public inbox for openembedded-core@lists.openembedded.org
From: patrick@subset.ch
To: openembedded-core@lists.openembedded.org
Cc: Patrick Wicki <patrick.wicki@siemens.com>
Subject: [PATCH] systemd: backport fix for tpm2 without efi support
Date: Thu, 26 Mar 2026 17:06:50 +0100	[thread overview]
Message-ID: <20260326160650.559827-1-patrick@subset.ch> (raw)

From: Patrick Wicki <patrick.wicki@siemens.com>

See https://github.com/systemd/systemd/pull/41231 or the patch commit
message for details. The regression affects v259.1 to 259.5 as well as
v260.1. Requested a backport to v259 but for now a patch is needed.

Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
---
 ...il-fix-PCR-bank-guessing-without-EFI.patch | 62 +++++++++++++++++++
 meta/recipes-core/systemd/systemd_259.5.bb    |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch

diff --git a/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch b/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch
new file mode 100644
index 0000000000..c590b01cd3
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch
@@ -0,0 +1,62 @@
+From 3cef11c710e95bb5f891181e9b2a6d8f174712c3 Mon Sep 17 00:00:00 2001
+From: Patrick Wicki <patrick.wicki@subset.ch>
+Date: Fri, 20 Mar 2026 15:56:56 +0100
+Subject: [PATCH] tpm2-util: fix PCR bank guessing without EFI
+
+Since 7643e4a89 efi_get_active_pcr_banks() is used to determine the
+active PCR banks. Without EFI support, this returns -EOPNOTSUPP. This in
+turns leads to cryptenroll and cryptsetup attach failures unless the PCR
+bank is explicitly set, i.e.
+
+$ systemd-cryptenroll $LUKS_PART --tpm2-device=auto --tpm2-pcrs='7'
+[...]
+Could not read pcr values: Operation not supported
+
+But it works fine with --tpm2-pcrs='7:sha256'.
+
+Similarly, unsealing during cryptsetup attach also fails if the bank
+needs to be determined:
+
+Failed to unseal secret using TPM2: Operation not supported
+
+Catch the -EOPNOTSUPP and fallback to the guessing strategy.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/41231]
+
+Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
+---
+ src/shared/tpm2-util.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
+index cf11b50695..c0590fe575 100644
+--- a/src/shared/tpm2-util.c
++++ b/src/shared/tpm2-util.c
+@@ -2702,11 +2702,11 @@ int tpm2_get_best_pcr_bank(
+         uint32_t efi_banks;
+         r = efi_get_active_pcr_banks(&efi_banks);
+         if (r < 0) {
+-                if (r != -ENOENT)
++                if (!IN_SET(r, -ENOENT, -EOPNOTSUPP))
+                         return r;
+ 
+                 /* If variable is not set use guesswork below */
+-                log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable, we have to guess the used PCR banks.");
++                log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks.");
+         } else if (efi_banks == UINT32_MAX)
+                 log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. We have to guess the used PCR banks.");
+         else {
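Review bot: the widened check `if (!IN_SET(r, -ENOENT, -EOPNOTSUPP))` correctly lets a build without EFI support fall through to the existing guesswork instead of failing closed, but the rewritten log_debug text folds "variable not set" and "EFI support unavailable" into one message, so a debug journal from a failed enrollment no longer shows which case was hit. Consider logging the errno as well, for example via log_debug_errno(r, "..."), so the two situations can be told apart when triaging. Any other negative return value still propagates with `return r;`, so unexpected errors keep failing closed, which is the right default for code that decides which PCR bank a sealed secret is bound to.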
+@@ -2811,11 +2811,11 @@ int tpm2_get_good_pcr_banks(
+         uint32_t efi_banks;
+         r = efi_get_active_pcr_banks(&efi_banks);
+         if (r < 0) {
+-                if (r != -ENOENT)
++                if (!IN_SET(r, -ENOENT, -EOPNOTSUPP))
+                         return r;
+ 
+                 /* If the variable is not set we have to guess via the code below */
+-                log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable, we have to guess the used PCR banks.");
++                log_debug("Boot loader didn't set the LoaderTpm2ActivePcrBanks EFI variable or EFI support is unavailable, we have to guess the used PCR banks.");
+         } else if (efi_banks == UINT32_MAX)
+                 log_debug("Boot loader set the LoaderTpm2ActivePcrBanks EFI variable to indicate that the GetActivePcrBanks() API is not available in the firmware. We have to guess the used PCR banks.");
+         else {
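Review bot: this second hunk in tpm2_get_good_pcr_banks is a verbatim copy of the first, which is expected for a backport, but the patch header is inconsistent: `From: Patrick Wicki <patrick.wicki@subset.ch>` versus `Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>`, so one of the two should be aligned. The `Upstream-Status: Backport [https://github.com/systemd/systemd/pull/41231]` line points at a pull request rather than a commit; if the change has been merged upstream, please reference the upstream commit URL or hash, and if it has only been submitted, the status should be Submitted rather than Backport so the next upgrader knows whether the patch can be dropped.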
diff --git a/meta/recipes-core/systemd/systemd_259.5.bb b/meta/recipes-core/systemd/systemd_259.5.bb
index f0cc83095d..b824261578 100644
--- a/meta/recipes-core/systemd/systemd_259.5.bb
+++ b/meta/recipes-core/systemd/systemd_259.5.bb
@@ -35,6 +35,7 @@ SRC_URI += " \
            file://0003-Do-not-create-var-log-README.patch \
            file://0001-meson-use-libfido2_cflags-dependency.patch \
            file://0018-shared-fdset-add-detailed-debug-logging-to-fdset_new.patch \
+           file://0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch \
            "
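Review bot: the new `file://0004-tpm2-util-fix-PCR-bank-guessing-without-EFI.patch` entry is numbered 0004 but appended after the 0018 patch, which makes the list order harder to follow; placing it next to the other 000x patches or numbering it sequentially would be cleaner. Since the cover letter states the regression only affects v259.1 to 259.5 and v260.1, a short comment on this line noting that the patch can be dropped once the recipe moves to a release carrying the upstream fix would save the next systemd upgrade some archaeology.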
 
 PAM_PLUGINS = " \
-- 
2.53.0
