FS#79277 - [systemd] systemd-cryptenroll fails when enrolling TPM2

Attached to Project: Arch Linux
Opened by nl6720 (nl6720) - Wednesday, 02 August 2023, 10:29 GMT
Last edited by Toolybird (Toolybird) - Friday, 11 August 2023, 07:52 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:
With systemd 254, systemd-cryptenroll fails to enroll TPM2 and its PCRs.

E.g.:
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=5+7+12 /dev/disk/by-partlabel/Arch\\x20Linux

🔐 Please enter current passphrase for disk /dev/disk/by-partlabel/Arch\x20Linux:
WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:391:Esys_StartAuthSession_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x000002c4)
Failed to open session in TPM: tpm:parameter(2):value is out of range or is not correct for the context

No matter what values are passed to --tpm2-pcrs= or even if it's omitted, systemd-cryptenroll fails with this error.

If I downgrade systemd and systemd-libs to 253.7, then the command succeeds without any issue.


Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any
systemd 254-1
systemd-libs 254-1
tpm2-tss 4.0.1-1


Steps to reproduce:
# systemd-cryptenroll --tpm2-device=auto /dev/insert_luks_device_here
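Because this bug surfaces as a failed enrollment, a useful defensive habit is to verify, after `systemd-cryptenroll` returns, what the LUKS2 header actually recorded: which keyslot the `systemd-tpm2` token is attached to, which PCRs it is bound to and in which bank. The following Python script is an added example, not part of this report or of systemd; it reads the JSON that `cryptsetup luksDump --dump-json-metadata <device>` prints and compares each `systemd-tpm2` token against the `--tpm2-pcrs=` value you passed (e.g. `5+7+12` from the description). The token field names (`tpm2-pcrs`, `tpm2-pcr-bank`, `keyslots`) follow systemd's token layout; the default of PCR 7 when `--tpm2-pcrs=` is omitted is systemd-cryptenroll's documented default; the sample metadata embedded below is constructed, not captured from a real disk.

```python
"""Verify that a LUKS2 systemd-tpm2 token binds the PCRs you intended.

Added example (not from the bug report or from systemd). Input is the JSON
printed by `cryptsetup luksDump --dump-json-metadata <device>`.
"""
import json
import sys

DEFAULT_PCRS = {7}  # systemd-cryptenroll binds PCR 7 when --tpm2-pcrs= is omitted


def parse_pcr_spec(spec):
    """Turn a --tpm2-pcrs= value such as '5+7+12' into a set of PCR indices.

    None means the option was omitted (default set); an empty string means
    the caller asked for no PCR binding at all.
    """
    if spec is None:
        return set(DEFAULT_PCRS)
    if spec == "":
        return set()
    pcrs = set()
    for part in spec.split("+"):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"bad PCR index: {part!r}")
        idx = int(part)
        if not 0 <= idx <= 23:
            raise ValueError(f"PCR index out of range 0..23: {idx}")
        pcrs.add(idx)
    return pcrs


def tpm2_tokens(luks_json):
    """Yield (token_id, pcr_set, bank, keyslots) for every systemd-tpm2 token."""
    meta = json.loads(luks_json) if isinstance(luks_json, str) else luks_json
    for token_id, tok in meta.get("tokens", {}).items():
        if tok.get("type") != "systemd-tpm2":
            continue
        yield (
            token_id,
            {int(p) for p in tok.get("tpm2-pcrs", [])},
            tok.get("tpm2-pcr-bank", "sha256"),
            [str(k) for k in tok.get("keyslots", [])],
        )


def check_enrollment(luks_json, pcr_spec=None, want_bank="sha256"):
    """Return a list of findings; an empty list means the header matches the policy."""
    wanted = parse_pcr_spec(pcr_spec)
    tokens = list(tpm2_tokens(luks_json))
    if not tokens:
        return ["no systemd-tpm2 token present: enrollment did not happen"]
    findings = []
    for token_id, pcrs, bank, keyslots in tokens:
        if not keyslots:
            findings.append(f"token {token_id}: not attached to any keyslot")
        if pcrs != wanted:
            findings.append(
                f"token {token_id}: bound to PCRs {sorted(pcrs)}, expected {sorted(wanted)}"
            )
        if bank != want_bank:
            findings.append(f"token {token_id}: PCR bank {bank}, expected {want_bank}")
    return findings


# Constructed sample in the shape of `cryptsetup luksDump --dump-json-metadata`
# output; only the parts this check reads are filled in, blobs are placeholders.
SAMPLE_METADATA = json.dumps({
    "keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
    "tokens": {
        "0": {
            "type": "systemd-tpm2",
            "keyslots": ["1"],
            "tpm2-pcrs": [7],
            "tpm2-pcr-bank": "sha256",
            "tpm2-primary-alg": "ecc",
            "tpm2-blob": "<base64 placeholder>",
            "tpm2-policy-hash": "<hex placeholder>",
            "tpm2-pin": False,
        }
    },
})

if __name__ == "__main__":
    # Usage: cryptsetup luksDump --dump-json-metadata /dev/X | python3 check.py 5+7+12
    spec = sys.argv[1] if len(sys.argv) > 1 else None
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_METADATA
    for line in check_enrollment(source, spec) or ["enrollment matches policy"]:
        print(line)
```

Run against the embedded sample with `5+7+12` it reports that the token is bound to PCR 7 only; against a real header it will also catch a token that exists but is not attached to any keyslot, which is what you would expect to see if enrollment aborted halfway through.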

Closed by Toolybird (Toolybird)
Friday, 11 August 2023, 07:52 GMT
Reason for closing: Not a bug
Additional comments about closing: "Fixed by clearing the TPM.
¯\_(ツ)_/¯"
Comment by Josef Schabasser (Mr_nUUb) - Wednesday, 02 August 2023, 16:40 GMT
Hi! I suffer the same issue. Unlocking the volume on boot using a systemd-based initrd fails, too.
Downgrading systemd, systemd-libs and systemd-sysvcompat to version 253.7-1 (found locally in /var/cache/pacman/pkg) helped.

This is the command I used to downgrade:
```
sudo pacman -U /var/cache/pacman/pkg/systemd*-253.7-1-x86_64.pkg.tar.zst
```

However, enrolling fails with a different error on my end:
```
ERROR:esys:src/tss2-esys/api/Esys_Create.c:134:Esys_Create() Esys Finish ErrorCode (0x00000184)
```

I don't have the warning before the error at hand, because I already downgraded and copied the error message from my search history.

EDIT: here are my initrd hooks: `base systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck`
Comment by nl6720 (nl6720) - Wednesday, 02 August 2023, 16:57 GMT
Unlocking in early userspace works for me. It's only enrolling that fails.
Comment by Josef Schabasser (Mr_nUUb) - Wednesday, 02 August 2023, 17:02 GMT
Unlocking using sd-encrypt works fine using the recovery code, but sd-encrypt with tpm2 is completely broken on my end.
Comment by Toolybird (Toolybird) - Wednesday, 02 August 2023, 22:32 GMT
Release notes mention some new TPM2 stuff...could easily be a regression. Hard to see this being a packaging issue. Bisected? Reported upstream?
Comment by nl6720 (nl6720) - Thursday, 03 August 2023, 07:20 GMT
Comment by Toolybird (Toolybird) - Wednesday, 09 August 2023, 21:09 GMT
Upstream consensus appears to be "firmware bug". Therefore not much Arch can do here. But maybe a note could be added to the ArchWiki [1]? @nl6720, you are clearly well on top of the subject matter here, so hopefully you can take care of this?

[1] https://wiki.archlinux.org/title/Trusted_Platform_Module
