From eca4e341769d0bd97b73dab15376242214abbfda Mon Sep 17 00:00:00 2001
From: Thierry Laurion <insurgo@riseup.net>
Date: Thu, 12 Dec 2024 17:03:47 -0500
Subject: [PATCH] WiP: staging changes

Attacking nv index next for TPM nvram read in prod_quiet testing

Signed-off-by: Thierry Laurion <insurgo@riseup.net>
---
 initrd/bin/gui-init          | 4 +++-
 initrd/bin/oem-factory-reset | 4 ++--
 initrd/etc/functions         | 4 ++--
 modules/hotp-verification    | 2 +-
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index 9e94c30e..c9ee5d45 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -571,7 +571,7 @@ reset_tpm()
       # now that the TPM is reset, remove invalid TPM counter files
       mount_boot
       mount -o rw,remount /boot
-      warn "Removing rollback and primary handle hash under /boot"
+      LOG "Removing rollback and primary handle hash under /boot"
       rm -f /boot/kexec_rollback.txt
       rm -f /boot/kexec_primhdl_hash.txt
 
@@ -585,6 +585,8 @@ reset_tpm()
 
       sha256sum /tmp/counter-$counter > /boot/kexec_rollback.txt \
       || die "Unable to create rollback file"
+
+	  warn "boot content has been modified, please update the checksums and sign the files from Options -> Update checksums and sign all files in /boot"
       mount -o ro,remount /boot
 
       generate_totp_hotp "$tpm_owner_password"
diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index a4096153..58ab1e59 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -1288,7 +1288,7 @@ else
 	#Reset Nitrokey 3 secret app
 	reset_nk3_secret_app
 	#Generate GPG key and subkeys on smartcard only
-	echo -e "\nResetting USB Security dongle's OpenPGP smartcard with GPG...\n(this will take around 3 minutes...)\n"
+	echo -e "\nResetting USB Security dongle's OpenPGP smartcard with GPG...\n(this may take up to 3 minutes...)\n"
 	gpg_key_factory_reset
 	generate_OEM_gpg_keys
 fi
@@ -1353,7 +1353,7 @@ else
 	#We are not running in QEMU, so flash the key to ROM
 
 	## flash generated key to ROM
-	echo -e "\nReading current firmware...\n(this will take a minute or two)\n"
+	echo -e "\nReading current firmware...\n(this may take up to two minutes...)\n"
 	/bin/flash.sh -r /tmp/oem-setup.rom >/dev/null 2>/tmp/error
 	if [ ! -s /tmp/oem-setup.rom ]; then
 		ERROR=$(tail -n 1 /tmp/error | fold -s)
diff --git a/initrd/etc/functions b/initrd/etc/functions
index f6438ae7..e6cd706f 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -368,7 +368,7 @@ check_tpm_counter() {
 	if [ -r "$1" ]; then
 		TPM_COUNTER=$(grep counter- "$1" | cut -d- -f2)
 	else
-		warn "$1 does not exist; creating new TPM counter"
+		LOG "$1 does not exist; creating new TPM counter"
 		tpmr counter_create \
 			-pwdc '' \
 			-la $LABEL |
@@ -384,7 +384,7 @@ check_tpm_counter() {
 
 read_tpm_counter() {
 	TRACE_FUNC
-	tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" ||
+	tpmr counter_read -ix "$1" | tee "/tmp/counter-$1" > /dev/null 2>&1 ||
 		die "Counter read failed"
 }
 
diff --git a/modules/hotp-verification b/modules/hotp-verification
index 5bd1650a..d9511d2a 100644
--- a/modules/hotp-verification
+++ b/modules/hotp-verification
@@ -7,7 +7,7 @@ hotp-verification_version := e6cf719d67a811356eecff69769fa1dbce47f953
 hotp-verification_dir := hotp-verification-$(hotp-verification_version)
 hotp-verification_tar := nitrokey-hotp-verification-$(hotp-verification_version).tar.gz
 hotp-verification_url := https://github.com/Nitrokey/nitrokey-hotp-verification/archive/$(hotp-verification_version).tar.gz
-hotp-verification_hash := 1095640fdae77938ce2d2ce294c7ecb8c27b77060975af8d838b6fd056ed5068
+hotp-verification_hash := 3c8b44e4d9a1f7454269f76102f32de6ed9de19ab0cf7119747eb97377c66a84
 
 hotp-verification_target := \
 	$(MAKE_JOBS) \