systemd-measure in cross compile environment, and measured-uki vs tpm2 in ConditionSecurity?

[Mikko Rapeli <mikko.rapeli@xxxxxxxxxx>]

Hi,

After update from systemd 254 to 256 (and even 256.4) I had some failures
related to TPM related services depending on ConditionSecurity=measured-uki.

I have basic ukify.py and sbsign signatures working in yocto cross compile
environment but I have doubts that systemd-measure will work there.
It looks like systemd-measure in src/boot/measure.c open TPM devices files
to calculate the PCR values and this doesn't work in cross compile environment.
Thus it looks systemd-measure and ukify.py --measure will not work in
yocto, at least without qemu and swtpm hacks. Am I right on this?

As an alternative I can switch ConditionSecurity from measured-uki back
to tpm2 which was working with v254 and backported tpm2.target. Without measured-uki,
creating the TPM2 backed encrypted rootfs works[1] but just mounting it in initrd
fails which is a bit odd. Would have expected that creating it with systemd-repart
also fails if measured-uki isn't true.

I guess in an environment where I rely on UEFI secure boot to cover full
uki binary, measured-uki doesn't bring any benefits in addition to plain
tpm2 in ConditionSecurity. What's the usecase then?

[1] https://people.linaro.org/~mikko.rapeli/systemd_256_tpm2_rootfs_fail.txt

Cheers,

-Mikko