Closed SirRufusss closed 1 month ago
SirRufusss
commented
2 months ago when i flash new my hard disk does not erase. How do I get the previous .iso files deleted? Can I access it from the recovery shell and do this?
But I'm still wondering about the 6Admins...
tlaurion
commented
2 months ago @nestire @daringer @jans23 : hello Nitrokey. As referred in past issues, nitrokey seems to miss official documentation on what this hotp-verification returned 4.11 version (what is this firmware part version?) of what nk3 firmware applet, and why there are counters going to more then 3 as in traditional OpenPGP compliant smartcard.
I will leave this question for Nitrokey to answer, and for this question to be used as base of Q&A to refer here to duplicates of issues raised in your repo.
The user here uses nitrokey boot firmware and nitrokey 3 and NK3 firmware, I will only answer for Heads related questions.
Nitrokey: create such documentation/patch hotp-verification as your choosing and refer here where users can make sense of the information provided by the user's screenshot. Thanks.
tlaurion
commented
2 months ago when i flash new my hard disk does not erase. How do I get the previous .iso files deleted? Can I access it from the recovery shell and do this?
But I'm still wondering about the 6Admins...
Your screenshot shows that Heads attempts to hash a lot of things in it's /boot partition.
No, Heads doesn't wipe disks. It parses it's content, and if irrelevant content under what is discovered /boot partition (isos or anytjing else), with hash them which is computing intense task leading to long wait time and prone to tampering detection if content there is rootfs which Heads doesn't support. Heads require seperate /boot partition where grub, kernel, initrd and Xen binaries are expected to be found only. If goal is to have a isos partition under disk used to boot system (I do that), that partition needs to be a seperated one then /boot.
I think instructions are pretty clear under https://osresearch.net where detached signed isos or installation media dd'ed to usb thumb drive should permit installation and where /boot partition needs to be created, seperated of root partition for Heads to not spin trying to hash everything under the same partition. That seems to be your issue.
The screenshot says that heads waits 5 seconds prior of attempting to boot. Any key press typed there will lead you to main menu and dodge automatic boot of default boot entry selected by Heads factory reset wizard, where recovery shell is under options menu.
From there it's typical Linux commands. If you want to delete files, you will have to remount filesystem in read write, or call fdisk and wipe your hard drive, or boot from USB thumb drive again to reinstall your OS properly as per documentation so your issue vanish.
Nitrokey distributes ISO for Ubuntu and QubesOS that will automatically deploy the OS with OEM mode.
You open issues under heads repo without using heads firnware binaries. If you bought laptop and usb security dongle from Nitrokey, use their support channel for both nk3 and heads support. Otherwise not sure why you use nitrokey heads firmware and why you report nitrokey firmware issues here and not there, as per template you filled when you opened this issue.
tlaurion
commented
1 month ago Took liberty to rename issue
tlaurion
commented
1 month ago This issue is about counters and firmware reported from hotp-verification on boot output.
Other issues need to be opened seperately. This issue will be left open until Nitrokey answers, others issues need to be dealt seperately.
Thank you for your cooperation @SirRufusss .
nestire
commented
1 month ago The Counters indicate how much trys you have left to enter a wrong pin in thiy case the GPG Pins . This used to be 3 but do to requirements for FIDO2 the Certification we increased this. Please see also here https://docs.nitrokey.com/nitrokey3/linux/set-pins if you have more questions please contact support@nitrokey.com
tlaurion
commented
1 month ago @SirRufusss discussion upon resolution of issue should continue at https://github.com/Nitrokey/nitrokey-hotp-verification/issues/36, closing this issue as duplicate of upstream created issue
If documentation unclear for other matter of subject of this issue(opened upstream), please open seperate issue under https://github.com/linuxboot/heads-wiki
Context of the Build
1. What board are you trying to build?
2. What repository:branch are you using to build from?
3. What version of coreboot are you trying to build
4. In building the rom where did you get the blobs?
5. If using the automated tools to get the blobs did you run the relevant scripts in the blobs directory
6. What operating system are you using
please specify
Please describe the problem
Describe the bug After reflashing the heads.rom I still have old .iso files.... In addition, the secure-shell unetr connected devices is set to “admin = 6”. I think admin are the users and I don't understand why I have more than one...
I used this .rom: https://github.com/Nitrokey/heads/releases/tag/v2.5.0
To Reproduce Steps to reproduce the behavior:
Expected behavior As I understand it, the old .rom will be replaced by the new .rom.
The hard disk and the GPG (i.e. the Nitrkey) should be deleted by a TPM re ownership, which I did... According to the documentation, TPM is the SecureChip of the hardware.
Screenshots
Additional context Hello HEADS-Team,
can someone please tell me why everything is not reset/deleted after flashing the HEADS.rom?
I can still find my previous attempts to install Fedora.iso in the boot options...
I also received a notification after flashing that the falshing was successful.
Afterwards I also performed an OEM factory reset, which as far as I know also deletes my Nitrokey (i.e. GPG). Nevertheless I could see with the ESCAPE button in the main menu that I am in the 6Admin usage... I even checked the nitrokey on my 2nd PC and it is completely empty