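#!/bin/bash
# Install the Fedora-signed shim as the default EFI loader, chain-load the
# existing systemd-boot install through it, add MokManager / KeyTool / UEFI
# Shell entries to the systemd-boot menu, and generate + enqueue a Machine
# Owner Key (MOK) for signing modules.
#
# Invocation: run as an unprivileged user. The script re-executes itself under
# sudo for the privileged part and, only if that succeeds, runs
# sign-modules.sh (next to this file) as the invoking user.
#
# Optional environment (forwarded through sudo):
#   ESP_DISK, ESP_PART   block device / partition passed to efibootmgr
#                        (defaults: /dev/nvme0n1 and 0, the originally
#                        hard-coded values).
#   SHIM_RPM_SHA256      if set, the downloaded shim RPM must match this digest.
#   SHELL_EFI_SHA256     if set, the downloaded Shell.efi must match this digest.
#
# Assumes: an apt-based distro, the ESP mounted at /boot/efi, and systemd-boot
# already installed there (EFI/systemd/systemd-bootx64.efi, loader/loader.conf).
set -euo pipefail

# Directory of this script, valid even when invoked as `bash setup.sh` from
# its own directory (the old `${BASH_SOURCE%/*}` left the file name in that
# case, so sign-modules.sh and openssl.cnf were looked up under a file path).
scriptRoot="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd -P)"
scriptName="$(basename -- "${BASH_SOURCE[0]}")"

# Elevate: privileged half first, module signing as the original user only if
# the privileged half succeeded (set -e aborts on a failed sudo).
if (( EUID != 0 )); then
    # Pass the tunables explicitly via env(1): sudo's env_reset would
    # otherwise drop them. Empty values fall back to the defaults below.
    sudo env \
        "ESP_DISK=${ESP_DISK-}" \
        "ESP_PART=${ESP_PART-}" \
        "SHIM_RPM_SHA256=${SHIM_RPM_SHA256-}" \
        "SHELL_EFI_SHA256=${SHELL_EFI_SHA256-}" \
        bash "$scriptRoot/$scriptName"
    bash "$scriptRoot/sign-modules.sh"
    exit 0
fi

# verify_sha256 FILE EXPECTED
# Abort the script unless FILE hashes to EXPECTED (hex SHA-256).
verify_sha256() {
    local file="$1" expected="$2"
    sha256sum --check --quiet <<<"$expected  $file"
}

# Scratch directory; removed on every exit path (success, error, signal).
contextRoot="$(mktemp -d)"
cleanup() {
    cd / || true
    rm -rf -- "${contextRoot:?}"
}
trap cleanup EXIT
cd -- "$contextRoot"

packageName="shim.rpm"
espDisk="${ESP_DISK:-/dev/nvme0n1}"
espPart="${ESP_PART:-0}"

# Prerequisites.
# NOTE(review): rpm2archive (used below) ships in the `rpm` package rather
# than `rpm2cpio` on Debian/Ubuntu — confirm on the target before relying on
# this list.
apt-get install -y wget rpm2cpio efitools

# Download and extract the Fedora shim package.
# The binary inside is the Microsoft-signed shim; the RPM itself is GPG-signed
# by Fedora. The strongest check is `rpm --checksig` after importing the
# matching Fedora release key; here we at least pin the digest when the caller
# supplies one, and warn loudly when it does not.
shimRpmUrl="https://kojipkgs.fedoraproject.org/packages/shim/15.6/2/x86_64/shim-x64-15.6-2.x86_64.rpm"
wget -O "$packageName" -- "$shimRpmUrl"
if [[ -n "${SHIM_RPM_SHA256:-}" ]]; then
    verify_sha256 "$packageName" "$SHIM_RPM_SHA256"
else
    printf 'WARNING: SHIM_RPM_SHA256 is unset; %s is not verified against a pinned digest\n' "$packageName" >&2
fi
rpm2archive "$packageName"
tar -xzf "$packageName.tgz"
rm -f -- "$packageName" "$packageName.tgz"

# Layout: ESP-relative paths (used in loader entries and efibootmgr) and the
# corresponding absolute paths under the mounted ESP.
src="./boot/efi/EFI/fedora"
efiDirName="/EFI"
bootDirName="$efiDirName/BOOT"
systemdDirName="$efiDirName/systemd"

shimBaseName="shimx64.efi"
mokManagerBaseName="mmx64.efi"
keyToolBaseName="KeyTool.efi"
shellBaseName="Shell.efi"

defaultFileName="$bootDirName/BOOTx64.efi"
systemdFileName="$systemdDirName/systemd-bootx64.efi"
grubFileName="$bootDirName/grubx64.efi"
mokManagerFileName="$bootDirName/$mokManagerBaseName"
keyToolFileName="$systemdDirName/$keyToolBaseName"
shellFileName="$systemdDirName/$shellBaseName"

espPath="/boot/efi"
bootPath="$espPath$bootDirName"
systemdDirPath="$espPath$systemdDirName"
loaderEntriesPath="$espPath/loader/entries"
defaultPath="$espPath$defaultFileName"   # was "$esp$defaultFileName": undefined var, wrote to /EFI/BOOT/...
systemdPath="$espPath$systemdFileName"
shellPath="$espPath$shellFileName"
grubPath="$espPath$grubFileName"
keyToolSrc="/usr/lib/efitools/x86_64-linux-gnu/$keyToolBaseName"

mkdir -p -- "$bootPath" "$systemdDirPath" "$loaderEntriesPath"

# Install the binaries.
# shim looks for grubx64.efi next to itself, so systemd-boot is copied under
# that name; shim itself becomes the removable-media default loader.
cp -- "$systemdPath" "$grubPath"
cp -- "$src/$shimBaseName" "$defaultPath"
cp -- "$src/$mokManagerBaseName" "$bootPath/"
cp -- "$keyToolSrc" "$systemdDirPath/"
wget -O "$shellPath" -- \
    "https://github.com/tianocore/edk2-archive/raw/master/ShellBinPkg/UefiShell/X64/Shell.efi"
if [[ -n "${SHELL_EFI_SHA256:-}" ]]; then
    verify_sha256 "$shellPath" "$SHELL_EFI_SHA256"
else
    printf 'WARNING: SHELL_EFI_SHA256 is unset; %s is not verified against a pinned digest\n' "$shellPath" >&2
fi

# Give the systemd-boot copy an SBAT section so shim 15.6 will load it.
{
    echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"
    echo "systemd-boot,1,systemd,systemd-boot,1,https://systemd.io"
} > "$contextRoot/sbat.csv"

# No idea where the `10000000` comes from...
# Taken from https://github.com/rhboot/shim/issues/376#issuecomment-964137621
# Editing the PE invalidates any Authenticode signature it carried, so the
# result must be signed with the MOK generated below before shim will boot it
# (presumably done by sign-modules.sh — confirm).
objcopy --set-section-alignment '.sbat=512' --add-section ".sbat=$contextRoot/sbat.csv" \
    --change-section-address .sbat+10000000 -- "$grubPath"

# Firmware boot entry, added only once so re-runs do not pile up duplicates.
# NOTE(review): `--part 0` is the original value; efibootmgr partition numbers
# are normally 1-based — confirm against the target's partition table.
if ! efibootmgr | grep -qE '^Boot[0-9A-Fa-f]{4}\*? Shim([[:space:]]|$)'; then
    efibootmgr --unicode --disk "$espDisk" --part "$espPart" \
        --create --label "Shim" --loader "$defaultFileName"
fi

# systemd-boot menu: keep an existing timeout rather than appending another.
loaderConf="$espPath/loader/loader.conf"
if ! grep -qE '^timeout[[:space:]]' "$loaderConf" 2>/dev/null; then
    echo "timeout 4" >> "$loaderConf"
fi

{
    echo "title MokManager"
    echo "efi   $mokManagerFileName"
} > "$loaderEntriesPath/MokManager.conf"

{
    echo "title KeyTool"
    echo "efi   $keyToolFileName"
} > "$loaderEntriesPath/KeyTool.conf"

{
    echo "title UEFI Shell"
    echo "efi   $shellFileName"
} > "$loaderEntriesPath/Shell.conf"   # was "Shell.conf:" — stray colon in the file name

# Surface MOK (distro-provided key for the linux-surface kernel packages).
apt-get install -y linux-surface-secureboot-mok

# Local MOK used by sign-modules.sh.
# The private key is written unencrypted (-nodes) so module signing can run
# unattended; compensate by keeping the directory and key mode 0700/0600.
# An existing key is reused: regenerating it would orphan everything already
# signed with the old one and require a second enrolment round-trip.
keyDir="/var/lib/shim-signed/mok"
mkdir -p -- "$keyDir"
chmod 700 -- "$keyDir"
cp -- "$scriptRoot/openssl.cnf" "$keyDir/openssl.cnf"

if [[ -e "$keyDir/MOK.priv" ]]; then
    printf 'Reusing existing MOK key pair in %s\n' "$keyDir" >&2
else
    (
        umask 077
        openssl req -config "$keyDir/openssl.cnf" \
            -new -x509 -newkey rsa:2048 \
            -nodes -days 36500 -outform DER \
            -keyout "$keyDir/MOK.priv" \
            -out "$keyDir/MOK.der"
    )
fi

# Queue the key for enrolment (MokManager prompts on next boot) unless the
# firmware already has it.
if ! mokutil --test-key "$keyDir/MOK.der" >/dev/null 2>&1; then
    mokutil --import "$keyDir/MOK.der"
fi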