TPM-backed Full Disk Encryption is coming to Ubuntu - Discussion

@local-optimum with 24.04 coming out, can you let us know if there have been any updates on kernel module support?

Howdy :slight_smile: there has been significant progress in the architecture and implementation of support for kernel modules and third party drivers, however at launch they will not be supported. Our plan however is to have these foundational elements in the image so we can expand HW compatibility within the lifecycle of 24.04. Our first priority will be to land NVIDIA driver support which is one of the most complex use-cases.


Thanks! Since it looks like it's gonna be at least 6.10 until the IPU6 patches make it into the upstream kernel, I’ll continue to watch this with interest.

On an unrelated note, is anyone else having issues updating firmware? I get “User has configured their system in a broken way” from firmware-updater (which seems a bit judgey to me ;)) and “Secure boot is enabled, but shim isn’t installed to EFI/ubuntu/shimx64.efi” if I try to run fwupdmgr.


I’ve seen the same issue with TPM FDE builds. There’s an open bug report for this: Conflict with TPM-backed Full Disk Encryption · Issue #236 · canonical/firmware-updater · GitHub

Okay. Glad to know it's not just me. It looks like disabling Secure Boot, booting a live image and queueing the updates there, then rebooting and letting them install, then turning Secure Boot back on works.

What is the status on this? I just downloaded the 24.04.0 Desktop ISO and wanted to check out this feature after it has been announced for a while. The new installer looks great, but the TPM-backed option was always in disabled state.

What I checked and tried:

  • Made sure that TPM Security Chip is enabled
  • Started the Ubuntu ISO from Ventoy
  • Used Rufus to create Bootable Media
  • Used Fedora Media Writer to create Bootable Media
  • Cleared TPM through UEFI settings and with this command:
    echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request
  • Rebooted several times in the process and confirmed that I do want to clear the TPM.

I checked the Arch Wiki and it said I should check with the following command and provide its output:

ubuntu@ubuntu:~$ journalctl -k --grep=tpm --no-pager 
Apr 25 18:48:31 ubuntu kernel: efi: ACPI=0xcc3fd000 ACPI 2.0=0xcc3fd014 TPMFinalLog=0xcc22d000 SMBIOS=0xbf71c000 SMBIOS 3.0=0xbf70f000 MEMATTR=0xb9ce3018 ESRT=0xbe468000 MOKvar=0xbf74c000 INITRD=0xa47dbb98 RNG=0xcc3fc018 TPMEventLog=0xa28a4018 
Apr 25 18:48:31 ubuntu kernel: ACPI: SSDT 0x00000000BF6EE000 000632 (v02 LENOVO Tpm2Tabl 00001000 INTL 20180313)
Apr 25 18:48:31 ubuntu kernel: ACPI: TPM2 0x00000000BF6ED000 000034 (v03 LENOVO TP-R1B   000013A0 PTEC 00000002)
Apr 25 18:48:31 ubuntu kernel: ACPI: Reserving TPM2 table memory at [mem 0xbf6ed000-0xbf6ed033]
Apr 25 18:48:31 ubuntu kernel: tpm_tis STM0125:00: 2.0 TPM (device-id 0x0, rev-id 78)
Apr 25 18:48:31 ubuntu systemd[1]: systemd 255.4-1ubuntu8 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Apr 25 18:48:31 ubuntu systemd[1]: systemd-pcrextend.socket - TPM2 PCR Extension (Varlink) was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
Apr 25 18:48:31 ubuntu systemd[1]: systemd-pcrmachine.service - TPM2 PCR Machine ID Measurement was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
Apr 25 18:48:31 ubuntu systemd[1]: systemd-tpm2-setup-early.service - TPM2 SRK Setup (Early) was skipped because of an unmet condition check (ConditionSecurity=measured-uki).
Apr 25 18:48:31 ubuntu systemd[1]: systemd-tpm2-setup.service - TPM2 SRK Setup was skipped because of an unmet condition check (ConditionSecurity=measured-uki).

My device is a Thinkpad P14s Gen 1 with an AMD processor.

Edit: looks like a few more users are having this issue: Ubuntu 24.04 LTS Beta Testing - #25 by bambus89

Make sure you have done these steps:

  • Enable Secure Boot
  • Disable “Absolute” security if your BIOS supports it
  • If your TPM supports both sha-1 and sha-256 modes, try switching to sha-256

Checked, it says it is enabled in the overview.

I don’t have that option. When I go to the “Manage Keys” section I see a lot of SHA-256 hashes in the deny list.

Okay, that was it. I was certain it was disabled, but I confused it with the line below which said not activated.

After I disabled “Absolute” I can now select TPM-backed encryption in the installer. Sorry that I didn’t check thoroughly. So many options.
Should I enable TSME?

Edit: And I need to disable 3rd party drivers to see the option. There is currently no explanation in the installer that one option excludes the other at this point in time.

I’m wondering, has anyone tested this installation option with the 24.04 images?

My few attempts resulted in unbootable systems. No UEFI boot entry is created and when I select the SSD in the boot menu I’m prompted to enter the recovery keys, which I don’t have yet.

I tried running sudo snap recovery --show-keys to get the recovery keys, but it returned that it is not running an encrypted system. Do I have to do some kind of chroot trickery with /target?

Edit: I just tried installing on my older T580 (Intel processor). And it worked. What was different? I didn’t care about network connectivity and updates, so I installed offline to check. Back to my P14s, installing offline also works! But it feels “not right” without the boot entry. I mean I can adjust the boot priority, that’s not a big deal. I will test some more to write a good bug report.

No trickery should be required if your device supports TPM FDE, and you’ll only be able to run that command post-install; if you can’t get that far, something has gone wrong. Could you please file a bug against the project with your system info and setup and we’ll look into why it might not work for you. You’ve done a lot of testing and it would be good to bank those learnings. I appreciate you exploring all the options.

As I said, we plan to expand hardware support significantly within the lifecycle of the LTS; currently we are prioritising NVIDIA driver support. I think we can improve some of the messaging in the installer as well, I’ll add that to our backlog.

Here is the ticket for that issue.

Okay I just filed the following bug report:

I don’t know if this has been brought up before, but I’d like to access the encrypted partition when I boot another operating system like the Ubuntu ISO or Fedora. With standard LUKS partitions you can just add another key / passphrase to a slot in LUKS. But I failed getting this to work today on a test system.

# Add another key while running from /dev/nvme0n1p4
sudo cryptsetup luksAddKey --token-type systemd-tpm2 /dev/nvme0n1p4

# Attempt to unlock from Ubuntu Installation Media
sudo cryptsetup open /dev/nvme0n1p4 test

It didn’t accept the key I set before. With this being a test system and to rule out any mistyping I set the additional passphrase to 123456 and it didn’t work. Of course I also tried it in Gnome Disks and it didn’t work there either.

Side note: After all my struggles I can now install TPM-backed encryption on my laptops without hassle. I just reset the security chip and set secure boot keys to factory defaults. I have no idea why it was so difficult before.

The recovery key you get from snapd doesn’t directly function as a LUKS key to unlock the drive. There is some format wizardry which converts it on-the-fly when you type it in at the prompt.

However, there is a way to get a working key-file to unlock your drives. A user online wrote a Go script which can convert the recovery-key string to a working LUKS key-file: https://lemmy.world/post/7029429

I have since written a comparable python script which can do the same: GitHub - jps-help/python-snap2luks: A simple python script to convert Ubuntu TPM-backed FDE snap recovery keys to a working LUKS key-file

Using the generated key-file, you should be able to add an extra passphrase using cryptsetup.

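As an added example (not the Go or Python script linked in the post above), here is a self-contained Python conversion of a snapd-style recovery key into a raw LUKS key-file. It assumes the encoding snapd uses for its recovery keys, eight five-digit decimal groups each holding a little-endian uint16, and the sample key and the device path in the trailing comment are constructed for illustration only.

```python
import os
import re
import sys

# Constructed sample key (not a real key from the thread); the groups are chosen
# so that the expected raw bytes are easy to check by hand.
SAMPLE_KEY = "00001-00256-65535-00000-00000-00000-00000-00000"


def recovery_key_to_bytes(text: str) -> bytes:
    """Convert a snapd-style recovery key to the 16 raw bytes a LUKS keyslot holds.

    Assumed encoding: eight groups of five decimal digits, each group a
    little-endian uint16, concatenated in order (8 * 2 = 16 bytes).
    """
    groups = re.split(r"[-\s]+", text.strip())
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    raw = bytearray()
    for g in groups:
        if not re.fullmatch(r"\d{5}", g):
            raise ValueError(f"group {g!r} is not five decimal digits")
        n = int(g)
        if n > 0xFFFF:  # a group is a uint16, so 65535 is the largest valid value
            raise ValueError(f"group {g!r} exceeds 65535")
        raw += n.to_bytes(2, "little")
    return bytes(raw)


def bytes_to_recovery_key(raw: bytes) -> str:
    """Inverse of recovery_key_to_bytes; handy to sanity-check a generated key-file."""
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    return "-".join(f"{int.from_bytes(raw[i:i + 2], 'little'):05d}" for i in range(0, 16, 2))


def write_keyfile(text: str, path: str) -> int:
    """Write the raw key with owner-only permissions; returns the number of bytes written."""
    raw = recovery_key_to_bytes(text)
    with open(path, "wb", opener=lambda p, flags: os.open(p, flags, 0o600)) as fh:
        return fh.write(raw)


if __name__ == "__main__":
    key = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_KEY
    print(f"wrote {write_keyfile(key, 'recovery.key')} bytes to recovery.key")
    # On the installed system the key-file can then serve as the existing secret
    # when adding a passphrase, e.g. (device path is illustrative):
    #   sudo cryptsetup luksAddKey --key-file recovery.key /dev/nvme0n1p4
```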

What do I need to do to make the FDE feature available in the installer on my HP EliteBook 840 G5?

I have done the following:

  1. Ensure Secure Boot is enabled.
  2. Ensure TPM is enabled.
  3. Wipe the SSD clean using Secure Erase from BIOS.
  4. Wipe the TPM clean (tried both from BIOS menu and using echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request + reboot + confirm wipe).

But the installer still won’t let me enable hardware-backed full disk encryption.

What does the UEFI Secure Boot section of your BIOS offer you? Unless it’s a fancy GUI BIOS it should look similar to most business laptops and should have a section that lets you choose between “Standard” and “Custom” Secure Boot Mode. Choose “Standard”. If there is an option where you can reset secure boot to factory key, do that.

This fixed my issues.

After I got my TPM module in the mail today I tried getting TPM FDE to work on another machine, but I have the same problem as before with my Thinkpads. I get asked for recovery keys on first boot which I don’t have yet.

After trying a lot of settings I performed a reset of all UEFI settings. I then took screenshots, here are some of the ones with relevant settings:

[screenshot: Screenshot_from_2024-05-04_21-08-04]

While this one says SHA-1 is enabled, I disabled it after taking the screenshot and tried again, but it failed like before when I tried with this option disabled.

[screenshot: Screenshot_from_2024-05-04_21-09-24]

If Secure Boot Mode is set to Custom here I can’t enter the menu below to clear keys and install default keys like I’m used to from Thinkpads. When I set the mode to Standard, I can install with TPM FDE; if I set it to Custom, the option will be greyed out in the installer.

[screenshot: Screenshot_from_2024-05-04_21-09-37]

I got it to work: Bios Menu (F2) → Security → Restore Security Settings to Factory Defaults

Did you select to install 3rd party drivers? That is incompatible with TPM+FDE for the moment.

A post was split to a new topic: Help with TPM-backed Full Disk Encryption

puts moderator hat on

Okay everyone, quick reminder:

No technical support or help questions. Do not ask for help solving a problem here. You’re told this when you’re signing up for an account, and it’s at the very top header.

Moderators will create new topics out of comments that are asking for help solving a problem in the “Support and Help” category, reply to them with instructions on how to seek support, and promptly close the topic. This is not up for debate since we, as a community, have abundant options for support and help.
