heads/initrd/init

#! /bin/bash
# Note this is used on legacy-flash boards that lack bash, it runs with busybox
# ash.  Calls to bash scripts must be guarded by checking config.

mknod /dev/ttyprintk c 5 3
echo "hello world" >/dev/ttyprintk

# Setup our path
export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin

# This is the very first script invoked by the Linux kernel and is
# running out of the ram disk.  There are no fileysstems mounted.
# It is important to have a way to invoke a recovery shell in case
# the boot scripts are messed up, but also important to modify the
# PCRs if this happens to prevent the TPM Disk Unlock Keys from being revealed.

# First thing it is vital to mount the /dev and other system directories
mkdir /proc /sys /dev /tmp /boot /media 2>&- 1>&-
mount /dev 2>/dev/ttyprintk
mount /proc 2>/dev/ttyprintk
mount /sys 2>/dev/ttyprintk

if [ "$CONFIG_LINUXBOOT" = "y" ]; then
	mount /sys/firmware/efi/efivars
fi

# Setup the pty pseudo filesystem
mkdir /dev/pts
mount /dev/pts 2>/dev/ttyprintk

if [ ! -r /dev/ptmx ]; then
	ln -s /dev/pts/ptmx /dev/ptmx
fi

# Needed by bash
[ -e /dev/stdin ] || ln -s /proc/self/fd/0 /dev/stdin
[ -e /dev/stdout ] || ln -s /proc/self/fd/1 /dev/stdout
[ -e /dev/stderr ] || ln -s /proc/self/fd/2 /dev/stderr
[ -e /dev/fd ] || ln -s /proc/self/fd /dev/fd

# Recovery shells will erase anything from here
mkdir -p /tmp/secret

# Now it is safe to print a banner
if [ -r /etc/motd ]; then
	cat /etc/motd >/dev/tty0
fi

# Load the date from the hardware clock, setting it in local time
hwclock -l -s

# When mounting a filesystem, try exFAT last, since it logs errors if the
# filesystem is not exFAT, and the errors go to the console.  Those errors are
# spurious when the medium is iso9660.  By default in our config, the only
# filesystem after exFAT is iso9660, move exFAT last.
(grep -v '^\texfat$' /proc/filesystems && echo -e '\texfat') >/etc/filesystems

# Read the system configuration parameters from build time board configuration
. /etc/config
# import global functions
. /etc/functions

# export user related content from cbfs
if [ "$CONFIG_COREBOOT" = "y" ]; then
	/bin/cbfs-init
fi

# Override CONFIG_USE_BLOB_JAIL if needed and persist via user config
if lspci -n | grep -E -q "8086:(2723|4df0)"; then
	if ! cat /etc/config.user 2>/dev/null | grep -q "USE_BLOB_JAIL"; then
		echo "CONFIG_USE_BLOB_JAIL=y" >>/etc/config.user
	fi
fi

# Override CONFIG_TPM and CONFIG_TPM2_TOOLS from /etc/config with runtime value
# determined above.
#
# Values in user config have higher priority during combining thus effectively
# changing the value for the rest of the scripts which source /tmp/config.

#Only set CONFIG_TPM and CONFIG_TPM2_TOOLS if they are not already set in /etc/config.user
if ! grep -q 'CONFIG_TPM=' /etc/config.user 2>/dev/null; then
	echo "export CONFIG_TPM=\"$CONFIG_TPM\"" >>/etc/config.user
fi
if ! grep -q 'CONFIG_TPM2_TOOLS=' /etc/config.user 2>/dev/null; then
	echo "export CONFIG_TPM2_TOOLS=\"$CONFIG_TPM2_TOOLS\"" >>/etc/config.user
fi

# CONFIG_BASIC was previously CONFIG_PUREBOOT_BASIC in the PureBoot distribution.
# Substitute it in config.user if present for backward compatibility.
sed -i -e 's/^export CONFIG_PUREBOOT_BASIC=/export CONFIG_BASIC=/g' /etc/config.user

# Combine user configuration overrides from CBFS's /etc/config.user
combine_configs
# Load the user configuration parameters from combined config
. /tmp/config

# Enable maximum debug info from here if config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
	#Output all kernel messages to console (8=debug)
	#DEBUG and TRACE calls will be in dmesg and on console
	# config.user extracted and combined from CBFS had CONFIG_DEBUG_OUTPUT=y
	TRACE_FUNC
	dmesg -n 8
	DEBUG "Full debug output enabled from this point: output both in dmesg and on console (equivalent of passing debug to kernel cmdline)"
fi

# report if we are in quiet mode, tell user measurements logs available under /tmp/debug.log
if [ "$CONFIG_QUIET_MODE" = "y" ]; then
	# check origin of quiet mode setting =y: if it is under /etc/config.user then early cbfs-init outputs are not suppressible
	# if it is under /etc/config then early cbfs-init outputs are suppressible
	if ! grep -q 'CONFIG_QUIET_MODE="y"' /etc/config.user 2>/dev/null; then
		echo "Quiet mode enabled: refer to '/tmp/debug.log' for boot measurements traces" >/dev/tty0
	else
		echo "Runtime Quiet mode: refer to '/tmp/debug.log' for additional boot measurements traces past this point" >/dev/tty0
		echo "To suppress earlier boot measurements traces, enable CONFIG_QUIET_MODE=y in your board configuration at build time." >/dev/tty0
	fi
fi

TRACE_FUNC

# make sure we have sysctl requirements
if [ ! -d /proc/sys ]; then
	warn "BUG!!! The following requirements to apply runtime kernel tweaks are missing:"
	warn "CONFIG_SYSCTL=y"
	warn "CONFIG_PROC_SYSCTL=y"
	warn "Please open an issue"
fi

if [ ! -e /proc/sys/vm/panic_on_oom ]; then
	warn "BUG!!! Requirements to setup Panic when under Out Of Memory situation through PROC_SYSCTL are missing (panic_on_oom was not enabled)"
	warn "Please open an issue"
else
	DEBUG "Applying panic_on_oom setting to sysctl"
	echo 1 >/proc/sys/vm/panic_on_oom
fi

# set CONFIG_TPM dynamically off before init if no TPM device is present
if [ ! -e /dev/tpm0 ]; then
	CONFIG_TPM='n'
	CONFIG_TPM2_TOOLS='n'
fi

#Specify whiptail background colors cues under FBWhiptail only
if [ -x /bin/fbwhiptail ]; then
	export BG_COLOR_WARNING="${CONFIG_WARNING_BG_COLOR:-"--background-gradient 0 0 0 150 125 0"}"
	export BG_COLOR_ERROR="${CONFIG_ERROR_BG_COLOR:-"--background-gradient 0 0 0 150 0 0"}"
	export BG_COLOR_MAIN_MENU="normal"
else
	export TEXT_BG_COLOR_WARNING="${CONFIG_WARNING_TEXT_BG_COLOR:-"yellow"}"
	export TEXT_BG_COLOR_ERROR="${CONFIG_ERROR_TEXT_BG_COLOR:-"red"}"
	export BG_COLOR_MAIN_MENU="normal"
fi

if [ "$CONFIG_TPM" = "y" ]; then
	# Initialize tpm2 encrypted sessions here
	tpmr startsession
fi

if [ "$CONFIG_LINUXBOOT" = "y" ]; then
	# Initialize the UEFI environment for linuxboot boards
	/bin/uefi-init
fi

# Set GPG_TTY before calling gpg in key-init
#TODO: do better then this; on dual console gpg only interacts with main console (affects Talos-2 and all whiptail variants)
export GPG_TTY=/dev/console

# Initialize gpnupg with distro/user keys and setup the keyrings
/bin/key-init

# Setup recovery serial shell
if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then
	stty -F "$CONFIG_BOOT_RECOVERY_SERIAL" 115200
	pause_recovery 'Serial console recovery shell' \
		<"$CONFIG_BOOT_RECOVERY_SERIAL" \
		>"$CONFIG_BOOT_RECOVERY_SERIAL" 2>&1 &
fi

# load USB modules for boards using a USB keyboard
if [ "$CONFIG_USB_KEYBOARD_REQUIRED" = y ] || [ "$CONFIG_USER_USB_KEYBOARD" = "y" ]; then
	enable_usb
fi

# If the user has been holding down r, enter a recovery shell
# otherwise immediately start the configured boot script.
# We don't print a prompt, since this is a near instant timeout.
read \
	-t 0.1 \
	-n 1 \
	boot_option
echo

if [ "$boot_option" = "r" ]; then
	# Start an interactive shell
	recovery 'User requested recovery shell'
	# just in case...
	exit
elif [ "$boot_option" = "o" ]; then
	# Launch OEM Factory Reset mode
	echo -e "***** Entering OEM Factory Reset mode\n" >/dev/tty0
	oem-factory-reset --mode oem
	# just in case...
	exit
fi

if [ "$CONFIG_BASIC" = "y" ]; then
	echo -e "***** BASIC mode: tamper detection disabled\n" >/dev/tty0
fi

# export firmware version
export FW_VER=$(fw_version)

# Add our boot devices into the /etc/fstab, if they are defined
# in the configuration file.
if [ ! -z "$CONFIG_BOOT_DEV" ]; then
	echo >>/etc/fstab "$CONFIG_BOOT_DEV /boot auto defaults,ro 0 0"
fi

# Set the console font if needed
setconsolefont.sh

if [ "$CONFIG_BASIC" = "y" ]; then
	CONFIG_BOOTSCRIPT=/bin/gui-init-basic
	export CONFIG_HOTPKEY=n
fi

# Perform board-specific init if present
if [ -x /bin/board-init.sh ]; then
	/bin/board-init.sh
fi

if [ ! -x "$CONFIG_BOOTSCRIPT" -a ! -x "$CONFIG_BOOTSCRIPT_NETWORK" ]; then
	recovery 'Boot script missing?  Entering recovery shell'
else
	if [ -x "$CONFIG_BOOTSCRIPT_NETWORK" ]; then
		echo '***** Network Boot:' $CONFIG_BOOTSCRIPT_NETWORK
		$CONFIG_BOOTSCRIPT_NETWORK
		echo '***** Network Boot Completed:' $CONFIG_BOOTSCRIPT_NETWORK
		# not blocking
	fi

	if [ -x "$CONFIG_BOOTSCRIPT" ]; then
		echo '***** Normal boot:' $CONFIG_BOOTSCRIPT

		if [ -x /bin/setsid ] && [ -x /bin/agetty ]; then
			for console in $CONFIG_BOOT_EXTRA_TTYS; do
				setsid agetty -aroot -l"$CONFIG_BOOTSCRIPT" "$console" linux &
			done
		fi

		#Setup a control tty so that all terminals outputs correct tty when tty is called
		exec cttyhack "$CONFIG_BOOTSCRIPT"
	else
		# wait for boot via network to occur
		pause_recovery 'Override network boot. Entering recovery shell'
	fi
fi

# We should never reach here, but just in case...
recovery 'Boot script failure?  Entering recovery shell'