You are not logged in.

Pages: 1

#1 2025-02-03 21:22:59

retractant0916
Member
Registered: 2024-09-17
Posts: 6

TPM2.0 asks for recovery key at boot after enrolling PCR11 public key

Good evening,

After I enroll my TPM 2.0 (Intel PTT with sha1 banks only) by running this command:

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-public-key /etc/kernel/pcr-initrd.pub.pem /dev/nvme0n1p2

It asks for recovery key, even though it should just unlock my LUKS volume.
/etc/kernel/pcr-initrd.pub.pem is generated by systemd-ukify using this command:

sudo ukify genkey --config /etc/kernel/uki.conf

Here is the /etc/kernel/uki.conf:

[UKI]
OSRelease=@/etc/os-release
PCRBanks=sha1

[PCRSignature:initrd]
Phases=enter-initrd
PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem

Any idea on how I could enroll my PCR11 public key signature, so I can achieve fully verified boot? Thank you!

Edit: attaching what happens during enter-initrd phase, with systemd.log_level=debug kernel parameter:

Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Starting policy session.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Building sealing policy.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Reading PCR selection: [sha1(7+11)]
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Read PCR selection: [sha1(7+11)]
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: PCR value: 7:sha1=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: PCR value: 11:sha1=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Adding PCR signature policy.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Loading external key into TPM.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Object name: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Submitting PCR hash policy.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Acquiring policy digest.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Session policy digest: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Failed to validate signature in TPM: tpm:parameter(2):the signature is not valid
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Failed to unseal secret using TPM2: State not recoverable
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: systemd-tpm2 open failed: State not recoverable.

Last edited by retractant0916 (2025-02-04 22:20:14)

Offline

Pages: 1

Board footer

Powered by FluxBB