LUKS2+TPM2 issue
PROBLEM
After a firmware update on a Lenovo ThinkPad X1 Carbon running Arch Linux, a LUKS2-encrypted root volume, which was previously unlocked automatically by the TPM2 chip, began prompting for a passphrase at every boot.
Attempts to re-enroll the TPM using systemd-cryptenroll
would not result in a working unlock. The process would often show a non-fatal but confusing warning: Failed to determine keyslot of JSON token 1, skipping: Wrong medium type
.
Extensive troubleshooting, including clearing the TPM, wiping LUKS slots, regenerating Secure Boot keys, and testing various PCR policies, did not resolve the issue, suggesting a deep hardware or firmware-level incompatibility.
FIX
The root cause was not a hardware fault, but a stale policy file located at /var/lib/systemd/pcrlock.json
. This file, likely created during a previous firmware update that involved the systemd-pcrlock
utility, was interfering with subsequent systemd-cryptenroll
operations.
The solution was to remove the stale policy and perform a clean enrollment:
-
Remove the Stale Policy File:
sudo rm /var/lib/systemd/pcrlock.json
-
Wipe the Old TPM Slot:
sudo systemd-cryptenroll --wipe-slot=tpm2 /dev/nvme0n1p2
-
Re-enroll the TPM: A robust PCR policy (
0+7
) was used, which is stable across most firmware and kernel updates.sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p2
After these steps, the TPM2 chip successfully and automatically unlocked the LUKS2 volume on reboot.
Comments ()