[Bug 1228863] System asking for recovery key while booting a default mode encrypted Aeon system after automatic update
https://bugzilla.suse.com/show_bug.cgi?id=1228863

https://bugzilla.suse.com/show_bug.cgi?id=1228863#c60

--- Comment #60 from Alberto Planas Dominguez <aplanas@suse.com> ---
(In reply to Artur Kaufmann from comment #59)
> Maybe the revision of the TPM2.0 chip is also important

This is true, as older revisions do not recognize NVIndex that are also required.

> sudo tpm2_getcap properties-fixed | grep TPM2_PT_REVISION -A2
> TPM2_PT_REVISION:
>   raw: 0x8A
>   value: 1.38
>
> BR

For sdbootutil I can fall back to pcr-oracle (signed policies). We are doing this when NVIndex fails, but a failure in PolicyOR is not detected until much (much) later. The check for the revision is a really good idea, but it is hard to put it as a strong threshold, as I am not sure that the number of branches is part of the specification document (I did not see it at first glance)
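
Added example, not part of the original comment and not sdbootutil code: a preflight that parses the `tpm2_getcap properties-fixed` output quoted above and picks between the NVIndex policy and the pcr-oracle fallback before enrollment, rather than after a late PolicyOR failure. The function names are hypothetical, and the minimum revision is a caller-supplied assumption; the thread does not establish a threshold.

```shell
#!/bin/sh
# Added example, not sdbootutil code. Function names and the minimum
# revision passed to choose_policy are assumptions made for illustration.

# Read `tpm2_getcap properties-fixed` output on stdin and print
# TPM2_PT_REVISION as a decimal integer (0x8A -> 138, i.e. revision 1.38).
tpm_revision_raw() {
    hex=$(awk '
        /^TPM2_PT_REVISION:/ { in_rev = 1; next }
        /^[A-Z0-9_]+:/       { in_rev = 0 }
        in_rev && $1 == "raw:" && $2 ~ /^0x[0-9A-Fa-f]+$/ {
            print $2; found = 1; exit
        }
        END { if (!found) exit 1 }
    ') || return 1
    # Safe to expand: awk only emits a validated 0x... literal.
    echo $(($hex))
}

# choose_policy MIN_RAW
# Print "nvindex" when the revision on stdin is at least MIN_RAW
# (revision times 100), otherwise "pcr-oracle". An unreadable or missing
# revision also selects the fallback, so the check fails closed.
choose_policy() {
    min_raw=$1
    rev=$(tpm_revision_raw) || { echo "pcr-oracle"; return 0; }
    if [ "$rev" -ge "$min_raw" ]; then
        echo "nvindex"
    else
        echo "pcr-oracle"
    fi
}

# Constructed sample, built from the output quoted in the comment above.
SAMPLE='TPM2_PT_REVISION:
  raw: 0x8A
  value: 1.38'

# 138 is a placeholder minimum chosen only so the sample passes.
printf '%s\n' "$SAMPLE" | choose_policy 138
```

On a live system the input would come from `tpm2_getcap properties-fixed | choose_policy <min>`; comparing the raw integer avoids treating "1.38" as a floating-point string.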