First attempt with production mode: FAILED

Hi, today i tryed to activate the Zymkey production mode in a raspberry 4 for my first time, but unfortunately the attempt was unsuccessful.
After encrypting root fs with LUKS (and tested of course), i disabled perimeter event actions on both channels. Then in sequence: i switched off raspberry, disconnected power cord, removed the zymkey from GPIO, cutted the lock tab (no battery in the key during the cut), remounted the zymkey on GPIO, reconnected power cord and turned on raspeberry.
This is the result:

Did I do something wrong?

@dmurgia85 I’m assuming everything was working properly prior to cutting the tab - you successfully rebooted/powercycled. Can you describe what the blue LED does from power on until this point? Maybe a short video. Also, which OS are you using?

Hi Bob, yes, I confirm that the system was working properly before the cut. Unfortunately I have already formatted the SD card, so I can’t record a video, but I will add some important details:

the operating system was raspbian buster lite.
After power on, the flash drive started with the usual rapid blinking, until the root filesystem decryption was reached, where the blue led on the zymkey stopped blinking.

There’s another detail that could be important: the shutdown of the raspberry before the cut was done from an operating system booted from usb stick, where there was a raspbian bullseye on which I had installed the zymbit software to use the zymkey and make some tests.

In fact later I tried booting the raspberry from that usb stick and the zymkey bound with that OS and it worked!

Is it possible that the binding failure with the encrypted SD Card depends on this?

Can you clarify a couple of things? Where are your /boot and / partitions - on the SD card or the USB stick, and what were you booted off of? Did you run “mk_encr_sd_rfs.sh” to encrypt the SD card / partition while booted off the SD card and just using your USB stick as space? If so, the encryption script will wipe the USB stick, unless you had already used it for a previous backup and there was an existing tarball named original_zk_root.tgz on the USB stick.

Off course i can.
I performed the following steps in this order:

  1. Installed a fresh Raspberry Pi OS on my SD Card using Raspberry PI Imager (buster lite), so “/boot” and “/” partitions was both on SD card.

  2. Booted the system from the newly prepared SDcard and Installed Zymkey client software following Quickstart, and then, tested. Everything worked as expected and i was able to use Zymkey python api.

  3. Encrypted root filesystem using option 1 with “mk_encr_sd_rfs.sh” and a USB Key as temporary storage. Encryption was successful and the system was working fine.

  4. After many test and work i prepared another device, a USB key, with Raspberry Pi Imager but with bullseye distro this time. So even in this case the /boot and root partitions were on the same device (the USB key).

  5. I booted raspberry from the new USB key, configured and installed Zimkey client software in this system too.

So at this point I had 2 devices prepared with the operating system and the Zymkey client, both with “/boot” and root “/” partitions, and both working with Zymkey in develop mode; The SD Card with encrypted root filesystem.

After that i done all the steps explained in my previous comment.

The last system startup before turning off the raspberry and enabling the Zymkey in production mode by cutting the tab, was done from the USB key, so the last time before the production mode, the Zymkey worked with Raspberry Pi OS bullseye on the USB key.

After cutting the tab, i reassembled the raspberry and Zymkey and tryed to boot from SD card (with encrypted root fs) with no luck.

I hope I have given you all the necessary details.

Regards,
Daniele

Hi Bob, can you think of anything that might be helpful?

Regards

If I understand this correctly, I think it’s working the way it is supposed to. The ZYMKEY would bind with the PI and the USB stick. Once you cut the tab, it would no longer work with that PI and the SD card. The LED would go OFF if you tried to boot off the SD card.

What is it that you ultimately want to do?

Bob

So the Zymkey binds with the last booted device and not the first boot device after cutting, right?
If so, there is a gap in the documentation.

I was interested in understanding what happened to prevent it from happening with subsequent raspberries.

I just need Raspberry with Zymkey in production mode binded with sdcard.

Daniele

Correct. I’ll review the documentation and adjust accordingly.

Ok thanks for the confirmation.