On Di, 16.04.24 15:02, Mikko Rapeli (mikko.rapeli@xxxxxxxxxx) wrote: > Hi, > > On Mon, Apr 15, 2024 at 05:41:00PM +0200, Lennart Poettering wrote: > > Would be good to have that with systemd.log_target=debug, to see if > > tpm2.target even gets enqueued. > > Here is the verbose log: > > https://people.linaro.org/~mikko.rapeli/systemd_255_tpm2_target_qemu_swtpm_boot_encryption_failure.txt So that shows that tpm2.target is only enqueued once the /dev/tpmrm0 device actually shows up. But that makes it useless. The idea is that the target is already enqueued when during very early setup in systemd-tpm2-generator we come to the conclusion that "yes, a tpm2 device has not been found and set up by Linux yet, but the firmware indicates there is one, hence let's schedule a job for it, that everything can sync on". But this determination never happened here, tpm2.target was never enqueued, hence never acted as a synchronization milestone. (As a temporary hack you can *force* systemd-tpm2-generator to assume that a TPM device will show up via systemd.tpm2_wait=1 on the kernel cmdline, and thus enqueue tpm2.target. But that's only suitable as local hack: we should be able to determine all this automatically based on firmware properties, see below.) > System is qemu arm64 with UEFI / ARM System Ready compatible firmware, > secure boot and TPM2 device via swtpm. So this firmware implements UEFI and ACPI? As indication whether the firmware supports TPM2, we check for the existance of the /sys/firmware/acpi/tables/TPM2 ACPI table. Does that exist for you? See src/share/efi-api.c, function efi_has_tpm2(). Do you have /sys/kernel/security/tpm0/binary_bios_measurements? > systemd-tpm2-setup-early.service: ConditionSecurity=measured-uki > failed. So this suggests you haven't booted the system with a UKI or that your firmware doesn#t actually do TPM. Or in other words: ConditionSecurity=measured-uki will only hold if the aforementioned ACPI table exists *and* the StubPcrKernelImage EFI variable is found to be set. Lennart -- Lennart Poettering, Berlin
Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
- Date: Tue, 16 Apr 2024 16:03:25 +0200
- Cc: Aleksandar Kostadinov <akostadi@xxxxxxxxxx>, systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <Zh5o0WdGfyOQba1o@nuoska>
- References: <ZdMTJQIk1hMPzAc_@nuoska> <ZdMzGtyCVsbzOz6K@gardel-login> <ZhT-U4exTjg0wHlr@nuoska> <ZhY-hpEyib1WzCrd@nuoska> <CAPws7kZpX0ONPxvk+TV-XeBPPbhzq3i3Cs64BbMWwN8kpnBfmg@mail.gmail.com> <ZhzZXIUwHif1IRvC@nuoska> <Zh0zhqyw5JBs92VO@gardel-login> <Zh04e1t-yY2aEtJx@nuoska> <Zh1KjIoiATe_TbA5@gardel-login> <Zh5o0WdGfyOQba1o@nuoska>
- Follow-Ups:
- References:
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Lennart Poettering
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Aleksandar Kostadinov
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Lennart Poettering
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Lennart Poettering
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Prev by Date: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Next by Date: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Previous by thread: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Next by thread: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Index(es):
 |