I bought a pre-installed notebook NS50 with a pre-configured Nitrokey 3c.
I created a User (changed Password) and changed the disk encryption passphrase.
I had no active Internet connection and I have not done any updates.
After this, I left the notebook unattended… and received this message:
"The following files failed the verification process:
(new) ./vmlinuz-6.2.0-26-generic
This could indicate a compromise!
would you like to update your checksum now?"
The Nitrokey has blinked green and the HOTP was a success.
What would you advise me to do? Is this behaviour even possible without tampering, as I did not do any updates?
Thank you for the help!
I don’t know if it applies in your case, but what you describe reminds me of this bug reported for heads firmware 1.3.1.
I can't see why there is any connection between this bug and my case…
When you boot/reboot, the Nitrokey will blink green even if the initrd boot files have changed. Those are hash checked only after you select the boot entry and that’s when the warning message appears. That’s why I linked the bug, because that behaviour is not obvious.
Even if you did not do an active update, it is still possible that system scripts updated the initrd after configuration/installation changes, hence prompting the warning. If this was the case, you will find the updates in the system logs from the time you set up the user/passphrase.
It takes a little to get used to. I think the easiest way is to get into a habit to let the system reboot after configuration changes that involve /boot files before turning it off. This way you have updated checksums. Also you can mount /boot read-only, so that you notice when files (invalidating) need to be changed.
If you’re still following it up, please mention which OS you are using and what Heads release the notebook uses.
Thank you very much for your help and sry for the late reply!
I made a complete reset of the BIOS and OS. It was quite a journey, but now everything is fine.
However, I think this should get better communicated by Nitrokey:
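The kind of check the reply above describes, as an added example that is not part of the original posts and is not Heads code: a directory is compared with a previously saved SHA-256 manifest, and files that are new, changed or missing are reported. The function names and the manifest layout (plain `sha256sum` output) are assumptions, and the demo runs on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example (not Heads code): detect new, changed or missing files in a
# directory by comparing it with a previously saved SHA-256 manifest.

# make_manifest DIR: print "hash  ./path" for every file, sorted by path.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# verify_manifest DIR MANIFEST: print one "(new|changed|missing) path" line
# per difference; return 1 if anything differs, 0 otherwise.
verify_manifest() {
    current=$(mktemp)
    make_manifest "$1" > "$current"
    report=$(awk '
        { path = substr($0, 67) }          # 64 hex chars + 2 separators
        FILENAME == ARGV[1] { saved[path] = $1; next }
        { seen[path] = 1 }
        !(path in saved)    { print "(new) " path; next }
        saved[path] != $1   { print "(changed) " path }
        END { for (p in saved) if (!(p in seen)) print "(missing) " p }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Demo on constructed files in a temporary directory (never touches /boot).
demo() {
    d=$(mktemp -d)
    mkdir "$d/boot"
    echo "constructed initrd v1" > "$d/boot/initrd.img"
    echo "constructed grub cfg"  > "$d/boot/grub.cfg"
    make_manifest "$d/boot" > "$d/hashes.txt"      # trusted state is recorded
    # Simulate an unattended package hook: new kernel, regenerated initrd.
    echo "constructed kernel"    > "$d/boot/vmlinuz-6.2.0-26-generic"
    echo "constructed initrd v2" > "$d/boot/initrd.img"
    verify_manifest "$d/boot" "$d/hashes.txt" || true
    rm -rf "$d"
}
demo
```

A file that appears after the manifest was written is reported as `(new)` even though nothing malicious happened, which is why the manifest has to be refreshed from a known-good state after every legitimate change to the boot files.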
"I think the easiest way is to get into a habit to let the system reboot after configuration changes that involve /boot files before turning it off. This way you have updated checksums."
They write it in the documentation, but it should get marked as !Very important! imo.