With the update to kernel 6.2.2, I've started getting a red letter warning: 'Failed to start TPM2 barrier (initrd)'
System boots fine, but this is showing in spite of my silent boot efforts. And it's strange, since I've never used Secure Boot or TPM2 in any way. My guess is that the latest initramfs.img contains the effort to start TPM2 barrier, even though I don't want to.
Is there a way to remove the effort to start TPM2 barrier from the initrd? I assume that would end the red letter warning.
Last edited by dojero (2023-03-07 18:44:22)
pacman -Qs tpm
Tpm2-tss is installed. It is a dependency for libsecret, which in turn is necessary for several things (Bitwarden, for example). So I cannot simply remove it. But it should not try to start TPM2 barrier on boot. Again, it appears to be part of the initrd (See error message quotes in original post). But I don't know why, nor how to stop it from happening.
https://github.com/systemd/systemd/issues/25700 which was fixed in v253. Does the system have a TPM enabled that may be broken?
I don't think so. This is happening on more than one laptop. But I will try to make sure that I don't have an epidemic of TPM breakage.
Another user seeing "Failed to start TPM2 PCR Barrier (initrd)". How does one check if TPM is broken?
Edit: I don't think it's a TPM issue, but something related to the services with systemd 253.1-1. systemd-pcrphase-initrd.service is failing and restarting gives the error:
Condition: start condition failed at Sun 2023-03-05 21:57:41 EST; 9s ago
└─ ConditionPathExists=/etc/initrd-release was not met
Last edited by plasmamax1 (2023-03-06 03:15:32)
Is there anything more in the journal related to systemd-pcrphase-initrd.service? When a ConditionPathExists is not met the service should be skipped rather than failed.
Nothing shows in journalctl except the standard exit on failure line.
I've added console=tty2 to my kernel cmdline and that means that the error message doesn't show during the boot process (which, of course, is not the same as the error not occurring). I'd much prefer if systemd didn't automatically force tpm2 to be a part of initrd...or at least make it possible to not include it...but in the meantime, I'll live with the message not printing to my console.
Please post your complete system journal for the boot:
sudo journalctl -b | curl -F 'file=@-' 0x0.st
Result is here: http://0x0.st/HzRd.txt
Mar 06 17:28:37 archlinux systemd[1]: Starting TPM2 PCR Barrier (initrd)...
Mar 06 17:28:37 archlinux systemd[1]: systemd-pcrphase-initrd.service: Main process exited, code=exited, status=1/FAILURE
Mar 06 17:28:37 archlinux systemd[1]: systemd-pcrphase-initrd.service: Failed with result 'exit-code'.
Mar 06 17:28:37 archlinux systemd[1]: Failed to start TPM2 PCR Barrier (initrd).
Mar 06 17:28:37 archlinux systemd-pcrphase[153]: Failed to load TPM2 libraries: Operation not supported
Edit:
https://github.com/systemd/systemd/blob … ase.c#L346
https://github.com/systemd/systemd/blob … util.c#L66
Edit2:
https://github.com/archlinux/svntogit-p … 4b7fa8a180
The service file was added to the initrd which I am guessing automatically causes systemd-pcrphase to be added but the dlopened libraries that are required are not detected as required. So if the service is triggered it fails. That appears to be a packaging issue.
Last edited by loqs (2023-03-06 22:59:33)
Right. My question is: is there any way for me to remove the service from initrd?
https://wiki.archlinux.org/title/Mkinit … cted_image
Or patch /usr/lib/initcpio/install/systemd
That appears to be a packaging issue.
Do we (still) need to file a bug or is this recorded?
loqs wrote: That appears to be a packaging issue.
Do we (still) need to file a bug or is this recorded?
I think someone should request https://bugs.archlinux.org/task/77562 be reopened.
Edit:
If you add /usr/lib/libtss2-esys.so.0 to the BINARIES array of /etc/mkinitcpio.conf then rebuild the initrd, is the error message still produced? If so please post the journal for that boot.
Last edited by loqs (2023-03-07 15:11:21)
Still there with the added binary line in mkinitcpio.conf. Journalctl is here: http://0x0.st/HisE.txt
Mar 07 10:48:25 archlinux systemd[1]: Starting TPM2 PCR Barrier (initrd)...
…
Mar 07 10:48:25 archlinux systemd[1]: Starting Rule-based Manager for Device Events and Files...
Mar 07 10:48:25 archlinux systemd[1]: systemd-pcrphase-initrd.service: Main process exited, code=exited, status=1/FAILURE
Mar 07 10:48:25 archlinux systemd[1]: systemd-pcrphase-initrd.service: Failed with result 'exit-code'.
Mar 07 10:48:25 archlinux systemd[1]: Failed to start TPM2 PCR Barrier (initrd).
…
Mar 07 10:48:25 archlinux systemd-pcrphase[156]: Failed to load TPM2 libraries: Operation not supported
https://github.com/systemd/systemd/blob … util.c#L62
* libtss2-esys.so.0
* libtss2-rc.so.0
* libtss2-mu.so.0
But the failure is also before the dlopen error …
I thought libtss2-rc.so.0 libtss2-mu.so.0 were both depends of libtss2-esys.so.0 so adding that would be enough. I had mistaken libtss2-sys.so.1 for libtss2-rc.so.0.
So at least libtss2-esys.so.0 and libtss2-rc.so.0 need to be in the binaries array. Then rebuild the initrd. Then check
# lsinitcpio /boot/initramfs-linux.img | grep tss
If libtss2-mu.so.0 is not in the output add it to the binaries and rebuild again. Then see what the result is.
Same issue here.
My setup:
- using my own keys, secure boot enabled
- using Unified Kernel Image
- not using TPM
- not using LUKS
- using systemd hooks (instead of base and udev) in mkinitcpio.conf: "HOOKS=(systemd autodetect modconf kms keyboard sd-vconsole block filesystems)"
Don't know what, if any, of the above matters, but I thought to contribute, without diluting the topic.
@loqs, after adding the files you mentioned, the error changed, complaining about another file missing. Added it to BINARIES and now the error went away. So the BINARIES look like:
BINARIES=(/usr/lib/libtss2-esys.so.0 /usr/lib/libtss2-rc.so.0 /usr/lib/libtss2-tcti-device.so.0)
Thank you for your help!
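A small check for the workaround described in this thread (loqs' lsinitcpio | grep tss suggestion and the BINARIES line above), added here as an example and not something posted by anyone in the thread or shipped by systemd or mkinitcpio. It assumes lsinitcpio prints one path per line, and uses the four libtss2 file names mentioned in the thread as the required set; the sample listing is constructed, not taken from a real image.

```shell
#!/bin/sh
# The libraries systemd-pcrphase loads via dlopen, as named in the thread.
# (Assumption: this set is what the initrd needs for the service to start.)
REQUIRED_TSS_LIBS="libtss2-esys.so.0 libtss2-rc.so.0 libtss2-mu.so.0 libtss2-tcti-device.so.0"

# missing_tss_libs: reads an initrd file listing (one path per line, as lsinitcpio
# prints it) on stdin and prints every required library that is absent, one per line.
# Prints nothing when the listing is complete.
missing_tss_libs() {
    listing=$(cat)
    for lib in $REQUIRED_TSS_LIBS; do
        case "$listing" in
            *"$lib"*) ;;                      # present somewhere in the listing
            *) printf '%s\n' "$lib" ;;        # absent: report it
        esac
    done
}

# binaries_line: prints the BINARIES=(...) entry to add to /etc/mkinitcpio.conf
# for the libraries passed on stdin, assuming they live under /usr/lib.
binaries_line() {
    libs=$(cat)
    [ -n "$libs" ] || { printf 'BINARIES=()\n'; return 0; }
    entries=""
    for lib in $libs; do
        entries="${entries:+$entries }/usr/lib/$lib"
    done
    printf 'BINARIES=(%s)\n' "$entries"
}

# check_initrd IMAGE: runs the check against a real image when lsinitcpio exists.
# Returns 0 if all required libraries are present, 1 if any is missing, 2 if the
# tool is unavailable (e.g. not an Arch system).
check_initrd() {
    img="${1:-/boot/initramfs-linux.img}"
    command -v lsinitcpio >/dev/null 2>&1 || { echo "lsinitcpio not found" >&2; return 2; }
    missing=$(lsinitcpio "$img" | missing_tss_libs)
    if [ -n "$missing" ]; then
        echo "missing from $img:" >&2
        printf '%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing (not a real image): esys and rc present, mu and the
# tcti-device backend absent, which mirrors the intermediate state in the thread.
SAMPLE_LISTING='usr/lib/libtss2-esys.so.0
usr/lib/libtss2-rc.so.0
usr/lib/systemd/systemd-pcrphase
usr/lib/systemd/system/systemd-pcrphase-initrd.service'

# Stand-alone usage: report what the sample listing lacks and the BINARIES line to add.
printf '%s\n' "$SAMPLE_LISTING" | missing_tss_libs | binaries_line
```

On a real system, run check_initrd after every mkinitcpio -P until it returns 0; whatever it reports missing is exactly what still has to go into the BINARIES array before rebuilding again.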
Add sd-encrypt after systemd hook and rebuild.
It did the trick for me.
The addition of binaries worked for those of us not using secure boot as well. I've marked the thread solved and thank everyone for the assistance. I did not try the sd-encrypt hook suggested by @NeverTooLate.
OK, tested with sd-encrypt hook suggested by @NeverTooLate (removed libtss2* from BINARIES) and the PCR barrier error is not displayed. So now we have two "solutions", both working but ugly:
- using hardcoded libtss2* BINARIES
- using sd-encrypt which brings a warning regarding missing firmware for qat_4xxx from mkinitcpio
They are ugly because they both require configuration (either BINARIES or HOOKS) for TPM or encryption even if the functionality (encrypted filesystem) is not used at all, otherwise we are getting error messages.
Last edited by forumache (2023-03-07 22:26:05)
Please test systemd 253.1-3... It should work without workarounds.
ArchLinux - make it simple & lightweight
systemd 253.1-3 does fix it.... thanks eworm.
It's currently in the testing repo.
Why I run Arch? To "BTW I run Arch" the guy one grade younger.
And to let my siblings and cousins laugh at Arsch Linux...
Now truly fixed with systemd 253.1-3. Thanks again to all for the help.