Enabling secure boot and full disk encryption on Ubuntu Core

Summary: Learn how to enable Full Disk Encryption (FDE) and Secure Boot on Ubuntu Core for devices with Trusted Platform Module (TPM) support.
Categories: iot
Difficulty: 2
Author: david.beamonte@canonical.com

Overview

Duration: 2:00

In this tutorial, we will show how simple it is to enable Full Disk Encryption (FDE) and Secure Boot on Ubuntu Core on platforms with Trusted Platform Module (TPM) support. A quick introduction to the concepts is followed by a simple walk-through of preparing and flashing an Intel NUC image.

FDE and Secure Boot are key security features incorporated into the Ubuntu Core 20 release, complementing the out-of-the-box security characteristics already available in previous versions.

Bear in mind that Ubuntu Core is production-friendly, not necessarily developer-friendly. We recommend you use Ubuntu Core for “fire and forget” purposes where you won’t want to iterate on the software.

With Ubuntu Core, you are able to execute remote updates and patches for your appliances and devices, but for development and prototyping, we recommend Ubuntu Server. Let’s start!

What you’ll learn

  1. Full Disk Encryption and Secure Boot fundamentals
  2. FDE and Secure Boot enablement

What you’ll need

  • An Ubuntu SSO account with an SSH key
  • An Intel NUC with BIOS updated to the latest version (update instructions)
  • 2 USB 2.0 or 3.0 flash drives (2GB minimum)
  • A monitor with an HDMI interface
  • A Mini HDMI to HDMI cable
  • A USB keyboard and a mouse
  • A monitor with VGA or HDMI interface
  • A VGA or HDMI cable
  • A network connection with Internet access
  • An Ubuntu Desktop 20.04.1 LTS image
  • An Ubuntu Core image

Understanding FDE and Secure Boot

Duration: 3:00

Fundamentals of FDE

Ubuntu Core 20 uses full disk encryption (FDE) whenever the hardware allows, protecting both the confidentiality and integrity of a device’s data when there’s physical access to a device, or after a device has been lost or stolen.

Built-in FDE support requires both UEFI Secure Boot and TPM (Trusted Platform Module) support, but its implementation in Ubuntu Core is generic and widely compatible to help support a range of hardware. TPM-based FDE seals the FDE secret key to the full EFI state, including the kernel command line, which is subsequently unsealed by the initrd code in the secure-boot protected kernel.efi at boot time.
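The sealing described above is easier to reason about with a small model. The following Python is an added example, not code from Ubuntu Core or snapd: it simulates a SHA-256 PCR bank, measures a constructed boot chain (shim, GRUB, kernel.efi and the kernel command line) into it, seals a data-partition key to the resulting PCR value, and shows that the key is released only when the identical chain is measured again. The root key, the measurement strings and the toy wrap/unwrap construction are all assumptions made for the demonstration; a real TPM keeps the storage root key in hardware and enforces the PCR policy inside the chip.

```python
"""Toy model of a TPM-sealed full disk encryption key (added example)."""
import hashlib
import hmac
from typing import List, Optional, Tuple

PCR_SIZE = 32  # SHA-256 PCR bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(events: List[bytes]) -> bytes:
    """Extend every boot component, in order, into one PCR that starts at all zeros."""
    pcr = bytes(PCR_SIZE)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr


def _wrapping_key(srk: bytes, pcr: bytes) -> bytes:
    # Key protecting the sealed blob, derived from the TPM-held root key and
    # the PCR value the blob is bound to. Changing either changes the key.
    return hmac.new(srk, b"seal-policy" + pcr, hashlib.sha256).digest()


def seal(srk: bytes, pcr: bytes, secret: bytes) -> Tuple[bytes, bytes]:
    """Return (ciphertext, tag) for a 32-byte secret bound to the given PCR value."""
    if len(secret) != PCR_SIZE:
        raise ValueError("toy sealer handles 32-byte secrets only")
    key = _wrapping_key(srk, pcr)
    keystream = hashlib.sha256(key + b"keystream").digest()
    ciphertext = bytes(a ^ b for a, b in zip(secret, keystream))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def unseal(srk: bytes, pcr: bytes, blob: Tuple[bytes, bytes]) -> Optional[bytes]:
    """Recover the secret only if the current PCR equals the one it was sealed to."""
    ciphertext, tag = blob
    key = _wrapping_key(srk, pcr)
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # policy mismatch: the "TPM" refuses to release the key
    keystream = hashlib.sha256(key + b"keystream").digest()
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


# Constructed boot chain: firmware measures each component before running it.
TRUSTED_BOOT = [
    b"shim.efi:sha256:<constructed digest>",
    b"grub.efi:sha256:<constructed digest>",
    b"kernel.efi:sha256:<constructed digest>",
    b"cmdline:console=ttyS0 snapd_recovery_mode=run",
]
SRK = hashlib.sha256(b"constructed storage root key").digest()
FDE_KEY = hashlib.sha256(b"constructed data-partition key").digest()


def demo() -> Tuple[bool, bool]:
    """Seal the FDE key at install time, then attempt unsealing on two later boots."""
    blob = seal(SRK, measure_boot(TRUSTED_BOOT), FDE_KEY)

    # Boot 1: identical components and identical command line -> key released.
    same_boot_ok = unseal(SRK, measure_boot(TRUSTED_BOOT), blob) == FDE_KEY

    # Boot 2: same binaries, but one extra kernel parameter -> PCR differs, unseal fails.
    altered = TRUSTED_BOOT[:-1] + [b"cmdline:console=ttyS0 snapd_recovery_mode=run extra=1"]
    altered_boot_refused = unseal(SRK, measure_boot(altered), blob) is None
    return same_boot_ok, altered_boot_refused


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The point to take from the second boot is the one the paragraph makes: because the command line is part of the measured state, even a change that leaves every signed binary intact produces a different PCR value, and the sealed key stays locked.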

For further reading about FDE, you can find the key aspects here and more extensive documentation can be found here.

Fundamentals of Secure Boot

The boot process is a critical point of exposure for a computer if it is not secured. Booting is the initial stage of the computing cycle: the kernel, hardware peripherals and user-space processes are all started at boot, so a vulnerability in boot firmware can have cascading effects on the entire system.

Secure Boot is a boot mode that denies the execution of any software that is not signed and certified, assuring software integrity.

You can read the full Secure Boot story here.

Understanding model assertion

Using the FDE and Secure Boot features in Ubuntu Core is as simple as selecting the right image to flash. Ubuntu Core does the rest for you at boot time.

Although it is possible to build your own Ubuntu Core images, the easiest starting point for any user is to make use of pre-built images. The latest stable images can always be found here.

In either case, each image has an associated model assertion file, a text-based document that contains the fundamental definition of the image for a specific device. It describes what the system image includes and is signed by the brand account owning the device definition.

There are two key fields in the model assertion file related to FDE and Secure Boot:

  • grade: It indicates the overall degree of security of the image
  • storage-safety: It reflects the preferred mode of filesystem encryption

Grade and storage-safety are tightly coupled, and their combination, along with the platform’s hardware TPM support, results in one of the following operation modes:

  • Encrypted: Filesystem gets encrypted on first boot.
  • Unencrypted: Filesystem is not encrypted.
  • Error output: The image doesn’t boot. An error message is generated.
  • Invalid: It’s not possible to generate an image with such a combination.

These are summarized in the following table:

More detailed information on image building and model assertion files can be found in the Ubuntu Core Documentation.

Selecting the image

Duration: 3:00

As described in the previous section, using FDE and Secure Boot is just a matter of choosing the right image for your platform.

Prebuilt images

If you are using a standard platform with hardware TPM support, such as an Intel NUC, you will probably want to use a prebuilt image, following the steps below:

  1. Download the latest image from here
  2. Download also the model assertion file and make sure the right combination of grade and storage-safety is set for your platform according to the previous table

Note: For Intel NUC platforms, the pre-built image [link to the download URL] enables FDE and Secure Boot by default. This can be checked in the model assertion file [link to the assertion file URL].

Custom images

If you are using your own board, or if a custom self-built image is going to be used, you must ensure that the combination of platform (hardware TPM support), grade and storage-safety makes FDE and Secure Boot support possible. The steps below must be followed:

  1. Check that your board has HW TPM support
  2. Generate a new model assertion file according to these instructions, setting the appropriate grade and storage-safety options:

     {
         …
         "grade": "signed",
         "storage-safety": "prefer-encrypted",
         …
     }

  3. Build your own image as described here
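Before signing and building, it is worth checking that the grade and storage-safety you chose will actually give an encrypted device on your hardware. The following Python is an added example, not tooling from the Ubuntu Core project: it loads a JSON model document of the shape shown in step 2, reads `grade` and `storage-safety`, and predicts which of the four operation modes (encrypted, unencrypted, error, invalid) results with or without a hardware TPM. The grade/storage-safety mapping and the storage-safety defaults are this example’s reading of the Ubuntu Core documentation and should be treated as assumptions, as are the placeholder account ids, snap ids and timestamp in the constructed sample model.

```python
"""Pre-flight check of a model assertion's FDE-related fields (added example)."""
import json

GRADES = ("dangerous", "signed", "secured")
STORAGE_SAFETY = ("prefer-unencrypted", "prefer-encrypted", "encrypted")


def default_storage_safety(grade: str) -> str:
    # Assumed defaults: a secured image must be encrypted; other grades prefer encryption.
    return "encrypted" if grade == "secured" else "prefer-encrypted"


def expected_mode(grade: str, storage_safety: str, has_tpm: bool) -> str:
    """Predict the operation mode; mapping assumed from the Ubuntu Core docs."""
    if grade not in GRADES:
        raise ValueError(f"unknown grade {grade!r}")
    if storage_safety not in STORAGE_SAFETY:
        raise ValueError(f"unknown storage-safety {storage_safety!r}")
    # A secured grade does not permit a "prefer-*" policy: the image cannot be built.
    if grade == "secured" and storage_safety != "encrypted":
        return "invalid"
    if storage_safety == "prefer-unencrypted":
        return "unencrypted"
    if storage_safety == "prefer-encrypted":
        # Encryption is used when a TPM is present, otherwise the device falls back.
        return "encrypted" if has_tpm else "unencrypted"
    # storage-safety == "encrypted": no fallback, the device fails to boot without a TPM.
    return "encrypted" if has_tpm else "error"


def check_model(model_json: str, has_tpm: bool) -> str:
    """Parse a JSON model document and return the predicted mode for this platform."""
    model = json.loads(model_json)
    if model.get("type") != "model":
        raise ValueError("not a model assertion document")
    if "grade" not in model:
        raise ValueError("model has no grade field")
    grade = model["grade"]
    storage_safety = model.get("storage-safety", default_storage_safety(grade))
    return expected_mode(grade, storage_safety, has_tpm)


# Constructed sample model; account ids, snap ids and timestamp are placeholders.
SAMPLE_MODEL = """
{
  "type": "model",
  "series": "16",
  "authority-id": "<your-account-id>",
  "brand-id": "<your-account-id>",
  "model": "example-nuc-fde",
  "architecture": "amd64",
  "base": "core20",
  "grade": "signed",
  "storage-safety": "prefer-encrypted",
  "snaps": [
    {"name": "pc-kernel", "type": "kernel", "default-channel": "20/stable", "id": "<kernel-snap-id>"},
    {"name": "pc", "type": "gadget", "default-channel": "20/stable", "id": "<gadget-snap-id>"}
  ],
  "timestamp": "2021-01-01T00:00:00+00:00"
}
"""


if __name__ == "__main__":
    for tpm_present in (True, False):
        print(f"TPM present: {tpm_present} -> {check_model(SAMPLE_MODEL, tpm_present)}")
```

For the sample above the prediction is "encrypted" with a TPM and "unencrypted" without one, which is exactly the silent fallback a practitioner wants to catch before shipping: if the device must never run unencrypted, set storage-safety to "encrypted" so a missing TPM produces a boot error instead.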

Flashing the image

Once you have selected the image, the process of flashing and first configuration of the board does not differ from the standard flashing process. The Intel NUC flashing process can be found here.

And that’s it!

Wrapping up

Full Disk Encryption and Secure Boot are key features of Ubuntu Core. They don’t need to be specifically enabled during configuration or on-boarding; they are out-of-the-box features which will be applied if the combination of platform and image model assertion allows it.

In summary, security is no longer an option but a compulsory feature with Ubuntu Core when hardware TPM is available on the platform, making the process as simple as installing the image on the device.

Further reading

I was looking for more basic information: (e.g.) I didn’t realize that Secure Boot was not for a current Laptop with TPM that typically comes with secure Windows 11. I wanted to make this new HP Spectre x360 dual boot.

with UbuntuCore ?
(Ubuntu Core is designed for things like embedded computing, IoT, industrial, digital signage, automotive, consumer electronics and robotics …)

Until I read through it I didn’t know. But why not with 20.04 or 22.04 LTS? I almost had it with Win10 on a Asus. It had some intermittent hardware (wireless). So I got the HP Spectre.

I’m pretty sure there is working secure boot for Ubuntu Desktop in the installer.

The above is documentation for Ubuntu Core though which is designed (and functions) quite differently to Ubuntu Desktop or Server installations …

Thanks, but so far nothing. In the Server Manual they elude to it in UEFI section. But that is all. Also, there is a certified hardware list - but they are older, and am not sure they are secure boot.

You should probably open a new topic in the Desktop category (I don’t think there is any unattended secure-boot implementation for server yet) … this here is really a documentation page that is used as the data input for:

A discussion about secure-boot on Desktop or Server should really take place in a new thread in the proper category …