#!/bin/bash
#
# openmamba secure boot setup script
#
# Copyright (c) 2024 by Silvan Calarco <silvan.calarco@mambasoft.it>
# Released under the terms of the GNU GPL License v3

# Requires: sbsigntools shim-signed efibootmgr

# Sample chroot mount:
# sudo mount -o bind /dev /mnt/sda2/dev
# sudo mount -o bind /sys /mnt/sda2/sys
# sudo mount -o bind /proc /mnt/sda2/proc
# sudo mount -o bind /run /mnt/sda2/run
# sudo mount -o bind /mnt/sda1 /mnt/sda2/boot/efi
# sudo mount -o bind /sys/firmware/efi/efivars /mnt/sda2/sys/firmware/efi/efivars/

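# Steps performed (all as root, only when Secure Boot is active):
#   1. create a Machine Owner Key (MOK) under ${CERTDIR} if none exists
#   2. install the grub EFI image and sign it with the MOK
#   3. sign every /boot/vmlinuz-* kernel with the MOK
#   4. copy MOK.cer, shimx64.efi and mmx64.efi (MokManager) into the ESP
#   5. add an EFI boot entry pointing at shimx64.efi
#
# Usage: sb-setup [-q]     (-q suppresses progress messages)

# Abort with a message on stderr. Used for the steps whose failure would
# otherwise leave an unsigned image or a dangling boot entry behind.
die() {
   printf '%s\n' "$*" >&2
   exit 1
}

# Progress message, silenced by -q.
log() {
   [ "$QUIET" ] || printf '%s\n' "$*"
}

# Bytes 1-4 of the SecureBoot efivar (expected layout: 4-byte attribute header
# followed by the 1-byte value), so "00000001" means Secure Boot is enabled.
# Empty when not booted in EFI mode or when efivars is not mounted.
SECUREBOOT_ENABLED=$(xxd -p -l4 -s1 /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null)

QUIET=

[ "${1-}" = "-q" ] && QUIET=1

log "Secure boot setup script for openmamba"

[ "$UID" -eq 0 ] || {
   echo "This script must be run as root; exiting."
   exit 1
}

[ "$SECUREBOOT_ENABLED" == "00000001" ] || {
   log "Secure Boot is not enabled; exiting."
   exit 0
}

EFIDIR=/boot/efi
EFILABEL="openmamba"
CERTDIR="/var/lib/sb-setup/mok"
BOOTDEV=$(findmnt -fno SOURCE /boot/efi)
[ "$BOOTDEV" ] || die "Cannot determine the device mounted on /boot/efi; exiting."

# Setup Machine Owner Key folder.
# The directory holds the MOK private key: anyone able to read it can sign
# binaries the firmware will trust once the MOK is enrolled, so keep it root-only.
[ -d "$CERTDIR" ] || mkdir -p "$CERTDIR" || die "Cannot create ${CERTDIR}; exiting."
chmod 700 "$CERTDIR"

# Create the key pair only when key or certificate is missing. Checking MOK.cer
# alone (as before) would silently replace an already enrolled key when just the
# DER copy had been lost.
if [ ! -e "${CERTDIR}/MOK.key" ] || [ ! -e "${CERTDIR}/MOK.crt" ]; then
   log "Creating Machine Owner Key and certificates"
   # Subshell so the restrictive umask applies to the key material only.
   (umask 077 && openssl req -newkey rsa:2048 -nodes -keyout "${CERTDIR}/MOK.key" -new -x509 -sha256 \
      -days 3650 -subj "/CN=${EFILABEL} Machine Owner Key/" -out "${CERTDIR}/MOK.crt") \
      || die "Creating the Machine Owner Key failed; exiting."
   # A fresh key invalidates any DER copy derived from the previous certificate.
   rm -f "${CERTDIR}/MOK.cer"
fi

# DER form of the certificate; this is the file copied to the ESP for enrolment.
[ -e "${CERTDIR}/MOK.cer" ] \
   || openssl x509 -outform DER -in "${CERTDIR}/MOK.crt" -out "${CERTDIR}/MOK.cer" \
   || die "Converting MOK.crt to DER failed; exiting."

#grub-mkimage -o ${EFIDIR}/grubx64.efi -O x86_64-efi -p /boot/grub \

log "Create EFI grub image"
grub-install --target=x86_64-efi --efi-directory="$EFIDIR" --bootloader-id="$EFILABEL" \
   --sbat /usr/share/grub/sbat.csv --recheck \
   --modules="all_video bli boot chain configfile cpuid echo efifwsetup efi_gop efi_uga efinet ext2 \
   fat font gettext gfxmenu gfxterm gfxterm gfxterm_background gzio halt help hfsplus \
   iso9660 jpeg keystatus linux loadenv loopback ls lsefi lsefimmap lsefisystab lssal \
   memdisk minicmd normal ntfs ntfscomp part_apple part_gpt part_msdos password_pbkdf2 \
   play png probe reboot regexp search search_fs_file search_fs_uuid search_label sleep \
   smbios squash4 test tpm true video video_bochs video_cirrus xfs zfs zfscrypt zfsinfo" \
   || die "grub-install failed; exiting."

GRUBIMG="${EFIDIR}/EFI/${EFILABEL}/grubx64.efi"
log "Signing EFI grub image for Secure Boot"
sbsign --key "${CERTDIR}/MOK.key" --cert "${CERTDIR}/MOK.crt" --output "$GRUBIMG" "$GRUBIMG" \
   || die "Signing ${GRUBIMG} failed; exiting."

for k in /boot/vmlinuz-*; do
   # Without nullglob an unmatched pattern is passed through literally; skip it.
   [ -e "$k" ] || continue
   log "Signing $k for Secure Boot"
   # Remove a previous signature if present (fails harmlessly when there is none)
   sbattach --remove "$k" 2>/dev/null
   sbsign --key "${CERTDIR}/MOK.key" --cert "${CERTDIR}/MOK.crt" --output "$k" "$k" \
      || die "Signing $k failed; exiting."
done

log "Copying MOK.cer into ${EFIDIR}/EFI/${EFILABEL}/"
cp "${CERTDIR}/MOK.cer" "${EFIDIR}/EFI/${EFILABEL}/" \
   || die "Copying MOK.cer failed; exiting."

# Install shim-signed (shimx64.efi) together with MokManager (mmx64.efi)
log "Installing shim images on ${EFIDIR}/EFI/${EFILABEL}"
cp /usr/share/shim-signed/shimx64.efi "${EFIDIR}/EFI/${EFILABEL}/" \
   || die "Copying shimx64.efi failed; exiting."
cp /usr/share/shim-signed/mmx64.efi "${EFIDIR}/EFI/${EFILABEL}/" \
   || die "Copying mmx64.efi failed; exiting."

# Create EFI bootmanager entry for shimx64
# NOTE: -c always adds a new entry, so rerunning the script accumulates
# duplicate "${EFILABEL}" entries; remove stale ones (efibootmgr -b XXXX -B)
# before rerunning.
log "Configuring /EFI/${EFILABEL}/shimx64.efi for boot"
efibootmgr -q -c -d "$BOOTDEV" -L "$EFILABEL" -l "/EFI/${EFILABEL}/shimx64.efi" \
   || die "Creating the EFI boot entry failed; exiting."

log "Done."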
