diff --git a/meson.build b/meson.build
index 8a4552d5bb..18170bdfcc 100644
--- a/meson.build
+++ b/meson.build
@@ -1494,11 +1494,14 @@ if want_tpm2 != 'false' and not skip_deps
         tpm2 = dependency('tss2-esys tss2-rc tss2-mu',
                           required : want_tpm2 == 'true')
         have = tpm2.found()
+        have_esys3 = tpm2.version().version_compare('>= 3.0.0')
 else
         have = false
+        have_esys3 = false
         tpm2 = []
 endif
 conf.set10('HAVE_TPM2', have)
+conf.set10('HAVE_TSS2_ESYS3', have_esys3)
 
 want_elfutils = get_option('elfutils')
 if want_elfutils != 'false' and not skip_deps
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 68a3af1716..327caa439f 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -1117,7 +1117,13 @@ static int tpm2_make_policy_session(
                                 ESYS_TR_NONE,
                                 NULL,
                                 &pubkey_tpm2,
+#if HAVE_TSS2_ESYS3
+                                /* tpm2-tss >= 3.0.0 requires a ESYS_TR_RH_* constant specifying the requested
+                                 * hierarchy, older versions need TPM2_RH_* instead. */
+                                ESYS_TR_RH_OWNER,
+#else
                                 TPM2_RH_OWNER,
+#endif
                                 &pubkey_handle);
                 if (rc != TSS2_RC_SUCCESS) {
                         r = log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),