New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TPM not found on some hardware with kernel 6.4.11 #1555
Comments
First off I would like to say thank you for running We have tests that do test luks encryption, but we rely heavily on Virtual Machines for those tests. I'm wondering if this is somehow specific to particular hardware (or even just VM versus real hardware specific). Since I can't reproduce with our existing test suite could you help us try to figure out exactly which transition caused the regression? We have a
|
The datasheet for that system appears to say that there is no TPM chip included... 🤔 If there is no actual TPM2 device, then I don't think LUKS via TPM2 should ever work. Might be worth confirming the presence (or absence) of a TPM chip on that system with: $ dmesg | grep tpm
[ 1.042976] tpm_tis IFX0785:00: 2.0 TPM (device-id 0x1B, rev-id 22) |
If that's true what's weird is that @hervst reports it is currently working and then stops (i.e. existing systems have it working and then it ceases to work on upgrade). |
Thank you for the quick responses and help. Some time ago I also read this specification and saw that TPM is not included according to this document. But when I looked into the BIOS I could disable the "Intel® Platform Trust Technology" (which I thought implements TPM2). Additionally we are using Fedora CoreOS with enabled LUKS -> TPM2 encryption for more than 1 year on these devices. Therefor I thought that this is just an issue in the specification. Executing
unfortunately returned no output, so it really seams, that a (physical) TPM2 chip is not included. Additionally I tested every build of the testing-devel stream since "38.20230806.20.0". The last working version is "38.20230814.20.0". After deploying version "38.20230814.20.1" it stopped working. |
Maybe the problem is related to this: https://bugzilla.redhat.com/show_bug.cgi?id=2232888? |
Yeah that is interesting.. I honestly don't know enough about the LUKs+TPM bound encryption to say if this should or should not have been working.
Good to know.
Thanks for doing that. This points pretty clearly at:
Must be some sort of kernel regression. Could you try latest Of course all of these recommendations here are for debugging. We're asking you to run development versions, which could cause instability on the systems. Try to run it on systems where backups of critical data have been made and it would be OK if they needed to be reprovisioned. |
Looks promising! |
According to this page "Intel® Platform Trust Technology" is like a poor man's version of TPM. The page is for Dell server's, but I imagine the same applies here:
|
@hervst - can you add your information to bz#2232888? |
I tried the latest "rawhide" version (40.20230828.91.0) but unfortunately the problem remains. For all my tests I used a separate and newly installed system, so data loss is not an issue. I will create an account and add some information including a reference to bz#2232888 tomorrow in the morning (in around 12 hours). Thank you again for your help. |
We discussed this in the community meeting today.
For people already affected by this and you need your |
Another BZ about the same issue: BZ#2235100 |
Proposed fix in |
@hervst can you test with the latest |
The latest version of the Thank you for your work and the kernel freeze on |
Awesome! Any chance you could add positive feedback to the Bodhi update in Fedora to help promote the package to stable in the main Fedora repositories?
We'll close out the issue when it reaches the
No problem. Having more engagement from people like you will help us stay stable for everyone. Running the |
Positive feedback is added.
Unfortunately joining the upcoming test week is not possible for me. But I will check if we can run and monitor an additional device using the |
The fix for this went into |
The fix for this went into |
This issue never affected our |
Describe the bug
We have several bare metal installations of Fedora CoreOS on Intel NUCs running. Some of them use the "testing" stream. Therefor they upgraded from 38.20230806.2.0 to 38.20230819.2.0 recently. After the upgrade they fail decrypting the LUKS encrypted volume on boot. The error message is:
clevis-luks-askpass[XXX]: A TPM2 device with the in-kernel resource manager is needed!
When rolling back from 38.20230819.2.0 to 38.20230806.2.0 the system boots again without these issues.
Trying to reinstall Fedora CoreOS 38.20230819.2.0 on one of our base metal devices with LUKS enabled also fails. The same Ignition file works fine with older Fedora CoreOS versions.
Reproduction steps
Expected behavior
System should decrypt boot volume on start-up without any issues.
Actual behavior
System fails to decrypt boot volume on start-up.
System details
Butane or Ignition config
Additional information
Log while booting with version 38.20230806.2.0: fcosBootBeforeUpdate.txt
Log while booting with version 38.20230819.2.0: fcosBootAfterUpdate.txt
Please be aware that I manually typed the display outputs in both log files so there might be small typos.
Log while trying to install Fedora CoreOS 38.20230819.2.0 testing stream with LUKS enabled: rdsosreport.txt
The text was updated successfully, but these errors were encountered: