#!/bin/bash

# shellcheck source=../include/dts-environment.sh
source "$DTS_ENV"
# shellcheck source=../include/dts-functions.sh
source "$DTS_FUNCS"

#######################################
# Print the usage text for this script to stdout.
# Globals:   none
# Arguments: none ($0 is used for the program name)
# Outputs:   help text on stdout
# Returns:   0
#######################################
print_help() {
  local prog
  prog=$(basename "$0")
  printf '%s [OPTION]...\n\n' "$prog"
  # Quoted delimiter: nothing below needs shell expansion.
  cat <<'EOF'
Script that allows for verification whether firmware binary is signed with correct keys.
Options:
  -f|--file <file>          Path to firmware file for which to check key hash.
  -k|--key-hash <hash>      Expected key hash
  -v|--verbose              Enable trace output
  -h|--help                 Print this help
EOF
}

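#######################################
# Parse command-line options into the script-level globals.
# Globals:   rom (written), expected_hash (written)
# Arguments: the script's "$@"
# Outputs:   help text on -h / bad usage; diagnostics via error_exit
# Returns:   0 after consuming all arguments; exits via error_exit on bad input
#######################################
parse_args() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
    -v | --verbose)
      set -x
      shift
      ;;
    -h | --help)
      print_help
      exit 0
      ;;
    -f | --file)
      # A missing value used to surface as "File '' doesn't exist"; report it
      # separately from a path that really does not exist.
      if [ -z "$2" ]; then
        error_exit "--file requires a path argument"
      fi
      if [ ! -f "$2" ]; then
        error_exit "File '$2' doesn't exist"
      fi
      rom="$2"
      shift 2
      ;;
    -k | --key-hash)
      if [ -z "$2" ]; then
        error_exit "--key-hash argument cannot be empty"
      fi
      expected_hash="$2"
      shift 2
      ;;
    -*)
      print_help
      error_exit "Unknown option $1"
      ;;
    *)
      # print_help is the helper defined in this file and the one the -* arm
      # uses; the previous print_usage call was not defined here.
      print_help
      error_exit "Script doesn't accept any positional arguments, but got $#"
      ;;
    esac
  done
}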

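# Defaults: no expected hash (falls back to the board configuration) and a
# flash dump in the current directory (read from the device if it is absent).
expected_hash=
rom="flashdump.bin"

parse_args "$@"

# Without -k, take the expected key hash from the downloaded board config.
if [ -z "$expected_hash" ]; then
  board_config
  error_check "Failed to download board configuration."
  if [ -z "$INTEL_BTG_HASH" ]; then
    error_exit "Platform configuration is missing expected key hash.
The most likely reason is that there is no fusing binary for your platform."
  fi
  expected_hash="$INTEL_BTG_HASH"
fi

# sha384sum prints lowercase hex; normalize the expected value the same way so
# the exact comparison below is case-insensitive.
expected_hash="$(printf '%s' "$expected_hash" | tr '[:upper:]' '[:lower:]')"
# A SHA-384 digest is 96 hex characters. Anything else can never equal the
# computed hash, so reject it up front with a clear message instead of a
# misleading "signature doesn't match" (the old grep-based check would have
# accepted a partial or regex-like value here).
if ! [[ "$expected_hash" =~ ^[0-9a-f]{96}$ ]]; then
  error_exit "Expected key hash must be a 96-character hex SHA-384 digest, got: '${expected_hash}'"
fi

if [ ! -f "$rom" ]; then
  echo "Reading flash..."
  # $FLASHROM is left unquoted as in the original; presumably it may carry the
  # command plus arguments — confirm against dts-environment.sh.
  # shellcheck disable=SC2086
  $FLASHROM -p "$PROGRAMMER_BIOS" --ifd -i bios -i me -i fd -r "${rom}" >>"$FLASHROM_LOG_FILE" 2>>"$ERR_LOG_FILE"
  error_check "Failed to read flash"
fi

echo "Extracting key manifest..."
# km.bin is written to the current directory and is not removed afterwards.
bg-prov km-export "${rom}" km.bin 2>>"$ERR_LOG_FILE" >&2
error_check "Failed to export key manifest."

# Pull the key modulus out of the km-show text listing; the field positions
# assume bg-prov's current output layout — confirm if bg-prov changes it.
modulus=$(bg-prov km-show km.bin | grep "Key And Signature" -A 8 | grep Data | cut -d ' ' -f 10 | tail -c +11)
# An empty modulus would otherwise hash only the exponent and fail with a
# confusing mismatch; fail early instead.
if [ -z "$modulus" ]; then
  error_exit "Could not extract the key modulus from the key manifest."
fi
# Public exponent appended to the modulus before hashing. 01000100 looks like
# 65537 (0x00010001) as four little-endian bytes — confirm against the spec.
exponent=01000100

# Hash modulus || exponent as raw bytes: insert a space after every hex pair so
# xxd -r -p decodes it, then take the SHA-384 hex digest.
fw_key_hash="$(echo "$modulus$exponent" | awk '{gsub(/.{2}/,"& ")}1' | xxd -r -p | sha384sum | awk '{print $1}')"

# Exact string equality. The previous `grep -q "$expected_hash" <<<"$fw_key_hash"`
# treated the expected hash as a regular expression and matched substrings, so a
# short or wildcard value would have passed verification.
if [ "$fw_key_hash" = "$expected_hash" ]; then
  echo_green "Firmware is signed with expected key hash:"
  echo_green "  ${expected_hash}"
else
  echo_red "Firmware signature doesn't match expected hash:"
  echo_red "  Expected: ${expected_hash}"
  echo_red "  Signed  : ${fw_key_hash}"
  exit 1
fi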
