(In reply to Artur Kaufmann from comment #59)

> Maybe the revision of the TPM2.0 chip is also important

This is true, as older revisions do not recognize NVIndex that are also required.

> > sudo tpm2_getcap properties-fixed | grep TPM2_PT_REVISION -A2
> > TPM2_PT_REVISION:
> > raw: 0x8A
> > value: 1.38
> > BR

For sdbootutil I can fall back to pcr-oracle (signed policies). We are doing this when NVIndex fails, but a failure in PolicyOR is not detected until much (much) later.

The check for the revision is a really good idea, but it is hard to put it as a strong threshold, as I am not sure that the number of branches is part of the specification document (I did not see it at first glance).
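As an added illustration of the advisory revision check discussed above (this is example code, not sdbootutil's own), the shell snippet below parses `TPM2_PT_REVISION` out of `tpm2_getcap properties-fixed` output and compares it against a caller-chosen minimum; the 1.38 used as the minimum is an assumption taken from the value quoted in the thread, not a limit from the specification, and the `SAMPLE_GETCAP` text is a constructed sample shaped like that output.

```shell
# Extract the "value:" line of the TPM2_PT_REVISION block from the text that
# `tpm2_getcap properties-fixed` prints. $1 holds that text.
tpm2_revision_from_getcap() {
    printf '%s\n' "$1" | awk '
        /^TPM2_PT_REVISION:/ { in_block = 1; next }   # enter the block
        in_block && /^[^ ]/  { in_block = 0 }         # next property starts
        in_block && /value:/ { gsub(/[^0-9.]/, "", $2); print $2; exit }
    '
}

# Turn a revision string such as "1.38" into the integer 138 so that the
# shell can compare revisions numerically.
revision_as_int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%02d\n", $1, $2 }'
}

# Advisory check: succeeds (exit 0) when revision $1 is at least revision $2.
# The minimum is an assumption supplied by the caller; the page notes that
# the number of PolicyOR branches is not known to be tied to the revision.
tpm2_revision_at_least() {
    have=$(revision_as_int "$1")
    want=$(revision_as_int "$2")
    [ "$have" -ge "$want" ]
}

# Constructed sample output, shaped like the output quoted in the thread.
SAMPLE_GETCAP='TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_REVISION:
  raw: 0x8A
  value: 1.38
TPM2_PT_DAY_OF_YEAR:
  raw: 0x8
'

# On a real system replace SAMPLE_GETCAP with "$(sudo tpm2_getcap properties-fixed)".
rev=$(tpm2_revision_from_getcap "$SAMPLE_GETCAP")
if tpm2_revision_at_least "$rev" 1.38; then
    echo "TPM revision $rev: try the NV-index policy first"
else
    echo "TPM revision $rev is older than assumed minimum; expect NV-index failures, prefer the pcr-oracle fallback" >&2
fi
```

Because the check is advisory, a failed comparison should only steer the policy choice and log a warning; it is not a substitute for detecting a PolicyOR failure directly.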