Measure-pcr-validator service failed

Sauerland · October 10, 2025, 5:03pm

This ones:

[bug]: measure-pcr-validator halts system which should run unattended 24/7

offen 09:29AM - 10 Sep 25 UTC

bug

### Pre‑submission checklist - [x] I searched existing issues and discussions t…o avoid duplicates - [x] I tested with the latest released packages or the current git (if applicable) - [x] I can reproduce this on a clean boot or after reboot ### Short summary System halts if rebooted by rebootmgr ### Observed behavior ```text I run MicroOS on a ARM64 (BananaPI R4 with only kernel which is custom, rest is standard) with u-boot booting MicroOS via UEFI. I'm very happy with how systemd-boot integration works. I don't have or need FDE (not sure if system has TPM module), but it just feels less bloated than GRUB and straight to the point. However I noticed that whenever transactional-update updates the system and it is rebooted via rebootmgr it doesn't come up. Power-cycle (or physical reset) brings it back. Since it happens only when system is updated and 4 in the morning was tricky to debug / reproduce. But connecting serial cable and grabbing logs continuously via serial adapter got some results. Failed boot: [ 7.060054] systemd[1]: Finished dracut initqueue hook. [ 7.073731] systemd[1]: Reached target Preparation for Remote File Systems. [ 7.084405] systemd[1]: Reached target Remote File Systems. [ 7.096548] systemd[1]: Mounted ESP (/boot/efi). [ 7.108424] systemd[1]: Starting Import TPM2 credentials into the initrd... [ 7.120452] systemd[1]: Finished Import TPM2 credentials into the initrd. [ 7.132392] systemd[1]: Reached target Local Encrypted Volumes (Pre). [ 7.144416] s[ 7.411916][ T417] usb 1-1.5: New USB device found, idVendor=2109, idProduct=8822, bcdDevice= 0.01 ystemd[1]: Reach[ 7.421663][ T417] usb 1-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=3 ed target Local [ 7.431025][ T417] usb 1-1.5: Product: USB Billboard Device Encrypted Volume[ 7.438313][ T417] usb 1-1.5: Manufacturer: VIA Labs, Inc. s. [ 7.446038][ T417] usb 1-1.5: SerialNumber: 0000000000000001 [ 7.194253] systemd[1]: dracut pre-mount hook was skipped because no trigger condition checks were met. [ 7.208514] systemd[1]: Starting Validate LUKS2 devices... [ 7.220828] (alidator)[478]: measure-pcr-validator.service: Failed to set up standard input: No such device [ 7.236433] (alidator)[478]: measure-pcr-validator.service: Failed at step STDIN spawning /usr/bin/measure-pcr-validator: No such device [ 7.256440] systemd[1]: measure-pcr-validator.service: Main process exited, code=exited, status=208/STDIN [ 7.539988][ T1] kvm: exiting hardware virtualization PANIC at PC : 0x00000000430047b8 After power cycle it boots (the same entry): 6.813089] systemd[1]: Mounting ESP (/boot/efi)... [ 7.096396][ T473] FAT-fs (nvme0n1p1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck. [ OK ] Mounted ESP (/boot/efi). [ 6.843768] systemd[1]: Mounted ESP (/boot/efi). Starting Import TPM2 credentials into the initrd... [ 6.860591] systemd[1]: Starting Import TPM2 credentials into the initrd... [ 6.921616] systemd[1]: Finished Import TPM2 credentials into the initrd. [ OK ] Finished Import TPM2 credentials into the initrd. [ OK ] Reached target Local Encrypted Volumes (Pre). [ 6.945874] systemd[1]: Reached target Local Encrypted Volumes (Pre). [ OK ] Reached target Local Encrypted Volumes. [ 6.964585] systemd[1]: Reached target Local Encrypted Volumes. Starting Validate LUKS2 devices... [ 6.992444] systemd[1]: dracut pre-mount hook was skipped because no trigger condition checks were met. [ 7.004650] systemd[1]: Starting Validate LUKS2 devices... [ OK ] Finished Validate LUKS2 devices. [ 7.080373] systemd[1]: Finished Validate LUKS2 devices. [ OK ] Reached target Initrd Root Device. [ 7.104399] systemd[1]: Reached target Initrd Root Device. ``` ### Expected behavior ```text System boots Probably `FailureAction=poweroff-immediate` should not be the default option. Or maybe it would be good to allow opting out from sdbootutil-dracut-measure-pcr on a system without FDE / TPM. In any case it's quite confusing that MicroOS is positioned as a server system with automatic rollback etc, but relies on user interaction. ``` ### Product / distro MicroOS ### Architecture aarch64 ### Platform Bare metal ### Bootloader systemd-boot ### sdbootutil version 1+git20250903.f5a076b-1.1 ### System specs (paste output) ```shell ## os-release NAME="openSUSE MicroOS" # VERSION="20250908" ID="opensuse-microos" ID_LIKE="suse opensuse opensuse-tumbleweed microos sl-micro" VERSION_ID="20250908" PRETTY_NAME="openSUSE MicroOS" SYSEXT_LEVEL="glibc-2.42" ANSI_COLOR="0;32" CPE_NAME="cpe:/o:opensuse:microos:20250908" BUG_REPORT_URL="https://bugzilla.opensuse.org" SUPPORT_URL="https://bugs.opensuse.org" HOME_URL="https://www.opensuse.org/" DOCUMENTATION_URL="https://en.opensuse.org/Portal:MicroOS" LOGO="distributor-logo-MicroOS" ## uname Linux bifrost 6.13.8-7-default #1 SMP PREEMPT_DYNAMIC Mon Mar 24 08:31:14 UTC 2025 (7089702) aarch64 aarch64 aarch64 GNU/Linux ## bootctl status System: Firmware: UEFI 2.100 (Das U-Boot 8229.256) Firmware Arch: aa64 Secure Boot: disabled (setup) TPM2 Support: no Measured UKI: no Boot into FW: not supported Current Boot Loader: Product: systemd-boot 257.7+suse.22.g835af70f4e Features: ✓ Boot counting ✓ Menu timeout control ✓ One-shot menu timeout control ✓ Default entry control ✓ One-shot entry control ✓ Support for XBOOTLDR partition ✓ Support for passing random seed to OS ✓ Load drop-in drivers ✓ Support Type #1 sort-key field ✓ Support @saved pseudo-entry ✓ Support Type #1 devicetree field ✓ Enroll SecureBoot keys ✓ Retain SHIM protocols ✓ Menu can be disabled ✓ Multi-Profile UKIs are supported ✓ Boot loader set partition information Partition: /dev/disk/by-partuuid/09b685a4-f10b-4dc4-b4ae-54916ebc46ab Loader: └─//EFI/systemd/grub.efi Current Entry: opensuse-microos-6.13.8-7-default-64.conf Random Seed: System Token: not set Exists: yes Available Boot Loaders on ESP: ESP: /boot/efi (/dev/disk/by-partuuid/09b685a4-f10b-4dc4-b4ae-54916ebc46ab) File: ├─/EFI/systemd/MokManager.efi ├─/EFI/systemd/shim.efi ├─/EFI/systemd/grub.efi (systemd-boot 257.7+suse.22.g835af70f4e) ├─/EFI/BOOT/MokManager.efi ├─/EFI/BOOT/fallback.efi └─/EFI/BOOT/BOOTAA64.EFI Boot Loaders Listed in EFI Variables: Title: openSUSE Boot Manager ID: 0x0002 Status: active, boot-order Partition: /dev/disk/by-partuuid/09b685a4-f10b-4dc4-b4ae-54916ebc46ab File: └─/EFI/systemd/shim.efi Boot Loader Entries: $BOOT: /boot/efi (/dev/disk/by-partuuid/09b685a4-f10b-4dc4-b4ae-54916ebc46ab) token: opensuse-microos Default Boot Loader Entry: type: Boot Loader Specification Type #1 (.conf) title: openSUSE MicroOS 20250905 (64@6.13.8-7-default) id: opensuse-microos-6.13.8-7-default-64.conf source: /boot/efi//loader/entries/opensuse-microos-6.13.8-7-default-64.conf (on the EFI System Partition) sort-key: opensuse-microos version: 64@6.13.8-7-default linux: /boot/efi//opensuse-microos/6.13.8-7-default/linux-9892893338acbf85da2081fc774eb6bae8285280 initrd: /boot/efi//opensuse-microos/6.13.8-7-default/initrd-e9850c08121e9bed323172a579e09fbf95d6c5b6 options: systemd.log_level=info systemd.journald.forward_to_console=1 console=ttyS0,115200 security=selinux selinux=1 earlycon=uart8250,mmio32,0x11000000 root=UUID=c910cc40-f272-4b6b-bb85-82d907b41a89 rootflags=subvol=@/.snapshots/64/snapshot systemd.machine_id=59a6f67859f54af4abc674cedb68b2d7 ## lsblk NAME SIZE TYPE FSTYPE MOUNTPOINTS mmcblk0 7,3G disk ├─mmcblk0p1 4M part ├─mmcblk0p2 512K part ├─mmcblk0p3 2M part ├─mmcblk0p4 4M part ├─mmcblk0p5 256M part └─mmcblk0p6 6,8G part mmcblk0boot0 4M disk mmcblk0boot1 4M disk nvme0n1 476,9G disk ├─nvme0n1p1 500M part vfat /boot/efi └─nvme0n1p2 476,5G part btrfs /var/lib/containers/storage/volumes/dns-data/_data /var/lib/containers/storage/btrfs /var/lib/containers/storage /srv /usr/local /opt /home /boot/writable /.snapshots /var /root /etc / ## systemd-detect-virt none ## sdbootutil version sdbootutil-1+git20250903.f5a076b-1.1.aarch64 ```