clevis luks bind with tpm2 fails on Ubuntu 20.04-LTS

Open jayeye opened this issue 4 years ago • 2 comments

Clean install of Ubuntu 20.04 Server on a NUC10i7FNK.

I have already cleared the TPM (power-off, remove security jumper, power-on, clear TPM, power-off, replace security jumper, power-on).

# clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha1","pcr_ids":"0,1"}'
ERROR: pcr-input-file filesize does not match pcr set-list
ERROR: Could not build pcr policy
ERROR: Unable to run tpm2_createpolicy

What additional information can I provide?

jayeye avatar Sep 25 '20 02:09 jayeye

> What additional information can I provide?

What's the output of tpm2_pcrread?

sergio-correia avatar Sep 25 '20 11:09 sergio-correia

# tpm2_pcrread
sha1:
sha256:
  0 : 0x983E611CDFB0B8F390A44087703B867AE17D02DAB23669A48E203FB4C78737E9
  1 : 0x6BE7A948F2811FAB24BA546673F5118356DD48ABB6A93BC9EDEBDB4B5D772479
  2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
  3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
  4 : 0x551961EEFA1E48EAE836843173595911E97AC88D2385DD53A6B32DB68F790C5D
  5 : 0x055C89BB3CDD1A73C17FF0744D38B79146EB465FB444A08EDB6F3A2AF84B25EB
  6 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969
  7 : 0x2D18C27268194A396B0528D726C3C7B08C346D217F3AF3D7609C4646492279E3
  8 : 0x590477A3E71A57591CB2E1EC7505E666693C835E4090DA6CDD6049721E3A7800
  9 : 0x7F6E31508A019FED751D73F3A64F7A22151037DF9D79093E73C6DD86BC9A7FDA
  10: 0xB31780D2E2CACDA3CD3FF466BF801035B357479623A2A9B16FFB2421C76328C7
  11: 0x0000000000000000000000000000000000000000000000000000000000000000
  12: 0x0000000000000000000000000000000000000000000000000000000000000000
  13: 0x0000000000000000000000000000000000000000000000000000000000000000
  14: 0x0C2D4C5684DD6E02E14DB2A9E30DF2F1399B38ADE06760ADD3E33913EDE4814E
  15: 0x0000000000000000000000000000000000000000000000000000000000000000
  16: 0x0000000000000000000000000000000000000000000000000000000000000000
  17: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  18: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  19: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  20: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  21: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  22: 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  23: 0x0000000000000000000000000000000000000000000000000000000000000000

Aha! I see what happened. My TPM is measuring using sha256. This worked:

# clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1"}'
Enter existing LUKS password:
# 

jayeye avatar Sep 25 '20 18:09 jayeye
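The thread resolves to one point: the pcr_bank in the clevis tpm2 config has to name a bank that actually holds the PCRs listed in pcr_ids. In the output above the sha1 bank is listed but carries no PCR values, so asking for sha1:0,1 gives clevis nothing to build a policy from. The script below is an added example, not code from the clevis project or from anyone in this thread: it parses tpm2_pcrread output, checks that the requested PCR indices are present in the requested bank, picks a populated bank if the caller did not specify one, and only then calls clevis luks bind. The function names (pcr_bank_has_ids, first_bank_with_ids, bind_checked) are my own, and SAMPLE_PCRREAD is a constructed excerpt shaped like the output posted above so the parsing runs offline without a TPM.

```shell
#!/bin/sh
# Added example: guard "clevis luks bind ... tpm2" against an empty PCR bank.
# Not part of clevis; helper names below are hypothetical.

# Constructed sample in the shape of tpm2_pcrread output: the sha1 bank is
# present but holds no PCRs, sha256 holds values (subset of the thread's list).
SAMPLE_PCRREAD='sha1:
sha256:
  0 : 0x983E611CDFB0B8F390A44087703B867AE17D02DAB23669A48E203FB4C78737E9
  1 : 0x6BE7A948F2811FAB24BA546673F5118356DD48ABB6A93BC9EDEBDB4B5D772479
  7 : 0x2D18C27268194A396B0528D726C3C7B08C346D217F3AF3D7609C4646492279E3
  10: 0xB31780D2E2CACDA3CD3FF466BF801035B357479623A2A9B16FFB2421C76328C7'

# pcr_bank_has_ids OUTPUT BANK IDS
# Succeeds only if every index in IDS (comma separated) appears under BANK
# in the given tpm2_pcrread OUTPUT.
pcr_bank_has_ids() {
    out=$1; bank=$2; ids=$3
    # Bank headers start in column 0 ("sha256:"); PCR rows are indented.
    # Keep only the rows between our header and the next header.
    section=$(printf '%s\n' "$out" | awk -v b="$bank:" '
        /^[^ \t]/ { sub(/[ \t]+$/, ""); inb = ($0 == b); next }
        inb { print }')
    for id in $(printf '%s' "$ids" | tr ',' ' '); do
        # Match "  1 : 0x..." but not "  10: 0x..." when looking for 1.
        printf '%s\n' "$section" | grep -Eq "^[[:space:]]*$id[[:space:]]*:" || return 1
    done
    return 0
}

# first_bank_with_ids OUTPUT IDS
# Prints the first bank holding all IDS; prefers SHA-2 banks over sha1.
first_bank_with_ids() {
    out=$1; ids=$2
    for bank in sha256 sha384 sha512 sha1; do
        if pcr_bank_has_ids "$out" "$bank" "$ids"; then
            printf '%s\n' "$bank"
            return 0
        fi
    done
    return 1
}

# bind_checked DEV IDS [BANK]
# Reads the live TPM, verifies (or chooses) the bank, then binds. Needs root,
# tpm2-tools and clevis; never called at load time so the file parses offline.
bind_checked() {
    dev=$1; ids=$2; bank=${3:-}
    live=$(tpm2_pcrread) || { echo "tpm2_pcrread failed" >&2; return 1; }
    if [ -z "$bank" ]; then
        bank=$(first_bank_with_ids "$live" "$ids") || {
            echo "no PCR bank on this TPM holds PCRs $ids" >&2; return 1; }
    elif ! pcr_bank_has_ids "$live" "$bank" "$ids"; then
        echo "bank $bank does not hold PCRs $ids; see tpm2_pcrread" >&2
        return 1
    fi
    cfg=$(printf '{"pcr_bank":"%s","pcr_ids":"%s"}' "$bank" "$ids")
    echo "binding $dev with tpm2 pin config $cfg" >&2
    clevis luks bind -d "$dev" tpm2 "$cfg"
}
```

Usage on a real system would be `bind_checked /dev/nvme0n1p3 0,1` (bank auto-selected) or `bind_checked /dev/nvme0n1p3 0,1 sha256`. The same information is also available from `tpm2_getcap pcrs`, which lists the allocated banks directly. Two practitioner caveats that follow from the thread: a TPM can advertise a bank while allocating zero PCRs to it, so always read the bank you intend to seal against rather than assuming sha1 exists; and a policy bound only to PCRs 0 and 1 (firmware code and configuration) is satisfied by any OS booted on that firmware, so it does not by itself tie the LUKS key to your kernel or boot chain.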