snapd

Ubuntu Core 20 randomly fails to boot and asking for recovery key

Bug #2017728 reported by Sunil Kumar on 2023-04-26

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	snapd	Triaged	Medium	Unassigned

Bug Description

Summary:
We are working on Dell EGW devices using the Ubuntu 20.04 Core from Canonical. Our EGW device is using TMP device from Infineon SLB9665 FW 6.3.
During Ubuntu Core installation boot is stuck at “please enter the recovery key for disk <LONG_DISK_NAME>” (which we don’t have, we have never inserted it, it is configured by itself).

Following are the steps to reproduce:
1. Enable TPM and Secure boot in BIOS.
2. Clear TPM in BIOS
3. Boot into live Ubuntu USB key.
4. Flash ubuntu-core-20-amd64+intel-iot.img.xz to the system.
5. Reboot and remove live Ubuntu USB key.

Expected behavior:
The system could boot into OS normally.

Observed behavior:
The system is stuck in the console with an activated encrypted device issue.

Failure rate: 100%

Tags:

Revision history for this message

Sunil Kumar (sunilkumar4476) wrote on 2023-04-26:

fails_to_boot_asking_for_recovery_key.jpg Edit (1.3 MiB, image/jpeg)

Sunil Kumar (sunilkumar4476) on 2023-04-27

tags:

added: bug

Revision history for this message

Sunil Kumar (sunilkumar4476) wrote on 2023-04-29:

Hi,
I did not get any response yet. This very critical issue for us. All our devices gets stuck during installation.
Please help.

Thank you

Revision history for this message

Sergio Cazzolato (sergio-j-cazzolato) wrote on 2023-05-09:

Hi Sunil, thanks for the report. I'll work on analyzing and reproducing the issue.

Revision history for this message

Sergio Cazzolato (sergio-j-cazzolato) wrote on 2023-05-10:

Could you please provide the boot logs produced before the error is displayed?

Revision history for this message

Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote on 2023-05-11:

The problem probably comes from having boot previously from live Ubuntu to flash the Core image. The new shim introduced in the live image creates a sbat UEFI variable that needs to be cleaned up before installing UC, that has an older shim/grub. See https://discourse.ubuntu.com/t/sbat-revocations-boot-process/34996 for details on how to delete the variable.

The real fix will happen when we release a newer snapd that will support the new shim/grub, plus a pc gadget containing them. This will happen when snapd 2.59.3 is released and pc from 22/edge is released.

Revision history for this message

Sunil Kumar (sunilkumar4476) wrote on 2023-05-11:

Hi Sergio,

Thank you for your response.

The system gets stuck during installation and there is no way to pull out the logs since the partitions are locked.

I have only recorded video and we go frame by frame to look at the logs.

We observe while scanning frames that there is no error message which can let the user know the actual situation.

Revision history for this message

Sunil Kumar (sunilkumar4476) wrote on 2023-05-12:

Hi Sergio,

I tried to follow the following steps to clear sbat.
1. Disable secure boot
2. Boot from Ubuntu-22-10 live USB
3. run following commands
$sudo mokutil --set-sbat-policy delete
$sudo reboot
4. Press F7 and check if sbat removed
5. Go to setup and enable secure boot
6. Boot from Ubuntu-20-04 live USB and use dd command to copy image to ssd.
7. Reboot and go to BIOS to clear TPM2

But the same issue still exists.

Revision history for this message

Alfonso Sanchez-Beato (alfonsosanchezbeato) wrote on 2023-05-12:

Hi Sunil,

shim 15.7 has actually been ported to 20.04 too, so probably sbat uefi var is being recreated after booting with 20.04, so you will still have the problem if your iso has been recently built. I would try with an old version instead of latest live, maybe

https://old-releases.ubuntu.com/releases/20.04.1/ubuntu-20.04.1-desktop-amd64.iso

could be fine.

Sergio Cazzolato (sergio-j-cazzolato) on 2023-08-24