Bug 2018978
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | TPM support does not work on Fedora 35 | | |
| Product | [Fedora] Fedora | Reporter | Boris <bsh666> |
| Component | tpm2-tss | Assignee | Peter Robinson <pbrobinson> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high | Docs Contact | |
| Priority | unspecified | | |
| Version | 35 | CC | fmartine, jsnitsel, michael.scheiffler, pbrobinson, yunying.sun |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-11-04 11:18:21 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
Boris
2021-11-01 12:07:31 UTC
Is it a tpm2 or tpm1?

Hi @pbrobinson
Thanks for handling this bug. It's TPM2.

```
[ 1.192488] tpm_tis NTC0702:00: 2.0 TPM (device-id 0xFC, rev-id 1)
```

Any other information I can provide that could be helpful?

> How reproducible:
> Trying to start tcsd, it fails and the logs show:
>
> Oct 31 00:21:27 fedora systemd[1]: Starting TCG Core Services Daemon...
> Oct 31 00:21:27 fedora tcsd[10119]: TCSD TDDL[10119]: TrouSerS ioctl: (25)
> Inappropriate ioctl for device
> Oct 31 00:21:27 fedora tcsd[10119]: TCSD TDDL[10119]: TrouSerS Falling back
> to Read/Write device support.
> Oct 31 00:21:27 fedora tcsd[10119]: TCSD TCS[10119]: TrouSerS ERROR: TCS
> GetCapability failed with result = 0x1e
> Oct 31 00:21:27 fedora systemd[1]: tcsd.service: Control process exited,
> code=exited, status=30/n/a
> Oct 31 00:21:27 fedora systemd[1]: tcsd.service: Failed with result
> 'exit-code'.
> Oct 31 00:21:27 fedora systemd[1]: Failed to start TCG Core Services Daemon.
So all of the above looks like it's coming from TrouSerS which is purely for tpm1 and is irrelevant as it's not used for any of the tpm2 support.
Ok, thanks! Makes sense, so I don't need this service running then.

The real problem is the other part though, where I try to use clevis:

```
sudo echo hi | clevis encrypt tpm2 '{}' > my.jwe
```

and I get `Error executing command: TPM error: response code not recognized`; see the description for the complete log.

(In reply to Boris from comment #5)
> Ok, thanks! Makes sense, so I don't need this service running then.
>
> The real problem is the other part though, where I try to use clevis: sudo
> echo hi | clevis encrypt tpm2 '{}' > my.jwe
>
> and I get Error executing command: TPM error: response code not recognized
> see the description for the complete log

The error looks to be in the logs:

```
Failed to open specified TCTI device file /dev/tpmrm0: Permission denied
```

So what permissions does the device have? Also, was it a clean install or upgrade?

It was a clear install.

```
[borko@fallen-robot ~]$ getfacl /dev/tpmrm0
getfacl: Removing leading '/' from absolute path names
# file: dev/tpmrm0
# owner: tss
# group: tss
user::rw-
group::rw-
other::---
```

what are you setting needinfo for? you're not asking for anything.

Sorry, I thought it would make you see you have a response. I added my user to the tss group but it didn't help. sudo also doesn't help.

```
id borko
uid=1000(borko) gid=1000(borko) groups=1000(borko),10(wheel),59(tss)
```

are you unlocking at boot for the rootfs or is it a userspace filesystem?

Created attachment 1838930 [details]
Drives
Created attachment 1838931 [details]
Partition 2
I am not exactly sure what you are asking, but the fs is btrfs on top of a LUKS encrypted partition. This is the setup chosen by anaconda custom partitioning auto generation without any actual changes.
Please, see the Drives attachment above.
Attaching more pictures for the different partitions
Created attachment 1838932 [details]
Partition 3
Created attachment 1838933 [details]
wild boar Btrfs
The LUKS2 encrypted Partition 3 is unlocked at boot time. I am actually trying to set the TPM to do that instead of using a password.

Seems fixed after today's update! @pbrobinson
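A diagnostic helper for the `/dev/tpmrm0` "Permission denied" discussed in the thread above, added here as an example and not part of the bug report: it classifies access from the device's owner, group and mode together with the session's group list and the account database's group list, because a group added to an account only reaches sessions started afterwards (`id USER` reads the database, `id` alone shows the running session). The function names and verdict strings are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): explains why opening a TPM2
# resource-manager device such as /dev/tpmrm0 (tss:tss, rw-rw----) can fail
# with "Permission denied". All facts are passed in as strings so the logic
# runs offline against constructed values.
#
# tpm_access_verdict USER OWNER GROUP MODE SESSION_GROUPS DB_GROUPS
#   MODE           -> ls-style mode string, e.g. crw-rw---- (or rw-rw----)
#   SESSION_GROUPS -> output of `id -nG`      (groups of the running session)
#   DB_GROUPS      -> output of `id -nG USER` (groups recorded in /etc/group)
# Prints one of: ok | ok-after-relogin | not-in-group | no-access
tpm_access_verdict() {
  user=$1 owner=$2 group=$3 mode=$4 session=$5 db=$6
  # Accept a 9-character mode without the leading file-type character.
  case $mode in ?????????) mode="-$mode" ;; esac
  o_rw=$(printf '%s' "$mode" | cut -c2-3)   # owner read/write bits
  g_rw=$(printf '%s' "$mode" | cut -c5-6)   # group read/write bits
  in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

  if [ "$user" = "$owner" ] && [ "$o_rw" = "rw" ]; then
    echo ok; return 0
  fi
  if [ "$g_rw" = "rw" ]; then
    if in_list "$group" "$session"; then echo ok; return 0; fi
    # Group membership recorded in /etc/group but absent from the session:
    # the account was added to the group after this login started.
    if in_list "$group" "$db"; then echo ok-after-relogin; return 0; fi
    echo not-in-group; return 1
  fi
  echo no-access; return 1
}

# Gather the real values for one device and classify them. Note that in
# `sudo echo hi | clevis ...` only echo runs as root; clevis still runs as
# the invoking user, so it is that user's access to the device that matters.
tpm_access_check() {
  dev=${1:-/dev/tpmrm0}
  [ -e "$dev" ] || { echo "missing: $dev"; return 1; }
  set -- $(stat -c '%U %G %A' "$dev")
  tpm_access_verdict "$(id -un)" "$1" "$2" "$3" "$(id -nG)" "$(id -nG "$(id -un)")"
}
```

Run `tpm_access_check /dev/tpmrm0` in the same shell session that will invoke clevis; an `ok-after-relogin` verdict means the group change is in place but the session has not picked it up yet.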