12 Feb 2024 08:21
On 2024-02-10 06:27, Andrei Borzenkov wrote:
Well, every time there are significant changes I have to enter the LUKS password on reboot until I run "sdbootutil update-predictions". Happened just now. I did check before reboot that /boot/efi/EFI/systemd/tpm2-pcr-public-key.pem and tpm2-pcr-signature.json had a current timestamp, which means sdbootutil has been called during update. But after I rebooted and ran "sdbootutil update-predictions" I got entirely different signatures in the signature.json file. So my best guess is that sdbootutil (or whatever does it) fails to *predict* the correct signatures and TPM2 unlock fails.
Indeed, that seems to be the case. I created this: https://bugzilla.opensuse.org/show_bug.cgi?id=1219807 to track this.