Comment # 7 on bug 1230909 from Alberto Planas Dominguez
(In reply to Lucky from comment #5)

Thanks for reporting back!

> There is no pcrlock.json in /var - Evidence from my machine
> 
> https://paste.opensuse.org/pastes/4027fde40014

OK, that is bad. /var/lib/systemd/pcrlock.json should be there.

> I am not sure how to check it is in the ESP.

ls /boot/efi/EFI/systemd/pcrlock.json, but I guess that this should be missing
too?

Let's start by checking the basics. Let's see what is enrolled:

# check the slots in rootfs. Replace $ROOTFS with the correct device
systemd-cryptenroll /dev/$ROOTFS

# same for home
systemd-cryptenroll /dev/$HOME

There should be maybe a "recovery", a "password" and a "tpm2" slot. It is OK if
the recovery is missing, but not the TPM2 one, as this will indicate that the
TPM2 was never enrolled.

We can try to re-enroll the TPM2, following
https://en.opensuse.org/Portal:MicroOS/FDE#Re-enrollment

# Remove the current policy and unenroll all devices
sdbootutil unenroll --method=tpm2

# Make a new policy and enroll all devices
PIN=<selected recovery PIN, like the current password used> sdbootutil enroll --method=tpm2
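
The checks from this comment collected into one script, as an added example that is not part of the original comment or of sdbootutil. The function names and the sample listing are constructed for illustration, and the "SLOT TYPE" table layout of the systemd-cryptenroll listing is an assumption.

```shell
#!/bin/sh
# Added example. Run as root with the LUKS devices as arguments,
# e.g. the rootfs and home devices. With no arguments it only parses
# the constructed sample below.

# Constructed sample of a slot listing (not taken from the bug report).
SAMPLE='SLOT TYPE
   0 password
   1 recovery
   2 tpm2'

# slot_types: read a slot listing on stdin, print one slot type per line.
slot_types() {
    awk '$1 ~ /^[0-9]+$/ { print $2 }'
}

# has_tpm2: succeed only if the listing on stdin contains a tpm2 slot.
has_tpm2() {
    slot_types | grep -qx 'tpm2'
}

# check_device DEV: list the slots on DEV and report on the tpm2 slot.
check_device() {
    listing=$(systemd-cryptenroll "$1") || return 2
    if printf '%s\n' "$listing" | has_tpm2; then
        echo "$1: tpm2 slot present"
    else
        echo "$1: no tpm2 slot (TPM2 was never enrolled)"
        return 1
    fi
}

# check_pcrlock: report which of the two pcrlock.json copies exist.
check_pcrlock() {
    for f in /var/lib/systemd/pcrlock.json /boot/efi/EFI/systemd/pcrlock.json; do
        if [ -e "$f" ]; then echo "found   $f"; else echo "missing $f"; fi
    done
}

if [ "$#" -gt 0 ]; then
    check_pcrlock
    for dev in "$@"; do check_device "$dev"; done
else
    printf '%s\n' "$SAMPLE" | has_tpm2 && echo "sample: tpm2 slot present"
fi
```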

