Hi EDK2 developers,
I am facing a weird situation, I think. I am setting up a VM with kvm,
the tpm being provided by swtpm. This is how I am creating it:
virt-install --name {{ host_name }} --vcpus {{ vm.vcpus }} \
  --memory {{ vm.memory }} \
  --virt-type kvm \
  --features smm.state=on --cpu host-model \
  --boot loader=$WORKSPACE_PATH/uefi/OVMF_CODE_4M.secboot.fd,nvram.template=$WORKSPACE_PATH/uefi/OVMF_VARS_4M.ms.fd,loader.readonly=yes,loader.type=pflash \
  --tpm backend.type=emulator,backend.version=2.0,model=tpm-crb
The OVMF_CODE_4M.secboot.fd and OVMF_VARS_4M.fd come from an official
debian build:
http://ftp.nl.debian.org/debian/pool/main/e/edk2/ovmf_2025.08.01-1_all.deb
The TPM is working as expected, I can use the PCRs, policies, etc. But
the file /sys/kernel/security/tpm0/binary_bios_measurements is empty (0
bytes in length).
These are all the mentions of the TPM in the last boot:
# journalctl -b | grep -i tpm
Nov 20 21:10:35 k3s kernel: efi: SMBIOS=0x7e9d5000 TPMFinalLog=0x7ebe7000 ACPI=0x7eb7e000 ACPI 2.0=0x7eb7e014 MEMATTR=0x7d627018 MOKvar=0x7e980000 RNG=0x7eb72f18 INITRD=0x7c926398 TPMEventLog=0x7c8d3018
Nov 20 21:10:35 k3s kernel: ACPI: TPM2 0x000000007EB76000 00004C (v04 BOCHS BXPC 00000001 BXPC 00000001)
Nov 20 21:10:35 k3s kernel: ACPI: Reserving TPM2 table memory at [mem 0x7eb76000-0x7eb7604b]
Nov 20 21:10:35 k3s kernel: tpm_crb MSFT0101:00: Disabling hwrng
Nov 20 21:10:35 k3s systemd[1]: systemd 257.9-1~deb13u1 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
Nov 20 21:10:35 k3s systemd[1]: Listening on systemd-pcrextend.socket - TPM PCR Measurements.
Nov 20 21:10:35 k3s systemd[1]: Listening on systemd-pcrlock.socket - Make TPM PCR Policy.
Nov 20 21:10:35 k3s systemd[1]: Starting systemd-pcrmachine.service - TPM PCR Machine ID Measurement...
Nov 20 21:10:35 k3s systemd[1]: Starting systemd-tpm2-setup-early.service - Early TPM SRK Setup...
Nov 20 21:10:35 k3s systemd[1]: Finished systemd-pcrmachine.service - TPM PCR Machine ID Measurement.
Nov 20 21:10:35 k3s systemd[1]: Finished systemd-tpm2-setup-early.service - Early TPM SRK Setup.
Nov 20 21:10:35 k3s systemd-tpm2-setup[442]: SRK already stored in the TPM.
Nov 20 21:10:35 k3s systemd-tpm2-setup[442]: SRK fingerprint is dcd141b954a0faf68ec4dbaffb22b2525b8f4e1f04a362bb1598444d0c61b4fb.
Nov 20 21:10:35 k3s systemd-tpm2-setup[442]: SRK public key saved to '/run/systemd/tpm2-srk-public-key.pem' in PEM format.
Nov 20 21:10:35 k3s systemd-tpm2-setup[442]: SRK public key saved to '/run/systemd/tpm2-srk-public-key.tpm2b_public' in TPM2B_PUBLIC format.
Nov 20 21:10:35 k3s systemd[1]: Starting systemd-tpm2-setup.service - TPM SRK Setup...
Nov 20 21:10:35 k3s systemd-tpm2-setup[453]: SRK already stored in the TPM.
Nov 20 21:10:35 k3s systemd-tpm2-setup[453]: SRK fingerprint is dcd141b954a0faf68ec4dbaffb22b2525b8f4e1f04a362bb1598444d0c61b4fb.
Nov 20 21:10:35 k3s systemd-tpm2-setup[453]: SRK saved in '/var/lib/systemd/tpm2-srk-public-key.pem' matches SRK in TPM2.
Nov 20 21:10:35 k3s systemd[1]: Finished systemd-tpm2-setup.service - TPM SRK Setup.
Nov 20 21:10:35 k3s systemd[1]: Reached target tpm2.target - Trusted Platform Module.
Nov 20 21:10:36 k3s systemd[1]: Starting systemd-pcrphase-sysinit.service - TPM PCR Barrier (Initialization)...
Nov 20 21:10:36 k3s systemd[1]: Finished systemd-pcrphase-sysinit.service - TPM PCR Barrier (Initialization).
Nov 20 21:10:36 k3s systemd[1]: Starting systemd-pcrphase.service - TPM PCR Barrier (User)...
Nov 20 21:10:37 k3s systemd[1]: Finished systemd-pcrphase.service - TPM PCR Barrier (User).
All this is happening in a fairly new kernel:
Linux k3s 6.16.3+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.16.3-1~bpo13+1 (2025-09-06) x86_64 GNU/Linux
And... I do not know what else to report! I have checked the mailing
list and there was a similar case 4 years ago, but that was related to
kernel 5.12 with some commit not yet being applied. Might you know
if I am doing something wrong, or what is wrong with this?
Thank you very much!
--
Felix
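
Added example, not part of the original message: a check that separates the reported symptom (a 0-byte binary_bios_measurements) from a log that is present but truncated or in the older SHA-1-only layout, by parsing the first record of the TCG event log. The function names and the sample blob are constructed for illustration.

```python
import struct

EV_NO_ACTION = 0x00000003
SPEC_ID_SIG = b"Spec ID Event03\x00"  # marks a crypto-agile (TPM 2.0) log
ALG_NAMES = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}
LOG_PATH = "/sys/kernel/security/tpm0/binary_bios_measurements"


def inspect_event_log(blob: bytes) -> dict:
    """Classify a firmware event log by parsing only its first record."""
    if not blob:
        # The symptom in the report: the securityfs node exists but is 0 bytes.
        return {"status": "empty", "banks": []}
    truncated = {"status": "truncated", "banks": []}
    if len(blob) < 32:
        return truncated
    # First record is a TCG_PCR_EVENT: pcrIndex, eventType, SHA-1 digest, eventSize.
    _pcr, ev_type, _digest, ev_size = struct.unpack_from("<II20sI", blob, 0)
    event = blob[32:32 + ev_size]
    if len(event) < ev_size:
        return truncated
    if ev_type != EV_NO_ACTION or not event.startswith(SPEC_ID_SIG):
        return {"status": "legacy-sha1", "banks": ["sha1"]}
    # Spec ID event: signature[16], platformClass u32, 4 version/size bytes,
    # numberOfAlgorithms u32, then (algorithmId u16, digestSize u16) pairs.
    if len(event) < 28:
        return truncated
    (num_algs,) = struct.unpack_from("<I", event, 24)
    if 28 + 4 * num_algs > len(event):
        return truncated
    banks = []
    for i in range(num_algs):
        alg_id, _size = struct.unpack_from("<HH", event, 28 + 4 * i)
        banks.append(ALG_NAMES.get(alg_id, hex(alg_id)))
    return {"status": "crypto-agile", "banks": banks}


def sample_log() -> bytes:
    """Constructed sample: a Spec ID header advertising SHA-1 and SHA-256 banks."""
    spec = SPEC_ID_SIG + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 2)
    spec += struct.pack("<HHHH", 0x0004, 20, 0x000B, 32) + b"\x00"  # vendorInfoSize=0
    return struct.pack("<II20sI", 0, EV_NO_ACTION, bytes(20), len(spec)) + spec


if __name__ == "__main__":
    try:
        with open(LOG_PATH, "rb") as f:  # usually requires root
            data = f.read()
    except OSError:
        data = sample_log()  # fall back to the constructed sample
    print(inspect_event_log(data))
```

An "empty" result alongside a non-zero TPMEventLog= address in the kernel's efi: line, as in the journal output above, means the firmware published the configuration table but no log contents reached securityfs.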