TPM decrypt problem with kernel 6.4.11

hjavid · August 24, 2023, 6:38pm

Hi

I have a root partition encrypted with luks2 and separate boot partition that used to be unlocked with tpm using systemd-cryptenroll. but after updating with kernel 6.4.11 it hangs on boot (waits around 20 seconds) and then asks for password. likely problem with tpm.

also running systemd-cryptenroll again gives error while in kernel 6.4.10 it doesn’t

sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/nvme0n1p6 
🔐 Please enter current passphrase for disk /dev/nvme0n1p6: ********                
ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
Failed to initialize TCTI context: tcti:IO failure

Update: same on the kernel 6.4.12

mark61 · August 29, 2023, 2:26pm

I am having the same issue. I had to roll back to kernel 6.4.10 for TPM devices to show up in /dev.

steiner · August 29, 2023, 2:30pm

Apparently it’s a wider kernel issue with tpm_crb, the folks from Nix are experiencing this as well:

github.com/NixOS/nixpkgs

tpm_crb: probe of MSFT0101:00 failed with error 378

opened 10:51AM - 19 Aug 23 UTC

CnTeng

0.kind: bug

### Describe the bug I use tpm + luks, but recently when the kernel updating to… 6.4.11, the `tpm_crb` can't find `tpm` devices. And, if I switch to old kernel like 6.1, it can't work too. ### Steps To Reproduce Steps to reproduce the behavior: 1. Use the latest unstable 2. ```nix boot = { kernelPackages = pkgs.linuxPackages_latest; initrd = { availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "tpm" "tpm_tis" "tpm_crb" ]; systemd.enable = true; }; tmp.useTmpfs = true; }; ``` ### Expected behavior `tpm` work correctly. ### Screenshots ![图片](https://github.com/NixOS/nixpkgs/assets/56501688/3cad3f0a-a2c7-4798-9a46-00c7391edcb1) ![图片](https://github.com/NixOS/nixpkgs/assets/56501688/fe4b2707-c65a-48d4-ae05-49bcd6c1dae8) ### Additional context Add any other context about the problem here. ### Notify maintainers  ### Metadata Please run `nix-shell -p nix-info --run "nix-info -m"` and paste the result. ```console [user@system:~]$ nix-shell -p nix-info --run "nix-info -m" - system: `"x86_64-linux"` - host os: `Linux 6.4.11, NixOS, 23.11 (Tapir), 23.11pre-git` - multi-user?: `yes` - sandbox: `yes` - version: `nix-env (Nix) 2.17.0` - channels(yufei): `""` - nixpkgs: `/nix/store/5mj1vfslaf052b8s9nnbz31fb2l1qwdi-source` ```

hjavid · September 13, 2023, 1:17pm

Update 2: fixed with kernel 6.4.15

Topic		Replies	Views
System with Full Disk Encryption Stopped Offering LUKS Prompt On Boot Ask Fedora lvm , systemd , encryption , boot , luks2 , f39	53	2222	April 22, 2024
TPM module not identified - F38 Ask Fedora f38 , workstation	4	338	September 8, 2023
Purism Librem 11 with Fedora using kernel v6.6 and later Ask Fedora kernel , f39	6	270	February 10, 2024
Systemd-cryptenroll with tpm2-pin Ask Fedora f37 , systemd-cryptenroll , silverblue	0	1275	December 29, 2022
Unlock LUKS encrypted rootfs using TPM during boot Ask Fedora f35 , luks2 , silverblue	1	1905	March 21, 2022

TPM decrypt problem with kernel 6.4.11

Related topics