PCR 15 check fails on reboot - system shuts down

[stepkun]

This morning I started my Lenovo ThinkPad T490 running Aeon and it only shows the message PCR15 mismatch - shutting down.
No chance to interact, no reset to last known working state, no chance to revive the machine.
Last used on Sunday 5th October.

Reproducible: Always

Steps to Reproduce:

1. Press the power on button of my laptop

Actual Results:
machine is dead again

Expected Results:
a working machine

This is the fourth and fifth time Aeon "kills" my machines within 8 month unexpectedly with no chance to revive.
An experience worse than with MS Windows.

The error screen is:

ERROR: the validation of PCR 15 failed

********************************************************************
ERROR: PCR 15 mismatch. Encrypted devices compromised
Use 'measure-pcr-validator.ignore=yes' in cmdline to bypass the check
********************************************************************

*** The system will be halted. Press any key ...

Just tried to start my backup machine, an AMD 5700G desktop - same result, also PCR 15 error and no chance to do anything.
This machine has been off for a couple of days.

The only machine that still works is the one where I disabled the TPM chip.

For re-installation, I disabled the TPM on the Lenovo laptop.
Now, the current installation image from 2025-10-06 runs into error:
Command /usr/bin/chroot /var/lib/tkit/encrypt/mnt/sdbootutil -vv --esp-path /boot/efi --no-variables add-all-kernels FAILED

ryzen.tik.log

[stepkun]

lenovo.tik.log

Ok, uploading multiple files at once into GitHub did not work

[stepkun]

I am not a TPM expert, but read a little bit in the specs.
There it is said, that PCR 15 is a custom element to be used by applications.
Which for me means that anybody may use it for its purpose (which NVIDIA does I guess).

I use my Aeon machines for software development and only use "VsCode" with distroboxes running the Rust toolchain and "Firefox" on the affected machines. So these are candidates for having fiddled with PCR15.
But I noticed on my third (non-tpm) machine that there was installed a new Application called "Kindersicherung" (round shaped yellow Icon with parent & child) whithout me initiating it.
It was also installed on a fresh installation without me selecting it.
Maybe that app uses PCR 15 and changed it without your knowledge?

It seems that TPM is the new Cookie storage and has the same misuse/security problems but with much deeper impact.

[sysrich]

PCR15 is not custom

Our use of it directly complies with the UAPI Groups standards, a group Aeon is part of and who's standards we help write

https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/

[rasmus-kristensen]

I am also experiencing errors related to this since October 1st, the only way around for me is to pick a prior configuration from the boot manager, but it's a temporary solution. After the machine once again pulls updates and restarts then it works for 1 reboot only, from the 2nd and onward this error comes back again and again on every reboot.

I've had the same as stated in the original post, but at the moment my says the following:

ERROR: the validation of PCR 15 failed

********************************************************************
ERROR: Missing measure-pcr-prediction.sha256 signature file
Use `measure-pcr-validator.ignore=yes` in cmdline to bypass the check
********************************************************************

*** The system will be halted. Press any key ...
[FAILED] Failed to start Validate LUKS2 devices.
See `systemctl status measure-pcr-validtor.service` for details.

For now I'm on the older snapshot, not shutting the PC down, but it's not really a solution and I don't feel comfortable simply bypassing this check as the error message suggest.

[heipa0]

I can confirm this bug. It occurred on both my mum’s and my aunt’s computers which I set up about 3 month ago. Neither of them will boot anymore and both show the same error message mentioned by the original poster.

Unfortunately I’m too far away to troubleshoot in person, but I can confirm that both systems are 100% vanilla Aeon installations with no customizations or additional packages installed (except for flatpaks).

Both use a Beelink Mini S13 Mini PC if that helps anyhow.

[capfredf]

my workaround was:

1. boot into an older snapshot
2. re-enroll tpm2
3. manually update to the latest snapshot.

Alternatively, I could have added measure-pcr-validator.ignore=yes to the cmdline parameters before I was booting into the first snapshot (by pressing space, and e), and then I could have done reenrollment (not sure I would need to edit /etc/crypttab accordingly before that)

[rasmus-kristensen]

my workaround was:

1. boot into an older snapshot

2. re-enroll tpm2

3. manually update to the latest snapshot.

Alternatively, I could have added measure-pcr-validator.ignore=yes to the cmdline parameters before I was booting into the first snapshot (by pressing space, and e), and then I could have done reenrollment (not sure I would need to edit /etc/crypttab accordingly before that)

This did indeed seem to solve the problem, I'm on version 20251013 at the moment and have done several reboot to ensure my issue was solved. I followed the guidelines here
It's worth noting that it had to be done on the older snapshot before doing any updates again, otherwise you'd simply hit the same issue again upon the first reboot.