#1 2023-03-05 14:48:50

dojero
Member
Registered: 2011-11-26
Posts: 36

[SOLVED] TPM2 barrier not starting error...when I don't use TPM@

With the update to kernel 6.2.2, I've started getting a red letter warning: 'Failed to start TPM2 barrier (initrd)'

System boots fine, but this is showing in spite of my silent boot efforts. And it's strange, since I've never used Secure Boot or TPM2 in any way. My guess is that the latest initramfs.img contains the effort to start TPM2 barrier, even though I don't want to.

Is there a way to remove the effort to start TPM2 barrier from the initrd? I assume that would end the red letter warning.

Last edited by dojero (2023-03-07 18:44:22)

Offline

#2 2023-03-05 15:23:16

seth
Member
Registered: 2012-09-03
Posts: 49,963

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

pacman -Qs tpm

Online

#3 2023-03-05 19:07:30

dojero
Member
Registered: 2011-11-26
Posts: 36

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Tpm2-tss is installed. It is a dependency for libsecret, which in turn is necessary for several things (Bitwarden, for example). So I cannot simply remove it. But it should not try to start TPM2 barrier on boot. Again, it appears to be part of the initrd (see error message quotes in original post). But I don't know why, nor how to stop it from happening.

Offline

#4 2023-03-05 19:19:22

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

https://github.com/systemd/systemd/issues/25700 which was fixed in v253.  Does the system have a TPM enabled that may be broken?

Offline

#5 2023-03-06 00:30:34

dojero
Member
Registered: 2011-11-26
Posts: 36

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

I don't think so. This is happening on more than one laptop. But I will try to make sure that I don't have an epidemic of TPM breakage.

Offline

#6 2023-03-06 02:48:30

plasmamax1
Member
Registered: 2023-03-06
Posts: 1

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Another user seeing "Failed to start TPM2 PCR Barrier (initrd)". How does one check if TPM is broken?

Edit: I don't think it's a TPM issue, but something related to the services with systemd 253.1-1. systemd-pcrphase-initrd.service is failing and restarting gives the error:
Condition: start condition failed at Sun 2023-03-05 21:57:41 EST; 9s ago
                  └─ ConditionPathExists=/etc/initrd-release was not met

Last edited by plasmamax1 (2023-03-06 03:15:32)

Offline

#7 2023-03-06 03:54:17

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Is there anything more in the journal related to systemd-pcrphase-initrd.service? When a ConditionPathExists is not met the service should be skipped rather than failed.

Offline

#8 2023-03-06 19:00:07

dojero
Member
Registered: 2011-11-26
Posts: 36

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Nothing shows in journalctl except the standard exit on failure line.

I've added console=tty2 to my kernel cmdline and that means that the error message doesn't show during the boot process (which, of course, is not the same as the error not occurring). I'd much prefer if systemd didn't automatically force tpm2 to be a part of initrd...or at least make it possible to not include it...but in the meantime, I'll live with the message not printing to my console.

Offline

#9 2023-03-06 20:42:36

seth
Member
Registered: 2012-09-03
Posts: 49,963

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Please post your complete system journal for the boot:

sudo journalctl -b | curl -F 'file=@-' 0x0.st

Online

#10 2023-03-06 22:32:52

dojero
Member
Registered: 2011-11-26
Posts: 36

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Result is here: http://0x0.st/HzRd.txt

Offline

#11 2023-03-06 22:50:42

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Mar 06 17:28:37 archlinux systemd[1]: Starting TPM2 PCR Barrier (initrd)...
Mar 06 17:28:37 archlinux systemd[1]: systemd-pcrphase-initrd.service: Main process exited, code=exited, status=1/FAILURE
Mar 06 17:28:37 archlinux systemd[1]: systemd-pcrphase-initrd.service: Failed with result 'exit-code'.
Mar 06 17:28:37 archlinux systemd[1]: Failed to start TPM2 PCR Barrier (initrd).
Mar 06 17:28:37 archlinux systemd-pcrphase[153]: Failed to load TPM2 libraries: Operation not supported

Edit:
https://github.com/systemd/systemd/blob … ase.c#L346
https://github.com/systemd/systemd/blob … util.c#L66
Edit2:
https://github.com/archlinux/svntogit-p … 4b7fa8a180
The service file was added to the initrd which I am guessing automatically causes systemd-pcrphase to be added but the dlopened libraries that are required are not detected as required.  So if the service is triggered it fails.  That appears to be a packaging issue.

Last edited by loqs (2023-03-06 22:59:33)

Offline

#12 2023-03-07 04:17:03

dojero
Member
Registered: 2011-11-26
Posts: 36

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Right. My question is: is there any way for me to remove the service from initrd?

Offline

#13 2023-03-07 07:07:33

seth
Member
Registered: 2012-09-03
Posts: 49,963

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

https://wiki.archlinux.org/title/Mkinit … cted_image
Or patch /usr/lib/initcpio/install/systemd

loqs wrote:

That appears to be a packaging issue.

Do we (still) need to file a bug or is this recorded?

Online

#14 2023-03-07 11:50:59

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

seth wrote:
loqs wrote:

That appears to be a packaging issue.

Do we (still) need to file a bug or is this recorded?

I think someone should request https://bugs.archlinux.org/task/77562 be reopened.
Edit:
If you add /usr/lib/libtss2-esys.so.0 to the BINARIES array of /etc/mkinitcpio.conf then rebuild the initrd, is the error message still produced? If so, please post the journal for that boot.

Last edited by loqs (2023-03-07 15:11:21)

Offline

#15 2023-03-07 15:51:53

dojero
Member
Registered: 2011-11-26
Posts: 36

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Still there with the added binary line in mkinitcpio.conf. Journalctl is here: http://0x0.st/HisE.txt

Offline

#16 2023-03-07 15:59:42

seth
Member
Registered: 2012-09-03
Posts: 49,963

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Mar 07 10:48:25 archlinux systemd[1]: Starting TPM2 PCR Barrier (initrd)...
…
Mar 07 10:48:25 archlinux systemd[1]: Starting Rule-based Manager for Device Events and Files...
Mar 07 10:48:25 archlinux systemd[1]: systemd-pcrphase-initrd.service: Main process exited, code=exited, status=1/FAILURE
Mar 07 10:48:25 archlinux systemd[1]: systemd-pcrphase-initrd.service: Failed with result 'exit-code'.
Mar 07 10:48:25 archlinux systemd[1]: Failed to start TPM2 PCR Barrier (initrd).
…
Mar 07 10:48:25 archlinux systemd-pcrphase[156]: Failed to load TPM2 libraries: Operation not supported

https://github.com/systemd/systemd/blob … util.c#L62
* libtss2-esys.so.0
* libtss2-rc.so.0
* libtss2-mu.so.0

But the failure is also before the dlopen error … hmm

Online

#17 2023-03-07 16:34:29

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

I thought libtss2-rc.so.0 and libtss2-mu.so.0 were both depends of libtss2-esys.so.0 so adding that would be enough. I had mistaken libtss2-sys.so.1 for libtss2-rc.so.0.
So at least libtss2-esys.so.0 and libtss2-rc.so.0 need to be in the binaries array. Then rebuild the initrd. Then check

# lsinitcpio /boot/initramfs-linux.img | grep tss

If libtss2-mu.so.0 is not in the output add it to the binaries and rebuild again. Then see what the result is.

Offline

#18 2023-03-07 16:35:11

forumache
Member
From: Netherlands
Registered: 2011-09-02
Posts: 55

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Same issue here.

My setup:
- using my own keys, secure boot enabled
- using Unified Kernel Image
- not using TPM
- not using LUKS
- using systemd hooks (instead of base and udev) in mkinitcpio.conf: "HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block filesystems)"

Don't know what, if any, of the above matters, but I thought to contribute, without diluting the topic ;)

Offline

#19 2023-03-07 16:53:46

forumache
Member
From: Netherlands
Registered: 2011-09-02
Posts: 55

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

@loqs, after adding the files you mentioned, the error changed, complaining about another file missing. Added it to BINARIES and now the error went away. So the BINARIES look like:

BINARIES=(/usr/lib/libtss2-esys.so.0 /usr/lib/libtss2-rc.so.0 /usr/lib/libtss2-tcti-device.so.0)

Thank you for your help!

Offline
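
Added example, not part of any post in this thread: a shell function that automates the lsinitcpio check from post #17 by reporting which of the TPM2 libraries named in posts #16 and #19 are absent from an image that ships systemd-pcrphase-initrd.service. The function name, the sample listing and the unit path inside it are constructed for illustration.

```shell
#!/bin/sh
# Usage on a real system: lsinitcpio /boot/initramfs-linux.img | missing_tss_libs

# Library names taken from the thread: seth's list in post #16 plus the
# TCTI module that post #19 had to add.
TSS_LIBS="libtss2-esys.so.0 libtss2-rc.so.0 libtss2-mu.so.0 libtss2-tcti-device.so.0"

# Reads an initramfs file listing on stdin and prints one missing library
# per line. Returns 0 if the pcrphase unit is not in the image or all
# libraries are present, 1 if the unit is present and libraries are missing.
missing_tss_libs() {
    # Reduce every path to its basename so "usr/lib/x" and "/usr/lib/x" match.
    _names=$(sed 's|.*/||')
    # Without the unit in the image nothing will try to load the libraries.
    if ! printf '%s\n' "$_names" | grep -qxF 'systemd-pcrphase-initrd.service'; then
        return 0
    fi
    _missing=0
    for _lib in $TSS_LIBS; do
        if ! printf '%s\n' "$_names" | grep -qxF "$_lib"; then
            printf '%s\n' "$_lib"
            _missing=1
        fi
    done
    [ "$_missing" -eq 0 ]
}

# Constructed sample listing: unit and helper binary are present, but only
# one of the libraries made it into the image.
sample_listing() {
    cat <<'EOF'
usr/lib/systemd/system/systemd-pcrphase-initrd.service
usr/lib/systemd/systemd-pcrphase
usr/lib/libtss2-esys.so.0
usr/lib/libc.so.6
EOF
}

# Demo on the constructed listing; a non-zero status means libraries are missing.
sample_listing | missing_tss_libs || echo "(unit present, libraries above are missing)"
```
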

#20 2023-03-07 17:31:29

NeverTooLate
Member
From: France
Registered: 2020-06-04
Posts: 6

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Add sd-encrypt after systemd hook and rebuild.
It did the trick for me.

Offline

#21 2023-03-07 18:46:19

dojero
Member
Registered: 2011-11-26
Posts: 36

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

The addition of binaries worked for those of us not using secure boot as well. I've marked the thread solved and thank everyone for the assistance. I did not try the sd-encrypt hook suggested by @NeverTooLate

Offline

#22 2023-03-07 22:25:20

forumache
Member
From: Netherlands
Registered: 2011-09-02
Posts: 55

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

OK, tested with sd-encrypt hook suggested by @NeverTooLate (removed libtss2* from BINARIES) and the PCR barrier error is not displayed. So now we have two "solutions", both working but ugly:
- using hardcoded libtss2* BINARIES
- using sd-encrypt which brings a warning regarding missing firmware for qat_4xxx from mkinitcpio

They are ugly because they both require configuration (either BINARIES or HOOKS) for TPM or encryption even if the functionality (encrypted filesystem) is not used at all, otherwise we are getting error messages.

Last edited by forumache (2023-03-07 22:26:05)

Offline

#23 2023-03-08 15:28:16

eworm
Package Maintainer (PM)
From: Oberhausen, Germany
Registered: 2010-01-30
Posts: 105
Website

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Please test systemd 253.1-3... It should work without workarounds.


ArchLinux - make it simple & lightweight

Offline

#24 2023-03-09 08:21:10

jl2
Member
From: 47° 18' N 8° 34' E
Registered: 2022-06-01
Posts: 251
Website

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

systemd 253.1-3 does fix it.... thanks eworm.
it's currently in the testing repo.


Why I run Arch? To "BTW I run Arch" the guy one grade younger.
And to let my siblings and cousins laugh at Arsch Linux...

Offline

#25 2023-03-09 20:26:53

dojero
Member
Registered: 2011-11-26
Posts: 36

Re: [SOLVED] TPM2 barrier not starting error...when I don't use TPM@

Now truly fixed with systemd 253.1-3. Thanks again to all for the help.

Offline
