Hi everyone,
I'm experiencing a persistent issue with sbctl after a failed kernel update, and I need help understanding what went wrong and how to recover my TPM auto-unlock setup.
During a pacman kernel update, the process hung and I forcefully terminated it. After reinstalling the kernel, the automated signing workflow consistently fails with:
failed validating signature: crypto/rsa: verification error
The log at that time was the same as what I get now when running mkinitcpio:
[root@archlinux-laptop ~]# mkinitcpio -P
==> Building image from preset: /etc/mkinitcpio.d/linux-g14.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux-g14 -U /boot/EFI/Linux/arch-linux-g14.efi
==> Starting build: '6.16.8-arch3-1.1-g14'
-> Running build hook: [base]
-> Running build hook: [systemd]
-> Running build hook: [autodetect]
-> Running build hook: [modconf]
-> Running build hook: [block]
-> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_6xxx'
-> Running build hook: [lvm2]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
-> Running build hook: [sd-vconsole]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image
-> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Creating unified kernel image: '/boot/EFI/Linux/arch-linux-g14.efi'
-> Using ukify to build UKI
-> Using cmdline file: '/etc/kernel/cmdline'
Using config file: /etc/kernel/uki.conf
+ /usr/lib/systemd/systemd-sbsign sign --private-key /var/lib/sbctl/keys/db/db.key --certificate /var/lib/sbctl/keys/db/db.pem /boot/vmlinuz-linux-g14 --output /tmp/linux-signedbxju6xsr
Wrote signed PE binary to /tmp/linux-signedbxju6xsr
+ /usr/lib/systemd/systemd-measure sign --osrel=/tmp/mkinitcpio.V6Zcat --cmdline=/tmp/mkinitcpio.YMElvl --uname=/tmp/tmp.unamezkewcka2 --pcrpkey=/etc/tpm/pcr_policy_public.key --linux=/tmp/linux-signedbxju6xsr --initrd=/tmp/mkinitcpio.zlg3HX --sbat=/tmp/tmp.sbatsqpgssju --bank=sha256 --private-key=/etc/tpm/pcr_policy_private.key --public-key=/etc/tpm/pcr_policy_public.key --phase=enter-initrd
+ /usr/lib/systemd/systemd-sbsign sign --private-key /var/lib/sbctl/keys/db/db.key --certificate /var/lib/sbctl/keys/db/db.pem /tmp/uki_srudkz9 --output /boot/EFI/Linux/arch-linux-g14.efi
Wrote signed PE binary to /boot/EFI/Linux/arch-linux-g14.efi
Wrote signed /boot/EFI/Linux/arch-linux-g14.efi
==> Unified kernel image generation successful
==> Running post hooks
-> Running post hook: [sbctl]
Signing /boot/EFI/Linux/arch-linux-g14.efi
failed validating signature: crypto/rsa: verification error
==> ERROR: '/usr/lib/initcpio/post/sbctl' failed with exit code 1
==> Building image from preset: /etc/mkinitcpio.d/linux-g14.preset: 'fallback'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux-g14 -U /boot/EFI/Linux/arch-linux-g14-fallback.efi -S autodetect
==> Starting build: '6.16.8-arch3-1.1-g14'
-> Running build hook: [base]
-> Running build hook: [systemd]
-> Running build hook: [modconf]
-> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: 'bfa'
==> WARNING: Possibly missing firmware for module: 'aic94xx'
==> WARNING: Possibly missing firmware for module: 'qla2xxx'
==> WARNING: Possibly missing firmware for module: 'qla1280'
==> WARNING: Possibly missing firmware for module: 'wd719x'
==> WARNING: Possibly missing firmware for module: 'qed'
==> WARNING: Possibly missing firmware for module: 'xhci_pci_renesas'
-> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_6xxx'
-> Running build hook: [lvm2]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
-> Running build hook: [sd-vconsole]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image
-> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Creating unified kernel image: '/boot/EFI/Linux/arch-linux-g14-fallback.efi'
-> Using ukify to build UKI
-> Using cmdline file: '/etc/kernel/cmdline'
Using config file: /etc/kernel/uki.conf
+ /usr/lib/systemd/systemd-sbsign sign --private-key /var/lib/sbctl/keys/db/db.key --certificate /var/lib/sbctl/keys/db/db.pem /boot/vmlinuz-linux-g14 --output /tmp/linux-signedjlr5kn8c
Wrote signed PE binary to /tmp/linux-signedjlr5kn8c
+ /usr/lib/systemd/systemd-measure sign --osrel=/tmp/mkinitcpio.vbMdxp --cmdline=/tmp/mkinitcpio.ww8qd9 --uname=/tmp/tmp.unamex20qtj3t --pcrpkey=/etc/tpm/pcr_policy_public.key --linux=/tmp/linux-signedjlr5kn8c --initrd=/tmp/mkinitcpio.7XosYu --sbat=/tmp/tmp.sbatt_0j0q7x --bank=sha256 --private-key=/etc/tpm/pcr_policy_private.key --public-key=/etc/tpm/pcr_policy_public.key --phase=enter-initrd
+ /usr/lib/systemd/systemd-sbsign sign --private-key /var/lib/sbctl/keys/db/db.key --certificate /var/lib/sbctl/keys/db/db.pem /tmp/ukir_relaas --output /boot/EFI/Linux/arch-linux-g14-fallback.efi
Wrote signed PE binary to /boot/EFI/Linux/arch-linux-g14-fallback.efi
Wrote signed /boot/EFI/Linux/arch-linux-g14-fallback.efi
==> Unified kernel image generation successful
==> Running post hooks
-> Running post hook: [sbctl]
Signing /boot/EFI/Linux/arch-linux-g14-fallback.efi
failed validating signature: crypto/rsa: verification error
==> ERROR: '/usr/lib/initcpio/post/sbctl' failed with exit code 1
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux -g /boot/initramfs-linux.img
==> Starting build: '6.16.8-arch3-1'
-> Running build hook: [base]
-> Running build hook: [systemd]
-> Running build hook: [autodetect]
-> Running build hook: [modconf]
-> Running build hook: [block]
-> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_6xxx'
-> Running build hook: [lvm2]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
-> Running build hook: [sd-vconsole]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux.img'
-> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Running post hooks
-> Running post hook: [sbctl]
Signing /boot/vmlinuz-linux
File has already been signed /boot/vmlinuz-linux
==> Post processing done
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: '6.16.8-arch3-1'
-> Running build hook: [base]
-> Running build hook: [systemd]
-> Running build hook: [modconf]
-> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: 'aic94xx'
==> WARNING: Possibly missing firmware for module: 'qla2xxx'
==> WARNING: Possibly missing firmware for module: 'bfa'
==> WARNING: Possibly missing firmware for module: 'wd719x'
==> WARNING: Possibly missing firmware for module: 'qed'
==> WARNING: Possibly missing firmware for module: 'qla1280'
==> WARNING: Possibly missing firmware for module: 'xhci_pci_renesas'
-> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_6xxx'
-> Running build hook: [lvm2]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
-> Running build hook: [sd-vconsole]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-fallback.img'
-> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Running post hooks
-> Running post hook: [sbctl]
Signing /boot/vmlinuz-linux
File has already been signed /boot/vmlinuz-linux
==> Post processing done
==> Building image from preset: /etc/mkinitcpio.d/linux-zen.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux-zen -U /boot/EFI/Linux/arch-linux-zen.efi
==> Starting build: '6.16.8-zen3-1-zen'
-> Running build hook: [base]
-> Running build hook: [systemd]
-> Running build hook: [autodetect]
-> Running build hook: [modconf]
-> Running build hook: [block]
-> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_6xxx'
-> Running build hook: [lvm2]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
-> Running build hook: [sd-vconsole]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image
-> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Creating unified kernel image: '/boot/EFI/Linux/arch-linux-zen.efi'
-> Using ukify to build UKI
-> Using cmdline file: '/etc/kernel/cmdline'
Using config file: /etc/kernel/uki.conf
+ /usr/lib/systemd/systemd-sbsign sign --private-key /var/lib/sbctl/keys/db/db.key --certificate /var/lib/sbctl/keys/db/db.pem /boot/vmlinuz-linux-zen --output /tmp/linux-signedpw3pu8ck
Wrote signed PE binary to /tmp/linux-signedpw3pu8ck
+ /usr/lib/systemd/systemd-measure sign --osrel=/tmp/mkinitcpio.WoVxOR --cmdline=/tmp/mkinitcpio.eSIq2K --uname=/tmp/tmp.unamex0ng4hzr --pcrpkey=/etc/tpm/pcr_policy_public.key --linux=/tmp/linux-signedpw3pu8ck --initrd=/tmp/mkinitcpio.eElsBY --sbat=/tmp/tmp.sbatwtradz7_ --bank=sha256 --private-key=/etc/tpm/pcr_policy_private.key --public-key=/etc/tpm/pcr_policy_public.key --phase=enter-initrd
+ /usr/lib/systemd/systemd-sbsign sign --private-key /var/lib/sbctl/keys/db/db.key --certificate /var/lib/sbctl/keys/db/db.pem /tmp/uki7389d04e --output /boot/EFI/Linux/arch-linux-zen.efi
Wrote signed PE binary to /boot/EFI/Linux/arch-linux-zen.efi
Wrote signed /boot/EFI/Linux/arch-linux-zen.efi
==> Unified kernel image generation successful
==> Running post hooks
-> Running post hook: [sbctl]
Signing /boot/EFI/Linux/arch-linux-zen.efi
failed validating signature: crypto/rsa: verification error
==> ERROR: '/usr/lib/initcpio/post/sbctl' failed with exit code 1
==> Building image from preset: /etc/mkinitcpio.d/linux-zen.preset: 'fallback'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux-zen -U /boot/EFI/Linux/arch-linux-zen-fallback.efi -S autodetect
==> Starting build: '6.16.8-zen3-1-zen'
-> Running build hook: [base]
-> Running build hook: [systemd]
-> Running build hook: [modconf]
-> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: 'qla2xxx'
==> WARNING: Possibly missing firmware for module: 'qed'
==> WARNING: Possibly missing firmware for module: 'wd719x'
==> WARNING: Possibly missing firmware for module: 'bfa'
==> WARNING: Possibly missing firmware for module: 'aic94xx'
==> WARNING: Possibly missing firmware for module: 'qla1280'
==> WARNING: Possibly missing firmware for module: 'xhci_pci_renesas'
-> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_6xxx'
-> Running build hook: [lvm2]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
-> Running build hook: [sd-vconsole]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image
-> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Creating unified kernel image: '/boot/EFI/Linux/arch-linux-zen-fallback.efi'
-> Using ukify to build UKI
-> Using cmdline file: '/etc/kernel/cmdline'
Using config file: /etc/kernel/uki.conf
+ /usr/lib/systemd/systemd-sbsign sign --private-key /var/lib/sbctl/keys/db/db.key --certificate /var/lib/sbctl/keys/db/db.pem /boot/vmlinuz-linux-zen --output /tmp/linux-signedcbplcpqg
Wrote signed PE binary to /tmp/linux-signedcbplcpqg
+ /usr/lib/systemd/systemd-measure sign --osrel=/tmp/mkinitcpio.0xgk0B --cmdline=/tmp/mkinitcpio.zuBFqa --uname=/tmp/tmp.unameoljir1k2 --pcrpkey=/etc/tpm/pcr_policy_public.key --linux=/tmp/linux-signedcbplcpqg --initrd=/tmp/mkinitcpio.s09a7j --sbat=/tmp/tmp.sbat4qxm3xrf --bank=sha256 --private-key=/etc/tpm/pcr_policy_private.key --public-key=/etc/tpm/pcr_policy_public.key --phase=enter-initrd
+ /usr/lib/systemd/systemd-sbsign sign --private-key /var/lib/sbctl/keys/db/db.key --certificate /var/lib/sbctl/keys/db/db.pem /tmp/ukimad1wtbv --output /boot/EFI/Linux/arch-linux-zen-fallback.efi
Wrote signed PE binary to /boot/EFI/Linux/arch-linux-zen-fallback.efi
Wrote signed /boot/EFI/Linux/arch-linux-zen-fallback.efi
==> Unified kernel image generation successful
==> Running post hooks
-> Running post hook: [sbctl]
Signing /boot/EFI/Linux/arch-linux-zen-fallback.efi
failed validating signature: crypto/rsa: verification error
==> ERROR: '/usr/lib/initcpio/post/sbctl' failed with exit code 1
Despite this error, TPM auto-unlock with PIN still works perfectly after reboot (using PCR 7+11 policy). This suggests Secure Boot is actually functioning correctly, right?
But I want to understand why this happened, because I tried deleting the built kernel files and rebuilding them. Then I re-signed with sbctl and got the same error, so I attempted to reset Secure Boot. As a result, both TPM and Secure Boot stopped working.
What I've tried:
1. Deleted kernel files and rebuilt with mkinitcpio -P - same error persists
2. Suspected the interrupted update corrupted sbctl's keys, so I cleared Platform Keys (PK) and other settings in BIOS Secure Boot menu (I may have accidentally cleared TPM keys too?)
3. Regenerated keys with:
sbctl create-keys
sbctl enroll-keys --microsoft
sbctl sign-all
Still getting the same signature verification error
Environment
[root@archlinux-laptop ~]# sbctl status
Installed: ✓ sbctl is installed
Owner GUID: 0470fa84-7514-4b14-8e22-089b34b206a4
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
[root@archlinux-laptop ~]#
[UKI]
SecureBootSigningTool=systemd-sbsign
SignKernel=true
SecureBootPrivateKey=/var/lib/sbctl/keys/db/db.key
SecureBootCertificate=/var/lib/sbctl/keys/db/db.pem
PCRBanks=sha256
PCRPKey=/etc/tpm/pcr_policy_public.key
[PCRSignature:initrd]
PCRPrivateKey=/etc/tpm/pcr_policy_private.key
PCRPublicKey=/etc/tpm/pcr_policy_public.key
Phases=enter-initrd
[root@archlinux-laptop mkinitcpio.d]# ls
linux-g14.preset linux.preset linux-zen.preset
[root@archlinux-laptop mkinitcpio.d]# cat linux-g14.preset
# mkinitcpio preset file for the 'linux-g14' package
#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux-g14"
PRESETS=('default' 'fallback')
#default_config="/etc/mkinitcpio.conf"
#default_image="/boot/initramfs-linux-g14.img"
default_uki="/boot/EFI/Linux/arch-linux-g14.efi"
#default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"
#fallback_config="/etc/mkinitcpio.conf"
#fallback_image="/boot/initramfs-linux-g14-fallback.img"
fallback_uki="/boot/EFI/Linux/arch-linux-g14-fallback.efi"
fallback_options="-S autodetect"
[root@archlinux-laptop mkinitcpio.d]# cat linux.preset
# mkinitcpio preset file for the 'linux' package
#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux"
PRESETS=('default' 'fallback')
#default_config="/etc/mkinitcpio.conf"
default_image="/boot/initramfs-linux.img"
#default_uki="/efi/EFI/Linux/arch-linux.efi"
#default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"
#fallback_config="/etc/mkinitcpio.conf"
fallback_image="/boot/initramfs-linux-fallback.img"
#fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi"
fallback_options="-S autodetect"
[root@archlinux-laptop mkinitcpio.d]# cat linux-zen.preset
# mkinitcpio preset file for the 'linux-zen' package
#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux-zen"
PRESETS=('default' 'fallback')
#default_config="/etc/mkinitcpio.conf"
#default_image="/boot/initramfs-linux-zen.img"
default_uki="/boot/EFI/Linux/arch-linux-zen.efi"
#default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"
#fallback_config="/etc/mkinitcpio.conf"
#fallback_image="/boot/initramfs-linux-zen-fallback.img"
fallback_uki="/boot/EFI/Linux/arch-linux-zen-fallback.efi"
fallback_options="-S autodetect"
[root@archlinux-laptop mkinitcpio.d]#
Any insights would be greatly appreciated!
Edit:
# Configuration for encrypted block devices.
# See crypttab(5) for details.
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
# <name> <device> <password> <options>
# home UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37 /etc/mypassword1
# data1 /dev/sda3 /etc/mypassword2
# data2 /dev/sda5 /etc/cryptfs.key
# swap /dev/sdx4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
# vol /dev/sdb7 none
archlinux-laptop% sudo cryptsetup luksDump /dev/nvme0n1p2
LUKS header information
Version: 2
Epoch: 74
Metadata area: 16384 [bytes]
Keyslots area: 16744448 [bytes]
UUID: 1101ff97-2720-4676-8561-8693ca7ae6da
Label: (no label)
Subsystem: (no subsystem)
Flags: (no flags)
Data segments:
0: crypt
offset: 16777216 [bytes]
length: (whole device)
cipher: aes-xts-plain64
sector: 512 [bytes]
Keyslots:
0: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 12
Memory: 1048576
Threads: 4
Salt: 93 bc e1 4f 8e e6 91 64 ca 65 c2 32 d3 bb bc 39
95 64 b9 dd bf 35 4b 1c 8f e7 a1 70 06 b9 68 e4
AF stripes: 4000
AF hash: sha256
Area offset:32768 [bytes]
Area length:258048 [bytes]
Digest ID: 0
1: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: pbkdf2
Hash: sha512
Iterations: 1000
Salt: 70 fe 4a c5 36 67 14 0f 6d 80 32 6c 44 78 de d7
e3 31 62 9c e8 fe b8 6e 04 71 7d 40 bd 8c cb d1
AF stripes: 4000
AF hash: sha512
Area offset:290816 [bytes]
Area length:258048 [bytes]
Digest ID: 0
7: luks2
Key: 512 bits
Priority: normal
Cipher: aes-xts-plain64
Cipher key: 512 bits
PBKDF: argon2id
Time cost: 12
Memory: 1048576
Threads: 4
Salt: 94 23 6d de 73 01 a0 00 f1 7f 3c 46 d2 da dd cb
12 4f 29 e8 4a 66 33 71 d2 29 8a 7b f5 b9 d2 87
AF stripes: 4000
AF hash: sha256
Area offset:806912 [bytes]
Area length:258048 [bytes]
Digest ID: 0
Tokens:
0: systemd-tpm2
tpm2-hash-pcrs: 7
tpm2-pcr-bank: sha256
tpm2-pubkey:
tpm2-pubkey-pcrs: 11
tpm2-primary-alg: ecc
tpm2-pin: true
tpm2-pcrlock: false
tpm2-salt: true
tpm2-srk: true
tpm2-pcrlock-nv: false
tpm2-policy-hash:
c6 f2 d3 ef 2c 33 fb 8e d6 fe bb 4b 63 7d 87 50
4a e6 d5 02 f6 e2 4b 28 86 6d 43 76 31 46 58 ff
tpm2-blob:
Keyslot: 1
Digests:
0: pbkdf2
Hash: sha256
Iterations: 694421
Salt: 3c c7 ba 9d 69 81 fe 4b 40 b6 cf bc d9 c5 4b 56
73 af 7f 70 7f 4e 3e 36 64 6c 0a ba 29 72 ed fb
Digest: 61 1e 10 bb 3b bf 18 76 ff 0b 17 b5 47 0b 94 65
6c 6e 0b 41 b5 d0 7e a4 54 e3 a9 ba d2 95 97 9a
archlinux-laptop%
After re-enabling Secure Boot, everything functions normally, but I still get failed validating signature: crypto/rsa: verification error when signing the kernel - the same issue as before. However, since PCR 7+11 validates the Secure Boot state, could this be a false positive from sbctl?
Last edited by zhihuiyuze (2025-10-02 14:54:27)
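A triage aid for the log above, added here as an example and not part of the original post: it groups mkinitcpio output by preset and records whether systemd-sbsign had already written the image that the sbctl post hook then tried to sign, together with what the hook reported. The sample log is constructed from the line shapes in the post, and the names `parse`, `classify`, `summarize` and `PresetRun` are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two presets condensed from the line shapes in the post's log.
SAMPLE_LOG = """\
==> Building image from preset: /etc/mkinitcpio.d/linux-g14.preset: 'default'
+ /usr/lib/systemd/systemd-sbsign sign --private-key /var/lib/sbctl/keys/db/db.key --certificate /var/lib/sbctl/keys/db/db.pem /tmp/ukiEXAMPLE --output /boot/EFI/Linux/arch-linux-g14.efi
Wrote signed PE binary to /boot/EFI/Linux/arch-linux-g14.efi
Wrote signed /boot/EFI/Linux/arch-linux-g14.efi
  -> Running post hook: [sbctl]
Signing /boot/EFI/Linux/arch-linux-g14.efi
failed validating signature: crypto/rsa: verification error
==> ERROR: '/usr/lib/initcpio/post/sbctl' failed with exit code 1
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> Running post hook: [sbctl]
Signing /boot/vmlinuz-linux
File has already been signed /boot/vmlinuz-linux
==> Post processing done
"""

PRESET = re.compile(r"^==> Building image from preset: (\S+): '([^']+)'")
SBSIGN_OUT = re.compile(r"^Wrote signed PE binary to (\S+)")
HOOK = re.compile(r"Running post hook: \[sbctl\]")
SIGNING = re.compile(r"^Signing (\S+)")

@dataclass
class PresetRun:
    preset: str
    sbsign_outputs: set = field(default_factory=set)  # files written by systemd-sbsign
    hook_target: str = ""                             # file the sbctl hook tried to sign
    hook_result: str = "unknown"                      # stays "unknown" if the log is cut short

def classify(line):
    """Map the line that follows 'Signing <file>' to a short result label."""
    if line.startswith("failed validating signature"):
        return "verification-error"
    if line.startswith("File has already been signed"):
        return "already-signed"
    return "other"

def parse(log):
    runs, cur, in_hook, expect_result = [], None, False, False
    for raw in log.splitlines():
        line = raw.strip()
        m = PRESET.match(line)
        if m:  # a new preset starts: reset per-preset state
            cur = PresetRun(f"{m.group(1).rsplit('/', 1)[-1]}:{m.group(2)}")
            runs.append(cur)
            in_hook = expect_result = False
        elif cur is None:
            continue
        elif expect_result:
            cur.hook_result, expect_result = classify(line), False
        elif (m := SBSIGN_OUT.match(line)):
            cur.sbsign_outputs.add(m.group(1))
        elif HOOK.search(line):
            in_hook = True
        elif in_hook and (m := SIGNING.match(line)):
            cur.hook_target, expect_result = m.group(1), True
    return runs

def summarize(runs):
    """(preset, was the hook target already written by systemd-sbsign?, hook result)"""
    return [(r.preset, r.hook_target in r.sbsign_outputs, r.hook_result) for r in runs]

if __name__ == "__main__":
    for row in summarize(parse(SAMPLE_LOG)):
        print(row)
```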