GPG2 required changes for key and trustdb generation and inclusion in rom

.ash_history: add examples to generate keys and otrust in rom
flash-gui: export otrust and import it in rom
key-init: import otrust.txt if present to supress warning about user public key being untrusted

initrd/.ash_history

@@ -1,14 +1,17 @@
-mount /dev/sda1 /boot
+#remove invalid kexec_* signed files
-mount -o remount,rw /boot
+mount /dev/sda1 /boot && mount -o remount,rw /boot && rm /boot/kexec* && mount -o remount,ro /boot
-rm /boot/kexec_*
+#Generate keys from GPG smartcard: 
-mount-usb
+mount-usb && gpg --home=/.gnupg/ --card-edit
-mkdir -p /media/gpg_keys
+#Copy generated public key, private_subkey, trustdb and artifacts to external media for backup: 
-gpg --home=/media/gpg_keys --card-edit
+mount -o remount,rw /media && mkdir -p /media/gpg_keys; gpg --export-secret-keys --armor email@address.com > /media/gpg_keys/private.key && gpg --export --armor email@address.com  > /media/gpg_keys/public.key && gpg --export-ownertrust > /media/gpg_keys/otrust.txt && cp -r ./.gnupg/* /media/gpg_keys/ 2> /dev/null
-gpg --home=/media/gpg_keys --export --armor e@mail.address > /media/gpg_keys/public.key
+#Insert public key and trustdb export into reproducible rom:
-gpg --home=/media/gpg_keys --export-secret-keys --armor e@mail.address > /media/gpg_keys/private.key
+cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key && cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/otrust.txt" -f /media/gpg_keys/otrust.txt
-cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/public.key" -f /media/gpg_keys/public.key
+#Flush changes to external media: 
-cbfs -o /media/coreboot.rom -a "heads/initrd/.gnupg/keys/private.key" -f /media/gpg_keys/private.key
+mount -o,remount ro /media
-mount -o remount,ro /media
+#Flash modified reproducible rom with inserted public key and trustdb export from precedent step. Flushes actual rom's keys (-c: clean):
-flash.sh /media/coreboot.com
+flash.sh -c /media/coreboot.rom
+#Attest integrity of firmware as it is
+seal-totp
+#Verify Intel ME state:
 cbmem --console | grep '^ME'
 cbmem --console | less

initrd/bin/flash-gui.sh

@@ -143,12 +143,18 @@ while true; do
             cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/pubring.kbx"
           fi
           cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/pubring.kbx" -f /.gnupg/pubring.kbx
-
+          
+          #TODO: Remove this? Not useful in GPG2
           if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/trustdb.gpg") then
             cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/trustdb.gpg"
           fi
           cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/trustdb.gpg" -f /.gnupg/trustdb.gpg
 
+          if (cbfs -o /tmp/gpg-gui.rom -l | grep -q "heads/initrd/.gnupg/otrust.txt") then
+            cbfs -o /tmp/gpg-gui.rom -d "heads/initrd/.gnupg/otrust.txt"
+          fi
+          cbfs -o /tmp/gpg-gui.rom -a "heads/initrd/.gnupg/otrust.txt" -f /.gnupg/otrust.txt
+
           if (whiptail --title 'Flash ROM?' \
               --yesno "This will replace your old ROM with $ROM\n\nDo you want to proceed?" 16 90) then
             /bin/flash.sh /tmp/gpg-gui.rom

initrd/bin/key-init

@@ -5,7 +5,12 @@ set -e -o pipefail
 # Post processing of keys
 
 # Import user's keys
-gpg --import /.gnupg/keys/* 2>/dev/null || true
+gpg --import /.gnupg/keys/*.key 2>/dev/null || true
+
+#Import trustdb if it exists
+if [ -s /.gnupg/keys/otrust.txt ]; then
+  gpg --import-ownertrust /.gnupg/keys/otrust.txt
+fi
 
 # Import trusted distro keys allowed for ISO signing
 gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || true