I am trying to configure systemd so that it uses TPM2 to unlock the boot partition. The partition has two keys configured – passphrase and TPM2. However, at boot it still asks for the passphrase.
Here is the relevant boot config:
boot = {
  loader.systemd-boot.enable = true;
  initrd = {
    # TPM driver needed in the initrd so the device is visible at unlock time
    availableKernelModules = ["tpm_tis"];
    systemd = {
      enableTpm2 = true;
      emergencyAccess = true;
    };
    luks.devices = {
      luksroot = {
        device = "${nvme}-part3";
        allowDiscards = true;
        # passed through to the crypttab entry for this volume
        crypttabExtraOpts = ["tpm2-device=auto"];
      };
    };
  };
};
The key was added like this:
$ systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p3 --tpm2-pcrs=0+1+2+3+7
<...>
$ sudo systemd-cryptenroll /dev/nvme0n1p3
SLOT TYPE
0 password
1 tpm2
I can attach the device using the TPM2 key successfully; this works as expected:
$ systemd-cryptsetup attach foo /dev/nvme0n1p3 - tpm2-device=auto
TPM2 is loaded:
$ sudo journalctl -k --grep=tpm
Jul 16 05:23:12 mtworx kernel: efi: ACPI=0x5a2fe000 ACPI 2.0=0x5a2fe014 TPMFinalLog=0x5a1ae000 SMBIOS=0x5c97e000 SMBIOS 3.0=0x5c971000 MEMATTR=0x8979a018 ESRT>
Jul 16 05:23:12 mtworx kernel: ACPI: SSDT 0x000000005C963000 00060E (v02 LENOVO Tpm2Tabl 00001000 INTL 20200717)
Jul 16 05:23:12 mtworx kernel: ACPI: TPM2 0x000000005C962000 00004C (v04 LENOVO TP-N3X 00001250 PTEC 00000002)
Jul 16 05:23:12 mtworx kernel: ACPI: Reserving TPM2 table memory at [mem 0x5c962000-0x5c96204b]
Jul 16 05:23:12 mtworx kernel: tpm_tis NTC0702:00: 2.0 TPM (device-id 0xFC, rev-id 1)
Why is it still asking for the passphrase at boot, and how can I make it boot without one?
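As an added example (not part of the question and not systemd's own tooling), a Python check of the two things the setup above depends on: a systemd-tpm2 token in the LUKS2 header, read from `cryptsetup luksDump --dump-json-metadata` output (a constructed sample here, with placeholder blob values), and a `tpm2-device=` option on the volume's crypttab line. It also flags the PCR binding, since a policy sealed to PCRs 0+1+2+3+7 stops matching after firmware or boot-chain changes, at which point systemd falls back to the passphrase prompt.

```python
import json

# Constructed sample in the shape of `cryptsetup luksDump --dump-json-metadata`
# output; the blob and policy hash are placeholders, not real values.
SAMPLE_HEADER = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {
        "0": {
            "type": "systemd-tpm2",
            "keyslots": ["1"],
            "tpm2-pcrs": [0, 1, 2, 3, 7],
            "tpm2-pcr-bank": "sha256",
            "tpm2-blob": "PLACEHOLDER",
            "tpm2-policy-hash": "PLACEHOLDER",
        }
    },
})

# Constructed crypttab line matching the question's crypttabExtraOpts.
SAMPLE_CRYPTTAB = "luksroot /dev/nvme0n1p3 - discard,tpm2-device=auto\n"

# PCRs that change on firmware, option ROM or Secure Boot policy updates.
VOLATILE_PCRS = {0, 1, 2, 3, 7}


def tpm2_tokens(header_json):
    """Return the systemd-tpm2 tokens found in LUKS2 header metadata."""
    tokens = json.loads(header_json).get("tokens", {})
    return [t for t in tokens.values() if t.get("type") == "systemd-tpm2"]


def crypttab_options(crypttab_text, volume):
    """Return the option set for one crypttab volume (empty if not listed)."""
    for line in crypttab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == volume and not line.startswith("#"):
            return set(fields[3].split(","))
    return set()


def check_tpm2_unlock(header_json, crypttab_text, volume):
    """Static preconditions for an automatic TPM2 unlock; empty list = all passed.
    It cannot tell whether the live PCR values still match the sealed policy."""
    findings = []
    tokens = tpm2_tokens(header_json)
    if not tokens:
        findings.append("no systemd-tpm2 token in LUKS2 header (key not enrolled)")
    for tok in tokens:
        bound = sorted(set(tok.get("tpm2-pcrs", [])) & VOLATILE_PCRS)
        if bound:
            findings.append(f"token bound to PCRs {bound}: any firmware/bootloader/"
                            "Secure Boot change invalidates the policy and forces "
                            "the passphrase fallback")
    opts = crypttab_options(crypttab_text, volume)
    if not opts:
        findings.append(f"volume {volume} not present in crypttab")
    elif not any(o.startswith("tpm2-device=") for o in opts):
        findings.append("crypttab options lack tpm2-device=, systemd will not try the TPM")
    return findings
```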