[systemd-devel] Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)

Mikko Rapeli mikko.rapeli at linaro.org
Mon Apr 15 14:23:55 UTC 2024


Hi,

On Mon, Apr 15, 2024 at 04:02:46PM +0200, Lennart Poettering wrote:
> On Mo, 15.04.24 10:38, Mikko Rapeli (mikko.rapeli at linaro.org) wrote:
> 
> > Hi,
> >
> > On Fri, Apr 12, 2024 at 05:03:18PM +0300, Aleksandar Kostadinov wrote:
> > > Shouldn't the kernel automatically load the necessary modules when
> > > devices are detected... given proper udev rules and module
> > > availability in the initrd filesystem? I guess it depends on how you
> > > build your initrd system for including them.
> >
> > The modules do get loaded but too late in the initramfs stage and something
> > in the tpm2.target and related service was failing and creating TPM2 encrypted
> > rootfs fails. I could not figure out at which stage the driver needs to be loaded,
> > e.g.
> > Before: modprobe at tpm_tis_core.service modprobe at tpm_tis.service modprobe at tpm_ftpm_tee.service
> >
> > But I'm also trying to fix the root causes why TPM modules can't be built into the
> > kernel so lucky that resolves these issues. Would be nice to know to which stage
> > the TPM2 module loading would need to happen though.
> 
> This should not require manual handling. The driver should be
> auto-loaded via udev and stuff, like any other driver. Or does the
> "tpm-ftpm_tee" thing carry no modalias info that autoloads it if some
> specific hw is around?

With latest rebase/update from systemd 254 to 255 I'm not yet testing on fTPM devices
but trying to get TPM2 backed rootfs generated with qemu and swtpm which required basic
tpm_tis_core and tpm_tis modules to be loaded. udev does load them but too late
for tpm2.target or the services needed for systemd-repart config with Encrypt=tpm2
to work. Changing TPM drivers to built-in fixed all these issues, and I'm now able to
do this since I have the RPMB in kernel patches applied and tee-supplicant is not needed
anymore. The issue with TPM drivers as modules was somewhere in the mount of the
newly created TPM2 backed filesystem, possibly ConditionSecurity=measured-uki failing.

Full boot log in: https://pastebin.com/raw/6xy5x5NP

Cheers,

-Mikko
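The symptom described in the thread (TPM driver modules probed only after tpm2.target was reached in the initrd) can be spotted from a boot log. The diagnostic below is an added example, not code from the thread or from systemd; it assumes dmesg/journal-style "[ seconds] message" lines, and the two logs it parses are constructed samples, not the pastebin log linked above.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): decide from a boot log whether the
# TPM driver announced the chip before systemd reached tpm2.target.
# Both logs below are constructed samples for this example.

GOOD_LOG='[    0.40] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 16)
[    0.53] systemd[1]: Reached target tpm2.target - Trusted Platform Module.
[    0.70] systemd[1]: Starting systemd-repart.service - Repartition Root Disk...'

LATE_LOG='[    0.53] systemd[1]: Reached target tpm2.target - Trusted Platform Module.
[    0.70] systemd[1]: Starting systemd-repart.service - Repartition Root Disk...
[    1.25] tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 16)'

# first_ts LOG REGEX -> timestamp of the first line whose message (the text
# after "] ") matches REGEX (a sed BRE); prints nothing if no line matches.
first_ts() {
  printf '%s\n' "$1" |
    sed -n "s/^\\[ *\\([0-9.]*\\)\\] $2.*/\\1/p" | head -n 1
}

# tpm_probe_ts LOG -> when a tpm_* driver (tpm_tis, tpm_crb, tpm_ftpm_tee, ...)
# logged the detected TPM.
tpm_probe_ts() { first_ts "$1" 'tpm_[a-z_]* .* TPM'; }

# target_ts LOG -> when PID 1 reached tpm2.target.
target_ts() { first_ts "$1" 'systemd\[1\]: Reached target tpm2\.target'; }

# check_tpm_ordering LOG -> prints one of: ok, late, no-tpm, no-target.
# "late" is the failure mode from the thread: tpm2.target (and the units
# ordered after it, e.g. systemd-repart with Encrypt=tpm2) ran before the
# kernel had a TPM device to offer.
check_tpm_ordering() {
  probe_ts=$(tpm_probe_ts "$1")
  reach_ts=$(target_ts "$1")
  [ -n "$reach_ts" ] || { echo no-target; return 0; }
  [ -n "$probe_ts" ] || { echo no-tpm; return 0; }
  # numeric comparison of the two timestamps
  if awk -v a="$probe_ts" -v b="$reach_ts" 'BEGIN { exit !(a + 0 <= b + 0) }'; then
    echo ok
  else
    echo late
  fi
}
```

Feed it a real log with `check_tpm_ordering "$(journalctl -b -o short-monotonic -k ...)"`-style input only if the line prefix matches the assumed "[ seconds] " form; otherwise adjust the sed pattern in first_ts.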

