[systemd-devel] luks device won't open if TPM provider is missing?

lejeczek peljasz at yahoo.co.uk
Sun May 18 07:43:05 UTC 2025


Hi guys.

I saw in the past 'systemd' folks are good with pretty much everything & since I don't know/use any specific 'cryptsetup/LUKS' community, I decided to ask here:

Is this a misbehavior of some sort? I encrypt:
-> $ systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p3
and unless there is only one keyslot (may even have any ID) or perhaps if it was first - but have not tried it - then 'cryptsetup' does not open the device @boot.
From what I understand 'cryptsetup' tries all keyslots - no matter if the TPM provider/device is absent - I was thinking of 'timeout' but cryptsetup @boot does not report any such issues.
In this scenario, situation of mine - boot simply stops, waiting for a passphrase.
In other words: it seems I need to remove all keyslots, old ones, enrolled in the past for which the TPM provider does not exist any more, leave the keyslot I know is valid, only then the system boots with TPM, no passphrase prompt.
Or in even different words: I have an OS - in my case it's Centos & Fedora - which is/was keysloted with TPM on one hw-platform, then I moved it (boot-device with OS) to another hw-platform (simply different mainboard), then keysloted it there with its TPM, then the device will not open @boot - unless, again, all keyslots from the previous, now absent TPM provider are removed.

That is not intended, expected behavior, right?

any thoughts much appreciated.
many thanks, L.
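Added example (not from the poster, nor systemd's or cryptsetup's own code): a Python script that reads the JSON header metadata `cryptsetup luksDump --dump-json-metadata` prints for a LUKS2 device and lists which keyslots are bound to systemd-tpm2 tokens and with which PCRs, so enrolments left over from a previous mainboard can be identified before wiping them. The metadata below is constructed, and the token fields beyond `type`/`keyslots` are assumed from systemd's tpm2 token format.

```python
import json

# Constructed sample of `cryptsetup luksDump --dump-json-metadata` output
# (hypothetical values, fields trimmed to what this script reads): keyslot 0
# is a passphrase, keyslots 1 and 2 were each enrolled with
# `systemd-cryptenroll --tpm2-pcrs=0+7` on two different mainboards, so only
# one of the two systemd-tpm2 tokens can be unsealed by the current TPM.
SAMPLE_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},
        "1": {"type": "luks2", "key_size": 64},
        "2": {"type": "luks2", "key_size": 64},
    },
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [0, 7],
              "tpm2-pcr-bank": "sha256", "tpm2-blob": "<old-mainboard-blob>"},
        "1": {"type": "systemd-tpm2", "keyslots": ["2"], "tpm2-pcrs": [0, 7],
              "tpm2-pcr-bank": "sha256", "tpm2-blob": "<new-mainboard-blob>"},
    },
})


def keyslot_report(metadata_json: str) -> dict:
    """Map each keyslot id to the tokens that bind it (empty list = plain
    passphrase/recovery slot; a systemd-tpm2 token can only be unsealed by
    the TPM that created its blob)."""
    meta = json.loads(metadata_json)
    report = {slot: [] for slot in meta.get("keyslots", {})}
    for token_id, token in meta.get("tokens", {}).items():
        for slot in token.get("keyslots", []):
            report.setdefault(slot, []).append(
                {"token": token_id, "type": token.get("type"),
                 "pcrs": token.get("tpm2-pcrs")})
    return report


def tpm2_keyslots(metadata_json: str) -> list:
    """Ids of keyslots bound to a systemd-tpm2 token. More than one means
    several TPM2 enrolments coexist; at most one belongs to the TPM in the
    current machine, the rest are candidates for --wipe-slot=<id>."""
    return sorted(slot for slot, tokens in keyslot_report(metadata_json).items()
                  if any(t["type"] == "systemd-tpm2" for t in tokens))


if __name__ == "__main__":
    for slot, tokens in keyslot_report(SAMPLE_METADATA).items():
        print(f"keyslot {slot}: {tokens or 'no token (passphrase/recovery)'}")
    print("TPM2-bound keyslots:", tpm2_keyslots(SAMPLE_METADATA))
```

Once the keyslot for the current TPM is known, `systemd-cryptenroll --wipe-slot=<id> /dev/nvme0n1p3` removes a stale one; `--wipe-slot=tpm2` combined with a fresh `--tpm2-device=auto --tpm2-pcrs=0+7` enrolment replaces every TPM2 slot in one step, since wiping is applied after the new enrolment.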
