First boot after maximized ROM being flashed doesn't succeed (known: MRC cache not constructed, requires reboot) #1213
Comments
I will need an insight on where to put that better so that it reaches all users.
Then
As stated under #1021:
If when booting OS, the OS is syncing clock successfully, but time is lost on reboot, this is clear sign that RTC battery is dead. As to how to access early recovery console, this is by hitting 'r' keyboard's key. Will answer you other question under #1021. Another hypothesis here is that if you ran the factory reset on a computer that had a clock skew, even if the factory reset script doesn't implement public key expiry date in the future, I'm not sure how gpg handles key that are valid in the future. That may be why you experiment a 1- You could verify that from Heads recovery shell and checking the output of 2- Also having the output of |
yes, the 1st issue has disappeared now, thanks.
maybe good idea to repeat it under configuring keys the 2nd issue also disappear now, but yes, i think need to replace the RTC battery, i wonder if in case there is issue, and the heads cannot boot the OS, then after we fix the RTC clock |
Things are getting confusing here and should probably be on a complete different opened issue. The issue you are now talking about actually reflects the name of the original issue : "Starting new kernel takes a long time". Where prior, it was linked to "gpg: waiting for lock" and "First boot after flashing maximized rom doesn't succeed (MRC cache for trained memory doesn't exist" if I understand well. We are combining 3 issues under a single opened issue where none of the exposed problems are linked together. Would you rename this issue to something clearer? Issues cannot be used as a sliding problem diagnostic/resolution mechanism. Issues need to be for unique problem, so they can be reused and pointed at as duplicate when needed. So could you please rename this issue then open a new issue with a screenshot of the kexec call that you consider taking too long to happen and expectations as opposed to another use case on the same hardware? Saying "Starting new kernel takes a long time" is not specific enough, doesn't include the actual final booted OS details, or what "long time" means or expectation justifications. On my current x230 i7, a kexec call (which is actually loading, in case of Qubes, Xen, then initrd in dom0 (drivers and softwares needed, then disk unlock key as additional cpio to be passed to OS) and kernel takes a rough 3-5 seconds for the console to be replaced with final OS kernel output content, which might be creating anxiety but is pretty normal (explanations below). OSes will vary, depending on their used compression algorithms to pack intird and kernel, and what is happening before the actual framebuffer is being initialized and by which component, also depending on memory speed/SSD drive speed etc, with low variation, normally. Those things are technical. But in the case of x230, where "starting new kernel takes a long time" goes into the technical details of what is happening behind the scenes for the final actual initrd/kernel to initialize the graphical card (x230:i915 drm driver, i195 driver, drm helpers) to actually get a console. On some other platforms, including the new qemu-swtpm board config, that output between kexec call and having qemu showing console (framebuffer or not) is filled in host console which has the output until the emulated graphical card is initialized and the terminal is initialized there, and then the console is showed there. That is taking long, since plymouth is initializing the display way after the kernel is launched, and in some circumstances, requires some hacking around because the actual LUKS unlock prompt is happening on a console that may not be initialized yet... In short and factually: on x230, there is no coreboot graphic initialization. Heads kernel is actually the one giving framebufffer output, which gives access to graphical GUI. When kexec'ing, the same happens as said before and console is being refreshed only when the i915 driver is actually reinitialized by the kexec'ed kernel. So the question here is : how long "Starting new kernel takes a long time" is and compared to what? And then, that "long" would depend on the speed of the SSD/HDD drive, memory speed and chosen OS(and if plymouth is used and what hookds it uses). This is not Heads related. If we look at https://archive.org/details/Heads-Security-Components-Reownership?start=2894 (video at 48:14), we see that from the kexec call to Qubes dom0 console text showing dom0 kernel timestamps, we already have 5 seconds of boot time of kernel already having happenned there (my recording adapter taking that time to refresh screen output and output it), so that "booting" into the kernel (kexec) took actually 5 seconds. On most OSes, plymouth hooks are responsible to actually take control of the console and setup the framebuffer, which in those case you might not have any console output prior of that hook having happened. |
tlaurion
changed the title
tlaurion
changed the title
|
I took the liberty of renaming the original issue for its actual cause. |
|
Second was troubleshooted and confirmed to be linked to a critical time skewed being date in Real Time Clock (RTC) many years in the future and already covered under linuxboot/heads-wiki#103 which was bonified with additional content. |
Is a fourth issue. Yes, TOTP should match on both devices if time under Heads is configured to be in UTC/GMT timezone for RTC, meaning Greenwich time. (which network-recovery-init call will fix automatically) Phones are converting this automatically to generate TOTP codes in application UTC-0/GMT-0 timezone. Phone knows and deals with timezone differences between defined local timezone and knows the time difference against UTC (+- timezone difference). |
@tlaurion sorry, i thought before that the 3 issues are linked, because it happened in cycle. thanks for renaming the title, i think now it's better & more specific, okay, in summary: 1st issue, 1st boot after external flashing doesn't succeed, 2nd issue, after booting shows repeating gpg: waiting for lock 3rd issue, TOTP mismatch
thanks for solution, so the ticket can be closed |
Board: x230
Heads installer: self installed
PGP Key: Yubikey
PGP key for TOTP
1st time flash (external flashing)
Downloaded Maximized rom (from circle CI)
IFD unlocked: don't know
@tlaurion this ticket is a continuation from ticket 1st time heads configuration
I have configured the heads, but then there are 3 issues now, that happen in cycle:
After heads' 1st time configuration:
then after restart, i can boot into the OS, then after i restart again from OS, then next issue:
it shows nonstop gpg: waiting for lock , until then i restart again,
then after restart, i can boot into the OS,
these 2 issues goes in cycle:
1st issue, then booting into OS success, then 2nd issue, then 1st issue, then boot OS success, and so on
The text was updated successfully, but these errors were encountered: