From ed06b416a5976b4a3ec5981512f8cd513683e133 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Wed, 2 Apr 2025 15:56:46 -0400
Subject: [PATCH 1/4] initrd/etc/luks-functions: fix logic for nvme/non-nvme based LUKS partitions detection

Signed-off-by: Thierry Laurion
---
 initrd/etc/luks-functions | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/initrd/etc/luks-functions b/initrd/etc/luks-functions
index eb2d1fb6..4abcd4f2 100644
--- a/initrd/etc/luks-functions
+++ b/initrd/etc/luks-functions
@@ -14,7 +14,9 @@ list_local_luks_devices() {
 if cryptsetup isLuks "$device"; then
 DEBUG "Device $device is a LUKS device"
 dev_name=$(basename "$device")
- parent_dev_name=$(echo "$dev_name" | sed 's/[0-9]*$//')
+ # Dynamically determine parent device name
+ parent_dev_name=$(echo "$dev_name" | sed -E 's/(p?[0-9]+)$//') # Handles both NVMe (pX) and non-NVMe (X)
+ DEBUG "Derived parent device name: $parent_dev_name"
 if [ -e "/sys/block/$parent_dev_name" ]; then
 DEBUG "Device $device exists in /sys/block"
 if ! stat -c %N "/sys/block/$parent_dev_name" 2>/dev/null | grep -q "usb"; then
@@ -50,7 +52,7 @@ prompt_luks_passphrase() {
 # Test LUKS passphrase against all found LUKS containers that are not USB
 test_luks_passphrase() {
 TRACE_FUNC
-
+ DEBUG "Testing LUKS passphrase against all found LUKS containers"
 list_local_luks_devices >/tmp/luks_devices.txt
 if [ ! -s /tmp/luks_devices.txt ]; then
 warn "No LUKS devices found"
@@ -59,7 +61,7 @@ test_luks_passphrase() {
 
 valid_luks_devices=()
 while read -r luks_device; do
- DEBUG "Testing passphrase on $luks_device"
+ DEBUG "Testing passphrase on device: $luks_device"
 if cryptsetup open --test-passphrase "$luks_device" --key-file /tmp/secret/luks_current_Disk_Recovery_Key_passphrase; then
 DEBUG "Passphrase valid for $luks_device"
 valid_luks_devices+=("$luks_device")
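Review bot: The new `sed -E 's/(p?[0-9]+)$//'` still mis-derives the parent when the LUKS container is a whole disk rather than a partition: `nvme0n1` becomes `nvme0n` and `mmcblk0` becomes `mmcblk`, neither of which exists under /sys/block, so the following `[ -e "/sys/block/$parent_dev_name" ]` test fails and the device is silently dropped from the list instead of being passphrase-tested. A small fix is to keep the name unchanged when it is already a block device: `parent_dev_name=$dev_name` followed by `[ -e "/sys/block/$dev_name" ] || parent_dev_name=$(echo "$dev_name" | sed -E 's/(p?[0-9]+)$//')`, and the trailing comment on the sed line could then also mention the whole-disk case. list_local_luks_devices starts before this hunk and continues past it.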
@@ -69,10 +71,11 @@ test_luks_passphrase() {
 done
Date: Thu, 3 Apr 2025 13:00:49 -0400
Subject: [PATCH 2/4] oem-factory-reset: GPG Comment is required in current code base, not optional. Change Questionnaire and validate size properly

Fixes https://github.com/linuxboot/heads/issues/1949

Signed-off-by: Thierry Laurion
---
 initrd/bin/oem-factory-reset | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index 22f1bba5..916c2d6b 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -1164,13 +1164,13 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
 }
 done
 
- echo -e "\nEnter Comment (Optional, to distinguish this key from others with same previous attributes. Must be smaller then 60 characters):"
- read -r GPG_USER_COMMENT
- while [[ ${#GPG_USER_COMMENT} -gt 60 ]]; do
- {
- echo -e "\nEnter Comment (Optional, to distinguish this key from others with same previous attributes. Must be smaller then 60 characters):"
- read -r GPG_USER_COMMENT
- }
+ echo -e "\nEnter Comment (Required: Use this to distinguish this key from others, e.g., its purpose or usage context. Must be 1-60 characters):"
+ while true; do
+ read -r GPG_USER_COMMENT
+ if [[ ${#GPG_USER_COMMENT} -ge 1 && ${#GPG_USER_COMMENT} -le 60 ]]; then
+ break
+ fi
+ echo -e "\nComment must be 1-60 characters long. Please try again:"
 done
 fi
 
From 4fbd4e7506bd19f98a80f5b858dd837f6cf436f5 Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Thu, 3 Apr 2025 15:03:58 -0400
Subject: [PATCH 3/4] oem-factory-reset: In memory GPG keygen + keys copy to card not calling reset_nk3_secret_app, so HOTP PIN not set to GPG PIN when that feature is used (not really used it seems)

Fixes https://github.com/linuxboot/heads/issues/1951

Signed-off-by: Thierry Laurion
---
 initrd/bin/oem-factory-reset | 2 ++
 1 file changed, 2 insertions(+)
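Review bot: The new loop validates only the length of GPG_USER_COMMENT; if the value is later placed in the user-ID comment field, GnuPG rejects parentheses there, so a comment such as `test (1)` passes the prompt and then fails at key generation, after the user has answered the rest of the questionnaire. Extending the check to `if [[ ${#GPG_USER_COMMENT} -ge 1 && ${#GPG_USER_COMMENT} -le 60 && "$GPG_USER_COMMENT" != *[\(\)]* ]]; then` would reject it at the prompt instead. Note also that `${#GPG_USER_COMMENT}` counts characters rather than bytes, so a multibyte comment near the limit could exceed 60 bytes if the consumer's limit is byte-based — worth confirming where the value is used. The enclosing `if [ "$use_defaults" == "n" ... ]` block starts outside the hunk.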
diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index 916c2d6b..255858ee 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -1284,6 +1284,8 @@ gpg --list-keys >/dev/null 2>&1
 
 #Generate keys in memory and copy to smartcard
 if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" ]; then
+ # Reset Nitrokey 3 Secrets app before generating keys in memory
+ reset_nk3_secret_app
 if [ "$GPG_ALGO" == "RSA" ]; then
 # Generate GPG master key
 generate_inmemory_RSA_master_and_subkeys

From 3692a41e90bae7748ed1399a453547b1cf41a90e Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Thu, 3 Apr 2025 15:46:56 -0400
Subject: [PATCH 4/4] codebase: make sure same exact vocabulary is used TPM Owner Password, GPG User PIN, GPG Admin PIN, Secrets app PIN

Signed-off-by: Thierry Laurion
---
 initrd/bin/kexec-select-boot | 2 +-
 initrd/bin/oem-factory-reset | 8 ++++----
 initrd/bin/tpmr | 2 +-
 initrd/etc/functions | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot
index 6a0edc6a..cc128324 100755
--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot
@@ -75,7 +75,7 @@ if [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
 warn "Hash of TPM2 primary key handle does not exist"
 warn "Please rebuild the TPM2 primary key handle hash by setting a default OS to boot."
 warn "Select Options-> Boot Options -> Show OS Boot Menu -> -> Make default"
- #TODO: Simplify/Automatize TPM2 firmware upgrade process. Today: upgrade, reboot, reseal(type TPM owner pass), resign, boot
+ #TODO: Simplify/Automatize TPM2 firmware upgrade process. Today: upgrade, reboot, reseal(type TPM Owner Password), resign, boot
 default_failed="y"
 DEBUG "Hash of TPM2 primary key handle does not exist under $PRIMHASH_FILE"
 fi
diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index 255858ee..48b52d58 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
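Review bot: The added `reset_nk3_secret_app` call runs before any key is generated, and the function (shown in the @@ -152 hunk of the last patch) resets the Secrets app with whatever `${ADMIN_PIN}` holds at that moment; if the Admin PIN is only changed on the card later in this in-memory flow, the Secrets app ends up reset with the previous or default PIN and the HOTP PIN still does not match the final GPG Admin PIN, so the ordering relative to the Admin PIN change should be confirmed. The function is also a no-op when no `20a0:42b2` device or `/bin/hotp_verification` is present, which the new comment could state so readers do not expect an error on setups without a Nitrokey 3: `# Reset Nitrokey 3 Secrets app with ADMIN_PIN (no-op without an NK3 and hotp_verification); must run once ADMIN_PIN holds the final Admin PIN`. The enclosing `if [ "$GPG_GEN_KEY_IN_MEMORY" = "y" ]` block continues past the hunk.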
@@ -152,13 +152,13 @@ mount_boot() {
 
 reset_nk3_secret_app() {
 TRACE_FUNC
- # Reset Nitrokey 3 Secrets app with $ADMIN_PIN (default 12345678, or customised)
+ # Reset Nitrokey 3 Secrets app PIN with $ADMIN_PIN (default 12345678, or customised)
 if lsusb | grep -q "20a0:42b2" && [ -x /bin/hotp_verification ]; then
 echo
- warn "Resetting Nitrokey 3's Secrets App with PIN. Physical presence (touch) will be required"
+ warn "Resetting Nitrokey 3's Secrets app with PIN. Physical presence (touch) will be required"
 # TODO: change message when https://github.com/Nitrokey/nitrokey-hotp-verification/issues/41 is fixed
 # Reset Nitrokey 3 secret app with PIN
- # Do 3 attempts to reset Nitrokey 3 Secrets App if return code is 3 (no touch)
+ # Do 3 attempts to reset Nitrokey 3 Secrets app if return code is 3 (no touch)
 for attempt in 1 2 3; do
 if /bin/hotp_verification reset "${ADMIN_PIN}"; then
 echo
@@ -168,7 +168,7 @@ reset_nk3_secret_app() {
 if [ $error_code -eq 3 ] && [ $attempt -lt 3 ]; then
 whiptail --msgbox "Nitrokey 3 requires physical presence: touch the dongle when requested" $HEIGHT $WIDTH --title "Nk3 cecrets app reset attempt: $attempt/3"
 else
- whiptail_error_die "Nitrokey 3's secrets app reset failed with error:$error_code. Contact Nitrokey support"
+ whiptail_error_die "Nitrokey 3's Secrets app reset failed with error:$error_code. Contact Nitrokey support"
 fi
 fi
 done
diff --git a/initrd/bin/tpmr b/initrd/bin/tpmr
index 756050e7..73293379 100755
--- a/initrd/bin/tpmr
+++ b/initrd/bin/tpmr
@@ -302,7 +302,7 @@ tpm2_counter_inc() {
 
 tpm1_counter_create() {
 TRACE_FUNC
- # tpmr handles the TPM owner password (from cache or prompt), but all
+ # tpmr handles the TPM Owner Password (from cache or prompt), but all
 # other parameters for TPM1 are passed directly, and TPM2 mimics the
 # TPM1 interface.
 prompt_tpm_owner_password
diff --git a/initrd/etc/functions b/initrd/etc/functions
index 61fb34fe..ccc15dd8 100644
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
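Review bot: Two lines in the same function still use the old vocabulary this commit is normalising: the context line `# Reset Nitrokey 3 secret app with PIN` in the @@ -152 hunk and the whiptail title `"Nk3 cecrets app reset attempt: $attempt/3"` in the @@ -168 hunk, the latter also carrying a typo that the user sees on screen. Changing them to `# Reset Nitrokey 3 Secrets app with PIN` and `--title "Nitrokey 3 Secrets app reset attempt: $attempt/3"` would complete the rename. reset_nk3_secret_app begins in the @@ -152 hunk and its body continues past the end of the @@ -168 hunk.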
@@ -83,7 +83,7 @@ confirm_gpg_card() {
 
 #TODO: ideally, we ask for confirmation only once per boot session
 #TODO: even change logic here to try first and then ask user to confirm if not found
- #TODO: or ask GPG user PIN once and cache it for the rest of the boot session for reusal
+ #TODO: or ask GPG User PIN once and cache it for the rest of the boot session for reusal
 # This is getting in the way of unattended stuff and GPG prompts are confusing anyway, hide them from user.
 TRACE_FUNC
 