I have a LUKS2 + btrfs + Secure Boot + dual-boot Windows setup.
Using systemd as the bootloader.
It was working fine, but out of nowhere it started giving the following error:
WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:391:Esys_StartAuthSession_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x00000921)
Failed to unseal secret using TPM2: State not recoverable
I'm experiencing exactly the same issue here on a fresh Arch installation using systemd-boot + LUKS + BTRFS + Secure Boot.
systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2
Please enter current passphrase for disk /dev/nvme0n1p2: ••••••••••
WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:391:Esys_StartAuthSession_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x00000921)
Failed to unseal secret using TPM2: Etat non récupérable
I obviously triple-checked the passphrase and also tried with the recovery key.
Some background checks that might help in understanding the issue:
sbctl status
Installed: ✓ sbctl is installed
Owner GUID: fb6e4a56-7404-4e83-b63e-2c1518e7ae84
Setup Mode: ✓ Disabled
Secure Boot: ✓ Enabled
Vendor Keys: tpm-eventlog
systemd-cryptenroll --tpm2-device=list
PATH DEVICE DRIVER
/dev/tpmrm0 MSFT0101:00 tpm_crb
systemd-cryptenroll /dev/nvme0n1p2
SLOT TYPE
0 password
1 recovery
tpm2_getcap properties-variable
TPM2_PT_PERMANENT:
ownerAuthSet: 0
endorsementAuthSet: 0
lockoutAuthSet: 1
reserved1: 0
disableClear: 0
inLockout: 1
tpmGeneratedEPS: 0
reserved2: 0
TPM2_PT_STARTUP_CLEAR:
phEnable: 1
shEnable: 1
ehEnable: 1
phEnableNV: 1
reserved1: 0
orderly: 0
TPM2_PT_HR_NV_INDEX: 0x7
TPM2_PT_HR_LOADED: 0x0
TPM2_PT_HR_LOADED_AVAIL: 0x3
TPM2_PT_HR_ACTIVE: 0x0
TPM2_PT_HR_ACTIVE_AVAIL: 0x40
TPM2_PT_HR_TRANSIENT_AVAIL: 0x3
TPM2_PT_HR_PERSISTENT: 0x3
TPM2_PT_HR_PERSISTENT_AVAIL: 0x17
TPM2_PT_NV_COUNTERS: 0x2
TPM2_PT_NV_COUNTERS_AVAIL: 0x4
TPM2_PT_ALGORITHM_SET: 0x0
TPM2_PT_LOADED_CURVES: 0x2
TPM2_PT_LOCKOUT_COUNTER: 0x20
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180
TPM2_PT_NV_WRITE_RECOVERY: 0x0
TPM2_PT_AUDIT_COUNTER_0: 0x0
TPM2_PT_AUDIT_COUNTER_1: 0x0
There is a closed Arch bug report related to this issue, which states this is not a bug, and that it can be fixed by clearing the TPM.
FS#79277 - [systemd] systemd-cryptenroll fails when enrolling TPM2
https://bugs.archlinux.org/task/79277
Figuring out how to "clear the TPM" was not straightforward, however.
The TPM was apparently in a locked state, and I found no comprehensive documentation about that.
This bit of information from https://github.com/tpm2-software/tpm2-t … 1443004660 helped me out:
To get out of the lockout mode (with clear) without BIOS you can try:
echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request
reboot.
tpm2_dictionarylockout -Tdevice:/dev/tpmrm0 --setup-parameters --max-tries=5 --clear-lockout
After that,
systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2
worked as expected and the TPM now unlocks my LUKS partition flawlessly at boot.
Last edited by licosan (2024-04-06 11:57:20)
I have the same issue:
systemd-cryptsetup attach mapping_name /dev/nvme0n1p2 - tpm2-device=auto
✔ 17s 07:59:38
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df)
Failed to unseal secret using TPM2: State not recoverable
Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/nvme0n1p2.
WARNING:esys:src/tss2-esys/api/Esys_Load.c:324:Esys_Load_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/api/Esys_Load.c:112:Esys_Load() Esys Finish ErrorCode (0x000001df)
Failed to unseal secret using TPM2: State not recoverable
TPM2 operation failed, falling back to traditional unlocking: State not recoverable
? Please enter passphrase for disk
Clearing the TPM doesn't help me.
What should I do to solve the problem?
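A small diagnostic for the two failure modes seen in this thread, added here as an example; it is not code from any of the posts above, nor from systemd or tpm2-tools, and the function names are my own. It parses the `tpm2_getcap properties-variable` output pasted earlier (inLockout: 1, lockout counter 0x20 at the 0x20 maximum) to report whether the TPM is in dictionary-attack lockout, and it decodes the two Esys response codes that appear in the thread using the TPM 2.0 response-code layout: 0x921 is TPM_RC_LOCKOUT (RC_WARN + 0x021), the state that licosan's clear-lockout steps fix, while 0x1df is TPM_RC_INTEGRITY (format 1, parameter 1) from TPM2_Load, which is typically what a blob sealed before a TPM clear produces when loaded against the new storage key, so after a clear the partition has to be re-enrolled rather than just retried. The sample getcap text is constructed from the thread's paste.

```shell
#!/bin/sh
# Constructed sample: the lines that matter from the thread's
# `tpm2_getcap properties-variable` paste (TPM reports DA lockout).
SAMPLE_GETCAP='TPM2_PT_PERMANENT:
  ownerAuthSet: 0
  lockoutAuthSet: 1
  inLockout: 1
TPM2_PT_LOCKOUT_COUNTER: 0x20
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180'

# tpm_da_state: read `tpm2_getcap properties-variable` output on stdin,
# print a one-line summary, return 1 when the TPM is in DA lockout, else 0.
# Usage on a live system: tpm2_getcap properties-variable | tpm_da_state
tpm_da_state() {
    data=$(cat)
    inl=$(printf '%s\n' "$data" | awk '/inLockout:/ {print $2}')
    cnt=$(printf '%s\n' "$data" | awk '/TPM2_PT_LOCKOUT_COUNTER:/ {print $2}')
    max=$(printf '%s\n' "$data" | awk '/TPM2_PT_MAX_AUTH_FAIL:/ {print $2}')
    ivl=$(printf '%s\n' "$data" | awk '/TPM2_PT_LOCKOUT_INTERVAL:/ {print $2}')
    cnt=${cnt:-0}; max=${max:-0}; ivl=${ivl:-0}
    # Hex strings like 0x20 are converted by the shell's arithmetic expansion.
    if [ "$inl" = "1" ] || { [ "$(($max))" -gt 0 ] && [ "$(($cnt))" -ge "$(($max))" ]; }; then
        echo "LOCKED: $(($cnt))/$(($max)) failed authorizations; one slot recovers every $(($ivl)) s"
        return 1
    fi
    echo "ok: $(($cnt))/$(($max)) failed authorizations"
    return 0
}

# decode_tpm_rc: explain a TPM2 response code as printed by Esys
# ("Esys Finish ErrorCode (0x...)"). Format 1 (bit 7 set): low 6 bits are
# the error, bit 6 says parameter vs handle/session, bits 8-11 its number.
# Format 0 (bit 7 clear): low 7 bits are the code, bit 11 marks a warning.
# Only the codes seen in this thread, plus two neighbours, are named.
decode_tpm_rc() {
    rc=$(($1))
    if [ $((rc & 0x80)) -ne 0 ]; then
        err=$((rc & 0x3f))
        n=$(((rc >> 8) & 0xf))
        if [ $((rc & 0x40)) -ne 0 ]; then where="parameter $n"; else where="handle/session $n"; fi
        case $err in
            31) name="TPM_RC_INTEGRITY: integrity check failed (sealed blob does not match this TPM's storage key, e.g. sealed before a TPM clear; re-enroll)" ;;
            14) name="TPM_RC_AUTH_FAIL: authorization failed (counts toward DA lockout)" ;;
            *)  name="format-1 error 0x$(printf '%02x' "$err")" ;;
        esac
        echo "$where: $name"
    else
        code=$((rc & 0x7f))
        if [ $((rc & 0x800)) -ne 0 ]; then kind=warning; else kind=error; fi
        case $code in
            33) name="TPM_RC_LOCKOUT: TPM is in dictionary-attack lockout; wait out TPM2_PT_LOCKOUT_INTERVAL or clear the lockout, then retry" ;;
            34) name="TPM_RC_RETRY: TPM busy, retry the command" ;;
            *)  name="format-0 $kind 0x$(printf '%02x' "$code")" ;;
        esac
        echo "$kind: $name"
    fi
}

# Demonstration on the constructed sample and on the two codes from the thread.
printf '%s\n' "$SAMPLE_GETCAP" | tpm_da_state || true
decode_tpm_rc 0x921
decode_tpm_rc 0x1df
```

The first post's 0x921 and the last post's 0x1df are different problems: the first clears once the DA counter is reset, the second persists until `systemd-cryptenroll --tpm2-device=auto` is run again on the partition so that a fresh blob is sealed under the TPM's current storage key (the old TPM2 slot can be wiped with `--wipe-slot=tpm2`).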