Manual mistake

[kjeldonarch]

Dear Rowan,
i think there is a little mistake in the manual for implementing mkinitcpio-hooks.
We shall update grub to pass certain command line arguments for tpm2_encrypt by updating in /etc/default/grub the line GRUB_CMDLINE_LINUX_DEFAULT. Your short example is as
tpm_files_part=PARTUUID=some-uuid-for-dev-sda5 cryptdevice=PARTUUID=the-uuid-of-the-luks-partition:cryptroot
But in actual run_hook in tpm2_encrypt the tpm_files_part is mounted early, before cryptdevice is decrypted (line 20-21). So i think correct command line argument for grub shall identify the external USB-device, since this is readable yet.

So i think correct would be:
tpm_files_part=PARTUUID=some-uuid-for-dev-USB cryptdevice=PARTUUID=the-uuid-of-the-luks-partition:cryptroot

Best regards, Kjeld

[rowanmoul]

It's been quite a while since I have looked at this. Certainly usb is more clear than sda5, and it looks like I did previously use sda5 to refer to the archlinux root partition, which is indeed encrypted at that point. So if you followed everything to the letter, the two UUIDs you'd have here would actually be the same, which is obviously not correct! Even just that should be enough to tip you off and correct the mistake. Yes, you want to use the PARTUUID of the USB drive's partition as the tpm_files_part.
Do also take note of of this: https://github.com/rowanmoul/ArchSecureDualBoot/blob/master/README.md#update-january-2025

[kjeldonarch]

Thank you for the note ... i already recognized, that you don't actively maintain this anymore.
So my intention is to help other users: even your very good and detailed instructions need to be reflected.