
Bug#1065392: Additional information : secure boot involved



Hello,

I made additional tests this morning showing that the problem is
related to the secure boot (even when the secure-boot-policy PCR binding
is not used).

- secure boot enabled, no PCR binding (--tpm2-pcrs="" passed to
  systemd-cryptenroll) : OK

- secure boot enabled, PCR binding (--tpm2-pcrs=any value other than 7
  passed to systemd-cryptenroll) : NOK

- secure boot disabled, PCR binding (--tpm2-pcrs=any value other than 7
  passed to systemd-cryptenroll) : OK

According to the systemd-cryptenroll manual, if no PCR binding is
specified the default is to use PCR 7 only. I can infer that when a
PCR value other than 7 is passed to systemd-cryptenroll, the
secure-boot-policy binding does not apply.

In conclusion, linux-image-6.7.7-amd64 fails to decrypt the LUKS volume
with tpm2 when secure boot is enabled and a PCR binding is used.

Due to the secure boot involvement, this is not something that I can debug
myself using git bisect (https://wiki.debian.org/DebianKernel/GitBisect
says secure boot should be disabled).

Best regards
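To see which of the three cases above a given machine is in, it helps to read the PCR selection stored in each systemd-tpm2 LUKS2 token. The following is an added helper, not part of the bug report or of systemd, that classifies the tokens in a `cryptsetup luksDump --dump-json-metadata` dump; the embedded metadata is a constructed sample and the token field names (`systemd-tpm2`, `tpm2-pcrs`, `keyslots`) are assumed from systemd's token format.

```python
import json

SECURE_BOOT_POLICY_PCR = 7  # PCR 7 carries the Secure Boot policy measurements

# Constructed sample of LUKS2 JSON metadata, shaped like the output of
# `cryptsetup luksDump --dump-json-metadata <dev>`; the systemd-tpm2 token
# layout is an assumption based on systemd's documented token format.
SAMPLE_METADATA = json.dumps({
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7]},
        "1": {"type": "systemd-tpm2", "keyslots": ["2"], "tpm2-pcrs": [0, 2, 4]},
        "2": {"type": "systemd-tpm2", "keyslots": ["3"], "tpm2-pcrs": []},
        "3": {"type": "systemd-recovery", "keyslots": ["4"]},
    }
})


def tpm2_bindings(metadata_json):
    """Return {keyslot: sorted PCR list} for every systemd-tpm2 token."""
    meta = json.loads(metadata_json)
    bindings = {}
    for token in meta.get("tokens", {}).values():
        if token.get("type") != "systemd-tpm2":
            continue  # recovery keys and other token types are not TPM-bound
        pcrs = sorted(int(p) for p in token.get("tpm2-pcrs", []))
        for slot in token.get("keyslots", []):
            bindings[int(slot)] = pcrs
    return bindings


def classify(pcrs):
    """Map a PCR selection onto the cases exercised in the report."""
    if not pcrs:
        return "no PCR binding (--tpm2-pcrs=\"\"): unlock ignores boot measurements"
    if pcrs == [SECURE_BOOT_POLICY_PCR]:
        return "PCR 7 only: default enrolment, secure-boot-policy binding"
    if SECURE_BOOT_POLICY_PCR in pcrs:
        return "PCR 7 plus other PCRs"
    return "PCRs other than 7: the case reported to fail with secure boot on"


def report(metadata_json):
    """Classify every TPM-bound keyslot in the dump."""
    return {slot: classify(p) for slot, p in tpm2_bindings(metadata_json).items()}


if __name__ == "__main__":
    for slot, verdict in sorted(report(SAMPLE_METADATA).items()):
        print(f"keyslot {slot}: {verdict}")
```

Run it against a real dump by replacing `SAMPLE_METADATA` with the output of `cryptsetup luksDump --dump-json-metadata` on the encrypted device.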

