doc: fix code/doc mismatches found in consistency review

tlaurion · tlaurion · commit f0926e98d100 · 2026-05-18T21:25:06.000-04:00
- Add da_state and bad_auth to the subcommand reference table
- Fix misleading NVRAM index claim (0x3135106223 is not fixed for TPM2)
- Fix bad_auth debug.log claim: increment output goes to console
- Fix _tpm_auth_retry comment: 'owner auth' -&gt; 'authorization' (handles counter auth too)

Signed-off-by: Thierry Laurion &lt;insurgo@riseup.net&gt;
diff --git a/doc/tpm.md b/doc/tpm.md
@@ -65,6 +65,8 @@ Both TPM1 and TPM2 boards may also enable `CONFIG_TPMTOTP=y` for the
 | `reset` | Reset the TPM |
 | `kexec_finalize` | Finalize PCR state before kexec (TPM2 only) |
 | `shutdown` | Orderly shutdown (TPM2 only) |
+| `da_state` | Query dictionary attack lockout state |
+| `bad_auth` | Deliberately trigger an auth failure to test DA lockout |
 
 ---
 
@@ -298,9 +300,11 @@ The rollback counter prevents **TPM swap attacks** and **/boot disk swap attacks
 
 ### How it works
 
-The counter is stored **in the TPM** (NVRAM index `0x3135106223`), ensuring
-hardware binding. A SHA-256 hash of the counter value is stored on **/boot**
-(`/boot/kexec_rollback.txt`). This creates a two-way binding:
+The counter value is stored **in the TPM** at a persistent NVRAM index
+(stored in `/boot/kexec_rollback.txt`; the index is a well-known value
+for TPM1 and randomly generated per TPM2 at provisioning time).  A SHA-256
+hash of the counter value is stored on **/boot** (`/boot/kexec_rollback.txt`).
+This creates a two-way binding:
 
 - Cannot swap TPM without breaking /boot consistency
 - Cannot swap /boot without breaking TPM consistency
@@ -574,7 +578,8 @@ lockout behavior by deliberately triggering an auth failure:
   owner auth may not increment on some implementations.  Shows DA state
   before and after each attempt.
 
-Both log detailed output to debug.log for post-mortem analysis.
+Test headers and DA state queries are logged to debug.log for analysis;
+the increment command output goes to the console during interactive use.
 
 #### Preventing future lockouts
 
diff --git a/initrd/bin/tpmr.sh b/initrd/bin/tpmr.sh
@@ -362,7 +362,7 @@ tpm2_counter_inc() {
 	DIE "Can't increment TPM counter for $index after 3 attempts, access denied."
 }
 
-# _tpm_auth_retry - Shared retry helper for TPM commands needing owner auth.
+# _tpm_auth_retry - Shared retry helper for TPM commands needing authorization.
 #
 # Handles both TPM1 (tpmtotp: errors to stdout, uses -pwdo/-pwdc flags)
 # and TPM2 (tpm2-tools: errors to stderr, uses -P parameter).

Original file line number	Diff line number	Diff line change
`@@ -362,7 +362,7 @@ tpm2_counter_inc() {`
`362`	`362`	`DIE "Can't increment TPM counter for $index after 3 attempts, access denied."`
`363`	`363`	`}`
`364`	`364`
`365`		`-# _tpm_auth_retry - Shared retry helper for TPM commands needing owner auth.`
	`365`	`+# _tpm_auth_retry - Shared retry helper for TPM commands needing authorization.`
`366`	`366`	`#`
`367`	`367`	`# Handles both TPM1 (tpmtotp: errors to stdout, uses -pwdo/-pwdc flags)`
`368`	`368`	`# and TPM2 (tpm2-tools: errors to stderr, uses -P parameter).`