[systemd-devel] Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)

Lennart Poettering lennart at poettering.net
Mon Feb 19 10:47:52 UTC 2024


On Fr, 16.02.24 11:28, Mikko Rapeli (mikko.rapeli at linaro.org) wrote:

> Support for fTPM devices is problematic. First, the kernel support must be modules
> but loading needs to be specially handled after starting tee-supplicant. For normal
> boot udev handles optee detection and triggers tee-supplicant at teepriv0.service
> startup which unloads tpm_ftpm_tee kernel module, starts tee-supplicant and then
> loads the kernel module again. After this RPMB works. To do the same in initramfs, I added
> Wants: and After: dependencies from systemd-repart.service, systemd-cryptsetup at .service,
> systemd-pcrmachine.service and systemd-pcrphase-initrd.service:

Kernel module unloading is not supposed to happen in clean
codepaths. It's a debug/development feature, it's not safe to do as
part of regular boot.

But why do you need an unload a kernel module at all? that smells...

Lennart

--
Lennart Poettering, Berlin


More information about the systemd-devel mailing list