Clevis error: cannot bind LUKS against TPM2 pcr_ids

MoWeed
Posts: 2
Joined: 2020/10/22 03:56:29


Post by MoWeed » 2020/10/22 04:09:32

Hi,
I'm relatively new to CentOS and currently working on binding LUKS using clevis tpm2.
Upon binding a LUKS partition using clevis

command: clevis luks bind -d /dev/sdb1 tpm2 '{"pcr_ids":"7"}'
it throws an error.
ERROR: pcr-input-file filesize does not match pcr set-list
ERROR: Failed parse_policy_type_and_send_command
ERROR: Unable to run tpm2_createpolicy
As per my findings, the error persists with "pcr_ids":"7".
I'm not sure if this is the right forum for such a query, but I couldn't find any valid solution for a while now.

CentOS version: 8.2.2004
TPM2 library: tpm2-tools v 3.2.1
clevis: v 11
Machine: Dell Poweredge R440

IICODECll
Posts: 3
Joined: 2020/10/13 00:28:36

Re: Clevis error: cannot bind LUKS against TPM2 pcr_ids

Post by IICODECll » 2020/10/24 14:42:42

If there is a TPM device available to the machine, you should see /dev/tpm0 and /dev/tpmrm0. If you do not see a TPM device, try starting the tpm2-abrmd service:

$ sudo systemctl start tpm2-abrmd.service
$ sudo systemctl enable tpm2-abrmd.service
You may notice the permissions of the character device are assigned to root. I noticed this after installing the required packages for the first time. Use udevadm to reset the permissions appropriately, or reboot the machine.

$ ls -l /dev/tpm*
crw-------. 1 root root  10,   224 Mar 15 14:58 /dev/tpm0
crw-------. 1 root root 254, 65536 Mar 15 14:58 /dev/tpmrm0
$ sudo udevadm trigger
$ ls -l /dev/tpm*
crw-rw----. 1 tss root  10,   224 Mar 15 14:58 /dev/tpm0
crw-rw----. 1 tss tss  254, 65536 Mar 15 14:58 /dev/tpmrm0
Test Clevis encryption and decryption with TPM device

Let’s ensure we can properly communicate with the TPM device. Use tpm2_pcrlist to display all possible PCR values. In my case I have a sha1 and sha256 bank.

$ tpm2_pcrlist -s
Supported Bank/Algorithm: sha1(0x0004) sha256(0x000b)
$ tpm2_pcrlist
sha1 :
  0  : 0000000000000000000000000000000000000000
  1  : 0000000000000000000000000000000000000000
  2  : 0000000000000000000000000000000000000000
  3  : 0000000000000000000000000000000000000000
  4  : 0000000000000000000000000000000000000000
  5  : 0000000000000000000000000000000000000000
  6  : 0000000000000000000000000000000000000000
  7  : 0000000000000000000000000000000000000000
  8  : 0000000000000000000000000000000000000000
  9  : 0000000000000000000000000000000000000000
  10 : 0000000000000000000000000000000000000000
  11 : 0000000000000000000000000000000000000000
  12 : 0000000000000000000000000000000000000000
  13 : 0000000000000000000000000000000000000000
  14 : 0000000000000000000000000000000000000000
  15 : 0000000000000000000000000000000000000000
  16 : 0000000000000000000000000000000000000000
  17 : ffffffffffffffffffffffffffffffffffffffff
  18 : ffffffffffffffffffffffffffffffffffffffff
  19 : ffffffffffffffffffffffffffffffffffffffff
  20 : ffffffffffffffffffffffffffffffffffffffff
  21 : ffffffffffffffffffffffffffffffffffffffff
  22 : ffffffffffffffffffffffffffffffffffffffff
  23 : 0000000000000000000000000000000000000000
sha256 :
  0  : 0000000000000000000000000000000000000000000000000000000...
  1  : 0000000000000000000000000000000000000000000000000000000...
  2  : 0000000000000000000000000000000000000000000000000000000...
  3  : 0000000000000000000000000000000000000000000000000000000...
  4  : 0000000000000000000000000000000000000000000000000000000...
  5  : 0000000000000000000000000000000000000000000000000000000...
  6  : 0000000000000000000000000000000000000000000000000000000...
  7  : 0000000000000000000000000000000000000000000000000000000...
  8  : 0000000000000000000000000000000000000000000000000000000...
  9  : 0000000000000000000000000000000000000000000000000000000...
  10 : 0000000000000000000000000000000000000000000000000000000...
  11 : 0000000000000000000000000000000000000000000000000000000...
  12 : 0000000000000000000000000000000000000000000000000000000...
  13 : 0000000000000000000000000000000000000000000000000000000...
  14 : 0000000000000000000000000000000000000000000000000000000...
  15 : 0000000000000000000000000000000000000000000000000000000...
  16 : 0000000000000000000000000000000000000000000000000000000...
  17 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
  18 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
  19 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
  20 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
  21 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
  22 : fffffffffffffffffffffffffffffffffffffffffffffffffffffff...
  23 : 0000000000000000000000000000000000000000000000000000000...
To bind a Clevis encryption client to a TPM device, use the clevis encrypt tpm2 sub-command:

$ echo "Hello World." > PLAINTEXT
$ clevis encrypt tpm2 '{}' < PLAINTEXT > JWE
$ cat JWE && echo
eyJhb...gI59Q
I’ve chosen to seal the data against PCR indexes 7 and 11 of the sha256 bank:

$ echo "Hello World." > PLAINTEXT
$ sudo clevis encrypt tpm2 '{ "pcr_bank":"sha256", "pcr_ids": "7,11" }' < PLAINTEXT > JWE
$ cat JWE && echo
eyJhb...XZ3ug
If the machine has a TPM 2.0 device, PCR index 7 support is required. PCR indexes 7 and 11 are tied to Secure Boot for integrity validation. Other combinations may be used when PCR index 7 is not available: PCR 0, 2, 4, and 11.

To decrypt the data, provide the ciphertext (JWE):

$ sudo clevis decrypt tpm2 < JWE
Hello World.
Configure Manual Enrollment of Root Volumes

To automatically unlock an existing LUKS-encrypted volume, install the clevis-luks subpackage and bind the volume to the TPM device using the clevis luks bind command:

$ sudo yum install clevis-luks
$ sudo clevis luks bind -d /dev/devnode tpm2 \
    '{ "pcr_bank":"sha256", "pcr_ids": "7,11" }'
Note: replace devnode with the appropriate block device.
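A pre-flight check for the bind step above, added here as an example; it is not code from this thread, from Clevis or from tpm2-tools, and the file name preflight.sh and the function names are mine. It parses the two tpm2_pcrlist output formats shown in the reply (tpm2-tools 3.x) and refuses to emit a bind configuration when the requested pcr_bank is not in the TPM's supported-bank list (the first post's command left pcr_bank out, and the original poster later reports that the bind only worked after changing the TPM's active algorithm, so the bank in the policy and the bank the TPM offers have to agree), when the pcr_ids list is malformed, or when a requested PCR holds only zeros, since a policy bound to a PCR nothing has been measured into ties the key to no boot state. Note that in the reply's own dump PCR 7 is zero in both banks; on that machine the check would refuse the bind until firmware actually extends PCR 7. The sample bank line and PCR dump are constructed from the values in the reply plus two made-up non-zero sha256 digests.

```shell
#!/bin/sh
# Added example: pre-flight checks before 'clevis luks bind -d DEV tpm2 CFG'.
# Not code from the thread, Clevis or tpm2-tools. It reads the output formats
# of tpm2_pcrlist from tpm2-tools 3.x as shown in the reply above; the sample
# inputs at the bottom are constructed, not captured from a real machine.

# bank_supported BANKS_LINE BANK
# BANKS_LINE is the "Supported Bank/Algorithm: sha1(0x0004) sha256(0x000b)"
# line printed by 'tpm2_pcrlist -s'. Succeeds if BANK is one of the names.
bank_supported() {
    names=$(printf '%s\n' "$1" | sed 's/^Supported Bank\/Algorithm://; s/([^)]*)//g')
    case " $names " in
        *" $2 "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# pcr_ids_valid IDS
# IDS is the comma-separated "pcr_ids" string. Each entry must be an integer
# in 0..23 (a TPM 2.0 has 24 PCRs); empty entries and other characters fail.
pcr_ids_valid() {
    case $1 in
        ''|,*|*,|*,,*|*[!0-9,]*) return 1 ;;
    esac
    for id in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$id" -le 23 ] || return 1
    done
    return 0
}

# pcr_value PCRLIST_OUTPUT BANK ID
# Pulls one PCR value out of the plain 'tpm2_pcrlist' dump, whose bank header
# lines look like "sha256 :" and whose value lines look like "  7  : <hex>".
pcr_value() {
    printf '%s\n' "$1" | awk -v bank="$2" -v id="$3" '
        NF == 2 && $2 == ":"                 { cur = $1; next }
        cur == bank && $1 == id && $2 == ":" { print $3; exit }'
}

# pcr_unextended PCRLIST_OUTPUT BANK ID
# Succeeds if the PCR holds only zeros, i.e. nothing has been extended into it
# since reset. A policy bound to such a PCR ties the key to no boot state.
pcr_unextended() {
    v=$(pcr_value "$1" "$2" "$3")
    [ -n "$v" ] || return 1
    case $v in
        *[!0]*) return 1 ;;
    esac
    return 0
}

# clevis_tpm2_config BANK IDS
# Prints the JSON configuration string for 'clevis luks bind -d DEV tpm2'.
clevis_tpm2_config() {
    printf '{"pcr_bank":"%s","pcr_ids":"%s"}\n' "$1" "$2"
}

# preflight BANKS_LINE PCRLIST_OUTPUT BANK IDS
# Runs every check and prints the config on success. Exit status:
#   1  BANK is not offered by the TPM
#   2  IDS is not a valid pcr_ids list
#   3  a requested PCR is missing from the dump or has never been extended
preflight() {
    banks=$1; pcrs=$2; bank=$3; ids=$4
    if ! bank_supported "$banks" "$bank"; then
        echo "refusing: bank '$bank' not offered by the TPM ($banks)" >&2
        return 1
    fi
    if ! pcr_ids_valid "$ids"; then
        echo "refusing: pcr_ids '$ids' must be comma-separated integers 0..23" >&2
        return 2
    fi
    for id in $(printf '%s' "$ids" | tr ',' ' '); do
        if [ -z "$(pcr_value "$pcrs" "$bank" "$id")" ]; then
            echo "refusing: $bank PCR $id not present in tpm2_pcrlist output" >&2
            return 3
        fi
        if pcr_unextended "$pcrs" "$bank" "$id"; then
            echo "refusing: $bank PCR $id is all zeros, nothing has been measured into it" >&2
            return 3
        fi
    done
    clevis_tpm2_config "$bank" "$ids"
}

# Constructed sample inputs: the bank line from the reply, a trimmed PCR dump
# with the reply's all-zero sha1 PCR 7, and two made-up non-zero sha256 digests.
SAMPLE_BANKS='Supported Bank/Algorithm: sha1(0x0004) sha256(0x000b)'
SAMPLE_PCRS='sha1 :
  0  : 0000000000000000000000000000000000000000
  7  : 0000000000000000000000000000000000000000
  17 : ffffffffffffffffffffffffffffffffffffffff
sha256 :
  0  : 0000000000000000000000000000000000000000000000000000000000000000
  7  : 5c2f1b4ef4a0a6b1cfa9d5f2ff4db9bb8f0ef4b0d0cd9a70e0a1f87c2b4e5d11
  11 : 9a3c0d4f7e1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5
  17 : ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'

# Run as: sh preflight.sh sha256 7,11
# Uses the live TPM when tpm2_pcrlist (tpm2-tools 3.x) is installed, otherwise
# the constructed sample. With no arguments it only defines the functions.
if [ $# -ge 2 ]; then
    if command -v tpm2_pcrlist >/dev/null 2>&1; then
        preflight "$(tpm2_pcrlist -s)" "$(tpm2_pcrlist)" "$1" "$2"
    else
        preflight "$SAMPLE_BANKS" "$SAMPLE_PCRS" "$1" "$2"
    fi
fi
```

On a machine that passes, the printed string is the config argument for the bind command in the reply, e.g. `sudo clevis luks bind -d /dev/sdb1 tpm2 "$(sh preflight.sh sha256 7,11)"`; the bank name is passed explicitly rather than relying on Clevis's default, so the policy and the TPM's active bank cannot silently drift apart.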

MoWeed
Posts: 2
Joined: 2020/10/22 03:56:29

Re: Clevis error: cannot bind LUKS against TPM2 pcr_ids

Post by MoWeed » 2020/10/26 04:47:48

Thank you for the quick reply @IICODECll

This really helped. I also found out that I was unable to do this before since I was using Intel TXT with TPM2 algorithm SHA256 enabled.
As soon as I changed it back to SHA1 it started working.
