Boot Hash Mismatch on Nitropad X230

Heads boot menu shows HOTP as Success and TOTP: 019760.
After pressing default boot I get a prompt:

ERROR: Boot has mismatch
The following files failed the verification process:
This could indicate a compromise

Full story:
When I opened laptop after leaving it unattended it had many multiple red prompts saying key is not inserted or some thing like that so I restarted the laptop.
(This was the second time I ever opened the nitropad after I had setup qubes with a password and left it on unattended.)

When I restarted the main boot menu it showed success and nitrokey was green so I pressed default boot. Then the prompt showed up as shown above. Was that prompt because I had set up a new password?

I am about to factory reset the OEM should I also factory reset the Qubes software?
Also The instructions on say I should insert another usb to copy a security key. 1. Is this necessary if I didn’t even configure anything yet 2. What should I format the usb before plugging it in APFS/ Mac OS Journaled/ MS DOS FAT/ ExFAT?
3. At the end it says to copy the key from the usb to the computer where exactly would I be putting that key since I am using qubes, does it matter where?

Thank you in advance!

I am sorry for the delay.

Regarding the first problem and the error message, this should be easily solvable with the following:

Heads Boot Menu -> Options -> “Update checksums and sign all files in /boot”

As for the cause, I believe there might have been a Grub package update, which could have changed the default configuration.

Regarding factory reset for the Qubes OS, the installation process is mostly automatic. You can do so whenever you feel it became misconfigured. Please remember about data backup, as the whole disk would be cleared.

Factory reset of the Heads firmware is required only in couple of cases (see documentation page). After OS installation usually only signing of the /boot data is required.

  1. During the Heads factory reset process the new OpenPGP keypairs will be generated on the Nitrokey USB security device (either Nitrokey Pro or Nitrokey Storage), which will be used for signing the boot data. Aside from the private keys, public keys will be generated, which cannot be stored on the smart card, thus the USB storage is required to keep a backup of it, which can be later imported to locations where the private keys located on the smartcard are meant to be used. It is possible to use own OpenPGP keys as well (details in documentation).
  2. For the storage any FAT32 partition would do. It does not need to be empty.
  3. The public key needs to be imported to all GnuPG installations (or other applications based on it) where the smart card is meant to be used. In case of QubesOS that would mean to select one of the VM, where the GnuPG will be run (including other applications using it, like older Thunderbird 68), and import it there.

Mentioned documentation:

PS Again I am terribly sorry for the delay. Please remind yourself if you wait longer than 3 days for the reply - we can sometimes miss the message.