tpm: T7713: T7717: Multiple TPM fixes

[sarthurdev]

Change summary

• T7727: Adds prompt to overwrite existing config backup
• T7727: Move volume checks before prompting for key/recovery key
• T7720: Catch errors during config encryption and gracefully abort
• T7717: Recursively set vyattacfg group on mounted config directory
• T7713: Restore config bind mounts on config decrypt
• T7735: Don't prompt for key/recovery key if encrypted volume is mounted
• T7726: Copy encrypted config volume when using add system image
• T7726: Prompt user before clearing TPM on decrypt

Includes minor formatting changes, single-line imports.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

Related PR(s)

How to test / Smoketest result

make testtpm passes and all error steps reported in Phorge now succeed.

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[github-actions]

👍
No issues in PR Title / Commit Title

[alexk37]

@sarthurdev please check the following scenario (TPM emulation is on):

encryption enable
reboot
encryption disable

encryption disable fails with the following error:

vyos@vyos:~$ encryption disable 
Moving existing /config folder to /config.old
Failed to decrypt config: [Errno 32] failed to run command: None mount --bind /lib/live/mount/persistence/boot/2025.08.19-1848-integration/rw/config /opt/vyatta/etc/config
returned: 
exit code: 32

the actual error:

mount: /opt/vyatta/etc/config: mount(2) system call failed: No such file or directory.
       dmesg(1) may have more information after failed mount system call.

It seems like at this point the /opt/vyatta/etc/config folder gets corrupted

[alexk37]

@sarthurdev when disabling encryption - if we choose not to overwrite the existing config backup config.old further encryption enable aborts:

vyos@vyos:~$ encryption disable 
Moving existing /config folder to /config.old
Backup config path "/config.old" already exists. Overwrite? [y/N] 
Encrypted config volume has been disabled
Contents have been migrated to /config on rootfs

vyos@vyos:~$ encryption enable 
An encrypted config volume is already mapped, aborting.

[alexk37]

@sarthurdev add system image fails if we choose not to copy the active configuration:

vyos@vyos:~$ add system image vyos-2025.08.18-0022-rolling-generic-amd64.iso
Validating image compatibility
Validating image checksums
What would you like to name this image? (Default: 2025.08.18-0022-rolling) 
Would you like to set the new image as the default one for boot? [Y/n] 
An active configuration was found. Would you like to copy it to the new image? [Y/n] n
Cleaning up
Unmounting target filesystems
Removing temporary files
Error: [Errno 2] No such file or directory: '/usr/lib/live/mount/persistence/boot/2025.08.18-0022-rolling/rw/opt/vyatta/etc/config//config.boot'

vyos@vyos:~$ show system image 
Name                         Default boot    Running
---------------------------  --------------  ---------
2025.08.19-1848-integration  Yes             Yes

Exception occurs at this step of the process

[alexk37]

@sarthurdev in case we have image1 and image2
if we encrypt config in image1 and then in image2 - the second encryption overwrites TPM so the image1 can't load the config

[sarthurdev]

Thanks Alex, I'll update the PR this week.

[sarthurdev]

@alexk37 Hey Alex, if you have any time to check the new integration ISO?

I've done testing on the scenarios you've described and I think they should all be addressed now.

[alexk37]

@sarthurdev Hi Simon, kindly check the following issues, they reproduce in vyos-2025.09.09-1525-integration

1. Encryption disable after reboot
2. Add system image fails when we select not to copy the active configuration
3. If we choose to overwrite TPM with new key and then try to load the image which was encrypted previously - not possible to use recovery key for 'encryption load/disable'. So the case is when we have a key in TPM (it is not empty) but not able to decrypt it - error occurs and no option to use recovery key is given

Detailed testing log is available in Jira - https://internal.jira.vyos.com/browse/VD-1447?focusedCommentId=28569

[sever-sever]

Rolling is a good candidate for check fixes.

[alexk37]

@sever-sever apart from some tpm issues, currently there is an issue which causes 'add system image' to fail if we choose not to copy the active config, just wanted to inform in case this is major issue for rolling

[sarthurdev]

@sever-sever apart from some tpm issues, currently there is an issue which causes 'add system image' to fail if we choose not to copy the active config, just wanted to inform in case this is major issue for rolling

I'm not sure that issue relates to the TPM code or changes in this PR?

When I had a quick look it might be relating to this commit 3fe5f8f and might be better suited as a separate task.

Edit:

From latest rolling

Copying SSH host keys
Copying system image files
Cleaning up
Unmounting target filesystems
Removing temporary files
Cleaning up
Unmounting target filesystems
Removing temporary files
Error: [Errno 2] No such file or directory: '/usr/lib/live/mount/persistence/boot/asd/rw/opt/vyatta/etc/config//config.boot'
vyos@vyos:~$ sh ver
Version:          VyOS 2025.09.10-0018-rolling
Release train:    current
Release flavor:   generic

Built by:         [email protected]
Built on:         Wed 10 Sep 2025 00:18 UTC
Build UUID:       846c1b06-a380-48fa-b3dd-d954700da0a2
Build commit ID:  c6d3547904cfac

[alexk37]

@sarthurdev you are right, the error itself is related to another commit. With TPM changes the failing line of code was moved up so the image installation code is not executed anymore

UPD:
The root cause bug reported in T7818

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[sever-sever]

There are conflicts

 src/helpers/vyos-config-encrypt.py
5 conflicts


<<<<<<< tpm_fixes
from vyos.utils.process import cmd, run
=======
from vyos.utils.process import cmd
from vyos.defaults import directories
>>>>>>> current


<<<<<<< tpm_fixes
    for path in mount_paths:
        run(f'umount -l {path}')
        cmd(f'mount /dev/mapper/vyos_config {path}')
        cmd(f'chgrp -R vyattacfg {path}')
=======
    cmd(f'mount /dev/mapper/vyos_config {mount_path}')
    cmd(f'chgrp -R vyattacfg {mount_path}')
>>>>>>> current

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

CI integration 👍 passed!

Details

CI logs

• CLI Smoketests (no interfaces) 👍 passed
• CLI Smoketests VPP 👍 passed
• CLI Smoketests (interfaces only) 👍 passed
• Config tests 👍 passed
• Config tests VPP 👍 passed
• RAID1 tests 👍 passed
• TPM tests 👍 passed

[sever-sever]

Rolling is a good candidate for check fixes.

[dmbaturin]

I don't see any issues and now all suggestions are implemented, so let's give it a try.