Bug 1770480 - clevis-encrypt-tpm2 depends on removed tpm2_pcrlist program
Summary: clevis-encrypt-tpm2 depends on removed tpm2_pcrlist program
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: clevis
Version: 31
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Daniel Kopeček
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-11-09 17:15 UTC by Sam Morris
Modified: 2019-12-19 15:16 UTC (History)
8 users (show)

Fixed In Version: clevis-11-8.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-19 15:16:37 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Sam Morris 2019-11-09 17:15:31 UTC 
clevis-encrypt-tpm2 requires the tpm2_pcrlist program which doesn't appear to be available in Fedora 31.

Version-Release number of selected component (if applicable):
11-6.fc31

Reproduction:

$ echo hello | clevis encrypt tpm2 '{}'/usr/bin/clevis-encrypt-tpm2: line 62: tpm2_pcrlist: command not found

tpm2_pcrlist appears to have existed in an older version of tpm2-tools:

$ dnf whatprovides tpm2_pcrlist
Last metadata expiration check: 0:17:08 ago on Sat 09 Nov 2019 16:15:43 GMT.
tpm2-tools-3.2.0-3.fc31.x86_64 : A TPM2.0 testing tool build upon TPM2.0-TSS
Repo        : fedora
Matched from:
Filename    : /usr/bin/tpm2_pcrlist

But not in the current version:

$ rpm -q tpm2-tools
tpm2-tools-4.0.1-1.fc31.x86_64
Comment 1 Javier Martinez Canillas 2019-11-11 08:15:55 UTC 
(In reply to Sam Morris from comment #0)
> clevis-encrypt-tpm2 requires the tpm2_pcrlist program which doesn't appear
> to be available in Fedora 31.
> 
> Version-Release number of selected component (if applicable):
> 11-6.fc31
> 
> Reproduction:
> 
> $ echo hello | clevis encrypt tpm2 '{}'/usr/bin/clevis-encrypt-tpm2: line
> 62: tpm2_pcrlist: command not found
> 
> tpm2_pcrlist appears to have existed in an older version of tpm2-tools:
> 
> $ dnf whatprovides tpm2_pcrlist
> Last metadata expiration check: 0:17:08 ago on Sat 09 Nov 2019 16:15:43 GMT.
> tpm2-tools-3.2.0-3.fc31.x86_64 : A TPM2.0 testing tool build upon TPM2.0-TSS
> Repo        : fedora
> Matched from:
> Filename    : /usr/bin/tpm2_pcrlist
> 
> But not in the current version:
> 
> $ rpm -q tpm2-tools
> tpm2-tools-4.0.1-1.fc31.x86_64

The problem is that the tpm2-tools package was updated to 4.0 in Fedora 31 and this is a non-backward compatible change.

So clevis needs to be updated as well with the patches to support the tpm2-tools 4.0 version.
Comment 2 Jeremy Visser 2019-11-12 11:52:14 UTC 
This has already been fixed upstream in Clevis:

https://github.com/latchset/clevis/commit/c86cf48bd608a590cac11d79868140fd16fc0113

You'll need to ship this fix in the Fedora–packaged copy of Clevis.
Comment 3 Sergio Correia 2019-11-18 10:29:46 UTC 
There is an updated package in -testing that supports tpm2-tools 4.0: https://bodhi.fedoraproject.org/updates/FEDORA-2019-23fd8b9534
It should be available in -stable soon.
Comment 4 Mikhail Zabaluev 2019-11-26 10:51:37 UTC 
Works as expected with clevis-11-8.fc31. Thank you.
Comment 5 Sergio Correia 2019-12-19 15:16:37 UTC 
Closing as this was fixed in clevis-11-8.fc31.
Note You need to log in before you can comment on or make changes to this bug.