To improve TPM FDE support on Ubuntu Desktop, we’ve added a confirmation dialog to the firmware-updater that asks users to confirm that they are in possession of a recovery key before installing an update that affects the TPM state. While we can explicitly verify the validity of a recovery key for Ubuntu’s FDE, we cannot do that for other FDE setups, such as BitLocker. Since dual-boot setups alongside BitLocker-protected Windows installations are now supported by the installer, we’d like to handle this case explicitly and display an appropriate warning.
- name: firmware-updater
- description: Firmware updater UI for Ubuntu Desktop
- snapcraft: snapcraft.yaml
- upstream: firmware-updater
- upstream-relation: We (the desktop team) maintain the application and the snap package
- interfaces:
  - udisks2:
    - request-type: auto-connection
    - reasoning: The firmware updater needs to check for the presence of a BitLocker partition in order to show a dialog to the user reminding them they might need their recovery key when installing a firmware update that modifies the TPM’s PCR registers. See here for more details.
Thanks, Dennis