Bug ID 1121889: ConfD encryption key can lock up the TPM module

Last Modified: Dec 07, 2023

Affected Product(s):
F5OS Velos(all modules)

Fixed In:
F5OS-A 1.3.0, F5OS-A 1.2.0, F5OS-A 1.1.1

Opened: Jun 26, 2022

Severity: 2-Critical

Symptoms

Due to a rare error in the HAL layer, the encryption key mechanism can misinterpret the result of that error as a valid identifier for the system. The TPM is then locked using that bogus identifier, after which the actual identifier no longer unlocks the TPM.

Impact

The system is unusable. Installing a new ISO does not help. The TPM must be cleared before it can be unlocked. Once the TPM is cleared, a new key is generated, so existing encrypted data must be re-encrypted. This will require that the ConfD system database be reset to default.

Conditions

This happens rarely, but when it does, the system-manager cannot read the encryption keys and will not start ConfD. This manifests as the configuration CLI failing to start when you attempt to become admin.

Workaround

The workaround is to do the following:

# docker exec system_platform-mgr tpm2_takeownership -c
# docker restart system_manager
# su admin
# config
# (config) system database reset-to-default proceed yes
# exit; exit
# docker restart system_api_svc_gateway

Fix Information

The incorrect identifier is now ignored and the lockup is avoided. Note that the fix does not unlock a system that is already locked; the workaround will have to be applied first.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips