…gpg2

…lly work, tools and libs updated to latest versions

…ty is used to enter passphrase. Else, gpg complaints of not being able to open /dev/tty, even though GPG_TTY environmenent variable is forced in init

…lled; trying to get console tty from the tty returns "no console". NEEDs BETTER FIX.

…hub.com/tlaurion/heads into gpg2

…lly work, tools and libs updated to latest versions

…ty is used to enter passphrase. Else, gpg complaints of not being able to open /dev/tty, even though GPG_TTY environmenent variable is forced in init

…lled; trying to get console tty from the tty returns "no console". NEEDs BETTER FIX.

…init

To help with onboarding new users to Heads, this change will detect when
Heads does not have any keys in its keyring and will guide the user
through adding a key to the running BIOS. It's important that this
happen *before* guiding them through setting up an initial TOTP/HOTP
secret because adding a GPG key changes the BIOS, so the user would have
to generate TOTP/HOTP secrets 2x unless we handle the keyring case
first.

In addition to this change I've simplified the main menu so that the
majority of the options appear under an 'advanced' menu.

gpg2 needs GPG_TTY set to function properly.  We set it in /init so it
is inherited by all children.  The call to $(tty) must be after /dev and
(preferably) /dev/pts are mounted.

Signed-off-by: Jason Andryuk <jandryuk@gmail.com>

We want to catch the missing GPG keyring error regardless of TPM failure
or even in the case of a system without a TPM at all so we need to move
that section up above the TPM check.

The Librem coreboot is labeled with the current version and is visible
from dmidecode and is supposed to reflect the current version of
coreboot, however it was out of date and reflected 4.7 when Heads has
moved on to 4.8.1.

I've also added a simple change to further simplify onboarding by
warning users who have Librem Key configured when they boot without it
being inserted.

…t system

file selection code duplicated into gui-init

…o adding key and otrust output after GPG card key generation.

…s instead of luksDump.

/initrd/bin/gui-init:
-inclusion of cryptsetup-reencrypt code
-WiP: Onboarding menu enforced by /boot/oem file being present
--State of onboarding progress is appended in that file.

-tpm ownership added into ownership process
-cryptsetup forced to change password on slot0. Learned my lesson: not specifying it makes cryptsetup writes the new password into slot 1, leaving slot 0 empty. As a result, the luksKillslot done by setting a new default wiped out the recovery password, making the Luks container without any key to unlock it.

Removing cryptsetup Whital yessno menu for a textbox. Was misleading to the user.
We want the user to not have any choice but continue the onboarding process until it's done.

TODO: move gpg2 code from /etc/functions to gui-init.

… non empty.

check_onboarding_progress inserts "onboarding" when it first checks checks that file.
Afterward, the C (Continue Ownership) is triggered when the /boot/oem file is found unempty.

check_onboarding_progress checks for status updates being inserted in /boot/oem and selects the proper menu until all unboarding is done.
In successive stages, the user is invited to:
Rencrypt LUKS container with a new key and Recovery passphrase
Factory reset it's GPG card, own it, genrate keys and insert public and trusdb export into reflashed rom.
TPM/HOTP reownership and sealing. (Might not be needed)

New menus are provided:
R: Reencrypt LUKS container and change it's password
F: Factory reset GPG card

…eyring_detection-reown_hardware

…can grow LUKS container if needed from recovery shell

…t for qt5

…ction-reown_hardware' of github.com:tlaurion/heads into x230_FBWhiptail_GPG2_clean_LibremKey-empty_keyring_detection-reown_hardware

…IOS" option when no GPG key is found into rom.

…ing. Switching back to 30 90, which is used everywhere else.