Closed jmpolom closed 2 months ago
Update: this is due to an update to the shim package from 15.6-2 to 15.8-3 that manifests as a difference in PCR 7 hashes. This may be due to version disagreement between the shim version in the installation OS/environment that's booted and from where the `bootc install` process is invoked.

bootc needs more configurability over the LUKS+TPM install process to avoid this issue in the future. See: https://github.com/containers/bootc/issues/421
Upon first reboot after installing the latest fedora-bootc image with

```
bootc install to-disk --block-setup tpm2-luks /dev/diskX
```

the LUKS encrypted root device fails to unlock via TPM. Eventually dracut times out and drops into a rescue shell in the initrd. The cryptsetup unit fails with a `Current policy digest does not match stored policy digest, cancelling TPM2 authentication attempt.` error. Further, an error of `No passphrase or recovery key registered` is also printed.

Looks like between tags `eln-1710868505` and `eln-1711401621` the fedora-bootc image began exhibiting this failure with the systemd-cryptsetup units on boot after install. It was working in the earlier build but now does not. I noticed a similar issue with a custom Fedora 39 based image (see https://github.com/containers/bootc/issues/421) build which also failed to unlock the LUKS root via TPM on reboot after install.

Between the two builds some packages were updated. None of the ones I've looked at seem like obvious culprits though. It seems like this issue was most likely something changing in a package update?
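The mismatch reported above, as an added example that is not code from bootc or this issue: it replays a constructed PCR 7 event chain through the TPM2 extend rule and computes the `TPM2_PolicyPCR` digest the way the TPM 2.0 spec defines it, so you can see why swapping one measured boot component (here a stand-in for the shim update) yields a different policy digest than the one sealed at enrollment. The event strings and the `policy_matches` helper are assumptions for illustration; only the extend and PolicyPCR formulas are from the spec.

```python
import hashlib
import struct

TPM_CC_POLICYPCR = 0x0000017F  # TPM2_PolicyPCR command code (TPM 2.0 Part 2)
TPM_ALG_SHA256 = 0x000B        # hash algorithm id of the SHA-256 PCR bank


def pcr_extend(pcr: bytes, event_digest: bytes) -> bytes:
    """TPM PCR extend: new_pcr = H(old_pcr || event_digest)."""
    return hashlib.sha256(pcr + event_digest).digest()


def simulate_pcr(events: list[bytes]) -> bytes:
    """Replay event payloads into an all-zero SHA-256 PCR, as firmware does at boot."""
    pcr = bytes(32)
    for ev in events:
        pcr = pcr_extend(pcr, hashlib.sha256(ev).digest())
    return pcr


def policy_pcr_digest(pcr_index: int, pcr_value: bytes) -> bytes:
    """TPM2_PolicyPCR over one SHA-256 PCR, starting from an empty policy:
    policyDigest = H(zeros || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(pcr_value))."""
    select = bytearray(3)                      # sizeofSelect = 3 covers PCRs 0..23
    select[pcr_index // 8] |= 1 << (pcr_index % 8)
    pcrs = struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)
    pcr_digest = hashlib.sha256(pcr_value).digest()
    return hashlib.sha256(
        bytes(32) + struct.pack(">I", TPM_CC_POLICYPCR) + pcrs + pcr_digest
    ).digest()


def policy_matches(enrolled_events: list[bytes], boot_events: list[bytes]) -> bool:
    """True only if the PCR 7 policy sealed at enrollment equals the one current at boot."""
    stored = policy_pcr_digest(7, simulate_pcr(enrolled_events))
    current = policy_pcr_digest(7, simulate_pcr(boot_events))
    return stored == current


# Constructed stand-ins for PCR 7 events; real logs carry Secure Boot variable
# and EV_EFI_VARIABLE_AUTHORITY measurements, not these strings.
ENROLL_EVENTS = [b"SecureBoot=1", b"PK", b"KEK", b"db", b"dbx", b"authority: shim-15.6-2"]
BOOT_EVENTS = [b"SecureBoot=1", b"PK", b"KEK", b"db", b"dbx", b"authority: shim-15.8-3"]

if __name__ == "__main__":
    print("same shim:", policy_matches(ENROLL_EVENTS, ENROLL_EVENTS))   # True
    print("updated shim:", policy_matches(ENROLL_EVENTS, BOOT_EVENTS))  # False
```

A defender checking a machine can compare `tpm2_pcrread sha256:7` against the value recorded when the volume was enrolled; any difference means the sealed policy will not authorize unsealing until the key is re-enrolled under the new measurements.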