LUKS2+TPM2 issue

PROBLEM

After a firmware update on a Lenovo ThinkPad X1 Carbon running Arch Linux, a LUKS2-encrypted root volume, which was previously unlocked automatically by the TPM2 chip, began prompting for a passphrase at every boot.

Attempts to re-enroll the TPM using systemd-cryptenroll would not result in a working unlock. The process would often show a non-fatal but confusing warning: Failed to determine keyslot of JSON token 1, skipping: Wrong medium type.

Extensive troubleshooting, including clearing the TPM, wiping LUKS slots, regenerating Secure Boot keys, and testing various PCR policies, did not resolve the issue, suggesting a deep hardware or firmware-level incompatibility.


FIX

The root cause was not a hardware fault, but a stale policy file located at /var/lib/systemd/pcrlock.json. This file, likely created during a previous firmware update that involved the systemd-pcrlock utility, was interfering with subsequent systemd-cryptenroll operations.

The solution was to remove the stale policy and perform a clean enrollment:

  1. Remove the Stale Policy File:

    sudo rm /var/lib/systemd/pcrlock.json
    
  2. Wipe the Old TPM Slot:

    sudo systemd-cryptenroll --wipe-slot=tpm2 /dev/nvme0n1p2
    
  3. Re-enroll the TPM: A robust PCR policy (0+7) was used, which is stable across most firmware and kernel updates.

    sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p2
    

After these steps, the TPM2 chip successfully and automatically unlocked the LUKS2 volume on reboot.