FS#76527 - [systemd] boot is perpetually stalled waiting for TPM2 PCR Barrier to start

Attached to Project: Arch Linux
Opened by LaserEyess (LaserEyess) - Friday, 11 November 2022, 15:43 GMT
Last edited by Christian Hesse (eworm) - Monday, 21 November 2022, 11:25 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:

When using a setup where systemd-pcrphase-sysinit.service is active, the boot is stalled forever waiting for this service to stop. See the following image: https://0x0.st/o6eE.png

The following needs to hold for the service to work:

AssertPathExists=!/etc/initrd-release
ConditionSecurity=tpm2
ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f

Additional info:
* version: 252.1-1
* config and/or log files etc.: Not possible right now, working on it
* link to upstream bug report, if any: None (yet)

Steps to reproduce:

1. Create a scenario where systemd-pcrphase-sysinit.service is activated
2. Boot
3. Wait forever
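An added diagnostic (not from the report, and not systemd's own code): a POSIX shell function that evaluates the three unit conditions quoted above against a root directory, so you can tell ahead of a reboot whether systemd-pcrphase-sysinit.service will start on a host. The `ConditionSecurity=tpm2` check is an assumed approximation (a device present under /sys/class/tpmrm), not systemd's real logic, and the root-directory parameter exists so the checks can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added diagnostic for the conditions listed in the bug report. ROOT defaults to
# "" (the live system); a temporary tree can be passed instead for testing.

# Approximation (assumption) of ConditionSecurity=tpm2: a TPM resource manager
# device exists under /sys/class/tpmrm. systemd also consults firmware tables,
# so treat this as a heuristic only.
has_tpm2() {
    root="${1:-}"
    [ -n "$(ls -A "$root/sys/class/tpmrm" 2>/dev/null)" ]
}

# Evaluate one unit condition such as "AssertPathExists=!/etc/initrd-release".
# A leading "!" on the value negates the path check. Returns 0 when the
# condition holds, 1 when it does not, 2 for an unsupported key.
check_condition() {
    root="$1"
    line="$2"
    key="${line%%=*}"
    value="${line#*=}"
    case "$key" in
        ConditionPathExists|AssertPathExists)
            case "$value" in
                !*) [ ! -e "$root${value#!}" ] ;;
                *)  [ -e "$root$value" ] ;;
            esac ;;
        ConditionSecurity)
            [ "$value" = "tpm2" ] && has_tpm2 "$root" ;;
        *) return 2 ;;
    esac
}

# Returns 0 when all three conditions from the report hold (the service would
# start), 1 otherwise, naming the first failing condition on stdout.
pcrphase_would_start() {
    root="${1:-}"
    for cond in \
        'AssertPathExists=!/etc/initrd-release' \
        'ConditionSecurity=tpm2' \
        'ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f'
    do
        if ! check_condition "$root" "$cond"; then
            echo "not met: $cond"
            return 1
        fi
    done
    echo "all conditions met: systemd-pcrphase-sysinit.service would run"
}

# Usage on the live host: sh pcrphase-check.sh --check
case "${1:-}" in --check) pcrphase_would_start ;; esac
```

If all conditions are met on an affected 252.1-1 system, the workaround reported later in this thread (masking the unit) is what prevents the stall.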

Closed by Christian Hesse (eworm)
Monday, 21 November 2022, 11:25 GMT
Reason for closing: Fixed
Additional comments about closing: systemd 252.1-2
Comment by LaserEyess (LaserEyess) - Friday, 11 November 2022, 15:47 GMT
Additional information about my setup that I think is relevant:

1. I am using dracut to create a unified kernel image with keys created with sbctl, this setup works in 251.x, on multiple machines
2. I use secure boot, this is working with 251.x
3. On this particular machine I do TPM2 based auto unlocking based on PCR 7 **only**
4. I use systemd-boot, which has been signed by sbctl and passes secure boot
Comment by LaserEyess (LaserEyess) - Friday, 11 November 2022, 16:17 GMT
Comment by LaserEyess (LaserEyess) - Saturday, 12 November 2022, 00:17 GMT
Masking the service works, boot continues fine. Interestingly, when I first booted after masking the service I got: "TPM2 device is in dictionary attack lockout mode." That might be related.

The full boot log from an instance when it stalled forever is attached.

Attachment: wow.txt (170.1 KiB)
Comment by Christoph Wegener (cwegener) - Saturday, 12 November 2022, 06:30 GMT
I ran into the same scenario (TPM2 auto unlock with PIN, Universal Kernel Image).
As per Manjaro discussion forum [1], removing 'tpm2-abrmd' resolved the issue.

[1] https://forum.manjaro.org/t/testing-update-2022-11-08-kernels-gnome-43-openssl-3-0-firefox-thunderbird-mesa-kde-gear-22-08-3-libreoffice-lxqt-1-2-0/126303/15
Comment by Toolybird (Toolybird) - Sunday, 13 November 2022, 06:54 GMT
Dupe FS#76532

There is ongoing activity in the linked upstream report. Please let us know if/when there is an outcome.
Comment by LaserEyess (LaserEyess) - Thursday, 17 November 2022, 03:24 GMT
Fixed upstream, scheduled for backport