systemd-cryptenroll poorly communicates libtss2-rc0 dependency

Bug #2001556 reported by Kyler Hornor
This bug affects 2 people
Affects: systemd (Ubuntu)
Status: Won't Fix
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Description:

tpm2 support was added to jammy in 249.11-0ubuntu3.3 via LP1969375. libtss2-rc0 was added as a suggested package.

$ systemd-cryptenroll --tpm2-device=list
TPM2 support is not installed.

Installing libtss2-rc0 allows this to resolve:
$ sudo apt install libtss2-rc0
$ systemd-cryptenroll --tpm2-device=list
PATH DEVICE DRIVER
/dev/tpmrm0 VTPM0101:00 tpm_crb

While this isn't inherently an issue, two things are notable:

+ The manpage for systemd-cryptenroll makes no mention that the suggested package needs to be installed (that I could find); this is only noted via `apt depends`. I only happened to find this while building from source.

+ The presented error implies that the pkg was built with -Dtpm2=false (as I read it), which is not actually the case. It should properly indicate the missing dep.

The choice to leave this as a suggested dep was deliberate, so I believe resolution of the above two issues would suffice to provide enduser clarity.

Nick Rosbrook (enr0n) wrote :

I have not taken a close look at the man pages to see if it mentions this, but systemd-cryptenroll dlopen()'s the libraries needed for TPM2 support. So the message "TPM2 support is not installed." means the binary was compiled with TPM2 support, but you need to install the libraries. On the other hand, the message "TPM2 not supported on this build." means that the binary was built without TPM2 support (i.e. -Dtpm2=false).

I will take a closer look to see if we can improve the documentation upstream. My guess is that one hesitation of being too specific with the error message/man page is that the list of deps could go stale.

Changed in systemd (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Avinash Sonawane (kearoot) wrote :

> "TPM2 support is not installed." means the binary was compiled with TPM2 support, but you need to install the libraries.

Which libraries? I personally installed a handful of packages and then figured out that it was `libtss2-rc0` by trial and error. It took quite some time.

`systemd` suggests `libtss2-esys-3.0.2-0`, `libtss2-mu0`, `libtss2-rc0` (these 3 show the same package description) among others. How am I (user) supposed to figure out which package to install to "fix" the "TPM2 support is not installed." message?

I understand not mentioning the specific package name, but maybe showing a message like "Install TSS response code library" along with the "TPM2 support is not installed." error message, or in the manpage of `systemd-cryptenroll`, will work?

Nick Rosbrook (enr0n) wrote :

I missed this my first time looking at the code, but the specific filename is logged at the debug level. So you can at least do:

$ SYSTEMD_LOG_LEVEL=debug systemd-cryptenroll --tpm2-device=list
libtss2-esys.so.0 is not installed: libtss2-esys.so.0: cannot open shared object file: No such file or directory
TPM2 support is not installed.

We could probably up the log level so that this is printed by default, but for now this is a decent workaround.
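
A small triage helper for the two messages discussed in this thread, added here as an example (it is not part of the bug report or of systemd). The function names `missing_sonames` and `diagnose_tpm2` and the sample text are constructed for illustration, and the parser assumes debug lines have the `<soname> is not installed: ...` form quoted above.

```shell
#!/bin/sh
# Added example: classify systemd-cryptenroll TPM2 output and name the
# shared object that dlopen() could not find.
# Real use (log messages go to stderr, hence 2>&1):
#   SYSTEMD_LOG_LEVEL=debug systemd-cryptenroll --tpm2-device=list 2>&1 | diagnose_tpm2

# Print every soname from "<soname> is not installed: ..." debug lines, once each.
missing_sonames() {
    sed -n 's/^\([^ ]*\.so[.0-9]*\) is not installed: .*/\1/p' | sort -u
}

# Read captured output on stdin and print one of:
#   built-without-tpm2          binary compiled without TPM2 support
#   missing-libraries: <names>  compiled with TPM2, runtime libraries absent
#   ok                          neither message present
diagnose_tpm2() {
    out=$(cat)
    case $out in
        *"TPM2 not supported on this build."*)
            echo "built-without-tpm2" ;;
        *"TPM2 support is not installed."*)
            libs=$(printf '%s\n' "$out" | missing_sonames | tr '\n' ' ')
            libs=${libs% }
            if [ -z "$libs" ]; then
                # Without debug logging the soname is never printed.
                libs="unknown (rerun with SYSTEMD_LOG_LEVEL=debug)"
            fi
            echo "missing-libraries: $libs" ;;
        *)
            echo "ok" ;;
    esac
}

# Constructed sample, modelled on the debug output quoted in the thread.
SAMPLE_MISSING='libtss2-esys.so.0 is not installed: libtss2-esys.so.0: cannot open shared object file: No such file or directory
TPM2 support is not installed.'

printf '%s\n' "$SAMPLE_MISSING" | diagnose_tpm2
```

On Ubuntu, `apt-file search <soname>` (from the `apt-file` package) maps the reported file name to the package that ships it.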

Nick Rosbrook (enr0n) wrote :

I think the current log levels and messages are appropriate, so marking this won't fix.

Changed in systemd (Ubuntu):
status: Triaged → Won't Fix