Is it possible to know when my TPM was last used to decrypt my disk?

Çağlar Arlı


I use Linux on my laptop and I do Full Disk Encryption with the LUKS keys enrolled into TPM2 against proper PCRs to make sure the firmware, UEFI and Secure Boot setup are in a known-good state. Additionally, my TPM setup has a 6-digit PIN with a 24-hour delay after every 4 failed attempts. So the system only boots if the authenticity checks against the PCRs succeed and if the entered PIN is valid.

Finally, I would like to know if the TPM specification provides some reliable way to code something into my (signed) initramfs in order to wipe the NVMe disk and the TPM itself in case my laptop stays off (without a successful decrypt) for more than a week.

I wonder if the TPM itself has some reliable info on how long ago a valid PIN was last issued or how long ago the PCRs matched for the last time and the disk was decrypted.
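As an added illustration of what the TPM's own clock can and cannot answer here (this is example code written for this page, not something from the question's author or from any project), the Python below parses the fields that `tpm2_readclock` from tpm2-tools prints and compares them with a record assumed to have been saved at the previous successful unlock. The `tpm2_readclock` output embedded in the block is constructed for the example, and the idea of storing a `TpmClock` record at unlock time is a hypothetical design, not an existing feature. The point it demonstrates: `reset_count` does reveal whether the machine was booted again since the last unlock, and `clock` gives powered-on milliseconds since then, but the TPM clock only advances while the TPM is powered, so the time the laptop spent switched off is simply not measured by it.

```python
"""
Added example: interpret TPM2 clock fields (as printed by tpm2_readclock)
and compare them with a record saved at the previous successful unlock.

Assumptions (not from the original question):
  - the output format mirrors tpm2_readclock's "key: value" lines;
  - some earlier boot stored a TpmClock record after a successful unlock.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of tpm2_readclock output (not captured from a real TPM).
SAMPLE_READCLOCK_OUTPUT = """\
time: 48213971
clock_info:
  clock: 48213971
  reset_count: 17
  restart_count: 0
  safe: yes
"""


@dataclass(frozen=True)
class TpmClock:
    clock_ms: int        # milliseconds the TPM has been powered, cumulative
    reset_count: int     # increments on every TPM reset (in practice, each boot)
    restart_count: int   # increments on TPM restart/resume events
    safe: bool           # False if the TPM cannot vouch that clock is monotonic


def parse_readclock(text: str) -> TpmClock:
    """Parse the 'key: value' lines emitted by tpm2_readclock."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z_]+):\s*(\S+)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    try:
        return TpmClock(
            clock_ms=int(fields["clock"]),
            reset_count=int(fields["reset_count"]),
            restart_count=int(fields["restart_count"]),
            safe=(fields["safe"] == "yes"),
        )
    except KeyError as exc:
        raise ValueError(f"missing field in readclock output: {exc}") from exc


def compare_with_last_unlock(current: TpmClock, last: TpmClock) -> dict:
    """Derive what the TPM clock can actually prove since `last` was recorded."""
    boots = current.reset_count - last.reset_count
    powered_ms: Optional[int]
    if current.clock_ms < last.clock_ms or not current.safe:
        # Clock went backwards or the TPM flags it unsafe: do not trust it.
        powered_ms = None
    else:
        powered_ms = current.clock_ms - last.clock_ms
    return {
        "rebooted_since_last_unlock": boots > 0,
        "boots_since_last_unlock": boots,
        "powered_ms_since_last_unlock": powered_ms,
        # Time spent switched off is not tracked by the TPM at all.
        "unpowered_time_known": False,
    }


if __name__ == "__main__":
    now = parse_readclock(SAMPLE_READCLOCK_OUTPUT)
    # Hypothetical record written after the previous successful unlock.
    previous = TpmClock(clock_ms=40_000_000, reset_count=15, restart_count=0, safe=True)
    for key, value in compare_with_last_unlock(now, previous).items():
        print(f"{key}: {value}")
```

In a real initramfs hook the `previous` record would have to live somewhere the TPM itself protects (for instance an NV index with a policy), otherwise it can be edited on the unencrypted boot media; even then the comparison only yields boot count and powered time, which is why the clock alone cannot enforce a "wipe after a week switched off" rule.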