TEST-70-TPM2: re-enable tpm2-setup test on Alpine/postmarketOS

After 64b5c5f593c8863316323568268e3d07f4f7cac7, the test passes on Alpine/postmarketOS. This partially reverts 9fafe89bcc91550f55a96f66972406ce678be2fb.
core/service: do not honor SuccessExitStatus= for our own helpers
2026-03-25 08:14:54 +01:00 · 2025-12-16 21:10:12 +00:00 · 2025-12-17 04:04:02 +09:00 · 2025-12-16 17:54:15 +00:00 · 2025-12-16 15:59:02 +00:00 · 2025-12-16 22:28:10 +09:00
10 changed files with 33 additions and 38 deletions
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@ -25,7 +25,7 @@ jobs:

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@5a476a92deca8ad54869e5d416217aa1bb137b25
+      - uses: systemd/mkosi@9e31235211d975bae25622d6205a8396d104335e

      # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
      # immediately, we remove the files in the background. However, we first move them to a different location
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@ -38,7 +38,7 @@ jobs:
          LINTER_RULES_PATH: .github/linters
          GITHUB_ACTIONS_CONFIG_FILE: actionlint.yml

-      - uses: systemd/mkosi@5a476a92deca8ad54869e5d416217aa1bb137b25
+      - uses: systemd/mkosi@9e31235211d975bae25622d6205a8396d104335e

      - name: Check that tabs are not used in Python code
        run: sh -c '! git grep -P "\\t" -- src/core/generate-bpf-delegate-configs.py src/boot/generate-hwids-section.py src/ukify/ukify.py test/integration-tests/integration-test-wrapper.py'
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@ -167,7 +167,7 @@ jobs:

    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: systemd/mkosi@5a476a92deca8ad54869e5d416217aa1bb137b25
+      - uses: systemd/mkosi@9e31235211d975bae25622d6205a8396d104335e

      # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
      # immediately, we remove the files in the background. However, we first move them to a different location
--- a/mkosi/mkosi.conf
+++ b/mkosi/mkosi.conf
@ -1,7 +1,7 @@
 # SPDX-License-Identifier: LGPL-2.1-or-later

 [Config]
-MinimumVersion=commit:5a476a92deca8ad54869e5d416217aa1bb137b25
+MinimumVersion=commit:9e31235211d975bae25622d6205a8396d104335e
 Dependencies=
        exitrd
        initrd
--- a/mkosi/mkosi.tools.conf/mkosi.conf.d/debian-ubuntu.conf
+++ b/mkosi/mkosi.tools.conf/mkosi.conf.d/debian-ubuntu.conf
@ -8,7 +8,6 @@ Distribution=|ubuntu
 PrepareScripts=%D/mkosi/mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.prepare
 Packages=
        clang-tools
-        gh
        lcov
        mypy
        shellcheck
--- a/src/core/service.c
+++ b/src/core/service.c
@ -4116,7 +4116,8 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
        else
                clean_mode = EXIT_CLEAN_DAEMON;

-        if (is_clean_exit(code, status, clean_mode, &s->success_status))
+        /* Our own helper processes are not subject to SuccessExitStatus= as they're opaque to users */
+        if (is_clean_exit(code, status, clean_mode, s->control_pid.pid == pid && s->control_command_id < 0 ? NULL : &s->success_status))
                f = SERVICE_SUCCESS;
        else if (code == CLD_EXITED)
                f = SERVICE_FAILURE_EXIT_CODE;
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@ -7,6 +7,7 @@
 #include "ansi-color.h"
 #include "bitfield.h"
 #include "boot-entry.h"
+#include "chase.h"
 #include "constants.h"
 #include "creds-util.h"
 #include "cryptsetup-util.h"
@ -6947,9 +6948,10 @@ static int tpm2_nvpcr_write_anchor_secret(

        /* Writes the encrypted credential of the anchor secret to directory 'dir' and file 'fname' */

-        _cleanup_close_ int dfd = open_mkdir(dir, O_CLOEXEC, 0755);
-        if (dfd < 0)
-                return log_error_errno(dfd, "Failed to create '%s' directory: %m", dir);
+        _cleanup_close_ int dfd = -EBADF;
+        r = chase(dir, /* root= */ NULL, CHASE_MKDIR_0755|CHASE_MUST_BE_DIRECTORY, /* ret_path= */ NULL, &dfd);
+        if (r < 0)
+                return log_error_errno(r, "Failed to create '%s' directory: %m", dir);

        _cleanup_free_ char *joined = path_join(dir, fname);
        if (!joined)
--- a/test/units/TEST-70-TPM2.pcrextend.sh
+++ b/test/units/TEST-70-TPM2.pcrextend.sh
@ -9,7 +9,7 @@ set -o pipefail
 export SYSTEMD_LOG_LEVEL=debug
 SD_PCREXTEND="/usr/lib/systemd/systemd-pcrextend"

-if [[ ! -x "${SD_PCREXTEND:?}" ]] || ! tpm_has_pcr sha256 11 || ! tpm_has_pcr sha256 15; then
+if [[ ! -x "${SD_PCREXTEND:?}" ]] || ! tpm_has_pcr sha256 16 || ! tpm_has_pcr sha256 15; then
    echo "$SD_PCREXTEND or PCR sysfs files not found, skipping PCR extension tests"
    exit 0
 fi
@ -28,23 +28,23 @@ export SYSTEMD_FORCE_MEASURE=1

 "$SD_PCREXTEND" --help
 "$SD_PCREXTEND" --version
-"$SD_PCREXTEND" foo
+"$SD_PCREXTEND" --pcr=16 foo
 "$SD_PCREXTEND" --machine-id
 "$SD_PCREXTEND" --product-id
 "$SD_PCREXTEND" --tpm2-device=list
-"$SD_PCREXTEND" --tpm2-device=auto foo
-"$SD_PCREXTEND" --tpm2-device=/dev/tpm0 foo
-"$SD_PCREXTEND" --bank=sha256 foo
-"$SD_PCREXTEND" --bank=sha256 --bank=sha256 foo
-"$SD_PCREXTEND" --graceful foo
+"$SD_PCREXTEND" --tpm2-device=auto --pcr=16 foo
+"$SD_PCREXTEND" --tpm2-device=/dev/tpm0 --pcr=16 foo
+"$SD_PCREXTEND" --bank=sha256 --pcr=16 foo
+"$SD_PCREXTEND" --bank=sha256 --bank=sha256 --pcr=16 foo
+"$SD_PCREXTEND" --graceful --pcr=16 foo
 "$SD_PCREXTEND" --pcr=15 foo
 "$SD_PCREXTEND" --file-system=/
 "$SD_PCREXTEND" --file-system=/tmp --file-system=/
-"$SD_PCREXTEND" --file-system=/tmp --file-system=/ --pcr=15 --pcr=11
+"$SD_PCREXTEND" --file-system=/tmp --file-system=/ --pcr=15 --pcr=16
 "$SD_PCREXTEND" --nvpcr=hardware foo

-if tpm_has_pcr sha1 11; then
-    "$SD_PCREXTEND" --bank=sha1 --pcr=11 foo
+if tpm_has_pcr sha1 16; then
+    "$SD_PCREXTEND" --bank=sha1 --pcr=16 foo
 fi

 (! "$SD_PCREXTEND")
@ -88,9 +88,9 @@ DIGEST_CURRENT="$(jq --seq --slurp --raw-output ".[$RECORD_COUNT].digests[] | se
 test "$DIGEST_EXPECTED" == "$DIGEST_CURRENT"

 RECORD_COUNT=$((RECORD_COUNT + 1))
-# And similar for the boot phase measurement into PCR 11
-tpm2_pcrread sha256:11 -Q -o /tmp/oldpcr11
-# Do the equivalent of 'SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" foobar' via Varlink, just to test the Varlink logic (but first we need to patch out the conditionalization...)
+# And similar for a string measurement into PCR 16
+tpm2_pcrread sha256:16 -Q -o /tmp/oldpcr16
+# Do the equivalent of 'SYSTEMD_FORCE_MEASURE=1 "$SD_PCREXTEND" --pcr=16 foobar' via Varlink, just to test the Varlink logic (but first we need to patch out the conditionalization...)
 mkdir -p /run/systemd/system/systemd-pcrextend.socket.d
 cat >/run/systemd/system/systemd-pcrextend.socket.d/50-no-condition.conf <<EOF
 [Unit]
@ -99,14 +99,14 @@ ConditionSecurity=
 EOF
 systemctl daemon-reload
 systemctl restart systemd-pcrextend.socket
-varlinkctl call /run/systemd/io.systemd.PCRExtend io.systemd.PCRExtend.Extend '{"pcr":11,"text":"foobar"}'
-tpm2_pcrread sha256:11 -Q -o /tmp/newpcr11
+varlinkctl call /run/systemd/io.systemd.PCRExtend io.systemd.PCRExtend.Extend '{"pcr":16,"text":"foobar"}'
+tpm2_pcrread sha256:16 -Q -o /tmp/newpcr16

-diff /tmp/newpcr11 \
-    <(cat /tmp/oldpcr11 <(echo -n "foobar" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256)
+diff /tmp/newpcr16 \
+    <(cat /tmp/oldpcr16 <(echo -n "foobar" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256)

 # Check the event log for the 2nd new record since $RECORD_COUNT
-test "$(jq --seq --slurp ".[$RECORD_COUNT].pcr" </run/log/systemd/tpm2-measure.log)" == "$(printf '\x1e11')"
+test "$(jq --seq --slurp ".[$RECORD_COUNT].pcr" </run/log/systemd/tpm2-measure.log)" == "$(printf '\x1e16')"
 DIGEST_EXPECTED="$(echo -n "foobar" | openssl dgst -hex -sha256 -r)"
 DIGEST_CURRENT="$(jq --seq --slurp --raw-output ".[$RECORD_COUNT].digests[] | select(.hashAlg == \"sha256\").digest" </run/log/systemd/tpm2-measure.log) *stdin"
 test "$DIGEST_EXPECTED" == "$DIGEST_CURRENT"
@ -124,4 +124,4 @@ tpm2_pcrread sha256:15 -Q -o /tmp/newpcr15
 diff /tmp/newpcr15 \
     <(cat /tmp/oldpcr15 <(echo -n "file-system:$FS_WORD" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256)

-rm -f /tmp/oldpcr{11,15} /tmp/newpcr{11,15}
+rm -f /tmp/oldpcr{16,15} /tmp/newpcr{16,15}
--- a/test/units/TEST-70-TPM2.pcrlock.sh
+++ b/test/units/TEST-70-TPM2.pcrlock.sh
@ -42,6 +42,9 @@ PCRS="1+2+3+4+5+16"
 # (as the PCR values simply won't match the log).
 rm -f /run/log/systemd/tpm2-measure.log

+# Reset TPM PCR 16 ("debug") explicitly, so that we can use it in a known good state
+tpm2_pcrreset 16
+
 # Ensure a truncated log doesn't crash pcrlock
 echo -n -e \\x1e >/tmp/borked
 set +e
--- a/test/units/TEST-70-TPM2.tpm2-setup.sh
+++ b/test/units/TEST-70-TPM2.tpm2-setup.sh
@ -11,16 +11,6 @@ if [[ ! -x "${SD_TPM2SETUP:?}" ]]; then
    exit 0
 fi

-. /etc/os-release
-if [[ "${ID_LIKE:-}" == alpine ]]; then
-    # For some unknown reasons, the test fails with the following:
-    # --------
-    # Couldn't find signature for this PCR bank, PCR index and public key.
-    # Failed to unseal secret using TPM2: No such device or address
-    # --------
-    exit 0
-fi
-
 "$SD_TPM2SETUP" --help
 "$SD_TPM2SETUP" --version
 "$SD_TPM2SETUP" --tpm2-device=list
Author	SHA1	Message	Date
Yu Watanabe	650fc62526	TEST-70-TPM2: re-enable tpm2-setup test on Alpine/postmarketOS After 64b5c5f593c8863316323568268e3d07f4f7cac7, the test passes on Alpine/postmarketOS. This partially reverts 9fafe89bcc91550f55a96f66972406ce678be2fb.	2025-12-16 21:10:12 +00:00
Mike Yuan	552822992c	core/service: do not honor SuccessExitStatus= for our own helpers They're exclusively under our control, hence errors should not be suppressed based on external user input.	2025-12-17 04:04:02 +09:00
Luca Boccassi	c78d18096d	mkosi: drop gh from mkosi-tools debian/ubuntu It was removed from testing so building images fails	2025-12-16 17:54:15 +00:00
Luca Boccassi	830275f343	mkosi: update mkosi commit reference to 9e31235211d975bae25622d6205a8396d104335e * 9e31235211 pacman: Make sure hookdir exists * 20009b7f48 make_image: log systemd-repart .conf files at the --debug level b94b415db9 run: Increase string limit for strace when debugging sandbox * 9f6d9405d6 Ring the terminal bell after the last image has been built * b509b4246d Add glob in default initrd to exclude some exotic drivers * 189394b8b9 Allow KernelModules= globs to also match relative to modules root dir * 92bd086e4e zypper: add --force-resolution flag * 3637749702 kmod: Only add fully resolved fw path if it exists * d41ac276c9 Add details to KernelModulesInitrd= doc * 1b6960ddb1 Fix SplitArtifacts=repart-definitions for addons * 07464f38d6 Add log_step call in build_kernel_modules_initrd * 18f5885362 Use proper constants for ansi colors * 454c1602b6 mkosi-obs: add SplitArtifacts=repart-definitions and use it * 9e57461af6 Copy repart definitions to staging directory * 1acab18874 Add SplitArtifacts=repart-definitions * c5c5c225e8 mkosi-obs: always include verity certificate * ac5babb8e0 Revert "Use Path.relative_to instead of Path.parts" * cbb1daeb76 action: Use environment variables instead of inputs * 97c81eef72 portable: support split roothash	2025-12-16 15:59:02 +00:00
Lennart Poettering	200f792b3e	tpm2-util: create leading dirs for anchor secret Fixes #40087	2025-12-16 22:28:10 +09:00
Lennart Poettering	64b5c5f593	test: prefer tests with PCR 16 over PCR 11 PCR 16 is intended for debugging purposes, and is the only PCR that can be reset by software. Let's prefer that for testing. PCR 11 has a purpose (i.e. kernel is measured there on UKI systems, as are the boot phases), hence let's not use that for testing. That should remove any interference of boot time ordering and testing our tpm code, as we will write to PCR 16 only, and reset it before we rely on it. This likely, kind of fixes #39582, but the issue mixes two things, PCR 11 issues on real-life hardware, and PCR 11 isues in our artificial tests. Only the latter is addressed by this PR, the other issue needs more debugging, but without logs we cannot do much.	2025-12-16 22:28:10 +09:00