- Device nor key was physically tampered with
- Device was used for a period of 1 month without librem key, during this time a separate live usb was used
- I have not performed any modifications to my boot partition or installed operating systems
- TOTP is valid.
Today I plugged in my librem key to boot pureos for the first time in a month, I was met with “HOTP: Invalid Code”.
What are my options from here? Should I:
- Reflash heads, reformat, reinstall pureos
- Investigate the reason for the invalid code
So you registered the TOTP code with some sort of authenticator application on your phone?
I suspect what has happened is that if you are booting the system into PureBoot but not PureOS, and booting it without a Librem Key inserted, that PureBoot is still incrementing the counter it maintains in /boot, independently from the Librem Key’s counter. Now a month later, the counters are out of sync by a significant amount so they are generating different HOTP codes. Since TOTP is based on current system clock instead of a separate incrementing counter, it was unaffected. You can verify this by examining the datestamp on /boot/kexec_hotp_counter as it is likely getting updated each time you turn on the machine.
Ideally you would boot w/ the Librem Key inserted to verify the integrity of the boot firmware even if you don’t boot into PureOS. Since you fell back to the TOTP code you know your firmware is still safe, so it would be safe for you to tell PureBoot to generate a fresh HOTP/TOTP code so you can get your Librem Key’s incrementing counter synced with PureBoot’s.
I did register the TOTP code with an auth app on my phone.
I had opened the recovery shell and inspected my boot directory to see if I could see what files had been modified. kexec_hotp_counter is the only file that shows it was modified in the past month, and it was obviously modified today. Your theory seems to be spot on.