#!/bin/bash

## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

set -x

set -e

while :
do
   case $1 in
   --debug)
      debug="true"
      shift
      ;;
   --non-interactive)
      continue_debug="y"
      shift
      ;;
   --vm)
      kernel_config="hardened-vm-kernel"
      shift
      ;;
   --host)
      kernel_config="hardened-host-kernel"
      shift
      ;;
   --)
      shift
      break
      ;;
   -*)
      echo "ERROR: Not a valid option." >&2
      exit 1
      ;;
   *)
      break
      ;;
   esac
done

if [ "$kernel_config" = "" ]; then
   echo "ERROR: You need to add either --vm or --host parameter." >&2
   exit 1
fi

MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

## example MYDIR:
## /usr/share/hardened-kernel

## example MYDIR:
## /home/travis/build/Whonix/hardened-kernel/usr/share/hardened-kernel

## Debugging.
whoami
env
true "CI: $CI"

## TODO: do not use networking as per https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/214
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/267
"$MYDIR/download"

## TODO: auto detect from files in folder /usr/src/hardened-kernel/files
version="4.19.122"

## Location similar to DKMS.
## DKMS uses /var/lib/dkms/pkg-name/build/.
working_folder="/var/lib/hardened-kernel/${kernel_config}"
rm -r -f "$working_folder"
mkdir -p "$working_folder"
chmod o-rwx "$working_folder"

source_folder="/usr/src/hardened-kernel/files"

## TODO
mkdir -p "$source_folder"

extracted_linux_kernel_sources_folder="${working_folder}/linux-${version}/"

## Debugging.
ls "$source_folder"
ls "$working_folder"

## Sanity tests.
test -r "${source_folder}/linux-${version}.tar.xz"
test -r "${source_folder}/linux-hardened-${version}.a.patch"

tar -xf "${source_folder}/linux-${version}.tar.xz" -C "$working_folder"

## Debugging.
ls "$extracted_linux_kernel_sources_folder"

cat "${source_folder}/linux-hardened-${version}.a.patch" | patch --silent -p1 -d "$extracted_linux_kernel_sources_folder"

cp "${MYDIR}/${kernel_config}" "$extracted_linux_kernel_sources_folder/.config"

## Sanity test.
diff "${MYDIR}/${kernel_config}" "$extracted_linux_kernel_sources_folder/.config"

if [ "$CI" = "true" ]; then
   true "Sanity test. 'make oldconfig' should not modify '.config'."
   true "https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/317"
   make oldconfig -C "$extracted_linux_kernel_sources_folder"
   diff "${MYDIR}/${kernel_config}" "$extracted_linux_kernel_sources_folder/.config"
fi

if [ "$debug" = "true" ]; then
   if [ "${continue_debug,,}" = "y" ]; then
      true
   else
      ## read requires stdin. Otherwise would fail if stdin is not connected.
      read -r -p "WARNING: You have configured to build your kernel with debugging enabled. This can severely worsen security. Continue? (y/n) " continue_debug
      if [ ! "${continue_debug,,}" = "y" ]; then
         echo "You have selected to not continue. Exiting."
         exit
      fi
   fi

   cat "${MYDIR}/debugging-config" >> "$extracted_linux_kernel_sources_folder/.config"
   if [ "${kernel_config}" = "hardened-host-kernel" ]; then
     cat "${MYDIR}/debugging-config-host" >> "$extracted_linux_kernel_sources_folder/.config"
   fi
   make oldconfig -C "$extracted_linux_kernel_sources_folder"
fi

make deb-pkg -j "$(($(nproc) + 1))" -C "$extracted_linux_kernel_sources_folder"

## Debugging.
ls "$working_folder"
