Actually I have successfully set it up with
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/sda2
so that I don't need to input a long recovery key every time I turn on my computer.
But the question is, I only cleared the TPM before doing that and I didn't set any TPM owner password.
I just wonder what is going on with that: is there some magic so that I don't need to set the TPM's owner password,
or is it just because systemd-cryptenroll set a random TPM owner password and dropped it for security?
Last edited by OIhfes (2024-01-25 15:13:26)
I don't think a TPM owner password is necessary; I didn't set one when I set it up on my new ThinkPad. I also didn't use --tpm2-pcrs when I set it up. The TPM puts its hook in the LUKS2 slot, and the TPM stores what it needs to in its PCRs; you don't need to be that specific with it unless you really know what you're doing.
If the TPM key in the LUKS2 header doesn't match what the TPM has in its PCRs, the TPM will refuse to unlock the LUKS2 container, and you'll have to enter your recovery key. I ran into that problem the first time I upgraded my firmware; PCR 7 held the firmware hash, and because it didn't match the TPM wouldn't unlock.
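The PCR binding the reply above describes, as an added Python simulation that is not code from this thread or from systemd: it reproduces the TPM2_PolicyPCR digest computation for the SHA-256 bank over PCRs 0 and 7, so the same PCR values at enrollment and at unlock give the same policy, a firmware update that changes a measured value breaks it (recovery key needed), and a change to a PCR outside the --tpm2-pcrs selection does not. The boot sequence, firmware blobs and Secure Boot state are constructed inputs, not real measurements.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F   # command code mixed into the policy digest
TPM2_ALG_SHA256 = 0x000B
ZERO32 = b"\x00" * 32            # PCRs and policy sessions start all-zero

def pcr_extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || H(measured data)); values only ever accumulate."""
    return hashlib.sha256(pcr_value + hashlib.sha256(measurement).digest()).digest()

def pcr_selection(pcrs) -> bytes:
    """Marshal a TPML_PCR_SELECTION with one SHA-256 bank and a 3-byte bitmap."""
    bitmap = 0
    for i in pcrs:
        bitmap |= 1 << i
    return struct.pack(">IHB", 1, TPM2_ALG_SHA256, 3) + bitmap.to_bytes(3, "little")

def policy_pcr_digest(pcr_values: dict, pcrs) -> bytes:
    """TPM2_PolicyPCR: H(oldPolicy || CC || selection || H(selected PCRs, ascending))."""
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in sorted(pcrs))).digest()
    return hashlib.sha256(ZERO32 + struct.pack(">I", TPM_CC_POLICY_PCR)
                          + pcr_selection(pcrs) + pcr_digest).digest()

def boot(firmware_blob: bytes, secure_boot_state: bytes, bootloader: bytes) -> dict:
    """Constructed boot: firmware code -> PCR 0, Secure Boot policy -> PCR 7,
    bootloader -> PCR 4. Real firmware measures many more events than this."""
    pcrs = {i: ZERO32 for i in range(8)}
    pcrs[0] = pcr_extend(pcrs[0], firmware_blob)
    pcrs[4] = pcr_extend(pcrs[4], bootloader)
    pcrs[7] = pcr_extend(pcrs[7], secure_boot_state)
    return pcrs

def unlock_would_succeed(enrolled_policy: bytes, current_pcrs: dict, pcrs=(0, 7)) -> bool:
    """The sealed LUKS key is released only if the policy recomputed now matches."""
    return policy_pcr_digest(current_pcrs, pcrs) == enrolled_policy

# Enrollment-time state for --tpm2-pcrs=0+7 (constructed values).
ENROLLED = policy_pcr_digest(boot(b"fw-1.0", b"SecureBoot:db-v1", b"grub-2.12"), (0, 7))

def same_boot() -> bool:        # nothing changed: unlocks without recovery key
    return unlock_would_succeed(ENROLLED, boot(b"fw-1.0", b"SecureBoot:db-v1", b"grub-2.12"))

def after_firmware_update() -> bool:  # firmware and its Secure Boot db changed: refused
    return unlock_would_succeed(ENROLLED, boot(b"fw-1.1", b"SecureBoot:db-v2", b"grub-2.12"))

def after_bootloader_update() -> bool:  # only PCR 4 moved, which 0+7 does not cover
    return unlock_would_succeed(ENROLLED, boot(b"fw-1.0", b"SecureBoot:db-v1", b"grub-2.13"))
```

Re-running systemd-cryptenroll after a firmware update re-seals against the new PCR values; until then the recovery key is the only way in.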