On Tue Dec 10, 2024 at 3:04 PM EET, James Bottomley wrote: > On Tue, 2024-12-10 at 07:13 +0100, Jiri Slaby wrote: > [...] > > Perhaps, you can give a hint why those happen exclusively with 6.12+? > > For which one: the ramdisk size not being modulo 4 or the unseal > getting a PCR changed error? For the former I don't have much of an > idea, it would seem to be a dracut (or whatever initrd builder you use) > issue; the kernel doesn't care about the ramdisk size. For the latter, > I would suspect something is delaying IMA measurements such that > they're still going on when you're trying to unseal. The error you're > getting occurs if any PCR changes, not just the ones the policy is > locked to (thanks TCG). We have had syzbot reports of processes > getting stuck in measurement that have been identified as exfat > related: > > https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330 > > But it could be a more generic filesystem issue that measurement is > slowing but not enough to trigger the stuck process warning. > > In particular systemd parallelizes a lot of stuff, so if it's doing > something that causes IMA measurement in parallel with the unseal and > this parallel process finished before unseal on an earlier kernel, that > would explain it. You could probably verify this by adding more > dependencies to the tpm target, but I'm not really well versed in > systemd. Yeah, I agree. This is too much looking for needle from the haystack. A bit more evidence for kernel issue is needed than just kernel version change in order to make progress. > Regards, > > James BR, Jarkko
