_AUDIT_INFO Structure <OUT> */
+
+void TSS_TPMS_COMMAND_AUDIT_INFO_Print(TPMS_COMMAND_AUDIT_INFO *source, unsigned int indent)
+{
+ printf("%*s" "TPMS_COMMAND_AUDIT_INFO auditCounter %"PRIu64"\n", indent, "", source->auditCounter);
+ TSS_TPM_ALG_ID_Print("digestAlg", source->digestAlg, indent);
+ TSS_TPM2B_Print("TPMS_COMMAND_AUDIT_INFO auditDigest", indent, &source->auditDigest.b);
+ TSS_TPM2B_Print("TPMS_COMMAND_AUDIT_INFO commandDigest", indent, &source->commandDigest.b);
+ return;
+}
+
+/* Table 121 - Definition of TPMS_SESSION_AUDIT_INFO Structure */
+
+void TSS_TPMS_SESSION_AUDIT_INFO_Print(TPMS_SESSION_AUDIT_INFO *source, unsigned int indent)
+{
+ printf("%*s" "TPMS_SESSION_AUDIT_INFO exclusiveSession %d\n", indent, "",
+ source->exclusiveSession);
+ TSS_TPM2B_Print("TPMS_SESSION_AUDIT_INFO sessionDigest", indent, &source->sessionDigest.b);
+ return;
+}
+
+/* Table 122 - Definition of TPMS_CREATION_INFO Structure <OUT> */
+
+void TSS_TPMS_CREATION_INFO_Print(TPMS_CREATION_INFO *source, unsigned int indent)
+{
+ TSS_TPM2B_Print("TPMS_CREATION_INFO objectName", indent, &source->objectName.b);
+ TSS_TPM2B_Print("TPMS_CREATION_INFO creationHash", indent, &source->creationHash.b);
+ return;
+}
+
+/* Table 123 - Definition of TPMS_NV_CERTIFY_INFO Structure */
+
+void TSS_TPMS_NV_CERTIFY_INFO_Print(TPMS_NV_CERTIFY_INFO *source, unsigned int indent)
+{
+ TSS_TPM2B_Print("TPMS_NV_CERTIFY_INFO indexName", indent, &source->indexName.b);
+ printf("%*s" "TPMS_NV_CERTIFY_INFO offset %d\n", indent, "", source->offset);
+ TSS_TPM2B_Print("TPMS_NV_CERTIFY_INFO nvContents", indent, &source->nvContents.b);
+ return;
+}
+
+/* Table 125 - Definition of TPMS_NV_DIGEST_CERTIFY_INFO Structure <OUT> */
+void TSS_TPMS_NV_DIGEST_CERTIFY_INFO_Print(TPMS_NV_DIGEST_CERTIFY_INFO *source, unsigned int indent)
+{
+ TSS_TPM2B_Print("TPMS_NV_DIGEST_CERTIFY_INFO indexName", indent, &source->indexName.b);
+ TSS_TPM2B_Print("TPMS_NV_DIGEST_CERTIFY_INFO nvDigest", indent, &source->nvDigest.b);
+ return;
+}
+
+/* Table 124 - Definition of (TPM_ST) TPMI_ST_ATTEST Type <OUT> */
+
+void TSS_TPMI_ST_ATTEST_Print(const char *string, TPMI_ST_ATTEST selector, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (selector) {
+ case TPM_ST_ATTEST_CERTIFY:
+ printf("%s TPM_ST_ATTEST_CERTIFY\n", string);
+ break;
+ case TPM_ST_ATTEST_CREATION:
+ printf("%s TPM_ST_ATTEST_CREATION\n", string);
+ break;
+ case TPM_ST_ATTEST_QUOTE:
+ printf("%s TPM_ST_ATTEST_QUOTE\n", string);
+ break;
+ case TPM_ST_ATTEST_COMMAND_AUDIT:
+ printf("%s TPM_ST_ATTEST_COMMAND_AUDIT\n", string);
+ break;
+ case TPM_ST_ATTEST_SESSION_AUDIT:
+ printf("%s TPM_ST_ATTEST_SESSION_AUDIT\n", string);
+ break;
+ case TPM_ST_ATTEST_TIME:
+ printf("%s TPM_ST_ATTEST_TIME\n", string);
+ break;
+ case TPM_ST_ATTEST_NV:
+ printf("%s TPM_ST_ATTEST_NV\n", string);
+ break;
+ case TPM_ST_ATTEST_NV_DIGEST:
+ printf("%s TPM_ST_ATTEST_NV_DIGEST\n", string);
+ break;
+ default:
+ printf("%s TPMI_ST_ATTEST_Print: selection %04hx not implemented\n", string, selector);
+ }
+ return;
+}
+
+/* Table 125 - Definition of TPMU_ATTEST Union <OUT> */
+
+void TSS_TPMU_ATTEST_Print(TPMU_ATTEST *source, TPMI_ST_ATTEST selector, unsigned int indent)
+{
+ switch (selector) {
+ case TPM_ST_ATTEST_CERTIFY:
+ TSS_TPMS_CERTIFY_INFO_Print(&source->certify, indent+2);
+ break;
+ case TPM_ST_ATTEST_CREATION:
+ TSS_TPMS_CREATION_INFO_Print(&source->creation, indent+2);
+ break;
+ case TPM_ST_ATTEST_QUOTE:
+ TSS_TPMS_QUOTE_INFO_Print(&source->quote, indent+2);
+ break;
+ case TPM_ST_ATTEST_COMMAND_AUDIT:
+ TSS_TPMS_COMMAND_AUDIT_INFO_Print(&source->commandAudit, indent+2);
+ break;
+ case TPM_ST_ATTEST_SESSION_AUDIT:
+ TSS_TPMS_SESSION_AUDIT_INFO_Print(&source->sessionAudit, indent+2);
+ break;
+ case TPM_ST_ATTEST_TIME:
+ TSS_TPMS_TIME_ATTEST_INFO_Print(&source->time, indent+2);
+ break;
+ case TPM_ST_ATTEST_NV:
+ TSS_TPMS_NV_CERTIFY_INFO_Print(&source->nv, indent+2);
+ break;
+ case TPM_ST_ATTEST_NV_DIGEST:
+ TSS_TPMS_NV_DIGEST_CERTIFY_INFO_Print(&source->nvDigest, indent+2);
+ break;
+ default:
+ printf("%*s" "TPMU_ATTEST selection %04hx not implemented\n", indent, "", selector);
+ }
+ return;
+}
+
+/* Table 126 - Definition of TPMS_ATTEST Structure <OUT> */
+
+void TSS_TPMS_ATTEST_Print(TPMS_ATTEST *source, unsigned int indent)
+{
+ printf("%*s" "TPMS_ATTEST magic %08x\n", indent+2, "", source->magic);
+ TSS_TPMI_ST_ATTEST_Print("type", source->type, indent+2);
+ TSS_TPM2B_Print("TPMS_ATTEST qualifiedSigner", indent+2, &source->qualifiedSigner.b);
+ TSS_TPM2B_Print("TPMS_ATTEST extraData", indent+2, &source->extraData.b);
+ TSS_TPMS_CLOCK_INFO_Print(&source->clockInfo, indent+2);
+ printf("%*s" "TPMS_ATTEST firmwareVersion %"PRIu64"\n", indent+2, "", source->firmwareVersion);
+ TSS_TPMU_ATTEST_Print(&source->attested, source->type, indent+2);
+ return;
+}
+
+#if 0 /* Removed because it required a large stack allocation. The utilities didn't use it, but
+ rather did the unmarshal and print themselves. */
+
+/* Table 127 - Definition of TPM2B_ATTEST Structure <OUT> */
+
+void TSS_TPM2B_ATTEST_Print(TPM2B_ATTEST *source, unsigned int indent)
+{
+ TPM_RC rc = 0;
+ TPMS_ATTEST attests;
+ uint32_t size;
+ uint8_t *buffer = NULL;
+
+ /* unmarshal the TPMS_ATTEST from the TPM2B_ATTEST */
+ if (rc == 0) {
+ buffer = source->t.attestationData;
+ size = source->t.size;
+ rc = TSS_TPMS_ATTEST_Unmarshalu(&attests, &buffer, &size);
+ }
+ if (rc == 0) {
+ TSS_TPMS_ATTEST_Print(&attests, indent+2);
+ }
+ else {
+ printf("%*s" "TPMS_ATTEST_Unmarshal failed\n", indent, "");
+ }
+ return;
+}
+#endif
+
+/* Table 128 - Definition of TPMS_AUTH_COMMAND Structure <IN> */
+
+void TSS_TPMS_AUTH_COMMAND_Print(TPMS_AUTH_COMMAND *source, unsigned int indent)
+{
+ TSS_TPM_HANDLE_Print("sessionHandle", source->sessionHandle, indent);
+ TSS_TPM2B_Print("TPMS_AUTH_COMMAND nonce", indent, &source->nonce.b);
+ TSS_TPMA_SESSION_Print(source->sessionAttributes, indent);
+ TSS_TPM2B_Print("TPMS_AUTH_COMMAND hmac", indent, &source->hmac.b);
+ return;
+}
+
+/* Table 129 - Definition of TPMS_AUTH_RESPONSE Structure <OUT> */
+
+void TSS_TPMS_AUTH_RESPONSE_Print(TPMS_AUTH_RESPONSE *source, unsigned int indent)
+{
+ TSS_PrintAlli("TPMS_AUTH_RESPONSE nonce", indent,
+ source->nonce.t.buffer,
+ source->nonce.t.size);
+ TSS_TPMA_SESSION_Print(source->sessionAttributes, indent);
+ TSS_TPM2B_Print("TPMS_AUTH_RESPONSE hmac", indent, &source->hmac.b);
+ return;
+}
+
+/* Table 130 - Definition of {!ALG.S} (TPM_KEY_BITS) TPMI_!ALG.S_KEY_BITS Type */
+
+void TSS_TPM_KEY_BITS_Print(TPM_KEY_BITS source, unsigned int indent)
+{
+ printf("%*s" "TPM_KEY_BITS %u\n", indent, "", source);
+ return;
+}
+
+/* Table 131 - Definition of TPMU_SYM_KEY_BITS Union */
+
+void TSS_TPMU_SYM_KEY_BITS_Print(TPMU_SYM_KEY_BITS *source, TPMI_ALG_SYM selector, unsigned int indent)
+{
+ switch (selector) {
+#ifdef TPM_ALG_AES
+ case TPM_ALG_AES:
+ TSS_TPM_KEY_BITS_Print(source->aes, indent);
+ break;
+#endif
+#ifdef TPM_ALG_SM4
+ case TPM_ALG_SM4:
+ TSS_TPM_KEY_BITS_Print(source->sm4, indent);
+ break;
+#endif
+#ifdef TPM_ALG_CAMELLIA
+ case TPM_ALG_CAMELLIA:
+ TSS_TPM_KEY_BITS_Print(source->camellia, indent);
+ break;
+#endif
+#ifdef TPM_ALG_XOR
+ case TPM_ALG_XOR:
+ TSS_TPM_ALG_ID_Print("xorr", source->xorr, indent);
+ break;
+#endif
+ default:
+ printf("%*s" "TPMI_ALG_SYM value %04hx unknown\n", indent, "", selector);
+ }
+
+ return;
+}
+
+/* Table 134 - Definition of TPMT_SYM_DEF Structure */
+
+void TSS_TPMT_SYM_DEF_Print(TPMT_SYM_DEF *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("algorithm", source->algorithm, indent);
+ TSS_TPMU_SYM_KEY_BITS_Print(&source->keyBits, source->algorithm, indent);
+ TSS_TPM_ALG_ID_Print("mode", source->mode.sym, indent);
+ return;
+}
+
+/* Table 135 - Definition of TPMT_SYM_DEF_OBJECT Structure */
+
+void TSS_TPMT_SYM_DEF_OBJECT_Print(TPMT_SYM_DEF_OBJECT *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("algorithm", source->algorithm, indent+2);
+ if (source->algorithm != TPM_ALG_NULL) {
+ printf("%*s" "keyBits: %u\n", indent+2, "", source->keyBits.sym);
+ TSS_TPM_ALG_ID_Print("mode", source->mode.sym, indent+2);
+ }
+ return;
+}
+
+/* Table 139 - Definition of TPMS_DERIVE Structure */
+
+void TSS_TPMS_DERIVE_Print(TPMS_DERIVE *source, unsigned int indent)
+{
+ TSS_TPM2B_Print("TPMS_DERIVE label", indent, &source->label.b);
+ TSS_TPM2B_Print("TPMS_DERIVE context", indent, &source->context.b);
+ return;
+}
+
+/* Table 143 - Definition of TPMS_SENSITIVE_CREATE Structure <IN> */
+
+void TSS_TPMS_SENSITIVE_CREATE_Print(TPMS_SENSITIVE_CREATE *source, unsigned int indent)
+{
+ TSS_TPM2B_Print("userAuth", indent, &source->userAuth.b);
+ TSS_TPM2B_Print("data", indent, &source->data.b);
+ return;
+}
+
+/* Table 144 - Definition of TPM2B_SENSITIVE_CREATE Structure <IN, S> */
+
+void TSS_TPM2B_SENSITIVE_CREATE_Print(const char *string, TPM2B_SENSITIVE_CREATE *source, unsigned int indent)
+{
+ printf("%*s" "%s\n", indent, "", string);
+ TSS_TPMS_SENSITIVE_CREATE_Print(&source->sensitive, indent+2);
+ return;
+}
+
+/* Table 146 - Definition of {ECC} TPMS_SCHEME_ECDAA Structure */
+
+void TSS_TPMS_SCHEME_ECDAA_Print(TPMS_SCHEME_ECDAA *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("hashAlg", source->hashAlg, indent+2);
+ printf("%*s" "TPMS_SCHEME_ECDAA count %u\n", indent+2, "", source->count);
+ return;
+}
+
+/* Table 149 - Definition of TPMS_SCHEME_XOR Structure */
+
+void TSS_TPMS_SCHEME_XOR_Print(TPMS_SCHEME_XOR *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("hashAlg", source->hashAlg, indent+2);
+ TSS_TPM_ALG_ID_Print("kdf", source->kdf, indent+2);
+ return;
+}
+
+/* Table 150 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
+
+void TSS_TPMU_SCHEME_KEYEDHASH_Print(TPMU_SCHEME_KEYEDHASH *source, TPMI_ALG_KEYEDHASH_SCHEME selector,
+ unsigned int indent)
+{
+ switch (selector) {
+#ifdef TPM_ALG_HMAC
+ case TPM_ALG_HMAC:
+ TSS_TPM_ALG_ID_Print("hmac", source->hmac.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_XOR
+ case TPM_ALG_XOR:
+ TSS_TPMS_SCHEME_XOR_Print(&source->xorr, indent+2);
+ break;
+#endif
+ default:
+ printf("%*s" "TPMU_SCHEME_KEYEDHASH selection %04hx not implemented\n", indent, "", selector);
+ }
+ return;
+}
+
+/* Table 151 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
+
+void TSS_TPMT_KEYEDHASH_SCHEME_Print(TPMT_KEYEDHASH_SCHEME *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("scheme", source->scheme, indent+2);
+ if (source->scheme != TPM_ALG_NULL) {
+ TSS_TPMU_SCHEME_KEYEDHASH_Print(&source->details, source->scheme, indent+2);
+ }
+ return;
+}
+
+/* Table 154 - Definition of TPMU_SIG_SCHEME Union <IN/OUT, S> */
+
+void TSS_TPMU_SIG_SCHEME_Print(TPMU_SIG_SCHEME *source, TPMI_ALG_SIG_SCHEME selector, unsigned int indent)
+{
+ switch (selector) {
+#ifdef TPM_ALG_RSASSA
+ case TPM_ALG_RSASSA:
+ TSS_TPM_ALG_ID_Print("rsassa", source->rsassa.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_RSAPSS
+ case TPM_ALG_RSAPSS:
+ TSS_TPM_ALG_ID_Print("rsapss", source->rsapss.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_ECDSA
+ case TPM_ALG_ECDSA:
+ TSS_TPM_ALG_ID_Print("ecdsa", source->ecdsa.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_ECDAA
+ case TPM_ALG_ECDAA:
+ TSS_TPMS_SCHEME_ECDAA_Print(&source->ecdaa, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_SM2
+ case TPM_ALG_SM2:
+ TSS_TPM_ALG_ID_Print("sm2", source->sm2.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ case TPM_ALG_ECSCHNORR:
+ TSS_TPM_ALG_ID_Print("ecSchnorr", source->ecSchnorr.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_HMAC
+ case TPM_ALG_HMAC:
+ TSS_TPM_ALG_ID_Print("hmac", source->hmac.hashAlg, indent+2);
+ break;
+#endif
+ default:
+ printf("%*s" "TPMU_SIG_SCHEME selection %04hx not implemented\n", indent, "", selector);
+ }
+ return;
+}
+
+/* Table " Definition", 155 - Definition of TPMT_SIG_SCHEME Structure */
+
+void TSS_TPMT_SIG_SCHEME_Print(TPMT_SIG_SCHEME *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("scheme", source->scheme, indent+2);
+ if (source->scheme != TPM_ALG_NULL) {
+ TSS_TPMU_SIG_SCHEME_Print(&source->details, source->scheme, indent+2);
+ }
+ return;
+}
+
+/* Table 160 - Definition of TPMT_KDF_SCHEME Structure */
+
+void TSS_TPMT_KDF_SCHEME_Print(TPMT_KDF_SCHEME *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("scheme", source->scheme, indent+2);
+ if (source->scheme != TPM_ALG_NULL) {
+ TSS_TPM_ALG_ID_Print("details", source->details.mgf1.hashAlg, indent+2);
+ }
+ return;
+}
+
+/* Table 162 - Definition of TPMU_ASYM_SCHEME Union */
+
+void TSS_TPMU_ASYM_SCHEME_Print(TPMU_ASYM_SCHEME *source, TPMI_ALG_ASYM_SCHEME selector, unsigned int indent)
+{
+ switch (selector) {
+#ifdef TPM_ALG_ECDH
+ case TPM_ALG_ECDH:
+ TSS_TPM_ALG_ID_Print("ecdh", source->ecdh.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_ECMQV
+ case TPM_ALG_ECMQV:
+ TSS_TPM_ALG_ID_Print("ecmqvh", source->ecmqvh.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_RSASSA
+ case TPM_ALG_RSASSA:
+ TSS_TPM_ALG_ID_Print("rsassa", source->rsassa.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_RSAPSS
+ case TPM_ALG_RSAPSS:
+ TSS_TPM_ALG_ID_Print("rsapss", source->rsapss.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_ECDSA
+ case TPM_ALG_ECDSA:
+ TSS_TPM_ALG_ID_Print("ecdsa", source->ecdsa.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_ECDAA
+ case TPM_ALG_ECDAA:
+ TSS_TPMS_SCHEME_ECDAA_Print(&source->ecdaa, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_SM2
+ case TPM_ALG_SM2:
+ TSS_TPM_ALG_ID_Print("sm2", source->sm2.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ case TPM_ALG_ECSCHNORR:
+ TSS_TPM_ALG_ID_Print("ecSchnorr", source->ecSchnorr.hashAlg, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_RSAES
+ case TPM_ALG_RSAES:
+ break;
+#endif
+#ifdef TPM_ALG_OAEP
+ case TPM_ALG_OAEP:
+ TSS_TPM_ALG_ID_Print("oaep", source->oaep.hashAlg, indent+2);
+ break;
+#endif
+ default:
+ printf("%*s" "TPMU_ASYM_SCHEME selection %04hx not implemented\n", indent, "", selector);
+ }
+ return;
+}
+
+/* Table 163 - Definition of TPMT_ASYM_SCHEME Structure <> */
+
+void TSS_TPMT_ASYM_SCHEME_Print(TPMT_ASYM_SCHEME *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("scheme", source->scheme, indent+2);
+ if (source->scheme != TPM_ALG_NULL) {
+ TSS_TPMU_ASYM_SCHEME_Print(&source->details, source->scheme, indent+2);
+ }
+ return;
+}
+
+/* Table 165 - Definition of {RSA} TPMT_RSA_SCHEME Structure */
+
+void TSS_TPMT_RSA_SCHEME_Print(TPMT_RSA_SCHEME *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("scheme", source->scheme, indent);
+ if (source->scheme != TPM_ALG_NULL) {
+ TSS_TPM_ALG_ID_Print("details", source->details.anySig.hashAlg, indent+2);
+ }
+ return;
+}
+
+/* Table 167 - Definition of {RSA} TPMT_RSA_DECRYPT Structure */
+
+void TSS_TPMT_RSA_DECRYPT_Print(TPMT_RSA_DECRYPT *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("scheme", source->scheme, indent+2);
+ if (source->scheme != TPM_ALG_NULL) {
+ TSS_TPMU_ASYM_SCHEME_Print(&source->details, source->scheme, indent+2);
+ }
+ return;
+}
+
+/* Table 169 - Definition of {RSA} (TPM_KEY_BITS) TPMI_RSA_KEY_BITS Type */
+
+void TSS_TPMI_RSA_KEY_BITS_Print(TPMI_RSA_KEY_BITS source, unsigned int indent)
+{
+ printf("%*s" "TPM_KEY_BITS keyBits: %u\n", indent, "", source);
+ return;
+}
+
+/* Table 172 - Definition of {ECC} TPMS_ECC_POINT Structure */
+
+void TSS_TPMS_ECC_POINT_Print(TPMS_ECC_POINT *source, unsigned int indent)
+{
+ TSS_TPM2B_Print("TPMS_ECC_POINT x", indent+2, &source->x.b);
+ TSS_TPM2B_Print("TPMS_ECC_POINT y", indent+2, &source->y.b);
+ return;
+}
+
+/* Table 173 - Definition of {ECC} TPM2B_ECC_POINT Structure */
+
+void TSS_TPM2B_ECC_POINT_Print(const char *string, TPM2B_ECC_POINT *source, unsigned int indent)
+{
+ printf("%*s" "%s\n", indent, "", string);
+ TSS_TPMS_ECC_POINT_Print(&source->point, indent);
+ return;
+}
+
+/* Table 175 - Definition of {ECC} (TPM_ECC_CURVE) TPMI_ECC_CURVE Type */
+
+void TSS_TPMI_ECC_CURVE_Print(const char *string, TPMI_ECC_CURVE source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+ case TPM_ECC_BN_P256:
+ printf("%s TPM_ECC_BN_P256\n", string);
+ break;
+ case TPM_ECC_NIST_P256:
+ printf("%s TPM_ECC_NIST_P256\n", string);
+ break;
+ case TPM_ECC_NIST_P384:
+ printf("%s TPM_ECC_NIST_P384\n", string);
+ break;
+ default:
+ printf("%s TPMI_ECC_CURVE %04hx unknown\n", string, source);
+ }
+ return;
+}
+
+/* Table 176 - Definition of (TPMT_SIG_SCHEME) {ECC} TPMT_ECC_SCHEME Structure */
+
+void TSS_TPMT_ECC_SCHEME_Print(TPMT_ECC_SCHEME *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("scheme", source->scheme, indent+2);
+ if (source->scheme != TPM_ALG_NULL) {
+ TSS_TPM_ALG_ID_Print("details", source->details.anySig.hashAlg, indent+2);
+ }
+ return;
+}
+
+/* Table 177 - Definition of {ECC} TPMS_ALGORITHM_DETAIL_ECC Structure <OUT> */
+
+void TSS_TPMS_ALGORITHM_DETAIL_ECC_Print(TPMS_ALGORITHM_DETAIL_ECC *source, unsigned int indent)
+{
+ TSS_TPM_ECC_CURVE_Print("curveID", source->curveID, indent+2);
+ printf("%*s" "TPMS_ALGORITHM_DETAIL_ECC keySize %u\n", indent+2, "", source->keySize);
+ TSS_TPMT_KDF_SCHEME_Print(&source->kdf, indent+2);
+ TSS_TPMT_ECC_SCHEME_Print(&source->sign, indent+2);
+ TSS_TPM2B_Print("TPMS_ALGORITHM_DETAIL_ECC p", indent, &source->p.b);
+ TSS_TPM2B_Print("TPMS_ALGORITHM_DETAIL_ECC a", indent, &source->a.b);
+ TSS_TPM2B_Print("TPMS_ALGORITHM_DETAIL_ECC b", indent, &source->b.b);
+ TSS_TPM2B_Print("TPMS_ALGORITHM_DETAIL_ECC gX", indent, &source->gX.b);
+ TSS_TPM2B_Print("TPMS_ALGORITHM_DETAIL_ECC gY", indent, &source->gY.b);
+ TSS_TPM2B_Print("TPMS_ALGORITHM_DETAIL_ECC n", indent, &source->n.b);
+ TSS_TPM2B_Print("TPMS_ALGORITHM_DETAIL_ECC h", indent, &source->h.b);
+ return;
+}
+
+/* Table 178 - Definition of {RSA} TPMS_SIGNATURE_RSA Structure */
+
+void TSS_TPMS_SIGNATURE_RSA_Print(TPMS_SIGNATURE_RSA *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("hash", source->hash, indent+2);
+ TSS_TPM2B_Print("TPMS_SIGNATURE_RSA sig", indent+2, &source->sig.b);
+ return;
+}
+
+/* Table 179 - Definition of Types for {RSA} Signature */
+
+void TSS_TPMS_SIGNATURE_RSASSA_Print(TPMS_SIGNATURE_RSASSA *source, unsigned int indent)
+{
+ TSS_TPMS_SIGNATURE_RSA_Print(source, indent+2);
+ return;
+}
+
+/* Table 180 - Definition of {ECC} TPMS_SIGNATURE_ECC Structure */
+
+void TSS_TPMS_SIGNATURE_ECC_Print(TPMS_SIGNATURE_ECC *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("hash", source->hash, indent);
+ TSS_TPM2B_Print("TPMS_SIGNATURE_ECC signatureR", indent, &source->signatureR.b);
+ TSS_TPM2B_Print("TPMS_SIGNATURE_ECC signatureS", indent, &source->signatureS.b);
+ return;
+}
+
+/* Table 182 - Definition of TPMU_SIGNATURE Union <IN/OUT, S> */
+
+void TSS_TPMU_SIGNATURE_Print(TPMU_SIGNATURE *source, TPMI_ALG_SIG_SCHEME selector, unsigned int indent)
+{
+ switch (selector) {
+#ifdef TPM_ALG_RSASSA
+ case TPM_ALG_RSASSA:
+ TSS_TPMS_SIGNATURE_RSA_Print(&source->rsassa, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_RSAPSS
+ case TPM_ALG_RSAPSS:
+ TSS_TPMS_SIGNATURE_RSA_Print(&source->rsapss, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_ECDSA
+ case TPM_ALG_ECDSA:
+ TSS_TPMS_SIGNATURE_ECC_Print(&source->ecdsa, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_ECDAA
+ case TPM_ALG_ECDAA:
+ TSS_TPMS_SIGNATURE_ECC_Print(&source->ecdaa, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_SM2
+ case TPM_ALG_SM2:
+ TSS_TPMS_SIGNATURE_ECC_Print(&source->sm2, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_ECSCHNORR
+ case TPM_ALG_ECSCHNORR:
+ TSS_TPMS_SIGNATURE_ECC_Print(&source->ecschnorr, indent+2);
+ break;
+#endif
+#ifdef TPM_ALG_HMAC
+ case TPM_ALG_HMAC:
+ TSS_TPMT_HA_Print(&source->hmac, indent+2);
+ break;
+#endif
+ default:
+ printf("%*s" "TPMU_SIGNATURE selection %04hx not implemented\n", indent, "", selector);
+
+ }
+}
+
+/* Table 183 - Definition of TPMT_SIGNATURE Structure */
+
+void TSS_TPMT_SIGNATURE_Print(TPMT_SIGNATURE *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("sigAlg", source->sigAlg, indent+2);
+ if (source->sigAlg != TPM_ALG_NULL) {
+ TSS_TPMU_SIGNATURE_Print(&source->signature, source->sigAlg, indent);
+ }
+ return;
+}
+
+/* Table 186 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
+
+void TSS_TPMI_ALG_PUBLIC_Print(const char *string, TPMI_ALG_PUBLIC source, unsigned int indent)
+{
+ printf("%*s", indent, "");
+ switch (source) {
+#ifdef TPM_ALG_KEYEDHASH
+ case TPM_ALG_KEYEDHASH:
+ printf("%s TPM_ALG_KEYEDHASH\n", string);
+ break;
+#endif
+#ifdef TPM_ALG_RSA
+ case TPM_ALG_RSA:
+ printf("%s TPM_ALG_RSA\n", string);
+ break;
+#endif
+#ifdef TPM_ALG_ECC
+ case TPM_ALG_ECC:
+ printf("%s TPM_ALG_ECC\n", string);
+ break;
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ case TPM_ALG_SYMCIPHER:
+ printf("%s TPM_ALG_SYMCIPHER\n", string);
+ break;
+#endif
+ default:
+ printf("%s selection %04hx not implemented\n", string, source);
+ }
+ return;
+}
+
+/* Table 187 - Definition of TPMU_PUBLIC_ID Union <IN/OUT, S> */
+
+void TSS_TPMU_PUBLIC_ID_Print(TPMU_PUBLIC_ID *source, TPMI_ALG_PUBLIC selector, unsigned int indent)
+{
+ switch (selector) {
+#ifdef TPM_ALG_KEYEDHASH
+ case TPM_ALG_KEYEDHASH:
+ TSS_TPM2B_Print("TPM_ALG_KEYEDHASH keyedHash", indent, &source->keyedHash.b);
+ break;
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ case TPM_ALG_SYMCIPHER:
+ TSS_TPM2B_Print("TPM_ALG_SYMCIPHER sym", indent, &source->sym.b);
+ break;
+#endif
+#ifdef TPM_ALG_RSA
+ case TPM_ALG_RSA:
+ TSS_TPM2B_Print("TPM_ALG_RSA rsa", indent, &source->rsa.b);
+ break;
+#endif
+#ifdef TPM_ALG_ECC
+ case TPM_ALG_ECC:
+ TSS_TPM2B_Print("TPM_ALG_ECC x", indent, &source->ecc.x.b);
+ TSS_TPM2B_Print("TPM_ALG_ECC y", indent, &source->ecc.y.b);
+ break;
+#endif
+ default:
+ printf("%*s" "TPMU_PUBLIC_ID_Print: selection %04hx not implemented\n", indent, "", selector);
+ }
+ return;
+}
+
+/* Table 188 - Definition of TPMS_KEYEDHASH_PARMS Structure */
+
+void TSS_TPMS_KEYEDHASH_PARMS_Print(TPMS_KEYEDHASH_PARMS *source, unsigned int indent)
+{
+ TSS_TPMT_KEYEDHASH_SCHEME_Print(&source->scheme, indent);
+ return;
+}
+
+/* Table 189 - Definition of TPMS_ASYM_PARMS Structure <> */
+
+void TSS_TPMS_ASYM_PARMS_Print(TPMS_ASYM_PARMS *source, unsigned int indent)
+{
+ TSS_TPMT_SYM_DEF_OBJECT_Print(&source->symmetric, indent+2);
+ TSS_TPMT_ASYM_SCHEME_Print(&source->scheme, indent+2);
+ return;
+}
+
+/* Table 190 - Definition of {RSA} TPMS_RSA_PARMS Structure */
+
+void TSS_TPMS_RSA_PARMS_Print(TPMS_RSA_PARMS *source, unsigned int indent)
+{
+ TSS_TPMT_SYM_DEF_OBJECT_Print(&source->symmetric, indent);
+ TSS_TPMT_RSA_SCHEME_Print(&source->scheme, indent);
+ TSS_TPMI_RSA_KEY_BITS_Print(source->keyBits, indent);
+ printf("%*s" "TPMS_RSA_PARMS exponent %08x\n", indent, "", source->exponent);
+ return;
+}
+
+/* Table 191 - Definition of {ECC} TPMS_ECC_PARMS Structure */
+
+void TSS_TPMS_ECC_PARMS_Print(TPMS_ECC_PARMS *source, unsigned int indent)
+{
+ TSS_TPMT_SYM_DEF_OBJECT_Print(&source->symmetric, indent);
+ TSS_TPMT_ECC_SCHEME_Print(&source->scheme, indent);
+ TSS_TPMI_ECC_CURVE_Print("curveID", source->curveID, indent);
+ TSS_TPMT_KDF_SCHEME_Print(&source->kdf, indent);
+ return;
+}
+
+/* Table 192 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
+
+void TSS_TPMU_PUBLIC_PARMS_Print(TPMU_PUBLIC_PARMS *source, uint32_t selector, unsigned int indent)
+{
+ switch (selector) {
+ case TPM_ALG_KEYEDHASH:
+ printf("%*s" "TPMU_PUBLIC_PARMS keyedHashDetail\n", indent, "");
+ TSS_TPMS_KEYEDHASH_PARMS_Print(&source->keyedHashDetail, indent);
+ break;
+#if 0
+ case TPM_ALG_SYMCIPHER:
+ printf("%*s" "TPMU_PUBLIC_PARMS symDetail\n", indent, "");
+ TSS_TPMS_SYMCIPHER_PARMS_Print(&source->symDetail, indent);
+ break;
+#endif
+#ifdef TPM_ALG_RSA
+ case TPM_ALG_RSA:
+ printf("%*s" "TPMU_PUBLIC_PARMS rsaDetail\n", indent, "");
+ TSS_TPMS_RSA_PARMS_Print(&source->rsaDetail, indent);
+ break;
+#endif
+#ifdef TPM_ALG_ECC
+ case TPM_ALG_ECC:
+ printf("%*s" "TPMU_PUBLIC_PARMS eccDetail\n", indent, "");
+ TSS_TPMS_ECC_PARMS_Print(&source->eccDetail, indent);
+ break;
+#endif
+ default:
+ printf("%*s" "TPMU_PUBLIC_PARMS: selector %04x not implemented\n", indent, "", selector);
+ }
+ return;
+}
+
+/* Table 193 - Definition of TPMT_PUBLIC_PARMS Structure */
+
+void TSS_TPMT_PUBLIC_PARMS_Print(TPMT_PUBLIC_PARMS *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("type", source->type, indent);
+ TSS_TPMU_PUBLIC_PARMS_Print(&source->parameters, source->type, indent);
+ return;
+}
+/* Table 194 - Definition of TPMT_PUBLIC Structure */
+
+void TSS_TPMT_PUBLIC_Print(TPMT_PUBLIC *source, unsigned int indent)
+{
+ TSS_TPMI_ALG_PUBLIC_Print("type", source->type, indent);
+ TSS_TPM_ALG_ID_Print("nameAlg", source->nameAlg, indent);
+ TSS_TPMA_OBJECT_Print("objectAttributes", source->objectAttributes, indent);
+ TSS_TPM2B_Print("authPolicy", indent, &source->authPolicy.b);
+ TSS_TPMU_PUBLIC_PARMS_Print(&source->parameters, source->type, indent);
+ TSS_TPMU_PUBLIC_ID_Print(&source->unique, source->type, indent);
+ return;
+}
+
+/* Table 195 - Definition of TPM2B_PUBLIC Structure */
+
+void TSS_TPM2B_PUBLIC_Print(const char *string, TPM2B_PUBLIC *source, unsigned int indent)
+{
+ printf("%*s" "%s\n", indent, "", string);
+ TSS_TPMT_PUBLIC_Print(&source->publicArea, indent+2);
+ return;
+}
+
+/* Table 198 - Definition of TPMU_SENSITIVE_COMPOSITE Union <IN/OUT, S> */
+
+void TSS_TPMU_SENSITIVE_COMPOSITE_Print(TPMU_SENSITIVE_COMPOSITE *source, uint32_t selector, unsigned int indent)
+{
+ switch (selector) {
+#ifdef TPM_ALG_RSA
+ case TPM_ALG_RSA:
+ TSS_TPM2B_Print("TPMU_SENSITIVE_COMPOSITE rsa", indent+2, &source->rsa.b);
+ break;
+#endif
+#ifdef TPM_ALG_ECC
+ case TPM_ALG_ECC:
+ TSS_TPM2B_Print("TPMU_SENSITIVE_COMPOSITE ecc", indent+2, &source->ecc.b);
+ break;
+#endif
+#ifdef TPM_ALG_KEYEDHASH
+ case TPM_ALG_KEYEDHASH:
+ TSS_TPM2B_Print("TPMU_SENSITIVE_COMPOSITE bits", indent+2, &source->bits.b);
+ break;
+#endif
+#ifdef TPM_ALG_SYMCIPHER
+ case TPM_ALG_SYMCIPHER:
+ TSS_TPM2B_Print("TPMU_SENSITIVE_COMPOSITE sym", indent+2, &source->sym.b);
+ break;
+#endif
+ default:
+ printf("%*s" "TPMU_SENSITIVE_COMPOSITE: selection %08x not implemented \n", indent+2, "", selector);
+ }
+ return;
+}
+
+/* Table 199 - Definition of TPMT_SENSITIVE Structure */
+
+void TSS_TPMT_SENSITIVE_Print(TPMT_SENSITIVE *source, unsigned int indent)
+{
+ TSS_TPM_ALG_ID_Print("sensitiveType", source->sensitiveType, indent+2);
+ TSS_TPM2B_Print("TPMT_SENSITIVE authValue", indent+2, &source->authValue.b);
+ TSS_TPM2B_Print("TPMT_SENSITIVE seedValue", indent+2, &source->seedValue.b);
+ TSS_TPMU_SENSITIVE_COMPOSITE_Print(&source->sensitive, source->sensitiveType, indent+2);
+ return;
+}
+
+/* Table 200 - Definition of TPM2B_SENSITIVE Structure <IN/OUT> */
+
+void TSS_TPM2B_SENSITIVE_Print(TPM2B_SENSITIVE *source, unsigned int indent)
+{
+ printf("%*s" "TPM2B_SENSITIVE size %u\n", indent+2, "", source->t.size);
+ if (source->t.size != 0) {
+ TSS_TPMT_SENSITIVE_Print(&source->t.sensitiveArea, indent+2);
+ }
+ return;
+}
+
+/* Table 207 - Definition of TPMS_NV_PIN_COUNTER_PARAMETERS Structure */
+
+void TSS_TPMS_NV_PIN_COUNTER_PARAMETERS_Print(TPMS_NV_PIN_COUNTER_PARAMETERS *source, unsigned int indent)
+{
+ printf("%*s" "pinCount %u\n", indent+2, "", source->pinCount);
+ printf("%*s" "pinLimit %u\n", indent+2, "", source->pinLimit);
+ return;
+}
+
+/* Table 208 - Definition of (UINT32) TPMA_NV Bits */
+
+void TSS_TPMA_NV_Print(TPMA_NV source, unsigned int indent)
+{
+ uint32_t nvType;
+
+ if (source.val & TPMA_NVA_PPWRITE) printf("%*s" "TPMA_NV_PPWRITE\n", indent, "");
+ if (source.val & TPMA_NVA_OWNERWRITE) printf("%*s" "TPMA_NV_OWNERWRITE\n", indent, "");
+ if (source.val & TPMA_NVA_AUTHWRITE) printf("%*s" "TPMA_NV_AUTHWRITE\n", indent, "");
+ if (source.val & TPMA_NVA_POLICYWRITE) printf("%*s" "TPMA_NV_POLICYWRITE\n", indent, "");
+
+ nvType = (source.val & TPMA_NVA_TPM_NT_MASK) >> 4;
+ switch (nvType) {
+ case TPM_NT_ORDINARY:
+ printf("%*s" "TPM_NT_ORDINARY\n", indent, "");
+ break;
+ case TPM_NT_COUNTER:
+ printf("%*s" "TPM_NT_COUNTER\n", indent, "");
+ break;
+ case TPM_NT_BITS:
+ printf("%*s" "TPM_NT_COUNTER\n", indent, "");
+ break;
+ case TPM_NT_EXTEND:
+ printf("%*s" "TPM_NT_EXTEND\n", indent, "");
+ break;
+ case TPM_NT_PIN_FAIL:
+ printf("%*s" "TPM_NT_PIN_FAIL\n", indent, "");
+ break;
+ case TPM_NT_PIN_PASS:
+ printf("%*s" "TPM_NT_PIN_PASS\n", indent, "");
+ break;
+ default:
+ printf("%*s" "TPMA_NV type %02x unknown\n", indent, "", nvType);
+ }
+
+ if (source.val & TPMA_NVA_POLICY_DELETE) printf("%*s" "TPMA_NV_POLICY_DELETE\n", indent, "");
+ if (source.val & TPMA_NVA_WRITELOCKED) printf("%*s" "TPMA_NV_WRITELOCKED\n", indent, "");
+ if (source.val & TPMA_NVA_WRITEALL) printf("%*s" "TPMA_NV_WRITEALL\n", indent, "");
+ if (source.val & TPMA_NVA_WRITEDEFINE) printf("%*s" "TPMA_NV_WRITEDEFINE\n", indent, "");
+ if (source.val & TPMA_NVA_WRITE_STCLEAR) printf("%*s" "TPMA_NV_WRITE_STCLEAR\n", indent, "");
+ if (source.val & TPMA_NVA_GLOBALLOCK) printf("%*s" "TPMA_NV_GLOBALLOCK\n", indent, "");
+ if (source.val & TPMA_NVA_PPREAD) printf("%*s" "TPMA_NV_PPREAD\n", indent, "");
+ if (source.val & TPMA_NVA_OWNERREAD) printf("%*s" "TPMA_NV_OWNERREAD\n", indent, "");
+ if (source.val & TPMA_NVA_AUTHREAD) printf("%*s" "TPMA_NV_AUTHREAD\n", indent, "");
+ if (source.val & TPMA_NVA_POLICYREAD) printf("%*s" "TPMA_NV_POLICYREAD\n", indent, "");
+ if (source.val & TPMA_NVA_NO_DA) printf("%*s" "TPMA_NV_NO_DA\n", indent, "");
+ if (source.val & TPMA_NVA_ORDERLY) printf("%*s" "TPMA_NV_ORDERLY\n", indent, "");
+ if (source.val & TPMA_NVA_CLEAR_STCLEAR) printf("%*s" "TPMA_NV_CLEAR_STCLEAR\n", indent, "");
+ if (source.val & TPMA_NVA_READLOCKED) printf("%*s" "TPMA_NV_READLOCKED\n", indent, "");
+ if (source.val & TPMA_NVA_WRITTEN) printf("%*s" "TPMA_NV_WRITTEN\n", indent, "");
+ if (source.val & TPMA_NVA_PLATFORMCREATE) printf("%*s" "TPMA_NV_PLATFORMCREATE\n", indent, "");
+ if (source.val & TPMA_NVA_READ_STCLEAR) printf("%*s" "TPMA_NV_READ_STCLEAR\n", indent, "");
+ return;
+}
+
+/* Table 209 - Definition of TPMS_NV_PUBLIC Structure */
+
+void TSS_TPMS_NV_PUBLIC_Print(TPMS_NV_PUBLIC *source, unsigned int indent)
+{
+ printf("%*s" "TPMS_NV_PUBLIC nvIndex %08x\n", indent+2, "", source->nvIndex);
+ TSS_TPM_ALG_ID_Print("nameAlg", source->nameAlg, indent+2);
+ TSS_TPMA_NV_Print(source->attributes, indent+2);
+ TSS_TPM2B_Print("TPMS_NV_PUBLIC authPolicy", indent+2, &source->authPolicy.b);
+ printf("%*s" "TPMS_NV_PUBLIC dataSize %u\n", indent+2, "", source->dataSize);
+ return;
+}
+
+/* Table 210 - Definition of TPM2B_NV_PUBLIC Structure */
+
+void TSS_TPM2B_NV_PUBLIC_Print(TPM2B_NV_PUBLIC *source, unsigned int indent)
+{
+ TSS_TPMS_NV_PUBLIC_Print(&source->nvPublic, indent+2);
+ return;
+}
+
+/* Table 212 - Definition of TPMS_CONTEXT_DATA Structure <IN/OUT, S> */
+
+void TSS_TPMS_CONTEXT_DATA_Print(TPMS_CONTEXT_DATA *source, unsigned int indent)
+{
+ TSS_TPM2B_Print("TPMS_CONTEXT_DATA integrity", indent+2, &source->integrity.b);
+ TSS_TPM2B_Print("TPMS_CONTEXT_DATA encrypted", indent+2, &source->encrypted.b);
+ return;
+}
+
+/* Table 214 - Definition of TPMS_CONTEXT Structure */
+
+void TSS_TPMS_CONTEXT_Print(TPMS_CONTEXT *source, unsigned int indent)
+{
+ printf("%*s" "TPMS_CONTEXT sequence %"PRIu64"\n", indent+2, "", source->sequence);
+ TSS_TPM_HANDLE_Print("savedHandle", source->savedHandle, indent+2);
+ TSS_TPM_HANDLE_Print("hierarchy", source->hierarchy, indent+2);
+ TSS_TPM2B_Print("TPMS_CONTEXT contextBlob", indent+2, &source->contextBlob.b);
+ return;
+}
+
+/* Table 216 - Definition of TPMS_CREATION_DATA Structure <OUT> */
+
+void TSS_TPMS_CREATION_DATA_Print(TPMS_CREATION_DATA *source, unsigned int indent)
+{
+ TSS_TPML_PCR_SELECTION_Print(&source->pcrSelect, indent+2);
+ TSS_TPM2B_Print("TPMS_CREATION_DATA pcrDigest", indent+2, &source->pcrDigest.b);
+ TSS_TPMA_LOCALITY_Print(source->locality, indent+2);
+ TSS_TPM_ALG_ID_Print("parentNameAlg", source->parentNameAlg, indent+2);
+ TSS_TPM2B_Print("TPMS_CREATION_DATA parentName", indent+2, &source->parentName.b);
+ TSS_TPM2B_Print("TPMS_CREATION_DATA parentQualifiedName", indent+2, &source->parentQualifiedName.b);
+ TSS_TPM2B_Print("TPMS_CREATION_DATA outsideInfo", indent+2, &source->outsideInfo.b);
+return;
+}
+
+/* Table 217 - Definition of TPM2B_CREATION_DATA Structure <OUT> */
+
+void TSS_TPM2B_CREATION_DATA_Print(TPM2B_CREATION_DATA *source, unsigned int indent)
+{
+ printf("%*s" "TPM2B_CREATION_DATA size %u\n", indent+2, "", source->size);
+ TSS_TPMS_CREATION_DATA_Print(&source->creationData, indent+2);
+ return;
+}
+
+#endif /* TPM_TPM20 */
+
+#endif /* TPM_TSS_NO_PRINT */
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssprintcmd.c b/libstb/tss2/ibmtpm20tss/utils/tssprintcmd.c
new file mode 100644
index 0000000..45da7e1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssprintcmd.c
@@ -0,0 +1,920 @@
+/********************************************************************************/
+/* */
+/* Command Print Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2018 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdint.h>
+#include <stdio.h>
+#include <inttypes.h>
+
+#include <ibmtss/tssprintcmd.h>
+
+void ActivateCredential_In_Print(ActivateCredential_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ActivateCredential\n", indent, "");
+ TSS_TPM_HANDLE_Print("activateHandle", in->activateHandle, indent);
+ TSS_TPM_HANDLE_Print("keyHandle", in->keyHandle, indent);
+ TSS_TPM2B_Print("credentialBlob", indent, &in->credentialBlob.b);
+ TSS_TPM2B_Print("TPM2B_ENCRYPTED_SECRET secret", indent, &in->secret.b);
+ return;
+}
+void CertifyCreation_In_Print(CertifyCreation_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_CertifyCreation\n", indent, "");
+ TSS_TPM_HANDLE_Print("signHandle", in->signHandle, indent);
+ TSS_TPM_HANDLE_Print("objectHandle", in->objectHandle, indent);
+ TSS_TPM2B_Print("qualifyingData", indent, &in->qualifyingData.b);
+ TSS_TPM2B_Print("creationHash", indent, &in->creationHash.b);
+ printf("%*s" "inScheme\n", indent, "");
+ TSS_TPMT_SIG_SCHEME_Print(&in->inScheme, indent);
+ printf("%*s" "creationTicket\n", indent, "");
+ TSS_TPMT_TK_CREATION_Print(&in->creationTicket, indent+2);
+ return;
+}
+void Certify_In_Print(Certify_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Certify\n", indent, "");
+ TSS_TPM_HANDLE_Print("objectHandle", in->objectHandle, indent);
+ TSS_TPM_HANDLE_Print("signHandle", in->signHandle, indent);
+ TSS_TPM2B_Print("qualifyingData", indent, &in->qualifyingData.b);
+ printf("%*s" "inScheme\n", indent, "");
+ TSS_TPMT_SIG_SCHEME_Print(&in->inScheme, indent);
+ return;
+}
+void CertifyX509_In_Print(CertifyX509_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_CertifyX509\n", indent, "");
+ TSS_TPM_HANDLE_Print("objectHandle", in->objectHandle, indent);
+ TSS_TPM_HANDLE_Print("signHandle", in->signHandle, indent);
+ TSS_TPM2B_Print("reserved", indent, &in->reserved.b);
+ printf("%*s" "inScheme\n", indent, "");
+ TSS_TPMT_SIG_SCHEME_Print(&in->inScheme, indent);
+ TSS_TPM2B_Print("partialCertificate", indent, &in->partialCertificate.b);
+ return;
+}
+void ChangeEPS_In_Print(ChangeEPS_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ChangeEPS\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ return;
+}
+void ChangePPS_In_Print(ChangePPS_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ChangePPS\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ return;
+}
+void ClearControl_In_Print(ClearControl_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ClearControl\n", indent, "");
+ TSS_TPM_HANDLE_Print("auth", in->auth, indent);
+ TSS_TPMI_YES_NO_Print("disable", in->disable, indent);
+ return;
+}
+void Clear_In_Print(Clear_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Clear\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ return;
+}
+void ClockRateAdjust_In_Print(ClockRateAdjust_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ClockRateAdjust\n", indent, "");
+ TSS_TPM_HANDLE_Print("auth", in->auth, indent);
+ TSS_TPM_CLOCK_ADJUST_Print("rateAdjust", in->rateAdjust, indent);
+ return;
+}
+void ClockSet_In_Print(ClockSet_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ClockSet\n", indent, "");
+ TSS_TPM_HANDLE_Print("auth", in->auth, indent);
+ printf("%*s" "newTime %"PRIu64"\n", indent, "", in->newTime);
+ return;
+}
+void Commit_In_Print(Commit_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Commit\n", indent, "");
+ TSS_TPM_HANDLE_Print("signHandle", in->signHandle, indent);
+ TSS_TPM2B_ECC_POINT_Print("P1", &in->P1, indent);
+ TSS_TPM2B_Print("s2", indent, &in->s2.b);
+ TSS_TPM2B_Print("y2", indent, &in->y2.b);
+ return;
+}
+void ContextLoad_In_Print(ContextLoad_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ContextLoad\n", indent, "");
+ TSS_TPMS_CONTEXT_Print(&in->context, indent);
+ return;
+}
+void ContextSave_In_Print(ContextSave_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ContextSave\n", indent, "");
+ TSS_TPM_HANDLE_Print("saveHandle", in->saveHandle, indent);
+ return;
+}
+void Create_In_Print(Create_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Create\n", indent, "");
+ TSS_TPM_HANDLE_Print("parentHandle", in->parentHandle, indent);
+ TSS_TPM2B_SENSITIVE_CREATE_Print("inSensitive", &in->inSensitive, indent);
+ TSS_TPM2B_PUBLIC_Print("inPublic", &in->inPublic, indent);
+ TSS_TPM2B_Print("outsideInfo", indent, &in->outsideInfo.b);
+ TSS_TPML_PCR_SELECTION_Print(&in->creationPCR, indent);
+ return;
+}
+void CreateLoaded_In_Print(CreateLoaded_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_CreateLoaded\n", indent, "");
+ TSS_TPM_HANDLE_Print("parentHandle", in->parentHandle, indent);
+ TSS_TPM2B_SENSITIVE_CREATE_Print("inSensitive", &in->inSensitive, indent);
+ TSS_TPM2B_Print("inPublic", indent, &in->inPublic.b);
+ return;
+}
+void CreatePrimary_In_Print(CreatePrimary_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_CreatePrimary\n", indent, "");
+ TSS_TPM_HANDLE_Print("primaryHandle", in->primaryHandle, indent);
+ TSS_TPM2B_SENSITIVE_CREATE_Print("inSensitive", &in->inSensitive, indent);
+ TSS_TPM2B_PUBLIC_Print("inPublic", &in->inPublic, indent);
+ TSS_TPM2B_Print("outsideInfo", indent, &in->outsideInfo.b);
+ TSS_TPML_PCR_SELECTION_Print(&in->creationPCR, indent);
+ return;
+}
+void DictionaryAttackLockReset_In_Print(DictionaryAttackLockReset_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_DictionaryAttackLockReset\n", indent, "");
+ TSS_TPM_HANDLE_Print("lockHandle", in->lockHandle, indent);
+ return;
+}
+void DictionaryAttackParameters_In_Print(DictionaryAttackParameters_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_DictionaryAttackParameters\n", indent, "");
+ TSS_TPM_HANDLE_Print("lockHandle", in->lockHandle, indent);
+ printf("%*s" "newMaxTries %u\n", indent, "", in->newMaxTries);
+ printf("%*s" "newRecoveryTime %u\n", indent, "", in->newRecoveryTime);
+ printf("%*s" "lockoutRecovery %u\n", indent, "", in->lockoutRecovery);
+ return;
+}
+void Duplicate_In_Print(Duplicate_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Duplicate\n", indent, "");
+ TSS_TPM_HANDLE_Print("objectHandle", in->objectHandle, indent);
+ TSS_TPM_HANDLE_Print("newParentHandle", in->newParentHandle, indent);
+ TSS_TPM2B_Print("encryptionKeyIn", indent, &in->encryptionKeyIn.b);
+ printf("%*s" "symmetricAlg\n", indent, "");
+ TSS_TPMT_SYM_DEF_OBJECT_Print(&in->symmetricAlg, indent);
+ return;
+}
+void ECC_Parameters_In_Print(ECC_Parameters_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ECC_Parameters\n", indent, "");
+ TSS_TPMI_ECC_CURVE_Print("curveID", in->curveID, indent);
+ return;
+}
+void ECDH_KeyGen_In_Print(ECDH_KeyGen_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ECDH_KeyGen\n", indent, "");
+ TSS_TPM_HANDLE_Print("keyHandle", in->keyHandle, indent);
+ return;
+}
+void ECDH_ZGen_In_Print(ECDH_ZGen_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ECDH_ZGen\n", indent, "");
+ TSS_TPM_HANDLE_Print("keyHandle", in->keyHandle, indent);
+ TSS_TPM2B_ECC_POINT_Print("inPoint", &in->inPoint, indent);
+ return;
+}
+void EC_Ephemeral_In_Print(EC_Ephemeral_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_EC_Ephemeral\n", indent, "");
+ TSS_TPMI_ECC_CURVE_Print("curveID", in->curveID, indent);
+ return;
+}
+void EncryptDecrypt_In_Print(EncryptDecrypt_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_EncryptDecrypt\n", indent, "");
+ TSS_TPM_HANDLE_Print("keyHandle", in->keyHandle, indent);
+ TSS_TPMI_YES_NO_Print("decrypt", in->decrypt, indent);
+ TSS_TPM_ALG_ID_Print("mode", in->mode, indent);
+ TSS_TPM2B_Print("ivIn", indent, &in->ivIn.b);
+ TSS_TPM2B_Print("inData", indent, &in->inData.b);
+ return;
+}
+void EncryptDecrypt2_In_Print(EncryptDecrypt2_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_EncryptDecrypt2\n", indent, "");
+ TSS_TPM_HANDLE_Print("keyHandle", in->keyHandle, indent);
+ TSS_TPM2B_Print("inData", indent, &in->inData.b);
+ TSS_TPMI_YES_NO_Print("decrypt", in->decrypt, indent);
+ TSS_TPM_ALG_ID_Print("mode", in->mode, indent);
+ TSS_TPM2B_Print("ivIn", indent, &in->ivIn.b);
+ return;
+}
+void EventSequenceComplete_In_Print(EventSequenceComplete_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_EventSequenceComplete\n", indent, "");
+ TSS_TPM_HANDLE_Print("pcrHandle", in->pcrHandle, indent);
+ TSS_TPM_HANDLE_Print("sequenceHandle", in->sequenceHandle, indent);
+ TSS_TPM2B_Print("buffer", indent, &in->buffer.b);
+ return;
+}
+void EvictControl_In_Print(EvictControl_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_EvictControl\n", indent, "");
+ TSS_TPM_HANDLE_Print("auth", in->auth, indent);
+ TSS_TPM_HANDLE_Print("objectHandle", in->objectHandle, indent);
+ TSS_TPM_HANDLE_Print("persistentHandle", in->persistentHandle, indent);
+ return;
+}
+void FlushContext_In_Print(FlushContext_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_FlushContext\n", indent, "");
+ TSS_TPM_HANDLE_Print("flushHandle", in->flushHandle, indent);
+ return;
+}
+void GetCapability_In_Print(GetCapability_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_GetCapability\n", indent, "");
+ TSS_TPM_CAP_Print("capability", in->capability, indent);
+ printf("%*s" "property %08x\n", indent, "", in->property);
+ printf("%*s" "propertyCount %u\n", indent, "", in->propertyCount);
+ return;
+}
+void GetCommandAuditDigest_In_Print(GetCommandAuditDigest_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_GetCommandAuditDigest\n", indent, "");
+ TSS_TPM_HANDLE_Print("privacyHandle", in->privacyHandle, indent);
+ TSS_TPM_HANDLE_Print("signHandle", in->signHandle, indent);
+ TSS_TPM2B_Print("qualifyingData", indent, &in->qualifyingData.b);
+ printf("%*s" "inScheme\n", indent, "");
+ TSS_TPMT_SIG_SCHEME_Print(&in->inScheme, indent);
+ return;
+}
+void GetRandom_In_Print(GetRandom_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_GetRandom\n", indent, "");
+ printf("%*s" "bytesRequested %u\n", indent, "", in->bytesRequested);
+ return;
+}
+void GetSessionAuditDigest_In_Print(GetSessionAuditDigest_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_GetSessionAuditDigest\n", indent, "");
+ TSS_TPM_HANDLE_Print("privacyAdminHandle", in->privacyAdminHandle, indent);
+ TSS_TPM_HANDLE_Print("signHandle", in->signHandle, indent);
+ TSS_TPM_HANDLE_Print("sessionHandle", in->sessionHandle, indent);
+ TSS_TPM2B_Print("qualifyingData", indent, &in->qualifyingData.b);
+ printf("%*s" "inScheme\n", indent, "");
+ TSS_TPMT_SIG_SCHEME_Print(&in->inScheme, indent);
+ return;
+}
+void GetTime_In_Print(GetTime_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_GetTime\n", indent, "");
+ TSS_TPM_HANDLE_Print("privacyAdminHandle", in->privacyAdminHandle, indent);
+ TSS_TPM_HANDLE_Print("signHandle", in->signHandle, indent);
+ TSS_TPM2B_Print("qualifyingData", indent, &in->qualifyingData.b);
+ printf("%*s" "inScheme\n", indent, "");
+ TSS_TPMT_SIG_SCHEME_Print(&in->inScheme, indent);
+ return;
+}
+void HMAC_Start_In_Print(HMAC_Start_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_HMAC_Start\n", indent, "");
+ TSS_TPM_HANDLE_Print("handle", in->handle, indent);
+ TSS_TPM2B_Print("auth", indent, &in->auth.b);
+ TSS_TPM_ALG_ID_Print("hashAlg", in->hashAlg, indent);
+ return;
+}
+void HMAC_In_Print(HMAC_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_HMAC\n", indent, "");
+ TSS_TPM_HANDLE_Print("handle", in->handle, indent);
+ TSS_TPM2B_Print("buffer", indent, &in->buffer.b);
+ TSS_TPM_ALG_ID_Print("hashAlg", in->hashAlg, indent);
+ return;
+}
+void HashSequenceStart_In_Print(HashSequenceStart_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_HashSequenceStart\n", indent, "");
+ TSS_TPM2B_Print("auth", indent, &in->auth.b);
+ TSS_TPM_ALG_ID_Print("hashAlg", in->hashAlg, indent);
+ return;
+}
+void Hash_In_Print(Hash_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Hash\n", indent, "");
+ TSS_TPM2B_Print("data", indent, &in->data.b);
+ TSS_TPM_ALG_ID_Print("hashAlg", in->hashAlg, indent);
+ TSS_TPM_HANDLE_Print("hierarchy", in->hierarchy, indent);
+ return;
+}
+void HierarchyChangeAuth_In_Print(HierarchyChangeAuth_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_HierarchyChangeAuth\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM2B_Print("newAuth", indent, &in->newAuth.b);
+ return;
+}
+void HierarchyControl_In_Print(HierarchyControl_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_HierarchyControl\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("enable", in->enable, indent);
+ TSS_TPMI_YES_NO_Print("state", in->state, indent);
+ return;
+}
+void Import_In_Print(Import_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Import\n", indent, "");
+ TSS_TPM_HANDLE_Print("parentHandle", in->parentHandle, indent);
+ TSS_TPM2B_Print("encryptionKey", indent, &in->encryptionKey.b);
+ TSS_TPM2B_PUBLIC_Print("objectPublic", &in->objectPublic, indent);
+ TSS_TPM2B_Print("duplicate", indent, &in->duplicate.b);
+ TSS_TPM2B_Print("inSymSeed", indent, &in->inSymSeed.b);
+ printf("%*s" "symmetricAlg\n", indent, "");
+ TSS_TPMT_SYM_DEF_OBJECT_Print(&in->symmetricAlg, indent);
+ return;
+}
+void IncrementalSelfTest_In_Print(IncrementalSelfTest_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_IncrementalSelfTest\n", indent, "");
+ TSS_TPML_ALG_Print(&in->toTest, indent);
+ return;
+}
+void LoadExternal_In_Print(LoadExternal_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_LoadExternal\n", indent, "");
+ if (in->inPrivate.t.size != 0) { /* if there is a private area */
+ TSS_TPMT_SENSITIVE_Print(&in->inPrivate.t.sensitiveArea, indent);
+ }
+ TSS_TPM2B_PUBLIC_Print("inPublic", &in->inPublic, indent);
+ TSS_TPM_HANDLE_Print("hierarchy", in->hierarchy, indent);
+ return;
+}
+void Load_In_Print(Load_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Load\n", indent, "");
+ TSS_TPM_HANDLE_Print("parentHandle", in->parentHandle, indent);
+ TSS_TPM2B_Print("inPrivate", indent, &in->inPrivate.b);
+ TSS_TPM2B_PUBLIC_Print("inPublic", &in->inPublic, indent);
+ return;
+}
+void MakeCredential_In_Print(MakeCredential_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_MakeCredential\n", indent, "");
+ TSS_TPM_HANDLE_Print("handle", in->handle, indent);
+ TSS_TPM2B_Print("credential", indent, &in->credential.b);
+ TSS_TPM2B_Print("objectName", indent, &in->objectName.b);
+ return;
+}
+#if 0
+void NTC2_PreConfig_In_Print(NTC2_PreConfig_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NTC2_PreConfig\n", indent, "");
+ NTC2_CFG_STRUCT preConfig;
+ return;
+}
+#endif
+void NV_Certify_In_Print(NV_Certify_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_Certify\n", indent, "");
+ TSS_TPM_HANDLE_Print("signHandle", in->signHandle, indent);
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ TSS_TPM2B_Print("qualifyingData", indent, &in->qualifyingData.b);
+ printf("%*s" "inScheme\n", indent, "");
+ TSS_TPMT_SIG_SCHEME_Print(&in->inScheme, indent);
+ printf("%*s" "size %u\n", indent, "", in->size);
+ printf("%*s" "offset %u\n", indent, "", in->offset);
+ return;
+}
+void NV_ChangeAuth_In_Print(NV_ChangeAuth_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_ChangeAuth\n", indent, "");
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ TSS_TPM2B_Print("newAuth", indent, &in->newAuth.b);
+ return;
+}
+void NV_DefineSpace_In_Print(NV_DefineSpace_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_DefineSpace\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM2B_Print("auth", indent, &in->auth.b);
+ printf("%*s" "publicInfo\n", indent, "");
+ TSS_TPM2B_NV_PUBLIC_Print(&in->publicInfo, indent);
+ return;
+}
+void NV_Extend_In_Print(NV_Extend_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_Extend\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ TSS_TPM2B_Print("data", indent, &in->data.b);
+ return;
+}
+void NV_GlobalWriteLock_In_Print(NV_GlobalWriteLock_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_GlobalWriteLock\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ return;
+}
+void NV_Increment_In_Print(NV_Increment_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_Increment\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ return;
+}
+void NV_ReadLock_In_Print(NV_ReadLock_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_ReadLock\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ return;
+}
+void NV_ReadPublic_In_Print(NV_ReadPublic_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_ReadPublic\n", indent, "");
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ return;
+}
+void NV_Read_In_Print(NV_Read_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_Read\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ printf("%*s" "size %u\n", indent, "", in->size);
+ printf("%*s" "offset %u\n", indent, "", in->offset);
+ return;
+}
+void NV_SetBits_In_Print(NV_SetBits_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_SetBits\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ printf("%*s" "bits %"PRIx64"\n", indent, "", in->bits);
+ return;
+}
+void NV_UndefineSpaceSpecial_In_Print(NV_UndefineSpaceSpecial_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_UndefineSpaceSpecial\n", indent, "");
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ TSS_TPM_HANDLE_Print("platform", in->platform, indent);
+ return;
+}
+void NV_UndefineSpace_In_Print(NV_UndefineSpace_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_UndefineSpace\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ return;
+}
+void NV_WriteLock_In_Print(NV_WriteLock_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_WriteLock\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ return;
+}
+void NV_Write_In_Print(NV_Write_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_NV_Write\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ TSS_TPM2B_Print("data", indent, &in->data.b);
+ printf("%*s" "offset %u\n", indent, "", in->offset);
+ return;
+}
+void ObjectChangeAuth_In_Print(ObjectChangeAuth_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ObjectChangeAuth\n", indent, "");
+ TSS_TPM_HANDLE_Print("objectHandle", in->objectHandle, indent);
+ TSS_TPM_HANDLE_Print("parentHandle", in->parentHandle, indent);
+ TSS_TPM2B_Print("newAuth", indent, &in->newAuth.b);
+ return;
+}
+void PCR_Allocate_In_Print(PCR_Allocate_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PCR_Allocate\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPML_PCR_SELECTION_Print(&in->pcrAllocation, indent);
+ return;
+}
+void PCR_Event_In_Print(PCR_Event_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PCR_Event\n", indent, "");
+ TSS_TPM_HANDLE_Print("pcrHandle", in->pcrHandle, indent);
+ TSS_TPM2B_Print("eventData", indent, &in->eventData.b);
+ return;
+}
+void PCR_Extend_In_Print(PCR_Extend_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PCR_Extend\n", indent, "");
+ TSS_TPM_HANDLE_Print("pcrHandle", in->pcrHandle, indent);
+ TSS_TPML_DIGEST_VALUES_Print(&in->digests, indent);
+ return;
+}
+void PCR_Read_In_Print(PCR_Read_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PCR_Read\n", indent, "");
+ TSS_TPML_PCR_SELECTION_Print(&in->pcrSelectionIn, indent);
+ return;
+}
+void PCR_Reset_In_Print(PCR_Reset_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PCR_Reset\n", indent, "");
+ TSS_TPM_HANDLE_Print("pcrHandle", in->pcrHandle, indent);
+ return;
+}
+void PCR_SetAuthPolicy_In_Print(PCR_SetAuthPolicy_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PCR_SetAuthPolicy\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM2B_Print("authPolicy", indent, &in->authPolicy.b);
+ TSS_TPM_ALG_ID_Print("hashAlg", in->hashAlg, indent);
+ TSS_TPM_HANDLE_Print("pcrNum", in->pcrNum, indent);
+ return;
+}
+void PCR_SetAuthValue_In_Print(PCR_SetAuthValue_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PCR_SetAuthValue\n", indent, "");
+ TSS_TPM_HANDLE_Print("pcrHandle", in->pcrHandle, indent);
+ TSS_TPM2B_Print("auth", indent, &in->auth.b);
+ return;
+}
+void PP_Commands_In_Print(PP_Commands_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PP_Commands\n", indent, "");
+ TSS_TPM_HANDLE_Print("auth", in->auth, indent);
+ TSS_TPML_CC_Print(&in->setList, indent);
+ TSS_TPML_CC_Print(&in->clearList, indent);
+ return;
+}
+void PolicyAuthValue_In_Print(PolicyAuthValue_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyAuthValue\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ return;
+}
+void PolicyAuthorizeNV_In_Print(PolicyAuthorizeNV_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyAuthorizeNV\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ return;
+}
+void PolicyAuthorize_In_Print(PolicyAuthorize_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyAuthorize\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM2B_Print("approvedPolicy", indent, &in->approvedPolicy.b);
+ TSS_TPM2B_Print("policyRef", indent, &in->policyRef.b);
+ TSS_TPM2B_Print("keySign", indent, &in->keySign.b);
+ printf("%*s" "checkTicket\n", indent, "");
+ TSS_TPMT_TK_VERIFIED_Print(&in->checkTicket, indent+2);
+ return;
+}
+void PolicyCommandCode_In_Print(PolicyCommandCode_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyCommandCode\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM_CC_Print("code", in->code, indent);
+ return;
+}
+void PolicyCounterTimer_In_Print(PolicyCounterTimer_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyCounterTimer\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM2B_Print("operandB", indent, &in->operandB.b);
+ printf("%*s" "offset %u\n", indent, "", in->offset);
+ TSS_TPM_EO_Print("operation", in->operation, indent);
+ return;
+}
+void PolicyCpHash_In_Print(PolicyCpHash_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyCpHash\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM2B_Print("cpHashA", indent, &in->cpHashA.b);
+ return;
+}
+void PolicyDuplicationSelect_In_Print(PolicyDuplicationSelect_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyDuplicationSelect\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM2B_Print("objectName", indent, &in->objectName.b);
+ TSS_TPM2B_Print("newParentName", indent, &in->newParentName.b);
+ TSS_TPMI_YES_NO_Print("includeObject", in->includeObject, indent);
+ return;
+}
+void PolicyGetDigest_In_Print(PolicyGetDigest_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyGetDigest\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ return;
+}
+void PolicyLocality_In_Print(PolicyLocality_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyLocality\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPMA_LOCALITY_Print(in->locality, indent);
+ return;
+}
+void PolicyNV_In_Print(PolicyNV_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyNV\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("nvIndex", in->nvIndex, indent);
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM2B_Print("operandB", indent, &in->operandB.b);
+ printf("%*s" "offset %u\n", indent, "", in->offset);
+ TSS_TPM_EO_Print("operation", in->operation, indent);
+ return;
+}
+void PolicyNameHash_In_Print(PolicyNameHash_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyNameHash\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM2B_Print("nameHash", indent, &in->nameHash.b);
+ return;
+}
+void PolicyNvWritten_In_Print(PolicyNvWritten_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyNvWritten\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPMI_YES_NO_Print("writtenSet", in->writtenSet, indent);
+ return;
+}
+void PolicyOR_In_Print(PolicyOR_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyOR\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ printf("%*s" "pHashList\n", indent, "");
+ TSS_TPML_DIGEST_Print(&in->pHashList, indent+2);
+ return;
+}
+void PolicyPCR_In_Print(PolicyPCR_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyPCR\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM2B_Print("pcrDigest", indent, &in->pcrDigest.b);
+ TSS_TPML_PCR_SELECTION_Print(&in->pcrs, indent);
+ return;
+}
+void PolicyPassword_In_Print(PolicyPassword_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyPassword\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ return;
+}
+void PolicyPhysicalPresence_In_Print(PolicyPhysicalPresence_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyPhysicalPresence\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ return;
+}
+void PolicyRestart_In_Print(PolicyRestart_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyRestart\n", indent, "");
+ TSS_TPM_HANDLE_Print("sessionHandle", in->sessionHandle, indent);
+ return;
+}
+void PolicySecret_In_Print(PolicySecret_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicySecret\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM2B_Print("nonceTPM", indent, &in->nonceTPM.b);
+ TSS_TPM2B_Print("cpHashA", indent, &in->cpHashA.b);
+ TSS_TPM2B_Print("policyRef", indent, &in->policyRef.b);
+ printf("%*s" "expiration %d\n", indent, "", in->expiration);
+ return;
+}
+void PolicySigned_In_Print(PolicySigned_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicySigned\n", indent, "");
+ TSS_TPM_HANDLE_Print("authObject", in->authObject, indent);
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM2B_Print("nonceTPM", indent, &in->nonceTPM.b);
+ TSS_TPM2B_Print("cpHashA", indent, &in->cpHashA.b);
+ TSS_TPM2B_Print("policyRef", indent, &in->policyRef.b);
+ printf("%*s" "expiration %d\n", indent, "", in->expiration);
+ printf("%*s" "auth\n", indent, "");
+ TSS_TPMT_SIGNATURE_Print(&in->auth, indent+2);
+ return;
+}
+void PolicyTemplate_In_Print(PolicyTemplate_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyTemplate\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM2B_Print("templateHash", indent, &in->templateHash.b);
+ return;
+}
+void PolicyTicket_In_Print(PolicyTicket_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_PolicyTicket\n", indent, "");
+ TSS_TPM_HANDLE_Print("policySession", in->policySession, indent);
+ TSS_TPM2B_Print("timeout", indent, &in->timeout.b);
+ TSS_TPM2B_Print("cpHashA", indent, &in->cpHashA.b);
+ TSS_TPM2B_Print("policyRef", indent, &in->policyRef.b);
+ TSS_TPM2B_Print("authName", indent, &in->authName.b);
+ printf("%*s" "ticket\n", indent, "");
+ TSS_TPMT_TK_AUTH_Print(&in->ticket, indent+2);
+ return;
+}
+void Quote_In_Print(Quote_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Quote\n", indent, "");
+ TSS_TPM_HANDLE_Print("signHandle", in->signHandle, indent);
+ TSS_TPM2B_Print("qualifyingData", indent, &in->qualifyingData.b);
+ printf("%*s" "inScheme\n", indent, "");
+ TSS_TPMT_SIG_SCHEME_Print(&in->inScheme, indent);
+ TSS_TPML_PCR_SELECTION_Print(&in->PCRselect, indent);
+ return;
+}
+void RSA_Decrypt_In_Print(RSA_Decrypt_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_RSA_Decrypt\n", indent, "");
+ TSS_TPM_HANDLE_Print("keyHandle", in->keyHandle, indent);
+ TSS_TPM2B_Print("cipherText", indent, &in->cipherText.b);
+ printf("%*s" "inScheme\n", indent, "");
+ TSS_TPMT_RSA_DECRYPT_Print(&in->inScheme, indent);
+ TSS_TPM2B_Print("label", indent, &in->label.b);
+ return;
+}
+void RSA_Encrypt_In_Print(RSA_Encrypt_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_RSA_Encrypt\n", indent, "");
+ TSS_TPM_HANDLE_Print("keyHandle", in->keyHandle, indent);
+ TSS_TPM2B_Print("message", indent, &in->message.b);
+ printf("%*s" "inScheme\n", indent, "");
+ TSS_TPMT_RSA_DECRYPT_Print(&in->inScheme, indent);
+ TSS_TPM2B_Print("label", indent, &in->label.b);
+ return;
+}
+void ReadPublic_In_Print(ReadPublic_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ReadPublic\n", indent, "");
+ TSS_TPM_HANDLE_Print("objectHandle", in->objectHandle, indent);
+ return;
+}
+void Rewrap_In_Print(Rewrap_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Rewrap\n", indent, "");
+ TSS_TPM_HANDLE_Print("oldParent", in->oldParent, indent);
+ TSS_TPM_HANDLE_Print("newParent", in->newParent, indent);
+ TSS_TPM2B_Print("inDuplicate", indent, &in->inDuplicate.b);
+ TSS_TPM2B_Print("name", indent, &in->name.b);
+ TSS_TPM2B_Print("inSymSeed", indent, &in->inSymSeed.b);
+ return;
+}
+void SelfTest_In_Print(SelfTest_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_SelfTest\n", indent, "");
+ TSS_TPMI_YES_NO_Print("fullTest", in->fullTest, indent);
+ return;
+}
+void SequenceComplete_In_Print(SequenceComplete_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_SequenceComplete\n", indent, "");
+ TSS_TPM_HANDLE_Print("sequenceHandle", in->sequenceHandle, indent);
+ TSS_TPM2B_Print("buffer", indent, &in->buffer.b);
+ TSS_TPM_HANDLE_Print("hierarchy", in->hierarchy, indent);
+ return;
+}
+void SequenceUpdate_In_Print(SequenceUpdate_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_SequenceUpdate\n", indent, "");
+ TSS_TPM_HANDLE_Print("sequenceHandle", in->sequenceHandle, indent);
+ TSS_TPM2B_Print("buffer", indent, &in->buffer.b);
+ return;
+}
+void SetAlgorithmSet_In_Print(SetAlgorithmSet_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_SetAlgorithmSet\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ printf("%*s" "algorithmSet %08x\n", indent, "", in->algorithmSet);
+ return;
+}
+void SetCommandCodeAuditStatus_In_Print(SetCommandCodeAuditStatus_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_SetCommandCodeAuditStatus\n", indent, "");
+ TSS_TPM_HANDLE_Print("auth", in->auth, indent);
+ TSS_TPM_ALG_ID_Print("auditAlg", in->auditAlg, indent);
+ TSS_TPML_CC_Print(&in->setList, indent);
+ TSS_TPML_CC_Print(&in->clearList, indent);
+ return;
+}
+void SetPrimaryPolicy_In_Print(SetPrimaryPolicy_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_SetPrimaryPolicy\n", indent, "");
+ TSS_TPM_HANDLE_Print("authHandle", in->authHandle, indent);
+ TSS_TPM2B_Print("authPolicy", indent, &in->authPolicy.b);
+ TSS_TPM_ALG_ID_Print("hashAlg", in->hashAlg, indent);
+ return;
+}
+void Shutdown_In_Print(Shutdown_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Shutdown\n", indent, "");
+ TSS_TPM_SU_Print("shutdownType", in->shutdownType, indent);
+ return;
+}
+void Sign_In_Print(Sign_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Sign\n", indent, "");
+ TSS_TPM_HANDLE_Print("keyHandle", in->keyHandle, indent);
+ TSS_TPM2B_Print("digest", indent, &in->digest.b);
+ printf("%*s" "inScheme\n", indent, "");
+ TSS_TPMT_SIG_SCHEME_Print(&in->inScheme, indent);
+ printf("%*s" "validation\n", indent, "");
+ TSS_TPMT_TK_HASHCHECK_Print(&in->validation, indent+2);
+ return;
+}
+void StartAuthSession_In_Print(StartAuthSession_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_StartAuthSession\n", indent, "");
+ TSS_TPM_HANDLE_Print("tpmKey", in->tpmKey, indent);
+ TSS_TPM_HANDLE_Print("bind", in->bind, indent);
+ TSS_TPM2B_Print("nonceCaller", indent, &in->nonceCaller.b);
+ TSS_TPM2B_Print("encryptedSalt", indent, &in->encryptedSalt.b);
+ TSS_TPM_SE_Print("sessionType", in->sessionType, indent);
+ TSS_TPMT_SYM_DEF_Print(&in->symmetric, indent);
+ TSS_TPM_ALG_ID_Print("authHash", in->authHash, indent);
+ return;
+}
+void Startup_In_Print(Startup_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Startup\n", indent, "");
+ TSS_TPM_SU_Print("startupType", in->startupType, indent);
+ return;
+}
+void StirRandom_In_Print(StirRandom_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_StirRandom\n", indent, "");
+ TSS_TPM2B_Print("inData", indent, &in->inData.b);
+ return;
+}
+void TestParms_In_Print(TestParms_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_TestParms\n", indent, "");
+ TSS_TPMT_PUBLIC_PARMS_Print(&in->parameters, indent);
+ return;
+}
+void Unseal_In_Print(Unseal_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_Unseal\n", indent, "");
+ TSS_TPM_HANDLE_Print("itemHandle", in->itemHandle, indent);
+ return;
+}
+void VerifySignature_In_Print(VerifySignature_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_VerifySignature\n", indent, "");
+ TSS_TPM_HANDLE_Print("keyHandle", in->keyHandle, indent);
+ TSS_TPM2B_Print("digest", indent, &in->digest.b);
+ printf("%*s" "signature\n", indent, "");
+ TSS_TPMT_SIGNATURE_Print(&in->signature, indent);
+ return;
+}
+void ZGen_2Phase_In_Print(ZGen_2Phase_In *in, unsigned int indent)
+{
+ printf("%*s" "TPM2_ZGen_2Phase\n", indent, "");
+ TSS_TPM_HANDLE_Print("keyA", in->keyA, indent);
+ TSS_TPM2B_ECC_POINT_Print("inQsB", &in->inQsB, indent);
+ TSS_TPM2B_ECC_POINT_Print("inQsB", &in->inQeB, indent);
+ TSS_TPM_ALG_ID_Print("inScheme", in->inScheme, indent);
+ printf("%*s" "counter %u\n", indent, "", in->counter);
+ return;
+}
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssproperties.c b/libstb/tss2/ibmtpm20tss/utils/tssproperties.c
new file mode 100644
index 0000000..d80841c
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssproperties.c
@@ -0,0 +1,535 @@
+/********************************************************************************/
+/* */
+/* TSS Configuration Properties */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tsstransmit.h>
+#ifndef TPM_TSS_NOCRYPTO
+#include <ibmtss/tsscrypto.h>
+#endif
+#include <ibmtss/tssprint.h>
+
+#include "tssproperties.h"
+
+/* For systems where there are no environment variables, GETENV returns NULL. This simulates the
+ situation when an environment variable is not set, causing the compiled in default to be used. */
+#ifndef TPM_TSS_NOENV
+#define GETENV(x) getenv(x)
+#else
+#define GETENV(x) NULL
+#endif
+
+/* local prototypes */
+
+static TPM_RC TSS_SetTraceLevel(const char *value);
+static TPM_RC TSS_SetDataDirectory(TSS_CONTEXT *tssContext, const char *value);
+static TPM_RC TSS_SetCommandPort(TSS_CONTEXT *tssContext, const char *value);
+static TPM_RC TSS_SetPlatformPort(TSS_CONTEXT *tssContext, const char *value);
+static TPM_RC TSS_SetServerName(TSS_CONTEXT *tssContext, const char *value);
+static TPM_RC TSS_SetServerType(TSS_CONTEXT *tssContext, const char *value);
+static TPM_RC TSS_SetInterfaceType(TSS_CONTEXT *tssContext, const char *value);
+static TPM_RC TSS_SetDevice(TSS_CONTEXT *tssContext, const char *value);
+static TPM_RC TSS_SetEncryptSessions(TSS_CONTEXT *tssContext, const char *value);
+
+/* globals for the library */
+
+/* tracing is global to avoid passing the context into every function call */
+int tssVerbose = TRUE; /* initial value so TSS_Properties_Init errors emit message */
+int tssVverbose = FALSE;
+
+/* This is a total hack to ensure that the global verbose flags are only set once. It's used by the
+ two entry points to the TSS, TSS_Create() and TSS_SetProperty() */
+
+int tssFirstCall = TRUE;
+
+/* defaults for global settings */
+
+#ifndef TPM_TRACE_LEVEL_DEFAULT
+#define TPM_TRACE_LEVEL_DEFAULT "0"
+#endif
+
+#ifndef TPM_COMMAND_PORT_DEFAULT
+#define TPM_COMMAND_PORT_DEFAULT "2321" /* default for MS simulator */
+#endif
+
+#ifndef TPM_PLATFORM_PORT_DEFAULT
+#define TPM_PLATFORM_PORT_DEFAULT "2322" /* default for MS simulator */
+#endif
+
+#ifndef TPM_SERVER_NAME_DEFAULT
+#define TPM_SERVER_NAME_DEFAULT "localhost" /* default to local machine */
+#endif
+
+#ifndef TPM_SERVER_TYPE_DEFAULT
+#define TPM_SERVER_TYPE_DEFAULT "mssim" /* default to MS simulator format */
+#endif
+
+#ifndef TPM_DATA_DIR_DEFAULT
+#define TPM_DATA_DIR_DEFAULT "." /* default to current working directory */
+#endif
+
+#ifndef TPM_INTERFACE_TYPE_DEFAULT
+#ifndef TPM_NOSOCKET
+#define TPM_INTERFACE_TYPE_DEFAULT "socsim" /* default to MS simulator interface */
+#else
+#define TPM_INTERFACE_TYPE_DEFAULT "dev" /* if no sockets, default to device driver */
+#endif
+#endif
+
+#ifndef TPM_DEVICE_DEFAULT
+#ifdef TPM_POSIX
+#define TPM_DEVICE_DEFAULT "/dev/tpm0" /* default to Linux device driver */
+#endif
+#ifdef TPM_WINDOWS
+#define TPM_DEVICE_DEFAULT "tddl.dll" /* default to Windows TPM interface dll */
+#endif
+#endif
+
+#ifndef TPM_ENCRYPT_SESSIONS_DEFAULT
+#define TPM_ENCRYPT_SESSIONS_DEFAULT "1"
+#endif
+
+/* TSS_GlobalProperties_Init() sets the global verbose trace flags at the first entry points to the
+ TSS */
+
+TPM_RC TSS_GlobalProperties_Init(void)
+{
+ TPM_RC rc = 0;
+ const char *value;
+
+ /* trace level is global, tssContext can be null */
+ if (rc == 0) {
+ value = GETENV("TPM_TRACE_LEVEL");
+ rc = TSS_SetTraceLevel(value);
+ }
+ return rc;
+}
+
+
+/* TSS_Properties_Init() sets the initial TSS_CONTEXT properties based on either the environment
+ variables (if set) or the defaults (if not).
+*/
+
+TPM_RC TSS_Properties_Init(TSS_CONTEXT *tssContext)
+{
+ TPM_RC rc = 0;
+ const char *value;
+
+ if (rc == 0) {
+ tssContext->tssAuthContext = NULL;
+ tssContext->tssFirstTransmit = TRUE; /* connection not opened */
+ tssContext->tpm12Command = FALSE;
+#ifdef TPM_WINDOWS
+ tssContext->sock_fd = INVALID_SOCKET;
+#endif
+#ifdef TPM_POSIX
+#ifndef TPM_NOSOCKET
+ tssContext->sock_fd = -1;
+#endif /* TPM_NOSOCKET */
+ tssContext->dev_fd = -1;
+#endif /* TPM_POSIX */
+
+#ifdef TPM_SKIBOOT
+ tssContext->tpm_driver = NULL;
+ tssContext->tpm_device = NULL;
+#endif /* TPM_SKIBOOT */
+
+#ifndef TPM_TSS_NOCRYPTO
+#ifndef TPM_TSS_NOFILE
+ tssContext->tssSessionEncKey = NULL;
+ tssContext->tssSessionDecKey = NULL;
+#endif
+#endif
+ }
+ /* for a minimal TSS with no file support */
+#ifdef TPM_TSS_NOFILE
+ {
+ size_t i;
+ for (i = 0 ; i < (sizeof(tssContext->sessions) / sizeof(TSS_SESSIONS)) ; i++) {
+ tssContext->sessions[i].sessionHandle = TPM_RH_NULL;
+ tssContext->sessions[i].sessionData = NULL;
+ tssContext->sessions[i].sessionDataLength = 0;
+ }
+ for (i = 0 ; i < (sizeof(tssContext->objectPublic) / sizeof(TSS_OBJECT_PUBLIC)) ; i++) {
+ tssContext->objectPublic[i].objectHandle = TPM_RH_NULL;
+ }
+ for (i = 0 ; i < (sizeof(tssContext->nvPublic) / sizeof(TSS_NVPUBLIC)) ; i++) {
+ tssContext->nvPublic[i].nvIndex = TPM_RH_NULL;
+ }
+ }
+#endif
+ /* data directory */
+ if (rc == 0) {
+ value = GETENV("TPM_DATA_DIR");
+ rc = TSS_SetDataDirectory(tssContext, value);
+ }
+ /* flag whether session state should be encrypted */
+ if (rc == 0) {
+ value = GETENV("TPM_ENCRYPT_SESSIONS");
+ rc = TSS_SetEncryptSessions(tssContext, value);
+ }
+ /* TPM socket command port */
+ if (rc == 0) {
+ value = GETENV("TPM_COMMAND_PORT");
+ rc = TSS_SetCommandPort(tssContext, value);
+ }
+ /* TPM simulator socket platform port */
+ if (rc == 0) {
+ value = GETENV("TPM_PLATFORM_PORT");
+ rc = TSS_SetPlatformPort(tssContext, value);
+ }
+ /* TPM socket host name */
+ if (rc == 0) {
+ value = GETENV("TPM_SERVER_NAME");
+ rc = TSS_SetServerName(tssContext, value);
+ }
+ /* TPM socket server type */
+ if (rc == 0) {
+ value = GETENV("TPM_SERVER_TYPE");
+ rc = TSS_SetServerType(tssContext, value);
+ }
+ /* TPM interface type */
+ if (rc == 0) {
+ value = GETENV("TPM_INTERFACE_TYPE");
+ rc = TSS_SetInterfaceType(tssContext, value);
+ }
+ /* TPM device within the interface type */
+ if (rc == 0) {
+ value = GETENV("TPM_DEVICE");
+ rc = TSS_SetDevice(tssContext, value);
+ }
+ return rc;
+}
+
+/* TSS_SetProperty() sets the property to the value.
+
+ The format of the property and value the same as that of the environment variable.
+
+ A NULL value sets the property to the default.
+*/
+
+TPM_RC TSS_SetProperty(TSS_CONTEXT *tssContext,
+ int property,
+ const char *value)
+{
+ TPM_RC rc = 0;
+
+ /* at the first call to the TSS, initialize global variables */
+ if (tssFirstCall) {
+#ifndef TPM_TSS_NOCRYPTO
+ /* crypto module initializations */
+ if (rc == 0) {
+ rc = TSS_Crypto_Init();
+ }
+#endif
+ if (rc == 0) {
+ rc = TSS_GlobalProperties_Init();
+ }
+ tssFirstCall = FALSE;
+ }
+ if (rc == 0) {
+ switch (property) {
+ case TPM_TRACE_LEVEL:
+ rc = TSS_SetTraceLevel(value);
+ break;
+ case TPM_DATA_DIR:
+ rc = TSS_SetDataDirectory(tssContext, value);
+ break;
+ case TPM_COMMAND_PORT:
+ rc = TSS_SetCommandPort(tssContext, value);
+ break;
+ case TPM_PLATFORM_PORT:
+ rc = TSS_SetPlatformPort(tssContext, value);
+ break;
+ case TPM_SERVER_NAME:
+ rc = TSS_SetServerName(tssContext, value);
+ break;
+ case TPM_SERVER_TYPE:
+ rc = TSS_SetServerType(tssContext, value);
+ break;
+ case TPM_INTERFACE_TYPE:
+ rc = TSS_SetInterfaceType(tssContext, value);
+ break;
+ case TPM_DEVICE:
+ rc = TSS_SetDevice(tssContext, value);
+ break;
+ case TPM_ENCRYPT_SESSIONS:
+ rc = TSS_SetEncryptSessions(tssContext, value);
+ break;
+ default:
+ rc = TSS_RC_BAD_PROPERTY;
+ }
+ }
+ return rc;
+}
+
+/* TSS_SetTraceLevel() sets the trace level.
+
+ 0: no printing
+ 1: error printing
+ 2: trace printing
+*/
+
+static TPM_RC TSS_SetTraceLevel(const char *value)
+{
+ TPM_RC rc = 0;
+ int irc = 0;
+ int level;
+
+ if (rc == 0) {
+ if (value == NULL) {
+ value = TPM_TRACE_LEVEL_DEFAULT;
+ }
+ }
+#if !defined(__ULTRAVISOR__) && !defined(TPM_SKIBOOT)
+ if (rc == 0) {
+ irc = sscanf(value, "%u", &level);
+ if (irc != 1) {
+ if (tssVerbose) printf("TSS_SetTraceLevel: Error, value invalid\n");
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ /* disable tracing within the ultravisor and skiboot, which doesn't implement sscanf() anyway */
+#else
+ irc = irc;
+ level = 0;
+#endif
+ if (rc == 0) {
+ switch (level) {
+ case 0:
+ tssVerbose = FALSE;
+ tssVverbose = FALSE;
+ break;
+ case 1:
+ tssVerbose = TRUE;
+ tssVverbose = FALSE;
+ break;
+ default:
+ tssVerbose = TRUE;
+ tssVverbose = TRUE;
+ break;
+ }
+ }
+ return rc;
+}
+
+static TPM_RC TSS_SetDataDirectory(TSS_CONTEXT *tssContext, const char *value)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (value == NULL) {
+ value = TPM_DATA_DIR_DEFAULT;
+ }
+ }
+ if (rc == 0) {
+ tssContext->tssDataDirectory = value;
+ /* appended to this is 17 characters /cccnnnnnnnn.bin[nul], add a bit of margin for future
+ prefixes */
+ if (strlen(value) > (TPM_DATA_DIR_PATH_LENGTH - 24)) {
+ if (tssVerbose) printf("TSS_SetDataDirectory: Error, value too long\n");
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+ return rc;
+}
+
+static TPM_RC TSS_SetCommandPort(TSS_CONTEXT *tssContext, const char *value)
+{
+ TPM_RC rc = 0;
+ int irc = 0;
+
+ /* close an open connection before changing property */
+ if (rc == 0) {
+ rc = TSS_Close(tssContext);
+ }
+ if (rc == 0) {
+ if (value == NULL) {
+ value = TPM_COMMAND_PORT_DEFAULT;
+ }
+ }
+#ifndef TPM_NOSOCKET
+ if (rc == 0) {
+ irc = sscanf(value, "%hu", &tssContext->tssCommandPort);
+ if (irc != 1) {
+ if (tssVerbose) printf("TSS_SetCommandPort: Error, value invalid\n");
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+#else
+ tssContext->tssCommandPort = 0;
+ irc = irc;
+#endif /* TPM_NOSOCKET */
+ return rc;
+}
+
+static TPM_RC TSS_SetPlatformPort(TSS_CONTEXT *tssContext, const char *value)
+{
+ TPM_RC rc = 0;
+ int irc = 0;
+
+ /* close an open connection before changing property */
+ if (rc == 0) {
+ rc = TSS_Close(tssContext);
+ }
+ if (rc == 0) {
+ if (value == NULL) {
+ value = TPM_PLATFORM_PORT_DEFAULT;
+ }
+ }
+#ifndef TPM_NOSOCKET
+ if (rc == 0) {
+ irc = sscanf(value, "%hu", &tssContext->tssPlatformPort);
+ if (irc != 1) {
+ if (tssVerbose) printf("TSS_SetPlatformPort: Error, , value invalid\n");
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+#else
+ tssContext->tssPlatformPort = 0;
+ irc = irc;
+#endif /* TPM_NOSOCKET */
+ return rc;
+}
+
+static TPM_RC TSS_SetServerName(TSS_CONTEXT *tssContext, const char *value)
+{
+ TPM_RC rc = 0;
+
+ /* close an open connection before changing property */
+ if (rc == 0) {
+ rc = TSS_Close(tssContext);
+ }
+ if (rc == 0) {
+ if (value == NULL) {
+ value = TPM_SERVER_NAME_DEFAULT;
+ }
+ }
+ if (rc == 0) {
+ tssContext->tssServerName = value;
+ }
+ return rc;
+}
+
+static TPM_RC TSS_SetServerType(TSS_CONTEXT *tssContext, const char *value)
+{
+ TPM_RC rc = 0;
+
+ /* close an open connection before changing property */
+ if (rc == 0) {
+ rc = TSS_Close(tssContext);
+ }
+ if (rc == 0) {
+ if (value == NULL) {
+ value = TPM_SERVER_TYPE_DEFAULT;
+ }
+ }
+ if (rc == 0) {
+ tssContext->tssServerType = value;
+ }
+ return rc;
+}
+
+static TPM_RC TSS_SetInterfaceType(TSS_CONTEXT *tssContext, const char *value)
+{
+ TPM_RC rc = 0;
+
+ /* close an open connection before changing property */
+ if (rc == 0) {
+ rc = TSS_Close(tssContext);
+ }
+ if (rc == 0) {
+ if (value == NULL) {
+ value = TPM_INTERFACE_TYPE_DEFAULT;
+ }
+ }
+ if (rc == 0) {
+ tssContext->tssInterfaceType = value;
+ }
+ return rc;
+}
+
+static TPM_RC TSS_SetDevice(TSS_CONTEXT *tssContext, const char *value)
+{
+ TPM_RC rc = 0;
+
+ /* close an open connection before changing property */
+ if (rc == 0) {
+ rc = TSS_Close(tssContext);
+ }
+ if (rc == 0) {
+ if (value == NULL) {
+ value = TPM_DEVICE_DEFAULT;
+ }
+ }
+ if (rc == 0) {
+ tssContext->tssDevice = value;
+ }
+ return rc;
+}
+
+static TPM_RC TSS_SetEncryptSessions(TSS_CONTEXT *tssContext, const char *value)
+{
+ TPM_RC rc = 0;
+ int irc = 0;
+
+ if (rc == 0) {
+ if (value == NULL) {
+ value = TPM_ENCRYPT_SESSIONS_DEFAULT;
+ }
+ }
+#ifndef TPM_TSS_NOFILE
+ if (rc == 0) {
+ irc = sscanf(value, "%u", &tssContext->tssEncryptSessions);
+ if (irc != 1) {
+ if (tssVerbose) printf("TSS_SetEncryptSessions: Error, value invalid\n");
+ rc = TSS_RC_BAD_PROPERTY_VALUE;
+ }
+ }
+#else
+ tssContext->tssEncryptSessions = TRUE;
+ irc = irc;
+#endif /* TPM_TSS_NOFILE */
+ return rc;
+}
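Review bot: TSS_SetDataDirectory stores the value before validating it — `tssContext->tssDataDirectory = value;` runs ahead of the `strlen(value) > (TPM_DATA_DIR_PATH_LENGTH - 24)` check, so when TSS_RC_BAD_PROPERTY_VALUE is returned the context still holds the over-long directory that later path construction into a TPM_DATA_DIR_PATH_LENGTH buffer will see; make the assignment conditional, e.g. `if (strlen(value) > (TPM_DATA_DIR_PATH_LENGTH - 24)) { ... rc = TSS_RC_BAD_PROPERTY_VALUE; } else { tssContext->tssDataDirectory = value; }`. The sscanf conversions also mismatch their targets: `%u` into `int level` in TSS_SetTraceLevel, and `%hu` into `tssCommandPort`/`tssPlatformPort`, which tssproperties.h (the next hunk) declares as `short`; declaring `unsigned int level;` and `unsigned short` ports matches the conversions and keeps ports above 32767 from reading back as negative. Because `%u`/`%hu` accept a leading minus sign and ignore trailing characters, a `strtoul` parse with an end-pointer check would reject inputs such as "-1" or "2321x" that currently pass. The context keeps the caller's (or getenv's) string pointers rather than copies; that lifetime requirement deserves a sentence in the TSS_SetProperty header comment.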
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssproperties.h b/libstb/tss2/ibmtpm20tss/utils/tssproperties.h
new file mode 100644
index 0000000..73139be
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssproperties.h
@@ -0,0 +1,185 @@
+/********************************************************************************/
+/* */
+/* TSS Configuration Properties */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This is an internal TSS file, subject to change. Applications should not include it. */
+
+#ifndef TSSPROPERTIES_H
+#define TSSPROPERTIES_H
+
+#include <ibmtss/TPM_Types.h>
+
+#ifdef TPM_WINDOWS
+
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+
+#include <winsock2.h>
+#include <windows.h>
+#include <specstrings.h>
+
+#ifdef TPM_SKIBOOT
+#include <libstb/tpm_chip.h>
+#endif /* TPM_SKIBOOT */
+
+#ifdef TPM_WINDOWS_TBSI
+#include <tbs.h>
+#endif /* TPM_WINDOWS_TBSI */
+
+typedef SOCKET TSS_SOCKET_FD;
+
+#endif /* TPM_WINDOWS */
+
+#ifdef TPM_POSIX
+#ifndef TPM_NOSOCKET
+typedef int TSS_SOCKET_FD;
+#endif /* TPM_NOSOCKET */
+#endif /* TPM_POSIX */
+
+/* There doesn't seem to be a portable Unix MAXPATHLEN variable, so pick a large number. The
+ directory length will be (currently) 17 bytes smaller. */
+#define TPM_DATA_DIR_PATH_LENGTH 256
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <ibmtss/tss.h>
+#include "tssauth.h"
+
+ /* Structure to hold session data within the context */
+
+ typedef struct TSS_SESSIONS {
+ TPMI_SH_AUTH_SESSION sessionHandle;
+ uint8_t *sessionData;
+ uint16_t sessionDataLength;
+ } TSS_SESSIONS;
+
+ /* Structure to hold transient or persistent object data within the context */
+
+ typedef struct TSS_OBJECT_PUBLIC {
+ TPM_HANDLE objectHandle;
+ TPM2B_NAME name;
+ TPM2B_PUBLIC objectPublic;
+ } TSS_OBJECT_PUBLIC;
+
+ /* Structure to hold NV index data within the context */
+
+ typedef struct TSS_NVPUBLIC {
+ TPMI_RH_NV_INDEX nvIndex;
+ TPM2B_NAME name;
+ TPMS_NV_PUBLIC nvPublic;
+ } TSS_NVPUBLIC;
+
+ /* Context for TSS global parameters.
+
+ NOTE: Keep this in sync with TSS_Properties_Init() and TSS_Delete() */
+
+ struct TSS_CONTEXT {
+
+ TSS_AUTH_CONTEXT *tssAuthContext;
+
+ /* directory for persistant storage */
+ const char *tssDataDirectory;
+
+ /* encrypt saved session state */
+ int tssEncryptSessions;
+
+ /* saved session encryption key. This seems to port to openssl 1.0 and 1.1, but will have to
+ become a malloced void * for other crypto libraries. */
+#ifndef TPM_TSS_NOCRYPTO
+ void *tssSessionEncKey;
+ void *tssSessionDecKey;
+#endif
+ /* a minimal TSS with no file support stores the sessions, objects, and NV metadata in a
+ structure. Scripting will not work, and persistent objects will not work, but a single
+ application will otherwise work. */
+#ifdef TPM_TSS_NOFILE
+ TSS_SESSIONS sessions[MAX_ACTIVE_SESSIONS];
+ TSS_OBJECT_PUBLIC objectPublic[64];
+ TSS_NVPUBLIC nvPublic[64];
+#endif
+ /* ports, host name, server (packet) type for socket interface */
+ short tssCommandPort;
+ short tssPlatformPort;
+ const char *tssServerName;
+ const char *tssServerType;
+
+ /* interface type */
+ const char *tssInterfaceType;
+
+ /* device driver interface */
+ const char *tssDevice;
+
+ /* TRUE for the first time through, indicates that interface open must occur */
+ int tssFirstTransmit;
+ int tpm12Command; /* TRUE for TPM 1.2 command */
+
+ /* socket file descriptor */
+#ifndef TPM_NOSOCKET
+ TSS_SOCKET_FD sock_fd;
+#endif /* TPM_NOSOCKET */
+
+ /* Linux device file descriptor */
+#ifdef TPM_POSIX
+ int dev_fd;
+#endif /* TPM_POSIX */
+
+ /* Windows device driver handle */
+#ifdef TPM_WINDOWS
+#ifdef TPM_WINDOWS_TBSI
+ TBS_HCONTEXT hContext;
+#endif
+#endif
+
+#ifdef TPM_SKIBOOT
+ struct tpm_dev *tpm_device;
+ struct tpm_driver *tpm_driver;
+#endif /* TPM_SKIBOOT */
+ };
+
+ TPM_RC TSS_GlobalProperties_Init(void);
+ TPM_RC TSS_Properties_Init(TSS_CONTEXT *tssContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+
+
+#endif
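Review bot: The `#ifdef TPM_SKIBOOT` / `#include <libstb/tpm_chip.h>` block is nested inside the `#ifdef TPM_WINDOWS` region (between the `<specstrings.h>` and `<tbs.h>` includes), so a skiboot build never reaches it; it appears to compile only because `struct tpm_dev *` and `struct tpm_driver *` are pointers to incomplete types. Move those three lines after `#endif /* TPM_WINDOWS */`. The comment above TPM_DATA_DIR_PATH_LENGTH says the directory length is "17 bytes smaller", while tssproperties.c enforces a 24-byte margin; rewording it to `/* The directory is limited to TPM_DATA_DIR_PATH_LENGTH - 24 in TSS_SetDataDirectory(). */` keeps the two in step.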
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssresponsecode.c b/libstb/tss2/ibmtpm20tss/utils/tssresponsecode.c
new file mode 100644
index 0000000..fc974cd
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssresponsecode.c
@@ -0,0 +1,587 @@
+/********************************************************************************/
+/* */
+/* TPM2 Response Code Printer */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TPM_TSS_NO_PRINT
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#ifdef TPM_WINDOWS
+#ifdef TPM_WINDOWS_TBSI
+#include <winsock2.h>
+#include <windows.h>
+#include <tbs.h>
+#endif /* TPM_WINDOWS_TBSI */
+#endif /* TPM_WINDOWS */
+
+
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tsserror.h>
+#ifdef TPM_TPM12
+#include <ibmtss/tsserror12.h>
+#endif
+#include <ibmtss/tssprint.h>
+
+/* The intended usage is:
+
+ const char *msg;
+ const char *submsg;
+ const char *num;
+
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+
+ printf("%s%s%s\n", msg, submsg, num);
+*/
+
+/* 39.4 Response Code Details */
+
+/* tables to map response code to text */
+
+typedef struct {
+ TPM_RC rc;
+ const char *text;
+} RC_TABLE;
+
+#ifdef TPM_TPM12
+const RC_TABLE tpm12Table [] = {
+
+ {TPM_AUTHFAIL, "TPM 1.2 TPM_AUTHFAIL - Authentication failed"},
+ {TPM_BADINDEX, "TPM 1.2 TPM_BADINDEX - The index to a PCR, DIR or other register is incorrect"},
+ {TPM_BAD_PARAMETER, "TPM 1.2 TPM_BAD_PARAMETER - One or more parameter is bad"},
+ {TPM_AUDITFAILURE, "TPM 1.2 TPM_AUDITFAILURE - An operation completed successfully but the auditing of that operation failed. "},
+ {TPM_CLEAR_DISABLED, "TPM 1.2 TPM_CLEAR_DISABLED - The clear disable flag is set and all clear operations now require physical access"},
+ {TPM_DEACTIVATED, "TPM 1.2 TPM_DEACTIVATED - The TPM is deactivated"},
+ {TPM_DISABLED, "TPM 1.2 TPM_DISABLED - The TPM is disabled"},
+ {TPM_DISABLED_CMD, "TPM 1.2 TPM_DISABLED_CMD - The target command has been disabled"},
+ {TPM_FAIL, "TPM 1.2 TPM_FAIL - The operation failed"},
+ {TPM_BAD_ORDINAL, "TPM 1.2 TPM_BAD_ORDINAL - The ordinal was unknown or inconsistent"},
+ {TPM_INSTALL_DISABLED, "TPM 1.2 TPM_INSTALL_DISABLED - The ability to install an owner is disabled"},
+ {TPM_INVALID_KEYHANDLE, "TPM 1.2 TPM_INVALID_KEYHANDLE - The key handle presented was invalid"},
+ {TPM_KEYNOTFOUND, "TPM 1.2 TPM_KEYNOTFOUND - The target key was not found"},
+ {TPM_INAPPROPRIATE_ENC, "TPM 1.2 TPM_INAPPROPRIATE_ENC - Unacceptable encryption scheme"},
+ {TPM_MIGRATEFAIL, "TPM 1.2 TPM_MIGRATEFAIL - Migration authorization failed"},
+ {TPM_INVALID_PCR_INFO, "TPM 1.2 TPM_INVALID_PCR_INFO - PCR information could not be interpreted"},
+ {TPM_NOSPACE, "TPM 1.2 TPM_NOSPACE - No room to load key. "},
+ {TPM_NOSRK, "TPM 1.2 TPM_NOSRK - There is no SRK set"},
+ {TPM_NOTSEALED_BLOB, "TPM 1.2 TPM_NOTSEALED_BLOB - An encrypted blob is invalid or was not created by this TPM"},
+ {TPM_OWNER_SET, "TPM 1.2 TPM_OWNER_SET - There is already an Owner"},
+ {TPM_RESOURCES, "TPM 1.2 TPM_RESOURCES - The TPM has insufficient internal resources to perform the requested action. "},
+ {TPM_SHORTRANDOM, "TPM 1.2 TPM_SHORTRANDOM - A random string was too short"},
+ {TPM_SIZE, "TPM 1.2 TPM_SIZE - The TPM does not have the space to perform the operation."},
+ {TPM_WRONGPCRVAL, "TPM 1.2 TPM_WRONGPCRVAL - The named PCR value does not match the current PCR value."},
+ {TPM_BAD_PARAM_SIZE, "TPM 1.2 TPM_BAD_PARAM_SIZE - The paramSize argument to the command has the incorrect value"},
+ {TPM_SHA_THREAD, "TPM 1.2 TPM_SHA_THREAD - There is no existing SHA-1 thread. "},
+ {TPM_SHA_ERROR, "TPM 1.2 TPM_SHA_ERROR - The calculation is unable to proceed because the existing SHA-1 thread has already encountered an error. "},
+ {TPM_FAILEDSELFTEST, "TPM 1.2 TPM_FAILEDSELFTEST - Self-test has failed and the TPM has shutdown. "},
+ {TPM_AUTH2FAIL, "TPM 1.2 TPM_AUTH2FAIL - The authorization for the second key in a 2 key function failed authorization"},
+ {TPM_BADTAG, "TPM 1.2 TPM_BADTAG - The tag value sent to the TPM for a command is invalid"},
+ {TPM_IOERROR, "TPM 1.2 TPM_IOERROR - An IO error occurred transmitting information to the TPM"},
+ {TPM_ENCRYPT_ERROR, "TPM 1.2 TPM_ENCRYPT_ERROR - The encryption process had a problem. "},
+ {TPM_DECRYPT_ERROR, "TPM 1.2 TPM_DECRYPT_ERROR - The decryption process did not complete. "},
+ {TPM_INVALID_AUTHHANDLE, "TPM 1.2 TPM_INVALID_AUTHHANDLE - An invalid handle was used. "},
+ {TPM_NO_ENDORSEMENT, "TPM 1.2 TPM_NO_ENDORSEMENT - The TPM does not a EK installed"},
+ {TPM_INVALID_KEYUSAGE, "TPM 1.2 TPM_INVALID_KEYUSAGE - The usage of a key is not allowed"},
+ {TPM_WRONG_ENTITYTYPE, "TPM 1.2 TPM_WRONG_ENTITYTYPE - The submitted entity type is not allowed"},
+ {TPM_INVALID_POSTINIT, "TPM 1.2 TPM_INVALID_POSTINIT - The command was received in the wrong sequence relative to TPM_Init and a subsequent TPM_Startup"},
+ {TPM_INAPPROPRIATE_SIG, "TPM 1.2 TPM_INAPPROPRIATE_SIG - Signed data cannot include additional DER information"},
+ {TPM_BAD_KEY_PROPERTY, "TPM 1.2 TPM_BAD_KEY_PROPERTY - The key properties in TPM_KEY_PARMs are not supported by this TPM"},
+ {TPM_BAD_MIGRATION, "TPM 1.2 TPM_BAD_MIGRATION - The migration properties of this key are incorrect."},
+ {TPM_BAD_SCHEME, "TPM 1.2 TPM_BAD_SCHEME - The signature or encryption scheme for this key is incorrect or not permitted in this situation. "},
+ {TPM_BAD_DATASIZE, "TPM 1.2 TPM_BAD_DATASIZE - The size of the data (or blob) parameter is bad or inconsistent with the referenced key"},
+ {TPM_BAD_MODE, "TPM 1.2 TPM_BAD_MODE - A mode parameter is bad, such as capArea or subCapArea for TPM_GetCapability, physicalPresence parameter for TPM_PhysicalPresence, or migrationType for TPM_CreateMigrationBlob. "},
+ {TPM_BAD_PRESENCE, "TPM 1.2 TPM_BAD_PRESENCE- Either the physicalPresence or physicalPresenceLock bits have the wrong value"},
+ {TPM_BAD_VERSION, "TPM 1.2 TPM_BAD_VERSION - The TPM cannot perform this version of the capability"},
+ {TPM_NO_WRAP_TRANSPORT, "TPM 1.2 TPM_NO_WRAP_TRANSPORT - The TPM does not allow for wrapped transport sessions"},
+ {TPM_AUDITFAIL_UNSUCCESSFUL, "TPM 1.2 TPM_AUDITFAIL_UNSUCCESSFUL - TPM audit construction failed and the underlying command was returning a failure also"},
+ {TPM_AUDITFAIL_SUCCESSFUL, "TPM 1.2 TPM_AUDITFAIL_SUCCESSFUL - TPM audit construction failed and the underlying command was returning success"},
+ {TPM_NOTRESETABLE, "TPM 1.2 TPM_NOTRESETABLE - Attempt to reset a PCR register that does not have the resettable attribute"},
+ {TPM_NOTLOCAL, "TPM 1.2 TPM_NOTLOCAL - Attempt to reset a PCR register that requires locality and locality modifier not part of command transport"},
+ {TPM_BAD_TYPE, "TPM 1.2 TPM_BAD_TYPE - Make identity blob not properly typed"},
+ {TPM_INVALID_RESOURCE, "TPM 1.2 TPM_INVALID_RESOURCE - When saving context identified resource type does not match actual resource"},
+ {TPM_NOTFIPS, "TPM 1.2 TPM_NOTFIPS - The TPM is attempting to execute a command only available when in FIPS mode"},
+ {TPM_INVALID_FAMILY, "TPM 1.2 TPM_INVALID_FAMILY - The command is attempting to use an invalid family ID"},
+ {TPM_NO_NV_PERMISSION, "TPM 1.2 TPM_NO_NV_PERMISSION - The permission to manipulate the NV storage is not available"},
+ {TPM_REQUIRES_SIGN, "TPM 1.2 TPM_REQUIRES_SIGN - The operation requires a signed command"},
+ {TPM_KEY_NOTSUPPORTED, "TPM 1.2 TPM_KEY_NOTSUPPORTED - Wrong operation to load an NV key"},
+ {TPM_AUTH_CONFLICT, "TPM 1.2 TPM_AUTH_CONFLICT - NV_DefineSpace requires both owner and blob authorization"},
+ {TPM_AREA_LOCKED, "TPM 1.2 TPM_AREA_LOCKED - The NV area is locked and not writable"},
+ {TPM_BAD_LOCALITY, "TPM 1.2 TPM_BAD_LOCALITY - The locality is incorrect for the attempted operation"},
+ {TPM_READ_ONLY, "TPM 1.2 TPM_READ_ONLY - The NV area is read only and can't be written to "},
+ {TPM_PER_NOWRITE, "TPM 1.2 TPM_PER_NOWRITE - There is no protection on the write to the NV area "},
+ {TPM_FAMILYCOUNT, "TPM 1.2 TPM_FAMILYCOUNT - The family count value does not match"},
+ {TPM_WRITE_LOCKED, "TPM 1.2 TPM_WRITE_LOCKED - The NV area has already been written to"},
+ {TPM_BAD_ATTRIBUTES, "TPM 1.2 TPM_BAD_ATTRIBUTES - The NV area attributes conflict"},
+ {TPM_INVALID_STRUCTURE, "TPM 1.2 TPM_INVALID_STRUCTURE - The structure tag and version are invalid or inconsistent"},
+ {TPM_KEY_OWNER_CONTROL, "TPM 1.2 TPM_KEY_OWNER_CONTROL - The key is under control of the TPM Owner and can only be evicted by the TPM Owner. "},
+ {TPM_BAD_COUNTER, "TPM 1.2 TPM_BAD_COUNTER - The counter handle is incorrect"},
+ {TPM_NOT_FULLWRITE, "TPM 1.2 TPM_NOT_FULLWRITE - The write is not a complete write of the area"},
+ {TPM_CONTEXT_GAP, "TPM 1.2 TPM_CONTEXT_GAP - The gap between saved context counts is too large "},
+ {TPM_MAXNVWRITES, "TPM 1.2 TPM_MAXNVWRITES - The maximum number of NV writes without an owner has been exceeded"},
+ {TPM_NOOPERATOR, "TPM 1.2 TPM_NOOPERATOR - No operator authorization value is set"},
+ {TPM_RESOURCEMISSING, "TPM 1.2 TPM_RESOURCEMISSING - The resource pointed to by context is not loaded "},
+ {TPM_DELEGATE_LOCK, "TPM 1.2 TPM_DELEGATE_LOCK - The delegate administration is locked"},
+ {TPM_DELEGATE_FAMILY, "TPM 1.2 TPM_DELEGATE_FAMILY - Attempt to manage a family other then the delegated family"},
+ {TPM_DELEGATE_ADMIN, "TPM 1.2 TPM_DELEGATE_ADMIN - Delegation table management not enabled"},
+ {TPM_TRANSPORT_NOTEXCLUSIVE, "TPM 1.2 TPM_TRANSPORT_NOTEXCLUSIVE - There was a command executed outside of an exclusive transport session"},
+ {TPM_OWNER_CONTROL, "TPM 1.2 TPM_OWNER_CONTROL - Attempt to context save a owner evict controlled key"},
+ {TPM_DAA_RESOURCES, "TPM 1.2 TPM_DAA_RESOURCES - The DAA command has no resources available to execute the command"},
+ {TPM_DAA_INPUT_DATA0, "TPM 1.2 TPM_DAA_INPUT_DATA0 - The consistency check on DAA parameter inputData0 has failed."},
+ {TPM_DAA_INPUT_DATA1, "TPM 1.2 TPM_DAA_INPUT_DATA1 - The consistency check on DAA parameter inputData1 has failed."},
+ {TPM_DAA_ISSUER_SETTINGS, "TPM 1.2 TPM_DAA_ISSUER_SETTINGS - The consistency check on DAA_issuerSettings has failed."},
+ {TPM_DAA_TPM_SETTINGS, "TPM 1.2 TPM_DAA_TPM_SETTINGS - The consistency check on DAA_tpmSpecific has failed."},
+ {TPM_DAA_STAGE, "TPM 1.2 TPM_DAA_STAGE - The atomic process indicated by the submitted DAA command is not the expected process."},
+ {TPM_DAA_ISSUER_VALIDITY, "TPM 1.2 TPM_DAA_ISSUER_VALIDITY - The issuer's validity check has detected an inconsistency"},
+ {TPM_DAA_WRONG_W, "TPM 1.2 TPM_DAA_WRONG_W - The consistency check on w has failed."},
+ {TPM_BAD_HANDLE, "TPM 1.2 TPM_BAD_HANDLE - The handle is incorrect"},
+ {TPM_BAD_DELEGATE, "TPM 1.2 TPM_BAD_DELEGATE - Delegation is not correct"},
+ {TPM_BADCONTEXT, "TPM 1.2 TPM_BADCONTEXT - The context blob is invalid"},
+ {TPM_TOOMANYCONTEXTS, "TPM 1.2 TPM_TOOMANYCONTEXTS - Too many contexts held by the TPM"},
+ {TPM_MA_TICKET_SIGNATURE, "TPM 1.2 TPM_MA_TICKET_SIGNATURE - Migration authority signature validation failure "},
+ {TPM_MA_DESTINATION, "TPM 1.2 TPM_MA_DESTINATION - Migration destination not authenticated"},
+ {TPM_MA_SOURCE, "TPM 1.2 TPM_MA_SOURCE - Migration source incorrect"},
+ {TPM_MA_AUTHORITY, "TPM 1.2 TPM_MA_AUTHORITY - Incorrect migration authority"},
+ {TPM_PERMANENTEK, "TPM 1.2 TPM_PERMANENTEK - Attempt to revoke the EK and the EK is not revocable"},
+ {TPM_BAD_SIGNATURE, "TPM 1.2 TPM_BAD_SIGNATURE - Bad signature of CMK ticket "},
+ {TPM_NOCONTEXTSPACE, "TPM 1.2 TPM_NOCONTEXTSPACE - There is no room in the context list for additional contexts"},
+ {TPM_RETRY, "TPM 1.2 TPM_RETRY - The TPM is too busy to respond to the command immediately, but the command could be submitted at a later time"},
+ {TPM_NEEDS_SELFTEST, "TPM 1.2 TPM_NEEDS_SELFTEST - TPM_ContinueSelfTest has has not been run"},
+ {TPM_DOING_SELFTEST, "TPM 1.2 TPM_DOING_SELFTEST - The TPM is currently executing the actions of TPM_ContinueSelfTest because the ordinal required resources that have not been tested."},
+ {TPM_DEFEND_LOCK_RUNNING, "TPM 1.2 TPM_DEFEND_LOCK_RUNNING - The TPM is defending against dictionary attacks and is in some time-out period."},
+
+};
+#endif /* TPM_TPM12 */
+
+static const char *TSS_ResponseCode_RcToText(const RC_TABLE *table, size_t tableSize, TPM_RC rc);
+static const char *TSS_ResponseCode_NumberToText(unsigned int num);
+
+const RC_TABLE ver1Table [] = {
+ {TPM_RC_INITIALIZE, "TPM_RC_INITIALIZE - TPM not initialized by TPM2_Startup or already initialized"},
+ {TPM_RC_FAILURE, "TPM_RC_FAILURE - commands not being accepted because of a TPM failure"},
+ {TPM_RC_SEQUENCE, "TPM_RC_SEQUENCE - improper use of a sequence handle"},
+ {TPM_RC_PRIVATE, "TPM_RC_PRIVATE - not currently used"},
+ {TPM_RC_HMAC, "TPM_RC_HMAC - HMAC failure"},
+ {TPM_RC_DISABLED, "TPM_RC_DISABLED - the command is disabled"},
+ {TPM_RC_EXCLUSIVE, "TPM_RC_EXCLUSIVE - command failed because audit sequence required exclusivity"},
+ {TPM_RC_AUTH_TYPE, "TPM_RC_AUTH_TYPE - authorization handle is not correct for command"},
+ {TPM_RC_AUTH_MISSING, "TPM_RC_AUTH_MISSING - command requires an authorization session"},
+ {TPM_RC_POLICY, "TPM_RC_POLICY - policy failure in math operation or an invalid authPolicy value"},
+ {TPM_RC_PCR, "TPM_RC_PCR - PCR check fail"},
+ {TPM_RC_PCR_CHANGED, "TPM_RC_PCR_CHANGED - PCR have changed since checked."},
+ {TPM_RC_UPGRADE, "TPM_RC_UPGRADE - TPM is in field upgrade mode"},
+ {TPM_RC_TOO_MANY_CONTEXTS, "TPM_RC_TOO_MANY_CONTEXTS - context ID counter is at maximum."},
+ {TPM_RC_AUTH_UNAVAILABLE, "TPM_RC_AUTH_UNAVAILABLE - authValue or authPolicy is not available for selected entity."},
+ {TPM_RC_REBOOT, "TPM_RC_REBOOT - a _TPM_Init and Startup(CLEAR) is required"},
+ {TPM_RC_UNBALANCED, "TPM_RC_UNBALANCED - the protection algorithms (hash and symmetric) are not reasonably balanced"},
+ {TPM_RC_COMMAND_SIZE, "TPM_RC_COMMAND_SIZE - command commandSize value is inconsistent with contents of the command buffer"},
+ {TPM_RC_COMMAND_CODE, "TPM_RC_COMMAND_CODE - command code not supported"},
+ {TPM_RC_AUTHSIZE, "TPM_RC_AUTHSIZE - the value of authorizationSize is out of range"},
+ {TPM_RC_AUTH_CONTEXT, "TPM_RC_AUTH_CONTEXT - use of an authorization session with a command that cannot have an authorization session"},
+ {TPM_RC_NV_RANGE, "TPM_RC_NV_RANGE - NV offset+size is out of range."},
+ {TPM_RC_NV_SIZE, "TPM_RC_NV_SIZE - Requested allocation size is larger than allowed."},
+ {TPM_RC_NV_LOCKED, "TPM_RC_NV_LOCKED - NV access locked."},
+ {TPM_RC_NV_AUTHORIZATION, "TPM_RC_NV_AUTHORIZATION - NV access authorization fails"},
+ {TPM_RC_NV_UNINITIALIZED, "TPM_RC_NV_UNINITIALIZED - an NV Index is used before being initialized"},
+ {TPM_RC_NV_SPACE, "TPM_RC_NV_SPACE - insufficient space for NV allocation"},
+ {TPM_RC_NV_DEFINED, "TPM_RC_NV_DEFINED - NV Index or persistent object already defined"},
+ {TPM_RC_BAD_CONTEXT, "TPM_RC_BAD_CONTEXT - context in TPM2_ContextLoad() is not valid"},
+ {TPM_RC_CPHASH, "TPM_RC_CPHASH - cpHash value already set or not correct for use"},
+ {TPM_RC_PARENT, "TPM_RC_PARENT - handle for parent is not a valid parent"},
+ {TPM_RC_NEEDS_TEST, "TPM_RC_NEEDS_TEST - some function needs testing."},
+ {TPM_RC_NO_RESULT, "TPM_RC_NO_RESULT - internal function cannot process a request due to an unspecified problem."},
+ {TPM_RC_SENSITIVE, "TPM_RC_SENSITIVE - the sensitive area did not unmarshal correctly after decryption"},
+};
+
+/* RC_FMT1 response code to text */
+
+const RC_TABLE fmt1Table [] = {
+ {TPM_RC_ASYMMETRIC, "TPM_RC_ASYMMETRIC - asymmetric algorithm not supported or not correct"},
+ {TPM_RC_ATTRIBUTES, "TPM_RC_ATTRIBUTES - inconsistent attributes"},
+ {TPM_RC_HASH, "TPM_RC_HASH - hash algorithm not supported or not appropriate"},
+ {TPM_RC_VALUE, "TPM_RC_VALUE - value is out of range or is not correct for the context"},
+ {TPM_RC_HIERARCHY, "TPM_RC_HIERARCHY - hierarchy is not enabled or is not correct for the use"},
+ {TPM_RC_KEY_SIZE, "TPM_RC_KEY_SIZE - key size is not supported"},
+ {TPM_RC_MGF, "TPM_RC_MGF - mask generation function not supported"},
+ {TPM_RC_MODE, "TPM_RC_MODE - mode of operation not supported"},
+ {TPM_RC_TYPE, "TPM_RC_TYPE - the type of the value is not appropriate for the use"},
+ {TPM_RC_HANDLE, "TPM_RC_HANDLE - the handle is not correct for the use"},
+ {TPM_RC_KDF, "TPM_RC_KDF - unsupported key derivation function or function not appropriate for use"},
+ {TPM_RC_RANGE, "TPM_RC_RANGE - value was out of allowed range."},
+ {TPM_RC_AUTH_FAIL, "TPM_RC_AUTH_FAIL - the authorization HMAC check failed and DA counter incremented"},
+ {TPM_RC_NONCE, "TPM_RC_NONCE - invalid nonce size or nonce value mismatch"},
+ {TPM_RC_PP, "TPM_RC_PP - authorization requires assertion of PP"},
+ {TPM_RC_SCHEME, "TPM_RC_SCHEME - unsupported or incompatible scheme"},
+ {TPM_RC_SIZE, "TPM_RC_SIZE - structure is the wrong size"},
+ {TPM_RC_SYMMETRIC, "TPM_RC_SYMMETRIC - unsupported symmetric algorithm or key size, or not appropriate for instance"},
+ {TPM_RC_TAG, "TPM_RC_TAG - incorrect structure tag"},
+ {TPM_RC_SELECTOR, "TPM_RC_SELECTOR - union selector is incorrect"},
+ {TPM_RC_INSUFFICIENT, "TPM_RC_INSUFFICIENT - the TPM was unable to unmarshal a value because there were not enough octets in the input buffer"},
+ {TPM_RC_SIGNATURE, "TPM_RC_SIGNATURE - the signature is not valid"},
+ {TPM_RC_KEY, "TPM_RC_KEY - key fields are not compatible with the selected use"},
+ {TPM_RC_POLICY_FAIL, "TPM_RC_POLICY_FAIL - a policy check failed"},
+ {TPM_RC_INTEGRITY, "TPM_RC_INTEGRITY - integrity check failed"},
+ {TPM_RC_TICKET, "TPM_RC_TICKET - invalid ticket"},
+ {TPM_RC_RESERVED_BITS, "TPM_RC_RESERVED_BITS - reserved bits not set to zero as required"},
+ {TPM_RC_BAD_AUTH, "TPM_RC_BAD_AUTH - authorization failure without DA implications"},
+ {TPM_RC_EXPIRED, "TPM_RC_EXPIRED - the policy has expired"},
+ {TPM_RC_POLICY_CC, "TPM_RC_POLICY_CC - the commandCode in the policy is not the commandCode of the command"},
+ {TPM_RC_BINDING, "TPM_RC_BINDING - public and sensitive portions of an object are not cryptographically bound"},
+ {TPM_RC_CURVE, "TPM_RC_CURVE - curve not supported "},
+ {TPM_RC_ECC_POINT, "TPM_RC_ECC_POINT - point is not on the required curve."},
+};
+
+/* RC_WARN response code to text */
+
+const RC_TABLE warnTable [] = {
+ {TPM_RC_CONTEXT_GAP, "TPM_RC_CONTEXT_GAP - gap for context ID is too large"},
+ {TPM_RC_OBJECT_MEMORY, "TPM_RC_OBJECT_MEMORY - out of memory for object contexts"},
+ {TPM_RC_SESSION_MEMORY, "TPM_RC_SESSION_MEMORY - out of memory for session contexts"},
+ {TPM_RC_MEMORY, "TPM_RC_MEMORY - out of shared object/session memory or need space for internal operations"},
+ {TPM_RC_SESSION_HANDLES, "TPM_RC_SESSION_HANDLES - out of session handles - a session must be flushed before a new session may be created"},
+ {TPM_RC_OBJECT_HANDLES, "TPM_RC_OBJECT_HANDLES - out of object handles - the handle space for objects is depleted and a reboot is required"},
+ {TPM_RC_LOCALITY, "TPM_RC_LOCALITY - bad locality"},
+ {TPM_RC_YIELDED, "TPM_RC_YIELDED - the TPM has suspended operation on the command; forward progress was made and the command may be retried."},
+ {TPM_RC_CANCELED, "TPM_RC_CANCELED - the command was canceled"},
+ {TPM_RC_TESTING, "TPM_RC_TESTING - TPM is performing self-tests"},
+ {TPM_RC_REFERENCE_H0, "TPM_RC_REFERENCE_H0 - the 1st handle in the handle area references a transient object or session that is not loaded"},
+ {TPM_RC_REFERENCE_H1, "TPM_RC_REFERENCE_H1 - the 2nd handle in the handle area references a transient object or session that is not loaded"},
+ {TPM_RC_REFERENCE_H2, "TPM_RC_REFERENCE_H2 - the 3rd handle in the handle area references a transient object or session that is not loaded"},
+ {TPM_RC_REFERENCE_H3, "TPM_RC_REFERENCE_H3 - the 4th handle in the handle area references a transient object or session that is not loaded"},
+ {TPM_RC_REFERENCE_H4, "TPM_RC_REFERENCE_H4 - the 5th handle in the handle area references a transient object or session that is not loaded"},
+ {TPM_RC_REFERENCE_H5, "TPM_RC_REFERENCE_H5 - the 6th handle in the handle area references a transient object or session that is not loaded"},
+ {TPM_RC_REFERENCE_H6, "TPM_RC_REFERENCE_H6 - the 7th handle in the handle area references a transient object or session that is not loaded"},
+ {TPM_RC_REFERENCE_S0, "TPM_RC_REFERENCE_S0 - the 1st authorization session handle references a session that is not loaded"},
+ {TPM_RC_REFERENCE_S1, "TPM_RC_REFERENCE_S1 - the 2nd authorization session handle references a session that is not loaded"},
+ {TPM_RC_REFERENCE_S2, "TPM_RC_REFERENCE_S2 - the 3rd authorization session handle references a session that is not loaded"},
+ {TPM_RC_REFERENCE_S3, "TPM_RC_REFERENCE_S3 - the 4th authorization session handle references a session that is not loaded"},
+ {TPM_RC_REFERENCE_S4, "TPM_RC_REFERENCE_S4 - the 5th session handle references a session that is not loaded"},
+ {TPM_RC_REFERENCE_S5, "TPM_RC_REFERENCE_S5 - the 6th session handle references a session that is not loaded"},
+ {TPM_RC_REFERENCE_S6, "TPM_RC_REFERENCE_S6 - the 7th authorization session handle references a session that is not loaded"},
+ {TPM_RC_NV_RATE, "TPM_RC_NV_RATE - the TPM is rate-limiting accesses to prevent wearout of NV"},
+ {TPM_RC_LOCKOUT, "TPM_RC_LOCKOUT - authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode"},
+ {TPM_RC_RETRY, "TPM_RC_RETRY - the TPM was not able to start the command"},
+ {TPM_RC_NV_UNAVAILABLE, "the command may require writing of NV and NV is not current accessible"},
+ {TPM_RC_NOT_USED, "TPM_RC_NOT_USED - this value is reserved and shall not be returned by the TPM"},
+};
+
+/* parameter and handle number to text */
+
+const char *num_table [] = {
+ "unspecified",
+ "1",
+ "2",
+ "3",
+ "4",
+ "5",
+ "6",
+ "7",
+ "8",
+ "9",
+ "10",
+ "11",
+ "12",
+ "13",
+ "14",
+ "15"
+};
+
+/* from tsserror.h */
+
+const RC_TABLE tssTable [] = {
+ {TSS_RC_OUT_OF_MEMORY, "TSS_RC_OUT_OF_MEMORY - Out of memory (malloc failed)"},
+ {TSS_RC_ALLOC_INPUT, "TSS_RC_ALLOC_INPUT - The input to an allocation is not NULL"},
+ {TSS_RC_MALLOC_SIZE, "TSS_RC_MALLOC_SIZE - The malloc size is too large or zero"},
+ {TSS_RC_INSUFFICIENT_BUFFER, "TSS_RC_INSUFFICIENT_BUFFER - A buffer was insufficient for a copy"},
+ {TSS_RC_BAD_PROPERTY, "TSS_RC_BAD_PROPERTY - The property parameter is out of range"},
+ {TSS_RC_BAD_PROPERTY_VALUE, "TSS_RC_BAD_PROPERTY_VALUE - The property value is invalid"},
+ {TSS_RC_INSUPPORTED_INTERFACE, "TSS_RC_INSUPPORTED_INTERFACE - The TPM interface type is not supported"},
+ {TSS_RC_NO_CONNECTION, "TSS_RC_NO_CONNECTION - Failure connecting to lower layer"},
+ {TSS_RC_BAD_CONNECTION, "TSS_RC_BAD_CONNECTION - Failure communicating with lower layer"},
+ {TSS_RC_MALFORMED_RESPONSE, "TSS_RC_MALFORMED_RESPONSE - A response packet was fundamentally malformed"},
+ {TSS_RC_NULL_PARAMETER, "TSS_RC_NULL_PARAMETER - A required parameter was NULL"},
+ {TSS_RC_NOT_IMPLEMENTED, "TSS_RC_NOT_IMPLEMENTED - TSS function is not implemented"},
+ {TSS_RC_BAD_READ_VALUE, "TSS_RC_BAD_READ_VALUE - Actual read value different from expected"},
+ {TSS_RC_FILE_OPEN, "TSS_RC_FILE_OPEN - The file could not be opened"},
+ {TSS_RC_FILE_SEEK, "TSS_RC_FILE_SEEK - A file seek failed"},
+ {TSS_RC_FILE_FTELL, "TSS_RC_FILE_FTELL - A file ftell failed"},
+ {TSS_RC_FILE_READ, "TSS_RC_FILE_READ - A file read failed"},
+ {TSS_RC_FILE_CLOSE, "TSS_RC_FILE_CLOSE - A file close failed"},
+ {TSS_RC_FILE_WRITE, "TSS_RC_FILE_WRITE - A file write failed"},
+ {TSS_RC_FILE_REMOVE, "TSS_RC_FILE_REMOVE - A file remove failed"},
+ {TSS_RC_RNG_FAILURE, "TSS_RC_RNG_FAILURE - The random number generator failed"},
+ {TSS_RC_BAD_PWAP_NONCE, "TSS_RC_BAD_PWAP_NONCE - Bad PWAP response nonce"},
+ {TSS_RC_BAD_PWAP_ATTRIBUTES, "TSS_RC_BAD_PWAP_ATTRIBUTES - Bad PWAP response attributes"},
+ {TSS_RC_BAD_PWAP_HMAC, "TSS_RC_BAD_PWAP_HMAC - Bad PWAP response HMAC"},
+ {TSS_RC_NAME_NOT_IMPLEMENTED, "TSS_RC_NAME_NOT_IMPLEMENTED - name calculation not implemented for handle type"},
+ {TSS_RC_MALFORMED_NV_PUBLIC, "TSS_RC_MALFORMED_NV_PUBLIC - The NV public structure does not match the name"},
+ {TSS_RC_NAME_FILENAME, "TSS_RC_NAME_FILENAME - The name filename function has inconsistent arguments"},
+ {TSS_RC_MALFORMED_PUBLIC, "TSS_RC_MALFORMED_PUBLIC -The public structure does not match the name"},
+ {TSS_RC_DECRYPT_SESSIONS, "TSS_RC_DECRYPT_SESSIONS - More than one command decrypt session"},
+ {TSS_RC_ENCRYPT_SESSIONS, "TSS_RC_ENCRYPT_SESSIONS - More than one response encrypt session"},
+ {TSS_RC_NO_DECRYPT_PARAMETER, "TSS_RC_NO_DECRYPT_PARAMETER - Command has no decrypt parameter"},
+ {TSS_RC_NO_ENCRYPT_PARAMETER, "TSS_RC_NO_ENCRYPT_PARAMETER - Respnse has no encrypt parameter"},
+ {TSS_RC_BAD_DECRYPT_ALGORITHM, "TSS_RC_BAD_DECRYPT_ALGORITHM - Session had an unimplemented decrypt symmetric algorithm"},
+ {TSS_RC_BAD_ENCRYPT_ALGORITHM, "TSS_RC_BAD_ENCRYPT_ALGORITHM - Session had an unimplemented encrypt symmetric algorithm"},
+ {TSS_RC_AES_ENCRYPT_FAILURE, "TSS_RC_AES_ENCRYPT_FAILURE - AES encryption failed"},
+ {TSS_RC_AES_DECRYPT_FAILURE, "TSS_RC_AES_DECRYPT_FAILURE - AES decryption failed\n"
+ "\tIf using command line utilities, set env variable TPM_ENCRYPT_SESSIONS to 0\n"
+ "\tor see TSS manual for more options"},
+ {TSS_RC_BAD_ENCRYPT_SIZE, "TSS_RC_BAD_ENCRYPT_SIZE - Parameter encryption size mismatch"},
+ {TSS_RC_AES_KEYGEN_FAILURE, "TSS_RC_AES_KEYGEN_FAILURE - AES key generation failed"},
+ {TSS_RC_SESSION_NUMBER, "TSS_RC_SESSION_NUMBER - session number out of range"},
+ {TSS_RC_BAD_SALT_KEY, "TSS_RC_BAD_SALT_KEY - Key is unsuitable for salt"},
+ {TSS_RC_KDFA_FAILED, "TSS_RC_KDFA_FAILED - KDFa function failed"},
+ {TSS_RC_HMAC, "TSS_RC_HMAC - An HMAC calculation failed"},
+ {TSS_RC_HMAC_SIZE, "TSS_RC_HMAC_SIZE - nse HMAC is the wrong size"},
+ {TSS_RC_HMAC_VERIFY, "TSS_RC_HMAC_VERIFY - MAC does not verify"},
+ {TSS_RC_BAD_HASH_ALGORITHM, "TSS_RC_BAD_HASH_ALGORITHM - Unimplemented hash algorithm"},
+ {TSS_RC_HASH, "TSS_RC_HASH - A hash calculation failed"},
+ {TSS_RC_RSA_KEY_CONVERT, "TSS_RC_RSA_KEY_CONVERT - RSA key conversion failed"},
+ {TSS_RC_RSA_PADDING, "TSS_RC_RSA_PADDING - RSA add padding failed"},
+ {TSS_RC_RSA_ENCRYPT, "TSS_RC_RSA_ENCRYPT - RSA public encrypt failed"},
+ {TSS_RC_BIGNUM, "TSS_RC_BIGNUM - NUM operation failed"},
+ {TSS_RC_RSA_SIGNATURE, "TSS_RC_RSA_SIGNATURE - RSA signature is bad"},
+ {TSS_RC_EC_SIGNATURE, "TSS_RC_EC_SIGNATURE - EC signature is bad"},
+ {TSS_RC_EC_KEY_CONVERT, "TSS_RC_EC_KEY_CONVERT - EC key conversion failed"},
+ {TSS_RC_X509_ERROR, "TSS_RC_X509_ERROR - X509 parse error"},
+ {TSS_RC_PEM_ERROR, "TSS_RC_PEM_ERROR - PEM parse error"},
+ {TSS_RC_BAD_SIGNATURE_ALGORITHM, "TSS_RC_BAD_SIGNATURE_ALGORITHM - Unimplemented signature algorithm"},
+ {TSS_RC_COMMAND_UNIMPLEMENTED, "TSS_RC_COMMAND_UNIMPLEMENTED - Unimplemented command"},
+ {TSS_RC_IN_PARAMETER, "TSS_RC_IN_PARAMETER - Bad in parameter to TSS_Execute"},
+ {TSS_RC_OUT_PARAMETER, "TSS_RC_OUT_PARAMETER - Bad out parameter to TSS_Execute"},
+ {TSS_RC_BAD_HANDLE_NUMBER, "TSS_RC_BAD_HANDLE_NUMBER - Bad handle number for this command"},
+ {TSS_RC_KDFE_FAILED, "TSS_RC_KDFE_FAILED - KDFe function failed"},
+ {TSS_RC_EC_EPHEMERAL_FAILURE, "TSS_RC_EC_EPHEMERAL_FAILURE - Failed while making or using EC ephemeral key"},
+ {TSS_RC_FAIL, "TSS_RC_FAIL - TSS internal failure"},
+ {TSS_RC_NO_SESSION_SLOT, "TSS_RC_NO_SESSION_SLOT - TSS context has no session slot for handle"},
+ {TSS_RC_NO_OBJECTPUBLIC_SLOT, "TSS_RC_NO_OBJECTPUBLIC_SLOT - TSS context has no object public slot for handle"},
+ {TSS_RC_NO_NVPUBLIC_SLOT, "TSS_RC_NO_NVPUBLIC_SLOT -TSS context has no NV public slot for handle"},
+};
+
+#ifdef TPM_WINDOWS
+#ifdef TPM_WINDOWS_TBSI
+
+/* Windows TBS, see winerror.h */
+
+const RC_TABLE tbsTable [] = {
+ {TBS_E_INTERNAL_ERROR, "TBS_E_INTERNAL_ERROR - An internal software error occurred"},
+ {TBS_E_BAD_PARAMETER, "TBS_E_BAD_PARAMETER - One or more parameter values are not valid"},
+ {TBS_E_INVALID_OUTPUT_POINTER, "TBS_E_INVALID_OUTPUT_POINTER - A specified output pointer is bad"},
+ {TBS_E_INVALID_CONTEXT, "TBS_E_INVALID_CONTEXT - The specified context handle does not refer to a valid context"},
+ {TBS_E_INSUFFICIENT_BUFFER, "TBS_E_INSUFFICIENT_BUFFER - The specified output buffer is too small"},
+ {TBS_E_IOERROR, "TBS_E_IOERROR - An error occurred while communicating with the TPM"},
+ {TBS_E_INVALID_CONTEXT_PARAM, "TBS_E_INVALID_CONTEXT_PARAM - A context parameter that is not valid was passed when attempting to create a TBS context"},
+ {TBS_E_SERVICE_NOT_RUNNING, "TBS_E_SERVICE_NOT_RUNNING - The TBS service is not running and could not be started"},
+ {TBS_E_TOO_MANY_TBS_CONTEXTS, "TBS_E_TOO_MANY_TBS_CONTEXTS - A new context could not be created because there are too many open contexts"},
+ {TBS_E_TOO_MANY_RESOURCES, "TBS_E_TOO_MANY_RESOURCES - A new virtual resource could not be created because there are too many open virtual resources"},
+ {TBS_E_SERVICE_START_PENDING, "TBS_E_SERVICE_START_PENDING - The TBS service has been started but is not yet running"},
+ {TBS_E_PPI_NOT_SUPPORTED, "TBS_E_PPI_NOT_SUPPORTED - The physical presence interface is not supported"},
+ {TBS_E_COMMAND_CANCELED, "TBS_E_COMMAND_CANCELED - The command was canceled"},
+ {TBS_E_BUFFER_TOO_LARGE, "TBS_E_BUFFER_TOO_LARGE - The input or output buffer is too large"},
+ {TBS_E_TPM_NOT_FOUND, "TBS_E_TPM_NOT_FOUND - A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer"},
+ {TBS_E_SERVICE_DISABLED, "TBS_E_SERVICE_DISABLED - The TBS service has been disabled"},
+ {TBS_E_NO_EVENT_LOG, "TBS_E_NO_EVENT_LOG - The TBS event log is not available"},
+ {TBS_E_ACCESS_DENIED, "TBS_E_ACCESS_DENIED - The caller does not have the appropriate rights to perform the requested operation"},
+ {TBS_E_PROVISIONING_NOT_ALLOWED, "TBS_E_PROVISIONING_NOT_ALLOWED - The TPM provisioning action is not allowed by the specified flags"},
+ {TBS_E_PPI_FUNCTION_UNSUPPORTED, "TBS_E_PPI_FUNCTION_UNSUPPORTED - The Physical Presence Interface of this firmware does not support the requested method"},
+ {TBS_E_OWNERAUTH_NOT_FOUND, "TBS_E_OWNERAUTH_NOT_FOUND - The requested TPM OwnerAuth value was not found"},
+ {TBS_E_PROVISIONING_INCOMPLETE, "TBS_E_PROVISIONING_INCOMPLETE - The TPM provisioning did not complete."},
+
+ {TPM_E_COMMAND_BLOCKED, "TPM_E_COMMAND_BLOCKED - The command was blocked"},
+ {TPM_E_INVALID_HANDLE, "TPM_E_INVALID_HANDLE - The specified handle was not found"},
+ {TPM_E_DUPLICATE_VHANDLE, "TPM_E_DUPLICATE_VHANDLE - The TPM returned a duplicate handle and the command needs to be resubmitted"},
+ {TPM_E_EMBEDDED_COMMAND_BLOCKED, "TPM_E_EMBEDDED_COMMAND_BLOCKED - The command within the transport was blocked"},
+ {TPM_E_EMBEDDED_COMMAND_UNSUPPORTED, "TPM_E_EMBEDDED_COMMAND_UNSUPPORTED - The command within the transport is not supported"},
+ {TPM_E_RETRY, "TPM_E_RETRY - The TPM is too busy to respond to the command immediately, but the command could be resubmitted at a later time"},
+ {TPM_E_NEEDS_SELFTEST, "TPM_E_NEEDS_SELFTEST - SelfTestFull has not been run"},
+ {TPM_E_DOING_SELFTEST, "TPM_E_DOING_SELFTEST - The TPM is currently executing a full selftest"},
+ {TPM_E_DEFEND_LOCK_RUNNING, "TPM_E_DEFEND_LOCK_RUNNING - The TPM is defending against dictionary attacks and is in a time-out period"},
+};
+
+#endif /* TPM_WINDOWS_TBSI */
+#endif /* TPM_WINDOWS */
+
+#define BITS1108 0xf00
+#define BITS1108SHIFT 8
+
+#define BITS1008 0x700
+#define BITS1008SHIFT 8
+
+#define BITS0600 0x07f
+#define BITS0500 0x03f
+
+#define BITS87 0x180
+#define BIT11 0x800
+#define BIT10 0x400
+#define BIT7 0x080
+#define BIT6 0x040
+
+#define TSSMASK 0x00ff0000 /* 23:16 */
+#define TBSMASK 0x80000000
+
+/* Test cases
+
+ TPM 1.2 001
+ TPM param 1c1
+ TPM handle 181
+ TPM session 981
+ TSS b0001
+*/
+
+/* TSS namespace starts with bit 16 */
+#define TSS_RC_LEVEL_SHIFT 16
+
+/* TSS error level name space */
+#define TSS_ERROR_LEVEL (11 << TSS_RC_LEVEL_SHIFT )
+
+/* Figure 26 - Response Code Evaluation */
+
+void TSS_ResponseCode_toString(const char **msg, const char **submsg, const char **num, TPM_RC rc)
+{
+ *submsg = ""; /* sometimes no sub-message */
+ *num = ""; /* sometime no number */
+
+ if (rc == 0) {
+ *msg = "TPM_RC_SUCCESS";
+ }
+#ifdef TPM_WINDOWS
+#ifdef TPM_WINDOWS_TBSI
+ else if ((rc & TBSMASK) == TBSMASK) {
+ *msg = TSS_ResponseCode_RcToText(tbsTable, sizeof(tbsTable) / sizeof(RC_TABLE), rc);
+ }
+#endif /* TPM_WINDOWS_TBSI */
+#endif /* TPM_WINDOWS */
+ /* if TSS 11 << 16 */
+ else if ((rc & TSSMASK) == TSS_ERROR_LEVEL) {
+ *msg = TSS_ResponseCode_RcToText(tssTable, sizeof(tssTable) / sizeof(RC_TABLE), rc);
+ }
+ /* if bits 8:7 are 00 */
+ else if ((rc & BITS87) == 0) {
+ /* TPM 1.2 x000 0xxx xxxx */
+#ifdef TPM_TPM12
+ *msg = TSS_ResponseCode_RcToText(tpm12Table, sizeof(tpm12Table) / sizeof(RC_TABLE), rc);
+#else
+ *msg = "TPM 1.2 response code";
+#endif
+ }
+ /* if bits 8:7 are not 00 */
+ else {
+ /* if bit 7 is 0 */
+ if ((rc & BIT7) == 0) {
+ /* if bit 10 is 1 */
+ if ((rc & BIT10) != 0) {
+ /* vendor defined x101 0xxx xxxx */
+ *msg = "TPM2 vendor defined response code";
+ }
+ /* if bit 10 is 0 */
+ else {
+ /* if bit 11 is 1 */
+ if ((rc & BIT11) != 0) {
+ /* warning 1001 0xxx xxxx RC_WARN */
+ *msg = TSS_ResponseCode_RcToText(warnTable,
+ sizeof(warnTable) / sizeof(RC_TABLE),
+ rc & (BITS0600 | RC_WARN));
+ }
+ /* if bit 11 is 0 */
+ else {
+ /* error 0001 0xxx xxxx RC_VER1 */
+ *msg = TSS_ResponseCode_RcToText(ver1Table,
+ sizeof(ver1Table) / sizeof(RC_TABLE),
+ rc & (BITS0600 | RC_VER1));
+ }
+ }
+ }
+ /* if bit 7 is 1 RC_FMT1 */
+ else {
+ /* if bit 6 is 1 */
+ if ((rc & BIT6) != 0) {
+ /* error xxxx 11xx xxxx */
+ *msg = TSS_ResponseCode_RcToText(fmt1Table,
+ sizeof(fmt1Table) / sizeof(RC_TABLE),
+ rc & (BITS0500 | RC_FMT1));
+ *submsg = " Parameter number ";
+ *num = TSS_ResponseCode_NumberToText((rc & BITS1108) >> BITS1108SHIFT);
+ }
+ /* if bit 6 is 0 */
+ else {
+ /* if bit 11 is 1 */
+ if ((rc & BIT11) != 0) {
+ /* error 1xxx 10xx xxxx */
+ *msg = TSS_ResponseCode_RcToText(fmt1Table,
+ sizeof(fmt1Table) / sizeof(RC_TABLE),
+ rc & (BITS0500 | RC_FMT1));
+ *submsg = " Session number ";
+ *num = TSS_ResponseCode_NumberToText((rc & BITS1008) >> BITS1008SHIFT);
+ }
+ /* if bit 11 is 0 */
+ else {
+ /* error 0xxx 10xx xxxx */
+ *msg = TSS_ResponseCode_RcToText(fmt1Table,
+ sizeof(fmt1Table) / sizeof(RC_TABLE),
+ rc & (BITS0500 | RC_FMT1));
+ *submsg = " Handle number ";
+ *num = TSS_ResponseCode_NumberToText((rc & BITS1008) >> BITS1008SHIFT);
+ }
+ }
+ }
+ }
+ return;
+}
+
+static const char *TSS_ResponseCode_RcToText(const RC_TABLE *table, size_t tableSize, TPM_RC rc)
+{
+ size_t i;
+
+ for (i = 0 ; i < tableSize ; i++) {
+ if (table[i].rc == rc) {
+ return table[i].text;
+ }
+ }
+ return "response code unknown";
+}
+
+static const char *TSS_ResponseCode_NumberToText(unsigned int num)
+{
+ if (num < (sizeof(num_table) / sizeof(const char *))) {
+ return num_table[num];
+ }
+ else {
+ return "out of bounds";
+ }
+}
+
+#endif /* TPM_TSS_NO_PRINT */
diff --git a/libstb/tss2/ibmtpm20tss/utils/tsssocket.c b/libstb/tss2/ibmtpm20tss/utils/tsssocket.c
new file mode 100644
index 0000000..c5c9be1
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tsssocket.c
@@ -0,0 +1,706 @@
+/********************************************************************************/
+/* */
+/* Socket Transmit and Receive Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tsssocket.c 1304 2018-08-20 18:31:45Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015, 2018. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <errno.h>
+
+#ifndef TPM_NOSOCKET
+
+/* TSS_SOCKET_FD encapsulates the differences between the Posix and Windows socket type */
+
+#ifdef TPM_POSIX
+#include <unistd.h>
+#include <arpa/inet.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#endif
+
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <sys/types.h>
+#include <fcntl.h>
+
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+#include "tssproperties.h"
+#include <ibmtss/tsstransmit.h>
+
+#include "tsssocket.h"
+
+/* local prototypes */
+
+static uint32_t TSS_Socket_Open(TSS_CONTEXT *tssContext, short port);
+static uint32_t TSS_Socket_SendCommand(TSS_CONTEXT *tssContext,
+ const uint8_t *buffer, uint16_t length,
+ const char *message);
+static uint32_t TSS_Socket_SendPlatform(TSS_SOCKET_FD sock_fd, uint32_t command, const char *message);
+static uint32_t TSS_Socket_ReceiveResponse(TSS_CONTEXT *tssContext, uint8_t *buffer, uint32_t *length);
+static uint32_t TSS_Socket_ReceivePlatform(TSS_SOCKET_FD sock_fd);
+static uint32_t TSS_Socket_ReceiveBytes(TSS_SOCKET_FD sock_fd, uint8_t *buffer, uint32_t nbytes);
+static uint32_t TSS_Socket_SendBytes(TSS_SOCKET_FD sock_fd, const uint8_t *buffer, size_t length);
+
+static uint32_t TSS_Socket_GetServerType(TSS_CONTEXT *tssContext,
+ int *mssim,
+ int *rawsingle);
+#ifdef TPM_WINDOWS
+static void TSS_Socket_PrintError(int err);
+#endif
+
+extern int tssVverbose;
+extern int tssVerbose;
+
+/* TSS_Socket_TransmitPlatform() transmits MS simulator platform administrative commands */
+
+TPM_RC TSS_Socket_TransmitPlatform(TSS_CONTEXT *tssContext,
+ uint32_t command, const char *message)
+{
+ TPM_RC rc = 0;
+ int mssim; /* boolean, true for MS simulator packet format, false for raw packet
+ format */
+ int rawsingle = FALSE; /* boolean, true for raw format with an open and close per
+ command */
+ /* open on first transmit */
+ if (tssContext->tssFirstTransmit) {
+ /* detect errors before starting, get the server packet type, MS sim or raw */
+ if (rc == 0) {
+ rc = TSS_Socket_GetServerType(tssContext, &mssim, &rawsingle);
+ }
+ /* the platform administrative commands can only work with the simulator */
+ if (rc == 0) {
+ if (!mssim) {
+ if (tssVerbose) printf("TSS_Socket_TransmitPlatform: server type %s unsupported\n",
+ tssContext->tssServerType);
+ rc = TSS_RC_INSUPPORTED_INTERFACE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Socket_Open(tssContext, tssContext->tssPlatformPort);
+ }
+ if (rc == 0) {
+ tssContext->tssFirstTransmit = FALSE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Socket_SendPlatform(tssContext->sock_fd, command, message);
+ }
+ if (rc == 0) {
+ rc = TSS_Socket_ReceivePlatform(tssContext->sock_fd);
+ }
+ return rc;
+}
+
+/* TSS_Socket_TransmitCommand() transmits MS simulator in band administrative commands */
+
+TPM_RC TSS_Socket_TransmitCommand(TSS_CONTEXT *tssContext,
+ uint32_t command, const char *message)
+{
+ TPM_RC rc = 0;
+ int mssim; /* boolean, true for MS simulator packet format, false for raw packet
+ format */
+ int rawsingle = FALSE; /* boolean, true for raw format with an open and close per
+ command */
+ /* open on first transmit */
+ if (tssContext->tssFirstTransmit) {
+ /* detect errors before starting, get the server packet type, MS sim or raw */
+ if (rc == 0) {
+ rc = TSS_Socket_GetServerType(tssContext, &mssim, &rawsingle);
+ }
+ /* the platform administrative commands can only work with the simulator */
+ if (rc == 0) {
+ if (!mssim) {
+ if (tssVerbose) printf("TSS_Socket_TransmitCommand: server type %s unsupported\n",
+ tssContext->tssServerType);
+ rc = TSS_RC_INSUPPORTED_INTERFACE;
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_Socket_Open(tssContext, tssContext->tssCommandPort);
+ }
+ if (rc == 0) {
+ tssContext->tssFirstTransmit = FALSE;
+ }
+ }
+ if (message != NULL) {
+ if (tssVverbose) printf("TSS_Socket_TransmitCommand: %s\n", message);
+ }
+ if (rc == 0) {
+ uint32_t commandType = htonl(command); /* command type is network byte order */
+ rc = TSS_Socket_SendBytes(tssContext->sock_fd, (uint8_t *)&commandType, sizeof(uint32_t));
+ }
+ /* FIXME The only command currently supported is TPM_STOP, which has no response */
+ return rc;
+}
+
+/* TSS_Socket_Transmit() transmits the TPM command and receives the response.
+
+ It can return socket transmit and receive packet errors, but normally returns the TPM response
+ code.
+
+*/
+
+TPM_RC TSS_Socket_Transmit(TSS_CONTEXT *tssContext,
+ uint8_t *responseBuffer, uint32_t *read,
+ const uint8_t *commandBuffer, uint32_t written,
+ const char *message)
+{
+ TPM_RC rc = 0;
+ int mssim; /* boolean, true for MS simulator packet format, false for raw packet
+ format */
+ int rawsingle = FALSE; /* boolean, true for raw packet format requiring an open and
+ close for each command */
+
+ /* open on first transmit */
+ if (tssContext->tssFirstTransmit) {
+ /* detect errors before starting, get the server packet type, MS sim or raw */
+ if (rc == 0) {
+ rc = TSS_Socket_GetServerType(tssContext, &mssim, &rawsingle);
+ }
+ if (rc == 0) {
+ rc = TSS_Socket_Open(tssContext, tssContext->tssCommandPort);
+ }
+ if (rc == 0) {
+ tssContext->tssFirstTransmit = FALSE;
+ }
+ }
+ /* send the command over the socket. Error if the socket send fails. */
+ if (rc == 0) {
+ rc = TSS_Socket_SendCommand(tssContext, commandBuffer, written, message);
+ }
+ /* receive the response over the socket. Returns socket errors, malformed response errors.
+ Else returns the TPM response code. */
+ if (rc == 0) {
+ rc = TSS_Socket_ReceiveResponse(tssContext, responseBuffer, read);
+ }
+ /* rawsingle flags a close after each command */
+ if (rawsingle) {
+ TPM_RC rc1;
+ rc1 = TSS_Socket_Close(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ tssContext->tssFirstTransmit = TRUE; /* force reopen on next command */
+ }
+ return rc;
+}
+
+/* TSS_Socket_GetServerType() gets the type of server packet format
+
+ Currently, the formats supported are:
+
+ mssim, raw, rawsingle
+
+ mssim TRUE - the MS simulator packet
+ mssim FALSE - raw TPM specification Part 3 packets
+ rawsingle is the same as mssim FALSE but forces an open and cose for each command
+*/
+
+static uint32_t TSS_Socket_GetServerType(TSS_CONTEXT *tssContext,
+ int *mssim,
+ int *rawsingle)
+{
+ uint32_t rc = 0;
+ if (rc == 0) {
+ if ((strcmp(tssContext->tssServerType, "mssim") == 0)) {
+ *mssim = TRUE;
+ *rawsingle = FALSE;
+ }
+ else if ((strcmp(tssContext->tssServerType, "raw") == 0)) {
+ *mssim = FALSE;
+ *rawsingle = FALSE;
+ }
+ else if ((strcmp(tssContext->tssServerType, "rawsingle") == 0)) {
+ *mssim = FALSE;
+ *rawsingle = TRUE;
+ }
+ else {
+ if (tssVerbose) printf("TSS_Socket_GetServerType: server type %s unsupported\n",
+ tssContext->tssServerType);
+ rc = TSS_RC_INSUPPORTED_INTERFACE;
+ }
+ }
+ return rc;
+}
+
+/* TSS_Socket_Open() opens the socket to the TPM Host emulation to tssServerName:port
+
+*/
+
+static uint32_t TSS_Socket_Open(TSS_CONTEXT *tssContext, short port)
+{
+#ifdef TPM_WINDOWS
+ WSADATA wsaData;
+ int irc;
+#endif
+ struct sockaddr_in serv_addr;
+ struct hostent *host = NULL;
+
+ if (tssVverbose) printf("TSS_Socket_Open: Opening %s:%hu-%s\n",
+ tssContext->tssServerName, port, tssContext->tssServerType);
+ /* create a socket */
+#ifdef TPM_WINDOWS
+ if ((irc = WSAStartup(0x202, &wsaData)) != 0) { /* if not successful */
+ if (tssVerbose) printf("TSS_Socket_Open: Error, WSAStartup failed\n");
+ WSACleanup();
+ return TSS_RC_NO_CONNECTION;
+ }
+ if ((tssContext->sock_fd = socket(AF_INET,SOCK_STREAM, 0)) == INVALID_SOCKET) {
+ if (tssVerbose) printf("TSS_Socket_Open: client socket() error: %u\n", tssContext->sock_fd);
+ return TSS_RC_NO_CONNECTION;
+ }
+#endif
+#ifdef TPM_POSIX
+ if ((tssContext->sock_fd = socket(AF_INET,SOCK_STREAM, 0)) < 0) {
+ if (tssVerbose) printf("TSS_Socket_Open: client socket error: %d %s\n",
+ errno,strerror(errno));
+ return TSS_RC_NO_CONNECTION;
+ }
+#endif
+ memset((char *)&serv_addr,0x0,sizeof(serv_addr));
+ serv_addr.sin_family = AF_INET;
+ serv_addr.sin_port = htons(port);
+
+ /* the server host name tssServerName came from the default or an environment variable */
+ /* first assume server is dotted decimal number and call inet_addr */
+ if ((int)(serv_addr.sin_addr.s_addr = inet_addr(tssContext->tssServerName)) == -1) {
+ /* if inet_addr fails, assume server is a name and call gethostbyname to look it up */
+ /* if gethostbyname also fails */
+ if ((host = gethostbyname(tssContext->tssServerName)) == NULL) {
+ if (tssVerbose) printf("TSS_Socket_Open: server name error, name %s\n",
+ tssContext->tssServerName);
+ return TSS_RC_NO_CONNECTION;
+ }
+ serv_addr.sin_family = host->h_addrtype;
+ memcpy(&serv_addr.sin_addr, host->h_addr, host->h_length);
+ }
+ /* establish the connection to the TPM server */
+#ifdef TPM_POSIX
+ if (connect(tssContext->sock_fd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
+ if (tssVerbose) printf("TSS_Socket_Open: Error on connect to %s:%u\n",
+ tssContext->tssServerName, port);
+ if (tssVerbose) printf("TSS_Socket_Open: client connect: error %d %s\n",
+ errno,strerror(errno));
+ return TSS_RC_NO_CONNECTION;
+ }
+#endif
+#ifdef TPM_WINDOWS
+ if (connect(tssContext->sock_fd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) != 0) {
+ if (tssVerbose) {
+ int err;
+ printf("TSS_Socket_Open: Error on connect to %s:%u\n",
+ tssContext->tssServerName, port);
+ err = WSAGetLastError();
+ printf("TSS_Socket_Open: client connect: error %d\n", err);
+ TSS_Socket_PrintError(err);
+ }
+ return TSS_RC_NO_CONNECTION;
+ }
+#endif
+ else {
+ /* printf("TSS_Socket_Open: client connect: success\n"); */
+ }
+ return 0;
+}
+
+/* TSS_Socket_SendCommand() sends the TPM command packet over the socket.
+
+ The MS simulator packet is of the form:
+
+ TPM_SEND_COMMAND
+ locality 0
+ length
+ TPM command packet (this is the raw packet format)
+
+ Returns an error if the socket send fails.
+*/
+
+static uint32_t TSS_Socket_SendCommand(TSS_CONTEXT *tssContext,
+ const uint8_t *buffer, uint16_t length,
+ const char *message)
+{
+ uint32_t rc = 0;
+ int mssim; /* boolean, true for MS simulator packet format, false for raw packet
+ format */
+ int rawsingle;
+
+ if (message != NULL) {
+ if (tssVverbose) printf("TSS_Socket_SendCommand: %s\n", message);
+ }
+ /* trace the command packet */
+ if ((rc == 0) && tssVverbose) {
+ TSS_PrintAll("TSS_Socket_SendCommand",
+ buffer, length);
+ }
+ /* get the server packet type, MS sim or raw */
+ if (rc == 0) {
+ rc = TSS_Socket_GetServerType(tssContext, &mssim, &rawsingle);
+ }
+ /* MS simulator wants a command type, locality, length */
+ if ((rc == 0) && mssim) {
+ uint32_t commandType = htonl(TPM_SEND_COMMAND); /* command type is network byte order */
+ rc = TSS_Socket_SendBytes(tssContext->sock_fd, (uint8_t *)&commandType, sizeof(uint32_t));
+ }
+ if ((rc == 0) && mssim) {
+ uint8_t locality = 0;
+ rc = TSS_Socket_SendBytes(tssContext->sock_fd, &locality, sizeof(uint8_t));
+ }
+ if ((rc == 0) && mssim) {
+ uint32_t lengthNbo = htonl(length); /* length is network byte order */
+ rc = TSS_Socket_SendBytes(tssContext->sock_fd, (uint8_t *)&lengthNbo, sizeof(uint32_t));
+ }
+ /* all packet formats (types) send the TPM command packet */
+ if (rc == 0) {
+ rc = TSS_Socket_SendBytes(tssContext->sock_fd, buffer, length);
+ }
+ return rc;
+}
+
+/* TSS_Socket_SendPlatform() transmits MS simulator platform administrative commands. This function
+ should only be called if the TPM supports administrative commands.
+
+ Returns an error if the socket send fails.
+
+*/
+
+static uint32_t TSS_Socket_SendPlatform(TSS_SOCKET_FD sock_fd, uint32_t command, const char *message)
+{
+ uint32_t rc = 0;
+
+ if (message != NULL) {
+ if (tssVverbose) printf("TSS_Socket_SendPlatform: %s\n", message);
+ }
+ if (tssVverbose) printf("TSS_Socket_SendPlatform: Command %08x\n", command);
+ /* MS simulator platform commands */
+ if (rc == 0) {
+ uint32_t commandNbo = htonl(command); /* command is network byte order */
+ rc = TSS_Socket_SendBytes(sock_fd, (uint8_t *)&commandNbo , sizeof(uint32_t));
+ }
+ return rc;
+}
+
+/* TSS_Socket_SendBytes() is the low level sent function that transmits the buffer over the socket.
+
+ It handles partial writes by looping.
+
+ */
+
+static uint32_t TSS_Socket_SendBytes(TSS_SOCKET_FD sock_fd, const uint8_t *buffer, size_t length)
+{
+ int nwritten = 0;
+ size_t nleft = 0;
+ unsigned int offset = 0;
+
+ nleft = length;
+ while (nleft > 0) {
+#ifdef TPM_POSIX
+ nwritten = write(sock_fd, &buffer[offset], nleft);
+ if (nwritten < 0) { /* error */
+ if (tssVerbose) printf("TSS_Socket_SendBytes: write error %d\n", (int)nwritten);
+ return TSS_RC_BAD_CONNECTION;
+ }
+#endif
+#ifdef TPM_WINDOWS
+ /* cast for winsock. Unix uses void * */
+ nwritten = send(sock_fd, (char *)(&buffer[offset]), nleft, 0);
+ if (nwritten == SOCKET_ERROR) { /* error */
+ if (tssVerbose) printf("TSS_Socket_SendBytes: write error %d\n", (int)nwritten);
+ return TSS_RC_BAD_CONNECTION;
+ }
+#endif
+ nleft -= nwritten;
+ offset += nwritten;
+ }
+ return 0;
+}
+
+/* TSS_Socket_ReceiveResponse() reads a TPM response packet from the socket. 'buffer' must be at
+ least MAX_RESPONSE_SIZE bytes. The bytes read are returned in 'length'.
+
+ The MS simulator packet is of the form:
+
+ length
+ TPM response packet (this is the raw packet format)
+ acknowledgement uint32_t zero
+
+ If the receive succeeds, returns TPM packet error code.
+
+ Validates that the packet length and the packet responseSize match
+*/
+
+static uint32_t TSS_Socket_ReceiveResponse(TSS_CONTEXT *tssContext,
+ uint8_t *buffer, uint32_t *length)
+{
+ uint32_t rc = 0;
+ uint32_t responseSize = 0;
+ uint32_t responseLength = 0;
+ uint8_t *bufferPtr = buffer; /* the moving buffer */
+ TPM_RC responseCode;
+ uint32_t size; /* dummy for unmarshal call */
+ int mssim; /* boolean, true for MS simulator packet format, false for raw
+ packet format */
+ int rawsingle;
+ TPM_RC acknowledgement; /* MS sim acknowledgement */
+
+ /* get the server packet type, MS sim or raw */
+ if (rc == 0) {
+ rc = TSS_Socket_GetServerType(tssContext, &mssim, &rawsingle);
+ }
+ /* read the length prepended by the simulator */
+ if ((rc == 0) && mssim) {
+ rc = TSS_Socket_ReceiveBytes(tssContext->sock_fd,
+ (uint8_t *)&responseLength, sizeof(uint32_t));
+ responseLength = ntohl(responseLength);
+ }
+ /* read the tag and responseSize */
+ if (rc == 0) {
+ rc = TSS_Socket_ReceiveBytes(tssContext->sock_fd,
+ bufferPtr, sizeof(TPM_ST) + sizeof(uint32_t));
+ }
+ /* extract the responseSize */
+ if (rc == 0) {
+ /* skip over tag to responseSize */
+ bufferPtr += sizeof(TPM_ST);
+
+ size = sizeof(uint32_t); /* dummy for call */
+ rc = TSS_UINT32_Unmarshalu(&responseSize, &bufferPtr, &size);
+ *length = responseSize; /* returned length */
+
+ /* check the response size, see TSS_CONTEXT structure */
+ if (responseSize > MAX_RESPONSE_SIZE) {
+ if (tssVerbose)
+ printf("TSS_Socket_ReceiveResponse: ERROR: responseSize %u greater than %u\n",
+ responseSize, MAX_RESPONSE_SIZE);
+ rc = TSS_RC_BAD_CONNECTION;
+ }
+ /* check that MS sim prepended length is the same as the response TPM packet
+ length parameter */
+ if (mssim && (responseSize != responseLength)) {
+ if (tssVerbose) printf("TSS_Socket_ReceiveResponse: "
+ "ERROR: responseSize %u not equal to responseLength %u\n",
+ responseSize, responseLength);
+ rc = TSS_RC_BAD_CONNECTION;
+ }
+ }
+ /* read the rest of the packet */
+ if (rc == 0) {
+ rc = TSS_Socket_ReceiveBytes(tssContext->sock_fd,
+ bufferPtr,
+ responseSize - (sizeof(TPM_ST) + sizeof(uint32_t)));
+ }
+ if ((rc == 0) && tssVverbose) {
+ TSS_PrintAll("TSS_Socket_ReceiveResponse",
+ buffer, responseSize);
+ }
+ /* read the MS sim acknowledgement */
+ if ((rc == 0) && mssim) {
+ rc = TSS_Socket_ReceiveBytes(tssContext->sock_fd,
+ (uint8_t *)&acknowledgement, sizeof(uint32_t));
+ }
+ /* extract the TPM return code from the packet */
+ if (rc == 0) {
+ /* skip to responseCode */
+ bufferPtr = buffer + sizeof(TPM_ST) + sizeof(uint32_t);
+ size = sizeof(TPM_RC); /* dummy for call */
+ rc = TSS_UINT32_Unmarshalu(&responseCode, &bufferPtr, &size);
+ }
+ /* if there is no other (receive or unmarshal) error, return the TPM response code */
+ if (rc == 0) {
+ rc = responseCode;
+ }
+ /* if there is no other (TPM response) error, return the MS simulator packet acknowledgement */
+ if ((rc == 0) && mssim) {
+ rc = ntohl(acknowledgement); /* should always be zero */
+ }
+ return rc;
+}
+
+/* TSS_Socket_ReceivePlatform reads MS simulator platform administrative responses. This function
+ should only be called if the TPM supports administrative commands.
+
+ The acknowledgement is a uint32_t zero.
+
+*/
+
+static uint32_t TSS_Socket_ReceivePlatform(TSS_SOCKET_FD sock_fd)
+{
+ uint32_t rc = 0;
+ TPM_RC acknowledgement;
+
+ /* read the MS sim acknowledgement */
+ if (rc == 0) {
+ rc = TSS_Socket_ReceiveBytes(sock_fd, (uint8_t *)&acknowledgement, sizeof(uint32_t));
+ }
+ /* if there is no other error, return the MS simulator packet acknowledgement */
+ if (rc == 0) {
+ rc = ntohl(acknowledgement); /* should always be zero */
+ }
+ return rc;
+}
+
+/* TSS_Socket_ReceiveBytes() is the low level receive function that reads the buffer over the
+ socket. 'buffer' must be atleast 'nbytes'.
+
+ It handles partial reads by looping.
+
+*/
+
+static uint32_t TSS_Socket_ReceiveBytes(TSS_SOCKET_FD sock_fd,
+ uint8_t *buffer,
+ uint32_t nbytes)
+{
+ int nread = 0;
+ int nleft = 0;
+
+ nleft = nbytes;
+ while (nleft > 0) {
+#ifdef TPM_POSIX
+ nread = read(sock_fd, buffer, nleft);
+ if (nread < 0) { /* error */
+ if (tssVerbose) printf("TSS_Socket_ReceiveBytes: read error %d\n", nread);
+ return TSS_RC_BAD_CONNECTION;
+ }
+#endif
+#ifdef TPM_WINDOWS
+ /* cast for winsock. Unix uses void * */
+ nread = recv(sock_fd, (char *)buffer, nleft, 0);
+ if (nread == SOCKET_ERROR) { /* error */
+ if (tssVerbose) printf("TSS_Socket_ReceiveBytes: read error %d\n", nread);
+ return TSS_RC_BAD_CONNECTION;
+ }
+#endif
+ else if (nread == 0) { /* EOF */
+ if (tssVerbose) printf("TSS_Socket_ReceiveBytes: read EOF\n");
+ return TSS_RC_BAD_CONNECTION;
+ }
+ nleft -= nread;
+ buffer += nread;
+ }
+ return 0;
+}
+
+/* TSS_Socket_Close() closes the socket.
+
+ It sends the TPM_SESSION_END required by the MS simulator.
+
+*/
+
+TPM_RC TSS_Socket_Close(TSS_CONTEXT *tssContext)
+{
+ uint32_t rc = 0;
+ int mssim; /* boolean, true for MS simulator packet format, false for raw packet
+ format */
+ int rawsingle = TRUE; /* boolean, true for raw format with an open and close per
+ command. Initialized to suppress false gcc -O3
+ warning. */
+
+ if (tssVverbose) printf("TSS_Socket_Close: Closing %s-%s\n",
+ tssContext->tssServerName, tssContext->tssServerType);
+ /* get the server packet type, MS sim or raw */
+ if (rc == 0) {
+ rc = TSS_Socket_GetServerType(tssContext, &mssim, &rawsingle);
+ }
+ /* the MS simulator expects a TPM_SESSION_END command before close */
+ if ((rc == 0) && mssim) {
+ uint32_t commandType = htonl(TPM_SESSION_END);
+ rc = TSS_Socket_SendBytes(tssContext->sock_fd, (uint8_t *)&commandType, sizeof(uint32_t));
+ }
+#ifdef TPM_POSIX
+ /* always attempt a close, even though rawsingle should already have closed the socket */
+ if (close(tssContext->sock_fd) != 0) {
+ if (!rawsingle) {
+ if (tssVerbose) printf("TSS_Socket_Close: close error\n");
+ rc = TSS_RC_BAD_CONNECTION;
+ }
+ }
+#endif
+#ifdef TPM_WINDOWS
+ /* gracefully shut down the socket */
+ /* always attempt a close, even though rawsingle should already have closed the socket */
+ {
+ int irc;
+ irc = shutdown(tssContext->sock_fd, SD_SEND);
+ if (!rawsingle) {
+ if (irc == SOCKET_ERROR) { /* error */
+ if (tssVerbose) printf("TSS_Socket_Close: shutdown error\n");
+ rc = TSS_RC_BAD_CONNECTION;
+ }
+ }
+ }
+ closesocket(tssContext->sock_fd);
+ WSACleanup();
+#endif
+ return rc;
+}
+#endif /* TPM_NOSOCKET */
+
+#ifdef TPM_WINDOWS
+
+/* The Windows equivalent to strerror(). It also traces the error message.
+ */
+
+static void TSS_Socket_PrintError(int err)
+{
+ DWORD rc;
+ char *buffer = NULL;
+ /* mingw seems to output UTF-8 for FormatMessage(). For Visual Studio, FormatMessage() outputs
+ UTF-16, which would require wprintf(). FormatMessageA() outputs UTF-8, permitting printf()
+ for both compilers. */
+ rc = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
+ NULL, /* formatting */
+ err,
+ 0, /* language */
+ (LPSTR)&buffer,
+ 0,
+ NULL);
+ if (rc != 0) {
+ printf("%s\n", buffer);
+ }
+ LocalFree(buffer);
+ return;
+}
+#endif
+
+
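Review bot: TSS_Socket_ReceiveResponse bounds the wire-supplied responseSize only from above (`responseSize > MAX_RESPONSE_SIZE`), so a peer can send a size field smaller than the 10-byte tag/size/code prefix; the follow-up read of `responseSize - (sizeof(TPM_ST) + sizeof(uint32_t))` bytes then either wraps or reads fewer than four bytes past the header, and the response code is afterwards unmarshaled from bytes of `buffer` that were never filled. The wrap goes unnoticed because TSS_Socket_ReceiveBytes copies its `uint32_t nbytes` into `int nleft`, so a huge count becomes negative and the loop returns success without reading anything. Add a lower bound next to the existing check, `if (responseSize < sizeof(TPM_ST) + sizeof(uint32_t) + sizeof(TPM_RC)) { rc = TSS_RC_BAD_CONNECTION; }`, and declare `nleft` as `uint32_t` rather than `int`. Separately, TSS_Socket_Open copies `host->h_length` bytes into the 4-byte `sin_addr` without checking `host->h_addrtype == AF_INET && host->h_length == sizeof(serv_addr.sin_addr)`, and both connect() failure paths return without closing the `sock_fd` that was just created.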
diff --git a/libstb/tss2/ibmtpm20tss/utils/tsssocket.h b/libstb/tss2/ibmtpm20tss/utils/tsssocket.h
new file mode 100644
index 0000000..2a5a0c8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tsssocket.h
@@ -0,0 +1,67 @@
+/********************************************************************************/
+/* */
+/* Socket Transmit and Receive Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tsssocket.h 1257 2018-06-27 20:52:08Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifndef TSSSOCKET_H
+#define TSSSOCKET_H
+
+/* This is not a public header. It should not be used by applications. */
+
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+ TPM_RC TSS_Socket_TransmitPlatform(TSS_CONTEXT *tssContext,
+ uint32_t command, const char *message);
+ TPM_RC TSS_Socket_TransmitCommand(TSS_CONTEXT *tssContext,
+ uint32_t command, const char *message);
+ TPM_RC TSS_Socket_Transmit(TSS_CONTEXT *tssContext,
+ uint8_t *responseBuffer, uint32_t *read,
+ const uint8_t *commandBuffer, uint32_t written,
+ const char *message);
+ TPM_RC TSS_Socket_Close(TSS_CONTEXT *tssContext);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
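Review bot: The prototypes in this header carry no contract for the buffers they take, although tsssocket.c states one: TSS_Socket_Transmit's `responseBuffer` must hold at least MAX_RESPONSE_SIZE bytes and `*read` receives the length taken from the response packet's own size field. Since this is the only place a caller sees the signature, add above TSS_Socket_Transmit: `/* responseBuffer must be at least MAX_RESPONSE_SIZE bytes; *read receives the response length, written is the command length in bytes */`. As a point of style, the out-parameter named `read` shadows POSIX read() in translation units that include <unistd.h>, as tsssocket.c does under TPM_POSIX; a name such as `responseLength` would avoid the -Wshadow warning.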
diff --git a/libstb/tss2/ibmtpm20tss/utils/tsstbsi.c b/libstb/tss2/ibmtpm20tss/utils/tsstbsi.c
new file mode 100644
index 0000000..869c508
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tsstbsi.c
@@ -0,0 +1,295 @@
+/********************************************************************************/
+/* */
+/* Windows 10 Device Transmit and Receive Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#ifdef TPM_WINDOWS_TBSI
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <limits.h>
+
+#include <winsock2.h>
+#include <windows.h>
+#include <winerror.h>
+#include <specstrings.h>
+#include <tbs.h>
+
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssprint.h>
+#include <ibmtss/tsserror.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include "tssproperties.h"
+
+/* local prototypes */
+
+static uint32_t TSS_Tbsi_Open(TBS_CONTEXT_PARAMS2 *contextParams,
+ TBS_HCONTEXT *hContext);
+static uint32_t TSS_Tbsi_SubmitCommand(TBS_HCONTEXT hContext,
+ uint8_t *responseBuffer, uint32_t *read,
+ const uint8_t *commandBuffer, uint32_t written,
+ const char *message);
+static void TSS_Tbsi_GetTBSError(const char *prefix,
+ TBS_RESULT rc);
+
+
+/* global configuration */
+
+extern int tssVverbose;
+extern int tssVerbose;
+
+/* TSS_Dev_Transmit() transmits the command and receives the response. 'responseBuffer' must be at
+ least MAX_RESPONSE_SIZE bytes.
+
+ Can return device transmit and receive packet errors, but normally returns the TPM response code.
+*/
+
+TPM_RC TSS_Dev_Transmit(TSS_CONTEXT *tssContext,
+ uint8_t *responseBuffer, uint32_t *read,
+ const uint8_t *commandBuffer, uint32_t written,
+ const char *message)
+{
+ TPM_RC rc = 0;
+ TBS_CONTEXT_PARAMS2 contextParams;
+
+ if (rc == 0) {
+ contextParams.version = TBS_CONTEXT_VERSION_TWO;
+ if (!tssContext->tpm12Command) { /* TPM 2.0 command */
+ contextParams.includeTpm12 = 0;
+ contextParams.includeTpm20 = 1;
+ }
+ else { /* TPM 1.2 command */
+ contextParams.includeTpm12 = 1;
+ contextParams.includeTpm20 = 0;
+ }
+ }
+ *read = MAX_RESPONSE_SIZE;
+ /* open on first transmit */
+ if (tssContext->tssFirstTransmit) {
+ if (rc == 0) {
+ rc = TSS_Tbsi_Open(&contextParams, &tssContext->hContext);
+ }
+ if (rc == 0) {
+ tssContext->tssFirstTransmit = FALSE;
+ }
+ }
+ /* send the command to the device. Error if the device send fails. */
+ if (rc == 0) {
+ rc = TSS_Tbsi_SubmitCommand(tssContext->hContext,
+ responseBuffer, read,
+ commandBuffer, written,
+ message);
+ }
+ return rc;
+}
+
+/* TSS_Tbsi_Open() opens the TPM device */
+
+static uint32_t TSS_Tbsi_Open(TBS_CONTEXT_PARAMS2 *contextParams,
+ TBS_HCONTEXT *hContext)
+{
+ uint32_t rc = 0;
+
+ if (rc == 0) {
+ /* cast is safe because caller sets the version member for the subclass */
+ rc = Tbsi_Context_Create((TBS_CONTEXT_PARAMS *)contextParams, hContext);
+ if (tssVverbose) printf("TSS_Tbsi_Open: Tbsi_Context_Create rc %08x\n", rc);
+ if (rc != 0) {
+ if (tssVerbose) TSS_Tbsi_GetTBSError("TSS_Tbsi_Open: Error Tbsi_Context_Create ", rc);
+ rc = TSS_RC_NO_CONNECTION;
+ }
+ }
+ return rc;
+}
+
+/* TSS_Tbsi_Submit_Command sends the command to the TPM and receives the response.
+
+ If the submit succeeds, returns TPM packet error code.
+*/
+
+static uint32_t TSS_Tbsi_SubmitCommand(TBS_HCONTEXT hContext,
+ uint8_t *responseBuffer, uint32_t *read,
+ const uint8_t *commandBuffer, uint32_t written,
+ const char *message)
+{
+ uint32_t rc = 0;
+ TPM_RC responseCode;
+
+ if (message != NULL) {
+ if (tssVverbose) printf("TSS_Tbsi_SubmitCommand: %s\n", message);
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Tbsi_SubmitCommand: Command",
+ commandBuffer, written);
+ }
+ if (rc == 0) {
+ rc = Tbsip_Submit_Command(hContext,
+ TBS_COMMAND_LOCALITY_ZERO,
+ TBS_COMMAND_PRIORITY_NORMAL,
+ commandBuffer,
+ written,
+ responseBuffer,
+ read);
+ if (rc != 0) {
+ TSS_Tbsi_GetTBSError("Tbsip_Submit_Command", rc);
+ rc = TSS_RC_BAD_CONNECTION;
+
+ }
+ }
+ if (rc == 0) {
+ if (tssVverbose) TSS_PrintAll("TSS_Tbsi_SubmitCommand: Response",
+ responseBuffer, *read);
+ }
+ /* read the TPM return code from the packet */
+ if (rc == 0) {
+ uint8_t *bufferPtr;
+ uint32_t size;
+
+ bufferPtr = responseBuffer + sizeof(TPM_ST) + sizeof(uint32_t); /* skip to responseCode */
+ size = sizeof(TPM_RC); /* dummy for call */
+ rc = TSS_UINT32_Unmarshalu(&responseCode, &bufferPtr, &size);
+ }
+ if (rc == 0) {
+ rc = responseCode;
+ }
+ return rc;
+}
+
+TPM_RC TSS_Dev_Close(TSS_CONTEXT *tssContext)
+{
+ TPM_RC rc = 0;
+ if (tssVverbose) printf("TSS_Dev_Close: Closing connection\n");
+ rc = Tbsip_Context_Close(tssContext->hContext);
+ return rc;
+}
+
+static void TSS_Tbsi_GetTBSError(const char *prefix,
+ TBS_RESULT rc)
+{
+ const char *error_string;
+
+ switch (rc) {
+
+ /* error codes from the TBS html docs */
+ case TBS_SUCCESS:
+ error_string = "The function succeeded.";
+ break;
+ case TBS_E_INTERNAL_ERROR:
+ error_string = "An internal software error occurred.";
+ break;
+ case TBS_E_BAD_PARAMETER:
+ error_string = "One or more parameter values are not valid.";
+ break;
+ case TBS_E_INVALID_OUTPUT_POINTER:
+ error_string = "A specified output pointer is bad.";
+ break;
+ case TBS_E_INVALID_CONTEXT:
+ error_string = "The specified context handle does not refer to a valid context.";
+ break;
+ case TBS_E_INSUFFICIENT_BUFFER:
+ error_string = "The specified output buffer is too small.";
+ break;
+ case TBS_E_IOERROR:
+ error_string = "An error occurred while communicating with the TPM.";
+ break;
+ case TBS_E_INVALID_CONTEXT_PARAM:
+ error_string = "A context parameter that is not valid was passed when attempting to create a "
+ "TBS context.";
+ break;
+ case TBS_E_SERVICE_NOT_RUNNING:
+ error_string = "The TBS service is not running and could not be started.";
+ break;
+ case TBS_E_TOO_MANY_TBS_CONTEXTS:
+ error_string = "A new context could not be created because there are too many open contexts.";
+ break;
+ case TBS_E_TOO_MANY_RESOURCES:
+ error_string = "A new virtual resource could not be created because there are too many open "
+ "virtual resources.";
+ break;
+ case TBS_E_SERVICE_START_PENDING:
+ error_string = "The TBS service has been started but is not yet running.";
+ break;
+ case TBS_E_PPI_NOT_SUPPORTED:
+ error_string = "The physical presence interface is not supported.";
+ break;
+ case TBS_E_COMMAND_CANCELED:
+ error_string = "The command was canceled.";
+ break;
+ case TBS_E_BUFFER_TOO_LARGE:
+ error_string = "The input or output buffer is too large.";
+ break;
+ case TBS_E_TPM_NOT_FOUND:
+ error_string = "A compatible Trusted Platform Module (TPM) Security Device cannot be found "
+ "on this computer.";
+ break;
+ case TBS_E_SERVICE_DISABLED:
+ error_string = "The TBS service has been disabled.";
+ break;
+ case TBS_E_NO_EVENT_LOG:
+ error_string = "The TBS event log is not available.";
+ break;
+ case TBS_E_ACCESS_DENIED:
+ error_string = "The caller does not have the appropriate rights to perform the requested operation.";
+ break;
+ case TBS_E_PROVISIONING_NOT_ALLOWED:
+ error_string = "The TPM provisioning action is not allowed by the specified flags.";
+ break;
+ case TBS_E_PPI_FUNCTION_UNSUPPORTED:
+ error_string = "The Physical Presence Interface of this firmware does not support the "
+ "requested method.";
+ break;
+ case TBS_E_OWNERAUTH_NOT_FOUND:
+ error_string = "The requested TPM OwnerAuth value was not found.";
+ break;
+
+ /* a few error codes from WinError.h */
+ case TPM_E_COMMAND_BLOCKED:
+ error_string = "The command was blocked.";
+ break;
+
+ default:
+ error_string = "unknown error type\n";
+ break;
+
+ }
+ printf("%s %s\n", prefix, error_string);
+ return;
+}
+
+#endif /* TPM_WINDOWS_TBSI */
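Review bot: TSS_Tbsi_SubmitCommand reads the TPM response code at offset `sizeof(TPM_ST) + sizeof(uint32_t)` without first checking that the TBS layer actually returned that many bytes, so a short or empty response makes the unmarshal consume whatever the response buffer held before the call and report it as the TPM rc. Before the `TSS_UINT32_Unmarshalu` call I would add `if (*read < sizeof(TPM_ST) + sizeof(uint32_t) + sizeof(TPM_RC)) rc = TSS_RC_BAD_CONNECTION;` (or the malformed-response code tsserror.h provides, if there is one) and, as a defensive extra, initialise `responseCode` to 0 at its declaration so nothing stale can leak through. Two smaller style points in the same file: the TBS error printout on failure of `Tbsip_Submit_Command` is not gated on `tssVerbose` as it is in TSS_Tbsi_Open, and the `default` string in TSS_Tbsi_GetTBSError ends in `\n` while the `printf` below the switch appends another, giving a blank line for unknown codes.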
diff --git a/libstb/tss2/ibmtpm20tss/utils/tsstransmit.c b/libstb/tss2/ibmtpm20tss/utils/tsstransmit.c
new file mode 100644
index 0000000..36ef7ad
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tsstransmit.c
@@ -0,0 +1,184 @@
+/********************************************************************************/
+/* */
+/* Transmit and Receive Utility */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2020. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This file contains the interface that is not platform or interface specific
+ */
+
+#include <string.h>
+#include <stdio.h>
+
+#include "tssproperties.h"
+#ifndef TPM_NOSOCKET
+#include "tsssocket.h"
+#endif
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+
+#include "tssdev.h"
+#include <ibmtss/tsstransmit.h>
+
+extern int tssVverbose;
+extern int tssVerbose;
+
+/* local prototypes */
+
+/* TSS_TransmitPlatform() transmits an administrative out of band command to the TPM through the
+ platform port.
+
+ Supported by the simulator, not the TPM device.
+*/
+
+TPM_RC TSS_TransmitPlatform(TSS_CONTEXT *tssContext, uint32_t command, const char *message)
+{
+ TPM_RC rc = 0;
+
+#ifndef TPM_NOSOCKET
+ if ((strcmp(tssContext->tssInterfaceType, "socsim") == 0)) {
+ rc = TSS_Socket_TransmitPlatform(tssContext, command, message);
+ }
+ else
+#else
+ command = command;
+ message = message;
+#endif
+ if ((strcmp(tssContext->tssInterfaceType, "dev") == 0)) {
+ if (tssVerbose) printf("TSS_TransmitPlatform: device %s unsupported\n",
+ tssContext->tssInterfaceType);
+ rc = TSS_RC_INSUPPORTED_INTERFACE;
+ }
+ else {
+ if (tssVerbose) printf("TSS_TransmitPlatform: device %s unsupported\n",
+ tssContext->tssInterfaceType);
+ rc = TSS_RC_INSUPPORTED_INTERFACE;
+ }
+ return rc;
+}
+
+/* TSS_TransmitCommand() transmits an administrative in band command to the TPM through the
+ command port.
+
+ Supported by the simulator, not the TPM device.
+*/
+
+TPM_RC TSS_TransmitCommand(TSS_CONTEXT *tssContext, uint32_t command, const char *message)
+{
+ TPM_RC rc = 0;
+
+#ifndef TPM_NOSOCKET
+ if ((strcmp(tssContext->tssInterfaceType, "socsim") == 0)) {
+ rc = TSS_Socket_TransmitCommand(tssContext, command, message);
+ }
+ else
+#else
+ command = command;
+ message = message;
+#endif
+ if ((strcmp(tssContext->tssInterfaceType, "dev") == 0)) {
+ if (tssVerbose) printf("TSS_TransmitCommand: device %s unsupported\n",
+ tssContext->tssInterfaceType);
+ rc = TSS_RC_INSUPPORTED_INTERFACE;
+ }
+ else {
+ if (tssVerbose) printf("TSS_TransmitCommand: device %s unsupported\n",
+ tssContext->tssInterfaceType);
+ rc = TSS_RC_INSUPPORTED_INTERFACE;
+ }
+ return rc;
+}
+
+/* TSS_Transmit() transmits a TPM command packet and receives a response using the command port.
+ The command type is hard coded to TPM_SEND_COMMAND.
+
+*/
+
+TPM_RC TSS_Transmit(TSS_CONTEXT *tssContext,
+ uint8_t *responseBuffer, uint32_t *read,
+ const uint8_t *commandBuffer, uint32_t written,
+ const char *message)
+{
+ TPM_RC rc = 0;
+
+#ifndef TPM_NOSOCKET
+ if ((strcmp(tssContext->tssInterfaceType, "socsim") == 0)) {
+ rc = TSS_Socket_Transmit(tssContext,
+ responseBuffer, read,
+ commandBuffer, written,
+ message);
+ }
+ else
+#endif
+ if (strcmp(tssContext->tssInterfaceType, "dev") == 0) {
+ rc = TSS_Dev_Transmit(tssContext,
+ responseBuffer, read,
+ commandBuffer, written,
+ message);
+ }
+ else {
+ if (tssVerbose) printf("TSS_Transmit: device %s unsupported\n",
+ tssContext->tssInterfaceType);
+ rc = TSS_RC_INSUPPORTED_INTERFACE;
+ }
+ return rc;
+}
+
+/* TSS_Close() closes the connection to the TPM */
+
+TPM_RC TSS_Close(TSS_CONTEXT *tssContext)
+{
+ TPM_RC rc = 0;
+
+ /* only close if there was an open */
+ if (!tssContext->tssFirstTransmit) {
+#ifndef TPM_NOSOCKET
+ if ((strcmp(tssContext->tssInterfaceType, "socsim") == 0)) {
+ rc = TSS_Socket_Close(tssContext);
+ }
+ else
+#endif
+ if (strcmp(tssContext->tssInterfaceType, "dev") == 0) {
+ rc = TSS_Dev_Close(tssContext);
+ }
+ else {
+ if (tssVerbose) printf("TSS_Transmit: device %s unsupported\n",
+ tssContext->tssInterfaceType);
+ rc = TSS_RC_INSUPPORTED_INTERFACE;
+ }
+ tssContext->tssFirstTransmit = TRUE;
+ }
+ return rc;
+}
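Review bot: The unsupported-interface message in TSS_Close is mislabelled: the `printf` in its final `else` branch says `TSS_Transmit: device %s unsupported` although it is printed from TSS_Close, which sends whoever reads the trace to the wrong function; it should read `"TSS_Close: device %s unsupported\n"`. In TSS_TransmitPlatform and TSS_TransmitCommand the `"dev"` branch and the trailing `else` are byte-for-byte identical (both print the unsupported message and set `TSS_RC_INSUPPORTED_INTERFACE`), so the `"dev"` comparison can be dropped, since the comment above each function already documents that only the simulator supports them. The `command = command;` / `message = message;` self-assignments used to silence unused-parameter warnings under TPM_NOSOCKET are clearer written as `(void)command; (void)message;`.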
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssutils.c b/libstb/tss2/ibmtpm20tss/utils/tssutils.c
new file mode 100644
index 0000000..29124c3
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssutils.c
@@ -0,0 +1,364 @@
+/********************************************************************************/
+/* */
+/* TSS and Application Utilities */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* $Id: tssutils.c 1294 2018-08-09 19:08:34Z kgoldman $ */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2018 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#ifdef TPM_POSIX
+#include <netinet/in.h>
+#endif
+#ifdef TPM_WINDOWS
+#include <winsock2.h>
+#endif
+
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tsserror.h>
+#include <ibmtss/tssprint.h>
+
+/* the TSS context must be larger when files are not used, since TSS object and NV state is held in
+ the volatile context. The major factor is the number of TSS_OBJECT_PUBLIC slots. See
+ tssproperties.c */
+#ifdef TPM_TSS_NOFILE
+#define TSS_ALLOC_MAX 0x12000 /* 73k bytes */
+#else
+#define TSS_ALLOC_MAX 0x10000 /* 64k bytes */
+#endif
+
+extern int tssVerbose;
+extern int tssVverbose;
+
+/* TSS_Malloc() is a general purpose wrapper around malloc()
+ */
+
+TPM_RC TSS_Malloc(unsigned char **buffer, uint32_t size)
+{
+ TPM_RC rc = 0;
+
+ /* assertion test. The coding style requires that all allocated pointers are initialized to
+ NULL. A non-NULL value indicates either a missing initialization or a pointer reuse (a
+ memory leak). */
+ if (rc == 0) {
+ if (*buffer != NULL) {
+ if (tssVerbose)
+ printf("TSS_Malloc: Error (fatal), *buffer %p should be NULL before malloc\n",
+ *buffer);
+ rc = TSS_RC_ALLOC_INPUT;
+ }
+ }
+ /* verify that the size is not "too large" */
+ if (rc == 0) {
+ if (size > TSS_ALLOC_MAX) {
+ if (tssVerbose) printf("TSS_Malloc: Error, size %u greater than maximum allowed\n",
+ size);
+ rc = TSS_RC_MALLOC_SIZE;
+ }
+ }
+ /* verify that the size is not 0, this would be implementation defined and should never occur */
+ if (rc == 0) {
+ if (size == 0) {
+ if (tssVerbose) printf("TSS_Malloc: Error (fatal), size is zero\n");
+ rc = TSS_RC_MALLOC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ *buffer = malloc(size);
+ if (*buffer == NULL) {
+ if (tssVerbose) printf("TSS_Malloc: Error allocating %u bytes\n", size);
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ return rc;
+}
+
+TPM_RC TSS_Realloc(unsigned char **buffer, uint32_t size)
+{
+ TPM_RC rc = 0;
+ unsigned char *tmpptr = NULL;
+
+ /* verify that the size is not "too large" */
+ if (rc == 0) {
+ if (size > TSS_ALLOC_MAX) {
+ if (tssVerbose) printf("TSS_Realloc: Error, size %u greater than maximum allowed\n",
+ size);
+ rc = TSS_RC_MALLOC_SIZE;
+ }
+ }
+ /* verify that the size is not 0, this should never occur */
+ if (rc == 0) {
+ if (size == 0) {
+ if (tssVerbose) printf("TSS_Malloc: Error (fatal), size is zero\n");
+ rc = TSS_RC_MALLOC_SIZE;
+ }
+ }
+ if (rc == 0) {
+ tmpptr = realloc(*buffer, size);
+ if (tmpptr == NULL) {
+ if (tssVerbose) printf("TSS_Realloc: Error reallocating %u bytes\n", size);
+ rc = TSS_RC_OUT_OF_MEMORY;
+ }
+ }
+ if (rc == 0) {
+ *buffer = tmpptr;
+ }
+ return rc;
+}
+
+
+/* TSS_Structure_Marshal() is a general purpose "marshal a structure" function.
+
+ It marshals the structure using "marshalFunction", and returns the malloc'ed stream.
+
+*/
+
+TPM_RC TSS_Structure_Marshal(uint8_t **buffer, /* freed by caller */
+ uint16_t *written,
+ void *structure,
+ MarshalFunction_t marshalFunction)
+{
+ TPM_RC rc = 0;
+ uint8_t *buffer1 = NULL; /* for marshaling, moves pointer */
+
+ /* marshal once to calculates the byte length */
+ if (rc == 0) {
+ *written = 0;
+ rc = marshalFunction(structure, written, NULL, NULL);
+ }
+ if (rc == 0) {
+ rc = TSS_Malloc(buffer, *written);
+ }
+ if (rc == 0) {
+ buffer1 = *buffer;
+ *written = 0;
+ rc = marshalFunction(structure, written, &buffer1, NULL);
+ }
+ return rc;
+}
+
+/* TSS_TPM2B_Copy() copies source to target if the source fits the target size */
+
+TPM_RC TSS_TPM2B_Copy(TPM2B *target, TPM2B *source, uint16_t targetSize)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (source->size > targetSize) {
+ if (tssVerbose) printf("TSS_TPM2B_Copy: size %u greater than target %u\n",
+ source->size, targetSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ memmove(target->buffer, source->buffer, source->size);
+ target->size = source->size;
+ }
+ return rc;
+}
+
+/* TSS_TPM2B_Append() appends the source TPM2B to the target TPM2B.
+
+ It checks that the source fits the target size. The target size is the total size, not the size
+ remaining.
+*/
+
+TPM_RC TSS_TPM2B_Append(TPM2B *target, TPM2B *source, uint16_t targetSize)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (target->size + source->size > targetSize) {
+ if (tssVerbose) printf("TSS_TPM2B_Append: size %u greater than target %u\n",
+ target->size + source->size, targetSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ memmove(target->buffer + target->size, source->buffer, source->size);
+ target->size += source->size;
+ }
+ return rc;
+}
+
+/* TSS_TPM2B_Create() copies the buffer of 'size' into target, checking targetSize */
+
+TPM_RC TSS_TPM2B_Create(TPM2B *target, uint8_t *buffer, uint16_t size, uint16_t targetSize)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (size > targetSize) {
+ if (tssVerbose) printf("TSS_TPM2B_Create: size %u greater than target %u\n",
+ size, targetSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ target->size = size;
+ if (size != 0) { /* because buffer can be NULL if size os 0 */
+ memmove(target->buffer, buffer, size);
+ }
+ }
+ return rc;
+}
+
+/* TSS_TPM2B_CreateUint32() creates a TPM2B from a uint32_t, typically a permanent handle */
+
+TPM_RC TSS_TPM2B_CreateUint32(TPM2B *target, uint32_t source, uint16_t targetSize)
+{
+ TPM_RC rc = 0;
+
+ if (rc == 0) {
+ if (sizeof(uint32_t) > targetSize) {
+ if (tssVerbose) printf("TSS_TPM2B_CreateUint32: size %u greater than target %u\n",
+ (unsigned int)sizeof(uint32_t), targetSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ uint32_t sourceNbo = htonl(source);
+ memmove(target->buffer, (uint8_t *)&sourceNbo, sizeof(uint32_t));
+ target->size = sizeof(uint32_t);
+ }
+ return rc;
+}
+
+/* TSS_TPM2B_StringCopy() copies a NUL terminated string (omitting the NUL) from source to target.
+
+ It checks that the string will fit in targetSize.
+
+ If source is NULL, creates a TPM2B of size 0.
+*/
+
+TPM_RC TSS_TPM2B_StringCopy(TPM2B *target, const char *source, uint16_t targetSize)
+{
+ TPM_RC rc = 0;
+ size_t length;
+ uint16_t length16;
+
+ if (source != NULL) {
+ if (rc == 0) {
+ length = strlen(source);
+ if (length > 0xffff) { /* overflow TPM2B uint16_t */
+ if (tssVerbose) printf("TSS_TPM2B_StringCopy: size %u greater than 0xffff\n",
+ (unsigned int)length);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ length16 = (uint16_t )length; /* cast safe after range test */
+ if (length16 > targetSize) {
+ if (tssVerbose) printf("TSS_TPM2B_StringCopy: size %u greater than target %u\n",
+ length16, targetSize);
+ rc = TSS_RC_INSUFFICIENT_BUFFER;
+ }
+ }
+ if (rc == 0) {
+ target->size = length16;
+ memcpy(target->buffer, source, length);
+ }
+ }
+ else {
+ target->size = 0;
+ }
+ return rc;
+}
+
+int TSS_TPM2B_Compare(TPM2B *expect, TPM2B *actual)
+{
+ int irc;
+ int match = YES;
+
+ if (match == YES) {
+ if (expect->size != actual->size) {
+ match = NO;
+ }
+ }
+ if (match == YES) {
+ irc = memcmp(expect->buffer, actual->buffer, expect->size);
+ if (irc != 0) {
+ match = NO;
+ }
+ }
+ return match;
+}
+
+/* TSS_GetDigestSize() returns the digest size in bytes based on the hash algorithm.
+
+ Returns 0 for an unknown algorithm.
+*/
+
+/* NOTE: Marked as const function in header */
+
+uint16_t TSS_GetDigestSize(TPM_ALG_ID hashAlg)
+{
+ uint16_t size;
+
+ switch (hashAlg) {
+#ifdef TPM_ALG_SHA1
+ case TPM_ALG_SHA1:
+ size = SHA1_DIGEST_SIZE;
+ break;
+#endif
+#ifdef TPM_ALG_SHA256
+ case TPM_ALG_SHA256:
+ size = SHA256_DIGEST_SIZE;
+ break;
+#endif
+#ifdef TPM_ALG_SHA384
+ case TPM_ALG_SHA384:
+ size = SHA384_DIGEST_SIZE;
+ break;
+#endif
+#ifdef TPM_ALG_SHA512
+ case TPM_ALG_SHA512:
+ size = SHA512_DIGEST_SIZE;
+ break;
+#endif
+#if 0
+ case TPM_ALG_SM3_256:
+ size = SM3_256_DIGEST_SIZE;
+ break;
+#endif
+ default:
+ size = 0;
+ }
+ return size;
+}
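Review bot: The zero-size check in TSS_Realloc prints `TSS_Malloc: Error (fatal), size is zero` although it sits in TSS_Realloc; the prefix should be `TSS_Realloc:` so the trace points at the right function. TSS_TPM2B_Compare uses `memcmp`, which stops at the first differing byte; if any caller compares authentication values such as response HMACs with it, that early exit is a timing side channel and a constant-time byte loop (OR-accumulating the XOR of each byte pair over `expect->size`) would be the safer choice — the callers are not in this hunk, so treat that as a point to confirm. The comment in TSS_TPM2B_Create reads `because buffer can be NULL if size os 0` and should say `is`.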
diff --git a/libstb/tss2/ibmtpm20tss/utils/tssutilsverbose.c b/libstb/tss2/ibmtpm20tss/utils/tssutilsverbose.c
new file mode 100644
index 0000000..e7d1a32
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/tssutilsverbose.c
@@ -0,0 +1,43 @@
+/********************************************************************************/
+/* */
+/* tssUtilsVerbose Definition */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/* This file is used for a minimal TSS that does not include the sample utilities code. */
+
+/* verbose tracing flag shared by command line utilities */
+
+int tssUtilsVerbose;
diff --git a/libstb/tss2/ibmtpm20tss/utils/unseal.c b/libstb/tss2/ibmtpm20tss/utils/unseal.c
new file mode 100644
index 0000000..661f8b8
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/unseal.c
@@ -0,0 +1,253 @@
+/********************************************************************************/
+/* */
+/* Unseal */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ Unseal_In in;
+ Unseal_Out out;
+ TPMI_DH_OBJECT itemHandle = 0;
+ const char *outDataFilename = NULL;
+ const char *password = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-ha") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &itemHandle);
+ }
+ else {
+ printf("Missing parameter for -ha\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwd") == 0) {
+ i++;
+ if (i < argc) {
+ password = argv[i];
+ }
+ else {
+ printf("-pwd option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-of") == 0) {
+ i++;
+ if (i < argc) {
+ outDataFilename = argv[i];
+ }
+ else {
+ printf("-of option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (itemHandle == 0) {
+ printf("Missing handle parameter -ha\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.itemHandle = itemHandle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_Unseal,
+ sessionHandle0, password, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (outDataFilename != NULL)) {
+ rc = TSS_File_WriteBinaryFile(out.outData.t.buffer,
+ out.outData.t.size,
+ outDataFilename);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_PrintAll("outData",
+ out.outData.t.buffer,
+ out.outData.t.size);
+ if (tssUtilsVerbose) printf("unseal: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("unseal: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("unseal\n");
+ printf("\n");
+ printf("Runs TPM2_Unseal\n");
+ printf("\n");
+ printf("\t-ha\tsealed data item handle\n");
+ printf("\t[-pwd\tpassword sealed data item (default empty)]\n");
+ printf("\t[-of\toutput data (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
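Review bot: Every handle and attribute option is parsed with `sscanf(argv[i], "%x", ...)` and the return value is discarded, so a non-hex argument such as `-se0 xyz 0` leaves the session handle at its default (`TPM_RS_PW`) and continues silently instead of reporting the bad input; only `-ha` is caught indirectly by the later `itemHandle == 0` test. Each call should check for exactly one conversion, e.g. `if (sscanf(argv[i], "%x", &sessionHandle0) != 1) { printf("Bad parameter for -se0\n"); printUsage(); }`, and the same applies to the `-se1`/`-se2` handles and all three attribute values. Separately, `-pwd` takes the authorization value on the command line, where it is visible in the process list and shell history; that is the existing convention of these utilities, but the usage text could say so. If TSS_Create fails, `TSS_Delete(tssContext)` is still called with a NULL context, which is fine only if TSS_Delete tolerates NULL — this hunk does not show that.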
diff --git a/libstb/tss2/ibmtpm20tss/utils/verifysignature.c b/libstb/tss2/ibmtpm20tss/utils/verifysignature.c
new file mode 100644
index 0000000..31551ab
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/verifysignature.c
@@ -0,0 +1,488 @@
+/********************************************************************************/
+/* */
+/* VerifySignature */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/Unmarshal_fp.h>
+#include <ibmtss/tsscryptoh.h>
+#include <ibmtss/tsscrypto.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/tssresponsecode.h>
+
+#include "cryptoutils.h"
+
+static void printUsage(void);
+TPM_RC rawUnmarshal(TPMT_SIGNATURE *target,
+ TPMI_ALG_PUBLIC algPublic,
+ TPMI_ALG_HASH halg,
+ uint8_t *buffer, size_t length);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ VerifySignature_In in;
+ VerifySignature_Out out;
+ TPMI_DH_OBJECT keyHandle = 0;
+ const char *pemFilename = NULL;
+ const char *hmacKeyFilename = NULL;
+ const char *signatureFilename = NULL;
+ TPMI_ALG_HASH halg = TPM_ALG_SHA256;
+ TPMI_ALG_PUBLIC algPublic = TPM_ALG_RSA;
+ const char *messageFilename = NULL;
+ int doHash = TRUE;
+ const char *ticketFilename = NULL;
+ int raw = FALSE; /* default TPMT_SIGNATURE */
+ unsigned char *data = NULL; /* message */
+ size_t dataLength;
+ uint8_t *buffer = NULL; /* for the free */
+ uint8_t *buffer1 = NULL; /* for marshaling */
+ size_t length = 0;
+ uint32_t sizeInBytes; /* hash algorithm mapped to size */
+ TPMT_HA digest; /* digest of the message */
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RH_NULL;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &keyHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ipem") == 0) {
+ i++;
+ if (i < argc) {
+ pemFilename = argv[i];
+ }
+ else {
+ printf("-ipem option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ihmac") == 0) {
+ i++;
+ if (i < argc) {
+ hmacKeyFilename = argv[i];
+ }
+ else {
+ printf("-ihmac option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-halg") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"sha1") == 0) {
+ halg = TPM_ALG_SHA1;
+ }
+ else if (strcmp(argv[i],"sha256") == 0) {
+ halg = TPM_ALG_SHA256;
+ }
+ else if (strcmp(argv[i],"sha384") == 0) {
+ halg = TPM_ALG_SHA384;
+ }
+ else if (strcmp(argv[i],"sha512") == 0) {
+ halg = TPM_ALG_SHA512;
+ }
+ else {
+ printf("Bad parameter %s for -halg\n", argv[i]);
+ printUsage();
+ }
+ }
+ else {
+ printf("-halg option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-rsa") == 0) {
+ algPublic = TPM_ALG_RSA;
+ }
+ else if (strcmp(argv[i], "-ecc") == 0) {
+ algPublic = TPM_ALG_ECC;
+ }
+ else if (strcmp(argv[i],"-if") == 0) {
+ i++;
+ if (i < argc) {
+ messageFilename = argv[i];
+ }
+ else {
+ printf("-if option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-ih") == 0) {
+ i++;
+ if (i < argc) {
+ messageFilename = argv[i];
+ doHash = FALSE;
+ }
+ else {
+ printf("-ih option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-is") == 0) {
+ i++;
+ if (i < argc) {
+ signatureFilename = argv[i];
+ }
+ else {
+ printf("-is option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-raw") == 0) {
+ raw = TRUE;
+ }
+ else if (strcmp(argv[i],"-tk") == 0) {
+ i++;
+ if (i < argc) {
+ ticketFilename = argv[i];
+ }
+ else {
+ printf("-tk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if ((keyHandle == 0) && (pemFilename == NULL) && (hmacKeyFilename == NULL)) {
+ printf("Missing handle parameter -hk, PEM file name -ipem, or HMAC key file name -ihmac\n");
+ printUsage();
+ }
+ if (messageFilename == NULL) {
+ printf("Missing message file name -if or hash file name -ih\n");
+ printUsage();
+ }
+ if (signatureFilename == NULL) {
+ printf("Missing signature parameter -is\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&data, /* freed @1 */
+ &dataLength,
+ messageFilename);
+ }
+ /* hash the file */
+ if (rc == 0) {
+ if (doHash) {
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("verifysignature: Hashing message file %s with halg %04x\n",
+ messageFilename, halg);
+ digest.hashAlg = halg;
+ sizeInBytes = TSS_GetDigestSize(digest.hashAlg);
+ rc = TSS_Hash_Generate(&digest,
+ dataLength, data,
+ 0, NULL);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("verifysignature: Copying hash\n");
+ /* digest to be verified */
+ in.digest.t.size = sizeInBytes;
+ memcpy(&in.digest.t.buffer, (uint8_t *)&digest.digest, sizeInBytes);
+ }
+ }
+ else {
+ if (tssUtilsVerbose) printf("verifysignature: Using hash input file %s\n", messageFilename);
+ in.digest.t.size = (uint16_t)dataLength;
+ memcpy(&in.digest.t.buffer, (uint8_t *)data, dataLength);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) TSS_PrintAll("verifysignature: hash",
+ (uint8_t *)&in.digest.t.buffer, in.digest.t.size);
+ }
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadBinaryFile(&buffer, /* freed @2 */
+ &length,
+ signatureFilename);
+ }
+ if (rc == 0) {
+ if (!raw) {
+ uint32_t ilength = length; /* values that can move during the unmarshal */
+ buffer1 = buffer;
+ /* input is TPMT_SIGNATURE */
+ rc = TSS_TPMT_SIGNATURE_Unmarshalu(&in.signature, &buffer1, &ilength, NO);
+ }
+ else {
+ /* input is raw bytes */
+ rc = rawUnmarshal(&in.signature, algPublic, halg, buffer, length);
+ }
+ }
+ if (keyHandle != 0) {
+ if (rc == 0) {
+ /* Handle of key that will perform verifying */
+ in.keyHandle = keyHandle;
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_VerifySignature,
+ sessionHandle0, NULL, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (ticketFilename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.validation,
+ (MarshalFunction_t)TSS_TPMT_TK_VERIFIED_Marshalu,
+ ticketFilename);
+ }
+ }
+ if (pemFilename != NULL) {
+ if (rc == 0) {
+ rc = verifySignatureFromPem((uint8_t *)&in.digest.t.buffer,
+ in.digest.t.size,
+ &in.signature,
+ halg,
+ pemFilename);
+ }
+ if (tssUtilsVerbose) printf("verifysignature: verifySignatureFromPem rc %08x\n", rc);
+ }
+ if (hmacKeyFilename != NULL) {
+ if (rc == 0) {
+ rc = verifySignatureFromHmacKey((uint8_t *)&in.digest.t.buffer,
+ in.digest.t.size,
+ &in.signature,
+ halg,
+ hmacKeyFilename);
+ }
+ if (tssUtilsVerbose) printf("verifysignature: verifySignatureFromHmacKey rc %08x\n", rc);
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("verifysignature: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("verifysignature: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ free(data); /* @1 */
+ free(buffer); /* @2 */
+ return rc;
+}
+
+/* rawUnmarshal() unmarshals a raw openssl signature 'buffer' into the TPMT_SIGNATURE structure.
+
+ It handles RSA and ECC P256.
+*/
+
+TPM_RC rawUnmarshal(TPMT_SIGNATURE *tSignature,
+ TPMI_ALG_PUBLIC algPublic,
+ TPMI_ALG_HASH halg,
+ uint8_t *signatureBin, size_t signatureBinLen)
+{
+ TPM_RC rc = 0;
+ switch (algPublic) {
+ case TPM_ALG_RSA:
+ rc = convertRsaBinToTSignature(tSignature,
+ halg,
+ signatureBin,
+ signatureBinLen);
+ break;
+#ifndef TPM_TSS_NOECC
+ case TPM_ALG_ECC:
+ /* TPM_ALG_ECC, the raw signature is DER encoded R and S elements */
+ rc = convertEcBinToTSignature(tSignature,
+ halg,
+ signatureBin,
+ signatureBinLen);
+ break;
+#endif /* TPM_TSS_NOECC */
+ default:
+ printf("rawUnmarshal: algorithm %04x not supported\n", algPublic);
+ rc = TPM_RC_ASYMMETRIC;
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("verifysignature\n");
+ printf("\n");
+ printf("Runs TPM2_VerifySignature and/or verifies using the PEM public key\n");
+ printf("\n");
+ printf("\t-if\tinput message file name\n");
+ printf("\t-ih\tinput hash file name\n");
+ printf("\n");
+ printf("\t\tOne of -if, -ih must be specified\n");
+ printf("\n");
+ printf("\t-is\tsignature file name\n");
+ printf("\t[-raw\tsignature specified by -is is in raw format]\n");
+ printf("\t\t(default TPMT_SIGNATURE)\n");
+ printf("\t-hk\tkey handle\n");
+ printf("\t-ipem\tpublic key PEM format file name to verify signature\n");
+ printf("\t-ihmac\tHMAC key in raw binary format file name to verify signature\n");
+ printf("\n");
+ printf("\t\tOne of -hk, -ipem, -ihmac must be specified\n");
+ printf("\n");
+ printf("\t[-tk\tticket file name (requires -hk)]\n");
+ printf("\n");
+ printf("\t[-halg\t(sha1, sha256, sha384 sha512) (default sha256)]\n");
+ printf("\n");
+ printf("\t[Asymmetric Key Algorithm]\n");
+ printf("\n");
+ printf("\t[-rsa\t(default)]\n");
+ printf("\t[-ecc\t]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default NULL)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t80\taudit\n");
+ exit(1);
+}
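Review bot: The `-ih` branch (the `else` around `in.digest.t.size = (uint16_t)dataLength;`) copies the whole hash file into `in.digest.t.buffer` without checking `dataLength` against `sizeof(in.digest.t.buffer)`, so an oversized input file overruns the stack-resident `VerifySignature_In` and the `uint16_t` cast silently truncates the recorded size. The `-if` branch is bounded because `sizeInBytes` comes from `TSS_GetDigestSize`, and the raw-signature path is bounded by the converter, so only the hash-file input is unchecked. Rejecting a file larger than the TPM2B_DIGEST buffer with a TSS error code, as below, closes it; the unchecked `sscanf(argv[i],"%x", ...)` handle parsing is shared with the neighbouring utilities and is a lesser point. `main` is complete within this hunk.
```c
	else {
	    if (tssUtilsVerbose) printf("verifysignature: Using hash input file %s\n", messageFilename);
	    /* the file is copied verbatim, so it must fit the TPM2B_DIGEST buffer */
	    if (dataLength > sizeof(in.digest.t.buffer)) {
		printf("verifysignature: hash file %s size %u exceeds %u\n",
		       messageFilename, (unsigned int)dataLength,
		       (unsigned int)sizeof(in.digest.t.buffer));
		rc = TSS_RC_INSUFFICIENT_BUFFER;
	    }
	    if (rc == 0) {
		in.digest.t.size = (uint16_t)dataLength;
		memcpy(&in.digest.t.buffer, (uint8_t *)data, dataLength);
	    }
	}
	/* … unchanged: TSS_PrintAll of the hash, signature file read … */
```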
diff --git a/libstb/tss2/ibmtpm20tss/utils/writeapp.c b/libstb/tss2/ibmtpm20tss/utils/writeapp.c
new file mode 100644
index 0000000..151a263
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/writeapp.c
@@ -0,0 +1,416 @@
+/********************************************************************************/
+/* */
+/* NV Write Application */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2015 - 2019. */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+ Demo application, and test of "no file TSS"
+
+ Create an EK for the salt
+
+ Start a session, salt with EK
+
+ Define an NV index, salted session
+
+ Flush the session
+
+ Start a session, salt with EK, bind to unwritten NV index
+
+ Write NV, changes the Name, bound, salt, encrypt session
+
+ Start a session, salt with EK, bind to written NV index
+
+ Write NV, bound, salt, encrypt session
+
+ Undefine NV index
+
+ Flush EK
+*/
+
+#define NVINDEX 0x01000000
+#define NVPWD "pwd"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssutils.h>
+#include "ekutils.h"
+#include "cryptoutils.h"
+
+static TPM_RC nvReadPublic(TSS_CONTEXT *tssContext);
+static TPM_RC startSession(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION *sessionHandle,
+ TPMI_DH_OBJECT tpmKey,
+ TPMI_DH_ENTITY bind);
+static TPM_RC flush(TSS_CONTEXT *tssContext,
+ TPMI_DH_CONTEXT flushHandle);
+static TPM_RC defineSpace(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+static TPM_RC nvWrite(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+static TPM_RC undefineSpace(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle);
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ TSS_CONTEXT *tssContext = NULL;
+ int pwSession = FALSE; /* default HMAC session */
+ TPM_HANDLE ekKeyHandle = TPM_RH_NULL; /* primary key handle */
+ TPMI_SH_AUTH_SESSION sessionHandle = TPM_RH_NULL;
+
+ int i; /* argc iterator */
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i],"-pwsess") == 0) {
+ pwSession = TRUE;
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+#ifdef TPM_TSS_NOCRYPTO
+ if (!pwSession) {
+ printf("\n-pwsess is required when compiled for no crypto\n");
+ printUsage();
+ }
+#endif
+ /* Start a TSS context */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Create a TSS context\n");
+ rc = TSS_Create(&tssContext);
+ }
+#ifndef TPM_TSS_NOCRYPTO
+ /* createprimary first for salt. processPrimary() also reads the EK certificate and validates
+ it against the primary key. It doesn't walk the certificate chain. */
+ if (rc == 0) {
+ if (!pwSession) {
+ if (tssUtilsVerbose) printf("INFO: Create a primary EK for the salt\n");
+ rc = processPrimary(tssContext,
+ &ekKeyHandle,
+ EK_CERT_RSA_INDEX, EK_NONCE_RSA_INDEX, EK_TEMPLATE_RSA_INDEX,
+ TRUE, tssUtilsVerbose); /* do not flush */
+ }
+ }
+#endif /* TPM_TSS_NOCRYPTO */
+ /* start a session, salt with EK, unbound */
+ if (rc == 0) {
+ if (!pwSession) {
+ if (tssUtilsVerbose) printf("INFO: Start a salt session\n");
+ rc = startSession(tssContext,
+ &sessionHandle,
+ ekKeyHandle, TPM_RH_NULL); /* salt, no bind */
+ }
+ else {
+ sessionHandle = TPM_RS_PW;
+ }
+ }
+ /* Probe to see if the index already exists. NOTE: A real application would test that the
+ NV metadata or Name was correct for the application. */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Read the NV index at %08x\n", NVINDEX);
+ rc = nvReadPublic(tssContext);
+ /* on failure, define the index */
+ if (rc != 0) {
+ if (tssUtilsVerbose) printf("INFO: Create the NV index at %08x\n", NVINDEX);
+ rc = defineSpace(tssContext, sessionHandle);
+ }
+ }
+ /* flush the salt session */
+ if (!pwSession) {
+ if (tssUtilsVerbose) printf("INFO: Flush the salt session\n");
+ flush(tssContext, sessionHandle);
+ }
+ /* start a session, salt with EK, bind with unwritten NV index */
+ if (rc == 0) {
+ if (!pwSession) {
+ if (tssUtilsVerbose) printf("INFO: Start a salt and bind session\n");
+ rc = startSession(tssContext,
+ &sessionHandle,
+ ekKeyHandle, NVINDEX); /* salt, bind */
+ }
+ else {
+ sessionHandle = TPM_RS_PW;
+ }
+ }
+ /* first write, changes the Name (flushes the session)*/
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Write the index and written bit\n");
+ rc = nvWrite(tssContext, sessionHandle);
+ }
+ /* start a session, salt, bind. The previous session can't be used (with no password) since the
+ first write changed the Name. Thus the session is no longer bound to the index. The write
+ could specify a password, but the point is to test bind. */
+ if (rc == 0) {
+ if (!pwSession) {
+ if (tssUtilsVerbose) printf("INFO: Start a salt and bind session\n");
+ rc = startSession(tssContext,
+ &sessionHandle,
+ ekKeyHandle, NVINDEX); /* salt, bind */
+ }
+ else {
+ sessionHandle = TPM_RS_PW;
+ }
+ }
+ /* second write, note that the Name change is tracked */
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("INFO: Write the index\n");
+ rc = nvWrite(tssContext, sessionHandle);
+ }
+ /* undefine NV index */
+ if (tssUtilsVerbose) printf("INFO: Undefine the index\n");
+ undefineSpace(tssContext, TPM_RS_PW);
+ /* flush the session */
+ if (!pwSession) {
+ if (tssUtilsVerbose) printf("INFO: Flush the session\n");
+ flush(tssContext, sessionHandle);
+ /* flush the primary key */
+ if (tssUtilsVerbose) printf("INFO: Flush the primary key\n");
+ flush(tssContext, ekKeyHandle);
+ }
+ {
+ TPM_RC rc1;
+ if (tssUtilsVerbose) printf("INFO: Delete the TSS context\n");
+ rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if (rc == 0) {
+ printf("writeapp: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("writeapp: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+static TPM_RC nvReadPublic(TSS_CONTEXT *tssContext)
+{
+ TPM_RC rc = 0;
+ NV_ReadPublic_In in;
+ NV_ReadPublic_Out out;
+
+ if (rc == 0) {
+ in.nvIndex = NVINDEX;
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_ReadPublic,
+ TPM_RH_NULL, NULL, 0);
+ }
+ return rc;
+}
+
+static TPM_RC startSession(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION *sessionHandle,
+ TPMI_DH_OBJECT tpmKey, /* salt key */
+ TPMI_DH_ENTITY bind) /* bind object */
+{
+ TPM_RC rc = 0;
+ StartAuthSession_In startAuthSessionIn;
+ StartAuthSession_Out startAuthSessionOut;
+ StartAuthSession_Extra startAuthSessionExtra;
+
+ /* Start an authorization session */
+ if (rc == 0) {
+ startAuthSessionIn.tpmKey = tpmKey; /* salt key */
+ startAuthSessionIn.bind = bind; /* bind object */
+ startAuthSessionExtra.bindPassword = NVPWD; /* bind password */
+ startAuthSessionIn.sessionType = TPM_SE_HMAC; /* HMAC session */
+ startAuthSessionIn.authHash = TPM_ALG_SHA256; /* HMAC SHA-256 */
+ startAuthSessionIn.symmetric.algorithm = TPM_ALG_AES; /* parameter encryption */
+ startAuthSessionIn.symmetric.keyBits.aes = 128;
+ startAuthSessionIn.symmetric.mode.aes = TPM_ALG_CFB;
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&startAuthSessionOut,
+ (COMMAND_PARAMETERS *)&startAuthSessionIn,
+ (EXTRA_PARAMETERS *)&startAuthSessionExtra,
+ TPM_CC_StartAuthSession,
+ TPM_RH_NULL, NULL, 0);
+ *sessionHandle = startAuthSessionOut.sessionHandle;
+ }
+ return rc;
+}
+
+static TPM_RC flush(TSS_CONTEXT *tssContext,
+ TPMI_DH_CONTEXT flushHandle)
+{
+ TPM_RC rc = 0;
+ FlushContext_In in;
+
+ if (rc == 0) {
+ in.flushHandle = flushHandle;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_FlushContext,
+ TPM_RH_NULL, NULL, 0);
+ }
+ return rc;
+}
+
+static TPM_RC defineSpace(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ NV_DefineSpace_In in;
+
+ if (rc == 0) {
+ rc = TSS_TPM2B_StringCopy(&in.auth.b,
+ NVPWD, sizeof(in.auth.t.buffer));
+ }
+ if (rc == 0) {
+ in.authHandle = TPM_RH_OWNER;
+ in.publicInfo.nvPublic.authPolicy.t.size = 0; /* default empty policy */
+ in.publicInfo.nvPublic.nvIndex = NVINDEX; /* the handle of the data area */
+ in.publicInfo.nvPublic.nameAlg = TPM_ALG_SHA256;/* hash algorithm used to compute the name */
+ in.publicInfo.nvPublic.attributes.val = TPMA_NVA_NO_DA |
+ TPMA_NVA_AUTHWRITE | TPMA_NVA_AUTHREAD |
+ TPMA_NVA_ORDINARY;
+ in.publicInfo.nvPublic.dataSize = 1;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_DefineSpace,
+ /* Empty owner auth */
+ sessionHandle, NULL, TPMA_SESSION_CONTINUESESSION,
+ TPM_RH_NULL, NULL, 0);
+
+ }
+ return rc;
+}
+
+static TPM_RC nvWrite(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ NV_Write_In nvWriteIn;
+ const char *pwd;
+
+ /* NV write */
+ if (rc == 0) {
+ nvWriteIn.authHandle = NVINDEX; /* use index authorization */
+ nvWriteIn.nvIndex = NVINDEX; /* NV index to write */
+ nvWriteIn.data.t.size = 1; /* one byte */
+ nvWriteIn.data.t.buffer[0] = 0xff; /* data */
+ nvWriteIn.offset = 0;
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ /* password session */
+ if (sessionHandle == TPM_RS_PW) {
+ pwd = NVPWD;
+ }
+ /* NULL password, bound (password ignored), encrypt the data */
+ else {
+ pwd = NULL;
+ }
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&nvWriteIn,
+ NULL,
+ TPM_CC_NV_Write,
+ sessionHandle, pwd, TPMA_SESSION_DECRYPT,
+ TPM_RH_NULL, NULL, 0);
+ }
+ return rc;
+}
+
+static TPM_RC undefineSpace(TSS_CONTEXT *tssContext,
+ TPMI_SH_AUTH_SESSION sessionHandle)
+{
+ TPM_RC rc = 0;
+ NV_UndefineSpace_In in;
+
+ if (rc == 0) {
+ in.authHandle = TPM_RH_OWNER;
+ in.nvIndex = NVINDEX;
+ rc = TSS_Execute(tssContext,
+ NULL,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_NV_UndefineSpace,
+ sessionHandle, NULL, TPMA_SESSION_CONTINUESESSION,
+ TPM_RH_NULL, NULL, 0);
+ }
+ return rc;
+}
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("writeapp\n");
+ printf("\n");
+ printf("writeapp is a sample NV write application. Provisions an NV location,\n");
+ printf("then does two writes with password 'pwd' using a bound, salted\n");
+ printf("HMAC session using AES CFB parameter encryption.\n");
+ printf("\n");
+ printf("Used to test minimal TSS build\n");
+ printf("\n");
+ printf("\t[-pwsess\tUse a password session, no HMAC or parameter encryption]\n");
+ printf("\n");
+ exit(1);
+}
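Review bot: `startSession` stores `startAuthSessionOut.sessionHandle` into `*sessionHandle` unconditionally after `TSS_Execute`, so when the StartAuthSession call fails the caller receives an uninitialized handle, which `main` then passes to `flush()` at the "Flush the salt session" step because that call is not guarded by `rc`. Guard the store: `if (rc == 0) { *sessionHandle = startAuthSessionOut.sessionHandle; }`. Relatedly, the return values of `undefineSpace` and the two trailing `flush` calls in `main` are discarded, so a failed NV undefine still prints `writeapp: success`; folding them into `rc` the same way the `TSS_Delete` result is handled would make the exit status reflect what actually happened on the TPM.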
diff --git a/libstb/tss2/ibmtpm20tss/utils/zgen2phase.c b/libstb/tss2/ibmtpm20tss/utils/zgen2phase.c
new file mode 100644
index 0000000..d615411
--- /dev/null
+++ b/libstb/tss2/ibmtpm20tss/utils/zgen2phase.c
@@ -0,0 +1,366 @@
+/********************************************************************************/
+/* */
+/* ZGen_2Phase */
+/* Written by Ken Goldman */
+/* IBM Thomas J. Watson Research Center */
+/* */
+/* (c) Copyright IBM Corporation 2017 - 2019 */
+/* */
+/* All rights reserved. */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions are */
+/* met: */
+/* */
+/* Redistributions of source code must retain the above copyright notice, */
+/* this list of conditions and the following disclaimer. */
+/* */
+/* Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* */
+/* Neither the names of the IBM Corporation nor the names of its */
+/* contributors may be used to endorse or promote products derived from */
+/* this software without specific prior written permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
+/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
+/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
+/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
+/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
+/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
+/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
+/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
+/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
+/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
+/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+/********************************************************************************/
+
+/*
+
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <ibmtss/tss.h>
+#include <ibmtss/tssutils.h>
+#include <ibmtss/tssresponsecode.h>
+#include <ibmtss/tssmarshal.h>
+#include <ibmtss/Unmarshal_fp.h>
+
+static void printUsage(void);
+
+extern int tssUtilsVerbose;
+
+int main(int argc, char *argv[])
+{
+ TPM_RC rc = 0;
+ int i; /* argc iterator */
+ TSS_CONTEXT *tssContext = NULL;
+ ZGen_2Phase_In in;
+ ZGen_2Phase_Out out;
+ TPMI_DH_OBJECT keyHandle = 0;
+ const char *qsbFilename = NULL;
+ const char *qebFilename = NULL;
+ const char *counterFilename = NULL;
+ const char *z1Filename = NULL;
+ const char *z2Filename = NULL;
+ const char *keyPassword = NULL;
+ TPMI_SH_AUTH_SESSION sessionHandle0 = TPM_RS_PW;
+ unsigned int sessionAttributes0 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle1 = TPM_RH_NULL;
+ unsigned int sessionAttributes1 = 0;
+ TPMI_SH_AUTH_SESSION sessionHandle2 = TPM_RH_NULL;
+ unsigned int sessionAttributes2 = 0;
+
+ setvbuf(stdout, 0, _IONBF, 0); /* output may be going through pipe to log file */
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "1");
+ tssUtilsVerbose = FALSE;
+
+ /* command line argument defaults */
+ in.inScheme = TPM_ALG_ECDH;
+
+ for (i=1 ; (i<argc) && (rc == 0) ; i++) {
+ if (strcmp(argv[i], "-hk") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &keyHandle);
+ }
+ else {
+ printf("Missing parameter for -hk\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-qsb") == 0) {
+ i++;
+ if (i < argc) {
+ qsbFilename = argv[i];
+ }
+ else {
+ printf("-s2 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-qeb") == 0) {
+ i++;
+ if (i < argc) {
+ qebFilename = argv[i];
+ }
+ else {
+ printf("-qeb option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-scheme") == 0) {
+ i++;
+ if (i < argc) {
+ if (strcmp(argv[i],"ecdh") == 0) {
+ in.inScheme = TPM_ALG_ECDH;
+ }
+#if 0
+ else if (strcmp(argv[i],"ecmqv") == 0) {
+ in.inScheme = TPM_ALG_ECMQV;
+ }
+#endif
+ else if (strcmp(argv[i],"sm2") == 0) {
+ in.inScheme = TPM_ALG_SM2;
+ }
+ else {
+ printf("Bad parameter %s for -scheme\n", argv[i]);
+ printUsage();
+ }
+ }
+ }
+ else if (strcmp(argv[i], "-cf") == 0) {
+ i++;
+ if (i < argc) {
+ counterFilename = argv[i];
+ } else {
+ printf("-cf option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-z1") == 0) {
+ i++;
+ if (i < argc) {
+ z1Filename = argv[i];
+ } else {
+ printf("-z1 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i], "-z2") == 0) {
+ i++;
+ if (i < argc) {
+ z2Filename = argv[i];
+ } else {
+ printf("-z2 option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-pwdk") == 0) {
+ i++;
+ if (i < argc) {
+ keyPassword = argv[i];
+ }
+ else {
+ printf("-pwdk option needs a value\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se0") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle0);
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes0);
+ if (sessionAttributes0 > 0xff) {
+ printf("Out of range session attributes for -se0\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se0\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se1") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle1);
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes1);
+ if (sessionAttributes1 > 0xff) {
+ printf("Out of range session attributes for -se1\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se1\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-se2") == 0) {
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionHandle2);
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ i++;
+ if (i < argc) {
+ sscanf(argv[i],"%x", &sessionAttributes2);
+ if (sessionAttributes2 > 0xff) {
+ printf("Out of range session attributes for -se2\n");
+ printUsage();
+ }
+ }
+ else {
+ printf("Missing parameter for -se2\n");
+ printUsage();
+ }
+ }
+ else if (strcmp(argv[i],"-h") == 0) {
+ printUsage();
+ }
+ else if (strcmp(argv[i],"-v") == 0) {
+ tssUtilsVerbose = TRUE;
+ TSS_SetProperty(NULL, TPM_TRACE_LEVEL, "2");
+ }
+ else {
+ printf("\n%s is not a valid option\n", argv[i]);
+ printUsage();
+ }
+ }
+ if (keyHandle == 0) {
+ printf("Missing handle parameter -hk\n");
+ printUsage();
+ }
+ if (qsbFilename == NULL) {
+ printf("Missing handle parameter -qsb\n");
+ printUsage();
+ }
+ if (qebFilename == NULL) {
+ printf("Missing handle parameter -qeb\n");
+ printUsage();
+ }
+ if (counterFilename == NULL) {
+ printf("Missing handle parameter -cf\n");
+ printUsage();
+ }
+ if (rc == 0) {
+ in.keyA = keyHandle;
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadStructure(&in.inQsB,
+ (UnmarshalFunction_t)TSS_TPM2B_ECC_POINT_Unmarshalu,
+ qsbFilename);
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadStructure(&in.inQeB,
+ (UnmarshalFunction_t)TSS_TPM2B_ECC_POINT_Unmarshalu,
+ qebFilename);
+ }
+ if (rc == 0) {
+ rc = TSS_File_ReadStructure(&in.counter,
+ (UnmarshalFunction_t)TSS_UINT16_Unmarshalu,
+ counterFilename);
+ }
+ /* Start a TSS context */
+ if (rc == 0) {
+ rc = TSS_Create(&tssContext);
+ }
+ /* call TSS to execute the command */
+ if (rc == 0) {
+ rc = TSS_Execute(tssContext,
+ (RESPONSE_PARAMETERS *)&out,
+ (COMMAND_PARAMETERS *)&in,
+ NULL,
+ TPM_CC_ZGen_2Phase,
+ sessionHandle0, keyPassword, sessionAttributes0,
+ sessionHandle1, NULL, sessionAttributes1,
+ sessionHandle2, NULL, sessionAttributes2,
+ TPM_RH_NULL, NULL, 0);
+ }
+ {
+ TPM_RC rc1 = TSS_Delete(tssContext);
+ if (rc == 0) {
+ rc = rc1;
+ }
+ }
+ if ((rc == 0) && (z1Filename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.outZ1,
+ (MarshalFunction_t)TSS_TPM2B_ECC_POINT_Marshalu,
+ z1Filename);
+
+
+ }
+ if ((rc == 0) && (z2Filename != NULL)) {
+ rc = TSS_File_WriteStructure(&out.outZ2,
+ (MarshalFunction_t)TSS_TPM2B_ECC_POINT_Marshalu,
+ z2Filename);
+
+
+ }
+ if (rc == 0) {
+ if (tssUtilsVerbose) printf("zgen2phase: success\n");
+ }
+ else {
+ const char *msg;
+ const char *submsg;
+ const char *num;
+ printf("zgen2phase: failed, rc %08x\n", rc);
+ TSS_ResponseCode_toString(&msg, &submsg, &num, rc);
+ printf("%s%s%s\n", msg, submsg, num);
+ rc = EXIT_FAILURE;
+ }
+ return rc;
+}
+
+
+static void printUsage(void)
+{
+ printf("\n");
+ printf("zgen2phase\n");
+ printf("\n");
+ printf("Runs TPM2_ZGen_2Phase\n");
+ printf("\n");
+ printf("\t-hk\tunrestricted decryption key handle\n");
+ printf("\t[-pwdk\tpassword for key (default empty)]\n");
+ printf("\t-qsb\tQsB point input file name\n");
+ printf("\t-qeb\tQeB point input file name\n");
+ printf("\t-cf\tcounter file name\n");
+ printf("\t[-scheme\t(default ecdh)]\n");
+ printf("\t\tecdh\n");
+ printf("\t\tecmqv\n");
+ printf("\t\tsm2\n");
+ printf("\t[-z1\tZ1 output data file name (default do not save)]\n");
+ printf("\t[-z2\tZ2 output data file name (default do not save)]\n");
+ printf("\n");
+ printf("\t-se[0-2] session handle / attributes (default PWAP)\n");
+ printf("\t01\tcontinue\n");
+ printf("\t20\tcommand decrypt\n");
+ printf("\t40\tresponse encrypt\n");
+ exit(1);
+}
+
+
+