
#1 2026-04-06 13:28:45

d.ALT
Member
Registered: 2019-05-10
Posts: 958

[UNSOLVABLE] Unattended TPM boot with PCR15 (LUKS auto-unlock)

>> UNSOLVABLE!!
>> Please have a look at: https://bbs.archlinux.org/viewtopic.php … 3#p2293633
>> UNSOLVABLE!!



- - - - - - -


I can’t get TPM auto-unlock with PCR15 binding.


I already tried resetting the TPM itself multiple times while wiping the tpm2 slot of PCR15.


I did not perform such a thing as:

… A solution for the root volume is to bind to an empty PCR 15 using --tpm2-pcrs=other_pcrs+15:sha256=0000000000000000000000000000000000000000000000000000000000000000


(https://wiki.archlinux.org/title/System … rm_Module)

Why on Earth should someone clear out the PCR15 bank????????


  1. Must I generate the UKI via mkinitcpio+ukify?

  2. Why does systemd never mention /etc/crypttab.initramfs (https://wiki.archlinux.org/title/Dm-cry … -generator) in their manpages⁽²⁾?
     What’s wrong with it??! … meh ...
     ⁽²⁾https://man.archlinux.org/man/crypttab.5.en
     ⁽²⁾https://man.archlinux.org/man/cryptsetup.8.en

  3. 1.2.4.4.4 Pinning a LUKS volume:
       … hash of a LUKS volume key in the crypttab configuration⁽³⁾ using the fixate-volume-key= option …

     Well… Is this a Kernel Commandline Parameter or… not?

  4. no /etc/fstab in use (https://wiki.archlinux.org/title/Dm-cry … -generator)

⁽³⁾as reported in crypttab manpage:

SYNOPSIS
   /etc/crypttab

DESCRIPTION
   The /etc/crypttab file describes encrypted block devices that are set up during system boot.


   fixate-volume-key=
           Pin the expected hash of the volume key.

           In certain cases, e.g. for LUKS volumes where the key is sealed to
           the TPM2, this may be required to provide a guarantee that the
           volume being attached is the volume which was previously created.
           fixate-volume-key= can be used to set the expected volume key hash
           and refuse to attach the volume if it has a different one. The
           expected hash matches the digest which is measured to the sha256
           PCR bank of the TPM2 when tpm2-measure-pcr= is used.

           For newly created LUKS volumes, the expected hash can be generated
           by systemd-repart(8). For additional details, see the
           EncryptedVolume= description at repart.d(5).

           Added in version 260.

...
...


(https://man.archlinux.org/man/crypttab.5.en)


.


tpm2_pcrread | sed 's/\(0x\)\([0-9A-Z]\{32\}\)/\1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/g'
  sha1:
  sha256:
    0 : 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX10C10C09F95F2C53EA9CAC2CE91894A8
    1 : 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX62A853E16B45EDCA3AE1A792B2EF3C8E
    2 : 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX641BF307158A02A428FADE5923EAB98F
    3 : 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXF51C75E14A9FCF9A7234A13F198E7969
    4 : 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXCF685258596320568E93E09B1AEACF9B
    5 : 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX25D280285B6DB712C0D4BCD846A49E75
    6 : 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXF51C75E14A9FCF9A7234A13F198E7969
    7 : 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXB17CFE188ADF1738F1DEF20D14E1A1B6
    8 : 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX00000000000000000000000000000000
    9 : 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX6B630B02776CCF087C9103677CDE1D96
    10: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX00000000000000000000000000000000
    11: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX0E045D1310FE055FF9D7842115FA0958
    12: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX182C40467858A5F943B701D2F2668543
    13: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX00000000000000000000000000000000
    14: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX00000000000000000000000000000000
    15: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX70EF8DE530D3286FBA7C2525E518655A
    16: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX00000000000000000000000000000000
    17: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    18: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    19: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    20: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    21: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    22: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    23: 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX00000000000000000000000000000000

.

cat /proc/cmdline | sed 's/[0-9a-z]\{12\}/XXXXXXXXXXXX/g'
mitigations=off usb-storage.quirks=0bda:9210:u rd.luks.options=a0ffc25b-8e6a-43a6-b065-XXXXXXXXXXXX=tpm2-device=auto,tpm2-measure-pcr=yes,fixate-volume-key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXc641 rw

.

grep tpm2 /etc/crypttab | sed 's/[0-9a-z]\{12\}/XXXXXXXXXXXX/g'
root    UUID=a0ffc25b-8e6a-43a6-b065-XXXXXXXXXXXX       none    tpm2-device=auto,tpm2-measure-pcr=yes,fixate-volume-key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXc641

.

grep \^HOOKS /etc/mkinitcpio.conf
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)

.

cat /etc/mkinitcpio.d/linux.preset
# mkinitcpio preset file for the 'linux' package

#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux"
#ALL_kerneldest="/boot/vmlinuz-linux"

#PRESETS=('default')
PRESETS=('default' 'fallback')

#default_config="/etc/mkinitcpio.conf"
#default_image="/boot/initramfs-linux.img"
default_uki="/efi/EFI/Linux/archlinux.efi"
#default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"

#fallback_config="/etc/mkinitcpio.conf"
#fallback_image="/boot/initramfs-linux-fallback.img"
fallback_uki="/efi/EFI/Linux/archlinux-fallback.efi"
fallback_options="-S autodetect"

.

cryptsetup luksDump /dev/sdc2 | sed 's/[0-9a-z]\{12\}/XXXXXXXXXXXX/g'
LUKS header information
Version:        2
Epoch:          62
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           a0ffc25b-8e6a-43a6-b065-XXXXXXXXXXXX
Label:          archlinux_CRYPTO
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 4096 [bytes]

Keyslots:
  0: luks2
        Key:        256 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 256 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 11397564
        Salt:       11 7b 9c ae be 91 fd 01 4e aa f0 58 09 1f d5 d5 
                    8a ee c0 c2 3b 1d 6a d4 d5 d8 0d 5c f4 97 26 26 
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:131072 [bytes]
        Digest ID:  0
  1: luks2
        Key:        256 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 256 bits
        PBKDF:      pbkdf2
        Hash:       sha512
        Iterations: 1000
        Salt:       85 b9 f9 ee 09 d1 a6 6d 97 b0 33 5b 5b 23 70 ee 
                    ea c5 5e d5 94 d7 36 c1 44 f0 7f fb 57 26 12 49 
        AF stripes: 4000
        AF hash:    sha512
        Area offset:163840 [bytes]
        Area length:131072 [bytes]
        Digest ID:  0
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   15
        tpm2-pcr-bank:    sha256
        tpm2-pubkey:
                    (null)
        tpm2-pubkey-pcrs: 
        tpm2-primary-alg: ecc
        tpm2-pin:         false
        tpm2-pcrlock:     false
        tpm2-salt:        false
        tpm2-srk:         true
        tpm2-pcrlock-nv:  false
        tpm2-policy-hash:
                    07 e7 d7 74 fe af 8d fe 6f 2f 6c f9 0c 2f ad fe
                    e9 99 db 75 19 fc 5a 72 8f ac a7 99 a1 43 17 f4
        tpm2-blob:  00 9e 00 20 87 91 49 63 ba 2f 3d 7e 17 86 37 2e
                    1c 79 11 02 67 2f b1 c0 5a 7a aa 5d d5 25 ca b8
                    5d 49 f6 4e 00 10 d4 4e 72 35 65 a0 e1 0c d2 c3
                    f6 a5 ad eb a0 d0 e8 67 60 9b 9d 04 5b f6 eb fe
                    7b 7f eb b0 f6 58 9b e0 e0 95 34 d1 e5 6c 94 c7
                    15 bf 12 d0 a6 b1 d7 65 b7 c6 c2 66 a0 79 f1 a6
                    0f c1 46 e4 44 57 43 af 8d af 0f fc ed 08 8f cb
                    db 82 cc e9 2f aa bd 9e c9 51 c2 1a a6 18 b5 a9
                    3c 4e 98 8f 28 d8 79 df d3 77 28 07 ba 32 23 ae
                    7e 9a 8b c7 ac f4 12 1b 2e 23 84 19 6c c6 36 91
                    00 4e 00 08 00 0b 00 00 04 12 00 20 07 e7 d7 74
                    fe af 8d fe 6f 2f 6c f9 0c 2f ad fe e9 99 db 75
                    19 fc 5a 72 8f ac a7 99 a1 43 17 f4 00 10 00 20
                    19 25 70 17 3a 39 bf c9 6f 17 1b 3e f0 6d 88 52
                    5c 35 93 1a 26 0c eb d5 0e ea 87 9a 39 b4 23 86
        Keyslot:    1
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 701858
        Salt:       14 1b 1f a5 5c 05 3f 3b 55 a9 15 f3 e8 2d f0 14 
                    50 fa a3 68 88 63 d7 bd fb 4e ef 72 fd 24 47 16 
        Digest:     1e b5 ec e9 b0 ad 93 44 d5 c2 d3 b8 48 3f ae d7 
                    ea 12 c3 ae 73 9a da 06 8b 40 21 95 e0 f7 9f e9 

Last edited by d.ALT (2026-04-07 09:51:54)


<49,17,III,I>    The world lets no fame of them remain;
<50,17,III,I>    mercy and justice alike disdain them:
<51,17,III,I>    let us not speak of them, but look and pass on.

