#!/bin/bash
# SPDX-License-Identifier: MIT
# SPDX-FileCopyrightText: Copyright 2024 SUSE LLC
# SPDX-FileCopyrightText: Copyright 2024 Richard Brown

set -euo pipefail

# Setup logging
exec 3>&1 4>&2
trap 'exec 2>&4 1>&3' 0 1 2 3
exec 1>>/var/log/aeon-check.log 2>&1

boo1234234() {
    # Problem: boo1234234 and related bugs. TPM2 enrolments failing because PCR0 invalidated by firmware updates.
    # Solution: Stop measuring PCR0 and update-predictions with the reduced PCR list

    # Only run if fde-tools is configured
    if test -e /etc/sysconfig/fde-tools ; then
        . /etc/sysconfig/fde-tools

        if [ "${FDE_SEAL_PCR_LIST}" = "0,4,5,7,9" ]; then
            echo "boo1234234 detected - PCR0 measured for TPM FDE sealing - correcting"
            echo "FDE_SEAL_PCR_LIST=4,5,7,9" > /etc/sysconfig/fde-tools
            sdbootutil -v update-predictions
            echo "boo1234234 corrected"
        fi
    fi
}

boo1243182() {
    # Problem: Aeon should be using Zypp's single RPM transaction backend
    # Solution: Add 'techpreview.ZYPP_SINGLE_RPMTRANS=1' to zypp.conf 

    if ! grep -qxF 'techpreview.ZYPP_SINGLE_RPMTRANS=1' /etc/zypp/zypp.conf ; then
         echo 'boo1243182 detected - Not using ZYPP_SINGLE_RPMTRANS - correcting'
         echo 'techpreview.ZYPP_SINGLE_RPMTRANS=1' >> /etc/zypp/zypp.conf
         echo 'boo1243182 corrected'
    fi
}

boo1246605() {
    # Problem: Aeon should have 'ro=vfs' as a mount attribute for / in /etc/fstab
    # Solution: Add 'ro=vfs' as a mount attribute for / in /etc/fstab
    if gawk '$2 == "/" && $4 != "compress=zstd:1,ro=vfs"' /etc/fstab | grep -q / ; then
        echo 'boo1246605 detected - fstab not using ro=vfs for / - correcting'
        gawk -i inplace '$2 == "/" && $4 != "compress=zstd:1,ro=vfs" { $4 = "compress=zstd:1,ro=vfs" } { print $0 }' /etc/fstab
        echo 'boo1246605 corrected'
    fi
}

# Active fixes executed in order of importance
boo1246605
boo1243182
boo1234234
