On Fri, Nov 7, 2025 at 10:24 AM Lennart Poettering <[email protected]>
wrote:

> On Fr, 07.11.25 10:02, Itxaka Serrano Garcia ([email protected]) wrote:
>
> > Hey folks,
> >
> > I'm having a go at building systemd myself and I can't get my head around
> > this.
> >
> > If I disable the bootloader part, because I don't want systemd-boot, I also
> > don't get nice services like systemd-tpm2-setup and its binaries because of
> > reasons? I would expect the tpm2=enabled to be the one that enables those
> > services as they are not really tied to the sdboot itself no?
>
> The TPM support uses various PCRs and nvindexes for very specific
> purposes, and expects measurements to be placed in each in a very
> specific way:
>
> - systemd-stub measures what it is invoking, its parameters, profile,
>   and so on. It also provides PCR signatures to userspace if available.
> - systemd-pcrextend measures various things during boot, phases and so on
> - systemd-tpm2-setup sets up SRK and so on
> - systemd-pcrlock locks against these measurements, done this way
>
> Taking possession of PCRs this way, and providing a measurement chain
> like this only really makes sense if this starts via sd-stub. And
> sd-stub is under the boot loader build time knob.
>
> Or to say this differently: we assume that if people opt into sd-stub
> they are fine with our pcr/nvindex usage, and accept our infra. But if
> you do not use sd-stub, then we better stay away from the tpm, because
> you quite likely use it in a very different way.
>
> > I can get things like systemd-boot-bless as that's kind of related to
> > sdboot and boot assessment, although again, I would think that should be a
> > separate service if we expect the bootloader to conform to the bootloader
> > specification, which means it doesn't really tie it to sdboot itself.
> >
> > In any case, any idea how I can build systemd-tpm2-setup without enabling
> > bootloader=true?
>
> This is not supported.
>
> Or to say this all differently: you really should not use Grub if you
> care about verified boot.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
>

Is it not about using grub at all? It's about building and supporting
systemd features that accommodate tpm2 devices for other bootloaders that
conform to the specification?

Also mainly to build stuff separately, for example we build systemd-boot in
a different package that we build systemd, so on one we set
bootloader=disabled as it doesn't make sense to build it together, the less
we build, the faster it goes :D

Even more, the systemd-pcrextend is also linked to the bootloader switch,
which makes no sense to me, as it's independent of the bootloader used as
long as it conforms to the specification. For example, pcrlock is not tied
to the bootloader, which makes sense to me.

I'm wondering if this was tied to it at the start and it's just a leftover?
I'm willing to send patches to remove those deps and instead depend on
tpm2=enabled to enable those tpm2 related services to build based on that
if it's wanted.

Just wondering though, it would be simple enough to have local patches to
enable this, but I was wondering if this was something we wanted directly
upstream on systemd :)

Cheers!
