Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

systemd-pcrphase-initrd.service fails ConditionSecurity=tpm2 because tpm module is not loaded yet #2066

Closed
sammko opened this issue Nov 16, 2022 · 11 comments
Closed

systemd-pcrphase-initrd.service fails ConditionSecurity=tpm2 because tpm module is not loaded yet #2066

sammko opened this issue Nov 16, 2022 · 11 comments
Labels
bug Our bugs

Comments

@sammko
Copy link

sammko commented Nov 16, 2022

Describe the bug
The systemd-pcrphase-initrd.service added in #2014 fails ConditionSecurity=tpm2 on my system because it is evaluated before the tpm module is loaded. When I get a shell later in the initrd, the module is loaded and the condition is fine (as reported by systemd-analyze condition or trying to start the service).

Distribution used
Arch

Dracut version
git master (62f7e06)

Init system
systemd

To Reproduce
I don't know past enabling the systemd-pcrphase module and trying it.

Expected behavior
The systemd-pcrphase-initrd.service should be started
@sammko sammko added the bug Our bugs label Nov 16, 2022
@sammko sammko changed the title systemd-pcrphase-initrd.service fails ConditionSecurity=tpm2 because tpm module is not loaded yet systemd-pcrphase-initrd.service fails ConditionSecurity=tpm2 because tpm module is not loaded yet Nov 16, 2022
@johannbg
Copy link
Collaborator

We needs something to work with here ( logs ) in anycase are you sure the condition is failing? If so it indicates that the firmware does not report a TPM device and or the TPM subsystem is not enabled in the kernel which should result in the error msg "Failed to determine whether system has TPM2 support" you can simply disable the condition check to see if that's the case here.

@sammko
Copy link
Author

sammko commented Nov 16, 2022

Hey, I am sure, but I was reading source code of systemd master, while running 252, and just noticed there's a difference in exactly this: systemd/systemd@300bba7

I'm in the process of testing if this is indeed the case.

On a side note about logs, I do get the following

Nov 16 20:32:59 neutron systemd[1]: TPM2 PCR Barrier (initrd) was skipped because of an unmet condition check (ConditionSecurity=tpm2).

but once I enabled debug logging, I felt I was missing some lines. Is it possible that some log lines are lost before the journal is started? I was under the impression that this shouldn't happen--thanks.

@sammko
Copy link
Author

sammko commented Nov 17, 2022

Okay, Arch packages systemd-stable 252.1, which contains the mentioned commit as a backport. Hence, the actual check which is being performed on my system is TPM2_SUPPORT_SUBSYSTEM|TPM2_SUPPORT_FIRMWARE. (https://github.com/systemd/systemd/blob/305dd91adfde332e7e5c1b2470edb32774f9a032/src/shared/condition.c#L668-L676)

  • TPM2_SUPPORT_FIRMWARE is fine, it just checks if the TPM2 ACPI table is present, which it is and the corresponding file /sys/firmware/acpi/tables/TPM2 is present and readable.
  • For TPM2_SUPPORT_SUBSYSTEM to pass, the /sys/class/tpmrm directory needs to exist. This directory does not exist unless the tpm.ko module is loaded (CONFIG_TCG_TPM=m) note: fedora has CONFIG_TCG_TPM=y

I believe the tpm module is not loaded at the point in time when the ConditionSecurity=tpm2 condition is evaluated. Having a shell in the initrd after the module is loaded, the condition passes (as verified by systemd-analyze condition and manually restarting the affected pcrphase service). After unloading the tpm module, the tpmrm directory ceases to exist and ConditionSecurity=tpm2 no longer passes.

Solutions that come to mind:

  1. Ensure the tpm module is loaded before the condition is evaluated (how?)
  2. Change the behaviour of the ConditionSecurity=tpm2 check in systemd (not sure who to ask, @DaanDeMeyer?)
  3. Use CONFIG_TCG_TPM=y in the Arch kernel

I don't know which one is best

Regarding the logging side quest: once I enable debug logging, I no longer see the TPM2 PCR Barrier (initrd) was skipped because of an unmet condition line in the journal. This is with debug rd.debug log_buf_len=8M. I can only assume that larger chunks of the log are gone missing.

@johannbg
Copy link
Collaborator

  1. is the best.

@heftig
Copy link

heftig commented Nov 17, 2022

  1. Use CONFIG_TCG_TPM=y in the Arch kernel

Just TCG_TPM or also some of the suboptions?

@sammko
Copy link
Author

sammko commented Nov 17, 2022

My machine needed CONFIG_TCG_TPM=y for the condition to be met and also CONFIG_TCG_CRB=y. Without the second one systemd-pcrphase in the initrd just crashes (since the module is not yet loaded) trying to access a hardcoded path to /dev/tpmrm0

@DaanDeMeyer
Copy link
Contributor

I've also modified systemd to load the tpm module early so that ConditionSecurity=tpm2 will always see the directory if tpm is compiled as a module

archlinux-github pushed a commit to archlinux/svntogit-packages that referenced this issue Nov 26, 2022
Build in TCG_TPM, TCG_TIS and TCG_CRB
1afdfaf 
As requested by Christian, for systemd. These should match the built-in
TPM drivers of the Fedora kernel.

See: dracutdevs/dracut#2066 (comment)

git-svn-id: file:///srv/repos/svn-packages/svn@462603 eb2447ed-0c53-47e4-bac8-5bc4a241df78
archlinux-github pushed a commit to archlinux/svntogit-packages that referenced this issue Nov 26, 2022
Build in TCG_TPM, TCG_TIS and TCG_CRB
865813e 
As requested by Christian, for systemd. These should match the built-in
TPM drivers of the Fedora kernel.

See: dracutdevs/dracut#2066 (comment)

git-svn-id: file:///srv/repos/svn-packages/svn@462603 eb2447ed-0c53-47e4-bac8-5bc4a241df78
@johannbg
Copy link
Collaborator

@DaanDeMeyer did you make pr/file issues with your changes in upstream systemd ?

@sammko
Copy link
Author

sammko commented Dec 22, 2022
edited

It's in main via systemd/systemd#25422.

@johannbg
Copy link
Collaborator

@sammko is it safe to assume that all underlying issues have been resolved now and this issue can be closed?

@sammko
Copy link
Author

sammko commented Dec 22, 2022

The particular case on Arch is fixed, since the modules are now built in the kernel. The issue with the Condition is fixed in general as well by the patch in systemd. I think the only case that remains is if the modules are not built in and pcrphase runs before the concrete tpm driver is loaded (CONFIG_TCG_CRB in my case) and crashes. Maybe this is not relevant to dracut, however.

Marcool04 pushed a commit to Marcool04/linux-fix-e1000e that referenced this issue Jun 17, 2023
@heftig
Build in TCG_TPM, TCG_TIS and TCG_CRB
a6f239d 
As requested by Christian, for systemd. These should match the built-in
TPM drivers of the Fedora kernel.

See: dracutdevs/dracut#2066 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Our bugs
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@heftig @sammko @johannbg @DaanDeMeyer @aafeijoo-suse