oh, well deleting the VM and starting anew, the installation failure isn't what I thought: cannot seal the encryption keys: cannot add EFI secure boot policy profile: cannot compute secure boot policy profile: the current boot was preceeded by a boot attempt to an EFI application that returned to the boot manager, without a reboot in between

(I enrolled MS secure boot keys with sbctl from a nixos ISO, but there was a hard shutoff before booting into the ubuntu ISO)

In reply to @roosemberth:orbstheorem.ch
Anywho, I would like to understand exactly what measurements go into what TPM registry and where it's implemented (firmware, lanzaboote-stub, kernel or anything really).

18:32 ▬▬▶ jakogut (~oftc-webi@172-223-248-144.res.spectrum.com) a rejoint #edk2
18:36 <jakogut> Hello, I'm working on a Linux-based OS integrating secure boot and disk encryption using the TPM to encrypt the LUKS passphrase. It's working with a NUC, but with QEMU and OVMF, the digest of PCR7 isn't matching what I expect. Strangely, it seems the TPM event log isn't created in securityfs in QEMU. Even stranger, booting an Arch ISO with the exact same QEMU config creates it just fine.
18:39 <jakogut> Reviewing the kernel logs, it seems the only difference is the line starting with "efi:" on the system with the working event log shows the address of TPMEventLog in addition to TPMFinalLog, whereas the non-working system shows only "TPMFinalLog".
18:40 <jakogut> Any ideas on what may be going wrong here? If I can get the TPM event log working on this QEMU system, it'll get me a lot closer to debugging the unexpected PCR hash.