Ubuntu 26.04 Hardware backed encryption

Anyone got the hardware based full disk encryption installation working on the FW16 for Ubuntu 26.04?

I get the following error:

“PCR_UNUSABLE
error with secure boot policy (PCR7) measurements: generating secure boot profiles for systems with timestamp revocation (dbt) support is currently not supported”

Same here on a Framework Laptop 13 with the AMD Ryzen 7040 series, fresh Ubuntu 26.04 install. Cleared the TPM via UEFI, Secure Boot enabled, identical error:

PCR_UNUSABLE
error with secure boot policy (PCR7) measurements: generating secure boot profiles for systems with timestamp revocation (dbt) support is currently not supported

What my AI agent researched:

Tracked upstream at "WithSecureBootPolicyProfile should accommodate systems that support timestamp revocation" (Issue #306, canonical/secboot, GitHub), opened May 2024, still open with no linked PR. The Framework UEFI exposes a dbt (timestamp revocation / forbidden timestamp signature database) variable, and Canonical’s secboot library currently can’t generate a valid PCR7 profile when that’s present, so the pre-install checks explicitly disable WithSecureBootPolicyProfile in this case.

Same error has also been reported on FW13 12th gen Intel in the Ubuntu 25.10 TPM/FDE thread, post #39, so it looks like all current Framework models are affected regardless of CPU generation/vendor.

dbt is a firmware property, not a toggleable UEFI setting, so there’s no BIOS-level workaround that I can find. Disabling Secure Boot isn’t an option either since TPM-FDE requires it. Falling back to classic LUKS with passphrase for now.

If anyone wants to add a datapoint to help prioritise the fix, Canonical has a TPM configuration feedback form. (Search for this on the internet, as I am not allowed to post more than two links on this forum)
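
Added example, not part of the thread or of Canonical's tooling: a check for whether the firmware exposes the dbt variable described in the post above, reading efivarfs and counting the entries in each Secure Boot database. The efivarfs mount point and the function names are assumptions; the GUID is the UEFI image security database GUID shared by db, dbx and dbt.

```python
import struct
import uuid
from pathlib import Path

# EFI_IMAGE_SECURITY_DATABASE_GUID: vendor GUID shared by db, dbx and dbt (UEFI spec).
IMAGE_SECURITY_DB_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point


def parse_signature_lists(payload: bytes):
    """Walk EFI_SIGNATURE_LIST records; return [(signature_type_guid, entry_count)]."""
    out, off = [], 0
    while off + 28 <= len(payload):
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])
        # SignatureListSize, SignatureHeaderSize, SignatureSize (all little-endian u32)
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(payload):
            raise ValueError(f"malformed signature list at offset {off}")
        body = list_size - 28 - hdr_size
        out.append((str(sig_type), body // sig_size if sig_size else 0))
        off += list_size
    return out


def inspect_secure_boot_db(name: str, efivars: Path = EFIVARS):
    """Return None if the variable is absent, else its parsed signature lists."""
    path = efivars / f"{name}-{IMAGE_SECURITY_DB_GUID}"
    if not path.exists():
        return None
    raw = path.read_bytes()
    # efivarfs prefixes the variable data with a 4-byte attributes field.
    return parse_signature_lists(raw[4:])


if __name__ == "__main__":
    for var in ("db", "dbx", "dbt"):
        lists = inspect_secure_boot_db(var)
        if lists is None:
            print(f"{var}: not exposed by firmware")
        else:
            total = sum(n for _, n in lists)
            print(f"{var}: present, {len(lists)} signature list(s), {total} entries")
```

A `dbt: present` line means the machine is in the configuration the post describes, even when the database holds zero entries.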

BIOS 3.06 is out, but it does not look like this specific issue is addressed:

Here is the form:

I expect Framework BIOS updates will not fix this; timestamp revocation (dbt) support is a deliberate and good-practice security feature. Rather: Ubuntu should update their components to support (worst case ignore, best case utilise) timestamp revocation.

I would love to hear if and in what way Framework is working with Ubuntu to assist them in developing this possibility.