Re: [systemd-devel] Permanently remove services
On Sat, Jan 20, 2024 at 8:02 AM Andrei Borzenkov wrote: > On 19.01.2024 20:22, Mantas Mikulėnas wrote: > > On Fri, Jan 19, 2024, 19:12 Morten Bo Johansen > wrote: > > > >> On 2024-01-19 Mantas Mikulėnas wrote: > >> > >>> In general I've learned to not quite trust what the firmware shows... > >> we've > >>> had a batch of Skylake-or-so desktops that *did* have a CPU-integrated > >> fTPM > >>> but it wasn't even mentioned until we did a BIOS update, even though > CPU > >>> spec said it should be present. > >>> > >>> However, your CPU is from Haswell era and according to the spec sheet > it > >>> definitely seems to lack Intel's PTT "built-in TPM 2.0" feature (it has > >> the > >>> older IPT but that's a different thing, not a TPM equivalent), so that > >>> seems correct. If I understand correctly, the only option for that CPU > >>> would be a discrete TPM chip, and if the manufacturer had bothered to > >>> include one, it ought to be showing up in the BIOS settings. > >>> > >>> On the other hand, you said you have a /dev/tpm0... I'm somewhat > curious > >>> about whether there are any mentions 'tpm' or 'tis' or something like > >> that > >>> in your `dmesg`? > >> > >> ~/ % dmesg | grep -i tpm > >> > >> [0.275738] tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78) > >> > > > > Well, that also looks like a TPM1.2 is present; it matches the absence of > > /dev/tpmrm0 (which is a 2.0 thing). > > > > (It's not very useful in general; I've used it to store my SSH key in the > > past, but it's slow and only does RSA-2048, and the software is > completely > > different from what's used for newer variants. You can use it through > > TrouSerS + OpenCryptoki.) > > > > I wonder what makes systemd think it's a 2.0. > > > > systemd does not check for TPM 2.0 at all. The conditions in these > services are > > ConditionSecurity=measured-uki > ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem > > Where "measured-uki" basically checks if specific EFI variable > (StubPcrKernelImage) exists and has "correct" value. > That must be commits 03d808c and 9f32bb9 then. -- Mantas Mikulėnas
Re: [systemd-devel] Permanently remove services
On 19.01.2024 20:22, Mantas Mikulėnas wrote: On Fri, Jan 19, 2024, 19:12 Morten Bo Johansen wrote: On 2024-01-19 Mantas Mikulėnas wrote: In general I've learned to not quite trust what the firmware shows... we've had a batch of Skylake-or-so desktops that *did* have a CPU-integrated fTPM but it wasn't even mentioned until we did a BIOS update, even though CPU spec said it should be present. However, your CPU is from Haswell era and according to the spec sheet it definitely seems to lack Intel's PTT "built-in TPM 2.0" feature (it has the older IPT but that's a different thing, not a TPM equivalent), so that seems correct. If I understand correctly, the only option for that CPU would be a discrete TPM chip, and if the manufacturer had bothered to include one, it ought to be showing up in the BIOS settings. On the other hand, you said you have a /dev/tpm0... I'm somewhat curious about whether there are any mentions 'tpm' or 'tis' or something like that in your `dmesg`? ~/ % dmesg | grep -i tpm [0.275738] tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78) Well, that also looks like a TPM1.2 is present; it matches the absence of /dev/tpmrm0 (which is a 2.0 thing). (It's not very useful in general; I've used it to store my SSH key in the past, but it's slow and only does RSA-2048, and the software is completely different from what's used for newer variants. You can use it through TrouSerS + OpenCryptoki.) I wonder what makes systemd think it's a 2.0. systemd does not check for TPM 2.0 at all. The conditions in these services are ConditionSecurity=measured-uki ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem Where "measured-uki" basically checks if specific EFI variable (StubPcrKernelImage) exists and has "correct" value.
Re: [systemd-devel] Permanently remove services
On 19.01.2024 19:47, Morten Bo Johansen wrote: On 2024-01-19 Mantas Mikulėnas wrote: In general I've learned to not quite trust what the firmware shows... we've had a batch of Skylake-or-so desktops that *did* have a CPU-integrated fTPM but it wasn't even mentioned until we did a BIOS update, even though CPU spec said it should be present. However, your CPU is from Haswell era and according to the spec sheet it definitely seems to lack Intel's PTT "built-in TPM 2.0" feature (it has the older IPT but that's a different thing, not a TPM equivalent), so that seems correct. If I understand correctly, the only option for that CPU would be a discrete TPM chip, and if the manufacturer had bothered to include one, it ought to be showing up in the BIOS settings. On the other hand, you said you have a /dev/tpm0... I'm somewhat curious about whether there are any mentions 'tpm' or 'tis' or something like that in your `dmesg`? ~/ % dmesg | grep -i tpm [0.275738] tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78) This message means that driver detected TPM 1.2. Enabling debug messages may provide some more information. [ 26.180565] systemd[1]: systemd 255.2-3-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified) [ 26.852953] systemd[1]: Listening on TPM2 PCR Extension (Varlink). [ 26.891210] systemd[1]: Starting TPM2 PCR Machine ID Measurement... So systemd probably should not be trying anything TPM 2.0 related. ~/ % dmesg | grep -i tis [0.275738] tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78) A virtual machine won't be able to see the real TPM either way (or any other real hardware; it's kinda what makes it a virtual machine). All it would see is a vTPM provided by the VM host software. Okay. I shall try to upgrade the bios to the latest version and see if something shows up. Thanks, Morten
Re: [systemd-devel] Permanently remove services
On Fri, Jan 19, 2024, 19:12 Morten Bo Johansen wrote: > On 2024-01-19 Mantas Mikulėnas wrote: > > > In general I've learned to not quite trust what the firmware shows... > we've > > had a batch of Skylake-or-so desktops that *did* have a CPU-integrated > fTPM > > but it wasn't even mentioned until we did a BIOS update, even though CPU > > spec said it should be present. > > > > However, your CPU is from Haswell era and according to the spec sheet it > > definitely seems to lack Intel's PTT "built-in TPM 2.0" feature (it has > the > > older IPT but that's a different thing, not a TPM equivalent), so that > > seems correct. If I understand correctly, the only option for that CPU > > would be a discrete TPM chip, and if the manufacturer had bothered to > > include one, it ought to be showing up in the BIOS settings. > > > > On the other hand, you said you have a /dev/tpm0... I'm somewhat curious > > about whether there are any mentions 'tpm' or 'tis' or something like > that > > in your `dmesg`? > > ~/ % dmesg | grep -i tpm > > [0.275738] tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78) > Well, that also looks like a TPM1.2 is present; it matches the absence of /dev/tpmrm0 (which is a 2.0 thing). (It's not very useful in general; I've used it to store my SSH key in the past, but it's slow and only does RSA-2048, and the software is completely different from what's used for newer variants. You can use it through TrouSerS + OpenCryptoki.) I wonder what makes systemd think it's a 2.0.
Re: [systemd-devel] Permanently remove services
On 2024-01-19 Morten Bo Johansen wrote: > I shall try to upgrade the bios to the latest version and see > if something shows up. The bios was already the latest version.
Re: [systemd-devel] Permanently remove services
On 2024-01-19 Mantas Mikulėnas wrote: > In general I've learned to not quite trust what the firmware shows... we've > had a batch of Skylake-or-so desktops that *did* have a CPU-integrated fTPM > but it wasn't even mentioned until we did a BIOS update, even though CPU > spec said it should be present. > > However, your CPU is from Haswell era and according to the spec sheet it > definitely seems to lack Intel's PTT "built-in TPM 2.0" feature (it has the > older IPT but that's a different thing, not a TPM equivalent), so that > seems correct. If I understand correctly, the only option for that CPU > would be a discrete TPM chip, and if the manufacturer had bothered to > include one, it ought to be showing up in the BIOS settings. > > On the other hand, you said you have a /dev/tpm0... I'm somewhat curious > about whether there are any mentions 'tpm' or 'tis' or something like that > in your `dmesg`? ~/ % dmesg | grep -i tpm [0.275738] tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78) [ 26.180565] systemd[1]: systemd 255.2-3-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified) [ 26.852953] systemd[1]: Listening on TPM2 PCR Extension (Varlink). [ 26.891210] systemd[1]: Starting TPM2 PCR Machine ID Measurement... ~/ % dmesg | grep -i tis [0.275738] tpm_tis 00:05: 1.2 TPM (device-id 0x0, rev-id 78) > A virtual machine won't be able to see the real TPM either way (or any > other real hardware; it's kinda what makes it a virtual machine). All it > would see is a vTPM provided by the VM host software. Okay. I shall try to upgrade the bios to the latest version and see if something shows up. Thanks, Morten
Re: [systemd-devel] Permanently remove services
On Fri, Jan 19, 2024, 17:47 Morten Bo Johansen wrote: > On 2024-01-18 Lennart Poettering wrote: > > > On Do, 18.01.24 22:53, Morten Bo Johansen (morte...@hotmail.com) wrote: > > > >> ~/ % systemd-creds has-tpm2 > >> partial > >> +firmware > >> -driver > >> +system > >> +subsystem > >> +libraries > > > > OK, so this indicates that your system has TPM support on all levels > > with a single exception: you lack an actual linux driver for your > > specific hw. And that puzzles me. because to my knowledge at least > > linux should support all relevant tpm2 interfaces just fine. THis > > suggests that you haven#t got the right modules installed. > > I think that perhaps systemd-creds gets it wrong? There really > does not seem to be any TPM support on this computer, either > version 1.2 or 2. In the bios settings, there is no "security > chip" entry under the "Security" tab and no other settings > pertaining to TPM in the bios at all. In general I've learned to not quite trust what the firmware shows... we've had a batch of Skylake-or-so desktops that *did* have a CPU-integrated fTPM but it wasn't even mentioned until we did a BIOS update, even though CPU spec said it should be present. However, your CPU is from Haswell era and according to the spec sheet it definitely seems to lack Intel's PTT "built-in TPM 2.0" feature (it has the older IPT but that's a different thing, not a TPM equivalent), so that seems correct. If I understand correctly, the only option for that CPU would be a discrete TPM chip, and if the manufacturer had bothered to include one, it ought to be showing up in the BIOS settings. On the other hand, you said you have a /dev/tpm0... I'm somewhat curious about whether there are any mentions 'tpm' or 'tis' or something like that in your `dmesg`? I ran Windows 11 in a VM > to check what it thinks about it and it also says that there is > no TPM support, either 1.2 or 2. > A virtual machine won't be able to see the real TPM either way (or any other real hardware; it's kinda what makes it a virtual machine). All it would see is a vTPM provided by the VM host software.
Re: [systemd-devel] Permanently remove services
On 2024-01-18 Lennart Poettering wrote: > On Do, 18.01.24 22:53, Morten Bo Johansen (morte...@hotmail.com) wrote: > >> ~/ % systemd-creds has-tpm2 >> partial >> +firmware >> -driver >> +system >> +subsystem >> +libraries > > OK, so this indicates that your system has TPM support on all levels > with a single exception: you lack an actual linux driver for your > specific hw. And that puzzles me. because to my knowledge at least > linux should support all relevant tpm2 interfaces just fine. THis > suggests that you haven#t got the right modules installed. I think that perhaps systemd-creds gets it wrong? There really does not seem to be any TPM support on this computer, either version 1.2 or 2. In the bios settings, there is no "security chip" entry under the "Security" tab and no other settings pertaining to TPM in the bios at all. I ran Windows 11 in a VM to check what it thinks about it and it also says that there is no TPM support, either 1.2 or 2. > It could be that we simply misdetect the tpm 1.2 case, i admittedly > never tested things on such a system. how old is that PC? It is about 11-12 years old. It is a Lenovo M93p computer. Morten
Re: [systemd-devel] Permanently remove services
On Do, 18.01.24 23:40, Nils Kattenbeck (nilskem...@gmail.com) wrote: > > > They are turning up as failed units, so they are being run, > > > even if I don't have any TPM module. Also, I have a notifier in > > > my waybar telling me of failed services and I don't want to see > > > them there. > > > > Can you provide logs about this? The goal is definitely to make these > > NOPs on TPM-less systems. I am a bit puzzled that the conditioning > > they come with is not sufficient. We might need to tweak something > > there then. > > > > The idea is that the system does TPM setup on systems that have a tpm > > and on systems lacking that silently just skips all these so that > > everything always works fully automatically and robustly without any > > ugly error output. > > > > hence, any chance you can provide logs about this? and what kind of > > system is this? i.e. does it really lack a tpm? > > In the past I have seen errors on systems which do not have > libtss2/tpm2-tss installed though I am not sure if those should be > silenced. After all, the unit being enabled means that one wants to > use it if possible - and if the libraries are missing that should be > noticeable to the user instead of a silent fail. No, the libs are installed, that's what the "systemd-creds has-tpm2" output shows. Lennart -- Lennart Poettering, Berlin
Re: [systemd-devel] Permanently remove services
> > They are turning up as failed units, so they are being run, > > even if I don't have any TPM module. Also, I have a notifier in > > my waybar telling me of failed services and I don't want to see > > them there. > > Can you provide logs about this? The goal is definitely to make these > NOPs on TPM-less systems. I am a bit puzzled that the conditioning > they come with is not sufficient. We might need to tweak something > there then. > > The idea is that the system does TPM setup on systems that have a tpm > and on systems lacking that silently just skips all these so that > everything always works fully automatically and robustly without any > ugly error output. > > hence, any chance you can provide logs about this? and what kind of > system is this? i.e. does it really lack a tpm? In the past I have seen errors on systems which do not have libtss2/tpm2-tss installed though I am not sure if those should be silenced. After all, the unit being enabled means that one wants to use it if possible - and if the libraries are missing that should be noticeable to the user instead of a silent fail. @Morten Which distribution are you using and do you have the above libraries installed (or whatever they are called in your distro)? Greetings, Nils
Re: [systemd-devel] Permanently remove services
On Do, 18.01.24 22:53, Morten Bo Johansen (morte...@hotmail.com) wrote: > ~/ % systemd-creds has-tpm2 > partial > +firmware > -driver > +system > +subsystem > +libraries OK, so this indicates that your system has TPM support on all levels with a single exception: you lack an actual linux driver for your specific hw. And that puzzles me. because to my knowledge at least linux should support all relevant tpm2 interfaces just fine. THis suggests that you haven#t got the right modules installed. i don't know arch but is there possibly some extra package you have to install to get more drivers? tpm2 drivers are super basic stuff, it sound really weird to me to split this out. It's a condition this stuff indeed is not prepared for though: that everything is set up properly, from firmware to kernel to userspace, but the driver is not actually available. > The output from journalctl --unit systemd-tpm2-setup-early.service: > >-- Boot b3fca98d73f6441590174a72ac0d27fa -- >jan 18 18:13:02 gatsby systemd-tpm2-setup[329]: Failed to create TPM2 > context: State not recoverable >jan 18 18:13:02 gatsby systemd-tpm2-setup[329]: > ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to > open specified TCTI device file /dev/tpmrm0: No such file or direc> >jan 18 18:13:03 gatsby systemd[1]: systemd-tpm2-setup-early.service: Main > process exited, code=exited, status=1/FAILURE >jan 18 18:13:03 gatsby systemd[1]: systemd-tpm2-setup-early.service: > Failed with result 'exit-code'. >jan 18 18:13:03 gatsby systemd[1]: Failed to start TPM2 SRK Setup (Early). > > There is a /dev/tpm0 file but not a /dev/tpmrm0 file Oh, interesting. Is it possible that your system has only a TPM 1.2 device? (maybe your bios allows switching between TPM 2.0 and 1.2 modes) It could be that we simply misdetect the tpm 1.2 case, i admittedly never tested things on such a system. how old is that PC? Lennart -- Lennart Poettering, Berlin
Re: [systemd-devel] Permanently remove services
On 2024-01-18 Lennart Poettering wrote: > That sounds fairly recent, so I would assume that your machine has a > TPM. > > Which OS is this? Arch GNU/Linux. ~/ % uname -a Linux gatsby 6.7.0-arch3-1 #1 SMP PREEMPT_DYNAMIC Sat, 13 Jan 2024 14:37:14 + x86_64 GNU/Linux > Is it possible that your kernel has TPM2 support enabled, but > for some reason the driver for your hw is not available (for > example not included in the initrd)? I don't know. How may I find out? > The full output of "systemd-creds has-tpm2" would be good too. ~/ % systemd-creds has-tpm2 partial +firmware -driver +system +subsystem +libraries The output from journalctl --unit systemd-tpm2-setup-early.service: -- Boot b3fca98d73f6441590174a72ac0d27fa -- jan 18 18:13:02 gatsby systemd-tpm2-setup[329]: Failed to create TPM2 context: State not recoverable jan 18 18:13:02 gatsby systemd-tpm2-setup[329]: ERROR:tcti:src/tss2-tcti/tcti-device.c:451:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or direc> jan 18 18:13:03 gatsby systemd[1]: systemd-tpm2-setup-early.service: Main process exited, code=exited, status=1/FAILURE jan 18 18:13:03 gatsby systemd[1]: systemd-tpm2-setup-early.service: Failed with result 'exit-code'. jan 18 18:13:03 gatsby systemd[1]: Failed to start TPM2 SRK Setup (Early). There is a /dev/tpm0 file but not a /dev/tpmrm0 file Here are all the lines in the kernel config with "TPM.*" in them: CONFIG_TCG_TPM=y CONFIG_HW_RANDOM_TPM=y... CONFIG_TCG_VTPM_PROXY=m... CONFIG_INTEL_SPEED_SELECT_TPMI=m... CONFIG_INTEL_UNCORE_FREQ_CONTROL_TPMI=m... CONFIG_INTEL_TPMI=m... CONFIG_INTEL_RAPL_TPMI=m... CONFIG_TRUSTED_KEYS_TPM=y. Thanks, Morten (further answers tommorow)
Re: [systemd-devel] Permanently remove services
On Do, 18.01.24 22:26, Morten Bo Johansen (morte...@hotmail.com) wrote: > On 2024-01-18 Lennart Poettering wrote: > > > hence, any chance you can provide logs about this? and what kind of > > system is this? i.e. does it really lack a tpm? > > I shall try to accommodate you. How do I get the log? > > The command "systemctl --plain --no-legend list-units --state=failed" > does not provide enough info. ideally boot with "systemd.log_level=debug" on the kernel cmdline, and then paste "journalctl -b" somewhere. The full output of "systemd-creds has-tpm2" would be good too. > I have no external TPM module installed and I don't think my > rather old cpu, "Intel(R) Core(TM) i5-4570T CPU @ 2.90GHz", has > any on-board TPM2 capablility? That sounds fairly recent, so I would assume that your machine has a TPM. Which OS is this? Is it possible that your kernel has TPM2 support enabled, but for some reason the driver for your hw is not available (for example not included in the initrd)? Lennart -- Lennart Poettering, Berlin
Re: [systemd-devel] Permanently remove services
On 2024-01-18 Lennart Poettering wrote: > hence, any chance you can provide logs about this? and what kind of > system is this? i.e. does it really lack a tpm? I shall try to accommodate you. How do I get the log? The command "systemctl --plain --no-legend list-units --state=failed" does not provide enough info. I have no external TPM module installed and I don't think my rather old cpu, "Intel(R) Core(TM) i5-4570T CPU @ 2.90GHz", has any on-board TPM2 capablility? The issue only arose after I installed a system with a LUKS-encrypted volume, EFI and secure boot. Thanks, Morten
Re: [systemd-devel] Permanently remove services
On Do, 18.01.24 19:43, Morten Bo Johansen (morte...@hotmail.com) wrote: > On 2024-01-18 Andy Pieters wrote: > > > Not being funny, but why care? They have got a conditional check in them > > and will only run when it makes sense. > > So these units will do nothing and won't delay your boot or take up > > resources > > They are turning up as failed units, so they are being run, > even if I don't have any TPM module. Also, I have a notifier in > my waybar telling me of failed services and I don't want to see > them there. Can you provide logs about this? The goal is definitely to make these NOPs on TPM-less systems. I am a bit puzzled that the conditioning they come with is not sufficient. We might need to tweak something there then. The idea is that the system does TPM setup on systems that have a tpm and on systems lacking that silently just skips all these so that everything always works fully automatically and robustly without any ugly error output. hence, any chance you can provide logs about this? and what kind of system is this? i.e. does it really lack a tpm? Lennart -- Lennart Poettering, Berlin
Re: [systemd-devel] Permanently remove services
On 2024-01-18 Andy Pieters wrote: > Not being funny, but why care? They have got a conditional check in them > and will only run when it makes sense. > So these units will do nothing and won't delay your boot or take up > resources They are turning up as failed units, so they are being run, even if I don't have any TPM module. Also, I have a notifier in my waybar telling me of failed services and I don't want to see them there. I know it doesn't have any consequences like you say but for tidiness's sake ... Thanks, Morten
Re: [systemd-devel] Permanently remove services
Morten Bo Johansen wrote > I have two services that are irrelevant to my system >systemd-tpm2-setup-early.service systemd-tpm2-setup.service Not being funny, but why care? They have got a conditional check in them and will only run when it makes sense. So these units will do nothing and won't delay your boot or take up resources
Re: [systemd-devel] Permanently remove services
On 2024-01-18 Barry wrote: > Use systemctl mask? Seems like an interesting suggestion. Thank you, Morten
Re: [systemd-devel] Permanently remove services
> On 18 Jan 2024, at 17:30, Morten Bo Johansen wrote: > > How do I get rid of them once and for all? Use systemctl mask? Barry
[systemd-devel] Permanently remove services
I have two services that are irrelevant to my system systemd-tpm2-setup-early.service systemd-tpm2-setup.service that nonetheless are loaded with every boot. They cannot be disabled with systemctl. I can delete the service files under /usr/lib/systemd/system/, but that only lasts until systemd is upgraded, then they are installed again. How do I get rid of them once and for all? Thanks, Morten
