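#!/bin/bash
#
# Installs shim + systemd-boot into the EFI System Partition so a Secure
# Boot machine boots systemd-boot through shim, adds MokManager / KeyTool /
# UEFI Shell loader entries, and generates and enrolls a Machine Owner Key
# (MOK) used to sign out-of-tree kernel modules.
#
# Usage:  bash install.sh            (re-executes the privileged half via sudo,
#                                     then runs sign-modules.sh as the caller)
# Env:    EFI_DISK / EFI_PART       disk and partition handed to efibootmgr
#                                     (default /dev/nvme0n1 and 0)
#         SHIM_RPM_SHA256           optional sha256 of the shim RPM; verified
#                                     when set, otherwise a warning is printed
#         UEFI_SHELL_SHA256         optional sha256 of Shell.efi; same rule
# Files:  expects sign-modules.sh and openssl.cnf next to this script.
# Host:   Debian/Ubuntu (uses apt); the ESP must be mounted at /boot/efi and
#         systemd-boot must already be installed there.

set -euo pipefail

# Directory holding this script. `${BASH_SOURCE%/*}` alone yields the file
# name itself when the script is invoked without a slash (`bash install.sh`),
# which would turn scriptRoot into a file path; dirname handles that case.
scriptRoot=$(realpath "$(dirname "${BASH_SOURCE[0]}")")
readonly scriptRoot

# Tunables, taken from the environment with the script's historical defaults.
readonly EFI_DISK="${EFI_DISK:-/dev/nvme0n1}"
readonly EFI_PART="${EFI_PART:-0}"
readonly SHIM_RPM_SHA256="${SHIM_RPM_SHA256:-}"
readonly UEFI_SHELL_SHA256="${UEFI_SHELL_SHA256:-}"

readonly SHIM_RPM_URL='https://kojipkgs.fedoraproject.org//vol/fedora_koji_archive02/packages/shim-signed/15/2/x86_64/shim-x64-15-2.x86_64.rpm'
readonly UEFI_SHELL_URL='https://github.com/tianocore/edk2-archive/raw/master/ShellBinPkg/UefiShell/X64/Shell.efi'

# Scratch directory for the downloaded package; set by install_as_root and
# removed by cleanup on every exit path.
contextRoot=''

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the scratch directory if one was created.
# Globals:   contextRoot (read)
#######################################
cleanup() {
  if [[ -n "$contextRoot" ]]; then
    rm -rf -- "$contextRoot"
  fi
}

#######################################
# Download a URL to a file and verify its sha256 when an expected digest is
# given. Without a digest the file is still used, but a warning is printed
# so the missing integrity check is visible in the log.
# Arguments: $1 - URL
#            $2 - destination path
#            $3 - expected sha256 hex digest (may be empty)
# Returns:   0 on success; exits via die on download or digest mismatch
#######################################
fetch() {
  local url=$1 dest=$2 expected=${3:-}
  wget -O "$dest" -- "$url" || die "download failed: $url"
  if [[ -n "$expected" ]]; then
    printf '%s  %s\n' "$expected" "$dest" | sha256sum -c --quiet - \
      || die "sha256 mismatch for $dest (from $url)"
  else
    printf 'warning: no checksum configured for %s; integrity not verified\n' "$url" >&2
  fi
}

#######################################
# Write a systemd-boot loader entry.
# Arguments: $1 - entry file name (without .conf)
#            $2 - menu title
#            $3 - EFI binary path relative to the ESP root
# Globals:   ESP (read)
#######################################
write_loader_entry() {
  local name=$1 title=$2 efi=$3
  printf 'title %s\nefi %s\n' "$title" "$efi" > "$ESP/loader/entries/$name.conf"
}

#######################################
# Privileged half: install shim next to systemd-boot, register the firmware
# boot entry, add loader entries and generate/enroll the MOK.
# Globals:   scriptRoot, EFI_DISK, EFI_PART, SHIM_RPM_URL, SHIM_RPM_SHA256,
#            UEFI_SHELL_URL, UEFI_SHELL_SHA256 (read); contextRoot, ESP (written)
# Returns:   0 on success; any failing step aborts the script (set -e)
#######################################
install_as_root() {
  contextRoot=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT

  local packageName="$contextRoot/shim.rpm"

  # Install Prerequisites
  apt install -y wget rpm2cpio efitools

  # Download and Extract Package
  fetch "$SHIM_RPM_URL" "$packageName" "$SHIM_RPM_SHA256"
  rpm2archive "$packageName"
  tar -xvzf "$packageName.tgz" -C "$contextRoot"
  rm -f -- "$packageName" "$packageName.tgz"

  # Initialize variables
  local src="$contextRoot/boot/efi/EFI/fedora"
  ESP=/boot/efi
  local defaultBootDir="$ESP/EFI/BOOT"
  local systemdDirName=/EFI/systemd
  local systemdFullName="$ESP$systemdDirName"
  local systemdFile="$systemdFullName/systemd-bootx64.efi"
  # shim loads grubx64.efi as its second stage by default, so systemd-boot
  # is installed under that name.
  local bootFile="$defaultBootDir/grubx64.efi"

  [[ -f "$systemdFile" ]] \
    || die "systemd-boot not found at $systemdFile; install it (bootctl install) first"

  # Set up files
  cp -- "$systemdFile" "$bootFile"
  cp -- "$src/shimx64.efi" "$defaultBootDir/BOOTx64.efi"
  cp -- "$src/mmx64.efi" "$defaultBootDir"
  cp -- /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi "$systemdFullName/"
  fetch "$UEFI_SHELL_URL" "$systemdFullName/Shell.efi" "$UEFI_SHELL_SHA256"

  # Give the systemd-boot copy an SBAT section so shim will load it.
  {
    printf '%s\n' "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"
    printf '%s\n' "systemd-boot,1,systemd,systemd-boot,1,https://systemd.io"
  } > "$contextRoot/sbat.csv"
  # No idea where the `10000000` comes from...
  # Taken from https://github.com/rhboot/shim/issues/376#issuecomment-964137621
  objcopy --set-section-alignment '.sbat=512' \
    --add-section ".sbat=$contextRoot/sbat.csv" \
    --change-section-address .sbat+10000000 "$bootFile"

  # Add boot entries
  # NOTE(review): efibootmgr partition numbers normally start at 1; confirm
  # that EFI_PART=0 is really intended for this machine.
  efibootmgr --unicode --disk "$EFI_DISK" --part "$EFI_PART" --create \
    --label "Shim" --loader /EFI/BOOT/BOOTx64.efi

  # Configure systemd-boot. The timeout line is appended only once so that
  # re-running the script does not accumulate duplicates.
  local loaderConf="$ESP/loader/loader.conf"
  grep -qx 'timeout 4' "$loaderConf" 2>/dev/null \
    || printf 'timeout 4\n' >> "$loaderConf"
  write_loader_entry MokManager "MokManager" /EFI/BOOT/mmx64.efi
  write_loader_entry KeyTool "KeyTool" "$systemdDirName/KeyTool.efi"
  write_loader_entry Shell "UEFI Shell" "$systemdDirName/Shell.efi"

  # Install surface MOK
  apt install -y linux-surface-secureboot-mok

  # Install MOK Key. An existing key pair is kept: regenerating it would
  # leave every module signed with the old key unverifiable.
  local keyDir=/var/lib/shim-signed/mok
  mkdir -p -- "$keyDir"
  if [[ -f "$keyDir/MOK.priv" && -f "$keyDir/MOK.der" ]]; then
    printf 'MOK already present in %s; not regenerating\n' "$keyDir" >&2
  else
    cp -- "$scriptRoot/openssl.cnf" "$keyDir/openssl.cnf"
    # The key is written without a passphrase (-nodes); umask 077 keeps it
    # from ever being readable by other users, since anyone holding it can
    # sign modules that the enrolled MOK accepts.
    (
      umask 077
      openssl req -config "$keyDir/openssl.cnf" \
        -new -x509 -newkey rsa:2048 \
        -nodes -days 36500 -outform DER \
        -keyout "$keyDir/MOK.priv" \
        -out "$keyDir/MOK.der"
    )
  fi
  chmod 0600 -- "$keyDir/MOK.priv"
  mokutil --import "$keyDir/MOK.der"
}

#######################################
# Entry point. Unprivileged callers re-run the script through sudo and then
# run sign-modules.sh as themselves; root runs the install directly.
# Globals:   scriptRoot, EFI_DISK, EFI_PART, SHIM_RPM_SHA256,
#            UEFI_SHELL_SHA256 (read)
#######################################
main() {
  if (( UID != 0 )); then
    # Tunables are forwarded through env because sudo's env_reset would
    # otherwise drop them. sign-modules.sh only runs if the root half
    # succeeded (the original ran it regardless).
    sudo env \
      EFI_DISK="$EFI_DISK" EFI_PART="$EFI_PART" \
      SHIM_RPM_SHA256="$SHIM_RPM_SHA256" UEFI_SHELL_SHA256="$UEFI_SHELL_SHA256" \
      bash "${BASH_SOURCE[0]}" || die "privileged install failed"
    bash "$scriptRoot/sign-modules.sh"
  else
    install_as_root
  fi
}

main "$@"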