# [SOLVED] Impossible to boot after erasing keys in UEFI


gilded cedar
#

Hey all

So I'm trying to get Secure boot working. I installed arch with LUKS for disk encryption and UKI.

After a lot of work building the uki image and other stuff, I tried to enroll my new keys created with sbctl. To do that, I thought I had to delete existing keys within UEFI, which I did.

When I rebooted, arch was stuck after, and before asking for the passphrase:

```
start job is running for "/dev/mapper/root"
Cannot open access to console, the root account is locked
```

It looks like the bootloader isn't able anymore to load what it has to in order to decrypt the disk.

I was able to access the encrypted disk by using a live debian, however I can't repair what I broke.

I made so many checks and modifications/tries on different files:
/boot/loader/entries/arch.conf
/etc/mkinitcpio.conf
/etc/crypttab
...
that I don't know exactly where the problem lies.

I also rebuilt the .efi images each time.

Yet I think that I may have artefacts that could cause issues. 

Help would be greatly appreciated. Especially guidance on what to check in order to find the issue(s).

Thanks!
dark scaffold
#

um

#

i don't think secure boot

#

works

#

wait

#

are u trying to install arch

#

well if so

#

u have to disable secure boot

dire locust
#

after install pretty sure

zinc bolt
#

I have a secure boot with TPM encryption setup. So it is, in fact, possible. Looks like you may have your hooks set up incorrectly, so it isn't able to run the Secure hook. Can I see your mkinitcpio.conf?

#

I also recommend using Arch install so you can chroot into your install.

#

Wait, looking at it closer, it looks like Secure Boot is blocking the kernel. So you should be able to boot just by putting your board in write mode and trying to write your keys again. Perhaps?

Regardless, this is the guide I followed to get probably what you want.

https://github.com/joelmathewthomas/archinstall-luks2-lvm2-secureboot-tpm2?tab=readme-ov-file#7-configure-mkinitcpio

gilded cedar
#

Nice guide, I don't remember spending time on /etc/cmdline.d/root.conf

#

Should I clean files on my esp?

gilded cedar
#

I followed the guide. It's better 'cause the bootloader is asking me for the passphrase now. However it's still getting stuck with the job on /dev/mapper/root, after "Reached target Basic System"

zinc bolt
# gilded cedar I followed the guide. It's better 'cause the bootloader is asking me the passphr...

Hmmm, that is perplexing. I honestly suggest doing a fresh install. I have a feeling your bootloader is somehow loading the wrong binary. Sorry it took long to respond. If you want help, I can perhaps walk you through the install, at least what I did. Also, if you're unaware, I recommend SSHing in the live install on a phone or another computer so you can copy and paste and not worry about a typo messing something up. You got this man. I will be around today in case you get stuck.

gilded cedar
#

Hey guys, followed the github. Everything worked well. I had an issue with /etc/cmdline.d/root.conf. Replaced rd.luks.name with the correct name and the system booted correctly
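
The fix in the last message, as an added example that is not part of the original thread: a check that the `rd.luks.name=` entry of a kernel command line (for instance the contents of /etc/cmdline.d/root.conf) agrees with the LUKS UUID of the device and with `root=`. It assumes the systemd syntax `rd.luks.name=<UUID>=<name>`; the function name `check_cmdline` and the sample UUID are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: consistency check for a kernel command line that unlocks a
# LUKS root via systemd's rd.luks.name=<LUKS-UUID>=<mapper-name>.
# Usage: check_cmdline "<cmdline>" "<UUID printed by: cryptsetup luksUUID DEV>"
# Returns 0 if consistent, 1 on a mismatch, 2 if a parameter is missing/malformed.
# Simplification: if rd.luks.name= appears more than once, only the last is checked.
check_cmdline() {
    local cmdline="$1" want_uuid="$2" tok luks="" root="" uuid name
    set -f                      # no glob expansion while splitting the cmdline
    for tok in $cmdline; do
        case "$tok" in
            rd.luks.name=*) luks="${tok#rd.luks.name=}" ;;
            root=*)         root="${tok#root=}" ;;
        esac
    done
    set +f
    if [ -z "$luks" ] || [ -z "$root" ]; then
        echo "missing rd.luks.name= or root="; return 2
    fi
    uuid="${luks%%=*}"; name="${luks#*=}"
    if [ "$uuid" = "$luks" ] || [ -z "$name" ]; then
        echo "rd.luks.name must be <UUID>=<name>, got '$luks'"; return 2
    fi
    # UUIDs are compared case-insensitively.
    if [ "$(echo "$uuid" | tr 'A-F' 'a-f')" != "$(echo "$want_uuid" | tr 'A-F' 'a-f')" ]; then
        echo "UUID mismatch: cmdline has $uuid, device has $want_uuid"; return 1
    fi
    # When root= points at /dev/mapper/<x>, <x> must be the name given above,
    # otherwise the initramfs waits for a device that is never created.
    case "$root" in
        /dev/mapper/*)
            if [ "${root#/dev/mapper/}" != "$name" ]; then
                echo "name mismatch: unlocks as '$name' but root=$root"; return 1
            fi ;;
    esac
    echo "ok: $uuid -> /dev/mapper/$name, root=$root"; return 0
}

# Constructed sample (made-up UUID): the volume is opened as 'cryptroot',
# but root= expects /dev/mapper/root, so the check reports a name mismatch.
check_cmdline "rd.luks.name=0a1b2c3d-1111-2222-3333-444455556666=cryptroot root=/dev/mapper/root rw" \
    "0a1b2c3d-1111-2222-3333-444455556666" || true
```

On an installed system the first argument can be the contents of the cmdline file and the second the output of `cryptsetup luksUUID` for the encrypted partition.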