

WiP key to card fails with invalid time when moving keys to smartcard
- whiptail_or_die has HEIGHT 0. This doesn't show a scrolling window here which is problematic
- Adding DO_WITH_DEBUG in that specific gpg call
- switching build derivative from qemu and qemu_kvm to qemu_full to have qemu-img tool which is missing to run qemu boards

building of qemu-full failed
ceph> [  6%] Linking CXX static library ../../lib/libcls_lock_client.a
ceph> [  6%] Built target cls_lock_client
ceph> [  6%] Building CXX object src/erasure-code/shec/CMakeFiles/shec_utils.dir/ErasureCodePluginShec.cc.o
ceph> [  6%] Building C object src/erasure-code/jerasure/CMakeFiles/gf-complete_objs.dir/gf-complete/src/gf_rand.c.o
ceph> [  6%] Building C object src/erasure-code/jerasure/CMakeFiles/gf-complete_objs.dir/gf-complete/src/gf_w8.c.o
ceph> In function 'gf_w8_table_init',
ceph>     inlined from 'gf_w8_init' at /build/ceph-18.2.1/src/erasure-code/jerasure/gf-complete/src/gf_w8.c:2321:36:
ceph> /build/ceph-18.2.1/src/erasure-code/jerasure/gf-complete/src/gf_w8.c:1176:7: warning: 'scase' may be used uninitialized [8;;https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wmaybe-uninitialized-Wmaybe-uninitialized8;;]
ceph>  1176 |       switch (scase) {
ceph>       |       ^~~~~~
ceph> /build/ceph-18.2.1/src/erasure-code/jerasure/gf-complete/src/gf_w8.c: In function 'gf_w8_init':
ceph> /build/ceph-18.2.1/src/erasure-code/jerasure/gf-complete/src/gf_w8.c:1140:22: note: 'scase' was declared here
ceph>  1140 |   int a, b, c, prod, scase;
ceph>       |                      ^~~~~
ceph> [  6%] Built target gf-complete_objs
ceph> [  6%] Building CXX object src/global/CMakeFiles/libglobal_objs.dir/global_init.cc.o
ceph> [  6%] Built target erasure_code_objs
ceph> [  6%] Building CXX object src/common/options/CMakeFiles/common-options-objs.dir/ceph-exporter_options.cc.o
ceph> [  6%] Building CXX object src/common/options/CMakeFiles/common-options-objs.dir/rgw_options.cc.o
ceph> [  6%] Built target jerasure_objs
ceph> [  6%] Building CXX object src/perfglue/CMakeFiles/heap_profiler.dir/disabled_heap_profiler.cc.o
ceph> [  6%] Building CXX object src/common/CMakeFiles/common_prioritycache_obj.dir/PriorityCache.cc.o
ceph> [  6%] Built target jerasure_utils
ceph> [  6%] Building CXX object src/global/CMakeFiles/libglobal_objs.dir/pidfile.cc.o
ceph> [  7%] Building CXX object src/global/CMakeFiles/libglobal_objs.dir/signal_handler.cc.o
ceph> [  8%] Building CXX object src/mgr/CMakeFiles/mgr_cap_obj.dir/MgrCap.cc.o
ceph> [  8%] Building CXX object src/erasure-code/shec/CMakeFiles/shec_utils.dir/ErasureCodeShec.cc.o
ceph> [  8%] Building CXX object src/erasure-code/shec/CMakeFiles/shec_utils.dir/ErasureCodeShecTableCache.cc.o
ceph> [  8%] Building C object src/erasure-code/shec/CMakeFiles/shec_utils.dir/determinant.c.o
ceph> [  8%] Linking CXX static library ../../lib/libheap_profiler.a
ceph> [  8%] Built target heap_profiler
ceph> [  8%] Building CXX object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isal_crypto_accel.cc.o
ceph> [  8%] Building CXX object src/crypto/openssl/CMakeFiles/ceph_crypto_openssl.dir/openssl_crypto_accel.cc.o
ceph> [  8%] generating /build/ceph-18.2.1/build/include/tracing/bluestore.h
ceph> [  8%] Built target bluestore-tp
ceph> [  8%] Building CXX object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isal_crypto_plugin.cc.o
ceph> [  8%] Building C object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_pre.c.o
ceph> [  8%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_multibinary.asm.o
ceph> [  8%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/keyexp_128.asm.o
ceph> [  8%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/keyexp_192.asm.o
ceph> [  8%] generating /build/ceph-18.2.1/build/include/tracing/objectstore.h
ceph> [  8%] Built target objectstore-tp
ceph> [  8%] Building CXX object src/crypto/openssl/CMakeFiles/ceph_crypto_openssl.dir/openssl_crypto_plugin.cc.o
ceph> g++: fatal error: Killed signal terminated program cc1plus
ceph> compilation terminated.
ceph> make[2]: *** [src/msg/CMakeFiles/common-msg-objs.dir/build.make:90: src/msg/CMakeFiles/common-msg-objs.dir/Message.cc.o] Error 1
ceph> make[1]: *** [CMakeFiles/Makefile2:2910: src/msg/CMakeFiles/common-msg-objs.dir/all] Error 2
ceph> make[1]: *** Waiting for unfinished jobs....
ceph> [  8%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/keyexp_256.asm.o
ceph> [  8%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/keyexp_multibinary.asm.o
ceph> [  8%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_dec_128_x4_sse.asm.o
ceph> [  8%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_dec_128_x8_avx.asm.o
ceph> [  8%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_dec_192_x4_sse.asm.o
ceph> [  9%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_dec_192_x8_avx.asm.o
ceph> [  9%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_dec_256_x4_sse.asm.o
ceph> [  9%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_dec_256_x8_avx.asm.o
ceph> [  9%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_enc_128_x4_sb.asm.o
ceph> [  9%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_enc_128_x8_sb.asm.o
ceph> [  9%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_enc_192_x4_sb.asm.o
ceph> [  9%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_enc_192_x8_sb.asm.o
ceph> [  9%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_enc_256_x4_sb.asm.o
ceph> [  9%] Building ASM object src/crypto/isa-l/CMakeFiles/ceph_crypto_isal.dir/isa-l_crypto/aes/cbc_enc_256_x8_sb.asm.o
ceph> [  9%] Built target common_prioritycache_obj
ceph> [  9%] Built target libglobal_objs
ceph> [  9%] Built target common-options-objs
ceph> [  9%] Built target shec_utils
ceph> [  9%] Linking CXX shared library ../../../lib/libceph_crypto_isal.so
ceph> [  9%] Built target ceph_crypto_isal
ceph> [  9%] Linking CXX shared library ../../../lib/libceph_crypto_openssl.so
ceph> [  9%] Built target ceph_crypto_openssl
ceph> [  9%] Built target mgr_cap_obj
ceph> make: *** [Makefile:146: all] Error 2
error: builder for '/nix/store/gxpjmqm57sqlfgzx2nrlkwbb5bbyxahb-ceph-18.2.1.drv' failed with exit code 2
error: 1 dependencies of derivation '/nix/store/8hgd99r54la7hbwzqlflw5i3xnprc1iy-qemu-8.2.2.drv' failed to build
error: 1 dependencies of derivation '/nix/store/757id018h7mlvv6iqjlxdmqpihlsbph4-nix-shell-env.drv' failed to build

- Updating nix pinned package list under flake.lock with 'nix flake update'
- README.md: have consistent docker testing + release (push) notes
- flake.nix: add gnupg so that qemu boards can call inject_gpg to inject public key in absence of flashrom+pflash support for internal flashing
- .circleci/config.yml: depend on docker v0.1.8 (qemu_full built with canokey-qemu lib support, diffoscopeMinimal and gnupg for proper qemu testing)
 - Note that this might also change since Nix is upstreaming canokey support under qemu built derivatives
Signed-off-by: Thierry Laurion <[email protected]>
tlaurion committed May 15, 2024
1 parent b80aa87 commit 3284387
Showing 5 changed files with 19 additions and 11 deletions.
8 changes: 4 additions & 4 deletions .circleci/config.yml
Expand Up @@ -45,7 +45,7 @@ commands:
jobs:
prep_env:
docker:
- image: tlaurion/heads-dev-env:v0.1.6
- image: tlaurion/heads-dev-env:v0.1.8
resource_class: large
working_directory: ~/heads
steps:
Expand Down Expand Up @@ -111,7 +111,7 @@ jobs:

build_and_persist:
docker:
- image: tlaurion/heads-dev-env:v0.1.6
- image: tlaurion/heads-dev-env:v0.1.8
resource_class: large
working_directory: ~/heads
parameters:
Expand Down Expand Up @@ -139,7 +139,7 @@ jobs:

build:
docker:
- image: tlaurion/heads-dev-env:v0.1.6
- image: tlaurion/heads-dev-env:v0.1.8
resource_class: large
working_directory: ~/heads
parameters:
Expand All @@ -160,7 +160,7 @@ jobs:

save_cache:
docker:
- image: tlaurion/heads-dev-env:v0.1.6
- image: tlaurion/heads-dev-env:v0.1.8
resource_class: large
working_directory: ~/heads
steps:
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -97,6 +97,10 @@ Maintenance notes on docker image
Redo the steps above in case the flake.nix or nix.lock changes. Then publish on docker hub:

```
docker tag linuxboot/heads:dev-env tlaurion/heads-dev-env:vx.y.z
docker push tlaurion/heads-dev-env:vx.y.z
#test against CircleCI in PR. Merge.
#make last version the latest
docker tag tlaurion/heads-dev-env:vx.y.z tlaurion/heads-dev-env:latest
docker push tlaurion/heads-dev-env:latest
```
6 changes: 3 additions & 3 deletions flake.lock


8 changes: 5 additions & 3 deletions flake.nix
Expand Up @@ -75,14 +75,16 @@
canokeySupport = true; # This override enables Canokey support in QEMU, resulting in -device canokey being available.
})
# Packages for qemu support with Canokey integration from previous override
#qemu_full #Heavier but contains qemu-img, kvm and everything else needed to do development cycles under docker
qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement.
qemu_kvm # kvm additional support for qemu without all the qemu-img and everything else under qemu_full
qemu_full #Heavier but contains qemu-img, kvm and everything else needed to do development cycles under docker
#qemu # To test make BOARD=qemu-coreboot-* boards and then call make BOARD=qemu-coreboot-* with inject_gpg statement, and then run statement.
#qemu_kvm # kvm additional support for qemu without all the qemu-img and everything else under qemu_full
] ++ [
# Additional tools for debugging/editing/testing.
vim # Mostly used amongst us, sorry if you'd like something else, open issue.
swtpm # QEMU requirement to emulate tpm1/tpm2.
dosfstools # QEMU requirement to produce valid fs to store exported public key to be fused through inject_key on qemu (so qemu flashrom emulated SPI support).
diffoscopeMinimal # Not sure exactly what is packed here, let's try.
gnupg #to inject public key inside of qemu create rom through inject_gpg target of targets/qemu.mk TODO: remove when pflash supported by flashrom
#diffoscope #should we include it? Massive:11 GB uncompressed. Wow?!?!
] ++ [
# Tools for handling binary blobs in their compressed state. (blobs/xx30/vbios_[tw]530.sh)
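Review bot: The comment on the newly enabled `qemu_full` line does not record what switching to it costs: the commit description shows the docker image build failing while compiling `ceph-18.2.1` as a dependency of `qemu-8.2.2`, with `g++: fatal error: Killed signal terminated program cc1plus`, which looks like a memory limit on the build host rather than a source error. Since the comment is the only place a future maintainer will look before repeating that build, suggest extending it, e.g. `qemu_full # Heavier: pulls in ceph and friends via qemu's full closure; image build needs ample RAM (see cc1plus OOM in commit 3284387)`. The `diffoscopeMinimal # Not sure exactly what is packed here, let's try.` comment also reads as a placeholder; the commit description says it is there for proper qemu testing, so stating that purpose would be more useful than the current wording.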
4 changes: 3 additions & 1 deletion initrd/bin/oem-factory-reset
Expand Up @@ -275,6 +275,8 @@ keytocard_subkeys_to_smartcard() {

gpg_key_factory_reset

DEBUG "GPG_USER_MAIL: ${GPG_USER_MAIL}"

echo "Moving subkeys to smartcard..."
{
echo "key 1" #Toggle on Signature key in --edit-key mode on local keyring
Expand All @@ -297,7 +299,7 @@ keytocard_subkeys_to_smartcard() {
echo "${ADMIN_PIN_DEF}" #Smartcard Admin PIN
echo "key 3" #Toggle off Authentication key
echo "save" #Save changes and commit to keyring
} | gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
} | DO_WITH_DEBUG gpg --expert --command-fd=0 --status-fd=1 --pinentry-mode=loopback --edit-key "${GPG_USER_MAIL}" \
>/tmp/gpg_card_edit_output 2>&1
if [ $? -ne 0 ]; then
ERROR=$(cat /tmp/gpg_card_edit_output)
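Review bot: The failure check `if [ $? -ne 0 ]` immediately after the pipeline now tests the exit status of `DO_WITH_DEBUG`, the new last command of `} | DO_WITH_DEBUG gpg …`, rather than gpg itself (unless the script sets `pipefail`, which is not visible here). DO_WITH_DEBUG is defined outside this hunk, so confirm it ends by executing `"$@"` with nothing after it and returns that status; otherwise a failed key-to-card edit is not caught and the script proceeds as if the subkeys were moved. The stdin fed to gpg carries the smartcard Admin PIN (`echo "${ADMIN_PIN_DEF}"` in the same hunk); a wrapper that only traces argv should not expose it, but verify DO_WITH_DEBUG does not also echo its stdin, since the transcript in /tmp/gpg_card_edit_output is later displayed in full on the error path. keytocard_subkeys_to_smartcard starts before the first hunk and continues after the second.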

