As long as the device is not locked, the CAAM error is the only problem.
But after locking the device, this error shows up:
[ 5.971928] trusted_key: key_unseal failed (-74)
and
Jan 22 11:32:45 localhost tdx-enc.sh[503]: caam: Encrypted key exists. Importing it...
Jan 22 11:32:45 localhost tdx-enc.sh[563]: add_key: Bad message
Jan 22 11:32:45 localhost tdx-enc.sh[503]: caam: ERROR: Error adding key to kernel keyring!
This is then the TDX_ENC_STORAGE failing.
But it looks like tdx-enc.sh expects a key blob in /var/local/private/.keys/, but /var/local/private does not exist. Also strange that /var/local says it's a read-only file system even though /var is a mounted tmpfs.
So probably not directly related to CAAM nor the job ring.
Either TDX_ENC_KEY_DIR must be set in tdx-enc.sh, or /var/local/private/.keys must be present and writable.
I actually have TDX_ENC_KEY_LOCATION = “partition”, so the default should be /tmp for the blob, where it is also present. /var/local/private should be the default for TDX_ENC_KEY_LOCATION = “filesystem”.
If the module is booted in an unlocked state, the partition gets encrypted with the default key. When the module is then locked and rebooted it tries to use the safe key and that does not work.
Current solution is to do a new mkfs.ext4 on the partition and then reboot; then tdx-enc.sh succeeds.
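A small preflight check that a practitioner might run before tdx-enc.sh on a locked module, added here as an example and not part of the thread or of Toradex's tdx-enc.sh. It only encodes what the post above states: with TDX_ENC_KEY_LOCATION set to "partition" the blob is expected under /tmp, with "filesystem" under /var/local/private/.keys, and TDX_ENC_KEY_DIR overrides both. The function names and return codes are this example's own assumptions; the real script's defaults should be confirmed in its source.

```sh
#!/bin/sh
# Hypothetical helper: resolve the directory tdx-enc.sh is expected to read the
# key blob from. Defaults are taken from the thread above, not from the script.
#   $1: TDX_ENC_KEY_LOCATION value ("partition" or "filesystem")
#   $2: optional TDX_ENC_KEY_DIR override
tdx_enc_key_dir() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2"
        return 0
    fi
    case "$1" in
        partition)  printf '%s\n' "/tmp" ;;
        filesystem) printf '%s\n' "/var/local/private/.keys" ;;
        *) printf 'unknown TDX_ENC_KEY_LOCATION: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Preflight: the blob directory must exist and be writable, otherwise the
# script fails before it ever reaches CAAM (the "/var/local does not exist"
# and "read-only file system" symptoms above). Also report whether a blob is
# already there, since a blob sealed while the module was unlocked will not
# unseal once it is locked.
# Returns 0 when the directory is usable, 1 when missing, 3 when not writable.
tdx_enc_preflight() {
    dir=$(tdx_enc_key_dir "$1" "$2") || return $?
    if [ ! -d "$dir" ]; then
        echo "key dir $dir does not exist" >&2
        return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "key dir $dir is not writable (read-only mount?)" >&2
        return 3
    fi
    # Any existing blob file is worth noting: if it was created before the
    # module was locked, expect key_unseal to fail and plan to re-create it.
    for f in "$dir"/*; do
        [ -f "$f" ] && echo "existing blob candidate: $f"
    done
    return 0
}

# Usage: tdx_enc_preflight "${TDX_ENC_KEY_LOCATION:-partition}" "$TDX_ENC_KEY_DIR"
```

Run it with the same environment tdx-enc.sh sees; a non-zero exit points at a missing or read-only key directory rather than at CAAM or the job ring.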