linuxboot / heads

A minimal Linux that runs as a coreboot or LinuxBoot ROM payload to provide a secure, flexible boot environment for laptops, workstations and servers.
https://osresearch.net/
GNU General Public License v2.0

Unable to create rollback file after OS reinstall (Regenerate TOTP/HOTP) #1562

Open marmarek opened 7 months ago

marmarek commented 7 months ago

Please identify some basic details to help process the report

A. Provide Hardware Details

1. What board are you using (see list of boards here)?

2. Does your computer have a dGPU or is it iGPU-only?

3. Who installed Heads on this computer?

4. What PGP key is being used?

5. Are you using the PGP key to provide HOTP verification?

B. Identify how the board was flashed

1. Is this problem related to updating heads or flashing it for the first time?

2. If the problem is related to an update, how did you attempt to apply the update?

3. How was Heads initially flashed?

4. Was the board flashed with a maximized or non-maximized/legacy rom?

5. If Heads was externally flashed, was IFD unlocked?

C. Identify the rom related to this bug report

1. Did you download or build the rom at issue in this bug report?

2. If you downloaded your rom, where did you get it from?

Please provide the release number or otherwise identify the rom downloaded

https://circleci.com/gh/linuxboot/heads/14178 ( x230-hotp-maximized_usb-kb of https://github.com/linuxboot/heads/commit/4a57c615e972149eefd52d95ba919ff54d53bb0a)

Please describe the problem

Describe the bug

Creating rollback file fails after OS reinstall (including wiping /boot).

To Reproduce

Steps to reproduce the behavior:

  1. Install Qubes OS 4.2.0
  2. On reboot choose to re-generate HOTP secret and then sign boot files
  3. When prompted creating TPM counter, provide TPM owner password as prompted
  4. See error:
sha256sum: can't open '/tmp/counter-': No such file or directory
sha256sum: can't open '65683996': No such file or directory
!! ERROR: /boot: Unable to create rollback file !!!

Expected behavior

Rollback file successfully created.

Screenshots

https://openqa.qubes-os.org/tests/88760/video?filename=video.ogv&t=92.9

The link above includes full flow leading to the failure, I recommend watching with 25% speed otherwise it's hard to follow.

Additional context

The problem didn't happen when I preserved heads-related files in /boot across reinstall (then it only required re-signing boot configs, which works fine).

tlaurion commented 7 months ago

@marmarek you need to reset TPM instead of resealing totp from TPM menu

Normally, flow after installing OS is to run oem factory reset / re-ownership.

Doing OEM re-ownership resets TPM as well.

marmarek commented 7 months ago

Has it changed at some point? I think the current flow coded in that openQA test worked before (but not sure when, definitely not recently)...

tlaurion commented 7 months ago

> Has it changed at some point? I think the current flow coded in that openQA test worked before (but not sure when, definitely not recently)...

I can check deeper in the next week but that code hasn't changed for 6 years. But string concatenation might be flaky here, while counter clearly doesn't exist here in shared output.

https://github.com/linuxboot/heads/blob/25d7b0606348c84824c691e0014805130e5f070c/initrd/bin/kexec-sign-config#L68
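The two sha256sum lines in the report ('/tmp/counter-' and '65683996' opened as separate files) are the signature of shell word splitting on an unquoted concatenation. The script below is an added example, not code from heads or from kexec-sign-config, and it assumes (not confirmed by the thread) that the counter variable carried a leading newline, for instance because it was captured from a tool's output; with that input it reproduces the split into two arguments and shows the quoted and sanitized forms that keep the path whole. SAMPLE_COUNTER is a constructed value built from the number in the issue.

```shell
#!/bin/sh
# Added example, not code from heads or kexec-sign-config. It reproduces the
# failure mode the two sha256sum lines in the issue suggest: a counter value
# that carries a leading newline (assumption, e.g. captured from a tool's
# output) is concatenated unquoted into a path, and word splitting turns
# "/tmp/counter-$counter" into two arguments, "/tmp/counter-" and "65683996".

# Constructed sample counter: the number from the issue, with a leading newline.
SAMPLE_COUNTER='
65683996'

# How many argument words does the unquoted concatenation expand to?
count_words_unquoted() {
    counter="$1"
    # shellcheck disable=SC2086  # deliberately unquoted to show the bug
    set -- /tmp/counter-$counter
    echo "$#"
}

# Same concatenation, but quoted: always exactly one word, whitespace included.
count_words_quoted() {
    counter="$1"
    set -- "/tmp/counter-$counter"
    echo "$#"
}

# Keep only digits so stray whitespace (or anything else) cannot leak into the path.
sanitize_counter() {
    printf '%s' "$1" | tr -cd '0-9'
}

# Build the rollback path from a sanitized counter, refusing an empty result
# rather than silently producing "/tmp/counter-".
rollback_path() {
    clean="$(sanitize_counter "$1")"
    if [ -z "$clean" ]; then
        echo "counter value is empty after sanitizing" >&2
        return 1
    fi
    printf '/tmp/counter-%s' "$clean"
}

# Demonstration (run with --demo): the unquoted form makes sha256sum report two
# "can't open" errors, matching the issue; the sanitized form names one path.
if [ "${1:-}" = "--demo" ]; then
    echo "unquoted words: $(count_words_unquoted "$SAMPLE_COUNTER")"
    echo "quoted words:   $(count_words_quoted "$SAMPLE_COUNTER")"
    echo "sanitized path: $(rollback_path "$SAMPLE_COUNTER")"
    # shellcheck disable=SC2086  # deliberately unquoted to show the bug
    sha256sum /tmp/counter-$SAMPLE_COUNTER || true
fi
```

Quoting alone stops the split but would still embed the newline in the file name; stripping the value down to digits before building the path, and failing loudly when nothing is left, is the more useful check for a script that sits in the boot path.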