TPM-backed Full Disk Encryption is coming to Ubuntu
ubuntu.com> the bootloader (shim and GRUB) and kernel assets will be delivered as snap packages (via gadget and kernel snaps), as opposed to being delivered as Debian packages.
And there it is.
I suppose having your kernel command line signed by Canonical and unmodifiable by the system owner without a pain-in-the-ass manual 'machine owner key enrolment' process is very much on-brand for Snap.
Well shit, we were just joking the other day on mastodon about the kernel being distributed as a snap. I guess this is it, then.
I'm tired of computers being awful :(
Just don't use Ubuntu, there are plenty of fish in the sea :-)
Yeah, I completely switched to Arch after I got the ads in my apt-get commands. It's a bit more annoying and unstable, but overall a much better experience than Ubuntu.
I still have a few server instances on Ubuntu, but I'm moving them to straight Debian or arch when they need major upgrades.
Looks perfectly aligned with corporate and especially government IT practices. There the user is by far not the owner.
So if Ubuntu is pivoting hard into big corporate/govt
Who’s the new big community desktop distro?
No idea! Debian proper? Fedora? Nix? Arch?..
(I personally run a relatively niche distro, https://voidlinux.org/)
Void's great although definitely for the tinker crowd (like arch was), debian seems like the better community choice
Arch
The transition from Ubuntu to Debian is about as simple as it gets, since Ubuntu derives much of their base from Debian..
As someone said, "Ubuntu is Debian-based like milk is grass-based" :)
But certainly the bulk of the tools must be familiar.
Perhaps not exactly 'community distro', but Fedora is genuinely a joy to use.
Linux Mint of course
But even in those environments, Canonical isn't the owner.
Hard pass. I've slowly been dumping Ubuntu due to the force-snaps-down-your-throat strategy they have. Still irritated I have to jump through hoops to get Firefox without a snap.
Meanwhile my mom just asked me to switch her Dell to her favorite linux mint flavour and the key enrollment was literally 3 key presses plus the password away.
Oops, I tried to install the nvidia drivers, but it doesn't seem to have worked.
I got a weird screen during the process, pretty sure it was blue, and the default option was 'continue boot' which I selected, I think maybe it was the 'BIOS' ?
I couldn't google what to do while at that screen, or screenshot it either, for some reason.
I've tried uninstalling then reinstalling the drivers, but that hasn't made the mystery screen come up again, and hasn't fixed my problem.
I will now go and research a fix, but as a newbie I don't know keywords like 'mok enrolment' or 'mokutil' or 'dkms' or 'secure boot' or 'shim' because WTF do those even mean?
Go ahead and try searching, see how long it takes you to find the command you need to run when you don't know any of those terms, or even that the problem is secure boot related.
Meanwhile, the BIOS with its 'secure boot on/off' switch is available every single boot.
> the key enrollment was literally 3 key presses plus the password away
If you don't count the 8+ character password you have to enter three times, maybe.
Most laptops don't have nvidia cards. And none of those issues you're talking about occurred. She's been a happy linux mint user for more than 5 years. I was just trying to get her off her old ultramobile celeron laptop and she refused to use the new one until I ran the mint installer. For me the biggest challenge was figuring out whether to install the Mate or Cinnamon version.
It asked me for an 8 character password during install, rebooted, I entered "enroll existing key". I entered the password and then continued the install, that was it. Runs like a charm, boots like a charm.
She's over 70 and she absolutely loathes the random software that various windows things try to install, or the antivirus sneaks in with the next update and stuff like that.
She just browses the web, streams stuff and wants to make sure she can screencapture the streams she watches. Turns out for that use case Thunderbird is also quite good and to my surprise the google 2FA oauth phone login makes it really easy for her to log in to google. I still remember the times when I would have to reset her google password for her.
Not to dismiss your experience, but I think for a lot of basic users it works really well.
That's disappointing, but not surprising.
I'm in the process of moving away from Ubuntu, but this is a pretty cool feature. I've seen a tutorial here and there about how to manually set up LUKS with a TPM, but those have a downside of the TPM needing to be updated with every new kernel. I guess Ubuntu has found a way to integrate or work around that?
> but those have a downside of the TPM needing to be updated with every new kernel.
This depends on the configuration. If you don't bind the key to PCRs at key creation time, kernel updates don't affect the workflow and you will still take advantage of other TPM features such as locking the key after several unsuccessful attempts.
Take a look at the systemd configuration: https://www.freedesktop.org/software/systemd/man/systemd-cry...
I'm using it on my laptop and it works well.
IMHO the PCRs are way too much trouble and defend against attacks that are rare outside of extremely spooky circles. They were the biggest problem with Bitlocker too.
Yeah, I recently went down this path. It’s all doable but frankly I’m not a nation state target and getting locked out after a kernel update or similar would be far more annoying.
Instead I’m leaning toward separate boot and root disks, with a root/data disk encrypted with LUKS with a detached header. dm verity on a read only root with a separate data partition also seems simple/appealing. Of course, these all allow attacks full secure boot/tpm/etc avoid, but it’s a balance.
PCRs being problematic was actually one of the issues policy mechanism in TPM 2.0 was meant to resolve (see "Non-Brittle PCRs (New in 2.0)" in [0]).
Tldr version is that you'd authorize OS manufacturer's kernel signing key to use the TPM key so that each time your OS vendor signs the kernel it's OK for the TPM.
Sadly I don't think I've seen this deployed in the wild.
[0]: https://ebrary.net/24725/computer_science/quick_loading
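The "authorize the vendor's signing key instead of the PCR values" idea above is easier to see in code. The following is an added example, not from the thread, the linked book, or any TPM library: a pure-Python model of the TPM 2.0 policy-digest arithmetic for TPM2_PolicyPCR and TPM2_PolicyAuthorize (real command codes, simplified PCR-selection encoding). The vendor signature is an HMAC stand-in for the RSA/ECC signature a real TPM would verify with the vendor's loaded public key; `Vendor`, `demo` and the PCR contents are all constructed for the model.

```python
"""Model of TPM 2.0 policy authorization ("non-brittle PCRs").

Added example, not from the thread, the linked book, or any TPM library.
It reproduces the policy-digest arithmetic of two TPM 2.0 commands with
SHA-256 and simplified encodings:

  TPM2_PolicyPCR:       new = H(old || TPM_CC_PolicyPCR || pcrSelection || H(pcrValues))
  TPM2_PolicyAuthorize: new = H(H(0 || TPM_CC_PolicyAuthorize || keyName) || policyRef)

The vendor "signature" is an HMAC stand-in (assumption) for the RSA/ECC
signature a real TPM verifies with the vendor's loaded public key.
"""
import hashlib
import hmac
import os

TPM_CC_POLICYPCR = (0x0000017F).to_bytes(4, "big")
TPM_CC_POLICYAUTHORIZE = (0x0000016A).to_bytes(4, "big")
ZERO_DIGEST = b"\x00" * 32  # a fresh policy session starts from an all-zero digest


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def pcr_policy(pcr_values: dict) -> bytes:
    """Session digest after TPM2_PolicyPCR over the given {index: value} PCRs."""
    selection = bytes(sorted(pcr_values))  # simplified stand-in for TPML_PCR_SELECTION
    pcr_digest = h(*(pcr_values[i] for i in sorted(pcr_values)))
    return h(ZERO_DIGEST, TPM_CC_POLICYPCR, selection, pcr_digest)


def authorized_policy(key_name: bytes, policy_ref: bytes = b"") -> bytes:
    """Digest a sealed object is bound to when its policy is 'anything the vendor key signs'."""
    return h(h(ZERO_DIGEST, TPM_CC_POLICYAUTHORIZE, key_name), policy_ref)


class Vendor:
    """OS vendor: holds the signing key and ships a signed PCR policy with each kernel."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)  # stands in for the private signing key
        self.key_name = h(b"vendor-key", self._secret)  # the TPM 'name' of the public key

    def sign(self, approved_policy: bytes, policy_ref: bytes = b"") -> bytes:
        # Real TPM: signature over aHash = H(approvedPolicy || policyRef).
        return hmac.new(self._secret, h(approved_policy, policy_ref), "sha256").digest()

    def verify(self, approved_policy: bytes, policy_ref: bytes, sig: bytes) -> bool:
        # What the TPM does with the loaded public key (TPM2_VerifySignature).
        return hmac.compare_digest(self.sign(approved_policy, policy_ref), sig)


def unseal_direct(auth_policy: bytes, pcrs: dict) -> bool:
    """Object sealed straight to a PCR policy: any change in those PCRs fails."""
    return hmac.compare_digest(auth_policy, pcr_policy(pcrs))


def unseal_authorized(auth_policy: bytes, pcrs: dict, vendor: Vendor,
                      approved_policy: bytes, sig: bytes, policy_ref: bytes = b"") -> bool:
    """Object sealed to PolicyAuthorize(vendor key): the live PCRs must match a
    policy the vendor signed, but the vendor may sign a new one per kernel."""
    session = pcr_policy(pcrs)                        # TPM2_PolicyPCR with live PCRs
    if session != approved_policy:                    # not the policy the signature covers
        return False
    if not vendor.verify(approved_policy, policy_ref, sig):
        return False
    session = authorized_policy(vendor.key_name, policy_ref)  # TPM2_PolicyAuthorize
    return hmac.compare_digest(auth_policy, session)


def demo() -> tuple:
    """Seal under both schemes, then apply a kernel update that changes PCR 11.

    Returns (direct scheme still unseals, authorized scheme still unseals,
             authorized scheme with a bad signature unseals)."""
    vendor = Vendor()
    pcrs_v1 = {7: h(b"secure boot db"), 11: h(b"kernel 6.2")}
    pcrs_v2 = {7: h(b"secure boot db"), 11: h(b"kernel 6.5")}  # after the update
    direct_auth = pcr_policy(pcrs_v1)                     # brittle: bound to today's values
    authorized_auth = authorized_policy(vendor.key_name)  # bound to the vendor key only
    policy_v2 = pcr_policy(pcrs_v2)
    good_sig = vendor.sign(policy_v2)                     # shipped alongside kernel 6.5
    bad_sig = b"\x00" * 32
    return (
        unseal_direct(direct_auth, pcrs_v2),
        unseal_authorized(authorized_auth, pcrs_v2, vendor, policy_v2, good_sig),
        unseal_authorized(authorized_auth, pcrs_v2, vendor, policy_v2, bad_sig),
    )


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

`demo()` returns `(False, True, False)`: the directly PCR-sealed object stops unsealing after the update, the PolicyAuthorize-sealed object keeps working because the vendor signed the new PCR digest, and an unsigned (forged) policy is refused. The sealed object's `authPolicy` never changes in the second scheme; only the signed policy shipped with each kernel does, which is the "non-brittle" property.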
That's groovy baby, but can anyone give me the technicals on why we can't have Hibernate(not sleep) out of the box on Ubuntu like we can on Windows? That was one of the deal-breakers for me making the switch. If I understood it correctly, it's because of Z-RAM and if I'm also correct, full disk encryption is another roadblock in the path of the hibernate feature.
Windows these days prefers what they call modern standby and you probably don't want it.
I have a ThinkPad and this is what it's like:
Close the lid and stuff laptop into my backpack. I travel to work and when I pull my machine out of my bag, it has 12% battery left, is super hot, and the fan is screaming like the machine is trying to fly away. All because Microsoft thinks PCs should be more like iPhones.
>Windows these days prefers what they call modern standby and you probably don't want it.
Who cares what Windows prefers, when I'm the user and I prefer Hibernate which works out of the box and I use it precisely because it avoids the issues you mentioned. Why don't you use Hibernate? SSDs are fast enough that a wake from hibernate is not much slower than a wake from sleep.
On Ubuntu I don't even have this option because ... reasons.
Windows can wake itself from hibernate.
Killing all of the wake timers and editing specific keys in the registry will usually fix this, but it's messy and not something typical users are comfortable doing.
This. During lockdowns, I dusted off an old PC and set it up with windows for gaming. The computer was in front of my bed. One out of two nights, the thing would randomly wake out of hibernation, blasting the freaking blue bitlocker screen at me (password unlock, since that PC didn't have a tpm).
This PC was kept reasonably up to date, too (usually installed whatever update at the most a day or two after they came out, complete with the reboot), so not sure what it was hoping to do, exactly.
>One out of two nights, the thing would randomly wake out of hibernation
I'm sure you mistakenly used sleep instead of hibernate without knowing or remembering, to have that issue, or you had the issue where hibernate didn't work and reverted to sleep instead.
I also had that issue and discovered that the Linux dual-boot installation with Grub's changes to the MBR broke Window's capability to hibernate, so me hitting hibernate was actually triggering sleep instead.
Hibernate does not randomly wake up.
On Windows, hibernate is a sleep state.
https://learn.microsoft.com/en-us/windows-hardware/drivers/k...
Here’s an example of a Windows machine waking from hibernate and how it was fixed:
https://www.bleepingcomputer.com/forums/t/707115/windows-10-...
These kinds of problems are not uncommon and are not always due to users confusing the different sleep states.
Right, I have the same problem with my PC, guess I'll look for those hacks.
> Windows can wake itself from hibernate.
The USB bus and sound system are still the weak spots on a Windows computer in my experience; this website, reddit, youtube, or dailymail generally take them out.
Surprised that people used sleep and hibernate, considering TSRs were invented in the DOS days and the browser can do lots of fancy stuff.
There's even a reg setting to clear the page file on shutdown.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ ClearPageFileAtShutdown Dword32 1
>Windows can wake itself from hibernate.
You're confusing that with sleep. Windows can't wake itself from hibernate as the machine is fully powered off, not in some sleep state.
No, he's right. Windows can wake the computer from total shut down even (S5). It uses RTC alarms: https://en.wikipedia.org/wiki/Real-time_clock_alarm
"Can be set to wake up" doesn't mean "will wake up".
Modern versions wake up out of the box, you need to tinker with them to stop that.
What do you mean? Hibernate works out of the box. There nothing to "fix" in the registry for that to work.
He means Windows can set a timer to wake up after a while to run scheduled tasks. You might not have noticed those wake timers because they are few and it usually works as expected with windows hibernating back after a few minutes.
The difficulty of disabling wake timers has been exaggerated, though. It's in the advanced power settings, there's no need for the big scary registry.
https://www.tenforums.com/tutorials/63070-enable-disable-wak...
>He means Windows can set a timer to wake up after a while to run scheduled tasks.
Yes, it can set a timer to wake automatically from hibernate, but that doesn't mean it does that automatically without you setting those timers. I can understand there have been some bugs in the past but that's a non-issue today.
There are supposedly fixes for it to stay hibernating.
The issue isn't that it doesn't go to sleep. It's that it doesn't stay asleep.
In hibernate the laptop stays powered off and nothing is running, you can even pull the power cord. It can't wake up from that. It will only wake up when you power it back on, not by itself. The wake up issues are for sleep mode, not hibernate where the CPU is completely off and unpowered.
That very much depends on your definition of "works".
Does the machine go through the steps to save memory to disk and enter a low power state? Yes.
But then windows can and does decide to wake itself up at any time, resulting in physical damage to the machine if it's stored in a closed bag. Discharging the battery and heating up the entire machine dramatically reduces your battery's lifetime. You cannot disable this behavior without going into the registry.
So yes, it 'works', with the caveat that the machine may wake itself at any time, burn through the entire battery and possibly do irreparable damage to your machine.
>So yes, it 'works', with the caveat that the machine may wake itself at any time, burn through the entire battery and possibly do irreparable damage to your machine.
You haven't read my comment fully or are confusing hibernate with sleep. I was talking about hibernate which 100% works, not sleep. Hibernate can't wake up your laptop as your machine is completely powered off.
> Hibernate can't wake up your laptop as your machine is completely powered off.
That is quite simply not true.
I have had windows wake itself up after I clicked the “hibernate” button in the start menu. It’s pretty infuriating.
Is that the case anymore with a battery and Intel ME? I don’t believe it is.
After hibernate Windows thinks I have a laptop keyboard. If num lock is turned on then yuihjkbnm keys turn into a numpad. A restart or replugging the keyboard fixes it. Still annoying though.
Windows also likes waking itself up for various reasons, but I don't remember if that was hibernate or sleep. Turning off everything except the power button wake up fixed it though.
But I do agree - I would like a working hibernate in any OS I use. The next best thing is never turning it off though.
On Ubuntu you do have this option, you just have to set it up yourself. They don't prioritize support for it because "people who want to hibernate a laptop" is a rounding error in their customer population statistics.
>On Ubuntu you do have this option, you just have to set it up yourself.
Which means it's not available. Technically my car can also go diving underwater, you just have to set it up yourself for that.
I expect stuff on my OS to work out of the box, not require hours of dangerous tinkering with the risk of breaking it, to get something basic to work.
>They don't prioritize support for it because "people who want to hibernate a laptop" is a rounding error in their customer population statistics.
I mean, it's a feature that I absolutely use on Windows regularly, which means it matters a lot to me, the userbase of 1, to have it on Linux as well. I don't really care what the opinionated Ubuntu dev team thinks about the way I'm supposed to use my own computer.
Sounds like Ubuntu is not for you, then. For different reasons, it's not for me either. Good thing you've got Windows.
It might be broken on your laptop, but it does not seem to be broken in general.
So hibernate is somewhat unreliable and prone to data loss (imagine you hibernate after having installed a new kernel), so the decision was made to disable it due to that IIRC, independent of secure boot.
With secure boot and lockdown, hibernate is no longer possible for another reason: we need to ensure that the kernel memory has not been tampered with. If you hibernate, you could then go and modify the memory in the swap and bypass the lockdown security guarantees.
To address that you'd need to authenticate the swap using the TPM somehow, but I don't know enough about TPMs to know if that's feasible. Usually people would seal some crypto key against the TPM but here it's somewhat the opposite way around.
From my (shallow) understanding you can encrypt the swap using dm-crypt/LUKS as well and unlock using TPM. It's supported using systemd-cryptenroll on Arch.
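The two TPM choices discussed in this subthread (whether the LUKS key is bound to PCRs, as in the earlier systemd-cryptenroll comment, and whether swap is a persistent LUKS volume that a hibernation image can be resumed from) are both visible in `/etc/crypttab`. The following is an added example, not from the thread or from systemd: a small auditor that parses a constructed crypttab and reports, per volume, what the real systemd-cryptsetup options `tpm2-device=`, `tpm2-pcrs=`, `tpm2-pin=`, `tpm2-signature=` and `swap` imply. The device UUIDs and volume names are made up.

```python
"""Audit an /etc/crypttab for the TPM/PCR and swap choices discussed above.

Added example, not from the thread or from systemd. The crypttab options it
looks at are the real systemd-cryptsetup ones (tpm2-device=, tpm2-pcrs=,
tpm2-pin=, tpm2-signature=, swap); the sample file below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_CRYPTTAB = """\
# constructed sample, not from any real machine
# <name>    <device>                                    <key>         <options>
cryptroot   UUID=11111111-cons-truc-ted0-000000000001   none          luks,discard,tpm2-device=auto,tpm2-pcrs=0+7
cryptswap   UUID=11111111-cons-truc-ted0-000000000002   none          luks,tpm2-device=auto,tpm2-pcrs=,tpm2-pin=true
scratch     /dev/disk/by-partlabel/scratch              /dev/urandom  swap,cipher=aes-xts-plain64,size=256
cryptdata   UUID=11111111-cons-truc-ted0-000000000003   none          luks
"""


@dataclass
class Entry:
    name: str
    device: str
    keyfile: str
    options: Dict[str, Optional[str]]


def parse_crypttab(text: str) -> List[Entry]:
    """Parse crypttab lines: name, device, key file, comma-separated options."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        keyfile = fields[2] if len(fields) > 2 else "none"
        options: Dict[str, Optional[str]] = {}
        for opt in (fields[3].split(",") if len(fields) > 3 else []):
            if opt:
                key, sep, value = opt.partition("=")
                options[key] = value if sep else None  # 'luks' -> None, 'tpm2-pcrs=' -> ''
        entries.append(Entry(fields[0], fields[1], keyfile, options))
    return entries


def audit(entry: Entry) -> List[str]:
    """Findings for one volume, from the hibernate/TPM angle."""
    o = entry.options
    if "swap" in o:
        return ["random-key swap: re-formatted every boot, so a hibernation image "
                "written there can never be resumed"]
    if "tpm2-device" not in o:
        return ["no TPM unlock: passphrase or keyfile only"]
    findings: List[str] = []
    pcrs = o.get("tpm2-pcrs")
    if pcrs is None:
        findings.append("PCR binding as enrolled (systemd-cryptenroll defaults to PCR 7)")
    elif pcrs == "":
        findings.append("no PCR binding: kernel or firmware updates do not invalidate the TPM key")
    elif "tpm2-signature" in o:
        findings.append(f"PCRs {pcrs} via signed policy: a new measurement needs a new "
                        "signature, not re-enrollment")
    else:
        findings.append(f"bound to PCRs {pcrs}: anything measured differently into them "
                        "drops you to the recovery passphrase")
    if o.get("tpm2-pin") not in ("true", "yes", "1", "on"):
        findings.append("no PIN: the enrolled boot state alone unlocks; tpm2-pin=true adds "
                        "a secret the TPM's dictionary-attack lockout rate-limits")
    return findings


def audit_crypttab(text: str) -> Dict[str, List[str]]:
    return {e.name: audit(e) for e in parse_crypttab(text)}


if __name__ == "__main__":
    for name, findings in audit_crypttab(SAMPLE_CRYPTTAB).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against the sample, `cryptroot` is flagged as PCR-bound (0+7) with no PIN, `cryptswap` as TPM-unlocked without PCR binding (the configuration the earlier comment recommends, and one that resume-from-hibernate can use because its key is persistent), `scratch` as random-key swap that can never hold a resumable image, and `cryptdata` as passphrase-only.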
Thanks for the explanation. That kind of sucks though. I was spoiled by how good hibernate works on Windows and assumed any modern desktop OS should come with this feature if it wishes to "cut the king". I guess it's another nail in the "switching to Linux" coffin.
There's also the issue of hibernating a 32Gb image to a 512Gb ssd several times a day. That can't be good for longevity.
>hibernating a 32Gb image to a 512Gb ssd several times a day
1) It's 16GB image to 1TB SSD for me, but who needs to hibernate several times a day? I only use it when I take my laptop out of the house on long journeys which is a couple of times a month at most.
2) It's my SSD, I paid for it, and I should be allowed to use it how I please, even like in your example of hibernating it several times a day if I wish. Why should the OS dev stop me from doing this? It's my HW, not theirs.
I would understand this angle if the OS developer (Canonical) was also responsible for the longevity and the warranty of the HW I bought from them, the way Apple and sometimes Microsoft is, but since for Canonical this is not the case since they don't sell laptops, why should they limit me like that? You can show a disclaimer telling the user that hibernate will degrade the SSD if that's a big legal issue for them.
Heck, even Microsoft lets you enable hibernate with just 3 clicks.
I have hibernate after following this:
https://ubuntuhandbook.org/index.php/2021/08/enable-hibernat...
But I don't have full disk encryption so I don't know how it works with it.
I tried that and it didn't work on my work ThinkPad (also those steps are dangerous it could brick your system if you so much as make a single mistake).
But that doesn't answer my question of why something as basic as Hibernate (copy RAM contents to HDD on power-OFF, then reverse on power-ON) isn't something that works out of the box on Linux distros, and instead requires 2h of tutorial reading and dangerous low-level tinkering for it to (maybe) work or brick your system if you mess it up.
It worked out of the box on my Arch install. I'm running a LUKS volume which holds an LVM with the ext4 fs for the system and the swap.
I'm also running TPM + PIN / FIDO2 unlocking.
Didn't need to fiddle with anything. The most part of this install was going through the manual process of creating filesystems and whatnot.
Bonus points compared to Windows for actually staying asleep instead of randomly waking up while in my bag.
>It worked out of the box on my Arch install.
Ubuntu isn't Arch I think. Average Joe switching away from Windows isn't gonna start learning Arch.
>Bonus points compared to Windows for actually staying asleep instead of randomly waking up while in my bag.
That doesn't happen under hibernate. You used sleep thinking it was hibernate, that's why you had that issue.
> That doesn't happen under hibernate. You used sleep thinking it was hibernate, that's why you had that issue.
I mean, while asleep, the PC blinks its annoying light every second. While hibernating, it doesn't. I'm pretty sure there were no blinky lights, they would have prevented me from falling asleep. It's why I went out of my way to enable hibernating.
Also, see the other posts around the thread. There are absolutely ways to wake up a PC from hibernation. Even from full shutdown.
The Linux kernel disables hibernation when secure boot is enabled for security reasons (it enables lockdown mode). I don't think it's especially an Ubuntu/distro problem. When secure boot is disabled, I think hibernation is supposed to work fine.
It works fine with secure boot enabled on my arch install.
But I do use a unified image which the UEFI boots directly (EFISTUB, no grub or anything). I don't know if that makes a difference.
>But I do use a unified image which the UEFI boots directly (EFISTUB, no grub or anything).
Do you have any links on this kind of image? Or did you build it yourself?
Apparently systemd supports building it now somehow (search for UKI, unified kernel image), but I'm too lazy to switch, since my current setup works great. But sooner or later I may be forced to, since my solution is apparently no longer maintained.
I've followed this: https://wiki.archlinux.org/title/Unified_Extensible_Firmware...
Basically, my distro will install the kernel, initrd and cpu microcode normally to /boot. But at the end of it, there's a hook being triggered, that calls sbupdate, which stitches together the kernel, command line, initrd, and cpu microcode, signs it and dumps it in the /EFI partition as a single file. /boot is not a separate partition on my system, it lives inside the encrypted /. I also told my UEFI about this specific image using efibootmgr. This allows me to register the image as a bootable OS and use the UEFI's boot manager to choose between Linux and Windows on startup.
If you browse around that Arch Wiki page, they also tell you how to sign your own boot images. I've installed my own keys in the UEFI, since Arch's kernel isn't signed by anybody.
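The single file described above is a PE/COFF image whose payloads live in named sections (`.linux`, `.initrd`, `.cmdline`, `.osrel` are the names the systemd UKI layout uses), which is why the kernel command line ends up covered by the Secure Boot signature. The following is an added example, not from the thread, sbupdate or the Arch wiki: a PE section-table walker that lists a UKI's sections and extracts the embedded command line, so you can check what a signed image will actually boot with. `build_toy_uki` only lays out the same headers to produce a constructed, non-bootable test input; real images come from ukify or objcopy, and `pe_sections` reads those the same way.

```python
"""Inspect the sections of a unified kernel image (UKI).

Added example, not from the thread or from the Arch wiki. A UKI is a PE/COFF
file whose payloads sit in named sections (.linux, .initrd, .cmdline, .osrel
are the names the systemd UKI layout uses), so a PE section-table walk shows
exactly which kernel command line the signature covers. The toy image built
below is constructed here; build_toy_uki is not how real tools (ukify,
objcopy) build one, it only lays out the same headers.
"""
import struct
from typing import Dict

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def pe_sections(image: bytes) -> Dict[str, bytes]:
    """Return {section name: raw bytes} for a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    n_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                               # after COFF + optional header
    out: Dict[str, bytes] = {}
    for i in range(n_sections):
        name, vsize, _va, rawsize, rawptr, *_rest = struct.unpack_from(
            SECTION_HDR, image, table + 40 * i)
        size = vsize if vsize else rawsize  # file data may be padded past VirtualSize
        if rawptr + size > len(image):
            raise ValueError(f"section {name!r} points outside the image")
        out[name.rstrip(b"\0").decode("ascii")] = image[rawptr:rawptr + size]
    return out


def uki_cmdline(image: bytes) -> str:
    """The kernel command line baked (and signed) into the UKI."""
    return pe_sections(image)[".cmdline"].rstrip(b"\0").decode()


def build_toy_uki(sections: Dict[str, bytes]) -> bytes:
    """Lay out a minimal PE with the given sections (constructed test input only;
    no optional header, so SizeOfOptionalHeader is 0 and the file is not bootable)."""
    pe_off = 0x40
    table_off = pe_off + 4 + 20
    data_ptr = table_off + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x0002)
    table, payload = b"", b""
    for name, blob in sections.items():
        table += struct.pack(SECTION_HDR, name.encode("ascii"), len(blob), 0, len(blob),
                             data_ptr, 0, 0, 0, 0, 0x40000040)
        payload += blob
        data_ptr += len(blob)
    return dos + b"PE\0\0" + coff + table + payload


# Constructed sample: a made-up root UUID and placeholder kernel/initrd bytes.
SAMPLE_CMDLINE = "root=UUID=11111111-cons-truc-ted0-000000000001 rw lockdown=integrity quiet"
SAMPLE_UKI = build_toy_uki({
    ".osrel": b'NAME="Constructed Linux"\nID=constructed\n',
    ".cmdline": SAMPLE_CMDLINE.encode() + b"\0",
    ".linux": b"\x7fELF<placeholder kernel bytes>",
    ".initrd": b"<placeholder initrd bytes>",
})

if __name__ == "__main__":
    for name, data in pe_sections(SAMPLE_UKI).items():
        print(f"{name:10s} {len(data):6d} bytes")
    print("cmdline:", uki_cmdline(SAMPLE_UKI))
```

Pointing `pe_sections` at a real `linux.efi` from the ESP (read the file in binary mode) gives the same listing, and `uki_cmdline` is the quick way to confirm that the command line in the signed image is the one you intended before enrolling keys or re-signing.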
This sounds like TPM and passphrase (as opposed to TPM or passphrase) which seems like a recipe for eating your data.
Although I use Xubuntu on an old laptop, I'm hoping this is an option rather than a "suck it up!" change.
I'd rather just enter a password...
Only 11 years behind Windows 8 making BitLocker w/ Secure Boot easily accessible to the masses. Presumably not supporting TPM 1.2, which is why my oldest hardware runs Linux under Hyper-V instead of bare metal.
What's the status for ZFS with a TPM and how will this affect it (competitively?)