Move GPG check outside TPM failure

We want to catch the missing GPG keyring error regardless of TPM failure
or even in the case of a system without a TPM at all so we need to move
that section up above the TPM check.

initrd/bin/gui-init

@@ -109,26 +109,29 @@ while true; do
   MAIN_MENU_OPTIONS=""
   MAIN_MENU_BG_COLOR=""
   unset totp_confirm
-  # update the TOTP code every thirty seconds
-  date=`date "+%Y-%m-%d %H:%M:%S"`
-  seconds=`date "+%s"`
-  half=`expr \( $seconds % 60 \) / 30`
-  if [ "$CONFIG_TPM" = n ]; then
-    TOTP="NO TPM"
-  elif [ "$half" != "$last_half" ]; then
-    last_half=$half;
-    TOTP=`unseal-totp`
-    if [ $? -ne 0 ]; then
-      # detect whether any GPG keys exist in the keyring, if not, initialize that first
-      GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
-      if [ $GPG_KEY_COUNT -eq 0 ]; then
-        whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: GPG keyring empty!" \
-          --menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted, you should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one public key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
-          'f' ' Add a GPG key to the running BIOS' \
-          'i' ' Ignore error and continue to default boot menu' \
-          'x' ' Exit to recovery shell' \
-          2>/tmp/whiptail || recovery "GUI menu failed"
-      else
+  # detect whether any GPG keys exist in the keyring, if not, initialize that first
+  GPG_KEY_COUNT=`gpg -k 2>/dev/null | wc -l`
+  if [ $GPG_KEY_COUNT -eq 0 ]; then
+    whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: GPG keyring empty!" \
+      --menu "ERROR: Heads couldn't find any GPG keys in your keyring.\n\nIf this is the first time the system has booted, you should add a public GPG key to the BIOS now.\n\nIf you just reflashed a new BIOS, you'll need to add at least one public key to the keyring.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
+      'f' ' Add a GPG key to the running BIOS' \
+      'i' ' Ignore error and continue to default boot menu' \
+      'x' ' Exit to recovery shell' \
+      2>/tmp/whiptail || recovery "GUI menu failed"
+
+      totp_confirm=$(cat /tmp/whiptail)
+  fi
+  if [ "$totp_confirm" = "i" -o -z "$totp_confirm" ]; then
+    # update the TOTP code every thirty seconds
+    date=`date "+%Y-%m-%d %H:%M:%S"`
+    seconds=`date "+%s"`
+    half=`expr \( $seconds % 60 \) / 30`
+    if [ "$CONFIG_TPM" = n ]; then
+      TOTP="NO TPM"
+    elif [ "$half" != "$last_half" ]; then
+      last_half=$half;
+      TOTP=`unseal-totp`
+      if [ $? -ne 0 ]; then
         whiptail $CONFIG_ERROR_BG_COLOR --clear --title "ERROR: TOTP Generation Failed!" \
           --menu "ERROR: Heads couldn't generate the TOTP code.\n\nIf this is the first time the system has booted, you should reset the TPM\nand set your own password\n\nIf you just reflashed your BIOS, you'll need to generate a new TOTP secret.\n\nIf you have not just reflashed your BIOS, THIS COULD INDICATE TAMPERING!\n\nHow would you like to proceed?" 30 90 4 \
           'g' ' Generate new TOTP/HOTP secret' \
@@ -136,8 +139,9 @@ while true; do
           'p' ' Reset the TPM' \
           'x' ' Exit to recovery shell' \
           2>/tmp/whiptail || recovery "GUI menu failed"
+
+        totp_confirm=$(cat /tmp/whiptail)
       fi
-      totp_confirm=$(cat /tmp/whiptail)
     fi
   fi