From ce8b1104405b3949d090b59cb01770be253fbac0 Mon Sep 17 00:00:00 2001
From: Lanze Liu
Date: Thu, 26 Mar 2026 13:37:26 -0700
Subject: [PATCH 1/2] Fix pcrlock failure on Hyper-V/Azure VMs with vTPM by backporting upstream.

---
 ...rlock-hyperv-hash-algorithm-ordering.patch | 58 +++++++++++++++++++
 SPECS/systemd/systemd.spec | 7 ++-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/systemd/fix-pcrlock-hyperv-hash-algorithm-ordering.patch

diff --git a/SPECS/systemd/fix-pcrlock-hyperv-hash-algorithm-ordering.patch b/SPECS/systemd/fix-pcrlock-hyperv-hash-algorithm-ordering.patch
new file mode 100644
index 00000000000..716b002651d
--- /dev/null
+++ b/SPECS/systemd/fix-pcrlock-hyperv-hash-algorithm-ordering.patch
@@ -0,0 +1,58 @@
+From e90a255e55e3af0effac927ccaa10c2662501e1a Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 21 Feb 2024 14:43:42 +0100
+Subject: [PATCH] pcrlock: handle measurement logs where hash algs in header
+ are announced in different order than in records
+
+Apparently on HyperV the measurement logs announce the hash algs in a
+different order in the header than the records have them. Let's handle
+this gracefully
+---
+ src/pcrlock/pcrlock.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
+index e70c44c6..1fb9d692 100644
+--- a/src/pcrlock/pcrlock.c
++++ b/src/pcrlock/pcrlock.c
+@@ -936,23 +936,30 @@ static int event_log_load_firmware(EventLog *el) {
+ assert(event->digests.count == n_algorithms);
+
+ for (size_t i = 0; i < n_algorithms; i++, ha = ha_next) {
+- ha_next = (const uint8_t*) ha + offsetof(TPMT_HA, digest) + algorithms[i].digestSize;
+-
+ /* The TPMT_HA is not aligned in the record, hence read the hashAlg field via an unaligned read */
+ assert_cc(__builtin_types_compatible_p(uint16_t, typeof(TPMI_ALG_HASH)));
+ uint16_t hash_alg = unaligned_read_ne16((const uint8_t*) ha + offsetof(TPMT_HA, hashAlg));
+
+- if (hash_alg != algorithms[i].algorithmId)
+- return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithms in event log record don't match log.");
++ /* On some systems (some HyperV?) the order of hash algorithms announced in the
++ * header does not match the order in the records. Let's hence search for the right
++ * mapping */
++ size_t j;
++ for (j = 0; j < n_algorithms; j++)
++ if (hash_alg == algorithms[j].algorithmId)
++ break;
++ if (j >= n_algorithms)
++ return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithms in event log record not among those advertised by log header.");
++
++ ha_next = (const uint8_t*) ha + offsetof(TPMT_HA, digest) + algorithms[j].digestSize;
+
+- if (!tpm2_hash_alg_to_string(algorithms[i].algorithmId))
++ if (!tpm2_hash_alg_to_string(hash_alg))
+ continue;
+
+ r = event_log_record_add_bank(
+ record,
+- algorithms[i].algorithmId,
++ hash_alg,
+ (const uint8_t*) ha + offsetof(TPMT_HA, digest),
+- algorithms[i].digestSize,
++ algorithms[j].digestSize,
+ /* ret= */ NULL);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add bank to event log record: %m");
+--
+2.45.4
+
diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec
index 1dd8148e8b2..99728d658c2 100644
--- a/SPECS/systemd/systemd.spec
+++ b/SPECS/systemd/systemd.spec
@@ -50,7 +50,7 @@ Version: 255
 # determine the build information from local checkout
 Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
 %endif
-Release: 26%{?dist}
+Release: 27%{?dist}
 
 # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore
 %global stable 1
@@ -149,6 +149,7 @@ Patch0905: ipc-call-0001-path-util-add-flavour-of-path_startswith-that-leav
 Patch0906: ipc-call-0003-core-cgroup-avoid-one-unnecessary-strjoina.patch
 Patch0907: ipc-call-0002-path-util-invert-PATH_STARTSWITH_ACCEPT_DOT_DOT-flag.patch
 Patch0908: ipc-call-0004-core-validate-input-cgroup-path-more-prudently.patch
+Patch0909: fix-pcrlock-hyperv-hash-algorithm-ordering.patch
 
 %ifarch %{ix86} x86_64 aarch64
 %global want_bootloader 1
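Review bot: The new lookup in the inner hunk (`for (j = 0; j < n_algorithms; j++)` followed by `if (j >= n_algorithms)`) only verifies that each record digest names some algorithm from the header; nothing marks a header slot as consumed, so a record that lists the same algorithm twice and omits another still satisfies the `assert(event->digests.count == n_algorithms)` above and reaches `event_log_record_add_bank` twice for one algorithm, unless that helper rejects duplicates itself, which is not visible here. Because the log is parsed from firmware-provided data, I would make the one-to-one mapping explicit: `uint64_t seen = 0;` before the `for (size_t i = 0; …)` loop, then after the search `if (j >= 64 || (seen & (UINT64_C(1) << j))) return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Hash algorithm listed twice in event log record.");` and `seen |= UINT64_C(1) << j;`, with the mask width sized to whatever bound the caller enforces on n_algorithms. This is a verbatim backport of the upstream commit, so the same remark applies upstream, and `event_log_load_firmware` begins and ends outside the hunk.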
@@ -1234,6 +1235,10 @@ rm -f %{name}.lang
 # %autochangelog. So we need to continue manually maintaining the
 # changelog here.
 %changelog
+* Wed Mar 26 2026 Lanze Liu - 255-27
+- Fix pcrlock failure on Hyper-V/Azure VMs with vTPM by backporting upstream
+ commit e90a255 from systemd v256 (PR #31429).
+
 * Mon Mar 02 2026 Dan Streetman - 255-26
 - Apply patches for ipc issue.
 

From 144bab960880bbb5e9fc60216efcd1ec69c3e117 Mon Sep 17 00:00:00 2001
From: Lanze Liu
Date: Thu, 26 Mar 2026 13:56:36 -0700
Subject: [PATCH 2/2] Bump release to match systemd spec

---
 SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec | 5 ++++-
 SPECS/systemd/systemd.spec | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
index c3d1fd46c5f..42cd24083ce 100644
--- a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
+++ b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
@@ -20,7 +20,7 @@ Version: 255
 # determine the build information from local checkout
 Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
 %endif
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -98,6 +98,9 @@ popd
 /boot/efi/EFI/BOOT/%{grubefiname}
 
 %changelog
+* Thu Mar 26 2026 Lanze Liu - 255-27
+- Bump release to match systemd spec
+
 * Tue Mar 03 2026 Dan Streetman - 255-26
 - Bump release to match systemd spec
 
diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec
index 99728d658c2..9f92c5fc9b8 100644
--- a/SPECS/systemd/systemd.spec
+++ b/SPECS/systemd/systemd.spec
@@ -1235,7 +1235,7 @@ rm -f %{name}.lang
 # %autochangelog. So we need to continue manually maintaining the
 # changelog here.
 %changelog
-* Wed Mar 26 2026 Lanze Liu - 255-27
+* Thu Mar 26 2026 Lanze Liu - 255-27
 - Fix pcrlock failure on Hyper-V/Azure VMs with vTPM by backporting upstream
 commit e90a255 from systemd v256 (PR #31429).