Public bug reported: The following bugs was addressed in the secboot project, which requires snapd to update the vendored revision on secboot:
- https://github.com/canonical/secboot/pull/535 Access to the HFSTS registers via the HECI is not possible on systems that use Intel's High Assurance Platform mode. This means that we can't check the BootGuard policy. However, the startup ACM mirrors some BootGuard policy settings to a MSR, so we can check this as a fallback in this case. - https://github.com/canonical/secboot/pull/534 Only check for the existence of an authorization policy for the lockout hierarchy if it has an authorization value. In this case, the presence of a policy is presented in the error message as additional information. We take ownerhip of the lockout hierarchy in tpm2.Connection.EnsureProvisioned, and for now, this function will clear any policy before the authorization value is set. A subsequent PR will set a more appropriate policy based on the requirement to be able to rotate the authorization value safely during reprovisioning ** Affects: snapd (Ubuntu) Importance: Undecided Assignee: Ernest Lotter (ernestl) Status: Fix Committed ** Affects: snapd (Ubuntu Resolute) Importance: Undecided Assignee: Ernest Lotter (ernestl) Status: Fix Committed ** Also affects: snapd (Ubuntu Resolute) Importance: Undecided Assignee: Ernest Lotter (ernestl) Status: Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2147645 Title: Snapd secboot update to fix TPM/FDE bugs for Resolute installer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2147645/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
