Hey, IIRC it used to be like that, the measure needed a TPM device, but that changed in 257 IIRC? Even on 256. So it's just a docs issue for sure, we've been signing stuff inside containers with no exposure to any TPM devices for a long time now :D

On Sun, Nov 23, 2025 at 3:17 PM Alexander Epaneshnikov <[email protected]> wrote:
> Hello.
>
> In the systemd-measure man page I read this:
> "Note that a TPM2 device must be available for this signing to take place,
> even though the result is not tied to any TPM2 device or its state."
>
> But when I build a UKI with this config on a system without a TPM, it finishes
> successfully and contains a signed policy.
>
> $ cat /etc/kernel/uki.conf
> [UKI]
> SecureBootPrivateKey=/etc/kernel/secureboot-private-key.pem
> SecureBootCertificate=/etc/kernel/secureboot-certificate.pem
>
> [PCRSignature:initrd]
> PCRPrivateKey=/etc/systemd/tpm2-pcr-initrd-private-key.pem
> PCRPublicKey=/etc/systemd/tpm2-pcr-initrd-public-key.pem
>
> $ ukify inspect linux-signed.uki
> ....
> .pcrpkey:
> size: 451 bytes
> sha256: 5ab997e5981f2deae028ca8111f7dda00be87cb8be972256278659203e94f4e4
> ...
> .pcrsig:
> size: 8398 bytes
> sha256: 39d6a4e2f681b353d2d1f7dceff82719b26636a42e572c909a314f3a9badc90c
>
> My question: is the systemd-measure man page wrong about TPM 2.0, or am I missing
> something?
> I did all of my tests on systemd 258.2.
>
> --
> Sincerely, Alexander

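A structural check that could run in a build pipeline on the JSON `ukify inspect` shows for `.pcrsig`, to confirm that a UKI built without a TPM carries PCR signatures for the expected banks. This is an added example, not part of the messages above or of systemd; `check_pcrsig` and the sample data are constructed, the field names (`pcrs`, `pkfp`, `pol`, `sig`) follow ukify's output, and nothing here verifies the signatures cryptographically.

```python
import base64
import json


def _entry(n):
    # Constructed entry in the .pcrsig layout; every value is made up.
    return {"pcrs": [11], "pkfp": "ab" * 32, "pol": f"{n:02x}" * 32,
            "sig": base64.b64encode(bytes([n]) * 256).decode()}


# Constructed sample: four banks, four entries each.
SAMPLE_PCRSIG = json.dumps({bank: [_entry(i) for i in range(4)]
                            for bank in ("sha1", "sha256", "sha384", "sha512")})


def check_pcrsig(text, want_banks, want_pcrs=(11,), sig_bytes=256):
    """Return (entries per bank, list of problems) for a .pcrsig JSON text.

    sig_bytes is the expected raw signature size (256 for an RSA-2048 key).
    """
    doc = json.loads(text)
    problems = [f"bank {b} missing" for b in want_banks if b not in doc]
    summary, fingerprints = {}, set()
    for bank, entries in doc.items():
        summary[bank] = len(entries)
        for i, e in enumerate(entries):
            where = f"{bank}[{i}]"
            missing = {"pcrs", "pkfp", "pol", "sig"} - set(e)
            if missing:
                problems.append(f"{where}: missing {sorted(missing)}")
                continue
            if sorted(e["pcrs"]) != sorted(want_pcrs):
                problems.append(f"{where}: unexpected PCRs {e['pcrs']}")
            try:
                bytes.fromhex(e["pol"])                      # policy digest is hex
                sig = base64.b64decode(e["sig"], validate=True)
            except ValueError as exc:                        # bad hex or base64
                problems.append(f"{where}: undecodable field ({exc})")
                continue
            if len(sig) != sig_bytes:
                problems.append(f"{where}: signature is {len(sig)} bytes")
            fingerprints.add(e["pkfp"])
    if len(fingerprints) > 1:
        problems.append("entries reference more than one signing key")
    return summary, problems


if __name__ == "__main__":
    print(check_pcrsig(SAMPLE_PCRSIG, ["sha256", "sha384"]))
```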