On Thu, Apr 16, 2026 at 07:03 PM, Jan Kiszka wrote:
> On 16.04.26 16:56, Quirin Gylstorff wrote:
>> evict any stale handle before enrollment to avoid
>> "Failed to seal to TPM2: State not recoverable".
> Could you also write when this error occurs.
This occurs when systemd-cryptenroll tries to create a new primary key
while the same handle is already occupied. With trixie shipping systemd >= v255,
this issue is easy to reproduce in consecutive installations.
 
> But then we would parse an error string and re-run the cryptenroll -
> does not sound very appealing this way.
By checking tpm2_getcap before evicting, we can overcome this. I'll send a new version of it.
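The check-before-evict approach proposed in the last message, as an added example that is not the patch under discussion nor code from systemd or tpm2-tools: the script lists the persistent handles with `tpm2_getcap handles-persistent` and only calls `tpm2_evictcontrol` when the handle systemd-cryptenroll is going to use is actually occupied, so no error string has to be parsed and enrollment is not re-run. It assumes the handle in question is 0x81000001 (`SRK_HANDLE` below) and that `tpm2_getcap handles-persistent` prints one `- 0x...` line per handle, which is the tpm2-tools 5.x YAML output; both are assumptions, not facts stated in the thread.

```shell
#!/bin/sh
# Added example (not code from the patch under review or from systemd/tpm2-tools):
# look the handle up with tpm2_getcap before evicting, instead of reacting to the
# "Failed to seal to TPM2: State not recoverable" error after the fact.
#
# Assumptions: the handle systemd-cryptenroll needs is taken to be 0x81000001
# (SRK_HANDLE below), and "tpm2_getcap handles-persistent" prints one "- 0x...."
# line per persistent handle (tpm2-tools 5.x YAML format).

SRK_HANDLE=0x81000001

# needs_evict HANDLE LISTING
# Succeeds (exit 0) when HANDLE appears in LISTING, the output of
# "tpm2_getcap handles-persistent". The comparison is case-insensitive on the
# hex digits and tolerant of extra spaces after the leading "-".
needs_evict() {
    _handle=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$2" | tr 'A-F' 'a-f' | grep -q -x -- "-[[:space:]]*${_handle}"
}

# prepare_handle HANDLE
# Queries the real TPM and evicts HANDLE only if it is currently occupied.
# Returns 0 if the handle is free (or was freed), non-zero if the query or the
# eviction failed. Eviction goes through the owner hierarchy (-C o); pass an
# owner auth value with -P if one is set on the device.
prepare_handle() {
    _listing=$(tpm2_getcap handles-persistent) || return 1
    if needs_evict "$1" "$_listing"; then
        echo "handle $1 is occupied, evicting it before enrollment" >&2
        tpm2_evictcontrol -C o -c "$1" >/dev/null || return 1
    fi
    return 0
}

# Constructed sample listing standing in for tpm2_getcap output on a device
# that has already gone through one installation (not captured from real hardware).
SAMPLE_LISTING='- 0x81000001
- 0x81010001'

# Stand-alone demonstration on the constructed listing; no TPM needed.
if needs_evict "$SRK_HANDLE" "$SAMPLE_LISTING"; then
    echo "$SRK_HANDLE is occupied in the sample listing: would evict"
else
    echo "$SRK_HANDLE is free in the sample listing: nothing to do"
fi
```

On a real device the installer would call `prepare_handle "$SRK_HANDLE"` right before `systemd-cryptenroll --tpm2-device=auto ...`; the decision logic is kept in `needs_evict` so it can be exercised against a saved listing without touching the TPM.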