After UEFI dbx firmware update TPM auto-unlock doesn't work anymore

I have a TPM-backed FDE Ubuntu 24.04.2 install. After the dbx firmware update, automatic TPM unlocking does not work any more and I have to use the backup key (snap recovery --show-keys) to unlock the FDE.
How can I re-activate TPM auto-unlock?

The dbx update changed Secure-Boot variables, so PCR 7 in the TPM now has a different hash.
Your LUKS key was sealed to PCR 7 (default is 0+2+7), so the TPM refuses to unseal it.
You just need to wipe the old TPM token and enrol a fresh one that matches the new PCR
values (or drop PCR 7 entirely).


One-minute fix

Boot once with your recovery passphrase (the one from snap recovery --show-keys).
Open a terminal and find the LUKS device, e.g. with lsblk -f (here it is /dev/nvme0n1p3).
Re-enrol the disk in the TPM:

# wipe the old TPM slot
sudo systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2

# add a new token; keep only PCR 0+2 (safer against future dbx updates)
# --tpm2-device=auto selects the TPM and makes the enrolment explicit
sudo systemd-cryptenroll /dev/nvme0n1p3 --tpm2-device=auto --tpm2-pcrs=0+2

Re-create the initramfs so the new token is packed in:

sudo update-initramfs -u -k all

Reboot. The volume should auto-unlock again.

(If you’d rather keep PCR 7, omit the --tpm2-pcrs line; just be aware you’ll have to repeat this after every future Secure-Boot/dbx change.)


That’s it: the disk key is now sealed to the current PCR values, and TPM
auto-unlock works like before. Keep the recovery key somewhere safe in case the
next firmware update changes things again.

You cannot do that with a snap-based kernel (snaps are read-only, GPG-signed filesystem images, with no way to change their content).

The TPM implementation offered by the installer uses a snap kernel…

Right, update-initramfs can’t touch it, but the good news is it doesn’t need to.

systemd-cryptsetup in the initramfs discovers TPM2 tokens by reading the LUKS
header directly; it doesn’t rely on a freshly rebuilt initramfs.
So the only steps you really have to run after a dbx change are the two
systemd-cryptenroll commands:

# 1 – boot once with the recovery passphrase, then:
sudo systemd-cryptenroll /dev/nvme0n1p3 --wipe-slot=tpm2
# --tpm2-device=auto makes the TPM enrolment explicit; omit --tmp2-pcrs to keep PCR 7
sudo systemd-cryptenroll /dev/nvme0n1p3 --tpm2-device=auto --tpm2-pcrs=0+2

That writes a brand-new TPM2 token into the LUKS header.
After you reboot (sudo reboot or snap reboot) the snapped kernel’s
initramfs will find that token automatically and the disk will unlock again;
no update-initramfs step required.

If you ever move back to a deb-packaged kernel you’d run update-initramfs,
but with the snap kernel you can skip that part safely.