Subiquity 23.10.1 has been released to the stable channel

TPM-backed full disk encryption

Particularly notable in this release is the support for TPM-backed full disk encryption. See the Ubuntu blog for details. Note that TPMFDE requires ISOs that are constructed with this feature in mind, which only applies to the mantic-desktop ISO today.

TPMFDE can be triggered with autoinstall:

storage:
  layout:
    name: hybrid
    encrypted: yes

Guided ZFS

New in this release is the support for Guided ZFS, which is available for Desktop and Autoinstall. The guided ZFS structure is brought from Ubiquity and is very similar. (Encrypted Guided ZFS support is planned for 24.04.)

To use ZFS from autoinstall, configure:

storage:
  layout:
    name: zfs

For Server installs, a recovery key option is now available.

Bugfixes

  • CVE-2023-5182 (PR: 1820) - Address CVE by ensuring the autoinstall-user-data file is not readable by the adm group. The file contains the hashed password of a user with sudo capability.
  • LP: #2009141 (PR: 1806) - Rework udev events handling in the storage code so that Subiquity does not crash if a large burst of events occurs.
  • LP: #2037133 (PR: 1807) - Fix incorrect documentation. The locale is not implicitly made interactive when another section is marked interactive.
  • LP: #2032961 (PR: 1811) - Ensure we run early and late commands with a clean environment to avoid potential failures in focal.
  • LP: #2017278 (PR: 1812) - Fix crash when attempting to install ubuntu-restricted-addons during an offline install. Subiquity will now warn and skip the package instead. An additional change in the desktop installer was done to ensure that the installation is not wrongly considered offline in some scenarios.
  • LP: #2017862 (Probert PR: 136, Curtin MP: 442225) - Fix partitioning failure when existing GPT partitions have UTF-8 partition names
  • LP: #2039084 (PR: 1669, Curtin MP: 441769) - Fix partitioning failure when a swap partition is placed in an extended partition
  • LP: #2018280 (PR: 1671) - Ensure curtin does not reorder UEFI boot entries since it is unsupported on Dell XPS and some other platforms
  • PR: 1687 - Fix crash when a cloud-config is sent that adjusts the users but creates no default user
  • LP: #2023265 (PR: 1688) - Fix list of third-party drivers considered empty when it has not yet finished being retrieved
  • LP: #2029028 (PR: 1701) - Prevent Subiquity from discarding configuration in /etc/apt being deployed by deb packages
  • PR: 1718 - Fix invalid source ID in documentation (ubuntu-server-minimized → ubuntu-server-minimal)
  • PR: 1747 - Ensure that running snap start subiquity.probert works as intended
  • PR: 1777 - Fix crash when refreshing the installer as part of an automated installation
  • LP: #2039076 (PR: 1780) - Fix wrong order of lower layers when building an overlay – resulting in inconsistencies when listing third-party drivers
  • LP: #2039075 (PR: 1782) - Fix invalid use of x-error-msg when the error message contains a newline character
  • LP: #2039086 (PR: 1786) - Fix crash occurring upon accessing the Help menu after creating a bond interface
  • LP: #2034270 (PR: 1787) - Fix crash when using guided storage with a small disk
  • LP: #2012659 (PR: 1789) - Fix crash when a Wi-Fi or Ethernet interface gets removed from the system
  • PR: 1796 - Fix crash when reusing an existing RAID
  • LP: #2039090 (PR: 1797) - Disable unattended-upgrade minimal steps to speed up the installation
  • LP: #2035034 (Curtin MP: 451298) - Fix curtin failing to handle partitions on 4k sector disks
  • LP: #2039080 (PR: 1808) - Fix race condition sometimes causing an early crash when using the desktop installer
  • LP: #2039082 (PR: 1814) - Prevent Subiquity from restarting costly operations when selecting the same source (e.g., ubuntu-desktop-minimal) multiple times.
  • PR: 1819 - Ensure cloud-init logs on the target system are owned by root since syslog:adm is not necessarily the same as that of the installer environment
  • LP: #1933055 (PR: 1757) - Ensure the client saves the TUI mode (i.e., rich vs monochrome), so that it is restored after updating the installer

Bugfixes that are already in the stable channel but new since 23.04

  • LP: #2033977 (PR: 1790) - Ensure the security archive is set to the proper URL
  • LP: #2013201 (PR: 1759) - When setting the size of a partition, Subiquity may crash with an error about “size or offset not aligned”

Full Changelog: https://github.com/canonical/subiquity/compare/23.04.2...23.10.1

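An audit for the class of exposure behind the CVE-2023-5182 entry above, as an added example that is not Subiquity code: it lists files under a directory that contain a crypt(3)-style password hash and are readable by group or other. The function names and the sample tree are hypothetical, the directory is passed as an argument because the release notes do not give the file's location, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not Subiquity code. Assumes GNU stat and grep -E.

# Succeeds if FILE contains a string shaped like a crypt(3) hash ($6$, $y$, ...).
has_crypt_hash() {
    grep -Eq '\$(1|5|6|y|2[aby])\$[./A-Za-z0-9$=,]{8,}' "$1" 2>/dev/null
}

# Succeeds if FILE's mode grants read access to group or other.
readable_beyond_owner() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 044 )) -ne 0 ]
}

# Print "MODE OWNER:GROUP PATH" for every regular file under DIR that
# both holds a password hash and is readable by someone besides its owner.
find_exposed_hashes() {
    find "$1" -type f | while IFS= read -r f; do
        if has_crypt_hash "$f" && readable_beyond_owner "$f"; then
            printf '%s %s\n' "$(stat -c '%a %U:%G' "$f")" "$f"
        fi
    done
}

# Constructed sample tree standing in for an installer log directory.
# The hash below is made up for the demonstration.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'password: "$6$constructedsalt$AAAAAAAAAAAAAAAAAAAAAAAA"' \
        > "$1/user-data-leaky"
    cp "$1/user-data-leaky" "$1/user-data-tight"
    echo 'no secrets here' > "$1/plain.log"
    chmod 640 "$1/user-data-leaky"   # group-readable: should be reported
    chmod 600 "$1/user-data-tight"   # owner-only: should be ignored
    chmod 644 "$1/plain.log"         # world-readable but holds no hash
}

sample=$(mktemp -d)
make_sample "$sample"
find_exposed_hashes "$sample"
rm -rf "$sample"
```

On a real host, call `find_exposed_hashes` on the directory where the installer leaves its logs and check the reported group against the accounts that belong to it.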

Perfect! Just what we were looking for to build our new encrypted Linux workstations.

Although I have run into an issue already when testing this. I get the following error:

"can only use name: hybrid when installing core boot classic"

Are there any other parameters that need to be set to get this working? Below is my autoinstall config.

autoinstall:
  version: 1
  locale: en_GB.UTF-8
  keyboard:
    layout: gb
  kernel:
    flavor: generic
  apt:
    geoip: true
    preserve_sources_list: false
    primary:
      - arches: [default]
        uri: 'http://archive.ubuntu.com/ubuntu'
  identity:
    hostname: unassigned-hostname
    username: redacted
    realname: redacted
    password: 'redacted'
  ssh:
    install-server: true
    authorized-keys: []
    allow-pw: true
  storage:
    grub:
      reorder_uefi: false
    layout:
      name: hybrid
      encrypted: yes
  user-data:
    timezone: Europe/London

I think I see the issue:

I didn’t read carefully enough. I was using the server ISO, since that’s what we’ve previously been doing. I will test again once the Desktop ISO has been released again :sweat_smile:

I’ve tested this again with the new desktop ISO and although the installer seems to complete successfully, after a reboot the device always asks for the recovery key, which I obviously cannot retrieve, since you can only get it from the booted system.

Manual installation works fine, but I have tested autoinstall on a VM and physical laptop and both fail as above.

For anyone else having the same issue, I’ve opened a bug report here: https://bugs.launchpad.net/ubuntu-desktop-installer/+bug/2039557