add example usage

Author: DavisRayM

content/blog/tpm-startup-and-provisioning/index.md

@@ -551,3 +551,36 @@ From the TPM’s perspective, a “normal” provisioning flow looks roughly lik
      - `TPM2_CreatePrimary(parent = 0x40000001)`.
    - Use that key as a parent for children:
      - `TPM2_Create`, `TPM2_Load`, etc.
+
+## 5. A Concrete Example: Signing Data with a TPM
+
+Everything above can feel abstract until you actually use a TPM for something real.
+
+To make this concrete, I’ve put together a small sample project that walks through a complete, minimal TPM signing flow using [TSS](https://tpm2-tss.readthedocs.io/en/latest/index.html):
+
+👉 [TPMSign](https://github.com/DavisRayM/tpm-sign)
+
+### What the Project Demonstrates
+
+The project shows how to:
+
+1. Initialize and verify TPM state
+    - Assumes the TPM has completed `_TPM_Init()` and `TPM2_Startup`.
+    - Verifies that a usable storage hierarchy exists.
+2. Create (or reuse) a primary key
+    - Uses `TPM2_CreatePrimary` under the storage hierarchy (0x40000001).
+    - Produces a transient handle in the 0x8000_0000 range.
+3. Create a signing key under that primary
+    - Uses `TPM2_Create` + `TPM2_Load`.
+    - The private portion of the key never leaves the TPM.
+4. Sign user-supplied data
+    - Hashes the input message
+    - Uses `TPM2_Sign` to generate a signature inside the TPM.
+    - Returns a standard RSA signature that can be verified outside the TPM.
+
+At no point does the signing key’s private material leave the TPM — all
+cryptographic operations are bound to TPM handles, exactly as described earlier
+in this post.
+
+If you understood the annotated command dumps in this post, the project should
+feel familiar — it’s the same flow, just applied to a practical task