I have Secure Boot, UKIs, and LUKS full disk encryption all properly working. I currently bind to PCR 7 when I enroll the TPM, however the Arch wiki now warns that PCR 15 should also be used. I tried and could not for the life of me get it to automatically unlock. Here's what I did:
1. Added `rd.luks.options=tpm2-measure-pcr=yes` to my kernel command line, so the full command line is:

```
rd.luks.name=<UUID>=root rd.luks.options=tpm2-measure-pcr=yes root=/dev/mapper/root rw rootflags=subvol=@ quiet splash
```

2. I then rebuilt the UKI and rebooted. Oddly enough it asked for my recovery key even though I didn't re-enroll the TPM yet.
3. Then I re-ran cryptenroll like the Arch wiki recommends:

```
sudo systemd-cryptenroll /dev/<device partition> --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7+15:sha256=0000000000000000000000000000000000000000000000000000000000000000
```

I rebooted again, and it still asked for my recovery key. What am I doing wrong here?
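To make the `7+15:sha256=0000…` part of the enrollment concrete, here is an added simulation (not code from the post, the Arch wiki, or systemd) of what the PCR 15 binding means: the unlock policy expects PCR 15 in its reset state of 32 zero bytes, and once `tpm2-measure-pcr=yes` has extended PCR 15 after a successful unlock, the same policy can no longer be satisfied. The volume key and the digest that is extended are constructed placeholders; the exact values systemd measures are not shown here.

```python
import hashlib

# After a TPM reset the SHA-256 bank of PCR 15 holds 32 zero bytes.
# This is exactly the value the enrollment string
#   --tpm2-pcrs=7+15:sha256=0000...0000
# binds the LUKS unlock policy to: "PCR 15 has not been extended yet".
PCR15_RESET = bytes(32)
ENROLLED_PCR15 = bytes.fromhex("00" * 32)


def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM2 PCR extend on the SHA-256 bank: new = SHA256(old || digest)."""
    return hashlib.sha256(old + digest).digest()


def policy_allows_unseal(pcr15: bytes, expected: bytes = ENROLLED_PCR15) -> bool:
    """The sealed key is released only when PCR 15 matches the enrolled value."""
    return pcr15 == expected


def simulate_boot(volume_key: bytes, measure_pcr: bool) -> dict:
    """One boot: attempt unlock, optionally measure into PCR 15, then
    check whether the policy would still release the key afterwards.

    volume_key is a constructed placeholder, not real key material.
    """
    pcr15 = PCR15_RESET
    unlock_ok = policy_allows_unseal(pcr15)
    if unlock_ok and measure_pcr:
        # tpm2-measure-pcr=yes: after unlocking, extend PCR 15 with a digest
        # derived from the unlocked volume (placeholder digest here).
        pcr15 = pcr_extend(pcr15, hashlib.sha256(volume_key).digest())
    # Anything running later in the boot sees the extended PCR 15 and can
    # no longer satisfy the policy; this is the protection PCR 15 adds.
    reunlock_ok = policy_allows_unseal(pcr15)
    return {
        "unlock_ok": unlock_ok,
        "pcr15_after": pcr15.hex(),
        "reunlock_ok": reunlock_ok,
    }


if __name__ == "__main__":
    print(simulate_boot(b"constructed-volume-key", measure_pcr=True))
    print(simulate_boot(b"constructed-volume-key", measure_pcr=False))
```

The same model shows why the policy is written with the all-zero value rather than the post-measurement value: the unlock must succeed before systemd-cryptsetup measures anything into PCR 15.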
I had this problem too. Have you done this step, as per the wiki?
If you set any rd.luks kernel parameters or use /etc/crypttab.initramfs, additionally add the `tpm2-measure-pcr=yes` option to `rd.luks.options=` or the fourth field in /etc/crypttab.initramfs.
Last edited by nvann (2025-10-21 23:52:36)
Yes, I did mention in point number 1 of my post that I added `rd.luks.options=tpm2-measure-pcr=yes`. I do not have any other drives besides my root drive so I did not add anything into my crypttab. I also don't have a crypttab.initramfs file at all.