[Bug 2119159] Re: [SRU] [Nano] [Agx] [Nx] DA Lockout issues when performing encrypt and decrypt operations using ECC or RSA through clevis-encrypt-tpm2

Fri, 29 Aug 2025 16:25:43 -0700 

I tested the Questing version of this package by following the test plan
described above:

1. Install a Noble image on a Jetson AGX Orin development kit:
`ubuntu-24.04-preinstalled-server-thor-arm64+jetson.img.xz`

2. Run the commands shown below, the following error will be displayed:
"authorizations for objects  subject to DA protection are not allowed at
this time because the TPM is in DA lockout mode".

   ```
   $ sudo apt install clevis-tpm2 -y
   $ sudo chmod 666 /dev/tpmrm0
   $ rand=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c32768)
   $ result=$(echo -n $rand | clevis-encrypt-tpm2 '{"hash": "sha256", 
"key":"ecc", "pcr_bank":"sha256","pcr_ids":"0,1"}' | clevis-decrypt-tpm2)
   $ [[ $result == $rand ]] && echo "The strings are the same" || echo "there 
was an error"
   ```

3. Repeat the same as above using RSA instead i.e., `result=$(echo -n
$rand | clevis-encrypt-tpm2 '{"hash": "sha256", "key":"rsa",
"pcr_bank":"sha256","pcr_ids":"0,1"}' | clevis-decrypt-tpm2)` similarly,
the previously mentioned error will be diplayed.

4. Download the Questing version of the package using the commands
below.

   ```
   $ wget 
https://launchpad.net/ubuntu/+archive/primary/+files/nvidia-tegra-defaults_1.6_arm64.deb
   $ sudo dpkg -i nvidia-tegra-defaults_1.6_arm64.deb
   $ sudo dpkg -l nvidia-tegra-defaults
   Desired=Unknown/Install/Remove/Purge/Hold
   | 
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
   |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
   ||/ Name                  Version      Architecture Description
   
+++-=====================-============-============-===================================================
   ii  nvidia-tegra-defaults 1.6          arm64        Configuration files 
specific to NVIDIA Tegra boards
   ```

5. Run again the ECC and the RSA testing commands now the following
message should be displayed on both cases: `The strings are the same`.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2119159

Title:
  [SRU] [Nano] [Agx] [Nx] DA Lockout issues when performing encrypt and
  decrypt operations using ECC or RSA through clevis-encrypt-tpm2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nvidia-tegra-defaults/+bug/2119159/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to