Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)

Hi,

On Mon, Apr 15, 2024 at 05:41:00PM +0200, Lennart Poettering wrote:
> Would be good to have that with systemd.log_target=debug, to see if
> tpm2.target even gets enqueued.

Here is the verbose log:

https://people.linaro.org/~mikko.rapeli/systemd_255_tpm2_target_qemu_swtpm_boot_encryption_failure.txt

System is qemu arm64 with UEFI / ARM System Ready compatible firmware,
secure boot and TPM2 device via swtpm.

It boots a UKI binary with kernel 6.6.20 and a systemd-based initramfs which
creates a TPM2-backed encrypted rootfs. Kernel TPM drivers are modules and are available
in the initramfs for udev to load. The .wic file system image for qemu contains
empty space for the rootfs and a dm-verity protected /usr partition which
is auto-detected based on the kernel command line. systemd is version 255 from the
stable branch, commit 387a14a7b67b8b76adaed4175e14bb7e39b2f738, with the following
patches applied to try to fix these TPM and module loading issues:

cryptsetup-tokens: fix argument order mismatch in function
tpm2-setup: Add --graceful
units: add a tpm2.target synchronization point and small generator that pulls in
units: order repart after systemd-tpm2-setup-early.service

Creating the new rootfs via systemd-repart.service succeeds, as the blkid debug
command also shows. Mounting the newly created rootfs fails at the systemd-cryptsetup@root.service
step. For some reason it is trying to open the disk with a password or PIN; it should
be using keys etc. protected with the TPM2 device. ConditionSecurity=measured-uki seems
to fail in multiple locations. tpm_tis support gets detected by udev and the modules
are loaded, which is visible in the emergency shell with lsmod. tpm2.target does
run.

systemd-tpm2-setup-early.service: ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem succeeded.

but

systemd-tpm2-setup-early.service: ConditionSecurity=measured-uki failed.

AFAIK this used to be ConditionSecurity=tpm2 in systemd 254, where this step
worked for me, but with more backported patches. The UKI binary is not run with
--measure/systemd-measure since the UKI binary is already protected with UEFI
secure boot signatures and /usr is dm-verity protected, with the kernel command line
inside the UKI binding the two. The TPM2 device is only used to set up a device-specific
protected and writable root partition on first boot.

So something with the tpm2 drivers-as-modules approach is still not working, even
with the tpm2.target patches.

The same system with built-in TPM drivers is able to mount the newly created TPM-backed
rootfs, and after the initramfs phase, booting into the dm-verity protected /usr partition
works too.

Cheers,

-Mikko
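A small triage script, added here and not part of this thread or of systemd, that reads the EFI variable sd-stub uses to record which PCR it measured the UKI into, and checks the TPM device nodes and the SRK public key file that the thread's log lines mention. It assumes (my reading, not confirmed by the thread) that ConditionSecurity=measured-uki is satisfied only when that variable, StubPcrKernelImage under the systemd loader vendor GUID, reports PCR 11.

```shell
#!/bin/sh
# Triage helper for "ConditionSecurity=measured-uki failed" (added example).
# Assumption: sd-stub records the PCR it measured the kernel image into in the
# EFI variable StubPcrKernelImage (vendor GUID 4a67b082-0a4c-41cf-b6c7-440b29bb8c4f),
# and systemd's measured-uki condition expects that value to be "11".
STUB_VAR=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f

# Decode an efivarfs file: 4 bytes of attribute flags, then a UTF-16LE string.
# Prints the recorded PCR number; returns 1 if the variable file is not readable.
stub_pcr_from_efivar() {
    file="$1"
    [ -r "$file" ] || return 1
    # tail -c +5 skips the 4 attribute bytes; tr drops the UTF-16 NUL bytes and
    # anything that is not a digit (e.g. the string terminator).
    tail -c +5 "$file" | tr -d '\000' | tr -cd '0-9'
}

# Returns 0 when the stub measured the kernel image into PCR 11, 1 otherwise.
measured_uki_ok() {
    pcr=$(stub_pcr_from_efivar "$1") || return 1
    [ "$pcr" = "11" ]
}

# Print the pieces the thread checks by hand in the emergency shell.
report() {
    if measured_uki_ok "$STUB_VAR"; then
        echo "measured-uki: stub measured the kernel image into PCR $(stub_pcr_from_efivar "$STUB_VAR")"
    elif [ -r "$STUB_VAR" ]; then
        echo "measured-uki: stub recorded PCR $(stub_pcr_from_efivar "$STUB_VAR"), expected 11"
    else
        echo "measured-uki: StubPcrKernelImage missing: sd-stub did not record a measurement"
        echo "  (no TPM visible to the firmware/stub at boot, or the image was not booted via sd-stub)"
    fi
    for n in /dev/tpm0 /dev/tpmrm0; do
        if [ -c "$n" ]; then echo "present: $n"; else echo "missing: $n (TPM driver not loaded yet?)"; fi
    done
    if [ -r /run/systemd/tpm2-srk-public-key.pem ]; then
        echo "SRK public key already written by systemd-tpm2-setup"
    else
        echo "SRK public key not yet written (tpm2-setup did not run or its condition failed)"
    fi
}
```

Run `report` from the emergency shell; the first line tells you whether the stub-side measurement exists at all, independently of whether the kernel TPM modules have been loaded yet.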


