Hello,
According to your log, the error message at line 135 below is generated here [1]:
Code:
× systemd-tpm2-setup-early.service - Early TPM SRK Setup
     Loaded: loaded (/usr/lib/systemd/system/systemd-tpm2-setup-early.service; static)
     Active: failed (Result: exit-code) since Wed 2024-11-27 01:12:23 MST; 2 weeks 3 days ago
 Invocation: ea5a2493fa0a41b9a5b2874b75a310f7
       Docs: man:systemd-tpm2-setup.service(8)
   Main PID: 535 (code=exited, status=1/FAILURE)
   Mem peak: 1.8M
        CPU: 19ms

Nov 27 01:12:22 throne systemd-tpm2-setup[535]: WARNING:esys:src/tss2-esys/api/Esys_CreatePrimary.c:401:Esys_CreatePrimary_Finish() Received TPM Error
Nov 27 01:12:22 throne systemd-tpm2-setup[535]: ERROR:esys:src/tss2-esys/api/Esys_CreatePrimary.c:135:Esys_CreatePrimary() Esys Finish ErrorCode (0x000009a2)
Nov 27 01:12:22 throne systemd-tpm2-setup[535]: Failed to get or create SRK: State not recoverable
[..]

According to the manual page of systemd-tpm2-setup.service [5], it is in charge of generating the Storage Root Key (SRK). SRK stands for "storage root key". According to [4]:

[..] An SRK may be generated by the TPM's owner after it takes ownership of the TPM. Taking ownership of the TPM is the TPM-specific way of saying "someone sets a password on the HSM." If a TPM device is sold to a new owner, the new owner can take ownership of the TPM to generate a new SRK. The new SRK generation ensures the previous owner can't use the TPM. Because the SRK is unique to the owner of the TPM, the SRK can be used to seal data into the TPM itself for that owner. The SRK provides a sandbox for the owner to store their keys and provides access revocability if the device or TPM is sold. It's like moving into a new house: taking ownership is changing the locks on the doors and destroying all furniture left by the previous owners (SRK), but you can't change the address of the house (EK).

According to the manual page [5]:

systemd-tpm2-setup.service and systemd-tpm2-setup-early.service are services that generate the Storage Root Key (SRK) if it hasn't been generated yet, and store it in the TPM.

The services will store the public key of the SRK key pair in a PEM file in /run/systemd/tpm2-srk-public-key.pem and /var/lib/systemd/tpm2-srk-public-key.pem. They will also store it in TPM2B_PUBLIC format in /run/systemd/tpm2-srk-public-key.tpm2_public and /var/lib/systemd/tpm2-srk-public-key.tpm2b_public.

systemd-tpm2-setup-early.service runs very early at boot (possibly in the initrd), and writes the SRK public key to /run/systemd/tpm2-srk-public-key.* (as /var/ is generally not accessible this early yet), while systemd-tpm2-setup.service runs during a later boot phase and saves the public key to /var/lib/systemd/tpm2-srk-public-key.*.

According to the tpm2_rc_decode command (from the tpm2-tools package [2][3]), the error code 0x000009a2 generated by systemd-tpm2-setup-early.service means:
Code:
$ tpm2_rc_decode 0x000009a2
tpm:session(1):authorization failure without DA implications

Also, every 10 seconds the following is logged:
Code:
tpm tpm0: tpm2_load_context: failed with a TPM error 0x0902

Code:
tpm2_rc_decode 0x00000902
tpm:warn(2.0): out of memory for object contexts

What is your boot loader? What is the output of the bootctl command?

Hope this helps.
--
[1] https://sources.debian.org/src/tpm2-tss/4.1.3-1.2/src/tss2-esys/api/Esys_CreatePrimary.c/#L135
[2] tpm2_rc_decode
[3] https://packages.debian.org/tpm2-tools
[4] TPM endorsement key and SRK (DPS)
[5] Freedesktop - systemd-tpm2-setup.service
Statistics: Posted by Aki — 2024-12-16 17:18
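The two codes in the post (0x000009a2 and 0x0902) can be read by hand once the TPM 2.0 response-code layout is known: bit 7 selects a "format-1" code, which carries the number of the offending handle, session or parameter in bits 8-11, while a "format-0" code uses bit 11 as a warning flag and bit 8 to mark a TPM 2.0 (rather than 1.2) code. The decoder below is an added example written for this thread; it is not code from Aki, from tpm2-tools or from tpm2-tss. It reimplements the bit splitting that tpm2_rc_decode performs, with name tables that are deliberately a small subset of the TPM 2.0 Library Part 2 "Response Codes" tables (an assumption of this example: unlisted numbers are reported as "unlisted"). The TSS2 layer table is likewise a subset of the layer numbers in tss2_common.h.

```python
"""
Minimal TPM 2.0 response-code decoder in the spirit of tpm2_rc_decode.
Example code added to this thread, not tpm2-tools code.  The name tables
below cover only a subset of the codes defined in TPM 2.0 Library Part 2,
section "Response Codes"; any other number is reported as unlisted.
"""

# A TSS2 rc is 32 bits; bits 16..23 name the software layer that produced
# it (tss2_common.h).  Layer 0 means the code came from the TPM itself.
TSS2_LAYERS = {0x0: "tpm", 0x7: "esapi", 0x8: "sys", 0xA: "tcti"}

RC_FMT1 = 0x080    # bit 7: format-1 code (handle/session/parameter qualified)
RC_P = 0x040       # format 1, bit 6: the qualified item is a parameter
RC_S = 0x800       # format 1, bit 11 (with P clear): the item is a session
RC_VER1 = 0x100    # format 0, bit 8: code defined by TPM 2.0 (not 1.2)
RC_VENDOR = 0x400  # format 0, bit 10: vendor-defined code
RC_WARN = 0x800    # format 0, bit 11: warning rather than error

# Format-1 error numbers (low 6 bits), subset.
FMT1_ERRORS = {
    0x002: ("TPM_RC_ATTRIBUTES", "inconsistent attributes"),
    0x003: ("TPM_RC_HASH", "hash algorithm not supported or not appropriate"),
    0x004: ("TPM_RC_VALUE", "value is out of range or is not correct for the context"),
    0x00B: ("TPM_RC_HANDLE", "the handle is not correct for the use"),
    0x00E: ("TPM_RC_AUTH_FAIL", "the authorization HMAC check failed and DA counter incremented"),
    0x01D: ("TPM_RC_POLICY_FAIL", "a policy check failed"),
    0x01F: ("TPM_RC_INTEGRITY", "integrity check failed"),
    0x022: ("TPM_RC_BAD_AUTH", "authorization failure without DA implications"),
}

# Format-0 warning numbers (low 7 bits), subset.
FMT0_WARNINGS = {
    0x001: ("TPM_RC_CONTEXT_GAP", "gap for context ID is too large"),
    0x002: ("TPM_RC_OBJECT_MEMORY", "out of memory for object contexts"),
    0x003: ("TPM_RC_SESSION_MEMORY", "out of memory for session contexts"),
    0x004: ("TPM_RC_MEMORY", "out of shared object/session memory or need space for internal operations"),
    0x021: ("TPM_RC_LOCKOUT", "the TPM is in DA lockout mode"),
    0x022: ("TPM_RC_RETRY", "the TPM was not able to start the command"),
}

# Format-0 error numbers (low 7 bits), subset.
FMT0_ERRORS = {
    0x000: ("TPM_RC_INITIALIZE", "TPM not initialized by TPM2_Startup or already initialized"),
    0x001: ("TPM_RC_FAILURE", "commands not being accepted because of a TPM failure"),
    0x003: ("TPM_RC_SEQUENCE", "improper use of a sequence handle"),
    0x024: ("TPM_RC_AUTH_TYPE", "authorization handle is not correct for command"),
    0x025: ("TPM_RC_AUTH_MISSING", "command requires an authorization session for handle and it is not present"),
    0x050: ("TPM_RC_BAD_CONTEXT", "context in TPM2_ContextLoad() is not valid"),
}


def decode_rc(rc):
    """Split a TSS2/TPM response code into its fields and return them as a dict."""
    layer = (rc >> 16) & 0xFF
    code = rc & 0xFFFF
    info = {"layer": TSS2_LAYERS.get(layer, "layer%#x" % layer),
            "qualifier": None, "name": None, "description": None}
    if layer != 0:
        # ESAPI/TCTI/... codes have their own tables; this example stops here.
        info.update(kind="software", number=code)
        return info
    if code & RC_FMT1:
        number = code & 0x3F
        n = (code >> 8) & 0xF          # item number; bit 11 belongs to N only when P is set
        if code & RC_P:
            qualifier = "parameter(%d)" % n
        elif code & RC_S:
            qualifier = "session(%d)" % (n & 0x7)
        else:
            qualifier = "handle(%d)" % (n & 0x7)
        name, desc = FMT1_ERRORS.get(number, ("unknown", "unlisted format-1 error %#x" % number))
        info.update(kind="error", qualifier=qualifier, number=number, name=name, description=desc)
        return info
    number = code & 0x7F
    if not code & RC_VER1:
        info.update(kind="tpm1.2", number=number)      # TPM 1.2 style code, not decoded here
    elif code & RC_VENDOR:
        info.update(kind="vendor", number=number)
    elif code & RC_WARN:
        name, desc = FMT0_WARNINGS.get(number, ("unknown", "unlisted warning %#x" % number))
        info.update(kind="warn", qualifier="warn(2.0)", number=number, name=name, description=desc)
    else:
        name, desc = FMT0_ERRORS.get(number, ("unknown", "unlisted error %#x" % number))
        info.update(kind="error", qualifier="error(2.0)", number=number, name=name, description=desc)
    return info


def format_rc(rc):
    """Render as '<layer>:<qualifier>:<description>', the shape tpm2_rc_decode prints."""
    info = decode_rc(rc)
    if info["description"] is None:
        return "%s:%s:%#x" % (info["layer"], info["kind"], info["number"])
    return "%s:%s:%s" % (info["layer"], info["qualifier"], info["description"])


if __name__ == "__main__":
    # The two codes that appear in the thread's logs.
    for rc in (0x000009a2, 0x00000902):
        print("%#010x -> %s [%s]" % (rc, format_rc(rc), decode_rc(rc)["name"]))
```

Running it shows why the two messages differ in severity: 0x9a2 is a format-1 error naming authorization session 1, and its number 0x22 is TPM_RC_BAD_AUTH, the variant that does not advance the dictionary-attack counter (so the failed SRK creation is an authorization-value mismatch, not a lockout), whereas 0x902 is a format-0 warning (bit 11 set, bit 7 clear) about the TPM running out of object-context slots.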