On Fr, 07.11.25 10:02, Itxaka Serrano Garcia ([email protected]) wrote:
> Hey folks,
>
> I'm having a go at building systemd myself and I can't get my head around
> this.
>
> If I disable the bootloader part, because I don't want systemd-boot, I also
> don't get nice services like systemd-tpm2-setup and its binaries because of
> reasons? I would expect the tpm2=enabled to be the one that enables those
> services as they are not really tied to the sdboot itself no?

The TPM support uses various PCRs and nvindexes for very specific
purposes, and expects measurements to be placed in each in a very
specific way:

- systemd-stub measures what it is invoking, its parameters, profile,
  and so on. It also provides PCR signatures to userspace if available.
- systemd-pcrextend measures various things during boot, phases and so on
- systemd-tpm2-setup sets up SRK and so on
- systemd-pcrlock locks against these measurements, done this way

Taking possession of PCRs this way, and providing a measurement chain
like this only really makes sense if this starts via sd-stub. And
sd-stub is under the boot loader build time knob.

Or to say this differently: we assume that if people opt into sd-stub
they are fine with our pcr/nvindex usage, and accept our infra. But if
you do not use sd-stub, then we better stay away from the tpm, because
you quite likely use it in a very different way.

> I can get things like systemd-boot-bless as that's kind of related to
> sdboot and boot assessment, although again, I would think that should be a
> separate service if we expect the bootloader to conform to the bootloader
> specification, which means it doesn't really tie it to sdboot itself.
>
> In any case, any idea how I can build systemd-tpm2-setup without enabling
> bootloader=true?

This is not supported.

Or to say this all differently: you really should not use Grub if you
care about verified boot.

Lennart

--
Lennart Poettering, Berlin
