WiP: gpg2 2.2.21 LTS upgrade (gnupg toolstack)

[tlaurion]

It builds for all boards but cannot be injected for librem_mini: https://app.circleci.com/pipelines/github/tlaurion/heads/524/workflows/1605502b-5125-40de-8896-05a5d69086a5/jobs/568

librem_mini/util/cbfstool/cbfstool librem_mini/coreboot.pre.tmp add-payload -f ../../build/librem_mini/bzImage -n fallback/payload  -c none  -r COREBOOT   -C "intel_iommu=igfx_off quiet loglevel=2" -I "../../build/librem_mini/initrd.cpio.xz"
E: Could not add [../../build/librem_mini/bzImage, 7154226 bytes (6986 KB)@0x0]; too big?
E: Failed to add '../../build/librem_mini/bzImage' into ROM image.
E: Failed while operating on 'COREBOOT' region!
E: The image will be left unmodified.
make[1]: *** [Makefile.inc:1020: librem_mini/coreboot.pre] Error 1
rm librem_mini/util/cbfstool/fmd_parser.c librem_mini/util/cbfstool/fmd_scanner.c
make[1]: Leaving directory '/root/project/build/coreboot-4.12'

@MrChromebox #590 ? Can some kernel modules be removed, support for some changed?

Other boards CI built was successful https://app.circleci.com/pipelines/github/tlaurion/heads/525/workflows/0b48848e-9c14-49c1-971d-c4c3e5d297c4/jobs/569

No reproducibility testing was done. First step addressing #777.

[MrChromebox]

@tlaurion I'll be increasing the BIOS region (and CBFS size) on the Mini from 8M to 13.5M so space shouldn't be an issue going forward

[tlaurion]

@MrChromebox let me know and point PR back to here, since this CI passing will depend on librem_mini having CBFS region upgraded.

[tlaurion]

got it

[tlaurion]

So now. The problem to resolve, now that we have enough space to upgrade gpg toolstack for all officially supported boards without causing regression, is to fix #764. Wrapping my head around the problem.

EDIT: this explains the problem.
In my own understanding, it seems that redirection of output works when from terminal, where it doesn't work from script without a console:

@alex-nitrokey
Though the GnuPG commands are output which was not the case in the past. This is why I believe that updating gpg2 could be the cause here.

EDIT2: this is what needs to be checked: #764 (comment)

[MrChromebox]

@tlaurion checked out this PR and tested on top of my current Purism branch (essentially master + my pending PRs), and no issues with key generation via OEM reset, subsequent verification via a Librem key, or re-signing /boot checksums on either a Librem 13v4 or Librem Mini

[tlaurion]

@MrChromebox : this is an happy surprise.

[MrChromebox]

@tlaurion all of these tests were using kernel 5.4.69, not that it should make a difference

[tlaurion]

Tested https://app.circleci.com/pipelines/github/tlaurion/heads/545/workflows/ec55885e-b642-45e4-b96a-582f95c465e8/jobs/593 x230-hotp-verification with OEM factory reset (which should also be shown when no public key is found in ROM in GPG options menu.)