Comment 36 for bug 1938678

ethan.hsieh (ethan.hsieh) wrote : Re: [intel] [tgl-h][iotg] [hwe-tpm] Ubuntu Core hangs during bootup on TGL-H

I enrolled the KEK and Signature via BIOS settings but still get the same error message (comment #31).
But, I can install the test image on another x86 machine and FDE is enabled successfully.

Here are the steps:
1. Remove key enrolled by mokutil
2. Re-flash uc20 test image
3. Enroll KEK and Signature via BIOS settings:
[Boot Maintenance Manager Menu][Secure Boot Configuration Menu][Secure Boot Mode][Custom Mode][Custom Secure Boot Option]
[KEK Option][Enroll KEK] => PkKek-1-snakeoil.der[1]
[DB Option][Enroll Signature] => PkKek-1-snakeoil.der
4. Clear TPM
[Intel Advanced Menu][TPM Configuration][TCG2 Configuration][TPM2 Operation]

The other x86 machine has a different BIOS, so it has different steps to clear the TPM and enroll the key.
1. Flash uc20 test image
2. Enroll KEK and Signature via BIOS settings:
[Security][Secure Boot][Key Management]
[Key Exchange Keys][Append] => PkKek-1-snakeoil.der
[Authorized Signatures][Append] => PkKek-1-snakeoil.der
3. Clear TPM
$ sudo -s
$ echo 5 > /sys/class/tpm/tpm0/ppi/request

---
[1] PkKek-1-snakeoil
https://raw.githubusercontent.com/snapcore/pc-amd64-gadget/20/snakeoil/PkKek-1-snakeoil.key
https://raw.githubusercontent.com/snapcore/pc-amd64-gadget/20/snakeoil/PkKek-1-snakeoil.pem
# Convert PkKek-1-snakeoil.pem to PkKek-1-snakeoil.der
$ openssl x509 -in PkKek-1-snakeoil.pem -inform PEM -outform DER -out PkKek-1-snakeoil.der
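
One way to confirm that the enrollment steps above actually placed PkKek-1-snakeoil.der in the firmware's KEK and db variables, as an added example that is not part of the original comment: it parses the EFI_SIGNATURE_LIST payloads exposed under efivarfs and compares each X.509 entry with the DER file. The efivarfs mount path and the helper names are assumptions, and the sample bytes are constructed.

```python
import struct, sys, uuid

X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # EFI_CERT_X509_GUID
EFIVARS = "/sys/firmware/efi/efivars/"  # assumed efivarfs mount point
VARS = {  # variable name -> vendor GUID (UEFI specification)
    "KEK": "8be4df61-93ca-11d2-aa0d-00e098032b8c",
    "db": "d719b2cb-3d3a-4596-a3bc-dad00e67656f",
}

def x509_entries(esl):
    """Yield (owner GUID, DER bytes) for every X.509 entry in a variable's
    payload, which is one or more concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(esl):
        if len(esl) - off < 28:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=esl[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", esl, off + 16)
        if list_size < 28 or off + list_size > len(esl) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            if sig_type == X509_GUID:  # skip hash lists (SHA-256 etc.)
                yield uuid.UUID(bytes_le=esl[pos:pos + 16]), esl[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def is_enrolled(payload, cert_der):
    """True if cert_der appears byte-for-byte as an X.509 entry."""
    return any(der == cert_der for _, der in x509_entries(payload))

def make_esl(sig_type, owner, blobs):
    """Build one EFI_SIGNATURE_LIST; used only for constructed samples."""
    body = b"".join(owner.bytes_le + b for b in blobs)
    sizes = struct.pack("<III", 28 + len(body), 0, 16 + len(blobs[0]))
    return sig_type.bytes_le + sizes + body

if __name__ == "__main__":
    if len(sys.argv) == 2:  # path to PkKek-1-snakeoil.der; run as root
        der = open(sys.argv[1], "rb").read()
        for name, guid in VARS.items():
            # efivarfs prefixes the payload with a 4-byte attributes field
            raw = open(f"{EFIVARS}{name}-{guid}", "rb").read()[4:]
            print(name, "enrolled" if is_enrolled(raw, der) else "NOT enrolled")
    else:  # constructed sample, no firmware access needed
        sample = make_esl(X509_GUID, uuid.UUID(int=0), [b"constructed-der"])
        print("sample:", is_enrolled(sample, b"constructed-der"))
```

If either variable reports NOT enrolled after the BIOS steps, the firmware did not store the certificate that the menu claimed to append.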