#!/bin/bash

## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

source /usr/libexec/helper-scripts/get_colors.sh

check_secure_boot() {
   local mokutil_output link_cli link_gui MSG reason
   if [ "$silent" -ge "4" ]; then
      true "silent is $silent. Skipping $FUNCNAME."
      return 0
   fi

   link_cli="https://www.kicksecure.com/wiki/Secure_Boot"
   link_gui="<a href=\"$link_cli\">Secure Boot</a>"

   if [ -f '/usr/share/qubes/marker-vm' ]; then
      reason="Qubes detected.<br/>
Qubes issue: <a href=https://github.com/QubesOS/qubes-issues/issues/5241>https://github.com/QubesOS/qubes-issues/issues/5241</a>"
   else
      reason="Not booted in EFI mode."
   fi

   if ! [ -d /sys/firmware/efi ]; then
      true "Secure Boot test: Unavailable. Reason: $reason"
      if [ "$verbose" -ge "1" ]; then
         MSG="<p>$link_gui: <font color=\"orange\">Unavailable</font> <br/>Reason: $reason"
         $output_x ${output_opts[@]} --messagex --typex "info" --message "$MSG"

         MSG="Secure Boot: ${yellow}Unavailable${nocolor} Reason: $reason
See also: $link_cli"
         $output_cli ${output_opts[@]} --messagecli --typecli "info" --message "$MSG"
      fi
      return 0
   fi

   if mokutil_output="$(leaprun mokutil-sb-state 2>&1)"; then
      secure_boot_status_enabled=true
      if [[ "${mokutil_output}" = *enabled* ]]; then
         MSG="<p>$link_gui: <font color=\"green\">Enabled</font></p>"
         $output_x ${output_opts[@]} --messagex --typex "info" --message "$MSG"

         MSG="Secure Boot: ${green}Enabled${nocolor}
See also: $link_cli"
         $output_cli ${output_opts[@]} --messagecli --typecli "info" --message "$MSG"
      elif [[ "${mokutil_output}" = *disabled* ]]; then
         MSG="<p>$link_gui: <font color=\"orange\">Disabled</font></p>"
         $output_x ${output_opts[@]} --messagex --typex "info" --message "$MSG"

         MSG="Secure Boot: ${yellow}Disabled${nocolor}
See also: $link_cli"
         $output_cli ${output_opts[@]} --messagecli --typecli "info" --message "$MSG"
      else
         MSG="<p>$link_gui: <font color=\"orange\">Unknown</font></p>"
         $output_x ${output_opts[@]} --messagex --typex "info" --message "$MSG"

         MSG="Secure Boot: ${yellow}Unknown${nocolor}
See also: $link_cli"
         $output_cli ${output_opts[@]} --messagecli --typecli "info" --message "$MSG"
      fi
   else
      ## Not exiting with non-zero exit code until there is full verified boot and
      ## booting without Microsoft's key in the UEFI root of trust.
      #EXIT_CODE="1"

      MSG="<p>$link_gui: <font color=\"orange\">Disabled</font>"
      $output_x ${output_opts[@]} --messagex --typex "info" --message "$MSG"

      MSG="Secure Boot: ${yellow}Disabled${nocolor}
See also: $link_cli"
      $output_cli ${output_opts[@]} --messagecli --typecli "info" --message "$MSG"
   fi
}