
Debian 11 - no autoboot after kernel upgrade

Open eglyn opened this issue 2 years ago • 4 comments

Hi all,

Clevis works fine on my Debian 11 with kernel 5.10 and TPM2. I just installed clevis, clevis-tpm2, clevis-luks and clevis-initramfs and launched this command: clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"10,11"}' and everything was fine.

But I had to upgrade the kernel for a driver issue (--> kernel 6.1), and now unlock does not work anymore :/

I tried to follow the whole procedure again, but it did not work :(

Any idea?

eglyn avatar May 22 '23 11:05 eglyn

Try to re-key the slot. PCR 11 extends the kernel image.

savchenko avatar May 22 '23 15:05 savchenko

I tried this:

clevis luks unbind -d /dev/nvme0n1p3 -s 1 tpm2
clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha256", "pcr_ids":"0,1,2,3,4,5,6,7"}'

But it does not work :'(

The command clevis luks list -d /dev/nvme0n1p3 tpm2 says:

1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,1,2,3,4,5,6,7"}'

Everything seems ok, but autoboot does not work :'(

eglyn avatar May 23 '23 06:05 eglyn

  1. Make sure you are binding to a meaningful set of PCRs; check sudo tpm2_pcrread before and after reboot.
  2. Do a test bind: sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_bank":"sha1","pcr_ids":"0"}'
  3. Confirm there is a 2nd LUKS keyslot: sudo cryptsetup luksDump /dev/nvme0n1p3
  4. Reboot, regenerate the binding: sudo clevis luks regen -d /dev/nvme0n1p3 -s 1
  5. Test that Clevis can unlock the disk: sudo clevis luks pass -d /dev/nvme0n1p3 -s 1
  6. Reboot again and see if LUKS is unlocked automatically.

savchenko avatar May 23 '23 15:05 savchenko
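A check for step 1 of the list above, as an added example that is not code from the Clevis project or from either commenter: it parses two tpm2_pcrread snapshots (before and after a reboot) and reports which PCRs named in a Clevis tpm2 binding's pcr_ids changed, which is exactly when the sealed key stops unsealing until clevis luks regen is run. The snapshot values are constructed and shortened; the assumed output format is a "bank:" header followed by "index : 0xhex" lines, as tpm2_pcrread prints.

```python
"""Diff two tpm2_pcrread snapshots and find which PCRs in a Clevis tpm2
binding changed. Added example, not part of the Clevis project."""
import re
from typing import Dict, List

# tpm2_pcrread prints a bank header ("sha256:") followed by "<n> : 0x<hex>" lines.
_BANK_RE = re.compile(r"^\s*(\w+):\s*$")
_PCR_RE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def parse_pcrread(text: str) -> Dict[str, Dict[int, str]]:
    """Return {bank: {pcr_index: hex_value}} parsed from tpm2_pcrread output."""
    banks: Dict[str, Dict[int, str]] = {}
    current = None
    for line in text.splitlines():
        m = _BANK_RE.match(line)
        if m:
            current = banks.setdefault(m.group(1), {})
            continue
        m = _PCR_RE.match(line)
        if m and current is not None:
            current[int(m.group(1))] = m.group(2).lower()
    return banks


def changed_pcrs(before: str, after: str, bank: str) -> List[int]:
    """PCR indexes in `bank` whose value differs between the two snapshots."""
    b, a = parse_pcrread(before), parse_pcrread(after)
    if bank not in b or bank not in a:
        raise ValueError(f"PCR bank {bank!r} not present in both snapshots")
    return sorted(i for i in b[bank] if a[bank].get(i) != b[bank][i])


def binding_breaks(before: str, after: str, bank: str, pcr_ids: str) -> List[int]:
    """Bound PCRs (Clevis pcr_ids string such as "10,11") that changed.
    Any hit means the TPM2 unseal fails until the slot is regenerated."""
    bound = {int(x) for x in pcr_ids.split(",") if x.strip()}
    return [i for i in changed_pcrs(before, after, bank) if i in bound]


def _snapshot(**override: str) -> str:
    """Constructed sha256 snapshot (shortened digests); p11="0x.." overrides PCR 11."""
    vals = {i: f"0xAAAA{i:04X}" for i in (0, 1, 2, 3, 4, 5, 6, 7, 10, 11)}
    vals.update({int(k[1:]): v for k, v in override.items()})
    return "sha256:\n" + "".join(f"  {i:<2}: {v}\n" for i, v in vals.items())


BEFORE_REBOOT = _snapshot()                         # constructed sample
AFTER_KERNEL_UPGRADE = _snapshot(p11="0xBBBB0011")  # PCR 11 extended by new kernel

if __name__ == "__main__":
    print("broken for pcr_ids 10,11:", binding_breaks(BEFORE_REBOOT, AFTER_KERNEL_UPGRADE, "sha256", "10,11"))
```

On a real host, capture tpm2_pcrread into two files around the reboot and feed their contents to binding_breaks with the pcr_bank and pcr_ids shown by clevis luks list.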

I tried:

  1. OK, but for my laptop I have only sha256, no sha1.
  2. I changed sha1 --> sha256: OK.
  3. There is a second keyslot for clevis.
  4. After the reboot, auto unlock worked... but I have to wait about 10s before the key autocompletion...

The main difference I see with the old kernel is that I have some firmware warnings and firmware errors (not corrected by Intel for now, i915) before the prompt asking for the key. Maybe I have a temporisation issue?

eglyn avatar May 24 '23 07:05 eglyn