Built UC20 Rasperry Pi image hangs on boot

Previous issue reported has been solved also on armhf with:

This is encouraging,
but I am not sure it works using a recent generated key:

For the record I am still observing this:

[ 8.464501] the-tool[207]: 2021/04/26 10:28:50.214073 secboot_tpm.go:222: cannot open TPM connection: no TPM2 device is available
[ 8.488510] [the-toolFAILED[207]: ] error: cannot load metadata and verify essential bootstrap snaps [base kernel snapd gadget]: cannot accept some assertions:Failed to start the-tool.service.

[8.489324] the-tool[207]: - assertion is signed with expired public key “???” from “???”

[ 8.548594] systemd[1]: the-tool.service: Main process exited, code=exited, status=1/FAILURE
[ 8.568428] systemd[1]: the-tool.service: Failed with result ‘exit-code’.
[ 8.584401] systemd[1]: Failed to start the-tool.service.
[ 8.604353] systemd[1]: Startup finished in 2.246s (kernel) + 0 (initrd) + 6.273s (userspace) = 8.520s.

Image contains those edge’s snaps:

core20 1029
pi 101
pi-kernel 284
snapd 11990

I am using edge tools:

snapcraft 4.7.1 6466 latest/stable canonical✓ classic
snapd 2.50+git1685.g72d9b26 11987 latest/edge canonical✓ snapd
ubuntu-image 1.11+snap1 218 latest/edge canonical✓ classic

Relate-to:

https://forum.snapcraft.io/search?q=assertion%20is%20signed%20with%20expired%20public%20key

hmm, i would have expected this to be fixed by:

That fix needs to be released into the initrd, which takes a bit of time. The release process steps for the uc20 initrd are as follows:

1. Fix snap-bootstrap in master ✓
2. Release snapd Deb with fixed snap-bootstrap to snappy-dev image PPA for focal ✓
3. Rebuild the ubuntu-core-initramfs package to use the snapd Deb from 2
4. Rebuild the kernel snap using the ubuntu-core-initramfs PKG from 3

AIUI, 3 is being done right now, and 4 is done at least every 2 weeks as per kernel SRU cadence

@ijohnson ok thx for feedback I am looking at tip of this repo:

Currently " 2021-04-26 [UBUNTU: Ubuntu-pi-5.4.0-1035.38]"
so I guess a new version will be released soon.

Meanwhile I’ve tried Pi3 with an external RTC module (pcf8563) but I am afraid it won’t work on current base as I commented at:

I’ll try to rebuild kernel maybe later but I am unsure this can be done without signing it using canonical keys, BTW I’ll be curious to know if it is possible to rebuild from scratch all snaps from UC, and if this is documented anywhere.
Well, I’ve found some hints on this page:

Sorry if i am drifting a bit from the subject of this thread, but it might also help other blocked users.

To be clear about my steps above, step 3 is now done - version 45 of ubuntu-core-initramfs is now released to the snappy-dev image PPA, so we just need the 20 channel of the pi-kernel to be rebuilt to pick it up (step 4).

For the pi, since you don’t need to sign it with EFI keys or anything like that the way you need to do for amd64 due to UEFI, you can just rebuild the kernel and use a dangerous model assertion. I have not build the pi-kernel myself before, but I understand it to be a bit complicated, perhaps @ogra or @ondra have some pointers on how to build a kernel snap for UC20

At some point we should definitely have a doc page about how to build all the snaps from scratch like this, but it would take a while to get everything together for that

Totally not complicated … for custom kernels that do not need to be built from the binary deb the kernel trees all ship a snapcraft.yaml in the top-level of the tree … you just call snapcraft when in the tree … (current snapcraft does not support --target-arch so you need to do it on the native target architecture)

Some updates, it’s fixed !!!

thanks a lot to those who were involved in updates.

I was able to build and boot my own arm64 images for pi3 or pi4 using:

core20 1033
mir-kiosk 6981
pi 97
pi-kernel 285
pinball-table-hurd 20
snapd 12068

If curious there is more to come about this “demo” project:

Does core20 on stable channel work now?