More amd64 UC20 FDE/Secure Boot issues

I’ve spent a fair bit of time trying to get Full Disk Encryption (FDE) along with Secure Boot working on an Intel board. Here’s what I’ve done so far:

  • Clear the TPM
  • Use a LiveCD instance of Classic to flash out the amd64 UC20 image from 2021-06-30 using xzcat /path/to/image.img.xz | sudo dd of=/dev/sda bs=32M status=progress; sync
  • Boot the system into the Core 20 environment

Everything seems to go fine this far:

What’s noteworthy in the above screenshot is that:

  • The installer found the Secure Boot
  • The system found the TPM device
  • The installer was able to properly encrypt the file system

Now, after the system reboots, this is where it breaks:

Having had a chat with @ondra about this, he suggests that it is most likely an issue with the TPM being unable to unlock the disk, and thus reverting to trying to unlock it with the recovery key.

Booting up on a LiveCD, I was able to again verify that TPM seems to be working:

$ dmesg | grep -i tpm
[    0.000000] efi: ACPI 2.0=0x8c5c6000 ACPI=0x8c5c6000 TPMFinalLog=0x8c62f000 SMBIOS=0x8cac2000 SMBIOS 3.0=0x8cac1000 MEMATTR=0x876b9018 ESRT=0x8991e298 RNG=0x8caeca98 TPMEventLog=0x82b04018
[    0.021465] ACPI: TPM2 0x000000008C60DEC0 000034 (v04 ALASKA A.M.I    00000001 AMI  00000000)
[    0.021508] ACPI: Reserving TPM2 table memory at [mem 0x8c60dec0-0x8c60def3]

I did also run across this post, which seems to describe a very similar issue but without any resolution.

@ijohnson You don’t happen to have any thoughts here?

You should file an LP bug. I don’t know what the issue is here, but it does seem related to the TPM. The person I would ping to look at this is not on this forum, but they are on LP, so I can ping them there.

No problem. I’ll raise an LP issue for that and DM you the link.