On 18.01.2024 22:06, aplanas wrote:
On 2024-01-18 18:01, Andrei Borzenkov wrote:
On 21.12.2023 15:47, aplanas wrote:
Hi,
I had to manually enter LUKS password after "transactional-update dup" until I manually run "sdbootutil update-predictions". Is it expected?
No. That should be automatic. "sdbootutil" is called after the end of any transaction.
Last week we fixed some bugs in pcr-oracle, dracut-pcr-signature and sdbootutil itself. I think that most of the fixes should be going into Factory now, but none is related to not calling sdbootutil after an upgrade.
Well, every time there are significant changes I have to enter the LUKS password on reboot until I run "sdbootutil update-predictions". It happened just now. I did check before rebooting that /boot/efi/EFI/systemd/tpm2-pcr-public-key.pem and tpm2-pcr-signature.json had a current timestamp, which means sdbootutil had been called during the update. But after I rebooted and ran "sdbootutil update-predictions" I got entirely different signatures in the signature.json file. So my best guess is that sdbootutil (or whatever does it) fails to *predict* the correct signatures and the TPM2 unlock fails.
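A small check for the situation described in this thread, added here as an example and not code from sdbootutil, pcr-oracle or systemd: it recomputes the TPM2 PolicyPCR digest from the live PCR values and tells you whether any entry in tpm2-pcr-signature.json actually matches what the TPM holds after reboot. It assumes the systemd-measure JSON layout (a "sha256" list of objects with "pcrs", "pkfp", "pol", "sig"), a zero starting policy digest, a SHA-256 bank, and PCR values readable from /sys/class/tpm/tpm0/pcr-sha256/<n>; the sample signature file and PCR values are constructed.

```python
import hashlib
import json

TPM_CC_POLICY_PCR = bytes.fromhex("0000017F")  # TPM2 command code for PolicyPCR
TPM_ALG_SHA256 = bytes.fromhex("000B")


def pcr_selection(pcrs):
    """Marshal a TPML_PCR_SELECTION with one SHA-256 bank covering the given PCRs."""
    bitmap = bytearray(3)
    for p in pcrs:
        bitmap[p // 8] |= 1 << (p % 8)
    return b"\x00\x00\x00\x01" + TPM_ALG_SHA256 + b"\x03" + bytes(bitmap)


def policy_pcr(pcrs, values):
    """PolicyPCR digest (hex) from an all-zero starting policy; values maps PCR index -> 32 bytes."""
    pcr_digest = hashlib.sha256(b"".join(values[p] for p in sorted(pcrs))).digest()
    return hashlib.sha256(
        b"\x00" * 32 + TPM_CC_POLICY_PCR + pcr_selection(pcrs) + pcr_digest
    ).hexdigest()


def read_live_pcr(index, base="/sys/class/tpm/tpm0/pcr-sha256"):
    """Read one live SHA-256 PCR value from the kernel's sysfs interface (assumed path)."""
    with open(f"{base}/{index}") as f:
        return bytes.fromhex(f.read().strip())


def matching_entries(signature_json, live):
    """Entries of tpm2-pcr-signature.json whose predicted policy matches the live PCRs."""
    doc = json.loads(signature_json)
    return [e for e in doc.get("sha256", [])
            if e["pol"].lower() == policy_pcr(e["pcrs"], live)]


# Constructed sample: what a prediction run wrote, versus what the TPM shows after reboot.
PREDICTED_PCR11 = hashlib.sha256(b"constructed predicted PCR 11 value").digest()
ACTUAL_PCR11 = hashlib.sha256(b"constructed post-reboot PCR 11 value").digest()
SAMPLE_SIGNATURE_JSON = json.dumps({"sha256": [{
    "pcrs": [11],
    "pkfp": "placeholder-public-key-fingerprint",
    "pol": policy_pcr([11], {11: PREDICTED_PCR11}),
    "sig": "placeholder-signature",
}]})


def diagnose(signature_json, live):
    """True if the stored prediction covers the live PCR state (unlock should succeed)."""
    return bool(matching_entries(signature_json, live))
```

On a real system call diagnose(open(".../tpm2-pcr-signature.json").read(), {11: read_live_pcr(11)}); a False result means the stored prediction does not describe the booted state, which is exactly the case where the LUKS passphrase prompt appears.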