#!/usr/bin/bash


#
# Copyright 2014-2024 Senderek Web Security, Ireland. All rights reserved.
#                <https://senderek.ie/opensource/secureboot2>
#
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

#
# Author:       Ralf Senderek <innovation@senderek.ie>
#
# license:      GNU General Public License version 3 or later
# description:  replaces the current file system with a new encrypted file system
# processname:  secureboot-replace
# config:       none
# date:         7/5/2024
#


# Installation directory of secureboot; every file this script touches lives here.
ROOT=/usr/lib/secureboot
BASE="$ROOT"
# image of the encrypted file system that is replaced or rolled back
FILE="$ROOT/securefilesystem"
# exit status handed back when the script ends
RET=0
# becomes "yes" once this script has stopped a running secure filesystem
ACTIVE="no"

# name of the mapped device (/dev/mapper/$NAME) that is checked for activity
NAME=secure
# staged replacement image and backup copy of the previous image
NEW="$ROOT/$NAME.NEW"
OLD="$ROOT/$NAME.OLD"


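#######################################
# Move the staged image $NEW into place as the live image $FILE, keeping
# the previous live image as $OLD. Interactive: each destructive step is
# confirmed by reading "yes" from stdin; any other answer aborts.
# Globals:   FILE (renamed to OLD), NEW (renamed to FILE), OLD (removed/created)
# Arguments: none
# Outputs:   prompts and listings on stdout, tool errors on stderr
# Returns:   0 when the image was replaced or there was nothing to replace,
#            1 when the user declined or a file operation failed
#######################################
replace(){
     local reply
     echo "REPLACING NEW ..."
     ls -l -- "$FILE"
     ls -l -- "$NEW"
     if [ ! -f "$NEW" ]; then
          echo "No new filesystem found to replace."
          return 0
     fi
     echo
     echo "Replace $FILE with $NEW ?"
     printf '%s' "Continue ? [yes/no] : "
     read -r reply
     if [ "$reply" != "yes" ]; then
          echo "Aborting ..."
          # return instead of exit so the caller can restart the stopped
          # secure filesystem before the script ends
          return 1
     fi
     if [ -f "$OLD" ]; then
          echo
          ls -l -- "$OLD"
          echo "Delete old backup file $OLD ?"
          printf '%s' "Continue ? [yes/no] : "
          read -r reply
          if [ "$reply" != "yes" ]; then
               echo "Aborting ..."
               return 1
          fi
          rm -- "$OLD" || return 1
     fi
     # Back up the live image first and stop if that fails: otherwise the
     # next mv would overwrite the only copy of the current image.
     if [ -e "$FILE" ]; then
          if ! mv -- "$FILE" "$OLD"; then
               echo "Cannot move $FILE to $OLD. Aborting ..."
               return 1
          fi
     fi
     if ! mv -- "$NEW" "$FILE"; then
          echo "Cannot move $NEW to $FILE. Aborting ..."
          return 1
     fi
     # the images are readable and writable by their owner only
     chmod 600 -- "$FILE"
     if [ -e "$OLD" ]; then
          chmod 600 -- "$OLD"
     fi
     return 0
}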

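#######################################
# Restore the backup image $OLD as the live image $FILE; the image that
# was live becomes $NEW again. Interactive: confirmed by reading "yes"
# from stdin; any other answer aborts.
# Globals:   FILE (renamed to NEW), OLD (renamed to FILE), NEW (overwritten)
# Arguments: none
# Outputs:   prompts and listings on stdout, tool errors on stderr
# Returns:   0 when the backup was restored or there was no backup,
#            1 when the user declined or a file operation failed
#######################################
rollback () {
     local reply
     echo "ROLLING BACK ..."
     ls -l -- "$FILE"
     ls -l -- "$OLD"
     if [ ! -f "$OLD" ]; then
          # this branch used to print the replace() message, which named
          # the wrong file
          echo "No backup filesystem found to roll back to."
          return 0
     fi
     echo
     echo "Rolling back to $OLD ?"
     printf '%s' "Continue ? [yes/no] : "
     read -r reply
     if [ "$reply" != "yes" ]; then
          echo "Aborting ..."
          # return instead of exit so the caller can restart the stopped
          # secure filesystem before the script ends
          return 1
     fi
     # Park the live image as NEW first and stop if that fails: otherwise
     # the next mv would overwrite the only copy of the current image.
     if [ -e "$FILE" ]; then
          if ! mv -- "$FILE" "$NEW"; then
               echo "Cannot move $FILE to $NEW. Aborting ..."
               return 1
          fi
     fi
     if ! mv -- "$OLD" "$FILE"; then
          echo "Cannot move $OLD to $FILE. Aborting ..."
          return 1
     fi
     # the images are readable and writable by their owner only
     chmod 600 -- "$FILE"
     if [ -e "$NEW" ]; then
          chmod 600 -- "$NEW"
     fi
     return 0
}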

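#######################################
# Start the secure filesystem again, but only if this script stopped it.
# Globals:   ACTIVE (read), ROOT (read)
# Returns:   status of "secureboot2 start", 0 when nothing had been stopped
#######################################
restart_if_active() {
     if [ "$ACTIVE" = "yes" ]; then
          "$ROOT/secureboot2" start
     fi
}

#######################################
# Print the command line synopsis on stdout.
#######################################
usage() {
     echo "usage: secureboot-replace [--rollback]"
}

# A mapped block device means the secure filesystem is in use; it must be
# stopped before its backing image can be swapped.
if [ -b "/dev/mapper/$NAME" ]; then
     if ! "$ROOT/secureboot2" stop; then
          echo "Cannot stop the busy secure filesystem. Exiting ..."
          echo
          echo "If you have user home directories in /secure you cannot replace"
          echo "a secure filesystem while users are logged in."
          echo "Please go into single user mode first."
          echo "You can use the following commands as root."
          echo "All other users are logged out."
          echo
          echo "init 1"
          echo "/usr/lib/secureboot/secureboot-replace"
          echo "init 5"
          echo
          exit 2
     fi
     # remember to start it again on every exit path below
     ACTIVE="yes"
fi

# secure filesystem is stopped

if [ $# -gt 1 ]; then
     usage
     restart_if_active
     exit 2
fi

if [ $# -eq 0 ]; then
     # replace default
     replace
     RET=$?
elif [ "$1" = "--rollback" ]; then
     rollback
     RET=$?
else
     usage
     # an unknown argument is a usage error, same status as too many arguments
     # (this path previously fell through with status 0)
     RET=2
fi

restart_if_active
exit "$RET"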
#################################################################

