Ubuntu 26.04 Hardware backed encryption

Anyone got the hardware based full disk encryption installation working on the FW16 for Ubuntu 26.04?

I get the following error:

“PCR_UNUSABLE
error with secure boot policy (PCR7) measurements: generating secure boot profiles for systems with timestamp revocation (dbt) support is currently not supported”

Same here on a Framework Laptop 13 with the AMD Ryzen 7040 series, fresh Ubuntu 26.04 install. Cleared the TPM via UEFI, Secure Boot enabled, identical error:

PCR_UNUSABLE
error with secure boot policy (PCR7) measurements: generating secure boot profiles for systems with timestamp revocation (dbt) support is currently not supported

What my AI agent researched:

Tracked upstream in canonical/secboot issue #306 on GitHub, “WithSecureBootPolicyProfile should accommodate systems that support timestamp revocation”, opened May 2024 and still open with no linked PR. The Framework UEFI exposes a dbt (timestamp revocation / forbidden timestamp signature database) variable, and Canonical’s secboot library currently can’t generate a valid PCR7 profile when that’s present, so the pre-install checks explicitly disable WithSecureBootPolicyProfile in this case.

Same error has also been reported on FW13 12th gen Intel in the Ubuntu 25.10 TPM/FDE thread, post #39, so it looks like all current Framework models are affected regardless of CPU generation/vendor.

dbt is a firmware property, not a toggleable UEFI setting, so there’s no BIOS-level workaround that I can find. Disabling Secure Boot isn’t an option either since TPM-FDE requires it. Falling back to classic LUKS with passphrase for now.

If anyone wants to add a datapoint to help prioritise the fix, Canonical has a TPM configuration feedback form. (Search for this on the internet, as I am not allowed to post more than two links on this forum)
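A quick way to confirm from a live session whether a machine is in the affected class before attempting the TPM-FDE install, as an added example that is not from any post in this thread: the script below looks for the dbt variable and the SecureBoot state in efivarfs. It assumes efivarfs is mounted at /sys/firmware/efi/efivars with variables named NAME-GUID and each file starting with the 4-byte attribute header efivarfs prepends; the GUIDs are the standard EFI_IMAGE_SECURITY_DATABASE_GUID (db/dbx/dbt/dbr) and EFI_GLOBAL_VARIABLE_GUID (SecureBoot); the function names, the directory argument (for testing against a constructed directory) and the verdict strings are my own.

```shell
#!/bin/sh
# Added pre-check (not from the thread): does this firmware expose the dbt
# (timestamp revocation) variable that makes secboot refuse to build a PCR7
# profile? Assumed efivarfs layout: /sys/firmware/efi/efivars/NAME-GUID, each
# file being 4 attribute bytes followed by the variable's data.

SEC_DB_GUID="d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # EFI_IMAGE_SECURITY_DATABASE_GUID (db, dbx, dbt, dbr)
GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE_GUID (SecureBoot, SetupMode)

# has_dbt DIR : prints yes / no / unknown (DIR defaults to the real efivarfs)
has_dbt() {
    dir="${1:-/sys/firmware/efi/efivars}"
    if [ ! -d "$dir" ]; then
        echo unknown            # not booted via UEFI, or efivarfs not mounted
    elif [ -e "$dir/dbt-$SEC_DB_GUID" ]; then
        echo yes                # firmware exposes a timestamp revocation database
    else
        echo no
    fi
}

# secure_boot_state DIR : prints enabled / disabled / unknown
# The single data byte sits right after the 4-byte attribute header.
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    f="$dir/SecureBoot-$GLOBAL_GUID"
    if [ ! -r "$f" ]; then
        echo unknown
        return
    fi
    case "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# fde_precheck DIR : one-line verdict mirroring the two conditions the thread
# describes: Secure Boot must be on, and a dbt variable currently trips secboot.
fde_precheck() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb="$(secure_boot_state "$dir")"
    dbt="$(has_dbt "$dir")"
    if [ "$sb" != "enabled" ]; then
        echo "secure-boot-required (SecureBoot=$sb)"
    elif [ "$dbt" = "yes" ]; then
        echo "pcr7-unusable: firmware exposes dbt; expect PCR_UNUSABLE from secboot (canonical/secboot#306)"
    else
        echo "ok"
    fi
}

# Run against the live firmware when executed directly.
fde_precheck
```

Run it from the live installer environment (or any booted Linux on the same machine); a "pcr7-unusable" verdict means the dbt variable is present and the installer's PCR7 check will fail as described above, independent of BIOS version. Passing a directory argument lets you point it at a copy of another machine's efivars for comparison.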

BIOS 3.06 is out, but it does not look like this specific issue is addressed:

Here is the form:

I expect Framework bios updates will not fix this; timestamp revocation (dbt) support is a deliberate and good-practice security feature. Rather: Ubuntu should update their components to support (worst case ignore, best case utilise) timestamp revocation.

I would love to hear if and in what way Framework is working with Ubuntu to assist them in developing this possibility.

Dell Latitude 5520 - I went through every error, correcting and restarting the machine, until it simply said “hardware backed encryption could not be enabled,” with nothing under it, and no next button to try to ignore and see if it worked.

Ran a fresh install of 24.04.4 and it worked perfectly. Trying to run do-release-upgrade -d returns that there’s an update to 26.04 available, but aborts specifically because of TPM backed encryption being enabled. After reading some more, it seems as though it isn’t supported yet for 26, and rumored to be available in the .1 release. I could be wrong, but it’s the only thing that makes sense at this point.