Bug 2018978 - TPM support does not work on Fedora 35
Summary: TPM support does not work on Fedora 35
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: tpm2-tss
Version: 35
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Peter Robinson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-11-01 12:07 UTC by Boris
Modified: 2021-11-04 11:18 UTC
CC List: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-04 11:18:21 UTC
Type: Bug
Embargoed:


Attachments
Drives (226.25 KB, image/png), 2021-11-01 16:10 UTC, Boris
Partition 2 (264.64 KB, image/png), 2021-11-01 16:15 UTC, Boris
Partition 3 (269.41 KB, image/png), 2021-11-01 16:16 UTC, Boris
wild boar Btrfs (266.11 KB, image/png), 2021-11-01 16:17 UTC, Boris

Description Boris 2021-11-01 12:07:31 UTC
Description of problem:

Both clevis encrypt and the tcsd service do not work, although I can find the TPM being active in the logs. Tried the enable operation from the BIOS with no luck.

The system is a https://frame.work/ laptop with the i5-1135G7 CPU.


dmesg | grep -i tpm

[    0.000000] efi: ACPI=0x45bfe000 ACPI 2.0=0x45bfe014 TPMFinalLog=0x45ac5000 SMBIOS=0x439e3000 SMBIOS 3.0=0x439e1000 MEMATTR=0x3f8dc018 ESRT=0x3f8ea298 MOKvar=0x3f8df000 RNG=0x439e4b18 TPMEventLog=0x39f43018 
[    0.008084] ACPI: SSDT 0x0000000045BE1000 00077B (v02 INSYDE Tpm2Tabl 00001000 INTL 20160422)
[    0.008086] ACPI: TPM2 0x0000000045BE0000 00004C (v04 INSYDE TGL-ULT  00000002 ACPI 00040000)
[    0.008128] ACPI: Reserving TPM2 table memory at [mem 0x45be0000-0x45be004b]
[    1.192488] tpm_tis NTC0702:00: 2.0 TPM (device-id 0xFC, rev-id 1)


Version-Release number of selected component (if applicable):
tpm-tools.x86_64          1.3.9-11.fc35
tpm2-tools.x86_64         5.2-1.fc35
tpm2-tss.x86_64           3.1.0-3.fc35
clevis.x86_64             18-3.fc35
clevis-dracut.x86_64      18-3.fc35
clevis-luks.x86_64        18-3.fc35
clevis-pin-tpm2.x86_64    0.3.0-2.fc35
clevis-systemd.x86_64     18-3.fc35
clevis-udisks2.x86_64     18-3.fc35


How reproducible:
Trying to start tcsd, it fails and the logs show:

Oct 31 00:21:27 fedora systemd[1]: Starting TCG Core Services Daemon...
Oct 31 00:21:27 fedora tcsd[10119]: TCSD TDDL[10119]: TrouSerS ioctl: (25) Inappropriate ioctl for device
Oct 31 00:21:27 fedora tcsd[10119]: TCSD TDDL[10119]: TrouSerS Falling back to Read/Write device support.
Oct 31 00:21:27 fedora tcsd[10119]: TCSD TCS[10119]: TrouSerS ERROR: TCS GetCapability failed with result = 0x1e
Oct 31 00:21:27 fedora systemd[1]: tcsd.service: Control process exited, code=exited, status=30/n/a
Oct 31 00:21:27 fedora systemd[1]: tcsd.service: Failed with result 'exit-code'.
Oct 31 00:21:27 fedora systemd[1]: Failed to start TCG Core Services Daemon.


Trying to do
sudo echo hi | clevis encrypt tpm2 '{}' > my.jwe

produces the following

Place your finger on the fingerprint reader
ERROR:tcti:src/tss2-tcti/tcti-device.c:442:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:154:tcti_from_file() Could not initialize TCTI file: device 
ERROR:tcti:src/tss2-tcti/tctildr.c:428:Tss2_TctiLdr_Initialize_Ex() Failed to instantiate TCTI 
Error executing command: TPM error: response code not recognized

Comment 1 Peter Robinson 2021-11-01 12:13:45 UTC
Is it a tpm2 or tpm1?

Comment 2 Peter Robinson 2021-11-01 12:14:08 UTC
Is it a tpm2 or tpm1?

Comment 3 Boris 2021-11-01 13:37:33 UTC
Hi @pbrobinson

Thanks for handling this bug. It's TPM2.

[    1.192488] tpm_tis NTC0702:00: 2.0 TPM (device-id 0xFC, rev-id 1)

Any other information I can provide that could be helpful?

Comment 4 Peter Robinson 2021-11-01 13:41:33 UTC
> How reproducible:
> Trying to start tcsd, it fails and the logs show:
> 
> Oct 31 00:21:27 fedora systemd[1]: Starting TCG Core Services Daemon...
> Oct 31 00:21:27 fedora tcsd[10119]: TCSD TDDL[10119]: TrouSerS ioctl: (25)
> Inappropriate ioctl for device
> Oct 31 00:21:27 fedora tcsd[10119]: TCSD TDDL[10119]: TrouSerS Falling back
> to Read/Write device support.
> Oct 31 00:21:27 fedora tcsd[10119]: TCSD TCS[10119]: TrouSerS ERROR: TCS
> GetCapability failed with result = 0x1e
> Oct 31 00:21:27 fedora systemd[1]: tcsd.service: Control process exited,
> code=exited, status=30/n/a
> Oct 31 00:21:27 fedora systemd[1]: tcsd.service: Failed with result
> 'exit-code'.
> Oct 31 00:21:27 fedora systemd[1]: Failed to start TCG Core Services Daemon.

So all of the above looks like it's coming from TrouSerS, which is purely for tpm1 and is irrelevant as it's not used for any of the tpm2 support.

Comment 5 Boris 2021-11-01 13:44:20 UTC
Ok, thanks! Makes sense, so I don't need this service running then.

The real problem is the other part though, where I try to use clevis: sudo echo hi | clevis encrypt tpm2 '{}' > my.jwe

and I get "Error executing command: TPM error: response code not recognized";
see the description for the complete log.

Comment 6 Peter Robinson 2021-11-01 13:47:51 UTC
(In reply to Boris from comment #5)
> Ok, thanks! Makes sense, so I don't need this service running then.
> 
> The real problem is the other part though, where I try to use clevis: sudo
> echo hi | clevis encrypt tpm2 '{}' > my.jwe
> 
> and I get Error executing command: TPM error: response code not recognized
> see the description for the complete log

The error looks to be in the logs:
Failed to open specified TCTI device file /dev/tpmrm0: Permission denied 

So what permissions does the device have?

Comment 7 Peter Robinson 2021-11-01 13:54:57 UTC
Also was it a clean install or upgrade?

Comment 8 Boris 2021-11-01 14:04:07 UTC
It was a clean install.

[borko@fallen-robot ~]$ getfacl  /dev/tpmrm0
getfacl: Removing leading '/' from absolute path names
# file: dev/tpmrm0
# owner: tss
# group: tss
user::rw-
group::rw-
other::---

Comment 9 Peter Robinson 2021-11-01 14:06:55 UTC
What are you setting needinfo for? You're not asking for anything.

Comment 10 Boris 2021-11-01 14:29:08 UTC
Sorry, I thought it would make you see you have a response.

I added my user to the tss group, but it didn't help. sudo also doesn't help.

id borko

uid=1000(borko) gid=1000(borko) groups=1000(borko),10(wheel),59(tss)
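
Added example, not code from the report or from the tpm2-tss or clevis projects: it parses getfacl and id output of the shape quoted above, applies the plain owner/group/other precedence to say whether that user should be able to open /dev/tpmrm0 read/write, and when the mode bits allow it points at the live-session credentials instead. Sample inputs are constructed to match this report.

```python
import re

# Constructed sample inputs, shaped like the getfacl and id output in this report.
GETFACL_TPMRM0 = """\
# file: dev/tpmrm0
# owner: tss
# group: tss
user::rw-
group::rw-
other::---
"""
ID_BORKO = "uid=1000(borko) gid=1000(borko) groups=1000(borko),10(wheel),59(tss)"

def parse_getfacl(text):
    """Return owner, group and the three base ACL entries from getfacl output."""
    acl = {}
    for line in text.splitlines():
        if line.startswith("# owner:") or line.startswith("# group:"):
            key, val = line[2:].split(":", 1)
            acl[key] = val.strip()
        elif "::" in line:                      # user::rw- / group::rw- / other::---
            who, perms = line.split("::", 1)
            acl[who + "_perms"] = perms.strip()
    return acl

def parse_id(text):
    """Return (user name, set of group names) from `id` output."""
    user = re.search(r"uid=\d+\(([^)]+)\)", text).group(1)
    groups = set(re.findall(r"\d+\(([^)]+)\)", text.split("groups=", 1)[1]))
    return user, groups

def effective_perms(acl, user, groups):
    """POSIX precedence without extended ACL entries: owner, else group, else other."""
    if user == acl["owner"]:
        return acl["user_perms"]
    if acl["group"] in groups:
        return acl["group_perms"]
    return acl["other_perms"]

def diagnose(getfacl_text, id_text):
    """Return (verdict, perms, hint) for opening the device read/write as that user."""
    acl = parse_getfacl(getfacl_text)
    user, groups = parse_id(id_text)
    perms = effective_perms(acl, user, groups)
    if "r" in perms and "w" in perms:
        # Mode bits say yes.  If the tool still reports EACCES, the process that opened
        # the device does not carry these groups: membership added after login is not in
        # the live session, and `sudo echo ... | clevis` runs clevis unprivileged.
        return "expected-ok", perms, "verify live credentials with `id` (no argument)"
    return "denied", perms, "add the user to group %s and log in again" % acl["group"]
```

`id <user>` reads the account database, while a bare `id` reports the credentials of the current session, so the two can disagree until the user logs in again.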

Comment 11 Peter Robinson 2021-11-01 15:05:20 UTC
Are you unlocking at boot for the rootfs, or is it a userspace filesystem?

Comment 12 Boris 2021-11-01 16:10:50 UTC
Created attachment 1838930 [details]
Drives

Comment 13 Boris 2021-11-01 16:15:16 UTC
Created attachment 1838931 [details]
Partition 2

I am not exactly sure what you are asking, but the fs is btrfs on top of a LUKS encrypted partition. This is the setup chosen by the anaconda custom partitioning auto-generation, without any actual changes.

Please, see the Drives attachment above.

Attaching more pictures for the different partitions

Comment 14 Boris 2021-11-01 16:16:05 UTC
Created attachment 1838932 [details]
Partition 3

Comment 15 Boris 2021-11-01 16:17:06 UTC
Created attachment 1838933 [details]
wild boar Btrfs

Comment 16 Boris 2021-11-01 16:18:47 UTC
The LUKS2 encrypted Partition 3 is unlocked at boot time. I am actually trying to set the TPM to do that instead of using a password.

Comment 17 Boris 2021-11-04 11:18:21 UTC
Seems fixed after today's update!
@pbrobinson

