Fedora has issued an advisory on May 2: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EFR7SVEWCOXORHPCLLGXEMHFMIGG2MFE/ The problem is fixed in version 5.7. Mageia 9 is also affected.
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => tpm2-tools-5.5-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 5.7
CVE: (none) => CVE-2024-29038, CVE-2024-29039
No packager in evidence, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Fixed both mga9 and Cauldron! Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
tpm2-tools-5.5.1-1.mga9

From SRPMS:
tpm2-tools-5.5.1-1.mga9.src.rpm

Version: Cauldron => 9
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
CC: (none) => geiger.david68210
Mageia9, x64

tpm2 deals with the Trusted Platform Module chip in the BIOS if there is one. It is required for Windows 11 so is likely to be present on recently built computers.

$ tpm2 getrandom 8

comes up with a list of errors which might imply either that there is no such module or it is not enabled. Checked the BIOS on two mini-PCs and found no sign of TPM2. One of them is probably about two years old.

No problem with updating the package. I hesitate to pass this on since it affects basic hardware. If anybody has anything more recent I would encourage them to test this if that is possible. It would probably involve enabling the module but I have no idea how that might affect Linux.
CC: (none) => tarazed25
Keywords: (none) => advisory
Whiteboard: (none) => MGA9-64-OK
My research indicates that the errors you saw, at least in the 2 year old laptop, were probably due to the TPM being disabled. Several articles on the subject, but according to https://redmondmag.com/articles/2021/10/20/does-your-computer-have-a-tpm-chip.aspx TPM2 is built into Intel processors 8th generation or newer, and AMD Ryzen 2nd generation and newer. My newest machine just misses the cut.
CC: (none) => andrewsfarm
I am sure you are right, Thomas. A more thorough check does reveal TPM technology on my Intel 12 machine which I attempted to enable. The getrandom test fails again with the same errors. Need to check the settings again. Did that and confirmed that TPM feature was enabled. But I wonder if it has any effect if secure boot is disabled. No way to test that because the machine cannot boot with secure boot enabled. I do not intend to pursue this any further.
Having said that, I did look at my AMD Ryzen7 system and there the BIOS is quite explicit about the presence of the TPM2 device, which was already enabled. After booting it shows up in the device list:

$ ls /dev/tpm*
/dev/tpm0 /dev/tpmrm0

On a whim I tried root operation:

$ sudo tpm2 getrandom 8
mߎ�C9�Mlcl@rutilicus:~ $

That looks like an attempt to show a binary quantity.

$ sudo tpm2 getrandom 8 > whatever
$ sudo vi whatever
ÂvÌÑç<99>Aý

Tried out some of the commands from the man page - most of them require some background knowledge.

$ sudo tpm2 getrandom 8 | xxd -p
f543fbbaeafa269e

Send a startup command with flag TPM2_SU_CLEAR

$ sudo tpm2 startup -c

Did not get very far with tpm2 - there are dozens of tools but none adequately documented. e.g.

$ tpm2 eventlog -h
Usage: eventlog [<options>] <arguments>
Where <options> are:
[ --eventlog-version=<value>]

So, what are the arguments?

$ sudo tpm2 getpolicydigest -o --hex --session=1
WARNING:esys:src/tss2-esys/api/Esys_ReadPublic.c:320:Esys_ReadPublic_Finish() Received TPM Error
ERROR:esys:src/tss2-esys/esys_tr.c:278:Esys_TR_FromTPMPublic_Finish() Error ReadPublic ErrorCode (0x00000184)
ERROR:esys:src/tss2-esys/esys_tr.c:402:Esys_TR_FromTPMPublic() Error TR FromTPMPublic ErrorCode (0x00000184)
ERROR: Esys_TR_FromTPMPublic(0x184) - tpm:handle(1):value is out of range or is not correct for the context
ERROR: Unable to run getpolicydigest

So, it is difficult to say anything constructive about this. The simplest commands seem to work.
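A triage sketch for the getrandom failures discussed in this thread, added here as an example; it is not part of any comment above and is not tpm2-tools code. The function names (tpm_state, is_hex_of_len, tpm_smoke_test) and the device-directory parameter are assumptions made for illustration; the only tpm2 invocation used is the `tpm2 getrandom 8 | xxd -p` form shown in the comment above.

```shell
#!/bin/sh
# Added example: separate "no TPM exposed", "TPM exposed but not accessible"
# and "tool broken" before judging an updated tpm2-tools package.

# Prints absent | no-access | usable for the TPM device nodes in a directory.
# $1 defaults to /dev; it is a parameter only so the logic can be exercised
# against a constructed directory.
tpm_state() {
    dev_dir="${1:-/dev}"
    found=0
    for node in "$dev_dir/tpmrm0" "$dev_dir/tpm0"; do
        [ -e "$node" ] || continue
        found=1
        if [ -r "$node" ] && [ -w "$node" ]; then
            echo usable
            return 0
        fi
    done
    if [ "$found" -eq 1 ]; then echo no-access; else echo absent; fi
}

# True when $1 is exactly $2 bytes written as lowercase hex (xxd -p style).
is_hex_of_len() {
    [ "${#1}" -eq $(( $2 * 2 )) ] || return 1
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Exit codes: 0 ok, 1 tool failure, 2 no device node, 3 permission problem.
tpm_smoke_test() {
    case "$(tpm_state "${1:-/dev}")" in
        absent)
            echo "no TPM device node: chip absent or disabled in firmware"
            return 2 ;;
        no-access)
            echo "TPM node present but not readable/writable: retry as root"
            return 3 ;;
    esac
    # Empty or short output (including a tpm2 failure) is caught by the check.
    hex=$(tpm2 getrandom 8 | xxd -p)
    if is_hex_of_len "$hex" 8; then
        echo "ok: $hex"
    else
        echo "getrandom did not return 8 bytes: suspect the tools"
        return 1
    fi
}
```

Source the file and run `tpm_smoke_test`; only exit code 1 points at the package rather than at firmware settings or device permissions.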
Sounds like about as far as you can take it, Len. Thank you for giving it a go. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0170.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED