can't sign multiple OSes with LUKS (0x45 from TPM_IncrementCounter)

[toothlesslizard]

trafficstars

Qubes 4.2.0-rc4 LUKS (/dev/nvme*) Ubuntu 23.10 LUKS (/dev/sda*) third disk drive - /dev/mmcblk0 - empty

FW_VER - CBET4000 Heads-v0.2.0-1914-g1f39d16-dirty X230-maximized-eDP gpg smart card : Nitrokey start

here steps what i do :

1. OEM Factory Reset / Re-Ownershp
2. Qubes signed /boot normally and works
3. Go to -> Change configurations settings -> Change boot device -> /dev/sda2
4. Default boot -> Yes -> Failed update checksums /sign and TPM want to reset himself.
5. Reset and goto step 1. Loop.

The same thing happens in reverse order. Ubuntu sign first, then Qubes won't.

In previous firmware I remember that it worked fine but Qubes + Void

[tlaurion]

@toothlesslizard were qubes and Ubuntu sharing the same /boot partition? The TPM counter is unique per TPM, and stored under /boot for validation per Heads.

If both OSes were sharing /boot then that might be why there was no issue in the past?