Ubuntu Version: 24.04.4 LTS
Desktop Environment: GNOME
Problem Description:
I installed Ubuntu 24.04.4 LTS with TPM Full Disk Encryption using the native Subiquity installer on a ThinkPad X1 Carbon 9th Gen. TPM auto-unlock worked perfectly after installation. After enabling HAP (High Assurance Platform) mode in the BIOS — which disables Intel ME at the hardware level — TPM auto-unlock no longer works and I am required to enter the LUKS recovery key on every boot.
HAP changes the measurements written into PCR 0 and PCR 2 during early boot. The TPM policy sealed during installation was bound to the original PCR values with ME active. After HAP is enabled those values no longer match, the TPM policy assertion fails, the TPM enters DA (Dictionary Attack) lockout mode after repeated failed unseal attempts, and snapd hard-fails provisioning.
Relevant System Information:
- Device: ThinkPad X1 Carbon 9th Gen
- Ubuntu: 24.04.4 LTS classic install
- FDE: TPM-backed, configured via Subiquity native installer
- TPM device: /dev/tpmrm0
- Encrypted partition: /dev/nvme0n1p4
- HAP: enabled in BIOS (Intel ME disabled)
- Recovery key: available
snap-bootstrap 312: error with keyslot "default": cannot recover keys from keyslot: incompatible key data role params: invalid PCR policy data: cannot complete authorization policy assertion: cannot execute PCR assertions: cannot execute PolicyOR assertions: current session digest not found in policy data
stateengine.go:161: state ensure error: devicemgr: cannot mark boot successful: cannot provision TPM: the TPM is in DA lockout mode
secboot_tpm.go:1051: TPM provisioning error: the TPM is in DA lockout mode
What I’ve Tried:
- Clearing the TPM from BIOS: did not resolve the issue
- Filed upstream bugs LP: #2145165 and LP: #2145166
- Submitted patches to snapcore/snapd and canonical/curtin to make TPM DA lockout non-fatal
My Question:
I have been given the following procedure to re-enroll TPM auto-unlock against the new HAP PCR baseline and would like confirmation it is correct and safe before running it on a live encrypted system:
Step 1 - Verify TPM is available
sudo systemd-cryptenroll --tpm2-device=list
Step 2 - Check current LUKS header
sudo cryptsetup luksDump /dev/nvme0n1p4
Step 3 - Enroll TPM with HAP-safe PCR mask
sudo systemd-cryptenroll \
    --tpm2-device=/dev/tpmrm0 \
    --tpm2-pcrs=0+2 \
    /dev/nvme0n1p4
Step 4 - Verify TPM policy before reboot
sudo systemd-cryptenroll --tpm2-verify /dev/nvme0n1p4
Step 5 - Reboot and test
sudo reboot
Specific questions:
- Is this procedure safe for Ubuntu 24.04 with snapd-managed FDE?
- Will snapd conflict with or overwrite a keyslot created directly via systemd-cryptenroll?
- Is PCR 0+2 the correct mask for HAP systems?
- Does the DA lockout need to be cleared before re-enrollment and if so what is the correct command on 24.04?
- Is there a snapd-native resealing command for 24.04 classic I should use instead?
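A pre-flight check for the procedure in the post, added here as an example (it is not code from the original post, from snapd or from systemd). It reads the TPM's dictionary-attack state from `tpm2_getcap properties-variable` (tpm2-tools) and refuses to continue while the TPM is in DA lockout, records the PCR 0/2/7 baseline measured with HAP enabled, lists the LUKS2 keyslots and tokens already on the volume, and confirms the recovery key still opens it with `cryptsetup open --test-passphrase`, all before any keyslot is touched. The device paths are the ones from the post; the `tpm2_getcap` output embedded below is a constructed, abbreviated sample used to exercise the parser offline, and the live checks run only when the script is invoked with `--run`.

```bash
#!/usr/bin/env bash
# Pre-flight checks before re-enrolling a TPM keyslot on a live LUKS2 volume.
# Added example, not code from the original post, snapd or systemd. Assumes
# tpm2-tools (tpm2_getcap, tpm2_pcrread), cryptsetup and systemd-cryptenroll
# are installed and that the device paths below are the ones from the post.
set -euo pipefail

DEV="${DEV:-/dev/nvme0n1p4}"   # encrypted partition (from the post)
TPM="${TPM:-/dev/tpmrm0}"      # TPM resource-manager device (from the post)

# Parse `tpm2_getcap properties-variable` output read from stdin and print
# "locked N/M" or "clear N/M", where N is the failed-authorization counter
# (TPM2_PT_LOCKOUT_COUNTER) and M the threshold (TPM2_PT_MAX_AUTH_FAIL).
# Returns 2 if the expected fields are not present.
tpm_lockout_state() {
  local out in_lockout counter max
  out=$(cat)
  in_lockout=$(printf '%s\n' "$out" | awk '$1 == "inLockout:" { print $2; exit }')
  counter=$(printf '%s\n' "$out" | awk '$1 == "TPM2_PT_LOCKOUT_COUNTER:" { print $2; exit }')
  max=$(printf '%s\n' "$out" | awk '$1 == "TPM2_PT_MAX_AUTH_FAIL:" { print $2; exit }')
  if [ -z "$in_lockout" ] || [ -z "$counter" ] || [ -z "$max" ]; then
    echo "tpm_lockout_state: could not parse tpm2_getcap output" >&2
    return 2
  fi
  if [ "$in_lockout" = "1" ]; then
    printf 'locked %d/%d\n' "$((counter))" "$((max))"
  else
    printf 'clear %d/%d\n' "$((counter))" "$((max))"
  fi
}

# Constructed, abbreviated sample of `tpm2_getcap properties-variable` from a
# TPM that has reached its failure threshold (32 of 32) and is in DA lockout.
SAMPLE_LOCKED='TPM2_PT_PERMANENT:
  ownerAuthSet:              0
  endorsementAuthSet:        0
  lockoutAuthSet:            0
  reserved1:                 0
  disableClear:              0
  inLockout:                 1
  tpmGeneratedEPS:           1
  reserved2:                 0
TPM2_PT_LOCKOUT_COUNTER: 0x20
TPM2_PT_MAX_AUTH_FAIL: 0x20
TPM2_PT_LOCKOUT_INTERVAL: 0x1C20
TPM2_PT_LOCKOUT_RECOVERY: 0x15180'

# The same TPM after the lockout has been reset: counter at zero, flag clear.
SAMPLE_CLEAR=$(printf '%s\n' "$SAMPLE_LOCKED" \
  | sed -e 's/inLockout: *1/inLockout:                 0/' \
        -e 's/TPM2_PT_LOCKOUT_COUNTER: 0x20/TPM2_PT_LOCKOUT_COUNTER: 0x0/')

# Live checks against the real TPM and LUKS header. Nothing here writes to the
# TPM or to the LUKS header; the enrollment command is printed, not executed.
preflight() {
  local state
  echo "== TPM dictionary-attack (DA) lockout state"
  state=$(tpm2_getcap properties-variable | tpm_lockout_state)
  echo "$state"
  case "$state" in
    locked*)
      cat >&2 <<'EOF'
The TPM is in DA lockout: authorization of DA-protected objects is refused
and snapd refuses to provision (the error quoted in the post). Either wait
(the counter decrements by one every TPM2_PT_LOCKOUT_INTERVAL seconds while
the machine stays powered on) or reset it explicitly with
    sudo tpm2_dictionarylockout --clear-lockout
which requires the lockout authorization (empty unless one was ever set).
EOF
      return 1 ;;
  esac

  echo "== PCR baseline with HAP enabled (0 and 2 change; 7 is Secure Boot state)"
  tpm2_pcrread sha256:0,2,7

  echo "== LUKS2 keyslots, tokens and digests currently on $DEV"
  cryptsetup luksDump "$DEV" | grep -E '^(Keyslots:|Tokens:|Digests:|  [0-9]+: )'

  echo "== Checking that the recovery key still opens $DEV (device is not activated)"
  cryptsetup open --test-passphrase "$DEV"

  echo "Pre-flight passed. Enrollment step from the post, not run here:"
  echo "  sudo systemd-cryptenroll --tpm2-device=$TPM --tpm2-pcrs=0+2 $DEV"
}

if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

Run it as `sudo ./preflight.sh --run` before step 3. The lockout check comes first because a sealed key bound to the correct PCR values still cannot be used while the TPM refuses DA-protected authorizations, so re-enrolling against a TPM that is still locked out only adds another keyslot that fails at boot; the `--test-passphrase` step exists so that the recovery key is proven to work before any keyslot on the live volume is added or removed.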