#!/bin/sh
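# Populate the debian/*.install, *.substvars, *.triggers and maintainer
# script files for every signed image listed in debian/package.config.
#
# Arguments:
#   $1 - version of the unsigned package (passed to generate-depends)
#   $2 - version directory that holds snapd-info for --uc images
#   $3 - ABI string used to build the package and file names
# Environment:
#   DEB_HOST_ARCH - only config lines for this architecture are processed
unsigned_version="$1"
version="$2"
abi="$3"

# Write the HMAC-SHA512 sidecar for image $1 and leave its path in $hmac.
# The key is a fixed literal in this script, so anyone can recompute the
# digest: it can serve as a corruption check only, not as proof of origin.
# Returns non-zero when the sidecar ends up empty (for example because
# openssl failed); without that check an empty file would be packaged.
write_hmac()
{
	hmac="$(dirname "$1")/.$(basename "$1").hmac"
	openssl sha512 -r -hmac FIPS-FTW-RHT2009 "$1" |			\
		awk -v pkg="/boot/$(basename "$1")"			\
			'{ printf("%s  %s\n", $1, pkg) }'		\
		> "$hmac"
	[ -s "$hmac" ]
}

# Each config line has the form:
#   sign amd64 efi kernel.efi generic --uc
# i.e. command, architecture, signature type, image stem, flavour, options.
while read -r cmd arch stype instfile flavour options
do
	[ "$arch" != "$DEB_HOST_ARCH" ] && continue

	verflav="$abi-$flavour"
	signed="SIGNED/$instfile-$verflav"

	# The options select which binary package carries this image.
	case " $options " in
	*' --cvm '*)
		package="linux-image-$verflav-fde"
		;;
	*' --uc '*)
		package="linux-image-uc-$verflav"
		;;
	*' --fallback '*)
		package="linux-image-fb-$verflav"
		;;
	*)
		package="linux-image-$verflav"
		;;
	esac

	# Refuse to continue when the selected package has no stanza in
	# debian/control. The earlier form matched the literal word "package"
	# and had the sense of the test inverted, so it could never report a
	# missing package and signed files could be staged for a package that
	# is never built.
	if ! grep -q "^Package: *$package\$" debian/control; then
		echo "EE: $package was selected but is not present in debian/control" >&2
		exit 1
	fi

	case " $options " in
	*' --cvm '*)
		templates=cvm
		echo "$package: adding $signed to usr/lib/linux/efi"
		echo "$signed usr/lib/linux/efi" >>"debian/$package.install"
		;;
	*' --uc '*)
		templates=uc
		echo "$package: adding $signed"
		echo "$signed boot" >>"debian/$package.install"
		case $flavour in
		*fips)
			if ! write_hmac "$signed"; then
				echo "EE: failed to generate $hmac" >&2
				exit 1
			fi
			echo "$package: adding $hmac"
			echo "$hmac boot" >>"debian/$package.install"
			;;
		esac
		snapdinfo=$version/snapd-info
		echo "$package: adding $snapdinfo"
		echo "$snapdinfo boot" >>"debian/$package.install"
		;;
	*)
		templates=image
		if [ "$instfile" = "stubble.efi" ]; then
			# stubble.efi images are installed under a vmlinuz-* name
			# via a hard link placed in a hidden sibling directory.
			rename=$(echo "$signed" | sed -e "s@/$instfile-@/.$instfile/vmlinuz-@")
			mkdir -p "$(dirname "$rename")"
			ln "$signed" "$rename"
			echo "$package: adding $signed as $rename"
			echo "$rename boot" >>"debian/$package.install"
		else
			echo "$package: adding $signed"
			echo "$signed boot" >>"debian/$package.install"
		fi
		;;
	esac

	# Only plain images feed the optional hmac and d-i packages.
	case " $options " in
	*' --cvm '* | *' --uc '* | *' --fallback '*)
		;;
	*)
		hmac_pkg="linux-image-hmac-$verflav"
		if grep -q "^Package: *$hmac_pkg\$" debian/control; then
			if ! write_hmac "$signed"; then
				echo "EE: failed to generate $hmac" >&2
				exit 1
			fi
			echo "$hmac_pkg: adding $hmac"
			echo "$hmac boot" >>"debian/$hmac_pkg.install"
		fi

		di_pkg="kernel-signed-image-$verflav-di"
		if grep -q "^Package: *$di_pkg\$" debian/control; then
			echo "$di_pkg: adding $signed"
			echo "$signed boot" >>"debian/$di_pkg.install"
		fi
		;;
	esac

	./debian/scripts/generate-depends "linux-image-unsigned-$verflav" "$unsigned_version"	\
		>>"debian/$package.substvars"

	# Instantiate whichever maintainer-script templates exist.
	# NOTE(review): abi, flavour and instfile are spliced into the sed
	# replacement text; this assumes they never contain "/" or "&" - confirm
	# against the values allowed in debian/package.config.
	for which in postinst postrm preinst prerm; do
		template="debian/templates/$templates.$which.in"
		script="debian/$package.$which"
		if [ -e "$template" ]; then
			sed -e "s/@abiname@/$abi/g"			\
			    -e "s/@localversion@/-$flavour/g"		\
			    -e "s/@image-stem@/$instfile/g"		\
				<"$template" >"$script"
		fi
	done
	echo "interest linux-update-$abi-$flavour"			\
		>"debian/$package.triggers"
done <debian/package.config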
