I have tried to update systemd to 259-rc2 on GNOME OS. But we seem to run into issues.
On a fresh swtpm, systemd-tpm2-setup.service fails. Here are the debug logs (I skipped until the anchor secret):

  Need anchor secret.
  Using TPM2 TCTI driver 'device' with device '/dev/tpmrm0'.
  Loaded 'libtss2-tcti-device.so.0' via dlopen()
  Loaded TCTI module 'tcti-device' (TCTI module for communication with Linux kernel interface.) [Version 2]
  TPM successfully started up.
  Getting TPM2 capability 0x0000 property 0x0001 count 127.
  Getting TPM2 capability 0x0002 property 0x011f count 256.
  Getting TPM2 capability 0x0008 property 0x0000 count 508.
  Getting TPM2 capability 0x0005 property 0x0000 count 1.
  Creating primary key on TPM.
  Successfully created primary key on TPM in 10ms.
  Loading HMAC key into TPM for shard 0.
  Loading object into TPM.
  Starting HMAC encryption session.
  Starting policy session.
  Building sealing policy.
  Reading PCR selection: [sha256(11)]
  Read PCR selection: [sha256(11)]
  PCR value: 11:sha256=1e7ad15c500222a0d08fed9a15502053ffd760322f6fc911708f9b2d9326a96d
  Adding PCR signature policy.
  Loading external key into TPM.
  Object name: 000bf4e103374080d6ed6c43b6dd3e11dc5d052c6186a6d80565e52afe617ddd0f85
  Submitting PCR hash policy.
  Acquiring policy digest.
  Session policy digest: 11bfae03fb514a41dd91acf43e05748be5f33c3ef7dfa433205fc455913f65a0
  Couldn't find signature for this PCR bank, PCR index and public key.
  Failed to unseal secret using TPM2: No such device or address
  Failed to acquire anchor secret: No such device or address

The UKI is signed. So I am not totally sure what is wrong with PCR 11.

systemd-tpm2-setup-early.service in the initrd, on the other hand, reports: "No NvPCRs defined, nothing initialized."

I am wondering, what are the expected measurements on PCR 11 at the time systemd-tpm2-setup.service runs? Is there a specific phase? Also, is there anything new with how systemd-measure has to be used? Does systemd-tpm2-setup handle multiple PCR 11 signatures (we have 2 for initrd mounts and post-initrd mounts)?

--
Valentin David
[email protected]
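The failure in the log above is a lookup miss: the policy digest the TPM derives from the current PCR 11 value is compared against the signed policy digests in the .pcrsig document, and none of them match. The following Python script is an added example (not code from systemd or from the post) that reproduces that comparison offline, so one can check a PCR 11 value read from sysfs against each entry of a .pcrsig without going through the TPM. It assumes the .pcrsig JSON has the shape systemd-measure writes, `{"sha256": [{"pcrs": [...], "pkfp": "<hex>", "pol": "<hex>", "sig": "<base64>"}]}`, and that each "pol" is the TPM2_PolicyPCR digest computed from an all-zero starting digest (TPM 2.0 Part 3, PolicyPCR: H(old || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values))). The sample .pcrsig, its key fingerprint and its two "phase" PCR values are constructed for the example; only the PCR 11 value is taken from the log.

```python
"""Check a PCR 11 value against the signed policies in a systemd-style .pcrsig.

Added example, not systemd code. Assumptions: .pcrsig layout as produced by
systemd-measure, and "pol" = TPM2_PolicyPCR digest over a fresh (all-zero)
policy digest, as specified in TPM 2.0 Part 3.
"""
import hashlib
import json
import struct

TPM_CC_POLICY_PCR = 0x0000017F   # TPM 2.0 command code for TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B          # TPMI_ALG_HASH value for SHA-256
PCR_SELECT_BYTES = 3             # sizeofSelect for a 24-PCR bank


def tpml_pcr_selection_sha256(pcrs):
    """Marshal a TPML_PCR_SELECTION with one SHA-256 bank covering `pcrs`."""
    select = bytearray(PCR_SELECT_BYTES)
    for pcr in pcrs:
        select[pcr // 8] |= 1 << (pcr % 8)
    # count (UINT32) || hash (UINT16) || sizeofSelect (UINT8) || pcrSelect bytes
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, PCR_SELECT_BYTES) + bytes(select)


def policy_pcr_digest(pcr_values, start=bytes(32)):
    """Policy digest after TPM2_PolicyPCR on a fresh session.

    pcr_values: {pcr index: 32-byte SHA-256 PCR value}
    policyDigest' = H(policyDigest || TPM_CC_PolicyPCR || pcrs || digestTPM)
    digestTPM     = H(concatenation of the selected PCR values, ascending index)
    """
    pcrs = sorted(pcr_values)
    digest_tpm = hashlib.sha256(b"".join(pcr_values[p] for p in pcrs)).digest()
    return hashlib.sha256(
        start + struct.pack(">I", TPM_CC_POLICY_PCR)
        + tpml_pcr_selection_sha256(pcrs) + digest_tpm
    ).digest()


def find_matching_policies(pcrsig, pcr_values, pkfp=None):
    """Entries of the .pcrsig whose "pol" equals the digest for the given PCRs.

    Entries referencing PCRs absent from pcr_values are skipped; pkfp, when
    given, restricts the search to entries signed with that key fingerprint.
    """
    matches = []
    for entry in pcrsig.get("sha256", []):
        if pkfp is not None and entry.get("pkfp") != pkfp:
            continue
        pcrs = entry["pcrs"]
        if any(p not in pcr_values for p in pcrs):
            continue
        expected = policy_pcr_digest({p: pcr_values[p] for p in pcrs}).hex()
        if expected == entry["pol"].lower():
            matches.append(entry)
    return matches


def check(pcrsig, pcr11_hex, pkfp=None):
    """Number of .pcrsig entries matching a hex PCR 11 value (0 means a miss)."""
    return len(find_matching_policies(pcrsig, {11: bytes.fromhex(pcr11_hex)}, pkfp))


# Constructed sample .pcrsig: one entry per phase (initrd and post-initrd),
# both signed with the same hypothetical key. The "sig" fields are placeholders;
# the example only reproduces the "pol" lookup, not signature verification.
PKFP = "aa" * 32  # hypothetical key fingerprint
PCR11_INITRD = hashlib.sha256(b"constructed initrd-phase PCR 11").digest()
PCR11_POST = hashlib.sha256(b"constructed post-initrd PCR 11").digest()
SAMPLE_PCRSIG = {
    "sha256": [
        {"pcrs": [11], "pkfp": PKFP,
         "pol": policy_pcr_digest({11: PCR11_INITRD}).hex(), "sig": "c2lnMQ=="},
        {"pcrs": [11], "pkfp": PKFP,
         "pol": policy_pcr_digest({11: PCR11_POST}).hex(), "sig": "c2lnMg=="},
    ]
}

# PCR 11 value reported in the log above.
LOG_PCR11 = "1e7ad15c500222a0d08fed9a15502053ffd760322f6fc911708f9b2d9326a96d"

if __name__ == "__main__":
    print("policy digest for logged PCR 11:",
          policy_pcr_digest({11: bytes.fromhex(LOG_PCR11)}).hex())
    print("entries matching constructed initrd phase:", check(SAMPLE_PCRSIG, PCR11_INITRD.hex()))
    print("entries matching logged value:", check(SAMPLE_PCRSIG, LOG_PCR11))
    print(json.dumps(SAMPLE_PCRSIG, indent=2))
```

To run it against a real system, replace SAMPLE_PCRSIG with `json.load(open("<uki>.pcrsig"))` and read the live value from `/sys/class/tpm/tpm0/pcr-sha256/11`; a result of 0 for the current value, together with a nonzero result for the value expected in the other phase, points at the wrong phase being active when the service runs rather than at a missing signature. The "pkfp" filter mirrors the "PCR bank, PCR index and public key" triple named in the error message.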
