Bug 2229524

Summary: systemd-cryptenroll with tpm2 stopped working
Product: Fedora
Component: systemd
Version: rawhide
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Keywords: Regression
Reporter: Carl Roth <roth>
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dtardon, fedoraproject, filbranden, fsumsal, lnykryn, msekleta, ryncsn, systemd-maint, yuwatana, zbyszek
Fixed In Version: systemd-254.1-2.fc40 systemd-254.1-2.fc39
Last Closed: 2023-08-09 16:04:37 UTC

Description Carl Roth 2023-08-06 18:24:27 UTC
This is a Fedora Kinoite system on a Dell Precision 5540 laptop (x86_64).

It was secure-booted and secured against the TPM using systemd-cryptenroll. The latest update (Rawhide.20230730.n.0 (2023-07-30T06:48:36Z)) causes the TPM to stop working (the TPM does not unlock the LUKS root filesystem, and systemd-cryptenroll is not able to enable the TPM).

See

[root@dell-c2-bf-b4 bin]# systemd-cryptenroll --tpm2-device=/dev/tpm0  $DEV
🔐 Please enter current passphrase for disk /dev/disk/by-uuid/[HIDDEN]:*******************      
WARNING:esys:src/tss2-esys/api/Esys_Create.c:399:Esys_Create_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Create.c:134:Esys_Create() Esys Finish ErrorCode (0x00000184) 
Failed to generate object in TPM: tpm:handle(1):value is out of range or is not correct for the context


Reproducible: Always

Steps to Reproduce:
1. clear systemd slot with systemd-cryptenroll --wipe-slot=tpm2 $DEV
2. re-enroll TPM with systemd-cryptenroll --tpm2-device=/dev/tpm0 $DEV

Actual Results:
systemd-cryptenroll command fails

Expected Results:
should succeed

Additional system details

[root@dell-c2-bf-b4 bin]# rpm-ostree status
State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 1h 7min ago
Deployments:
...

● fedora:fedora/rawhide/x86_64/kinoite
                  Version: Rawhide.20230730.n.0 (2023-07-30T06:48:36Z)
               BaseCommit: 86f4889558765d4ae9e9f9e0d2f867f6cf33fc45cc157c0d8a638f00cdeea999
             GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C
          LayeredPackages: efitools guestfs-tools kwalletcli libvirt-daemon livecd-tools openssl pam_yubico pass pesign
                           sbsigntools virt-install virt-manager virt-top virt-viewer ykclient ykpers yubico-piv-tool
                           yubikey-manager yubikey-personalization-gui
                Initramfs: regenerate

...

[root@dell-c2-bf-b4 bin]# rpm -q systemd
systemd-254-1.fc39.x86_64

[root@dell-c2-bf-b4 bin]# rpm -q --requires systemd
(systemd-rpm-macros = 254-1.fc39 if rpm-build)
(util-linux-core or util-linux)
/bin/sh
/bin/sh
/bin/sh
/usr/bin/bash
/usr/bin/sh
config(systemd) = 254-1.fc39
coreutils
dbus >= 1.9.18
glibc >= 2.37.9000-18
grep
ld-linux-x86-64.so.2()(64bit)
ld-linux-x86-64.so.2(GLIBC_2.3)(64bit)
libacl.so.1()(64bit)
libacl.so.1(ACL_1.0)(64bit)
libaudit.so.1()(64bit)
libblkid.so.1()(64bit)
libblkid.so.1(BLKID_2.15)(64bit)
libblkid.so.1(BLKID_2.17)(64bit)
libblkid.so.1(BLKID_2.18)(64bit)
libblkid.so.1(BLKID_2.30)(64bit)
libbz2.so.1()(64bit)
libc.so.6()(64bit)
libc.so.6(GLIBC_2.10)(64bit)
libc.so.6(GLIBC_2.11)(64bit)
libc.so.6(GLIBC_2.14)(64bit)
libc.so.6(GLIBC_2.16)(64bit)
libc.so.6(GLIBC_2.17)(64bit)
libc.so.6(GLIBC_2.2.5)(64bit)
libc.so.6(GLIBC_2.22)(64bit)
libc.so.6(GLIBC_2.25)(64bit)
libc.so.6(GLIBC_2.26)(64bit)
libc.so.6(GLIBC_2.27)(64bit)
libc.so.6(GLIBC_2.28)(64bit)
libc.so.6(GLIBC_2.3)(64bit)
libc.so.6(GLIBC_2.3.2)(64bit)
libc.so.6(GLIBC_2.3.4)(64bit)
libc.so.6(GLIBC_2.30)(64bit)
libc.so.6(GLIBC_2.32)(64bit)
libc.so.6(GLIBC_2.33)(64bit)
libc.so.6(GLIBC_2.34)(64bit)
libc.so.6(GLIBC_2.35)(64bit)
libc.so.6(GLIBC_2.36)(64bit)
libc.so.6(GLIBC_2.38)(64bit)
libc.so.6(GLIBC_2.4)(64bit)
libc.so.6(GLIBC_2.5)(64bit)
libc.so.6(GLIBC_2.6)(64bit)
libc.so.6(GLIBC_2.7)(64bit)
libc.so.6(GLIBC_2.8)(64bit)
libc.so.6(GLIBC_2.9)(64bit)
libcap.so.2()(64bit)
libcrypt.so.2()(64bit)
libcrypt.so.2(XCRYPT_2.0)(64bit)
libcrypt.so.2(XCRYPT_4.4)(64bit)
libcrypto.so.3()(64bit)
libcrypto.so.3(OPENSSL_3.0.0)(64bit)
libfdisk.so.1()(64bit)
libfdisk.so.1(FDISK_2.26)(64bit)
libgcc_s.so.1()(64bit)
libgcc_s.so.1(GCC_3.0)(64bit)
libgcc_s.so.1(GCC_3.3.1)(64bit)
libkmod.so.2()(64bit)
libkmod.so.2(LIBKMOD_5)(64bit)
liblz4.so.1()(64bit)
liblzma.so.5()(64bit)
liblzma.so.5(XZ_5.0)(64bit)
libm.so.6()(64bit)
libm.so.6(GLIBC_2.2.5)(64bit)
libm.so.6(GLIBC_2.29)(64bit)
libmount.so.1()(64bit)
libmount.so.1(MOUNT_2.19)(64bit)
libmount.so.1(MOUNT_2.20)(64bit)
libmount.so.1(MOUNT_2.22)(64bit)
libmount.so.1(MOUNT_2.23)(64bit)
libmount.so.1(MOUNT_2.26)(64bit)
libp11-kit.so.0()(64bit)
libp11-kit.so.0(LIBP11_KIT_1.0)(64bit)
libpam.so.0()(64bit)
libpam.so.0(LIBPAM_1.0)(64bit)
libpam.so.0(LIBPAM_EXTENSION_1.0)(64bit)
libseccomp.so.2()(64bit)
libselinux.so.1()(64bit)
libselinux.so.1(LIBSELINUX_1.0)(64bit)
libsystemd-core-254-1.fc39.so()(64bit)
libsystemd-core-254-1.fc39.so(SD_SHARED)(64bit)
libsystemd-shared-254-1.fc39.so()(64bit)
libsystemd-shared-254-1.fc39.so(SD_SHARED)(64bit)
libz.so.1()(64bit)
libzstd.so.1()(64bit)
openssl-libs
rpmlib(CaretInVersions) <= 4.15.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsZstd) <= 5.4.18-1
rpmlib(RichDependencies) <= 4.12.0-1
rpmlib(TildeInVersions) <= 4.10.0-1
rtld(GNU_HASH)
systemd-libs = 254-1.fc39
systemd-pam = 254-1.fc39

[root@dell-c2-bf-b4 bin]# dmesg | grep -i tpm
[    0.000000] Command line: BOOT_IMAGE=(hd0,gpt2)/ostree/fedora-345d0dd2333efe3bb90908e05645e8c967311bea6ba724bc17e5e769c4970be4/vmlinuz-6.5.0-0.rc3.20230728git57012c57536f.27.fc39.x86_64 rd.luks.uuid=luks-76a2d746-e0da-40d3-9736-837246803e94 rhgb quiet root=UUID=b8f410ba-64e1-4dd4-95ba-ed4b8c610e92 rootflags=subvol=root rw ostree=/ostree/boot.0/fedora/345d0dd2333efe3bb90908e05645e8c967311bea6ba724bc17e5e769c4970be4/0 vconsole.font=solar24x32 rd.luks.options=discard,tpm2-device=auto,tpm2-pin=yes
[    0.000000] efi: ACPI 2.0=0x6cea9000 ACPI=0x6cea9000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 TPMFinalLog=0x6d7c0000 ESRT=0x6fa1a018 MEMATTR=0x68d6b018 MOKvar=0x6faad000 RNG=0x6cea8018 TPMEventLog=0x5bd0d018 
[    0.009291] ACPI: TPM2 0x000000006CF007B0 000034 (v04 DELL\x CBX3     00000001 AMI  00000000)
[    0.009320] ACPI: Reserving TPM2 table memory at [mem 0x6cf007b0-0x6cf007e3]
[    0.096354] Kernel command line: BOOT_IMAGE=(hd0,gpt2)/ostree/fedora-345d0dd2333efe3bb90908e05645e8c967311bea6ba724bc17e5e769c4970be4/vmlinuz-6.5.0-0.rc3.20230728git57012c57536f.27.fc39.x86_64 rd.luks.uuid=luks-76a2d746-e0da-40d3-9736-837246803e94 rhgb quiet root=UUID=b8f410ba-64e1-4dd4-95ba-ed4b8c610e92 rootflags=subvol=root rw ostree=/ostree/boot.0/fedora/345d0dd2333efe3bb90908e05645e8c967311bea6ba724bc17e5e769c4970be4/0 vconsole.font=solar24x32 rd.luks.options=discard,tpm2-device=auto,tpm2-pin=yes
[    1.075137] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0xFC, rev-id 1)
[    1.626018] systemd[1]: systemd 254-1.fc39 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[   21.259259] systemd[1]: systemd 254-1.fc39 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[   22.388461] systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).

[root@dell-c2-bf-b4 bin]# dmesg | grep -i secure
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[    0.009213] secureboot: Secure boot enabled
[    1.176850] integrity: Loaded X.509 cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42'
[   23.288685] Bluetooth: hci0: Secure boot is enabled


[root@dell-c2-bf-b4 bin]# dmidecode
...
Handle 0x1602, DMI type 43, 31 bytes
TPM Device
        Vendor ID: 
        Specification Version: 2.0
        Firmware Revision: 7.2
        Description: NUVOTON
        Characteristics:
                Family configurable via platform software support
        OEM-specific Information: 0x00000000
...

Currently 'cryptsetup luksDump' shows a luks2 entry at keyslot 0 (PSK) with no other slots in use. No tokens are in use.
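The 0x00000184 that Esys_Create() reports above is a raw TPM 2.0 response code, and its bit fields say more than the one-line tss2 message. Bits 16..23 are zero, so the rejection came from the TPM itself and not from a tss2 software layer; bit 7 marks it as a format-1 code; bits 0..5 are 0x04, TPM_RC_VALUE; and the number field says it concerns handle 1. TPM2_Create has exactly one handle, parentHandle, so the TPM is objecting to the parent key under which systemd-cryptenroll tried to create the sealed object, not to the enrollment data. The decoder below is an added example for this report, not code from systemd or tss2. Its name tables cover only a subset of the TPM_RC values in Part 2 of the TPM 2.0 Library specification, and the codes other than 0x184 in the demo are included for contrast.

```python
"""Decode a TPM 2.0 response code into its fields (TPM 2.0 Library, Part 2,
section 6.6 "TPM_RC").  Added example for this bug; not part of systemd or
tss2.  The name tables below are a subset of the spec's TPM_RC values.
"""
from dataclasses import dataclass
from typing import Optional

# Format-1 error numbers (TPM_RC_xxx minus RC_FMT1 = 0x080).
FMT1_ERRORS = {
    0x01: "TPM_RC_ASYMMETRIC", 0x02: "TPM_RC_ATTRIBUTES", 0x03: "TPM_RC_HASH",
    0x04: "TPM_RC_VALUE", 0x05: "TPM_RC_HIERARCHY", 0x0A: "TPM_RC_TYPE",
    0x0B: "TPM_RC_HANDLE", 0x0E: "TPM_RC_AUTH_FAIL", 0x15: "TPM_RC_SIZE",
    0x1C: "TPM_RC_KEY", 0x1D: "TPM_RC_POLICY_FAIL", 0x1F: "TPM_RC_INTEGRITY",
    0x22: "TPM_RC_BAD_AUTH",
}
# Format-0 TPM 2.0 errors (minus RC_VER1 = 0x100) and warnings (minus RC_WARN = 0x900).
VER1_ERRORS = {
    0x00: "TPM_RC_INITIALIZE", 0x01: "TPM_RC_FAILURE", 0x26: "TPM_RC_POLICY",
    0x27: "TPM_RC_PCR", 0x28: "TPM_RC_PCR_CHANGED", 0x2F: "TPM_RC_AUTH_UNAVAILABLE",
    0x50: "TPM_RC_BAD_CONTEXT",
}
WARNINGS = {
    0x09: "TPM_RC_CANCELED", 0x0A: "TPM_RC_TESTING", 0x20: "TPM_RC_NV_RATE",
    0x21: "TPM_RC_LOCKOUT", 0x22: "TPM_RC_RETRY", 0x23: "TPM_RC_NV_UNAVAILABLE",
}


@dataclass
class TpmRc:
    raw: int
    layer: int               # tss2 layer from bits 16..23; 0 = the TPM itself
    name: str
    kind: str                # "success", "error", "warning", "vendor" or "tss2"
    subject: Optional[str]   # format 1 only: "handle", "parameter" or "session"
    index: Optional[int]     # format 1 only: 1-based number of that subject


def decode_tpm_rc(rc: int) -> TpmRc:
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    if layer != 0:                         # tss2 software layer, not a TPM answer
        return TpmRc(rc, layer, f"TSS2 layer {layer} code 0x{code:04x}", "tss2", None, None)
    if code == 0:
        return TpmRc(rc, 0, "TPM_RC_SUCCESS", "success", None, None)
    if code & 0x080:                       # bit 7 set: format 1
        err = code & 0x03F                 # bits 0..5: error number
        n = (code >> 8) & 0xF              # bits 8..11: handle/parameter/session number
        if code & 0x040:                   # bit 6 (P): refers to a parameter
            subject = "parameter"
        elif n & 0x8:                      # bit 11 with P clear: refers to a session
            subject, n = "session", n & 0x7
        else:
            subject = "handle"
        return TpmRc(rc, 0, FMT1_ERRORS.get(err, f"RC_FMT1+0x{err:02x}"), "error", subject, n)
    err = code & 0x07F                     # format 0: bits 0..6
    if code & 0x400:                       # bit 10 (T): vendor-specific
        return TpmRc(rc, 0, f"vendor code 0x{err:02x}", "vendor", None, None)
    if code & 0x800:                       # bit 11 (S): warning, the caller may retry
        return TpmRc(rc, 0, WARNINGS.get(err, f"RC_WARN+0x{err:02x}"), "warning", None, None)
    if code & 0x100:                       # bit 8 (V): TPM 2.0 error
        return TpmRc(rc, 0, VER1_ERRORS.get(err, f"RC_VER1+0x{err:02x}"), "error", None, None)
    return TpmRc(rc, 0, f"TPM 1.2 code 0x{err:02x}", "error", None, None)


def describe(rc: int) -> str:
    """One-line rendering in the style of the tss2 messages quoted in the report."""
    d = decode_tpm_rc(rc)
    return f"{d.subject}({d.index}): {d.name}" if d.subject else d.name


if __name__ == "__main__":
    # 0x184 is the code from Esys_Create() in the report; the others are
    # common codes added for contrast (session auth failure, parameter size,
    # dictionary-attack lockout, PCR change, and a tss2-layer code).
    for rc in (0x00000184, 0x98E, 0x1D5, 0x921, 0x128, 0x00080001):
        print(f"0x{rc:08x} -> {describe(rc)}")
```

Running it prints "handle(1): TPM_RC_VALUE" for 0x184, which is exactly the tss2 text on the page ("handle(1): value is out of range or is not correct for the context"). The same decoding separates the cases a practitioner meets when TPM-bound LUKS unlocking breaks: a warning such as TPM_RC_LOCKOUT means the dictionary-attack counter tripped and waiting or clearing lockout helps, whereas a format-1 error on a handle or parameter means the command itself is malformed for this TPM and retrying will not help.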

Comment 1 Fedora Update System 2023-08-09 15:57:13 UTC
FEDORA-2023-f866360f34 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f866360f34

Comment 2 Fedora Update System 2023-08-09 16:01:11 UTC
FEDORA-2023-20143faff8 has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-20143faff8

Comment 3 Fedora Update System 2023-08-09 16:04:37 UTC
FEDORA-2023-20143faff8 has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2023-08-10 02:13:41 UTC
FEDORA-2023-f866360f34 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.
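Once the fixed build is installed and the enrollment is re-run, the place to verify it is the LUKS2 header itself, since the report notes that luksDump showed only keyslot 0 and no tokens. The following is an added example, not code from this bug or from systemd: it parses the JSON printed by `cryptsetup luksDump --dump-json-metadata <dev>` and checks that a systemd-tpm2 token exists, is bound to a keyslot that actually exists, binds PCR 7 (the Secure Boot policy PCR and systemd-cryptenroll's default), and has tpm2-pin set consistently with the tpm2-pin=yes in rd.luks.options on the kernel command line quoted in the report. The field names follow systemd's systemd-tpm2 token JSON; the three header samples are constructed, with placeholder blob and policy-hash values.

```python
"""Check whether a LUKS2 header carries a consistent systemd TPM2 enrollment,
from the JSON of `cryptsetup luksDump --dump-json-metadata <dev>`.
Added example, not part of the bug report or of systemd.  Field names follow
systemd's systemd-tpm2 token JSON; the sample headers are constructed.
"""
import json
from dataclasses import dataclass, field
from typing import List, Sequence

# Constructed: the state the report describes, keyslot 0 (passphrase) only, no tokens.
BEFORE = json.dumps({
    "keyslots": {"0": {"type": "luks2", "key_size": 64}},
    "tokens": {},
})

# Constructed: what a successful enrollment with --tpm2-with-pin=yes leaves
# behind, a second keyslot plus a systemd-tpm2 token bound to it.
AFTER = json.dumps({
    "keyslots": {"0": {"type": "luks2", "key_size": 64},
                 "1": {"type": "luks2", "key_size": 64}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["1"],
                     "tpm2-pcrs": [7], "tpm2-pcr-bank": "sha256",
                     "tpm2-primary-alg": "ecc", "tpm2-pin": True,
                     "tpm2-blob": "<base64 sealed blob, placeholder>",
                     "tpm2-policy-hash": "<hex policy digest, placeholder>"}},
})

# Constructed: enrolled without a PIN although the boot options ask for one.
AFTER_NO_PIN = AFTER.replace('"tpm2-pin": true', '"tpm2-pin": false')


@dataclass
class Tpm2Enrollment:
    token_id: str
    keyslots: List[str]
    pcrs: List[int]
    pin: bool
    problems: List[str] = field(default_factory=list)


def pin_expected_from_cmdline(cmdline: str) -> bool:
    """True when rd.luks.options on the kernel command line contains tpm2-pin=yes."""
    for word in cmdline.split():
        if word.startswith("rd.luks.options="):
            return "tpm2-pin=yes" in word.split("=", 1)[1].split(",")
    return False


def check_tpm2_enrollment(metadata_json: str, expect_pin: bool,
                          expect_pcrs: Sequence[int] = (7,)) -> List[Tpm2Enrollment]:
    """Return every systemd-tpm2 token together with the problems found for it."""
    meta = json.loads(metadata_json)
    keyslots = meta.get("keyslots", {})
    result = []
    for tid, tok in meta.get("tokens", {}).items():
        if tok.get("type") != "systemd-tpm2":
            continue
        e = Tpm2Enrollment(tid, list(tok.get("keyslots", [])),
                           [int(p) for p in tok.get("tpm2-pcrs", [])],
                           bool(tok.get("tpm2-pin", False)))
        if not e.keyslots:
            e.problems.append("token is bound to no keyslot")
        for ks in e.keyslots:
            if ks not in keyslots:
                e.problems.append(f"token references keyslot {ks}, which does not exist")
        missing = sorted(set(expect_pcrs) - set(e.pcrs))
        if missing:
            e.problems.append(f"policy does not bind PCR(s) {missing}")
        if e.pin != expect_pin:
            e.problems.append(f"tpm2-pin is {e.pin} but the boot options expect {expect_pin}")
        result.append(e)
    return result


def enrollment_ok(metadata_json: str, expect_pin: bool) -> bool:
    """True when at least one systemd-tpm2 token exists and none has a problem."""
    found = check_tpm2_enrollment(metadata_json, expect_pin)
    return bool(found) and all(not e.problems for e in found)


if __name__ == "__main__":
    # Constructed command line carrying the same rd.luks.options as the report.
    cmdline = "rhgb quiet rd.luks.options=discard,tpm2-device=auto,tpm2-pin=yes"
    want_pin = pin_expected_from_cmdline(cmdline)
    for label, hdr in (("before", BEFORE), ("after", AFTER), ("after, no pin", AFTER_NO_PIN)):
        print(label, "ok" if enrollment_ok(hdr, want_pin) else "NOT ok",
              [e.problems for e in check_tpm2_enrollment(hdr, want_pin)])
```

On a live system, feed it `cryptsetup luksDump --dump-json-metadata $DEV` and the contents of /proc/cmdline. A token enrolled without --tpm2-with-pin=yes while rd.luks.options says tpm2-pin=yes is flagged, since the initrd will prompt for a PIN the sealed object was never bound to; a token whose policy does not include PCR 7 is flagged because the secret would then unseal regardless of Secure Boot state.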