Expected behaviour you didn't see
The automatic LUKS unlock by the systemd-gpt-auto generator calling
/usr/bin/systemd-cryptsetup attach root /dev/gpt-auto-root-luks "" fido2-device=auto
Unexpected behaviour you saw
Attempted (and failed) LUKS unlock by the systemd-gpt-auto generator calling
/usr/bin/systemd-cryptsetup attach root /dev/gpt-auto-root-luks "" tpm2-device=auto,tpm2-measure-pcr=yes
when no tpm keyslot was previously configured by systemd-cryptenroll.
Then automatic fallback to recovery passphrase unlock
Steps to reproduce the problem
1. Configure system with a LUKS-protected rootfs in a DPS GPT partition, along with a TPM installed (for measured boot) but unused for LUKS key storage.
2. Configure the LUKS keyslots as follows:
   i. Slot 0: Recovery Passphrase
   ii. Slot 1: Fido2 token
   iii. Slots 2-7: Empty
3. Attempt to boot the system
Additional program output to the terminal or log subsystem illustrating the issue
Ideally, gpt-auto-generator should check the existing LUKS keyslot contents of the discovered root partition prior to adding the tpm2-device=auto or fido2-device=auto options, where relevant
systemd version the issue has been seen with
255 (255.5-3-arch)
Used distribution
CachyOS (rolling)
Linux kernel version used
6.8.8-2-cachyos
CPU architectures issue was seen on
x86_64
Component
systemd-cryptsetup, systemd-gpt-auto-generator
Additional program output to the terminal or log subsystem illustrating the issue
Likely related to #30176 / #30185
cryptenroll output:
Relevant bootctl logs for systemd-cryptsetup and systemd-gpt-auto-generator (in debug mode):
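The keyslot check requested in this report, sketched as an added example that is not part of the original issue or systemd's code: it reads LUKS2 JSON metadata (as printed by `cryptsetup luksDump --dump-json-metadata`) and emits `tpm2-device=auto` or `fido2-device=auto` only when a matching token is bound to an existing keyslot. The function names, the selection policy and the sample metadata are assumptions constructed for illustration.

```python
import json

# Token "type" values written by systemd-cryptenroll, mapped to the option
# strings quoted in the issue. Treating this mapping as the selection policy
# is an assumption of this example, not systemd's implementation.
TOKEN_OPTIONS = {
    "systemd-tpm2": "tpm2-device=auto,tpm2-measure-pcr=yes",
    "systemd-fido2": "fido2-device=auto",
}


def enrolled_token_types(metadata_json):
    """Return the token types bound to at least one keyslot that still exists."""
    meta = json.loads(metadata_json)
    keyslots = set(meta.get("keyslots", {}))
    found = set()
    for token in meta.get("tokens", {}).values():
        # A token whose keyslots were all removed cannot unlock the volume.
        if keyslots.intersection(token.get("keyslots", [])):
            found.add(token.get("type"))
    return found


def unlock_options(metadata_json):
    """Build the option string for systemd-cryptsetup; "" means passphrase only."""
    types = enrolled_token_types(metadata_json)
    return ",".join(opt for name, opt in TOKEN_OPTIONS.items() if name in types)


# Constructed metadata matching the report: slot 0 passphrase, slot 1 FIDO2
# token, no TPM2 enrollment. Real headers carry many more fields.
REPORTED_LAYOUT = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-fido2", "keyslots": ["1"]}},
})

# Constructed edge case: a TPM2 token left behind after its keyslot was wiped.
STALE_TPM2 = json.dumps({
    "keyslots": {"0": {"type": "luks2"}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["3"]}},
})

if __name__ == "__main__":
    for label, doc in (("reported", REPORTED_LAYOUT), ("stale", STALE_TPM2)):
        print(label, "->", unlock_options(doc) or "(passphrase only)")
```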