#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# shellcheck disable=SC2154,SC2312

guard_sourcing || return "${ERR_GUARD_SRCE}"

#######################################
# Guard against accidental inclusion of CISS Secure Boot private keys.
# Walks the live-build artifact and include trees below VAR_HANDLER_BUILD_DIR
# and refuses as soon as a file carrying one of the CISS private key names
# is found there (such a file would otherwise end up inside the image).
# Globals:
#   ERR_UNCRITICAL
#   VAR_HANDLER_BUILD_DIR
# Arguments:
#   None
# Outputs:
#   Path of the offending file on stderr
# Returns:
#   0: no private key found (roots that do not exist are skipped)
#   ERR_UNCRITICAL: a private key file sits inside a build artifact path
#######################################
secureboot_profile_guard_private_keys() {
  local build_dir="${VAR_HANDLER_BUILD_DIR}"
  local -a artifact_roots=(
    "${build_dir}/binary"
    "${build_dir}/chroot"
    "${build_dir}/config/includes.binary"
    "${build_dir}/config/includes.chroot"
    "${build_dir}/config/includes.installer"
  )
  local root="" hit=""

  for root in "${artifact_roots[@]}"; do
    # A root that does not exist (yet) cannot leak anything; skip it silently.
    [[ -d "${root}" ]] || continue
    # -xdev keeps the walk on the root's filesystem; NUL delimiting survives
    # arbitrary file names. The first hit is reported and aborts the guard.
    while IFS= read -r -d '' hit; do
      printf "\e[91m❌ Refusing private Secure Boot key inside build artifact path: '%s'. \e[0m\n" "${hit}" >&2
      return "${ERR_UNCRITICAL}"
    done < <(find "${root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
  done

  return 0
}

### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f secureboot_profile_guard_private_keys

#######################################
# Apply the selected Secure Boot profile after repository files were copied into the live-build config.
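# Globals:
#   BASH_SOURCE
#   ERR_ARG_MSMTCH
#   ERR_UNCRITICAL
#   VAR_ARCHITECTURE
#   VAR_CISS_SECUREBOOT_PROFILE (read; re-exported lower-cased)
#   VAR_HANDLER_BUILD_DIR
#   VAR_WORKDIR
#   VAR_CISS_SECUREBOOT_DIR, VAR_CISS_SECUREBOOT_EFI_KEY,
#   VAR_CISS_SECUREBOOT_EFI_CERT (written/exported for later hooks)
# Arguments:
#   None
# Returns:
#   0: on success
#   ERR_ARG_MSMTCH: unknown profile, or 'ciss-uki' on a non-amd64 architecture
#   ERR_UNCRITICAL: 'ciss-uki' selected but the signing key or certificate is
#                   missing, the work directories cannot be created, a private
#                   key sits inside a build artifact path, or a UKI hook is
#                   missing / cannot be made executable
#######################################
secureboot_profile_apply() {
  declare profile="${VAR_CISS_SECUREBOOT_PROFILE,,}"
  declare hooks_dir="${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
  declare build_uki_hook="${hooks_dir}/zzzz_ciss_build_uki.hook.binary"
  declare install_uki_hook="${hooks_dir}/9910-ciss-install-uki-into-efi-img.hook.binary"
  declare secureboot_dir="${VAR_WORKDIR}/ciss.secureboot"
  declare secureboot_key="${secureboot_dir}/private/ciss-efi-image.key"
  declare secureboot_cert="${secureboot_dir}/public/ciss-efi-image.crt"
  declare hook=""

  printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"

  case "${profile}" in
    debian-shim | ciss-uki) ;;
    *)
      printf "\e[91m❌ Unsupported Secure Boot profile: '%s'. \e[0m\n" "${profile}" >&2
      return "${ERR_ARG_MSMTCH}"
      ;;
  esac

  # Publish the normalised profile and the key material locations for later hooks.
  declare -gx VAR_CISS_SECUREBOOT_PROFILE="${profile}"
  declare -gx VAR_CISS_SECUREBOOT_DIR="${secureboot_dir}"
  declare -gx VAR_CISS_SECUREBOOT_EFI_KEY="${secureboot_key}"
  declare -gx VAR_CISS_SECUREBOOT_EFI_CERT="${secureboot_cert}"

  if [[ "${profile}" == "debian-shim" ]]; then
    # Stock shim path: the custom UKI hooks must not run at all, so remove them.
    rm -f -- "${build_uki_hook}" "${install_uki_hook}"
    printf "\e[92m✅ Secure Boot profile: debian-shim. Custom CISS UKI hooks disabled. \e[0m\n"
    printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
    return 0
  fi

  if [[ "${VAR_ARCHITECTURE,,}" != "amd64" ]]; then
    printf "\e[91m❌ Secure Boot profile 'ciss-uki' currently targets amd64/BOOTX64.EFI only. Got: '%s'. \e[0m\n" "${VAR_ARCHITECTURE}" >&2
    return "${ERR_ARG_MSMTCH}"
  fi

  # The private key directory is owner-only; the rest may be world-readable.
  # A failed mkdir must not be ignored when errexit is not in effect.
  install -d -m 0755 "${secureboot_dir}/public" "${secureboot_dir}/manifests" "${secureboot_dir}/uki" || return "${ERR_UNCRITICAL}"
  install -d -m 0700 "${secureboot_dir}/private" || return "${ERR_UNCRITICAL}"

  if [[ ! -f "${secureboot_key}" ]]; then
    printf "\e[91m❌ Missing CISS Secure Boot EFI signing key: '%s'. \e[0m\n" "${secureboot_key}" >&2
    return "${ERR_UNCRITICAL}"
  fi

  if [[ ! -f "${secureboot_cert}" ]]; then
    printf "\e[91m❌ Missing CISS Secure Boot EFI signing certificate: '%s'. \e[0m\n" "${secureboot_cert}" >&2
    return "${ERR_UNCRITICAL}"
  fi

  # A private key inside the build tree would be shipped in the image; the
  # guard's refusal has to abort this profile even without errexit, so its
  # status is checked explicitly instead of being dropped.
  secureboot_profile_guard_private_keys || return "${ERR_UNCRITICAL}"

  # Enabling the profile means making both hooks executable; a missing hook
  # file is a broken config, not something chmod should fail on quietly.
  for hook in "${build_uki_hook}" "${install_uki_hook}"; do
    if [[ ! -f "${hook}" ]]; then
      printf "\e[91m❌ Missing CISS UKI hook: '%s'. \e[0m\n" "${hook}" >&2
      return "${ERR_UNCRITICAL}"
    fi
  done
  chmod 0755 -- "${build_uki_hook}" "${install_uki_hook}" || return "${ERR_UNCRITICAL}"

  printf "\e[92m✅ Secure Boot profile: ciss-uki. Custom UKI hooks enabled. \e[0m\n"
  printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
  return 0
}

### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f secureboot_profile_apply

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh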