Implement status sub-command

[EvilBit]

Having a sub-command à la tpm2-totp status to show the currently enrolled configuration would be helpful and very much appreciated.

Infos to display could include:

• general enrollment status
• selected PCR registers
• • possibly with short description for well-known PCRs (man 1 systemd-cryptenroll has a nice summary)
• resealing possible? (enrolled with password or not)
• PCR banks
• nvindex used
• label
• etc.

Possibly/Optionally in YAML format.

[diabonas]

Sounds like a good idea! The following information should be easy enough to obtain:

• general enrollment status: test whether the well-known NV index 0x018094AF exists
• selected PCR registers: these are stored in the NV index
• resealing possible? (enrolled with password or not): see how tpm2totp_reseal determines wether the unseal blob is present
• PCR banks: stored in the NV index as well

The following information is not stored permanently at the moment:

• nvindex used: We'd need to store this information somewhere on disk since it can't be derived from the TPM (short of trying all defined NV indices, which doesn't seem feasible). Maybe we could parse the kernel command line /proc/cmdline for the tpm2_totp_nvindex/rd.tpm2totp.nvindex=index argument to cover at least the initramfs use case? I'm not sure if people really use this feature at all (though it might possibly make sense if you store multiple different TOTP secrets, possibly for different operating systems).
• label: the --label argument is only used during generation of the QR code containing the TOTP secret. It might make sense to store it in the NV index as well to make resealing easier, but it currently is a variable-length string, so not a good fit for a fixed-size index. We could limit it to e.g. a maximum of 32 characters though.