address review comments on PR #2117

tlaurion · tlaurion · commit 30a42016a09c · 2026-05-17T13:18:24.000-04:00
- Fix TPM2 time remaining table entry: estimate is derived from LOCKOUT_COUNTER vs MAX_AUTH_FAIL times LOCKOUT_INTERVAL, not LOCKOUT_RECOVERY (which is the lockout-auth-blocked-after-failure timer, not the remaining-until-unlock) - Reword migration WARN: 'older Heads version' not 'older firmware' (the migration case is caused by previous Heads code, not platform firmware) - Remove fragile PR #2117 reference from preventing-future-lockouts section: describe the fix generically (restoring empty counter auth) so the doc is correct regardless of branch context Signed-off-by: Thierry Laurion <insurgo@riseup.net>
diff --git a/doc/tpm.md b/doc/tpm.md
@@ -510,7 +510,7 @@ state.  Available for both TPM1 and TPM2:
 | Current failures | `currentCount` | `TPM2_PT_LOCKOUT_COUNTER` |
 | Lockout threshold | `thresholdCount` | `TPM2_PT_MAX_AUTH_FAIL` |
 | Lockout interval | -- | `TPM2_PT_LOCKOUT_INTERVAL` |
-| Time remaining | `actionDependValue` (seconds) | `TPM2_PT_LOCKOUT_RECOVERY` |
+| Time remaining | `actionDependValue` (seconds) | Estimate from `LOCKOUT_COUNTER` vs `MAX_AUTH_FAIL` times `LOCKOUT_INTERVAL` |
 
 The recovery shell can run `tpmr.sh da_state` at any time to check
 whether the TPM is locked and how much lockout time remains.
@@ -547,13 +547,12 @@ line is logged by the preflight guard in `increment_tpm_counter`.
 
 #### Preventing future lockouts
 
-Heads' counter auth regression (PR #2068) caused 3 TPM auth failures
-per boot by passing the owner passphrase as the counter auth while the
-counter was created with empty auth.  This was fixed in PR #2117 by
-restoring empty counter auth for both creation and increment,
-preventing any auth failures from counter operations.  All TPM1 boards
-that ran the regression code are affected identically; this is not
-platform-specific.
+Heads' counter auth regression caused 3 TPM auth failures per boot by
+passing the owner passphrase as the counter auth while the counter was
+created with empty auth.  Restoring empty counter auth for both creation
+and increment (as per TCG spec) prevents auth failures from counter
+operations.  All TPM1 boards that ran the regression code are affected
+identically; this is not platform-specific.
 
 ### TPM1 physical presence
 
diff --git a/initrd/etc/functions.sh b/initrd/etc/functions.sh
@@ -2165,7 +2165,7 @@ increment_tpm_counter() {
 						2>/dev/null | tee /tmp/counter-"$counter_id" >/dev/null
 			); then
 				increment_ok="y"
-				WARN "TPM counter created by older firmware (uses owner passphrase). This is a one-time migration; operation continues with owner-passphrase auth. Reset TPM in menu (Options -> TPM/TOTP/HOTP Options -> Reset the TPM) to create a new empty-auth counter (recommended), or leave as-is."
+				WARN "TPM counter created by older Heads version (uses owner passphrase). This is a one-time migration; operation continues with owner-passphrase auth. Reset TPM in menu (Options -> TPM/TOTP/HOTP Options -> Reset the TPM) to create a new empty-auth counter (recommended), or leave as-is."
 			fi
 		fi
 	fi
