Bump Dasharo Coreboot / hotp-verification; fix nitropad-nxx ec-powerdown

[daringer]

This is the upstream relevant part of Nitrokey's next release for the Nitropads, it consists of three parts:

1. update Dasharo Coreboot to the most recent version (1.7.2)

• all previous coreboot patches are now upstreamed and removed
• added a minimal-change patch to switch available S-states based on model during compile-time
• fixes: ns50 v2.3 suspend causes freeze on resume Nitrokey/heads#29 (suspend compatibility improved, see below)
• fixes: [nitropad-nx] igfx not properly working, reports llvm-pipe Nitrokey/heads#25 (see tests below)
• fixes: Integrate noise reduction feature from Dasharo Nitrokey/heads#32 (part of the dasharo coreboot bump)

2. fix watchdog-based powerdown for nitropad-nxx

• fixes: [nitropad-nx] watchdog-based poweroff/reboot not triggered correctly Nitrokey/heads#24

3. updates hotp-verification to obey Nitrokey 3's extended security model

• older hotp-verification versions + NK3 v1.6 will not allow overwriting the HOTP secret, workaround: delete it manually using nitropy
• using this hotp-verification version the HOTP secret is first removed before setting it again during HOTP regeneration
• this change is fully backwards compatible with any previously working tokens

Test Results

First round of tests was done for t430-hotp-max, nitropad-nv41, nitropad-ns50:

• QubesOS / ubuntu regular boot + installation
• splash screen visible
• flashing using the build-time-provided .zip
• suspend ns50 (S0ix) -> QubesOS (not ok/expected), Ubuntu (ok)
• suspend nv41 (S3) -> QubesOS (ok), Ubuntu (ok)
• igfx availability (nv41/ns50) inside Ubuntu (ok)
• igfx availability (nv41/ns50) inside QubesOS (4.1.2) still llvm-pipe, works with QubesOS 4.2
• branding and vendor reconfiguration works as expected (site-local)
• Nitrokey 3 HOTP with firmware <v1.6 & >=v1.6

We plan for another round of testing early in January, once these tests confirm the listed ones - I'll change the PR to be ready-for-review.

[tlaurion]

@JonathonHall-Purism time to test hotp for regression and approve?

[tlaurion]

Tested without regression

• Untested_w530-hotp-maximized (new main machine)

[daringer]

At this point we cannot get rid of the SMMSTORE - Dasharo introduces reading from it here: This means that currently any Dasharo build is implicitly depending on SMMSTORE (even if it's not explicitly set in the configs, it will be pulled in via EDK2). Removing this might be possible, but is quite a bigger changeset which we would have to introduce and I cannot oversee currently if this would introduce regressions of some kind.

[daringer]

We also did another full test iteration today, fully confirmed what is written in "Test Results" in the initial post

[JonathonHall-Purism]

Tested Librem 14 + Librem Key, looks good to me. Thanks @daringer