latchset / clevis

Automated Encryption Framework
GNU General Public License v3.0

Creating TPM2 primary key failed #165

Open bedawi opened 4 years ago

bedawi commented 4 years ago

Hi there, I am having a TPM-related issue with clevis.

$ sudo clevis luks bind -d /dev/sda3 tpm2 '{"pcr_ids":"7"}'
WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:389:Esys_CreatePrimary_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish ErrorCode (0x000002ca) 
ERROR: Esys_CreatePrimary(0x2CA) - tpm:parameter(2):the type of the value is not appropriate for the use
ERROR: Unable to run tpm2_createprimary
Creating TPM2 primary key failed!

I already opened an issue at the tpm2-software repository and was kindly forwarded here, since it does not seem to be a problem on their side.

My system is Fedora 31, kernel 5.4.18-200.fc31.x86_64 and clevis 12.1 (as it comes with the distro).

Many greetings. Ben

sergio-correia commented 4 years ago

Could you please try the following command? sudo tpm2_createprimary -C o -G ecc -c prim.ctx

bedawi commented 4 years ago

Hi @sergio-correia,

$ sudo tpm2_createprimary -C o -G ecc -c prim.ctx
WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:389:Esys_CreatePrimary_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish ErrorCode (0x000002ca) 
ERROR: Esys_CreatePrimary(0x2CA) - tpm:parameter(2):the type of the value is not appropriate for the use
ERROR: Unable to run tpm2_createprimary

The key algorithm seems to be the problem here. sudo tpm2_createprimary -C o -G rsa2048 -c prim.ctx works, as does leaving the algorithms at defaults. Is there a way to change clevis's settings or probably catch an error and then fall back to default algorithms?

sergio-correia commented 4 years ago

Yeah, and ecc is our default algorithm. Can you show the output of this next command, please? sudo tpm2_getcap algorithms

bedawi commented 4 years ago

Here we go:

rsa:
  value:      0x1
  asymmetric: 1
  symmetric:  0
  hash:       0
  object:     1
  reserved:   0x0
  signing:    0
  encrypting: 0
  method:     0
sha1:
  value:      0x4
  asymmetric: 0
  symmetric:  0
  hash:       1
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 0
  method:     0
hmac:
  value:      0x5
  asymmetric: 0
  symmetric:  0
  hash:       1
  object:     0
  reserved:   0x0
  signing:    1
  encrypting: 0
  method:     0
aes:
  value:      0x6
  asymmetric: 0
  symmetric:  1
  hash:       0
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 0
  method:     0
keyedhash:
  value:      0x8
  asymmetric: 0
  symmetric:  0
  hash:       1
  object:     1
  reserved:   0x0
  signing:    1
  encrypting: 1
  method:     0
xor:
  value:      0xA
  asymmetric: 0
  symmetric:  1
  hash:       1
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 0
  method:     0
sha256:
  value:      0xB
  asymmetric: 0
  symmetric:  0
  hash:       1
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 0
  method:     0
rsassa:
  value:      0x14
  asymmetric: 1
  symmetric:  0
  hash:       0
  object:     0
  reserved:   0x0
  signing:    1
  encrypting: 0
  method:     0
rsaes:
  value:      0x15
  asymmetric: 1
  symmetric:  0
  hash:       0
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 1
  method:     0
rsapss:
  value:      0x16
  asymmetric: 1
  symmetric:  0
  hash:       0
  object:     0
  reserved:   0x0
  signing:    1
  encrypting: 0
  method:     0
oaep:
  value:      0x17
  asymmetric: 1
  symmetric:  0
  hash:       0
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 1
  method:     0
kdf1_sp800_108:
  value:      0x22
  asymmetric: 0
  symmetric:  0
  hash:       1
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 0
  method:     1
symcipher:
  value:      0x25
  asymmetric: 0
  symmetric:  0
  hash:       0
  object:     1
  reserved:   0x0
  signing:    0
  encrypting: 0
  method:     0
ctr:
  value:      0x40
  asymmetric: 0
  symmetric:  1
  hash:       0
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 1
  method:     0
ofb:
  value:      0x41
  asymmetric: 0
  symmetric:  1
  hash:       0
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 1
  method:     0
cbc:
  value:      0x42
  asymmetric: 0
  symmetric:  1
  hash:       0
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 1
  method:     0
cfb:
  value:      0x43
  asymmetric: 0
  symmetric:  1
  hash:       0
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 1
  method:     0
ecb:
  value:      0x44
  asymmetric: 0
  symmetric:  1
  hash:       0
  object:     0
  reserved:   0x0
  signing:    0
  encrypting: 1
  method:     0

sergio-correia commented 4 years ago

We can probably validate the key before trying to use it, and then display a more informative error message, in cases like this.

And you can specify the key with the "key" attribute, something like '{"key": "rsa", "pcr_ids": "7"}'
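
As an added example (not code from clevis or from anyone in this thread), here is the kind of pre-check suggested above, written as a POSIX shell script: it reads the YAML-style output of tpm2_getcap algorithms, picks clevis's default "ecc" only when the TPM lists it, falls back to "rsa" (the workaround that fixed the report above), and builds the JSON for the tpm2 pin's "key" attribute. The function names and the abbreviated capability dumps are mine; the dumps are constructed from the output posted above (which lists rsa and rsassa but no ecc entry) and are not real TPM output.

```shell
#!/bin/sh
# Added example, not part of clevis: choose a TPM2 primary-key algorithm the
# TPM actually supports before calling `clevis luks bind`, instead of letting
# tpm2_createprimary fail with TPM_RC 0x2CA as in the thread.
#
# Assumed input format: the dump printed by `tpm2_getcap algorithms`, where
# every algorithm is a top-level "name:" line followed by indented attributes.

# tpm_supports_alg ALG  (reads the capability dump from stdin)
# Exit 0 if ALG is a top-level entry, 1 otherwise. The exact-line match avoids
# false positives such as "rsassa:" matching a prefix search for "rsa".
tpm_supports_alg() {
    awk -v alg="$1" '$0 == alg ":" { found = 1 } END { exit found ? 0 : 1 }'
}

# choose_clevis_key  (reads the capability dump from stdin)
# Prints the value for the tpm2 pin's "key" attribute: "ecc" (clevis's
# default) when the TPM supports it, else "rsa"; fails with a message on
# stderr when neither asymmetric algorithm is available.
choose_clevis_key() {
    dump=$(cat)
    if printf '%s\n' "$dump" | tpm_supports_alg ecc; then
        echo ecc
    elif printf '%s\n' "$dump" | tpm_supports_alg rsa; then
        echo rsa
    else
        echo "TPM reports neither ecc nor rsa; cannot create a primary key" >&2
        return 1
    fi
}

# clevis_tpm2_config KEY PCR_IDS
# Builds the JSON configuration string for `clevis luks bind ... tpm2 '<json>'`.
clevis_tpm2_config() {
    printf '{"key":"%s","pcr_ids":"%s"}\n' "$1" "$2"
}

# Constructed sample dump, abbreviated from the one posted in the thread:
# rsa and rsassa are present, ecc is not (not real TPM output).
SAMPLE_CAPS_NO_ECC='rsa:
  value:      0x1
  asymmetric: 1
sha256:
  value:      0xB
  hash:       1
rsassa:
  value:      0x14
  asymmetric: 1'

# Constructed counter-example of a TPM that also lists ecc (TPM_ALG_ECC = 0x23).
SAMPLE_CAPS_WITH_ECC="$SAMPLE_CAPS_NO_ECC
ecc:
  value:      0x23
  asymmetric: 1"

# Stand-alone use against a real TPM (needs root and tpm2-tools installed):
#   key=$(tpm2_getcap algorithms | choose_clevis_key) || exit 1
#   clevis luks bind -d /dev/sda3 tpm2 "$(clevis_tpm2_config "$key" 7)"
```

On the TPM from this report the script prints "rsa" and produces '{"key":"rsa","pcr_ids":"7"}', which is exactly the configuration that resolved the issue; on a TPM that lists ecc it keeps clevis's default.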

bedawi commented 4 years ago

Well thank you @sergio-correia, this solved my problem. :-) I leave it to you to close the problem - not sure if you like to follow up here. - Many greetings.