On Thu, Apr 16, 2026 at 05:30 PM, Jan Kiszka wrote:
On 06.04.26 15:39, Sari, Sercan wrote:
systemd-cryptenroll persists its TPM2 SRK at handle 0x81000001
Is that handle number officially documented? Or was it retrieved from
the code?
Yes, officially documented in the man page.
evict any stale handle before enrollment to avoid
"Failed to seal to TPM2: State not recoverable".

Signed-off-by: Sercan Sari <sari.sercan@...>
---
.../files/encrypt_partition.systemd.script | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
index 1b7c83b..841219c 100644
--- a/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
+++ b/recipes-initramfs/initramfs-crypt-hook/files/encrypt_partition.systemd.script
@@ -26,6 +26,11 @@ enroll_tpm2_token() {
#tpm_key_algorithm="$4"
#pcr_bank_hash_type="$5"

+ # systemd-cryptenroll persists its TPM2 SRK at handle 0x81000001
+ # evict any stale handle before enrollment to avoid
+ # "Failed to seal to TPM2: State not recoverable".
+ tpm2_evictcontrol -C o -c 0x81000001 2>/dev/null || true
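Review bot: the `2>/dev/null || true` on the tpm2_evictcontrol line swallows every failure of that command, including a missing tpm2_evictcontrol binary in the initramfs or an authorization error on the owner hierarchy (`-C o`), so when systemd-cryptenroll later fails with "State not recoverable" there is no trace of why the eviction did not happen. Suggest first checking whether 0x81000001 is actually persisted (e.g. `tpm2_getcap handles-persistent | grep -q 0x81000001`), calling tpm2_evictcontrol only in that case, and letting that call fail loudly with stderr visible, for instance `tpm2_evictcontrol -C o -c 0x81000001 || { echo "failed to evict stale SRK handle 0x81000001"; exit 1; }`. Putting the handle value in a named variable would also avoid repeating it in the comment and the command.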
"|| true" is always a bit fragile and bad for debugging. Can't we test
for the handle first and actually fail if eviction is then not successful?
Agreed, better to look it up with tpm2_getcap first, then evict.