tpm2_nvcertify attestation structure #3538

@celesteking

Description

@celesteking

Can we please do something with the output of --attestation in tpm2_nvcertify (and possibly tpm2_certifycreation)?
I have no way of parsing it via any of the provided tools; it doesn't contain NV index contents as promised, and the man page is bringing extra confusion, as per the Google conversation below:

You are absolutely correct to be confused. I checked the man page documentation, and it does indeed say:

--attestation=FILE: The attestation data of the type TPM2_CREATION_INFO signed with signing key.

This is a documentation bug.

The man page is incorrect. This line appears to be a copy-paste error from the tpm2_certifycreation command documentation.

In reality, tpm2_nvcertify always outputs a TPMS_ATTEST structure (specifically containing TPMS_ATTEST_NV). It does not output TPM2_CREATION_INFO.

What to do

You should ignore the man page's claim about the type. Treat the output file as TPMS_ATTEST.

Use the command I provided earlier:

tpm2_print -t TPMS_ATTEST attestation.bin

Why the error exists (Technical Context)

  • TPM2_CREATION_INFO is used only when certifying that a key was created on the TPM (using tpm2_certifycreation).
  • TPMS_ATTEST is the generic structure used for almost all other attestations (NV certification, Quote/PCRs, Command Audit, etc.).

Since tpm2_nvcertify is proving the contents of an index, not the creation of a key, it uses the standard TPMS_ATTEST.
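The TPMS_ATTEST layout discussed above, as an added example that is not part of this issue or of the tpm2-tools project: a small Python parser for the TPM_ST_ATTEST_NV case (field order taken from TPM 2.0 Library Part 2), exercised on a constructed sample blob. `parse_nv_attest`, `build_sample` and the sample values are my own; the magic and type constants are the specification's.

```python
import struct

TPM_GENERATED_VALUE = 0xFF544347  # magic that opens every TPMS_ATTEST
TPM_ST_ATTEST_NV = 0x8014         # type: attested is a TPMS_NV_CERTIFY_INFO
CLOCK_FMT = ">QIIBQ"              # TPMS_CLOCK_INFO (clock, resetCount, restartCount, safe) + firmwareVersion

def _tpm2b(buf, pos):
    """Read a TPM2B_* field (big-endian UINT16 size, then bytes); return (bytes, new_pos)."""
    (size,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + size > len(buf):
        raise ValueError("TPM2B size runs past end of buffer")
    return buf[pos:pos + size], pos + size

def parse_nv_attest(buf):
    """Parse a TPMS_ATTEST of type TPM_ST_ATTEST_NV; rejects anything else up front."""
    magic, att_type = struct.unpack_from(">IH", buf, 0)
    if magic != TPM_GENERATED_VALUE:
        raise ValueError("no TPM_GENERATED magic: not a TPMS_ATTEST")
    if att_type != TPM_ST_ATTEST_NV:
        raise ValueError("attestation type 0x%04x is not TPM_ST_ATTEST_NV" % att_type)
    pos = 6
    qualified_signer, pos = _tpm2b(buf, pos)   # TPM2B_NAME of the signing key
    extra_data, pos = _tpm2b(buf, pos)         # TPM2B_DATA: caller-supplied qualifying data
    clock, reset_count, restart_count, safe, firmware = struct.unpack_from(CLOCK_FMT, buf, pos)
    pos += struct.calcsize(CLOCK_FMT)
    index_name, pos = _tpm2b(buf, pos)         # TPMS_NV_CERTIFY_INFO.indexName
    (offset,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    nv_contents, pos = _tpm2b(buf, pos)        # TPMS_NV_CERTIFY_INFO.nvContents
    if pos != len(buf):
        raise ValueError("%d trailing bytes after TPMS_ATTEST" % (len(buf) - pos))
    return {"qualified_signer": qualified_signer, "extra_data": extra_data,
            "clock": clock, "reset_count": reset_count, "restart_count": restart_count,
            "safe": bool(safe), "firmware_version": firmware,
            "index_name": index_name, "offset": offset, "nv_contents": nv_contents}

def build_sample(att_type=TPM_ST_ATTEST_NV):
    """Constructed sample blob (not real TPM output) laid out like a TPMS_ATTEST_NV."""
    name = b"\x00\x0b" + bytes(range(32))       # TPM2B_NAME body: TPM_ALG_SHA256 + 32-byte digest
    return b"".join([
        struct.pack(">IH", TPM_GENERATED_VALUE, att_type),
        struct.pack(">H", len(name)) + name,     # qualifiedSigner
        struct.pack(">H", 4) + b"qual",          # extraData
        struct.pack(CLOCK_FMT, 123456, 7, 2, 1, 0x0001000200030004),
        struct.pack(">H", len(name)) + name,     # indexName
        struct.pack(">H", 0),                    # offset into the NV index
        struct.pack(">H", 5) + b"hello",         # nvContents: the certified bytes
    ])
```

A file written by `tpm2_nvcertify --attestation` would be read and passed to `parse_nv_attest` in place of the constructed sample; the parse only recovers the fields, and the accompanying signature still has to be verified against the signing key before any of them are trusted.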
