I’ve installed opensuse tumbleweed on bare metal using the usual btrfs layout, and luks encryption (but no lvm). I followed this guide also: Quickstart in Full Disk Encryption with TPM and YaST2 - openSUSE News
However when I rebooted after that, the splash screen warned of not being able to measure PCR 15 or something, and I had to add measure-pcr-validator.ignore=yes
to be able to boot. After booting, I followed the instructions here: Portal:MicroOS/FDE - openSUSE Wiki, both verbatim and also just with pcr 7, but both times my system just asks for my passphrase/recovery key instead.
Also, this is the output of journalctl -b 0 | grep -i "tpm":
May 09 00:03:47 localhost kernel: efi: TPMFinalLog=0xdc8e4000 ACPI 2.0=0xdc87d000 ACPI=0xdc87d000 SMBIOS=0xdd584000 SMBIOS 3.0=0xdd583000 MEMATTR=0xd99f5018 ESRT=0xd9d69c18 MOKvar=0xdd5a4000 RNG=0xdc3e2f18 INITRD=0xd6fb5b18 TPMEventLog=0xdc3e0018
May 09 00:03:47 localhost kernel: ACPI: TPM2 0x00000000DC88D0B8 000038 (v04 ALASKA A M I 00000001 AMI 00000000)
May 09 00:03:47 localhost kernel: ACPI: Reserving TPM2 table memory at [mem 0xdc88d0b8-0xdc88d0ef]
May 09 00:03:47 localhost kernel: tpm_crb MSFT0101:00: Disabling hwrng
May 09 00:03:47 localhost systemd[1]: systemd 257.5+suse.8.gc10a66fb4d running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
May 09 00:03:49 localhost systemd[1]: Starting Import TPM2 crendentials into the initrd...
May 09 00:03:49 localhost systemd[1]: Finished Import TPM2 crendentials into the initrd.
May 09 00:04:18 localhost systemd[1]: Stopped Import TPM2 crendentials into the initrd.
May 08 18:04:19 localhost systemd[1]: systemd 257.5+suse.8.gc10a66fb4d running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
May 08 18:04:19 localhost systemd[1]: TPM PCR Measurements was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:19 localhost systemd[1]: Make TPM PCR Policy was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:19 localhost systemd[1]: TPM PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:19 localhost systemd[1]: Early TPM SRK Setup was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:20 localhost systemd[1]: Condition check resulted in /dev/tpmrm0 being skipped.
May 08 18:04:20 localhost systemd[1]: TPM SRK Setup was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:20 localhost systemd[1]: TPM PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:20 localhost systemd[1]: Early TPM SRK Setup was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:20 localhost systemd[1]: TPM SRK Setup was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:20 localhost systemd[1]: TPM PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:20 localhost systemd[1]: Early TPM SRK Setup was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:20 localhost systemd[1]: TPM SRK Setup was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:23 localhost systemd[1]: TPM PCR Barrier (Initialization) was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:23 localhost systemd[1]: TPM PCR Barrier (User) was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
It should be mentioned that my motherboard’s tpm is actually an fTPM. Could that cause any issues?
I don’t know if this is the correct way to fix this, but I just ran grep -r "ConditionSecurity=measured-uki" /etc/systemd/system/ /lib/systemd/system/
and commented out that line from the necessary files. Of course, I still haven’t managed to get tpm to automatically decrypt my disk, but at least my tpm 2.0 is actually being used now (I think). Here are the logs now:
May 09 04:41:52 localhost kernel: efi: TPMFinalLog=0xdc8e4000 ACPI 2.0=0xdc87d000 ACPI=0xdc87d000 SMBIOS=0xdd584000 SMBIOS 3.0=0xdd583000 MEMATTR=0xd99f0018 ESRT=0xd9d4a198 MOKvar=0xdd5a4000 RNG=0xdc3e2f18 INITRD=0xd6fa9818 TPMEventLog=0xdc3e0018
May 09 04:41:52 localhost kernel: ACPI: TPM2 0x00000000DC88D0B8 000038 (v04 ALASKA A M I 00000001 AMI 00000000)
May 09 04:41:52 localhost kernel: ACPI: Reserving TPM2 table memory at [mem 0xdc88d0b8-0xdc88d0ef]
May 09 04:41:52 localhost kernel: tpm_crb MSFT0101:00: Disabling hwrng
May 09 04:41:52 localhost systemd[1]: systemd 257.5+suse.8.gc10a66fb4d running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
May 09 04:41:52 localhost systemd[1]: Condition check resulted in /dev/tpmrm0 being skipped.
May 09 04:41:54 localhost systemd[1]: Starting Import TPM2 crendentials into the initrd...
May 09 04:41:54 localhost systemd[1]: Finished Import TPM2 crendentials into the initrd.
May 09 04:41:54 localhost systemd-cryptsetup[686]: Automatically discovered security TPM2 token unlocks volume.
May 09 04:41:56 localhost systemd-cryptsetup[686]: WARNING:esys:src/tss2-esys/api/Esys_PolicyAuthorizeNV.c:311:Esys_PolicyAuthorizeNV_Finish() Received TPM Error
May 09 04:41:56 localhost systemd-cryptsetup[686]: Failed to unseal secret using TPM2: State not recoverable
May 09 04:41:56 localhost systemd-cryptsetup[686]: TPM2 operation failed, falling back to traditional unlocking: State not recoverable
May 09 04:42:10 localhost systemd[1]: Stopped Import TPM2 crendentials into the initrd.
May 08 22:42:11 localhost systemd[1]: systemd 257.5+suse.8.gc10a66fb4d running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE -SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
May 08 22:42:11 localhost systemd[1]: Listening on TPM PCR Measurements.
May 08 22:42:11 localhost systemd[1]: Listening on Make TPM PCR Policy.
May 08 22:42:11 localhost systemd[1]: Starting TPM PCR Machine ID Measurement...
May 08 22:42:11 localhost systemd[1]: Starting Early TPM SRK Setup...
May 08 22:42:11 localhost kernel: audit: type=1400 audit(1746722531.899:5): avc: denied { read } for pid=1179 comm="systemd-pcrexte" name="tpmrm" dev="sysfs" ino=11102 scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
May 08 22:42:11 localhost systemd[1]: Finished TPM PCR Machine ID Measurement.
May 08 22:42:11 localhost systemd[1]: Finished Early TPM SRK Setup.
May 08 22:42:11 localhost systemd-tpm2-setup[1181]: SRK already stored in the TPM.
May 08 22:42:11 localhost systemd-tpm2-setup[1181]: SRK fingerprint is 9ad07894cd5b8bda1530d2cd4f06e381cca658f0559a4f620b882e86f5b2e98e.
May 08 22:42:11 localhost systemd-tpm2-setup[1181]: SRK public key saved to '/run/systemd/tpm2-srk-public-key.pem' in PEM format.
May 08 22:42:11 localhost systemd-tpm2-setup[1181]: SRK public key saved to '/run/systemd/tpm2-srk-public-key.tpm2b_public' in TPM2B_PUBLIC format.
May 08 22:42:12 localhost systemd[1]: Condition check resulted in /dev/tpmrm0 being skipped.
May 08 22:42:12 localhost systemd[1]: Starting TPM SRK Setup...
May 08 22:42:13 localhost systemd-tpm2-setup[1458]: SRK already stored in the TPM.
May 08 22:42:13 localhost systemd-tpm2-setup[1458]: SRK fingerprint is 9ad07894cd5b8bda1530d2cd4f06e381cca658f0559a4f620b882e86f5b2e98e.
May 08 22:42:13 localhost systemd-tpm2-setup[1458]: SRK saved in '/var/lib/systemd/tpm2-srk-public-key.pem' matches SRK in TPM2.
May 08 22:42:13 localhost systemd[1]: Finished TPM SRK Setup.
May 08 22:42:15 localhost systemd[1]: Starting TPM PCR Barrier (Initialization)...
May 08 22:42:15 localhost systemd[1]: Finished TPM PCR Barrier (Initialization).
May 08 22:42:20 localhost.localdomain systemd[1]: Starting TPM PCR Barrier (User)...
May 08 22:42:20 localhost.localdomain systemd[1]: Finished TPM PCR Barrier (User).
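As an added example (not from the original posts, and not openSUSE or systemd code), here is a POSIX shell triage script for the journalctl -b 0 | grep -i tpm output shown in both posts. It separates the two states the logs show: in the first boot, systemd's TPM PCR units were skipped because ConditionSecurity=measured-uki was unmet, so no PCR policy was produced; in the second boot, a TPM2 token was found on the volume but the unseal failed at Esys_PolicyAuthorizeNV with "State not recoverable". It also reports AVC denials against systemd-pcrextend and whether they were permissive (the post's denial carries permissive=1, so it was logged but not enforced). The sample journal excerpts inside are constructed from lines in the posts; the StubPcrKernelImage EFI variable path and the availability of systemd-analyze pcrs in live_checks are my assumptions about a systemd-stub setup, not anything the posts establish.

```shell
#!/bin/sh
# Added example, not from the original post or from openSUSE/systemd.
# Triage for `journalctl -b 0 | grep -i tpm` output, based on the message
# patterns the post shows. Paths and tools used in live_checks are assumptions
# about a systemd-stub/systemd-cryptenroll setup, not taken from the post.

set -u

# Constructed sample journal excerpts modelled on the two logs in the post.
SAMPLE_FIRST_BOOT='May 08 18:04:19 localhost systemd[1]: TPM PCR Measurements was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:19 localhost systemd[1]: Make TPM PCR Policy was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
May 08 18:04:20 localhost systemd[1]: Condition check resulted in /dev/tpmrm0 being skipped.'

SAMPLE_SECOND_BOOT='May 09 04:41:54 localhost systemd-cryptsetup[686]: Automatically discovered security TPM2 token unlocks volume.
May 09 04:41:56 localhost systemd-cryptsetup[686]: WARNING:esys:src/tss2-esys/api/Esys_PolicyAuthorizeNV.c:311:Esys_PolicyAuthorizeNV_Finish() Received TPM Error
May 09 04:41:56 localhost systemd-cryptsetup[686]: Failed to unseal secret using TPM2: State not recoverable
May 08 22:42:11 localhost kernel: audit: type=1400 audit(1746722531.899:5): avc: denied { read } for pid=1179 comm="systemd-pcrexte" name="tpmrm" dev="sysfs" scontext=system_u:system_r:systemd_pcrextend_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1'

# Classify journal text on stdin; prints exactly one keyword.
#   not-measured-uki : systemd's TPM PCR units were skipped because
#                      ConditionSecurity=measured-uki was unmet, so no PCR
#                      policy was produced this boot (first log in the post)
#   unseal-failed    : a systemd-tpm2 token was tried but the TPM rejected
#                      the sealed object's policy (second log in the post)
#   no-tpm2-token    : systemd-cryptsetup never reported a TPM2 token
#   ok               : token found and no unseal failure logged
tpm_journal_triage() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -q 'ConditionSecurity=measured-uki'; then
        echo not-measured-uki
    elif ! printf '%s\n' "$text" | grep -q 'security TPM2 token unlocks volume'; then
        echo no-tpm2-token
    elif printf '%s\n' "$text" | grep -q 'Failed to unseal secret using TPM2'; then
        echo unseal-failed
    else
        echo ok
    fi
}

# Pull the TSS2 call that returned the TPM error (e.g. Esys_PolicyAuthorizeNV_Finish);
# it names the part of the sealed-object policy the TPM refused.
tpm_failed_esys_call() {
    sed -n 's/.*:\(Esys_[A-Za-z0-9_]*\)() Received TPM Error.*/\1/p' | head -n 1
}

# Count SELinux AVC denials against systemd-pcrextend and report whether they
# were enforced. A permissive=1 denial is only logged, so it cannot itself
# explain a failed unlock, but it will start blocking once enforcing is on.
tpm_pcrextend_avc() {
    text=$(cat)
    n=$(printf '%s\n' "$text" | grep -c 'avc: denied.*comm="systemd-pcrexte"' || true)
    if [ "$n" -eq 0 ]; then
        echo none
    elif printf '%s\n' "$text" | grep 'comm="systemd-pcrexte"' | grep -q 'permissive=1'; then
        echo "$n permissive"
    else
        echo "$n enforced"
    fi
}

# Read-only checks on the running machine (informational; run as root to read
# the journal). Every path and tool here is an assumption, not from the post.
live_checks() {
    # Assumption: systemd-stub sets this EFI variable when it measured the UKI,
    # and ConditionSecurity=measured-uki is only met when it is present.
    if [ -e /sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ]; then
        echo "measured UKI: yes"
    else
        echo "measured UKI: no (kernel was not booted through a measuring systemd-stub)"
    fi
    if [ -e /dev/tpmrm0 ]; then echo "TPM2: /dev/tpmrm0 present"; else echo "TPM2: /dev/tpmrm0 missing"; fi
    # The kernel parameter the post added to get past the PCR 15 check.
    grep -o 'measure-pcr-validator\.ignore=[^ ]*' /proc/cmdline || echo "measure-pcr-validator.ignore: not set"
    # Current PCR values (assumption: systemd-analyze pcrs exists on this systemd version).
    command -v systemd-analyze >/dev/null && systemd-analyze pcrs 7 11 15 2>/dev/null || true
    journalctl -b 0 2>/dev/null | grep -i tpm | tpm_journal_triage
}

# Run the constructed samples; pass --live to also inspect this machine.
printf '%s\n' "$SAMPLE_FIRST_BOOT"  | tpm_journal_triage     # not-measured-uki
printf '%s\n' "$SAMPLE_SECOND_BOOT" | tpm_journal_triage     # unseal-failed
printf '%s\n' "$SAMPLE_SECOND_BOOT" | tpm_failed_esys_call   # Esys_PolicyAuthorizeNV_Finish
printf '%s\n' "$SAMPLE_SECOND_BOOT" | tpm_pcrextend_avc      # 1 permissive
if [ "${1:-}" = "--live" ]; then live_checks; fi
```

The ordering of the checks in tpm_journal_triage is deliberate: if the measured-uki condition was unmet, nothing downstream (PCR policy, SRK setup) ran, so that is reported before looking at the cryptsetup lines at all. Feed it a real boot with journalctl -b 0 | grep -i tpm | sh -c '. ./tpm-triage.sh; tpm_journal_triage' or simply run the script with --live.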