TPM2 LUKS decrypt fails with "Failed to publish PCR snapshot to UEFI variable GrubPcrSnapshot."

Hi,

openSUSE TW newbie here, still learning (but loving TW so far!).

I'm using a Lenovo L570 laptop and I'm trying to achieve an unattended boot using TPM2. I followed this guide: SDB:Encrypted root file system - openSUSE Wiki

Grub shows these errors:

error: ../../grub-core/commands/tpm.c:261:Failed to publish PCR snapshot to UEFI variable GrubPcrSnapshot.
error: ../../grub-core/disk/cryptodisk.c:1191:no key protector provided a usable key for hd0.gpt2 56da4887-4842-416f-8fc6-8e732e872a25 

After I've entered the password and the OS boots, I'm not prompted for the LUKS password again. In other words, the automatic decryption at OS level works. I only need to enter the password for GRUB.

Extra info:
lsblk:

NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda           8:0    0 238.5G  0 disk  
├─sda1        8:1    0   512M  0 part  /boot/efi
├─sda2        8:2    0 222.6G  0 part  
│ └─cr_root 254:0    0 222.6G  0 crypt /var
│                                      /usr/local
│                                      /srv
│                                      /root
│                                      /opt
│                                      /home
│                                      /boot/grub2/x86_64-efi
│                                      /boot/grub2/i386-pc
│                                      /.snapshots
│                                      /
└─sda3        8:3    0  15.4G  0 part  
  └─cr_swap 254:1    0  15.4G  0 crypt [SWAP]

/boot/efi/EFI/opensuse/grub.cfg

set btrfs_relative_path="yes"
tpm_record_pcrs 0-9
tpm2_key_protector_init -T $prefix/sealed.tpm
if ! cryptomount -u 56da48874842416f8fc68e732e872a25 --protector tpm2; then
    cryptomount -u 56da48874842416f8fc68e732e872a25
fi
search --fs-uuid --set=root fd679bfa-ce59-48ed-b869-6a9bebcfbc09
set prefix=(${root})/boot/grub2
source "${prefix}/grub.cfg"

/etc/crypttab

cr_swap  UUID=de535016-d928-4a7e-8a64-247cbb512366  /.fde-virtual.key  x-initrd.attach
cr_root  UUID=56da4887-4842-416f-8fc6-8e732e872a25  /.fde-virtual.key  x-initrd.attach

As I'm still learning, I've tried several things (and even started over a few times), just to be sure I've not made any mistakes. Via another thread (and in a previous install) I checked the PCR values and they don't change. I also changed it to only check PCR 0, but the GRUB error remains.

It also doesn't help that nobody else seems to have this exact error (most issues are due to changing PCR values, errors creating a sealed TPM key, etc.). I tried to look up source code line 261, but as far as I can see it just returns an error that happened outside of the GRUB code.

Any suggestions?
Many thanks in advance!

Did a full reinstall of TW and started over, same thing. I did notice this error when running fdectl regenerate-key:

Unable to verify signature of a boot service; probably a driver residing in ROM.

Update: posted to Reddit too. If one or the other should lead to a solution, I will update both. Maybe this helps others who face the same issue.

https://www.reddit.com/r/openSUSE/comments/17qhw0g/tpm2_luks_decrypt_fails_with_failed_to_publish/

Update: I came across this repo and readme: GitHub - openSUSE/fde-tools: Tools for controlling full disk encryption

I added a secondary key using an authorized policy, and now it works: my system boots to the login screen without asking for a password. The problem is I don't know if this is how it's supposed to work. The SDB does not mention this as a step… or I simply do not fully understand how it's supposed to work.

It would be really nice if someone with more knowledge could give some feedback :)

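Added diagnostic (not part of the original post, the openSUSE wiki, GRUB or fde-tools): the "Failed to publish PCR snapshot to UEFI variable GrubPcrSnapshot" message means GRUB could not write that variable, so the first thing worth checking from the booted system is whether the variable exists at all, with which attributes, and how much data it carries. The script below assumes efivarfs is mounted at /sys/firmware/efi/efivars, where each variable is a file named Name-GUID whose first four bytes are the little-endian UEFI attribute bitmask followed by the raw variable data. The vendor GUID of GrubPcrSnapshot is not assumed (a glob matches it), and the payload is only sized and hex-dumped, not parsed, since its internal layout is not documented on this page. The sample file in the usage below is constructed for illustration.

```shell
#!/bin/sh
# Diagnostic for a missing or empty GrubPcrSnapshot UEFI variable.
# Added example, not code from GRUB, fde-tools or the wiki page.
# Assumption: efivarfs is mounted at $EFIVARS (default below).

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}

# efivarfs files start with a 4-byte little-endian attribute bitmask
# (NON_VOLATILE=1, BOOTSERVICE_ACCESS=2, RUNTIME_ACCESS=4), then the data.
efivar_attrs() {
    # prints the attribute bitmask as a decimal integer
    od -An -t u4 -N 4 "$1" | tr -d ' '
}

efivar_attrs_describe() {
    # prints the set attribute names, space separated
    a=$(efivar_attrs "$1")
    out=""
    [ $((a & 1)) -ne 0 ] && out="${out}NON_VOLATILE "
    [ $((a & 2)) -ne 0 ] && out="${out}BOOTSERVICE_ACCESS "
    [ $((a & 4)) -ne 0 ] && out="${out}RUNTIME_ACCESS "
    printf '%s\n' "${out% }"
}

efivar_payload_size() {
    # size of the variable data, excluding the 4-byte attribute header
    s=$(wc -c < "$1")
    echo $((s - 4))
}

efivar_payload() {
    # raw data after the header, printed as a hex string
    tail -c +5 "$1" | od -An -v -t x1 | tr -d ' \n'
}

check_grub_pcr_snapshot() {
    # returns 0 if GRUB managed to publish the snapshot, 1 otherwise
    found=0
    for f in "$EFIVARS"/GrubPcrSnapshot-*; do
        [ -e "$f" ] || continue
        found=1
        printf 'found %s\n' "$f"
        printf '  attrs: %s\n' "$(efivar_attrs_describe "$f")"
        printf '  data : %s bytes\n' "$(efivar_payload_size "$f")"
    done
    if [ "$found" -eq 0 ]; then
        echo "GrubPcrSnapshot not present in $EFIVARS: GRUB did not manage to write it"
        return 1
    fi
    return 0
}

# Run the check only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
    check_grub_pcr_snapshot
fi
```

Run it as root on the laptop after a boot that showed the GRUB error (`sh check_snapshot.sh --run`). If the variable is absent, the failure is on GRUB's write path (firmware variable store), not in the sealed key itself; if it is present but tiny, the write succeeded and the cryptomount failure has another cause.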