Bug 2017173 - clevis luks bind fails - The tpm2 pin requires a tpm2-tools version between 3 and 5
Keywords:
Status: CLOSED DUPLICATE of bug 2015941
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: clevis
Version: CentOS Stream
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
Assignee: Sergio Correia
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-25 21:34 UTC by lejeczek
Modified: 2021-11-05 15:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-05 15:19:14 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-100704 0 None None None 2021-10-25 21:38:09 UTC
Red Hat Issue Tracker SECENGSP-4170 0 None None None 2021-11-02 09:50:43 UTC

Description lejeczek 2021-10-25 21:34:53 UTC
Description of problem:

-> $ clevis luks bind -d UUID=74b39db4-4bf1-478b-828d-8f9e9db12df6 tpm2 '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0"}'
Enter existing LUKS password: 
No key available with this passphrase.
Enter existing LUKS password: 
Warning: Value 512 is outside of the allowed entropy range, adjusting it.
The tpm2 pin requires a tpm2-tools version between 3 and 5
Invalid input!
Usage: jose jwe fmt -i JWE [-I CT] [-o JWE] [-O CT] [-c]

Converts a JWE between serialization formats

  -i JSON --input=JSON     Parse JWE from JSON
  -i FILE --input=FILE     Read JWE from FILE
  -i -    --input=-        Read JWE from standard input

  -I FILE --detached=FILE  Read decoded ciphertext from FILE
  -I -    --detached=-     Read decoded ciphertext from standard input

  -o JSON --output=JSON    Parse JWE from JSON
  -o FILE --output=FILE    Read JWE from FILE
  -o -    --output=-       Read JWE from standard input
                           Default: "-"

  -O JSON --detach=JSON    Parse JWE from JSON
  -O FILE --detach=FILE    Read JWE from FILE
  -O -    --detach=-       Read JWE from standard input

  -c      --compact        Output JWE using compact serialization

Failed to import token from file.
Error saving metadata to LUKS2 header in device UUID=74b39db4-4bf1-478b-828d-8f9e9db12df6
Unable to update metadata; operation cancelled
Error adding new binding to UUID=74b39db4-4bf1-478b-828d-8f9e9db12df6


Version-Release number of selected component (if applicable):

Package tpm2-tools-5.0-9.el9.x86_64 is already installed.


Comment 1 Sergio Correia 2021-10-25 22:11:14 UTC
This is an issue with tpm2-tools 5.0-9, which stopped reporting its version, so clevis is unable to determine its version. It is being tracked here: https://bugzilla.redhat.com/show_bug.cgi?id=2015941
I changed the component to clevis.

Comment 2 lejeczek 2021-11-02 09:50:08 UTC
To confirm: tpm2-tools-5.0-10.el9.x86_64 from the devel build fixes the problem.

Comment 3 Sergio Correia 2021-11-05 15:19:14 UTC
Thanks for checking that tpm2-tools-5.0-10.el9 fixes the problem. I am marking this as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=2015941.

*** This bug has been marked as a duplicate of bug 2015941 ***
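
The diagnosis in Comment 1, as an added example that is not part of the bug thread and is not clevis code: a POSIX shell check that reports "version could not be detected" separately from "version out of range", the two cases that the single error message in the description conflates. The `version="..."` banner format, the function names and the sample banners are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not clevis code): classify a tpm2-tools version banner
# before applying a "between 3 and 5" range check.
# Assumption: the tool prints a banner containing version="MAJOR.MINOR...".

# Print the major version found in the banner, or nothing when the
# banner carries no numeric version (e.g. version="").
tpm2_major_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*version="\([0-9][0-9]*\)[."].*/\1/p' |
        head -n 1
}

# Print "ok <major>", "out-of-range <major>" or "undetected".
# Exit status: 0 = supported, 1 = out of range, 2 = version not reported.
check_tpm2_tools_banner() {
    major=$(tpm2_major_from_banner "$1")
    case "$major" in
        '')
            # Nothing to compare: do not fall through to the range test,
            # where an empty value would be reported as "wrong version".
            echo "undetected"
            return 2
            ;;
    esac
    if [ "$major" -ge 3 ] && [ "$major" -le 5 ]; then
        echo "ok $major"
        return 0
    fi
    echo "out-of-range $major"
    return 1
}

# Constructed sample banners (not captured from a real system).
BANNER_GOOD='tool="tpm2_createprimary" version="5.0" tctis="libtss2-tctildr" tcti-default=tcti-device'
BANNER_EMPTY='tool="tpm2_createprimary" version="" tctis="libtss2-tctildr" tcti-default=tcti-device'
BANNER_OLD='tool="tpm2_createprimary" version="2.1.0" tctis="libtss2-tctildr"'

for banner in "$BANNER_GOOD" "$BANNER_EMPTY" "$BANNER_OLD"; do
    check_tpm2_tools_banner "$banner" || true
done
```

Stopping at the "undetected" case also avoids the follow-on errors seen in the description, where the bind continued far enough for `jose jwe fmt` and the LUKS2 token import to fail on empty input.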

