tpm2-software / tpm2-totp

Attest the trustworthiness of a device against a human using time-based one-time passwords
https://tpm2-software.github.io
BSD 3-Clause "New" or "Revised" License

How to debug incorrect TOTP values? #109

Closed karolpiczak closed 2 months ago

karolpiczak commented 3 months ago

I am trying to integrate tpm2-totp with Fedora 40 Workstation (dracut hooks).

After tpm2-totp -P - -p 0,1,2,4,5,7 init, TOTP generation and verification work fine when calling tpm2-totp show and plymouth-tpm2-totp on the running system. However, during the boot-up phase (before LUKS unlock) the codes are shown, but they differ from the expected values. After LUKS unlock and full boot, calling tpm2-totp show once again returns correct values.

I have verified that the time signatures in both cases are correct. What would be the best approach to debug this discrepancy in values generated during the boot process?

karolpiczak commented 2 months ago

I have found the culprit here. It seems that despite reporting the same effective timestamp to the user, one case seemed to be using the UTC clock directly, and the other adjusted it for time zone information.

I have successfully remedied the situation by adjusting the firmware clock to use UTC all along: timedatectl set-local-rtc 0
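As an added illustration of the root cause described in this thread (this is example code written for this page, not part of tpm2-totp), the block below implements RFC 6238 TOTP over a fixed demo key and shows how a real-time clock that stores local time but is read as UTC shifts the TOTP counter by the zone offset, so the initramfs and the booted system derive different codes from what looks like "the same" displayed time. The helper explain_mismatch is a constructed diagnostic: given the correct UTC time and the wrong code that was displayed, it reports which whole-hour RTC offset would reproduce that code. The demo key is the RFC 6238 test key, not a TPM-held secret; function and parameter names are assumptions for this example.

```python
"""Added example (not tpm2-totp project code): RFC 6238 TOTP and the effect of
an RTC kept in local time but interpreted as UTC."""
import hashlib
import hmac
import struct

TOTP_STEP = 30      # RFC 6238 default time step in seconds
TOTP_DIGITS = 6

# Constructed demo secret: the RFC 4226/6238 test key. tpm2-totp keeps its
# secret sealed in the TPM; it is never exposed as a plain byte string like this.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(unix_time: int, step: int = TOTP_STEP) -> int:
    """RFC 6238 time-step counter for a given Unix time (seconds since epoch, UTC)."""
    return unix_time // step


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(secret, totp_counter(unix_time, step))


def totp_with_rtc_skew(secret: bytes, true_utc: int, rtc_offset_seconds: int) -> str:
    """Code produced by a consumer that reads an RTC holding local time
    (UTC + rtc_offset_seconds) and treats that value as UTC without correction."""
    return totp(secret, true_utc + rtc_offset_seconds)


def explain_mismatch(secret: bytes, true_utc: int, observed_code: str,
                     candidate_offsets_hours=range(-12, 15)) -> list:
    """Diagnostic (constructed for this example): list the whole-hour RTC offsets
    that would make a clock-skewed consumer emit observed_code at true_utc.
    An empty list means the discrepancy is not explained by a zone offset."""
    return [h for h in candidate_offsets_hours
            if totp(secret, true_utc + h * 3600) == observed_code]


if __name__ == "__main__":
    now = 1234567890  # fixed UTC time from the RFC 6238 test vectors
    correct = totp(DEMO_SECRET, now)
    skewed = totp_with_rtc_skew(DEMO_SECRET, now, 2 * 3600)  # RTC in a UTC+2 zone
    print("counter (UTC)      :", totp_counter(now), "->", correct)
    print("counter (RTC +2h)  :", totp_counter(now + 2 * 3600), "->", skewed)
    print("offsets explaining the skewed code:",
          explain_mismatch(DEMO_SECRET, now, skewed))
```

The two consumers in the issue agreed on the displayed wall-clock time only because one of them had already subtracted the zone offset; the TOTP counter, however, is computed from raw seconds since the epoch, so a one- or two-hour difference in the value fed to the counter is 120 or 240 steps away and yields an unrelated code. Setting the RTC to UTC (timedatectl set-local-rtc 0) removes the need for any consumer to apply a correction, which is why it fixes both the initramfs and the running system at once.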