From 5eee5aa296ce388dd6ccc9c856af2a0b45584520 Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Sat, 26 Jan 2019 12:20:31 -0500
Subject: [PATCH] GPG2 required changes for key and trustdb generation and
 inclusion in rom .ash_history: add examples to generate keys and otrust in
 rom flash-gui: export otrust and import it in rom key-init: import otrust.txt
 if present to supress warning about user public key being untrusted

---
 initrd/.ash_history     | 27 +++++++++++++++------------
 initrd/bin/flash-gui.sh |  8 +++++++-
 initrd/bin/key-init     |  7 ++++++-
 3 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/initrd/.ash_history b/initrd/.ash_history
index d7acdebe..99690053 100644
--- a/initrd/.ash_history
+++ b/initrd/.ash_history
@@ -1,14 +1,17 @@
-mount /dev/sda1 /boot
-mount -o remount,rw /boot
-rm /boot/kexec_*
-mount-usb
-mkdir -p /media/gpg_keys
-gpg --home=/media/gpg_keys --card-edit
-gpg --home=/media/gpg_keys --export --armor e@mail.address > /media/gpg_keys/public.key
-gpg --home=/media/gpg_keys --export-secret-keys --armor e@mail.address > /media/gpg_keys/private.key
-cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key
-cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/private.key" -f /media/gpg_keys/private.key
-mount -o remount,ro /media
-flash.sh /media/coreboot.com
+#remove invalid kexec_* signed files
+mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot
+#Generate keys from GPG smartcard: 
+mount-usb && gpg --home=/.gnupg/ --card-edit
+#Copy generated public key, private_subkey, trustdb and artifacts to external media for backup: 
+mount -o remount,rw /media && mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor email@address.com > /media/gpg_keys/private.key && gpg --export --armor email@address.com  > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null
+#Insert public key and trustdb export into reproducible rom:
+cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key && cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/otrust.txt" -f /media/gpg_keys/otrust.txt
+#Flush changes to external media: 
+mount -o,remount ro /media
+#Flash modified reproducible rom with inserted public key and trustdb export from precedent step. Flushes actual rom's keys (-c: clean):
+flash.sh -c /media/coreboot.rom
+#Attest integrity of firmware as it is
+seal-totp
+#Verify Intel ME state:
 cbmem --console | grep '^ME'
 cbmem --console | less
diff --git a/initrd/bin/flash-gui.sh b/initrd/bin/flash-gui.sh
index 7a7ec46a..6c121746 100755
--- a/initrd/bin/flash-gui.sh
+++ b/initrd/bin/flash-gui.sh
@@ -143,12 +143,18 @@ while true; do
             cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
           fi
           cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
-
+          
+          #TODO: Remove this? Not useful in GPG2
           if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
             cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
           fi
           cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
 
+          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
+            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
+          fi
+          cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/otrust.txt" -f /.gnupg/otrust.txt
+
           if (whiptail --title 'Flash ROM?' \
               --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
             /bin/flash.sh /tmp/gpg-gui.rom
diff --git a/initrd/bin/key-init b/initrd/bin/key-init
index f59d302e..545a774f 100755
--- a/initrd/bin/key-init
+++ b/initrd/bin/key-init
@@ -5,7 +5,12 @@ set -e -o pipefail
 # Post processing of keys
 
 # Import user's keys
-gpg --import /.gnupg/keys/* 2>/dev/null || true
+gpg --import /.gnupg/keys/*.key 2>/dev/null || true
+
+#Import trustdb if it exists
+if [ -s /.gnupg/keys/otrust.txt ]; then
+  gpg --import-ownertrust /.gnupg/keys/otrust.txt
+fi
 
 # Import trusted distro keys allowed for ISO signing
 gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || true