Given the fact this 1) Bothers so many people, 2) Seems to be a bit down on Canonical's priority list, 3) Has no official workaround and 4) The relevant Discourse thread is closed, I'm posting a possible workaround here in case it's useful to someone:

WARNING: This is a rough outline. I had to do it in a hurry and am writing it down from memory. YMMV. Be prepared to lose all your data. A reinstall is probably the better approach – I just couldn't be bothered.

This workaround (hopefully) restores a purely deb-based Ubuntu kernel with TPM2/FDE support and automatic unlocking. After conversion you can install kernel modules, sound firmware and the other things you need to carry on with your life.

A typical disk layout if you installed Ubuntu with FDE and TPM2 on an NVMe drive looks like:

/dev/nvme0n1p1: /boot/efi
/dev/nvme0n1p2: /boot
/dev/nvme0n1p3: unlocked/mapped to ubuntu-save (to do with snapd I think)
/dev/nvme0n1p4: unlocked/mapped to ubuntu-data (your root partition)

p1 and p2 are unencrypted, whilst p3 and p4 are LUKS encrypted.

- First, get the recovery keys:
    snap recovery --show-keys
- Get snap2luks.py from GitHub:
    https://github.com/jps-help/python-snap2luks/blob/main/snap2luks.py
- Run snap2luks.py and store key.out somewhere.
- Set a passphrase for the ubuntu-data partition:
    cryptsetup luksAddKey /dev/nvme0n1p4 --key-file=/path/to/key.out
- Reboot, disable Secure Boot and boot from a live USB. You need Internet access, so configure the network...
- Unlock the filesystem:
    cryptsetup luksOpen /dev/nvme0n1p4 luksroot
- Mount the root filesystem somewhere:
    mount /dev/mapper/luksroot /mnt
- Mount --bind dev, sys, proc, run into /mnt/dev, /mnt/sys etc.
- Mount /mnt/boot
- Destroy your EFI partition:
    mkfs.vfat -F32 /dev/nvme0n1p1
- Mount the EFI partition on /mnt/boot/efi
- chroot /mnt
- Remove boot-managed-by-snapd:
    dpkg -P --force-all boot-managed-by-snapd
- Remove snapd:
    apt purge snapd
- rm -rf /snap /var/lib/snapd /var/cache/snapd

I know this is somewhat crude, but the problem is pc-kernel can't be uninstalled just like that due to the model dependency. I didn't have the patience for a surgical removal so took the viking approach and gutted it.

You should probably run 'snap list' and store the output somewhere so you can reinstall later if you run anything from snap. Who knows, maybe you should back something up as well.

- Install snapd and run snap list to ensure pc-kernel isn't listed. Reinstall the packages you want (or wait until you're booted up again).
- Install the grub, kernel and clevis packages:
    apt install grub-efi grub-efi-amd64 grub-efi-amd64-signed shim-signed linux-image-generic linux-headers-generic clevis clevis-initramfs clevis-luks clevis-tpm2
- Install grub:
    grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ubuntu
- Update /etc/fstab to add entries for /boot and /boot/efi

For reasons currently unfathomable to me, TPM2 support has been actively removed from Ubuntu's systemd-cryptenroll for "security reasons". Hence we'll resort to Clevis for unlocking for now:

- Create /etc/crypttab and add a line (get the UUID from ls /dev/disk/by-uuid):
    luksroot UUID=youruuid luks,clevis,discard
- clevis luks bind -d /dev/nvme0n1p4 tpm2 '{"pcr_ids":"0,2,7"}'
- Update initramfs:
    update-initramfs -k all -u
- Update grub:
    update-grub

Reboot and enable Secure Boot. Depending on your UEFI you might have to fiddle around with keys, but it should normally boot up despite whining about something having changed. Then on the next reboot it'll usually be fine. YMMV.

From here you should be able to install firmware-sof-signed, VirtualBox kernel modules, NVIDIA drivers, run fwupd, and so on until the official snap based FDE/TPM2 approach is out of alpha.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/2092363

Title:
  Missing (but referenced) SOF firmware in pc-kernel – No Audio

Status in canonical-kernel-snaps:
  Confirmed
Status in pc-kernel-snap:
  Invalid
Status in apt package in Ubuntu:
  Invalid
Status in boot-managed-by-snapd package in Ubuntu:
  Invalid
Status in firmware-sof package in Ubuntu:
  Confirmed
Status in linux package in Ubuntu:
  Invalid

Bug description:
  I am encountering an issue with the pc-kernel snap on my HP EliteBook 840 G11 laptop running Ubuntu 24.04.1 LTS with the new TPM+FDE feature. Despite testing multiple kernel channels, the system fails to detect any audio devices. However, when booting into a live session of Ubuntu 24.04.1 LTS, audio functions as expected. This suggests the issue may be related to the pc-kernel snap.

  Right now I'm on channel 24/stable (version: 6.8.0-50.51), but I have tried 24-hwe/stable and 24.10/stable as well.

  For reference, I have first tried to seek help in the support section over at Ubuntu Discourse, and I was encouraged to file a bug report here against the linux package on Discourse:
  https://discourse.ubuntu.com/t/no-audio-device-detected-on-hp-elitebook-840-14-g11-running-ubuntu-24-04/51498/7

  Details:

  OS: Ubuntu 24.04.1 LTS
  Setup: TPM-backed Full Disk Encryption (FDE) using pc-kernel snap
  Kernel Channels Tried: 24-hwe/stable, 24/stable, 24.10/stable
  Issue: aplay -l reports "no sound card found"; only "Dummy output" is listed in Audio settings.
  Observation: Audio works correctly in a live session of Ubuntu 24.04.1 LTS.

  Listing audio devices:

  $ aplay -l
  aplay: device_list:277: no soundcards found...

  Relevant lspci Output:

  00:1f.3 Multimedia audio controller [0401]: Intel Corporation Meteor Lake-P HD Audio Controller [8086:7e28] (rev 20)
      Subsystem: Hewlett-Packard Company Meteor Lake-P HD Audio Controller [103c:8c26]
      Kernel driver in use: sof-audio-pci-intel-mtl
      Kernel modules: snd_hda_intel, snd_sof_pci_intel_mtl

  Additional Notes:

  Could the issue be related to missing kernel drivers or modules, such as firmware-sof-signed?
  Reference: https://packages.ubuntu.com/noble/firmware-sof-signed

  Please let me know if additional details, logs, or steps are required.

  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: linux-image-6.8.0-50-generic (not installed)
  ProcVersionSignature: Ubuntu 6.8.0-50.51-generic 6.8.12
  Uname: Linux 6.8.0-50-generic x86_64
  ApportVersion: 2.28.1-0ubuntu3.3
  Architecture: amd64
  AudioDevicesInUse:
   USER PID ACCESS COMMAND
   /dev/snd/seq: kihen 3216 F.... pipewire
  CRDA: N/A
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Sun Dec 22 20:09:17 2024
  MachineType: HP HP EliteBook 840 14 inch G11 Notebook PC
  ProcEnviron:
   LANG=en_US.UTF-8
   PATH=(custom, no user)
   SHELL=/bin/bash
   TERM=xterm-256color
   XDG_RUNTIME_DIR=<set>
  ProcFB:
   0 simpledrmdrmfb
   1 i915drmfb
  ProcKernelCmdLine: snapd_recovery_mode=run console=ttyS0,115200n8 console=tty1 panic=-1 quiet splash
  PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
  RelatedPackageVersions:
   linux-restricted-modules-6.8.0-50-generic N/A
   linux-backports-modules-6.8.0-50-generic N/A
   linux-firmware N/A
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  WifiSyslog:
  dmi.bios.date: 06/20/2024
  dmi.bios.release: 2.6
  dmi.bios.vendor: HP
  dmi.bios.version: W70 Ver. 01.02.06
  dmi.board.name: 8C26
  dmi.board.vendor: HP
  dmi.board.version: KBC Version 02.43.50
  dmi.chassis.type: 10
  dmi.chassis.vendor: HP
  dmi.ec.firmware.release: 2.67
  dmi.modalias: dmi:bvnHP:bvrW70Ver.01.02.06:bd06/20/2024:br2.6:efr2.67:svnHP:pnHPEliteBook84014inchG11NotebookPC:pvrSBKPF:rvnHP:rn8C26:rvrKBCVersion02.43.50:cvnHP:ct10:cvr:sku8M4W7AV:
  dmi.product.family: 103C_5336AN HP EliteBook
  dmi.product.name: HP EliteBook 840 14 inch G11 Notebook PC
  dmi.product.sku: 8M4W7AV
  dmi.product.version: SBKPF
  dmi.sys.vendor: HP
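
A check for the `clevis luks bind ... '{"pcr_ids":"0,2,7"}'` step in the workaround above, as an added example that is not part of the original message or of Clevis itself: it reads the text printed by `clevis luks list -d DEV` and reports which PCRs each tpm2 binding is sealed to. The function names, verdict labels and sample lines are assumptions made for this example, and it handles only the string form of `pcr_ids` used in the message.

```shell
#!/usr/bin/env bash
# Added example: audit which PCRs each Clevis tpm2 binding is sealed to.
# Input is the text printed by `clevis luks list -d DEV`, one binding per line:
#   SLOT: PIN 'JSON-CONFIG'

# Constructed sample output (not taken from a real machine).
sample_clevis_list() {
    cat <<'EOF'
1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,2,7"}'
2: tpm2 '{"hash":"sha256","key":"ecc"}'
3: tang '{"url":"http://tang.example"}'
4: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"0,2"}'
EOF
}

# Reads `clevis luks list` output on stdin; prints "SLOT PCRS VERDICT" for
# every tpm2 binding and skips other pins. Verdict labels (hypothetical):
#   OK             policy includes PCR 7 (Secure Boot state)
#   NO_PCR7        sealed to PCRs, but not to the Secure Boot state
#   NO_PCR_POLICY  no pcr_ids at all: the key is not tied to any boot state
audit_clevis_bindings() {
    local line slot pin pcrs verdict
    while IFS= read -r line; do
        slot=${line%%:*}                      # text before the first colon
        pin=${line#*: }; pin=${pin%% *}       # second field: the pin name
        [ "$pin" = "tpm2" ] || continue
        # Extract the comma-separated PCR list, if the config has one.
        pcrs=$(printf '%s\n' "$line" | sed -n 's/.*"pcr_ids":"\([0-9,]*\)".*/\1/p')
        if [ -z "$pcrs" ]; then
            verdict=NO_PCR_POLICY
        elif printf ',%s,' "$pcrs" | grep -q ',7,'; then
            verdict=OK
        else
            verdict=NO_PCR7
        fi
        printf '%s %s %s\n' "$slot" "${pcrs:-none}" "$verdict"
    done
}

# Live use (as root): clevis luks list -d /dev/nvme0n1p4 | audit_clevis_bindings
sample_clevis_list | audit_clevis_bindings
```

Clevis seals against the PCR values present when `clevis luks bind` runs, so a binding that includes PCR 7 and was created while Secure Boot was disabled reflects that state rather than the Secure Boot-enabled one.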