Bug 1228411

Summary: Still required to enter recovery key after running update-predictions
Product: [openSUSE] openSUSE Aeon Reporter: Tim Kwakman <tim>
Component: BaseAssignee: Richard Brown <rbrown>
Status: RESOLVED DUPLICATE QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None    
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Tim Kwakman 2024-07-29 11:24:20 UTC 
User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Build Identifier: 

After updating "Secure boot dbx Configuration" though Gnome Software I had to update my TPM so it would unlock my disk again but at first it threw an error (see log #1 in additional information) after removing the file "/var/lib/systemd/pcrlock.json" the error was gone (see log #2), but unlocking was still not automatic until I manually re-enrolled tpm:

systemd-cryptenroll --wipe-slot 2
systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2

Reproducible: Always

Steps to Reproduce:
1. Make some kind of change that changes the PCR policy
2. Try to run "sdbootutil -vv --ask-pin update-predictions"
Actual Results:  
I got an error: "Failed to write to NV index: State not recoverable" - See log #1 in additional information

Expected Results:  
Not having to enter my recovery key on boot after running update-predictions

Log #1: https://paste.opensuse.org/pastes/789f3934b500
Log #2: https://paste.opensuse.org/pastes/c0329cf757d2

To file this bug report I had to reproduce the problem by changing something in my ufi settings and because I already "solved" the issue with a workaround in the past by running:

systemd-cryptenroll --wipe-slot 2
systemd-cryptenroll --tpm2-device=auto /dev/nvme0n1p2

I'm not sure if that is the reason why I have to re-run those two commands to not get the recovery key prompt. I have not confirmed if removing the "/var/lib/systemd/pcrlock.json" file and simply re-running the "update-predictions" command works if I did not manually remove tpm and re-add it using systemd-cryptenroll as I'd have to reinstall.
Comment 1 Tim Kwakman 2024-07-29 11:25:39 UTC 
My system:

MB: Gigabyte Technology Co., Ltd. B550I AORUS PRO AX
CPU: AMD Ryzen™ 5 5600X × 12
GPU: AMD Radeon™ Pro WX 3200 Series
Comment 2 Richard Brown 2024-07-29 11:33:14 UTC 
Log 1 shows your TPM was hardware locked at the point of recording that log

"Provided PIN incorrect or TPM2 locked after too many retries"

The correct solution to resolving that issue is recorded here:

https://en.opensuse.org/Portal:Aeon/Troubleshooting#%22Provided_PIN_Incorrect_or_TPM2_locked_after_too_many_retries%22

There isn't a timestamp between Logs #1 and #2, but it's possible your workaround only worked because sufficient time passed between Log #1 to allow any re-enrollment to work

Because, if the TPM was still locked, your workaround of wiping slot should have been blocked also. (Or..it might have been blocked.. I think your removing the /var/lib/systemd/pcrlock.json did nothing besides spend time that might have helped)

Therefore there's no evidence of an actual bug here, just an incorrect reaction to your hardwares warning in Log #1 resulting in a satisfactory conclusion after time or persistence.
Comment 3 Tim Kwakman 2024-07-29 11:40:36 UTC 
(In reply to Richard Brown from comment #2)
> Log 1 shows your TPM was hardware locked at the point of recording that log
> 
> "Provided PIN incorrect or TPM2 locked after too many retries"
> 
> The correct solution to resolving that issue is recorded here:
> 
> https://en.opensuse.org/Portal:Aeon/
> Troubleshooting#%22Provided_PIN_Incorrect_or_TPM2_locked_after_too_many_retri
> es%22
> 
> There isn't a timestamp between Logs #1 and #2, but it's possible your
> workaround only worked because sufficient time passed between Log #1 to
> allow any re-enrollment to work
> 
> Because, if the TPM was still locked, your workaround of wiping slot should
> have been blocked also. (Or..it might have been blocked.. I think your
> removing the /var/lib/systemd/pcrlock.json did nothing besides spend time
> that might have helped)
> 
> Therefore there's no evidence of an actual bug here, just an incorrect
> reaction to your hardwares warning in Log #1 resulting in a satisfactory
> conclusion after time or persistence.

Creation of log #1: 29 July 2024 12∶36∶18
Creation of log #2: 29 July 2024 13∶03∶19

I did run "Clear TPM" from the bios settings, it did not resolve the issue. Yesterday I tried things for hours - The update-predictions command always returned the error, the wipe-slot command always worked if I remember correctly.

What can I check to confirm if this is a bug or just lucky timing?
Comment 4 Richard Brown 2024-07-29 11:42:04 UTC 
(In reply to Tim Kwakman from comment #3)

> 
> Creation of log #1: 29 July 2024 12∶36∶18
> Creation of log #2: 29 July 2024 13∶03∶19
> 
> I did run "Clear TPM" from the bios settings, it did not resolve the issue.
> Yesterday I tried things for hours - The update-predictions command always
> returned the error, the wipe-slot command always worked if I remember
> correctly.
> 
> What can I check to confirm if this is a bug or just lucky timing?


I don't know. that would have to be a function of your systems hardware TPM. 

It's your hardware which locked everything and there's no log shown so far that shows any problem with Aeon writing to an unlocked TPM but failing
Comment 5 Richard Brown 2024-07-30 10:34:13 UTC 
Considering this bug as a duplicate of 1228416 and that's likely to have been the root cause.. though it's hard to say for sure without a better understanding of the systems own TPM logs

*** This bug has been marked as a duplicate of bug 1228416 ***