Fedora 33 - NVMe Drive - clevis luks bind tpm2 issue #260

Closed
jchinyou opened this issue Nov 18, 2020 · 6 comments

jchinyou commented Nov 18, 2020

Hi All,

I've been trying to leverage Clevis to decrypt my laptop hard drive on boot using TPM2. However, when trying to bind clevis luks to my drive I get the following errors:

#sudo clevis luks bind -d /dev/nvme0n1p3 tpm2plus '{"pcr_ids":"7"}'
Warning: Value 512 is outside of the allowed entropy range, adjusting it.
Error during parsing operation: No command provided

Also tried with just tpm2:
#sudo clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_ids":"7"}'
Warning: Value 512 is outside of the allowed entropy range, adjusting it.
Error during parsing operation: No command provided

Perchance, is there a debug mode for Clevis?

@sergio-correia
Collaborator

Hmm. Please remove the clevis-pin-tpm2 package and try again. Let's see if it works that way.

@jchinyou
Author

> Hmm. Please remove the clevis-pin-tpm2 package and try again. Let's see if it works that way.

Thanks Sergio! - That worked!

Now to troubleshoot why my TPM2 doesn't unlock the drive but we've made progress! Thank you!

Guessing some odd conflict? Any ideas why removing the pin package may have worked?

@sergio-correia
Collaborator

> Hmm. Please remove the clevis-pin-tpm2 package and try again. Let's see if it works that way.
>
> Thanks Sergio! - That worked!
>
> Now to troubleshoot why my TPM2 doesn't unlock the drive but we've made progress! Thank you!

Have you rebuilt the initramfs?

> Guessing some odd conflict? Any ideas why removing the pin package may have worked?

I don't know yet, I will have to investigate this. clevis-pin-tpm2 should work. /cc @puiterwijk for insight.

@jchinyou
Author

> Have you rebuilt the initramfs?

I had! Got this fully working now, so the scope seems to be limited to the clevis-pin-tpm2 package.

My issue with it not auto-unlocking was that I wasn't waiting long enough and I had the wrong key active. So all good now! Thanks for all the help!

@puiterwijk
Contributor

Hi, this is a known bug that I fixed upstream: fedora-iot/clevis-pin-tpm2@06b2cd9.
I was unaware that this was all pushed to Fedora 33 stable, so I'll try to get a new build of the pin out to the fedora-33-updates repo soon.

sarroutbi reopened this Jun 8, 2021
@sarroutbi
Collaborator

@jchinyou: closing issue. This seems to be an issue in clevis-pin-tpm2 already addressed.
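
The two follow-up problems in this thread (a binding that does not unlock at boot, and the initramfs question) can be checked without rebooting. The script below is an added example, not part of the thread or of the clevis project: it lists which LUKS slots carry a tpm2 binding and with which PCRs, tests that the TPM unseals right now, and checks the initramfs for clevis. The helper names and the sample listing are constructed, and it assumes a clevis version that ships `clevis luks list` and `clevis luks pass`.

```bash
#!/bin/sh
# Added example: post-bind checks for a clevis tpm2 binding.
# tpm2_slots, sample_list and check_device are hypothetical helper names.

# Read `clevis luks list` output on stdin; print "<slot> <pcr_ids>" for each
# tpm2 binding ("none" means the key is sealed without any PCR policy).
tpm2_slots() {
    sed -n "s/^\([0-9][0-9]*\): tpm2 '\(.*\)'\$/\1 \2/p" |
    while read -r slot cfg; do
        pcrs=$(printf '%s\n' "$cfg" | sed -n 's/.*"pcr_ids":"\([^"]*\)".*/\1/p')
        printf '%s %s\n' "$slot" "${pcrs:-none}"
    done
}

# Constructed sample of `clevis luks list -d DEV` output (not from the thread).
sample_list() {
    cat <<'EOF'
1: tang '{"url":"http://tang.example"}'
2: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"7"}'
3: tpm2 '{"hash":"sha256","key":"ecc"}'
EOF
}

# Run as root: sh check.sh --check /dev/nvme0n1p3
check_device() {
    dev=$1
    clevis luks list -d "$dev" | tpm2_slots | while read -r slot pcrs; do
        echo "slot $slot: tpm2, pcr_ids=$pcrs"
        # Unseal with the current PCR values; the passphrase is discarded.
        if clevis luks pass -d "$dev" -s "$slot" </dev/null >/dev/null 2>&1; then
            echo "  TPM unseal OK"
        else
            echo "  TPM unseal FAILED (PCR values changed or TPM unavailable)"
        fi
    done
    # Boot-time unlock needs the clevis dracut module inside the initramfs.
    if lsinitrd 2>/dev/null | grep -q clevis; then
        echo "initramfs contains clevis"
    else
        echo "initramfs lacks clevis: rebuild it with 'dracut -f'"
    fi
}

if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    check_device "$2"
fi
```

A slot reported with `pcr_ids=none` unseals regardless of boot state, so it gives no measured-boot protection; a slot that unseals here but not at boot points at the initramfs rather than the binding.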
