From d35030e0b967edb6e29a79b486ce298072fa1278 Mon Sep 17 00:00:00 2001
From: Michael Hudson-Doyle
Date: Mon, 11 Aug 2025 13:18:57 +1200
Subject: [PATCH] Put the uc20-style system seed for TPM backed FDE in the live layer.
---
 debian/changelog | 6 ++
 .../hooks/020-ubuntu-enhanced-sb.binary | 66 ++---------------
 .../hooks/030-ubuntu-live-system-seed.binary | 74 +++++++++++++++++++
 3 files changed, 87 insertions(+), 59 deletions(-)
 create mode 100644 live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary
diff --git a/debian/changelog b/debian/changelog
index bbe6f3a8..81b8fff6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+livecd-rootfs (25.10.15) UNRELEASED; urgency=medium
+
+ * Put the uc20-style system seed for TPM backed FDE in the live layer.
+
+ -- Michael Hudson-Doyle Mon, 11 Aug 2025 13:06:09 +1200
+
 livecd-rootfs (25.10.14) questing; urgency=medium
 [ Didier Roche-Tolomelli ]
diff --git a/live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary b/live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary
index 9737b671..d57e1ea8 100755
--- a/live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary
+++ b/live-build/ubuntu/hooks/020-ubuntu-enhanced-sb.binary
@@ -1,76 +1,24 @@
 #! /bin/sh
+# We need to remove the snapd seed configuration for the layers that
+# will be the installation source for a TPM-backed FDE install or
+# snapd gets very confused on the boot of the target system.
+
 set -eux
 case ${PASS:-} in
- minimal.standard.enhanced-secureboot)
- ;;
- minimal.enhanced-secureboot)
+ *.enhanced-secureboot)
 ;;
 *)
 exit 0
 ;;
 esac
+. config/functions
+
 if [ -n "${SUBPROJECT:-}" ]; then
 echo "We don't run Ubuntu Desktop hooks for this project."
 exit 0
 fi
-. config/binary
-. config/functions
-
-# Generation of the model:
-# * At https://github.com/canonical/models one can find a repo of raw,
-# unsigned, input .json files, and their signed .model equivalents.
-# * At least once per cycle, update the json for the new Ubuntu version.
-# To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
-# rename for the new version, and do any necessary updates including fixing
-# the versions of tracks.
-# * When this is done, the json needs to be signed. This needs to be done by
-# a Canonical employee - try asking someone who has recently opened PRs on
-# https://github.com/canonical/models with the signed models.
-# * Ensure the signed and unsigned version of the models are updated in the
-# models repo.
-# * The signed model can then be placed here in livecd-rootfs at
-# live-build/${PROJECT}/ubuntu-classic-amd64.model
-
-# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
-model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
-
-# see below note about "dangerous" model
-CHANNEL=${CHANNEL:-stable}
-
-channel=""
-if [ -n "${CHANNEL:-}" ]; then
- channel="--channel $CHANNEL"
-fi
-
 reset_snapd_state chroot
-
-# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
-# snap versions regardless of phasing status
-
-# this is the normal prepare-image invocation. This is not used right now as
-# the model in question is the "dangerous" model so that we can override the
-# channel of pc-kernel and others to get a matching set of snaps.
-# env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
-# --classic $model $channel chroot
-# FIXME - go back to the stable model and remove all the `--snap` overrides
-env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
- --classic $model $channel \
- --snap=pc=classic-25.10/stable \
- --snap=pc-kernel=25.10/candidate \
- --snap=firmware-updater=1/stable/ubuntu-25.10 \
- --snap=desktop-security-center=1/stable/ubuntu-25.10 \
- --snap=prompting-client=1/stable/ubuntu-25.10 \
- --snap=snap-store=2/stable/ubuntu-25.10 \
- --snap=gtk-common-themes=latest/stable/ubuntu-25.10 \
- --snap=firefox=latest/stable/ubuntu-25.10 \
- --snap=gnome-42-2204=latest/stable/ubuntu-25.10 \
- --snap=snapd-desktop-integration=latest/stable/ubuntu-25.10 \
- chroot
-
-mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
-rm -rf chroot/var/lib/snapd/seed
-mv chroot/system-seed chroot/var/lib/snapd/seed
diff --git a/live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary b/live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary
new file mode 100644
index 00000000..52d7b2ac
--- /dev/null
+++ b/live-build/ubuntu/hooks/030-ubuntu-live-system-seed.binary
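Review bot: `. config/functions` is now sourced before the SUBPROJECT guard, whereas the removed lines sourced it (together with config/binary) only after that early exit; if config/functions does anything beyond defining functions, which the hunk does not show, the SUBPROJECT path now runs it for nothing. Moving the line below `fi`, directly above `reset_snapd_state chroot`, keeps the old ordering and still has the function defined where it is used. Whether reset_snapd_state relies on anything from config/binary, which this hook no longer sources at all, is not visible here and worth confirming before the next build. The new header comment says the seed configuration must be removed but not where the seed is now produced; adding `# The seed itself is now generated for the live layer by 030-ubuntu-live-system-seed.binary.` after the third comment line points a reader to the sibling hook.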
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# create the system seed for TPM-backed FDE in the live layer of the installer.
+
+set -eux
+
+case ${PASS:-} in
+ *.live)
+ ;;
+ *)
+ exit 0
+ ;;
+esac
+
+if [ -n "${SUBPROJECT:-}" ]; then
+ echo "We don't run Ubuntu Desktop hooks for this project."
+ exit 0
+fi
+
+. config/binary
+. config/functions
+
+# Generation of the model:
+# * At https://github.com/canonical/models one can find a repo of raw,
+# unsigned, input .json files, and their signed .model equivalents.
+# * At least once per cycle, update the json for the new Ubuntu version.
+# To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
+# rename for the new version, and do any necessary updates including fixing
+# the versions of tracks.
+# * When this is done, the json needs to be signed. This needs to be done by
+# a Canonical employee - try asking someone who has recently opened PRs on
+# https://github.com/canonical/models with the signed models.
+# * Ensure the signed and unsigned version of the models are updated in the
+# models repo.
+# * The signed model can then be placed here in livecd-rootfs at
+# live-build/${PROJECT}/ubuntu-classic-amd64.model
+
+# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
+model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model
+
+# see below note about "dangerous" model
+CHANNEL=${CHANNEL:-stable}
+
+channel=""
+if [ -n "${CHANNEL:-}" ]; then
+ channel="--channel $CHANNEL"
+fi
+
+# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
+# snap versions regardless of phasing status
+
+# this is the normal prepare-image invocation. This is not used right now as
+# the model in question is the "dangerous" model so that we can override the
+# channel of pc-kernel and others to get a matching set of snaps.
+# env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
+# --classic $model $channel chroot
+# FIXME - go back to the stable model and remove all the `--snap` overrides
+env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
+ --classic $model $channel \
+ --snap=pc=classic-25.10/stable \
+ --snap=pc-kernel=25.10/candidate \
+ --snap=firmware-updater=1/stable/ubuntu-25.10 \
+ --snap=desktop-security-center=1/stable/ubuntu-25.10 \
+ --snap=prompting-client=1/stable/ubuntu-25.10 \
+ --snap=snap-store=2/stable/ubuntu-25.10 \
+ --snap=gtk-common-themes=latest/stable/ubuntu-25.10 \
+ --snap=firefox=latest/stable/ubuntu-25.10 \
+ --snap=gnome-42-2204=latest/stable/ubuntu-25.10 \
+ --snap=snapd-desktop-integration=latest/stable/ubuntu-25.10 \
+ chroot
+
+mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop
+rm -rf chroot/var/lib/snapd/seed
+mv chroot/system-seed chroot/var/lib/snapd/seed
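Review bot: `mv chroot/system-seed/systems/* chroot/system-seed/systems/enhanced-secureboot-desktop` near the end of the new file assumes prepare-image left exactly one directory under systems/; with two entries mv fails because the target is not an existing directory, and with none it is handed the literal pattern, so the build dies under `set -eux` with an mv error that does not name the real problem. Since this file declares `#!/bin/bash` (its sibling 020 hook is `#! /bin/sh`, and nothing else here needs bash), a bash array can capture the match and check it before the rename, as below. The seed this hook installs into chroot/var/lib/snapd/seed is, per the 020 hook's new comment, the installation source for TPM-backed FDE installs, so the `pc-kernel=25.10/candidate` pin and the "dangerous" model deserve the cleanup the existing FIXME already asks for; nothing further to add there.
```bash
# … unchanged: snap prepare-image invocation …
# prepare-image is expected to leave exactly one system under systems/;
# fail with a clear message instead of letting mv trip over the glob.
systems=(chroot/system-seed/systems/*)
if [ "${#systems[@]}" -ne 1 ] || [ ! -d "${systems[0]}" ]; then
    echo "expected exactly one seeded system, found: ${systems[*]}" >&2
    exit 1
fi
mv "${systems[0]}" chroot/system-seed/systems/enhanced-secureboot-desktop
# … unchanged: rm -rf and mv into chroot/var/lib/snapd/seed …
```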