https://bugzilla.suse.com/show_bug.cgi?id=1228863
https://bugzilla.suse.com/show_bug.cgi?id=1228863#c26

--- Comment #26 from Marc Thomas <opensuse@radok.me> ---

(In reply to Alberto Planas Dominguez from comment #25)
> It is possible that PCR7 is ignored in your system. Do you see a component associated with PCR7 in the row that has "Sbat-<some UUID>" in the description column?
There were a total of 9 lines for PCR7; 4 had components, and 1 of those had SbatLevel-<uuid>.
> Let's try what I wrote (unenroll, enroll, reboot, and check).
> If the recovery key is not requested, let's wait for the next update to see if it is required then. At that moment the first thing will be to check the PCR values to understand what is broken.
I was asked for the recovery key again after running the commands below. Commands and output (I had to add the method to get it running):

localhost:~ # sdbootutil unenroll --method=tpm2
dracut-install: ERROR: installing 'grub2-editenv'
dracut[E]: FAILED: /usr/lib/dracut/dracut-install -D /var/tmp/dracut.aGwm26/initramfs -a date btrfs awk grub2-editenv
Wiped slot 0.

localhost:~ # systemd-cryptenroll /dev/nvme1n1p2
SLOT TYPE
   2 recovery

localhost:~ # sdbootutil enroll --ask-pin --method=tpm2
Garbage after device path end, ignoring.
Garbage after device path end, ignoring.
Recovery PIN:
Garbage after device path end, ignoring.
NVIndex policy created
Enrolling with TPM2 (pcrlock): /dev/nvme1n1p2
No slots to remove selected.
🔐 Please enter current passphrase for disk /dev/nvme1n1p2: •••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••
New TPM2 token enrolled as key slot 0.

localhost:~ # systemd-cryptenroll /dev/nvme1n1p2
SLOT TYPE
   0 tpm2
   2 recovery

/usr/lib/systemd/systemd-pcrlock: Garbage after device path end, ignoring.
Couldn't find component '250-firmware-config-early' in event log.
Couldn't find component '710-kernel-cmdline-boot-loader' in event log.
Couldn't find component '750-enter-initrd' in event log.
Didn't find component '800-leave-initrd' in event log, assuming system hasn't reached it yet.
Didn't find component '850-sysinit' in event log, assuming system hasn't reached it yet.
Didn't find component '900-ready' in event log, assuming system hasn't reached it yet.
Skipped 2 components after location '940-' (950-shutdown, 990-final).
Unable to recognize 3 components in event log.
Event log record 10 (PCR 1, "Raw: \fSmbiosTable\000\001\000\000\000\000\000\000\000D\025\375\362\224\227,J\231.\345\273\317 \343\224\000@\312w\000\000\000\000") not matching any component.
Event log record 37 (PCR 12, "String: initrd=\aeon\6.10.3-1-default\initrd-927abaf71095967ff2c0c66a669b8abf774c661b quiet loglevel=2 systemd.show_status=no console=ttyS0,115200 console=tty0 vt.global_cursor_default=0 ignition.platform.id=metal security=selinux selinux=1 root=UUID=3b7b704d-a19d-4d5c-b3d8-844c2f43d595 rootflags=subvol=@/.snapshots/3/snapshot systemd.machine_id=e0cdf1aa6e3f48d1ad509e14e955592f") not matching any component.
Event log record 29 (PCR 14, "Raw: MokList\000") not matching any component.

PCR 0, 2, 4, 7 and 9 all have green checkmarks in every column now. Is 10 somehow involved? That's the only one with an X in the H column and a red hash.
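An added example, not part of this bug report or of systemd-pcrlock, showing what the per-PCR hash check behind the red/green hash column amounts to: replaying the event log's digests with the TPM extend rule and comparing the result with the value actually in the PCR. The event log and PCR values below are constructed; a PCR that received an extend the log does not record (PCR 10 here) comes out as a mismatch.

```python
import hashlib

PCR_LEN = 32  # SHA-256 bank

def extend(pcr, digest):
    """TPM2_PCR_Extend on a SHA-256 bank: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(events):
    """Replay (pcr_index, digest) events into zero-initialised PCRs."""
    pcrs = {}
    for idx, digest in events:
        pcrs[idx] = extend(pcrs.get(idx, bytes(PCR_LEN)), digest)
    return pcrs

def check(events, actual):
    """Compare replayed PCRs with values read from the TPM: 'ok', 'MISMATCH'
    (something was extended that the log does not record) or 'no events'."""
    replayed = replay(events)
    report = {}
    for idx, value in sorted(actual.items()):
        if idx not in replayed:
            report[idx] = "no events"
        else:
            report[idx] = "ok" if replayed[idx] == value else "MISMATCH"
    return report

def measure(label):
    """Stand-in for an event digest (constructed, not a real measurement)."""
    return hashlib.sha256(label.encode()).digest()

# Constructed event log: PCR 7 (Secure Boot state, PK, SbatLevel), PCR 9 (initrd),
# PCR 10 (one IMA entry). Real logs come from the TPM2 firmware event log.
SAMPLE_EVENTS = [
    (7, measure("SecureBoot")), (7, measure("PK")), (7, measure("SbatLevel")),
    (9, measure("initrd")),
    (10, measure("boot_aggregate")),
]

def sample_actual():
    """Constructed 'live' PCR values: PCR 10 got one extend the log never saw."""
    actual = replay(SAMPLE_EVENTS)
    actual[10] = extend(actual[10], measure("runtime-measurement-not-logged"))
    return actual

if __name__ == "__main__":
    for idx, status in check(SAMPLE_EVENTS, sample_actual()).items():
        print(f"PCR {idx:2d}: {status}")
```

Against a real machine the inputs would be the parsed firmware event log and the current PCR bank values; a mismatch means the policy was computed from a log that does not reflect what was actually measured into that PCR.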