#!/bin/sh
#===============================================================================
#
#  trustfence-initramfs-init
#
#  Copyright (C) 2016 by Digi International Inc.
#  All rights reserved.
#
#  This program is free software; you can redistribute it and/or modify it
#  under the terms of the GNU General Public License version 2 as published by
#  the Free Software Foundation.
#
#
#  !Description: Init script for Trustfence initramfs
#
#===============================================================================

export PATH=/bin:/sbin:/usr/bin:/usr/sbin

mkdir -p /proc /sys /dev
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t devtmpfs devtmpfs /dev

# Set kernel console loglevel
LOGLEVEL="$(sysctl -n kernel.printk)"
sysctl -q -w kernel.printk=4

# Launch 'rngd' to feed random data to kernel entropy pool
mkdir -p /var/run && rngd

for arg in $(cat /proc/cmdline); do
	case "${arg}" in
		init=*|rescue=1|root=*) eval ${arg};;
	esac
done

# Jump to a rescue shell if requested
if [ -n "${rescue}" ]; then
	# Expand console and respawn if exited
	while true; do
		setsid cttyhack sh -l
		sleep 1
	done
fi

# Translate "PARTUUID=..." to real device
root="$(findfs ${root})"

# Open LUKS encrypted device
TMP_KEYFILE="$(mktemp keyfile.XXXXXX)"
trustfence-tool -f ${TMP_KEYFILE}
if cryptsetup --key-file ${TMP_KEYFILE} open --type luks ${root} cryptroot; then
	# Reset root variable to the decrypted mapped device
	root="/dev/mapper/cryptroot"
fi
wipe -cfs ${TMP_KEYFILE}

# Mount mapped device
mkdir -p /newroot
FSTYPE="$(blkid ${root} | sed -e 's,.*TYPE="\([^"]\+\)".*,\1,g')"
mount ${FSTYPE:+-t ${FSTYPE}} ${root} /newroot

#
# Clean-up and do the switch_root to the final rootfs
#
# - explicit kill 'rngd' daemon so it doesn't leak to the final rootfs
# - restore previous kernel console loglevel
# - umount virtual filesystems
#
pkill -9 rngd
[ -n "${LOGLEVEL}" ] && sysctl -q -w kernel.printk="${LOGLEVEL}"
mount --move /dev /newroot/dev
umount /sys /proc
exec switch_root /newroot ${init:-/sbin/init}
