#!/bin/sh

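#######################################
# Unseal the LUKS key material with the TPM 2.0 and write it to ./plain.out.
#
# Reads the algorithm and PCR-bank lists recorded under /etc/deepin/disk_key/,
# picks the symmetric cipher, primary-key algorithm and hash to use, then
# replays the sealing policy (PCR 23 in the chosen bank, plus a password for
# the SM4 case) against the TPM to decrypt cipher.out.
#
# Globals:   none read.  Creates primary.ctx, key.ctx, key.name, session.dat,
#            pcr_val.bin, policy.dat and plain.out in the current directory.
#            plain.out holds the cleartext disk key — the working directory is
#            assumed to be initramfs-only storage; TODO confirm the caller's cwd.
# Arguments: none
# Outputs:   nothing on stdout (the key only ever goes to plain.out); one
#            diagnostic line on stderr when unsealing fails.
# Returns:   0 when plain.out was produced, 1 otherwise.
#######################################
tpm_decrypt() {
    local diskKeyPath="/etc/deepin/disk_key/"
    local tpm2_algs
    local tpm2_pcr_banks
    local tpm2Alg=""
    local primaryKeyAlg="rsa"
    local primaryHashAlg=""
    local pcr="23"
    local pcrBank=""
    local pinKey=""
    local sessionAuth="session:session.dat"
    local abrmdPid=""
    local rc=0

    # Capability lists written at enrollment.  The matching below assumes
    # "name:flag" entries (e.g. "aes:1") — confirm against the enrollment
    # script.  Without these files no algorithm can be chosen, so give up
    # before starting the resource manager or touching the TPM.
    tpm2_algs=$(cat "${diskKeyPath}tpm2_algs.txt") || return 1
    tpm2_pcr_banks=$(cat "${diskKeyPath}tpm2_pcr_banks.txt") || return 1

    # Symmetric cipher: prefer AES, then the SM4 national cipher, otherwise
    # whatever precedes the first ':' in the list (spaces stripped).
    case "${tpm2_algs}" in
        *aes:1*)
            tpm2Alg="aes"
            ;;
        *sm4:1*)
            tpm2Alg="sm4"
            primaryKeyAlg="sm4"
            # Password the SM4 key was sealed with.  It is a constant embedded
            # in this script, so it provides no secret beyond the PCR policy
            # itself; it must stay identical to the value used at enrollment.
            pinKey="123456UOS"
            ;;
        *)
            tpm2Alg=${tpm2_algs%%:*}
            tpm2Alg=$(printf '%s' "${tpm2Alg}" | tr -d ' ')
            ;;
    esac

    # PCR bank / hash: prefer sha256, then sm3_256, otherwise the first entry.
    case "${tpm2_pcr_banks}" in
        *sha256:1*)
            primaryHashAlg="sha256"
            pcrBank="sha256"
            ;;
        *sm3_256:1*)
            primaryHashAlg="sm3_256"
            pcrBank="sm3_256"
            ;;
        *)
            pcrBank=${tpm2_pcr_banks%%:*}
            pcrBank=$(printf '%s' "${pcrBank}" | tr -d ' ')
            primaryHashAlg=${pcrBank}
            ;;
    esac

    # tpm2-tools auth syntax: "session:<file>" optionally followed by
    # "+<password>" for the policy-password part of the policy.
    if [ -n "${pinKey}" ]; then
        sessionAuth="${sessionAuth}+${pinKey}"
    fi

    # Start the resource manager for the duration of this function and keep
    # its PID so it can be stopped without pattern-matching ps output.
    # NOTE(review): nothing waits for it to be ready, so the tpm2_* calls
    # below may race its startup — confirm the tools' TCTI fallback covers it.
    tpm2-abrmd --allow-root > /dev/null 2>&1 &
    abrmdPid=$!

    # Best-effort reset of the dictionary-attack lockout left by earlier
    # failed attempts.  NOTE(review): doing this on every attempt also removes
    # the TPM's rate limiting for the password above — confirm this is wanted.
    tpm2_dictionarylockout -c > /dev/null 2>&1

    # Rebuild the policy session and decrypt.  Every step depends on the one
    # before it, so the chain stops at the first failure; tool output is
    # silenced because this runs on the boot console.
    tpm2_createprimary -C o -g "${primaryHashAlg}" -G "${primaryKeyAlg}" -c primary.ctx > /dev/null 2>&1 \
        && tpm2_load -C primary.ctx -u "${diskKeyPath}key.pub" -r "${diskKeyPath}key.priv" -n key.name -c key.ctx > /dev/null 2>&1 \
        && tpm2_startauthsession --policy-session -S session.dat -g "${primaryHashAlg}" -G "${tpm2Alg}" > /dev/null 2>&1 \
        && tpm2_pcrread "${pcrBank}:${pcr}" -o pcr_val.bin > /dev/null 2>&1 \
        && tpm2_policypcr -S session.dat -l "${pcrBank}:${pcr}" -f pcr_val.bin > /dev/null 2>&1 \
        && tpm2_policypassword -S session.dat -L policy.dat > /dev/null 2>&1 \
        && tpm2_encryptdecrypt -Q --iv "${diskKeyPath}iv.bin" -c key.ctx -d -o plain.out "${diskKeyPath}cipher.out" -p"${sessionAuth}" > /dev/null 2>&1 \
        || rc=1

    if [ "${rc}" -ne 0 ]; then
        # Never leave a partial output behind: the caller treats an existing
        # plain.out as a successfully unsealed key.
        rm -f -- plain.out
        printf '%s\n' "tpm_decrypt: unsealing the disk key with the TPM failed" >&2
    fi

    # Release the policy session handle and stop the resource manager started
    # above.  TERM instead of KILL gives it a chance to flush the transient
    # objects it loaded (assumes tpm2-abrmd exits on SIGTERM — confirm);
    # wait reaps the child and only ever targets our own PID.
    tpm2_flushcontext session.dat > /dev/null 2>&1
    if [ -n "${abrmdPid}" ]; then
        kill "${abrmdPid}" > /dev/null 2>&1
        wait "${abrmdPid}" > /dev/null 2>&1
    fi

    return "${rc}"
}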

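## Keyscript entry point: one invocation per unlock attempt.
## Try the TPM first; the unsealed key is cached in plain.out so repeated
## attempts in the same boot do not go back to the TPM.
if [ ! -e plain.out ]; then
    tpm_decrypt
fi

# Without a usable key from the TPM there is nothing worth retrying, so go
# straight to the interactive prompt instead of emitting an empty key that
# would only be rejected.  The prompt is also the fallback once the cached
# TPM key has been offered four times (see the marker files below).
if [ ! -s plain.out ] || [ -e doneFourth ]; then
    /lib/cryptsetup/askpass "Please unlock disk luks_crypt : "
    exit
fi

# Attempt counter kept as marker files in the working directory.
# NOTE(review): the calling environment may already provide a try counter;
# confirm before relying on these files.
if [ -e doneThird ]; then
    touch doneFourth
elif [ -e doneSecond ]; then
    touch doneThird
elif [ -e doneFirst ]; then
    touch doneSecond
else
    touch doneFirst
fi

# The key is written to stdout only.  Command substitution strips trailing
# newlines and drops NUL bytes, so this assumes the sealed key is text —
# confirm against the enrollment side before changing it.
printf "%s" "$(cat plain.out)"
exit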