I recently updated my UEFI dbx and clevis auto unlock stopped working on boot of my device. After lots of debugging I eventually worked out it was because it was failing the TPM part of the process. When I did a clevis luks report -d /dev/nvme0n1p3 -s 1 it returned saying no problems. I manually rotated my tang server keys, then did a report. It then said the tang keys had changed but also that the TPM had an issue. This time, when it rebound the slot, the auto unlock worked once again.
The only thing that actually changed would have been the PCR 7 value, because I updated my dbx. So I'm guessing the report function isn't checking the TPM, which I'd say is a bug because it's not fully checking the slot configuration.
{
  "t": 2,
  "pins": {
    "tpm2": [
      {
        "hash": "sha256",
        "key": "ecc",
        "pcr_bank": "sha256",
        "pcr_ids": "1,7"
      }
    ],
    "sss": {
      "t": 1,
      "pins": {
        "tang": [
          {
            "url": "http://192.168.2.11:7500"
          },
          {
            "url": "http://192.168.2.12:7500"
          }
        ]
      }
    }
  }
}
OS: Fedora 42
Clevis: 21
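The check the report above is missing is a comparison of the PCRs the tpm2 pin was sealed against with the PCRs the TPM holds now. The script below is an added example, not code from the issue or from clevis itself: it walks a clevis slot configuration (including tpm2 pins nested under sss), collects the pcr_bank/pcr_ids each pin depends on, and reports every bound PCR whose value differs from a baseline recorded at bind time. The two PCR dumps are constructed; the "<bank>:" / "<index> : 0x<digest>" layout is an assumption about tpm2_pcrread output, the digests are made up, and sha256 as the default pcr_bank is assumed. In the sample, PCR 7 (which measures the Secure Boot policy, dbx included) has moved after a dbx update while PCR 1 has not, which is exactly the drift that breaks the tpm2 unseal and forces a rebind.

```python
import re

# Constructed sample: the clevis slot configuration from the issue above,
# as a dict in the shape `clevis luks list` prints (values copied from the issue).
CLEVIS_CONFIG = {
    "t": 2,
    "pins": {
        "tpm2": [{"hash": "sha256", "key": "ecc", "pcr_bank": "sha256", "pcr_ids": "1,7"}],
        "sss": {
            "t": 1,
            "pins": {"tang": [{"url": "http://192.168.2.11:7500"},
                              {"url": "http://192.168.2.12:7500"}]},
        },
    },
}

# Constructed sample PCR dumps in the layout tpm2_pcrread prints
# ("<bank>:" then "<index> : 0x<digest>" lines). The layout is an assumption
# about tpm2-tools output and the digests are made up. The first dump is a
# baseline saved at bind time, the second was read after a dbx update:
# PCR 7 (Secure Boot policy, which covers dbx) has changed, PCR 1 has not.
PCR_AT_BIND = """\
sha256:
  1 : 0x1111111111111111111111111111111111111111111111111111111111111111
  7 : 0x7777777777777777777777777777777777777777777777777777777777777777
"""
PCR_AFTER_DBX_UPDATE = """\
sha256:
  1 : 0x1111111111111111111111111111111111111111111111111111111111111111
  7 : 0xABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABABAB
"""

_BANK_RE = re.compile(r"^\s*(\w+):\s*$")
_PCR_RE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def parse_pcrread(text):
    """Turn tpm2_pcrread-style text into {bank: {pcr_index: digest_hex}}."""
    banks, bank = {}, None
    for line in text.splitlines():
        m = _BANK_RE.match(line)
        if m:
            bank = m.group(1).lower()
            banks.setdefault(bank, {})
            continue
        m = _PCR_RE.match(line)
        if m and bank is not None:
            banks[bank][int(m.group(1))] = m.group(2).lower()
    return banks


def tpm2_pins(config):
    """Yield every tpm2 pin in a clevis config, descending through sss pins."""
    pins = config.get("pins", {})
    yield from pins.get("tpm2", [])
    sss = pins.get("sss")
    if isinstance(sss, dict):          # an sss pin's value is itself a clevis config
        yield from tpm2_pins(sss)


def pcr_ids(pin):
    """Normalise pcr_ids, which may appear as "1,7", [1, 7] or a single int."""
    raw = pin.get("pcr_ids", "")
    if isinstance(raw, int):
        return [raw]
    if isinstance(raw, str):
        return [int(x) for x in raw.split(",") if x.strip()]
    return [int(x) for x in raw]


def pcr_drift(config, baseline_text, current_text):
    """Return {(bank, pcr): (baseline, current)} for every PCR bound by a
    tpm2 pin whose current value differs from the baseline or is missing."""
    baseline = parse_pcrread(baseline_text)
    current = parse_pcrread(current_text)
    drift = {}
    for pin in tpm2_pins(config):
        bank = pin.get("pcr_bank", "sha256").lower()   # sha256 default is an assumption
        for idx in pcr_ids(pin):
            old = baseline.get(bank, {}).get(idx)
            new = current.get(bank, {}).get(idx)
            if old != new:
                drift[(bank, idx)] = (old, new)
    return drift


if __name__ == "__main__":
    changed = pcr_drift(CLEVIS_CONFIG, PCR_AT_BIND, PCR_AFTER_DBX_UPDATE)
    if changed:
        for (bank, idx), (old, new) in sorted(changed.items()):
            print(f"PCR {bank}:{idx} changed ({old} -> {new}); "
                  f"the tpm2 pin cannot unseal, rebind the slot")
    else:
        print("all PCRs bound by tpm2 pins match the baseline")
```

In practice the baseline would be the tpm2_pcrread output saved when the slot was bound and the current text the output read now; a non-empty result means the tpm2 pin will fail at boot even though clevis luks report says the slot is fine.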