On Mo, 19.02.24 10:36, Mikko Rapeli (mikko.rapeli@xxxxxxxxxx) wrote: > > After=dev-tpmrm0.device tee-supplicant@teepriv0.service > > Wants=dev-tpmrm0.device tee-supplicant@teepriv0.service > > I think my problems come from: > > After=tee-supplicant@teepriv0.service > Wants=tee-supplicant@teepriv0.service > > Basically tee-supplicant should only be started if /dev/teepriv* device node > is available. Then in my case with fTPM devices, all TPM using and encrypted > rootfs creating services need to depend on the service which starts tee-supplicant > but only if /dev/teepriv0 exists. If teepriv0 doesn't exist, then tee-supplicant > should not be started and the dependencies to it should not exist > either. Is /dev/teepriv* guaranteed to be available when userspace is invoked? or is it something that itself requires some kmod loading to show up, i.e. that "udevadm trigger" causes to load? > How should this dependency be expressed in systemd services? > > Can tee-supplicant@.service include: > > Before=systemd-pcrphase-initrd.service systemd-pcrphase.service systemd-pcrmachine.service > WantedBy=systemd-pcrphase-initrd.service systemd-pcrphase.service systemd-pcrmachine.service > > In my testing this does not seem to work inside initramfs. > > If systemd-pcrphase-initrd.service systemd-pcrphase.service and systemd-pcrmachine.service > service have After= and Wants= to tee-supplicant@teepriv0.service then things work, > except on boards which have no optee and no /dev/teepriv0 where tee-supplicant seems > be started and fails due to missing optee which breaks the initramfs boot. For your usecase the new tpm2.target available in git main is what you really should focus on: all TPM using services should order themselves after that. All stuff needed to make a TPM device appear should be placed before that. The systemd-tpm2-generator that now exists in git main analyzes the uefi/acpi firmware situation and automatically adds a dev-tpm0.device dependency on tpm2.target if it comes to the conclusion that such a device will show up. This generator is not going to cover your specific case, but I think it would be a good blueprint for you: i.e. write a generator that checks if /dev/teepriv* exists. If not, just exit. If yes, generate the required deps to pull in tee-supplicatnt@.service, and add the dev-tpmrm0.device dep just like systemd-tpm2-generator does. Lennart -- Lennart Poettering, Berlin
Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
- Date: Mon, 19 Feb 2024 11:53:14 +0100
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <ZdMTJQIk1hMPzAc_@nuoska>
- References: <ZaaNdktdXl5Jgnu4@nuoska> <Zc8qv0YS_tBWMUfA@nuoska> <ZdMTJQIk1hMPzAc_@nuoska>
- Follow-Ups:
- References:
- Handle device node timeout?
- From: Mikko Rapeli
- Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Handle device node timeout?
- Prev by Date: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Next by Date: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Previous by thread: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Next by thread: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Index(es):
 |