#!/bin/sh
# shellcheck disable=SC2166
fail() { echo "$@" 1>&2; exit 1; }
Usage() {
    cat <<EOF
Usage: ${0##*/} outd [rel]

Grab stuff from system into outd.
EOF
}

info() {
    echo "release: $REL"
    echo "packages:"
    for p in ovmf shim-signed ; do
        v=$(dpkg-query --show --showformat='${Version}' "$p") ||
            fail "failed to get version for $p"
        echo "  $p: \"$v\""
    done
}

[ "$1" = "-h" -o "$1" = "--help" ] && { Usage; exit 0; }

[ "$1" = "--no-install" ] && install=false && shift || install=true
[ $# -ge 1 ] || fail "must give output dir"
outd="$1"
REL="$2"
if [ -z "$REL" ]; then
    REL=$(lsb_release -sc) || fail "must give rel, couldn't figure out"
fi
set --

[ -d "$outd" ] || mkdir "$outd" ||
    fail "failed to make output dir"

ovmf_version=""
# https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137
if [ "$(lsb_release -sc)" = "focal" ]; then
    ovmf_version="=0~20191122.bd85bf54-2ubuntu3"
fi

if [ "$install" = "true" ]; then
    [ "$(id -u)" = "0" ] ||
        fail "must be root for install (try sudo or --no-install)"
    apt-get update --quiet || fail "apt-get update failed."
    apt-get install --quiet \
        --assume-yes --no-install-recommends \
        ovmf${ovmfversion} shim-signed ||
        fail "failed install deps"
else
    echo "skipping install"
fi

set --
set -- "$@" \
   "/usr/share/ovmf/PkKek-1-snakeoil.pem" \
   "signing.pem|link:PkKek-1-snakeoil.pem" \
   "/usr/share/ovmf/PkKek-1-snakeoil.key" \
   "signing.key|link:PkKek-1-snakeoil.key" \
   "signing.password|text:snakeoil"

bd=/usr/share/OVMF
case "$REL" in
    jammy)
        set -- "$@" \
            "$bd/OVMF_VARS_4M.fd" \
            "$bd/OVMF_CODE_4M.secboot.fd" \
            "$bd/OVMF_VARS_4M.snakeoil.fd" \
            "ovmf-insecure-code.fd|link:OVMF_CODE_4M.secboot.fd" \
            "ovmf-insecure-vars.fd|link:OVMF_VARS_4M.fd" \
            "ovmf-secure-code.fd|link:OVMF_CODE_4M.secboot.fd" \
            "ovmf-secure-vars.fd|link:OVMF_VARS_4M.snakeoil.fd"
        ;;
    focal)
        set -- "$@" \
            "$bd/OVMF_VARS.fd" \
            "$bd/OVMF_CODE.secboot.fd" \
            "$bd/OVMF_VARS.snakeoil.fd" \
            "ovmf-insecure-code.fd|link:OVMF_CODE.secboot.fd" \
            "ovmf-insecure-vars.fd|link:OVMF_VARS.fd" \
            "ovmf-secure-code.fd|link:OVMF_CODE.secboot.fd" \
            "ovmf-secure-vars.fd|link:OVMF_VARS.snakeoil.fd"
        ;;
    *) fail "unknown release $REL";;
esac

for line in "$@"; do
    case "$line" in
        *\|*)
            target="${line%%|*}"
            src=${line#*|};;
        *)
            target=${line##*/}
            src="$line";;
    esac
    case "$src" in
        text:*)
        src=${src#text:}
            printf "%s" "$src" > "$outd/$target" || fail "failed to write $target"
            echo "wrote $target from text"
        ;;
        link:*)
            src=${src#link:}
            ln -s "$src" "$outd/$target" || fail "failed link $src -> $target"
            echo "linked $target -> $src"
        ;;
        *)
            cp "$src" "$outd/$target" || fail "failed copy $src -> $target"
            echo "copied $src to $target"
            md5sum $src $outd/$target
        ;;
    esac
done

openssl rsa -passin stdin \
    -in "$outd/signing.key" \
    -out "$outd/signing-unlocked.key" < "$outd/signing.password" ||
    fail "failed to decrypt signing key"

info > "$outd/firmware-info.yaml"
echo "wrote info to firmware-info.yaml"
