[Bug 2065229] Re: Upgrades to 24.04 LTS should be temporarily prevented for TPM FDE systems
Nick Rosbrook
2065229 at bugs.launchpad.net
Fri May 17 10:00:26 UTC 2024
I have verified using the upgrader tarball for noble-proposed.
To create a VM with Ubuntu Desktop TPM FDE, I did the following:
$ lxc storage volume import default ~/downloads/ubuntu-23.10.1-desktop-amd64.iso 23.10-desktop --type=iso
$ lxc init --empty --vm lxd-mantic-fde -c limits.memory=6GiB -c limits.cpu=4 -d root,size=32GiB
$ lxc config device add lxd-mantic-fde iso-volume disk pool=default source=23.10-desktop boot.priority=10
$ lxc config device add lxd-mantic-fde tpm tpm
$ lxc start --console=vga lxd-mantic-fde
I went through the installer, and selected TPM FDE from advanced
features. Then, after the installation, I ran the following in the VM:
ubuntu at ubuntu:~$ wget http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
--2024-05-17 11:02:12-- http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
Resolving archive.ubuntu.com (archive.ubuntu.com)... 185.125.190.39, 91.189.91.82, 185.125.190.36, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|185.125.190.39|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1274850 (1.2M) [application/x-gzip]
Saving to: ‘noble.tar.gz’
noble.tar.gz 100%[===================>] 1.21M 542KB/s in 2.3s
2024-05-17 11:02:14 (542 KB/s) - ‘noble.tar.gz’ saved [1274850/1274850]
ubuntu at ubuntu:~$ tar xf noble.tar.gz
ubuntu at ubuntu:~$ sudo ./noble --frontend DistUpgradeViewText
Reading cache
Checking package manager
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Hit http://security.ubuntu.com/ubuntu mantic-security InRelease
Hit http://nl.archive.ubuntu.com/ubuntu mantic InRelease
Hit http://nl.archive.ubuntu.com/ubuntu mantic-updates InRelease
Hit http://nl.archive.ubuntu.com/ubuntu mantic-backports InRelease
Fetched 0 B in 0s (0 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Sorry, cannot upgrade this system to 24.04 LTS
Upgrades for desktop systems running TPM FDE are not currently
supported. Please see https://launchpad.net/bugs/2065229 for more
information.
Restoring original system state
Aborting
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
So, the upgrade was blocked as expected.
I also tested in a container to make sure that upgrades were not
prevented there:
nr at six:~$ lxc launch ubuntu-daily:mantic mantic
Creating mantic
Starting mantic
nr at six:~$ lxc exec mantic bash
root at mantic:~# wget http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
--2024-05-17 09:11:47-- http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.91.83, 91.189.91.81, 185.125.190.39, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.83|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1274850 (1.2M) [application/x-gzip]
Saving to: ‘noble.tar.gz’
noble.tar.gz 100%[================================================>] 1.21M 130KB/s in 9.6s
2024-05-17 09:11:58 (130 KB/s) - ‘noble.tar.gz’ saved [1274850/1274850]
root at mantic:~# tar xf noble.tar.gz
root at mantic:~# ./noble
[ ... ]
Checking package manager
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating the changes
Calculating the changes
Do you want to start the upgrade?
2 installed packages are no longer supported by Canonical. You can
still get support from the community.
44 packages are going to be removed. 64 new packages are going to be
installed. 492 packages are going to be upgraded.
You have to download a total of 194 M. This download will take about
38 seconds with a 40Mbit connection and about 5 minutes with a 5Mbit
connection.
Fetching and installing the upgrade can take several hours. Once the
download has finished, the process cannot be canceled.
Continue [yN] Details [d]
Hence, I was allowed to complete the upgrade. Finally, I tried an
upgrade from a normal (non-TPM FDE) VM:
nr at six:~$ lxc launch images:ubuntu/23.10/desktop ubuntu --vm -c limits.cpu=4 -c limits.memory=4GiB --console=vga
[...]
ubuntu at ubuntu:~$ wget http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
--2024-05-17 09:54:09-- http://archive.ubuntu.com/ubuntu/dists/noble-proposed/main/dist-upgrader-all/24.04.18/noble.tar.gz
Resolving archive.ubuntu.com (archive.ubuntu.com)... 91.189.91.83, 185.125.190.36, 91.189.91.81, ...
Connecting to archive.ubuntu.com (archive.ubuntu.com)|91.189.91.83|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1274850 (1.2M) [application/x-gzip]
Saving to: ‘noble.tar.gz’
noble.tar.gz 100%[===================>] 1.21M 65.8KB/s in 17s
2024-05-17 09:54:27 (72.9 KB/s) - ‘noble.tar.gz’ saved [1274850/1274850]
ubuntu at ubuntu:~$ tar xf noble.tar.gz
ubuntu at ubuntu:~$ sudo ./noble --frontend DistUpgradeViewText
[...]
Checking package manager
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating the changes
Calculating the changes
Do you want to start the upgrade?
1 installed package is no longer supported by Canonical. You can
still get support from the community.
129 packages are going to be removed. 229 new packages are going to
be installed. 1134 packages are going to be upgraded.
You have to download a total of 1,448 M. This download will take
about 24 minutes with your connection.
Installing the upgrade can take several hours. Once the download has
finished, the process cannot be canceled.
Continue [yN] Details [d]
** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble
https://bugs.launchpad.net/bugs/2065229
Title:
Upgrades to 24.04 LTS should be temporarily prevented for TPM FDE
systems
Status in ubuntu-release-upgrader package in Ubuntu:
Fix Committed
Status in ubuntu-release-upgrader source package in Noble:
Fix Committed
Bug description:
[Impact]
It is not currently supported to upgrade desktop systems installed with TPM-backed FDE, so we should not allow such upgrades to start. We should notify the user of this and abort the upgrade.
[Test Plan]
Attempt an upgrade from 23.10 to 24.04 LTS on various types of Ubuntu
installs:
1. Desktop with TPM FDE
2. Desktop classic
3. LXD Container
In case (1), the upgrade should be aborted with an appropriate message
to the user. In cases (2) and (3), the upgrade should proceed as
normal.
[Where problems could occur]
The test condition for determining that we are on Desktop with TPM FDE is checking that (a) pc-kernel snap is installed, and (b) ubuntu-desktop-minimal is installed. If the test condition is inadequate in some way, we would see bug reports about upgrades being blocked unnecessarily, or possibly users being allowed to upgrade despite running TPM FDE.
As always with these kinds of quirks, if any package or snap names
were spelled incorrectly, the quirk would not work correctly.
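As an added illustration, not ubuntu-release-upgrader's own code, the guard described under [Where problems could occur] written as a small Python check. It assumes the two indicators are read from `snap list` and `dpkg-query` output (an assumption about the implementation, not something the bug states), and the command outputs embedded below are constructed samples for the test plan's three cases.

```python
"""Added example: a TPM-FDE upgrade guard modelled on the bug's test condition.
Not ubuntu-release-upgrader's own code; sample command output is constructed."""

# Names from the bug description. A typo in either silently disables the quirk,
# which is exactly the failure mode "[Where problems could occur]" warns about.
TPM_FDE_KERNEL_SNAP = "pc-kernel"
DESKTOP_META_PACKAGE = "ubuntu-desktop-minimal"
ABORT_MESSAGE = ("Upgrades for desktop systems running TPM FDE are not currently "
                 "supported. Please see https://launchpad.net/bugs/2065229 for "
                 "more information.")

def parse_snap_list(output: str) -> set[str]:
    """Installed snap names from `snap list` output (first line is the header)."""
    return {line.split()[0] for line in output.splitlines()[1:] if line.strip()}

def parse_dpkg_query(output: str) -> set[str]:
    """Packages in state 'installed' from
    `dpkg-query -W -f='${Package} ${db:Status-Status}\\n'` output."""
    installed = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1] == "installed":
            installed.add(fields[0])
    return installed

def is_desktop_tpm_fde(snaps: set[str], debs: set[str]) -> bool:
    """The bug's condition: (a) pc-kernel snap AND (b) ubuntu-desktop-minimal deb."""
    return TPM_FDE_KERNEL_SNAP in snaps and DESKTOP_META_PACKAGE in debs

def check_upgrade_allowed(snap_output: str, dpkg_output: str) -> tuple[bool, str]:
    """Return (allowed, message); a blocked system gets the abort text."""
    if is_desktop_tpm_fde(parse_snap_list(snap_output), parse_dpkg_query(dpkg_output)):
        return False, ABORT_MESSAGE
    return True, ""

# Constructed outputs for the test plan's three cases (not captured from a real system).
SNAP_LIST_FDE = ("Name       Version   Rev    Tracking       Publisher   Notes\n"
                 "pc-kernel  6.5.0-26  1436   23.10/stable   canonical*  kernel\n"
                 "snapd      2.61.2    21184  latest/stable  canonical*  snapd\n")
SNAP_LIST_CLASSIC = ("Name   Version  Rev    Tracking       Publisher   Notes\n"
                     "snapd  2.61.2   21184  latest/stable  canonical*  snapd\n")
DPKG_DESKTOP = "ubuntu-desktop-minimal installed\nlinux-image-generic config-files\n"
DPKG_CONTAINER = "ubuntu-minimal installed\n"

if __name__ == "__main__":
    for case, snaps, debs in [("tpm-fde", SNAP_LIST_FDE, DPKG_DESKTOP),
                              ("classic", SNAP_LIST_CLASSIC, DPKG_DESKTOP),
                              ("container", SNAP_LIST_CLASSIC, DPKG_CONTAINER)]:
        print(case, check_upgrade_allowed(snaps, debs))
```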