I was working through the steps provided here to get my TPM2 device to unlock my partition automatically. All of the commands in the section run correctly, and my partition is LUKS2 encrypted with PBKDF2. The fdectl regenerate-key command runs successfully, but when I reboot, I get the following error:
error: ../../grub-core/tpm2/module.c:424:Could not create SRK (TPM2_CreatePrimary: 0x909)
error: ../../grub-core/disk/cryptodisk.c:1197:no key protector provided a usable key for hd0,gpt2 (UUID)
Does anyone have any idea what might be happening here? Googling around shows the 0x909 code corresponds to TPM_RC_CANCELED, but I can't seem to track things down any further.
I'm using UEFI. This system is a dual-boot with Windows 11, and I have that OS encrypted with BitLocker using the TPM to decrypt as well. Additionally, the test command for fdectl worked.
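For anyone decoding codes like the 0x909 in the error above, here is an added TPM_RC decoder (example code written for this thread, not code from GRUB, fdectl or the posters); it applies the format-0/format-1 bit layout from the TPM 2.0 Library spec, and the code-name tables are a small subset I constructed, not the full list.

```python
"""Decode a TPM 2.0 response code (TPM_RC), e.g. the 0x909 in the GRUB error above.
Bit layout per TPM 2.0 Library spec Part 2; code-name tables are a constructed subset."""

RC_FMT1 = 0x080    # bit 7: format-1 code, carries a handle/session/parameter index
RC_VER1 = 0x100    # bit 8: TPM 2.0 format-0 code (clear would mean a TPM 1.2 code)
RC_VENDOR = 0x400  # bit 10: vendor-defined code
RC_WARN = 0x800    # bit 11: warning (transient/retryable) rather than error

# Format-0 codes keyed by (is_warning, error number in the low 7 bits).
FORMAT0_NAMES = {
    (False, 0x00): "TPM_RC_INITIALIZE",  # TPM2_Startup not yet run
    (False, 0x01): "TPM_RC_FAILURE",
    (False, 0x26): "TPM_RC_POLICY",
    (False, 0x28): "TPM_RC_PCR_CHANGED",
    (False, 0x53): "TPM_RC_NEEDS_TEST",
    (True, 0x09): "TPM_RC_CANCELED",     # 0x909: the command was cancelled
    (True, 0x0A): "TPM_RC_TESTING",
    (True, 0x21): "TPM_RC_LOCKOUT",
    (True, 0x22): "TPM_RC_RETRY",
    (True, 0x23): "TPM_RC_NV_UNAVAILABLE",
}
# Format-1 codes keyed by the error number in the low 6 bits.
FORMAT1_NAMES = {0x04: "TPM_RC_VALUE", 0x0E: "TPM_RC_AUTH_FAIL",
                 0x1D: "TPM_RC_POLICY_FAIL", 0x22: "TPM_RC_BAD_AUTH"}


def decode_tpm_rc(rc: int) -> dict:
    """Split a TPM_RC into its name, format and (format 1 only) the offending index."""
    if rc == 0:
        return {"name": "TPM_RC_SUCCESS", "format": 0, "warning": False}
    if rc & RC_FMT1:
        number = rc & 0x3F
        if rc & 0x40:                       # bit 6 set: index refers to a parameter
            where = f"parameter {(rc >> 8) & 0xF}"
        elif rc & 0x800:                    # bit 11 set: index refers to a session
            where = f"session {(rc >> 8) & 0x7}"
        else:                               # otherwise the index is a handle
            where = f"handle {(rc >> 8) & 0x7}"
        name = FORMAT1_NAMES.get(number, f"TPM_RC_FMT1_0x{number:02x}")
        return {"name": name, "format": 1, "warning": False, "location": where}
    if not rc & RC_VER1:
        return {"name": f"TPM_1.2_RC_0x{rc:x}", "format": 0, "warning": False}
    warning = bool(rc & RC_WARN)
    number = rc & 0x7F
    if rc & RC_VENDOR:
        name = f"VENDOR_RC_0x{number:02x}"
    else:
        name = FORMAT0_NAMES.get((warning, number), f"TPM_RC_FMT0_0x{number:02x}")
    return {"name": name, "format": 0, "warning": warning}
```

Calling decode_tpm_rc(0x909) reports a format-0 warning named TPM_RC_CANCELED, i.e. the TPM reported the TPM2_CreatePrimary call as cancelled rather than rejecting the key material, which is why the question of what GRUB does before that call (versus what the Linux kernel driver does) is the useful next lead.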
It's possible that your TPM chip needs some initialization that is performed by the (Linux) kernel but not by grub2. You should open a bug report and describe your hardware in detail.
Ah yeah, that makes sense. I had the TPM working once before on EndeavourOS, but I was using rEFInd at the time, so the bootloader itself didn't need to decrypt anything.