
hotp-verification fails to detect touch on nk3a-mini with newer musl compiled binary #37

Closed
tlaurion opened this issue Nov 7, 2024 · 1 comment

Comments

@tlaurion
Contributor

tlaurion commented Nov 7, 2024

This was discovered while testing ROMs produced by linuxboot/heads#1841 (after the musl-cross-make version bump).

Tested on x230-hotp-maximized (hotp-verification 1.6, nk3a firmware 1.7.2):

  • OEM Factory reset/Re-ownership works
  • Resetting TPM/sealing TOTP through reverse HOTP fails

[Screenshot: signal-2024-11-07-123429]

Test output of that nk3a-mini dongle:

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 test
Command line tool to interact with Nitrokey devices 0.4.47
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw0

Running tests for Nitrokey 3 at /dev/hidraw0

[1/5]	uuid     	UUID query              	SUCCESS  	EF25D848139028D30000000000000000
[2/5]	version  	Firmware version query  	SUCCESS  	v1.7.2
[3/5]	status   	Device status           	SUCCESS  	Status(init_status=<InitStatus: 0>, ifs_blocks=238, efs_blocks=465, variant=<Variant.NRF52: 2>)
Running SE050 test: |
[4/5]	se050    	SE050                   	SUCCESS  	SE050 firmware version: 3.1.1 - 1.11, (persistent: (31432,), transient_deselect: (607,), transient_reset: (592,))
Please press the touch button on the device ...
Please press the touch button on the device ...
[5/5]	fido2    	FIDO2                   	SUCCESS  	

5 tests, 5 successful, 0 skipped, 0 failed

Summary: 1 device(s) tested, 1 successful, 0 failed

EDIT: As recommended:

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 secrets reset
Command line tool to interact with Nitrokey devices 0.4.47
Do you want to continue? [y/N]: y
Please touch the device if it blinks
Done

Redoing the Heads TPM reset + reverse HOTP sealing of the TPMTOTP secret succeeds after `nitropy nk3 secrets reset`, but I never got this error before. Success:
[Screenshot: signal-2024-11-07-124406]


Ideally, this is not reproducible/fixed before 2024-11-20 under hotp-verification, so Heads can point to a newer fixed commit of hotp-verification as part of linuxboot/heads#1821.

@jans23

@tlaurion
Contributor Author

tlaurion commented Nov 7, 2024

Redoing the same thing with NK3 NFC (firmware 1.7.2 too):

  • factory reset succeeds
  • waiting for the prompt to touch, even though the dongle blinks

Success.

  • Redoing factory reset, this time with defaults. Prompt answers:
    • default config options: N
    • passphrase change : N
    • reencrypt: N
    • Format encrypted USB thumb drive: N
    • Custom single secret: Y
      • PleaseChangeMe
    • Custom info provisioning for GPG key: N
    • Export pubkey to usb drive: N
  • On reboot, reset TPM + seal TPMTOTP as reverse HOTP, using PleaseChangeMe: fails with the same error as above.
    • Hmmm, maybe it's because the HOTP Admin PIN is 12345678: yes

Hmmm. We have another problem here, but that may not be because of musl.

Redoing nk3 test:

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 test
Command line tool to interact with Nitrokey devices 0.4.47
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw0

Running tests for Nitrokey 3 at /dev/hidraw0

[1/5]	uuid     	UUID query              	SUCCESS  	7BE66C6C09655959911E4A5958996AEF
[2/5]	version  	Firmware version query  	SUCCESS  	v1.7.2
[3/5]	status   	Device status           	SUCCESS  	Status(init_status=<InitStatus: 0>, ifs_blocks=41, efs_blocks=462, variant=<Variant.LPC55: 1>)
Running SE050 test: |
[4/5]	se050    	SE050                   	SUCCESS  	SE050 firmware version: 3.1.1 - 1.11, (persistent: (32767,), transient_deselect: (191,), transient_reset: (176,))
Please press the touch button on the device ...
Please press the touch button on the device ...
[5/5]	fido2    	FIDO2                   	SUCCESS  	

5 tests, 5 successful, 0 skipped, 0 failed

Summary: 1 device(s) tested, 1 successful, 0 failed

Redoing secret app reset:

user@heads-tests-deb12-nix:~/heads$ nitropy nk3 secrets reset
Command line tool to interact with Nitrokey devices 0.4.47
Do you want to continue? [y/N]: y
Please touch the device if it blinks
Done

So the logic here is that the secrets app key responsible for the HOTP Admin PIN (not the same as on the NK2/Librem Key, as previously discussed) is set to 12345678 and is ready to be sealed on the first HOTP sealing; will check.

Redoing factory reset with a custom single PIN, PleaseChangeMe, expecting reverse HOTP sealing of TPMTOTP to seal it without error, setting the HOTP Admin PIN (secrets app Admin PIN) on first use after reset:

[Screenshot: signal-2024-11-07-131256]
The message "Not trying default PIN (12345678) only 0 attempt left" is, to say the least, misleading, but that is #36.

Otherwise, PleaseChangeMe is used to set the HOTP Admin PIN on first use, apart from this misleading message from Heads (since NK3 changed and #36 is not resolved).
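For readers unfamiliar with what the "reverse HOTP" sealing step in this thread actually verifies, the following added example (not code from hotp-verification, Heads or the Nitrokey firmware) models the mechanism in plain Python: RFC 4226 HOTP on the host side, and a token-side verifier that accepts a host-supplied code only if it matches one of the codes for its current counter plus a small look-ahead window, then advances its counter so the code cannot be replayed. The 6-digit SHA-1 HOTP, the window size of 5 and the RFC 4226 test-vector secret are assumptions chosen for the illustration, not values read from the NK3 or from hotp-verification.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class ReverseHotpVerifier:
    """Model of the token side of reverse HOTP.

    In the reverse HOTP flow the RFC 4226 roles are swapped: the host
    (Heads, via hotp-verification) computes the code from the sealed secret
    and sends it to the token; the token recomputes codes for its current
    counter and a small look-ahead window, accepts only on a match, and then
    advances its counter past the matched value so the code cannot be
    replayed.  The window size and the 6-digit SHA-1 HOTP used here are
    assumptions for this illustration, not values taken from the NK3
    firmware or from hotp-verification.
    """

    def __init__(self, secret: bytes, counter: int = 0,
                 window: int = 5, digits: int = 6):
        self.secret = secret
        self.counter = counter
        self.window = window
        self.digits = digits

    def verify(self, code: str) -> bool:
        # Check counters self.counter .. self.counter + window (inclusive).
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):
                self.counter = c + 1   # consume this counter value
                return True
        return False


def demo() -> dict:
    """Walk through the cases a practitioner cares about.

    The secret is the RFC 4226 test-vector key (constructed input), so the
    codes involved are the published test-vector values."""
    secret = b"12345678901234567890"
    token = ReverseHotpVerifier(secret, counter=0, window=5)
    results = {}

    # 1. Host and token in sync: both at counter 0.
    code0 = hotp(secret, 0)
    results["in_sync"] = token.verify(code0)            # accepted, token -> 1

    # 2. Replaying the consumed code must fail: token now checks 1..6.
    results["replay"] = token.verify(code0)             # rejected

    # 3. Host far ahead of the window (counter 7, window is 1..6).
    results["beyond_window"] = token.verify(hotp(secret, 7))   # rejected

    # 4. Host inside the window (counter 5): accepted, token resyncs to 6.
    results["resync"] = token.verify(hotp(secret, 5))          # accepted
    results["token_counter_after_resync"] = token.counter      # 6
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "beyond_window" case is the one that matters for the sealing failures above: if the host's counter and the token's counter drift apart by more than the look-ahead, every code the host sends is rejected even though the secret is correct, which is why resetting the secrets app (and thus its counter) on the token can make a previously failing sealing succeed.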
