There is some TPM-related stuff starting on my laptop at boot:
$ systemctl | grep -i tpm
sys-devices-platform-MSFT0101:00-tpm-tpm0.device loaded active plugged /sys/devices/platform/MSFT0101:00/tpm/tpm0
sys-devices-platform-MSFT0101:00-tpmrm-tpmrm0.device loaded active plugged /sys/devices/platform/MSFT0101:00/tpmrm/tpmrm0
systemd-pcrmachine.service loaded active exited TPM PCR Machine ID Measurement
systemd-pcrnvdone.service loaded active exited TPM PCR NvPCR Initialization Separator
systemd-pcrphase-sysinit.service loaded active exited TPM PCR Barrier (Initialization)
systemd-pcrphase.service loaded active exited TPM PCR Barrier (User)
systemd-pcrproduct.service loaded active exited TPM NvPCR Product ID Measurement
systemd-tpm2-setup-early.service loaded active exited Early TPM SRK Setup
systemd-tpm2-setup.service loaded active exited TPM SRK Setup
systemd-pcrextend.socket loaded active listening TPM PCR Measurements
systemd-pcrlock.socket loaded active listening Make TPM PCR Policy
tpm2.target loaded active active Trusted Platform Module

I use direct UKI boot without a bootloader, with a busybox-based initramfs and manual password entry for dm-crypt setup.
The most I would use the TPM for is as a source of entropy, but I can opt out of that too.
Are all of these services and sockets required?
As I understand it (maybe wrongly), they are needed for systemd-stub to generate keys and check the UKI parts on boot. But I sign the UKI with a custom key whose corresponding KEK is enrolled in UEFI, so in my case the UKI is verified by UEFI itself.
What could be pitfalls if I prevent these services and sockets from starting?
Interestingly, none of these services or sockets are explicitly enabled. I guess they are pulled in by the presence of a TPM device AND "ConditionSecurity=measured-uki". However, I haven't found a clear explanation of where the "measured-uki" value comes from.
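Added check for the questions above (example script written for this page, not part of the original post and not systemd's own tooling). It evaluates the two ConditionSecurity= values the way systemd does, shows where "measured-uki" comes from (systemd-stub records the PCR it measured the UKI into in the EFI variable StubPcrKernelImage under systemd's boot loader interface GUID, per systemd-stub(7)), prints the Condition*/Assert* lines of each service and socket from the listing above, and stages the mask commands as a dry run. Assumptions: a systemd host with efivarfs mounted, `systemd-analyze condition` exiting non-zero when the condition set is false, and the unit list copied from the poster's own `systemctl` output. Every helper prints a marker ("unavailable", "absent") instead of failing when a tool or file is missing.

```shell
#!/bin/sh
# Added example, not from the original post: inspect the condition gates behind
# systemd's TPM units and stage their masking. Nothing is changed unless APPLY=1.

# Evaluate one ConditionSecurity= value the way systemd would.
# Prints "met", "unmet", or "unavailable" (no systemd-analyze on this host).
# Assumption: systemd-analyze condition exits non-zero when the set is false.
check_security_condition() {
    cond="$1"
    if ! command -v systemd-analyze >/dev/null 2>&1; then
        printf '%s\n' unavailable
        return 0
    fi
    if systemd-analyze condition "ConditionSecurity=$cond" >/dev/null 2>&1; then
        printf '%s\n' met
    else
        printf '%s\n' unmet
    fi
}

# Where measured-uki comes from: systemd-stub stores the PCR index it measured
# the UKI into in the EFI variable StubPcrKernelImage (GUID is systemd's boot
# loader interface vendor GUID, per systemd-stub(7)). Prints the index, or
# "absent" when the variable is not there (no systemd-stub measurement, no EFI).
stub_pcr_kernel_image() {
    var=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
    if [ ! -r "$var" ]; then
        printf '%s\n' absent
        return 0
    fi
    # efivarfs prepends 4 bytes of attributes; the payload is a UTF-16LE string.
    tail -c +5 "$var" | tr -d '\0\n'
    printf '\n'
}

# Show the Condition*/Assert* lines of a unit, i.e. what actually gates it.
unit_conditions() {
    systemctl cat "$1" 2>/dev/null | grep -E '^(Condition|Assert)' \
        || printf '%s\n' "no Condition*/Assert* lines (or unit not found)"
}

# The services and sockets from the listing in the post. The .device units and
# tpm2.target are pulled in by the device itself and are left alone here.
TPM_UNITS="systemd-pcrmachine.service systemd-pcrnvdone.service
systemd-pcrphase-sysinit.service systemd-pcrphase.service
systemd-pcrproduct.service systemd-tpm2-setup-early.service
systemd-tpm2-setup.service systemd-pcrextend.socket systemd-pcrlock.socket"

# Print the mask commands (dry run), or run them when APPLY=1 (needs root).
# Masking stops the units from being pulled in without editing vendor unit
# files; `systemctl unmask` reverses it.
mask_tpm_units() {
    for u in $TPM_UNITS; do
        if [ "${APPLY:-0}" = 1 ]; then
            systemctl mask "$u"
        else
            printf 'systemctl mask %s\n' "$u"
        fi
    done
}

main() {
    printf 'ConditionSecurity=measured-uki: %s\n' "$(check_security_condition measured-uki)"
    printf 'ConditionSecurity=tpm2:         %s\n' "$(check_security_condition tpm2)"
    printf 'StubPcrKernelImage:             %s\n' "$(stub_pcr_kernel_image)"
    for u in $TPM_UNITS; do
        printf '== %s\n' "$u"
        unit_conditions "$u"
    done
    mask_tpm_units
}

main "$@"
```

Run it unprivileged first: the report needs no root, only `APPLY=1 ./script.sh` does. The Condition lines printed by `unit_conditions` tell you which units are gated on TPM presence and which on measured-uki, so you can see which ones a mask would actually affect on your systemd version. The PCR-phase and machine-ID measurements are consumed by things like TPM2-bound disk unlock policies; with a typed dm-crypt passphrase nothing on the system relies on them, but verify that with the Condition output before masking rather than assuming it.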