heads icon indicating copy to clipboard operation
heads copied to clipboard

Published 20 hours ago verified publisher icon linuxboot

Heads fails to sign boot files if /boot was cleared (including rollback counter) (Ie: When OS is reinstalled and TPM was previously owned by user and TOTP is good)

Open marmarek opened this issue 10 months ago • 1 comments

Please identify some basic details to help process the report

A. Provide Hardware Details

  1. What board are you using? (Choose from the list of boards here)

  2. Does your computer have a dGPU or is it iGPU-only?

    • [ ] dGPU (Distinct GPU other then internal GPU)
    • [x] iGPU-only (Internal GPU, normally Intel GPU)

  3. Who installed Heads on this computer?

    • [ ] Insurgo (Issues to be reported at https://github.com/linuxboot/heads/issues)
    • [ ] Nitrokey (Issues to be reported at https://github.com/Nitrokey/heads/issues)
    • [ ] Purism (Issues to be reported at https://source.puri.sm/firmware/pureboot/-/issues)
    • [ ] Novacustom (Issues to be reported at https://github.com/Dasharo/dasharo-issues)
    • [ ] HardnenedVault (Issues to be reported at https://github.com/hardenedvault/vaultboot/issues)
    • [ ] Other provider
    • [x] Self-installed

  4. What PGP key is being used?

    • [ ] Librem Key (Nitrokey Pro 2 rebranded)
    • [ ] Nitrokey Pro
    • [x] Nitrokey Pro 2
    • [ ] Nitrokey 3 NFC
    • [ ] Nitrokey 3 NFC Mini
    • [ ] Nitrokey Storage
    • [ ] Nitrokey Storage 2
    • [ ] Yubikey
    • [ ] Other

  5. Are you using the PGP key to provide HOTP verification?

    • [x] Yes
    • [ ] No
    • [ ] I don't know

B. Identify how the board was flashed

  1. Is this problem related to updating heads or flashing it for the first time?

    • [ ] First-time flash
    • [x] Updating heads

  2. If the problem is related to an update, how did you attempt to apply the update?

    • [x] Using the Heads menus
    • [ ] Flashrom via the Recovery Shell
    • [ ] External flashing

  3. How was Heads initially flashed?

    • [x] External flashing
    • [ ] Internal-only / 1vyprep+1vyrain / skulls
    • [ ] Don't know

  4. Was the board flashed with a maximized or non-maximized/legacy rom?

    • [x] Maximized
    • [ ] Non-maximized / legacy
    • [ ] I don't know

  5. If Heads was externally flashed, was IFD unlocked?

    • [ ] Yes
    • [ ] No
    • [x] Don't know

C. Identify the rom related to this bug report

  1. Did you download or build the rom at issue in this bug report?

    • [x] I downloaded it
    • [ ] I built it

  2. If you downloaded your rom, where did you get it from?

    • [x] Heads CircleCi
    • [ ] Purism
    • [ ] Nitrokey
    • [ ] Dasharo DTS (Novacustom)
    • [ ] Somewhere else (please identify)

    Heads-v0.2.0-2407-gb36ed46

  3. If you built your rom, which repository:branch did you use?

    • [ ] Heads:Master
    • [ ] Other (please identify)

  4. What version of coreboot did you use in building? { You can find this information from github commit ID or once flashed, by giving the complete version from Sytem Information under Options --> menu}

  5. In building the rom, where did you get the blobs?

    • [ ] No blobs required
    • [ ] Provided by the company that installed Heads on the device
    • [ ] Extracted from a backup rom taken from this device
    • [ ] Extracted from another backup rom taken from another device (please identify the board model)
    • [ ] Extracted from the online bios using the automated tools provided in Heads
    • [ ] I don't know

Please describe the problem

Describe the bug

After Qubes OS install the first boot complains about missing /boot signatures (as expected). Signing those boot files fails with gpg card timeout: https://openqa.qubes-os.org/tests/127914#step/firstboot/32

To Reproduce Steps to reproduce the behavior:

  1. Install Qubes OS
  2. On first boot choose to regenerate HOTP/TOTP secret (in the options menu), follow all the steps
  3. Then choose to boot the OS, and see request for signing /boot files, follow all the steps
  4. See error

Expected behavior /boot files signed successfully

Screenshots Screenshots at https://openqa.qubes-os.org/tests/127914#step/firstboot/32, see also video in "Logs & Assets" tab.

Additional context Discussed at https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$qAvJUl-KNB8mf0Fa4GFah2fSbD4wPNsp9EGYwUqGk94?via=matrix.org&via=nitro.chat&via=tchncs.de

@tlaurion suggested the OS reinstall case should force TPM reset route instead of HOTP/TOTP regenerate.

marmarek avatar Feb 05 '25 23:02 marmarek

Fix will be forcing user to do a tpm reset when no tpm rollback counter is found under /boot while tpmtotp can be unsealed from TPM (TPM was previously reset on that laptop, but is has been reinstalled: was not taken into consideration up to now)

Mitigation will be enforced, warning user to do a tpm reset.

Ref https://matrix.to/#/!pAlHOfxQNPXOgFGTmo:matrix.org/$qAvJUl-KNB8mf0Fa4GFah2fSbD4wPNsp9EGYwUqGk94?via=matrix.org&via=nitro.chat&via=tchncs.de

tlaurion avatar Feb 05 '25 23:02 tlaurion