Bug 2231734

Summary: tpm_crb regression in kernel 6.5.0
Product: [Fedora] Fedora
Reporter: Carl Roth <roth>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: rawhide
CC: acaringi, adscvr, airlied, alciregi, bskeggs, hdegoede, hpa, jarod, josef, kernel-maint, lgoncalv, linville, masami256, mchehab, ptalbert, steved
Keywords: Regression
Hardware: x86_64
OS: Linux

Description Carl Roth 2023-08-13 17:19:22 UTC
1. Please describe the problem:

This is on a Fedora Silverblue system on an HP laptop (14-dq0xxx). In its working state the system was secure-booted with the root device unlocked via TPM (systemd-cryptenroll). After a recent ostree update the TPM module will not load and systemd-cryptenroll reports "no TPM devices".

2. What is the Version-Release number of the kernel:

6.5.0-0.rc5.20230811git25aa0bebba72.40.fc40.x86_64

3. Did it work previously in Fedora? If so, what kernel version did the issue
   *first* appear?  Old kernels are available for download at
   https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :

known working version
6.5.0-0.rc2.17.fc39.x86_64

4. Can you reproduce this issue? If so, please provide the steps to reproduce
   the issue below:

- boot the system
- test for TPM presence with 'systemd-cryptenroll --tpm2-device=list'

5. Does this problem occur with the latest Rawhide kernel? To install the
   Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by
   ``sudo dnf update --enablerepo=rawhide kernel``:


6. Are you running any modules that are not shipped directly with Fedora's kernel?:

no

7. Please attach the kernel logs. You can get the complete kernel log
   for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the
   issue occurred on a previous boot, use the journalctl ``-b`` flag.

System information:

[root@hp-14-dq0xxx tpm]# dmidecode
...
Handle 0x0001, DMI type 1, 27 bytes
System Information
        Manufacturer: HP
        Product Name: HP Laptop 14-dq0xxx
        Version:  
        Serial Number: 5CD9482K06
        UUID: 39444335-3834-4b32-3036-364b38344435
        Wake-up Type: Reserved
        SKU Number: 8BA38UA#ABA
        Family: 103C_5335KV HP Notebook
...
Handle 0x0018, DMI type 43, 31 bytes
TPM Device
        Vendor ID: CTNI
        Specification Version: 2.0
        Firmware Revision: 403.0
        Description: INTEL
        Characteristics:
                Family configurable via platform software support
        OEM-specific Information: 0x00000000
...

[root@hp-14-dq0xxx tpm]# rpm-ostree status
State: busy
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot
Transaction: upgrade
  Initiator: caller :1.132
Deployments:
● fedora:fedora/rawhide/x86_64/silverblue
                  Version: Rawhide.20230812.n.0 (2023-08-12T05:52:50Z)
               BaseCommit: b3333d8260208af568375b62f848502270a240bb29d6ae222037aad6d2484d74
             GPGSignature: Valid signature by 115DF9AEF857853EE8445D0A0727707EA15B79CC
          LayeredPackages: efitools gnome-tweaks guestfs-tools libvirt-daemon pam_yubico pass pesign sbsigntools virt-install
                           virt-manager virt-top virt-viewer ykclient ykpers yubico-piv-tool yubikey-manager
                           yubikey-personalization-gui
                Initramfs: --force-add tpm2-tss 

  fedora:fedora/rawhide/x86_64/silverblue
                  Version: Rawhide.20230719.n.0 (2023-07-19T06:07:43Z)
               BaseCommit: a9c89f00d1612591c822df0d3d5e1c3b0ba59c2961258b282e2e68614aefef2f
             GPGSignature: Valid signature by E8F23996F23218640CB44CBE75CF5AC418B8E74C
          LayeredPackages: efitools gnome-tweaks guestfs-tools libvirt-daemon pam_yubico pass pesign sbsigntools virt-install
                           virt-manager virt-top virt-viewer ykclient ykpers yubico-piv-tool yubikey-manager
                           yubikey-personalization-gui
                Initramfs: --force-add tpm2-tss 

Working ostree version is     Rawhide.20230719.n.0 (2023-07-19T06:07:43Z)
Non-working ostree version is Rawhide.20230812.n.0 (2023-08-12T05:52:50Z)

Here are logs from a working kernel:

[root@hp-14-dq0xxx toolbox]# dmesg | grep -i 'secure\|tpm\|trusted'
[    0.000000] Command line: BOOT_IMAGE=(hd0,gpt3)/ostree/fedora-7c178c0dcd8dd4fb117f6389a0a30b0d3eb84348fa827d7b79934f5fda7e76de/vmlinuz-6.5.0-0.rc2.17.fc39.x86_64 rd.luks.uuid=luks-aeaa0b4f-14f4-404c-a3a8-72b625280a37 rhgb quiet root=UUID=257fd0b9-8918-4a1a-97e8-47d117321e3f rootflags=subvol=root rw ostree=/ostree/boot.1/fedora/7c178c0dcd8dd4fb117f6389a0a30b0d3eb84348fa827d7b79934f5fda7e76de/0 rd.luks.options=discard,tpm2-device=auto,tpm2-pin=yes
[    0.000000] efi: ACPI 2.0=0x78477000 ACPI=0x78477000 TPMFinalLog=0x784cc000 SMBIOS=0x79b4c000 SMBIOS 3.0=0x79b4b000 MEMATTR=0x728df118 ESRT=0x74bd4e18 MOKvar=0x79b62000 RNG=0x7846e018 TPMEventLog=0x6e195018 
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[    0.014307] secureboot: Secure boot enabled
[    0.014589] ACPI: TPM2 0x0000000078494810 000034 (v04 HPQOEM 864D     00000001 HP   00000000)
[    0.014706] ACPI: Reserving TPM2 table memory at [mem 0x78494810-0x78494843]
[    0.104376] Kernel command line: BOOT_IMAGE=(hd0,gpt3)/ostree/fedora-7c178c0dcd8dd4fb117f6389a0a30b0d3eb84348fa827d7b79934f5fda7e76de/vmlinuz-6.5.0-0.rc2.17.fc39.x86_64 rd.luks.uuid=luks-aeaa0b4f-14f4-404c-a3a8-72b625280a37 rhgb quiet root=UUID=257fd0b9-8918-4a1a-97e8-47d117321e3f rootflags=subvol=root rw ostree=/ostree/boot.1/fedora/7c178c0dcd8dd4fb117f6389a0a30b0d3eb84348fa827d7b79934f5fda7e76de/0 rd.luks.options=discard,tpm2-device=auto,tpm2-pin=yes
[    0.614012] Initialise system trusted keyrings
[    2.185669] Key type trusted registered
[    2.193197] integrity: Loaded X.509 cert 'HP Inc.: HP UEFI Secure Boot DB 2017: d9c01b50cfcae89d3b05345c163aa76e5dd589e7'
[    2.209108] integrity: Loaded X.509 cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42'
[    2.703367] systemd[1]: systemd 254~rc2-4.fc39 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[    3.962585] sdhci: Secure Digital Host Controller Interface driver
[   22.163179] systemd[1]: systemd 254~rc2-4.fc39 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[   24.002743] systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).

[root@hp-14-dq0xxx toolbox]# systemd-cryptenroll --tpm2-device=list
PATH        DEVICE      DRIVER 
/dev/tpmrm0 MSFT0101:00 tpm_crb


Here are logs from a non-working kernel:
[root@hp-14-dq0xxx toolbox]# dmesg | grep -i 'secure\|tpm\|trusted'
[    0.000000] Command line: BOOT_IMAGE=(hd0,gpt3)/ostree/fedora-9227060068e668fa57d8f9377abf696ea916ddebee1a2735fe4ddddba7c778e3/vmlinuz-6.5.0-0.rc5.20230811git25aa0bebba72.40.fc40.x86_64 rd.luks.uuid=luks-aeaa0b4f-14f4-404c-a3a8-72b625280a37 rhgb quiet root=UUID=257fd0b9-8918-4a1a-97e8-47d117321e3f rootflags=subvol=root rw ostree=/ostree/boot.0/fedora/9227060068e668fa57d8f9377abf696ea916ddebee1a2735fe4ddddba7c778e3/0 rd.luks.options=discard,tpm2-device=auto,tpm2-pin=yes
[    0.000000] efi: ACPI 2.0=0x78477000 ACPI=0x78477000 TPMFinalLog=0x784cc000 SMBIOS=0x79b4c000 SMBIOS 3.0=0x79b4b000 MEMATTR=0x728df118 ESRT=0x74bd4e18 MOKvar=0x79b62000 RNG=0x7846e018 TPMEventLog=0x6e195018 
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[    0.014800] secureboot: Secure boot enabled
[    0.015102] ACPI: TPM2 0x0000000078494810 000034 (v04 HPQOEM 864D     00000001 HP   00000000)
[    0.015228] ACPI: Reserving TPM2 table memory at [mem 0x78494810-0x78494843]
[    0.104956] Kernel command line: BOOT_IMAGE=(hd0,gpt3)/ostree/fedora-9227060068e668fa57d8f9377abf696ea916ddebee1a2735fe4ddddba7c778e3/vmlinuz-6.5.0-0.rc5.20230811git25aa0bebba72.40.fc40.x86_64 rd.luks.uuid=luks-aeaa0b4f-14f4-404c-a3a8-72b625280a37 rhgb quiet root=UUID=257fd0b9-8918-4a1a-97e8-47d117321e3f rootflags=subvol=root rw ostree=/ostree/boot.0/fedora/9227060068e668fa57d8f9377abf696ea916ddebee1a2735fe4ddddba7c778e3/0 rd.luks.options=discard,tpm2-device=auto,tpm2-pin=yes
[    0.647120] Initialise system trusted keyrings
[    2.125716] tpm_crb: probe of MSFT0101:00 failed with error 378
[    2.224239] integrity: Loaded X.509 cert 'HP Inc.: HP UEFI Secure Boot DB 2017: d9c01b50cfcae89d3b05345c163aa76e5dd589e7'
[    2.240044] integrity: Loaded X.509 cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42'
[    2.240050] ima: No TPM chip found, activating TPM-bypass!
[    2.680381] systemd[1]: systemd 254.1-2.fc40 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[    3.927989] sdhci: Secure Digital Host Controller Interface driver
[   50.790432] systemd[1]: systemd 254.1-2.fc40 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP -GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
[   52.649977] systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).

[root@hp-14-dq0xxx toolbox]# systemd-cryptenroll --tpm2-device=list
No suitable TPM2 devices found.


Reproducible: Always
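
Added example, not part of the original report: a small POSIX shell check that scans a kernel log for the two failure signatures shown above (the `tpm_crb` probe failure and IMA's TPM-bypass message). The function names, tags and verdict strings are hypothetical; the sample lines are copied from the dmesg excerpts in this report.

```shell
#!/bin/sh
# Sample input constructed from the dmesg excerpts in this report.
SAMPLE_BAD='[    0.015102] ACPI: TPM2 0x0000000078494810 000034 (v04 HPQOEM 864D     00000001 HP   00000000)
[    2.125716] tpm_crb: probe of MSFT0101:00 failed with error 378
[    2.240050] ima: No TPM chip found, activating TPM-bypass!'
SAMPLE_GOOD='[    0.014589] ACPI: TPM2 0x0000000078494810 000034 (v04 HPQOEM 864D     00000001 HP   00000000)
[    2.185669] Key type trusted registered'

# tpm_log_findings (hypothetical helper): kernel log on stdin,
# one tag per TPM-relevant line on stdout.
tpm_log_findings() {
    sed -n -E \
        -e 's/.*(tpm_[a-z0-9_]+): probe of ([^ ]+) failed with error (-?[0-9]+).*/PROBE_FAILED driver=\1 device=\2 error=\3/p' \
        -e 's/.*ima: No TPM chip found, activating TPM-bypass.*/IMA_TPM_BYPASS/p' \
        -e 's/.*ACPI: TPM2 .*/ACPI_TPM2_TABLE/p'
}

# tpm_verdict (hypothetical helper): reduce the findings to one state.
# "no-failure-logged" only means the log shows no TPM error; on a live
# system also confirm that the device node (/dev/tpmrm0 above) exists.
tpm_verdict() {
    findings=$(tpm_log_findings)
    case "$findings" in
        *PROBE_FAILED*)    echo "driver-probe-failed" ;;
        *IMA_TPM_BYPASS*)  echo "ima-running-without-tpm" ;;
        *ACPI_TPM2_TABLE*) echo "no-failure-logged" ;;
        *)                 echo "no-tpm-in-log" ;;
    esac
}

# Live use: journalctl --no-hostname -k -b | tpm_verdict
printf '%s\n' "$SAMPLE_BAD"  | tpm_verdict
printf '%s\n' "$SAMPLE_GOOD" | tpm_verdict
```

A `driver-probe-failed` verdict together with an `ACPI_TPM2_TABLE` finding means the firmware still advertises the TPM and the failure is on the driver side, which is the situation this report describes.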