[canary] installation failed with "cannot seal the encryption keys"

Bug #2031896 reported by Jean-Baptiste Lallement
This bug affects 12 people
Affects                   Status       Importance  Assigned to  Milestone
snapd                     In Progress  Undecided   Unassigned
subiquity                 Confirmed    Undecided   Unassigned
ubuntu-desktop-provision  Triaged      Critical    Unassigned
subiquity (Ubuntu)        Triaged      Critical    Unassigned

Bug Description

Mantic 20230817

For some reason installation in a VM failed with:

=====
2023-08-18 08:42:55,702 ERROR root:30 finish: subiquity/Install/install/curtin_install/finish_install: FAIL: cannot perform the following tasks:
- Finish setup of run system for "enhanced-secureboot-desktop" (cannot seal the encryption keys: cannot add EFI secure boot policy profile: cannot compute secure boot policy profile: the current boot was preceeded by a boot attempt to an EFI application that returned to the boot manager, without a reboot in between)
2023-08-18 08:42:55,702 ERROR root:30 finish: subiquity/Install/install/curtin_install: FAIL: cannot perform the following tasks:
- Finish setup of run system for "enhanced-secureboot-desktop" (cannot seal the encryption keys: cannot add EFI secure boot policy profile: cannot compute secure boot policy profile: the current boot was preceeded by a boot attempt to an EFI application that returned to the boot manager, without a reboot in between)
2023-08-18 08:42:55,702 DEBUG subiquity.common.errorreport:394 generating crash report
2023-08-18 08:42:55,714 INFO subiquity.common.errorreport:415 saving crash report 'install failed crashed with ClientError' to /var/crash/1692348175.702773333.install_fail.crash
2023-08-18 08:42:55,714 ERROR root:30 finish: subiquity/Install/install: FAIL: cannot perform the following tasks:
- Finish setup of run system for "enhanced-secureboot-desktop" (cannot seal the encryption keys: cannot add EFI secure boot policy profile: cannot compute secure boot policy profile: the current boot was preceeded by a boot attempt to an EFI application that returned to the boot manager, without a reboot in between)
2023-08-18 08:42:55,715 INFO root:30 start: subiquity/ErrorReporter/1692348175.702773333.install_fail/add_info:
2023-08-18 08:42:55,715 ERROR subiquity.server.server:414 top level error
Traceback (most recent call last):
  File "/snap/ubuntu-desktop-installer/1197/bin/subiquity/subiquity/server/controllers/shutdown.py", line 74, in _wait_install
    await self.app.controllers.Install.install_task
aiohttp.client_exceptions.ClientError: cannot perform the following tasks:
- Finish setup of run system for "enhanced-secureboot-desktop" (cannot seal the encryption keys: cannot add EFI secure boot policy profile: cannot compute secure boot policy profile: the current boot was preceeded by a boot attempt to an EFI application that returned to the boot manager, without a reboot in between)
2023-08-18 08:42:55,717 ERROR subiquity.server.server:414 top level error
Traceback (most recent call last):
  File "/snap/ubuntu-desktop-installer/1197/bin/subiquity/subiquity/server/controllers/shutdown.py", line 74, in _wait_install
    await self.app.controllers.Install.install_task
aiohttp.client_exceptions.ClientError: cannot perform the following tasks:
- Finish setup of run system for "enhanced-secureboot-desktop" (cannot seal the encryption keys: cannot add EFI secure boot policy profile: cannot compute secure boot policy profile: the current boot was preceeded by a boot attempt to an EFI application that returned to the boot manager, without a reboot in between)
=====

The error should be exposed to the user instead of crashing. The error is not displayed in the console of the installer either.

About the error itself, I've no clue what it means, since it's an installation from a fresh VM, straight to the live session.

Tags: fde
Jean-Baptiste Lallement (jibel) wrote :
Changed in subiquity (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
no longer affects: ubuntu-desktop-installer
Changed in subiquity:
status: New → Confirmed
Changed in ubuntu-desktop-installer:
status: New → Triaged
importance: Undecided → Wishlist
James Paton-Smith (jamesps) wrote :

I had the same error on a Dell laptop (Latitude 7420)

"cannot seal the encryption keys: cannot add EFI secure boot policy profile: cannot compute secure boot policy profile: the current boot was preceeded by a boot attempt to an EFI application that returned to the boot manager, without a reboot in between"

I'm not sure what to make of this error.

James Paton-Smith (jamesps) wrote :

Tested again on a VM and managed to get it working. As far as I can tell, the only thing I changed was the EFI boot order.

I simply made sure that CD/DVD was the first boot option and made sure to shutdown the VM before booting into the ISO image.

So potentially, having other boot options before the CD/DVD option, even if they don't succeed (e.g. disk is unformatted), could be causing the issue.
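
As an added illustration (not snapd's or secboot's own code), the check below walks a simplified PCR 4 event log for the condition named in the error in the description and in the boot-order observation above: an application launched from a boot option that returned to the boot manager before the one that finally booted. The action strings are the standard TCG PC Client EV_EFI_ACTION strings; the Event record type and both logs are constructed for this example (a real log is binary, see tpm2_eventlog).

```python
from dataclasses import dataclass

# Standard TCG PC Client EV_EFI_ACTION strings that the boot manager measures into PCR 4.
CALLING = "Calling EFI Application from Boot Option"
RETURNING = "Returning from EFI Application from Boot Option"


@dataclass(frozen=True)
class Event:            # simplified event-log record (constructed for this example)
    pcr: int
    event_type: str     # e.g. "EV_EFI_ACTION", "EV_EFI_BOOT_SERVICES_APPLICATION"
    data: str           # the action string, or a label for the measured image


def returned_boot_attempts(events):
    """Labels of boot-option applications that returned to the boot manager."""
    returned = []
    chain = []          # images measured since the last CALLING action
    for ev in events:
        if ev.pcr != 4:
            continue
        if ev.event_type == "EV_EFI_ACTION" and ev.data == CALLING:
            chain = []
        elif ev.event_type == "EV_EFI_BOOT_SERVICES_APPLICATION":
            chain.append(ev.data)
        elif ev.event_type == "EV_EFI_ACTION" and ev.data == RETURNING:
            # The first image after CALLING is the boot-option application itself.
            returned.append(chain[0] if chain else "<unknown image>")
            chain = []
    return returned


def sealing_would_be_refused(events):
    """True when a policy computation like the one in the log above would bail out."""
    return bool(returned_boot_attempts(events))


# Constructed log: firmware first tried the empty disk, whose bootloader returned,
# then the ISO was picked from the boot manager without a reboot in between.
PRECEDED_LOG = [
    Event(7, "EV_EFI_VARIABLE_DRIVER_CONFIG", "SecureBoot"),
    Event(4, "EV_EFI_ACTION", CALLING),
    Event(4, "EV_EFI_BOOT_SERVICES_APPLICATION", "HD0:\\EFI\\BOOT\\BOOTX64.EFI"),
    Event(4, "EV_EFI_ACTION", RETURNING),
    Event(4, "EV_EFI_ACTION", CALLING),
    Event(4, "EV_EFI_BOOT_SERVICES_APPLICATION", "CD0:\\EFI\\BOOT\\BOOTX64.EFI"),
    Event(4, "EV_EFI_BOOT_SERVICES_APPLICATION", "CD0:\\EFI\\BOOT\\GRUBX64.EFI"),
]
# Same machine after a clean shutdown with the DVD first in the boot order.
CLEAN_LOG = PRECEDED_LOG[:1] + PRECEDED_LOG[4:]
```

Running returned_boot_attempts over PRECEDED_LOG names the disk bootloader that returned, while CLEAN_LOG yields nothing, matching the two outcomes reported in this thread.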

Paddy Landau (paddy-landau) wrote :

@jamesps — Which VM did you use? I used VirtualBox (version 7.0), and I had also changed the EFI boot order before booting: DVD first, hard disk second, with no other drives attached.

Henry Coggill (hcoggillhome) wrote :

I encountered this issue whilst using a QEMU VM, as per the instructions for booting Ubuntu Core 22 with TPM: https://ubuntu.com/core/docs/testing-with-qemu

The boot process did take me to the EFI shell, from which I exited, and selected the Mantic DVD (ISO) as the boot device.

James Paton-Smith (jamesps) wrote :

@paddy-landau - I was using QEMU VM and virt-manager. As far as I can tell, that was the only difference between my tests.

I also deleted, then recreated the TPM device on the VM, but that was to make sure there was nothing stored from the previous attempt.

Changed in subiquity (Ubuntu):
importance: Wishlist → Critical
Changed in ubuntu-desktop-installer:
importance: Wishlist → Critical
Chris Coulson (chrisccoulson) wrote :
Dan Bungert (dbungert)
Changed in snapd:
status: New → In Progress
affects: ubuntu-desktop-installer → ubuntu-desktop-provision
Balázs Börcsök (minefserver) wrote :

I am pretty sure that this is connected to https://bugs.launchpad.net/ubuntu/+source/subiquity/+bug/2049999

In my case I think it is about TPM PCR bank capabilities (SHA-512 vs. SHA-1).

It is another question whether this is handled gracefully or checked against.

I see no problem allowing SHA-1 banks to be used as long as the user is notified about possible security risks. Also, for disk encryption, maybe add a PIN as well, systemd-cryptenroll supports it.

I think this is a developer oversight.
