Bug 2035643
| Summary: | ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x00000921) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | lejeczek <peljasz> |
| Component: | tpm2-tools | Assignee: | Štěpán Horáček <shoracek> |
| Status: | CLOSED WONTFIX | QA Contact: | Vilém Maršík <vmarsik> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | CentOS Stream | CC: | bhu, bstinson, jsnitsel, jwboyer, miabbott, scorreia |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-06-26 07:28:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
(In reply to lejeczek from comment #0) > ERROR: Unable to run tpm2_load > ERROR: Unable to run tpm2_create These items are part of the `tpm2-tools` package; I've recategorized this BZ appropriately. Does this problem still persist?
I tried to reproduce it on a VM, but was unable to.
[root@localhost ~]# clevis luks list -d file
1: tpm2 '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}'
[root@localhost ~]# clevis luks regen -d file -s 1
Regenerating binding (device file, slot 1):
Pin: tpm2, Config: '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}'
Do you want to proceed? [ynYN] y
Warning: Value 512 is outside of the allowed entropy range, adjusting it.
Binding regenerated successfully
[root@localhost ~]# tpm2_pcrextend 0:sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[root@localhost ~]# clevis luks regen -d file -s 1
Regenerating binding (device file, slot 1):
Pin: tpm2, Config: '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}'
Do you want to proceed? [ynYN] y
WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x0000099d)
ERROR: Esys_Unseal(0x99D) - tpm:session(1):a policy check failed
ERROR: Unable to run tpm2_unseal
Unsealing jwk from TPM failed!
Enter existing LUKS password:
Warning: Value 512 is outside of the allowed entropy range, adjusting it.
Binding regenerated successfully
[root@localhost ~]# tpm2_clear
[root@localhost ~]# clevis luks regen -d file -s 1
Regenerating binding (device file, slot 1):
Pin: tpm2, Config: '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}'
Do you want to proceed? [ynYN] y
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df)
ERROR: Eys_Load(0x1DF) - tpm:parameter(1):integrity check failed
ERROR: Unable to run tpm2_load
Loading jwk to TPM2 failed!
Enter existing LUKS password:
Warning: Value 512 is outside of the allowed entropy range, adjusting it.
Binding regenerated successfully
Changed the PCR and also cleared the TPM, but in both cases the regeneration was successful.
"authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode" It looks like the TPM on that system is locked out. After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |
Description of problem: Hi. I have a luks device already clevis-pined and when I try to 'regen': -> clevis luks list -d /dev/nvme0n1p3 1: tpm2 '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}' [root@dzien ~]# clevis luks regen -d /dev/nvme0n1p3 -s 1 Regenerating binding (device /dev/nvme0n1p3, slot 1): Pin: tpm2, Config: '{"hash":"sha256","key":"rsa","pcr_bank":"sha256","pcr_ids":"0,1"}' Do you want to proceed? [ynYN] y WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x00000921) ERROR: Eys_Load(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode ERROR: Unable to run tpm2_load Loading jwk to TPM2 failed! Enter existing LUKS password: Warning: Value 512 is outside of the allowed entropy range, adjusting it. WARNING:esys:src/tss2-esys/api/Esys_Create.c:375:Esys_Create_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_Create.c:120:Esys_Create() Esys Finish ErrorCode (0x00000921) ERROR: Esys_Create(0x921) - tpm:warn(2.0): authorizations for objects subject to DA protection are not allowed at this time because the TPM is in DA lockout mode ERROR: Unable to run tpm2_create Creating TPM2 object for jwk failed! Invalid input! Usage: jose jwe fmt -i JWE [-I CT] [-o JWE] [-O CT] [-c] Converts a JWE between serialization formats -i JSON --input=JSON Parse JWE from JSON -i FILE --input=FILE Read JWE from FILE -i - --input=- Read JWE from standard input -I FILE --detached=FILE Read decoded ciphertext from FILE -I - --detached=- Read decoded ciphertext from standard input -o JSON --output=JSON Parse JWE from JSON -o FILE --output=FILE Read JWE from FILE -o - --output=- Read JWE from standard input Default: "-" -O JSON --detach=JSON Parse JWE from JSON -O FILE --detach=FILE Read JWE from FILE -O - --detach=- Read JWE from standard input -c --compact Output JWE using compact serialization Failed to import token from file. Error saving metadata to LUKS2 header in device /dev/nvme0n1p3 Unable to update metadata; operation cancelled Unable to regenerate binding in /dev/nvme0n1p3:1 ----- It's a fresh install on AMD hardware, 'regen' needed for PCRs changed after PCI HW changes. Version-Release number of selected component (if applicable): clevis-luks-18-5.el9.x86_64 tpm2-tools-5.0-10.el9.x86_64 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: