Trying to install tumbleweed and tpm2 to unlock drive

Operius · May 10, 2025, 3:48pm

Hi all,

I’m trying to install Tumbleweed and to make use of tpm2 on my laptop following this guide:
https://news.opensuse.org/2024/09/20/quickstart-fde-yast2/

But I’m stuck at one point.
I did the following steps from the guide.
Selected “Suggested Partitioning”
Then “Guided Setup”
Enabled “Disk Encryption”

At “installation settings”
Changed the bootloader to “Systemd Boot”
Made sure that tpm2.0-tools, tpm2-0-tss and libtss2-tcti-device0 are going to be installed.

Rebooted, and after entering the passphrase to unlock my drive I logged in.
Then did “sudo bash”
And then “sdbootutil enroll --method tpm2”
Wich resulted with the following:

16 lines with “Event log header has unexpected event type 0x00000008. (Probably not a TPM2 event log?)”
Error creating the systemd-pcrlock policy!
Predictions with systemd-pcrlock failed
Re-trying with pcr-oracle
Generating new RSA key
Warning: Encountered TPM event log apparently generated by a TPMv1 device
Warning: Things will most likely fail
Fatal: Event log lacks a hash for digest algorithm sha256
ERROR: Failed to install TPM predictions for opensuse-tumbleweed-6.14.5-1default-1.conf

This is all new to me.
I’ve never tried to use TPM2 before.
Can somebody shed some light on what’s going on here?

Thank you.

hui · May 10, 2025, 3:55pm

Did you verify that you have TPM2 hardware?
Can you show the output of

cat /sys/class/tpm/tpm0/tpm_version_major

Operius · May 10, 2025, 3:57pm

Hi,
Thank you for answering!

The command resulted in: 2

malcolmlewis · May 10, 2025, 4:00pm

@Operius That is still not enough, it needs to be TPM 2.0 but revision also needs to be >= 1.38, for example;

tpm2_getcap properties-fixed | grep TPM2_PT_REVISION -A2
TPM2_PT_REVISION:
  raw: 0x9F
  value: 1.59

Operius · May 10, 2025, 4:06pm

This results in:
raw: 0x74
value: 1.16

So I guess that’s a no-go for using tpm2 for me?

knurpht · May 10, 2025, 4:30pm

**Always post output in performatted text, including command and prompts. Like this

knurpht@Lenovo-P16:~> uname -a
Linux Lenovo-P16 6.14.5-1-default #1 SMP PREEMPT_DYNAMIC Sat May  3 07:13:47 UTC 2025 (74808df) x86_64 x86_64 x86_64 GNU/Linux
knurpht@Lenovo-P16:~>

Operius · May 10, 2025, 4:33pm

Ah, I was looking for the “code” option.
So it’s called “performatted text” now it seems.

Will use that in the future!

malcolmlewis · May 10, 2025, 4:33pm

@Operius Unfortunately I believe so… Perhaps there is a BIOS or TPM 2.0 update available at your hardware manufacturers support web site?

Operius · May 10, 2025, 4:37pm

It’s a pretty old HP Laptop (HP Pavilion 15-au110nd). I will take a look but I don’t think I’ll get firmware updates anymore.

malcolmlewis · May 10, 2025, 4:48pm

@Operius maybe @arvidjaar has some further insight into the features available with that revision?