
systemd: fix pcrlock failure on Hyper-V VMs with vTPM#16309

Open

liulanze wants to merge 2 commits into 3.0-dev from user/lanzeliu/fix-pcrlock-hyperv

Conversation

@liulanze
Contributor

Merge Checklist
  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

Backport upstream systemd fix for systemd-pcrlock failures on Hyper-V/Azure VMs with vTPM.

On Hyper-V, the vTPM event log lists hash algorithms in a different order in the records than declared in the header. systemd v255 uses strict positional index matching, which fails with "Hash algorithms in event log record don't match log", causing the systemd-pcrlock-firmware-code, systemd-pcrlock-firmware-config, systemd-pcrlock-make-policy, and systemd-pcrlock-secureboot-authority services to fail on boot.

The upstream fix (commit e90a255 from systemd v256, PR systemd/systemd#31429) replaces the positional index lookup with a search loop so the algorithm is matched by ID regardless of ordering.

Change Log
  • Add fix-pcrlock-hyperv-hash-algorithm-ordering.patch backported from upstream systemd v256 (commit e90a255)
  • Bump Release from 26 to 27
Does this affect the toolchain?

NO

Associated issues
Links to CVEs

N/A

Test Methodology
  • Built custom systemd RPM (255-27) with the patch using Azure Linux toolkit
  • Deployed to Azure Trusted Launch VM with Secure Boot and vTPM enabled
  • Verified systemd health check passes with 0 failed units and system state running
  • All pcrlock services complete successfully without any bypass workaround
  • Pipeline build for verifications listed above
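The summary above describes the matching change in words only. The following is an added illustration, not code from this PR, from the backported patch, or from systemd: it models a TCG event log whose header declares algorithms in one order while a record lists its digests in another, and contrasts the strict positional check with an order-independent lookup by algorithm id. The `LogHeader`/`LogRecord` structures, the `SAMPLE_HEADER`/`SAMPLE_RECORD` values and the function names are constructed for this example; the TPM_ALG_ID constants and digest sizes (SHA1 20, SHA256 32, SHA384 48 bytes) are the standard TCG registry values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TPM_ALG_ID values from the TCG Algorithm Registry. */
#define TPM2_ALG_SHA1   0x0004u
#define TPM2_ALG_SHA256 0x000Bu
#define TPM2_ALG_SHA384 0x000Cu

#define MAX_ALGS 8

/* One entry of the event log header's digestSizes table
 * (TCG_EfiSpecIdEvent): which algorithm, and how many digest bytes
 * each record carries for it. Structure names are constructed for
 * this example. */
typedef struct {
        uint16_t alg_id;
        uint16_t digest_size;
} AlgEntry;

typedef struct {
        size_t n;
        AlgEntry algs[MAX_ALGS];
} LogHeader;

/* The digests of one TCG_PCR_EVENT2 record, reduced to their algorithm
 * ids; the digest bytes themselves play no role in the matching step. */
typedef struct {
        size_t n;
        uint16_t alg_ids[MAX_ALGS];
} LogRecord;

/* Constructed sample: the header declares SHA1, SHA256, SHA384 in that
 * order, but the record lists SHA256 first, mimicking the reordering the
 * PR describes for Hyper-V vTPM logs. */
static const LogHeader SAMPLE_HEADER = {
        .n = 3,
        .algs = { { TPM2_ALG_SHA1, 20 }, { TPM2_ALG_SHA256, 32 }, { TPM2_ALG_SHA384, 48 } },
};
static const LogRecord SAMPLE_RECORD = {
        .n = 3,
        .alg_ids = { TPM2_ALG_SHA256, TPM2_ALG_SHA1, TPM2_ALG_SHA384 },
};

/* Search lookup: find the header entry for an algorithm id regardless of
 * where the digest sits in the record. Returns the header index or -1. */
int find_alg(const LogHeader *h, uint16_t alg_id) {
        for (size_t j = 0; j < h->n; j++)
                if (h->algs[j].alg_id == alg_id)
                        return (int) j;
        return -1;
}

/* Strict positional check (the behaviour that fails on Hyper-V): digest i
 * must use the same algorithm as header entry i. */
bool record_matches_positional(const LogHeader *h, const LogRecord *r) {
        if (r->n != h->n)
                return false;
        for (size_t i = 0; i < r->n; i++)
                if (r->alg_ids[i] != h->algs[i].alg_id)
                        return false;
        return true;
}

/* Order-independent check (the backported behaviour): every record digest
 * must name a declared algorithm, and no algorithm may appear twice. */
bool record_matches_by_id(const LogHeader *h, const LogRecord *r) {
        uint32_t seen = 0;  /* bitmask over header indices; MAX_ALGS <= 32 */
        if (r->n != h->n)
                return false;
        for (size_t i = 0; i < r->n; i++) {
                int idx = find_alg(h, r->alg_ids[i]);
                if (idx < 0 || (seen & (1u << idx)))
                        return false;
                seen |= 1u << idx;
        }
        return true;
}

/* Total digest bytes in the record, using the size the header declares for
 * each matched algorithm; a parser needs this to locate the next field.
 * Returns -1 if any algorithm is not declared in the header. */
int record_digest_bytes(const LogHeader *h, const LogRecord *r) {
        int total = 0;
        for (size_t i = 0; i < r->n; i++) {
                int idx = find_alg(h, r->alg_ids[i]);
                if (idx < 0)
                        return -1;
                total += h->algs[idx].digest_size;
        }
        return total;
}

int main(void) {
        printf("positional match: %s\n",
               record_matches_positional(&SAMPLE_HEADER, &SAMPLE_RECORD) ? "ok" : "mismatch");
        printf("match by id:      %s\n",
               record_matches_by_id(&SAMPLE_HEADER, &SAMPLE_RECORD) ? "ok" : "mismatch");
        printf("digest bytes:     %d\n", record_digest_bytes(&SAMPLE_HEADER, &SAMPLE_RECORD));
        return 0;
}
```

On the sample data the positional check reports a mismatch, which is the condition behind the "Hash algorithms in event log record don't match log" error, while the lookup by id accepts the record and still recovers the correct per-digest sizes from the header, so the rest of the record can be parsed. The duplicate check in `record_matches_by_id` is an extra guard this example adds so that a record cannot satisfy the header by repeating one algorithm.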

@liulanze liulanze requested a review from a team as a code owner March 26, 2026 20:44
@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels Mar 26, 2026