[Bug 1230909] Encrypting Home Partition (/home) with systemd-boot and systemd-cryptsetup at boot fails.
https://bugzilla.suse.com/show_bug.cgi?id=1230909

https://bugzilla.suse.com/show_bug.cgi?id=1230909#c7

--- Comment #7 from Alberto Planas Dominguez <aplanas@suse.com> ---
(In reply to Lucky from comment #5)

Thanks for reporting back!
There is no pcrlock.json in /var - Evidence from my machine
OK, that is bad. /var/lib/systemd/pcrlock.json should be there.
I am not sure how to check it is in the ESP.
ls /boot/efi/EFI/systemd/pcrlock.json, but I guess that this should be missing too?

Let's start checking the basics. Let's see what is enrolled:

# check the slots in rootfs. Replace $ROOTFS with the correct device
systemd-cryptenroll /dev/$ROOTFS

# same for home
systemd-cryptenroll /dev/$HOME

There should be maybe a "recovery", a "password" and a "tpm2" slot. It is OK if the recovery is missing, but not the TPM2 one, as this will indicate that the TPM2 was never enrolled.

We can try to re-enroll the TPM2, following https://en.opensuse.org/Portal:MicroOS/FDE#Re-enrollment

# Remove the current policy and unenroll all devices
sdbootutil unenroll --method=tpm2

# Make a new policy and enroll all devices
PIN=<selected recovery PIN, like the current password used> sdbootutil enroll --method=tpm2
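The two checks from the comment above (is pcrlock.json present, and is a tpm2 slot enrolled), as an added example that is not part of the bug report or of sdbootutil/systemd. The function names, the optional root-prefix argument and the sample listing are assumptions made for illustration; the parser assumes the two-column SLOT/TYPE listing that `systemd-cryptenroll <device>` prints.

```shell
#!/bin/sh
# Added example, not code from the bug report.

# Report whether pcrlock.json exists (and is non-empty) at the two paths
# named in the comment. $1 is an optional root prefix (assumption, so the
# check can be pointed at a mounted image or a test directory).
pcrlock_status() {
    root="${1:-}"
    for f in /var/lib/systemd/pcrlock.json /boot/efi/EFI/systemd/pcrlock.json; do
        if [ -s "$root$f" ]; then
            echo "present $f"
        else
            echo "missing $f"
        fi
    done
}

# Read a SLOT/TYPE listing on stdin, e.g.
#   systemd-cryptenroll /dev/<device> | slot_status
# Prints one verdict per slot type the comment mentions and returns
# non-zero when no tpm2 slot is enrolled.
slot_status() {
    awk '
        NR == 1 && $1 == "SLOT" { next }      # skip the header row
        $1 ~ /^[0-9]+$/ { seen[$2]++ }        # count slots by type
        END {
            n = split("tpm2 password recovery", want, " ")
            for (i = 1; i <= n; i++) {
                t = want[i]
                printf "%s %s\n", t, (seen[t] ? "enrolled" : "missing")
            }
            # Per the comment: a missing recovery slot is acceptable,
            # a missing tpm2 slot means the TPM2 was never enrolled.
            exit (seen["tpm2"] ? 0 : 1)
        }'
}

# Constructed sample listing: password and recovery present, no tpm2 slot.
SAMPLE_LISTING='SLOT TYPE
   0 password
   1 recovery'
```

A non-zero return from `slot_status` on either the root or the home device is the case where the re-enrollment steps in the comment apply.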