Hi, On Tue, Apr 16, 2024 at 04:03:25PM +0200, Lennart Poettering wrote: > On Di, 16.04.24 15:02, Mikko Rapeli (mikko.rapeli@xxxxxxxxxx) wrote: > > > Hi, > > > > On Mon, Apr 15, 2024 at 05:41:00PM +0200, Lennart Poettering wrote: > > > Would be good to have that with systemd.log_target=debug, to see if > > > tpm2.target even gets enqueued. > > > > Here is the verbose log: > > > > https://people.linaro.org/~mikko.rapeli/systemd_255_tpm2_target_qemu_swtpm_boot_encryption_failure.txt > > So that shows that tpm2.target is only enqueued once the /dev/tpmrm0 > device actually shows up. But that makes it useless. The idea is that > the target is already enqueued when during very early setup in > systemd-tpm2-generator we come to the conclusion that "yes, a tpm2 > device has not been found and set up by Linux yet, but the firmware > indicates there is one, hence let's schedule a job for it, that > everything can sync on". But this determination never happened > here, tpm2.target was never enqueued, hence never acted as a > synchronization milestone. > > (As a temporary hack you can *force* systemd-tpm2-generator to assume > that a TPM device will show up via systemd.tpm2_wait=1 on the kernel > cmdline, and thus enqueue tpm2.target. But that's only suitable as > local hack: we should be able to determine all this automatically > based on firmware properties, see below.) > > > System is qemu arm64 with UEFI / ARM System Ready compatible firmware, > > secure boot and TPM2 device via swtpm. > > So this firmware implements UEFI and ACPI? As indication whether the > firmware supports TPM2, we check for the existance of the > /sys/firmware/acpi/tables/TPM2 ACPI table. Does that exist for you? > > See src/share/efi-api.c, function efi_has_tpm2(). > > Do you have /sys/kernel/security/tpm0/binary_bios_measurements? > > > systemd-tpm2-setup-early.service: ConditionSecurity=measured-uki > > failed. > > So this suggests you haven't booted the system with a UKI or that your > firmware doesn#t actually do TPM. > > Or in other words: ConditionSecurity=measured-uki will only hold if > the aforementioned ACPI table exists *and* the StubPcrKernelImage EFI > variable is found to be set. At least in this case with qemu and swtpm, the TPM device support is available via devicetree and thus with check for /proc/device-tree/tpm-event-log via https://github.com/systemd/systemd/pull/32314 the TPM2 devices gets correctly detected and once kernel modules get loaded ConditionSecurity=measured-uki passes. Boot log here: https://people.linaro.org/~mikko.rapeli/systemd_255_tpm2_devicetree_fix.txt Cheers, -Mikko
Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli <mikko.rapeli@xxxxxxxxxx>
- Date: Wed, 17 Apr 2024 13:56:03 +0300
- Cc: Aleksandar Kostadinov <akostadi@xxxxxxxxxx>, systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <Zh6FLVxmfn4zMdb2@gardel-login>
- References: <ZdMzGtyCVsbzOz6K@gardel-login> <ZhT-U4exTjg0wHlr@nuoska> <ZhY-hpEyib1WzCrd@nuoska> <CAPws7kZpX0ONPxvk+TV-XeBPPbhzq3i3Cs64BbMWwN8kpnBfmg@mail.gmail.com> <ZhzZXIUwHif1IRvC@nuoska> <Zh0zhqyw5JBs92VO@gardel-login> <Zh04e1t-yY2aEtJx@nuoska> <Zh1KjIoiATe_TbA5@gardel-login> <Zh5o0WdGfyOQba1o@nuoska> <Zh6FLVxmfn4zMdb2@gardel-login>
- References:
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Lennart Poettering
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Aleksandar Kostadinov
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Lennart Poettering
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Lennart Poettering
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Mikko Rapeli
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- From: Lennart Poettering
- Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Prev by Date: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Next by Date: Custom nobody user/group name not equivalent
- Previous by thread: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Next by thread: Re: Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)
- Index(es):
 |