[NitroPad] Generate new totp/hotp secret failing

Hi,

Firstly I should say I am non-technical and my Linux experience is about 1 on a scale of 1-10. If you can respond as if explaining this to a small child, it would be very much appreciated.

I successfully set up and booted my NitroPad running Qubes 4.0 yesterday. All working ok.

Later that day I tried to boot and got some errors, and no matter what, the machine would keep booting into emergency mode.

After some time I decided to do an OEM factory reset. That process has run successfully up until the point of generating a new TOTP/HOTP secret. I have a QR code, I hit enter, I used Google Authenticator to generate a new secret, but it is never successful and I can go no further.

I get “error setting HOTP secret, re-enter admin PIN and try again”

After that in the heads boot menu I get “TOTP 127301 | Error checking code, insert nitrokey and retry”

None of this works

Finally, if I do force a boot, it just asks me 3 times for the disk password and enters emergency mode after a long delay.

Your help here would be much appreciated

Thanks for your help

Hi @tobias!

Could you tell more about your Nitrokey device? I do not see anything about it in your description. Do you have it inserted during the OEM factory reset? What model do you use?

Hi,

Thank you for coming back. Apologies I forgot to mention this.

I purchased a NitroPad X230 and with it came the NK Pro 2 as standard.

The only customisation is having Qubes 4.0.

Thanks again

Thank you!
During the OEM factory reset, do you have your Nitrokey device inserted?

Thanks for coming back. Yes I do : )

Sorry, it seems I cannot add more than one image to show you my steps to reproduce. Please see steps and screenshots here: https://pastebin.com/MjpumSnC


Ah, I can see the cause now! Your smart card shows the Admin PIN counter being 0, which consequently does not allow any further write operations to it. With the OEM factory reset it should be possible to clear both the smart card and the BIOS configuration to the initial working state. Will send the menu path in a minute.

From the main ‘BIOS’ menu select:

  • Options
  • OEM factory reset

and continue with the instructions. Please check the following guide as well:

Hi,

Thank you for the response, but I have repeated the OEM factory reset several times. The problem step is generating the new TOTP/HOTP secret, as described above.

Can you advise?

Many thanks

I see. I thought you had misunderstood TOTP/HOTP secret regeneration for the OEM factory reset.
Could you send screenshots please from the latter procedure? The device has to be reset during it as well.

If it does not work from the menu, you can run Options -> Exit to recovery shell and enter the following:

oem-factory-reset

then press <ENTER> button and follow the screen guide.

Please let me know how this went.

I don’t see any documentation in the above link with regard to generating the new TOTP/HOTP secrets.

Can you confirm if the Google Authenticator app will generate a key?

Also, I suspect the BIOS time is incorrect on my machine, as the BIOS time, from memory of the first successful boot, was a few hours off. If this is different from the Google Authenticator app, then I assume it would fail. If this is the case, can you tell me how to update the BIOS time?

Thanks again

The HOTP secret cannot be written to the device without working Admin access. Right now the latter is disabled (counter equal to 0) due to 3 invalid attempts at entering it. The smart card has to be reset to make it work again, including GPG key regeneration and signing the boot files.

Let’s make it work with the HOTP / Nitrokey device first. The TOTP verification is for cases where the user does not have access to the Nitrokey device and still wants to confirm the device was not maliciously modified in the meantime.
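The two checks the reply above distinguishes, as an added example that is not part of the original thread or of the Heads/Nitrokey code: RFC 4226 HOTP and RFC 6238 TOTP derived from one shared secret. It shows why the TOTP comparison depends on the firmware clock (a BIOS time that is hours off yields a different code than the phone app shows) while HOTP depends only on a counter. The secret is the RFC 4226 test secret, base32 encoded the way authenticator apps expect it, and all timestamps are constructed; the function names are my own.

```python
"""Added example (not from the original thread or Heads/Nitrokey code):
RFC 4226 HOTP and RFC 6238 TOTP from one shared secret, and a model of the
manual TOTP comparison between firmware clock and phone clock."""
import base64
import hashlib
import hmac
import struct

# RFC 4226 test secret "12345678901234567890", base32 encoded (constructed input,
# the same format an authenticator app reads from a QR code).
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """TOTP = HOTP with the counter replaced by floor(unix_time / step),
    so the result changes with the clock, not with a stored counter."""
    return hotp(secret_b32, unix_time // TIME_STEP, digits)


def totp_codes_match(secret_b32: str, firmware_time: int, phone_time: int) -> bool:
    """Model of the manual TOTP check: the firmware displays totp(firmware_time)
    and the user compares it with totp(phone_time) on the authenticator app.
    Any clock difference larger than one step makes the codes disagree."""
    return hmac.compare_digest(totp(secret_b32, firmware_time),
                               totp(secret_b32, phone_time))


if __name__ == "__main__":
    now = 1_000_000  # constructed "phone" time
    print("HOTP counter 0:", hotp(SECRET_B32, 0))    # 755224 (RFC 4226 vector)
    print("TOTP at t=59  :", totp(SECRET_B32, 59))   # 287082 (RFC 6238 vector, 6 digits)
    print("clocks agree  :", totp_codes_match(SECRET_B32, now, now))
    print("BIOS 3 h off  :", totp_codes_match(SECRET_B32, now + 3 * 3600, now))
```

The HOTP value for a given counter is the same whatever the clock says, which is why the Nitrokey-backed HOTP check is unaffected by a wrong BIOS time, whereas the TOTP shown by the firmware and the one shown by the phone only agree when both clocks fall in the same 30-second step.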

Hi, thank you again for your help. Just before we proceed, can you define some of the terms for me?

  • By ‘device’ do you mean the PC or the nitrokey?
  • By ‘smart card’ do you mean the nitrokey or something else?

With regard to the steps

  1. Using ‘oem-factory-reset’ I enter the same factory reset flow I have completed >10 times now. Everything is fine until the TOTP/HOTP secret regeneration step. The errors I receive are documented in the link from earlier: https://pastebin.com/MjpumSnC

  2. “The smart card has to be reset to make it work again, including GPG keys regeneration and signing the boot files.”

Can you provide instructions on how to do this please?

  3. “Let’s make it working with the HOTP / Nitrokey device first”

Can you provide instructions on how to do this please?

Thanks again

Sorry, I should have cleared that up in the beginning. By Nitrokey device I meant Nitrokey Pro or Nitrokey Storage, containing a smart card inside. By NitroPad I mean the Nitrokey NitroPad X230.

  1. I see. Do you always have Admin 0 message like in this screen? https://prnt.sc/tr4tt0
  2. This is done during the OEM factory reset operation.
  3. This is what we are working on right now. This should be fixed by OEM factory reset.

If (1) is true, then we will need to access the recovery console (available from Options, as written in [NitroPad] Generate new totp/hotp secret failing), then run gpg --card-edit and enter the following:

> gpg2 --card-edit

Reader ...........: 20A0:4109:0000000000000:0
Application ID ...: D2760001240102010005000037C70000
Application type .: OpenPGP
(...)
General key info..: [none]

gpg/card> admin
Admin commands are allowed

gpg/card> factory-reset 
gpg: OpenPGP card no. D2760001240102010005000037C70000 detected

gpg: Note: This command destroys all keys stored on the card!

Continue? (y/N) y
Really do a factory reset? (enter "yes") yes

gpg/card> quit


> gpg2 --card-status
Reader ...........: 20A0:4109:0000000000000:0
Application ID ...: D2760001240102010005000037C70000
Application type .: OpenPGP
(...)
General key info..: [none]

> oem-factory-reset
(...)

Then please run the OEM factory reset once again (as in the listing). The default Admin PIN is 12345678, and User PIN (a.k.a. just PIN) is 123456.
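The locked-card state diagnosed earlier in the thread (Admin PIN retry counter at 0, blocking the HOTP secret write until the card is factory reset) can be spotted from the `gpg --card-status` output before running the reset. The following is an added example, not code from the original thread or from GnuPG/Heads, that parses the "PIN retry counter" line and reports which PIN is blocked. It assumes GnuPG prints the three counters in the order user PIN, reset code, admin PIN; the sample output is constructed, reusing the reader and application ID lines shown above, and the function names are my own.

```python
"""Added example (not from the original thread or GnuPG/Heads code):
detect a blocked Admin PIN from `gpg --card-status` output."""
import re

# Constructed sample output; the first three lines mirror the listing in the thread.
# Assumed field order on the counter line: user PIN, reset code, admin PIN.
SAMPLE_CARD_STATUS = """\
Reader ...........: 20A0:4109:0000000000000:0
Application ID ...: D2760001240102010005000037C70000
Application type .: OpenPGP
Name of cardholder: [not set]
PIN retry counter : 3 0 0
Signature counter : 0
General key info..: [none]
"""

HEALTHY_CARD_STATUS = SAMPLE_CARD_STATUS.replace("PIN retry counter : 3 0 0",
                                                 "PIN retry counter : 3 0 3")

COUNTER_RE = re.compile(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)\s*$",
                        re.MULTILINE)

# What the thread says to do for each state (hypothetical labels of my own).
REMEDY = {
    "admin-locked": "Admin PIN blocked: writing the HOTP secret will fail. "
                    "Run 'factory-reset' in gpg --card-edit, then oem-factory-reset.",
    "user-locked": "User PIN blocked; unblock it with the Admin PIN or reset the card.",
    "ok": "Retry counters look fine; Admin PIN writes should succeed.",
}


def parse_retry_counters(card_status: str) -> dict:
    """Return the three retry counters as a dict, or raise if the line is absent."""
    m = COUNTER_RE.search(card_status)
    if m is None:
        raise ValueError("no 'PIN retry counter' line in card status output")
    user, reset_code, admin = (int(g) for g in m.groups())
    return {"user": user, "reset_code": reset_code, "admin": admin}


def diagnose(card_status: str) -> str:
    """Classify the card: an Admin counter of 0 is the state seen in this thread."""
    counters = parse_retry_counters(card_status)
    if counters["admin"] == 0:
        return "admin-locked"
    if counters["user"] == 0:
        return "user-locked"
    return "ok"


if __name__ == "__main__":
    for name, status in (("locked", SAMPLE_CARD_STATUS), ("healthy", HEALTHY_CARD_STATUS)):
        state = diagnose(status)
        print(f"{name}: {parse_retry_counters(status)} -> {state}: {REMEDY[state]}")
```

Run it against the real output of `gpg --card-status` (piped into the parser) from the recovery shell before attempting the OEM factory reset; an Admin counter of 0 means the HOTP secret step will fail until the card itself has been reset.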

Hi,

Thank you for the above. Just a note: “gpg2 does not exist” is the error I get.

However, the rest of the steps on gpg/card> are ok.

After completing I see the following

Note finally that when I do reboot I am asked for the disk password again, which does not work after 3 attempts and then eventually goes back to emergency mode.

Can you please advise what I should do next?

Good afternoon Szszszsz. Are you able to advise with the above?

Thanks

Good afternoon @tobias!

  1. You have not mentioned that - have you executed the oem-factory-reset afterwards as in the listing?
  2. If so, was the OTP secret written on the device successfully?
  3. I understand, that the only issue right now is the not working boot due to the disk password lock, am I right?
  1. Could you tell more about the disk password without revealing it?
  2. Have you booted the Qubes before with the password changed before?

Hi szszszsz

Please see my responses below

1. You have not mentioned that - have you executed the oem-factory-reset afterwards as in the listing?
Yes, this has been completed.

2. If so, was the OTP secret written on the device successfully?
I still fail at the generate new secret step; it does not seem possible to successfully complete the generate new secret step.

3. I understand, that the only issue right now is the not working boot due to the disk password lock, am I right?
Yes, I can boot even though the new secret has not been generated. After booting it will not take the disk password that I previously made.

1. Could you tell more about the disk password without revealing it?
When I received the machine I successfully completed the setup and during that time created a username and password. The disk password was complex and contains >20 characters.

2. Have you booted the Qubes before with the password changed before?
After creating the password I successfully logged in. On the very next boot the following day I got some errors (I can’t remember what exactly); even if I would force a boot it would not take my disk password.

I assume that after an OEM factory reset it does not change the disk password. Is there a reason the machine will not take my disk password?

Thanks again

Correction: I have HOTP success, so this seems to be working. I’m just stuck on the disk password step.

Thanks!