#!/bin/ash
# First thing it is vital to mount the /dev and other system directories
mkdir /proc /sys /dev /tmp /boot 2>&- 1>&-
mount -t devtmpfs none /dev
mount -t proc none /proc
mount -t sysfs none /sys

# Setup our path
export PATH=/sbin:/bin

# Now it is safe to print a banner
if [ -r /etc/motd ]; then
	cat /etc/motd
fi

# Load the date from the hardware clock, setting it in local time
hwclock -l -s

# Read the system configuration parameters
. /config

if [ -z "$CONFIG_TIMEOUT" ]; then
	CONFIG_TIMEOUT=10
fi

while true; do
	boot_option=

	# Verify the user's TPM secret
	echo "TPM TOTP:"
	if ! unsealtotp.sh ; then
		echo '!!!!!'
		echo '!!!!! TPM TOTP secret not found.'
		echo '!!!!! This firmware can not be trusted.'
		echo '!!!!! Entering recovery shell'
		echo '!!!!!'
		tpm extend -ix 4 -ic "tpm-failure"
		exec /bin/ash
	fi

	# Secret decrypted ok, so prompt for a next step
	read \
		-t "$CONFIG_TIMEOUT" \
		-p "Enter for normal boot or 'r' for recovery shell: " \
		-n 1 \
		boot_option

	if [ "$boot_option" = "r" ]; then
		# Start an interactive shell
		echo '***** Starting recovery shell'
		tpm extend -ix 4 -ic "recovery"
		exec /bin/ash
	fi

	if [ "$boot_option" = "" ]; then
		if [ ! -x "$CONFIG_BOOTSCRIPT" ]; then
			echo '!!!!! Boot script missing?  Entering recovery shell'
			tpm extend -ix 4 -ic "boot-failure"
			exec /bin/ash
		fi

		echo '***** Normal boot'
		tpm extend -ix 4 -ic "normal-boot"
		exec "$CONFIG_BOOTSCRIPT"
	fi
done