
Device enrollment fails on Linux: integrity check failed #53357

Open
apast0r opened this issue Mar 24, 2025 · 4 comments
Labels
bug c-edm Internal Customer Reference devicetrust

Comments


apast0r commented Mar 24, 2025

Expected behavior:
Running the command `tsh device enroll --current-device -d` should enroll the device.

Current behavior:
The command exits with the error `cannot load attestation key: Load() failed: parameter 1, error code 0x1f : integrity check failed`.

Bug details:

  • Teleport v17.2.8 git:v17.2.8-0-g4504397 go1.23.6 X:boringcrypto
  • kernel 6.13.8-arch1-1
  • TPM2 libs : libtss2-esys.so.0, libtss2-rc.so.0, libtss2-mu.so.0
  • full trace teleport_enroll.txt

Error trace:

```
ERROR REPORT:
Original Error: *errors.errorString cannot load attestation key: Load() failed: parameter 1, error code 0x1f : integrity check failed
Stack Trace:
	github.com/gravitational/teleport/lib/devicetrust/native/tpm_device.go:95 github.com/gravitational/teleport/lib/devicetrust/native.loadAK
	github.com/gravitational/teleport/lib/devicetrust/native/tpm_device.go:143 github.com/gravitational/teleport/lib/devicetrust/native.(*tpmDevice).enrollDeviceInit
	github.com/gravitational/teleport/lib/devicetrust/native/device_linux.go:59 github.com/gravitational/teleport/lib/devicetrust/native.enrollDeviceInit
	github.com/gravitational/teleport/lib/devicetrust/native/api.go:38 github.com/gravitational/teleport/lib/devicetrust/native.EnrollDeviceInit
	github.com/gravitational/teleport/lib/devicetrust/enroll/enroll.go:87 github.com/gravitational/teleport/lib/devicetrust/enroll.(*Ceremony).RunAdmin
	github.com/gravitational/teleport/tool/tsh/common/device.go:135 github.com/gravitational/teleport/tool/tsh/common.(*deviceEnrollCommand).run.func1
	github.com/gravitational/teleport/lib/client/api.go:722 github.com/gravitational/teleport/lib/client.RetryWithRelogin
	github.com/gravitational/teleport/tool/tsh/common/device.go:118 github.com/gravitational/teleport/tool/tsh/common.(*deviceEnrollCommand).run
	github.com/gravitational/teleport/tool/tsh/common/tsh.go:1627 github.com/gravitational/teleport/tool/tsh/common.Run
	github.com/gravitational/teleport/tool/tsh/common/tsh.go:651 github.com/gravitational/teleport/tool/tsh/common.Main
	github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
	runtime/proc.go:272 runtime.main
	runtime/asm_amd64.s:1700 runtime.goexit
User Message: loading ak
	loading ak into tpm
		cannot load attestation key: Load() failed: parameter 1, error code 0x1f : integrity check failed
```

I found a similar issue in the repo page of the library that teleport uses: "error code 0x1f : integrity check failed" while loading an AK created with the ECC ParentKeyConfig
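
The message in the trace, `parameter 1, error code 0x1f : integrity check failed`, is how go-tpm's `ParameterError` renders a format-1 TPM 2.0 response code: the six-bit error number is 0x1f (TPM_RC_INTEGRITY) and the TPM has flagged parameter 1 of the command, which for TPM2_Load is the `inPrivate` blob (the handle is not counted as a parameter). The raw code on the wire is therefore 0x1df. The decoder below is an added example written for this thread, not code from Teleport, go-tpm or the issue; it implements the response-code bit layout from TPM 2.0 Library Part 2 ("TPM_RC"), the name tables are a subset, and `RC`/`Decode` are names chosen here.

```go
package main

import "fmt"

// Bit layout of a TPM 2.0 response code (TPM 2.0 Library, Part 2, TPM_RC).
// Format 1 (bit 7 set): bits 0..5 = error number, bit 6 = P (index is a
// parameter), bits 8..11 = index; when P is clear, bit 11 = S (index is a
// session, else a handle) and bits 8..10 = index.
// Format 0 (bit 7 clear): bit 8 = V (TPM 2.0 code), bit 10 = vendor,
// bit 11 = warning.
const (
	rcFmt1   = 0x080
	rcFmt1Er = 0x03F
	rcP      = 0x040
	rcS      = 0x800
	rcVendor = 0x400
	rcWarn   = 0x800
)

// Format-1 error numbers (subset), keyed by bits 0..5.
var fmt1Names = map[uint32][2]string{
	0x001: {"TPM_RC_ASYMMETRIC", "asymmetric algorithm not supported or not correct"},
	0x002: {"TPM_RC_ATTRIBUTES", "inconsistent attributes"},
	0x003: {"TPM_RC_HASH", "hash algorithm not supported or not appropriate"},
	0x004: {"TPM_RC_VALUE", "value is out of range or is not correct for the context"},
	0x00A: {"TPM_RC_TYPE", "the type of the value is not appropriate for the use"},
	0x00B: {"TPM_RC_HANDLE", "the handle is not correct for the use"},
	0x00E: {"TPM_RC_AUTH_FAIL", "the authorization HMAC check failed and DA counter incremented"},
	0x015: {"TPM_RC_SIZE", "structure is the wrong size"},
	0x01D: {"TPM_RC_POLICY_FAIL", "a policy check failed"},
	0x01F: {"TPM_RC_INTEGRITY", "integrity check failed"},
	0x022: {"TPM_RC_BAD_AUTH", "authorization failure without DA implications"},
	0x025: {"TPM_RC_BINDING", "the public and sensitive portions of an object are not cryptographically bound"},
}

// Format-0 codes (subset), keyed by the code with the vendor bit masked off.
var fmt0Names = map[uint32][2]string{
	0x100: {"TPM_RC_INITIALIZE", "TPM not initialized by TPM2_Startup or already initialized"},
	0x101: {"TPM_RC_FAILURE", "commands not being accepted because of a TPM failure"},
	0x120: {"TPM_RC_DISABLED", "the command is disabled"},
	0x126: {"TPM_RC_POLICY", "policy failure in math operation or an invalid authPolicy value"},
	0x152: {"TPM_RC_PARENT", "handle for parent is not a valid parent"},
	0x901: {"TPM_RC_CONTEXT_GAP", "gap for context ID is too large"},
	0x902: {"TPM_RC_OBJECT_MEMORY", "out of memory for object contexts"},
	0x921: {"TPM_RC_LOCKOUT", "authorizations for objects subject to DA protection are not allowed at this time"},
	0x922: {"TPM_RC_RETRY", "the TPM was not able to start the command"},
}

// RC is a decoded response code. Parameter/Handle/Session are 1-based and
// zero when the code does not point at one.
type RC struct {
	Raw                       uint32
	Name, Desc                string
	Warning, Vendor           bool
	Parameter, Handle, Session int
}

// Decode splits a raw TPM_RC into its format, error number and index.
func Decode(rc uint32) RC {
	r := RC{Raw: rc}
	if rc == 0 {
		r.Name, r.Desc = "TPM_RC_SUCCESS", "success"
		return r
	}
	if rc&rcFmt1 != 0 {
		n := fmt1Names[rc&rcFmt1Er]
		r.Name, r.Desc = n[0], n[1]
		switch {
		case rc&rcP != 0:
			r.Parameter = int(rc>>8) & 0xF
		case rc&rcS != 0:
			r.Session = int(rc>>8) & 0x7
		default:
			r.Handle = int(rc>>8) & 0x7
		}
	} else {
		r.Vendor = rc&rcVendor != 0
		r.Warning = rc&rcWarn != 0
		n := fmt0Names[rc&0x9FF] // drops the vendor bit, keeps V, S and the number
		r.Name, r.Desc = n[0], n[1]
	}
	if r.Name == "" {
		r.Name, r.Desc = fmt.Sprintf("TPM_RC_UNKNOWN(0x%03x)", rc), "not in this table"
	}
	return r
}

// String renders the code the way tpm2-tools and go-tpm messages do.
func (r RC) String() string {
	where := ""
	switch {
	case r.Parameter > 0:
		where = fmt.Sprintf("parameter %d: ", r.Parameter)
	case r.Handle > 0:
		where = fmt.Sprintf("handle %d: ", r.Handle)
	case r.Session > 0:
		where = fmt.Sprintf("session %d: ", r.Session)
	case r.Warning:
		where = "warning: "
	}
	return fmt.Sprintf("0x%03x %s%s (%s)", r.Raw, where, r.Name, r.Desc)
}

func main() {
	// 0x1df is the code behind the message quoted in this issue.
	for _, rc := range []uint32{0x1DF, 0x18B, 0x98E, 0x921, 0x101, 0x000} {
		fmt.Println(Decode(rc))
	}
}
```

With a raw code in hand, `Decode(0x1DF)` yields `parameter 1: TPM_RC_INTEGRITY`, which is the same diagnosis the trace gives: the TPM rejected the wrapped AK blob itself, before any authorization or policy check.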

@apast0r apast0r added the bug label Mar 24, 2025
@zmb3 zmb3 changed the title Unable to enroll latop Device enrollment fails on Linux: integrity check failed Mar 24, 2025
zmb3 (Collaborator) commented Mar 24, 2025

What OS/version is running on the affected workstation?

apast0r (Author) commented Mar 25, 2025

Hi @zmb3
I'm using Arch Linux.

I have downloaded the same package that we use on Ubuntu, `teleport-ent-v17.2.8-linux-amd64-fips-bin.tar.gz`.

@milos-teleport milos-teleport added the c-edm Internal Customer Reference label Mar 26, 2025
programmerq (Contributor) commented

I tried to recreate this error in a ProxMox VM with a vTPM. I was able to successfully enroll the device. Here is what I did.

I imported the ArchLinux cloudinit qcow2 image to a ProxMox template using this script, and set basic options like disk size, core count, network, etc.:

Shell script to import an Arch template to Proxmox:

```bash
#!/bin/bash -xe
# loosely based on https://wiki.archlinux.org/title/Arch_Linux_on_a_VPS Proxmox section.

export VMID=9200
#https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2

# Fetch the official cloud image (resumes/skips if already current).
wget -S -N -c https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2

# Start from scratch if a VM with this ID already exists.
qm status ${VMID} && qm destroy ${VMID}
qm create ${VMID} --memory 16384 --cores 2 --net0 virtio,bridge=vmbr0 --cpu host
# Import the qcow2 as the VM's first disk and attach it via virtio-scsi.
qm importdisk ${VMID} Arch-Linux-x86_64-cloudimg.qcow2 local-lvm
qm set ${VMID} --scsihw virtio-scsi-pci --scsi0 local-lvm:vm-${VMID}-disk-0
qm resize ${VMID} scsi0 16G
# cloud-init drive, boot order, SSH key, guest agent and serial console.
qm set ${VMID} --ide2 local-lvm:cloudinit
qm set ${VMID} --boot c --bootdisk scsi0
qm set ${VMID} --sshkey id_rsa.pub
qm set ${VMID} --agent 1 --ostype l26
qm set ${VMID} --name archlinux-cloudinit
qm set ${VMID} --serial0 socket --vga serial0
qm set ${VMID} --ipconfig0 ip=dhcp
# Convert the VM into a template to clone from.
qm template ${VMID}
```

Next, I cloned the template to a new VM, and then manually added the TPM device using the web interface. It prompted me to also add a TPM state disk. I installed tsh from the `teleport-ent-v17.3.4-linux-amd64-fips-bin.tar.gz` file using `sudo ./install`. At first, tsh complained that there was no ID or serial number. I stopped the VM and set a serial number in the SMBIOS settings in the Web UI options section for the VM.

I also had to add the default arch user to the tss group.

The raw config as seen by `qm config VMID` output:

```
agent: 1
boot: c
bootdisk: scsi0
cores: 2
cpu: host
ide2: local-lvm:vm-800-cloudinit,media=cdrom,size=4M
ipconfig0: ip=dhcp
memory: 16384
meta: creation-qemu=9.0.2,ctime=1742992392
name: deleteme-arch
net0: virtio=BC:24:11:7C:1A:AD,bridge=vmbr0
numa: 0
ostype: l26
scsi0: local-lvm:vm-800-disk-0,size=16G
scsihw: virtio-scsi-pci
serial0: socket
smbios1: uuid=c9713bfa-473c-4eaf-a45d-0090ec53670e,serial=TUhBWEM4NVE=,base64=1
sockets: 2
sshkeys: ...
tpmstate0: local-lvm:vm-800-disk-1,size=4M,version=v2.0
vga: serial0
vmgenid: 5dd10281-a53b-4355-89b5-c43397fe0f4d
```
The output of `sudo dmidecode`
# dmidecode 3.6
Getting SMBIOS data from sysfs.
SMBIOS 2.8 present.
11 structures occupying 520 bytes.
Table at 0x000F5220.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
	Vendor: SeaBIOS
	Version: rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org
	Release Date: 04/01/2014
	Address: 0xE8000
	Runtime Size: 96 kB
	ROM Size: 64 kB
	Characteristics:
		BIOS characteristics not supported
		Targeted content distribution is supported
	BIOS Revision: 0.0

Handle 0x0100, DMI type 1, 27 bytes
System Information
	Manufacturer: QEMU
	Product Name: Standard PC (i440FX + PIIX, 1996)
	Version: pc-i440fx-9.0
	Serial Number: MHAXC85Q
	UUID: c9713bfa-473c-4eaf-a45d-0090ec53670e
	Wake-up Type: Power Switch
	SKU Number: Not Specified
	Family: Not Specified

Handle 0x0300, DMI type 3, 22 bytes
Chassis Information
	Manufacturer: QEMU
	Type: Other
	Lock: Not Present
	Version: pc-i440fx-9.0
	Serial Number: Not Specified
	Asset Tag: Not Specified
	Boot-up State: Safe
	Power Supply State: Safe
	Thermal State: Safe
	Security Status: Unknown
	OEM Information: 0x00000000
	Height: Unspecified
	Number Of Power Cords: Unspecified
	Contained Elements: 0
	SKU Number: Not Specified

Handle 0x0400, DMI type 4, 42 bytes
Processor Information
	Socket Designation: CPU 0
	Type: Central Processor
	Family: Other
	Manufacturer: QEMU
	ID: E4 06 03 00 FF FB 8B 0F
	Version: pc-i440fx-9.0
	Voltage: Unknown
	External Clock: Unknown
	Max Speed: 2000 MHz
	Current Speed: 2000 MHz
	Status: Populated, Enabled
	Upgrade: Other
	L1 Cache Handle: Not Provided
	L2 Cache Handle: Not Provided
	L3 Cache Handle: Not Provided
	Serial Number: Not Specified
	Asset Tag: Not Specified
	Part Number: Not Specified
	Core Count: 2
	Core Enabled: 2
	Thread Count: 2
	Characteristics: None

Handle 0x0401, DMI type 4, 42 bytes
Processor Information
	Socket Designation: CPU 1
	Type: Central Processor
	Family: Other
	Manufacturer: QEMU
	ID: E4 06 03 00 FF FB 8B 0F
	Version: pc-i440fx-9.0
	Voltage: Unknown
	External Clock: Unknown
	Max Speed: 2000 MHz
	Current Speed: 2000 MHz
	Status: Populated, Enabled
	Upgrade: Other
	L1 Cache Handle: Not Provided
	L2 Cache Handle: Not Provided
	L3 Cache Handle: Not Provided
	Serial Number: Not Specified
	Asset Tag: Not Specified
	Part Number: Not Specified
	Core Count: 2
	Core Enabled: 2
	Thread Count: 2
	Characteristics: None

Handle 0x1000, DMI type 16, 23 bytes
Physical Memory Array
	Location: Other
	Use: System Memory
	Error Correction Type: Multi-bit ECC
	Maximum Capacity: 16 GB
	Error Information Handle: Not Provided
	Number Of Devices: 1

Handle 0x1100, DMI type 17, 40 bytes
Memory Device
	Array Handle: 0x1000
	Error Information Handle: Not Provided
	Total Width: Unknown
	Data Width: Unknown
	Size: 16 GB
	Form Factor: DIMM
	Set: None
	Locator: DIMM 0
	Bank Locator: Not Specified
	Type: RAM
	Type Detail: Other
	Speed: Unknown
	Manufacturer: QEMU
	Serial Number: Not Specified
	Asset Tag: Not Specified
	Part Number: Not Specified
	Rank: Unknown
	Configured Memory Speed: Unknown
	Minimum Voltage: Unknown
	Maximum Voltage: Unknown
	Configured Voltage: Unknown

Handle 0x1300, DMI type 19, 31 bytes
Memory Array Mapped Address
	Starting Address: 0x00000000000
	Ending Address: 0x000BFFFFFFF
	Range Size: 3 GB
	Physical Array Handle: 0x1000
	Partition Width: 1

Handle 0x1301, DMI type 19, 31 bytes
Memory Array Mapped Address
	Starting Address: 0x00100000000
	Ending Address: 0x0043FFFFFFF
	Range Size: 13 GB
	Physical Array Handle: 0x1000
	Partition Width: 1

Handle 0x2000, DMI type 32, 11 bytes
System Boot Information
	Status: No errors detected

Handle 0x7F00, DMI type 127, 4 bytes
End Of Table
Output of `sudo pacman -Q` (package listing with versions)
acl 2.3.2-1
archlinux-keyring 20250123-1
attr 2.5.2-1
audit 4.0.3-1
base 3-2
bash 5.2.037-2
binutils 2.44-1
brotli 1.1.0-3
btrfs-progs 6.13-1
bzip2 1.0.8-6
ca-certificates 20240618-1
ca-certificates-mozilla 3.109-1
ca-certificates-utils 20240618-1
cloud-guest-utils 0.33-2
cloud-init 25.1-1
coreutils 9.6-4
cryptsetup 2.7.5-2
curl 8.12.1-1
dbus 1.16.2-1
dbus-broker 36-4
dbus-broker-units 36-4
dbus-units 36-4
device-mapper 2.03.31-1
dhclient 4.4.3.P1-4
diffutils 3.11-2
dmidecode 3.6-1
dosfstools 4.2-5
e2fsprogs 1.47.2-1
efibootmgr 18-3
efivar 39-1
expat 2.7.0-1
file 5.46-4
filesystem 2024.11.21-1
findutils 4.10.0-2
gawk 5.3.1-2
gcc-libs 14.2.1+r753+g1cd744a6828f-1
gdbm 1.24-2
gettext 0.24-1
glib2 2.84.0-1
glibc 2.41+r9+ga900dbaf70f0-1
gmp 6.3.0-2
gnulib-l10n 20241231-1
gnupg 2.4.7-1
gnutls 3.8.9-1
gpgme 1.24.2-1
gpm 1.20.7.r38.ge82d1a6-6
grep 3.11-1
grub 2:2.12.r226.g56ccc5ed-1
gzip 1.13-4
hwdata 0.393-1
iana-etc 20250213-1
icu 76.1-1
iproute2 6.14.0-1
iptables 1:1.8.11-1
iputils 20240905-1
jansson 2.14-4
json-c 0.18-1
kbd 2.7.1-2
keyutils 1.6.3-3
kmod 34.1-1
krb5 1.21.3-1
leancrypto 1.2.0-2
less 1:668-1
libarchive 3.7.7-4
libassuan 3.0.0-1
libbpf 1.5.0-1
libbsd 0.12.2-2
libcap 2.75-1
libcap-ng 0.8.5-3
libedit 20250104_3.1-1
libelf 0.192-4
libevent 2.1.12-4
libffi 3.4.7-1
libgcrypt 1.11.0-3
libgpg-error 1.51-1
libidn2 2.3.7-1
libksba 1.6.7-1
libldap 2.6.9-1
libmd 1.1.0-2
libmnl 1.0.5-2
libnetfilter_conntrack 1.0.9-2
libnfnetlink 1.0.2-2
libnftnl 1.2.8-1
libnghttp2 1.65.0-1
libnghttp3 1.8.0-1
libnl 3.11.0-1
libnsl 2.0.1-1
libp11-kit 0.25.5-1
libpcap 1.10.5-2
libpsl 0.21.5-2
libsasl 2.1.28-5
libseccomp 2.5.6-1
libsecret 0.21.7-1
libssh2 1.11.1-1
libsysprof-capture 48.0-1
libtasn1 4.20.0-1
libtirpc 1.3.6-1
libunistring 1.3-1
liburing 2.9-1
libusb 1.0.28-1
libverto 0.3.2-5
libxcrypt 4.4.38-1
libxml2 2.13.6-3
libyaml 0.2.5-3
licenses 20240728-1
linux 6.13.8.arch1-1
linux-api-headers 6.13-1
lmdb 0.9.33-1
lz4 1:1.10.0-2
lzo 2.10-5
mkinitcpio 39.2-3
mkinitcpio-busybox 1.36.1-1
mpdecimal 4.0.0-2
mpfr 4.2.2-1
ncurses 6.5-3
nettle 3.10.1-1
npth 1.8-1
numactl 2.0.19-1
openbsd-netcat 1.228_1-1
openssh 9.9p2-1
openssl 3.4.1-1
p11-kit 0.25.5-1
pacman 7.0.0.r6.gc685ae6-2
pacman-mirrorlist 20250311-1
pam 1.7.0-2
pambase 20230918-2
pciutils 3.13.0-2
pcre2 10.45-1
pinentry 1.3.1-5
plocate 1.1.23-1
popt 1.19-2
procps-ng 4.0.5-3
psmisc 23.7-1
python 3.13.2-1
python-attrs 23.2.0-4
python-cffi 1.17.1-2
python-charset-normalizer 3.4.1-1
python-configobj 5.0.9-5
python-cryptography 44.0.2-1
python-idna 3.10-2
python-jinja 1:3.1.5-1
python-jsonpatch 1.33-4
python-jsonpointer 3.0.0-2
python-jsonschema 4.23.0-2
python-jsonschema-specifications 2024.10.1-1
python-markupsafe 2.1.5-3
python-netifaces 0.11.0-7
python-oauthlib 3.2.2-4
python-pycparser 2.22-3
python-pyserial 3.5-7
python-referencing 0.35.1-3
python-requests 2.32.3-4
python-rpds-py 0.22.3-1
python-typing_extensions 4.12.2-3
python-urllib3 2.3.0-1
python-yaml 6.0.2-2
qemu-guest-agent 9.2.2-1
readline 8.2.013-1
run-parts 5.17-1
sed 4.9-3
shadow 4.17.4-1
sqlite 3.49.1-1
sudo 1.9.16.p2-2
systemd 257.4-1
systemd-libs 257.4-1
systemd-sysvcompat 257.4-1
tar 1.35-2
tpm2-tss 4.1.3-1
tzdata 2025b-1
util-linux 2.41-3
util-linux-libs 2.41-3
vim 9.1.1236-1
vim-runtime 9.1.1236-1
wget 1.25.0-2
xz 5.6.4-1
zlib 1:1.3.1-2
zstd 1.5.7-2

After running tsh login, I successfully completed the device enrollment:

```
$ tsh device enroll --current-device -d
2025-03-26T13:03:11.293Z INFO [CLIENT]    ALPN connection upgrade required for "teleport.example.com:443": false. client/api.go:915
2025-03-26T13:03:11.294Z INFO [CLIENT]    no host login given. defaulting to arch client/api.go:1260
2025-03-26T13:03:11.295Z WARN [CLIENT]    [KEY AGENT] Unable to connect to SSH agent on socket "": dial unix: missing address client/api.go:4837
2025-03-26T13:03:11.299Z INFO [KEYAGENT]  Loading SSH key for user "jeff" and cluster "teleport.example.com". client/keyagent.go:198
2025-03-26T13:03:11.387Z DEBU             TPM: Existing AK was found on disk, it will be reused. native/tpm_device.go:154
2025-03-26T13:03:11.388Z WARN             TPM: Failed to read device model and/or serial numbers error:[open product_serial: permission denied
open board_serial: no such file or directory] native/device_linux.go:195
2025-03-26T13:03:11.389Z DEBU             TPM: Running escalated `tsh device dmi-info` native/device_linux.go:217
Determining machine model and serial number, if prompted please type the sudo password
2025-03-26T13:03:11.869Z DEBU             TPM: Saved DMI information to local cache native/device_linux.go:325
2025-03-26T13:03:13.734Z DEBU             TPM: Existing AK was found on disk, it will be reused. native/tpm_device.go:154
2025-03-26T13:03:13.735Z DEBU             Device Trust: Using in-process cached device data native/api.go:91
2025-03-26T13:03:15.441Z DEBU             TPM: Performing platform attestation. native/tpm_device.go:451
2025-03-26T13:03:17.447Z DEBU             TPM: Activating credential. native/tpm_device.go:305
2025-03-26T13:03:17.449Z DEBU             TPM: Detected current process is elevated. Will run credential activation in current process. native/tpm_device.go:321
2025-03-26T13:03:18.028Z DEBU             TPM: Enrollment challenge completed. native/tpm_device.go:344
Device "MHAXC85Q"/Linux registered and enrolled
```

@apast0r Any other info you could share about the TPM, or other software making use of it would be great.
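
The reproduction above needed three things before `tsh device enroll` would run: a TPM device the user can open, membership in the `tss` group, and an SMBIOS serial that tsh can read (the log shows it tries `product_serial`, then `board_serial`, and escalates with `sudo tsh device dmi-info` when they are root-only). The Go program below is an added preflight check written for this thread, not part of Teleport; the `SerialStatus` classification, the `Preflight` function and the sysfs/device paths it defaults to are its own, and the inputs used in its test are constructed files rather than a real `/sys/class/dmi/id`.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"os/user"
	"path/filepath"
	"strings"
)

// SerialStatus summarizes what an unprivileged tsh can learn from the DMI sysfs files.
type SerialStatus int

const (
	SerialReadable  SerialStatus = iota // a usable serial is readable as this user
	SerialNeedsRoot                     // present but root-only: tsh will escalate (sudo tsh device dmi-info)
	SerialAbsent                        // no usable serial: fix the firmware/VM SMBIOS data
)

func (s SerialStatus) String() string {
	return [...]string{"readable", "needs-root", "absent"}[s]
}

// ReadDMISerial mirrors the fallback order seen in the enrollment log:
// product_serial first, then board_serial. Empty and "Not Specified" values
// (the placeholder the dmidecode output above shows) count as absent.
func ReadDMISerial(dmiDir string) (string, SerialStatus) {
	needsRoot := false
	for _, f := range []string{"product_serial", "board_serial"} {
		b, err := os.ReadFile(filepath.Join(dmiDir, f))
		if errors.Is(err, fs.ErrPermission) {
			needsRoot = true
			continue
		}
		if err != nil {
			continue // ENOENT or anything else: fall through to the next file
		}
		s := strings.TrimSpace(string(b))
		if s == "" || strings.EqualFold(s, "Not Specified") {
			continue
		}
		return s, SerialReadable
	}
	if needsRoot {
		return "", SerialNeedsRoot
	}
	return "", SerialAbsent
}

// HasGroup reports whether name appears in a list of group names (e.g. from `id -nG`).
func HasGroup(groups []string, name string) bool {
	for _, g := range groups {
		if g == name {
			return true
		}
	}
	return false
}

// CurrentUserGroups resolves the calling user's supplementary group names.
func CurrentUserGroups() ([]string, error) {
	u, err := user.Current()
	if err != nil {
		return nil, err
	}
	ids, err := u.GroupIds()
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(ids))
	for _, id := range ids {
		g, err := user.LookupGroupId(id)
		if err != nil {
			return nil, err
		}
		names = append(names, g.Name)
	}
	return names, nil
}

// Preflight returns the problems to fix before enrolling: missing serial,
// missing tss membership, missing TPM resource-manager device.
func Preflight(dmiDir, tpmDev string, groups []string) []string {
	var problems []string
	if _, st := ReadDMISerial(dmiDir); st == SerialAbsent {
		problems = append(problems, "no product_serial/board_serial exposed by firmware; on Proxmox set an SMBIOS serial (the smbios1 serial=...,base64=1 setting shown above)")
	}
	if !HasGroup(groups, "tss") {
		problems = append(problems, "user is not in the tss group that the tpm2-tss udev rules grant access to the TPM device")
	}
	if _, err := os.Stat(tpmDev); err != nil {
		problems = append(problems, fmt.Sprintf("TPM device %s not usable: %v", tpmDev, err))
	}
	return problems
}

func main() {
	groups, err := CurrentUserGroups()
	if err != nil {
		fmt.Println("cannot resolve groups:", err)
	}
	for _, p := range Preflight("/sys/class/dmi/id", "/dev/tpmrm0", groups) {
		fmt.Println("problem:", p)
	}
}
```

On a bare-metal Arch host the first check normally reports `needs-root` (product_serial is mode 0400), which is the case tsh handles by escalating; `absent` is the vTPM-without-serial case from the reproduction, which only a firmware or VM-config change fixes.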

apast0r (Author) commented Mar 27, 2025

Hi @programmerq

I am pasting more information:

User membership of tss:

```
❯ id $USER
uid=893468259(apast0r) gid=893746610(ulinux) grupos=893746610(ulinux),998(wheel),994(input),974(tss),953(docker)
```

Teleport binaries:

```
❯ paru -Q teleport-ent-fips-client-bin
teleport-ent-fips-client-bin 17.2.8-1
```

❯ cat PKGBUILD

```bash
_pkgname=teleport-ent
pkgname=teleport-ent-fips-client-bin
pkgver=17.2.8
pkgrel=1
pkgdesc="Client-only (tsh, tctl) binary package for teleport enterprise with fips"
arch=('x86_64')
url="https://github.com/gravitational/teleport"
license=('Apache')
provides=('teleport-client' 'tctl' 'tsh')
conflicts=('teleport' 'teleport-client' 'tctl' 'tsh')

source_x86_64=("teleport-ent-bin-${pkgver}-x86_64-fips.tar.gz::https://cdn.teleport.dev/teleport-ent-v${pkgver}-linux-amd64-fips-bin.tar.gz")
sha256sums_x86_64=('3683161444d887ce15d371b25fd15a41020d1f10558317a4a962f6892d13aba1')

package() {
    cd "${srcdir}/${_pkgname}"

    # Client-only package: the teleport daemon binary is intentionally not installed.
    # install -Dm755 teleport "${pkgdir}/usr/bin/teleport"
    install -Dm755 tctl "${pkgdir}/usr/bin/tctl"
    install -Dm755 tsh "${pkgdir}/usr/bin/tsh"
}
```

Current system boot config:

```
❯ sudo bootctl
System:
      Firmware: UEFI 2.70 (Dell 1.00)
 Firmware Arch: x64
   Secure Boot: enabled (deployed)
  TPM2 Support: yes
  Measured UKI: yes
  Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 255.3-1-arch
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Load drop-in drivers
               ✓ Support Type #1 sort-key field
               ✓ Support @saved pseudo-entry
               ✓ Support Type #1 devicetree field
               ✓ Enroll SecureBoot keys
               ✓ Retain SHIM protocols
               ✓ Menu can be disabled
               ✗ Multi-Profile UKIs are supported
               ✓ Boot loader set partition information
    Partition: /dev/disk/by-partuuid/bfabf75e-9829-41e2-9657-529eda4bb7b6
       Loader: └─/EFI/systemd/systemd-bootx64.efi
Current Entry: arch-linux.efi
```

```
❯ sbctl status
Installed:	✓ sbctl is installed
Owner GUID:	121d9f11-24f1-4506-a582-ec7ace322e94
Setup Mode:	✓ Disabled
Secure Boot:	✓ Enabled
Vendor Keys:	microsoft builtin-db builtin-db builtin-KEK
```

PCR contents:

```
❯ systemd-analyze pcrs
NR NAME                SHA256
 0 platform-code       34ce0f7aab2207e6f20c24fc4be1df9a448f2abda8d90383d3c651909f355b3c
 1 platform-config     3bbaf3411f2c98b61bb82b3ba419543668f15828cb861fd59ca2434e0629c899
 2 external-code       954edbf62e11c5daee3642f12a26df285fad7e67258239a9c5a5341c848922ef
 3 external-config     3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969
 4 boot-loader-code    e488058d54093c3f382288b8acae9c2ad787e37ca381bd9ad76f66ee5fb1f97f
 5 boot-loader-config  a038ecc508b8215a4b24fa1d84dd94c89ed7a13f03d050d33650616a267fdb78
 6 host-platform       5491115372a546987323017e83ae27156d7559f9669ded820a6119d3c0869083
 7 secure-boot-policy  1fde6fd4fa77fe85235d2330e460fb8967ed3ea2c5dc4fa4bd679fccaee879fe
 8 -                   0000000000000000000000000000000000000000000000000000000000000000
 9 kernel-initrd       1ffc7c6ac71d591aa1d9b4ffc19407d0f6b7ed23059f8f3c380110be14b8f47e
10 ima                 0000000000000000000000000000000000000000000000000000000000000000
11 kernel-boot         079e3111c6721549452ce02830c2152f745efd2578f0a7635e251fe3fae86e30
12 kernel-config       0000000000000000000000000000000000000000000000000000000000000000
13 sysexts             0000000000000000000000000000000000000000000000000000000000000000
14 shim-policy         0000000000000000000000000000000000000000000000000000000000000000
15 system-identity     7b6641edbfcb3b5c35b590eb39f2e11a5de69ceab5e94711356eecac647ca3c4
16 debug               0000000000000000000000000000000000000000000000000000000000000000
17 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
18 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
19 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
20 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
21 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
22 -                   ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
23 application-support 0000000000000000000000000000000000000000000000000000000000000000
```


I have cleared the TPM persistent objects and tried to enroll:

```
❯ tpm2 clear
❯ tpm2 getcap handles-persistent
- 0x81800001
- 0x81800002
❯ tsh device enroll --current-device -d
2025-03-27T10:45:16.200+01:00 INFO [CLIENT]    ALPN connection upgrade required for "teleport.mycompany.com:443": false. client/api.go:915
2025-03-27T10:45:16.201+01:00 INFO [CLIENT]    no host login given. defaulting to apast0r client/api.go:1260
2025-03-27T10:45:16.201+01:00 INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/run/user/893818259/gcr/ssh" client/api.go:4794
2025-03-27T10:45:16.225+01:00 INFO [KEYAGENT]  Loading SSH key for user "apast0r" and cluster "teleport.mycompany.com". client/keyagent.go:198

ERROR REPORT:
Original Error: *errors.errorString cannot load attestation key: Load() failed: parameter 1, error code 0x1f : integrity check failed
Stack Trace:
	github.com/gravitational/teleport/lib/devicetrust/native/tpm_device.go:95 github.com/gravitational/teleport/lib/devicetrust/native.loadAK
	github.com/gravitational/teleport/lib/devicetrust/native/tpm_device.go:143 github.com/gravitational/teleport/lib/devicetrust/native.(*tpmDevice).enrollDeviceInit
	github.com/gravitational/teleport/lib/devicetrust/native/device_linux.go:59 github.com/gravitational/teleport/lib/devicetrust/native.enrollDeviceInit
	github.com/gravitational/teleport/lib/devicetrust/native/api.go:38 github.com/gravitational/teleport/lib/devicetrust/native.EnrollDeviceInit
	github.com/gravitational/teleport/lib/devicetrust/enroll/enroll.go:87 github.com/gravitational/teleport/lib/devicetrust/enroll.(*Ceremony).RunAdmin
	github.com/gravitational/teleport/tool/tsh/common/device.go:135 github.com/gravitational/teleport/tool/tsh/common.(*deviceEnrollCommand).run.func1
	github.com/gravitational/teleport/lib/client/api.go:639 github.com/gravitational/teleport/lib/client.RetryWithRelogin
	github.com/gravitational/teleport/tool/tsh/common/device.go:118 github.com/gravitational/teleport/tool/tsh/common.(*deviceEnrollCommand).run
	github.com/gravitational/teleport/tool/tsh/common/tsh.go:1627 github.com/gravitational/teleport/tool/tsh/common.Run
	github.com/gravitational/teleport/tool/tsh/common/tsh.go:651 github.com/gravitational/teleport/tool/tsh/common.Main
	github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
	runtime/proc.go:272 runtime.main
	runtime/asm_amd64.s:1700 runtime.goexit
User Message: loading ak
	loading ak into tpm
		cannot load attestation key: Load() failed: parameter 1, error code 0x1f : integrity check failed
❯ tpm2 getcap handles-persistent
- 0x81000001
- 0x81800001
- 0x81800002
❯ tpm2 readpublic -c 0x81000001
name: 000b2996ef1b7f7ed7267883c4ffaa58fbe305e6006b9d88bb1334f0360898fbe522
qualified name: 000b048ad6b82dab962c60a6746fd66d847efb53832d15a78424999912bfe7f4f362
name-alg:
  value: sha256
  raw: 0xb
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt
  raw: 0x30472
type:
  value: rsa
  raw: 0x1
exponent: 65537
bits: 2048
scheme:
  value: null
  raw: 0x10
scheme-halg:
  value: (null)
  raw: 0x0
sym-alg:
  value: aes
  raw: 0x6
sym-mode:
  value: cfb
  raw: 0x43
sym-keybits: 128
rsa: b143985c597920a28d45[...]8c501dd4d0db5
```
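
The sequence at the end of that comment shows a newly created storage parent at 0x81000001 (RSA 2048, `restricted|decrypt`, AES-128-CFB symmetric: an SRK-style key) and the same TPM_RC_INTEGRITY from Load. TPM2_Load verifies an HMAC over the wrapped private area before it decrypts anything, and both that HMAC key and the wrapping key are derived from the parent's seed, so a child blob loads only under the exact parent that wrapped it. TPM2_Clear regenerates the storage primary seed, so an AK blob cached on disk before `tpm2 clear` (the earlier successful log shows tsh reusing an "Existing AK ... found on disk") fails this check afterwards even when the SRK is recreated from the same template. The Go model below is an added example written for this thread, not Teleport or go-tpm code; it reproduces the outer-wrapper construction from TPM 2.0 Library Part 1 (KDFa with the `STORAGE` and `INTEGRITY` labels, AES-CFB with a zero IV, HMAC over `enc || name`) in simplified form (no inner wrapper, no size fields) with constructed seeds and AK material. It illustrates the mechanism only; it does not show what caused the first failure, which happened before the clear.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrIntegrity stands in for TPM_RC_INTEGRITY: the outer HMAC over the wrapped
// sensitive area did not verify under the parent given to TPM2_Load.
var ErrIntegrity = errors.New("integrity check failed")

// kdfa is the TPM 2.0 KDFa counter-mode KDF (Part 1, "KDFa") instantiated with SHA-256.
func kdfa(key []byte, label string, contextU, contextV []byte, bits int) []byte {
	need := (bits + 7) / 8
	var out []byte
	for i := uint32(1); len(out) < need; i++ {
		mac := hmac.New(sha256.New, key)
		binary.Write(mac, binary.BigEndian, i)
		mac.Write([]byte(label))
		mac.Write([]byte{0}) // KDFa includes the label's terminating NUL
		mac.Write(contextU)
		mac.Write(contextV)
		binary.Write(mac, binary.BigEndian, uint32(bits))
		out = mac.Sum(out)
	}
	return out[:need]
}

// cfb applies AES-128-CFB with the all-zero IV that the outer wrapper uses.
func cfb(key, in []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key is always 16 bytes here
	}
	iv := make([]byte, aes.BlockSize)
	var stream cipher.Stream
	if encrypt {
		stream = cipher.NewCFBEncrypter(block, iv)
	} else {
		stream = cipher.NewCFBDecrypter(block, iv)
	}
	out := make([]byte, len(in))
	stream.XORKeyStream(out, in)
	return out
}

// Parent is a simplified storage parent (think SRK): only its symmetric seed
// matters for wrapping children. Two parents with identical public templates
// but different seeds cannot load each other's children.
type Parent struct{ Seed []byte }

// Wrap models the outer wrapper of a TPM2B_PRIVATE:
//   symKey  = KDFa(seed, "STORAGE", name, nil, 128)
//   enc     = AES-CFB(symKey, sensitive)
//   hmacKey = KDFa(seed, "INTEGRITY", nil, nil, 256)
//   private = HMAC(hmacKey, enc || name) || enc
func (p Parent) Wrap(name, sensitive []byte) []byte {
	enc := cfb(kdfa(p.Seed, "STORAGE", name, nil, 128), sensitive, true)
	mac := hmac.New(sha256.New, kdfa(p.Seed, "INTEGRITY", nil, nil, 256))
	mac.Write(enc)
	mac.Write(name)
	return append(mac.Sum(nil), enc...)
}

// Load models TPM2_Load: the HMAC is checked before decryption, so a blob
// wrapped under another parent, or tampered with, is rejected with ErrIntegrity.
func (p Parent) Load(name, private []byte) ([]byte, error) {
	if len(private) < sha256.Size {
		return nil, errors.New("private blob too short")
	}
	tag, enc := private[:sha256.Size], private[sha256.Size:]
	mac := hmac.New(sha256.New, kdfa(p.Seed, "INTEGRITY", nil, nil, 256))
	mac.Write(enc)
	mac.Write(name)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, ErrIntegrity
	}
	return cfb(kdfa(p.Seed, "STORAGE", name, nil, 128), enc, false), nil
}

// Demo wraps an AK under one parent, then loads it under that parent, under a
// parent recreated with a fresh seed (the post-TPM2_Clear case), and after a
// one-byte tamper. Constructed values throughout; a real name is nameAlg || H(public).
func Demo() (roundTripOK, staleRejected, tamperRejected bool) {
	akName := []byte("\x00\x0bconstructed-ak-name-hash")
	akSensitive := []byte("constructed AK private material")
	oldSRK := Parent{Seed: bytes.Repeat([]byte{0x11}, 32)}
	newSRK := Parent{Seed: bytes.Repeat([]byte{0x22}, 32)} // same template, new seed

	private := oldSRK.Wrap(akName, akSensitive)

	got, err := oldSRK.Load(akName, private)
	roundTripOK = err == nil && bytes.Equal(got, akSensitive)

	_, err = newSRK.Load(akName, private)
	staleRejected = errors.Is(err, ErrIntegrity)

	tampered := append([]byte(nil), private...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = oldSRK.Load(akName, tampered)
	tamperRejected = errors.Is(err, ErrIntegrity)
	return
}

func main() {
	a, b, c := Demo()
	fmt.Printf("round trip ok: %v, stale-parent load rejected: %v, tampered load rejected: %v\n", a, b, c)
}
```

Because the name is bound into both the KDF context and the HMAC input, the same blob presented with a different public area (hence a different name) is also rejected; that is the cross-check that keeps the public and private halves of a TPM object tied together.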
