#!/bin/sh -e

# Listing tcsd.service in anti-evil-maid-seal.service's Requires= and After=
# would cause it to always be started (even when not booting in AEM mode or
# when sealing is unnecessary) due to the way systemd evaluates conditions.
# Putting the systemctl command in ExecStartPre= is also insufficient: The user
# might want to run this script manually after changing the secret(s).

systemctl start tcsd

alias plymouth_message="plymouth message --text"
. anti-evil-maid-lib
trap 'rm -rf "$CACHE_DIR"' EXIT


# define sealing and device variables

. /etc/anti-evil-maid.conf
Z=$(tpm_z_srk)

LABEL=$LABEL_PREFIX${1-$(cat "$SUFFIX_CACHE")}
DEV=/dev/disk/by-label/$LABEL


# seal and save secret(s) to root partition

mkdir -p "$TPM_DIR/$LABEL"

SEALED=0
for ext in txt png; do
     input=$AEM_DIR/$LABEL/secret.$ext
    output=$TPM_DIR/$LABEL/secret.$ext.sealed

    if [ ! -e "$input" ]; then
        message "Absent $input"
    elif cat "$SRK_PASSWORD_CACHE" 2>/dev/null |  # ignored in a tty
         tpm_sealdata $Z $SEAL -i "$input" -o "$output"; then
        SEALED=$(($SEALED + 1))
        message "Sealed $input using $SEAL"
    else
        message "Failed $input"
    fi
done

if [ "$SEALED" = 0 ]; then
    exit 1
fi


# mount device

waitfor -b "$DEV"

if CUR_MNT=$(devtomnt "$DEV") && [ -n "$CUR_MNT" ]; then
    MNT=$CUR_MNT
else
    CUR_MNT=
    MNT=/mnt/anti-evil-maid/$LABEL
    mkdir -p "$MNT"
    mount "$DEV" "$MNT"
fi


# copy secret(s) to device

synctpms "$LABEL" "$MNT"


# unmount device

if [ -z "$CUR_MNT" ]; then
    umount "$MNT"
    if external "$DEV" && removable "$DEV"; then
        waitfor ! -b "$DEV"
    fi
fi
