Duplicate/Migratable key with PCR policy #3402

Open
harpro777 opened this issue May 31, 2024 · 1 comment

@harpro777

Apologies if this isn't the correct place to ask this, but I'm not sure where else I should!

I need to create a duplicate key which also allows for a PCR policy. Basically, I want to encrypt files on TPM-A and decrypt on TPM-B using the same object with a PCR policy, so the decryption only works if the PCR values are the same.

I can create the duplicate object using tpm2_duplicate and migrate it to another TPM, but how do you then bind a PCR policy? I can't find documents suggesting it is possible, but they don't give any examples using tpm2_tools.

The two options I've been investigating are as follows, but I'm unsure which is correct or not.

  1. Use tpm2_policycommandcode to create a policy with TPM2_CC_Duplicate and a policy with TPM2_CC_PolicyPCR, and use tpm2_policyor to logically OR the two policies. Then apply the policy?
  2. Use tpm2_policyauthorize to allow mutable policies by tethering to a signing authority.

Any help or assistance would be greatly appreciated.

@salrashid123
Contributor

I'll try again: this seemed to work:

Transfer TPM based key using PCR policy

I used the policy_or from above and further used policy_duplicateselect.
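Putting option 1 from the question together with the policy_or the contributor mentions, the following is an added end-to-end tpm2-tools walkthrough written for this page; it is not code from the linked gist or from the tpm2-tools project. It assumes tpm2-tools 5.x on both hosts, an owner hierarchy with empty auth, PCR selection `sha256:0,7`, and file names of our own choosing. For the duplication branch it uses PolicyCommandCode(TPM2_CC_Duplicate) as the question proposes rather than the policy_duplicateselect the contributor used; the decryption branch is PolicyPCR, and the key's authPolicy is the PolicyOR of the two digests.

```shell
#!/bin/sh
# Added example for this issue (not tpm2-tools or gist code). Duplicates an RSA
# decryption key from TPM-A to TPM-B under authPolicy = PolicyOR(PolicyPCR, PolicyCommandCode(Duplicate)).
# Assumed: tpm2-tools 5.x, empty owner auth, PCR selection sha256:0,7; all file names are ours.
set -eu

PCR_SEL="sha256:0,7"

# Attributes for a migratable key: neither fixedtpm nor fixedparent may be set,
# otherwise TPM2_Duplicate refuses the object.
key_attrs() { printf '%s' "userwithauth|decrypt|sign|sensitivedataorigin"; }

# Argument form tpm2_policyor expects: hash alg, then a comma-separated list of branch digest files.
policy_or_arg() { printf 'sha256:%s,%s' "$1" "$2"; }

# Trial sessions only compute digests; they do not authorize anything.
# Note: -l reads the live PCR values of the TPM this runs on. To bind to values that differ from
# the current ones, record them with tpm2_pcrread -o pcrs.bin and pass -f pcrs.bin as well.
build_policy_digests() {
  tpm2_startauthsession -S trial.ctx
  tpm2_policypcr -S trial.ctx -l "$PCR_SEL" -L pcr.policy
  tpm2_flushcontext trial.ctx

  tpm2_startauthsession -S trial.ctx
  tpm2_policycommandcode -S trial.ctx -L dup.policy TPM2_CC_Duplicate
  tpm2_flushcontext trial.ctx

  tpm2_startauthsession -S trial.ctx
  tpm2_policyor -S trial.ctx -L or.policy "$(policy_or_arg pcr.policy dup.policy)"
  tpm2_flushcontext trial.ctx
}

# Step 1, on TPM-B: create the storage parent that will receive the key and export its public part.
tpm_b_prepare_parent() {
  tpm2_createprimary -C o -g sha256 -G rsa -c parent.ctx
  tpm2_readpublic -c parent.ctx -o new_parent.pub    # copy new_parent.pub to TPM-A
}

# Step 2, on TPM-A: create the key under the OR policy, encrypt a file, then duplicate the key
# to TPM-B's parent. Satisfying the PolicyCommandCode branch requires a real policy session.
tpm_a_create_and_duplicate() {
  build_policy_digests
  tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx
  tpm2_create -C primary.ctx -g sha256 -G rsa -a "$(key_attrs)" -L or.policy -u key.pub -r key.priv
  tpm2_load -C primary.ctx -u key.pub -r key.priv -c key.ctx
  tpm2_rsaencrypt -c key.ctx -o cipher.bin msg.txt   # encryption needs no authorization

  tpm2_startauthsession --policy-session -S sess.ctx
  tpm2_policycommandcode -S sess.ctx TPM2_CC_Duplicate
  tpm2_policyor -S sess.ctx "$(policy_or_arg pcr.policy dup.policy)"
  tpm2_loadexternal -C o -u new_parent.pub -c new_parent.ctx
  tpm2_duplicate -C new_parent.ctx -c key.ctx -G null -p "session:sess.ctx" -r dup.dpriv -s dup.seed
  tpm2_flushcontext sess.ctx
  # Ship key.pub, dup.dpriv, dup.seed, cipher.bin, pcr.policy and dup.policy to TPM-B.
}

# Step 3, on TPM-B: import under the local parent, then decrypt. PolicyPCR is evaluated against
# TPM-B's live PCRs, so the session digest only matches pcr.policy when the values are the same.
tpm_b_import_and_decrypt() {
  tpm2_import -C parent.ctx -u key.pub -i dup.dpriv -s dup.seed -r imported.priv
  tpm2_load -C parent.ctx -u key.pub -r imported.priv -c imported.ctx

  tpm2_startauthsession --policy-session -S sess.ctx
  tpm2_policypcr -S sess.ctx -l "$PCR_SEL"
  tpm2_policyor -S sess.ctx "$(policy_or_arg pcr.policy dup.policy)"
  tpm2_rsadecrypt -c imported.ctx -p "session:sess.ctx" -o plain.bin cipher.bin
  tpm2_flushcontext sess.ctx
}

case "${1:-}" in
  prepare-b) tpm_b_prepare_parent ;;
  run-a)     tpm_a_create_and_duplicate ;;
  run-b)     tpm_b_import_and_decrypt ;;
esac
```

Run `prepare-b` on TPM-B, copy `new_parent.pub` to TPM-A, run `run-a`, copy the listed files to TPM-B, then run `run-b`. The two branch digests travel with the key because `tpm2_policyor` needs both of them to reproduce the authPolicy in the session; a PCR mismatch on TPM-B shows up as a policy failure on `tpm2_rsadecrypt`, since PolicyPCR then yields a digest that is not one of the OR branches.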
