Hello everyone,
I'm performing a Kickstart installation from a USB stick of Oracle Linux 7.6 on a Dell Optiplex 3060, where I also encrypt the volume and bind it to the TPM to unlock it automatically:
clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_ids":"7"}'
$ luksmeta show -d /dev/nvme0n1p3
0 active empty
1 active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 inactive empty
(...)
After experimenting for quite some time this works fine and the way I need it. When the system boots, the volume gets unlocked automatically after around a minute. As you can see above, I bind it to PCR7, so as I understood this topic, an update to a new kernel signed by the same vendor should not alter the hash in the TPM, and furthermore the automatic unlock should still work. But unfortunately after yum update and a reboot that is not the case, and it says
tpm tpm0: A TPM error (357) occurred flushing context
dracut-initqueue[355]: Unsealing jwk from TPM failed!
tpm tpm0: tpm_try_transmit: tpm_send: error -5
After the (first) reboot following the update, trying to execute the clevis luks bind command once more fails (manual unlocking is still possible):
$ clevis luks bind -d /dev/nvme0n1p3 tpm2 '{"pcr_ids":"7"}'
ERROR: Failed tpm session start auth with params
ERROR: Error starting the policy session.
After another reboot I am able to bind it and the automatic unlocking also works again.
$ luksmeta show -d /dev/nvme0n1p3
0 active empty
1 active cb6e8904-81ff-40da-a84a-07ab9ab5715e
2 active cb6e8904-81ff-40da-a84a-07ab9ab5715e
3 inactive empty
(...)
I compared the Key ID of the originally installed kernel, with which the unlocking worked before the update, with that of the new one, and they are identical, but I'm not sure if those signatures are the relevant ones:
$ uname -r
4.14.35-1818.3.3.el7uek.x86_64
$ find / -type f -name kernel-uek*.rpm
(...)
/run/media/sklera/OL-7_6/Packages/kernel-uek-4.14.35-1818.3.3.el7uek.x86_64.rpm
/var/cache/yum/x86_64/7Server/VSE_Oracle_Linux_7_OEL_7_UEK5/packages/kernel-uek-4.14.35-1902.3.1.el7uek.x86_64.rpm
Original kernel:
$ rpm -qpi /run/media/sklera/OL-7_6/Packages/kernel-uek-4.14.35-1818.3.3.el7uek.x86_64.rpm
(...)
Signature : RSA/SHA256, Tue 25 Sep 2018 12:11:55 AM CEST, Key ID 72f97b74ec551f03
New kernel:
$ rpm -qpi /var/cache/yum/x86_64/7Server/VSE_Oracle_Linux_7_OEL_7_UEK5/packages/kernel-uek-4.14.35-1902.3.1.el7uek.x86_64.rpm
(...)
Signature : RSA/SHA256, Tue 25 Jun 2019 06:43:44 AM CEST, Key ID 72f97b74ec551f03
So my questions are:
- How can I tell why the unlocking fails after the update, and why couldn't I bind it again the first time?
- Are the signatures of the packages that I compared the correct ones?
I would appreciate your help; thanks in advance.
Regards,
Markus
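
Added diagnostic helper for the question above (editor-supplied example code, not part of Markus's post and not from the clevis project). PCR 7 records the Secure Boot policy: the Secure Boot variables plus the certificate that was used to verify each EFI binary launched during boot, so a clevis tpm2 pin bound with '{"pcr_ids":"7"}' stops unsealing exactly when that digest differs from the one it was sealed against. The script snapshots the sha256 value of PCR 7 before the update, compares it after the reboot, and can test whether a bound LUKS slot still unseals without rebooting. It assumes tpm2-tools is installed (tpm2_pcrread from the 4.x series, or tpm2_pcrlist from the 3.x series shipped with EL7) and that both print the PCR line as "7 : 0x<digest>"; the baseline path /var/lib/pcr7.baseline is a placeholder, and the sample output in the comments is constructed. One caveat on the second question: the Key ID printed by rpm -qpi is the RPM package-signing GPG key, which is not what PCR 7 measures; the relevant signature is the Authenticode signature embedded in the EFI image, which can be listed with pesign -S -i /boot/vmlinuz-<version>.

```bash
#!/bin/sh
# Editor-added example, not from the original post or the clevis project.
# Snapshot PCR 7 (sha256 bank) before a kernel update and compare it after
# the reboot. A changed PCR 7 is the one condition under which a clevis
# tpm2 pin bound with '{"pcr_ids":"7"}' can no longer unseal its key.
#
# Assumptions: tpm2-tools is installed (tpm2_pcrread from 4.x, or
# tpm2_pcrlist from the 3.x series shipped with EL7); both print a line of
# the form "  7 : 0x<64 hex digits>" for the sha256 bank. The baseline
# path below is a placeholder. Sample outputs in comments are constructed.

set -u

# Extract the PCR 7 digest from tpm2_pcrread/tpm2_pcrlist output, e.g.
#   sha256:
#     7 : 0x0102...3132
# and print it as 64 lowercase hex digits without the 0x prefix.
pcr7_digest_from_output() {
    printf '%s\n' "$1" \
        | awk '$1 == "7" && $2 == ":" { print tolower($3) }' \
        | sed 's/^0x//' \
        | head -n 1
}

# Read PCR 7 from the live TPM, whichever tpm2-tools generation is present.
read_pcr7() {
    if command -v tpm2_pcrread >/dev/null 2>&1; then
        pcr7_digest_from_output "$(tpm2_pcrread sha256:7 2>/dev/null)"
    elif command -v tpm2_pcrlist >/dev/null 2>&1; then
        pcr7_digest_from_output "$(tpm2_pcrlist -L sha256:7 2>/dev/null)"
    else
        return 1
    fi
}

# Compare two digests. Exit status: 0 identical, 1 changed, 2 when either
# value is empty or not a 64-digit lowercase hex string.
pcr7_compare() {
    baseline="$1"
    current="$2"
    case "$baseline" in ""|*[!0-9a-f]*) return 2 ;; esac
    case "$current"  in ""|*[!0-9a-f]*) return 2 ;; esac
    [ "${#baseline}" -eq 64 ] && [ "${#current}" -eq 64 ] || return 2
    [ "$baseline" = "$current" ]
}

# Read the saved baseline and report whether PCR 7 still matches it.
check_pcr7() {
    baseline_file="$1"
    [ -r "$baseline_file" ] || { echo "no baseline at $baseline_file" >&2; return 2; }
    now=$(read_pcr7) || { echo "cannot read PCR 7: tpm2-tools missing?" >&2; return 2; }
    saved=$(cat "$baseline_file")
    pcr7_compare "$saved" "$now" && rc=0 || rc=$?
    case "$rc" in
        0) echo "PCR 7 unchanged: $now" ;;
        1) echo "PCR 7 CHANGED: baseline $saved, now $now" ;;
        *) echo "PCR 7 value missing or malformed (baseline '$saved', now '$now')" >&2 ;;
    esac
    return "$rc"
}

# Without rebooting, check that a clevis-bound LUKS slot still unseals:
# load the token from the luksmeta slot and let clevis decrypt it, which is
# the same pipeline the clevis unlock hook runs from the initramfs.
test_unseal() {
    luksmeta load -d "$1" -s "$2" | clevis decrypt >/dev/null
}

BASELINE="${BASELINE:-/var/lib/pcr7.baseline}"   # placeholder path
case "${1:-}" in
    snapshot)
        d=$(read_pcr7) && [ "${#d}" -eq 64 ] || { echo "cannot read PCR 7" >&2; exit 2; }
        printf '%s\n' "$d" > "$BASELINE" && echo "saved PCR 7 $d to $BASELINE" ;;
    check)
        check_pcr7 "$BASELINE" ;;
    unseal)
        test_unseal "${2:?device}" "${3:-1}" && echo "slot ${3:-1} unseals" ;;
esac
```

Run "sh pcr7check.sh snapshot" before yum update and "sh pcr7check.sh check" after the reboot; "sh pcr7check.sh unseal /dev/nvme0n1p3 1" exercises the bound slot without a reboot. A changed digest means the measured boot chain differs from what the slot was sealed against, so the policy cannot be satisfied and the slot has to be rebound; an unchanged digest means the PCR binding is not the cause and the TPM driver errors in the journal deserve a closer look.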