TPM-backed Full Disk Encryption is coming to Ubuntu - Discussion

Article: https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu

2 Likes

Based on my understanding of the article, I have one concern that I hope is addressed.

If my computer was stolen under this system, they’d be able to boot into GDM. If they were somehow able to gain root privileges, they would be able to access user files.

Fedora is considering an encryption approach that may be able to rectify that issue (https://pagure.io/fedora-workstation/blob/master/f/notes/encryption.md). Basically, the OS itself is encrypted and automatically decrypted using the TPM, but the user home is separately encrypted and only unlocked after logging in using GDM.

Is my understanding of encryption and TPM here correct? If so, would Fedora’s approach also be reasonable to include in Ubuntu? What possible downsides would it bring?

2 Likes

Yes, I think your assumption is correct. Someone could try to brute-force your local admin or root password from the booted system.
But I’m pretty sure both PAM and GDM have some rate limiting for incorrect password entry, which should help slow down the process.

You could also configure pam_faillock.so, which allows you to lock user accounts after X failed login attempts.

Sure, if the attacker REALLY wanted your data, they could spend months or years brute-forcing the login, but Ubuntu’s solution is a pretty good solution which takes encryption more into parity with BitLocker on Windows.

From an enterprise perspective, TPM-backed encryption sounds like it would be a game changer for managed Linux laptops, since we can set up the devices and have them unlock without affecting the user experience.

2 Likes

Maybe not the highlight of the announcement, but I think having the kernel available as a snap is pretty cool.

The reason being, you can swap in/out different kernel versions like any other snap. I think this could make kernel version management super simple.

Although the downside seems to be that additional kernel modules like the Nvidia driver are not supported. Not ideal, since Nvidia graphics are quite prevalent for gamers and scientific research.

Screenshot from 2023-09-11 09-47-11

This is indeed a concept we’re keen to explore and expand upon. Don’t worry, we are working on a solution for NVIDIA driver support in kernel snaps.

4 Likes

Is this available right now in the mantic installer? I downloaded the current image as of today, and I don’t see any option about TPM FDE in the installer, just the normal LVM + encryption one.

Yes, it’s available in the mantic dailies now. If it’s not showing the option under the advanced dialog, that means it’s not detecting a TPM it can use. Confirm the following in the BIOS:

  1. Secure Boot is enabled
  2. TPM is enabled
  3. Clear the TPM

Let us know how it goes!

2 Likes

The option for the TPM-based disk encryption isn’t an option for me in the latest ISO (from September 8th), booted off of Ventoy.

I have the following error:

[ 20.938118] systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).

I’m currently trying out NixOS 23.05 and I don’t have this issue.

I don’t think I’ve seen this specific error reported on Launchpad yet. Best to open a bug report for ubuntu-desktop-installer and include this info.

Do we know yet whether this encryption feature will also be available for automated installations (server or desktop)?

We already have a deployment workflow for automatic desktop installations using the Subiquity installer. If we can add TPM-FDE on top, that would be the cherry on top.

It is available for automated installation for Desktop (GUI) and Server (CLI).

4 Likes

Does TPM-backed disk encryption using a key stored on the TPM chip mean that the drive can only be decrypted on the same motherboard that was used to install Ubuntu on the drive?

Because from what I understand, with the current non-TPM FDE everything is on the drive, so in theory, as long as you have the passphrase, you can unlock the drive even if you move it to a new computer. But logically, if some of the needed data is stored only on the TPM, then the drive is locked to a single motherboard unless you deactivate* the TPM encryption in advance, do some extensive hacking, or format the disk.

This could cause issues when people upgrade their computer to a new CPU that requires a motherboard upgrade too, or in any other situation where they change the motherboard (like a component dying, or wanting to upgrade to DDR5 RAM or better PCIe, etc.).

So are there tools to support transferring a TPM-backed FDE drive to a new motherboard, and thus to a new TPM chip?

Perhaps I’m going too far ahead… but are there any plans to provide kernels for classic Ubuntu in the future only as snap packages?
And if not, what prevents it from being done?

The fact is that the more packages (especially system ones) are replaced with snap, the less control and customization the user has.

And given the nature of snap and the unwillingness to allow anyone to freely create their own store and supply their own package, for example, for their own needs, I have a feeling that the day is coming when this (control and customization) will become very mediocre.

Not sure how much you have looked at snaps yet, but every snap created on Launchpad includes its snapcraft.yaml, i.e. the full build recipe to rebuild the package from scratch…

If you do not want to upload a snap to the store to get it signed by the archive key, you can at any time “sideload” your local package using the --dangerous option of the snap install command… There is zero requirement for a store in a scenario where you want to exclusively use locally built packages like a custom personal kernel…

For network-wide solutions (i.e. if you want to serve a company network with a patched kernel), there is a store proxy that allows sideloaded packages to be served to your LAN…

2 Likes

There is a recovery password which you can retrieve using the following command:
snap recovery --show-keys

So you can access the data from another machine, or live-session.

As for re-binding to another TPM chip, in the event of migrating to a new motherboard, I’m not sure about this.
Hopefully some documentation will emerge once Mantic is actually released.

2 Likes

Am I correct in assuming that it will then be visible to everyone and should meet the standards of supplying similar packages to the store?

I’ve looked into what the proxy store and brand store are, however, I still haven’t figured out which one to choose if I want to just distribute a modified kernel or some kind of modified snap package.

I’d appreciate it if you could help me figure it out here :)

1 Like

As a follow-up to my issue where I had no TPM option, it seems like the installer was updated to show why.

Screenshot from 2023-09-23 23-12-41

The Ubuntu Core docs say the solution is to run echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request. I closed out of the installer, ran that command, and retried, but the error didn’t go away. Maybe it requires a reboot to take effect? But the docs didn’t mention anything about that.

I also didn’t create a bug report because I get an error whenever I try to run into the bug tracker. It tells me to report it in IRC or by email, but I haven’t gotten around to doing that yet.

1 Like

I see this message
image

What is that CORE_BOOT_ENCRYPTION_UNAVAILABLE? Should I clean the TPM?
Moreover, I would like to install Ubuntu alongside Windows. Can I enable TPM encryption if using an HD partition?

I think yes. I’ve found that with the new installer, if I install a system with TPM-FDE and then try to perform a new installation over the top of it, it gives the same error.

So it seems like clearing the TPM is required for subsequent TPM-FDE installs, probably to prevent trivially erasing the unlock keys.

The below can be done from the live-installer in a terminal. Reboot afterwards and you might be prompted to confirm clearing of the TPM by your BIOS.
After that you should be able to install.

echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request

1 Like

I can only view the encryption key once using the command:

sudo snap recovery --show-keys

On the second attempt, snap shows the following message:

error: cannot communicate with server: timeout exceeded while waiting for response

After getting that message, snap stops working and I can’t run any more snap commands or snap apps. This is solved after restarting the computer, but I still can’t see the encryption key again.

1 Like