Tags: linux, tpm, trusted-computing

What is TPM2_GetCapability TPM_HT_LOADED_SESSION intended to show?


I'm trying to understand what the intended output of tpm2-tools/tpm2_getcap with the handles-loaded-session option is. The description says:

handles-loaded-session: Display handles about both loaded HMAC and policy sessions.

I understand that tpm2-tools performs TPM2_ContextLoad -> operation -> TPM2_ContextSave whenever possible. Therefore, tpm2_getcap handles-saved-session will show the saved context in the TPM; check the following:

tpm2_startauthsession -S session.dat --policy-session
tpm2_policypcr -S session.dat -l "sha256:16"
tpm2_getcap handles-saved-session
    > 0x2000000
tpm2_flushcontext session.dat
tpm2_getcap handles-saved-session
    > nil

However, tpm2_getcap handles-loaded-session always returns nothing. So my question is: in what situation will tpm2_getcap handles-loaded-session show any output?


Solution

  • Indeed. If a TPM 2.0 session is active, loaded in the TPM and in use, then you would see it in the TPM_HT_LOADED_SESSION list.

    Because the "tss2-software" stack stores the context in a file outside the TPM by default, you would not see that session in the loaded list.

    You would find it only in saved, when asking TPM2_GetCapability for TPM_HT_SAVED_SESSION as you did in your example.

    Does this answer your question?

    PS: Typically, context saving is needed when you have multiple users or applications working with the TPM. So, I am curious, is there a particular reason you want to use context saving or observe loaded sessions?
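The loaded/saved distinction above comes down to the handle type in the most significant octet of a TPM handle and to which TPM2_GetCapability query tpm2_getcap issues for each handles-* option. The following is an added example (not code from the question, the answer, or the tpm2-tools project) that decodes handles as tpm2_getcap prints them, builds the matching TPM_CAP_HANDLES query, and reports whether a session is currently loaded in the TPM, context-saved (held in a file by the tss2 stack), or gone. The TPM_HT and TPM_CAP constants are the values from TPM 2.0 Library Part 2; the accepted output line formats ("> 0x...", "- 0x...", "nil") and the sample output are assumptions constructed to mirror the transcript in the question.

```python
"""Decode TPM 2.0 handles printed by tpm2_getcap handles-* and classify session
state. Added example, not tpm2-tools code. Handle-type and capability
constants are from TPM 2.0 Library Part 2; the output-line formats handled by
the parser and the sample output at the bottom are constructed assumptions."""

# TPM_HT constants: the most significant octet (MSO) of a TPM_HANDLE.
TPM_HT = {
    0x00: "TPM_HT_PCR",
    0x01: "TPM_HT_NV_INDEX",
    0x02: "TPM_HT_HMAC_SESSION",    # same value as TPM_HT_LOADED_SESSION
    0x03: "TPM_HT_POLICY_SESSION",  # same value as TPM_HT_SAVED_SESSION
    0x40: "TPM_HT_PERMANENT",
    0x80: "TPM_HT_TRANSIENT",
    0x81: "TPM_HT_PERSISTENT",
}
TPM_HT_LOADED_SESSION = 0x02  # GetCapability: list loaded HMAC and policy sessions
TPM_HT_SAVED_SESSION = 0x03   # GetCapability: list context-saved sessions
TPM_CAP_HANDLES = 0x00000001

# tpm2_getcap handles-* option -> handle type placed in the MSO of the property.
GETCAP_HANDLE_OPTIONS = {
    "handles-pcr": 0x00,
    "handles-nv-index": 0x01,
    "handles-loaded-session": TPM_HT_LOADED_SESSION,
    "handles-saved-session": TPM_HT_SAVED_SESSION,
    "handles-permanent": 0x40,
    "handles-transient": 0x80,
    "handles-persistent": 0x81,
}


def getcap_query(option: str) -> tuple:
    """Return the (capability, property) pair behind a tpm2_getcap handles-*
    option: TPM_CAP_HANDLES with the handle type shifted into the MSO, which
    tells the TPM where in handle space to start listing."""
    return TPM_CAP_HANDLES, GETCAP_HANDLE_OPTIONS[option] << 24


def handle_type(handle: int) -> str:
    """Name the TPM_HT handle type encoded in the handle's MSO."""
    mso = (handle >> 24) & 0xFF
    return TPM_HT.get(mso, "unknown(0x%02x)" % mso)


def is_session_handle(handle: int) -> bool:
    """True for HMAC (0x02) and policy (0x03) session handle ranges."""
    return ((handle >> 24) & 0xFF) in (0x02, 0x03)


def parse_getcap_handles(output: str) -> list:
    """Parse handle lines from tpm2_getcap output (assumed formats: '> 0x..',
    '- 0x..' or a bare hex value); empty output or 'nil' means no handles."""
    handles = []
    for line in output.splitlines():
        token = line.strip().lstrip("->").strip()
        if not token or token == "nil":
            continue
        handles.append(int(token, 16))
    return handles


def audit_sessions(loaded_output: str, saved_output: str) -> dict:
    """Map every session handle seen in either list to its state. 'loaded'
    means the session occupies a TPM session slot right now; 'saved' means
    the TPM only remembers it as a saved context (the tss2 stack keeps the
    blob in a file such as session.dat) until it is loaded again or flushed.
    Loaded slots are scarce, so lingering 'loaded' entries are worth a look."""
    loaded = [h for h in parse_getcap_handles(loaded_output) if is_session_handle(h)]
    saved = [h for h in parse_getcap_handles(saved_output) if is_session_handle(h)]
    states = {}
    for h in saved:
        states[h] = "saved"
    for h in loaded:
        states[h] = "loaded"  # a loaded session takes precedence if listed twice
    return states


if __name__ == "__main__":
    # Constructed sample mirroring the question: after tpm2_policypcr the tool
    # has context-saved the policy session, so only the saved list shows it.
    loaded_sample = ""
    saved_sample = "    > 0x2000000\n"
    cap, prop = getcap_query("handles-loaded-session")
    print("handles-loaded-session -> TPM_CAP_HANDLES=0x%08x property=0x%08x" % (cap, prop))
    for h, state in audit_sessions(loaded_sample, saved_sample).items():
        print("0x%08x %-22s %s" % (h, handle_type(h), state))
    # After tpm2_flushcontext session.dat both lists are empty:
    print(audit_sessions("", "nil"))
```

Pipe real output in by replacing the two sample strings with the stdout of `tpm2_getcap handles-loaded-session` and `tpm2_getcap handles-saved-session`; a session that stays "loaded" after the tool has returned is one that some process never context-saved or flushed, which is the case the answer says would make the loaded list non-empty.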