If you are using ubuntu 22.04 I am 100% sure that the issue is due to the old dracut version that is shipped with this Ubuntu.
Run
dracut --list-modules | grep tpm2
to confirm that this module is missed or check if you have folder /usr/lib/dracut/modules.d/91tpm2-tss/

There is a simple fix. Copy required modules folders from the dracut-059 Releases · dracutdevs/dracut · GitHub

01systemd-sysusers
01systemd-udevd
91tpm2-tss

Detailed steps can be found on the gist - Dual booting Windows 11 and Ubuntu 22.04 LTS with LUKS and TPM2 encryption · GitHub

I have been doing this for months, and for the first time it is failing.

systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+8 /dev/nvme0n1p5

(found from reddit) and

systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs "1+3+5+7+11+12+14+15" /dev/nvme0n1p3

gets

Failed to add TPM2 JSON token to LUKS2 header: No space left on device

I’m having a bit of trouble with parts of this. PCRs 0 through 7 all work fine for me, but I can’t seem to get 15 working with either the machine-id or the LUKS volume key measurements. From a couple of different sites, it looks like not having a userspace verification can lead to compromising the TPM key, so I would like to get this resolved.

I enrolled my TPM with PCRs 0+1+2+3+5+6+7. I am using a UKI, self-signed, so I excluded 4, 9, and 11 intentionally since they are covered by 7, from what I understand, and including 4 would cause my password to be required every time I updated the initramfs.

When I try to add 15 to the mix, my password ends up always being required, even though it matches on each boot. I checked with both systemd-analyze pcrs to compare the hash values in PCR 15 before and after making the change, as well as with systemd-pcrlock log, which indicates that the machine-id key matches.

If I try to add the LUKS volume key hash to the mix, things get even stranger. It still doesn’t work, despite the hash values being correct once the system is booted, but if I use systemd-pcrlock log, it provides a different hash for the LUKS volume key than the one in the PCR. Basically, the scenarios below are the ones I tested, none of which work. After enrolling the TPM, I regenerate the initramfs with mkinitcpio, which generates a UKI at /boot/EFI/BOOT/BOOTX64.efi

Scenario 1 - PCR 15 with just machine-id

systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm-pcrs=0+1+2+3+5+6+7+15 <partition>

Scenario 2 - PCR 15 with machine-id and LUKS volume key

systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm-pcrs=0+1+2+3+5+6+7+15 <partition>

Kernel command line also has rd.luks.options=tpm2-measure-pcr=yes

Scenario 3 - PCR 8 with just LUKS volume key

systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm-pcrs=0+1+2+3+5+6+7+8 <partition>

Kernel command line also has rd.luks.options=tpm2-measure-pcr=8

This particular scenario also causes systemd-pcrlock log to indicate that the calculated hash value for my volume key does not match with the value stored in the PCR. I also attempted this with PCR 23 instead of 8 to the same effect.

Scenario 4 - Adding LUKS volume key at all

systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm-pcrs=0+1+2+3+5+6+7 <partition>

Kernel command line also has rd.luks.options=tpm2-measure-pcr=8

Despite not binding the TPM to PCR 8, if I have systemd-cryptenroll store the hash value to a PCR (8, 15, and 23 tested), I am asked for the password.

System information:

Framework 16 | BIOS 3.05
Arch Linux   | Linux Kernel 6.13.5-arch1-1

Can you try wiping the token first (separately), then enrolling the new one? I’ve noticed it seems to enroll the new one before unenrolling the old one

For those using Bluefin Linux, or another UBlue variant (Aurora, Bazzite, etc…), you can enable TPM unlock with a single terminal command. ujust setup-luks-tpm-unlock see Bluefin on Framework Laptops | Bluefin

That being said the above guides, and posts, are great for understanding what is really going on. Also if you either don’t like, or want to review, the PCR’s being used.