Comment # 26 on bug 1228863 from Marc Thomas
(In reply to Alberto Planas Dominguez from comment #25)
> It is possible that PCR7 is ignored in your system. Do you see a component
> associated in PCR7 in the row that has "Sbat-<some UUID>" in the description
> column?

There were a total of 9 lines for PCR7; 4 had components, and 1 of those had
SbatLevel-<uuid>.

> Let's try what I wrote (unenroll, enroll, reboot, and check).
> 
> If the recovery key is not requested, let's wait for the next update to see if
> it is required then. At that moment the first thing will be to check the PCR
> values to understand what is broken.

I was asked for the recovery key again after running the commands below.

Commands and output (I had to add the method to get it running):

localhost:~ # sdbootutil unenroll --method=tpm2
dracut-install: ERROR: installing 'grub2-editenv'
dracut[E]: FAILED: /usr/lib/dracut/dracut-install -D
/var/tmp/dracut.aGwm26/initramfs -a date btrfs awk grub2-editenv
Wiped slot 0.

localhost:~ # systemd-cryptenroll /dev/nvme1n1p2
SLOT TYPE    
   2 recovery

localhost:~ # sdbootutil enroll --ask-pin --method=tpm2
Garbage after device path end, ignoring.
Garbage after device path end, ignoring.
Recovery PIN: Garbage after device path end, ignoring.
NVIndex policy created
Enrolling with TPM2 (pcrlock): /dev/nvme1n1p2
No slots to remove selected.
🔐 Please enter current passphrase for disk /dev/nvme1n1p2:
•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••
New TPM2 token enrolled as key slot 0.

localhost:~ # systemd-cryptenroll /dev/nvme1n1p2
SLOT TYPE    
   0 tpm2
   2 recovery

/usr/lib/systemd/systemd-pcrlock:

Garbage after device path end, ignoring.
Couldn't find component '250-firmware-config-early' in event log.
Couldn't find component '710-kernel-cmdline-boot-loader' in event log.
Couldn't find component '750-enter-initrd' in event log.
Didn't find component '800-leave-initrd' in event log, assuming system hasn't
reached it yet.
Didn't find component '850-sysinit' in event log, assuming system hasn't
reached it yet.
Didn't find component '900-ready' in event log, assuming system hasn't reached
it yet.
Skipped 2 components after location '940-' (950-shutdown, 990-final).
Unable to recognize 3 components in event log.
Event log record 10 (PCR 1, "Raw:
\fSmbiosTable\000\001\000\000\000\000\000\000\000D\025\375\362\224\227,J\231.\345\273\317
\343\224\000@\312w\000\000\000\000") not matching any component.
Event log record 37 (PCR 12, "String:
initrd=\aeon\6.10.3-1-default\initrd-927abaf71095967ff2c0c66a669b8abf774c661b
quiet loglevel=2 systemd.show_status=no console=ttyS0,115200 console=tty0
vt.global_cursor_default=0 ignition.platform.id=metal security=selinux
selinux=1 root=UUID=3b7b704d-a19d-4d5c-b3d8-844c2f43d595
rootflags=subvol=@/.snapshots/3/snapshot
systemd.machine_id=e0cdf1aa6e3f48d1ad509e14e955592f") not matching any
component.
Event log record 29 (PCR 14, "Raw: MokList\000") not matching any component.

PCRs 0, 2, 4, 7 and 9 all have green checkmarks in every column now.
Is 10 somehow involved? That's the only one with an X in the H column and a red
hash.

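The systemd-pcrlock diagnostics quoted in this comment are the thing to inspect before the next update. As an added example (not part of this bug report, of sdbootutil or of systemd), here is a small Python parser that pulls the missing components and the "not matching any component" records out of that text, re-joining lines that the mail wrapped, and groups the unmatched records by PCR so two runs can be diffed. The sample log is constructed to mirror the format (the `root=UUID=PLACEHOLDER` value is a stand-in, not a real identifier); `unmatched_in_pcrs` takes the policy's PCR set as an argument, because which PCRs a pcrlock policy binds to depends on the local configuration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of systemd-pcrlock's diagnostic output.
# It is not the log from the bug report; records are wrapped over lines the
# way the mailed output is, so the parser has to re-join them.
SAMPLE_LOG = """\
Garbage after device path end, ignoring.
Couldn't find component '250-firmware-config-early' in event log.
Couldn't find component '710-kernel-cmdline-boot-loader' in event log.
Didn't find component '800-leave-initrd' in event log, assuming system hasn't
reached it yet.
Skipped 2 components after location '940-' (950-shutdown, 990-final).
Unable to recognize 3 components in event log.
Event log record 10 (PCR 1, "Raw:
\\fSmbiosTable\\000\\001\\000") not matching any component.
Event log record 37 (PCR 12, "String:
initrd=\\aeon\\initrd quiet loglevel=2 root=UUID=PLACEHOLDER") not matching any
component.
Event log record 29 (PCR 14, "Raw: MokList\\000") not matching any component.
"""

# Hard miss: pcrlock expected the component but never saw it in the event log.
MISSING_RE = re.compile(r"Couldn't find component '([^']+)' in event log\.")
# Soft miss: that boot phase simply has not happened yet (benign at runtime).
NOT_YET_RE = re.compile(
    r"Didn't find component '([^']+)' in event log, assuming system hasn't\s+"
    r"reached it yet\.")
SKIPPED_RE = re.compile(
    r"Skipped \d+ components after location '[^']*' \(([^)]*)\)\.")
# Event-log entries with no matching component; the quoted payload may span
# several lines, hence DOTALL and the \s+ before "component".
UNMATCHED_RE = re.compile(
    r'Event log record (\d+) \(PCR (\d+), "(Raw|String):\s*(.*?)"\) '
    r"not matching any\s+component\.", re.DOTALL)


def parse_pcrlock_log(text):
    """Split pcrlock diagnostics into missing, not-yet-reached, skipped and
    unmatched entries, as plain lists so two runs can be compared."""
    unmatched = [
        {"record": int(rec), "pcr": int(pcr), "kind": kind,
         # collapse the line wrapping the mail client introduced
         "payload": " ".join(payload.split())}
        for rec, pcr, kind, payload in UNMATCHED_RE.findall(text)
    ]
    skipped = []
    for group in SKIPPED_RE.findall(text):
        skipped.extend(name.strip() for name in group.split(","))
    return {
        "missing": MISSING_RE.findall(text),
        "not_yet_reached": NOT_YET_RE.findall(text),
        "skipped": skipped,
        "unmatched": unmatched,
    }


def unmatched_pcrs(text):
    """PCR indices that carry event-log records pcrlock could not attribute."""
    return sorted({e["pcr"] for e in parse_pcrlock_log(text)["unmatched"]})


def records_by_pcr(text):
    """Map each affected PCR to the record numbers pcrlock flagged in it."""
    by_pcr = defaultdict(list)
    for e in parse_pcrlock_log(text)["unmatched"]:
        by_pcr[e["pcr"]].append(e["record"])
    return dict(by_pcr)


def unmatched_in_pcrs(text, policy_pcrs):
    """Restrict to the PCRs a given pcrlock policy binds to. An unmatched
    record in a PCR the policy does not use cannot, on its own, change the
    values that policy is predicted from, so it is noise for that policy."""
    wanted = set(policy_pcrs)
    return [p for p in unmatched_pcrs(text) if p in wanted]


if __name__ == "__main__":
    report = parse_pcrlock_log(SAMPLE_LOG)
    print("missing:", report["missing"])
    print("unmatched records by PCR:", records_by_pcr(SAMPLE_LOG))
    # assumption for the demo: the policy binds the PCRs this comment lists
    print("unmatched in {0,2,4,7,9}:", unmatched_in_pcrs(SAMPLE_LOG, {0, 2, 4, 7, 9}))
```

Feed it the real output with `parse_pcrlock_log(open("pcrlock.log").read())` after a run of `/usr/lib/systemd/systemd-pcrlock` before and after an update; a new entry in `missing` or a new PCR in `unmatched_pcrs` is the first place to look when the recovery key is requested again.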