Bug 1770480

Summary: clevis-encrypt-tpm2 depends on removed tpm2_pcrlist program
Product: [Fedora] Fedora
Reporter: Sam Morris <sam>
Component: clevis
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 31
CC: bordjukov, dkopecek, fmartine, jeremy, mikhail.zabaluev, npmccallum, rsroka, scorreia
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: clevis-11-8.fc31
Last Closed: 2019-12-19 15:16:37 UTC
Type: Bug

Description Sam Morris 2019-11-09 17:15:31 UTC
clevis-encrypt-tpm2 requires the tpm2_pcrlist program which doesn't appear to be available in Fedora 31.

Version-Release number of selected component (if applicable):
11-6.fc31

Reproduction:

$ echo hello | clevis encrypt tpm2 '{}'
/usr/bin/clevis-encrypt-tpm2: line 62: tpm2_pcrlist: command not found

tpm2_pcrlist appears to have existed in an older version of tpm2-tools:

$ dnf whatprovides tpm2_pcrlist
Last metadata expiration check: 0:17:08 ago on Sat 09 Nov 2019 16:15:43 GMT.
tpm2-tools-3.2.0-3.fc31.x86_64 : A TPM2.0 testing tool build upon TPM2.0-TSS
Repo        : fedora
Matched from:
Filename    : /usr/bin/tpm2_pcrlist

But not in the current version:

$ rpm -q tpm2-tools
tpm2-tools-4.0.1-1.fc31.x86_64

Comment 1 Javier Martinez Canillas 2019-11-11 08:15:55 UTC
(In reply to Sam Morris from comment #0)
> clevis-encrypt-tpm2 requires the tpm2_pcrlist program which doesn't appear
> to be available in Fedora 31.
> 
> Version-Release number of selected component (if applicable):
> 11-6.fc31
> 
> Reproduction:
> 
> $ echo hello | clevis encrypt tpm2 '{}'
> /usr/bin/clevis-encrypt-tpm2: line 62: tpm2_pcrlist: command not found
> 
> tpm2_pcrlist appears to have existed in an older version of tpm2-tools:
> 
> $ dnf whatprovides tpm2_pcrlist
> Last metadata expiration check: 0:17:08 ago on Sat 09 Nov 2019 16:15:43 GMT.
> tpm2-tools-3.2.0-3.fc31.x86_64 : A TPM2.0 testing tool build upon TPM2.0-TSS
> Repo        : fedora
> Matched from:
> Filename    : /usr/bin/tpm2_pcrlist
> 
> But not in the current version:
> 
> $ rpm -q tpm2-tools
> tpm2-tools-4.0.1-1.fc31.x86_64

The problem is that the tpm2-tools package was updated to 4.0 in Fedora 31 and this is a non-backward compatible change.

So clevis needs to be updated as well with the patches to support the tpm2-tools 4.0 version.

Comment 2 Jeremy Visser 2019-11-12 11:52:14 UTC
This has already been fixed upstream in Clevis:

https://github.com/latchset/clevis/commit/c86cf48bd608a590cac11d79868140fd16fc0113

You'll need to ship this fix in the Fedora-packaged copy of Clevis.

Comment 3 Sergio Correia 2019-11-18 10:29:46 UTC
There is an updated package in -testing that supports tpm2-tools 4.0: https://bodhi.fedoraproject.org/updates/FEDORA-2019-23fd8b9534
It should be available in -stable soon.

Comment 4 Mikhail Zabaluev 2019-11-26 10:51:37 UTC
Works as expected with clevis-11-8.fc31. Thank you.

Comment 5 Sergio Correia 2019-12-19 15:16:37 UTC
Closing as this was fixed in clevis-11-8.fc31.
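
A preflight check for the kind of failure reported here, as an added example that is not part of the bug thread or of clevis: it lists the `tpm2_*` programs a shell script references that are missing from a search path. The function names, the sample script and the stub directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not clevis code): list the tpm2_* tools a shell script
# references that are absent from a search path.

# Print unique tpm2_* names used on non-comment lines of script $1.
# Heuristic: matches by name, so a variable named tpm2_foo is listed too.
referenced_tpm2_cmds() {
    grep -v '^[[:space:]]*#' "$1" | grep -oE 'tpm2_[a-z0-9_]+' | sort -u
}

# Succeed if $1 is an executable file in one of the ':'-separated dirs in $2.
found_in_path() {
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs; return 1
}

# Print each referenced tool missing from search path $2 (default: $PATH).
# Exit status is 1 if anything is missing, 0 otherwise.
missing_tpm2_cmds() {
    miss=0
    for cmd in $(referenced_tpm2_cmds "$1"); do
        found_in_path "$cmd" "${2:-$PATH}" || { printf '%s\n' "$cmd"; miss=1; }
    done
    return "$miss"
}

# Constructed sample: a script that calls two tools, and a bin directory that
# provides only one of them (mirroring a tool removed by a package update).
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/bin"
    printf '%s\n' '#!/bin/sh' '# tpm2_oldname appears only in this comment' \
        'tpm2_pcrlist > pcrs.txt' \
        'tpm2_createprimary "$@"' > "$tmp/sample.sh"
    printf '#!/bin/sh\n' > "$tmp/bin/tpm2_createprimary"
    chmod +x "$tmp/bin/tpm2_createprimary"
    missing_tpm2_cmds "$tmp/sample.sh" "$tmp/bin" && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "sample script has unmet tpm2-tools dependencies" >&2
```

Run `missing_tpm2_cmds /usr/bin/clevis-encrypt-tpm2` to check the installed script against the current `$PATH`, for example after a tpm2-tools update.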