TPM error during boot on fresh intstall

General system Kernel, boot, graphics & hardware
1

I get the following errors printed in red on the OEM splash screen (ASUS):

Error meassuring loader.conf into TPM: Volume full

Then on a new black screen, also printed in red:

Unable to add load options (i.e. kernel command) line measurements to PCR 12: Volume full

Couldn’t find an option to disable TPM in BIOS.

journalctl -k -b -0 --grep=tpm

dec 10 22:14:13 ux330 kernel: Command line: initrd=\5c066686c58c45bb92c458439675e6d7\6.12.1-arch1-1\initrd nvme_load=YES nowatchdog rw root=UUID=6b4a244a-88ab-422a-b9ad-7db428927688 rw root=UUID=6b4a244a-88ab-422a-b9ad-7db4>
dec 10 22:14:13 ux330 kernel: efi: TPMFinalLog=0x9ad87000 ESRT=0x9b173e58 ACPI=0x9a96d000 ACPI 2.0=0x9a96d000 SMBIOS=0x9b16f000 SMBIOS 3.0=0x9b16e000 RNG=0x9a96c018 INITRD=0x94a314d8 TPMEventLog=0x9a964018
dec 10 22:14:13 ux330 kernel: ACPI: TPM2 0x000000009A9A2920 000034 (v03        Tpm2Tabl 00000001 AMI  00000000)
dec 10 22:14:13 ux330 kernel: ACPI: Reserving TPM2 table memory at [mem 0x9a9a2920-0x9a9a2953]
dec 10 22:14:13 ux330 kernel: Kernel command line: initrd=\5c066686c58c45bb92c458439675e6d7\6.12.1-arch1-1\initrd nvme_load=YES nowatchdog rw root=UUID=6b4a244a-88ab-422a-b9ad-7db428927688 rw root=UUID=6b4a244a-88ab-422a-b9>
dec 10 22:14:14 ux330 kernel: tpm_crb MSFT0101:00: [Firmware Bug]: ACPI region does not cover the entire command/response buffer. [mem 0xfed40000-0xfed4087f flags 0x200] vs fed40080 f80
dec 10 22:14:14 ux330 kernel: tpm_crb MSFT0101:00: [Firmware Bug]: ACPI region does not cover the entire command/response buffer. [mem 0xfed40000-0xfed4087f flags 0x200] vs fed40080 f80
dec 10 22:14:14 ux330 systemd[1]: systemd 256.9-1-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPT>
dec 10 22:14:16 ux330 systemd[1]: systemd 256.9-1-arch running in system mode (+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPT>
dec 10 22:14:16 ux330 systemd[1]: TPM PCR Measurements was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
dec 10 22:14:16 ux330 systemd[1]: Make TPM PCR Policy was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
dec 10 22:14:16 ux330 systemd[1]: TPM PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
dec 10 22:14:16 ux330 systemd[1]: Early TPM SRK Setup was skipped because of an unmet condition check (ConditionSecurity=measured-uki).

The system boots without problems after this.
I didn’t get the error on my previous manjaro install.

2

You are wondering why you see that (seemingly harmless) output when you boot up normally?
PCR skipping measurements happens when not everything is talking right (kernel-sysd-tpm-bios) for lack of a better.
this is interesting: https://github.com/systemd/systemd/issues/30026

It’s been 15 min of excruciatingly hard reading, and while I cannot answer your question, I do know that there’s something in the loader.conf file that is irritating some component. It could be about 4-5 things. But if Endeavour boots and functions normally make it corrects itself before boot?

3

Thanks for taking a look, I’m wondering:

  • Is it harmless?
  • If so, how can I hide it?
  • If not, how can I fix it?

Maybe it’s just me, but I think a red error message right in the middle of the screen at boot is annoying and ugly :slight_smile:

The placement feels quite aggressive. My initial reaction to seeing an error there is to assume something is seriously wrong. If it’s harmless, I’d expect it to be logged somewhere instead of displayed so prominently.

4

I don’t know the answer to any of those questions, tbh. I know it looks aggressive and like something to address, I agree.

It’s a bios setting that’s not apparent or need to manually update kernels, or it’s a result of a LUKS password of crypt setting or even TPMs get updates or need to manually update firmware?
Those are all my instinctual (likely wrong) guesses.

I hope a DEV steps in here to address your strange error. the journalctl -k -b -0 --grep=tpm output is interesting but mostly indepiherable by me

1 Like