Given the fact this 1) Bothers so many people, 2) Seems to be a bit down
on Canonical's priority list, 3) Has no official workaround and 4) The
relevant Discourse thread is closed, I'm posting a possible workaround
here in case it's useful to someone:

WARNING: This is a rough outline. I had to do it in a hurry and am
writing it down from memory. YMMV. Be prepared to lose all your data. A
reinstall is probably the better approach – I just couldn't be bothered.

This workaround (hopefully) restores a purely deb-based Ubuntu kernel
with TPM2/FDE support and automatic unlocking. After conversion you can
install kernel modules, sound firmware and the other things you need to
carry on with your life.

A typical disk layout if you installed Ubuntu with FDE and TPM2 on an
NVMe drive looks like:

/dev/nvme0n1p1: /boot/efi
/dev/nvme0n1p2: /boot
/dev/nvme0n1p3: unlocked/mapped to ubuntu-save (to do with snapd I think)
/dev/nvme0n1p4: unlocked/mapped to ubuntu-data (your root partition)

p1 and p2 are unencrypted, whilst p3 and p4 are LUKS-encrypted.

- First, get the recovery keys: snap recovery --show-keys

- Get snap2luks.py from github:
https://github.com/jps-help/python-snap2luks/blob/main/snap2luks.py

- Run snap2luks.py and store key.out somewhere.

- Set a passphrase for the ubuntu-data partition: cryptsetup luksAddKey
/dev/nvme0n1p4 --key-file=/path/to/key.out

- Reboot, disable secure boot and boot from a live USB. You need
Internet access so configure the network...

- Unlock the filesystem: cryptsetup luksOpen /dev/nvme0n1p4 luksroot

- Mount the root filesystem somewhere: mount /dev/mapper/luksroot /mnt
- Mount --bind dev, sys, proc, run into /mnt/dev, /mnt/sys etc.
- Mount /mnt/boot 
- Destroy your EFI partition: mkfs.vfat -F32 /dev/nvme0n1p1
- mount the EFI partition on /mnt/boot/efi
- chroot /mnt

- Remove boot-managed-by-snapd: dpkg -P --force-all boot-managed-by-snapd
- Remove snapd: apt purge snapd
- rm -rf /snap /var/lib/snapd /var/cache/snapd

I know this is somewhat crude, but the problem is pc-kernel can't be
uninstalled just like that due to the model dependency. I didn't have
the patience for a surgical removal so took the viking approach and
gutted it. You should probably run 'snap list' and store the output
somewhere so you can reinstall later if you run anything from snap. Who
knows, maybe you should back something up as well.

- Install snapd and run snap list to ensure pc-kernel isn't listed.
Reinstall the packages you want (or wait until you're booted up again).

- Install the grub, kernel and clevis packages: apt install grub-efi
grub-efi-amd64 grub-efi-amd64-signed shim-signed linux-image-generic
linux-headers-generic clevis clevis-initramfs clevis-luks clevis-tpm2
- Install grub: grub-install --target=x86_64-efi --efi-directory=/boot/efi
--bootloader-id=ubuntu

- Update /etc/fstab to add entries for /boot and /boot/efi

For reasons currently unfathomable to me, TPM2 support has been actively
removed from Ubuntu's systemd-cryptenroll for "security reasons". Hence
we'll resort to Clevis for unlocking for now:

- Create /etc/crypttab and add a line (get the UUID from ls
/dev/disk/by-uuid; the third field is the key file, so put "none" there
before the options): luksroot    UUID=youruuid    none    luks,clevis,discard

- clevis luks bind -d /dev/nvme0n1p4 tpm2 '{"pcr_ids":"0,2,7"}'

- Update initramfs: update-initramfs -k all -u
- Update grub: update-grub

Reboot and enable Secure Boot. Depending on your UEFI you might have to
fiddle around with keys, but it should normally boot up despite whining
about something having changed. Then on the next reboot it'll usually be
fine. YMMV.
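As an added illustration (not part of the post and not the poster's own commands), here is a script for the crypttab and clevis steps that first proves the key.out from snap2luks.py still unlocks the volume and checks the tpm2 binding before rebuilding the initramfs. It assumes the layout in the post (/dev/nvme0n1p4 as the LUKS root, mapper name luksroot, PCRs 0,2,7) and that key.out was saved as /root/key.out; all of these can be overridden through environment variables.

```sh
#!/bin/sh
# Added example, not the poster's commands: assumes the post's layout
# (/dev/nvme0n1p4 is the LUKS root, mapper luksroot, PCRs 0,2,7) and that
# key.out from snap2luks.py was saved as /root/key.out.
set -eu

DEV="${DEV:-/dev/nvme0n1p4}"
MAPPER="${MAPPER:-luksroot}"
PCRS="${PCRS:-0,2,7}"
KEYFILE="${KEYFILE:-/root/key.out}"

# Accept only a comma-separated list of PCR indexes 0-23.
valid_pcrs() {
    case "$1" in
        ''|,*|*,|*,,*|*[!0-9,]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=,
    for p in $1; do
        [ "$p" -le 23 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
}

# Four-field crypttab entry: name, source, key file (none), options.
crypttab_line() {
    printf '%s\tUUID=%s\tnone\tluks,clevis,discard\n' "$1" "$2"
}

# Configuration string for the clevis tpm2 pin.
tpm2_config() {
    printf '{"pcr_ids":"%s"}' "$1"
}

main() {
    valid_pcrs "$PCRS" || { echo "bad PCR list: $PCRS" >&2; exit 1; }
    # Prove the recovered key still unlocks the volume before going further.
    cryptsetup open --test-passphrase --key-file "$KEYFILE" "$DEV"
    uuid=$(cryptsetup luksUUID "$DEV")
    # Do not append a second entry if one for this mapper already exists.
    if ! grep -q "^$MAPPER[[:space:]]" /etc/crypttab 2>/dev/null; then
        crypttab_line "$MAPPER" "$uuid" >> /etc/crypttab
    fi
    clevis luks bind -d "$DEV" tpm2 "$(tpm2_config "$PCRS")"
    # Confirm the binding is recorded before rebuilding the initramfs.
    clevis luks list -d "$DEV" | grep -q tpm2
    update-initramfs -k all -u
    update-grub
}
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run it inside the chroot as RUN_MAIN=1 sh script.sh; without RUN_MAIN it only defines the functions, so nothing on disk is touched.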

From here you should be able to install firmware-sof-signed, VirtualBox
kernel modules, NVIDIA drivers, run fwupd, and so on until the official
snap based FDE/TPM2 approach is out of alpha.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2092363

Title:
  Missing (but referenced) SOF firmware in pc-kernel – No Audio

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-kernel-snaps/+bug/2092363/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs