WiP: staging changes, refusing to fight against tools helping me, formatting changed. sign after tpm-reset now to work around primary handle issue.

Signed-off-by: Thierry Laurion <insurgo@riseup.net>

initrd/bin/kexec-select-boot

@@ -115,15 +115,18 @@ verify_global_hashes() {
 verify_rollback_counter() {
 	TRACE_FUNC
 	TPM_COUNTER=$(grep counter $TMP_ROLLBACK_FILE | cut -d- -f2)
+
+	DEBUG "TPM_COUNTER: $TPM_COUNTER found in $TMP_ROLLBACK_FILE"
+
 	if [ -z "$TPM_COUNTER" ]; then
 		die "$TMP_ROLLBACK_FILE: TPM counter not found?"
 	fi
 
-	read_tpm_counter $TPM_COUNTER > /dev/null 2>&1 ||
+	read_tpm_counter $TPM_COUNTER >/dev/null 2>&1 ||
 		die "Failed to read TPM counter"
 
 	sha256sum -c $TMP_ROLLBACK_FILE ||
-		die "Invalid TPM counter state"
+		die "Invalid TPM counter state. TPM Reset required"
 
 	valid_rollback="y"
 }
@@ -268,7 +271,7 @@ default_select() {
 
 	if [ "$CONFIG_BASIC" != "y" ]; then
 		# Enforce that default option hashes are valid
-		echo "+++ Checking verified default boot hash file "
+		LOG "+++ Checking verified default boot hash file "
 		# Check the hashes of all the files
 		if (cd $bootdir && sha256sum -c "$TMP_DEFAULT_HASH_FILE" >/tmp/hash_output); then
 			echo "+++ Verified default boot hashes "

initrd/bin/kexec-sign-config

@@ -10,10 +10,13 @@ rollback="n"
 update="n"
 while getopts "p:c:ur" arg; do
 	case $arg in
-		p) paramsdir="$OPTARG" ;;
-		c) counter="$OPTARG"; rollback="y" ;;
-		u) update="y" ;;
-		r) rollback="y" ;;
+	p) paramsdir="$OPTARG" ;;
+	c)
+		counter="$OPTARG"
+		rollback="y"
+		;;
+	u) update="y" ;;
+	r) rollback="y" ;;
 	esac
 done
 
@@ -34,14 +37,14 @@ mount -o remount,rw /boot
 if [ "$update" = "y" ]; then
 	(
 		cd /boot
-		find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
+		find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum >/boot/kexec_hashes.txt
 		if [ -e /boot/kexec_default_hashes.txt ]; then
 			DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
-			echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
+			echo $DEFAULT_FILES | xargs sha256sum >/boot/kexec_default_hashes.txt
 		fi
 
 		#also save the file & directory structure to detect added files
-		print_tree > /boot/kexec_tree.txt
+		print_tree >/boot/kexec_tree.txt
 	)
 	[ $? -eq 0 ] || die "$paramsdir: Failed to update hashes."
 
@@ -55,23 +58,23 @@ if [ "$rollback" = "y" ]; then
 
 	if [ -n "$counter" ]; then
 		# use existing counter
-		read_tpm_counter $counter \
-		|| die "$paramsdir: Unable to read tpm counter '$counter'"
+		read_tpm_counter $counter >/dev/null 2>&1 ||
+			die "$paramsdir: Unable to read tpm counter '$counter'"
 	else
 		# increment counter
-		check_tpm_counter $rollback_file \
-		|| die "$paramsdir: Unable to find/create tpm counter"
+		check_tpm_counter $rollback_file >/dev/null 2>&1 ||
+			die "$paramsdir: Unable to find/create tpm counter"
 		counter="$TPM_COUNTER"
 
-		increment_tpm_counter $counter \
-		|| die "$paramsdir: Unable to increment tpm counter"
+		increment_tpm_counter $counter >/dev/null 2>&1 ||
+			die "$paramsdir: Unable to increment tpm counter"
 	fi
 
-	sha256sum /tmp/counter-$counter > $rollback_file \
-	|| die "$paramsdir: Unable to create rollback file"
+	sha256sum /tmp/counter-$counter >$rollback_file ||
+		die "$paramsdir: Unable to create rollback file"
 fi
 
-param_files=`find $paramsdir/kexec*.txt`
+param_files=$(find $paramsdir/kexec*.txt)
 if [ -z "$param_files" ]; then
 	die "$paramsdir: No kexec parameter files to sign"
 fi
@@ -80,8 +83,8 @@ for tries in 1 2 3; do
 	if sha256sum $param_files | gpg \
 		--detach-sign \
 		-a \
-		> $paramsdir/kexec.sig \
-	; then
+		>$paramsdir/kexec.sig \
+		; then
 		# successful - update the validated params
 		check_config $paramsdir
 

initrd/bin/oem-factory-reset

@@ -547,7 +547,7 @@ gpg_key_factory_reset() {
 
 	#enable usb storage
 	enable_usb
-	
+
 	# Factory reset GPG card
 	echo "GPG factory reset of USB Security dongle's OpenPGP smartcard..."
 	{

initrd/bin/seal-hotpkey

@@ -65,6 +65,10 @@ mount_boot || exit 1
 counter_value=1
 
 enable_usb
+
+# Make sure no conflicting GPG related services are running, gpg-agent will respawn
+killall gpg-agent scdaemon >/dev/null 2>&1
+
 # While making sure the key is inserted, capture the status so we can check how
 # many PIN attempts remain
 if ! hotp_token_info="$(hotp_verification info)"; then
@@ -162,8 +166,8 @@ if [ "$admin_pin_status" -ne 0 ]; then
 	fi
 else
 	# remind user to change admin password
-	warn "Weak OEM default PINs are under use to enforce remote attestation/encryption/signature operations" 
-	warn "$CONFIG_BRAND_NAME security is compromised until the ownership of this device is re-established by changing secrets by non-default values" 
+	warn "Weak OEM default PINs are under use to enforce remote attestation/encryption/signature operations"
+	warn "$CONFIG_BRAND_NAME security is compromised until the ownership of this device is re-established by changing secrets by non-default values"
 	warn "You must change current default secrets through 'Options -> OEM Factory Reset/Re-Ownership' menu and not accept the default options"
 	warn "You will be asked to answer a questionnaire to re-own your device and USB security dongles with new secrets"
 fi

initrd/bin/tpmr

@@ -651,7 +651,7 @@ tpm1_unseal() {
 		-sz "$sealed_size" \
 		-of "$sealed_file" ||
 		die "Unable to read sealed file from TPM NVRAM"
-		# TODO: Cannot log + exit instead of dying!?!
+	# TODO: Cannot log + exit instead of dying!?!
 
 	PASS_ARGS=()
 	if [ "$pass" ]; then

initrd/etc/ash_functions

@@ -75,6 +75,13 @@ preserve_rom() {
 }
 
 confirm_gpg_card() {
+
+	#TODO: ideally, we ask for confirmation only once per boot session
+	#TODO: even change logic here to try first and then ask user to confirm if not found
+	#TODO: or ask GPG user PIN once and cache it for the rest of the boot session for reusal
+	# This is getting in the way of unattended stuff and GPG prompts are confusing anyway, hide them from user.
+	
+
 	TRACE "Under /etc/ash_functions:confirm_gpg_card"
 	#Skip prompts if we are currently using a known GPG key material Thumb drive backup and keys are unlocked pinentry
 	#TODO: probably export CONFIG_GPG_KEY_BACKUP_IN_USE but not under /etc/user.config?