fedora-bootc:eln install to-disk with LUKS + TPM broken

[jmpolom]

Upon first reboot after installing the latest fedora-bootc image with bootc install to-disk --block-setup tpm2-luks /dev/diskX the LUKS encrypted root device fails to unlock via TPM. Eventually dracut times out and drops into a rescue shell in the initrd. The cryptsetup unit fails with a Current policy digest does not match stored policy digest, cancelling TPM2 authentication attempt. error. Further, an error of No passphrase or recovery key registered is also printed.

Looks like between tags eln-1710868505 and eln-1711401621 the fedora-bootc image began exhibiting this failure with the systemd-cryptsetup units on boot after install. It was working in the earlier build but now does not. I noticed a similar issue with a custom Fedora 39 based image (see containers/bootc#421) build which also failed to unlock the LUKS root via TPM on reboot after install.

Between the two builds some packages were updated. None of the ones I've looked at seem like obvious culprits though. It seems like this issue was most likely something changing in a package update?

[jmpolom]

Update: this is due to an update to the shim package from 15.6-2 to 15.8-3 that manifests as a difference in PCR 7 hashes. This may be due to version disagreement between the shim version in the installation os/environment that's booted and from where the bootc install process is invoked.

[jmpolom]

bootc needs more configurability over the LUKS+TPM install process to avoid this issue in the future. see: containers/bootc#421