From: Patrick Wicki <[email protected]>

See https://github.com/systemd/systemd/pull/41231 or the patch commit message for details. The regression affects v259.1 to 259.5 as well as v260.1. Requested a backport to v259 but for now a patch is needed.
Signed-off-by: Patrick Wicki <[email protected]> --- ...il-fix-PCR-bank-guessing-without-EFI.patch | 62 +++++++++++++++++++ meta/recipes-core/systemd/systemd_259.5.bb | 1 + 2 files changed, 63 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch diff --git a/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch b/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch new file mode 100644 index 0000000000..c590b01cd3 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch 
@@ -0,0 +1,62 @@ +From 3cef11c710e95bb5f891181e9b2a6d8f174712c3 Mon Sep 17 00:00:00 2001 +From: Patrick Wicki <[email protected]> +Date: Fri, 20 Mar 2026 15:56:56 +0100 +Subject: [PATCH] tpm2-util: fix PCR bank guessing without EFI + +Since 7643e4a89 efi_get_active_pcr_banks() is used to determine the +active PCR banks. Without EFI support, this returns -EOPNOTSUPP. This in +turns leads to cryptenroll and cryptsetup attach failures unless the PCR +bank is explicitly set, i.e. + +$ systemd-cryptenroll $LUKS_PART --tpm2-device=auto --tpm2-pcrs='7' +[...] +Could not read pcr values: Operation not supported + +But it works fine with --tpm2-pcrs='7:sha256'. + +Similarly, unsealing during cryptsetup attach also fails if the bank +needs to be determined: + +Failed to unseal secret using TPM2: Operation not supported + +Catch the -EOPNOTSUPP and fallback to the guessing strategy. + +Upstream-Status: Backport [https://github.com/systemd/systemd/pull/41231] + +Signed-off-by: Patrick Wicki <[email protected]> +--- + src/shared/tpm2-util.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index cf11b50695..c0590fe575 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -2702,11 +2702,11 @@ int tpm2_get_best_pcr_bank( + uint32_t efi_banks; + r = efi_get_active_pcr_banks(&efi_banks); + if (r < 0) { +- if (r != -ENOENT) ++ if (!IN_SET(r, -ENOENT, -EOPNOTSUPP)) + return r; + + /* If variable is not set use guesswork below */ +- log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable, we have to guess the used PCR banks."); ++ log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks."); + } else if (efi_banks == UINT32_MAX) + log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. 
We have to guess the used PCR banks."); + else { +@@ -2811,11 +2811,11 @@ int tpm2_get_good_pcr_banks( + uint32_t efi_banks; + r = efi_get_active_pcr_banks(&efi_banks); + if (r < 0) { +- if (r != -ENOENT) ++ if (!IN_SET(r, -ENOENT, -EOPNOTSUPP)) + return r; + + /* If the variable is not set we have to guess via the code below */ +- log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable, we have to guess the used PCR banks."); ++ log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks."); + } else if (efi_banks == UINT32_MAX) + log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. We have to guess the used PCR banks."); + else { diff --git a/meta/recipes-core/systemd/systemd_259.5.bb b/meta/recipes-core/systemd/systemd_259.5.bb index f0cc83095d..b824261578 100644 --- a/meta/recipes-core/systemd/systemd_259.5.bb +++ b/meta/recipes-core/systemd/systemd_259.5.bb @@ -35,6 +35,7 @@ SRC_URI += " \ file://0003-Do-not-create-var-log-README.patch \ file://0001-meson-use-libfido2_cflags-dependency.patch \ file://0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch \ + file://0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch \ " PAM_PLUGINS = " \ -- 2.53.0
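Review bot: In the first tpm2-util.c hunk (tpm2_get_best_pcr_bank) the comment directly above the changed log_debug, "/* If variable is not set use guesswork below */", is now stale: after widening the check to `!IN_SET(r, -ENOENT, -EOPNOTSUPP)` the branch is also taken when EFI support is unavailable, which is exactly the case the new log message describes. Update the comment in the same hunk so it matches, e.g. "/* If the variable is not set, or EFI is unsupported, use guesswork below */"; otherwise a reader of the code still sees only the missing-variable case explained while -EOPNOTSUPP is silently swallowed. It would also help to state in the commit message which call path produces -EOPNOTSUPP (the non-EFI stub of efi_get_active_pcr_banks()) so the errno being tolerated is clearly tied to that stub and not to an arbitrary TPM failure.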
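Review bot: The second tpm2-util.c hunk (tpm2_get_good_pcr_banks) repeats the identical error-handling block from tpm2_get_best_pcr_bank, and the two copies have already drifted in their comments ("If variable is not set use guesswork below" versus "If the variable is not set we have to guess via the code below"), which is how one of them ends up being fixed and the other missed. For the backport this duplication is fine since it mirrors upstream, but the upstream PR would benefit from factoring the EFI lookup plus the -ENOENT/-EOPNOTSUPP fallback decision into one shared helper so the tolerated errno set lives in a single place. As with the first hunk, the stale comment in this hunk should be updated alongside the log_debug text.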
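Review bot: In the systemd_259.5.bb hunk, the patch carries "Upstream-Status: Backport [https://github.com/systemd/systemd/pull/41231]" while the cover letter says the v259 backport has only been requested, not merged. Per the OE patch-status convention a Backport should reference the upstream commit it was taken from; if the PR has merged into systemd main, replace the PR link with the merged commit URL, and if it has not yet merged, mark it "Submitted [url]" instead so the status is accurate when the recipe is later upgraded. Also note the patch is added under the 0004- prefix while the surrounding SRC_URI entries use 0001, 0003 and 0018; confirm no existing 0004-*.patch already lives in meta/recipes-core/systemd/systemd/ so the name cannot be confused with another file on a future rebase.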
View/Reply Online (#234030): https://lists.openembedded.org/g/openembedded-core/message/234030
