#!/bin/bash

## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## Copyright (C) 2023 - 2023 Friedrich Doku <friedrichdoku@gmail.com>
## See the file COPYING for copying conditions.

#set -x
set -e

error_handler() {
   local exit_code="$?"
   local last_err="$BASH_COMMAND"
   printf "%s\n" "ERROR: '$last_err' exit code '$exit_code'" >&2
   exit 1
}

trap "error_handler" ERR

is_secure_boot_enforced() {
   ## The ram-wipe package does not declare 'Depends: mokutil' in debian/control.
   ## Adding 'Depends: mokutil' would make ram-wipe only installable on systems
   ## where the mokutil package is available. Unfortunately, mokutil is
   ## unavailable for many architectures.
   if ! command -v mokutil &>/dev/null ; then
      secure_boot_status="'unknown' (mokutil is not installed.)"
      return 1
   fi

   if mokutil_output="$(mokutil --sb-state 2>&1)" ; then
      if printf "%s\n" "$mokutil_output" | grep --quiet --ignore-case --fixed-strings enabled ; then
         secure_boot_status="'enabled' (mokutil_output: '$mokutil_output')"
         return 0
      elif printf "%s\n" "$mokutil_output" | grep --quiet --ignore-case --fixed-strings disabled ; then
         secure_boot_status="'disabled' (mokutil_output: '$mokutil_output')"
         return 1
      else
         secure_boot_status="'unknown-please-report-this-minor-bug' (mokutil_output: '$mokutil_output')"
         return 2
      fi
   else
      secure_boot_status="'disabled' (mokutil_output: '$mokutil_output')"
      return 3
   fi
}

printf "%s\n" "$secure_boot_status"
