I just switched to systemd-boot and I have some issues.
The system has an encrypted btrfs mounted as / but it does not get automatically mounted and always asks me to enter the password. I have checked a lot of documentation and nothing helped.
The output of cryptsetup luksDump /dev/nvme1n1p2 contains systemd-tpm2, the TPM 2.0 is available, and I tried running sudo sdbootutil enroll --method=tpm2 and it says the key has been enrolled.
Moreover, I have Windows installed on /dev/nvme0n1 and it has a separate ESP. I wish to add it to the systemd-boot list. How do I do that?
To unlock the key, the TPM2 must be in the expected state, which can change for many reasons. You can try wiping the slot and re-enrolling the key, e.g. as described in Quickstart in Full Disk Encryption with TPM and YaST2 - openSUSE News (I have not tried this particular procedure).
I do not think it is possible. systemd-boot looks for boot menu entries on the device from which it has been started. This includes Windows auto-detection. And you cannot explicitly refer to a device path in the loader entry; all paths are relative to the device systemd-boot was loaded from.
Yes, I can boot it via the system UEFI by changing the boot order, but I simply think that should not be the only choice. I am now considering installing something like rEFInd and adding systemd-boot and Windows Boot Manager to it, if systemd-boot cannot just do it.
sudo systemd-cryptenroll /dev/nvme0n1p2
SLOT TYPE
0 password
1 tpm2
And
sudo systemd-cryptenroll /dev/nvme0n1p2
SLOT TYPE
0 password
vincent@VSONLAPTOPASUS:~> sudo sdbootutil enroll --method=tpm2
Failed to stat //.snapshots/369/info.xml
Failed to stat //.snapshots/370/info.xml
Failed to stat //.snapshots/371/info.xml
Failed to stat //.snapshots/372/info.xml
Failed to stat //.snapshots/375/info.xml
Failed to stat //.snapshots/376/info.xml
Failed to stat //.snapshots/377/info.xml
Failed to stat //.snapshots/378/info.xml
Failed to stat //.snapshots/379/info.xml
Failed to stat //.snapshots/380/info.xml
Failed to stat //.snapshots/381/info.xml
loading 369 failed
loading 370 failed
loading 371 failed
loading 372 failed
loading 375 failed
loading 376 failed
loading 377 failed
loading 378 failed
loading 379 failed
loading 380 failed
loading 381 failed
Garbage after device path end, ignoring.
Garbage after device path end, ignoring.
Garbage after device path end, ignoring.
Garbage after device path end, ignoring.
NVIndex policy created
Password for /dev/nvme0n1p2: .......
New TPM2 token enrolled as key slot 1.
It seems everything should be working, but it is not.
In /etc/crypttab:
# File created by sdbootutil. Comments will be removed
# Add the 'x-sdbootutil.ignore' option to un-track a device
cr_root UUID=39f63f0f-153c-4204-b9de-e2f036f39cc9 none x-initrd.attach,tpm2-device=auto,tpm2-measure-pcr=yes
Moreover, could you help me figure out whether the output above means the snapshots are not working? Or maybe there is a way to manage the really long snapshot list in sdboot.
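Added example, not from the thread or any of its posters: a read-only check that encodes the two things the reply above and the listings posted here both depend on for TPM2 auto-unlock of the root volume (a tpm2 key slot in the LUKS header, and a crypttab entry with tpm2-device=...). It is fed saved text, so it runs offline; the sample inputs are copied from the listings posted in the thread, and the mapped name cr_root and the device /dev/nvme0n1p2 come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check the two facts TPM2 auto-unlock
# of the root LUKS volume depends on, using saved text so it works offline:
#   1) the crypttab entry for the mapped name carries tpm2-device=...
#   2) the LUKS header has a tpm2 key slot (systemd-cryptenroll listing)
# Stale PCR state is invisible here: if this prints "ok" and the passphrase
# prompt persists, the TPM policy no longer matches and the slot has to be
# wiped and re-enrolled, as the reply above describes.

# Count key slots of type tpm2 in `systemd-cryptenroll <device>` output.
count_tpm2_slots() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "tpm2" { n++ } END { print n + 0 }'
}

# Print the option field of the crypttab line whose mapped name is $2;
# comment lines are skipped and a missing entry prints nothing.
crypttab_options() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 !~ /^#/ && $1 == name { print $4 }'
}

# Summarise: ok | no-crypttab-entry | no-tpm2-in-crypttab | no-tpm2-slot
# $1 = systemd-cryptenroll listing, $2 = crypttab text, $3 = mapped name
tpm2_unlock_state() {
    opts=$(crypttab_options "$2" "$3")
    [ -n "$opts" ] || { echo no-crypttab-entry; return; }
    case ",$opts," in
        *,tpm2-device=*) ;;
        *) echo no-tpm2-in-crypttab; return ;;
    esac
    [ "$(count_tpm2_slots "$1")" -gt 0 ] || { echo no-tpm2-slot; return; }
    echo ok
}

# Constructed inputs, copied from the listings posted in the thread.
ENROLL_WITH_TPM2='SLOT TYPE
0 password
1 tpm2'
ENROLL_PASSWORD_ONLY='SLOT TYPE
0 password'
CRYPTTAB='# File created by sdbootutil. Comments will be removed
# Add the x-sdbootutil.ignore option to un-track a device
cr_root UUID=39f63f0f-153c-4204-b9de-e2f036f39cc9 none x-initrd.attach,tpm2-device=auto,tpm2-measure-pcr=yes'

# Live use: tpm2_unlock_state "$(systemd-cryptenroll /dev/nvme0n1p2)" "$(cat /etc/crypttab)" cr_root
tpm2_unlock_state "$ENROLL_WITH_TPM2" "$CRYPTTAB" cr_root      # ok
tpm2_unlock_state "$ENROLL_PASSWORD_ONLY" "$CRYPTTAB" cr_root  # no-tpm2-slot
```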