https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c2 --- Comment #2 from Martin Abele <happymab.dev@outlook.com> --- Above output is the current state of the system after clearing the TPM2 -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c4 Artur Kaufmann <arturkaufmann@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |arturkaufmann@gmail.com --- Comment #4 from Artur Kaufmann <arturkaufmann@gmail.com> --- This is my output, after troubleshooting referred to clear TPM and then update-predictions [artur@gregory ~]$ sudo sdbootutil -v update-predictions Garbage after device path end, ignoring. Garbage after device path end, ignoring. /var/lib/pcrlock.d/250-firmware-code-early.pcrlock.d/generated.pcrlock written. /var/lib/pcrlock.d/550-firmware-code-late.pcrlock.d/generated.pcrlock written. Garbage after device path end, ignoring. Garbage after device path end, ignoring. /var/lib/pcrlock.d/250-firmware-config-early.pcrlock.d/generated.pcrlock written. /var/lib/pcrlock.d/550-firmware-config-late.pcrlock.d/generated.pcrlock written. /var/lib/pcrlock.d/600-gpt.pcrlock.d/generated.pcrlock written. /var/lib/pcrlock.d/630-shim-efi-application.pcrlock.d/generated.pcrlock written. /var/lib/pcrlock.d/640-boot-loader-efi-application.pcrlock.d/generated.pcrlock written. /var/lib/pcrlock.d/641-sdboot-loader-conf.pcrlock written. /var/lib/pcrlock.d/650-kernel-efi-application.pcrlock.d/linux-1.pcrlock written. /tmp/sdbootutil.xIRias/cmdline.pcrlock written. /var/lib/pcrlock.d/710-kernel-cmdline-boot-loader.pcrlock.d/cmdline-1.pcrlock written. /tmp/sdbootutil.xIRias/cmdline.pcrlock written. /var/lib/pcrlock.d/710-kernel-cmdline-boot-loader.pcrlock.d/cmdline-2.pcrlock written. /tmp/sdbootutil.xIRias/cmdline.pcrlock written. /var/lib/pcrlock.d/710-kernel-cmdline-boot-loader.pcrlock.d/cmdline-3.pcrlock written. Garbage after device path end, ignoring. Garbage after device path end, ignoring. Couldn't find component '350-action-efi-application' in event log. Couldn't find component '750-enter-initrd' in event log. Didn't find component '800-leave-initrd' in event log, assuming system hasn't reached it yet. Didn't find component '850-sysinit' in event log, assuming system hasn't reached it yet. Didn't find component '900-ready' in event log, assuming system hasn't reached it yet. Skipped 2 components after location '940-' (950-shutdown, 990-final). Unable to recognize 2 components in event log. Event log record 9 (PCR 6, "Raw: Dell Configuration Information 1") not matching any component. Event log record 30 (PCR 14, "Raw: MokList\000") not matching any component. PCR 0 (platform-code) matches event log and fully consists of recognized measurements. Including in set of PCRs. PCR 4 (boot-loader-code) is touched by component we can't find in event log. Removing from set of PCRs. PCR 5 (boot-loader-config) matches event log and fully consists of recognized measurements. Including in set of PCRs. PCR 7 (secure-boot-policy) matches event log and fully consists of recognized measurements. Including in set of PCRs. PCR 9 (kernel-initrd) matches event log and fully consists of recognized measurements. Including in set of PCRs. PCRs dropped from protection mask: 4 (boot-loader-code) PCRs in protection mask: 0 (platform-code), 5 (boot-loader-config), 7 (secure-boot-policy), 9 (kernel-initrd) Predicted future PCRs in 1.503ms. WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:391:Esys_StartAuthSession_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x0000018b) Failed to allocate encryption session: State not recoverable Error creating the policy! Please, provide the recovery PIN to register the new policy NVIndex policy created -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c6 --- Comment #6 from Martin Abele <happymab.dev@outlook.com> --- Created attachment 876487 --> https://bugzilla.suse.com/attachment.cgi?id=876487&action=edit Output of "sudo sdbootutil -v update-predictions" -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c8 --- Comment #8 from Richard Brown <rbrown@suse.com> --- (In reply to Martin Abele from comment #7)

Is it a chicken - egg problem? With ask-pin option the pin is not valid because the TPM was wiped and without the option, the system insists to provide the recovery pin...

What command is used to enroll the TPM during the installation or during firstboot respectively?

I think it’s more likely your claim that you’re resetting or clearing your TPM is false/incorrect, or incomplete If you compare the logs from comments #4 and #6 you see evidence of different event log entries which should be impossible if the system is booting the same OS each time with a clear TPM Are you sure you’re clearing the TPM each time, and not booting into any other OS? (Dell maintenance/recovery tools would count as a different OS) -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c11 --- Comment #11 from Martin Abele <happymab.dev@outlook.com> --- Oh. now I see what you mean by contradicting logs of comment #4 and comment #6. This are indeed two different cases. It seems that Artur Kaufmann has a similar issue and posted his logs and comments also. This is indeed not the same system. My (Martin Abele) logs and comments are one case and Artur Kaufmann's logs and comments are a different case. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c22 Marc Thomas <opensuse@radok.me> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |opensuse@radok.me --- Comment #22 from Marc Thomas <opensuse@radok.me> --- While the re-enrollment was working for me with 20240807 and I could start without PIN, I got the recovery PIN again with 20240808. Initially I thought this was because I messed around with the recovery key slots to rotate my recovery key, but the update ran in the background at the same time. To make sure it's not me I did a reinstall and then did the following: Cleared TPM via: echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request Reboot Entered PIN. localhost:~ # tpm2_dictionarylockout -Tdevice:/dev/tpmrm0 --setup-parameters --max-tries=5 --clear-lockout localhost:~ # /usr/lib/systemd/systemd-pcrlock remove-policy WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:391:Esys_StartAuthSession_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x0000018b) Failed to remove NV index, assuming data out of date, removing policy file. Removed policy file '/var/lib/systemd/pcrlock.json'. Removed policy file '/boot/efi/loader/credentials/pcrlock.aeon.cred'. localhost:~ # systemd-cryptenroll --wipe=tpm2 /dev/nvme1n1p2 Wiped slot 0. localhost:~ # sdbootutil --ask-pin update-predictions Garbage after device path end, ignoring. Garbage after device path end, ignoring. Recovery PIN: Garbage after device path end, ignoring. NVIndex policy created localhost:~ # systemd-cryptenroll --tpm2-device=auto /dev/nvme1n1p2 Automatically using pcrlock policy '/var/lib/systemd/pcrlock.json'. Please enter current passphrase for disk /dev/nvme1n1p2: (press TAB for no ec••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••• New TPM2 token enrolled as key slot 0. localhost:~ # systemd-cryptenroll /dev/nvme1n1p2 SLOT TYPE 0 tpm2 2 recovery After the next reboot the system still requests the PIN. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c26 --- Comment #26 from Marc Thomas <opensuse@radok.me> --- (In reply to Alberto Planas Dominguez from comment #25)

It is possible that PCR7 is ignored in your system. Do you see a component associated in PCR7 in the row that has "Sbat-<some UUID>" in the description column?

There were a total of 9 lines for PCR7, 4 had components 1 of those had SbatLevel-<uuid>

Lets try what I wrote (unenroll, enroll, reboot, and check)

If recovery key is not requested, lets wait to the next update to see if now the it is required. In than moment the first thing will be check the PCR values to understand what is broken.

I was asked for the recovery key again after running the commands below. Commands and output (I had to add the method to get it running): localhost:~ # sdbootutil unenroll --method=tpm2 dracut-install: ERROR: installing 'grub2-editenv' dracut[E]: FAILED: /usr/lib/dracut/dracut-install -D /var/tmp/dracut.aGwm26/initramfs -a date btrfs awk grub2-editenv Wiped slot 0. localhost:~ # systemd-cryptenroll /dev/nvme1n1p2 SLOT TYPE 2 recovery localhost:~ # sdbootutil enroll --ask-pin --method=tpm2 Garbage after device path end, ignoring. Garbage after device path end, ignoring. Recovery PIN: Garbage after device path end, ignoring. NVIndex policy created Enrolling with TPM2 (pcrlock): /dev/nvme1n1p2 No slots to remove selected. 🔐 Please enter current passphrase for disk /dev/nvme1n1p2: ••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••• New TPM2 token enrolled as key slot 0. localhost:~ # systemd-cryptenroll /dev/nvme1n1p2 SLOT TYPE 0 tpm2 2 recovery /usr/lib/systemd/systemd-pcrlock: Garbage after device path end, ignoring. Couldn't find component '250-firmware-config-early' in event log. Couldn't find component '710-kernel-cmdline-boot-loader' in event log. Couldn't find component '750-enter-initrd' in event log. Didn't find component '800-leave-initrd' in event log, assuming system hasn't reached it yet. Didn't find component '850-sysinit' in event log, assuming system hasn't reached it yet. Didn't find component '900-ready' in event log, assuming system hasn't reached it yet. Skipped 2 components after location '940-' (950-shutdown, 990-final). Unable to recognize 3 components in event log. Event log record 10 (PCR 1, "Raw: \fSmbiosTable\000\001\000\000\000\000\000\000\000D\025\375\362\224\227,J\231.\345\273\317 \343\224\000@\312w\000\000\000\000") not matching any component. Event log record 37 (PCR 12, "String: initrd=\aeon\6.10.3-1-default\initrd-927abaf71095967ff2c0c66a669b8abf774c661b quiet loglevel=2 systemd.show_status=no console=ttyS0,115200 console=tty0 vt.global_cursor_default=0 ignition.platform.id=metal security=selinux selinux=1 root=UUID=3b7b704d-a19d-4d5c-b3d8-844c2f43d595 rootflags=subvol=@/.snapshots/3/snapshot systemd.machine_id=e0cdf1aa6e3f48d1ad509e14e955592f") not matching any component. Event log record 29 (PCR 14, "Raw: MokList\000") not matching any component. PCR 0, 2, 4, 7 and 9 all have green checkmarks in every column now. Is 10 somehow involved? That's the only one with an X in the H column and a red hash. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c29 --- Comment #29 from Marc Thomas <opensuse@radok.me> --- Is there anything else I could get from the systems current state that could help? If not I would try it with tumbleweed and systemd-boot for now and reinstall Aeon if needed. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c33 --- Comment #33 from Marc Thomas <opensuse@radok.me> --- Created attachment 876698 --> https://bugzilla.suse.com/attachment.cgi?id=876698&action=edit Output of dracut --reproducible --force --tmpdir /var/tmp my_initrd -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c40 --- Comment #40 from Marc Thomas <opensuse@radok.me> --- Created attachment 876707 --> https://bugzilla.suse.com/attachment.cgi?id=876707&action=edit Output of localhost:~ # /usr/lib/systemd/systemd-pcrlock >> pcrlock I added the messages shown in the shell on top. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c44 --- Comment #44 from Marc Thomas <opensuse@radok.me> --- (In reply to Alberto Planas Dominguez from comment #42)

(In reply to Marc Thomas from comment #41)

...

It seems after the rename of the file the enrollment no longer works.

localhost:~ # systemd-cryptenroll /dev/nvme0n1p2

No longer shows a TPM entry.

What file are you referring, initrd? No new initrd is generated?

Since I did the rename of initrd-a67e4f4c8aca4aa4f1b50919c64448ccb79b13b3 I had issues enrolling the TPM again (see comment 39). It did not ask for the recovery key but created a new initrd. Also systemd-cryptenroll /dev/nvme0n1p2 did not show that the TPM was enrolled. Somehow this is now working again and the TPM could be enrolled today. Yes, secure boot is enabled: localhost:~ # mokutil --sb-state SecureBoot enabled Did another unrenroll/enroll - nothing changed. I have also attached the current pcrlock. I would like to give a reinstall a try if you don't mind. Nothing on the system is currently important - so it's quick and painless. Could it also be that the fTPM is causing these issues? Should I wipe that beforehand? -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c46 --- Comment #46 from Marc Thomas <opensuse@radok.me> --- This is now a completely different machine. I gave up running Aeon on the other one, as it was a dual boot one which is not a supported configuration. This happened on a machine where only Aeon is installed. After installing 20241030 the recovery key was requested. Running sudo sdbootutil -vvv update-predictions is not successful (see file sdbootutil_update-predictions.txt) and ends with: WARNING:esys:src/tss2-esys/api/Esys_PolicyOR.c:286:Esys_PolicyOR_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_PolicyOR.c:100:Esys_PolicyOR() Esys Finish ErrorCode (0x000001c4) Failed to add OR policy to TPM: tpm:parameter(1):value is out of range or is not correct for the context Failed to submit super PCR policy: State not recoverable Error creating the policy! Please, provide the recovery PIN to register the new policy NVIndex policy created Running sudo sdbootutil -vvv --ask-pin update-predictions is also not successful (see file sdbootutil_ask-pin_update-predictions.txt) and ends with: WARNING:esys:src/tss2-esys/api/Esys_NV_Write.c:310:Esys_NV_Write_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_NV_Write.c:110:Esys_NV_Write() Esys Finish ErrorCode (0x0000099d) Failed to write NV index: tpm:session(1):a policy check failed Failed to write to NV index: State not recoverable Error creating the policy! Provided PIN incorrect or TPM2 locked after too many retries NVIndex policy created Pin has been copy/pasted to rule out typos. I have rebooted the machine before the re-enroll to make sure it still does not work. The only way to fix this for me was a re-enroll of the TPM via the guide. After these steps the machine boots normally without asking for the recovery. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c48 --- Comment #48 from Marc Thomas <opensuse@radok.me> --- Created attachment 878343 --> https://bugzilla.suse.com/attachment.cgi?id=878343&action=edit sdbootutil -vvv --ask-pin update-predictions after update to 20241030 -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c50 --- Comment #50 from Marc Thomas <opensuse@radok.me> ---

...

The only way to fix this for me was a re-enroll of the TPM via the guide. After these steps the machine boots normally without asking for the recovery.

I understand then that we cannot reproduce the PolicyOR error message now?

Currently not, anything I should run next time? If so, I would also forward this to the Telegram channel as I was not the only one with the issue. Maybe someone there still has it and can chime in. -- You are receiving this mail because: You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1228863 https://bugzilla.suse.com/show_bug.cgi?id=1228863#c61 Guillermo Perez <guillermopf10@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |guillermopf10@gmail.com --- Comment #61 from Guillermo Perez <guillermopf10@gmail.com> --- Got the same problem, booting after update always prompts for recovery key. Previously, the machine always booted in default mode without any problems. Aeon is installed on a SSD and there aren't any other disks with boot partitions, I have a HDD formatted in NTFS from an old windows installation but it was always used as mass storage and got no traces of any OS installation on it. There wasn't any recent hardware nor UEFI changes. Tried the following solutions: 1) reverting to various snapshots, without any luck 2) Running # sdbootutil --ask-pin update-predictions 3)Following the instructions on comment 56, which got me the following results: Ran # rm -fr /var/lib/pcrlock.d . File gets removed. Tried to update and got the following error: ~> sdbootutil -v --ask-pin update-predictions Error: Can't determine root subvolume After that, tried # systemd-cryptenroll to see if the PC could boot in default mode and got: No device specified, defaulting to '/dev/nvme0n1p2'. SLOT TYPE 1 tpm2 2 recovery But the fact that can't determine root subvolume and there's not a device, I'm afraid after rebooting, instead of getting the recovery key prompt, I simply will be unable to boot. So, as a summary: * I'm getting asked for a recovery key after an update. * None of the provided solutions ITT seems to work, and * I may have made it worse and I don't know why. -- You are receiving this mail because: You are on the CC list for the bug.