Hi,

Following up on my previous question, which worked around this with Wants: and After: to dev-tpmrm0.device and [email protected]; these don't seem to work fully.
In short, I want to support devices with and without a TPM. The TPM device can also be a firmware fTPM device, which depends on tee-supplicant in userspace for RPMB storage. If a TPM device is found, systemd-repart in the initramfs will create an encrypted rootfs; if not, a plaintext ext4 partition. Support for TPM devices is OK and the drivers are built into the kernel. The systemd-repart config for the rootfs is:

[Partition]
Type=root
Weight=100
Format=ext4
Encrypt=tpm2
FactoryReset=yes
MakeDirectories=/boot /usr /home /home/root
# copying etc from build time /usr image
CopyFiles=/usr/etc:/etc

The /usr partition generated at build time is dm-verity protected and contains /etc, which is copied over to the newly created rootfs.

Support for fTPM devices is problematic. First, the kernel support must be built as modules, but loading needs to be specially handled after starting tee-supplicant. For a normal boot, udev handles optee detection and triggers [email protected] startup, which unloads the tpm_ftpm_tee kernel module, starts tee-supplicant and then loads the kernel module again. After this RPMB works.
To do the same in the initramfs, I added Wants: and After: dependencies from systemd-repart.service, [email protected], systemd-pcrmachine.service and systemd-pcrphase-initrd.service:

After=dev-tpmrm0.device [email protected]
Wants=dev-tpmrm0.device [email protected]

The base [email protected] is:

[Unit]
Description=TEE Supplicant on %i
# Needs to be started earlier
DefaultDependencies=no
Conflicts=shutdown.target initrd-switch-root.target
Before=local-fs-pre.target cryptsetup-pre.target cryptsetup.target shutdown.target initrd-switch-root.target systemd-sysext.service
Before=systemd-pcrphase-initrd.service systemd-pcrphase.service systemd-pcrmachine.service

[Service]
User=root
EnvironmentFile=-@sysconfdir@/default/tee-supplicant
ExecStartPre=-@sbindir@/modprobe -r tpm_ftpm_tee
ExecStartPre=@sbindir@/create-tee-supplicant-env @localstatedir@/run/tee-supplicant.env
ExecStart=/bin/sh -c "if [ -c /dev/teepriv0 ]; then @sbindir@/tee-supplicant $RPMB_CID $OPTARGS; fi"
ExecStartPost=-/bin/sh -c "while [ ! $(pgrep tee-supplicant) ]; do sleep 0.1; done; /sbin/modprobe tpm_ftpm_tee"
ExecStop=-/sbin/modprobe -r tpm_ftpm_tee

[Install]
# fTPM encrypted filesystems, needs to start in initrd stage
WantedBy=local-fs-pre.target

These seem to work for devices with and without a TPM, but not on devices where optee is missing and there is no /dev/teepriv0. The missing TPM device is detected after a timeout, which is OK, and the fallback to unencrypted ext4 happens since systemd-repart.service has:

ExecStart=/bin/sh -c "/usr/bin/test -c /dev/tpmrm0 && /usr/bin/systemd-repart --dry-run=no --definitions=${nonarch_libdir}/repart.d/ || /usr/bin/systemd-repart --dry-run=no --definitions=${nonarch_libdir}/repart.d_notpm/"

But missing optee and /dev/teepriv0 causes issues: [email protected] gets started in the initramfs stage, but since optee is not found in the firmware, tee-supplicant exits with an error. So what could be done better or correctly?
The problematic part is to run these tee-supplicant and tpm_ftpm_tee loading steps only when /dev/teepriv0 is available, and early enough for the TPM2 dependencies to work for systemd. Should I rather set up a dedicated service for the initramfs which emulates Wants: and After: for dev-tpmrm0.device and [email protected]?

Thanks in advance,
-Mikko
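One way to start the supplicant only when the TEE device actually exists is to let udev expose /dev/teepriv0 as a systemd device unit and have that device unit pull the service in, instead of having systemd-repart.service want the service unconditionally. The following is an added example for illustration, not the poster's configuration and not shipped by OP-TEE or systemd. It assumes the TEE class devices appear under the udev subsystem "tee", that the node is /dev/teepriv0, that tee-supplicant lives at /usr/sbin/tee-supplicant, and that both files are installed into the initramfs image as well as the root filesystem; file paths are assumed.

```ini
# Added example, not the poster's configuration. Assumed: udev subsystem
# "tee", device node /dev/teepriv0, binary /usr/sbin/tee-supplicant, and
# that both files are also copied into the initramfs image.

# /etc/udev/rules.d/80-tee-supplicant.rules (assumed path)
# Tag the device for systemd so dev-teepriv0.device exists, and let that
# device unit want the supplicant instance. On a board without OP-TEE the
# node never appears, so the service is never requested at all.
SUBSYSTEM=="tee", KERNEL=="teepriv0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="tee-supplicant@%k.service"

# /usr/lib/systemd/system/tee-supplicant@.service (assumed path)
[Unit]
Description=TEE Supplicant on /dev/%i
DefaultDependencies=no
# Never start before the device unit is active; stop if it goes away.
BindsTo=dev-%i.device
After=dev-%i.device
Conflicts=shutdown.target initrd-switch-root.target
Before=local-fs-pre.target cryptsetup-pre.target cryptsetup.target shutdown.target initrd-switch-root.target
Before=systemd-pcrphase-initrd.service systemd-pcrmachine.service

[Service]
Type=exec
# Second guard for manual or stray starts: a failing ExecCondition= skips
# the unit cleanly (inactive, not failed) rather than running the
# supplicant against a node that is not there.
ExecCondition=/usr/bin/test -c /dev/%i
ExecStartPre=-/sbin/modprobe -r tpm_ftpm_tee
# Supplicant arguments (RPMB CID etc.) would be appended here.
ExecStart=/usr/sbin/tee-supplicant
# Reload the fTPM driver once the supplicant process exists, but give up
# after 5 s (50 x 0.1 s) instead of looping forever.
ExecStartPost=/bin/sh -c 'n=0; while ! pgrep -x tee-supplicant >/dev/null; do n=$((n+1)); [ "$n" -lt 50 ] || exit 1; sleep 0.1; done; exec /sbin/modprobe tpm_ftpm_tee'
ExecStop=-/sbin/modprobe -r tpm_ftpm_tee
```

With this arrangement the consumers (systemd-repart.service, systemd-pcrmachine.service and so on) keep only After=tee-supplicant@teepriv0.service and drop the Wants=: a Wants= from them would queue the service anyway, and BindsTo=dev-teepriv0.device would then make it wait for a device that never comes until the job timeout, which is the same failure mode the post describes. Since the udev rule pulls the service in, no [Install] section is needed. The fallback to the unencrypted definitions still relies on the dev-tpmrm0.device timeout from the post, which this example does not change.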
