Good evening,
After I enroll my TPM 2.0 (Intel PTT with sha1 banks only) by running this command:
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-public-key /etc/kernel/pcr-initrd.pub.pem /dev/nvme0n1p2
It asks for the recovery key, even though it should just unlock my LUKS volume.
/etc/kernel/pcr-initrd.pub.pem is generated by systemd-ukify using this command:
sudo ukify genkey --config /etc/kernel/uki.conf
Here is the /etc/kernel/uki.conf:
[UKI]
OSRelease=@/etc/os-release
PCRBanks=sha1
[PCRSignature:initrd]
Phases=enter-initrd
PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
Any idea on how I could enroll my PCR11 public key signature, so I can achieve fully verified boot? Thank you!
Edit: attaching what happens during enter-initrd phase, with systemd.log_level=debug kernel parameter:
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Starting policy session.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Building sealing policy.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Reading PCR selection: [sha1(7+11)]
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Read PCR selection: [sha1(7+11)]
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: PCR value: 7:sha1=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: PCR value: 11:sha1=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Adding PCR signature policy.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Loading external key into TPM.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Object name: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Submitting PCR hash policy.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Acquiring policy digest.
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Session policy digest: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Failed to validate signature in TPM: tpm:parameter(2):the signature is not valid
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: Failed to unseal secret using TPM2: State not recoverable
Feb 04 23:49:06 archlinux systemd-cryptsetup[189]: systemd-tpm2 open failed: State not recoverable.
Last edited by retractant0916 (2025-02-04 22:20:14)
For information, this uki.conf is "wrong" and will introduce bugs. See https://github.com/systemd/systemd/issu … 3764207106
You should not set Phases= only to enter-initrd. You should have at least a PCRSignature section with the other phases. Or simply do not set Phases=; in this case the proper default is going to be used.
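To make the point of the first post's uki.conf and this reply concrete, here is an added example (not code from the thread or from systemd) that parses a uki.conf and reports which phase paths no PCRSignature section signs for. It assumes, as stated in the ukify(1) documentation rather than on this page, that an unset Phases= defaults to the four phase paths listed in DEFAULT_PHASE_PATHS and that Phases= accepts a whitespace- or comma-separated list of colon-separated phase paths; both configs below are constructed samples.

```python
import configparser

# Constructed sample: the uki.conf from the first post, which limits the
# initrd signature to the enter-initrd phase path only.
POSTED_UKI_CONF = """\
[UKI]
OSRelease=@/etc/os-release
PCRBanks=sha1
[PCRSignature:initrd]
Phases=enter-initrd
PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
"""

# Constructed sample: the same file with Phases= left unset, as the reply
# recommends, so ukify's default set of phase paths is signed.
FIXED_UKI_CONF = """\
[UKI]
OSRelease=@/etc/os-release
PCRBanks=sha1
[PCRSignature:initrd]
PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
"""

# Assumption (from ukify(1), not from the thread): the phase paths ukify signs
# for when Phases= is not set. Each later path extends the previous one.
DEFAULT_PHASE_PATHS = [
    "enter-initrd",
    "enter-initrd:leave-initrd",
    "enter-initrd:leave-initrd:sysinit",
    "enter-initrd:leave-initrd:sysinit:ready",
]


def parse_uki_conf(text):
    """Parse uki.conf text; interpolation is off so '@' and ':' are literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def pcr_signature_phase_paths(cp):
    """Map each [PCRSignature:*] section to the phase paths it signs for."""
    result = {}
    for section in cp.sections():
        if not section.startswith("PCRSignature"):
            continue
        phases = cp.get(section, "Phases", fallback="").strip()
        if phases:
            # Assumption: whitespace or commas separate phase paths.
            paths = [p for p in phases.replace(",", " ").split() if p]
        else:
            paths = list(DEFAULT_PHASE_PATHS)
        result[section] = paths
    return result


def uncovered_phase_paths(text):
    """Return the default phase paths that no PCRSignature section covers.

    A non-empty result means a PCR 11 policy exists for fewer boot phases
    than ukify would sign by default, which is the misconfiguration the
    reply describes.
    """
    covered = set()
    for paths in pcr_signature_phase_paths(parse_uki_conf(text)).values():
        covered.update(paths)
    return [p for p in DEFAULT_PHASE_PATHS if p not in covered]


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_UKI_CONF), ("fixed", FIXED_UKI_CONF)):
        missing = uncovered_phase_paths(conf)
        status = "ok" if not missing else "missing: " + ", ".join(missing)
        print(f"{label}: {status}")
```

Run it with no arguments to compare the two embedded samples; to check a real file, pass the contents of /etc/kernel/uki.conf to uncovered_phase_paths().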
@benjarobin
you're a long enough member of this forum to know the rules about necrobumping
if you feel the urge to spread newly learned knowledge, check whether the wiki might be a better place
Mod note: Closing this old thread.
https://wiki.archlinux.org/title/Genera … bumping%22
Last edited by WorMzy (2026-01-18 10:44:45)