Following instructions on the wiki, and instructions and suggestions on systemd-cryptenroll's man page, I have used the following command to enroll TPM2 into both of my LUKS devices:
systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=/dev/tpmrm0 --tpm2-pcrs=1+7+11+14+15:sha256=0000000000000000000000000000000000000000000000000000000000000000 --tpm2-with-pin=yes /dev/sdX
And, also following a few instructions and suggestions on crypttab's man page, I have also added
tpm2-measure-pcr=yes
to both devices' sections in my crypttab.initramfs file.
However, after typing my TPM2 PIN, I was once again prompted for my passphrase; now the prompt specifies that it is for my second drive, as opposed to just asking for the "TPM2 pin".
Removing
tpm2-measure-pcr=yes
from crypttab does seem to fix this, and simply asks for the second drive's password (instead of first asking for the TPM2 PIN), and it does unlock both drives.
I have tried only using
tpm2-measure-pcr=yes
and the 15:sha256 PCR for the first drive, but this just makes my system ask for the password thrice.
I suspect that this is expected behaviour, as the second drive wouldn't have knowledge of the TPM2 PIN. If that is the case, how could I make it so both are unlocked at once?
Fixed? Removing PCR value 11 from my command seems to have fixed this; now I am only prompted for the TPM2 PIN, then nothing more. Perhaps this is because I just use an EFISTUB set with efibootmgr instead of something related to bootctl?
Last edited by nvann (2025-10-21 23:55:48)
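Added illustration, not part of nvann's post and not systemd code: a small Python model of why a second volume bound to 15:sha256=0000... stops matching once the first volume has been unlocked with tpm2-measure-pcr=yes. It reproduces only the TPM2 extend rule (new PCR value = SHA-256(old value || SHA-256(measured data))) and the all-or-nothing PCR policy check that a TPM2 slot relies on. The bytes it extends into PCR 15, the firmware values it puts in PCRs 1 and 7, and the volume names "root" and "home" are constructed stand-ins, not the real measurements systemd-cryptsetup makes, so the "fixed" PCR 15 value it predicts is only valid inside the model; PCRs 11 and 14 from the post's command are parsed but not simulated.

```python
"""Model of tpm2-measure-pcr=yes versus a fixed PCR 15 binding.

Constructed example (not systemd code). Only the TPM2 PCR extend rule and
the PolicyPCR-style check are real; every measured byte string is a stand-in.
"""
import hashlib
from typing import Optional

SHA256_ZERO = "00" * 32  # every PCR starts at zero in a fresh boot


def parse_pcr_spec(spec: str) -> dict[int, Optional[str]]:
    """Parse a systemd-cryptenroll --tpm2-pcrs= value such as
    "1+7+15:sha256=00..00" -> {1: None, 7: None, 15: "00..00"}.
    None = bind to the PCR's value at enrollment time; hex = bind to that value."""
    bound: dict[int, Optional[str]] = {}
    for item in spec.split("+"):
        if ":" in item:
            index, alg_value = item.split(":", 1)
            alg, value = alg_value.split("=", 1)
            if alg != "sha256" or len(value) != 64:
                raise ValueError(f"only sha256=<64 hex chars> is modelled: {item}")
            bound[int(index)] = value.lower()
        else:
            bound[int(item)] = None
    return bound


class PcrBank:
    """Minimal SHA-256 PCR bank with TPM2 extend semantics."""

    def __init__(self) -> None:
        self.pcrs = {i: SHA256_ZERO for i in range(24)}

    def extend(self, index: int, data: bytes) -> str:
        digest = hashlib.sha256(data).digest()
        old = bytes.fromhex(self.pcrs[index])
        self.pcrs[index] = hashlib.sha256(old + digest).hexdigest()
        return self.pcrs[index]


def enroll(bank: PcrBank, spec: str) -> dict[int, str]:
    """Freeze the PCR values the slot's policy will require at unlock time."""
    return {i: (v if v is not None else bank.pcrs[i])
            for i, v in parse_pcr_spec(spec).items()}


def policy_matches(bank: PcrBank, expected: dict[int, str]) -> bool:
    """Every bound PCR must equal its expected value, otherwise the TPM
    refuses to release the key and systemd falls back to the passphrase."""
    return all(bank.pcrs[i] == v for i, v in expected.items())


def booted_bank() -> PcrBank:
    """Bank right after firmware hand-off; PCR 1/7 contents are constructed."""
    bank = PcrBank()
    bank.extend(1, b"constructed firmware configuration measurement")
    bank.extend(7, b"constructed secure boot policy measurement")
    return bank


def measure_volume(bank: PcrBank, name: str) -> str:
    """Stand-in for what systemd-cryptsetup extends into PCR 15 after unlock."""
    return bank.extend(15, b"stand-in volume measurement for " + name.encode())


def simulate_boot(enrollments: list[tuple[str, dict[int, str]]],
                  measure_pcr: bool) -> list[bool]:
    """Unlock volumes in crypttab order; return whether each TPM2 slot matched."""
    bank = booted_bank()
    results = []
    for name, expected in enrollments:
        ok = policy_matches(bank, expected)
        results.append(ok)
        if ok and measure_pcr:  # tpm2-measure-pcr=yes: extend PCR 15 on success
            measure_volume(bank, name)
    return results


def expected_pcr15_after(volume_names: list[str]) -> str:
    """Predict PCR 15 once the listed volumes have been measured, in order."""
    bank = PcrBank()
    for name in volume_names:
        measure_volume(bank, name)
    return bank.pcrs[15]


def scenario(spec_root: str, spec_home: str, measure_pcr: bool) -> list[bool]:
    """Enroll both volumes from a running system, then replay a boot."""
    at_enrollment = booted_bank()
    enrollments = [("root", enroll(at_enrollment, spec_root)),
                   ("home", enroll(at_enrollment, spec_home))]
    return simulate_boot(enrollments, measure_pcr)


ZERO_BOUND = "1+7+15:sha256=" + SHA256_ZERO

if __name__ == "__main__":
    print("measure-pcr=yes, both bound to PCR15=0:", scenario(ZERO_BOUND, ZERO_BOUND, True))
    print("measure-pcr unset:", scenario(ZERO_BOUND, ZERO_BOUND, False))
    fixed = "1+7+15:sha256=" + expected_pcr15_after(["root"])
    print("home bound to PCR15 as it is after root:", scenario(ZERO_BOUND, fixed, True))
```

The first scenario reproduces the symptom in the post: the root slot matches, PCR 15 is extended, and the home slot (still bound to all zeros) fails, so the prompt for the second drive's passphrase appears. Dropping the measurement makes both slots match, and so does binding the second volume to the PCR 15 value that exists after the first volume has been measured; on a real system that value has to be read from the TPM after the first unlock, since the measured data is not the stand-in string used here.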