Lanzaboote just broke my PC (no display) #433

MysticalPvE opened this issue Jan 29, 2025 · 4 comments

Comments

@MysticalPvE

I installed lanzaboote with niv and finished the QuickStart guide till the verification part. After verification, I booted into UEFI firmware to change the secure boot option to true and enroll PK keys to activate it. When I completed and booted my PC, no display. After 15 minutes, I decided to turn off my PC and boot again. Still no display. Then I began to troubleshoot.

Troubleshooting steps I performed:

  • Reseating GPU
  • Reseating RAM
  • Clearing CMOS using battery and pins
  • Checking monitor (it works)
  • Connecting PC to another monitor (no display)

Things to note:

  • GPU fans spin for a few seconds then stop
  • CPU fans spin
  • Case fans spin
  • Power supply seems to work fine
  • No light indicating the issue as far as I can see
  • Mouse and keyboard recognised by PC
  • Monitor gives “no signal” error
  • I tried booting into BIOS but still no display

PC Specs:

  • CPU: i5 12400F
  • GPU: ASUS Dual RX 6600
  • MOBO: H610M H V2 DDR4
  • RAM: Corsair Vengeance 8x2 3200MHz
  • SSD: Kingston NV2 1TB
  • PSU: Cooler Master MWE V2 550W Bronze

Any help on why this happened and fixes would be appreciated.

@RaitoBezarius
Member

I am sorry this happened.

Normally, the UEFI ecosystem ensured that any newer motherboards and systems implement the specification safely for the user, but OEMs being the way they are, there's no way to be 100% certain that enabling Secure Boot will not brick your system.

That being said, what you are describing looks like there's an important component (graphical driver or Ethernet driver) that is being waited upon at boot and blocks further POST-ing in the firmware. This component was probably signed using an OEM set of Secure Boot keys.

When you cleared your Secure Boot keys and enrolled your own PK, you removed that OEM set of Secure Boot keys, rendering all these components as "not signed" according to the new policy.

What would help to restore your system is to perform a BIOS update without any graphical interface. Some motherboards offer a special USB port where you plug in and a BIOS upgrade triggers; this will factory reset your BIOS and bring back the old set of OEM Secure Boot keys. This has the highest chance of restoring the functionality of your system.

Please let us know how it goes and we can try to help you as much as our knowledge allows. Again, really sorry this happened but also thank you for testing it and opening an issue.

@MysticalPvE
Author

Update: My motherboard does not support Q-Flash Plus and thus I cannot roll back my BIOS. Any other suggestions or am I forced to RMA?

@RaitoBezarius
Member

> Update: My motherboard does not support Q-Flash Plus and thus I cannot roll back my BIOS. Any other suggestions or am I forced to RMA?

Alternatives include:

  • finding a switch or a thing on your motherboard that performs a factory reset of the UEFI variables (may or may not be documented, you may have to look carefully on the mobo traces)
  • rebooting enough to trigger a factory reset if the motherboard detects cleverly there's a problem
  • reflashing a stock image by connecting SOIC8 or SOIC16 clips on your UEFI NVRAM and performing an external reprogramming of your UEFI BIOS with another system

RMA may be the easiest choice if you don't feel expert enough on these kinds of things.

Just for our own information, how did you enroll the Secure Boot keys? Did you just run sbctl --enroll-keys --microsoft?

@MysticalPvE
Author

Sorry for the late reply. I checked at various places and it turns out that I might be able to turn off secure boot by switching my GPU. Since the graphical drivers are preventing further progress in the firmware, a switch of the GPU might let me turn off secure boot. I will borrow my friend's GPU and test it out. Progress will be posted here.

As for your question, I did sbctl --enroll-keys <key name> to keys that have not been signed yet. Once all keys were signed according to the command, I proceeded to turn on secure boot.
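Added example, not part of the issue thread and not lanzaboote or sbctl code: a pre-enrollment check that parses the Secure Boot `db` variable (EFI_SIGNATURE_LIST format) and reports which signature owners it contains, so you can see whether replacing the keys would leave only your own certificate trusted. The sample blobs, `make_list` and `OWN_KEY_OWNER` are constructed for illustration; the Microsoft owner GUID is the one conventionally attached to Microsoft's `db` certificates.

```python
import struct
import uuid

# GUIDs from the UEFI spec (X.509 signature type) and Microsoft's usual SignatureOwner.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

def parse_signature_lists(data):
    """Yield (signature_type, owner_guid, signature_data) for every entry
    in a buffer of concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def owners_in_db(efivar_blob):
    """efivarfs files start with a 4-byte attributes word; skip it."""
    return {owner for _, owner, _ in parse_signature_lists(efivar_blob[4:])}

def has_microsoft_entries(efivar_blob):
    return MICROSOFT_OWNER_GUID in owners_in_db(efivar_blob)

# Constructed sample data: placeholder payloads, not real certificates.
def make_list(owner, payload):
    body = owner.bytes_le + payload
    return (EFI_CERT_X509_GUID.bytes_le
            + struct.pack("<III", 28 + len(body), 0, len(body)) + body)

ATTRS = struct.pack("<I", 0x27)  # NV | BS | RT | time-based authenticated write
OWN_KEY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner
DB_OWN_ONLY = ATTRS + make_list(OWN_KEY_OWNER, b"own-cert-placeholder")
DB_WITH_MS = DB_OWN_ONLY + make_list(MICROSOFT_OWNER_GUID, b"ms-cert-placeholder")
```

On a live Linux system the same functions can be fed the bytes of `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`; a `db` that lists only your own owner GUID means firmware components signed under the removed keys will no longer verify.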
