Issue with X230 on boot, possible compromise?

Hi, I’m running into an issue just after setting up my new Nitropad X230.

System: Qubes OS and Heads installed, with a Nitrokey Pro.

On the first boot, the Nitrokey flashed green and the screen indicated “Success”. I then set the Qubes installation up according to the documentation, but did not yet change the disk password. The only thing I did on the Qubes install screen was to make sys-net disposable and set up a user account.

After successfully logging into the new user account I shut down the device and rebooted it. It was sitting in front of me the whole time. The Nitrokey flashed green and the screen again indicated “success”. It then said, however, that two items of GRUB were changed and that this could indicate a compromise (unfortunately I did not take a picture). It also asked me to sign the new checksums. As I had the device in view the whole time, and there were no warnings on the initial boot, I felt secure enough to sign the checksums with my Nitrokey.

I can now boot without warning messages, but can’t seem to set the correct Default Boot as described in the docs (Default Boot - Nitrokey Documentation). I first select Qubes with Xen Hypervisor as my boot option, then hit “Make Qubes with Xen Hypervisor the default”. At this, the prompts differ from the docs at step #8, see my prompts below:

Saving a default will modify the disk. Proceed? Y

Do you wish to add a disk encryption to the TPM? Y

Encrypted LVM group (e.g. qubes_dom0 or blank)? blank

Block devices (blkid):

/dev/sda2: UUID=“xxxx”

/dev/sda1: UUID=“xxxx”

Encrypted devices? (e.g. /dev/sda2 or blank):

At this point, I ended the boot and shut the device down.

My questions:

  • Is this abnormal, i.e. is there any chance the integrity of my device was compromised or that it is insecure?

  • If not, what do I have to select at the prompts to make this work normally again?

EDIT: An addition:

By running ‘lsblk’ in dom0, I was able to see that /dev/sda1 is my boot partition with only a few GB, and /dev/sda2 seems to be the actual LUKS encrypted SSD (400+ GB).

Hi, regarding the checksum mismatch, check if this bug for heads 1.3.1 applies to your machine (probably).
Regarding the default entry: don’t add the disk encryption to the TPM (you can see this noted later in the instructions you linked in the post). This was the reason you got prompted to select an LVM device, which is in fact pre-configured in the boot entry and will prompt you for the disk encryption passphrase.