arch-luks-tpm
Does not work with sd-encrypt
Hi.
I tried to use this and a few variations of it, but was unable to get it to work.
Here's the relevant stuff:
`/etc/initcpio/hooks/encrypt-tpm`:

```sh
#!/usr/bin/ash
run_hook() {
    echo "grabbing cryptokeyfile"
    modprobe -a -q tpm_crb
    tpm2_unseal -c 0x81000000 -p pcr:sha1:0,2,4,7 -o /crypto_keyfile.bin
    echo "got cryptokeyfile"
}
# vim: set ft=sh ts=4 sw=4 et:
```
`/etc/initcpio/install/encrypt-tpm`:

```bash
#!/bin/bash
build() {
    local mod
    add_module "tpm_crb"
    add_binary "tpm2_unseal"
    add_binary "/usr/lib/libtss2-tcti-device.so"
    add_runscript
}

help() {
    cat <<HELPEOF
This hook allows for reading the encryption key from TPM.
HELPEOF
}
# vim: set ft=sh ts=4 sw=4 et:
```
These are the uncommented lines in `/etc/mkinitcpio.conf`:

```
MODULES=(nvidia nvidia_modeset nvidia_uvm nvidia_drm)
BINARIES=()
FILES=()
HOOKS=(base systemd sd-plymouth autodetect modconf block keyboard sd-vconsole encrypt-tpm sd-encrypt sd-lvm2 fsck filesystems)
```
I validated this: when I run `tpm2_unseal -c 0x81000000 -p pcr:sha1:0,2,4,7 -o test.bin` myself after booting, it produces the key from the TPM.
`journalctl -b` did not give much help, beyond this:

```
Jun 12 16:14:09 archlinux systemd-cryptsetup[499]: Failed to open key file.
Jun 12 16:14:09 archlinux systemd-cryptsetup[499]: Failed to activate with key file '/crypto_keyfile.bin'. (Key file missing?)
```
I put the keyfile in the kernel command line. Here's my `/proc/cmdline`, if that helps:

```
splash rd.udev.log_priority=3 vt.global_cursor_default=0 nvidia-drm.modeset=1 rd.luks.name=89524c40-70db-4af1-aded-3850ed8edc03=cryptlvm rd.luks.key=89524c40-70db-4af1-aded-3850ed8edc03=/crypto_keyfile.bin rd.luks.options=discard,timeout=0,keyfile-timeout=5s rootflags=x-systemd.device-timeout=0,discard rng_core.default_quality=1000 root=/dev/arch/root rw
```
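The hook posted above writes the unsealed key straight to `/crypto_keyfile.bin` and never checks whether `tpm2_unseal` succeeded, so a PCR policy mismatch or a missing TPM device can leave either no file or a truncated one, and the only diagnostic is the generic "Key file missing?" message from systemd-cryptsetup seen in the journal. The following is an added example, not code from the arch-luks-tpm project or from the reporter, of a fail-closed version of that step. It assumes tpm2-tools' `tpm2_unseal` with the handle and PCR policy from the post; `TPM2_UNSEAL` is an assumed override variable so the routine can be exercised with a stand-in command on a machine without a TPM (it is unset in a real initramfs, where the real binary is used). One thing to keep in mind when wiring it up: mkinitcpio's busybox init executes `run_hook` functions, but the systemd-based initramfs built by the `systemd` hook does not run these runscripts, so the unseal routine is kept separate from the `run_hook` entry point.

```sh
#!/bin/sh
# Added example, not code from the arch-luks-tpm project: a fail-closed
# version of the unseal step. Assumes tpm2-tools' tpm2_unseal with the
# handle and PCR policy from the post. TPM2_UNSEAL is an assumed override
# (stand-in command for testing without a TPM); unset in the initramfs.

# Unseal the LUKS key into $1 (persistent handle $2, PCR policy $3).
# Succeeds only when a non-empty keyfile readable by root alone is in
# place; on any failure no file is left behind, so cryptsetup falls back
# to its passphrase prompt instead of reading a stale or truncated key.
unseal_keyfile() {
    keyfile=$1
    handle=${2:-0x81000000}
    policy=${3:-pcr:sha1:0,2,4,7}
    tmp="${keyfile}.tmp"
    rm -f "$tmp"
    # umask 077 in a subshell: the key is created 0600 without changing
    # the caller's umask. A function assigned to TPM2_UNSEAL is visible
    # in the subshell as well.
    if ! ( umask 077; "${TPM2_UNSEAL:-tpm2_unseal}" -c "$handle" -p "$policy" -o "$tmp" ); then
        rm -f "$tmp"
        echo "encrypt-tpm: unseal failed for $handle (PCR policy mismatch or no TPM device?)" >&2
        return 1
    fi
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "encrypt-tpm: unseal returned an empty key" >&2
        return 1
    fi
    # Lock the file down before it appears under its final name.
    if ! chmod 0400 "$tmp" || ! mv -f "$tmp" "$keyfile"; then
        rm -f "$tmp"
        echo "encrypt-tpm: could not install keyfile at $keyfile" >&2
        return 1
    fi
}

# Busybox-init entry point (mkinitcpio's run_hook). A failure is reported
# but not fatal: the passphrase fallback must stay available.
run_hook() {
    modprobe -a -q tpm_crb
    if unseal_keyfile /crypto_keyfile.bin; then
        echo "encrypt-tpm: keyfile ready"
    else
        echo "encrypt-tpm: no keyfile, cryptsetup will prompt for a passphrase" >&2
    fi
}
```

Compared with the posted hook, the difference in a failure case is visible on the console: a specific message naming the handle, and no `/crypto_keyfile.bin` at all, so the `keyfile-timeout=5s` option on the posted command line hands over to the passphrase prompt cleanly. The temp-file-then-rename pattern also means a key is never exposed at its final path with permissions looser than 0400, even briefly.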