Comment # 24 on bug 1228863 from Marc Thomas

(In reply to Alberto Planas Dominguez from comment #23)
> If I understand you, you mean that the system is asking again for a key. Can
> be the recovery PIN or any enrolled password. Right?

Correct, I was asked for the recovery PIN.

> To debug this, please, do not mangle with the TPM, nor re-enroll the system.
> Doing this actions first will hide the read bug that we can to get rid off,
> and more importantly, if you system gets compromised and a key is asked to
> continue the boot you will find yourself giving your password to a rogue
> system!

Understood, I will stop doing that.
Initially I thought that I did something wrong - so i tried the TPM
wipe/re-enroll.

> If a password is asked you need to discover what did goes wrong.  The
> password is asked if the measurements are not the expected one, and to debug
> this you need to check the table from
> 
>   /usr/lib/systemd/systemd-pcrlock
> 
>
I see that from the PCRs you mentioned the 7 has a red X on R and C.
Should I attach the output, or is this information that should stay on the
system?

I will not do the unenroll for now in case you need anything else from the
current state.
Please let me know if I can continue.