tpm2-setup: Don't fail if we can't access the TPM due to authorization failure #32899
base: main
Conversation
Important: An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.
Is this for #32898?
Can we please add a structured log message with message id/catalog entry for this?
I'd like to understand better what kind of "lock" you ran into. The error check you are doing here suggests to me that you might have a PIN (aka "authValue") set on the "owner" hierarchy of your TPM? Which is different from "dictionary attack lockout" (aka "DA lockout"), which I assumed this was about. So what is it actually about here? How did you run into this? And do you have debug logs of how tpm2-setup fails on that system?
I don't have debug logs anymore, but the gist of it is that the unit fails with
Well, "TPM locked" is a bit vague. Could mean "in DA lockout", or could be "requires a PIN to access"...
But if you turn on debug logs, then you should see more info; that might be helpful.
https://lore.kernel.org/all/e423eaa2-cf2e-6b3f-dff6-61726cb5c0bf@intel.com/T/ Judging by this, this is really about a PIN (i.e. authValue) having been set for the "owner" hierarchy, and not about DA lockout.
Or in other words you are running into #22129. On what kind of system did you run into this btw? How come a password was set for owner auth there? The proper way to fix this is probably by using ask_password_auto() to simply query for the authValue and then use it. But then again, interactivity might suck.
@poettering The TPM has an auth because we don't want anything messing with it. I should have clarified, but I don't actually want this to work; I couldn't care less about setting up an SRK on these systems, I just want tpm2-setup.service to not fail in these cases.
So I think we can merge something like this, but please clean up the wording. I checked the specs btw: while DA lockout mode is on, any attempt to access a DA-protected object results in TPM_RC_LOCKOUT. Any attempt to access an object with an authValue set, without supplying it, fails with a TPM_RC_BAD_AUTH error. Hence, what you are doing here is the latter. We probably should have an explicit error message/catalog entry for the lockout thing too, but without testing that we shouldn't add this, hence out of scope for now I guess. But, please reword this, do not say just "locked", that's too misleading.
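The two response codes named in the comment above are easy to confuse when only the raw number from a failed ESAPI call is logged, because TPM 2.0 format-1 codes (TPM_RC_BAD_AUTH is one) carry the offending session or handle number in the upper bits, while TPM_RC_LOCKOUT is a format-0 warning with a different layout. The following is an added example, not systemd's code and not part of this PR: it takes a TSS2_RC as returned by tpm2-tss, reduces it to the spec's base constant, and maps it to the decision discussed here (skip quietly on an authValue problem, keep failing on lockout and everything else). The constant values come from the TPM 2.0 Library Specification, Part 2; the function names and the choice to treat TPM_RC_AUTH_FAIL the same as TPM_RC_BAD_AUTH are this example's own assumptions, and the sample codes in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t TSS2_RC;   /* same width as tpm2-tss's TSS2_RC */

/* TSS2_RC layer byte (bits 16-23); layer 0 means the TPM itself produced the code. */
#define TSS2_RC_LAYER_MASK  0x00FF0000u
#define TSS2_TPM_RC_LAYER   0x00000000u

/* TPM 2.0 response-code encoding (TPM 2.0 Library Spec, Part 2, "Response Codes"). */
#define RC_FMT1             0x080u  /* format-1 codes: bit 7 set, error number in bits 0-5 */
#define RC_VER1             0x100u  /* format-0 TPM 2.0 codes: bit 8 set */
#define RC_WARN             0x900u  /* format-0 warnings: RC_VER1 plus bit 11 */
#define RC_FMT1_ERROR_MASK  0x03Fu
#define RC_FMT0_CODE_MASK   0xFFFu

#define TPM2_RC_AUTH_FAIL   (RC_FMT1 + 0x00Eu)  /* 0x08E: HMAC/authorization check failed */
#define TPM2_RC_BAD_AUTH    (RC_FMT1 + 0x022u)  /* 0x0A2: authValue wrong or missing */
#define TPM2_RC_LOCKOUT     (RC_WARN + 0x021u)  /* 0x921: DA lockout in effect */

enum tpm2_auth_class {
        TPM2_AUTH_OK,       /* success */
        TPM2_AUTH_DENIED,   /* authValue problem: the case this PR skips over */
        TPM2_AUTH_LOCKOUT,  /* DA lockout: a different condition, not handled by the PR */
        TPM2_AUTH_OTHER,    /* some other TPM error */
        TPM2_AUTH_NOT_TPM,  /* produced by a TSS software layer, not by the TPM */
};

/* Strip the per-response details so the code can be compared with the spec
 * constants: format-1 codes carry the offending handle/session/parameter
 * number in bits 8-11 plus flag bits 6 and 11; format-0 codes only need the
 * low 12 bits. */
uint32_t tpm2_rc_base(uint32_t rc) {
        if (rc & RC_FMT1)
                return RC_FMT1 | (rc & RC_FMT1_ERROR_MASK);
        return rc & RC_FMT0_CODE_MASK;
}

enum tpm2_auth_class tpm2_classify_rc(TSS2_RC rc) {
        if (rc == 0)
                return TPM2_AUTH_OK;
        if ((rc & TSS2_RC_LAYER_MASK) != TSS2_TPM_RC_LAYER)
                return TPM2_AUTH_NOT_TPM;

        switch (tpm2_rc_base(rc & ~TSS2_RC_LAYER_MASK)) {
        case TPM2_RC_BAD_AUTH:
        case TPM2_RC_AUTH_FAIL:   /* assumption: treated like BAD_AUTH here */
                return TPM2_AUTH_DENIED;
        case TPM2_RC_LOCKOUT:
                return TPM2_AUTH_LOCKOUT;
        default:
                return TPM2_AUTH_OTHER;
        }
}

const char *tpm2_auth_class_name(enum tpm2_auth_class c) {
        switch (c) {
        case TPM2_AUTH_OK:      return "success";
        case TPM2_AUTH_DENIED:  return "authorization value required or wrong";
        case TPM2_AUTH_LOCKOUT: return "dictionary attack lockout";
        case TPM2_AUTH_OTHER:   return "other TPM error";
        case TPM2_AUTH_NOT_TPM: return "TSS layer error";
        }
        return "unknown";
}

/* Exit status the unit would report: only success and the authValue case are
 * treated as "nothing to do here"; everything else, lockout included, stays a failure. */
int tpm2_setup_exit_status(TSS2_RC rc) {
        enum tpm2_auth_class c = tpm2_classify_rc(rc);

        switch (c) {
        case TPM2_AUTH_OK:
                return 0;
        case TPM2_AUTH_DENIED:
                fprintf(stderr, "TPM requires an authorization value we do not have, skipping SRK setup.\n");
                return 0;
        default:
                fprintf(stderr, "TPM access failed (%s, rc=0x%x), failing.\n",
                        tpm2_auth_class_name(c), (unsigned) rc);
                return 1;
        }
}

int main(void) {
        /* Constructed sample codes: 0x9A2 is TPM_RC_BAD_AUTH reported against session 1,
         * 0x98E is TPM_RC_AUTH_FAIL against session 1, 0x921 is TPM_RC_LOCKOUT,
         * 0x101 is TPM_RC_FAILURE, 0x80007 carries a non-zero TSS layer byte. */
        const TSS2_RC samples[] = { 0x000, 0x9A2, 0x98E, 0x921, 0x101, 0x80007 };
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
                printf("rc=0x%05x -> %s (exit %d)\n", (unsigned) samples[i],
                       tpm2_auth_class_name(tpm2_classify_rc(samples[i])),
                       tpm2_setup_exit_status(samples[i]));
        return 0;
}
```

The masking in tpm2_rc_base is the part worth copying: comparing the raw value 0x9A2 against TPM_RC_BAD_AUTH (0x0A2) without it never matches, which is exactly the kind of check that leads to vague "TPM locked" wording instead of naming the real condition.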
2b5d47d to 74c5973
…n failure

The TPM might be password/pin protected for various reasons even if
there is no SRK yet. Let's handle those cases gracefully instead of
failing the unit as it is enabled by default.