SHELL                             = /bin/bash
SRC_PATH                          = $(CURDIR)
BASE_PATH                        ?= $(SRC_PATH)
BOOTSTRAPPER_BINARY              ?= $(BASE_PATH)/../build/bootstrapper
DISK_MAPPER_BINARY               ?= $(BASE_PATH)/../build/disk-mapper
UPGRADE_AGENT_BINARY             ?= $(BASE_PATH)/../build/upgrade-agent
DEBUGD_BINARY                    ?= $(BASE_PATH)/../build/debugd
MEASUREMENT_READER_BINARY        ?= $(BASE_PATH)/../build/measurement-reader
PKI                              ?= $(BASE_PATH)/pki
MKOSI_EXTRA                      ?= $(BASE_PATH)/mkosi.extra
EXTRA_SEARCH_PATHS               ?=
IMAGE_VERSION                    ?= v0.0.0
DEBUG                            ?= false
AUTOLOGIN                        ?= false
AUTOLOGIN_ARGS                   := $(if $(filter true,$(AUTOLOGIN)),--autologin) # set "--autologin" if AUTOLOGIN is true
KERNEL_DEBUG_CMDLNE              := $(if $(filter true,$(DEBUG)),constellation.debug) # set "constellation.debug" if DEBUG is true
SEARCH_PATHS_PARAM               := $(if $(EXTRA_SEARCH_PATHS),--extra-search-path=$(EXTRA_SEARCH_PATHS))
export INSTALL_DEBUGD            ?= $(DEBUG)
export CONSOLE_MOTD = $(AUTOLOGIN)
-include $(CURDIR)/config.mk
csps := aws azure gcp openstack qemu
variants := aws_aws-sev-snp aws_aws-nitro-tpm azure_azure-sev-snp gcp_gcp-sev-es gcp_gcp-sev-snp openstack_qemu-vtpm qemu_qemu-vtpm
certs := $(PKI)/PK.cer $(PKI)/KEK.cer $(PKI)/db.cer

SYSTEMD_FIXED_RPMS := systemd-251.11-2.fc37.x86_64.rpm systemd-libs-251.11-2.fc37.x86_64.rpm systemd-networkd-251.11-2.fc37.x86_64.rpm systemd-pam-251.11-2.fc37.x86_64.rpm systemd-resolved-251.11-2.fc37.x86_64.rpm systemd-udev-251.11-2.fc37.x86_64.rpm
KERNEL_RPMS := kernel-6.1.45-100.constellation.fc38.x86_64.rpm kernel-core-6.1.45-100.constellation.fc38.x86_64.rpm kernel-modules-6.1.45-100.constellation.fc38.x86_64.rpm kernel-modules-core-6.1.45-100.constellation.fc38.x86_64.rpm
PREBUILD_RPMS_SYSTEMD := $(addprefix prebuilt/rpms/systemd/,$(SYSTEMD_FIXED_RPMS))
PREBUILD_RPMS_KERNEL := $(addprefix prebuilt/rpms/kernel/,$(KERNEL_RPMS))

.PHONY: all clean inject-bins $(csps) $(variants)

.NOTPARALLEL: mkosi.output.%/fedora~38/image.raw clean-%

all: $(csps)

aws: aws_aws-sev-snp aws_aws-nitro-tpm
azure: azure_azure-sev-snp
gcp: gcp_gcp-sev-es gcp_gcp-sev-snp
openstack: openstack_qemu-vtpm
qemu: qemu_qemu-vtpm

$(variants): %: mkosi.output.%/fedora~38/image.raw

prebuilt/rpms/systemd/%.rpm:
	@echo "Downloading $*"
	@mkdir -p $(@D)
	@curl -fsSL -o $@ https://kojipkgs.fedoraproject.org/packages/systemd/251.11/2.fc37/x86_64/$*.rpm

prebuilt/rpms/kernel/%.rpm:
	@echo "Downloading $*"
	@mkdir -p $(@D)
	@curl -fsSL -o $@ https://cdn.confidential.cloud/constellation/kernel/6.1.45-100.constellation/$*.rpm

mkosi.output.%/fedora~38/image.raw: inject-bins inject-certs
	rm -rf .csp/
	mkdir -p .csp/
	$(eval csp := $(firstword $(subst _, ,$*)))
	$(eval attestation_variant := $(lastword $(subst _, ,$*)))
	touch .csp/$(csp)
	mkosi \
		--image-version=$(IMAGE_VERSION) \
		$(AUTOLOGIN_ARGS) \
		--environment=INSTALL_DEBUGD \
		--environment=CONSOLE_MOTD \
		--kernel-command-line="$(KERNEL_DEBUG_CMDLNE)" \
		--kernel-command-line="constel.attestation-variant=$(attestation_variant)" \
		--kernel-command-line="constel.csp=$(csp)" \
		--output-dir=mkosi.output.$* \
		$(SEARCH_PATHS_PARAM) \
		build
	secure-boot/signed-shim.sh $@
	@if [ -n $(SUDO_UID) ] && [ -n $(SUDO_GID) ]; then \
		chown -R $(SUDO_UID):$(SUDO_GID) mkosi.output.$*; \
	fi
	rm -rf .csp/
	@echo "Image is ready: $@"

inject-bins: $(PREBUILD_RPMS_SYSTEMD) $(PREBUILD_RPMS_KERNEL)
	mkdir -p $(MKOSI_EXTRA)/usr/bin
	mkdir -p $(MKOSI_EXTRA)/usr/sbin
	cp $(UPGRADE_AGENT_BINARY) $(MKOSI_EXTRA)/usr/bin/upgrade-agent
	cp $(DISK_MAPPER_BINARY) $(MKOSI_EXTRA)/usr/sbin/disk-mapper
	cp $(MEASUREMENT_READER_BINARY) $(MKOSI_EXTRA)/usr/sbin/measurement-reader
	if [ "$(DEBUG)" = "true" ]; then \
		cp $(DEBUGD_BINARY) $(MKOSI_EXTRA)/usr/bin/debugd; \
		rm -f $(MKOSI_EXTRA)/usr/bin/bootstrapper; \
		rm -f $(MKOSI_EXTRA)/usr/bin/upgrade-agent; \
	else \
		cp $(BOOTSTRAPPER_BINARY) $(MKOSI_EXTRA)/usr/bin/bootstrapper; \
		rm -f $(MKOSI_EXTRA)/usr/bin/debugd; \
	fi

inject-certs: $(certs)
	# for auto enrollment using systemd-boot (not working yet)
	mkdir -p "$(MKOSI_EXTRA)/boot/loader/keys/auto"
	cp $(PKI)/{PK,KEK,db}.cer "$(MKOSI_EXTRA)/boot/loader/keys/auto"
	cp $(PKI)/{MicWinProPCA2011_2011-10-19,MicCorUEFCA2011_2011-06-27,MicCorKEKCA2011_2011-06-24}.crt "$(MKOSI_EXTRA)/boot/loader/keys/auto"

clean-cache:
	rm -rf mkosi.cache/*

clean-%:
	rm -rf .csp/
	mkdir -p .csp/
	touch .csp/$*
	mkosi clean
	rm -rf .csp/

clean:
	rm -rf mkosi.output.*
	rm -rf prebuilt/rpms
	rm -rf $(MKOSI_EXTRA)
	mkdir -p $(MKOSI_EXTRA)