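#!/bin/bash
#
# encrypt-storage: bring up a LUKS-encrypted, loop-backed volume whose key is
# sealed by the TPM.
#
# Usage: encrypt-storage {start|stop|restart|clean}
#
#   start    - create and seal the volume key on first run, attach the loop
#              device, luksFormat it if needed, open the mapping and mount it.
#              Exits 0 immediately if the mapping is already mounted.
#   stop     - unmount, close the LUKS mapping, detach the loop devices.
#   restart  - unmount and detach, then run the full start sequence.
#   clean    - like stop, then delete the sealed key, the markers and the
#              mount directory.  The data is unrecoverable afterwards.
#
# State kept under /etc/encrypted_storage:
#   sealed_key  32-byte volume key, sealed by tpm_sealdata to PCRs 4, 5, 8
#   format      marker: the backing file has already been luksFormat-ed
#   loop<N>     marker: /dev/loop<N> was attached by this script
#
# Requires tpm_sanitycheck, tcsd, tpm_sealdata, tpm_unsealdata, cryptsetup,
# losetup, mkfs.ext3 and logger.  The volume key is only ever piped between
# processes; it is never written to the filesystem in the clear.
#
# Exit status: 0 on success or when the TPM/tcsd is unavailable ("[ SKIP ]"),
# 1 on any failure ("[ FAIL ]").

# Nothing to do on a union-mounted (overlay) system.
if [ -e /dev/.union/ ]; then
	exit 0
fi

config_dir=/etc/encrypted_storage
# Older versions wrote the key here in the clear before sealing it; the path
# is kept only so that any such leftover is removed.  It is never written now.
plain_key="$config_dir"/temp_plain_key
sealed_key="$config_dir"/sealed_key

target_dev=/home/secret_dev      # backing file of the loop device
is_format=$config_dir/format
mapper_dev_name=secret
mapper_dev_path=/dev/mapper/$mapper_dev_name

mapper_mnt_dir=/home/mapper_secret_dir

dev=""            # loop device chosen for this run, e.g. /dev/loop0
need_format=""    # "yes" when the backing file was just created

# A pipeline must report a failing unseal, otherwise cryptsetup would be fed
# an empty key and the pipeline would still exit 0.
set -o pipefail

#######################################
# Log a message to syslog under the script's tag.
# Arguments: the message words
#######################################
log() {
	logger -t "encrypt-storage" "$@"
}

#######################################
# Test whether the mount table contains the given fragment.
# grep is used without -q so mount(8) is read to the end and never gets a
# SIGPIPE, which would make the pipeline fail under pipefail.
# Arguments: $1 - fragment such as "/dev/mapper/secret on " or " on /mnt/x "
# Returns:   0 if found, 1 otherwise
#######################################
mount_table_has() {
	mount | grep -F -- "$1" > /dev/null
}

#######################################
# Detach every loop device recorded by a loop<N> marker in the config dir.
# Globals:   config_dir (read)
# Errors are ignored: a device may already be detached.
#######################################
detach_loops() {
	local marker
	for marker in "$config_dir"/loop*; do
		[ -e "$marker" ] || continue
		losetup -d "/dev/${marker##*/}" &> /dev/null
	done
}

#######################################
# Log a failure, undo what this run set up, print "[ FAIL ]" and exit 1.
# Globals:   dev, mapper_dev_path, mapper_dev_name (read)
# Arguments: $1 - message for syslog
#######################################
fail() {
	log "$1"
	if [ -e "$mapper_dev_path" ]; then
		cryptsetup luksClose "$mapper_dev_name" &> /dev/null
	fi
	if [ -n "$dev" ]; then
		losetup -d "$dev" &> /dev/null
	fi
	echo "[ FAIL ]"
	exit 1
}

case "$1" in
	clean)
		log "All will be cleaned!"
		umount "$mapper_dev_path" &> /dev/null
		# Never rm -fr a directory that still has the volume mounted on it.
		if mount_table_has " on $mapper_mnt_dir "; then
			log "umount failed, refusing to clean while still mounted!"
			echo "[ FAIL ]"
			exit 1
		fi
		cryptsetup luksClose "$mapper_dev_name"
		rm -f "$mapper_dev_path"
		rm -f "$is_format"
		rm -f "$sealed_key" "$plain_key"
		detach_loops
		rm -f "$config_dir"/loop*
		rm -fr "$mapper_mnt_dir"
		log "Cleaned!"
		exit 0
		;;
	start)
		echo -n "Starting encrypt-storage:  "
		if [ -e "$mapper_dev_path" ] && mount_table_has "$mapper_dev_path on "; then
			log "encrypt-storage has been started"
			echo "[ OK ]"
			exit 0
		fi
		;;
	stop)
		umount "$mapper_dev_path" &> /dev/null
		cryptsetup luksClose "$mapper_dev_name"
		detach_loops
		echo "Stopping encrypt-storage:  [ OK ]"
		exit 0
		;;
	restart)
		echo -n "Restarting encrypt-storage:  "
		umount "$mapper_dev_path" &> /dev/null
		detach_loops
		;;
	*)
		echo "Encrypt storage setup"
		echo "Usage: $0 {start|stop|restart|clean}"
		exit 0
		;;
esac

# Everything below is the start/restart path.  A mapping left over from an
# earlier run is closed so it can be re-opened on the loop device set up here.
cryptsetup luksClose "$mapper_dev_name" &> /dev/null

# Everything created from here on (sealed key, markers, backing file and the
# not-yet-mounted mount point) is readable by root only.
umask 077

# Check TPM ownership, giving the TPM a few seconds to come up.
tpm_owned=no
for i in 1 2 3; do
	sleep "$i"
	if tpm_sanitycheck -q -o; then
		tpm_owned=yes
		break
	fi
done
if [ "$tpm_owned" != "yes" ]; then
	log "Timeout, TPM is NOT owned!"
	echo "TPM is not owned. [ SKIP ]"
	exit 0
fi

# tcsd must be running (and still be running a second later) for the tpm_*
# tools below to work.
if pgrep tcsd &> /dev/null && { sleep 1; pgrep tcsd &> /dev/null; }; then
	log "tcsd is running!"
else
	log "tcsd is NOT running!"
	echo "[ SKIP ]"
	exit 0
fi

mkdir -p "$config_dir"
chmod 0700 "$config_dir"
# A plaintext key left behind by an older version must not stay on disk.
rm -f "$plain_key"

if [ ! -f "$sealed_key" ]; then
	# Generate the 32-byte volume key and seal it (-z: well-known SRK secret)
	# to PCRs 4, 5 and 8 in one pipeline, so the plaintext never hits the disk.
	dd if=/dev/urandom bs=1 count=32 | tpm_sealdata -z -p 4 -p 5 -p 8 -o "$sealed_key"
	if [ "$?" != "0" ] || [ ! -s "$sealed_key" ]; then
		# Drop a partial file so the next run does not mistake it for a key.
		rm -f "$sealed_key"
		fail "we can NOT get a sealed key!"
	fi
fi

# Lift the locked-memory limits; presumably so cryptsetup and the TPM tools can
# mlock their key buffers — TODO confirm on the target platform.
ulimit -Hl unlimited
ulimit -Sl unlimited

dev=$(losetup -f)
[ -n "$dev" ] || fail "no free loop device!"
log "We will use $dev"

# Marker recording which /dev/loop<N> belongs to us (see detach_loops).
lo_dev=$config_dir/${dev##*/}

if [ ! -f "$target_dev" ]; then
	# First run: create a 10 MiB backing file; it needs a fresh filesystem.
	dd if=/dev/zero of="$target_dev" bs=1M count=10 || fail "can NOT create $target_dev!"
	rm -f "$is_format"
	need_format="yes"
fi

# Check losetup itself, not the touch that follows it.
losetup "$dev" "$target_dev" || fail "losetup failed!"
touch "$lo_dev"

# Make sure the key unseals under the current PCR values before touching
# the LUKS container.
tpm_unsealdata -z -i "$sealed_key" > /dev/null || fail "can NOT unseal the key!"

if [ ! -f "$is_format" ]; then
	log "We will Format the device ..."
	tpm_unsealdata -z -i "$sealed_key" | cryptsetup luksFormat --key-file=- "$dev" \
		|| fail "can NOT Format the device!"
	log "Format succeed!"
	touch "$is_format"
fi

log "We will Open this device ..."
tpm_unsealdata -z -i "$sealed_key" | cryptsetup luksOpen --key-file=- "$dev" "$mapper_dev_name"
[ -e "$mapper_dev_path" ] || fail "can NOT get the mapper device! $mapper_dev_path"
log "Open succeed!"

mkdir -p "$mapper_mnt_dir"
umount "$mapper_mnt_dir" &> /dev/null

# A filesystem is only created when the backing file was created by this run;
# a missing "format" marker alone re-runs luksFormat but not mkfs.
if [ "x$need_format" = "xyes" ]; then
	mkfs.ext3 "$mapper_dev_path" &> /dev/null || fail "mkfs.ext3 failed!"
fi
mount -t ext3 "$mapper_dev_path" "$mapper_mnt_dir" || fail "can NOT mount $mapper_dev_path!"

log "Mount succeed!"

echo "[ OK ]"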

