#!/usr/bin/bash
set -e -o pipefail
shopt -s expand_aliases

source anti-evil-maid-lib


if ! [ $# = 0 -o $# = 1 -a "$1" = "-z" ]; then
    echo "Usage: ${0##*/} [-z]"
    exit 1
fi

if [ "$(id -ur)" != 0 ]; then
    log "This command must be run as root!"
    exit 1
fi

if [ "$(cat "$SYSFS_TPM_DIR"/owned)" != 0 ]; then
    log "You must reset/clear your TPM chip first!"
    exit 1
fi


# - take ownership of TPM

OWNERPW=$(head -c 16 /dev/random | hex)
lines=( "$OWNERPW" "$OWNERPW" )

if [ $# = 0 ]; then  # set an SRK password
    for try in 1 2 3; do
        read -s -p "Choose SRK password: "  srkpw
        echo
        read -s -p "Confirm SRK password: " srkpw2
        echo

        [ "$srkpw" != "$srkpw2" ] || break
        log "Passwords didn't match"
        [ "$try" != 3 ] || exit 1
    done
    lines+=( "$srkpw" "$srkpw" )
fi

systemctl restart tcsd

log "Taking ownership of the TPM..."
printf '%s\n' "${lines[@]}" |
notty env LC_ALL=C tpm_takeownership "$@" 2> >(grep -vF "Confirm password:" >&2)

echo "$OWNERPW" >"$TPM_OWNER_PASSWORD_FILE"


# - generate NVRAM ID

alias provisioned_id=false
if [[ $(tpm_id 2>/dev/null) == "unknown" ]]; then
    # TPM reset does not clear NVRAM, reusing old ID is fine though
    log "Creating TPM ID..."
    tpm_id_index=$(tpm_id -i)
    # create a 20-byte write-once NVRAM area
    tpm_nvdefine -i "$tpm_id_index" -s 20 -p "WRITEDEFINE|WRITEALL" \
                 --pwdo="$OWNERPW"
    # generate a random ID and write it into NVRAM
    head -c 20 /dev/random | tpm_nvwrite_stdin -i "$tpm_id_index" -s 20
    # lock the area to prevent non-owners from changing ID
    tpm_nvwrite -i "$tpm_id_index" -s 0
    alias provisioned_id=true
fi


# - create freshness token area

if checktpmnvram; then
    # delete old freshness area as the old access password is most likely lost
    # (in case it isn't, the area will simply get recreated with the same pw)
    log "Deleting old freshness token NVRAM area..."
    destroytpmnvram "$OWNERPW"
fi
log "Creating freshness token NVRAM area..."
createtpmnvram "$OWNERPW"


# - move system.dat around

if provisioned_id; then
    tpm_id=$(tpm_id)
    systemctl stop tcsd
    mkdir -p "/var/lib/tpms/$tpm_id"
    mv /var/lib/tpms/unknown/* "/var/lib/tpms/$tpm_id/"
    rm -rf /var/lib/tpms/unknown
    systemctl start tcsd
fi
