I am trying to run UC20 with FDE on amd64. Booting seems to work first, TPM is found, but install fails then with:
taskrunner.go:271: [change 2 "Setup system for run mode" task] failed: cannot make system runnable: cannot seal the encryption keys: cannot add EFI secure boot policy profile: cannot compute secure boot policy profile: no bootable paths with current EFI signature database.
Any idea how to solve/debug the issue? Without FDE, everything works as expected.
Can you provide full boot logs from this device? This message alone is not quite enough for us to see what the problem is. Also are you using a released image or are you building your own?
Thanks for your reply, @ijohnson. Is there a good way to get the logs out of the box? netconsole works only for kernel messages, doesn't it? Here is a screenshot:
The image is self-built but uses basically only the latest/stable components, e.g. snapd 2.51.4. A few days ago I also tried the edge version of snapd, without success.
Another attempt was to manually remove the fatal error from the snapd package by patching the secboot code, but the only effect was that the TPM eventually got locked for some time.
I installed UC20 on the hardware before and it worked. I ran into the same error when I installed another image on the same hardware. Do we need to clean up the keys in the TPM?
Well, the gadget is likely where the issue is in this case.
Without knowing all the differences with the reference x86 gadget it will be hard to give you any advice I think. Using an efi executable signed with the incorrect keys can lead to that error, but I'm sure there are many other reasons. It's probably a good idea to examine all the differences between the reference gadget and your own.
It appears, for some reason the key to unlock your data volume was not retrieved from the TPM. Perhaps there are more log lines before that error that can help.
Thanks Just, will take a look into the logs. I upgraded the BIOS to support Secure Boot and then enabled Secure Boot in the BIOS. I also found there is an EFI partition in the hardware. I saw grub64.efi and bootx64.efi. Are they used to boot UC20? I'm not sure how the EFI boot works since there are 2 places having *.efi files.
I am trying UC20 with fde on arm64 machine and I get
secboot_tpm.go:77: checking if secure boot is enabled…
secboot_tpm.go:79: secure boot not enabled: not a supported EFI system
taskrunner.go:271: [change 2 "Setup system for run mode" task] failed: cannot encrypt device storage as mandated by model grade secured: not a supported EFI system
May I ask how you enabled secure boot? I get a /dev/tpm0 port, but during first boot the TPM was not mentioned at all.
Also please note: do NOT use the code verbatim from those hooks - the “encryption” implemented there is just XORing bytes to test that the hooks work, it is not a secure implementation.
I did add the fde-setup hook and added fde-reveal-key into initrd/usr/bin. I have compiled the kernel and created an image. But I want to boot the image in Secure Boot. I am following this documentation
But I am not able to quite follow the procedure explained. Could you help me with this process?
I have created keys to sign the image. But when signing it requires a PE/COFF image, and I am not able to understand what that is.
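On the PE/COFF question above: EFI binaries such as grubx64.efi or kernel.efi are PE/COFF images (the Windows executable format), which is why the signing tool asks for one, and a Secure Boot signature is a PKCS#7 Authenticode blob stored in the image's certificate table (data directory 4). The script below is an added example for this thread, not code from snapd, secboot or any poster: it reads the DOS/PE/optional headers to report whether a file is PE, which CPU it targets, whether its subsystem marks it as an EFI application, and whether a certificate table is already present, which is a quick way to tell an unsigned asset from a signed one before rebuilding an image. The sample images it inspects are constructed in memory (headers only, with a placeholder certificate table, not a real signature); pass the bytes of a real .efi file to inspect it the same way.

```python
"""Inspect an EFI binary's PE/COFF headers: is it PE, which CPU, is it an EFI
application, and does it already carry an Authenticode certificate table?

Added example for this thread, not code from snapd, secboot or the poster.
The sample images below are constructed (minimal headers, fake cert table).
"""
import struct

MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "AArch64", 0x01C2: "ARM/Thumb-2"}
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver", 12: "EFI runtime driver"}
SECURITY_DIR = 4                      # data directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED = 0x0002    # WIN_CERTIFICATE.wCertificateType for Authenticode


def inspect_pe(data: bytes) -> dict:
    """Return header facts for `data`; is_pe False means not a PE/COFF image."""
    info = {"is_pe": False, "arch": None, "subsystem": None,
            "is_efi": False, "signed": False, "cert_type": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, _nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)                            # COFF file header
    opt = e_lfanew + 24                                            # optional header start
    if opt_size < 70 or opt + opt_size > len(data):
        return info
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                                # PE32 / PE32+
        return info
    pe32plus = magic == 0x20B
    info["is_pe"] = True
    info["arch"] = MACHINES.get(machine, hex(machine))
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]        # same offset in PE32 and PE32+
    info["subsystem"] = EFI_SUBSYSTEMS.get(subsystem, str(subsystem))
    info["is_efi"] = subsystem in EFI_SUBSYSTEMS
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    if opt_size < dirs_off + (SECURITY_DIR + 1) * 8:
        return info
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    if ndirs <= SECURITY_DIR:
        return info
    # For the security directory the "RVA" is really a file offset.
    cert_off, cert_size = struct.unpack_from("<II", data, opt + dirs_off + SECURITY_DIR * 8)
    if cert_off == 0 or cert_size < 8 or cert_off + cert_size > len(data):
        return info
    length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE
    info["cert_type"] = cert_type
    info["signed"] = cert_type == WIN_CERT_TYPE_PKCS_SIGNED and 8 < length <= cert_size
    return info


def build_sample(machine: int, subsystem: int, signed: bool) -> bytes:
    """Constructed minimal PE32+ image: headers only, no sections, optional fake cert table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    cert = b""
    if signed:
        blob = b"\x30\x82" + b"\0" * 30                            # placeholder, not real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED) + blob
        struct.pack_into("<II", opt, 112 + SECURITY_DIR * 8, 512, len(cert))
    image = dos + b"PE\0\0" + coff + bytes(opt)
    return image + b"\0" * (512 - len(image)) + cert


def inspect_file(path: str) -> dict:
    """Inspect a real .efi file on disk, e.g. a gadget's grubx64.efi."""
    with open(path, "rb") as f:
        return inspect_pe(f.read())


if __name__ == "__main__":
    samples = {
        "x64 signed EFI app": build_sample(0x8664, 10, True),
        "arm64 unsigned EFI app": build_sample(0xAA64, 10, False),
        "ELF, not PE": b"\x7fELF" + b"\0" * 60,
    }
    for name, blob in samples.items():
        print(f"{name}: {inspect_pe(blob)}")
```

A file that reports is_pe False is not something a Secure Boot signing tool can handle at all; an EFI application with signed False has no certificate table yet, and after signing the same check should report signed True. Note that this only detects the presence of a signature, it does not verify which key made it or whether that key is in the firmware's db, so a signed asset can still fail the policy computation from the first post if it was signed with the wrong key.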
@rahul-tt where do you see the information from that page where it says to use signing-tool? I'm not familiar with that tool, when I need to resign EFI assets like grub, or kernel.efi to test secure boot with snakeoil keys for development I use this command: