Unable to encrypt due to PCR4 measurement error

[jamesps-ebi]

When booting the questing-desktop-amd64.iso (md5sum: a34d4a7677f882e8304b40ca81ba89f7) via a Ventoy bootable USB, the option to encrypt using TPM-FDE is greyed out with the above error.
The same ISO written directly to the USB works just fine and the option is available.

If I understand the error message correctly, this is because PCR 4 is measured using the Ventoy bootloader, which does not match the Ubuntu EFI bootloader included in the ISO (/cdrom/EFI/boot/bootx64.efi).

This seems like the correct behaviour, but I thought I should raise it anyway just in case it's not expected. I hadn't seen any reports of the same.

[chrisccoulson]

This error is expected in this case - the digests in PCR4 should be Authenticode digests, and in this case it isn't. We can't pre-compute a profile in the case where we don't know how the digests are calculated by any of the loader stages. I do wonder if we may be able to do something better for errors like this that only apply to the live environment and aren't likely to be a problem with the installed environment. Can you please attach /sys/kernel/security/tpm0/binary_bios_measurements from this machine when booted to the live environment in the same way that caused this error to occur?