Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: rhel-10.0
Affects Version/s: rhel-10.0
Component/s: clevis
Labels:

Fixed in Build:
clevis-21-2.el10
Regression:
No
Severity:
Critical
sprint_count:
1

Pool Team:

rhel-sst-security-special-projects
Sub-System Group:

ssg_security

Internal Target Milestone:
13
Story Points:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
SECENGSP Cycle 10

Preliminary Testing:
Pass
Test Link:
https://github.com/RedHat-SP-Security/clevis-tests/blob/master/Other/clevis-boot-unlock-all-pins/runtest.sh
Errata Link:
https://errata.engineering.redhat.com/advisory/139485
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

As it has been discovered in v21, recent PKCS#11 changes are breaking Tang functionality at boot time.

For more information about failing scenario, please check next links:
https://github.com/cockpit-project/cockpit/issues/21048
https://bodhi.fedoraproject.org/updates/FEDORA-2024-5f97e1176b

Steps to reproduce

Install clevis-21-1.el10.x86_64
Configure clevis to use tang pin and execute dracut
Reboot machine

Expected results

Clevis should boot automatically

Actual results

Machine gets blocked with message: "Detected empty PKCS#11 device, redetect (Y/N)?:"

clones

RHEL-61184 [RHEL9]: clevis: v21 breaks tang functionality at boot time

Release Pending

links to

RHBA-2024:139485 clevis bug fix and enhancement update

Assignee:: Patrik Končitý

Reporter:: Sergio Arroutbi

Developer:: Sergio Correia

QA Contact:: SSG Security QE

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/10/01 2:24 PM

Updated:: 2024/11/04 11:42 AM

Target end:: 2024/11/18