UEFI – Fix TPM Recovery Key Prompt on Every Boot After Firmware Update on Ubuntu 23.10

23.10tpmuefi

As the title says, I'm using Ubuntu 23.10 with the newly introduced TPM based FDE, i got a firmware update (for UEFI dbx) the other day so i did the update, then after reboot it asked me to enter TMP recovery keys, thankfully I made sure to backup them during installation so i was able to boot by entering it, but since then everytime i turn on my laptop it shows a message like this:

Please enter the recovery key for disk /dev/disk/by-partuuid/c7f7971b: (press TAB for no echo)

Again since I've my recovery key backed up, I'm able to boot, but it's getting very annoying to write the 40 words long recovery key everytime to turn on my laptop, shouldn't it save the recovery key when I first entered it after firmware upgrade? Is there anyway to save the key manually & fix this issue so i don't have to write the TPM recovery key on literary every boot?

Here's the image https://te.legra.ph/file/d7279dbe24979871cee2f.jpg

Best Answer

Finally found a solution! Thanks to jamesps on Ubuntu discourse

Apparently updating the kernel refreshes the TPM binding and hence fixes this issue.

So now you got two options

Either wait for the new kernel update
Force it by switching to a new kernel snap channel by doing:

sudo snap refresh pc-kernel --channel=23.10/beta

## REBOOT

sudo snap refresh pc-kernel --channel=23.10/stable

## REBOOT

Related Solutions

Ubuntu – Can’t boot Ubuntu 18.04.2 LTS or its LiveUSB after enrolling MOK

After a lot of searching, I found the following here:

The EUFI contains a database of registered trusted authorities. Users can add their own trusted authorities to this database in order to enable the loading of non-Microsoft operating systems.

This is where Trusted Platform Modules (TPMs) are used. TPMs can be used to store keys, or perform encryption/signing/verification routines. The TPM combined with the UEFI is what allows for the verification of the boot loader, and the loading of an operating system.

So it appears that proprietary Nvidia and AMD display drivers want to store their keys in the TPM.

TPM has two mode settings that are confusing - Active and Enabled. They mean different things. Active shows up as "TPM on" checkbox on my Dell Precision workstation. In this state, some functions of TPM are available. These include key storage and lookup. "Enabled" means that the TPM is fully functional; it can be used for things such as encrypting disks. This explains why TPM must be "on" or "active" for Ubuntu to boot (especially with proprietary display drivers) but it's not necessary to "enable" the TPM for Secure Boot.

With this understanding, I then used this article to remove old and unnecessary keys.

Boot – Ubuntu 23.10 Does Not Start After CHKDSK from Windows

Not sure if and how my activity on Windows could have raised the issue in Ubuntu, but I found the solution inspecting /var/log/syslog:

2024-02-02T15:39:46.874574+01:00 mark gdm3: Gdm: GdmSession: no session desktop files installed, aborting...

Hence I wild guessed a:

sudo apt install --reinstall ubuntu-session

and it fixed the issue.

Best Answer

Related Solutions

Ubuntu – Can’t boot Ubuntu 18.04.2 LTS or its LiveUSB after enrolling MOK

Boot – Ubuntu 23.10 Does Not Start After CHKDSK from Windows

Related Question