Nitropad fails to boot showing ERROR: Invalid signatrue in kexec boot params

Since today booting my NitroPad T430 with Heads v2.5 stops:

gpg: verify signature failed: Unknown system error
!!! ERROR: Invalid signatrue in kexec boot params !!!
!!!!! Failed default boot
New value of ...
!!!!! Starting recovery shell

The message shows when booting

  • using a Nitrokey and
  • not using a Nitrokey, after choosing “Default Boot”.

Booting the OS using the “Boot Options” > “Ignore tampering and force a boot (unsafe)” works fine.

Any idea how to fix this?

I read the other 3 posts in this forum with the same error message - but my issue seems to be different.

In Heads TOTP has a value and HOTP shows “Success”.
The NitroPad runs a Debian 13 with standard kernel 6.12.74-2.
The Nitrokey itself is usable. E. g. I can change the PINs for admin and user using the nitrokey app.

What I tried so far:

  1. Update checksums leads to an error
    Heads > Options > “Update checksums and sign all files in /boot” leads to an error.

  2. OEM Factory Reset, which hangs
    Successfully ran

  • Reset TPM
  • Reset USB Security Dongles GPG smartcard
  • Changing the GPG Admin PIN to default
  • Changing the GPG User PIN to default

But re-flashing the firmware hangs:

Adding generated key to current firmware and re-flashing ...

Board t430-hotp-maximized detected, continuing ...
(long number) /tmp/t430-hotp-maximized.rom
Initializing Flash Programmer
Reading old flash contents. Please wait...
Flashing: [*        ] 0%

After 1 hour and 17 minutes it was still at 0%.

Hello what is the version of Heads your NitroPad is running?

Is your Debian OS encrypted?

Hello what is the version of Heads your NitroPad is running?

Heads v2.5 (I wrote this in the first line in my previous post).
I updated Heads 28 days ago and the T430 booted every day without any issues until April 22nd.

Is your Debian OS encrypted?

Yes. Encryption was done using LUKS of the standard Debian installer.

The day before the error was shown the first time, an “apt upgrade” installed some packages (only Debian stable repo is used). These 3 packages may be interesting (I found them in the /var/log files):
initramfs-tools:all 0.148.3
libc-bin:amd64 2.41-12+deb13u2
upgrade libngtcp2-crypto-gnutls8:amd64 1.11.0-1 1.11.0-1+deb13u1

This means the /boot initramfs was updated. If you are sure the notebook was not tampered with, that’s no problem - note your quoted error contains a typo

that’s not a heads typo, I believe.

Also, with updating initramfs you should have landed at the “boot issue” described in System update - Nitrokey Documentation on next boot. Check if the debian update completed successfully in /var/log. It may have failed to generate the boot entry, which lead to heads not processing it fully. If there was an error, you need to use something like debian’s “regenerate-grub” (I’m not sure of the exact script name now, standard debian update call for grub).

Now, there is another problem in that you apparently reset the Nitrokey gpg key linked to heads in your trial-error (your “Reset USB Security Dongles GPG smartcard”). You can check if the Nitrokey gpg keyring is empty via the recovery console or from booted system. To fix, you need to re-generate a new one from the heads menu.

it will again reset the Nitrokey and then you might be able to follow documentation. The gpg reset via heads is not described in the documentation, but upstream: Step 3 - Configuring-Keys | Heads - Wiki (not all of it, read up on what’s called “OEM factory reset / re-ownership”). DO NOT let heads add LUKS key on re-generation. This won’t work. Further, only do this if you are sure the notebook is not tampered with. If unsure, remove the SSD and back it up first.

!!! ERROR: Invalid signatrue in kexec boot params !!!
that’s not a heads typo, I believe.

Yes, that is a typo from me.

… to use something like debian’s “regenerate-grub”

On Debian it is “update-grub2”.
Meanwhile Kernel 6.12.85+deb13-amd64 is out which updated initramfs automatically.
The update shows no issues in the /var/log.
To be on the safe side I ran update-grub2 after the kernel was installed.

Both links provided by Alexandre did not help me much.

The current situation is:

  • When I boot the T430 it leads to recovery shell.
  • When go within the 5 seconds boot wait into Heads > Default boot > I end up in to the recovery shell. There is no Boot Hash Mismatch.
  • When in Heads > Options > “Update checksum and sing files in /boot” is chosen,
    • it asks if GPG card is inserted: Yes
    • it verifies the PGP card and than something like “Bad Counter” “TPM” and a number appears. Because this screen lasts less than a second I am not able to read it.
    • Then a new screen with the message “Failed to update checksums / sign default config” appears.

Now I am lost. I still can boot using “Boot Options” > “Ignore tampering and force a boot (unsafe)”.

Maybe it has to do something with the keys:

  • I have no key on the Nitrokey (key field is empty when using nitrokey-app)
  • I can see a Key in Heads: Heads > Options > GPG Options > “List GPG keys”
  • I wrote down the key / QR code result when reflashing (which never ended)

But I do not understand how the 2 keys belong together and if I need a key on the NitroKey usb stick.
Is one of the key a private key and the other the corresponding public key?
Or is one key only a recovery key and the other for 2FA?
Or is the TPM chip on the NitroPad T430 not used by default and because of that the key there is not relevant?

Thank you for any help.

In your situation a OEM factory reset should make the tampering verification with your Nitrokey work again.

But if it’s blocking during the re-flashing I’m assuming that something is wrong with your firmware.

Could you try to update your firmware to the 2.6.1 and try the reset again.

Afaik the nitrokey-app does not support the gpg features. OpenPGP Card - Nitrokey Documentation

You can use gpg --edit-card to see the keys on the nitrokey, both in the recovery console and in debian. The “bad counter” error you see has nothing to do with the gpg key, though.