Package Details: tpm2-totp 0.1.2-1

Git Clone URL: (read-only)
Package Base: tpm2-totp
Description: Attest the trustworthiness of a device against a human using time-based one-time passwords
Upstream URL:
Licenses: BSD
Submitter: diabonas
Maintainer: diabonas
Last Packager: diabonas
Votes: 0
Popularity: 0.000000
First Submitted: 2019-03-25 14:34
Last Updated: 2019-09-05 07:48

Latest Comments

1 2 Next › Last »

diabonas commented on 2019-09-11 11:32

@aminvakil Ok, feel free to open an issue in the upstream GitHub repository if you need help and can get hold of a more concrete error message.

aminvakil commented on 2019-09-11 10:36

@diabonas Thanks for your help but I couldn't make it work at last with or without plymouth, and I can't bother you anymore explaining to me, therefore I'm going to deal with it myself from now on.

diabonas commented on 2019-09-11 08:15

@aminvakil When you press escape during boot, do you see any log messages? If tpm2-totp fails to communicate with the TPM, there should be some warnings/errors along the lines of "failed to initialise TCTI". If there is no output at all, the only thing I can think of is that your system doesn't have enough entropy to communicate with the TPM and random.trust_cpu=on didn't help. In that case, try waiting a few minutes while spamming the keyboard with random key presses to allow the system to collect enough entropy, hopefully the TOTP should show up at some point then.

To get more helpful debugging output, you can also try using an initramfs without Plymouth: remove sd-plymouth from HOOKS and replace plymouth-tpm2-totp by tpm2-totp. In that case the initramfs blocks until you have verified the TOTP, so you should get a message saying "Verify the TOTP (press any key to continue):", and then either the TOTP or some kind of error message.

aminvakil commented on 2019-09-11 08:01

@diabonas I installed tpm2-tss-git and then tpm2-totp-git then change my hook to this:

HOOKS=(base systemd sd-plymouth autodetect keyboard sd-vconsole modconf block plymouth-tpm2-totp sd-encrypt sd-lvm2 filesystems fsck)

Regenerated initramfs, nothing shows in plymouth. Change GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub to this:

GRUB_CMDLINE_LINUX_DEFAULT=" root=/dev/aaa/bbb pci=nommconf nouveau.modeset=0 rd.driver.blacklist=nouveau ipv6.disable=1 quiet splash loglevel=3 rd.udev.log_priority=3 vt.global_cursor_default=0  random.trust_cpu=on"

Executed grub-mkconfig -o /boot/grub/grub.cfg and this doesn't work as well. Also after removing tpm2-top package and installing tpm2-totp-git, I executed these commands:

sudo tpm2-totp clean
sudo tpm2-totp -P amin generate

and then verified it by sudo tpm2-totp calculate.

diabonas commented on 2019-09-11 07:26

@aminvakil Ah, if you're using Plymouth, you currently need to use tpm2-totp-git since that stuff hasn't made it into the released version 0.1.x yet. Replace the tpm2-totp hook by plymouth-tpm2-totp and call it much earlier, e.g. before sd-encrypt, otherwise you will only see the TOTP for a very short time before boot is completed. If the TOTP still doesn't show then, you might also need to add random.trust_cpu=on to your kernel command line to have more entropy available during boot.

aminvakil commented on 2019-09-11 06:07

@diabonas Sorry for my late response, I installed plymouth from AUR and change my HOOKS arrary to this and regenerate initramfs.

HOOKS=(base systemd sd-plymouth autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck tpm2-totp)

Also I've changed my GRUB_CMDLINE_LINUX in /etc/default/grub to:

GRUB_CMDLINE_LINUX_DEFAULT=" root=/dev/xxx/xxx pci=nommconf nouveau.modeset=0 rd.driver.blacklist=nouveau ipv6.disable=1 quiet splash loglevel=3 rd.udev.log_priority=3 vt.global_cursor_default=0"

Actually I've only added quiet splash... and everything was there before.

Anyway plymouth is now showing ok, but I still can't view totp code.

I executed sudo tpm2-totp -P amin generate before any of this.

Also my laptop has an annoying weird problem which I don't what is causing it, but it may be a help for you to know about it.

diabonas commented on 2019-09-09 14:20

@aminvakil Did you add tpm2-totp to the HOOKS array in /etc/mkinitcpio.conf and regenerate your initramfs? If you have done that, you should see the message "Verification TOTP:" during boot, and after that either the calculated TOTP or at least some error message.

aminvakil commented on 2019-09-05 19:47


Thanks for your help, I could make it ok, but I couldn't fix it to show the code on plymouth on booting the system up, if there is something that I should to make it appear upon booting please let me know.

diabonas commented on 2019-09-05 17:56

@aminvakil If you want to set the recovery password, you need to use -P (uppercase P) instead of -p (lowercase p). The option you gave is used to specify the PCRs the TOTP should be sealed against and expects a comma-separated list of PCR indices (the default value if you omit it is 0,2,4).

aminvakil commented on 2019-09-05 17:50


You were right, my TPM was disabled.

I enabled it in my BIOS setup and now I face this:

sudo tpm2-totp -p change generate
Error parsing pcrs.

If it helps my BIOS setup is password-protected (not on startup, only on going to bios setup) and my ssd is luks-encrypted.