Upgrades to 24.04 LTS should be temporarily prevented for TPM FDE systems

Bug #2065229 reported by Nick Rosbrook
Affects                                 Status        Importance  Assigned to    Milestone
ubuntu-release-upgrader (Ubuntu)        Fix Released  Undecided   Unassigned
  Noble                                 Fix Released  High        Nick Rosbrook

Bug Description

[Impact]
It is not currently supported to upgrade desktop systems installed with TPM-backed FDE, so we should not allow such upgrades to start. We should notify the user of this and abort the upgrade.

[Test Plan]

Attempt an upgrade from 23.10 to 24.04 LTS on various types of Ubuntu installs:

1. Desktop with TPM FDE
2. Desktop classic
3. LXD Container

In case (1), the upgrade should be aborted with an appropriate message to the user. In cases (2) and (3), the upgrade should proceed as normal.

[Where problems could occur]
The test condition for determining that we are on Desktop with TPM FDE is checking that (a) pc-kernel snap is installed, and (b) ubuntu-desktop-minimal is installed. If the test condition is inadequate in some way, we would see bug reports about upgrades being blocked unnecessarily, or possibly users being allowed to upgrade despite running TPM FDE.

As always with these kinds of quirks, if any package or snap names were spelled incorrectly, the quirk would not work correctly.
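The two-part test condition above, and the three test-plan cases it must classify, as an added example. This is not the ubuntu-release-upgrader project's own code: the real quirk lives in DistUpgradeQuirks and its internals are not shown on this page, so the way this example queries snapd (`snap list`) and dpkg (`dpkg-query`) is an assumption, and the sample command output is constructed, not captured from real systems. The snap and package names and the abort message are taken from the bug report.

```python
# Added example, not the project's code: re-implementation of the quirk's
# test condition as described in the bug report. "Desktop with TPM FDE" is
# inferred from (a) the pc-kernel snap being installed and (b) the
# ubuntu-desktop-minimal package being installed. Querying via `snap list`
# and `dpkg-query` is an assumption about how such a check would be done.
import subprocess

# Names exactly as stated in the bug report. As the report notes, a typo in
# either name would silently make the quirk never fire.
TPM_FDE_KERNEL_SNAP = "pc-kernel"
DESKTOP_MINIMAL_PKG = "ubuntu-desktop-minimal"

ABORT_MESSAGE = (
    "Sorry, cannot upgrade this system to 24.04 LTS\n\n"
    "Upgrades for desktop systems running TPM FDE are not currently\n"
    "supported. Please see https://launchpad.net/bugs/2065229 for more\n"
    "information."
)


def parse_snap_list(output: str) -> set[str]:
    """Snap names from `snap list` output: first column, header line skipped."""
    names = set()
    for line in output.splitlines()[1:]:
        fields = line.split()
        if fields:
            names.add(fields[0])
    return names


def parse_dpkg_query(output: str) -> set[str]:
    """Installed package names from
    `dpkg-query -W -f='${Package} ${db:Status-Status}\\n'` output.
    Only status 'installed' counts: a removed-but-not-purged package
    (status 'config-files') must not make the quirk fire."""
    installed = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1] == "installed":
            installed.add(fields[0])
    return installed


def is_tpm_fde_desktop(snaps: set[str], packages: set[str]) -> bool:
    """The quirk's condition: both the kernel snap and the desktop metapackage."""
    return TPM_FDE_KERNEL_SNAP in snaps and DESKTOP_MINIMAL_PKG in packages


def check_live_system() -> bool:
    """Evaluate the condition on the running host (assumed commands)."""
    try:
        snap_out = subprocess.run(["snap", "list"], capture_output=True,
                                  text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        snap_out = ""  # no snapd (e.g. a container) => no pc-kernel snap
    dpkg_out = subprocess.run(
        ["dpkg-query", "-W", "-f=${Package} ${db:Status-Status}\n"],
        capture_output=True, text=True, check=True).stdout
    return is_tpm_fde_desktop(parse_snap_list(snap_out), parse_dpkg_query(dpkg_out))


# Constructed sample output for the three test-plan cases (placeholder
# versions and revisions; not captured from real systems).
SNAP_LIST_TPM_FDE = """\
Name       Version  Rev  Tracking       Publisher   Notes
core22     1.0      10   latest/stable  canonical** base
pc         1.0      11   23.10/stable   canonical** gadget
pc-kernel  1.0      12   23.10/stable   canonical** kernel
snapd      1.0      13   latest/stable  canonical** snapd
"""
SNAP_LIST_CLASSIC = """\
Name    Version  Rev  Tracking       Publisher   Notes
core22  1.0      10   latest/stable  canonical** base
snapd   1.0      13   latest/stable  canonical** snapd
"""
DPKG_DESKTOP = "ubuntu-desktop-minimal installed\nubuntu-desktop installed\nlibc6 installed\n"
DPKG_CONTAINER = "ubuntu-server installed\nlibc6 installed\n"


def evaluate_test_plan() -> dict[str, bool]:
    """True means the quirk would abort the upgrade for that install type."""
    return {
        "desktop-tpm-fde": is_tpm_fde_desktop(parse_snap_list(SNAP_LIST_TPM_FDE),
                                              parse_dpkg_query(DPKG_DESKTOP)),
        "desktop-classic": is_tpm_fde_desktop(parse_snap_list(SNAP_LIST_CLASSIC),
                                              parse_dpkg_query(DPKG_DESKTOP)),
        "lxd-container": is_tpm_fde_desktop(parse_snap_list(""),
                                            parse_dpkg_query(DPKG_CONTAINER)),
    }


if __name__ == "__main__":
    for case, blocked in evaluate_test_plan().items():
        print(f"{case}: {'ABORT' if blocked else 'proceed'}")
    if check_live_system():
        print(ABORT_MESSAGE)
```

Only the first test-plan case should be blocked; the classic desktop lacks the pc-kernel snap and the container lacks both, so both proceed. Filtering on dpkg status rather than mere presence in the database is the kind of detail the "[Where problems could occur]" section is worried about: a looser check would block upgrades on a system that once had ubuntu-desktop-minimal and has since removed it.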


Nick Rosbrook (enr0n)
Changed in ubuntu-release-upgrader (Ubuntu):
status: New → Invalid
Changed in ubuntu-release-upgrader (Ubuntu Noble):
assignee: nobody → Nick Rosbrook (enr0n)
importance: Undecided → High
Nick Rosbrook (enr0n)
description: updated
Nick Rosbrook (enr0n)
Changed in ubuntu-release-upgrader (Ubuntu):
status: Invalid → New
Nick Rosbrook (enr0n)
Changed in ubuntu-release-upgrader (Ubuntu):
status: New → Fix Committed
Changed in ubuntu-release-upgrader (Ubuntu Noble):
status: New → In Progress
Timo Aaltonen (tjaalton) wrote: Please test proposed package

Hello Nick, or anyone else affected,

Accepted ubuntu-release-upgrader into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-release-upgrader/1:24.04.18 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in ubuntu-release-upgrader (Ubuntu Noble):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-noble
Nick Rosbrook (enr0n) wrote:

I have verified using the upgrader tarball for noble-proposed.

To create a VM with Ubuntu Desktop TPM FDE, I did the following:

$ lxc storage volume import default ~/downloads/ubuntu-23.10.1-desktop-amd64.iso 23.10-desktop --type=iso
$ lxc init --empty --vm lxd-mantic-fde -c limits.memory=6GiB -c limits.cpu=4 -d root,size=32GiB
$ lxc config device add lxd-mantic-fde iso-volume disk pool=default source=23.10-desktop boot.priority=10
$ lxc config device add lxd-mantic-fde tpm tpm
$ lxc start --console=vga lxd-mantic-fde

I went through the installer, and selected TPM FDE from advanced features. Then, after the installation, I ran the following in the VM:

ubuntu@ubuntu:~$ wget http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
--2024-05-17 11:02:12-- http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
Resolving archive.ubuntu.com (archive.ubuntu.com)... 185.125.190.39, 91.189.91.82, 185.125.190.36, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|185.125.190.39|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1274850 (1.2M) [application/x-gzip]
Saving to: ‘noble.tar.gz’

noble.tar.gz 100%[===================>] 1.21M 542KB/s in 2.3s

2024-05-17 11:02:14 (542 KB/s) - ‘noble.tar.gz’ saved [1274850/1274850]

ubuntu@ubuntu:~$ tar xf noble.tar.gz
ubuntu@ubuntu:~$ sudo ./noble --frontend DistUpgradeViewText

Reading cache

Checking package manager
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Hit http://security.ubuntu.com/ubuntu mantic-security InRelease
Hit http://nl.archive.ubuntu.com/ubuntu mantic InRelease
Hit http://nl.archive.ubuntu.com/ubuntu mantic-updates InRelease
Hit http://nl.archive.ubuntu.com/ubuntu mantic-backports InRelease
Fetched 0 B in 0s (0 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done

Sorry, cannot upgrade this system to 24.04 LTS

Upgrades for desktop systems running TPM FDE are not currently
supported. Please see https://launchpad.net/bugs/2065229 for more
information.

Restoring original system state

Aborting
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done

So, the upgrade was blocked as expected.

I also tested in a container to make sure that upgrades were not prevented there:

nr@six:~$ lxc launch ubuntu-daily:mantic mantic
Creating mantic
Starting mantic
nr@six:~$ lxc exec mantic bash
root@mantic:~# wget http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
--2024-05-17 09:11:47-- http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.91.83, 91.189.91.81, 185.125.190.39, ...
Connec...


tags: added: verification-done verification-done-noble
removed: verification-needed verification-needed-noble
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ubuntu-release-upgrader - 1:24.10.3

---------------
ubuntu-release-upgrader (1:24.10.3) oracular; urgency=medium

  [ Nick Rosbrook ]
  * tests: fix un-templated expected ubuntu.sources
  * DistUpgradeQuirks: prevent upgrades of TPM FDE desktops (LP: #2065229)
  * Run pre-build.sh: updating mirrors, demotions, and translations.

  [ Dave Jones ]
  * New quirk to add KMS overlay on Pi Server images (LP: #2065051)

 -- Nick Rosbrook <email address hidden> Thu, 09 May 2024 15:29:17 -0400

Changed in ubuntu-release-upgrader (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package ubuntu-release-upgrader - 1:24.04.18

---------------
ubuntu-release-upgrader (1:24.04.18) noble; urgency=medium

  [ Nick Rosbrook ]
  * tests: fix un-templated expected ubuntu.sources
  * DistUpgradeQuirks: prevent upgrades of TPM FDE desktops (LP: #2065229)
  * Run pre-build.sh: updating mirrors, demotions, and translations.

  [ Dave Jones ]
  * New quirk to add KMS overlay on Pi Server images (LP: #2065051)

ubuntu-release-upgrader (1:24.04.17) noble; urgency=medium

  [ Nick Rosbrook ]
  * Revert "DistUpgrade.cfg.jammy: keep {netfilter,iptables}-persistent installed"
  * DistUpgradeQuirks: keep {netfilter,iptables}-persistent instead of ufw
    (LP: #2061891)

  [ Julian Andres Klode ]
  * DistUpgrade.cfg.jammy: Add systemd-resolved to PostUpgradeInstall
    (LP: #2063464)
  * Transition the automatically installed bit to t64 libraries, and
    do not write automatically installed bit in simulation (LP: #2064090)
  * Run pre-build.sh: updating mirrors, demotions, and translations.

 -- Nick Rosbrook <email address hidden> Thu, 09 May 2024 15:39:56 -0400

Changed in ubuntu-release-upgrader (Ubuntu Noble):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote: Update Released

The verification of the Stable Release Update for ubuntu-release-upgrader has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
