[systemd-devel] tee-supplicant initrd startup before tpm2.target and dev-tpmrm0.device

Lennart Poettering lennart at poettering.net
Fri May 24 08:20:22 UTC 2024


On Fr, 24.05.24 10:12, Lennart Poettering (lennart at poettering.net) wrote:

> And that's really all.
>
> To summarize, a unit file like this:
>
>     [Unit]
>     Description=TEE Supplicant on %i
>     Documentation=man:tee-supplicant(8)
>     DefaultDependencies=no
>     After=dev-%i.device
>     Wants=dev-%i.device
>     Conflicts=shutdown.target
>     Before=sysinit.target shutdown.target
>
>     [Service]
>     ExecStart=@sbindir@/tee-supplicant -d /dev/%I

So, I looked at the man page for that daemon:

https://manpages.debian.org/testing/tee-supplicant/tee-supplicant.8.en.html

This seems like the service is simply not suitable for running in the
initrd, i.e. it stores its data in /var/lib/optee-client/data/tee, but
/var/ is only available in late boot. During the initrd and even after
the initrd→host transition, until local-fs.target and
systemd-remount-fs.service have been invoked /var/ is not available.

Hence, what you are trying to do is not going to fly: you need to move
the service to early boot for disk encryption to work, but the service
wants to store stuff on the disk, hence only can run after disk
encryption succeeded. That means it simply doesn't work out.

(Except of course if that man page is completely out-of-date and the
service is nowadays fine with running with just /run/ around, and
without touching /var/ whatsoever).

(Also, the thing looks fishy generally, as it references /lib/, but
that's a legacy dir, in systemd we nowadays require merged /usr/ and
do not support separate /lib/ hence)

Lennart

--
Lennart Poettering, Berlin
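As an added illustration (not code from this thread or from the tee-supplicant project), a small Python lint that applies the reasoning in the message to an abridged copy of the quoted unit: it parses the unit, and reports runtime paths under /var/ when the unit is ordered Before=sysinit.target, legacy /lib/ references, and a missing DefaultDependencies=no. The runtime path list is the data directory named in the cited man page; the prefix tables are the assumptions of this example.

```python
# Constructed, abridged copy of the unit quoted above (@sbindir@ is the
# upstream build placeholder, kept verbatim) and the data path from the man page.
UNIT_TEXT = """\
[Unit]
Description=TEE Supplicant on %i
DefaultDependencies=no
After=dev-%i.device
Wants=dev-%i.device
Before=sysinit.target shutdown.target

[Service]
ExecStart=@sbindir@/tee-supplicant -d /dev/%I
"""
RUNTIME_PATHS = ["/var/lib/optee-client/data/tee"]
# /var/ only becomes usable after local-fs.target and systemd-remount-fs.service,
# i.e. once the encrypted disk is open; /lib/ is a legacy dir under merged /usr.
LATE_BOOT_PREFIXES = ("/var/",)
LEGACY_PREFIXES = ("/lib/",)


def parse_unit(text):
    """Minimal unit-file parser: {section: {key: [values]}}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return sections


def lint_initrd_unit(text, runtime_paths):
    """Return the reasons a unit cannot run in the initrd, or [] if none."""
    unit = parse_unit(text)
    u, s = unit.get("Unit", {}), unit.get("Service", {})
    early = "sysinit.target" in " ".join(u.get("Before", [])).split()
    problems = []
    if "no" not in u.get("DefaultDependencies", []):
        problems.append("missing DefaultDependencies=no (implicit After=sysinit.target)")
    exec_tokens = [t for cmd in s.get("ExecStart", []) for t in cmd.split()]
    for path in list(runtime_paths) + exec_tokens:
        if early and path.startswith(LATE_BOOT_PREFIXES):
            problems.append(f"ordered Before=sysinit.target but needs {path}")
        if path.startswith(LEGACY_PREFIXES):
            problems.append(f"references legacy directory in {path}")
    return problems
```

Running `lint_initrd_unit(UNIT_TEXT, RUNTIME_PATHS)` reports the /var/ conflict the message describes; an empty list means nothing in the unit or its runtime paths contradicts early-boot ordering.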
