Hello everyone,
I’m kind of a newbie here, so maybe I’m missing something. The issue is that every boot is slowed down by “A start job is running for /dev/tpmrm0 (13s / 1min 30s)”. I had this problem before on Arch and it was fixed with systemctl mask dev-tpmrm0.device. Is there a way to implement this command in configuration.nix or fix it somehow in another way (leaving it declarative)? Also, I can’t turn off TPM in my BIOS; there’s literally no option for it.
What I already tried:
security.tpm2.enable = false;
boot.initrd.systemd.tpm2.enable = false;
systemd.services.tpm2.enable = false;
systemd.services.dev-tpmrm0.enable = false;
systemd.services.systemd-tpm2-setup.enable = false;
systemd.services.dev-tpm2.wantedBy = lib.mkForce [ ];
systemd.services.tpm2.wantedBy = lib.mkForce [ ];
systemd.services.dev-tpmrm0.wantedBy = lib.mkForce [ ];
systemd.services.systemd-tpm2-setup.wantedBy = lib.mkForce [ ];
systemd.services = {
  dev-tpmrm0 = {
    enable = false;
    restartIfChanged = false;
  };
};
Yeah, I’m feeling desperate at this point. You’re my last hope, guys. Thanks in advance.
It’s not a service unit, it’s a device unit. NixOS doesn’t have an interface for managing device units, except for the more auxiliary systemd.units option.
systemd.units."dev-tpmrm0.device".enable = false;
That said, the option you should use is systemd.tpm2.enable = false;, which disables the systemd unit hierarchy for TPM2 things altogether in stage 2 (boot.initrd.systemd.tpm2.enable controls the same thing but in stage 1 (and only for boot.initrd.systemd.enable = true;)). The security.tpm2.enable option is different, and IIRC is more about enabling the TPM2 access daemon that allows arbitrary users to use it for things safely, and isn’t enabled by default.
As an aside, I find this problem frustrating. Basically, the platform / firmware is indicating to the OS that a TPM2 is present, but there’s almost certainly a bug in either the firmware or the kernel that prevents the kernel from being able to use it. As a result, systemd just waits around dumbly waiting for a kernel device for it that’s never going to show up because the kernel driver already failed. I really wish systemd had some way to detect the TPM2 driver failure and fail the device unit early. See here for some more discussion on this: kernel: tpm_crb MSFT0101:00: can't request region for resource [mem 0xdc795000-0xdc795fff] · Issue #33412 · systemd/systemd · GitHub
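Putting the reply’s points together as one declarative module (an added example, not code from the thread or from NixOS itself): the option names are the NixOS options named above; the module path you import it from is up to you.

```nix
# Added example: disables the TPM2 unit hierarchy in both boot stages and
# masks the device unit that the slow start job waits on.
{ config, lib, ... }:

{
  # Stage 2: drop the systemd TPM2 unit hierarchy entirely, so nothing in
  # the normal boot pulls in dev-tpmrm0.device and waits on it.
  systemd.tpm2.enable = false;

  # Stage 1: same thing inside the initrd. This only has an effect when the
  # systemd-based initrd (boot.initrd.systemd.enable = true) is in use;
  # with the scripted initrd it is simply ignored.
  boot.initrd.systemd.tpm2.enable = false;

  # Device units have no systemd.services entry; use the generic
  # systemd.units option instead. enable = false links the unit to
  # /dev/null, which is the declarative equivalent of
  # `systemctl mask dev-tpmrm0.device`.
  systemd.units."dev-tpmrm0.device".enable = false;
}
```

After a rebuild, `systemctl status dev-tpmrm0.device` should report the unit as masked and the 1min 30s job should no longer appear in `systemd-analyze blame` or the boot log.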
Thanks!! It worked! Appreciate the detailed answer.
Oh, and I feel a little stupid for confusing service and device when it’s clearly written “tpmrm0.device”.