CentOS / centos-bootc

Create and maintain base bootable container images from Fedora ELN and CentOS Stream packages
https://centos.github.io/centos-bootc

fedora-bootc:eln install to-disk with LUKS + TPM broken #464

Closed jmpolom closed 2 months ago

jmpolom commented 3 months ago

Upon first reboot after installing the latest fedora-bootc image with bootc install to-disk --block-setup tpm2-luks /dev/diskX, the LUKS encrypted root device fails to unlock via TPM. Eventually dracut times out and drops into a rescue shell in the initrd. The cryptsetup unit fails with the error "Current policy digest does not match stored policy digest, cancelling TPM2 authentication attempt." Further, the error "No passphrase or recovery key registered" is also printed.

Looks like between tags eln-1710868505 and eln-1711401621 the fedora-bootc image began exhibiting this failure with the systemd-cryptsetup units on boot after install. It was working in the earlier build but now does not. I noticed a similar issue with a custom Fedora 39 based image (see https://github.com/containers/bootc/issues/421) build which also failed to unlock the LUKS root via TPM on reboot after install.

Between the two builds some packages were updated. None of the ones I've looked at seem like obvious culprits though. It seems like this issue was most likely something changing in a package update?

jmpolom commented 2 months ago

Update: this is due to an update to the shim package from 15.6-2 to 15.8-3 that manifests as a difference in PCR 7 hashes. This may be due to version disagreement between the shim version in the installation OS/environment that's booted and from where the bootc install process is invoked.

jmpolom commented 2 months ago

bootc needs more configurability over the LUKS+TPM install process to avoid this issue in the future. See: https://github.com/containers/bootc/issues/421
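The failure described in this thread follows from how a TPM2 PCR policy is built: PCR 7 is a running hash of the Secure Boot measurements, and the LUKS token stores a policy digest computed over that PCR at enrollment time, so any change to one measured event (here, the shim update) yields a different policy digest at boot. The following is an added illustration, not code from centos-bootc, bootc or systemd; it replays PCR 7 over constructed event digests (the `ev()` labels are placeholders, not real shim measurements) and computes the TPM2_PolicyPCR digest the TPM compares against the stored one.

```python
import hashlib

# TPM 2.0 constants (TPM 2.0 Library spec, Part 2)
TPM_CC_POLICY_PCR = (0x0000017F).to_bytes(4, "big")
TPM_ALG_SHA256 = (0x000B).to_bytes(2, "big")
# Marshalled TPML_PCR_SELECTION selecting only PCR 7 in the SHA-256 bank:
# count=1, hash=SHA256, sizeofSelect=3, pcrSelect has bit 7 of byte 0 set.
PCR7_SELECTION = (1).to_bytes(4, "big") + TPM_ALG_SHA256 + b"\x03" + b"\x80\x00\x00"


def pcr_extend(pcr: bytes, event_digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || event_digest)."""
    return hashlib.sha256(pcr + event_digest).digest()


def replay_pcr7(event_digests: list[bytes]) -> bytes:
    """Replay PCR 7 from its reset value (all zeros) over the measured events."""
    pcr = bytes(32)
    for d in event_digests:
        pcr = pcr_extend(pcr, d)
    return pcr


def policy_pcr_digest(pcr7: bytes) -> bytes:
    """TPM2_PolicyPCR on a fresh session (policyDigest starts at zeros):
    policy = H(0^32 || TPM_CC_PolicyPCR || pcrSelection || H(selected PCR values))."""
    pcr_digest = hashlib.sha256(pcr7).digest()
    return hashlib.sha256(bytes(32) + TPM_CC_POLICY_PCR + PCR7_SELECTION + pcr_digest).digest()


def unlock_allowed(stored_policy: bytes, booted_events: list[bytes]) -> bool:
    """True only if the policy the TPM computes at boot equals the one sealed
    at enrollment; otherwise systemd-cryptsetup reports
    'Current policy digest does not match stored policy digest'."""
    return policy_pcr_digest(replay_pcr7(booted_events)) == stored_policy


def ev(label: str) -> bytes:
    # Constructed stand-in for one PCR 7 event digest (SecureBoot variable, PK,
    # KEK, db, dbx, and the authority shim was verified against). Real digests
    # come from the TCG event log, e.g. /sys/kernel/security/tpm0/binary_bios_measurements.
    return hashlib.sha256(label.encode()).digest()


# Enrollment-time boot (shim 15.6-2 in this issue) vs. post-update boot (shim 15.8-3):
# the only difference modelled here is the digest contributed by shim's measurement.
EVENTS_AT_ENROLL = [ev("SecureBoot=1"), ev("PK"), ev("KEK"), ev("db"), ev("dbx"), ev("authority:shim-15.6")]
EVENTS_AFTER_UPDATE = EVENTS_AT_ENROLL[:-1] + [ev("authority:shim-15.8")]
STORED_POLICY = policy_pcr_digest(replay_pcr7(EVENTS_AT_ENROLL))  # what enrollment sealed

if __name__ == "__main__":
    print("same shim unlocks:   ", unlock_allowed(STORED_POLICY, EVENTS_AT_ENROLL))
    print("updated shim unlocks:", unlock_allowed(STORED_POLICY, EVENTS_AFTER_UPDATE))
```

On a real host the value to compare is the live PCR the kernel exposes at /sys/class/tpm/tpm0/pcr-sha256/7, read after the shim package is updated but before rebooting. A mismatch against the enrollment-time value means the TPM binding must be re-enrolled (or the recovery key used) before the automatic unlock path will succeed again.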