From 19cd15cf969b16f1458b38046af405d4b589e28d Mon Sep 17 00:00:00 2001
From: alex-nitrokey
Date: Tue, 30 Jun 2020 19:16:10 +0200
Subject: [PATCH 1/3] Remove gnupg pubkey export in oem-factory-reset

Since #758 is merged, users have a option to export GnuPG pubkey if necessary. Thus, we they do not need to insert a USB drive during factory reset. Until now the whole process failed just because a user did not provide a USB drive instead. This shall be fixed by this commit
---
 initrd/bin/oem-factory-reset | 23 +++--------------------
 1 file changed, 3 insertions(+), 20 deletions(-)

diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index f0707a0c..594b0b2a 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -311,21 +311,11 @@ if [ "$prompt_output" == "y" \ };done fi -## sanity check the USB, GPG key, and boot device before proceeding further - -# mount USB, then remount rw -echo -e "\nChecking for USB media...\n" -# ensure /media not mounted -umount /media 2>/dev/null -# mount-usb will detect and prompt if no USB inserted -if ! mount-usb rw 2>/tmp/error; then ERROR=$(tail -n 1 /tmp/error) whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" fi +## sanity check the GPG key, and boot device before proceeding further # ensure GPG key connected echo -e "\nChecking for GPG Key...\n" -# USB kernel modules already loaded via mount-usb +enable_usb if ! gpg --card-status >/dev/null 2>&1 ; then whiptail_error "Can't access GPG Key; remove and reinsert, then press Enter to retry." if ! gpg --card-status >/dev/null 2>/tmp/error ; then
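Review bot: The return status of the new `enable_usb` call is not checked, so if USB support cannot be brought up the `gpg --card-status` that follows fails with the misleading "remove and reinsert" prompt rather than a message naming the real cause. If `enable_usb` (presumably defined in the sourced /etc/functions, which is not visible here) signals failure through its exit status, `enable_usb || whiptail_error_die "Unable to enable USB for the GPG Key"` would surface it before the card check. The same unchecked call is introduced in the else branch of the hunk at `@@ -311,16 +312,41 @@` in patch 2/3.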
@@ -381,19 +371,12 @@ if [ "$CUSTOM_PASS" != "" ]; then ADMIN_PIN_DEF=$CUSTOM_PASS fi -## export generated key to USB -echo -e "\nExporting generated key to USB...\n" # export pubkey to file +echo -e "\nExporting generated key...\n" if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then ERROR=$(tail -n 1 /tmp/error) whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" fi -# copy to USB -if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR" -fi -umount /media 2>/dev/null ## flash generated key to ROM echo -e "\nReading current firmware...\n(this will take a minute or two)\n"
From 43971dc029ddbdb2e89339a8ecf8e9ae387f41af Mon Sep 17 00:00:00 2001
From: Alexander Paetzelt
Date: Tue, 7 Jul 2020 10:32:22 +0200
Subject: [PATCH 2/3] Make export to USB drive an option

---
 initrd/bin/oem-factory-reset | 57 +++++++++++++++++++++++++++++-------
 1 file changed, 46 insertions(+), 11 deletions(-)

diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index 594b0b2a..2840aabe 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -24,6 +24,7 @@ GPG_USER_NAME="OEM Key" GPG_KEY_NAME=`date +%Y%m%d%H%M%S` GPG_USER_MAIL="oem-${GPG_KEY_NAME}@example.com" GPG_USER_COMMENT="OEM-generated key" + ## External files sourced . /etc/functions
@@ -311,16 +312,41 @@ if [ "$prompt_output" == "y" \ };done fi -## sanity check the GPG key, and boot device before proceeding further +## sanity check the USB, GPG key, and boot device before proceeding further -# ensure GPG key connected -echo -e "\nChecking for GPG Key...\n" -enable_usb +# Prompt to insert USB drive if desired +echo -e -n "Would you like to export your public key to an USB drive? [y/N]: " +read -n 1 prompt_output +echo +if [ "$prompt_output" == "y" \ + -o "$prompt_output" == "Y" ] \ +; then + GPG_EXPORT=1 + # mount USB, then remount rw + echo -e "\nPlease insert an USB drive and hit enter.\n" + read + echo -e "\nChecking for USB media...\n" + # ensure /media not mounted + umount /media 2>/dev/null + # mount-usb will detect and prompt if no USB inserted + if ! mount-usb rw 2>/tmp/error; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Unable to mount USB on /media:\n\n${ERROR}" + fi +else + GPG_EXPORT=0 + # needed for USB Security dongle below and is ensured via mount-usb in case of GPG_EXPORT=1 + enable_usb +fi + +# ensure USB Security Dongle connected +echo -e "\nChecking for USB Security Dongle...\n" +# USB kernel modules already loaded via mount-usb if ! gpg --card-status >/dev/null 2>&1 ; then - whiptail_error "Can't access GPG Key; remove and reinsert, then press Enter to retry." + whiptail_error "Can't access USB Security Dongle; \nPlease remove and reinsert, then press Enter." if ! gpg --card-status >/dev/null 2>/tmp/error ; then ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "Unable to detect GPG Key:\n\n${ERROR}" + whiptail_error_die "Unable to detect USB Security Dongle:\n\n${ERROR}" fi fi 
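Review bot: The comment `# USB kernel modules already loaded via mount-usb` placed above the `gpg --card-status` check is only accurate on the export path; when the user answers N, the modules come from the `enable_usb` call in the else branch, so it should read `# USB kernel modules already loaded via mount-usb (export) or enable_usb (no export) above`. The two new `read` calls also run without `-r`, so a backslash typed at either prompt is interpreted rather than taken literally (ShellCheck SC2162); `read -r -n 1 prompt_output` and `read -r` behave identically for ordinary answers. The `[ "$prompt_output" == "y" -o "$prompt_output" == "Y" ]` form mirrors the existing prompt shown in the hunk header, so it is consistent with the file even though `[[ ... || ... ]]` is the safer idiom.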
@@ -371,11 +397,20 @@ if [ "$CUSTOM_PASS" != "" ]; then ADMIN_PIN_DEF=$CUSTOM_PASS fi -# export pubkey to file -echo -e "\nExporting generated key...\n" -if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" +## export generated key to USB +if [ $GPG_EXPORT -ne 0 ]; then + echo -e "\nExporting generated key to USB...\n" + # export pubkey to file + if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" + fi + # copy to USB + if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "Key export error: unable to copy ${GPG_GEN_KEY}.asc to /media:\n\n$ERROR" + fi + umount /media 2>/dev/null fi ## flash generated key to ROM
From 6fe409aaf34fb689d7f72e5040e5a8ec47ef4215 Mon Sep 17 00:00:00 2001
From: Alexander Paetzelt
Date: Tue, 7 Jul 2020 11:16:18 +0200
Subject: [PATCH 3/3] Still need the exported pubkey file

---
 initrd/bin/oem-factory-reset | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index 2840aabe..0f873e25 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
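Review bot: `if [ $GPG_EXPORT -ne 0 ]; then` leaves the variable unquoted and without a default, so should `GPG_EXPORT` ever be unset on this path `[` sees only `-ne 0`, reports "unary operator expected" and the test fails instead of choosing a branch deliberately; `if [ "${GPG_EXPORT:-0}" -ne 0 ]; then` keeps the current behaviour for 0/1 and degrades to "no export" otherwise (the line survives as context in the following patch's hunk at `@@ -397,14 +397,15 @@`). Moving the `gpg --export ... > "${PUBKEY}"` step inside this conditional also means `${PUBKEY}` is never written when the user declines USB export, while the `## flash generated key to ROM` step after the hunk presumably still needs that file; patch 3/3 (`Still need the exported pubkey file`) reverts that part, and squashing it into this commit would avoid an intermediate revision that cannot flash the key without a USB drive.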
@@ -397,14 +397,15 @@ if [ "$CUSTOM_PASS" != "" ]; then ADMIN_PIN_DEF=$CUSTOM_PASS fi -## export generated key to USB +# export pubkey to file +if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then + ERROR=$(tail -n 1 /tmp/error) + whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" +fi + +## export pubkey to USB if [ $GPG_EXPORT -ne 0 ]; then echo -e "\nExporting generated key to USB...\n" - # export pubkey to file - if ! gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}" 2>/tmp/error ; then - ERROR=$(tail -n 1 /tmp/error) - whiptail_error_die "GPG Key gpg export to file failed!\n\n$ERROR" - fi # copy to USB if ! cp "${PUBKEY}" "/media/${GPG_GEN_KEY}.asc" 2>/tmp/error ; then ERROR=$(tail -n 1 /tmp/error)
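Review bot: `gpg --export --armor $GPG_GEN_KEY > "${PUBKEY}"` passes the key id unquoted, and `gpg --export` with no name exports every public key in the keyring, so an empty `GPG_GEN_KEY` (assigned outside this hunk) would silently produce a file holding all keys rather than failing at this step. Guarding with `[ -n "$GPG_GEN_KEY" ] || whiptail_error_die "No generated GPG key id to export"` before the export, and quoting it as `"$GPG_GEN_KEY"`, closes that gap without changing the normal path. The `if ! cp` that begins at the end of the hunk continues outside it.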