+++ This bug was initially created as a clone of Bug #1989321 +++ We're working on a C9S CoreOS (https://github.com/openshift/os/issues/604) and and our LUKS+TPM test is failing: https://github.com/openshift/os/issues/605 I suspect this may actually be an OpenSSL 3 interaction, but basically: ``` [root@cosa-devsh ~]# rpm -q tpm2-tools tpm2-tools-5.0-6.el9.x86_64 [root@cosa-devsh ~]# tpm2_createprimary ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:328:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001) ERROR:esys:src/tss2-esys/esys_iutil.c:1243:iesys_compute_hmac() HMAC error ErrorCode (0x00070001) ERROR:esys:src/tss2-esys/esys_iutil.c:1341:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001) ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:237:Esys_CreatePrimary_Async() Error in computation of auth values ErrorCode (0x00070001) ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:110:Esys_CreatePrimary() Error in async function ErrorCode (0x00070001) ERROR: Esys_CreatePrimary(0x70001) - esapi:Catch all for all errors not otherwise specified ERROR: Unable to run tpm2_createprimary [root@cosa-devsh ~]# ``` This works fine on current Fedora CoreOS and RHEL8 CoreOS. This is in qemu with swtpm. The test framework is in https://github.com/coreos/coreos-assembler/ --- Additional comment from Jonathan Lebon on 2021-09-20 10:49:10 EDT --- This is also affecting Fedora CoreOS rawhide too now. It's breaking any test which uses TPM2: ``` $ clevis luks bind -f -k /tmp/ignition-luks-1495034653 -d /run/ignition/dev_aliases/dev/disk/by-partlabel/varlog sss '{"pins":{"tpm2":{}},"t":1}' Warning: Value 512 is outside of the allowed entropy range, adjusting it. ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:327:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) EVP_PKEY_new_mac_key ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001) ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001) ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001) ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:244:Esys_CreatePrimary_Async() Error in computation of auth values ErrorCode (0x00070001) ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:110:Esys_CreatePrimary() Error in async function ErrorCode (0x00070001) ERROR: Esys_CreatePrimary(0x70001) - esapi:Catch all for all errors not otherwise specified ERROR: Unable to run tpm2_createprimary Creating TPM2 primary key failed! Invalid input! Usage: jose jwe fmt -i JWE [-I CT] [-o JWE] [-O CT] [-c] Converts a JWE between serialization formats ... Failed to import token from file. Error saving metadata to LUKS2 header in device /run/ignition/dev_aliases/dev/disk/by-partlabel/varlog Unable to update metadata; operation cancelled Error adding new binding to /run/ignition/dev_aliases/dev/disk/by-partlabel/varlog ``` Started happening with tpm2-tss-3.1.0-4.fc36, which was rebuilt for OpenSSL 3.0.0. So based on that and the stderr, I agree with Colin this is likely an OpenSSL-related issue. Moving to tpm2-tss since it seems like the error actually lies in libtss2. Wasn't sure if you preferred we cloned this to Fedora rawhide or you'd rather keep it all in this RHBZ. Can do the clone if you'd like. --- Additional comment from Timothée Ravier on 2021-09-21 06:21:09 EDT --- I'm raising the severity as this will prevent us from shipping RHEL 9 in RHCOS.
Looks like this might be fixed upstream with commit: https://github.com/tpm2-software/tpm2-tss/commit/362fda1daa398da2944e76013c215500761d46a5 But there's other OpenSSL fixes that may be required.
Is it worth pulling back that patch to our RPM and running a test?
(In reply to Peter Robinson from comment #1) > Looks like this might be fixed upstream with commit: > https://github.com/tpm2-software/tpm2-tss/commit/ > 362fda1daa398da2944e76013c215500761d46a5 > > But there's other OpenSSL fixes that may be required. We ran into this issue when running somes test for the keylime project[1]. This is also the likely cause of some clevis tests failing for IoT in rawhide. Perhaps you could apply these patches [2] that went into CentOS Stream 9? [1] https://github.com/keylime/keylime/pull/811#issuecomment-996014741 [2] https://gitlab.com/redhat/centos-stream/rpms/tpm2-tss/-/merge_requests/2
There's a new 3.2 release with support for openssl due next week.
support for openssl 3
this breaks functionalities like systemd-creds (https://github.com/systemd/systemd/issues/21747) or systemd-cryptenroll also the tpm2-tss-engine seems to be replaced with https://github.com/tpm2-software/tpm2-openssl for OpenSSL 3 support. Is there a way tpm support can be fixed in time for Fedora 36 release?
Proposed as a Blocker for 36-beta by Fedora user dustymabe using the blocker tracking app because: Using a TPM2 should work.
(In reply to Sergio Correia from comment #3) > We ran into this issue when running somes test for the keylime project[1]. > This is also the likely cause of some clevis tests failing for IoT in > rawhide. If this is confirmed, it's likely a final release blocker per https://fedoraproject.org/wiki/Fedora_35_Final_Release_Criteria#Automatic_partition_decryption_.28Clevis.29
Discussed during the 2022-02-07 blocker review meeting: [0] The decision to classify this bug as a "RejectedBlocker (Beta)" and an "AcceptedFreezeException (Beta)" was made as this does not appear to violate any Beta criteria, but it is useful functionality and would be a showstopper for anyone using it on F35 who upgrades to F36, so accepted as an FE issue. [0] https://meetbot.fedoraproject.org/fedora-blocker-review/2022-02-07/f36-blocker-review.2022-02-07-17.00.txt
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle. Changing version to 36.
FEDORA-2022-5204b0e8fb has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2022-385d633906 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-385d633906
FEDORA-2022-385d633906 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.
Fixed clevis decryption in IoT with tpm2-tss-3.2.0-0.3.rc0.fc36