You are not logged in.
This is a follow-up to a now CLOSED topic I started almost two years ago. It was closed by Lone_Wolf because zhihuiuze necro bumped it.
DISCLAIMER: I had a very long conversation with Google Gemini to get to my ultimate fix; below is the problem summary and the solution.
PROBLEM
After a firmware update on my Lenovo ThinkPad X1 Carbon running Arch Linux, a LUKS2-encrypted root volume, which was previously unlocked automatically by the TPM2 chip, began prompting for a passphrase at every boot.
Attempts to re-enroll the TPM using `systemd-cryptenroll` would not result in a working unlock. The process would often show a non-fatal but confusing warning: "Failed to determine keyslot of JSON token 1, skipping: Wrong medium type".
Extensive troubleshooting, including clearing the TPM, wiping LUKS slots, regenerating Secure Boot keys, and testing various PCR policies, did not resolve the issue, suggesting a deep hardware or firmware-level incompatibility.
FIX
The root cause was not a hardware fault, but a stale policy file located at
/var/lib/systemd/pcrlock.json. This file, likely created during a previous firmware update that involved the `systemd-pcrlock` utility, was interfering with subsequent `systemd-cryptenroll` operations.
The solution was to remove the stale policy and perform a clean enrollment:
Remove the Stale Policy File:
sudo rm /var/lib/systemd/pcrlock.jsonWipe the Old TPM Slot:
sudo systemd-cryptenroll --wipe-slot=tpm2 /dev/nvme0n1p2Re-enroll the TPM: A robust PCR policy (
0+7) was used, which is stable across most firmware and kernel updates.
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p2After these steps, the TPM2 chip successfully and automatically unlocked the LUKS2 volume on reboot.
Offline