vpd_get_value does the following:

1) if VPD_IGNORE_CACHE is set, reads through 'vpd -g'. VPD_IGNORE_CACHE is apparently not set in Chrome.

2) if VPD_IGNORE_SYS_CACHE is not set and there exists /sys/firmware/ro, read from there. "/sys/firmware/ro" doesn't exist for link.

3) if /mnt/stateful_partition/unencrypted/cache/vpd/full-v2.txt exists, reads from there. This file does exist, but it doesn't seem to be updated when vpd -s/-d is called, or even at boot time. This is probably the main issue. Not sure what's the expected behavior here.

dump_vpd_log doesn't update /mnt/stateful_partition/unencrypted/cache/vpd/full-v2.txt if that file already exists. Not sure if that's correct.

Re comment #2: yes, that's the correct behavior unless --force is passed to dump_vpd_log.

"VPD_IGNORE_CACHE=1 /usr/sbin/vpd_get_value tpm_firmware_update_params" correctly reads the values through vpd -g.

So, looks like it is expected that VPD data is never changed once cached once. Or at least, the force dump is invoked by whoever changes it.

Either we need to update the vpd2.0.txt by running "dump_vpd_log --force" after making changes, or session_manager should use "vpd -g" directly or ignore the cache by setting VPD_IGNORE_CACHE env var when calling vpd_get_value in SessionManagerImpl::StartTPMFirmwareUpdate. Using 'vpd -g' is probably the easiest approach.

A potential performance hit is not important here since it only happens when the user performs powerwash with the 'Update firmware' flag set.