Bug 2220851

Summary: FDO onboarding doesn't do anything in edge device
Product: Red Hat Enterprise Linux 9
Reporter: Xiaofeng Wang <xiaofwan>
Component: fido-device-onboard
Assignee: idiez
Status: POST
QA Contact: Xiaofeng Wang <xiaofwan>
Severity: urgent
Priority: urgent
Version: CentOS Stream
CC: bstinson, elpereir, idiez, jwboyer, miabbott, perobins
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description Xiaofeng Wang 2023-07-06 10:06:18 UTC
Description of problem:
None of the configuration defined in serviceinfo-api-server is configured on the edge device.
Here's the fdo-client-linuxapp service log:

[admin@vm-1 ~]$ journalctl -u fdo-client-linuxapp
Jul 06 00:13:01 vm-1 systemd[1]: Starting FDO client...
Jul 06 00:13:01 vm-1 fdo-client-linuxapp[1251]:  2023-07-06T04:13:01.950Z INFO  fdo_client_linuxapp > No usable device credential located, skipping Device Onboarding
Jul 06 00:13:01 vm-1 systemd[1]: fdo-client-linuxapp.service: Deactivated successfully.
Jul 06 00:13:01 vm-1 systemd[1]: Finished FDO client.
-- Boot 3c48426e47a24fbbb644422526ab54b4 --
Jul 06 00:15:03 vm-1 systemd[1]: Starting FDO client...
Jul 06 00:15:03 vm-1 fdo-client-linuxapp[1122]:  2023-07-06T04:15:03.943Z INFO  fdo_client_linuxapp > No usable device credential located, skipping Device Onboarding
Jul 06 00:15:03 vm-1 mv[1136]: /usr/bin/mv: cannot stat '/boot/device-credentials': No such file or directory
Jul 06 00:15:03 vm-1 systemd[1]: fdo-client-linuxapp.service: Deactivated successfully.
Jul 06 00:15:03 vm-1 systemd[1]: Finished FDO client.

The device-credentials file can be found in the /etc folder, but not in the /boot folder.
[admin@vm-1 log]$ ll /boot
total 20
lrwxrwxrwx. 1 root root     1 Jul  6 00:04 boot -> .
drwx------. 3 root root 16384 Dec 31  1969 efi
-rw-r--r--. 1 root root    45 Jul  6 00:12 fdo-client-env

Everything worked on CentOS-Stream-9-20230626.0 repo, but failed on CentOS-Stream-9-20230704.1 repo.

Version-Release number of selected component (if applicable):
From Edge device:
fdo-client-0.4.7-3.el9.x86_64
fdo-owner-cli-0.4.7-3.el9.x86_64

From aio server host:
fdo-rendezvous-server-0.4.7-3.el9.x86_64
fdo-owner-onboarding-server-0.4.7-3.el9.x86_64
fdo-owner-cli-0.4.7-3.el9.x86_64
fdo-manufacturing-server-0.4.7-3.el9.x86_64
fdo-init-0.4.7-3.el9.x86_64
fdo-client-0.4.7-3.el9.x86_64
fdo-admin-cli-0.4.7-3.el9.x86_64

How reproducible:

Steps to Reproduce:
1. Deploy a CS9 instance on GCP
2. git clone https://github.com/virt-s1/rhel-edge.git
3. cd rhel-edge
4. ./ostree-simplified-installer.sh

Actual results:
FDO onboarding configurations are not configured on the Edge device.

Expected results:
FDO onboarding configuration should be configured on the Edge device.

Additional info:

Comment 1 idiez 2023-07-11 15:58:47 UTC
 
This is the error that we are getting from the manufacturing-client in the initramfs:

 2023-07-11T11:45:37.372Z INFO  fdo_manufacturing_client > No usable device credential located, performing Device Onboarding
 2023-07-11T11:45:37.402Z INFO  fdo_manufacturing_client > Performing DIUN
ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
 2023-07-11T11:45:37.418Z ERROR tss_esapi::tcti_ldr      > Error when creating a TCTI context: response code not recognized

Comment 2 idiez 2023-07-11 16:43:06 UTC
 2023-07-11T11:45:37.372Z INFO  fdo_manufacturing_client > No usable device credential located, performing Device Onboarding
                          INFO  fdo_manufacturing_client > Attempting manufacturing, url: http://192.168.122.199:8080, plain DI: false, DIUN public key verification: Insecure

 2023-07-11T11:45:37.402Z INFO  fdo_manufacturing_client > Performing DIUN
ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
 2023-07-11T11:45:37.418Z ERROR tss_esapi::tcti_ldr      > Error when creating a TCTI context: response code not recognized

|-> that happens when we configure the manufacturing server with 
    allowed_key_storage_types:
    - Tpm
    - FileSystem

If we configure it with just 'FileSystem', the above error does not happen but we end up with a:

INFO  fdo_manufacturing_client > No usable device credential located, performing Device Onboarding
INFO  fdo_manufacturing_client > Attempting manufacturing, url: http://192.168.122.199:8080, plain DI: false, DIUN public key verification: Insecure
INFO  fdo_manufacturing_client > Performing DIUN
systemd[1]: manufacturing-client.service: Main process exited, code=killed, status=15/TERM
systemd[1]: manufacturing-client.service: Failed with result 'signal'
systemd[1]: Stopped Manufacturing client DIUN

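The following diagnostics are an added example for this bug, not code from fido-device-onboard-rs or from the participants above. They encode the two failure modes reported so far: the description's device credential landing in /etc while the client and its mv step look in /boot, and Comment 2's DIUN failing with a TCTI error when Tpm is in allowed_key_storage_types but the client has no TPM. Assumptions (marked in comments): that the manufacturing server YAML nests the DIUN settings under protocols.diun, that the device TCTI opens /dev/tpmrm0 or /dev/tpm0, and that /boot/device-credentials is the path the client expects. The log lines fed to the classifier are constructed from the journal excerpts in this bug.

```python
"""Diagnostics for the two FDO onboarding failure modes in this bug.

Added example; not code from fido-device-onboard-rs or the bug reporters.
"""
import os
import re
from typing import Dict, Iterable, Tuple

# Assumption: manufacturing-server.yml nests DIUN settings under
# protocols.diun (consistent with the "plain DI: false" the client logs).
# The bug itself only shows the allowed_key_storage_types list.
MFG_CONFIG_TPM_AND_FS = {
    "protocols": {"plain_di": False,
                  "diun": {"allowed_key_storage_types": ["Tpm", "FileSystem"]}}
}
MFG_CONFIG_FS_ONLY = {
    "protocols": {"plain_di": False,
                  "diun": {"allowed_key_storage_types": ["FileSystem"]}}
}

# Assumption: the tpm2-tss device TCTI opens one of these nodes; with
# neither present, Tss2_TctiLdr_Initialize_Ex() has nothing to instantiate.
TPM_DEVICE_NODES = ("/dev/tpmrm0", "/dev/tpm0")


def check_key_storage_types(mfg_config: dict,
                            present_nodes: Iterable[str]) -> Dict[str, str]:
    """Compare the server's allowed_key_storage_types with client hardware.

    present_nodes: device nodes that exist on the client; on a real box use
    [n for n in TPM_DEVICE_NODES if os.path.exists(n)]. Returns
    {finding_code: explanation}.
    """
    diun = mfg_config.get("protocols", {}).get("diun", {})
    allowed = list(diun.get("allowed_key_storage_types", []))
    present = set(present_nodes)
    has_tpm = any(node in present for node in TPM_DEVICE_NODES)
    findings: Dict[str, str] = {}
    if not allowed:
        findings["no_storage_types"] = (
            "DIUN permits no key storage type; the client cannot complete DIUN")
    if "Tpm" in allowed and not has_tpm:
        findings["tpm_without_device"] = (
            "Tpm is allowed but the client has no TPM device node; "
            "expect 'Failed to instantiate TCTI' during DIUN")
    if "FileSystem" in allowed:
        findings["filesystem_allowed"] = (
            "FileSystem is allowed: the device key may live in a plain file "
            "rather than a TPM, so protect the credential at rest")
    return findings


def check_credential_location(expected: str,
                              existing: Iterable[str]) -> Tuple[str, str]:
    """Report whether the device credential is where the client looks.

    Returns (code, detail), code in {"ok", "misplaced", "missing"}.
    """
    existing = list(existing)
    if expected in existing:
        return "ok", expected
    name = os.path.basename(expected)
    elsewhere = [p for p in existing if os.path.basename(p) == name]
    if elsewhere:
        return "misplaced", f"{name} is at {elsewhere[0]} but the client expects {expected}"
    return "missing", f"{name} was not written anywhere; DIUN probably did not finish"


# Patterns for the symptoms visible in the journal excerpts of this bug.
SYMPTOMS = {
    "skipped_no_credential": re.compile(r"No usable device credential located, skipping"),
    "tcti_failed": re.compile(r"Failed to instantiate TCTI|Error when creating a TCTI context"),
    "mv_failed": re.compile(r"mv: cannot stat '([^']+)'"),
    "mfg_client_killed": re.compile(r"manufacturing-client\.service: Main process exited, code=killed"),
}


def classify_fdo_log(lines: Iterable[str]) -> Dict[str, bool]:
    """Flag which known symptoms appear in a journalctl or initramfs log."""
    seen = {code: False for code in SYMPTOMS}
    for line in lines:
        for code, rx in SYMPTOMS.items():
            if rx.search(line):
                seen[code] = True
    return seen


# Constructed sample input, taken from the journal lines quoted in this bug.
DEVICE_LOG = [
    "fdo-client-linuxapp[1122]:  2023-07-06T04:15:03.943Z INFO  fdo_client_linuxapp > No usable device credential located, skipping Device Onboarding",
    "mv[1136]: /usr/bin/mv: cannot stat '/boot/device-credentials': No such file or directory",
]
INITRAMFS_LOG = [
    " 2023-07-11T11:45:37.402Z INFO  fdo_manufacturing_client > Performing DIUN",
    "ERROR:tcti:src/tss2-tcti/tctildr.c:430:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI ",
]

if __name__ == "__main__":
    print(check_key_storage_types(MFG_CONFIG_TPM_AND_FS, []))
    print(check_key_storage_types(MFG_CONFIG_FS_ONLY, []))
    print(check_credential_location("/boot/device-credentials",
                                    ["/etc/device-credentials", "/boot/fdo-client-env"]))
    print(classify_fdo_log(DEVICE_LOG))
    print(classify_fdo_log(INITRAMFS_LOG))
```

On a TPM-less VM such as the reporter's, the first check flags Tpm in the allowed list as the cause of the TCTI error from Comment 2; listing only FileSystem silences that error but leaves the device key in a plain file, which the second finding records so the choice is deliberate rather than accidental.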
Comment 3 idiez 2023-07-21 10:36:12 UTC
PR with fix added: https://github.com/fedora-iot/fido-device-onboard-rs/pull/536