> 1. The dbx update causes breakage to TPM measured boot on this
> particular firmware.

The dbx update causes the measurements in PCR 7 to change, yes. This is not 
breakage; it is required and expected.
BitLocker asking for a recovery key in this scenario is normal behavior. 
Entering the recovery key once should resolve that issue.
The reason your clearing the dbx "resolves" this is that it resets to the 
outdated, insecure configuration the BitLocker key was sealed against.

> 2. Shim considers failure in TPM measured boot to be fatal and refuses
> to boot at all (as opposed to Windows, which will still at least boot even
> if it will have to ask for a recovery key later on).

What shim considers fatal here is the failure to write required UEFI variables 
to the system's variable store. These are used by shim to communicate important 
information to the kernel, hence this failure has to be fatal.
This stems from the firmware's failure to perform UEFI variable garbage 
collection, leading to the variable store filling up and shim not being able to 
install the required variables.
If the vendor in question has provided newer firmware updates, try applying 
them; otherwise there is little we can do here.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2061551

Title:
  Merely booting Ubuntu 24.04 beta live CD breaks BitLocker & booting
  anything using Shim

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/2061551/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
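To see why a dbx update moves PCR 7 (and so why a BitLocker key sealed against the old value stops unsealing), the TPM event log can be replayed and the per-variable digests of two logs compared. The following is an added example, not code from the reply above or from shim/Ubuntu: it parses the TCG PC Client crypto-agile log format, replays the SHA-256 bank of PCR 7, and diffs the Secure Boot variable measurements. The sample log is constructed inline; on a Linux host the same parser can be pointed at /sys/kernel/security/tpm0/binary_bios_measurements.

```python
import hashlib, struct, uuid
EV_EFI_VARIABLE_DRIVER_CONFIG = 0x80000001
DIGEST_SIZES = {0x0004: 20, 0x000B: 32, 0x000C: 48, 0x000D: 64}  # TPM_ALG_SHA1 / SHA256 / SHA384 / SHA512
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

def uefi_variable_data(guid, name, data):
    # TCG UEFI_VARIABLE_DATA: GUID, name length (chars), data length, UTF-16LE name, variable contents
    return guid.bytes_le + struct.pack("<QQ", len(name), len(data)) + name.encode("utf-16-le") + data
def variable_name(data):
    name_len, = struct.unpack_from("<Q", data, 16)
    return data[32:32 + 2 * name_len].decode("utf-16-le")
def event(pcr, etype, data):
    # One TCG_PCR_EVENT2 record with a single SHA-256 digest of the event data
    return struct.pack("<IIIH", pcr, etype, 1, 0x000B) + hashlib.sha256(data).digest() + struct.pack("<I", len(data)) + data

def parse_events(log):
    """Yield (pcr, type, sha256, data) for each TCG_PCR_EVENT2 record; the legacy SHA-1 header event is skipped."""
    _, _, size = struct.unpack_from("<II20xI", log, 0)
    off = 32 + size
    while off < len(log):
        pcr, etype, count = struct.unpack_from("<III", log, off)
        off, sha256 = off + 12, None
        for _ in range(count):
            alg, = struct.unpack_from("<H", log, off)
            if alg == 0x000B:
                sha256 = log[off + 2:off + 34]
            off += 2 + DIGEST_SIZES[alg]
        size, = struct.unpack_from("<I", log, off)
        yield pcr, etype, sha256, log[off + 4:off + 4 + size]
        off += 4 + size

def replay_pcr(log, index):
    """Replay one PCR's SHA-256 bank: PCR = SHA256(PCR || digest) for every event extended into it."""
    pcr = bytes(32)
    for p, _, digest, _ in parse_events(log):
        if p == index:
            pcr = hashlib.sha256(pcr + digest).digest()
    return pcr

def pcr7_variable_digests(log):
    """Map each Secure Boot variable measured into PCR 7 to its digest; diff two logs to see which one moved."""
    return {variable_name(d): g for p, t, g, d in parse_events(log) if p == 7 and t == EV_EFI_VARIABLE_DRIVER_CONFIG}

def build_sample_log(dbx):
    """Constructed sample log: the Secure Boot variables a firmware measures into PCR 7 before the bootloader runs."""
    header = struct.pack("<II20xI", 0, 3, 16) + b"Spec ID Event03\x00"  # legacy-format header; body truncated for the sample
    g, s = EFI_GLOBAL_VARIABLE, EFI_IMAGE_SECURITY_DATABASE
    measured = [(g, "SecureBoot", b"\x01"), (g, "PK", b"sample PK"), (g, "KEK", b"sample KEK"), (s, "db", b"sample db"), (s, "dbx", dbx)]
    return header + b"".join(event(7, EV_EFI_VARIABLE_DRIVER_CONFIG, uefi_variable_data(g, n, v)) for g, n, v in measured)
```

Replaying two logs that differ only in dbx contents yields two different PCR 7 values, and the digest diff names dbx as the only measurement that changed; the sealed BitLocker key is bound to the old value, hence the one-time recovery prompt.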
