The TPM2 gets put into the tss user/group via udev rules in /usr/lib/udev/rules.d/60-tpm-udev.rules but the tss user/group isn't created unless the trousers package is installed. This causes userspace issues with access to the TPM2, like if clevis is unlocking user partitions post root switch (AKA not in the initrd where everything is run as root). In most cases now the trousers package isn't installed because TPM2 has been the standard for a long time and TPM1 units are generally considered insecure so the tpm2-tss package should check if the user/group exists and if not create them per packaging policy. This affects userspace TPM2 access, it doesn't affect unlocking an encrypted root filesystem as this is done as the root user in the initrd, but it affects clevis unlocking non root filesystems on a different LUKS partition such as /home or /opt as well as other TPM2 access from userspace.
Proposed as a Freeze Exception for 33-beta by Fedora user pbrobinson using the blocker tracking app because: Causing issues on Fedora IoT and other TPM2 related bits. Not sure if it's considered a blocker or a FE as it works on clevis if it's a single LUKS partition with LVM for root and other filesystems, but if there's any LUKS that would get unlocked post switch root it's causing issues.
The tpm2-tss package is currently failing to build due to some change in doxygen, but the fix has been pushed.
FEDORA-2020-91532104d0 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-91532104d0
FEDORA-2020-91532104d0 has been pushed to the Fedora 33 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-91532104d0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-91532104d0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
+3 votes in ticket (https://pagure.io/fedora-qa/blocker-review/issue/92 ), setting accepted.
FEDORA-2020-91532104d0 has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.