
#1 2024-03-12 18:08:38

keertesh
Member
Registered: 2024-03-12
Posts: 1

Failed to unseal secret using TPM2: State not recoverable

WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:391:Esys_StartAuthSession_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x00000921)
Failed to unseal secret using TPM2: State not recoverable

I have a LUKS2 + btrfs + Secure Boot + dual-boot Windows setup,
using systemd as bootloader.
It was working fine but out of nowhere started to give the following error.


#2 2024-04-04 10:26:19

licosan
Member
Registered: 2023-06-09
Posts: 2

Re: Failed to unseal secret using TPM2: State not recoverable

I'm experiencing exactly the same issue here on a fresh Arch installation using systemd-boot + LUKS + BTRFS + Secure Boot

systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2

Please enter current passphrase for disk /dev/nvme0n1p2: ••••••••••
WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:391:Esys_StartAuthSession_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x00000921) 
Failed to unseal secret using TPM2: Etat non récupérable

I obviously triple-checked the passphrase and also tried with the recovery key.

Some background checks that might help in understanding the issue:

sbctl status

Installed:	✓ sbctl is installed
Owner GUID:	fb6e4a56-7404-4e83-b63e-2c1518e7ae84
Setup Mode:	✓ Disabled
Secure Boot:	✓ Enabled
Vendor Keys:	tpm-eventlog

systemd-cryptenroll --tpm2-device=list

PATH        DEVICE      DRIVER 
/dev/tpmrm0 MSFT0101:00 tpm_crb

systemd-cryptenroll /dev/nvme0n1p2

SLOT TYPE    
   0 password
   1 recovery

tpm2_getcap properties-variable

TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            1
  reserved1:                 0
  disableClear:              0
  inLockout:                 1
  tpmGeneratedEPS:           0
  reserved2:                 0
TPM2_PT_STARTUP_CLEAR:
  phEnable:                  1
  shEnable:                  1
  ehEnable:                  1
  phEnableNV:                1
  reserved1:                 0
  orderly:                   0
TPM2_PT_HR_NV_INDEX: 0x7
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x3
TPM2_PT_HR_PERSISTENT_AVAIL: 0x17
TPM2_PT_NV_COUNTERS: 0x2
TPM2_PT_NV_COUNTERS_AVAIL: 0x4
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x20
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0


#3 2024-04-06 10:03:04

licosan
Member
Registered: 2023-06-09
Posts: 2

Re: Failed to unseal secret using TPM2: State not recoverable

There is a closed Arch bug report related to this issue, which states this is not a bug, and that it can be fixed by clearing the TPM.
FS#79277 - [systemd] systemd-cryptenroll fails when enrolling TPM2
https://bugs.archlinux.org/task/79277

Figuring out how to "clear the TPM" was not straightforward, however.
The TPM was apparently in a locked state, and I found no comprehensive documentation about that.
This bit of information from https://github.com/tpm2-software/tpm2-t … 1443004660 helped me out:

To get out of the lockout mode (with clear) without BIOS you can try:

echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request

reboot.

tpm2_dictionarylockout -Tdevice:/dev/tpmrm0 --setup-parameters --max-tries=5 --clear-lockout

After that,

systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2

worked as expected and the TPM now unlocks my LUKS partition flawlessly at boot.

Last edited by licosan (2024-04-06 11:57:20)


#4 2024-06-21 05:05:41

gerkujies
Member
Registered: 2024-06-21
Posts: 1

Re: Failed to unseal secret using TPM2: State not recoverable

I have the same issue:

systemd-cryptsetup attach mapping_name /dev/nvme0n1p2 - tpm2-device=auto
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df) 
Failed to unseal secret using TPM2: State not recoverable
Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/nvme0n1p2.
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error 
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df) 
Failed to unseal secret using TPM2: State not recoverable
TPM2 operation failed, falling back to traditional unlocking: State not recoverable
? Please enter passphrase for disk

Clearing the TPM doesn't help me.
What should I do to solve the problem?
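As an added example (not code from any of the posts above), the following Python decodes the raw TPM 2.0 response codes that tpm2-tss prints as "Esys Finish ErrorCode (0x...)" and reads the dictionary-attack lockout fields from `tpm2_getcap properties-variable` output like the one in post #2; the name tables are a subset of the TPM 2.0 Library specification (Part 2, section 6.6), and the sample getcap text is constructed.

```python
import re

# Subset of the TPM_RC names from TPM 2.0 Library Part 2, section 6.6 (not exhaustive).
# Format 0 (bit 7 clear): errors carry RC_VER1 (0x100), warnings carry RC_WARN (0x900).
FMT0_ERRORS = {0x00: "INITIALIZE", 0x01: "FAILURE", 0x0B: "PRIVATE", 0x20: "DISABLED",
               0x26: "POLICY", 0x27: "PCR", 0x28: "PCR_CHANGED", 0x48: "NV_LOCKED"}
FMT0_WARNINGS = {0x01: "CONTEXT_GAP", 0x04: "MEMORY", 0x09: "CANCELED", 0x20: "NV_RATE",
                 0x21: "LOCKOUT", 0x22: "RETRY", 0x23: "NV_UNAVAILABLE"}
# Format 1 (bit 7 set): bits 0-5 are the error, bit 6 says "parameter", bits 8-11 give
# which handle/parameter/session (bit 11 of that nibble marks a session) it refers to.
FMT1_ERRORS = {0x04: "VALUE", 0x0E: "AUTH_FAIL", 0x1C: "KEY", 0x1D: "POLICY_FAIL",
               0x1F: "INTEGRITY", 0x22: "BAD_AUTH", 0x23: "EXPIRED"}

def decode_tpm_rc(rc: int) -> tuple:
    """Return (severity, name, location) for a raw 12-bit TPM_RC as logged by tpm2-tss."""
    if rc & ~0xFFF:
        return ("unknown", "not a bare TPM response code", None)
    if rc & 0x080:
        num, n = rc & 0x03F, (rc >> 8) & 0xF
        where = (f"parameter {n}" if rc & 0x040 else
                 f"session {n & 0x7}" if n & 0x8 else f"handle {n}")
        return ("error", "TPM_RC_" + FMT1_ERRORS.get(num, f"FMT1_{num:#04x}"), where)
    num = rc & 0x07F
    if rc & 0x800:  # S bit set: a warning, i.e. a transient TPM state such as DA lockout
        return ("warning", "TPM_RC_" + FMT0_WARNINGS.get(num, f"WARN_{num:#04x}"), None)
    if rc & 0x100:
        return ("error", "TPM_RC_" + FMT0_ERRORS.get(num, f"VER1_{num:#04x}"), None)
    return ("error", f"TPM 1.2 compatible code {num:#04x}", None)

def lockout_state(getcap_text: str) -> dict:
    """Read the dictionary-attack lockout fields from `tpm2_getcap properties-variable`."""
    out = {}
    for key in ("inLockout", "TPM2_PT_LOCKOUT_COUNTER", "TPM2_PT_MAX_AUTH_FAIL",
                "TPM2_PT_LOCKOUT_RECOVERY"):
        m = re.search(rf"^\s*{key}:\s*(0x[0-9A-Fa-f]+|\d+)", getcap_text, re.M)
        out[key] = int(m.group(1), 0) if m else None
    out["locked_out"] = out["inLockout"] == 1
    return out

# Constructed excerpt mirroring post #2: inLockout=1 and counter 0x20 == maxAuthFail 0x20.
SAMPLE_GETCAP = """TPM2_PT_PERMANENT:
  inLockout:                 1
TPM2_PT_LOCKOUT_COUNTER: 0x20
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
"""

if __name__ == "__main__":
    print([(hex(c), decode_tpm_rc(c)) for c in (0x921, 0x1DF)], lockout_state(SAMPLE_GETCAP))
```

On the two codes quoted in this thread, 0x921 decodes as the warning TPM_RC_LOCKOUT (the DA lockout that matches inLockout: 1 in post #2), while 0x1df from Esys_Load decodes as TPM_RC_INTEGRITY on parameter 1, which is not a lockout but the TPM refusing to load the sealed key blob (typically because it was created under a different storage key, e.g. before a TPM clear), so clearing the lockout alone would not address it.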

