Re: Permanently remove services

Mantas Mikulėnas <grawity@xxxxxxxxx> · Fri, 19 Jan 2024 18:37:35 +0200

On Fri, Jan 19, 2024, 17:47 Morten Bo Johansen <mortenbo@xxxxxxxxxxx> wrote:
On 2024-01-18 Lennart Poettering wrote:

> On Do, 18.01.24 22:53, Morten Bo Johansen (mortenbo@xxxxxxxxxxx) wrote:

>

>> ~/ % systemd-creds has-tpm2

>> partial

>> +firmware

>> -driver

>> +system

>> +subsystem

>> +libraries

>

> OK, so this indicates that your system has TPM support on all levels

> with a single exception: you lack an actual linux driver for your

> specific hw. And that puzzles me. because to my knowledge at least

> linux should support all relevant tpm2 interfaces just fine. THis

> suggests that you haven#t got the right modules installed.

I think that perhaps systemd-creds gets it wrong? There really

does not seem to be any TPM support on this computer, either

version 1.2 or 2. In the bios settings, there is no "security

chip" entry under the "Security" tab and no other settings

pertaining to TPM in the bios at all.

In general I've learned to not quite trust what the firmware shows... we've had a batch of Skylake-or-so desktops that *did* have a CPU-integrated fTPM but it wasn't even mentioned until we did a BIOS update, even though CPU spec said it should be present.

However, your CPU is from Haswell era and according to the spec sheet it definitely seems to lack Intel's PTT "built-in TPM 2.0" feature (it has the older IPT but that's a different thing, not a TPM equivalent), so that seems correct. If I understand correctly, the only option for that CPU would be a discrete TPM chip, and if the manufacturer had bothered to include one, it ought to be showing up in the BIOS settings.

On the other hand, you said you have a /dev/tpm0... I'm somewhat curious about whether there are any mentions 'tpm' or 'tis' or something like that in your `dmesg`?

I ran Windows 11 in a VM

to check what it thinks about it and it also says that there is

no TPM support, either 1.2 or 2.

A virtual machine won't be able to see the real TPM either way (or any other real hardware; it's kinda what makes it a virtual machine). All it would see is a vTPM provided by the VM host software.