Hello, I urgently need your help. A customer of mine has a Nitropad NS50 with Ubuntu 22.04 with Coreboot, HEADS, Measured Boot and Nitrokey Pro. After the last system update of Ubuntu he could not boot into the latest kernel. I had to turn off the Nitropad, which apparently caused an error in the file system. I wanted to check the file system via the coreboot recovery shell, which was not possible with busybox. So I changed the grub.cfg to start a live rescue system. Unfortunately this did not work. Since then, the Nitropad switches itself off when Coreboot boots. The window regarding the TPM chip appears. Sometimes it shuts down immediately without me being able to interact, sometimes after I select an option.
Hi, changing grub.cfg will yield a warning at boot but have no other effect or firmware measurement.
Do you know if the disc encrpytion passphrase is input at boot, or sealed in the TPM? How did the Nitrokey blink last time you turned the notebook on?
Hi Ion, thank you for your support.
I have to enter the disc encryption passphrase.
Last try, suddenly i could boot into coreboot, but only plugged in. Battery was 0 %, i think because that i could boot again, because i read that in that states to remove battery and cmos.
The support told me to flash coreboot to newest version, because the kernel bug in the newest kernel of ubuntu. I could flash it, but now after flashing, i cannot choose a boot entry to make it default.
I get that error:
Received TPM Error
Unable to run unseal
Unable to unseal HOTP
Ah great, progress! The TPM error is to be expected after flashing an update if you did not retain settings. Compare with the documentation.
I can’t yet tell with the info, if you just need to update or reset the TPM, but that should best be done by/with the owner because it requires registering OTP tokens on the Nitrokey/second factor.
edit to add two points:
Once you start to update/reset the TPM, the grub.cfg you modified to obtain a rescue system will be parsed again. Be careful to select the correct Ubuntu kernel and not your edited rescue system (Ubuntu will do an fsck of the unclean dismounted root automatically).
I suggested you perform the update with the owner, because the PIN for the Nitrokey is required to update the OTP tokens (plus a TOTP app as a second factor, see the documentation). The owner needs to understand how to handle the tokens, or it will yield the functionality useless.
Hi Ion, thank you for your advise. I had also to make a faktory reset, now is all working. I have to explain all this the owner at the next meeting.
I learned that heads is a minimal linux system.
One Qestion i still have. At the bootoption, how can i display a custom menu entry from the grub custom script?
I think i have to edit the kexec configurations?
In the heads menu “boot options” is a menu item that lists the kexec boot options it parsed from the linux lines of grub.cfg. Look there first, it should have picked up the new kernel. If you select it, you can make it the new default.
Hi Ion, yes at boot options i can see my different kernels and i can make it as default. But heads do not list my custom entries. Heads list the entries from /etc/grub.d/10_linux but not the entries from /etc/grub.d/40_custom.
So i think i need to change the behave of heads to scan also this entries. Perhaps you know a config file, where i can change this?
Hi, I’m not sure actually. I noticed too that the latest heads displays less entries, that may be a bug! It used to pick up more.
In any case, what I do is edit grub.cfg directly. Just copy-paste a menu-item it does pick up, adjust item name, linux + initrd lines and done. Once you do it, it’ll be another warning from the measured boot, but the line should appear. Heads does not need anything from the grub modules, etc.
Yes, editing grub.cfg is an option, but this changes are not permanent. Any time the configuration is updated the changes are lost. Yes heads does not need this modules, but this modules are read by every grub update from the linux OS you have installed, like ubuntu, etc.
True, I forgot about Ubuntu’s automatic updates and don’t use /etc/grub.d/*.conf.
As I wrote earlier, if nitrokey-heads only parses the 10_linux section and not the 40_custom that should be a bug. Still, as you have seen it gives you a recovery boot option by default.
Hey please update to Heads 2.4 this is probaly the issue with the new kernel in Ubuntu 22.04. Updating heads to 2.4 solves this Firmware Update - Nitrokey Documentation