TPM/FDE progress for Ubuntu 25.10

I found it in the installer (see the screenshot). Or what do you mean with “where”?

Best, Keywan

Thanks a lot for all your feedback here!

As explained in the original post, this is totally expected due to the stricter restrictions on valid TPM configurations we are seeing. But there is typically room for improvement here!

Please report all your cases, either using a live system or an installed Ubuntu version, by following the instructions linked in this thread. That will help ensure your system is supported! Thanks.

1 Like

I don’t think TPM-based FDE should be implemented or promoted in its current state on Linux-based distributions. It’s been known to be flawed. With the current implementation you would be entirely trusting the TPM to do its job properly, because no additional key derivation is involved, which ironically even BitLocker does. That reminds me of BitLocker having trusted TCG Opal drives in the past, which turned out to be a fatal mistake, and given how many manufacturers and types of TPMs there are, this should really make you reconsider.

On a different but related note, when will it be possible to upgrade an existing system to a newer release? I have a Framework 13 which was built with 24.04 from scratch with TPM/FDE enabled but now seem to be stuck on that release and most of the conversations are about doing a clean build.
Will future releases allow version upgrades without reinstallation, and if so, from what point is that being planned?

Is TPM-backed FDE only for amd64? I tried to install the test snap, but it is not available for arm64.

Let me disagree. I’d like to share my opinion, which may be subjective and based on my experience (18 years in IT).
The TPM FDE needs to be implemented ASAP and refined along the way.
Ubuntu has many certified enterprise device models; if at least support is implemented for them, that’s already a victory; the others will catch up along the way.
But if we wait until the product reaches perfect condition, we won’t get it.
We need to learn from the mistakes of the past!
Windows once defeated its competitors because those competitors spent years perfecting their products, which resulted in those products entering the market already outdated.
And although Microsoft rolled out a raw product and fixed its flaws with updates along the way, it ultimately sold a modern product that was needed now, not a year ago; the bugs were fixed, and what’s more, the product gained functionality through updates thanks to user feedback.
In my opinion, this has been the brake on Linux’s development all these years: instead of developing what the market needs now, idealists start improving something no one cares about, or even worse, start reinventing a new distribution, the same as the old one, but with new widgets.

The problem is, in my opinion, Canonical is one of the few companies that realized that enthusiasm alone isn’t enough to develop a product; it can simply spawn a bunch of desktop environments with the same problems.
And to develop a product, corporate money is needed.
Let ordinary users not pay, and corporations pay for technical support and product development in the direction they need.
Ultimately, the ordinary user benefits; no one is stopping them from participating in the product’s development and implementing their ideas.

But I’ll share my pain.
A year ago, we had about 1,000 Linux PCs in our company; now there are fewer than 200, and this isn’t because other platforms are better, but because Linux lacks proper support (OOBE experience, enrollment, corporate accounts, SSO, cloud-native management).
All we need is for the distribution to have a built-in, user-friendly interface for enabling encryption, but we also need it to unlock automatically after rebooting the PC. This is critical for remote sessions, and we need it to work out of the box, not require a lot of fiddling around.
We’ve been waiting for two years for Landscape and authd to be integrated into the Ubuntu installer.
The average user doesn’t need this, but corporate users, once they receive these solutions, will happily switch to Ubuntu.

The worst part is that time has been lost. We already have free Intune included with our subscription, and its functionality is practically nonexistent.
But now it will be difficult to convince management to pay $25 per device, since Intune is free.
Getting a significant discount for 200 devices would be practically impossible (it wouldn’t be profitable for the seller).
And if this product had been released two years ago, as promised, we wouldn’t have Intune, and it would be easy to get the budget to manage 1,000 Linux devices.

We could have rolled out a crude product with minimal functionality, raised corporate funding, and used it to fix the bugs.

I’d also like to point out that the TPM FDE is also essential for promoting gaming on Linux, as online shooters can’t run anti-cheat on Linux due to the lack of standardized TPM support out of the box.
And by using the standardized TPM FDE on Ubuntu, game developers will be able to add the necessary anti-cheat functionality to support Linux!

I personally didn’t uninstall Windows from my gaming laptop for a long time due to the lack of support for the Vanguard anti-cheat on Linux.

I’d just like to reiterate that this is just my opinion, and I don’t mean to offend anyone or claim that this opinion is 100% correct and there can be no other arguments.

3 Likes

I followed the instructions there and get the following output:

$ sudo test-ubuntu-tpmfde-compat /boot/efi/EFI/ubuntu/shimx64.efi /boot/efi/EFI/ubuntu/grubx64.efi /boot/vmlinuz

Testing this platform for compatibility with EFI based TPM protected FDE

This platform is not suitable for FDE: cannot filter unavailable actions: cannot test whether action “clear-tpm-via-firmware” is available: cannot obtain physical presence interface: not a linux tpm2.TPMDevice

But what would be the point of entering this in the Google survey form? The survey does not ask what “this platform” means. My platform is an HP laptop with full TPM2 support.

Hi @marrol777, I don’t even have those files to test, and that’s on a Framework device where Ubuntu is supposed to be a preferred OS, so you are not alone.
It is a bit difficult to answer the question when you can’t even run it.

I bought a discrete TPM module for an ASUS mobo on AM5 just to test this functionality,
but the option still seems not to be available at the moment for the AMD platform?
Or do I need to set additional options in the BIOS?
error is: error with system security: unsupported platform: checking host security is not yet implemented for AMD; Ubuntu 25.10

This is not enough, sadly; it is just an initial prerequisite, but I feel that without LVBS, and so a security enclave, we won’t go anywhere (also for things such as secure unlock, secure fingerprints, integrated keyring and much more).

1 Like

I think the key point here will be the pairing of TPM and Secure Boot. For anti-cheat, the main checking point must be driver signature checking.
I’m not sure, but from my point of view, driver signing and check enforcement will be achieved if we use the TPM and Secure Boot couple.

Yes, but the threat model of LVBS is: we trust the kernel as soon as it has booted with Secure Boot; as soon as anything in user space starts, the kernel cannot be fully trusted (as its memory can potentially be compromised), which is why we need a further layer on top of that.

Now, maybe anti-cheat systems are not as strict, but in other security-related environments we may be required to go further.

1 Like

Thanks for the details!
Let’s consider the HW FDE as a first step. This option will essentially enable and simultaneously force the user to use the TPM module. Further security development will be based on the fact that the TPM is enabled and in use.

Hi everyone,
I have a Dell Latitude 5320, and I tried to enable TPM FDE in Ubuntu 25.10, but the script that checks for compatibility keeps saying this:

This platform is not suitable for FDE: error with system security: access to the discrete TPM's startup locality is available to platform firmware and privileged OS code, preventing any mitigation against reset attacks

Does anyone know if this is fixable, or if my laptop is just not compatible with TPM FDE? Anyway, my laptop is fairly recent and is a model usually bought by companies, so I thought it would be compatible with that. I enabled all I could in the UEFI settings, but I may have made a mistake.
I hope to see Ubuntu 26 LTS’s TPM FDE available for a lot of computers.

Hi Mate

I 100% agree with comments on corporate uptake of, and issues with, Ubuntu/Linux (no opinion on gaming as that’s not my jam).

I managed desktop/end user for a couple of multinationals (~20,000 seats each), and I can guarantee that we used Windows because

  1. It worked, so it made users’ lives easier.
  2. It was compatible with everything, so it made users’ and admins’ lives easier.
  3. It was manageable at scale, so it made admins’ lives easier.

Everything else came second.

If any OS wants to compete with MS they need to address this. I am keen to see (and assist) TPM be successfully implemented transparently in Ubuntu to help deliver on this.

I can’t currently make it work (25.10 or 26.04b), but I am about to start asking for assistance to make it happen.

2 Likes

A post was split to a new topic: TPM on 26.04 Testing

Since 25.10 has already been released and we are now moving forward, please pick up discussions about TPM/FDE in other categories.

For development releases, use Pre-Release Discussion

For support with current non-development releases, use Support and Help

For general, non-support discussions, use the Lounge

Topic closed.

Thanks to all those who participated.

2 Likes