
Bug#1065392: linux-image-6.7.7-amd64: Regression : "Failed to unseal secret using TPM2: Invalid argument"



Package: src:linux
Version: 6.7.7-1
Severity: normal

Dear Maintainer,

Decrypting my home LUKS partition at boot with tpm2 works fine with linux-image-6.6.15-amd64 but fails with linux-image-6.7.7-amd64.

systemd-cryptsetup gives the following messages:

mars 03 17:10:51 myrtille systemd[1]: Starting systemd-cryptsetup@home.service - Cryptography Setup for home...
mars 03 17:10:52 myrtille systemd-cryptsetup[500]: WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
mars 03 17:10:52 myrtille systemd-cryptsetup[500]: ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x00000128)
mars 03 17:10:52 myrtille systemd-cryptsetup[500]: Failed to unseal secret using TPM2: Invalid argument
mars 03 17:10:52 myrtille systemd-cryptsetup[500]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/e560bff8-34ab-40d7-ac80->
mars 03 17:10:53 myrtille systemd-cryptsetup[500]: WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error
mars 03 17:10:53 myrtille systemd-cryptsetup[500]: ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x00000128)
mars 03 17:10:53 myrtille systemd-cryptsetup[500]: Failed to unseal secret using TPM2: Invalid argument

I enroll the TPM key with systemd-cryptenroll using the default PCR 7, and Secure Boot is enabled.

$ systemd-cryptenroll --tpm2-device=list
PATH        DEVICE     DRIVER 
/dev/tpmrm0 IFX1522:00 tpm_tis

Regards

-- Package-specific info:
** Version:
Linux version 6.7.7-amd64 (debian-kernel@lists.debian.org) (x86_64-linux-gnu-gcc-13 (Debian 13.2.0-16.1) 13.2.0, GNU ld (GNU Binutils for Debian) 2.42) #1 SMP PREEMPT_DYNAMIC Debian 6.7.7-1 (2024-03-02)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-6.7.7-amd64 root=UUID=6dc0e7ec-e588-4c76-8c94-0ad097ce4975 ro acpi_backlight=video systemd.show-status=true systemd.restore_state=0 quiet

** Not tainted

** Kernel log:

** Model information
sys_vendor: LENOVO
product_name: 21BVCTO1WW
product_version: ThinkPad T16 Gen 1
chassis_vendor: LENOVO
chassis_version: None
bios_vendor: LENOVO
bios_version: N3MET18W (1.17 )
board_vendor: LENOVO
board_name: 21BVCTO1WW
board_version: Not Defined

** Loaded modules:

** PCI devices:
not available

** USB devices:
not available


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.7.7-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-image-6.7.7-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.142
ii  kmod                                    31+20240202-2
ii  linux-base                              4.9

Versions of packages linux-image-6.7.7-amd64 recommends:
ii  apparmor             3.0.12-1+b2
pn  firmware-linux-free  <none>

Versions of packages linux-image-6.7.7-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-efi-amd64          2.12-1
pn  linux-doc-6.7           <none>

Versions of packages linux-image-6.7.7-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
ii  firmware-iwlwifi          20230625-2
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
ii  firmware-misc-nonfree     20230625-2
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information
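
An added example, not part of the original report: a small decoder for the `ErrorCode` value that tpm2-tss prints in the journal lines above, following the response-code layout in the TPM 2.0 Library specification (Part 2). The name tables are a hand-picked subset of that specification, and the function names (`decode_rc`, `codes_in_log`) are this example's own.

```python
import re

# Subset of TPM_RC values from the TPM 2.0 Library specification, Part 2.
FMT0 = {0x124: "TPM_RC_AUTH_TYPE", 0x125: "TPM_RC_AUTH_MISSING",
        0x126: "TPM_RC_POLICY", 0x127: "TPM_RC_PCR",
        0x128: "TPM_RC_PCR_CHANGED",  # spec text: "PCR have changed since checked"
        0x921: "TPM_RC_LOCKOUT", 0x922: "TPM_RC_RETRY"}
FMT1 = {0x084: "TPM_RC_VALUE", 0x08E: "TPM_RC_AUTH_FAIL",
        0x09D: "TPM_RC_POLICY_FAIL", 0x0A2: "TPM_RC_BAD_AUTH"}

ERRCODE = re.compile(r"ErrorCode \((0x[0-9a-fA-F]+)\)")

# Journal lines copied from the report (timestamp and host prefix trimmed).
SAMPLE = [
    "WARNING:esys:src/tss2-esys/api/Esys_Unseal.c:295:Esys_Unseal_Finish() Received TPM Error",
    "ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:98:Esys_Unseal() Esys Finish ErrorCode (0x00000128)",
    "Failed to unseal secret using TPM2: Invalid argument",
]

def decode_rc(rc):
    """Split a 32-bit TSS2 return code into layer, format and symbolic name."""
    layer, code = (rc >> 16) & 0xFF, rc & 0xFFF
    if layer != 0:
        # Non-zero layer: raised by the TSS software stack, not by the TPM.
        return {"layer": layer, "format": None, "name": None}
    if code & 0x080:
        # Format-one: bits 5:0 error number, bit 6 = parameter, bits 11:8 = index.
        if code & 0x040:
            subject, index = "parameter", (code >> 8) & 0xF
        else:
            subject = "session" if code & 0x800 else "handle"
            index = (code >> 8) & 0x7
        return {"layer": 0, "format": 1, "name": FMT1.get(code & 0x0BF),
                "subject": subject, "index": index}
    # Format-zero: bit 8 = TPM 2.0 code, bit 11 = warning rather than error.
    return {"layer": 0, "format": 0, "name": FMT0.get(code),
            "warning": bool(code & 0x800)}

def codes_in_log(lines):
    """Return (raw code, decoded dict) for every ErrorCode found in the lines."""
    found = []
    for line in lines:
        m = ERRCODE.search(line)
        if m:
            rc = int(m.group(1), 16)
            found.append((rc, decode_rc(rc)))
    return found

if __name__ == "__main__":
    for rc, info in codes_in_log(SAMPLE):
        print(f"{rc:#010x} -> {info}")
```

For the value in this report the decoder yields a TPM-layer, format-zero error named `TPM_RC_PCR_CHANGED`; codes outside the two tables decode with `name` set to `None`.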

