
Add reset command for nitrokey 3 #46

Status: Open. sosthene-nitrokey wants to merge 1 commit into base branch master.

Conversation

sosthene-nitrokey (Contributor) commented Nov 25, 2024

Close #42

./hotp_verification reset

is a no-op on a device other than an NK3. On an NK3, it resets the secrets app and thus the HOTP code.

nestire commented Nov 27, 2024

I get this with a Nitrokey Pro 2 or Nitrokey Storage attached; the same binary works with an NK3.

-rwxr-xr-x 1 user user 55K Nov 27 10:54 hotp_verification
sha256sum hotp_verification
86c94ed1bc0cfb43b3dc2b423b74a56ef80f356fc0aa83915a82ef04651c2862  hotp_verification
[user@work nitrokey-hotp-verification (nk3-reset)]$ ./hotp_verification reset
HOTP code verification application, version 1.6

Segmentation fault (core dumped)
[user@work nitrokey-hotp-verification (nk3-reset)]$ 

tlaurion (Contributor) commented Nov 28, 2024

Ideally, hotp_verification reset would accept a parameter here, which would be the secret app PIN.

Otherwise, as can be seen under linuxboot/heads@07f3710, it requires an additional step, which would be a PIN change, but we don't have a PIN here, since we just reset :)

I still think, as said under #36 (comment), that changing the PIN is not really important to the Heads use case since we reset. What is important is setting a secret app PIN at the moment of OEM factory reset/re-ownership.

Need:

  • hotp_verification reset DESIRED_SECRET_APP_PIN

Originally posted by @tlaurion in #42 (comment)

sosthene-nitrokey (Contributor, Author) commented:

Yes, I'm on it; I'm just waiting for the devices I need to reproduce and debug the segfaults, which are on their way.

tlaurion (Contributor) commented:

Ideally, hotp_verification reset would accept a parameter here, which would be the secret app PIN.

Otherwise, as can be seen under linuxboot/heads@07f3710, it requires an additional step, which would be a PIN change, but we don't have a PIN here, since we just reset :)

I still think, as said under #36 (comment), that changing the PIN is not really important to the Heads use case since we reset. What is important is setting a secret app PIN at the moment of OEM factory reset/re-ownership.

Need:

  • hotp_verification reset DESIRED_SECRET_APP_PIN

Originally posted by @tlaurion in #42 (comment)

@sosthene-nitrokey please ack.

tlaurion (Contributor) commented Nov 30, 2024

Reasoning excerpt:

TL;DR: hotp-verification should

  • either set a default secret app PIN and offer a PIN change, so re-ownership can change it just like before as part of re-ownership for <NK3 (the GPG Admin PIN for <NK3 is the NK3 secret app PIN for NK3; this is a regression as of today: best practices were not followed, and reinventing the wheel with a weaker process was chosen as of today),
  • have hotp_verification reset SECRET_APP_PIN require a PIN if none is set by default, or
  • have hotp_verification reset set a default PIN, which, if we don't plan to reinvent the wheel, should be equivalent to the GPG Admin PIN, which is 12345678.

Originally posted by @tlaurion in linuxboot/heads#1866 (comment)

These are implementation choices. The second option was chosen in the present PR; either is good, but one needed to be implemented.
Note that physical presence is still needed, but once instead of twice (changing the PIN would also require physical presence, right? Until #41 is implemented in a firmware version bump).

As soon as a commit is provided without regression, I can easily adapt the WiP code under linuxboot/heads#1850, specifically the part related to the present PR's change: the NK3-related secret app reset needed under oem-factory-reset, as noted in the self-review comment at linuxboot/heads#1850 (comment).
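The behaviour the thread converges on, a reset that is a no-op on anything other than an NK3 and that requires a secret-app PIN argument on an NK3, written out as an added C example. This is not the nitrokey-hotp-verification project's code; the device and secrets-app structs, the status codes, the PIN length bounds and the in-memory "reset" are all assumptions made for illustration. The model check happens before any NK3-only state is touched, which is the kind of gating whose absence shows up as the segfault reported above on a Pro 2 or Storage.

```c
/* Added example, not the nitrokey-hotp-verification project's code.
 * Models `hotp_verification reset [PIN]`: a no-op on anything but an
 * NK3, and on an NK3 a mandatory secret-app PIN before the HOTP slot is
 * wiped. Device state is simulated in memory; status codes and PIN
 * length bounds are assumptions for this example. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum model { MODEL_PRO2, MODEL_STORAGE, MODEL_NK3 };

enum reset_status {
    RESET_OK = 0,           /* NK3: secrets app wiped, new PIN set */
    RESET_NOOP = 1,         /* not an NK3: nothing to do, not an error */
    RESET_PIN_REQUIRED = 2, /* NK3 but no PIN argument was given */
    RESET_PIN_INVALID = 3,  /* NK3, PIN outside the accepted length */
    RESET_NO_DEVICE = 4,    /* NULL device handle */
    RESET_UNKNOWN_CMD = 5   /* argv[1] is not "reset" */
};

/* Only an NK3 carries the secrets app; on other models the pointer is
 * NULL, which is exactly the state that must never be dereferenced. */
struct secrets_app {
    char pin[17];
    int hotp_slot_programmed;
};

struct device {
    enum model model;
    struct secrets_app *secrets; /* NULL unless model == MODEL_NK3 */
};

#define PIN_MIN_LEN 4   /* assumed bounds for this example */
#define PIN_MAX_LEN 16

enum reset_status cmd_reset(struct device *dev, const char *pin)
{
    if (dev == NULL)
        return RESET_NO_DEVICE;
    /* Gate on the model first: a Pro 2 or Storage has no secrets app,
     * so return before touching any NK3-only state. */
    if (dev->model != MODEL_NK3 || dev->secrets == NULL)
        return RESET_NOOP;
    if (pin == NULL)
        return RESET_PIN_REQUIRED;
    size_t n = strlen(pin);
    if (n < PIN_MIN_LEN || n > PIN_MAX_LEN)
        return RESET_PIN_INVALID;
    /* Reset the secrets app: the HOTP slot is gone and the new PIN
     * takes effect, so no separate PIN-change step is needed. */
    dev->secrets->hotp_slot_programmed = 0;
    memset(dev->secrets->pin, 0, sizeof dev->secrets->pin);
    memcpy(dev->secrets->pin, pin, n);
    return RESET_OK;
}

/* argv dispatch for `hotp_verification reset [PIN]`; argv[2] is optional
 * on the command line but mandatory on an NK3 (enforced in cmd_reset). */
enum reset_status run_reset_argv(struct device *dev, int argc, char **argv)
{
    if (argc < 2 || strcmp(argv[1], "reset") != 0)
        return RESET_UNKNOWN_CMD;
    const char *pin = (argc >= 3) ? argv[2] : NULL;
    return cmd_reset(dev, pin);
}

int main(int argc, char **argv)
{
    /* Constructed sample devices: one NK3 with a programmed HOTP slot,
     * one Pro 2 with no secrets app at all. */
    struct secrets_app app = { "12345678", 1 };
    struct device nk3 = { MODEL_NK3, &app };
    struct device pro2 = { MODEL_PRO2, NULL };
    printf("pro2: status %d\n", run_reset_argv(&pro2, argc, argv));
    printf("nk3:  status %d (slot programmed: %d)\n",
           run_reset_argv(&nk3, argc, argv), app.hotp_slot_programmed);
    return 0;
}
```

Running it as `./a.out reset 87654321` gives status 1 (no-op) for the Pro 2 and status 0 for the NK3 with the slot cleared; running `./a.out reset` with no PIN gives status 2 for the NK3, which is the "PIN required" behaviour the second option in the thread asks for.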


Linked issue (may be closed by merging this pull request): Add option to do a secrets apps reset for the nk3 similar to: nitropy nk3 secret reset

3 participants