Can't boot after installation with TPM backed FDE on xps9320

Bug #2107457 reported by Olivier Gayot
This bug affects 1 person

Affects: subiquity (Ubuntu). Status: New. Importance: Undecided. Assigned to: Unassigned. Milestone: none.

Bug Description

I tried installing Ubuntu 25.04 desktop with TPM backed FDE on two different XPS 9320 units.

The installation seems to succeed.

However, on first boot, it is asking me for a recovery key.

Please enter the recovery key for volume ubuntu-data-a2b3ba2e-2555-4957-a47b-94804d4c119 for device /dev/disk/by-uuid/6bdc5a11-5d7d-4d64-89f-05d9464191e (press TAB for no echo)

Inputting the passphrase entered during the installation does not work.

Tags: iso-testing
Revision history for this message
Olivier Gayot (ogayot) wrote :

Logs from first install

Olivier Gayot (ogayot) wrote :

Logs from second install

Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/2107457

tags: added: iso-testing
Olivier Gayot (ogayot) wrote :

Same result if I skip the "passphrase" screen during the installation.

description: updated
Olivier Gayot (ogayot) wrote :

Same result when installing 24.10 - so not a regression in that sense.

Mate Kukri (mkukri) wrote :

Can you try booting the hard-disk via the same boot menu you booted the installer from?

Some devices unfortunately have issues where the boot UI is included in the measurements, and if you autoboot the HDD without going through the menu, it fails.

Chris Coulson (chrisccoulson) wrote :

Yes, if you could boot the ISO exactly how you booted it to create the install and then copy /sys/kernel/security/tpm0/binary_bios_measurements from the machine and either attach it to this bug or send it to me, then that would be great.

Olivier Gayot (ogayot) wrote :

Hello Mate, hello Chris,

I did another install and tried booting the target system from the exact same menu but it still asked me for the recovery key.

Quickly after powering on the laptop, I hit F12 - "One-Time Boot Settings" then select the USB media if I want to boot the installer - or select the NVMe drive if I want to boot the target system.

I will attach some screenshots, along with:

* the measurements file (collected when booting the installer for the first time)
* the measurements file (collected after failing to boot the target system - and booting the installer again)

Some details that I assume are not relevant:

* The ISO was dd-ed onto the USB drive (i.e., dd if=plucky-desktop-amd64.iso of=/dev/sda bs=1M conv=sync)
* The USB drive is connected to the laptop using a USB3 to USB-C adapter.

Chris Coulson (chrisccoulson) wrote :

Like Mate suggested, I suspect this is a case of there either being additional load events in PCR4 when running the initial install, resulting in an invalid PCR policy being created, or a case of us creating a valid PCR policy but there being additional load events in PCR4 when trying to boot the installed system. Unfortunately, the attached log doesn't show that. As this is a Dell and I have a spare XPS15 at home, I'll try some boots to see if I can recreate the issue. It would be nice for us to have a TCG log from a device that demonstrates the issue so that we know how to properly fix it.

Chris Coulson (chrisccoulson) wrote :

I've just figured out what the issue is here - this device has a debugging endpoint built into the firmware, which is indicated in PCR7:

7 a62bd67b2cc295976651b354468c0047f8d1547d25056ded5952aaf5991762a3 EV_EFI_ACTION UEFI Debug Mode

This causes us to silently mis-predict the PCR7 value today. This will eventually be detected here and will prevent FDE from being enabled:

https://github.com/canonical/secboot/blob/2972449df0baab78eee8f5d99e01d479673651b0/efi/preinstall/check_host_security.go#L67
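Both diagnoses in this thread (Mate's point that a boot-menu application measured into PCR4 makes the sealed policy miss, and Chris's finding that an EV_EFI_ACTION "UEFI Debug Mode" event in PCR7 makes the predicted PCR7 wrong) reduce to replaying the TCG event log and comparing the result against what the policy was computed from. The following Python model is an added example, not secboot's code and not taken from this bug's attachments: it extends a SHA-256 bank from a constructed log, shows why a prediction that omits the debug-mode event can never match the real PCR7, reports PCR4 load events present on a menu boot but absent at install time, and approximates the preinstall gate linked above with a `fde_allowed()` check. The event logs, the image paths and the `FvFile(BootMenuApp)` name are constructed for illustration; a real triage would first parse /sys/kernel/security/tpm0/binary_bios_measurements (for example with tpm2_eventlog), which this example does not do.

```python
"""
Replay PCR4/PCR7 from a constructed TCG event log and flag the two conditions
discussed in this bug: an EV_EFI_ACTION "UEFI Debug Mode" event in PCR7, and
extra load events in PCR4 that differ between the install boot and the first
boot of the target. Added example; not secboot's implementation.
"""
import hashlib

# Event type codes from the TCG PC Client Platform Firmware Profile.
EV_SEPARATOR = 0x00000004
EV_EFI_VARIABLE_DRIVER_CONFIG = 0x80000001
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003
EV_EFI_ACTION = 0x80000007

DEBUG_MODE_ACTION = b"UEFI Debug Mode"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def event(pcr: int, ev_type: int, data: bytes) -> dict:
    """One SHA-256 bank log entry. For EV_EFI_ACTION the digest is the hash of
    the action string; for the other types we hash the constructed payload,
    which is enough to exercise the replay logic."""
    return {"pcr": pcr, "type": ev_type, "data": data, "digest": sha256(data)}


def extend(current: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend for a SHA-256 bank: new = H(old || digest)."""
    return sha256(current + digest)


def replay(events, pcr: int, skip=lambda ev: False) -> bytes:
    """Recompute a PCR by extending every logged digest for it, in order.
    `skip` models a policy that was predicted without some of the events."""
    value = bytes(32)
    for ev in events:
        if ev["pcr"] == pcr and not skip(ev):
            value = extend(value, ev["digest"])
    return value


def debug_mode_events(events):
    """The PCR7 event that the host-security check must refuse."""
    return [ev for ev in events
            if ev["pcr"] == 7 and ev["type"] == EV_EFI_ACTION
            and ev["data"] == DEBUG_MODE_ACTION]


def pcr4_loads(events):
    return [ev["data"] for ev in events
            if ev["pcr"] == 4 and ev["type"] == EV_EFI_BOOT_SERVICES_APPLICATION]


def unexpected_pcr4_loads(install_log, boot_log):
    """Load events present when booting the target but absent at install time
    (a boot-menu application, for example) make the sealed PCR4 policy fail."""
    expected = set(pcr4_loads(install_log))
    return [d for d in pcr4_loads(boot_log) if d not in expected]


def fde_allowed(events) -> bool:
    """Approximation of the preinstall gate: no firmware debug mode in PCR7."""
    return not debug_mode_events(events)


# Constructed logs (not captured from the XPS 9320); paths and names are hypothetical.
BASE_PCR7 = [
    event(7, EV_EFI_VARIABLE_DRIVER_CONFIG, b"SecureBoot=1"),
    event(7, EV_EFI_VARIABLE_DRIVER_CONFIG, b"PK"),
    event(7, EV_EFI_VARIABLE_DRIVER_CONFIG, b"db"),
    event(7, EV_SEPARATOR, b"\x00\x00\x00\x00"),
]
BASE_PCR4 = [
    event(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"\\EFI\\ubuntu\\shimx64.efi"),
    event(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"\\EFI\\ubuntu\\grubx64.efi"),
]
CLEAN_LOG = BASE_PCR7 + BASE_PCR4
# Firmware with a debug endpoint: the same log plus the PCR7 action event.
DEBUG_LOG = BASE_PCR7[:3] + [event(7, EV_EFI_ACTION, DEBUG_MODE_ACTION)] + BASE_PCR7[3:] + BASE_PCR4
# Booting via the one-time boot menu: an extra application measured into PCR4.
MENU_LOG = BASE_PCR7 + [event(4, EV_EFI_BOOT_SERVICES_APPLICATION, b"FvFile(BootMenuApp)")] + BASE_PCR4


def diagnose(install_log, boot_log) -> dict:
    """What a first-boot triage of the two logs would report."""
    return {
        "debug_mode": bool(debug_mode_events(boot_log)),
        "pcr7_matches": replay(install_log, 7) == replay(boot_log, 7),
        "pcr4_matches": replay(install_log, 4) == replay(boot_log, 4),
        "extra_pcr4_loads": unexpected_pcr4_loads(install_log, boot_log),
    }


if __name__ == "__main__":
    # A policy predicted without the debug-mode event never matches the real PCR7.
    predicted = replay(DEBUG_LOG, 7, skip=lambda ev: ev["type"] == EV_EFI_ACTION)
    print("PCR7 predicted:", predicted.hex())
    print("PCR7 actual:   ", replay(DEBUG_LOG, 7).hex())
    print("FDE allowed on this host:", fde_allowed(DEBUG_LOG))
    print("Menu boot vs install:", diagnose(CLEAN_LOG, MENU_LOG))
```

The two failure modes look identical from the recovery-key prompt, which is why the thread asks for the event log: only the replay tells you whether PCR7 was mispredicted at install time (the debug-mode case, where no boot path will ever unseal) or whether PCR4 diverged between the install boot and the target boot (the boot-menu case, which a consistent boot path can work around).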
