[systemd-devel] tee-supplicant initrd startup before tpm2.target and dev-tpmrm0.device
Lennart Poettering
lennart at poettering.net
Thu Jun 6 16:43:11 UTC 2024
On Do, 06.06.24 18:05, Mikko Rapeli (mikko.rapeli at linaro.org) wrote:
> Hi,
>
> The initrd side startup and shutdown of tee-supplicant works now correctly
> with:
>
> [Unit]
> Description=TEE Supplicant on %i
> DefaultDependencies=no
> After=dev-%i.device
> Wants=dev-%i.device
> Conflicts=shutdown.target
> Before=systemd-pcrextend.socket systemd-pcrextend at .service
> systemd-pcrfs-root.service systemd-pcrfs at .service
> systemd-pcrmachine.service systemd-pcrphase-initrd.service
> systemd-pcrphase-sysinit.service systemd-pcrphase.service
> systemd-tpm2-setup-early.service systemd-tpm2-setup.service
> tpm2.target sysinit.target shutdown.target
You cannot have deps on templates, only of instances of
templates. i.e. Before=systemd-pcrextend at .service doesn't work.
It's also unnecessary since all those services have After=tpm2.target
anyway, so if you order yours service before that, you have all that's
needed. Hence all you need as Before= should be:
Before=tpm2.target sysinit.target shutdown.target
And you might want to add Wants=tpm2.target, so that if the tee
supplicant is explicitly started you definitely get the milestone
target pulled in too, even if usually it works the other way round.
>
> [Service]
> Type=simple
> ExitType=cgroup
This is very unusual for a system-level service. Are you sure this is OK?
> EnvironmentFile=- at sysconfdir@/default/tee-supplicant
> ExecStart=@sbindir@/tee-supplicant $OPTARGS
BTW, this pattern of havein /etc/default/ and then $OPTARG is
something we despise, it's a compat kludge, don't do that on systemd,
it has stronger tools for changing unit files, such as drop-ins and
override units. Adding multiple levels of changes like this is not how
you do things.
> [Install]
Just drop this line.
> To stop the tee-supplicant at .service in initrd after all TPM users,
> I used the long setup with Before=systemd-pcrphase-initrd etc. This
> seems to work.
How is this supposed to work anyway? is the supplicant supposed to
exit before initd transition, and be started anew after the
transition?
> But I'm failing to setup the start in main rootfs correctly before any of the TPM2 device
> using services. Since udev is starting the service somehow after initrd already did
> it once, then how to redo the same steps earlier also on main rootfs?
>
> Log from a run where main rootfs side tee-supplicant is started
> too late and some services already tried to use the TPM2 device
> which resulted in failures:
>
> [initrd boot finishing up]
> Stopping [0;1;39mTEE Supplicant on teepriv0[0m...
> [[0;32m OK [0m] Stopped [0;1;39mTEE Supplicant on teepriv0[0m.
>
> ^ initrd side tee-supplicant stopped almost last so that all users
> were shutdown already
>
> [[0;32m OK [0m] Finished [0;1;39mCleanup udev Database[0m.
> [[0;32m OK [0m] Reached target [0;1;39mSwitch Root[0m.
> Starting [0;1;39mSwitch Root[0m...
> [[0;32m OK [0m] Stopped [0;1;39mSwitch Root[0m.
> [[0;32m OK [0m] Created slice [0;1;39mSlice /system/getty[0m.
> [[0;32m OK [0m] Created slice [0;1;39mSlice /system/serial-getty[0m.
> [[0;32m OK [0m] Created slice [0;1;39mUser and Session Slice[0m.
> [[0;32m OK [0m] Started [0;1;39mDispatch Password Requests to Console Directory Watch[0m.
> [[0;32m OK [0m] Started [0;1;39mForward Password Requests to Wall Directory Watch[0m.
> Expecting device [0;1;39m/dev/ttyAMA0[0m...
> Expecting device [0;1;39m/dev/ttyS2[0m...
> [[0;32m OK [0m] Reached target [0;1;39mBlock Device Preparation for /dev/mapper/usr[0m.
> [[0;32m OK [0m] Reached target [0;1;39mLocal Encrypted Volumes[0m.
> [[0;32m OK [0m] Stopped target [0;1;39mSwitch Root[0m.
> [[0;32m OK [0m] Stopped target [0;1;39mInitrd File Systems[0m.
> [[0;32m OK [0m] Stopped target [0;1;39mInitrd Root File System[0m.
> [[0;32m OK [0m] Reached target [0;1;39mLocal Integrity Protected Volumes[0m.
> [[0;32m OK [0m] Reached target [0;1;39mPath Units[0m.
> [[0;32m OK [0m] Reached target [0;1;39mRemote Encrypted Volumes[0m.
> [[0;32m OK [0m] Reached target [0;1;39mRemote File Systems[0m.
> [[0;32m OK [0m] Reached target [0;1;39mSlice Units[0m.
> [[0;32m OK [0m] Reached target [0;1;39mSwaps[0m.
> [[0;32m OK [0m] Reached target [0;1;39mLocal Verity Protected Volumes[0m.
> [[0;32m OK [0m] Listening on [0;1;39mRPCbind Server Activation Socket[0m.
> [[0;32m OK [0m] Listening on [0;1;39mRPCbind Server Activation Socket[0m.
> [[0;32m OK [0m] Reached target [0;1;39mRPC Port Mapper[0m.
> [[0;32m OK [0m] Listening on [0;1;39mSyslog Socket[0m.
> [[0;32m OK [0m] Listening on [0;1;39minitctl Compatibility Named Pipe[0m.
> [[0;32m OK [0m] Listening on [0;1;39mNetwork Service Netlink Socket[0m.
> [[0;32m OK [0m] Listening on [0;1;39mTPM2 PCR Extension (Varlink)[0m.
>
> ^ this should only be started once tee-supplicant is running again
> from main rootfs
This suggests tpm2.target hasn't been enqueued on the host system?
Maybe you forgot to include the generator in the host system?
Please provide proper boot logs, with debug logging enabled.
Lennart
--
Lennart Poettering, Berlin
More information about the systemd-devel
mailing list