On Tue, 2024-12-10 at 07:13 +0100, Jiri Slaby wrote: [...] > Perhaps, you can give a hint why those happen exclusively with 6.12+? For which one: the ramdisk size not being modulo 4 or the unseal getting a PCR changed error? For the former I don't have much of an idea, it would seem to be a dracut (or whatever initrd builder you use) issue; the kernel doesn't care about the ramdisk size. For the latter, I would suspect something is delaying IMA measurements such that they're still going on when you're trying to unseal. The error you're getting occurs if any PCR changes, not just the ones the policy is locked to (thanks TCG). We have had syzbot reports of processes getting stuck in measurement that have been identified as exfat related: https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330 But it could be a more generic filesystem issue that measurement is slowing but not enough to trigger the stuck process warning. In particular systemd parallelizes a lot of stuff, so if it's doing something that causes IMA measurement in parallel with the unseal and this parallel process finished before unseal on an earlier kernel, that would explain it. You could probably verify this by adding more dependencies to the tpm target, but I'm not really well versed in systemd. Regards, James
