Description of problem: Hi. I have a luks device already clevis-pined and when I try to 'regen': -> clevis luks list -d /dev/nvme0n1p3 1: tpm2 '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}' [root@dzien ~]# clevis luks regen -d /dev/nvme0n1p3 -s 1 Regenerating binding (device /dev/nvme0n1p3, slot 1): Pin: tpm2, Config: '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}' Do you want to proceed? [ynYN] y WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x00000921) ERROR: Eys_Load(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode ERROR: Unable to run tpm2_load Loading jwk to TPM2 failed! Enter existing LUKS password: Warning: Value 512 is outside of the allowed entropy range, adjusting it. WARNING:esys:src/tss2-esys/api/Esys_Create.c:375:Esys_Create_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Create.c:120:Esys_Create() Esys Finish ErrorCode (0x00000921) ERROR: Esys_Create(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode ERROR: Unable to run tpm2_create Creating TPM2 object for jwk failed! Invalid input! Usage: jose jwe fmt -i JWE [-I CT] [-o JWE] [-O CT] [-c] Converts a JWE between serialization formats -i JSON --input=JSON Parse JWE from JSON -i FILE --input=FILE Read JWE from FILE -i - --input=- Read JWE from standard input -I FILE --detached=FILE Read decoded ciphertext from FILE -I - --detached=- Read decoded ciphertext from standard input -o JSON --output=JSON Parse JWE from JSON -o FILE --output=FILE Read JWE from FILE -o - --output=- Read JWE from standard input Default: "-" -O JSON --detach=JSON Parse JWE from JSON -O FILE --detach=FILE Read JWE from FILE -O - --detach=- Read JWE from standard input -c --compact Output JWE using compact serialization Failed to import token from file. Error saving metadata to LUKS2 header in device /dev/nvme0n1p3 Unable to update metadata; operation cancelled Unable to regenerate binding in /dev/nvme0n1p3:1 ----- It's a fresh install on AMD hardware, 'regen' needed for PCRs changed after PCI HW changes. Version-Release number of selected component (if applicable): clevis-luks-18-5.el9.x86_64 tpm2-tools-5.0-10.el9.x86_64 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
(In reply to lejeczek from comment #0) > ERROR: Unable to run tpm2_load > ERROR: Unable to run tpm2_create These items are part of the `tpm2-tools` package; I've recategorized this BZ appropriately.
Does this problem still persist? I tried to reproduce it on a VM, but was unable to. [root@localhost ~]# clevis luks list -d file 1: tpm2 '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}' [root@localhost ~]# clevis luks regen -d file -s 1 Regenerating binding (device file, slot 1): Pin: tpm2, Config: '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}' Do you want to proceed? [ynYN] y Warning: Value 512 is outside of the allowed entropy range, adjusting it. Binding regenerated successfully [root@localhost ~]# tpm2_pcrextend 0:sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 [root@localhost ~]# clevis luks regen -d file -s 1 Regenerating binding (device file, slot 1): Pin: tpm2, Config: '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}' Do you want to proceed? [ynYN] y WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x0000099d) ERROR: Esys_Unseal(0x99D) - tpm:session(1):a policy check failed ERROR: Unable to run tpm2_unseal Unsealing jwk from TPM failed! Enter existing LUKS password: Warning: Value 512 is outside of the allowed entropy range, adjusting it. Binding regenerated successfully [root@localhost ~]# tpm2_clear [root@localhost ~]# clevis luks regen -d file -s 1 Regenerating binding (device file, slot 1): Pin: tpm2, Config: '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}' Do you want to proceed? [ynYN] y WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df) ERROR: Eys_Load(0x1DF) - tpm:parameter(1):integrity check failed ERROR: Unable to run tpm2_load Loading jwk to TPM2 failed! Enter existing LUKS password: Warning: Value 512 is outside of the allowed entropy range, adjusting it. Binding regenerated successfully Changed the PCR and also cleared the TPM, but in both cases the regeneration was successful.
"authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode" It looks like the TPM on that system is locked out.
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.