Re: tee-supplicant initrd startup before tpm2.target and dev-tpmrm0.device

On Do, 06.06.24 18:05, Mikko Rapeli (mikko.rapeli@xxxxxxxxxx) wrote:

> Hi,
>
> The initrd side startup and shutdown of tee-supplicant works now correctly
> with:
>
> [Unit]
> Description=TEE Supplicant on %i
> DefaultDependencies=no
> After=dev-%i.device
> Wants=dev-%i.device
> Conflicts=shutdown.target

> Before=systemd-pcrextend.socket systemd-pcrextend@.service
> systemd-pcrfs-root.service systemd-pcrfs@.service
> systemd-pcrmachine.service systemd-pcrphase-initrd.service
> systemd-pcrphase-sysinit.service systemd-pcrphase.service
> systemd-tpm2-setup-early.service systemd-tpm2-setup.service
> tpm2.target sysinit.target shutdown.target

You cannot have deps on templates, only on instances of
templates, i.e. Before=systemd-pcrextend@.service doesn't work.

It's also unnecessary since all those services have After=tpm2.target
anyway, so if you order your service before that, you have all that's
needed. Hence all you need as Before= should be:

Before=tpm2.target sysinit.target shutdown.target

And you might want to add Wants=tpm2.target, so that if the tee
supplicant is explicitly started you definitely get the milestone
target pulled in too, even if usually it works the other way round.

>
> [Service]
> Type=simple
> ExitType=cgroup

This is very unusual for a system-level service. Are you sure this is OK?

> EnvironmentFile=-@sysconfdir@/default/tee-supplicant
> ExecStart=@sbindir@/tee-supplicant $OPTARGS

BTW, this pattern of having /etc/default/ and then $OPTARG is
something we despise; it's a compat kludge, don't do that on systemd,
it has stronger tools for changing unit files, such as drop-ins and
override units. Adding multiple levels of changes like this is not how
you do things.

> [Install]

Just drop this line.

> To stop the tee-supplicant@.service in initrd after all TPM users,
> I used the long setup with Before=systemd-pcrphase-initrd etc. This
> seems to work.

How is this supposed to work anyway? Is the supplicant supposed to
exit before the initrd transition, and be started anew after the
transition?

> But I'm failing to set up the start in main rootfs correctly before any of the TPM2 device
> using services. Since udev is starting the service somehow after initrd already did
> it once, then how to redo the same steps earlier also on main rootfs?
>
> Log from a run where main rootfs side tee-supplicant is started
> too late and some services already tried to use the TPM2 device
> which resulted in failures:
>
> [initrd boot finishing up]
>          Stopping TEE Supplicant on teepriv0...
> [  OK  ] Stopped TEE Supplicant on teepriv0.
>
> ^ initrd side tee-supplicant stopped almost last so that all users
>   were shut down already
>
> [  OK  ] Finished Cleanup udev Database.
> [  OK  ] Reached target Switch Root.
>          Starting Switch Root...
> [  OK  ] Stopped Switch Root.
> [  OK  ] Created slice Slice /system/getty.
> [  OK  ] Created slice Slice /system/serial-getty.
> [  OK  ] Created slice User and Session Slice.
> [  OK  ] Started Dispatch Password Requests to Console Directory Watch.
> [  OK  ] Started Forward Password Requests to Wall Directory Watch.
>          Expecting device /dev/ttyAMA0...
>          Expecting device /dev/ttyS2...
> [  OK  ] Reached target Block Device Preparation for /dev/mapper/usr.
> [  OK  ] Reached target Local Encrypted Volumes.
> [  OK  ] Stopped target Switch Root.
> [  OK  ] Stopped target Initrd File Systems.
> [  OK  ] Stopped target Initrd Root File System.
> [  OK  ] Reached target Local Integrity Protected Volumes.
> [  OK  ] Reached target Path Units.
> [  OK  ] Reached target Remote Encrypted Volumes.
> [  OK  ] Reached target Remote File Systems.
> [  OK  ] Reached target Slice Units.
> [  OK  ] Reached target Swaps.
> [  OK  ] Reached target Local Verity Protected Volumes.
> [  OK  ] Listening on RPCbind Server Activation Socket.
> [  OK  ] Listening on RPCbind Server Activation Socket.
> [  OK  ] Reached target RPC Port Mapper.
> [  OK  ] Listening on Syslog Socket.
> [  OK  ] Listening on initctl Compatibility Named Pipe.
> [  OK  ] Listening on Network Service Netlink Socket.
> [  OK  ] Listening on TPM2 PCR Extension (Varlink).
>
> ^ this should only be started once tee-supplicant is running again
> from main rootfs

This suggests tpm2.target hasn't been enqueued on the host system?
Maybe you forgot to include the generator in the host system?

Please provide proper boot logs, with debug logging enabled.

Lennart

--
Lennart Poettering, Berlin
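A small lint, added here as an example and not code from this thread or from systemd, that checks a unit's [Unit] section for the two ordering problems raised in the reply above: dependencies on a bare template (name@.service) and Before= entries that are already ordered After=tpm2.target. The AFTER_TPM2 set is taken from the reply's statement and is an assumption; the sample unit is constructed from the one quoted above with placeholder paths.

```python
"""Lint a systemd unit for deps on templates and redundant Before= entries.
Added example; AFTER_TPM2 is an assumption taken from the reply above."""
import re

DEP_KEYS = ("Before", "After", "Wants", "Requires", "Requisite", "BindsTo", "Conflicts")
TEMPLATE_RE = re.compile(r"^[^@\s]+@\.[a-z]+$")  # name@.service, no instance
# Units the reply says are already After=tpm2.target (assumption from the reply).
AFTER_TPM2 = {"systemd-pcrextend.socket", "systemd-pcrmachine.service",
              "systemd-pcrphase-initrd.service", "systemd-tpm2-setup.service"}
# Constructed sample based on the unit quoted above (path is a placeholder).
SAMPLE_UNIT = """\
[Unit]
After=dev-%i.device
Wants=dev-%i.device
Before=systemd-pcrextend.socket systemd-pcrextend@.service \\
 systemd-pcrphase-initrd.service tpm2.target sysinit.target shutdown.target
[Service]
ExecStart=/usr/sbin/tee-supplicant
"""

def parse_unit(text):
    """Return {key: [unit names]} for dependency keys in [Unit]; repeated keys
    and backslash-continued lines are merged the way systemd reads them."""
    deps, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):          # systemd line continuation
            pending = line[:-1] + " "
            continue
        pending, line = "", line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        key, _, value = line.partition("=")
        if section == "Unit" and key.strip() in DEP_KEYS:
            deps.setdefault(key.strip(), []).extend(value.split())
    return deps

def lint(text, after_tpm2=AFTER_TPM2):
    deps = parse_unit(text)
    return {
        # systemd cannot order against a template; only instances are units
        "template_deps": sorted({n for ns in deps.values() for n in ns if TEMPLATE_RE.match(n)}),
        # these are already After=tpm2.target, so Before=tpm2.target covers them
        "redundant_before": sorted(n for n in deps.get("Before", []) if n in after_tpm2),
        # Wants=tpm2.target pulls the milestone in when the supplicant starts alone
        "missing_wants_tpm2": "tpm2.target" not in deps.get("Wants", []),
    }
```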
