On Thu, Apr 16, 2026 at 07:03 PM, Jan Kiszka wrote:
> On 16.04.26 16:56, Quirin Gylstorff wrote:
>>>> evict any stale handle before enrollment to avoid
>>>> "Failed to seal to TPM2: State not recoverable".
>>>
>> Could you also write when this error occurs.
>
> This occurs when systemd-cryptenroll tries to create a new primary key at the same time the same handle is occupied. With trixie shipping systemd >= v255, this issue is easy to reproduce in consecutive installations.
>
> But then we would parse an error string and re-run the cryptenroll -
> does not sound very appealing this way.

By checking tpm2_getcap before evicting we can overcome this. I'll send a new version of it.
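One way to do the tpm2_getcap check the reply proposes, as an added example that is not the patch under discussion: consult the persistent-handle listing and only evict when the handle is actually occupied, instead of matching on the sealing error string. The handle values and the sample listing are constructed placeholders; the thread does not name the real handle.

```shell
# Added example, not from the thread or the patch. Exit 0 if handle $1 (e.g.
# 0x81000001) appears in a `tpm2_getcap handles-persistent` listing read on
# stdin. tpm2_getcap prints that listing as a YAML list, one "- 0x8100xxxx"
# line per persistent handle.
handle_in_listing() {
    grep -qiE "^- *$1\$"
}

# Query the live TPM and evict the handle only if it is present, so a fresh
# install does not trip over a stale object while a clean TPM is left alone.
# The owner hierarchy (-C o) is assumed here; adjust if the object was
# persisted under a different hierarchy.
evict_if_present() {
    handle="$1"
    if tpm2_getcap handles-persistent | handle_in_listing "$handle"; then
        tpm2_evictcontrol -C o -c "$handle"
    fi
}

# Constructed sample listing (placeholder handles) for offline checking.
SAMPLE_LISTING='- 0x81000001
- 0x81010001'
```

Run `evict_if_present <handle>` before `systemd-cryptenroll`; on a TPM without the handle it is a no-op.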