I'm trying to understand the difference between the options
--hmac-session and --policy-session in the tpm2_startauthsession command of tpm2-tools.
I am relatively new to TPM coding/commands and started to read the Practical Guide to TPM2.0, but it's relatively hard.
My problem right now: if I use:
tpm2_startauthsession --hmac-session -c primary.ctx -S session.ctx
the command:
tpm2_sign -p session:session.ctx -c key.ctx -g sha256 -o signature message
works just fine.
However, when I use
tpm2_startauthsession --policy-session -c primary.ctx -S session.ctx
it tells me a "policy-check" failed.
I don't quite understand what the difference between hmac and policy sessions is, and where in the startauthsession I declared a policy that I failed to provide here.
I'm trying to understand it through documents and videos, but none are very helpful so far.