Last Modified: Apr 05, 2023
Affected Product(s):
F5OS Velos
Known Affected Versions:
F5OS-A 1.1.0
Fixed In:
F5OS-A 1.3.0, F5OS-A 1.2.0, F5OS-A 1.1.1
Opened: Jun 26, 2022 Severity: 2-Critical
Due to an error that happens rarely in the HAL layer, the encryption key mechanism can misinterpret such an error as a valid identifier for the system. This causes the TPM to lock up, using that identifier, but then the actual identifier no longer unlocks the TPM.
The system is unusable. Installing a new ISO does not help. The TPM must be cleared to become unlocked. Once the TPM is cleared, a new key is generated so existing encryptions need to be re-encrypted. This is will require that the ConfD system database be reset to default.
This happens rarely but when it does, the system-manager cannot read the encryption keys and will not start ConfD. This will manifest itself as unable to start up the configuration by attempting to become admin.
The workaround is to do the following: # docker exec system_platform-mgr tpm2_takeownership -c # docker restart system_manager # su admin # config # (config) system database reset-to-default proceed yes # exit; exit # docker restart system_api_svc_gateway
The incorrect identifier is now ignored and the lockup is avoided. Note that the fix does not unlock a locked system. The workaround will have to be applied first.