#1 2025-12-19 22:27:34

satellite
Member
Registered: 2025-12-19
Posts: 3

systemd 259 (259-1-arch) issue: system fails to boot with TPM enabled

Hi,
Today's update to systemd version 259-1-arch introduced an issue on my ThinkPad T480.

After the update I observed:

UKI boots, I get prompted for my TPM2 PIN, root gets decrypted, boot continues until systemd wants to run the following units:
systemd-pcrproduct.service
systemd-tpm2-setup.service and
systemd-pcrnvdone.service.
See the output of journalctl -b-1 (errors are located towards the bottom of the log).
After that it reboots the system forcefully.

The only workaround I've found so far is disabling the TPM2 chip in the UEFI settings.

Looking at /usr/share/doc/systemd/NEWS I get the impression that it's directly linked to this release, since there are some specific changes for TPM2. I haven't changed any configuration between the last successful boot and the breaking update.

I'm not sure if it's a misconfig on my side/some Arch-specific issue or if I should report it upstream.
Any help in figuring this out is much appreciated.

Regards

(Edit: it looks like the first TPM errors appear at line 1091 in the linked pastebin.)

Last edited by satellite (2025-12-19 22:43:52)

Offline

#2 2025-12-20 02:38:19

gromit
Administrator
From: Germany
Registered: 2024-02-10
Posts: 1,443

Re: systemd 259 (259-1-arch) issue: system fails to boot with TPM enabled

Do you get the same error when you use the linux-lts package? I'm asking because there is a kernel backtrace in there...

Offline

#3 2025-12-20 06:52:10

satellite
Member
Registered: 2025-12-19
Posts: 3

Re: systemd 259 (259-1-arch) issue: system fails to boot with TPM enabled

Yes, this happens with linux and linux-lts.

Edit: here is the log from a boot with linux-lts. There are also these kernel error messages, backtrace and systemd errors.

Last edited by satellite (2025-12-20 07:28:35)

Offline

#4 2025-12-20 08:10:28

basin5243
Member
Registered: 2025-12-20
Posts: 1

Re: systemd 259 (259-1-arch) issue: system fails to boot with TPM enabled

Same issue here on a ThinkPad 13 Gen2. Also booting a UKI, but I don't even use the TPM for anything. Disabling it in UEFI lets me boot again.

Offline

#5 2025-12-20 09:08:09

sprabhu
Member
Registered: 2025-12-20
Posts: 1

Re: systemd 259 (259-1-arch) issue: system fails to boot with TPM enabled

Experiencing the same issue here, T480. Boot fails during early TPM initialization. The kernel tpm_crb driver probing Intel PTT reports TPM_STS.x = 0xff and times out, after which systemd TPM units fail and the system resets via the watchdog.

journalctl -b -1 -p err output:
Dec 20 02:26:57 HousePrabhu-T480 kernel: x86/cpu: SGX disabled or unsupported by BIOS.
Dec 20 02:26:58 HousePrabhu-T480 kernel: tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
Dec 20 02:26:58 HousePrabhu-T480 kernel: Bluetooth: hci0: No support for _PRR ACPI method
Dec 20 02:26:58 HousePrabhu-T480 bootctl[544]: Mount point '/boot' which backs the random seed file is world accessible, which is a security hole!
Dec 20 02:26:58 HousePrabhu-T480 bootctl[544]: Random seed file '/boot/loader/random-seed' is world accessible, which is a security hole!
Dec 20 02:28:58 HousePrabhu-T480 kernel: tpm tpm0: Operation Timed out
Dec 20 02:28:58 HousePrabhu-T480 systemd-pcrextend[324]: Could not extend NvPCR: State not recoverable
Dec 20 02:28:58 HousePrabhu-T480 systemd-tpm2-setup[327]: Failed to unseal secret using TPM2: State not recoverable
Dec 20 02:28:58 HousePrabhu-T480 systemd-tpm2-setup[327]: Failed to acquire anchor secret: State not recoverable
Dec 20 02:28:58 HousePrabhu-T480 systemd[1]: Failed to start TPM NvPCR Product ID Measurement.
Dec 20 02:28:58 HousePrabhu-T480 systemd[1]: Failed to start Early TPM SRK Setup.
Dec 20 02:28:58 HousePrabhu-T480 systemd-pcrextend[586]: Failed to create TPM2 context: State not recoverable
Dec 20 02:28:58 HousePrabhu-T480 systemd[1]: Failed to start TPM PCR NvPCR Initialization Separator.
Dec 20 02:29:03 HousePrabhu-T480 kernel: watchdog: watchdog0: watchdog did not stop!

Offline

#6 2025-12-20 12:01:32

satellite
Member
Registered: 2025-12-19
Posts: 3

Re: systemd 259 (259-1-arch) issue: system fails to boot with TPM enabled

Meanwhile, it got reported upstream.

Last edited by satellite (2025-12-20 12:01:48)

Offline

#7 2025-12-20 13:00:03

catch-404
Member
Registered: 2025-12-20
Posts: 1

Re: systemd 259 (259-1-arch) issue: system fails to boot with TPM enabled

Hi, I wrote that GitHub issue.

Just wanted to mention that I'm not experiencing exactly the same thing: boot-up works fine for me with systemd-boot, UKI, Secure Boot and TPM unlocking the LUKS root partition (with a TPM PIN). For reference, I bound my LUKS decryption secret to a PCR policy by following the process explained in this wiki page: https://wiki.archlinux.org/title/Truste … R_policies

So, the two failing units (systemd-tpm2-setup-early.service and systemd-tpm2-setup.service) don't really seem to affect my system.

Not saying our issues aren't related, but I wanted to mention the differences with what I experienced for completeness' sake.

Offline

#8 2025-12-21 16:03:48

LarryDave
Member
Registered: 2022-05-03
Posts: 27

Re: systemd 259 (259-1-arch) issue: system fails to boot with TPM enabled

I'm having the exact same issue with my ThinkPad E480. Started happening right after I updated to systemd 259 and rebooted.

For the record, I'm running Linux 6.18.1. My disk is encrypted with LUKS2 but I'm not using TPM2 in any capacity. Secure Boot is also disabled. I'm using a UKI to boot but I'm not using systemd-boot or any boot loader. I added the UKI directly to the UEFI with efibootmgr and I'm booting off of that.

[FAILED] Failed to start TPM NvPCR Product ID Measurement.
[FAILED] Failed to start Early TPM SRK Setup.
[FAILED] Failed to start TPM SRK Setup.
[FAILED] Failed to start TPM PCR NvPCR Initialization Separator.
[  !!  ] Forcibly rebooting: unit systemd-pcrnvdone.service failed proceeding in 5s

Last edited by LarryDave (2025-12-21 16:04:12)

Offline

#9 2025-12-22 11:42:37

w0rty
Member
Registered: 2025-12-22
Posts: 2

Re: systemd 259 (259-1-arch) issue: system fails to boot with TPM enabled

Same on ThinkPad E580:

kernel: tpm tpm0: invalid TPM_STS.x 0x01, dumping stack for forensics
kernel: CPU: 1 UID: 0 PID: 199 Comm: kworker/1:3 Tainted: G     U              6.18.2-arch2-1 #1 PREEMPT(full)  e9d53cde2ee9d1bdaa4464d2>
kernel: Tainted: [U]=USER
kernel: Hardware name: LENOVO 20KSCTO1WW/20KSCTO1WW, BIOS R0PET71W (1.48 ) 07/12/2022
kernel: Workqueue: tpm_dev_wq tpm_dev_async_work
kernel: Call Trace:
kernel:  <TASK>
kernel:  dump_stack_lvl+0x5d/0x80
kernel:  tpm_tis_status.cold+0x19/0x1e
kernel:  tpm_transmit+0x11b/0x300
kernel:  tpm_dev_transmit.constprop.0+0x86/0x100
kernel:  tpm_dev_async_work+0x6a/0xa0
kernel:  process_one_work+0x193/0x350
kernel:  worker_thread+0x2d7/0x410
kernel:  ? __pfx_worker_thread+0x10/0x10
kernel:  kthread+0xfc/0x240
kernel:  ? __pfx_kthread+0x10/0x10
kernel:  ? __pfx_kthread+0x10/0x10
kernel:  ret_from_fork+0x1c2/0x1f0
kernel:  ? __pfx_kthread+0x10/0x10
kernel:  ret_from_fork_asm+0x1a/0x30
kernel:  </TASK>

[...]

systemd-tpm2-setup[605]: Failed to unseal secret using TPM2: State not recoverable
systemd-tpm2-setup[605]: Failed to acquire anchor secret: State not recoverable
kernel: tpm tpm0: tpm2_load_context: failed with a TPM error 0x0100
systemd[1]: systemd-pcrproduct.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-pcrproduct.service: Failed with result 'exit-code'.
systemd[1]: Failed to start TPM NvPCR Product ID Measurement.
kernel: tpm tpm0: tpm2_load_context: failed with a TPM error 0x0100
systemd[1]: systemd-tpm2-setup-early.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-tpm2-setup-early.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Early TPM SRK Setup.
systemd[1]: Repartition Root Disk was skipped because no trigger condition checks were met.
systemd[1]: Starting TPM SRK Setup...
systemd-tpm2-setup[1629]: ERROR:tcti:src/tss2-tcti/tcti-device.c:489:Tss2_Tcti_Device_Init() Failed to read response header fd 4, got er>
systemd-tpm2-setup[1629]: Failed to create TPM2 context: State not recoverable
systemd-tpm2-setup[1629]: ERROR:tcti:src/tss2-tcti/tcti-device.c:489:Tss2_Tcti_Device_Init() Failed to read response header fd 4, got er>
systemd-tpm2-setup[1629]: Failed to create TPM2 context: State not recoverable
systemd[1]: systemd-tpm2-setup.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-tpm2-setup.service: Failed with result 'exit-code'.
systemd[1]: Failed to start TPM SRK Setup.
systemd[1]: Starting TPM PCR NvPCR Initialization Separator...
systemd-pcrextend[1631]: ERROR:tcti:src/tss2-tcti/tcti-device.c:489:Tss2_Tcti_Device_Init() Failed to read response header fd 4, got err>
systemd-pcrextend[1631]: Failed to create TPM2 context: State not recoverable
systemd[1]: systemd-pcrnvdone.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-pcrnvdone.service: Failed with result 'exit-code'.
systemd[1]: Failed to start TPM PCR NvPCR Initialization Separator.
systemd[1]: Forcibly rebooting: unit systemd-pcrnvdone.service failed

Offline
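
An added example (not part of any post in this thread, and not systemd's own tooling): a small Python triage over the journal message formats quoted in posts #5 and #9, reporting whether kernel-level TPM errors preceded the unit failures and which unit triggered the forced reboot. The sample lines are constructed from those formats, and the function and field names are hypothetical.

```python
import re
import sys

# Message formats are the ones quoted in this thread's journal excerpts.
KERNEL_TPM = re.compile(r"kernel: tpm (tpm\d+): (.+)")
TPM_STS = re.compile(r"invalid TPM_STS\.x (0x[0-9a-fA-F]+)")
UNIT_RESULT = re.compile(r"systemd\[1\]: (\S+\.service): Failed with result")
FAILED_START = re.compile(r"systemd\[1\]: Failed to start (.+?)\.$")
FORCED_REBOOT = re.compile(r"Forcibly rebooting: unit (\S+\.service) failed")

def triage(lines):
    """Summarise the TPM failure chain found in one boot's journal lines."""
    out = {"sts_values": [], "kernel_errors": 0, "failed_units": [],
           "failed_starts": [], "reboot_unit": None, "kernel_first": False}
    first_kernel = first_unit = None
    for n, raw in enumerate(lines):
        line = raw.rstrip()
        if m := KERNEL_TPM.search(line):
            out["kernel_errors"] += 1
            first_kernel = n if first_kernel is None else first_kernel
            if s := TPM_STS.search(m.group(2)):
                out["sts_values"].append(s.group(1))
        elif m := UNIT_RESULT.search(line):
            out["failed_units"].append(m.group(1))
            first_unit = n if first_unit is None else first_unit
        elif m := FAILED_START.search(line):
            out["failed_starts"].append(m.group(1))
            first_unit = n if first_unit is None else first_unit
        elif m := FORCED_REBOOT.search(line):
            out["reboot_unit"] = m.group(1)
    # Heuristic: driver errors logged before any unit failure suggest looking
    # at the kernel/firmware side first, not at PCR policy or enrollment.
    out["kernel_first"] = (first_kernel is not None and first_unit is not None
                           and first_kernel < first_unit)
    return out

# Constructed sample in the formats seen in the thread (not a real capture).
SAMPLE = """\
Dec 20 02:26:58 host kernel: tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
Dec 20 02:28:58 host kernel: tpm tpm0: Operation Timed out
Dec 20 02:28:58 host systemd-tpm2-setup[327]: Failed to unseal secret using TPM2: State not recoverable
Dec 20 02:28:58 host systemd[1]: systemd-pcrproduct.service: Failed with result 'exit-code'.
Dec 20 02:28:58 host systemd[1]: Failed to start TPM NvPCR Product ID Measurement.
Dec 20 02:28:58 host systemd[1]: systemd-pcrnvdone.service: Failed with result 'exit-code'.
Dec 20 02:28:58 host systemd[1]: Forcibly rebooting: unit systemd-pcrnvdone.service failed
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE if sys.stdin.isatty() else sys.stdin))
```

Saved under a name of your choosing (triage.py here is hypothetical), it can read a previous boot with `journalctl -b -1 -o short | python3 triage.py`.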

#10 2025-12-23 00:17:10

yakupefetuncay
Member
Registered: 2025-12-23
Posts: 1

Re: systemd 259 (259-1-arch) issue: system fails to boot with TPM enabled

I'm experiencing the same issue on a ThinkPad T580.

Turning off the TPM module in the BIOS allows the boot to progress. I ended up downgrading the systemd, systemd-libs and systemd-sysvcompat packages to 258-3 to solve my problems until upstream fixes it.

Offline
