Skip to content

Talos reset should wipe partition headers before device headers #12491

New issue
New issue
Open
Bug
Open
Talos reset should wipe partition headers before device headers#12491
Bug
@briantopping

Description

@briantopping
briantopping
opened on Dec 25, 2025

Bug Report

Description

When using TPM-based LUKS volume passwords, sequential installations using default partitioning can fail without visible cause due to stale LUKS headers left by the previous installation. Due to a lack of knowledge, this was discovered without logs, so most of this report is conjecture.

The problem was found as the author muddled through learning Secure Boot and Talos at the same time. Out of an abundance of caution, when rebuilding the practice node, they would erase the volumes via wipefs -fa /dev/sda[123] /def/sda, then clear the TPM in BIOS setup. Note the wipe of the partitions before the volume.

When both the disk and the TPM are cleared in this manner on the hardware available to test (Supermicro X10 vintage), install was reliable with the PCR7 fix in v12.0 (see #12476).

Later, when testing a new configuration, the "reset" functionality was discovered to clear the installation. This was a refreshing discovery that sped the development lifecycle, but added a new problem.

When the node was reset without clearing the TPM, it appears that the reinstall worked correctly. When the TPM was cleared with the reset, the node would boot to the splash screen and not progress.

Presumably, the reason for this is the same partition geometry was aligned around the leftover LUKS headers and the boot tried to use the headers with the wrong password from the wiped TPM.

Further investigation led to trying the wipefs technique from above, but with the partition table was already cleared, it impossible to wipe the LUKS labels. Finally, after zeroing the entire drive, the install started working again.

Resolution Strategy

It seems that when a node is reset, either the labels from each partition should be wiped as above (each partition before the partition map) and/or labels should be searched and erased when a geometry is written. Both would be valuable in various user situations.

Environment

  • Talos 1.12.0 secureboot ISO (standard, no custom kernel args needed)
  • Supermicro X10DRi-TR013 with Infineon SLB9665 TPM, (firmware 5.62.12.13824, TIS interface)
  • SecureBoot enabled

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    Bug

    Projects

    Planning

    Status

    To Do

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions