Hello, I made additional tests this morning showing that the problem is related to the secure boot (even when the secure-boot-policy PCR binding is not used).
- secure boot enabled, no PCR binding (--tpm2-pcrs="" passed to systemd-cryptenroll): OK
- secure boot enabled, PCR binding (--tpm2-pcrs=any value other than 7 passed to systemd-cryptenroll): NOK
- secure boot disabled, PCR binding (--tpm2-pcrs=any value other than 7 passed to systemd-cryptenroll): OK

According to the systemd-cryptenroll manual, if no PCR binding is specified the default is to use PCR 7 only. I can infer that when a PCR value other than 7 is passed to systemd-cryptenroll, the secure-boot-policy binding does not apply.

In conclusion, linux-image-6.7.7-amd64 fails to decrypt the LUKS volume with tpm2 when secure boot is enabled and a PCR binding is used.

Due to the secure boot involvement, this is not something that I can debug myself using git bisect (https://wiki.debian.org/DebianKernel/GitBisect says secure boot should be disabled).

Best regards