Unable to create rollback file after OS reinstall (Regenerate TOTP/HOTP)
Please identify some basic details to help process the report
A. Provide Hardware Details
1. What board are you using (see list of boards here)?
2. Does your computer have a dGPU or is it iGPU-only?
- [ ] dGPU
- [x] iGPU-only
3. Who installed Heads on this computer?
- [ ] Insurgo
- [ ] Nitrokey
- [ ] Purism
- [ ] Other provider
- [x] Self-installed
4. What PGP key is being used?
- [ ] Librem Key
- [x] Nitrokey Pro 2
- [ ] Nitrokey Storage
- [ ] Yubikey
- [ ] Other
5. Are you using the PGP key to provide HOTP verification?
- [x] Yes
- [ ] No
- [ ] I don't know
B. Identify how the board was flashed
1. Is this problem related to updating heads or flashing it for the first time?
- [ ] First-time flash
- [ ] Updating heads
2. If the problem is related to an update, how did you attempt to apply the update?
- [ ] Using the Heads GUI
- [x] Flashrom via the Recovery Shell
- [ ] External flashing
3. How was Heads initially flashed
- [ ] External flashing
- [x] Internal-only / 1vyrain
- [ ] Don't know
4. Was the board flashed with a maximized or non-maximized/legacy rom?
- [x] Maximized
- [ ] Non-maximized / legacy
- [ ] I don't know
5. If Heads was externally flashed, was IFD unlocked?
- [ ] Yes
- [ ] No
- [ ] Don't know
C. Identify the rom related to this bug report
1. Did you download or build the rom at issue in this bug report?
- [x] I downloaded it
- [ ] I built it
2. If you downloaded your rom, where did you get it from?
- [x] Heads CircleCi
- [ ] Purism
- [ ] Nitrokey
- [ ] Somewhere else (please identify)
Please provide the release number or otherwise identify the rom downloaded
https://circleci.com/gh/linuxboot/heads/14178 ( x230-hotp-maximized_usb-kb of https://github.com/linuxboot/heads/commit/4a57c615e972149eefd52d95ba919ff54d53bb0a)
Please describe the problem
Describe the bug
Creating rollback file fails after OS reinstall (including wiping /boot).
To Reproduce
Steps to reproduce the behavior:
- Install Qubes OS 4.2.0
- On reboot choose to re-generate HOTP secret and then sign boot files
- When prompted creating TPM counter, provide TPM owner password as prompted
- See error:
sha256sum: can't open '/tmp/counter-': No such file or directory
sha256sum: can't open '65683996': No such file or directory
!! ERROR: /boot: Unable to create rollback file !!!
Expected behavior
Rollback file successfully created.
Screenshots
https://openqa.qubes-os.org/tests/88760/video?filename=video.ogv&t=92.9
The link above includes the full flow leading to the failure; I recommend watching at 25% speed, otherwise it's hard to follow.
Additional context
The problem didn't happen when I preserved heads-related files in /boot across reinstall (then it only required re-signing boot configs, which works fine).
@marmarek you need to reset TPM instead of resealing totp from TPM menu
Normally, flow after installing OS is to run oem factory reset / re-ownership.
Doing OEM re-ownership resets TPM as well.
Has it changed at some point? I think the current flow coded in that openQA test worked before (but not sure when, definitely not recently)...
I can check deeper in the next week but that code hasn't changed for 6 years. But string concatenation might be flaky here, while counter clearly doesn't exist here in shared output.
https://github.com/linuxboot/heads/blob/25d7b0606348c84824c691e0014805130e5f070c/initrd/bin/kexec-sign-config#L68
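The error output in the report (`sha256sum` complaining about `/tmp/counter-` and `65683996` as two separate files) is the signature of an unquoted shell variable being word-split. The following is an added illustration, not code from the heads repository: it assumes the counter value was read from tool output with a stray leading newline and shows how the unquoted concatenation splits the path into two arguments, alongside a sanitized and quoted form that yields a single path.

```shell
#!/bin/sh
# Added example (not heads code): reproduce the word-splitting failure mode
# behind "can't open '/tmp/counter-'" / "can't open '65683996'".

# Constructed sample (assumption): the counter value as captured from a tool's
# output, carrying a leading newline. The real content is not in the report.
SAMPLE_COUNTER='
65683996'

# Stand-in for sha256sum: report how many file arguments were received.
count_args() {
  echo "$#"
}

# Buggy form: unquoted expansion, so IFS (space/tab/newline) splits the path
# into "/tmp/counter-" and "65683996", exactly as in the reported error.
args_unquoted() {
  count_args /tmp/counter-$1
}

# Hardened form: keep only digits (assumption: the counter handle is numeric)
# and quote the expansion so the path is always a single argument.
sanitize_counter() {
  printf '%s' "$1" | tr -cd '0-9'
}

args_quoted() {
  clean=$(sanitize_counter "$1")
  count_args "/tmp/counter-$clean"
}

# The path the hardened form would hand to sha256sum.
path_quoted() {
  clean=$(sanitize_counter "$1")
  printf '%s\n' "/tmp/counter-$clean"
}

printf 'unquoted argc=%s  quoted argc=%s  path=%s\n' \
  "$(args_unquoted "$SAMPLE_COUNTER")" \
  "$(args_quoted "$SAMPLE_COUNTER")" \
  "$(path_quoted "$SAMPLE_COUNTER")"
```

The same check applies to any path built from `$TPM_COUNTER`: a value that is not purely numeric should fail loudly before the rollback file is created rather than silently produce two bogus arguments.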