As it’s showing red on TPM, I once tried OEM factory reset which I’ve done few times earlier also. As I do the factory reset, I’m getting the TOTP/HOTP verification success. Whereas at the time of attempting default boot, I’m getting the below issue.
Attempting default boot...
gpg: Signature made <DATE>
gpg: using RSA key <KEY>
gpg: Can't check signature: No public key
Invalid signature on kexec boot params
!!!!! Failed default boot
New value of PCR[4]: ******....
!!!!! Starting recovery shell
As I’m trying various options, I once got the following error also:
Verifying presence of GPG card...
Got error 'Authentication failed (Incorrect Password)' (0x1) from TPM_IncrementCounter.
Counter increment failed
Failed to sing default config; Please Enter to continue
I’m entering the computer recently from last few days using Options>Boot options> Ignore tampering and force a boot (Unsafe!).
Could anyone please help? I think @Kyle_Rankin or @joao.azevedo or @nicole.faerber might help on this. Please take a look into this issue. Any help is greatly appreciated.
Email support would be a better support avenue in general than this forum if you want timely answers, but I’ll see if I can help here. If you have performed OEM Factory Resets and they seem to work without error, then I would examine whether there are problems with your /boot partition that might make it read-only. The “no public key” error seems to indicate that the keyring in PureBoot is empty. You can check that by going to the GPG menu under Settings and getting GPG info. If your OEM Factory Reset was successful you should see a single key in there that corresponds to the new private keys that were generated on your Librem Key.
I checked that and it’s not empty. There’s an OEM-generated key. Also, I created a custom GPG key using all the instructions mentioned at this link: https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html#generate-gpg-keys-on-your-computer. When I checked the list of keys then I have 2 in the pubring. But still, it did give the same error that I mentioned above. I even deleted the first key using gpg --delete-key <key-ID> where I provided the ID of the first OEM-generated key. I listed using the keys using the GPG menu in the next time where I found the key that I generated. But, still I got the same error after all.
Oh sorry, I misread all the errors. It simply looks like for some reason the signatures on the files in /boot are wrong (possibly due to an update possibly due to something else). An OEM Factory Reset is supposed to replace all of that with new signatures. Could you please try that one last time and make note of any errors or warnings that might be output to the screen during the process? After it completes you should be able to just boot into the OS.
There is some problem with the /boot file system. Possibly a corrupted file, possibly a file system that needs fsck run on it. If you are comfortable with the command line you could investigate the state of that file system and run fsck using the PureBoot recovery console. If you aren’t comfortable with that but can still boot into your OS in warning mode, then I would investigate using the GUI Gnome Disks tool and see what it thinks is going on with /boot.
If it doesn’t make any power difference if we use GUI Gnome disk compared to fsck, we might prefer to go that path. otherwise, i’m comfortable with the command line also… If i could go ahead with recovery console, and fsck tool what commands do you suggest me… I’m on it…
On the command line then, I’d first use df to see if /boot is even mounted. If it is, then ls /boot to see if you can read it, then touch /boot/test to see if you can write to it.
If it is not mounted, then see if /dev/sda1 exists and if so, fsck /dev/sda1 and see if it returns any errors or complaints. Once it completes, mount /boot and see if that works and whether ls /boot returns any files and touch /boot/test works.
Is this a standard PureOS install? Did you reinstall the OS at any point?
It’s a standard PureOS install. And i got a roadblock in the second step only of the steps you mentioned. As i tried, touch /boot/test , i got the error:
I would be cautious about posting your secret in an open forum (or indeed posting it anywhere). I recommend always erasing QR codes completely from any image posted unless you know what the QR code is leaking.
To be clear, merely holding my iPhone up to the web browser window caused it to offer to add your secret to my repository of secrets. (For some reason it didn’t work on Linux - didn’t recognise the presence of a QR code - but I’m sure it could be made to work.)
Thank you so much @irvinewade for bringing this to my notice. I’ll be very cautious to do so from next time. Please look at the above recent issue if you can give any advise.
