#!/bin/sh

# lh_binary_encryption(1) - encrypts rootfs
# Copyright (C) 2006-2007 Daniel Baumann <daniel@debian.org>
#
# live-helper comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
# This is free software, and you are welcome to redistribute it
# under certain conditions; see COPYING for details.

# Stop at the first command that fails outside a condition or && / || list
set -e

# Load the shared function library. LH_BASE can be overridden from the
# environment and every *.sh file under ${LH_BASE}/functions is sourced into
# this shell, so that directory must be as trusted as this script itself.
LH_BASE="${LH_BASE:-/usr/share/live-helper}"

for FUNCTION in "${LH_BASE}"/functions/*.sh; do
	. "${FUNCTION}"
done

# Static strings for this helper (PROGRAM is not assigned in this file;
# presumably the sourced library provides it)
DESCRIPTION="encrypts rootfs"
HELP=""
USAGE="${PROGRAM} [--force]"

# Hand the command line over to the library
Arguments "${@}"

# Configuration files are read in this fixed order, ending with the file named
# by LH_CONFIG; Set_defaults runs only after all of them
Read_conffile config/common
Read_conffile config/bootstrap
Read_conffile config/chroot
Read_conffile config/binary
Read_conffile config/source
Read_conffile "${LH_CONFIG}"
Set_defaults

# Nothing to do unless an encryption type has been configured
[ -n "${LH_ENCRYPTION}" ] || exit 0

Echo_message "Begin encrypting root filesystem image..."

# This step depends on the bootstrap and binary_rootfs stages
Require_stagefile .stage/bootstrap
Require_stagefile .stage/binary_rootfs

# Stage file of this step itself
Check_stagefile .stage/binary_encryption

# Lock file: checked first, then created
Check_lockfile .lock
Create_lockfile .lock

# Map the initramfs flavour to the directory name used below binary/.
# Any other value leaves INITFS as it was (unset, or inherited from the
# environment).
if [ "${LH_INITRAMFS}" = "casper" ]
then
	INITFS="casper"
elif [ "${LH_INITRAMFS}" = "live-initramfs" ]
then
	INITFS="live"
fi

# Select the image type to encrypt. Only ext2 and squashfs are handled; any
# value not listed here leaves ROOTFS as it was.
# NOTE(review): for jffs2 and plain the script only prints a warning and exits
# with status 0 although LH_ENCRYPTION is set, so the image stays unencrypted
# and a caller cannot tell that from the exit status.
case "${LH_CHROOT_FILESYSTEM}" in
	ext2|squashfs)
		ROOTFS="${LH_CHROOT_FILESYSTEM}"
		;;

	jffs2)
		Echo_warning "encryption not yet supported on jffs2 filesystem."
		exit 0
		;;

	plain)
		Echo_warning "encryption not supported on plain filesystem."
		exit 0
		;;
esac

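# Checking depends (aespipe performs the actual encryption)
Check_package chroot/usr/bin/aespipe aespipe

# Restoring cache
Restore_cache cache/packages_binary

# Installing depends
Install_package

# Both branches below encrypt the image into a .tmp file and only replace the
# original once aespipe has succeeded. -T makes aespipe ask for the passphrase
# twice, so the step is interactive.
# NOTE(review): answering "no" to the retry prompt leaves the loop with the
# image still in plaintext, and the stage file at the end of this script is
# created regardless. Confirm whether a declined retry should fail the build.

case "${LH_CHROOT_BUILD}" in
	enabled)
		# Moving image
		mv "binary/${INITFS}/filesystem.${LH_CHROOT_FILESYSTEM}" chroot

echo "Encrypting binary/${INITFS}/filesystem.${ROOTFS} with ${LH_ENCRYPTION}..."

# Generate the helper that runs inside the chroot. The file is truncated
# rather than appended to, so a leftover encrypt.sh from an aborted run cannot
# be executed again. The here-document is unquoted on purpose: ROOTFS and
# LH_ENCRYPTION are expanded now, while ANSWER is escaped so that it is
# evaluated when the helper runs (unescaped it expanded to an empty string
# here and "no" could never end the loop).
cat > chroot/encrypt.sh << EOF
while true
do
	aespipe -e "${LH_ENCRYPTION}" -T < "filesystem.${ROOTFS}" > "filesystem.${ROOTFS}.tmp" && mv "filesystem.${ROOTFS}.tmp" "filesystem.${ROOTFS}" && break

	# Drop the partial output of the failed attempt
	rm -f "filesystem.${ROOTFS}.tmp"

	printf '%s' "Something went wrong... Retry? [YES/no] "

	read -r ANSWER

	if [ "no" = "\${ANSWER}" ]
	then
		unset ANSWER
		break
	fi
done
EOF

		Chroot "sh encrypt.sh"

		# Move image
		mv "chroot/filesystem.${LH_CHROOT_FILESYSTEM}" "binary/${INITFS}"
		rm -f chroot/encrypt.sh
		;;

	disabled)
		while true
		do
			aespipe -e "${LH_ENCRYPTION}" -T < "binary/${INITFS}/filesystem.${ROOTFS}" > "binary/${INITFS}/filesystem.${ROOTFS}.tmp" && mv "binary/${INITFS}/filesystem.${ROOTFS}.tmp" "binary/${INITFS}/filesystem.${ROOTFS}" && break

			# Drop the partial output of the failed attempt
			rm -f "binary/${INITFS}/filesystem.${ROOTFS}.tmp"

			printf '%s' "Something went wrong... Retry? [YES/no] "

			# Under set -e a failed read (end of input) aborts the script
			# here, before the stage file is written
			read -r ANSWER

			if [ "no" = "${ANSWER}" ]
			then
				unset ANSWER
				break
			fi
		done
		;;
esac

# Saving cache
Save_cache cache/packages_binary

# Removing depends
Remove_package

# Creating stage file
Create_stagefile .stage/binary_encryption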