systemd-pcrphase should become a NOP silently, if a TPM could not be found

[dryya]

systemd version the issue has been seen with

252.3-1-arch

Used distribution

Arch Linux

Linux kernel version used

6.0.12-arch1-1 #1 SMP PREEMPT_DYNAMIC

CPU architectures issue was seen on

x86_64

Component

other

Expected behaviour you didn't see

When booting with a unified kernel image (generated by mkinitcpio), the system is able to reach boot without service failures and launch a wayland compositor.

Unexpected behaviour you saw

When booting with a unified kernel images, I get dropped into emergency mode before boot finishes because the boot.mount service fails. (Boot, or rather the EFI system partition, has a vfat filesystem, the system has only one SSD, and it is not encrypted).

After commenting out my ESP from my /etc/fstab, I was able to boot successfully using the UKI. However, the services systemd-pcrphase(-sysinit) fail because the TCTI device file is not found at /dev/tpmrm0.

(Furthermore, attempting to launch a wayland compositor fails because sway reports no DRM backend can be found.)

Steps to reproduce the problem

1. Generate a UKI with mkinitcpio with only the setting:
   HOOKS=(systemd autodetect modconf kms keyboard keymap consolefont block filesystems fsck) and the preset:

# mkinitcpio preset file for the 'linux' package

ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux"
ALL_cmdline="/etc/kernel/cmdline"
ALL_microcode=(/boot/*-ucode.img)

PRESETS=('default')

default_image="/boot/initramfs-linux.img"
default_uki="/boot/EFI/Linux/archlinux-linux.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"

The kernel parameters in /etc/kernel/cmdline are quiet bgrt_disable nvidia-drm.modeset=1.
2. Boot from a usb and set the partition type GUID of the root partition to 8304 (corresponding to UUID 4f68bce3-e8cd-4db1-96e7-fbcaf984b709) with gdisk (I think I could also just pass the partition as a kernel parameter in /etc/kernel/cmdline, but thought I should mention I am using the discoverable partitions spec and it seems to be working fine).
3. Reboot into the system (I am using rEFInd's auto detection as a bootloader).

Notes: the system has an ASRock X370 Killer SLI/ac motherboard, a Ryzen 2600 CPU, and a GTX 1050 Ti GPU. Also, I saw #25352, and I do not have tpm2-abrmd installed.

Link to the complete log (1400 lines): https://www.klgrth.io/paste/u3z8p/raw

Additional program output to the terminal or log subsystem illustrating the issue

> journalctl
Dec 10 20:43:17 archlinux kernel: Serial: 8250/16550 driver, 32 ports, IRQ sharing enabled
Dec 10 20:43:17 archlinux kernel: 00:04: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
Dec 10 20:43:17 archlinux kernel: Non-volatile memory driver v1.3
Dec 10 20:43:17 archlinux kernel: Linux agpgart interface v0.103
Dec 10 20:43:17 archlinux kernel: tpm_crb MSFT0101:00: [Firmware Bug]: ACPI region does not cover the entire command/response buffer. [mem 0xec6c2000-0xec6c2fff flags 0x200] vs ec6c2000 4000
Dec 10 20:43:17 archlinux kernel: fbcon: Taking over console
Dec 10 20:43:17 archlinux kernel: tpm_crb MSFT0101:00: can't request region for resource [mem 0xec6c2000-0xec6c2fff]
Dec 10 20:43:17 archlinux kernel: tpm_crb: probe of MSFT0101:00 failed with error -16
Dec 10 20:43:17 archlinux kernel: AMD-Vi: AMD IOMMUv2 loaded and initialized
Dec 10 20:43:17 archlinux kernel: ACPI: bus type drm_connector registered
Dec 10 20:43:17 archlinux kernel: ahci 0000:03:00.1: version 3.0
...
Dec 10 20:43:20 arch systemd-udevd[371]: nvidia: Process '/usr/bin/bash -c 'for i in $(cat /proc/driver/nvidia/gpus/*/information | grep Minor | cut -d \  -f 4); do /usr/bin/mknod -Z -m 666 /dev/nvidia${i} c $(grep nvidia-frontend /proc/devices | cut -d \  -f 1) ${i}; done'' failed with exit code 1.
Dec 10 20:43:20 arch kernel: nvidia_uvm: module uses symbols nvUvmInterfaceDisableAccessCntr from proprietary module nvidia, inheriting taint.
Dec 10 20:43:20 arch kernel: nvidia-modeset: Loading NVIDIA Kernel Mode Setting Driver for UNIX platforms  525.60.11  Wed Nov 23 22:49:17 UTC 2022
Dec 10 20:43:20 arch kernel: nvidia-uvm: Loaded the UVM driver, major device number 236.
Dec 10 20:43:20 arch systemd-modules-load[332]: Inserted module 'nvidia_uvm'
Dec 10 20:43:20 arch kernel: [drm] [nvidia-drm] [GPU ID 0x00002600] Loading driver
Dec 10 20:43:20 arch kernel: [drm] Initialized nvidia-drm 0.0.0 20160202 for 0000:26:00.0 on minor 0
Dec 10 20:43:20 arch systemd-modules-load[332]: Inserted module 'pkcs8_key_parser'
Dec 10 20:43:20 arch kernel: Asymmetric key parser 'pkcs8' registered
Dec 10 20:43:20 arch systemd[1]: Finished Load Kernel Modules.
...
Dec 10 20:43:21 arch systemd[1]: Reached target Socket Units.
Dec 10 20:43:21 arch systemd[1]: Starting TPM2 PCR Barrier (Initialization)...
Dec 10 20:43:21 arch systemd-pcrphase[601]: ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory
Dec 10 20:43:21 arch systemd-pcrphase[601]: Failed to initialize TCTI context: tcti:IO failure
Dec 10 20:43:21 arch systemd[1]: systemd-pcrphase-sysinit.service: Main process exited, code=exited, status=1/FAILURE
Dec 10 20:43:21 arch systemd[1]: systemd-pcrphase-sysinit.service: Failed with result 'exit-code'.
Dec 10 20:43:21 arch systemd[1]: Failed to start TPM2 PCR Barrier (Initialization).
Dec 10 20:43:21 arch audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-pcrphase-sysinit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Dec 10 20:43:21 arch systemd[1]: Reached target Basic System.
Dec 10 20:43:21 arch kernel: audit: type=1130 audit(1670726601.855:106): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-pcrphase-sysinit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Dec 10 20:43:21 arch systemd[1]: Started Monitor input devices for launching tasks.
Dec 10 20:43:21 arch audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=udevmon comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 10 20:43:21 arch systemd[1]: Starting Bluetooth service...
Dec 10 20:43:21 arch systemd[604]: ConfigurationDirectory 'bluetooth' already exists but the mode is different. (File system: 755 ConfigurationDirectoryMode: 555)
Dec 10 20:43:21 arch systemd[1]: Starting D-Bus System Message Bus...
Dec 10 20:43:21 arch audit: BPF prog-id=38 op=LOAD
Dec 10 20:43:21 arch audit: BPF prog-id=39 op=LOAD
Dec 10 20:43:21 arch audit: BPF prog-id=40 op=LOAD
Dec 10 20:43:21 arch systemd[1]: Starting User Login Management...
Dec 10 20:43:21 arch systemd[1]: Starting TPM2 PCR Barrier (User)...
Dec 10 20:43:21 arch audit: BPF prog-id=41 op=LOAD
Dec 10 20:43:21 arch systemd[1]: Starting Validating, recursive, and caching DNS resolver...
Dec 10 20:43:21 arch systemd-pcrphase[607]: ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory
Dec 10 20:43:21 arch systemd-pcrphase[607]: Failed to initialize TCTI context: tcti:IO failure
Dec 10 20:43:21 arch systemd[1]: systemd-pcrphase.service: Main process exited, code=exited, status=1/FAILURE
Dec 10 20:43:21 arch systemd[1]: systemd-pcrphase.service: Failed with result 'exit-code'.


> lspci
00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Root Complex
00:00.2 IOMMU: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) I/O Memory Management Unit
00:01.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
00:01.3 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) PCIe GPP Bridge
00:02.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
00:03.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
00:03.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) PCIe GPP Bridge
00:04.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
00:07.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
00:07.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Internal PCIe GPP Bridge 0 to Bus B
00:08.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-1fh) PCIe Dummy Host Bridge
00:08.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Internal PCIe GPP Bridge 0 to Bus B
00:14.0 SMBus: Advanced Micro Devices, Inc. [AMD] FCH SMBus Controller (rev 59)
00:14.3 ISA bridge: Advanced Micro Devices, Inc. [AMD] FCH LPC Bridge (rev 51)
00:18.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 0
00:18.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 1
00:18.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 2
00:18.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 3
00:18.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 4
00:18.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 5
00:18.6 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 6
00:18.7 Host bridge: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 7
03:00.0 USB controller: Advanced Micro Devices, Inc. [AMD] X370 Series Chipset USB 3.1 xHCI Controller (rev 02)
03:00.1 SATA controller: Advanced Micro Devices, Inc. [AMD] X370 Series Chipset SATA Controller (rev 02)
03:00.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] X370 Series Chipset PCIe Upstream Port (rev 02)
1d:00.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 300 Series Chipset PCIe Port (rev 02)
1d:01.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 300 Series Chipset PCIe Port (rev 02)
1d:02.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 300 Series Chipset PCIe Port (rev 02)
1d:03.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 300 Series Chipset PCIe Port (rev 02)
1d:04.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 300 Series Chipset PCIe Port (rev 02)
1d:06.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 300 Series Chipset PCIe Port (rev 02)
1d:07.0 PCI bridge: Advanced Micro Devices, Inc. [AMD] 300 Series Chipset PCIe Port (rev 02)
1e:00.0 Network controller: Intel Corporation Dual Band Wireless-AC 3168NGW [Stone Peak] (rev 10)
1f:00.0 Ethernet controller: Intel Corporation I211 Gigabit Network Connection (rev 03)
26:00.0 VGA compatible controller: NVIDIA Corporation GP107 [GeForce GTX 1050 Ti] (rev a1)
26:00.1 Audio device: NVIDIA Corporation GP107GL High Definition Audio Controller (rev a1)
27:00.0 Non-Essential Instrumentation [1300]: Advanced Micro Devices, Inc. [AMD] Zeppelin/Raven/Raven2 PCIe Dummy Function
27:00.2 Encryption controller: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) Platform Security Processor
27:00.3 USB controller: Advanced Micro Devices, Inc. [AMD] Zeppelin USB 3.0 Host controller
28:00.0 Non-Essential Instrumentation [1300]: Advanced Micro Devices, Inc. [AMD] Zeppelin/Renoir PCIe Dummy Function
28:00.2 SATA controller: Advanced Micro Devices, Inc. [AMD] FCH SATA Controller [AHCI mode] (rev 51)
28:00.3 Audio device: Advanced Micro Devices, Inc. [AMD] Family 17h (Models 00h-0fh) HD Audio Controller

[poettering]

So, systemd-pcrphase says there is no TPM device.

Dec 10 20:43:21 arch systemd-pcrphase[601]: ERROR:tcti:src/tss2-tcti/tcti-device.c:452:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory

[poettering]

Hmm, looks like a firmware/kernel/driver bug:

Dec 10 20:43:17 archlinux kernel: tpm_crb MSFT0101:00: [Firmware Bug]: ACPI region does not cover the entire command/response buffer. [mem 0xec6c2000-0xec6c2fff flags 0x200] vs ec6c2000 4000
Dec 10 20:43:17 archlinux kernel: fbcon: Taking over console
Dec 10 20:43:17 archlinux kernel: tpm_crb MSFT0101:00: can't request region for resource [mem 0xec6c2000-0xec6c2fff]
Dec 10 20:43:17 archlinux kernel: tpm_crb: probe of MSFT0101:00 failed with error -16

i.e. Linux can't use the TPM, and doesn't expose a device for it hence, and hence we can't use it.

[poettering]

(smells to me the TPM driver should get some tweaks to make this work regardless of garbage firmware info. Please contact TPM driver people)

[dryya]

Hi, I reached out to the linux-integrity mailing list (thread can be seen here:
https://www.spinics.net/lists/linux-integrity/msg24124.html )

It looks like there's been a lot of recent activity on the TPM driver, so I will report back if anything changes when I update to kernel 6.1 (and eventually 6.2), or if there are any updates from the driver devs.

[poettering]

So I am not sure we can do anything about this: firmware tells us a TPM is available (and we thus enable our TPM codepaths), but then Linux is not able to take possession of this.

Maybe we should add a kernel cmdline option that can be used to at least escape this situation by forcing the TPM codepaths to be disabled?

[poettering]

or hmm, maybe pcrphase should simply exit cleanly if the device is simply not available.