Ubuntu
Verification of Sealed Hardware
If you have ordered the unit with the option “sealed screws and sealed bag”, please verify the sealing before unpacking. If you do not know what this means, skip this section.
Secure Starting Procedure
With the NitroPad and NitroPC, malicious changes to the BIOS, operating system, and software can be easily detected. For example, if you left your NitroPad in a hotel room, you can use your Nitrokey to check if it has been tampered with while you were away. If an attacker modifies the NitroPad’s firmware or operating system, the Nitrokey will detect this (instructions below).
Each time you start the NitroPad or the NitroPC, you should - if possible - connect your Nitrokey. If the Nitrokey is plugged in and the system has not been modified, the following screen will appear when it is turned on.

The box marked in red contains the information that the BIOS has not been changed and that the shared secret of the NitroPad or the NitroPC and the Nitrokey match. But this information is not sufficient, because an attacker could have faked it. If at the same time the Nitrokey also flashes green, everything is fine. An attacker would have to have had access to the NitroPad or NitroPC and Nitrokey to achieve this result. It is therefore important that you do not leave both devices unattended.
If the information on the NitroPad or NitroPC does not match the information on the Nitrokey, the background would turn red and the message “Invalid Code” would appear. This could indicate that manipulation has taken place.
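
The reason the green LED matters more than the on-screen message can be modelled as a one-time-code exchange in which the verdict is produced inside the key, not on the screen. This is an added example, not Nitrokey or Heads code; it assumes the code scheme is HOTP (RFC 4226), and the `Token` class, `firmware_code` function, `window` parameter and the TPM-unseal stand-in are hypothetical simplifications.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def firmware_code(secret: bytes, measurements_ok: bool, counter: int) -> Optional[str]:
    """Firmware side (hypothetical model): the secret is released only when the
    boot measurements are unchanged, so modified firmware has no code to send."""
    if not measurements_ok:  # stand-in for a failed TPM unseal
        return None
    return hotp(secret, counter)


class Token:
    """Key side (hypothetical model): own copy of secret and counter; the
    verdict (green LED) is decided here, out of reach of the screen."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 3):
        self._secret, self._counter, self._window = secret, counter, window

    def verify(self, code: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1  # a captured code cannot be replayed
                return True
        return False


SECRET = b"12345678901234567890"  # constructed: the RFC 4226 test secret

if __name__ == "__main__":
    key = Token(SECRET)
    print("clean boot:", key.verify(firmware_code(SECRET, True, 0)))
    print("replayed  :", key.verify("755224"))
    print("tampered  :", firmware_code(SECRET, False, 1))
```

A faked screen can print any text, but without the secret it cannot make `verify` return true, which is why an attacker needs access to both devices.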

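What the boot process may look like if the system has been changed (for example after an update), and what other error messages may occur, is described further below.
Tip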
The NitroPad and NitroPC can also be started without the Nitrokey. If you don’t have the Nitrokey with you, but are sure that the hardware has not been manipulated, you can boot your system without checking.
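Workaround for Ubuntu 24.04
There is an issue (https://github.com/linuxboot/heads/issues/1641) that prevents Ubuntu from showing the LUKS decryption screen when it is booted with Heads. With this issue, you can type the passphrase blindly, after which Ubuntu boots normally. Please follow these steps:
Boot Heads. If nothing needs to be done, Ubuntu starts automatically.
After a while, you will see a black screen whose last lines read in white text: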
Locking TPM2 platform hierarchy...
Starting the new kernel
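These lines indicate that Ubuntu is booting.
Wait **5 seconds**, then type your **passphrase** (on first boot, "12345678"), followed by **Enter**.
You will now see the normal Ubuntu interface. On first boot, you must complete the initial configuration.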
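Getting Started
After purchase, the passwords are set to default values and must be changed by you.
Press Enter ("Default Boot") after booting the system, provided that the NitroPad has not shown any errors and the Nitrokey is lit green (see above).
Next, the system will prompt you to enter the passphrase to decrypt the hard disk. The passphrase is initially "12345678". This was changed in the 10.04.2024 version, so if "12345678" does not work, try the old default: "PleaseChangeMe".
The system will then guide you through the process of creating a user account. After that, you should have successfully booted the system and can already use it normally.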
Open the pre-installed Nitrokey App and change the PINs of your Nitrokey. To learn more about how to change the PINs, please refer to chapter Change User and Admin PIN.
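Change the passphrase for the disk encryption. To learn more about how to change the disk encryption passphrase, please refer to chapter Change Disk Encryption Passphrase (change-disk-encryption-passphrase.html). This passphrase is different from your user account's passphrase.
Behavior After a System Update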
The NitroPad and NitroPC firmware checks certain system files for changes. If your operating system has updated important components, you will be warned the next time you boot the NitroPad or NitroPC. This could look like this, for example:

That’s why it’s important to restart your NitroPad or your NitroPC under controlled conditions after a system update. Only when the new status has been confirmed can you leave the device unattended again. Otherwise, you will not be able to distinguish a possible attack from a system update. Detailed instructions for a system update can be found here.