I have been trying to get TPM2 decryption of my root partition working by following the "Encrypted root file system" guide at [1]. While doing that I ran into a few issues and I simply cannot get it working. Any help would be appreciated. I have just installed Tumbleweed and enabled LUKS2 using the YaST Expert Console as mentioned in the guide. I opted for encrypting root and swap and otherwise used default options for disk layout with a btrfs filesystem.
My first hurdle was that there seemed to be an incompatibility between fdectl v0.7.2 and pcr-oracle v0.5.4. The result was that I could not run "fdectl tpm-present" because pcr-oracle complained about "Excess argument(s)". Downgrading pcr-oracle to v0.5.2 resolved that issue. I reported this as a bug in [2].
Now, however, I am stuck at the "fdectl regenerate-key" stage.
First of all, the guide [1] tells me that it should write a file in "/boot/efi/EFI/opensuse/sealed.tpm", but it explicitly tells me that it creates a file in "/etc/fde/authorized-policy" instead:
fdectl regenerate-key
Authorized policy written to /etc/fde/authorized-policy/authorized-policy.tpm
Please enter LUKS recovery password:
Verifying LUKS recovery password (/dev/nvme0n1p2)
Sealing secret - this may take a moment
Sealed secret written to /etc/fde/authorized-policy/sealed.tpm
.
.
.
Then, in the middle of the output, it says that I do not have the correct files in my boot directory:
Timeout: 0 seconds
BootOrder: 0001,0000,2001,2002,2003
Boot0000* openSUSE HD(1,GPT,38348860-c437-4812-84df-cd529ccb76e9,0x800,0x100000)/File(\EFI\opensuse\grubx64.efi)RC
Boot2001* EFI USB Device RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network RC
Boot0001* opensuse-secureboot HD(1,GPT,38348860-c437-4812-84df-cd529ccb76e9,0x800,0x100000)/File(\EFI\opensuse\shim.efi)
Fatal: Unable to open file /boot/efi/boot/grub2/x86_64-efi/normal.mod: No such file or directory
copying /usr/share/efi/x86_64/grub.efi to /boot/efi/EFI/opensuse/grub.efi
BootCurrent: 0000
[1] SDB:Encrypted root file system - openSUSE Wiki
[2] 1218390 – "fdectl tpm-present" fails with the combination fdectl v0.7.2 / pcr-oracle v0.5.4