[systemd-devel] Issues supporting systems with and without TPM and firmware TPM (was Re: Handle device node timeout?)

Mikko Rapeli mikko.rapeli at linaro.org
Tue Feb 20 08:14:24 UTC 2024


Hi,

On Mon, Feb 19, 2024 at 11:47:52AM +0100, Lennart Poettering wrote:
> On Fr, 16.02.24 11:28, Mikko Rapeli (mikko.rapeli at linaro.org) wrote:
> 
> > Support for fTPM devices is problematic. First, the kernel support must be modules
> > but loading needs to be specially handled after starting tee-supplicant. For normal
> > boot udev handles optee detection and triggers tee-supplicant at teepriv0.service
> > startup which unloads tpm_ftpm_tee kernel module, starts tee-supplicant and then
> > loads the kernel module again. After this RPMB works. To do the same in initramfs, I added
> > Wants: and After: dependencies from systemd-repart.service, systemd-cryptsetup at .service,
> > systemd-pcrmachine.service and systemd-pcrphase-initrd.service:
> 
> Kernel module unloading is not supposed to happen in clean
> codepaths. It's a debug/development feature, it's not safe to do as
> part of regular boot.
> 
> But why do you need an unload a kernel module at all? that smells...

Yes, I agree that this smells bad but it's the current optee/ftpm/kernel implementation
which requires tee-supplicant in userspace to be running at module load time for RPMB to work.
AFAIK there is some work on going to fix this and support RPMB directly from optee kernel
drivers.

Cheers,

-Mikko


More information about the systemd-devel mailing list