oem-factory-reset: prompt for the GPG User PIN only when needed; warn users when there is no backup, or when the only backup is the in-memory keygen backup without a smartcard.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
Thierry Laurion 2023-11-01 14:10:42 -04:00
parent c2c32c425b
commit 2942d660de
No known key found for this signature in database
GPG Key ID: E7B4A71658E36A93


@ -872,20 +872,28 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
-o "$prompt_output" == "Y" ] \
; then
GPG_GEN_KEY_IN_MEMORY=1
echo "Master key and subkeys will be generated in memory, backed up to dedicated LUKS container and then subkeys"
echo " ++++ Master key and subkeys will be generated in memory, backed up to dedicated LUKS container +++"
echo -e -n "Would you like in-memory generated subkeys to be copied to USB Security Dongle' smartcard?\n (Highly recommended so the smartcard is used on daily basis and backup is kept safe, but not required) [Y/n]: "
read -n 1 prompt_output
echo
if [ "$prompt_output" == "n" \
-o "$prompt_output" == "N" ]; then
warn "Subkeys will NOT be copied to USB Security Dongle' smartcard."
warn "Your GPG key material backup thumb drive should be cloned to a second thumb drive for redundancy for production environements"
GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD=0
else
echo "++++ Subkeys will be copied to USB Security Dongle' smartcard ++++"
warn "Please keep your GPG key material backup thumb drive safe"
GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD=1
fi
else
warn "GPG key material will be generated on USB Security Dongle' smartcard without backup"
GPG_GEN_KEY_IN_MEMORY=0
fi
# Dynamic messages to be given to user in terms of security components that will be applied
# based on previous answers
CUSTOM_PASS_AFFECTED_COMPONENTS="\n"
# Adapt message to be given to user in terms of security components that will be applied.
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" -o -n "$luks_new_Disk_Recovery_Key_passphrase" ]; then
@ -895,10 +903,14 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
CUSTOM_PASS_AFFECTED_COMPONENTS+="TPM Owner Password\n"
fi
if [ "$GPG_GEN_KEY_IN_MEMORY" = "1" ]; then
CUSTOM_PASS_AFFECTED_COMPONENTS+="GPG Key material backup passphrase\n"
CUSTOM_PASS_AFFECTED_COMPONENTS+="GPG Key material backup passphrase (Same a GPG Admin PIN)\n"
fi
CUSTOM_PASS_AFFECTED_COMPONENTS+="GPG Admin PIN\n"
CUSTOM_PASS_AFFECTED_COMPONENTS+="GPG User PIN\n"
# Only show GPG User PIN as affected component if GPG_GEN_KEY_IN_MEMORY=0 or GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD=1
if [ "$GPG_GEN_KEY_IN_MEMORY" = "0" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "1" ]; then
CUSTOM_PASS_AFFECTED_COMPONENTS+="GPG User PIN\n"
fi
# Inform user of security components affected for the following prompts
echo -e "The following security components will be provisioned with defaults or chosen PINs/passwords:
@ -921,7 +933,7 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
USER_PIN=${CUSTOM_SINGLE_PASS}
ADMIN_PIN=${CUSTOM_SINGLE_PASS}
# Only set if user said desired. Matches rest of logic
# Only set if user said desired
if [ -n "$luks_new_Disk_Recovery_Key_passphrase_desired" ]; then
luks_new_Disk_Recovery_Key_passphrase=${CUSTOM_SINGLE_PASS}
fi
@ -944,11 +956,16 @@ if [ "$use_defaults" == "n" -o "$use_defaults" == "N" ]; then
echo -e -n "Enter desired GPG Admin PIN: "
read ADMIN_PIN
done
while [[ ${#USER_PIN} -lt 8 ]] || [[ ${#USER_PIN} -gt 64 ]]; do
echo -e -n "\nThis PIN should be between 8 to 64 characters in length.\n"
echo -e -n "Enter desired GPG User PIN: "
read USER_PIN
done
#USER PIN not required in case of GPG_GEN_KEY_IN_MEMORY=1 while GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD=0
# That is, if keys were NOT generated in memory (on smartcard only) or
# if keys were generated in memory but are to be moved from local keyring to smartcard
if [ "$GPG_GEN_KEY_IN_MEMORY" = "0" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "1" ]; then
while [[ ${#USER_PIN} -lt 8 ]] || [[ ${#USER_PIN} -gt $MAX_HOTP_GPG_PIN_LENGTH ]]; do
echo -e -n "\nThis PIN should be between 8 to $MAX_HOTP_GPG_PIN_LENGTH characters in length.\n"
echo -e -n "Enter desired GPG User PIN: "
read USER_PIN
done
fi
echo
fi
fi
@ -1136,7 +1153,7 @@ fi
#Applying custom GPG PINs to the smartcard if they were provided
if [ -z "GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "1" ]; then
#Only apply smartcard PIN change if smartcard only or if keytocard op is expected
#Only apply smartcard PIN change if smartcard only or if keytocard op is expected next
if [ "${USER_PIN}" != "" -o "${ADMIN_PIN}" != "" ]; then
echo -e "\nChanging default GPG Admin PIN\n"
gpg_key_change_pin "3" "${ADMIN_PIN_DEF}" "${ADMIN_PIN}"
@ -1177,6 +1194,8 @@ fi
# We check for qemu-* instead of ^qemu- because CONFIG_BOARD_NAME could be renamed to UNTESTED-qemu-* in a probable future
if [[ "$CONFIG_BOARD_NAME" == qemu-* ]]; then
warn "Skipping flash of GPG key to ROM because we are running in QEMU without internal flashing support."
warn "Please review boards/qemu*/qemu*.md documentation to extract public key from raw disk and inject at build time"
warn "Also review boards/qemu*/qemu*.config to tweak CONFIG_* options you might want to turn on/off manually at build time"
else
#We are not running in QEMU, so flash the key to ROM
@ -1237,9 +1256,12 @@ if [ "$CONFIG_TPM" = "y" ]; then
passphrases+="TPM Owner Password: ${TPM_PASS}\n"
fi
#GPG PINs are in output inconditionally
#GPG PINs output
passphrases+="GPG Admin PIN: ${ADMIN_PIN}\n"
passphrases+="GPG User PIN: ${USER_PIN}\n"
#USER PIN not required in case of GPG_GEN_KEY_IN_MEMORY=1 while GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD=0
if [ "$GPG_GEN_KEY_IN_MEMORY" = "0" -o "$GPG_GEN_KEY_IN_MEMORY_COPY_TO_SMARTCARD" = "1" ]; then
passphrases+="GPG User PIN: ${USER_PIN}\n"
fi
#If user decided to generate keys in memory, we add the thumb drive passphrase
if [ "$GPG_GEN_KEY_IN_MEMORY" == "1" ]; then