Problem with TPM and/or systemd-pcrlock?

Hello! I recently started using Aeon and have been loving it so much I helped a friend install it on their laptop too. It works great for them too, except that it prompts for the recovery key every time the system is rebooted, which is obviously annoying. This is on “default mode” encryption on a Thinkpad T490 laptop. I followed the instructions in the Wiki for when this happens, but no dice.

Here’s the error log:

openSUSE Paste

Here’s the dmesg, if that’s helpful:

openSUSE Paste

It says, among other things, that it failed “to add OR policy to TPM: tpm:parameter(1):value is out of range or is not correct for the context”. Not sure what that means!

I’m very new to using openSUSE and not super sure where this belongs, so please forgive me if this is the wrong place to ask. There’s a bug report (124112) that seems similar to mine? But to be honest this is all a bit out of my depth, so I don’t want to either add a redundant bug report or clutter that one with superfluous posts in case I’m missing something really obvious >_<

Any help would really be appreciated!

update-predictions only succeeds if the current TPM2 state matches the expectations. It sounds like it does not.

Which wiki? Which instructions?

Full output of journalctl --system -b would be more useful as this is not a kernel problem.

Thank you for your reply! Apologies for not being more specific, I meant that I followed the Troubleshooting page here.

I was under the impression that running “update-predictions” was the appropriate thing to do if it kept prompting for the recovery key after a firmware update? When we first installed Aeon there were some firmware updates, and it hasn’t stopped prompting for the recovery key upon subsequent reboots. Is there something different I should be doing to make the current state match the expectations? (My apologies for neglecting to mention this!)

I will try to get the output of journalctl tomorrow, thanks!

And I meant that we do not know how you set up encryption to start with.

No. It is too late. update-predictions expects the valid measurements that match the current policy; only in this case will it extend policy with new information.

Ok, update-predictions will work if you have recovery PIN to access stored predictions. Do you have one? It is NOT the LUKS recovery key or LUKS password.


Hi, on one old (circa June 2024) Aeon setup I’ve had to use this a few times…
https://en.opensuse.org/Portal:Aeon/Encryption/Advanced#Complete_re-enrollment_of_tpm2


Sorry! The computer is using Aeon’s “default mode” encryption. It has secure boot enabled. I have the recovery key that was supplied when installing the system in the first place.

Here is the output of “journalctl --system -b” that you’d mentioned before!

Yes, I was just reading back through this! I will try this next and follow up, thank you so much!!

Well, it says the same - measurements do not match previously computed policy.

Did it ever work? When did it stop working?

And yes, complete re-enrollment always works. The problem is, as long as you do not know why it stopped working, you will likely get the same issue in the future.

In my case it was uefi db update(s) from memory…

Right, of course. And I would like to prevent its reoccurrence because I was just trying to set up a cozy and low maintenance system for a non-technical friend >_<

So if I’m understanding you correctly, I don’t think it ever worked. When we initially installed it there was a prompt for some firmware updates. We did those, rebooted, entered the key. There was another firmware update when we were back in the system, so we repeated. And it has since continued to prompt for the recovery key every time the system is rebooted. So I suppose something got mixed up in the course of those updates? Perhaps I should have updated the predictions between those two initial reboots?

I’m really sorry but I’m not quite sure what this means, or how I’d be able to check if this is what’s happening for me too. Is this just related to what the documentation talks about when it says one has to unenroll the previous tpm key?

@jcqlnn if there was a firmware update, then you will need to re-enroll AFAIK…

@malcolmlewis Okay great! Then I will definitely try that when I can be in front of the machine again later today and hopefully that fixes it. Presumably I just need to re-enroll whenever there is a firmware update then?

@jcqlnn if that is the issue, if not then need to investigate further to see what changed…


I am not sure what it means exactly. There was a prompt where? What update?

But yes, a firmware update can break TPM enrollment because it changes measurements.


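To make the point from the replies above concrete (that update-predictions only succeeds while the measured PCR state still matches the stored prediction, and that a firmware or UEFI db update changes that state), here is a small added illustration. It is not code from any post in this thread or from systemd-pcrlock; it simulates the TPM2 PCR extend operation in Python with a constructed event log, and the event names, firmware versions and the choice of PCRs 0 and 7 are made up for the demonstration.

```python
import hashlib


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend for the SHA-256 bank: new_pcr = SHA256(old_pcr || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure(data: bytes) -> bytes:
    """Digest of a measured component, as a firmware/boot loader would log it."""
    return hashlib.sha256(data).digest()


def replay_event_log(events):
    """Replay (pcr_index, digest) events into PCR values, starting from all-zero PCRs.

    This is what a tool has to do to predict PCR values for a future boot:
    the final PCR depends on every event and on their order.
    """
    pcrs = {}
    for idx, digest in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, bytes(32)), digest)
    return pcrs


# Constructed sample event log: firmware components land in PCR 0,
# Secure Boot variables (SecureBoot flag, db) land in PCR 7.
BASELINE_EVENTS = [
    (0, measure(b"EV_S_CRTM_VERSION: vendor firmware 1.0 (constructed)")),
    (0, measure(b"EV_EFI_PLATFORM_FIRMWARE_BLOB: embedded controller (constructed)")),
    (7, measure(b"EV_EFI_VARIABLE_DRIVER_CONFIG: SecureBoot=1 (constructed)")),
    (7, measure(b"EV_EFI_VARIABLE_DRIVER_CONFIG: db v1 (constructed)")),
]


def predicted_policy_pcrs(events, indices=(0, 7)):
    """The stored prediction: the exact values the selected PCRs must have at unlock time."""
    pcrs = replay_event_log(events)
    return {i: pcrs[i] for i in indices}


def policy_matches(prediction, actual) -> bool:
    """Unsealing the LUKS key succeeds only if every bound PCR equals its predicted value."""
    return all(actual.get(i) == v for i, v in prediction.items())


def changed_pcrs(prediction, actual):
    """Diagnostic: which bound PCRs differ from the prediction (empty list when all match)."""
    return sorted(i for i, v in prediction.items() if actual.get(i) != v)


def after_firmware_update(events):
    """Same boot flow, but the platform firmware reports a new version."""
    updated = list(events)
    updated[0] = (0, measure(b"EV_S_CRTM_VERSION: vendor firmware 1.1 (constructed)"))
    return updated


def after_db_update(events):
    """Same boot flow, but the Secure Boot db variable has new content."""
    updated = list(events)
    updated[3] = (7, measure(b"EV_EFI_VARIABLE_DRIVER_CONFIG: db v2 (constructed)"))
    return updated


if __name__ == "__main__":
    prediction = predicted_policy_pcrs(BASELINE_EVENTS)
    for label, events in [
        ("baseline boot", BASELINE_EVENTS),
        ("after firmware update", after_firmware_update(BASELINE_EVENTS)),
        ("after UEFI db update", after_db_update(BASELINE_EVENTS)),
    ]:
        actual = replay_event_log(events)
        print(f"{label:22s} matches={policy_matches(prediction, actual)} "
              f"changed PCRs={changed_pcrs(prediction, actual)}")
```

Running it shows the baseline boot matching the prediction, the firmware update changing only PCR 0, and the db update changing only PCR 7; in both failure cases the sealed key cannot be released and the recovery key is required. A prediction made from the new event log matches again, which is what re-enrollment does. The single line of defense that matters here is the diagnostic: comparing the bound PCRs against the prediction tells you which component changed, rather than only that something did.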
https://bugzilla.opensuse.org/show_bug.cgi?id=1241122
