Server stuck in POST when Nitrokey HSM is inserted

As I learnt today when I had to reboot my server after several weeks for the first time again, my server won’t boot when the Nitrokey HSM is inserted into a USB slot during power-on.

The machine is stuck at the POST screen:

[Image: IMG_0165]

No progress even after several minutes. I had to powercycle the machine.

When the Nitrokey HSM 2 is NOT inserted the machine properly boots and right away shows this POST screen:

[Image: IMG_0166]

When the HSM key is inserted after boot-up there is no problem, everything works as expected (Ubuntu Linux 16.04 running).

Ofc this problem means I cannot reboot my machine unattended anymore, which is a nuisance.

Question:

  • Is this a known problem?
  • Are you aware of any workaround, e.g. special BIOS settings to jump over this issue?

Machine: Fujitsu Celsius W420
BIOS: V4.6.5.3 R1.23.0 for D3162-C1x
Release Date: 12/01/2014

Yes I know it’s a dated machine and technically not really a “server”, but that’s the way it is.

I don’t know the answer, but maybe a few tips to think about that sometimes in the wheel are forgotten:

  • Have you enabled booting from USB, and set that as the first entry in the boot order?
  • Have you tried a different USB slot?

Last solution: I am using a KVM, where I could also switch a USB slot between the machines. In your case - as a work-around - you could just connect that KVM and switch “away” the HSM during boot.

Hi!

I think this is the first time we hear about this. As @Peacekeeper said, try to change the boot settings.
Alternatively I would change the Legacy USB devices setting too.
Nitrokey HSM does not have any other interfaces than the CCID / smart card access, so the BIOS should not really get stuck on it.

Thank you both! These are good suggestions! I will check those settings!

Unfortunately none of the approaches worked… :(

  • USB Legacy Support = on
  • Boot from removable media = disabled
  • Boot order: does not contain any USB device
  • Tried different USB slot? Yes

Even if I put the Nitrokey in when I am in the BIOS config menu, the BIOS freezes. So it seems that as soon as the USB device is recognized and probed, the system freezes… - until the OS (here Linux) is booted…

I am sorry, but I do not have any other ideas.
Here I’ve found a similar topic with Nitrokey Pro: UEFI boot slow with Nitrokey Pro plugged in.
Regarding a workaround for now, I would use another machine to access the device over the network, e.g. with a Raspberry Pi.

Perhaps try a BIOS update, if available.

Thank you… Well I will cope with that somehow. It’s a matter of my old but trusty system which won’t get any BIOS updates anymore etc…

Regarding “access over the network”. Are you talking about “https://github.com/iksaif/pkcs11-proxy”? However, this appears to me to be a quite rickety setup :-/

Is there any good integration guide for the Nitrokey in combination with that remote access via the network?

Regarding pkcs11-proxy I think we had a guide in the production somewhere.
@jan @nitroalex?

Either way we should keep this issue in mind.
Edit: registered as nitrokey-pro-firmware#70.

Appreciate! Let me know if I should test some more things. Oh by the way: The red LED lights once before the BIOS freezes, as usual. Not sure if this could give you an indication that a “probe” of the device by the BIOS has already happened or not or is just a sign that it got proper power.

Could you please send me this guide for pkcs11-proxy?

Hi!
Sorry, but I could not find it for you. What I know right now:

I will look once again, but I have a feeling it is gone. Will post here when I stumble on it.

I got a reply from my colleague working on it, and it turns out we have changed the solution to this one:

It has better code quality and documentation, and is much more stable.

Thank you very much!