Use HOTP TPM counter instead of Heads when signing, if present

TPM v1.2 has a limitation in that only a single monotonic counter can be
incremented between reboots [1]. So in the event we are using HOTP
monotonic counters, we need to reference those for the Heads rollback
counter when we update file signatures in /boot, otherwise the increment
stage at kexec-sign-config will fail since at each boot, the HOTP
monotonic counter has already been incremented.

[1] https://projects.csail.mit.edu/tc/tpmj/UsersGuide.html#inccounter

initrd/bin/gui-init

@@ -78,7 +78,14 @@ update_checksums()
     # sign and auto-roll config counter
     extparam=
     if [ "$CONFIG_TPM" = "y" ]; then
-      extparam=-u
+      if [ -x /bin/libremkey_hotp_verification ]; then
+        check_tpm_counter /boot/kexec_hotp_counter hotp \
+        || die "Unable to find/create TPM counter"
+        counter="$TPM_COUNTER"
+        extparam="-c $counter"
+      else
+        extparam=-u
+      fi
     fi
     kexec-sign-config -p /boot $extparam \
     || die "Failed to sign default config"
@@ -241,9 +248,6 @@ while true; do
       || die "Unable to find/create tpm counter"
       counter="$TPM_COUNTER"
 
-      increment_tpm_counter $counter \
-      || die "Unable to increment tpm counter"
-
       sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
       || die "Unable to create rollback file"
       mount -o ro,remount /boot