Re: TPM/EFI issue [Was: Linux 6.12]

[James Bottomley]

On Tue, 2024-12-10 at 07:13 +0100, Jiri Slaby wrote:
[...]
> Perhaps, you can give a hint why those happen exclusively with 6.12+?

For which one: the ramdisk size not being modulo 4 or the unseal
getting a PCR changed error?  For the former I don't have much of an
idea, it would seem to be a dracut (or whatever initrd builder you use)
issue; the kernel doesn't care about the ramdisk size.  For the latter,
I would suspect something is delaying IMA measurements such that
they're still going on when you're trying to unseal.  The error you're
getting occurs if any PCR changes, not just the ones the policy is
locked to (thanks TCG).  We have had syzbot reports of processes
getting stuck in measurement that have been identified as exfat
related:

https://syzkaller.appspot.com/bug?extid=1de5a37cb85a2d536330

But it could be a more generic filesystem issue that measurement is
slowing but not enough to trigger the stuck process warning.

In particular systemd parallelizes a lot of stuff, so if it's doing
something that causes IMA measurement in parallel with the unseal and
this parallel process finished before unseal on an earlier kernel, that
would explain it.  You could probably verify this by adding more
dependencies to the tpm target, but I'm not really well versed in
systemd.

Regards,

James