Re: [systemd-devel] Permanently remove services
> > They are turning up as failed units, so they are being run,
> > even if I don't have any TPM module. Also, I have a notifier in
> > my waybar telling me of failed services and I don't want to see
> > them there.
>
> Can you provide logs about this? The goal is definitely to make these
> NOPs on TPM-less systems. I am a bit puzzled that the conditioning
> they come with is not sufficient. We might need to tweak something
> there then.
>
> The idea is that the system does TPM setup on systems that have a tpm
> and on systems lacking that silently just skips all these so that
> everything always works fully automatically and robustly without any
> ugly error output.
>
> hence, any chance you can provide logs about this? and what kind of
> system is this? i.e. does it really lack a tpm?

In the past I have seen errors on systems which do not have
libtss2/tpm2-tss installed though I am not sure if those should be
silenced. After all, the unit being enabled means that one wants to use
it if possible - and if the libraries are missing that should be
noticeable to the user instead of a silent fail.

@Morten Which distribution are you using and do you have the above
libraries installed (or whatever they are called in your distro)?

Greetings,
Nils
Re: [systemd-devel] Permanently remove services
On Do, 18.01.24 22:53, Morten Bo Johansen (morte...@hotmail.com) wrote:

> ~/ % systemd-creds has-tpm2
> partial
> +firmware
> -driver
> +system
> +subsystem
> +libraries

OK, so this indicates that your system has TPM support on all levels
with a single exception: you lack an actual linux driver for your
specific hw.

And that puzzles me. because to my knowledge at least linux should
support all relevant tpm2 interfaces just fine. This suggests that you
haven't got the right modules installed. i don't know arch but is there
possibly some extra package you have to install to get more drivers?
tpm2 drivers are super basic stuff, it sounds really weird to me to
split this out.

It's a condition this stuff indeed is not prepared for though: that
everything is set up properly, from firmware to kernel to userspace,
but the driver is not actually available.

> The output from journalctl --unit systemd-tpm2-setup-early.service:
>
> -- Boot b3fca98d73f6441590174a72ac0d27fa --
> jan 18 18:13:02 gatsby systemd-tpm2-setup[329]: Failed to create TPM2 context: State not recoverable
> jan 18 18:13:02 gatsby systemd-tpm2-setup[329]: ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or direc>
> jan 18 18:13:03 gatsby systemd[1]: systemd-tpm2-setup-early.service: Main process exited, code=exited, status=1/FAILURE
> jan 18 18:13:03 gatsby systemd[1]: systemd-tpm2-setup-early.service: Failed with result 'exit-code'.
> jan 18 18:13:03 gatsby systemd[1]: Failed to start TPM2 SRK Setup (Early).
>
> There is a /dev/tpm0 file but not a /dev/tpmrm0 file

Oh, interesting. Is it possible that your system has only a TPM 1.2
device? (maybe your bios allows switching between TPM 2.0 and 1.2
modes)

It could be that we simply misdetect the tpm 1.2 case, i admittedly
never tested things on such a system.

how old is that PC?

Lennart

--
Lennart Poettering, Berlin
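The checks discussed in the message above (the `-driver` line from `systemd-creds has-tpm2`, and `/dev/tpm0` present without `/dev/tpmrm0`), as an added shell example that is not part of the original post or of systemd. The function names and result labels are made up for this example; it assumes the kernel exposes the `tpm_version_major` attribute under `/sys/class/tpm/tpm0`, and it takes the directories as arguments so it can be run against a constructed tree.

```sh
#!/bin/sh
# Added example, not from the thread: classify a machine's TPM state from the
# evidence discussed above. All function names and labels are hypothetical.

# has-tpm2 report as posted in the thread (used here as sample input).
SAMPLE_REPORT='partial
+firmware
-driver
+system
+subsystem
+libraries'

# Print the layers the report marks with "-", space separated.
missing_layers() {
    printf '%s\n' "$1" | sed -n 's/^-\([a-z0-9]*\)$/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# classify_tpm REPORT DEVDIR SYSFSDIR
#   DEVDIR is normally /dev, SYSFSDIR normally /sys/class/tpm.
classify_tpm() {
    report=$1; dev=$2; sysfs=$3
    missing=$(missing_layers "$report")
    # The resource-manager node is what the failing unit tried to open.
    if [ -e "$dev/tpmrm0" ]; then
        echo "tpmrm-present"
        return 0
    fi
    if [ ! -e "$dev/tpm0" ]; then
        echo "no-tpm-device missing=[$missing]"
        return 0
    fi
    # /dev/tpm0 without /dev/tpmrm0: ask the kernel which TPM family it bound.
    major=unknown
    if [ -r "$sysfs/tpm0/tpm_version_major" ]; then
        major=$(cat "$sysfs/tpm0/tpm_version_major")
    fi
    case $major in
        1) echo "tpm1.2-only missing=[$missing]" ;;
        2) echo "tpm2-without-tpmrm missing=[$missing]" ;;
        *) echo "tpm0-only-version-unknown missing=[$missing]" ;;
    esac
}

# On a live system:
#   classify_tpm "$(systemd-creds has-tpm2)" /dev /sys/class/tpm
```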
Re: [systemd-devel] Permanently remove services
On 2024-01-18 Lennart Poettering wrote:

> That sounds fairly recent, so I would assume that your machine has a
> TPM.
>
> Which OS is this?

Arch GNU/Linux.

~/ % uname -a
Linux gatsby 6.7.0-arch3-1 #1 SMP PREEMPT_DYNAMIC Sat, 13 Jan 2024 14:37:14 + x86_64 GNU/Linux

> Is it possible that your kernel has TPM2 support enabled, but
> for some reason the driver for your hw is not available (for
> example not included in the initrd)?

I don't know. How may I find out?

> The full output of "systemd-creds has-tpm2" would be good too.

~/ % systemd-creds has-tpm2
partial
+firmware
-driver
+system
+subsystem
+libraries

The output from journalctl --unit systemd-tpm2-setup-early.service:

-- Boot b3fca98d73f6441590174a72ac0d27fa --
jan 18 18:13:02 gatsby systemd-tpm2-setup[329]: Failed to create TPM2 context: State not recoverable
jan 18 18:13:02 gatsby systemd-tpm2-setup[329]: ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or direc>
jan 18 18:13:03 gatsby systemd[1]: systemd-tpm2-setup-early.service: Main process exited, code=exited, status=1/FAILURE
jan 18 18:13:03 gatsby systemd[1]: systemd-tpm2-setup-early.service: Failed with result 'exit-code'.
jan 18 18:13:03 gatsby systemd[1]: Failed to start TPM2 SRK Setup (Early).

There is a /dev/tpm0 file but not a /dev/tpmrm0 file

Here are all the lines in the kernel config with "TPM.*" in them:

CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y...
CONFIG_TCG_VTPM_PROXY=m...
CONFIG_INTEL_SPEED_SELECT_TPMI=m...
CONFIG_INTEL_UNCORE_FREQ_CONTROL_TPMI=m...
CONFIG_INTEL_TPMI=m...
CONFIG_INTEL_RAPL_TPMI=m...
CONFIG_TRUSTED_KEYS_TPM=y.

Thanks,
Morten

(further answers tomorrow)
Re: [systemd-devel] Permanently remove services
On Do, 18.01.24 22:26, Morten Bo Johansen (morte...@hotmail.com) wrote:

> On 2024-01-18 Lennart Poettering wrote:
>
> > hence, any chance you can provide logs about this? and what kind of
> > system is this? i.e. does it really lack a tpm?
>
> I shall try to accommodate you. How do I get the log?
>
> The command "systemctl --plain --no-legend list-units --state=failed"
> does not provide enough info.

ideally boot with "systemd.log_level=debug" on the kernel cmdline, and
then paste "journalctl -b" somewhere.

The full output of "systemd-creds has-tpm2" would be good too.

> I have no external TPM module installed and I don't think my
> rather old cpu, "Intel(R) Core(TM) i5-4570T CPU @ 2.90GHz", has
> any on-board TPM2 capability?

That sounds fairly recent, so I would assume that your machine has a
TPM.

Which OS is this?

Is it possible that your kernel has TPM2 support enabled, but for some
reason the driver for your hw is not available (for example not
included in the initrd)?

Lennart

--
Lennart Poettering, Berlin
Re: [systemd-devel] Permanently remove services
On 2024-01-18 Lennart Poettering wrote:

> hence, any chance you can provide logs about this? and what kind of
> system is this? i.e. does it really lack a tpm?

I shall try to accommodate you. How do I get the log?

The command "systemctl --plain --no-legend list-units --state=failed"
does not provide enough info.

I have no external TPM module installed and I don't think my
rather old cpu, "Intel(R) Core(TM) i5-4570T CPU @ 2.90GHz", has
any on-board TPM2 capability?

The issue only arose after I installed a system with a
LUKS-encrypted volume, EFI and secure boot.

Thanks,
Morten
Re: [systemd-devel] Permanently remove services
On Do, 18.01.24 19:43, Morten Bo Johansen (morte...@hotmail.com) wrote:

> On 2024-01-18 Andy Pieters wrote:
>
> > Not being funny, but why care? They have got a conditional check in them
> > and will only run when it makes sense.
> > So these units will do nothing and won't delay your boot or take up
> > resources
>
> They are turning up as failed units, so they are being run,
> even if I don't have any TPM module. Also, I have a notifier in
> my waybar telling me of failed services and I don't want to see
> them there.

Can you provide logs about this? The goal is definitely to make these
NOPs on TPM-less systems. I am a bit puzzled that the conditioning
they come with is not sufficient. We might need to tweak something
there then.

The idea is that the system does TPM setup on systems that have a tpm
and on systems lacking that silently just skips all these so that
everything always works fully automatically and robustly without any
ugly error output.

hence, any chance you can provide logs about this? and what kind of
system is this? i.e. does it really lack a tpm?

Lennart

--
Lennart Poettering, Berlin
Re: [systemd-devel] Permanently remove services
On 2024-01-18 Andy Pieters wrote:

> Not being funny, but why care? They have got a conditional check in them
> and will only run when it makes sense.
> So these units will do nothing and won't delay your boot or take up
> resources

They are turning up as failed units, so they are being run,
even if I don't have any TPM module. Also, I have a notifier in
my waybar telling me of failed services and I don't want to see
them there.

I know it doesn't have any consequences like you say but for
tidiness's sake ...

Thanks,
Morten
Re: [systemd-devel] Permanently remove services
Morten Bo Johansen wrote

> I have two services that are irrelevant to my system
>
> systemd-tpm2-setup-early.service
> systemd-tpm2-setup.service

Not being funny, but why care? They have got a conditional check in them
and will only run when it makes sense.
So these units will do nothing and won't delay your boot or take up
resources
Re: [systemd-devel] Permanently remove services
On 2024-01-18 Barry wrote:

> Use systemctl mask?

Seems like an interesting suggestion.

Thank you,
Morten
Re: [systemd-devel] Permanently remove services
> On 18 Jan 2024, at 17:30, Morten Bo Johansen wrote:
>
> How do I get rid of them once and for all?

Use systemctl mask?

Barry
[systemd-devel] Permanently remove services
I have two services that are irrelevant to my system

systemd-tpm2-setup-early.service
systemd-tpm2-setup.service

that nonetheless are loaded with every boot. They cannot be
disabled with systemctl. I can delete the service files under
/usr/lib/systemd/system/, but that only lasts until systemd is
upgraded, then they are installed again.

How do I get rid of them once and for all?

Thanks,
Morten