Bug 931885 - app-crypt/tpm2-tss-4.1.1-r1 - Breaks TPM LUKS enrollment when using app-crypt/clevis (maybe others as well)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal major
Assignee: Christopher Byrne
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks: systemwide-clang 915000
Reported: 2024-05-13 19:49 UTC by Gonçalo Negrier Duarte
Modified: 2024-05-24 06:53 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (emerge-info.txt, 22.71 KB, text/plain) - 2024-05-13 20:26 UTC, Gonçalo Negrier Duarte
TCTI debug log under tpm2-tss-4.1.1 (tpm2-tss-unstable.out, 7.20 KB, text/plain) - 2024-05-14 01:24 UTC, Christopher Byrne
app-crypt/tpm2-tss-4.1.1-r1 using gcc (XKI2.log, 657.93 KB, text/x-log) - 2024-05-14 15:40 UTC, Gonçalo Negrier Duarte
app-crypt/tpm2-tss-4.1.1-r1 using gcc (tpm2-tss-build.log, 662.25 KB, text/x-log) - 2024-05-14 16:36 UTC, Gonçalo Negrier Duarte
TCTI: Separate namespaces for internal struct (tpm2-tss-4.1.1-TCTI-Separate-namespaces-for-internal-struct.patch, 11.34 KB, patch) - 2024-05-17 08:44 UTC, Christopher Byrne

Description Gonçalo Negrier Duarte 2024-05-13 19:49:01 UTC
The change introduced by bug 931513 (https://bugs.gentoo.org/931513) breaks tpm2 LUKS key enrollment when using app-crypt/clevis; it may also happen with other tools.

Below are the error logs:
```
ERROR:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: device
ERROR:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI
ERROR: Could not load tcti, got: "device:/dev/tpmrm0"
Unable to validate combination of PCR bank 'sha256' and PCR IDs '0,1,2,3,5,6,7'.
Unable to perform encryption with PIN 'tpm2' and config '{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,5,6,7"}'
```

Reproducible: Always

Steps to Reproduce:
1. Emerge app-crypt/tpm2-tss-4.1.1-r1
2. Try to enroll the key using this command: clevis luks bind -d $NVME_1_UUID tpm2 '{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,5,6,7"}'
3. Get the error above
Actual Results:
Get this error:
```
ERROR:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: device
ERROR:tcti:/var/tmp/portage/app-crypt/tpm2-tss-4.1.1-r1/work/tpm2-tss-4.1.1/src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI
ERROR: Could not load tcti, got: "device:/dev/tpmrm0"
Unable to validate combination of PCR bank 'sha256' and PCR IDs '0,1,2,3,5,6,7'.
Unable to perform encryption with PIN 'tpm2' and config '{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,5,6,7"}'
```

Expected Results:
Enroll the LUKS key in the TPM successfully

Since downgrading to app-crypt/tpm2-tss-4.0.2 fixes it, the problem is caused by disabling these two build flags (both are needed because it depends on how the TPM2 is wired on the motherboard):
```
		--disable-tcti-spi-ftdi
		--disable-tcti-i2c-ftdi
```
and the new automagic dependencies on dev-embedded/libftdi. I could try to make a PR to fix it.
Comment 1 Gonçalo Negrier Duarte 2024-05-13 19:50:04 UTC
(In reply to Gonçalo Negrier Duarte from comment #0)
> 
> Since downgrading to app-crypt/tpm2-tss-4.0.2 fixes it, the problem is caused
> by disabling these two build flags (both are needed because it depends on
> how the TPM2 is wired on the motherboard):
> ```
> 		--disable-tcti-spi-ftdi
> 		--disable-tcti-i2c-ftdi
> ```
> and the new automagic dependencies on dev-embedded/libftdi. I could try to
> make a PR to fix it.

Forgot to mention that it also happens on app-crypt/tpm2-tss-4.1.1 after testing again.
Comment 2 Christopher Byrne 2024-05-13 19:57:38 UTC
A couple of questions:

What platform are you running?
Does it work on 4.0.2?
Are you using tpm2-abrmd?
Is your user in the "tss" group?
Comment 3 Gonçalo Negrier Duarte 2024-05-13 20:24:38 UTC
(In reply to Christopher Byrne from comment #2)
> A couple of questions:
> 
> What platform are you running?

AMD64

> Does it work on 4.0.2?

Yes, it works with 4.0.2.

> Are you using tpm2-abrmd?

No, I don't have it installed on my system.

> Is your user in the "tss" group?

No, but after adding my user to tss and retesting with app-crypt/tpm2-tss-4.1.1 it also fails. Also, I run the clevis command as root, so the group would never be an issue.
Comment 4 Gonçalo Negrier Duarte 2024-05-13 20:26:44 UTC
Created attachment 892890 [details]
emerge --info
Comment 5 Christopher Byrne 2024-05-13 20:35:04 UTC
I have doubts the PR you referenced is the problem. FTDI support wasn't introduced until 4.1.0, so if you actually had the hardware, it would not work in 4.0.2. I think something else is going on. I'm going to run some tests in a VM with Clevis and see what happens.
Comment 6 Gonçalo Negrier Duarte 2024-05-13 20:38:42 UTC
(In reply to Christopher Byrne from comment #5)
> I have doubts the PR you referenced is the problem. FTDI support wasn't
> introduced until 4.1.0, so if you actually had the hardware, it would not
> work in 4.0.2. I think something else is going on. I'm going to run some
> tests in a VM with Clevis and see what happens.

Now that you say that, yes, it looks very strange that my hardware only broke after the 4.1.1 changes, since I used this setup many times before the 4.1.0 release.
Comment 7 Christopher Byrne 2024-05-14 01:24:50 UTC
Created attachment 892907 [details]
TCTI debug log under tpm2-tss-4.1.1

I can reproduce this. It only happens under clang/lld. The libtss2-tcti-device.so file is incorrect. The TCTI loader returns "file too short" on dlopen().

This isn't the first problem with clang and tpm2-tss, either: see bug 923411.
Comment 8 Gonçalo Negrier Duarte 2024-05-14 09:03:17 UTC
(In reply to Christopher Byrne from comment #7)
> Created attachment 892907 [details]
> TCTI debug log under tpm2-tss-4.1.1
> 
> I can reproduce this. It only happens under clang/lld. The
> libtss2-tcti-device.so file is incorrect. The TCTI loader returns "file too
> short" on dlopen().
> 
> This isn't the first problem with clang and tpm2-tss, either: see bug 923411.

Maybe the solution is to compile with gcc and wait for an upstream fix?
Comment 9 Sam James 2024-05-14 09:29:48 UTC
First, you should try GCC and tell us if that helps.
Comment 10 Gonçalo Negrier Duarte 2024-05-14 15:28:35 UTC
(In reply to Sam James from comment #9)
> First, you should try GCC and tell us if that helps.

I wasn't at the laptop at the time, that's why I asked the question :)

After trying I can confirm it doesn't work, even without LTO. gcc-full.conf:
```
COMMON_FLAGS="-march=native -O3 -pipe"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
LDFLAGS="-Wl,--as-needed"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"

CC="gcc"
CXX="g++"
CPP="gcc -E"
AR="ar"
NM="nm"
RANLIB="ranlib"
LD=ld.bfd
OBJCOPY="objcopy"
```

But the error is smaller this time:
```
tpm2_createprimary: symbol lookup error: tpm2_createprimary: undefined symbol: Tss2_TctiLdr_Finalize
Unable to perform encryption with PIN 'tpm2' and config '{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,5,6,7"}'
```

I'm gonna try to get the build log.
Comment 11 Gonçalo Negrier Duarte 2024-05-14 15:40:25 UTC
Created attachment 892923 [details]
app-crypt/tpm2-tss-4.1.1-r1 using gcc
Comment 12 Christopher Byrne 2024-05-14 15:54:30 UTC
According to the build.log, it still compiled with clang/lld.
Comment 13 Gonçalo Negrier Duarte 2024-05-14 16:36:43 UTC
Created attachment 892924 [details]
app-crypt/tpm2-tss-4.1.1-r1 using gcc

Now it's using gcc. I used the ebuild command; still confused why it didn't use gcc.
Comment 14 Christopher Byrne 2024-05-14 16:40:38 UTC
Do you get the result with Clevis, or does it work now?
Comment 15 Gonçalo Negrier Duarte 2024-05-14 19:19:12 UTC
(In reply to Christopher Byrne from comment #14)
> Do you get the result with Clevis, or does it work now?

Same result but the error is smaller:
```
Enter existing LUKS password:
tpm2_createprimary: symbol lookup error: tpm2_createprimary: undefined symbol: Tss2_TctiLdr_Finalize
Unable to perform encryption with PIN 'tpm2' and config '{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,5,6,7"}'
```
Comment 16 Gonçalo Negrier Duarte 2024-05-14 19:21:48 UTC
(In reply to Gonçalo Negrier Duarte from comment #15)
> (In reply to Christopher Byrne from comment #14)
> > Do you get the result with Clevis, or does it work now?
> 
> Same result but the error is smaller:
> ```
> Enter existing LUKS password:
> tpm2_createprimary: symbol lookup error: tpm2_createprimary: undefined
> symbol: Tss2_TctiLdr_Finalize
> Unable to perform encryption with PIN 'tpm2' and config
> '{"pcr_bank":"sha256","pcr_ids":"0,1,2,3,5,6,7"}'
> ```

Don't know if this could be because of libc++ on the LLVM profile.
Comment 17 Christopher Byrne 2024-05-15 23:36:13 UTC
No, it's some kind of linking issue, probably the same one as bug 923411. The correct library is being dlopen'd, but dlsym returns the symbol from the "wrong" library.
Comment 18 Christopher Byrne 2024-05-17 08:44:38 UTC
Created attachment 893145 [details, diff]
TCTI: Separate namespaces for internal struct

Try this patch. It works for me.
Comment 19 Gonçalo Negrier Duarte 2024-05-17 14:25:25 UTC
(In reply to Christopher Byrne from comment #18)
> Created attachment 893145 [details, diff]
> TCTI: Separate namespaces for internal struct
> 
> Try this patch. It works for me.

Can confirm the key did enroll on the TPM using clevis. Now I'm gonna test after reboot whether the two drives unlock or not.
Comment 20 Gonçalo Negrier Duarte 2024-05-17 14:39:52 UTC
(In reply to Gonçalo Negrier Duarte from comment #19)
> (In reply to Christopher Byrne from comment #18)
> > Created attachment 893145 [details, diff]
> > TCTI: Separate namespaces for internal struct
> > 
> > Try this patch. It works for me.
> 
> Can confirm the key did enroll on the TPM using clevis. Now I'm gonna test
> after reboot whether the two drives unlock or not.

After recreating the initramfs with dracut the drives unlock just fine.
Comment 21 Larry the Git Cow 2024-05-24 06:53:19 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1bdd9fe492eb63a8a06d40d6a4ee34a39c72b24

commit e1bdd9fe492eb63a8a06d40d6a4ee34a39c72b24
Author:     Christopher Byrne <salah.coronya@gmail.com>
AuthorDate: 2024-05-21 14:52:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-24 06:52:50 +0000

    app-crypt/tpm2-tss: add 4.1.3
    
    Closes: https://bugs.gentoo.org/931885
    Signed-off-by: Christopher Byrne <salah.coronya@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/tpm2-tss/Manifest              |   1 +
 app-crypt/tpm2-tss/tpm2-tss-4.1.3.ebuild | 110 +++++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+)