I'm trying to understand what the intended output of tpm2-tools/tpm2_getcap is with the handles-loaded-session option. The description says:

handles-loaded-session: Display handles about both loaded HMAC and policy sessions.

I understand that tpm2-tools performs TPM2_ContextLoad -> operation -> TPM2_ContextSave whenever it is possible. Therefore, tpm2_getcap handles-saved-session will show the saved context in the TPM; check the following:

tpm2_startauthsession -S session.dat --policy-session
tpm2_policypcr -S session.dat -l "sha256:16"
tpm2_getcap handles-saved-session
    > 0x2000000
tpm2_flushcontext session.dat
tpm2_getcap handles-saved-session
    > nil

However, tpm2_getcap handles-loaded-session always returns nothing. So my question is: in what situation will tpm2_getcap handles-loaded-session show any output?

Consy

1 Answer

Indeed. If a TPM2.0 Session is active, loaded in the TPM and in use, then you would see it in the list of TPM_HT_LOADED_SESSION.

Because the "tss2-software" stack stores the context in a file outside the TPM by default, you would not see that session in loaded.

You would find it only in saved, when asking TPM2_GetCapability for TPM_HT_SAVED_SESSION as you did in your example.

Does this answer your question?

PS: Typically, context saving is needed when you have multiple users or applications working with the TPM. So, I am curious, is there a particular reason you want to use context saving or observe loaded sessions?

dimitom
  • I'm studying why the Linux Trusted Key fails with policy PCR. One reason is that the policy session is not being loaded correctly. You are absolutely right about the behavior of "tss2-software". But the session will still not be loaded even if I modify the tss2 to not perform context saving on exit. Later I observed that the Linux TPM driver itself is performing a context load then save in every single call to the TPM device node (/dev/tpm0 tpmrm0). I'll accept your answer since this behavior is well understood now. – Consy Jan 12 '21 at 01:56
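
The behaviour discussed in the thread above, as an added example that is not part of the original posts and is not TPM or tpm2-tools code: a simplified Python model in which each tool call does ContextLoad, an operation, then ContextSave, so a separate getcap call only ever finds the session in the saved list. The names `ModelTPM`, `tool_policypcr` and `demo` are hypothetical, and the model assumes one session and one process per tool call.

```python
# Simplified session model for illustration (an assumption, not TPM or tpm2-tools code).
HT_HMAC, HT_POLICY = 0x02, 0x03      # handle-type octets
class ModelTPM:
    def __init__(self):
        self.loaded = {}             # handle -> state held inside the TPM
        self.saved = set()           # slots of context-saved, still active sessions
        self.slots = 0               # next free session slot

    def start_auth_session(self):
        handle = (HT_POLICY << 24) | self.slots
        self.slots += 1
        self.loaded[handle] = []     # policy steps applied so far
        return handle

    def context_save(self, handle):
        state = self.loaded.pop(handle)
        self.saved.add(handle & 0xFFFFFF)
        return {"handle": handle, "state": state}   # blob kept by the caller

    def context_load(self, blob):
        self.saved.discard(blob["handle"] & 0xFFFFFF)
        self.loaded[blob["handle"]] = blob["state"]
        return blob["handle"]

    def flush_context(self, handle):
        self.loaded.pop(handle, None)
        self.saved.discard(handle & 0xFFFFFF)

    def getcap(self):
        # Saved sessions are listed with the 0x02 type octet whatever their kind,
        # which matches the 0x2000000 shown in the question.
        saved = sorted((HT_HMAC << 24) | slot for slot in self.saved)
        return {"loaded": sorted(self.loaded), "saved": saved}

def tool_policypcr(tpm, blob):
    """Models tpm2_policypcr -S file: ContextLoad -> operation -> ContextSave."""
    handle = tpm.context_load(blob)
    tpm.loaded[handle].append("pcr sha256:16")
    return tpm.context_save(handle)

def demo():
    tpm = ModelTPM()
    blob = tpm.context_save(tpm.start_auth_session())  # tpm2_startauthsession -S file
    blob = tool_policypcr(tpm, blob)
    between_tools = tpm.getcap()     # what a separate tpm2_getcap process sees
    handle = tpm.context_load(blob)  # a caller that keeps the session in the TPM
    while_loaded = tpm.getcap()
    tpm.flush_context(handle)
    return between_tools, while_loaded, tpm.getcap()
```

`demo()` returns the loaded and saved lists at three points: between tool calls, while a caller holds the session loaded, and after the flush.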