One of our latest image builds is failing to install/bootstrap properly. It’s UC in secured mode. After resetting the TPM, we write the image to disk and reboot. It initially boots, runs through all the setup including encrypting the volumes, I don’t see any errors [but some of the text goes by pretty fast], and when it reboots for the first time it fails to mount the
It waits, prompting for:
Please enter the recovery key for disk /dev/disk/by-partuuid/blah-blah
Then eventually there is an error from
error: cannot activate encrypted device "/dev/disk/by-partuuid/blah-blah": cannot activate with sealed key (cannot unseal key: invalid key data file: cannot complete authorization policy assertions: cannot complete OR assertions: current session digest not found in policy data) and activation with recovery key failed (cannot obtain recovery key: /usr/sbin/systemd-ask-password failed: exit status 1)
How can I debug this? There may be a relevant message in the initial boot and setup, but some of it goes past very fast. Is there a log of the initial boot kept somewhere? Is there any way I can interrogate the TPM for anything that may help?
Feels like something in a snap has changed, but I have a working image with the same gadget snap content and snapd revision on the same hardware. I’m really quite stuck for ideas at this point.