I applied updates this morning to my Tumbleweed installation and the laptop now shuts down instead of booting. The boot process gets as far as asking me for the password to unlock my disks, then moves on to the BIOS busy spinner thing before finally shutting down.
Rolling back to the snapshot from 21st July booted normally, so this isn’t a hardware issue.
I am using systemd-boot
I have configured TPMv2 and it was working on Wednesday last week before I went on vacation
After rolling back, I ran zypper dup again and paid closer attention to the output. I noticed the following error:
ERROR:esys:src/tss2-esys/api/Esys_PolicyOR.c:100:Esys_PolicyOR() Esys Finish ErrorCode (0x000001c4)
Failed to add OR policy to TPM: tpm:parameter(1):value is out of range or is not correct for the context
Failed to submit super PCR policy: State not recoverable
Error creating the systemd-pcrlock policy!
and this
Failed to add OR policy to TPM: tpm:parameter(1):value is out of range or is not correct for the context
I have a hunch that the new kernel couldn’t be registered with the TPM module - but how do I fix that?
I did what you suggested and I did get more of a log - and even the emergency root prompt that I didn’t get before.
Notable logs
xe 0:0000:00:02.0: [drm] *ERROR* GT1: GSC proxy component not found!
The boot process appeared to hang at that point, but I let it continue to see if it would shut down. It didn’t. Instead, I got the following:
...
[FAILED] Failed to start Cryptography Setup for cr_swap
See 'systemctl status systemd-cryptsetup@cr_swap.service for details.
[DEPEND] Dependency failed for Local Encrypted Volumes.
Starting Validate LUKS2 devices...
Starting Cryptography setup for cr_root...
[ OK ] Finished validate LUKS2 devices.
[ OK ] Reached target Local File Systems.
Starting Create System Files and Directories...
Please enter passphrase for disk xxxxx (cr_root):
[FAILED] Failed to start Cryptography Setup for cr_root
See 'systemctl status systemd-cryptsetup@cr_root.service for details.
[DEPEND] Dependency failed for /dev/mapper/cr_root.
[DEPEND] Dependency failed for File System Check on /dev/mapper/cr_root.
[DEPEND] Dependency failed for /sysroot.
[DEPEND] Dependency failed for Initrd Root File System.
[DEPEND] Dependency failed for Mountpoints Configured in the Real Root.
[DEPEND] Dependency failed for OSTree Prepare OS/.
[ OK ] Stopped target Basic System.
...
Edit:
It then dropped me to the Ctrl-D emergency root prompt, and I could log in and run journalctl -b.
I’m sure I entered the correct password (I’ve rebooted a dozen times to debug this - I highly doubt I would have made a typo that many times…), and I can access all volumes normally from the previous snapshot. I’m using the same laptop with that earlier snapshot to type this, code, write emails and all the things I usually do.
One thing that puzzles me - if none of the volumes could be decrypted, how did it validate my root password? I’m going to reboot and check if it really asked me for a password, or if any/no password would work.
I am questioning my sanity… I can’t reproduce the behaviour where I got the Ctrl+D emergency prompt. I must have used the wrong kernel? The logs below are from a screenshot - I think the journal for the failed boot is lost when I boot from the snapshot, so this log is hand typed from a photo. Please excuse any typos!
What I get now (and I’ve tried several times in a row to make sure this isn’t some random fluke):
....
[ OK ] Finished Cryptography Setup for cr_swap.
Starting Cryptography Setup for cr_root...
[ OK ] Found device /dev/mapper/cr_root.
[ OK ] Finished Cryptography Setup for cr_root.
[ OK ] Reached target Local Encrypted Volumes
[ OK ] Reached target System Initialization.
[ OK ] Reached target Basic System.
Starting Validate LUKS2 devices...
ERROR: the validation of PCR 15 failed
*********************************************************************
ERROR: Missing measure-pcr-prediction file
Use 'measure-pcr-validator.ignore=yes' in cmdline to bypass the check
*********************************************************************
*** The system will be halted. Press any key ...
That actually aligns with what I experienced with Plymouth enabled.
# File created by sdbootutil. Comments will be removed
# Add the 'x-sdbootutil.ignore' option to un-track a device
cr_swap UUID=db54fcff-de89-4805-8fe5-d56fa4fbc8d2 none tpm2-device=auto,tpm2-measure-pcr=yes
cr_root UUID=30c9675b-909e-434b-a277-7fc5e6595ef4 none x-initrd.attach,tpm2-device=auto,tpm2-measure-pcr=yes
sdbootutil enforces validation of the root (and swap) key, but the required file is missing. It is difficult to say why. As you have just one LUKS volume anyway, the measurements are not needed and you can simply remove tpm2-measure-pcr=yes from /etc/crypttab.
The system started to fail due to
commit 553d46cb8f0c258ae20c5670f0afcf308355bcb5 (HEAD -> main, origin/main, origin/HEAD)
Author: Alberto Planas
Date: Thu Jul 24 09:37:19 2025 +0200
measure-pcr-validator: fail if the file is missing
Signed-off-by: Alberto Planas
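Added example, not part of any post in this thread and not sdbootutil code: a small audit that lists which crypttab entries set tpm2-measure-pcr=yes and prints a preview of the file with only that option removed, without touching /etc/crypttab. The function names and the cr_data entry are constructed for illustration; the cr_swap and cr_root lines are the ones quoted above.

```shell
#!/bin/sh
# Added example (not sdbootutil code): audit a crypttab for tpm2-measure-pcr=yes.
# Only the literal "=yes" spelling used in the thread is matched.

# list_measured FILE: print the name of each volume that sets the option.
list_measured() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            n = split($4, opt, ",")             # field 4: comma-separated options
            for (i = 1; i <= n; i++)
                if (opt[i] == "tpm2-measure-pcr=yes") { print $1; break }
        }' "$1"
}

# preview_without_measure FILE: print FILE with only that option removed.
# Nothing is written back; spacing between fields is normalised to one space.
preview_without_measure() {
    awk '
        /^[ \t]*(#|$)/ { print; next }          # comments and blanks pass through
        {
            n = split($4, opt, ","); out = ""
            for (i = 1; i <= n; i++) {
                if (opt[i] == "tpm2-measure-pcr=yes") continue
                out = (out == "") ? opt[i] : (out "," opt[i])
            }
            line = $1 " " $2
            if (NF >= 3) line = line " " $3
            if (out != "") line = line " " out  # an emptied options field is dropped
            print line
        }' "$1"
}

# Constructed sample: cr_swap and cr_root as quoted in the thread, cr_data made up
# to show the case where the option is the only one on the line.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# File created by sdbootutil. Comments will be removed
cr_swap UUID=db54fcff-de89-4805-8fe5-d56fa4fbc8d2 none tpm2-device=auto,tpm2-measure-pcr=yes
cr_root UUID=30c9675b-909e-434b-a277-7fc5e6595ef4 none x-initrd.attach,tpm2-device=auto,tpm2-measure-pcr=yes
cr_data UUID=00000000-0000-0000-0000-000000000000 none tpm2-measure-pcr=yes
EOF

echo "Volumes with tpm2-measure-pcr=yes:"
list_measured "$SAMPLE"
echo "Preview with the option removed:"
preview_without_measure "$SAMPLE"
```

To audit a real system, call the two functions with /etc/crypttab as the argument and compare the preview against the file before editing it by hand.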