
#1 2025-10-21 03:22:02

UrbenLegend
Member
Registered: 2021-03-26
Posts: 33

How do I properly use PCR 15 for full disk encryption?

I have Secure Boot, UKIs, and LUKS full disk encryption all properly working. I currently bind to PCR 7 when I enroll the TPM, however the Arch wiki now warns that PCR 15 should also be used. I tried and could not for the life of me get it to automatically unlock. Here's what I did:

1. Added `rd.luks.options=tpm2-measure-pcr=yes` to my kernel commandline, so the full commandline is:

rd.luks.name=<UUID>=root rd.luks.options=tpm2-measure-pcr=yes root=/dev/mapper/root rw rootflags=subvol=@ quiet splash

2. I then rebuilt the UKI and rebooted. Oddly enough it asked for my recovery key even though I didn't re-enroll the TPM yet.

3. Then I re-ran cryptenroll like the Arch wiki recommends:

sudo systemd-cryptenroll /dev/<device partition> --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7+15:sha256=0000000000000000000000000000000000000000000000000000000000000000

I rebooted again, and it still asked for my recovery key. What am I doing wrong here?

Offline

#2 2025-10-21 23:52:09

nvann
Member
Registered: 2024-04-04
Posts: 11

Re: How do I properly use PCR 15 for full disk encryption?

I had this problem too, have you done this step, as per the wiki?

If you set any rd.luks kernel parameters or use /etc/crypttab.initramfs, additionally add the tpm2-measure-pcr=yes option to rd.luks.options= or the fourth field in /etc/crypttab.initramfs

Last edited by nvann (2025-10-21 23:52:36)

Offline

#3 2025-10-22 00:37:36

UrbenLegend
Member
Registered: 2021-03-26
Posts: 33

Re: How do I properly use PCR 15 for full disk encryption?

Yes, I did mention in point number 1 of my post that I added `rd.luks.options=tpm2-measure-pcr=yes`. I do not have any other drives besides my root drive so I did not add anything into my crypttab. I also don't have a crypttab.initramfs file at all.

Offline

#4 Yesterday 09:47:57

d.ALT
Member
Registered: 2019-05-10
Posts: 958

Re: How do I properly use PCR 15 for full disk encryption?

UrbenLegend wrote:

... Arch wiki now warns that PCR 15 should also be used. I tried and could not for the life of me get it to automatically unlock.
...
What am I doing wrong here?

You cannot.
There's no unattended boot with TPM 2.0 with PCR15: auto-unlocking cannot be performed.
Seems no-one online knows this and everyone is NOT aware (or doesn't care at all) of PCR15 limitations.
Fortunately, I found someone (The Only One ...) who explains how PCR15 works: https://en.opensuse.org/Portal:MicroOS/FDE#PCR_#15
Oddly enough, nobody cares about PCR15
Here's the catch:

This extension is happening after the device is open (and the TPM2 policy is applied), because the volume key can only be retrieved using the password associated from one of the keyslots. This means that the PCR #15 cannot participate in the TPM2 policy.


This is also very important to understand: NO Kernel Commandline Parameters involved at all!

systemd-cryptsetup can extend PCR #15 with the device volume key if tpm2-measure-pcr=yes is present in the device options in /etc/crypttab.


<49,17,III,I>    Fama di loro il mondo esser non lassa;
<50,17,III,I>    misericordia e giustizia li sdegna:
<51,17,III,I>    non ragioniam di lor, ma guarda e passa.

Offline
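To make the sequence in the quoted openSUSE text concrete, here is an added example that is not part of the thread or of any systemd or openSUSE code. It models a SHA-256 PCR bank, the TPM2 extend operation (new = H(old || digest)), and a simplified PCR-bound policy (a hash over the selected PCR values rather than the real TPM2_PolicyPCR digest chain). The "secure boot state" measurement and the volume key are constructed sample values. It shows why a policy enrolled against PCR 15 = 0000... can only be satisfied before systemd-cryptsetup measures the volume key into PCR 15, and not afterwards.

```python
import hashlib

ZERO_PCR = b"\x00" * 32  # initial value of a SHA-256 PCR after reset


def measure(data: bytes) -> bytes:
    """Digest of the measured data (what gets fed to TPM2_PCR_Extend)."""
    return hashlib.sha256(data).digest()


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for a SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(current + digest).digest()


def bind_policy(pcrs: dict[int, bytes], selection: list[int]) -> bytes:
    """Simplified PCR policy: hash of the selected PCR values, in index order.
    (Real TPM2_PolicyPCR chains this into a policy digest; the binding
    semantics are the same: every selected PCR must match exactly.)"""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(idx.to_bytes(1, "big") + pcrs[idx])
    return h.digest()


def policy_satisfied(policy: bytes, pcrs: dict[int, bytes], selection: list[int]) -> bool:
    """The TPM will only release the sealed key if the live PCRs match."""
    return bind_policy(pcrs, selection) == policy


def simulate_boot() -> dict:
    """Walk through one boot with tpm2-measure-pcr=yes on the root volume."""
    # Constructed sample measurement for PCR 7 (Secure Boot state).
    pcrs = {7: pcr_extend(ZERO_PCR, measure(b"constructed secure boot state")), 15: ZERO_PCR}

    # Enrollment as in the thread: --tpm2-pcrs=7+15:sha256=0000...0000
    selection = [7, 15]
    policy = bind_policy({7: pcrs[7], 15: ZERO_PCR}, selection)

    # systemd-cryptsetup opens the root volume: the policy is evaluated now,
    # while PCR 15 is still all zeros.
    unlock_before = policy_satisfied(policy, pcrs, selection)

    # Only after the volume is open does systemd-cryptsetup extend PCR 15
    # with the volume key measurement (constructed sample key below).
    volume_key = b"constructed 32-byte volume key.."
    pcrs[15] = pcr_extend(pcrs[15], measure(volume_key))

    # Any later attempt to satisfy the same policy now fails: PCR 15 has moved.
    unlock_after = policy_satisfied(policy, pcrs, selection)

    return {
        "unlock_before_measure": unlock_before,
        "unlock_after_measure": unlock_after,
        "pcr15_after": pcrs[15].hex(),
    }


if __name__ == "__main__":
    for k, v in simulate_boot().items():
        print(f"{k}: {v}")
```

On a real system the same fact can be checked after boot with `systemd-analyze pcrs 15` or `tpm2_pcrread sha256:15`: once the root volume has been opened with tpm2-measure-pcr=yes, PCR 15 is no longer all zeros, so the enrolled policy is only ever satisfiable during the initramfs unlock, before that measurement happens. Because extend is order-dependent and one-way, the value cannot be reset back to zero without a reboot.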

#5 Yesterday 11:12:20

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,885

Re: How do I properly use PCR 15 for full disk encryption?

You did notice this thread is 5+ months old?
Did you consider adding that info to the relevant wiki page?

Moderator Note
Closing this old thread.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough?
Try clean chroot manager by graysky

Offline
