https://bugzilla.suse.com/show_bug.cgi?id=1231325 Bug ID: 1231325 Summary: dracut-pcr-signature races with udev for ESP symlinks Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: screening-team-bugs@suse.de Reporter: arvidjaar@gmail.com QA Contact: qa-bugs@suse.de CC: aplanas@suse.com Target Milestone: --- Found By: --- Blocker: --- My FDE VM systematically fails to automatically unlock root the first time after host has been restarted. I compared PCR values and TPM log between bad and good cases and no changes are present - the values are identical. Then I remembered that not so long ago the same VM failed to boot, with log in https://bugzilla.suse.com/attachment.cgi?id=873748. Which shows [ 23.780502] localhost pcr-signature.sh[417]: mount: /tmp/pcr-signature: wrong fs type, bad option, bad superblock on /dev/disk/by-partuuid/4d904b6d-6495-4891-8481-fe0fbdacec21, missing codepage or helper program, or other error. ... [ 24.814025] localhost systemd[1]: systemd-cryptsetup@cr_root.service: Control process exited, code=exited, status=1/FAILURE and then I looked into dracut-pcr-oracle changelog which says commit ae07fc611de1884207614125533482477e9e2f8b Author: Alberto Planas <aplanas@suse.com> Date: Tue Apr 16 19:19:21 2024 +0200 Do not hard fail when error in mount which explains why my VM stopped to fail, but continued to require manual unlocking. pcr-signature.sh is using DEV="/dev/disk/by-partuuid/${ESP_UUID}" where ${ESP_UUID} is taken from EFI NVRAM, but it never actually checks that it exists or waits for this link to appear. Which pretty much explains my failures. pcr-signature.sh must really be split into two parts 1. systemd generator that determines device and adds Requires and After for this device to (root device) systemd-cryptsetup@.service. 2. The script that mounts this device. Actually, if we go generator route we could just as well create the proper mount unit for the LoaderDevice and simply add the proper dependencies. Because currently there is obvious race condition between multiple encrypted device, each attempting to mount and then unmount LoaderDevice. Having the proper mount unit will solve this as well. Hmm ... I expected that it would race with /boot/efi mount on Tumbleweed, but I was surprised that with systemd-boot ESP is not mounted in initrd. I am not sure why, but this may be potential source of problems with grub2 BLS module. Because we cannot mount the same FAT filesystem twice. -- You are receiving this mail because: You are on the CC list for the bug.