can't re-install uc20 with provisioned tpm, even after manually clearing

Bug #1879338 reported by Ian Johnson
This bug affects 2 people
Affects: snapd
Status: Fix Released
Importance: High
Assigned to: Claudio Matsuoka
Milestone: 2.45

Bug Description

After installing a uc20 image with tpm and secure boot turned on, and going to re-install it I reset the tpm after shutting down the VM and upon booting it into install mode it still fails to reinstall with the following message:

$ snap tasks 2
Status Spawn Ready Summary
Error today at 14:35 UTC today at 14:35 UTC Setup system for run mode

......................................................................
Setup system for run mode

2020-05-18T14:35:38Z ERROR cannot create partitions: cannot seal the encryption key: cannot seal and store encryption key: cannot seal data: cannot create key data file: open /run/mnt/ubuntu-seed/device/fde/ubuntu-data.sealed-key: file exists

This seems to stem from https://github.com/snapcore/secboot/blob/master/seal.go#L169 which opens the key file with os.O_CREATE, so it cannot overwrite an existing keyfile, but I think in this situation we do want to overwrite the existing keyfile as the TPM is not provisioned (in my case I manually reset the swtpm permall file after it got provisioned for the first install mode boot) and so the keyfile that is there is in effect useless, so the expectation would be that upon re-install mode we would re-provision the TPM with a new keyfile.

Tags: uc20
tags: added: uc20
Samuele Pedroni (pedronis) wrote :

As we discussed, the issue is really that the code clearing/recreating the partition should also remove the file (it is useless anyway once we drop the partition).
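The failure in the description and the fix direction in the comment above, as an added Go example that is not snapd or secboot code: `writeSealedKey` stands in for the key data file creation (an exclusive create, `os.O_CREATE|os.O_EXCL`, is what produces the "file exists" error seen in the log), and `clearStaleSealedKey` removes the leftover key when the data partition is recreated; the directory, blob and function names are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const sealedKeyName = "ubuntu-data.sealed-key" // from the report's error path

// writeSealedKey stands in for the key data file creation: an exclusive
// create, so a leftover file from a previous install yields "file exists".
func writeSealedKey(fdeDir string, sealed []byte) error {
	f, err := os.OpenFile(filepath.Join(fdeDir, sealedKeyName),
		os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return fmt.Errorf("cannot create key data file: %w", err)
	}
	defer f.Close()
	_, err = f.Write(sealed)
	return err
}

// clearStaleSealedKey is the fix direction from the thread: once the data
// partition is dropped, the old sealed key is useless, so remove it first.
func clearStaleSealedKey(fdeDir string) error {
	err := os.Remove(filepath.Join(fdeDir, sealedKeyName))
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		return err
	}
	return nil
}

// reinstall models one install-mode run; clearFirst selects the fixed flow.
func reinstall(fdeDir string, clearFirst bool) error {
	if clearFirst {
		if err := clearStaleSealedKey(fdeDir); err != nil {
			return err
		}
	}
	// Constructed placeholder for the sealed key blob.
	return writeSealedKey(fdeDir, []byte("constructed sealed key blob"))
}

func main() {
	dir, _ := os.MkdirTemp("", "fde")
	defer os.RemoveAll(dir)
	fmt.Println(reinstall(dir, false), reinstall(dir, false), reinstall(dir, true))
}
```

The second call reproduces the "file exists" error; the third succeeds because the stale key is removed before sealing again.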

Michael Vogt (mvo)
Changed in snapd:
importance: Undecided → High
Michael Vogt (mvo)
Changed in snapd:
assignee: nobody → Claudio Matsuoka (cmatsuoka)
Changed in snapd:
status: New → Confirmed
Vic Liu (zongminl) wrote :

This issue could still be reproduced with uc20-beta-20200527.5

Vic Liu (zongminl) wrote :

Log in comment #2 was captured after a reboot with command systemd.debug-shell=1; this is the screen capture at the moment reinstall failed.

Claudio Matsuoka (cmatsuoka) wrote :

Ian has a fix for this but I believe it never landed. We'll confirm the status with him when he returns tomorrow.

Claudio Matsuoka (cmatsuoka) wrote :

Amend that, tomorrow would be too late so we'll see what to do today.

Michael Vogt (mvo) wrote :

https://github.com/snapcore/snapd/pull/8762 is currently being worked on

Michael Vogt (mvo)
Changed in snapd:
status: Confirmed → In Progress
Changed in snapd:
status: In Progress → Fix Released
milestone: none → 2.45
Vic Liu (zongminl) wrote :

Tested 20200529.3 on Intel NUC NUC7CJYH with Secure Boot on, reinstalling system with provisioned TPM after manually cleared TPM with `echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request` is working fine now.
