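#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.0. Functions - installation - setup grub                                            #
###########################################################################################

###########################################################################################
# Run grub-install for the recipe's partition table / firmware combination inside the
# target and refresh grub.cfg. Helper of 3_8_0_functions_installation_setup_grub; it is
# not meant to be called on its own.
# Globals:
#   ERR_UNSUPPT_TABLE
#   RECIPE_FIRMWARE
#   RECIPE_TABLE
#   TARGET
#   grub_bootdev
#   grub_force
# Arguments:
#   None
# Returns:
#   0 after a successful install; exits with ERR_UNSUPPT_TABLE on an unsupported
#   table / firmware / grub_force combination.
###########################################################################################
_3_8_0_grub_install_bootloader() {
  local table="${RECIPE_TABLE,,}"
  local firmware="${RECIPE_FIRMWARE,,}"
  # NOTE(review): the previous code read `${grub_force-efi-extra-removable,,}`, which bash
  # parses as "grub_force, defaulting to the literal string 'efi-extra-removable,,'" - so a
  # setting named grub_force-efi-extra-removable never existed, the value was not lowercased,
  # and an unset grub_force silently skipped grub-install. The Globals header names the
  # setting grub_force; confirm that this is the name used in the recipe files.
  local force="${grub_force,,}"

  # GRUB partition-table module for the core image; empty means unsupported table.
  local part_module=""
  case "${table}" in
    gpt)   part_module="part_gpt" ;;
    msdos) part_module="part_msdos" ;;
  esac
  # Modules required to unlock a LUKS2-encrypted btrfs /boot from the GRUB core image.
  local modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${part_module}"

  # --force-extra-removable is only supported on GPT + UEFI.
  if [[ ${force} == "true" ]]; then
    if [[ ${table} != "gpt" || ${firmware} != "uefi" ]]; then
      do_log "emergency" "false" "Unsupported combination of partition table: '${table}' and setting: grub_force '${force}'."
      exit "${ERR_UNSUPPT_TABLE}"
    fi
  elif [[ ${force} != "false" ]]; then
    # Any other value used to fall through without installing a bootloader at all;
    # fail loudly instead of producing an unbootable target.
    do_log "emergency" "false" "Unsupported value for setting: grub_force '${force}'."
    exit "${ERR_UNSUPPT_TABLE}"
  fi
  if [[ -z ${part_module} || ( ${firmware} != "uefi" && ${firmware} != "bios" ) ]]; then
    do_log "emergency" "false" "Unsupported partition table: '${table}' and / or firmware: '${firmware}'."
    exit "${ERR_UNSUPPT_TABLE}"
  fi

  local -a install_args
  local install_txt  # human-readable rendering of install_args for the log line
  if [[ ${firmware} == "uefi" ]]; then
    install_args=(--target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules="${modules}")
    install_txt="--target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --modules=\"${modules}\""
  else
    # NOTE(review): grub_bootdev is passed through unchecked; presumably a whole-disk
    # device node for the MBR install - confirm it is validated where the recipe is read.
    install_args=(--target=i386-pc --boot-directory=/boot --modules="${modules}" --recheck "${grub_bootdev}")
    install_txt="--target=i386-pc --boot-directory=/boot --modules=\"${modules}\" --recheck ${grub_bootdev}"
  fi
  if [[ ${force} == "true" ]]; then
    install_args+=(--force-extra-removable)
    install_txt+=" --force-extra-removable"
  fi

  do_in_target "${TARGET}" grub-install "${install_args[@]}"
  do_in_target "${TARGET}" update-grub
  do_log "info" "false" "Partition table: '${table}' | Firmware: '${firmware}'."
  do_log "info" "false" "Command: 'grub-install ${install_txt}' executed in: '${TARGET}'."
}

###########################################################################################
# Installation and setup of the GRUB2 (backported) version.
# The backported version MUST be installed for LUKS2 '/boot' encryption.
# Globals:
#   ERR_UNSUPPT_TABLE
#   MODULE_ERR
#   MODULE_TXT
#   RECIPE_FIRMWARE
#   RECIPE_TABLE
#   TARGET
#   grub_background_enable
#   grub_background_path
#   grub_bootdev
#   grub_force
#   grub_latest
#   grub_prober
#   grub_skip
# Arguments:
#   None
# Returns:
#   0 on success; exits with ERR_UNSUPPT_TABLE on an unsupported grub_skip value or when
#   the bootloader helper rejects the recipe (see _3_8_0_grub_install_bootloader).
###########################################################################################
3_8_0_functions_installation_setup_grub() {
  declare -g -x MODULE_ERR="3_8_0_functions_installation_setup_grub"
  declare -g -x MODULE_TXT="Setup GRUB"
  do_show_header "${MODULE_TXT}"

  local skip="${grub_skip,,}"
  if [[ ${skip} == "true" ]]; then
    do_log "info" "false" "GRUB2 setup skipped."
  elif [[ ${skip} != "false" ]]; then
    # An unset or misspelled grub_skip previously did nothing at all (no bootloader, no log).
    do_log "emergency" "false" "Unsupported value for setting: grub_skip '${skip}'."
    exit "${ERR_UNSUPPT_TABLE}"
  else
    # Install the GRUB2 package: the Bookworm backports build when grub_latest is set,
    # otherwise the stable build.
    if [[ ${grub_latest,,} == "true" ]]; then
      do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common
      do_log "info" "true" "Command: 'apt-get install -y -t bookworm-backports grub2 grub2-common' executed in: '${TARGET}'."
    else
      do_in_target "${TARGET}" apt-get install -y grub2 grub2-common
      do_log "info" "true" "Command: 'apt-get install -y grub2 grub2-common' executed in: '${TARGET}'."
    fi

    # Install the bootloader on the device matching the recipe's table / firmware.
    _3_8_0_grub_install_bootloader

    local grub_default="${TARGET}/etc/default/grub"

    # Enable booting from LUKS encrypted devices by default.
    # Quoted delimiter: the fragment contains nothing to expand.
    cat << 'EOF' >> "${grub_default}"
# Enable booting from LUKS encrypted devices by default.
GRUB_ENABLE_CRYPTODISK=y
EOF
    do_in_target "${TARGET}" update-grub
    do_log "info" "false" "Booting from LUKS encrypted devices by default enabled, executed in: '${TARGET}'."

    # Install a boot menu background.
    if [[ ${grub_background_enable,,} == "true" ]]; then
      local background
      background=$(basename -- "${grub_background_path}")
      local background_dst="${TARGET}/etc/default/grub.d/${background}"
      # '--' guards against a source path that starts with '-'.
      cp -- "${grub_background_path}" "${background_dst}"
      chmod 0640 -- "${background_dst}"
      # Unquoted delimiter on purpose: ${background} must expand into the config.
      cat << EOF >> "${grub_default}"
# Enable boot menu background.
GRUB_BACKGROUND="/etc/default/grub.d/${background}"
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'vbeinfo'
GRUB_GFXMODE=1920x1080,1280x1024,800x600
GRUB_GFXPAYLOAD_LINUX=keep
EOF
      do_in_target "${TARGET}" update-grub
      do_log "info" "false" "Boot menu background enabled, executed in: '${TARGET}'."
    fi

    # Change GRUB OS detection configuration accordingly: grub_prober=true keeps
    # os-prober enabled (GRUB_DISABLE_OS_PROBER=false), grub_prober=false disables it.
    # Any other value leaves the Debian default untouched.
    local prober="${grub_prober,,}"
    if [[ ${prober} == "true" || ${prober} == "false" ]]; then
      local os_prober_disabled
      if [[ ${prober} == "true" ]]; then
        os_prober_disabled="false"
      else
        os_prober_disabled="true"
      fi
      cat << EOF >> "${grub_default}"
# If your computer has multiple operating systems installed, then you
# probably want to run os-prober. However, if your computer is a host
# for guest OSes installed via LVM or raw disk devices, running
# os-prober can cause damage to those guest OSes as it mounts
# filesystems to look for things.
GRUB_DISABLE_OS_PROBER=${os_prober_disabled}
EOF
      do_in_target "${TARGET}" update-grub
      do_log "info" "false" "GRUB OS detection configuration changed: 'GRUB_DISABLE_OS_PROBER=${os_prober_disabled}' executed in: '${TARGET}'."
    fi
  fi

  do_show_footer "${MODULE_TXT}"
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh: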