Description of problem:
Both clevis encrypt and the tcsd service do not work, although I can find the TPM being active in the logs. Tried the enable operation from the BIOS with no luck. The system is a https://frame.work/ laptop with the i5-1135G7 CPU.

dmesg | grep -i tpm
[    0.000000] efi: ACPI=0x45bfe000 ACPI 2.0=0x45bfe014 TPMFinalLog=0x45ac5000 SMBIOS=0x439e3000 SMBIOS 3.0=0x439e1000 MEMATTR=0x3f8dc018 ESRT=0x3f8ea298 MOKvar=0x3f8df000 RNG=0x439e4b18 TPMEventLog=0x39f43018
[    0.008084] ACPI: SSDT 0x0000000045BE1000 00077B (v02 INSYDE Tpm2Tabl 00001000 INTL 20160422)
[    0.008086] ACPI: TPM2 0x0000000045BE0000 00004C (v04 INSYDE TGL-ULT 00000002 ACPI 00040000)
[    0.008128] ACPI: Reserving TPM2 table memory at [mem 0x45be0000-0x45be004b]
[    1.192488] tpm_tis NTC0702:00: 2.0 TPM (device-id 0xFC, rev-id 1)

Version-Release number of selected component (if applicable):
tpm-tools.x86_64 1.3.9-11.fc35
tpm2-tools.x86_64 5.2-1.fc35
tpm2-tss.x86_64 3.1.0-3.fc35
clevis.x86_64 18-3.fc35
clevis-dracut.x86_64 18-3.fc35
clevis-luks.x86_64 18-3.fc35
clevis-pin-tpm2.x86_64 0.3.0-2.fc35
clevis-systemd.x86_64 18-3.fc35
clevis-udisks2.x86_64 18-3.fc35

How reproducible:
Trying to start tcsd, it fails and the logs show:

Oct 31 00:21:27 fedora systemd[1]: Starting TCG Core Services Daemon...
Oct 31 00:21:27 fedora tcsd[10119]: TCSD TDDL[10119]: TrouSerS ioctl: (25) Inappropriate ioctl for device
Oct 31 00:21:27 fedora tcsd[10119]: TCSD TDDL[10119]: TrouSerS Falling back to Read/Write device support.
Oct 31 00:21:27 fedora tcsd[10119]: TCSD TCS[10119]: TrouSerS ERROR: TCS GetCapability failed with result = 0x1e
Oct 31 00:21:27 fedora systemd[1]: tcsd.service: Control process exited, code=exited, status=30/n/a
Oct 31 00:21:27 fedora systemd[1]: tcsd.service: Failed with result 'exit-code'.
Oct 31 00:21:27 fedora systemd[1]: Failed to start TCG Core Services Daemon.
Trying to do

sudo echo hi | clevis encrypt tpm2 '{}' > my.jwe

produces the following:

Place your finger on the fingerprint reader
ERROR:tcti:src/tss2-tcti/tcti-device.c:442:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: device
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI
Error executing command: TPM error: response code not recognized
Is it a tpm2 or tpm1?
Hi @pbrobinson, thanks for handling this bug. It's TPM2.

[    1.192488] tpm_tis NTC0702:00: 2.0 TPM (device-id 0xFC, rev-id 1)

Any other information I can provide that could be helpful?
> How reproducible:
> Trying to start tcsd, it fails and the logs show:
>
> Oct 31 00:21:27 fedora systemd[1]: Starting TCG Core Services Daemon...
> Oct 31 00:21:27 fedora tcsd[10119]: TCSD TDDL[10119]: TrouSerS ioctl: (25)
> Inappropriate ioctl for device
> Oct 31 00:21:27 fedora tcsd[10119]: TCSD TDDL[10119]: TrouSerS Falling back
> to Read/Write device support.
> Oct 31 00:21:27 fedora tcsd[10119]: TCSD TCS[10119]: TrouSerS ERROR: TCS
> GetCapability failed with result = 0x1e
> Oct 31 00:21:27 fedora systemd[1]: tcsd.service: Control process exited,
> code=exited, status=30/n/a
> Oct 31 00:21:27 fedora systemd[1]: tcsd.service: Failed with result
> 'exit-code'.
> Oct 31 00:21:27 fedora systemd[1]: Failed to start TCG Core Services Daemon.

So all of the above looks like it's coming from TrouSerS, which is purely for tpm1 and is irrelevant, as it's not used for any of the tpm2 support.
Ok, thanks! Makes sense, so I don't need this service running then.

The real problem is the other part though, where I try to use clevis:

sudo echo hi | clevis encrypt tpm2 '{}' > my.jwe

and I get

Error executing command: TPM error: response code not recognized

See the description for the complete log.
(In reply to Boris from comment #5)
> Ok, thanks! Makes sense, so I don't need this service running then.
>
> The real problem is the other part though, where I try to use clevis: sudo
> echo hi | clevis encrypt tpm2 '{}' > my.jwe
>
> and I get Error executing command: TPM error: response code not recognized
> see the description for the complete log

The error looks to be in the logs:

Failed to open specified TCTI device file /dev/tpmrm0: Permission denied

So what permissions does the device have?
Also, was it a clean install or an upgrade?
It was a clear install.

[borko@fallen-robot ~]$ getfacl /dev/tpmrm0
getfacl: Removing leading '/' from absolute path names
# file: dev/tpmrm0
# owner: tss
# group: tss
user::rw-
group::rw-
other::---
What are you setting needinfo for? You're not asking for anything.
Sorry, I thought it would make you see that you have a response.

I added my user to the tss group but it didn't help. sudo also doesn't help.

id borko
uid=1000(borko) gid=1000(borko) groups=1000(borko),10(wheel),59(tss)
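An added diagnostic (not part of the bug report) for the permission question raised above: it applies the owner/group/mode facts shown by getfacl to a user's group list, and the live helper compares the groups of the running session (what clevis is actually executed with) against the account's configured groups, since a group added to /etc/group only takes effect at the next login. The device path /dev/tpmrm0 and the sample values tss/tss/660/borko are taken from this thread; note also that in `sudo echo hi | clevis …` only `echo` is elevated, so clevis runs with the invoking user's own groups.

```shell
#!/bin/sh
# can_rw_device OWNER GROUP MODE USER [GROUP ...]
# MODE is octal as printed by `stat -c %a` (660 for rw-rw----).
# Returns 0 when USER, whose supplementary groups follow, gets read+write
# under plain DAC rules (owner class wins, then group class, then other).
can_rw_device() {
    owner=$1; group=$2; mode=$3; user=$4; shift 4
    if [ "$user" = root ]; then return 0; fi   # root bypasses the mode bits
    mode=$(printf %s "$mode" | tail -c 3)      # drop a leading suid/sgid/sticky digit
    if [ "$user" = "$owner" ]; then
        bits=$(printf %s "$mode" | cut -c1)    # owner class applies, and only it
    else
        bits=$(printf %s "$mode" | cut -c3)    # "other" until a group matches
        for g in "$@"; do
            if [ "$g" = "$group" ]; then bits=$(printf %s "$mode" | cut -c2); fi
        done
    fi
    case $bits in 6|7) return 0 ;; *) return 1 ;; esac
}

# check_tpm_node [DEVICE]: live version for this machine (default /dev/tpmrm0).
# `id -nG` is the current process's groups; `id -nG USER` is the account
# database, so a mismatch means "re-login needed", not "not in the group".
check_tpm_node() {
    dev=${1:-/dev/tpmrm0}
    if [ ! -c "$dev" ]; then echo "$dev: not a character device"; return 2; fi
    set -- $(stat -c '%U %G %a' "$dev")
    owner=$1; group=$2; mode=$3
    me=$(id -un)
    if can_rw_device "$owner" "$group" "$mode" "$me" $(id -nG); then
        echo "$me can open $dev read/write in this session"; return 0
    fi
    if can_rw_device "$owner" "$group" "$mode" "$me" $(id -nG "$me"); then
        echo "$me is in group $group in /etc/group but not in this session; log out and back in"
        return 1
    fi
    echo "$me lacks access to $dev ($owner:$group mode $mode); add the user to group $group"
    return 1
}
```

Run `check_tpm_node` as the user who will invoke clevis, not under sudo.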
Are you unlocking at boot for the rootfs, or is it a userspace filesystem?
Created attachment 1838930 [details] Drives
Created attachment 1838931 [details] Partition 2

I am not exactly sure what you are asking, but the fs is btrfs on top of a LUKS encrypted partition. This is the setup chosen by anaconda custom partitioning auto generation without any actual changes. Please see the Drives attachment above. Attaching more pictures for the different partitions.
Created attachment 1838932 [details] Partition 3
Created attachment 1838933 [details] wild boar Btrfs
The LUKS2 encrypted Partition 3 is unlocked at boot time. I am actually trying to set the TPM to do that instead of using a password.
Seems fixed after today's update! @pbrobinson