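#!/bin/sh
# kexec-save-default: persist the chosen boot menu entry as the default,
# hash the boot files it references, and sign the resulting config set.
#
# Usage: kexec-save-default -b /boot -i <menu_index> [-d <params_dev>] [-p <params_dir>]
#
# Inputs read:  /tmp/kexec/kexec_menu.txt (produced by kexec-select-boot)
# Files written (in $paramsdir): kexec_default.<index>.txt,
#                                kexec_default_hashes.txt
# Side effects: may invoke kexec-save-key (TPM disk key), remounts
#               $paramsdev rw for the duration of the write and ro afterwards,
#               and calls kexec-sign-config (which rolls the config counter).
#
# Runs on the Heads busybox shell; `pipefail`, `read -n`/`-p` and `trap EXIT`
# are relied on here, so a plain POSIX sh may not run this script unchanged.
set -e -o pipefail
. /etc/functions

bootdir=""
paramsdev=""
paramsdir=""
index=""

while getopts "b:d:p:i:" arg; do
  case "$arg" in
    b) bootdir="$OPTARG" ;;
    d) paramsdev="$OPTARG" ;;
    p) paramsdir="$OPTARG" ;;
    i) index="$OPTARG" ;;
  esac
done

if [ -z "$bootdir" ] || [ -z "$index" ]; then
  die "Usage: $0 -b /boot -i menu_option "
fi

# $index is spliced into `head -n` and into a file name; accept only a
# positive decimal integer so neither can be steered by a stray argument.
case "$index" in
  ''|*[!0-9]*) die "Invalid menu index $index" ;;
esac

# The params device/dir default to the boot dir when not given explicitly.
[ -n "$paramsdev" ] || paramsdev="$bootdir"
[ -n "$paramsdir" ] || paramsdir="$bootdir"

# Drop a trailing slash so the paths built below do not contain "//".
bootdir="${bootdir%%/}"
paramsdev="${paramsdev%%/}"
paramsdir="${paramsdir%%/}"

TMP_MENU_FILE="/tmp/kexec/kexec_menu.txt"
ENTRY_FILE="$paramsdir/kexec_default.$index.txt"
HASH_FILE="$paramsdir/kexec_default_hashes.txt"

if [ ! -r "$TMP_MENU_FILE" ]; then
  die "No menu options available, please run kexec-select-boot"
fi

# The menu is one entry per line; line $index is the one to persist.
entry="$(head -n "$index" "$TMP_MENU_FILE" | tail -1)"
if [ -z "$entry" ]; then
  die "Invalid menu index $index"
fi

# First-time setup: optionally seal a disk encryption key into the TPM.
KEY_DEVICE_FILE="$paramsdir/kexec_key_devices.txt"
if [ ! -r "$KEY_DEVICE_FILE" ]; then
  read -r -n 1 \
    -p "Do you wish to add a disk encryption to the TPM [y/N]: " \
    add_key_confirm
  echo

  case "$add_key_confirm" in
    y|Y)
      read -r \
        -p "Encrypted LVM group? (e.g. qubes_dom0 or blank): " \
        lvm_volume_group
      read -r \
        -p "Encrypted devices? (e.g. /dev/sda2 or blank): " \
        key_devices

      # Build the kexec-save-key argument list in the positional parameters.
      # $key_devices is a space-separated list typed by the operator and is
      # deliberately left unquoted so each device becomes its own argument.
      set -- -s -p "$paramsdev"
      if [ -n "$lvm_volume_group" ]; then
        set -- "$@" -l "$lvm_volume_group"
      fi
      # shellcheck disable=SC2086
      set -- "$@" $key_devices

      echo "Running kexec-save-key with params: $*"
      kexec-save-key "$@" \
        || die "Failed to save the disk key"
      ;;
  esac
fi

# Switch the params device to rw for the write below.  Whatever happens
# after this point (including a die), put it back to ro on exit so the
# boot/params filesystem is not left writable.
mount -o rw,remount "$paramsdev"
trap 'mount -o ro,remount "$paramsdev"' EXIT

if [ ! -d "$paramsdir" ]; then
  mkdir -p "$paramsdir" \
    || die "Failed to create params directory"
fi

# Remove any previously saved default(s) so exactly one
# kexec_default.<n>.txt remains and gets signed below.  The glob must be
# unquoted to expand; the prefix is quoted to protect the directory path.
rm -f "$paramsdir"/kexec_default.*.txt 2>/dev/null || true

printf '%s\n' "$entry" > "$ENTRY_FILE"

# kexec-boot -f prints the boot files the entry references; hash each one.
# With pipefail a failure of kexec-boot inside the pipeline reaches || die.
cd "$bootdir" && kexec-boot -b "$bootdir" -e "$entry" -f | \
  xargs sha256sum > "$HASH_FILE" \
  || die "Failed to create hashes of boot files"

if [ ! -r "$ENTRY_FILE" ] || [ ! -r "$HASH_FILE" ]; then
  die "Failed to write default config"
fi

# Sign the config set and auto-roll the config counter.
kexec-sign-config -p "$paramsdir" -u \
  || die "Failed to sign default config"

# Switch back to ro mode (the EXIT trap repeats this harmlessly).
mount -o ro,remount "$paramsdev"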