After struggling to understand what to do, and encountering some errors along the way, I've updated the instructions and scripts in the following ways:
- Made all the scripts executable (had a failure with the service file because it couldn't execute `tpm2PolicyConfig`).
- Added PCR 8 to the seal, based on some information I found online that it's the GRUB, kernel, and boot command lines. Note: I didn't have issues like #5, even after a dist-upgrade after sealing against a fresh, un-updated Ubuntu install, although I can see the risk.
- Updated README.md with step-by-step instructions.
- Updated the script with information regarding which password/passphrase is being requested (I didn't know, for instance, that one of the passwords I was entering was for the MOK Enrollment).
- Removed the service file, and instead instructed to run `tpm2PolicyConfig` directly after the conditions have been met. I could be wrong on this, but I had to do some work turning Secure Boot off for Step 1, then back on after Step 1 but before Step 2. This also seemed to help with clarity about what was going on, and whether it was successful.
- Taking the persistent handle right from the output of `tpm2_evictcontrol` (while still printing it to the terminal); this fixes #8 (which I also encountered).
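As an added illustration of the last item (example code, not the PR's own script), the shell function below captures the persistent handle from `tpm2_evictcontrol` output while `tee` keeps that output visible on the terminal. It assumes tpm2-tools prints a `persistent-handle: 0x8100xxxx` line; the sample output it runs against is constructed.

```shell
#!/bin/sh
# Added example (not the PR's script): extract the persistent handle from
# tpm2_evictcontrol output while still echoing that output to the terminal.
# Assumes tpm2-tools prints a "persistent-handle: 0x8100xxxx" line.

# Constructed sample of tpm2_evictcontrol output, so this runs offline.
SAMPLE_EVICTCONTROL_OUTPUT='persistent-handle: 0x81010001
action: persisted'

# Read evictcontrol output on stdin, pull out the handle and check that it
# lies in the persistent-object range (0x81000000-0x81FFFFFF). Print it on
# success, fail otherwise, so a caller never seals against an empty or
# malformed handle.
extract_persistent_handle() {
    handle=$(sed -n 's/^persistent-handle:[[:space:]]*\(0x[0-9A-Fa-f]\{8\}\).*/\1/p' | head -n 1)
    case "$handle" in
        0x81[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f])
            printf '%s\n' "$handle" ;;
        *)
            echo "no valid persistent handle in tpm2_evictcontrol output" >&2
            return 1 ;;
    esac
}

# Against a real TPM the call looks like this: tee shows the full output on
# the terminal while the handle is captured for the sealing step.
#   HANDLE=$(tpm2_evictcontrol -C o -c key.ctx | tee /dev/tty | extract_persistent_handle)

# Demonstration on the constructed sample output.
demo_handle() {
    printf '%s\n' "$SAMPLE_EVICTCONTROL_OUTPUT" | extract_persistent_handle
}
```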