TPM backed FDE does not re-enroll the key upon recovery

Bug #2052601 reported by Michał Sawicz
Affects: snapd | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Following a mainboard replacement, I installed daily Noble with TPM FDE and stored the recovery key from `snap recovery --show-keys`.

I then proceeded to clear the TPM to check that I would be able to recover, and while the system booted after prompting for the key, it didn't re-enroll it into the TPM, which means I have to re-enter it every time.

The documentation [1] states this should not be the case:

> Ubuntu Core will decrypt the device, proceed with the boot, and restore the TPM from the recovered key.

Attached is the output from the debug script.

[1] https://ubuntu.com/core/docs/use-recovery-mode#heading--recovery-keys
