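#!/bin/sh
# softperfect-ramdisk-mok-setup — walk the user through generating a
# Machine Owner Key, telling DKMS to sign the RAM Disk kernel module
# with it, and staging the public key for enrolment. After reboot +
# MokManager enrolment, the kernel module loads under Secure Boot.
#
# Requires: root, mokutil, openssl, dkms (all checked up front).
# Writes:   $KEY_DIR/mok.priv (0600, private signing key)
#           $KEY_DIR/mok.der  (public certificate handed to mokutil)
#           $DKMS_FRAMEWORK   (tells DKMS which key/cert to sign with)
# Exit:     0 on success or when nothing needs doing, 1 on any error.

set -e

KEY_DIR=/var/lib/softperfect-ramdisk
PRIV=${KEY_DIR}/mok.priv
CERT=${KEY_DIR}/mok.der
DKMS_FRAMEWORK=/etc/dkms/framework.conf.d/sprd-sb-sign.conf
DKMS_MODULE=sprd
DKMS_VERSION=1.0

# die MESSAGE... — print MESSAGE to stderr and exit 1.
die() {
	printf '%s\n' "$*" >&2
	exit 1
}

if [ "$(id -u)" -ne 0 ]; then
	echo "softperfect-ramdisk-mok-setup must run as root." >&2
	die "Try: sudo softperfect-ramdisk-mok-setup"
fi

# Check for the tools before consulting mokutil: without this, a missing
# mokutil would produce empty output below and be misreported as
# "Secure Boot not enabled", and the wizard would exit 0 having done nothing.
for tool in mokutil openssl dkms; do
	command -v "$tool" >/dev/null 2>&1 \
		|| die "Required tool '$tool' not found in PATH; install it and re-run."
done

# Anything other than "SecureBoot enabled" (disabled, or no EFI variables
# at all on a legacy-BIOS system) means an unsigned module loads fine.
case "$(mokutil --sb-state 2>/dev/null)" in
*"SecureBoot enabled"*) ;;
*)
	echo "Secure Boot is not enabled on this system — no setup needed."
	echo "The RAM Disk kernel module will load without any extra steps."
	exit 0
	;;
esac

cat <<EOF
SoftPerfect RAM Disk — Secure Boot setup wizard

This will generate a Machine Owner Key (MOK), configure DKMS to sign
the RAM Disk kernel module with it, and stage the public key for
enrolment in your firmware.

The process takes two reboots:

  1. The key is staged for enrolment (now).
  2. Reboot. Your firmware shows a blue "MOK management" screen — pick
     "Enrol MOK" and enter the password you'll be asked for in a moment.
  3. Reboot again. The RAM Disk kernel module loads, ramdiskd starts.

EOF

printf "Continue? [y/N] "
# EOF on stdin (closed pipe, ^D) counts as "no" instead of tripping set -e.
read -r REPLY || REPLY=
case "$REPLY" in
[Yy]*) ;;
*) echo "Aborted."; exit 0 ;;
esac

mkdir -p "$KEY_DIR"
chmod 700 "$KEY_DIR"

# Generate a fresh key pair if either half is missing. Note that losing one
# half means a *new* pair: any certificate enrolled from the old pair is
# then stale and the new one must be enrolled again.
if [ ! -f "$PRIV" ] || [ ! -f "$CERT" ]; then
	echo "Generating a 2048-bit RSA signing key (10-year validity)..."
	# The subshell umask keeps the private key owner-only from the moment
	# the file is created, rather than relying on the chmod afterwards.
	(
		umask 077
		openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
			-outform DER -keyout "$PRIV" -out "$CERT" \
			-subj "/CN=SoftPerfect RAM Disk DKMS module signing key/" \
			>/dev/null
	)
	chmod 600 "$PRIV"
	chmod 644 "$CERT"   # public half; the 0700 directory still gates it
fi

# The drop-in directory may not exist on a fresh dkms install; without this
# the redirection below fails with an unhelpful error under set -e.
mkdir -p "${DKMS_FRAMEWORK%/*}"
cat > "$DKMS_FRAMEWORK" <<EOF
# Auto-generated by softperfect-ramdisk-mok-setup.
# DKMS picks up these paths when (re)building modules under Secure Boot.
mok_signing_key="${PRIV}"
mok_certificate="${CERT}"
EOF
chmod 644 "$DKMS_FRAMEWORK"

echo
echo "Re-building the RAM Disk kernel module so it picks up the signature..."
# Drop any earlier (unsigned) build; there may be none, so failure is fine.
dkms remove -m "$DKMS_MODULE" -v "$DKMS_VERSION" --all >/dev/null 2>&1 || true

# Capture the build log instead of piping straight into sed: in POSIX sh the
# status of a pipeline is sed's, so a failed dkms install would otherwise be
# masked and the user sent off to enrol a key for a module that was never
# built or signed. The log is shown either way, prefixed for readability.
dkms_log=$(mktemp) || die "Could not create a temporary file for the dkms log."
trap 'rm -f -- "$dkms_log"' EXIT
if dkms install -m "$DKMS_MODULE" -v "$DKMS_VERSION" >"$dkms_log" 2>&1; then
	sed 's/^/dkms: /' "$dkms_log"
else
	sed 's/^/dkms: /' "$dkms_log" >&2
	die "dkms install failed — the public key has NOT been staged for enrolment. Fix the build error above and re-run this wizard."
fi

if mokutil --test-key "$CERT" 2>/dev/null | grep -q "already enrolled"; then
	echo
	echo "Public key is already enrolled — skipping mokutil --import."
	echo "If the module still fails to load, reboot or run dkms install again."
else
	echo
	echo "Staging the public key for enrolment."
	echo "Pick any password — you'll type this once on the MokManager screen"
	echo "after reboot. It's used once and then discarded."
	echo
	# mokutil prompts for the one-time password itself; set -e aborts here
	# if the import fails, so the "next steps" text is never shown misleadingly.
	mokutil --import "$CERT"
fi

cat <<EOF

Setup staged. Next steps:

  1. Reboot.
  2. On the blue "MOK management" screen, choose "Enrol MOK", then
     "Continue", then enter the password you just set.
  3. After enrolment your machine reboots again. The RAM Disk kernel
     module then loads automatically and ramdiskd starts.

If you cancel enrolment on the MokManager screen, the module won't
load — re-run this wizard to stage a fresh import.
EOF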
