Hello Timo and Andreas, thanks for the updates. Today I tested the
corresponding packages; please refer to my comments.

I tested the Jammy version of this package by following the test plan
described above:

1. Install a Jammy image on a Jetson AGX Orin development kit:
`jammy-preinstalled-server-arm64+tegra-jetson.img.xz`

2. Run the commands shown below; the following error will be displayed:
"authorizations for objects subject to DA protection are not allowed at
this time because the TPM is in DA lockout mode".

   ```
   $ sudo apt install clevis-tpm2 -y
   $ sudo chmod 666 /dev/tpmrm0
   $ rand=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c32768)
   $ result=$(echo -n $rand | clevis-encrypt-tpm2 '{"hash": "sha256", "key":"ecc", "pcr_bank":"sha256","pcr_ids":"0,1"}' | clevis-decrypt-tpm2)
   $ [[ $result == $rand ]] && echo "The strings are the same" || echo "there was an error"
   ```

3. Repeat the same as above using RSA instead, i.e.,
`result=$(echo -n $rand | clevis-encrypt-tpm2 '{"hash": "sha256", "key":"rsa", "pcr_bank":"sha256","pcr_ids":"0,1"}' | clevis-decrypt-tpm2)`.
Similarly, the previously mentioned error will be displayed.

4. Enable jammy-proposed packages and upgrade the package from
1.3~22.04.3 to 1.3~22.04.4, using the commands below.

   ```
   $ sudo sh -c "echo 'deb http://ports.ubuntu.com/ubuntu-ports/ $(lsb_release -cs)-proposed restricted main multiverse universe' | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list"
   $ sudo apt update
   $ sudo apt install -y nvidia-tegra-defaults/jammy-proposed
   $ sudo dpkg -l nvidia-tegra-defaults
   Desired=Unknown/Install/Remove/Purge/Hold
   | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
   |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
   ||/ Name                  Version      Architecture Description
   +++-=====================-============-============-===========================>
   ii  nvidia-tegra-defaults 1.3~22.04.4  arm64        Configuration files specifi
   ```

5. Run the ECC and the RSA testing commands again; now the following
message should be displayed in both cases: `The strings are the same`.

https://bugs.launchpad.net/bugs/2119159

Title:
  [SRU] [Nano] [Agx] [Nx] DA Lockout issues when performing encrypt and
  decrypt operations using ECC or RSA through clevis-encrypt-tpm2
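
To tell a DA-lockout failure apart from other decrypt errors while running the test plan above, the TPM's dictionary-attack state can be read before and after each step. This is an added example, not part of the original message or of the package: it parses the output of `tpm2_getcap properties-variable` (tpm2-tools), the sample text and its values are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: classify the TPM dictionary-attack (DA) state from the text
# that `tpm2_getcap properties-variable` prints. Function names are hypothetical.

# Reads tpm2_getcap output on stdin and prints "<state> counter=<n> max=<n>".
da_state() {
    local key val locked="" counter="" max="" state
    while read -r key val _; do
        case "$key" in
            inLockout:)               locked=$val ;;                    # bit in TPM2_PT_PERMANENT
            TPM2_PT_LOCKOUT_COUNTER:) counter=$(printf '%d' "$val") ;;  # hex -> decimal
            TPM2_PT_MAX_AUTH_FAIL:)   max=$(printf '%d' "$val") ;;
        esac
    done
    if [ -z "$locked" ] || [ -z "$counter" ] || [ -z "$max" ]; then
        echo "unknown"    # expected properties missing from the input
        return 2
    fi
    if [ "$locked" = 1 ]; then
        state=lockout              # authorizations on DA-protected objects are refused
    elif [ "$counter" -gt 0 ]; then
        state=failures-recorded    # not locked, but failed authorizations are counted
    else
        state=clear
    fi
    echo "$state counter=$counter max=$max"
}

# Constructed sample in the layout tpm2_getcap uses (not captured from a device).
# $1 = inLockout bit, $2 = failure counter in hex.
sample_getcap() {
    printf '%s\n' \
        'TPM2_PT_PERMANENT:' \
        '  lockoutAuthSet:            0' \
        "  inLockout:                 $1" \
        "TPM2_PT_LOCKOUT_COUNTER: $2" \
        'TPM2_PT_MAX_AUTH_FAIL: 0x20' \
        'TPM2_PT_LOCKOUT_INTERVAL: 0x1C20'
}

# On the device under test: tpm2_getcap properties-variable | da_state
sample_getcap 1 0x20 | da_state
sample_getcap 0 0x0  | da_state
```

Running it before step 2 and again after step 5 shows whether the failure counter moves during the encrypt and decrypt round trip.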