The "Sealing" section of nvram.md demonstrates the following command sequence:
$ tpm2_pcrread -o srtm.pcrvalues sha256:0,1,2,3
$ tpm2_createpolicy --policy-pcr -l sha256:0,1,2,3 -f srtm.pcrvalues -L srtm.policy
$ tpm2_nvdefine 0x1500019 -C o -s 32 -L srtm.policy -a "policyread|policywrite"
$ tpm2_nvwrite 0x1500019 -C 0x1500019 -P pcr:sha256:0,1,2,3=srtm.pcrvalues -i testfile
$ tpm2_nvread 0x1500019 -C 0x1500019 -P pcr:sha256:0,1,2,3=srtm.pcrvalues
You don't have to provide a file for tpm2_createpolicy; it will implicitly use the current values of the specified PCRs.
But you show a more general case, and that's fine.
However, the inclusion of "=srtm.pcrvalues" in arguments for the last two tpm2_nvwrite and tpm2_nvread commands is totally bogus, and arguably should raise an error from the tpm2-tools parser. Obviously, when invoking those commands with a PCR policy, the contents of that are irrelevant. The source of the PCR values is (and must be) only the current state of the specified PCRs, on the device.
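As an added illustration (this is not code from the issue, from nvram.md or from tpm2-tools), here is a small Python model of what the PCR file contributes at each step of the sequence above. tpm2_createpolicy hashes the PCR values it is given (the file, or the live PCRs when no file is passed) into the TPM2_PolicyPCR policy digest that tpm2_nvdefine stores with the index. At authorization time the TPM2_PolicyPCR command (TPM 2.0 Part 3) always extends the session's policy digest with a digest of the TPM's live PCRs; its optional pcrDigest parameter is only an expected value that the TPM compares against the live digest and rejects with TPM_RC_VALUE on mismatch. The model takes that parameter directly and does not show how (or whether) tpm2-tools maps a `=srtm.pcrvalues` file onto it; the marshalling helpers and the "constructed" PCR values are assumptions made for the example, and session handling is left out.

```python
import hashlib

# Constants from TPM 2.0 Part 2 (Structures).
TPM_CC_POLICYPCR = 0x0000017F   # command code mixed into the policy digest
TPM_ALG_SHA256 = 0x000B
PCR_SELECT_SIZE = 3             # sizeofSelect for 24 PCRs, one bit per PCR


def pcr_selection_bytes(pcr_indices, alg=TPM_ALG_SHA256):
    """Marshal a TPML_PCR_SELECTION holding one bank (assumption: only SHA-256 is selected).

    Layout: count (UINT32) || hash (UINT16) || sizeofSelect (UINT8) || pcrSelect bitmap.
    """
    select = bytearray(PCR_SELECT_SIZE)
    for i in pcr_indices:
        select[i // 8] |= 1 << (i % 8)
    return (1).to_bytes(4, "big") + alg.to_bytes(2, "big") + bytes([PCR_SELECT_SIZE]) + bytes(select)


def pcr_digest(pcr_values, pcr_indices):
    """pcrDigest: SHA-256 over the selected PCR values, concatenated in ascending PCR order."""
    h = hashlib.sha256()
    for i in sorted(pcr_indices):
        h.update(pcr_values[i])
    return h.digest()


def policy_pcr_digest(pcr_values, pcr_indices):
    """The TPM2_PolicyPCR policy digest for a fresh (all-zero) policy session.

    This is what tpm2_createpolicy --policy-pcr writes to srtm.policy and what
    tpm2_nvdefine -L binds to the NV index.
    """
    h = hashlib.sha256()
    h.update(bytes(32))                                  # fresh session digest is all zeros
    h.update(TPM_CC_POLICYPCR.to_bytes(4, "big"))
    h.update(pcr_selection_bytes(pcr_indices))
    h.update(pcr_digest(pcr_values, pcr_indices))
    return h.digest()


class PolicyPcrFailed(Exception):
    """Stands in for TPM_RC_VALUE from TPM2_PolicyPCR."""


def tpm_policy_pcr(live_pcrs, pcr_indices, expected_pcr_digest=b""):
    """Model of TPM2_PolicyPCR executed on the device.

    The session digest is always derived from the TPM's live PCRs.  A non-empty
    pcrDigest parameter is an expectation only: the TPM checks it against the
    live digest and fails the command on mismatch, it never substitutes for them.
    """
    if expected_pcr_digest and expected_pcr_digest != pcr_digest(live_pcrs, pcr_indices):
        raise PolicyPcrFailed("TPM_RC_VALUE: pcrDigest does not match current PCRs")
    return policy_pcr_digest(live_pcrs, pcr_indices)


def pcr_extend(old, measurement):
    """PCR extend: new = SHA-256(old || measurement)."""
    return hashlib.sha256(old + measurement).digest()


# Constructed sample PCR bank for PCRs 0-3 (not real firmware measurements).
SRTM_PCRS = {i: hashlib.sha256(b"constructed pcr %d" % i).digest() for i in range(4)}
SELECTION = [0, 1, 2, 3]


def simulate_nv_access(platform_changed, supply_file):
    """Run the nvram.md sequence against the model and report the outcome.

    platform_changed: PCR 0 has been extended since srtm.pcrvalues was captured.
    supply_file:      pass the file's digest as pcrDigest, as '=srtm.pcrvalues' suggests.
    Returns 'granted', 'denied_policy' (session digest != index policy) or
    'denied_value' (TPM2_PolicyPCR itself rejected the supplied pcrDigest).
    """
    stored_policy = policy_pcr_digest(SRTM_PCRS, SELECTION)        # nvdefine -L srtm.policy
    live = dict(SRTM_PCRS)
    if platform_changed:
        live[0] = pcr_extend(live[0], b"constructed: different boot firmware")
    expected = pcr_digest(SRTM_PCRS, SELECTION) if supply_file else b""
    try:
        session_digest = tpm_policy_pcr(live, SELECTION, expected)  # nvwrite/nvread -P pcr:...
    except PolicyPcrFailed:
        return "denied_value"
    return "granted" if session_digest == stored_policy else "denied_policy"


if __name__ == "__main__":
    for changed in (False, True):
        for with_file in (False, True):
            print(f"platform_changed={changed!s:5} supply_file={with_file!s:5} ->",
                  simulate_nv_access(changed, with_file))
```

Run it and the four combinations show the point: with the platform unchanged, access is granted with or without the file; once PCR 0 differs, access is denied either way, and the only thing the file changes is which step reports the failure. The file never supplies the values the policy is evaluated against; those come from the device's PCRs.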