TPM-backed Full Disk Encryption is coming to Ubuntu (opens in new tab)

(ubuntu.com)

61 pointsbpolverini2y ago70 comments

70 comments

> the bootloader (shim and GRUB) and kernel assets will be delivered as snap packages (via gadget and kernel snaps), as opposed to being delivered as Debian packages.

And there it is.

I suppose having your kernel command line signed by Canonical and unmodifiable by the system owner without a pain-in-the-ass manual 'machine owner key enrolment' process is very much on-brand for Snap.

distract89012y ago

Well shit, we were just joking the other day on mastodon about the kernel being distributed as a snap. I guess this is it, then.

I'm tired of computers being awful :(

palata2y ago

Just don't use Ubuntu, there are plenty of fish in the sea :-)

1 more reply

nine_k2y ago

Looks perfectly aligned with corporate and especially government IT practices. There the user is by far not the owner.

cgb2232y ago

So if Ubuntu is pivoting hard into big corporate/govt

Who’s the new big community desktop distro?

4 more replies

josephcsible2y ago

But even in those environments, Canonical isn't the owner.

mr3372y ago

Hard pass. I'm slowly been dumping Ubuntu due to the force snaps down your throat strategy they have. Still irritated I have to jump through hoops to get Firefox without a snap.

rjzzleep2y ago

Meanwhile my mom just asked me to switch her Dell to her favorite linux mint flavour and the key enrollment was literally 3 key presses plus the password away.

michaelt2y ago

Oops, I tried to install the nvidia drivers, but it doesn't seem to have worked.

I got a weird screen during the process, pretty sure it was blue, and the default option was 'continue boot' which I selected, I think maybe it was the 'BIOS' ?

I couldn't google what to do while at that screen, or screenshot it either, for some reason.

I've tried uninstalling then reinstalling the drivers, but that hasn't made the mystery screen to come up again, and hasn't fixed my problem.

I will now go and research a fix, but as a newbie I don't know keywords like 'mok enrolment' or 'mokutil' or 'dkms' or 'secure boot' or 'shim' because WTF do those even mean?

Go ahead and try searching, see how long it takes you to find the command you need to run when you don't know any of those terms, or even that the problem is secure boot related.

Meanwhile, the BIOS with its 'secure boot on/off' switch is available every single boot.

> the key enrollment was literally 3 key presses plus the password away

If you don't count the 8+ character password you have to enter three times, maybe.

1 more reply

heavyset_go2y ago

That's disappointing, but not surprising.

theandrewbailey2y ago

I'm in the process of moving away from Ubuntu, but this is a pretty cool feature. I've seen a tutorial here and there about how to manually set up LUKS with a TPM, but those have a downside of the TPM needing to be updated with every new kernel. I guess Ubuntu has found a way to integrate or work around that?

wiktor-k2y ago

> but those have a downside of the TPM needing to be updated with every new kernel.

This depends on the configuration. If you don't bind the key to PCRs at key creation time kernel updates don't affect the workflow and you still will take advantage of other TPM features such as locking the key after several unsuccessful attempts.

Take a look at the systemd configuration: https://www.freedesktop.org/software/systemd/man/systemd-cry...

I'm using it on my laptop and it works well.

jandrese2y ago

IMHO the PCRs are way too much trouble and defend against attacks that are rare outside of extremely spooky circles. They were the biggest problem with Bitlocker too.

2 more replies

FirmwareBurner2y ago

That's groovy baby, but can anyone give me the technicals on why we can't have Hibernate(not sleep) out of the box on Ubuntu like we can on Windows? That was one of the deal-breakers for me making the switch. If I understood it correctly, it's because of Z-RAM and if I'm also correct, full disk encryption is another roadblock in the path of the hibernate feature.

criddell2y ago

Windows these days prefers what they call modern standby and you probably don't want it.

I have a ThinkPad and this is what it's like:

Close the lid and stuff laptop into my backpack. I travel to work and when I pull my machine out of my bag, it has 12% battery left, is super hot, and the fan is screaming like the machine is trying to fly away. All because Microsoft thinks PCs should be more like iPhones.

FirmwareBurner2y ago

>Windows these days prefers what they call modern standby and you probably don't want it.

Who cares what Windows prefers, when I'm the user and I prefer Hibernate which works out of the box and I use it precisely because it avoids the issues you mentioned. Why don't you use Hibernate? SSDs are fast enough that a wake from hibernate is not much slower than a wake from sleep.

On Ubuntu I don't even have this option because ... reasons.

4 more replies

lostmsu2y ago

It might be broken on your laptop, but it does not seem to be broken in general.

julian-klode2y ago

So hibernate is somewhat unreliable and prone to data loss, image you hibernate after having installed a new kernel, so the decision was made to disable it due to that IIRC, independent of secure boot.

With secure boot and lockdown, hibernate is no longer possible on an alternative reason: We need to ensure that the kernel memory has not been tampered with. If you hibernate, you could then go and modify the memory in the swap and bypass the lock down security guarantees.

To address that you'd need to authenticate the swap using the TPM somehow, but I don't know enough about TPMs to know if that's feasible. Usually people would seal some crypto key against the TPM but here it's somewhat the opposite way around.

FredFS4562y ago

From my (shallow) understanding you can encrypt the swap using dm-crypt/LUKS as well and unlock using TPM. It's supported using systemd-cryptenroll on Arch.

FirmwareBurner2y ago

Thanks for the explanation. That kind of sucks though. I was spoiled by how good hibernate works on Windows and assumed any modern desktop OS should come with this feature if it wishes to "cut the king". I guess it's another nail in the "switching to Linux" coffin.

1 more reply

botanical2y ago

I have hibernate after following this:

https://ubuntuhandbook.org/index.php/2021/08/enable-hibernat...

But I don't have full disk encryption so I don't know how it works with it.

FirmwareBurner2y ago

I tried that and it didn't work on my work ThinkPad (also those steps are dangerous it could brick your system if you so much as make a single mistake).

But that doesn't answer my question of why something as basic as Hibernate (copy RAM contents to HDD on power-OFF, then reverse on power-ON) isn't something that works out of the box on Linux distros, and instead requires 2h of tutorial reading and dangerous low-lvel tinkering for it to (maybe) work or brick your system if you mess it up.

2 more replies

josephcsible2y ago

This sounds like TPM and passphrase (as opposed to TPM or passphrase) which seems like a recipe for eating your data.

Jigsy2y ago

Although I use Xubuntu on an old laptop, I'm hoping this is an option rather than a "suck it up!" change.

I'd rather just enter a password...

tbyehl2y ago

Only 11 years behind Windows 8 making BitLocker w/ Secure Boot easily accessible to the masses. Presumably not supporting TPM 1.2, which is why my oldest hardware runs Linux under Hyper-V instead of bare metal.

fatfingerd2y ago

What's the status for ZFS with a TPM and his will this affect it (competitively?)

j / k navigate · click thread line to collapse