Thinkpad X1 Carbon Gen13: sdbootutil update-predictions fails after firmware update

Hello

In late December 2025 I installed Tumbleweed on a Thinkpad X1 Carbon Gen13 with full disk encryption. I left the encryption settings at the default, which AFAIK uses the TPM2 and attestation.

This worked well until I updated the system firmware to 0.1.19 (via fwupdmgr), and since then sdbootutil-update-predictions.service fails with:

systemd-pcrlock[2841]: Garbage after device path end, ignoring.
sdbootutil[2841]: WARNING:esys:src/tss2-esys/api/Esys_PolicyOR.c:286:Esys_PolicyOR_Finish() Received TPM Error
sdbootutil[2841]: ERROR:esys:src/tss2-esys/api/Esys_PolicyOR.c:100:Esys_PolicyOR() Esys Finish ErrorCode (0x000001c4)
systemd-pcrlock[2841]: Failed to add OR policy to TPM: tpm:parameter(1):value is out of range or is not correct for the context
systemd-pcrlock[2841]: Failed to submit super PCR policy: State not recoverable
sdbootutil[2367]: Error creating the systemd-pcrlock policy!
systemd[1]: sdbootutil-update-predictions.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: sdbootutil-update-predictions.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Update TPM predictions.

A recent firmware update to 0.1.20 has not fixed the failure.

Is there something I have to do to get the predictions to update?

Luckily I can still boot into Tumbleweed, but it forces me to enter the TPM2 password 10 (!) times on each boot, which gets a bit annoying after a while :wink:

You need to re-enroll:

https://en.opensuse.org/Portal:MicroOS/FDE#Re-enrollment

or

Thanks a lot for the fast solution!

With a

sudo sdbootutil --ask-pin update-predictions

boot unlocking works normally again.
