Grub TPM Error 2

[proteansec]

Bug

When installing the CoreOS operating system to my laptop with the following command:

# coreos-install -d /dev/sda -C stable -c cloud-config.yaml

The installation was successful, but after rebooting the system, the grub is unable to boot the operating system, but instead it enters into the grub rescue mode and displays the following error:

error: TPM error 2
.
grub rescue>

Even if I enter any of the grub rescue mode commands like "ls (hd0,1)/", it displays the "TPM error 2". The TPM is enabled in the BIOS, so are the other security features. I've also tried experimenting with different BIOS settings without any difference.

CoreOS Version

I've downloaded the currently latest CoreOS 1068.9.0 iso in order to boot from a LiveCD, but then the "coreos-install" downloads the image from the internet - I'm guessing it downloads the same stable image.

Environment

This is on HP Elitebook 6930p bare-metal Laptop.

Expected Behavior

The coreos-install install grub on the /dev/sda partition, which should be able to boot into the CoreOS system.

Actual Behavior

The coreos-install script installs the grub on the /dev/sda partition, but Grub is unable to boot into the system, giving "TPM error 2" error.

Reproduction Steps

1. Boot from coreos livecd
2. Create cloud-config.yaml, which is really basic in order to be able to login after the installation:

cloud-config

ssh_authorized_keys:

• ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGdByTgSVHq.......
  1. Issue the following command to install the CoreOS to /dev/sda:

# coreos-install -d /dev/sda -C stable -c cloud-config.yaml

1. Reboot

[mischief]

@proteansec can you disable your tpm?

[proteansec]

@mischief even if I disable TPM, the result is the same. I'm unable to boot the CoreOS.

However, I did notice that once I install the CoreOS and reboot it for the first time, the system freezes and the '_' is blinking as if something is happening, but it is actually not. The system is frozen and nothing happens - I've left it running for an hour to no avail. But when I force it to shutdown (holding the power button for 10s), it is giving the GRUB command prompt and the same "TPM error 2".

[avongluck-r1soft]

Same issue here after installing CoreOS 1068.10.0 iso to disk. Dell PowerEdge T110 II. Enabled TPM, disabled TPM, cleared TPM in bios... no change.

[avongluck-r1soft]

Blanked drive, reinstalled from 1010.6.0 iso... same issue.

[avongluck-r1soft]

Work around:

• enabled tpm in bios and activate
• boot from coreos install media
• sudo tpmown
• system reboots
• BIOS asked to accept TPM modifications
• boot from disk.
• success

So.. it seems like some systems when you disable TPM it really isn't disabled and the system gets into a bad state.

[proteansec]

When I do that, the system freezes when I try to reboot, so instead of giving me a TPM error, it's back to the previous state - the system freeze as I've explained in the beginning.

So the system freezing is still a mystery and needs to be resolved. I'm guessing the system doesn't freeze in your case, so you don't have that problem. Again, when the system freezes and a black screen with a blinking cursor in the left upper corner appears as presented below.

[crawford]

I'm not sure if there is anything we can do about this. Sounds like a firmware bug. @mjg59 will probably have some ideas.

[samek]

So how about if you don't have an TPM present ? Is there a way to still use coreos? I'm getting same error - but there's no TPM present.

[marineam]

@samek No TPM should be fine but it is possibly some variation of the BIOS acting like there is one present but there really isn't one. I know we've had to work around something like that before. What is the system?

[samek]

@marineam we use hp moonshot m700 cartridges. They don't have tpm.

[alxzndr]

same here on a proliant server without TPM

[alxzndr]

Some extra info: grub loads normally (no rescue mode) but every command raises an error: TPM error 1

This system is a HP Proliant BL460c without any TPM options in the bios I have tried both stable and alpha releases.

EDIT: running tpmown with the livecd verifies this system has no TPM

[agiterman1]

same problem here with both stable and beta version. TPM error.

server: HP Proliant DL360 G4p no tpm installed.

tried both the stable and the beta version.

[mjg59]

https://github.com/coreos/grub/pull/40

[marineam]

Should be fixed as of October so closing this bug. Please note that GRUB is not touched by the upgrade process so installing from a newer image is required.