TL;DR: Trying to enable auto-decryption of two LUKS disks via TPM2 on an Ubuntu 22.04 server with FIPS mode and Secure Boot enabled, and running into a lot of problems interacting with TPM2, I assume because of FIPS mode.
UPDATE 2025-05-22: I can at least confirm that this is FIPS related. I disabled FIPS (sudo ua disable fips-updates), set up clevis auto-unlock as per the linked post below, and rebooted and the auto-unlock worked. I then re-enabled FIPS (sudo ua enable fips-updates) and rebooted and auto-unlock stopped working. If anyone has an idea how to get this working with FIPS mode enabled that'd be much appreciated.
I'm trying to enable auto-decrypt of two LUKS encrypted disks (sda3 and sdb1) on startup using TPM2. The intent is that the disks are encrypted via LUKS in case somebody finds a way to pull the drive and run away with it, but the key is stored in TPM and auto-unlocked so that if the power goes out or the server reboots for some reason, somebody doesn't need to be in person to type the password to boot the server.
I have successfully set this up in a VM on my laptop using clevis as per this answer. The only issue I had was needing to fiddle with /etc/crypttab and /etc/fstab a bit to get clevis to automatically unlock both disks on boot.
When I try to mirror my VM's config on my actual server, I am unable to auto-decrypt the drives. Both the VM and the server are running Ubuntu 22.04.2 LTS. The server has Secure Boot enabled and FIPS mode enabled, which I suspect is likely the problem I'm having, but I'm not 100% sure.
When trying to bind the LUKS key with clevis luks bind -d /dev/sda3 '{"prc_bank":"sha256"}', I get cryptic error messages from tpm2-tools. Some research pointed me at this issue being potentially caused by the "kernel lockdown mode" (this is the first time I've dealt with this feature), so I went down a bit of a rabbit hole trying to figure out a way to disable that to no avail. I later realized my VM also seems to have this lockdown mode enabled (on both machines, the contents of the /sys/kernel/security/lockdown file are [none] integrity confidentiality).
Eventually, I tried booting into a live CD to bind the LUKS key. This worked (I ran clevis luks bind -d /dev/sda3 and it wrote the entry, and I was even able to see it after booting back into the actual install with clevis luks list -d /dev/sda3), but after rebooting and rebuilding the initramfs (update-initramfs -u -k all) and grub (update-grub), clevis still isn't unlocking my disks on boot. I've tried both with and without pcr_ids specified and it doesn't seem to make a difference.
I don't believe I made a mistake in crypttab/fstab, as they seem to match on both my VM and my server.
My /etc/crypttab file looks like:
dm_crypt-0 UUID=<UUID> none luks
dm_crypt-1 UUID=<UUID> none luks,discard,initramfs
and my /etc/fstab file looks like:
...
# Auto-added on initial ubuntu install
/dev/disk/by-id/dm-uuid-LVM-<UUID> / ext4 defaults 0 1
# Manually added by me - I know this should be `0 2` at the end
# but on the VM this prevented clevis from auto-unlocking
# so I changed it to `0 0`
/dev/disk/by-id/dm-uuid-LVM-<UUID> /raid ext4 defaults 0 0
...
Today I tried going a different route and using systemd-cryptenroll, and seem to be getting the same error as what I got from clevis:
$ systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+4 --wipe-slot=1,2 /dev/sdb1
Running in FIPS mode.
Please enter current passphrase for disk /dev/sdb1: (no echo)
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:186:Esys_Unseal_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:75:Esys_Unseal() Error in async function ErrorCode (0x00070001)
Failed to unseal HMAC key in TPM: esapi:Catch all for all errors not otherwise specified
I also tried that systemd-cryptenroll command without the wipe-slot or tpm2-pcrs options specified and get the same error message.
At this point I've run out of things to try and run out of suggested answers on random forum posts, so any suggestions/help would be greatly appreciated. I can't imagine I'm the first person in a FIPS-enabled environment to be trying to set this up, so I'm hoping someone who's gone through this sees this post and can help guide me in the right direction.
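As an added example (not part of the original post), a small Python parser for the tss2 ERROR lines quoted above: it decodes each TSS2_RC into its layer and base code (bit layout from tss2_common.h; the name tables are an abbreviated subset) and reports the innermost frame, which here is the ESAPI OpenSSL HMAC backend (esys_crypto_ossl.c) rather than a response from the TPM itself. The log text is the constructed sample from the post.

```python
import re

# Layer numbers live in bits 16-23 of a TSS2_RC (tss2_common.h).
TSS2_RC_LAYERS = {0x0: "TPM", 0x6: "FEATURE", 0x7: "ESAPI", 0x8: "SYS",
                  0x9: "MU", 0xA: "TCTI", 0xB: "RESMGR", 0xC: "RESMGR_TPM"}
# Abbreviated subset of TSS2_BASE_RC_* (low 16 bits, non-TPM layers).
TSS2_BASE_RC = {0x0001: "GENERAL_FAILURE", 0x0002: "NOT_IMPLEMENTED",
                0x0003: "BAD_CONTEXT", 0x0005: "BAD_REFERENCE",
                0x0008: "NO_CONNECTION", 0x000A: "IO_ERROR",
                0x000B: "BAD_VALUE", 0x000C: "NOT_PERMITTED",
                0x0015: "NOT_SUPPORTED", 0x0017: "MEMORY"}

# ERROR:<module>:<file>:<line>:<func>() <msg> ErrorCode (0x........) <detail>
LINE_RE = re.compile(r"^ERROR:(?P<module>\w+):(?P<file>[^:]+):(?P<line>\d+):"
                     r"(?P<func>\w+)\(\)\s*(?P<msg>.*?)\s*ErrorCode \("
                     r"(?P<rc>0x[0-9A-Fa-f]+)\)\s*(?P<detail>.*)$")

SAMPLE_LOG = """\
ERROR:esys_crypto:src/tss2-esys/esys_crypto_ossl.c:412:iesys_cryptossl_hmac_start() ErrorCode (0x00070001) DigestSignInit
ERROR:esys_crypto:src/tss2-esys/esys_crypto.c:185:iesys_crypto_authHmac() Error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1244:iesys_compute_hmac() HMAC error ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/esys_iutil.c:1354:iesys_gen_auths() Error while computing hmacs ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:186:Esys_Unseal_Async() Error in computation of auth values ErrorCode (0x00070001)
ERROR:esys:src/tss2-esys/api/Esys_Unseal.c:75:Esys_Unseal() Error in async function ErrorCode (0x00070001)
Failed to unseal HMAC key in TPM: esapi:Catch all for all errors not otherwise specified
"""

def decode_rc(rc):
    """Split a TSS2_RC into (layer name, base code, base code name)."""
    layer, base = (rc >> 16) & 0xFF, rc & 0xFFFF
    if layer == 0:  # a real TPM_RC from the chip; needs the TPM2 spec tables
        return {"layer": "TPM", "code": base, "name": "TPM_RC"}
    return {"layer": TSS2_RC_LAYERS.get(layer, "layer%d" % layer),
            "code": base, "name": TSS2_BASE_RC.get(base, "UNKNOWN")}

def parse_tss2_log(text):
    """Return one dict per ERROR line, in log order (innermost frame first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rc = int(m.group("rc"), 16)
            events.append({**m.groupdict(), "rc": rc, **decode_rc(rc)})
    return events

def root_cause(events):
    """tss2 logs unwind outward, so the first ERROR line is where it failed."""
    return events[0] if events else None

def failed_in_host_crypto(events):
    """True when the innermost frame is the ESAPI OpenSSL backend, i.e. the
    error arose on the host before any command reached the TPM."""
    origin = root_cause(events)
    return bool(origin) and "crypto_ossl" in origin["file"]
```

Running parse_tss2_log(SAMPLE_LOG) shows the 0x00070001 code is ESAPI GENERAL_FAILURE raised in iesys_cryptossl_hmac_start at DigestSignInit, which is why systemd-cryptenroll prints the "Catch all" message.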