
When running "clevis luks bind" encountering "Failed tpm session start auth with params"

Open darcyrailip opened this issue 4 years ago • 3 comments

Running into this issue lately when trying to bind:

# clevis luks bind -d /dev/sde3 tpm2 '{"pcr_ids":"7"}'
ERROR: Failed tpm session start auth with params
ERROR: Error starting the policy session.

My installation script typically runs this:

# --------------------------------------------------------------------------------------------------
# Setup HDD Encryption
# --------------------------------------------------------------------------------------------------
echo "Adding HDD TPM2 Encryption"
yum install -y clevis clevis-luks clevis-dracut
# Entries from previous installs can remain and cause problems:
echo "Removing existing keys"
luksmeta nuke -f -d /dev/sde3
# Move decryption to the TPM:
echo "Binding new key to tpm2"
clevis luks bind -f -k - -d /dev/sde3 tpm2 '{"pcr_ids":"7"}' <<< temppass
echo -n temppass | cryptsetup luksRemoveKey /dev/sde3 -
dracut -f

But it does not seem to be setting the pass any longer, as during boot, when dracut tries to unlock the device, I encounter this message over and over:

Unsealing jwk from TPM failed!

Similar to now, if I run:

# clevis luks unlock -d /dev/sde3
Unsealing jwk from TPM failed!

Any ideas on what may have changed in the clevis / luks packages? Or is there something wrong with my tpm2 chip?

darcyrailip, Mar 31 '21 14:03

Hello:

  1. Which version of clevis are you using?
  2. Are you using RHEL? Fedora? CentOS?
  3. Can you please post output of "dmesg | grep -i tpm"?
  4. Can you please post output of command "rpm -qa | grep clevis-pin-tpm2"?
  5. Can you share output of command "clevis luks list -d /dev/sde3" after "clevis luks bind"?
  6. Can you please provide output of tpm2_pcrread to check output?

sarroutbi, Jun 07 '21 10:06

Hi @sarroutbi,

  1. Clevis versions:
# rpm -qa | grep clevis
clevis-7-8.el7.x86_64
clevis-luks-7-8.el7.x86_64
clevis-dracut-7-8.el7.x86_64
clevis-systemd-7-8.el7.x86_64
  2. CentOS 7

  3. # dmesg | grep -i tpm output:

[    0.000000] ACPI: TPM2 000000007a55def8 00034 (v04 ALASKA   A M I  00000001 AMI  00000000)
[    0.651087] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
[    0.656698] tpm tpm0: [Firmware Bug]: TPM interrupt not working, polling instead
[   54.705378] tpm tpm0: tpm_try_transmit: tpm_send: error -5
[   57.946087] tpm tpm0: tpm_try_transmit: tpm_send: error -5
[   61.181483] tpm tpm0: tpm_try_transmit: tpm_send: error -5
[   64.399404] tpm tpm0: tpm_try_transmit: tpm_send: error -5
[   67.631979] tpm tpm0: tpm_try_transmit: tpm_send: error -5

  4. rpm -qa | grep clevis-pin-tpm2 results in no output.

  5. clevis luks list -d /dev/sde3 does not appear to be a valid command:

# clevis luks list -d /dev/sde3

Usage: clevis COMMAND [OPTIONS]

  clevis decrypt      Decrypts using the policy defined at encryption time
  clevis encrypt http Encrypts using a REST HTTP escrow server policy
  clevis encrypt sss  Encrypts using a Shamir's Secret Sharing policy
  clevis encrypt tang Encrypts using a Tang binding server policy
  clevis encrypt tpm2 Encrypts using a TPM2.0 chip binding policy
  clevis luks bind    Binds a LUKSv1 device using the specified policy
  clevis luks unlock  Unlocks a LUKSv1 volume

clevis luks bind does not succeed without more options:

clevis luks bind
Did not specify a device!

  6. tpm2_pcrread does not exist as a command.

darcyrailip, Jun 18 '21 14:06
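As an added example for this thread (it is not code from the clevis project, nor the issue author's script), here is a defensive version of the install sequence from the first post, combined with a check on the dmesg lines posted in the reply above. It refuses to bind while the kernel reports `tpm_send: error -5` (that is -EIO: the kernel cannot talk to the chip, so no unseal can succeed whatever clevis does), and it removes the fallback passphrase only after proving that the stored JWE unseals through the TPM and that the unsealed key opens the LUKS header. Assumptions: a LUKS1 device, clevis 7 with the luksmeta CLI as shipped on CentOS 7, a cryptsetup that supports `open --test-passphrase`, and root privileges; the device path, PCR list and passphrase are placeholders passed on the command line, and the dmesg sample inside the script is constructed, modelled on the lines in the thread.

```shell
#!/bin/sh
# Added example, not code from the clevis project or from the issue author.
# Assumes: LUKS1 device, clevis 7 + luksmeta (CentOS 7 layout), cryptsetup
# with "open --test-passphrase", root.  DEV/PCRS/PASS come from the caller.

# Classify TPM kernel messages read from stdin (e.g. `dmesg | grep -i tpm`).
# Prints NO_TPM, "TPM_IO_ERROR <n>" or TPM_OK.  "tpm_send: error -5" is -EIO:
# the kernel cannot talk to the chip, so any unseal fails regardless of what
# clevis does.  "TPM interrupt not working, polling instead" is benign.
triage_tpm_dmesg() {
    seen=0; eio=0
    while IFS= read -r line; do
        case "$line" in
            *"tpm_send: error -5"*) eio=$((eio + 1)) ;;
        esac
        case "$line" in
            *tpm*|*TPM*) seen=1 ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo NO_TPM
    elif [ "$eio" -gt 0 ]; then
        echo "TPM_IO_ERROR $eio"
    else
        echo TPM_OK
    fi
}

# Bind DEV to the TPM with the given PCR list, then remove the fallback
# passphrase PASS only after the stored JWE provably unseals and opens DEV.
# The script in the issue removes the passphrase unconditionally, so a
# binding that later fails to unseal leaves no usable key at boot.
bind_tpm2_verified() {
    dev=$1; pcrs=$2; pass=$3
    verdict=$(dmesg | grep -i tpm | triage_tpm_dmesg)
    if [ "$verdict" != TPM_OK ]; then
        echo "refusing to bind: TPM state is $verdict (check dmesg)" >&2
        return 1
    fi
    luksmeta nuke -f -d "$dev"
    printf '%s' "$pass" | clevis luks bind -f -k - -d "$dev" tpm2 "{\"pcr_ids\":\"$pcrs\"}"

    # clevis stored a JWE in some luksmeta slot; find it, unseal it through the
    # TPM and test the recovered key against the LUKS header without mapping.
    verified=0
    for slot in 0 1 2 3 4 5 6 7; do
        if luksmeta load -d "$dev" -s "$slot" 2>/dev/null \
             | clevis decrypt 2>/dev/null \
             | cryptsetup open --test-passphrase --key-file - "$dev" 2>/dev/null; then
            verified=1; break
        fi
    done
    if [ "$verified" -ne 1 ]; then
        echo "binding did not verify; keeping the passphrase in place" >&2
        return 1
    fi
    printf '%s' "$pass" | cryptsetup luksRemoveKey "$dev" -
    dracut -f
}

# Constructed sample, modelled on the dmesg lines posted in the thread.
SAMPLE_DMESG='[    0.651087] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
[    0.656698] tpm tpm0: [Firmware Bug]: TPM interrupt not working, polling instead
[   54.705378] tpm tpm0: tpm_try_transmit: tpm_send: error -5
[   57.946087] tpm tpm0: tpm_try_transmit: tpm_send: error -5'

# Runs the triage over the constructed sample; prints "TPM_IO_ERROR 2".
demo_triage() { printf '%s\n' "$SAMPLE_DMESG" | triage_tpm_dmesg; }

case "${1:-}" in
    bind) bind_tpm2_verified "$2" "${3:-7}" "$4" ;;   # sh this.sh bind /dev/sdXN 7 'temppass'
    *)    demo_triage ;;                                # no arguments: run the triage demo only
esac
```

Run without arguments it only classifies the embedded sample; `bind` performs the real sequence. The verification step mirrors what `clevis luks unlock` does internally on LUKS1 (load the JWE from luksmeta, `clevis decrypt`, hand the key to cryptsetup), so a failure there is the same "Unsealing jwk from TPM failed!" condition the thread hits, caught before the only other key is deleted.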

Is it possible to check this issue with a newer version of clevis? I sincerely doubt this is working properly in such an old version.

sarroutbi, Jun 29 '21 14:06