this post was submitted on 08 Feb 2026
40 points (100.0% liked)

Linux


I was testing out automatic disk decryption with the TPM and secure boot in a QEMU/KVM VM. I had Arch set up with a UKI; I followed this process to enable secure boot and enroll the keys, which all worked fine. I then used systemd-cryptenroll to unlock the drive automatically, which again worked great.

This is the part where I then messed up, and I'm not quite sure how or why. I wanted to check that disabling secure boot prevented unlocking of the drive, so I enabled the boot menu in the VM settings, entered it and reset the secure boot settings. As expected, I then needed to enter the password again. I then wanted to re-enable it, so I re-ran sbctl enroll-keys -m to re-enroll the keys, and rebooted as my UKI was already signed. And that was that, VM completely dead. No matter whether I try to boot from the virtual disk, the virtual CD drive, or even the virtual network adapter, all I get is a black screen with "Display output is not active". I can't even enter the firmware menu again because I no longer get that prompt.

It doesn't matter that this happened and I don't need to fix it because it was just a throwaway VM which I've now deleted, but I would like to know what caused it so I can avoid potentially bricking real hardware in the future.
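One defensive habit that the sequence above illustrates (reset keys in firmware, then re-run sbctl enroll-keys -m) is to check what state the firmware is actually in before enrolling anything. The script below is an added example for this thread, not code from the original post or from the sbctl project. It reads the two boolean EFI variables SecureBoot and SetupMode from efivarfs (each file is a 4-byte attribute header followed by the data byte; the GUID is the standard EFI global variable GUID) and only reports "safe to enroll" when the firmware is in Setup Mode with Secure Boot off, which is the state in which a new Platform Key is accepted. The EFIVARS_DIR override exists so the parsing can be exercised against constructed files instead of a live system; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the post): pre-flight check to run before
# `sbctl enroll-keys -m`. Refuses unless the firmware is in Setup Mode.

# Overridable so the logic can be tested on constructed files.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
# Standard EFI global variable namespace GUID (used by SecureBoot/SetupMode).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Print the single data byte of a boolean EFI variable as a decimal.
# efivarfs files carry 4 bytes of attributes first, so skip 4, read 1.
# Prints "absent" when the variable file does not exist or is unreadable.
efivar_byte() {
    f="$EFIVARS_DIR/$1-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo absent; return; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

# Returns 0 only when SecureBoot=0 and SetupMode=1 (no PK enrolled, firmware
# will accept new keys). Any other state returns 1 with a short diagnosis.
preflight_enroll() {
    sb=$(efivar_byte SecureBoot)
    sm=$(efivar_byte SetupMode)
    case "$sb/$sm" in
        0/1)      echo "setup mode, secure boot off: safe to enroll keys"; return 0 ;;
        1/*)      echo "secure boot is ON: clear the keys in firmware first"; return 1 ;;
        0/0)      echo "user mode (PK present) with secure boot off: not in setup mode"; return 1 ;;
        absent/*) echo "no efivars found: not booted via UEFI?"; return 1 ;;
        *)        echo "unexpected state SecureBoot=$sb SetupMode=$sm"; return 1 ;;
    esac
}
```

Usage on a live system is simply `preflight_enroll && sbctl enroll-keys -m`; the point is that the enroll step never runs when the firmware is not in the state you think it is in. On the same check, confirming that the image you are about to boot is signed (sbctl verify) before re-enabling enforcement closes the other gap Natanael mentions below.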

top 11 comments
[–] Natanael@slrpnk.net 8 points 2 days ago (1 children)

Could be a UEFI bug in the VM itself;

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_your_own_keys

Could also be that you didn't sign your boot image since that command seems to load the secure boot signing key into the UEFI firmware, if you cleared other signing keys then potentially no code can load. You would have to load the keys for whatever UEFI firmware vendor is used (presumably that made by the VM software maker) or sign it yourself, etc.

[–] Infernal_pizza@lemmy.dbzer0.com 0 points 2 days ago (1 children)

I'd have thought that would happen the first time I enrolled the keys though since I used the exact same command both times?

[–] Natanael@slrpnk.net 2 points 1 day ago

Could be that you loaded an incomplete set the second time...? 🤷

[–] wewbull@feddit.uk 6 points 2 days ago (2 children)

When you reset "secure boot settings", did you clear the TPM contents? Would that have included a private key used in the disk encryption? Then when you regenerated keys it will have been with a different seed and so different.

I don't know much about this stuff, but that bit sounded odd to me.

I didn't regenerate the keys, I just re-enrolled them. I assumed the old ones were still in the file system since they were still being used to sign the UKI?

[–] Natanael@slrpnk.net 2 points 2 days ago

That would make it stop at the end of the bootloader with decryption failure, not full bricking

[–] in_my_honest_opinion@piefed.social 4 points 2 days ago (1 children)

Is the underlying file system you're hosting the VM on encrypted as well? If so, that might be your problem.

What does sudo qm terminal get you?

[–] Infernal_pizza@lemmy.dbzer0.com 2 points 1 day ago (1 children)

No my host is unencrypted. Unfortunately I deleted the VM and I can't replicate this issue so I can't run that command. I obviously did something different the first time but I can't think what!

Likely it was TPM related. Good luck.

[–] GaumBeist@lemmy.ml 2 points 2 days ago (1 children)

so I enabled the boot menu in the VM settings, entered it and reset the secure boot settings.

In BIOS/UEFI? What settings does this affect/what changes does this make?

Yes, on this menu I unchecked "Attempt Secure Boot" and reset the secure boot keys. This just disabled secure boot, and the VM worked how it did before I set up secure boot.