Hi guys.
I saw in the past 'systemd' folks are good with pretty much
everything & since I don't know/use any specific
'cryptsetup/LUKS' community, I decided to ask here:
Is this a misbehavior of some sort? I encrypt:
-> $ systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p3
and unless there is only one keyslot (may even have any ID)
or perhaps if it was first - but have not tried it - then
'cryptsetup' does not open the device @boot.
From what I understand 'cryptsetup' tries all keyslots - no
matter TPM provider/device is absent - I was thinking of
'timeout' but cryptsetup @boot does not report any such issues.
In this scenario, situation of mine - boot simply stops,
waiting for a passphrase.
In other words: it seems I need to remove all keyslots, old
ones, enrolled in the past for which TPM provider does not
exist any more, leave the keyslot I know is valid, only
then system boots with TPM, no passphrase prompt.
Or in even different words: I have one OS - in my case it's
CentOS & Fedora - which is/was keyslotted with TPM on one
hw-platform, then I moved it (boot-device with OS) to
another hw-platform (simply different mainboard) then
keyslotted it there with its TPM, then the device will not open
@boot - unless, again, all keyslots from previous, now
absent TPM provider, are removed.
That is not intended, expected behavior, right?
Any thoughts much appreciated.
many thanks, L.
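An added example that is not part of the post above and not code from the systemd or cryptsetup projects: before wiping anything, it helps to see which LUKS2 keyslots are bound to which systemd-tpm2 tokens, which ones have no token at all (the passphrase slot you must keep so you cannot lock yourself out), and exactly which slots a `systemd-cryptenroll --wipe-slot=` call would remove. The script below parses the JSON header that `cryptsetup luksDump --dump-json-metadata <device>` prints, using a constructed sample that mirrors the situation in the post (two TPM2 enrollments, one from the old mainboard). The token field names (`type`, `keyslots`, `tpm2-pcrs`, `tpm2-policy-hash`) are my reading of systemd's token format, the policy-hash values are placeholders, and the rule "keep the one token the operator knows unseals on this board, flag the rest" is an assumption about how the operator identifies the valid enrollment.

```python
import json
import sys

# Constructed sample (not real output), trimmed to the fields this script reads, of
# what `cryptsetup luksDump --dump-json-metadata /dev/nvme0n1p3` prints for a LUKS2
# header with one passphrase keyslot and two systemd-tpm2 tokens: one enrolled on the
# old mainboard, one on the current one. Hash values are placeholders.
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},  # passphrase slot, no token references it
        "1": {"type": "luks2", "key_size": 64},  # sealed to the old mainboard's TPM
        "2": {"type": "luks2", "key_size": 64},  # sealed to the current mainboard's TPM
    },
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"],
              "tpm2-pcrs": [0, 7], "tpm2-policy-hash": "PLACEHOLDER_OLD_BOARD"},
        "1": {"type": "systemd-tpm2", "keyslots": ["2"],
              "tpm2-pcrs": [0, 7], "tpm2-policy-hash": "PLACEHOLDER_NEW_BOARD"},
    },
})

TPM2_TOKEN_TYPE = "systemd-tpm2"  # token type systemd-cryptenroll writes for TPM2 enrollments


def tpm2_bindings(metadata_json: str) -> dict:
    """Map each keyslot id to the systemd-tpm2 token id that binds it.

    Keyslots not bound by a TPM2 token are absent from the result.
    """
    meta = json.loads(metadata_json)
    bindings = {}
    for token_id, token in meta.get("tokens", {}).items():
        if token.get("type") != TPM2_TOKEN_TYPE:
            continue
        for slot in token.get("keyslots", []):
            bindings[slot] = token_id
    return bindings


def unbound_keyslots(metadata_json: str) -> list:
    """Keyslots no token references at all (typically the passphrase slot)."""
    meta = json.loads(metadata_json)
    referenced = set()
    for token in meta.get("tokens", {}).values():
        referenced.update(token.get("keyslots", []))
    return sorted((s for s in meta.get("keyslots", {}) if s not in referenced), key=int)


def stale_tpm2_slots(metadata_json: str, keep_token_id: str) -> list:
    """TPM2-bound keyslots whose token is not the one known to unseal on this board.

    keep_token_id must itself be a systemd-tpm2 token, otherwise every TPM2 slot
    would be reported and the device could be left with no working TPM2 path.
    """
    bindings = tpm2_bindings(metadata_json)
    if keep_token_id not in bindings.values():
        raise ValueError(f"token {keep_token_id!r} is not a {TPM2_TOKEN_TYPE} token")
    return sorted((slot for slot, tok in bindings.items() if tok != keep_token_id), key=int)


def wipe_commands(device: str, slots) -> list:
    """One systemd-cryptenroll invocation per keyslot to remove, in slot order."""
    return [f"systemd-cryptenroll --wipe-slot={slot} {device}" for slot in sorted(slots, key=int)]


def report(metadata_json: str, device: str, keep_token_id: str) -> str:
    """Human-readable summary: bindings, slots to keep, and the wipe commands."""
    lines = [f"TPM2 bindings (keyslot -> token): {tpm2_bindings(metadata_json)}",
             f"keyslots without any token (keep these): {unbound_keyslots(metadata_json)}",
             f"keeping TPM2 token {keep_token_id}; stale TPM2 keyslots to wipe:"]
    lines.extend("  " + cmd for cmd in wipe_commands(device, stale_tpm2_slots(metadata_json, keep_token_id)))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 luks_tpm2_slots.py [header.json] [keep_token_id] [device]
    # With no arguments the constructed sample is used.
    metadata = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    keep = sys.argv[2] if len(sys.argv) > 2 else "1"
    dev = sys.argv[3] if len(sys.argv) > 3 else "/dev/nvme0n1p3"
    print(report(metadata, dev, keep))
```

On a live system, dump the header with `cryptsetup luksDump --dump-json-metadata /dev/nvme0n1p3 > header.json`, run the script against that file with the token id you enrolled on the current board, and only then execute the printed `--wipe-slot` commands; re-run `cryptsetup luksDump` afterwards to confirm that the passphrase slot and the one intended TPM2 slot remain.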