1

Since upgrading my Ubuntu installation from 23.10 to 24.04, my Lenovo docks (Thunderbolt 4 dock and Hybrid USB-C dock) are not recognized in the initramfs. This issue occurs when I need to enter my hardware encryption password during boot. As a result:

  • Displays connected to the docks show nothing.
  • The keyboard connected via USB to the dock is not usable to enter my password.

However, once the system boots into the full OS, everything works as expected. This is particularly inconvenient as I have to open my Lenovo P14s Gen 4 (with AMD Ryzen 7) laptop just to enter the password.

What steps can I take to ensure that my docks are recognized during the initramfs stage so that I can use my external displays and keyboard to enter my encryption password?

Thank you in advance for your help!

Squall
  • 111

1 Answer

0

I suffer the same issue as you. Please check Issues with Thunderbolt and Initramfs in Ubuntu 24: Devices (assume) blocked -> Lets exclude the module from being loaded and the ongoing discussion.

But despite your interpretation of missing Thunderbolt, your issue sounds to me quite the opposite: You actually do have working Thunderbolt in initramfs, but the Thunderbolt BootAccessControlList (BootACL) feature of the UEFI is not activated and is therefore missing a User Authorization of your device, which causes this exact behavior: the Dock is blocked by security policies in the Pre-Boot environment. If Thunderbolt didn't work, your Dock would be recognized as a USB device and work; only with Thunderbolt working and the security policy blocking it can this behavior occur.

You may continue by checking the verbose log of boltd for BootACL support of your Domains (Thunderbolt Ports):

  • $ boltd -v

or if your $PATH variable is missing it, Ubuntu 22 and 24 store boltd in /usr/libexec, so to run it:

  • $ /usr/libexec/boltd -v

boltd by itself is just reading sysfs parameters, so you could read out sysfs directly too, but I find it quite comfortable via boltd instead.

To gain BootACL capability you need to make changes to your UEFI: "BootACL" or "Pre-BootACL" should be activated and set to "User Authorization".

If BootACL support is present: To further investigate if a User Authorization for your device (the Dock) is set at the Domain (Thunderbolt Port) you may want to check:

  • $ boltctl domains

If the output says "bootacl: 0/0", the manual of boltctl suggests interpreting this as missing BootACL support.

If you have BootACL support but the device is not enlisted, do another enrollment:

  • unplug the cable of the device

  • $ boltctl forget --all

  • connect the device

  • Option 1: follow Ubuntu GUI prompt for authorization

  • Option 2: Manual enrollment

      • $ boltctl list -a

      • check the UUID of your desired device (the Dock)

      • $ boltctl enroll UUID

or maybe

  • $ boltctl enroll UUID --policy auto

Now check "$ boltctl domains" again if the device is listed in BootACL of a domain.

Your device should now be enlisted within the BootAccessControlList and working as desired for LUKS Passphrases.

Cheers

Napzkin
  • 41
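The answer notes that boltd only reads sysfs parameters. As an added example (not part of the answer above, and not code from the bolt project), this script reads the kernel's `boot_acl` and `security` attributes for each Thunderbolt domain directly and reports how many Boot ACL slots are used and whether a given device UUID is listed. The `TB_SYSFS` override and the function names are assumptions made for this example, and it treats a domain without a `boot_acl` attribute as having no Boot ACL support.

```shell
#!/bin/sh
# Added example: inspect the Thunderbolt Boot ACL from sysfs, without boltd.
# boot_acl holds a comma-separated list of device UUIDs, one field per slot;
# unused slots are empty fields.
# TB_SYSFS is a hypothetical override so the script can run on a test tree.
TB_SYSFS="${TB_SYSFS:-/sys/bus/thunderbolt/devices}"

# bootacl_slots FILE -> prints "used/total" for one boot_acl attribute
bootacl_slots() {
    awk -F, '{ used = 0
               for (i = 1; i <= NF; i++) if ($i != "") used++
               printf "%d/%d\n", used, NF; exit }' "$1"
}

# uuid_in_bootacl FILE UUID -> exit 0 if UUID occupies a slot (case-insensitive)
uuid_in_bootacl() {
    [ -n "$2" ] && tr ',' '\n' < "$1" | grep -qixF -- "$2"
}

# check_domains [UUID] -> one report line per domain.
# With a UUID, returns 1 when no domain lists it in its Boot ACL.
check_domains() {
    uuid=${1:-}
    found=1
    for d in "$TB_SYSFS"/domain*; do
        [ -d "$d" ] || continue
        name=${d##*/}
        sec=$(cat "$d/security" 2>/dev/null || echo unknown)
        # Assumption: an absent attribute means no Boot ACL support.
        if [ ! -r "$d/boot_acl" ]; then
            echo "$name security=$sec bootacl=unsupported"
            continue
        fi
        state=
        if [ -n "$uuid" ]; then
            if uuid_in_bootacl "$d/boot_acl" "$uuid"; then
                state=" uuid=listed"; found=0
            else
                state=" uuid=missing"
            fi
        fi
        echo "$name security=$sec bootacl=$(bootacl_slots "$d/boot_acl")$state"
    done
    [ -z "$uuid" ] || return "$found"
}

check_domains "$@"
```

Run it with the dock's UUID from `boltctl list -a` as the only argument; a `uuid=missing` line on a domain that reports free slots is the case where the re-enrollment steps above apply.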