OpenShift Container Platform installation on AWS fails with TPM disk encryption

Solution Verified

Issue

  • When installing a new OpenShift Container Platform cluster on AWS with TPM v2 disk encryption enabled, the installation fails and the following error is visible in the instance console output in the AWS Console:

    [   46.779663] systemd[1]: Started Ignition (fetch).
           Starting Check for FIPS mode...
    [   46.787111] ignition[1000]: fetch: fetch complete
    [   46.794097] systemd[1]: Starting Check for FIPS mode...
    [   46.801649] rhcos-fips[1151]: FIPS mode is enabled.
    [   46.808733] ignition[1000]: fetch: fetch passed
    [   46.815566] ignition[1000]: Ignition finished successfully
    [   46.828596] systemd[1]: Started Check for FIPS mode.
    [  OK  ] Started Check for FIPS mode.
    [   46.835624] systemd[1]: Starting Ignition (disks)...
           Starting Ignition (disks)...
    [   46.864121] ignition[1154]: Ignition 0.35.0
    [   46.871109] ignition[1154]: Stage: disks
    [   46.878063] ignition[1154]: reading system config file "/usr/lib/ignition/base.ign"
    [   46.890171] ignition[1154]: Adding "root-ca" to list of CAs
    [   46.897717] ignition[1154]: disks: disks passed
    [  OK  ] Started Ignition (disks).
    [   46.904802] systemd[1]: Started Ignition (disks).
           Starting CoreOS Firstboot encryption of root device...
    [   46.911963] ignition[1154]: Ignition finished successfully
    [   46.919424] systemd[1]: Starting CoreOS Firstboot encryption of root device...
    [   46.959664] coreos-cryptfs[1165]: coreos-cryptfs: Fetching clevis config
    [   47.007161] coreos-cryptfs[1165]: coreos-cryptfs: Detected provided Clevis config
    [   47.049915] loop: module loaded
    [   47.056229] coreos-cryptfs[1165]: coreos-cryptfs: detected pin=tpm2
    [   47.109835] coreos-cryptfs[1165]: Token 0 is not in use.
    [   47.121229] systemd[1]: coreos-encrypt.service: Main process exited, code=exited, status=1/FAILURE
    [   47.133415] systemd[1]: coreos-encrypt.service: Failed with result 'exit-code'.
    [FAILED] Failed to start CoreOS Firstboot encryption of root device.
    [   47.145674] systemd[1]: Failed to start CoreOS Firstboot encryption of root device.
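The log above shows coreos-cryptfs reading the provided Clevis config, selecting pin=tpm2, and coreos-encrypt.service exiting with status 1 right after "Token 0 is not in use." The Clevis tpm2 pin can only bind the LUKS key to a TPM 2.0 that the guest kernel actually exposes, so the check a practitioner wants before enabling TPM v2 disk encryption is whether the image will see such a device and which pin its clevis.json will select. The following pre-flight script is an added example, not code from the Red Hat article or from RHCOS. Its assumptions: the clevis.json is delivered as an Ignition data: URL (base64 "e30K" is "{}", the TPM v2 config), a config carrying a "url" key is treated as Tang and anything else as tpm2 (a heuristic standing in for the real coreos-cryptfs detection), and the device directory is a parameter so the check can run against a test tree instead of /dev.

```shell
#!/bin/sh
# Added pre-flight check (not part of the Red Hat article or RHCOS):
# decide which Clevis pin a MachineConfig's /etc/clevis.json will select
# and, for the tpm2 pin, verify the guest exposes a TPM 2.0 device node.

# Strip the "data:...;base64," prefix of an Ignition file source and decode it.
decode_ignition_data_url() {
  url="$1"
  printf '%s' "${url#*,}" | base64 -d
}

# Map a Clevis config document to a pin name. Heuristic (assumption): Tang
# configs carry a "url" key; the tpm2 pin config is "{}" or pcr_*/hash keys.
clevis_pin_for_config() {
  case "$1" in
    *'"url"'*) echo tang ;;
    *)         echo tpm2 ;;
  esac
}

# A TPM 2.0 is present when the kernel created /dev/tpmrm0, the TPM 2.0
# resource-manager node; /dev/tpm0 alone may be a TPM 1.2. On a real host
# this is a character device; -e (not -c) lets the check run on a plain
# directory in tests.
tpm2_device_present() {
  devdir="${1:-/dev}"
  [ -e "$devdir/tpmrm0" ]
}

# Returns 0 if the encryption config can work on this guest, 1 if the
# tpm2 pin is selected but no TPM 2.0 device is visible under $devdir.
preflight() {
  source_url="$1"
  devdir="${2:-/dev}"
  config="$(decode_ignition_data_url "$source_url")"
  pin="$(clevis_pin_for_config "$config")"
  if [ "$pin" = tpm2 ] && ! tpm2_device_present "$devdir"; then
    echo "clevis pin=tpm2 requested but no TPM 2.0 device under $devdir;" \
         "coreos-encrypt.service will fail at first boot" >&2
    return 1
  fi
  echo "clevis pin=$pin: ok"
  return 0
}

# Usage on a host: sh preflight.sh 'data:text/plain;base64,e30K' /dev
# ("e30K" is the base64 of "{}", the TPM v2 clevis.json.)
if [ $# -gt 0 ]; then
  preflight "$1" "${2:-/dev}"
fi
```

Run it on an instance booted from the same RHCOS image (for example over the serial console or SSH) before applying the MachineConfig; a non-zero exit means the tpm2 pin will fail exactly as in the log above, and the Tang pin, which needs no TPM, is the configuration to compare against.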
    

Environment

  • OpenShift Container Platform 4.4
  • Amazon Web Services (AWS)
