Since upgrading my kernel to 6.9.X I have been having issues with getting automatic decryption working. I first suspected that something about the kernel config changed (gentoo-kernel) like in #258, but after trying a few things I no longer believe that that's the case.
After enabling debug logging for booster (adding `booster.log=debug` to my cmdline arguments) I'm seeing errors like `recovering clevis token #0 failed: unable to unseal data: error code 0x28 : PCR have changed since checked` or `recovering clevis token #0 failed: unable to unseal data: session 1, error code 0x1d : a policy check failed`.
Because I wasn't sure about PCRs changing I sealed the TPM key against just register 7 (secure boot policy). On the next boot I get the message that secure boot is enabled but still booster complains about changed PCR values.
One thing I figured out is that it always works when I change the cmdline to `booster.log=debug,console` (at least I can't remember it ever failing) though I don't see how enabling logging would suddenly change the behavior of booster/clevis.
Any help on this is appreciated :)
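For readers comparing the two error messages quoted in this report, the following is an added example, not part of the original post and not booster or clevis code. It is a simplified Python model of the two checks the TPM 2.0 specification describes for a PCR-bound policy session; `ToyTPM`, `demo` and all measured data are constructed for illustration, and the model assumes every PCR extend bumps the update counter (real TPMs may exempt some PCRs).

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F  # TPM2_PolicyPCR command code (TPM 2.0 spec)
TPM_ALG_SHA256 = 0x000B

def extend(pcr: bytes, data: bytes) -> bytes:
    """PCR extend: new = SHA256(old || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def policy_pcr_digest(pcrs: dict, selected: list) -> bytes:
    """policyDigest after one TPM2_PolicyPCR on a fresh (all-zero) session."""
    bitmap = bytearray(3)
    for i in selected:
        bitmap[i // 8] |= 1 << (i % 8)
    selection = struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in sorted(selected))).digest()
    cc = struct.pack(">I", TPM_CC_POLICY_PCR)
    return hashlib.sha256(bytes(32) + cc + selection + pcr_digest).digest()

class ToyTPM:
    """Hypothetical model: 24 SHA-256 PCRs plus one global update counter."""
    def __init__(self):
        self.pcrs = {i: bytes(32) for i in range(24)}
        self.update_counter = 0

    def pcr_extend(self, index: int, data: bytes) -> None:
        self.pcrs[index] = extend(self.pcrs[index], data)
        self.update_counter += 1  # global: not limited to PCRs in the policy

    def policy_pcr(self, selected: list) -> dict:
        return {"digest": policy_pcr_digest(self.pcrs, selected),
                "counter": self.update_counter}

    def unseal(self, session: dict, auth_policy: bytes) -> str:
        if session["counter"] != self.update_counter:
            return "0x28 PCR have changed since checked"
        if session["digest"] != auth_policy:
            return "0x1d a policy check failed"
        return "ok"

def demo():
    tpm = ToyTPM()
    tpm.pcr_extend(7, b"constructed secure boot policy")
    sealed = policy_pcr_digest(tpm.pcrs, [7])        # authPolicy fixed at seal time
    r_ok = tpm.unseal(tpm.policy_pcr([7]), sealed)
    s2 = tpm.policy_pcr([7])
    tpm.pcr_extend(10, b"constructed measurement")   # extend between PolicyPCR and Unseal
    r_changed = tpm.unseal(s2, sealed)
    tpm.pcr_extend(7, b"constructed extra PCR 7 event")
    r_fail = tpm.unseal(tpm.policy_pcr([7]), sealed) # fresh session, PCR 7 value differs
    return r_ok, r_changed, r_fail
```

In this model the `0x28` result depends only on an extend landing between the policy assertion and the unseal, while the `0x1d` result depends on the selected PCR value differing from the one used at seal time.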