Closed tlaurion closed 1 week ago
Redoing same thing with NK3 NFC (firmware 1.7.2 too)
Success.
Hmmm. We have another problem here, but that may not be because of musl.
Redoing nk3 test:
```
user@heads-tests-deb12-nix:~/heads$ nitropy nk3 test
Command line tool to interact with Nitrokey devices 0.4.47
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw0
Running tests for Nitrokey 3 at /dev/hidraw0
[1/5] uuid UUID query SUCCESS 7BE66C6C09655959911E4A5958996AEF
[2/5] version Firmware version query SUCCESS v1.7.2
[3/5] status Device status SUCCESS Status(init_status=<InitStatus: 0>, ifs_blocks=41, efs_blocks=462, variant=<Variant.LPC55: 1>)
Running SE050 test: |
[4/5] se050 SE050 SUCCESS SE050 firmware version: 3.1.1 - 1.11, (persistent: (32767,), transient_deselect: (191,), transient_reset: (176,))
Please press the touch button on the device ...
Please press the touch button on the device ...
[5/5] fido2 FIDO2 SUCCESS
5 tests, 5 successful, 0 skipped, 0 failed
Summary: 1 device(s) tested, 1 successful, 0 failed
```
Redoing secret app reset:
```
user@heads-tests-deb12-nix:~/heads$ nitropy nk3 secrets reset
Command line tool to interact with Nitrokey devices 0.4.47
Do you want to continue? [y/N]: y
Please touch the device if it blinks
Done
```
So the logic here is that the secret app key responsible for the HOTP admin PIN (not the same as Nk2/Librem Key, as previously discussed) is set to 12345678 and is ready to seal in the first HOTP sealing; will check.
Redoing factory reset with custom single PIN: PleaseChangeMe, expecting HOTP reverse sealing of TPMTOTP to seal it without error setting HOTP Admin PIN (secret app Admin PIN) on first use after reset:
Message: Not trying default PIN (12345678) only 0 attempt left
is, to say the least, misleading, but that is https://github.com/Nitrokey/nitrokey-hotp-verification/issues/36
Otherwise, PleaseChangeMe is used to set the HOTP Admin PIN on first use, outside of this misleading message from Heads (since NK3 changed and https://github.com/Nitrokey/nitrokey-hotp-verification/issues/36 is not resolved).
This was discovered while testing roms produced by https://github.com/linuxboot/heads/pull/1841 (after musl-cross-make version bump)
tested on x230-hotp-maximized (hotp-verification 1.6, nk3a firmware 1.7.2)
Screenshot:
Test output of that nk3a-mini dongle:
EDIT: As recommended:
Redoing Heads TPM reset+reverse HOTP sealing of TPMTOTP secret succeeds after `nitropy nk3 secrets reset`, but I never got this error before. Success:

Ideally, this is not-reproducible/fixed before 2024-11-20 under hotp-verification and Heads pour point to newer fixed commit of hotp-verification as part of https://github.com/linuxboot/heads/issues/1821
@jans23