I was testing out automatic disk decryption with the TPM and secure boot in a Qemu/KVM VM. I had Arch set up with a UKI, I followed this process to enable secure boot and enroll the keys which all worked fine. I then used systemd-cryptenroll to unlock the drive automatically which again worked great.
This is the part where I then messed up and I’m not quite sure how or why. I wanted to check that disabling secure boot prevented unlocking of the drive, so I enabled the boot menu in the VM settings, entered it and reset the secure boot settings. As expected I then needed to enter the password again. I then wanted to re-enable it so I re-ran sbctl enroll-keys -m to re-enroll the keys, and rebooted as my UKI was already signed. And that was that, VM completely dead. No matter whether I try to boot from the virtual disk, the virtual CD drive, or even the virtual network adapter all I get is a black screen with “Display output is not active”. I can’t even enter the firmware menu again because I no longer get that prompt.
It doesn’t matter that this happened and I don’t need to fix it because it was just a throwaway VM which I’ve now deleted, but I would like to know what caused it so I can avoid potentially bricking real hardware in the future
When you reset “secure boot settings” did you clear the TPM contents? Would that have included a. private key used in the disc encryption? Then when you regenerated keys it will have been with a different seed and so different.
I don’t know much about his stuff, but that bit sounded odd to me.
That would make it stop at the end of the bootloader with decryption failure, not full bricking
I didn’t regenerate the keys I just re-enrolled them. I assumed the old ones were still in the file system since they were still being used to sign the UKI?