Bug#1065392: Additional information : secure boot involved
Hello,
I made additional tests this morning showing that the problem is
related to secure boot (even when the secure-boot-policy PCR binding
is not used).
- secure boot enabled, no PCR binding (--tpm2-pcrs="" passed to
systemd-cryptenroll) : OK
- secure boot enabled, PCR binding (--tpm2-pcrs=any value other than 7
passed to systemd-cryptenroll) : NOK
- secure boot disabled, PCR binding (--tpm2-pcrs=any value other than 7
passed to systemd-cryptenroll) : OK
According to the systemd-cryptenroll manual, if no PCR binding is
specified the default is to use PCR 7 only. I can infer that when a
PCR value other than 7 is passed to systemd-cryptenroll, the
secure-boot-policy binding does not apply.
In conclusion, linux-image-6.7.7-amd64 fails to decrypt the LUKS volume
with tpm2 when secure boot is enabled and a PCR binding is used.
Due to the secure boot involvement, this is not something that I can debug
myself using git bisect (https://wiki.debian.org/DebianKernel/GitBisect
says secure boot should be disabled).
Best regards
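Added example, not code from the bug report above or from systemd: two small helpers for reproducing the test matrix in the report, one that decodes the firmware's SecureBoot EFI variable (4 attribute bytes followed by one data byte, GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c) and one that parses a systemd-cryptenroll --tpm2-pcrs value into the set of PCR indexes it selects, so you can tell whether a given enrollment binds PCR 7 (secure-boot-policy). The PCR name table is written from memory of the systemd documentation and is an assumption; check the man page of the systemd version you run, and note that an omitted option (None here) defaults to PCR 7 while an empty string means no PCR binding.

```python
"""Helpers for the systemd-cryptenroll / secure boot test matrix (added example)."""
from typing import Optional, Set

# PCR names accepted by systemd-cryptenroll --tpm2-pcrs.
# Assumption: table reproduced from the systemd documentation from memory;
# verify against `man systemd-cryptenroll` for your version.
PCR_NAMES = {
    "platform-code": 0, "platform-config": 1, "external-code": 2,
    "external-config": 3, "boot-loader-code": 4, "boot-loader-config": 5,
    "secure-boot-policy": 7, "kernel-initrd": 9, "ima": 10, "kernel-boot": 11,
    "kernel-config": 12, "sysexts": 13, "shim-policy": 14,
    "system-identity": 15, "debug": 16, "application-support": 23,
}

SECURE_BOOT_PCR = 7

# EFI_GLOBAL_VARIABLE GUID; efivarfs exposes the variable under this name.
SECURE_BOOT_EFIVAR = (
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
)


def parse_tpm2_pcrs(spec: Optional[str]) -> Set[int]:
    """Return the PCR indexes a --tpm2-pcrs value selects.

    None  -> option omitted, systemd defaults to PCR 7
    ""    -> explicit empty list, no PCR binding at all
    Items are '+'-separated and may be a bare index, a PCR name, or the
    NR:ALG=HEX form (an explicit expected value; the value is ignored here).
    """
    if spec is None:
        return {SECURE_BOOT_PCR}
    pcrs: Set[int] = set()
    for item in filter(None, spec.split("+")):
        head = item.split(":", 1)[0].strip()
        if head.isdigit():
            idx = int(head)
        elif head in PCR_NAMES:
            idx = PCR_NAMES[head]
        else:
            raise ValueError(f"unknown PCR specifier {item!r}")
        if not 0 <= idx <= 23:
            raise ValueError(f"PCR index out of range: {idx}")
        pcrs.add(idx)
    return pcrs


def binds_secure_boot_policy(spec: Optional[str]) -> bool:
    """True if the enrollment would be bound to PCR 7 (secure-boot-policy)."""
    return SECURE_BOOT_PCR in parse_tpm2_pcrs(spec)


def secure_boot_enabled(efivar_contents: bytes) -> bool:
    """Decode the SecureBoot variable as read from efivarfs: 4 bytes of
    variable attributes, then one data byte (1 = enabled, 0 = disabled)."""
    if len(efivar_contents) < 5:
        raise ValueError("SecureBoot efivar contents too short")
    return efivar_contents[4] == 1


def read_secure_boot_state(path: str = SECURE_BOOT_EFIVAR) -> Optional[bool]:
    """Read the live SecureBoot state; None if not booted via UEFI or
    efivarfs is not mounted."""
    try:
        with open(path, "rb") as f:
            return secure_boot_enabled(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed inputs mirroring the three cases in the report above.
    for sb, spec in [(True, ""), (True, "0+2+4"), (False, "0+2+4")]:
        print(f"secure boot={'on' if sb else 'off'} "
              f"--tpm2-pcrs={spec!r} -> PCRs {sorted(parse_tpm2_pcrs(spec))}, "
              f"PCR 7 bound: {binds_secure_boot_policy(spec)}")
    print("live SecureBoot state:", read_secure_boot_state())
```

When filing follow-ups on a report like this one, pairing the output of read_secure_boot_state() with the exact --tpm2-pcrs value used removes the ambiguity between "omitted" (PCR 7 by default) and "empty" (no binding), which is what the matrix above hinges on.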