Firmware updates with TPM based FDE don't work properly

[superm1]

What happened?

I installed a system with Ubuntu 23.10 beta and enabled TPM based FDE.
I tried to install a firmware update using fwupdtool, but it failed because shim isn't present.

What was expected?

Firmware update executed

Steps to reproduce

1. Install Ubuntu 23.10, enable TPM based FDE
2. Download a firmware update binary
3. Try to install it using fwupdtool or fwupdmgr

Additional context

Here is the flow that failed:

$ sudo fwupdtool install-blob isflash.bin
[sudo] password for test:
Writing…                 [************                           ]
0.      Cancel
1.      3743975ad7f64f8d6575a9ae49fb3a8856fe186f (SSD 980 PRO 1TB)
2.      a45df35ac0e948ee180fe216a5f703f32dda163f (System Firmware)
3.      362301da643102b9f38477387e2193e57abaa590 (UEFI dbx)
4.      7e2216d780d6359e8aea5949374f2813d5cb8b43 (Unifying Receiver)
Choose device [0-4]: 2
Decompressing…           [************                           ]
Secure boot is enabled, but shim isn't installed to EFI/ubuntu/shimx64.efi

I confirmed that the ESP was discovered correctly:

$ sudo fwupdtool esp-list
Selected volume: /org/freedesktop/UDisks2/block_devices/nvme0n1p1
/run/mnt/ubuntu-seed/EFI/boot/grubx64.efi
/run/mnt/ubuntu-seed/EFI/boot/bootx64.efi
/run/mnt/ubuntu-seed/EFI/ubuntu/grubenv
/run/mnt/ubuntu-seed/EFI/ubuntu/grub.cfg
/run/mnt/ubuntu-seed/EFI/ubuntu/fw/fwupd-12b99262-648c-4365-bafd-eb869fb7eb47.cap
/run/mnt/ubuntu-seed/device/fde/ubuntu-data.recovery.sealed-key
/run/mnt/ubuntu-seed/device/fde/ubuntu-save.recovery.sealed-key

fwupd is not aware of this layout.
In order for a firmware update to work, fwupd expects to be able to create a new NVRAM boot entry using shim to chainload fwupdx64.efi.

If it's not going to be possible for fwupd to create an NVRAM boot entry in this layout, one alternative is that fwupd supports GRUB based chainloading by adding this section to the fwupd.conf file.

[uefi_capsule]
EnableGrubChainLoad=true

When that is enabled firmware updates entries will be added to /etc/grub.d/35_fwupd and can be triggered through GRUB instead when a new grub.cfg has been built.

[superm1]

CC @d-loose and @valentindavid

[superm1]

I did experiment with adding to fwupd.conf, but I think development will still be needed because when TPM FDE is enabled grub-reboot doesn't exist neither does update-grub.

conffile:

$ sudo cat /etc/fwupd/fwupd.conf
# use `man 5 fwupd.conf` for documentation
[fwupd]
DisabledPlugins=test;test_ble
OnlyTrusted=true
AllowEmulation=false

[uefi_capsule]
EnableGrubChainLoad=true

attempt:

$ sudo fwupdtool install-blob isflash.bin
Writing…                 [************                           ]
0.      Cancel
1.      3743975ad7f64f8d6575a9ae49fb3a8856fe186f (SSD 980 PRO 1TB)
2.      a45df35ac0e948ee180fe216a5f703f32dda163f (System Firmware)
3.      362301da643102b9f38477387e2193e57abaa590 (UEFI dbx)
4.      7e2216d780d6359e8aea5949374f2813d5cb8b43 (Unifying Receiver)
Choose device [0-4]: 2
Decompressing…           [************                           ]
could not find grub-reboot

[Mafoelffen1]

< I just created an Issue on their issues not being addressed >
It is a good thing for you that it failed. reason? As in this bug: #2039741 TPM Backed install does not create valid LUKS recovery key
If the TPM is updated by fwupdate it clears the TPM, and you will be locked out of your LUKS Volume.Well, "not really". You will required to manually enter the recovery key each time you boot. I came up with a work-around for that, to repair that, but... Is a lot of work.

The fwupdate tool in 23.10.1 is now a Snap App. There is a thread on Ubuntu Forums on how to get that installed and working if that is what you really want to do. Just be prepared what it will do, and what you will have to do after that.

[superm1]

< I just created an Issue on their issues not being addressed >
It is a good thing for you that it failed. reason? As in this bug: #2039741 TPM Backed install does not create valid LUKS recovery key
If the TPM is updated by fwupdate it clears the TPM, and you will be locked out of your LUKS Volume.Well, "not really". You will required to manually enter the recovery key each time you boot. I came up with a work-around for that, to repair that, but... Is a lot of work.

The fwupdate tool in 23.10.1 is now a Snap App. There is a thread on Ubuntu Forums on how to get that installed and working if that is what you really want to do. Just be prepared what it will do, and what you will have to do after that.

A normal firmware update will not clear the TPM.

The only time the TPM will be cleared is when a user physically goes into BIOS setup and clears it.

[jamesps-ebi]

Just to add to this discussion, the new graphical firmware update tool gives the attached error when updating firmware on a TPM FDE system.

devices

[superm1]

Just to add to this discussion, the new graphical firmware update tool gives the attached error when updating firmware on a TPM FDE system.

Should be the same as the command line tool is encountering. I expect a similar error message as I originally posted if you try

fwupdmgr update