#!/bin/bash

# Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# This script modifies a base image to act as a recovery installer.
# If no kernel image is supplied, it will build a devkeys signed recovery
# kernel.  Alternatively, a signed recovery kernel can be used to
# create a Chromium OS recovery image.

SCRIPT_ROOT=$(dirname $(readlink -f "$0"))
. "${SCRIPT_ROOT}/build_library/build_common.sh" || exit 1
. "${SCRIPT_ROOT}/build_library/disk_layout_util.sh" || exit 1

# Default recovery kernel name.
RECOVERY_KERNEL_NAME=recovery_vmlinuz.image

DEFINE_string board "$DEFAULT_BOARD" \
  "board for which the image was built" \
  b
DEFINE_integer statefulfs_sectors 4096 \
  "number of free sectors in stateful filesystem when minimizing"
DEFINE_string kernel_image "" \
  "path to a pre-built recovery kernel"
DEFINE_string kernel_outfile "" \
  "emit recovery kernel to path/file ($RECOVERY_KERNEL_NAME if empty)"
DEFINE_string image "" \
  "source image to use ($CHROMEOS_IMAGE_NAME if empty)"
DEFINE_string to "" \
  "emit recovery image to path/file ($CHROMEOS_RECOVERY_IMAGE_NAME if empty)"
DEFINE_boolean kernel_image_only $FLAGS_FALSE \
  "only emit recovery kernel"
DEFINE_boolean sync_keys $FLAGS_TRUE \
  "update install kernel with the vblock from stateful"
DEFINE_boolean minimize_image $FLAGS_TRUE \
  "create a minimized recovery image from source image"
DEFINE_boolean modify_in_place $FLAGS_FALSE \
  "modify source image in place"
DEFINE_integer jobs -1 \
  "how many packages to build in parallel at maximum" \
  j
DEFINE_string build_root "/build" \
  "root location for board sysroots"
DEFINE_string keys_dir "${VBOOT_DEVKEYS_DIR}" \
  "directory containing the signing keys"
DEFINE_boolean verbose $FLAGS_FALSE \
  "log all commands to stdout" v
DEFINE_boolean decrypt_stateful $FLAGS_FALSE \
  "request a decryption of the stateful partition (implies --nominimize_image)"
DEFINE_string enable_serial "" \
  "Enable serial output (same as build_kernel_image.sh). Example: ttyS0"

# Parse command line
FLAGS "$@" || exit 1
eval set -- "${FLAGS_ARGV}"

# Only now can we die on error.  shflags functions leak non-zero error codes,
# so will die prematurely if 'switch_to_strict_mode' is specified before now.
switch_to_strict_mode

if [ $FLAGS_verbose -eq $FLAGS_TRUE ]; then
  # Make debugging with -v easy.
  set -x
fi

# We need space for copying decrypted files to the recovery image, so force
# --nominimize_image when using --decrypt_stateful.
if [ $FLAGS_decrypt_stateful -eq $FLAGS_TRUE ]; then
  FLAGS_minimize_image=$FLAGS_FALSE
fi

# Load board options.
. "${BUILD_LIBRARY_DIR}/board_options.sh" || exit 1
EMERGE_BOARD_CMD="emerge-$BOARD"

# Files to preserve from original stateful, if minimize_image is true.
# If minimize_image is false, everything is always preserved.
WHITELIST="vmlinuz_hd.vblock unencrypted/import_extensions"

get_install_vblock() {
  # If it exists, we need to copy the vblock over to stateful
  # This is the real vblock and not the recovery vblock.
  local partition_num_state=$(get_image_partition_number "${FLAGS_image}" \
    "STATE")
  IMAGE_DEV=$(loopback_partscan "${FLAGS_image}")
  local stateful_mnt=$(mktemp -d)
  local out=$(mktemp)

  set +e
  sudo mount ${IMAGE_DEV}p${partition_num_state} $stateful_mnt
  sudo cp "$stateful_mnt/vmlinuz_hd.vblock"  "$out"
  sudo chown $USER "$out"

  safe_umount "$stateful_mnt"
  sudo losetup -d ${IMAGE_DEV}
  rmdir "$stateful_mnt"
  switch_to_strict_mode
  echo "$out"
}

calculate_kernel_hash() {
  local img="$1"

  local partition_num_kern_a kern_offset kern_size kern_tmp

  partition_num_kern_a="$(get_image_partition_number "${img}" "KERN-A")"
  kern_offset="$(partoffset "${img}" "${partition_num_kern_a}")"
  kern_size="$(partsize "${img}" "${partition_num_kern_a}")"
  kern_tmp=$(mktemp)

  dd if="${FLAGS_image}" bs=512 count="${kern_size}" \
     skip="${kern_offset}" of="${kern_tmp}" 1>&2
  # We're going to use the real signing block.
  if [[ "${FLAGS_sync_keys}" -eq "${FLAGS_TRUE}" ]]; then
    dd if="${INSTALL_VBLOCK}" of="${kern_tmp}" conv=notrunc 1>&2
  fi
  sha256sum "${kern_tmp}" | cut -f1 -d' '
  rm "${kern_tmp}"
}

create_recovery_kernel_image() {
  local sysroot="$FACTORY_ROOT"
  local vmlinuz="$sysroot/boot/vmlinuz"

  local enable_rootfs_verification_flag=--noenable_rootfs_verification
  if grep -q enable_rootfs_verification "${IMAGE_DIR}/boot.desc"; then
    enable_rootfs_verification_flag=--enable_rootfs_verification
  fi

  # Tie the installed recovery kernel to the final kernel.  If we don't
  # do this, a normal recovery image could be used to drop an unsigned
  # kernel on without a key-change check.
  # Doing this here means that the kernel and initramfs creation can
  # be done independently from the image to be modified as long as the
  # chromeos-recovery interfaces are the same.  It allows for the signer
  # to just compute the new hash and update the kernel command line during
  # recovery image generation.  (Alternately, it means an image can be created,
  # modified for recovery, then passed to a signer which can then sign both
  # partitions appropriately without needing any external dependencies.)

  local kern_hash
  kern_hash="$(calculate_kernel_hash "${FLAGS_image}")"

  # TODO(wad) add FLAGS_boot_args support too.
  ${SCRIPTS_DIR}/build_kernel_image.sh \
    --board="${FLAGS_board}" \
    --arch="${ARCH}" \
    --to="$RECOVERY_KERNEL_IMAGE" \
    --vmlinuz="$vmlinuz" \
    --working_dir="${IMAGE_DIR}" \
    --boot_args="noinitrd panic=60 cros_recovery kern_b_hash=$kern_hash" \
    --enable_serial="${FLAGS_enable_serial}" \
    --keep_work \
    --keys_dir="${FLAGS_keys_dir}" \
    ${enable_rootfs_verification_flag} \
    --public="recovery_key.vbpubk" \
    --private="recovery_kernel_data_key.vbprivk" \
    --keyblock="recovery_kernel.keyblock" 1>&2 || die "build_kernel_image"
}

update_efi_partition() {
  # Update the EFI System Partition configuration so that the kern_hash check
  # passes.
  RECOVERY_DEV=$(loopback_partscan "${RECOVERY_IMAGE}")
  local partition_num_efi_system=$(get_image_partition_number \
    "${RECOVERY_IMAGE}" "EFI-SYSTEM")

  local efi_size kern_hash
  efi_size=$(partsize "${RECOVERY_IMAGE}" "${partition_num_efi_system}")
  kern_hash="$(calculate_kernel_hash "${RECOVERY_IMAGE}")"

  if [[ ${efi_size} -ne 0 ]]; then
    local efi_dir=$(mktemp -d)
    sudo mount ${RECOVERY_DEV}p${partition_num_efi_system} "${efi_dir}"

    sudo sed  -i -e "s/cros_legacy/cros_legacy kern_b_hash=$kern_hash/g" \
      "$efi_dir/syslinux/usb.A.cfg" || true
    # This will leave the hash in the kernel for all boots, but that should be
    # safe.
    sudo sed  -i -e "s/cros_efi/cros_efi kern_b_hash=$kern_hash/g" \
      "$efi_dir/efi/boot/grub.cfg" || true
    safe_umount "$efi_dir"
    rmdir "$efi_dir"
  fi
  sudo losetup -d "${RECOVERY_DEV}"
}

install_recovery_kernel() {
  local partition_num_kern_a=$(get_image_partition_number "${RECOVERY_IMAGE}" \
    "KERN-A")
  local kern_a_offset=$(partoffset "$RECOVERY_IMAGE" "${partition_num_kern_a}")
  local kern_a_size=$(partsize "$RECOVERY_IMAGE" "${partition_num_kern_a}")

  local partition_num_kern_b=$(get_image_partition_number "${RECOVERY_IMAGE}" \
    "KERN-B")
  local kern_b_offset=$(partoffset "$RECOVERY_IMAGE" "${partition_num_kern_b}")
  local kern_b_size=$(partsize "$RECOVERY_IMAGE" "${partition_num_kern_b}")

  if [ $kern_b_size -eq 1 ]; then
    echo "Image was created with no KERN-B partition reserved!" 1>&2
    echo "Cannot proceed." 1>&2
    return 1
  fi

  # We're going to use the real signing block.
  if [ $FLAGS_sync_keys -eq $FLAGS_TRUE ]; then
    dd if="$INSTALL_VBLOCK" of="$RECOVERY_IMAGE" bs=512 \
       seek=$kern_b_offset \
       conv=notrunc
  fi

  local kernel_img_bytes
  kernel_img_bytes="$(stat -c %s "${RECOVERY_KERNEL_IMAGE}")"
  if [[ "${kernel_img_bytes}" -gt "$(( kern_a_size * 512 ))" ]]; then
    die "Kernel image is larger than $(( kern_a_size * 512 / 1048576 )) MiB."
  fi

  # Install the recovery kernel as primary.
  dd if="$RECOVERY_KERNEL_IMAGE" of="$RECOVERY_IMAGE" bs=512 \
     seek=$kern_a_offset \
     count=$kern_a_size \
     conv=notrunc
  # Force all of the file writes to complete, in case it's necessary for
  # crbug.com/954188
  sync

  # Set the 'Success' flag to 1 (to prevent the firmware from updating
  # the 'Tries' flag).
  sudo $GPT add -i "${partition_num_kern_a}" -S 1 "$RECOVERY_IMAGE"

  # Repeat for the legacy bioses.
  # Replace vmlinuz.A with the recovery version we built.
  # TODO(wad): Extract the $RECOVERY_KERNEL_IMAGE and grab vmlinuz from there.
  local sysroot="$FACTORY_ROOT"
  local vmlinuz="$sysroot/boot/vmlinuz"
  local failed=0

  if [ "$ARCH" = "x86" ]; then
    RECOVERY_DEV=$(loopback_partscan "${RECOVERY_IMAGE}")
    # There is no syslinux on ARM, so this copy only makes sense for x86.
    set +e
    local partition_num_efi_system=$(get_image_partition_number \
      "${RECOVERY_IMAGE}" "EFI-SYSTEM")
    local esp_mnt=$(mktemp -d)
    sudo mount ${RECOVERY_DEV}p${partition_num_efi_system} "$esp_mnt"
    sudo cp "$vmlinuz" "$esp_mnt/syslinux/vmlinuz.A" || failed=1
    safe_umount "$esp_mnt"
    rmdir "$esp_mnt"
    sudo losetup -d ${RECOVERY_DEV}
    switch_to_strict_mode
  fi

  if [ $failed -eq 1 ]; then
    echo "Failed to copy recovery kernel to ESP"
    return 1
  fi
  return 0
}

find_sectors_needed() {
  # Find the minimum disk sectors needed for a file system to hold a list of
  # files or directories.
  local base_dir="$1"
  local file_list="$2"

  # Calculate space needed by the files we'll be copying, plus
  # a reservation for recovery logs or other runtime data.
  local in_use=$(cd "${base_dir}"
                 du -s -B512 ${file_list} |
                   awk '{ sum += $1 } END { print sum }')
  local sectors_needed=$(( in_use + FLAGS_statefulfs_sectors ))

  # Add 10% overhead for the FS, rounded down.  There's some
  # empirical justification for this number, but at heart, it's a
  # wild guess.
  echo $(( sectors_needed + sectors_needed / 10 ))
}

# Copy the given list of files from old stateful partition to new stateful
# partition.
# Args:
#  $1: source image filename
#  $2: destination image filename
copy_stateful() {
  local src_img="$1"
  local dst_img="$2"

  local old_stateful_offset old_stateful_mnt sectors_needed
  local small_stateful new_stateful_mnt

  # Mount the old stateful partition so we can copy selected values
  # off of it.
  local partition_num_state
  partition_num_state=$(get_image_partition_number "${dst_img}" "STATE")
  old_stateful_mnt=$(mktemp -d)

  IMAGE_DEV=$(loopback_partscan "${src_img}")
  sudo mount "${IMAGE_DEV}p${partition_num_state}" "${old_stateful_mnt}"

  sectors_needed="$(cgpt show -i "${partition_num_state}" -n -s "${dst_img}")"

  # Rebuild the image with stateful partition sized by sectors_needed.
  small_stateful=$(mktemp)
  dd if=/dev/zero of="${small_stateful}" bs=512 \
    count="${sectors_needed}" 1>&2
  trap "rm ${small_stateful}; sudo losetup -d ${IMAGE_DEV} || true; cleanup" \
    EXIT

  # Don't bother with ext3 for such a small image.
  /sbin/mkfs.ext2 -F -b 4096 "${small_stateful}" 1>&2

  # If it exists, we need to copy the vblock over to stateful
  # This is the real vblock and not the recovery vblock.
  new_stateful_mnt=$(mktemp -d)

  # Force all of the file writes to complete, in case it's necessary for
  # crbug.com/954188
  sync
  sudo mount -o loop $small_stateful $new_stateful_mnt

  # Create the directories that are going to be needed below. With correct
  # permissions and ownership.
  sudo mkdir --mode=755 "${new_stateful_mnt}/unencrypted"

  # Copy over any files that need to be preserved.
  for name in ${WHITELIST}; do
    if [ -e "${old_stateful_mnt}/${name}" ]; then
      sudo cp -a "${old_stateful_mnt}/${name}" "${new_stateful_mnt}/${name}"
    fi
  done

  # Cleanup everything.
  safe_umount "$old_stateful_mnt"
  safe_umount "$new_stateful_mnt"
  rmdir "$old_stateful_mnt"
  rmdir "$new_stateful_mnt"
  sudo losetup -d ${IMAGE_DEV}
  trap cleanup EXIT
  switch_to_strict_mode

  local dst_start
  dst_start="$(cgpt show -i "${partition_num_state}" -b "${dst_img}")"
  dd if="${small_stateful}" of="${dst_img}" conv=notrunc bs=512 \
    seek="${dst_start}" count="${sectors_needed}" status=none
  rm "${small_stateful}"
  return 0
}

# Calculates the number of sectors required for stateful partition.
# or returns the source stateful partition size if --minimize_image not present.
calculate_stateful_blocks() {
  local partition_num_state
  partition_num_state="$(get_image_partition_number "${FLAGS_image}" "STATE")"

  # If --minimize_image not present, use the partition size from source image,
  # (not recovery image, it's hard-coded to 2MiB).
  if [[ "${FLAGS_minimize_image}" -eq "${FLAGS_FALSE}" ]]; then
    cgpt show -i "${partition_num_state}" -n -s "${FLAGS_image}"
    return 0
  fi

  local old_stateful_mnt
  old_stateful_mnt="$(mktemp -d)"

  IMAGE_DEV=$(loopback_partscan "${FLAGS_image}")
  sudo mount "${IMAGE_DEV}p${partition_num_state}" "${old_stateful_mnt}"

  # Print the minimum number of sectors needed.
  find_sectors_needed "${old_stateful_mnt}" "${WHITELIST}"

  # Cleanup everything.
  safe_umount "${old_stateful_mnt}"
  rmdir "${old_stateful_mnt}"
  sudo losetup -d "${IMAGE_DEV}"

  return 0
}

# Creates an empty image using the recovery layout and calculated stateful size.
create_image() {
  local dst_img="$1"

  local stateful_blocks
  stateful_blocks="$(calculate_stateful_blocks)"

  # Remove dst_img first otherwise build_gpt_image won't create a new one
  # with correct layout.
  rm -f "${dst_img}"

  # Build the partition table.
  local partition_script_path
  partition_script_path="$(dirname "${dst_img}")/partition_script.sh"
  write_partition_script recovery "${partition_script_path}" \
    "STATE:=$(( stateful_blocks * 512 ))"
  run_partition_script "${dst_img}" "${partition_script_path}"
}

# Copy the partitions one by one from source image to destination image,
# except that KERN-A is moved to KERN-B.
# Args:
#  $1: source image filename
#  $2: destination image filename
copy_partitions() {
  local src_img="$1"
  local dst_img="$2"

  local part=0
  while :; do
    : $(( part += 1 ))
    local src_start
    src_start="$(cgpt show -i "${part}" -b "${src_img}")"
    if [[ "${src_start}" -eq 0 ]]; then
      # No more partitions to copy.
      break
    fi

    # Load source partition details.
    local size label
    size="$(cgpt show -i "${part}" -s "${src_img}")"
    label="$(cgpt show -i "${part}" -l "${src_img}")"
    if [[ "${size}" -eq 0 ]]; then
      continue
    fi

    local dst_part="${part}"
    # Move KERN-A to KERN-B.
    if [[ ${label} == 'KERN-A' ]]; then
      dst_part="$(get_image_partition_number "${dst_img}" 'KERN-B')"
    fi

    local dst_start dst_size
    dst_start="$(cgpt show -i "${dst_part}" -b "${dst_img}")"
    dst_size="$(cgpt show -i "${dst_part}" -s "${dst_img}")"

    if [[ "${label}" == 'STATE' && \
          "${FLAGS_minimize_image}" -eq "${FLAGS_TRUE}" ]]; then
      copy_stateful "${src_img}" "${dst_img}"
    elif [[ ${label} == 'KERN-B' ]]; then
      : # Skip KERN-B.
    else
      # Copy other partition as-is.
      if [[ "${size}" -gt "${dst_size}" ]]; then
        die "Partition #${part} larger than the destination partition"
      fi
      dd if="${src_img}" of="${dst_img}" conv=notrunc bs=512 \
         skip="${src_start}" seek="${dst_start}" count="${size}" \
         status=none
      sync
    fi
  done
  return 0
}

cleanup() {
  set +e
  if [[ -n "${RECOVERY_DEV}" ]]; then
    sudo losetup -d "${RECOVERY_DEV}"
  fi
  if [[ -n "${IMAGE_DEV}" ]]; then
    sudo losetup -d "${IMAGE_DEV}"
  fi
  if [[ "${FLAGS_image}" != "${RECOVERY_IMAGE}" ]]; then
    rm "${RECOVERY_IMAGE}"
  fi
  rm "${INSTALL_VBLOCK}"
}


# Main process begins here.
set -u

# No image was provided, use standard latest image path.
if [ -z "$FLAGS_image" ]; then
  FLAGS_image="${IMAGES_DIR}/${BOARD}/latest/${CHROMEOS_IMAGE_NAME}"
fi

# Turn path into an absolute path.
FLAGS_image=$(readlink -f "$FLAGS_image")

# Abort early if we can't find the image.
if [ ! -f "$FLAGS_image" ]; then
  die_notrace "Image not found: $FLAGS_image"
fi

IMAGE_DIR="$(dirname "$FLAGS_image")"
IMAGE_NAME="$(basename "$FLAGS_image")"
RECOVERY_IMAGE="${FLAGS_to:-$IMAGE_DIR/$CHROMEOS_RECOVERY_IMAGE_NAME}"
RECOVERY_KERNEL_IMAGE=\
"${FLAGS_kernel_outfile:-$IMAGE_DIR/$RECOVERY_KERNEL_NAME}"
STATEFUL_DIR="$IMAGE_DIR/stateful_partition"
SCRIPTS_DIR=${SCRIPT_ROOT}
RECOVERY_DEV=""
IMAGE_DEV=""

if [ $FLAGS_kernel_image_only -eq $FLAGS_TRUE -a \
     -n "$FLAGS_kernel_image" ]; then
  die_notrace "Cannot use --kernel_image_only with --kernel_image"
fi

echo "Creating recovery image from ${FLAGS_image}"

INSTALL_VBLOCK=$(get_install_vblock)
if [ -z "$INSTALL_VBLOCK" ]; then
  die "Could not copy the vblock from stateful."
fi

FACTORY_ROOT="${BOARD_ROOT}/factory-root"

if [ -z "${FLAGS_kernel_image}" ]; then
  # Build the recovery kernel.
  RECOVERY_KERNEL_FLAGS="recovery_ramfs tpm i2cdev vfat kernel_compress_xz"
  RECOVERY_KERNEL_FLAGS="${RECOVERY_KERNEL_FLAGS} -kernel_afdo"
  USE="${USE} ${RECOVERY_KERNEL_FLAGS}" emerge_custom_kernel "$FACTORY_ROOT" ||
    die "Cannot emerge custom kernel"
  create_recovery_kernel_image
  echo "Recovery kernel created at $RECOVERY_KERNEL_IMAGE"
else
  RECOVERY_KERNEL_IMAGE="$FLAGS_kernel_image"
fi

if [ $FLAGS_kernel_image_only -eq $FLAGS_TRUE ]; then
  echo "Kernel emitted. Stopping there."
  rm "$INSTALL_VBLOCK"
  exit 0
fi

trap cleanup EXIT

if [[ "${FLAGS_modify_in_place}" -eq "${FLAGS_TRUE}" ]]; then
  # Implement in-place modification by creating a temp image and copy it back
  # to the source image path later.
  RECOVERY_IMAGE="$(mktemp)"
fi
create_image "${RECOVERY_IMAGE}"
copy_partitions "${FLAGS_image}" "${RECOVERY_IMAGE}"
sync

if [ $FLAGS_decrypt_stateful -eq $FLAGS_TRUE ]; then
  stateful_mnt=$(mktemp -d)
  RECOVERY_DEV=$(loopback_partscan "${RECOVERY_IMAGE}")
  partition_num_state=$(get_image_partition_number \
    "${RECOVERY_IMAGE}" "STATE")
  sudo mount ${RECOVERY_DEV}p${partition_num_state} "${stateful_mnt}"
  echo -n "1" | sudo tee "${stateful_mnt}"/decrypt_stateful >/dev/null
  sudo umount "$stateful_mnt"
  rmdir "$stateful_mnt"
  sudo losetup -d ${RECOVERY_DEV}
fi

install_recovery_kernel
update_efi_partition

if [[ "${FLAGS_modify_in_place}" -eq "${FLAGS_TRUE}" ]]; then
  mv "${RECOVERY_IMAGE}" "${FLAGS_image}"
fi

echo "Recovery image created at $RECOVERY_IMAGE"
command_completed
trap - EXIT