clevis-encrypt-tpm2 requires the tpm2_pcrlist program which doesn't appear to be available in Fedora 31. Version-Release number of selected component (if applicable): 11-6.fc31 Reproduction: $ echo hello | clevis encrypt tpm2 '{}'/usr/bin/clevis-encrypt-tpm2: line 62: tpm2_pcrlist: command not found tpm2_pcrlist appears to have existed in an older version of tpm2-tools: $ dnf whatprovides tpm2_pcrlist Last metadata expiration check: 0:17:08 ago on Sat 09 Nov 2019 16:15:43 GMT. tpm2-tools-3.2.0-3.fc31.x86_64 : A TPM2.0 testing tool build upon TPM2.0-TSS Repo : fedora Matched from: Filename : /usr/bin/tpm2_pcrlist But not in the current version: $ rpm -q tpm2-tools tpm2-tools-4.0.1-1.fc31.x86_64
(In reply to Sam Morris from comment #0) > clevis-encrypt-tpm2 requires the tpm2_pcrlist program which doesn't appear > to be available in Fedora 31. > > Version-Release number of selected component (if applicable): > 11-6.fc31 > > Reproduction: > > $ echo hello | clevis encrypt tpm2 '{}'/usr/bin/clevis-encrypt-tpm2: line > 62: tpm2_pcrlist: command not found > > tpm2_pcrlist appears to have existed in an older version of tpm2-tools: > > $ dnf whatprovides tpm2_pcrlist > Last metadata expiration check: 0:17:08 ago on Sat 09 Nov 2019 16:15:43 GMT. > tpm2-tools-3.2.0-3.fc31.x86_64 : A TPM2.0 testing tool build upon TPM2.0-TSS > Repo : fedora > Matched from: > Filename : /usr/bin/tpm2_pcrlist > > But not in the current version: > > $ rpm -q tpm2-tools > tpm2-tools-4.0.1-1.fc31.x86_64 The problem is that the tpm2-tools package was updated to 4.0 in Fedora 31 and this is a non-backward compatible change. So clevis needs to be updated as well with the patches to support the tpm2-tools 4.0 version.
This has already been fixed upstream in Clevis: https://github.com/latchset/clevis/commit/c86cf48bd608a590cac11d79868140fd16fc0113 You'll need to ship this fix in the Fedora–packaged copy of Clevis.
There is an updated package in -testing that supports tpm2-tools 4.0: https://bodhi.fedoraproject.org/updates/FEDORA-2019-23fd8b9534 It should be available in -stable soon.
Works as expected with clevis-11-8.fc31. Thank you.
Closing as this was fixed in clevis-11-8.fc31.