[Bug 1228859] New: Can not update TPM 2.0 predictions with nvidia drivers installed
https://bugzilla.suse.com/show_bug.cgi?id=1228859 Bug ID: 1228859 Summary: Can not update TPM 2.0 predictions with nvidia drivers installed Classification: openSUSE Product: openSUSE.org Version: unspecified Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: 3rd party software Assignee: screening-team-bugs@suse.de Reporter: vortex@z-ray.de QA Contact: screening-team-bugs@suse.de Target Milestone: --- Found By: --- Blocker: --- Hello there this came to my attention during boo#1224773 and as it list a slightly different issue I felt like opening up a new bug for this one even though it might be some what related. After manually fixing the nvidia driver installation on Aeon RC3 as described in the other bug report: - Manually generating a new initrd file using tu initrd - Moving the initrd file to /boot/efi/opensuse-aeon/KERNEL_VERSION/ - Fixing the latest boot entry to point towards the new initrd The user will (obviously) promoted to in put the TPM recovery key on every boot. According to the Aeon wiki (https://en.opensuse.org/Portal:Aeon/Encryption#Remeasuring_Boot_Integrity) this should be fixable by simply running:
sudo sdbootutil update-predictions
WARNING:esys:src/tss2-esys/api/Esys_PolicyOR.c:286:Esys_PolicyOR_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_PolicyOR.c:100:Esys_PolicyOR() Esys Finish ErrorCode (0x000001c4) Failed to add OR policy to TPM: tpm:parameter(1):value is out of range or is not correct for the context Failed to submit super PCR policy: State not recoverable Error creating the policy! Please, provide the recovery PIN to register the new policy NVIndex policy created
But that doesn't work. Then I tried:
sudo sdbootutil --ask-pin update-predictions
Recovery PIN: WARNING:esys:src/tss2-esys/api/Esys_NV_Write.c:310:Esys_NV_Write_Finish() Received TPM Error ERROR:esys:src/tss2-esys/api/Esys_NV_Write.c:110:Esys_NV_Write() Esys Finish ErrorCode (0x0000099d) Failed to write to NV index: State not recoverable Error creating the policy! Provided PIN incorrect or TPM2 locked after too many retries NVIndex policy created
I tested this multiple times yesterday and today and I am 90% confident I input my recovery key right. I mean I booted the system with it ^^" but as you can see still no luck to update the predictions for the TPM module either. At this point I am not quite sure if the issue will solve itself as soon as issue 1224773 is solved as I manually tampered with the system and the initrd to fix the driver installation. Kind regards, Imo. -- You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1228859 Chenzi Cao <chcao@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Product|openSUSE.org |openSUSE Aeon Assignee|screening-team-bugs@suse.de |rbrown@suse.com Component|3rd party software |Base QA Contact|screening-team-bugs@suse.de |qa-bugs@suse.de Version|unspecified |Current -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com