Discussed while reviewing: https://github.com/OpenXT/xenclient-oe/pull/1100
acmmatch will try to determine which ACM will be loaded on next reboot when forward sealing. Currently it assumes that only one ACM will match, which not guarantied.
Since only one event is emulated based on the ACM content currently, this is unlikely to fail forward-sealing, but this should still be fixed.
Find a machine that matches 2 ACMs (this can be tested using acmmatch and try to match all ACMs in /boot)
Forward seal will likely fail if
The machine matches more than one ACM,
One ACM reports tcg_evlog_capability and not the other.