Installation issue with hardware encryption

Hello everyone,
I’m trying out Ubuntu 26.04.
I’m using a Ryzen 5700X, 32 GB of RAM, and a B550 motherboard.
When I try to install with hardware encryption, I get this error message:

Hardware-backed encryption could not be enabled
This computer does not have the required security hardware (TPM 2.0) for this encryption method.
Contact IT support, or choose a different encryption method.
Learn more about hardware-backed encryption
Technical details
NO SUITABLE TPM2 DEVICE
error with TPM2 device: TPM2 device is present but it is not a PC-Client

I ran a TPM clear; FTPM is enabled, as are Secure Boot and IOMMU.

On Ubuntu 25.10, I get the same error message.

Any ideas, please?

Thanks and have a great day.

There is another thread where TPM support has been tested during the 26.04 development cycle, perhaps people in there could help…

1 Like

Thanks, I saw that post. However, the error message is different.

Note that BitLocker works perfectly on Windows 11.

It seems you are hitting a known edge case with the TPM-backed Full Disk Encryption (FDE) implementation on Ubuntu 26.04. Even though your Ryzen 5700X and B550 board support fTPM and work fine with BitLocker, Ubuntu’s installer (Subiquity) has stricter requirements for PCR7 measurements.

The “NO SUITABLE TPM2 DEVICE” error often points to a configuration mismatch rather than a hardware failure. Check this:

  • Secure Boot Mode: Ensure Secure Boot is set to “Standard Mode” in your BIOS, not “Custom Mode.” If you have previously enrolled your own keys or cleared them, try resetting to “Restore Factory Keys.”
  • Third-party Drivers: Did you select the option to “Install third-party software for graphics and Wi-Fi” during the setup? Currently, TPM-FDE is often incompatible with proprietary drivers during the initial install phase. Try a clean install without checking that box to see if the option becomes available.
  • CSM (Compatibility Support Module): Make sure CSM is completely Disabled. TPM-backed encryption requires a pure UEFI environment.
  • Disk Partition Table: Ensure your target drive is using a GPT partition table. Legacy MBR will cause the TPM check to fail immediately.

Since it works on Windows 11, your hardware is definitely capable. This is likely a matter of the installer not being able to validate the Secure Boot chain to its satisfaction.

2 Likes

This error is a bit of a classic when dealing with modern Linux distributions (like Ubuntu, Fedora, or Arch) on hardware that doesn’t follow the standard PC-Client specification. Essentially, your system sees a TPM 2.0 chip, but it can’t communicate with it because the driver expects a standard PC interface and the hardware is providing something else (often found on ARM devices, certain servers, or virtual machines).

Here is how to troubleshoot and potentially fix this.


1. Check BIOS/UEFI Settings

The most common cause is a setting in your firmware that defines how the TPM is exposed to the Operating System.

  • TPM Mode: Look for a setting to toggle between PTT (Intel), fTPM (AMD), and Discrete TPM. If you have a discrete chip but it’s set to firmware mode (or vice versa), the driver may mismatch.
  • Interface Type: Some BIOS allow you to switch between TIS (TPM Interface Specification) and CRB (Command Response Buffer). Modern Linux kernels generally prefer CRB for TPM 2.0.
  • Clear TPM: Sometimes the TPM state is “hung.” Clearing it from the BIOS (note: this deletes your encryption keys!) can reset the interface.

2. Kernel Module Conflicts

The error “not a PC-Client” usually means the tpm_tis driver (the standard PC driver) tried to grab the device but realized it isn’t a standard PC-Client chip.

You can try forcing the kernel to use a more generic driver or reloading the modules. Try running these commands to see what’s happening:

dmesg | grep -i tpm
lsmod | grep tpm

If you see tpm_tis failing, you might need to ensure tpm_crb is loaded instead.

2 Likes

Thank you all; I’ll look into it.

I went into the BIOS. The TPM chip is in CRB mode.

Here are the results of the commands:

dmesg | grep -i tpm
[ 0.000000] efi: ACPI=0xbcc36000 ACPI 2.0=0xbcc36014 TPMFinalLog=0xbcc00000 SMBIOS=0xbda24000 SMBIOS 3.0=0xbda23000 MEMATTR=0xb97b6118 ESRT=0xb254ce18 MOKvar=0xbda6a000 INITRD=0xb7761118 RNG=0xbc907018 TPMEventLog=0xbc8e0018
[ 0.004068] ACPI: TPM2 0x00000000BC8FE000 00004C (v04 ALASKA A M I 00000001 AMI 00000000)
[ 0.004095] ACPI: Reserving TPM2 table memory at [mem 0xbc8fe000-0xbc8fe04b]
[ 2.787038] tpm_crb MSFT0101:00: Disabling hwrng
[ 16.505361] systemd[1]: systemd 259.5-0ubuntu3 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +BTF -XKBCOMMON -UTMP +SYSVINIT +LIBARCHIVE)
[ 16.984359] systemd[1]: systemd-pcrextend.socket - TPM PCR Measurements skipped, unmet condition check ConditionSecurity=measured-uki
[ 16.984370] systemd[1]: systemd-pcrlock.socket - Make TPM PCR Policy skipped, unmet condition check ConditionSecurity=measured-uki
[ 17.026817] systemd[1]: systemd-pcrmachine.service - TPM PCR Machine ID Measurement skipped, unmet condition check ConditionSecurity=measured-uki
[ 17.026844] systemd[1]: systemd-pcrproduct.service - TPM NvPCR Product ID Measurement skipped, unmet condition check ConditionSecurity=measured-uki
[ 17.027648] systemd[1]: systemd-tpm2-setup-early.service - Early TPM SRK Setup skipped, unmet condition check ConditionSecurity=measured-uki
[ 17.143901] systemd[1]: systemd-tpm2-setup.service - TPM SRK Setup skipped, unmet condition check ConditionSecurity=measured-uki
[ 17.143921] systemd[1]: systemd-pcrnvdone.service - TPM PCR NvPCR Initialization Separator skipped, unmet condition check ConditionSecurity=measured-uki

lsmod | grep tpm => no response

How can I force the kernel to use a more generic driver or reload modules, please?

1 Like

Try the “tpm_tis” Fix: Add tpm_tis.interrupts=0 to your kernel boot parameters. This forces the driver to use “polling” instead of “interrupts,” which bypasses many firmware bugs.

  1. Edit /etc/default/grub.
  2. Add the parameter to the GRUB_CMDLINE_LINUX_DEFAULT line:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash tpm_tis.interrupts=0"

  3. Update your grub (sudo update-grub) and reboot.

1 Like

I would like to offer this discussion the official information on TPM FDE hardware requirements.

Official Ubuntu information of TPM FDE hardware requirements

Regards

Thanks, everyone.
Things are looking up. I’ve made some progress. Now I’m getting a “PCR7” error. It’s telling me to set Secure Boot to deployed mode. But I’ve already configured Secure Boot correctly.
Just so you know, I have the latest BIOS version.
Any ideas?

1 Like

I have the same error message. Motherboard is Gigabyte X870E Aorus Pro X3D, and the Secure Mode is enabled and active, showing System Mode as “User”. There is no option to change it to “Deployed” though, so I’m not sure how to proceed with the installation.
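
The Secure Boot mode discussed in the last two posts can also be read from the running system rather than from the firmware menu. The script below is an added example, not part of any post in this thread and not the installer's own check: it reads the UEFI global variables SetupMode, AuditMode and DeployedMode from efivarfs and reports the resulting mode plus the TPM major version from sysfs. The function names and the overridable directory arguments are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report UEFI Secure Boot mode and TPM version from Linux.
# Directory arguments exist only so the functions can run on constructed files.
EFI_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # UEFI global variable GUID

# efi_flag NAME [DIR]: print the 1-byte value of a global EFI variable,
# or "absent". efivarfs files start with 4 attribute bytes, then the data.
efi_flag() {
    f="${2:-/sys/firmware/efi/efivars}/$1-$EFI_GUID"
    [ -r "$f" ] || { echo absent; return; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
    echo
}

# secure_boot_mode [DIR]: map the variables to a Secure Boot mode name.
#   SetupMode=1, AuditMode=0 -> setup     SetupMode=1, AuditMode=1 -> audit
#   SetupMode=0, DeployedMode=0 or absent -> user
#   SetupMode=0, DeployedMode=1 -> deployed
secure_boot_mode() {
    dir="${1:-/sys/firmware/efi/efivars}"
    # No efivars directory: booted via legacy BIOS/CSM, or efivarfs missing.
    [ -d "$dir" ] || { echo not-uefi; return; }
    setup=$(efi_flag SetupMode "$dir")
    audit=$(efi_flag AuditMode "$dir")
    deployed=$(efi_flag DeployedMode "$dir")
    if [ "$setup" = absent ]; then
        echo unknown
    elif [ "$setup" = 1 ]; then
        if [ "$audit" = 1 ]; then echo audit; else echo setup; fi
    elif [ "$deployed" = 1 ]; then
        echo deployed
    else
        echo user
    fi
}

# tpm_version [DIR]: TPM major version as reported by the kernel, or "absent".
tpm_version() {
    f="${1:-/sys/class/tpm/tpm0}/tpm_version_major"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

echo "SecureBoot=$(efi_flag SecureBoot) mode=$(secure_boot_mode)" \
     "DeployedMode=$(efi_flag DeployedMode) TPM=$(tpm_version)"
```

A result of `mode=user` with `DeployedMode=absent` means the firmware does not expose the DeployedMode variable at all, which is a different situation from `DeployedMode=0`.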