#!/bin/sh
#------------------------------------------------------------------
#
# act2check - Load and verify ACT2 device
#
# Feb 2016 Joel Aller - Moved/ported from S07preinit
#          Bill Barnett - Initial commit
#
# Copyright (c) 2016 by cisco Systems, Inc.
# All rights reserved.
#------------------------------------------------------------------
#set -x
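CISCO_BINDIR="/usr/cisco/bin"

# Platform helper scripts. The shebang is /bin/sh, so use the POSIX '.'
# form consistently ('source' is a bashism that a strict sh rejects, and
# the rest of this file already uses '.'). reboot_reason.sh is expected to
# define $BOOT_REASON_NON_PROD_RESET and pid_format_check.sh to set
# $cookie_pid_model - confirm against those files.
. /etc/reboot_reason.sh
. "$CISCO_BINDIR/pid_format_check.sh"

# Presumably provides modload/modrm used below.
. /usr/bin/modulefunc.sh

# gpio.sh (setup_gpio/remove_gpio/$GPIO_DIR) is optional: only some board
# classes drive an ACT2 reset line through it.
if [ -f "$CISCO_BINDIR/gpio.sh" ]; then
    . "$CISCO_BINDIR/gpio.sh"
fi

# Product model from the PID cookie, and the board class that the rest of
# this script dispatches on.
cookie_model=$cookie_pid_model
ap_class="$(cat /MERAKI_BOARD)"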

# Decide whether non-authentic hardware must force a reboot. Start from the
# strict (production) behaviour and relax it only for images/boards where
# an unprogrammed ACT2 is expected:
#   - MFG image: a fresh board may not have ACT2 programmed yet
#   - Protos flagged as still having no ACT2 programmed
#   - DEV build image (no /etc/.production marker)
reboot_required=true
if [ -d /usr/bin/mfg ]; then
    reboot_required=false
elif [ -f /var/platform/proto_noact2_prog ]; then
    reboot_required=false
elif [ ! -f /etc/.production ]; then
    reboot_required=false
fi

case "$ap_class" in
  barbados)
    ;;
  corsica)
    # no ACT2 chip on Corsica and Hydra
    exit 0
    ;;
  mallorca)
    case "$cookie_model" in
      AP1542D|AP1542I|AP1542E2|AP1542E4|AP1815M|AP1840I|CBW240AC)
        # reset ACT2 if needed
        ;;
      *)
        # other models don't have ACT2
        exit 0
        ;;
    esac
    ;;
  entr17)
    # no ACT2 chip by default
    exit 0
    ;;
 axel-mvl)
    echo 80 > /sys/class/gpio/export
    echo out > /sys/class/gpio/gpio80/direction
    echo 0 > /sys/class/gpio/gpio80/value
    sleep 1
    echo 1 > /sys/class/gpio/gpio80/value
    sleep 2
    ;;
  axel-qca)
    # reset the chip to make sure it is clean state
    remove_gpio "2"
    rm -f $GPIO_DIR/act2_reset

    setup_gpio "2" "out" "act2_reset"
    echo 0 > $GPIO_DIR/act2_reset
    sleep 1
    echo 1 > $GPIO_DIR/act2_reset
    ;;
  axel-bcm)
    # reset the chip to make sure it is clean state
    remove_gpio "439"
    rm -f $GPIO_DIR/act2_reset

    setup_gpio "439" "out" "act2_reset"
    echo 0 > $GPIO_DIR/act2_reset
    sleep 1
    echo 1 > $GPIO_DIR/act2_reset
    ;;
  ax-bcm32)
    # reset the chip to make sure it is clean state
    remove_gpio "406"
    rm -f $GPIO_DIR/act2_reset

    setup_gpio "406" "out" "act2_reset"
    echo 0 > $GPIO_DIR/act2_reset
    sleep 1
    echo 1 > $GPIO_DIR/act2_reset
    ;;
  *)
    # default as no ACT2
    exit 0
    ;;
esac

if [ "$(pidof cisco_shell)" ] ; then
  kill -STOP `pidof cisco_shell`
fi

modload /lib/modules/act2_driver.ko
modrm  /lib/modules/act2_driver.ko

verified=true
if [ -e /usr/sbin/act2_verify ]; then
    /usr/sbin/act2_verify
    if [ $? == 0 ]; then
        verified=false
    fi
fi

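# Let the console shell run again (undoes the kill -STOP issued before
# verification). $(pidof ...) is unquoted on purpose: several PIDs possible.
resume_console() {
    if [ "$(pidof cisco_shell)" ] ; then
        kill -CONT $(pidof cisco_shell)
    fi
}

# Act on the verdict. POSIX '=' rather than '==' so a strict /bin/sh cannot
# reject the test and silently fall into the "authentic" branch.
if [ "$verified" = false ]; then
    echo
    echo "(ACT2Boot) Hardware is NOT Cisco (c) authentic :-("

    if [ "$reboot_required" = true ]; then
        # Production image on non-authentic hardware: the console stays
        # frozen and the box reboots (and will do so again on every boot).
        # The reason code comes from reboot_reason.sh.
        echo "System will reboot in 10 seconds ..."
        sleep 10
        echo "... rebooting now!"
        reboot -r "$BOOT_REASON_NON_PROD_RESET"
        sleep 60 # hold on boot and wait for reboot to happen
    else
        # MFG/proto/dev build: report only and give the console back.
        resume_console
    fi
else
    echo
    echo "(ACT2Boot) Hardware is Cisco (c) authentic :-)"
    echo
    resume_console

    # ACT2 verified: pull entropy from its TRBG into /storage/random_seed
    # (S10Boot later copies it into /dev/urandom) and export the SUDI
    # certificate material to /tmp/sudi_certs for other components.
    # It is OK to do this on every boot.
    # NOTE(review): nothing here restricts the mode of /storage/random_seed;
    # a seed file should not be world-readable - check the umask/ownership
    # act2_crypto_util ends up with.
    if [ -e  /usr/sbin/act2_crypto_util ]; then
        echo Seeding /dev/urandom from ACT2
        /usr/sbin/act2_crypto_util get_trand /storage/random_seed
        echo Reading ACT2 SUDI certificates
        mkdir -p /tmp/sudi_certs
        /usr/sbin/act2_crypto_util show_rsa_cert /tmp/sudi_certs/sudi-rsa-cert.der
        /usr/sbin/act2_crypto_util show_rsa_chain /tmp/sudi_certs/sudi-rsa
        /usr/sbin/act2_crypto_util show_ecc_cert /tmp/sudi_certs/sudi-ecc-cert.der
        /usr/sbin/act2_crypto_util show_ecc_chain /tmp/sudi_certs/sudi-ecc
        /usr/sbin/act2_crypto_util show_harsa_cert /tmp/sudi_certs/sudi-harsa-cert.der
        /usr/sbin/act2_crypto_util show_harsa_chain /tmp/sudi_certs/sudi-harsa
    fi
fi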

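# Record whether LSC is enabled, for modules that run during system init
# and cannot read the Meraki config; they look for /tmp/lsc/lsc_enabled.
capwap_cfg_file=/storage/base_capwap_cfg_info
if [ -r "$capwap_cfg_file" ]; then
    # Expects a line of the form "lsc_enable <value>".
    # NOTE(review): the grep is a plain substring match; if more than one
    # line contains "lsc_enable" the value becomes multi-line and the
    # comparison below quietly evaluates to "not enabled".
    lsc_enabled=$(grep lsc_enable "$capwap_cfg_file" | cut -d" " -f2)
    # POSIX '=' (not '==') so a strict /bin/sh cannot reject the test.
    if [ "$lsc_enabled" = "true" ]; then
        mkdir -p /tmp/lsc
        echo 1 > /tmp/lsc/lsc_enabled
    fi
fi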

case "$ap_class" in
  axel-mvl)
    mkdir -p /tmp/certs
    echo 1 > /tmp/certs/load_sw_sudi
    ;;
  axel-qca)
    mkdir -p /tmp/certs
    echo 1 > /tmp/certs/load_sw_sudi
    ;;
  axel-bcm)
    mkdir -p /tmp/certs
    echo 1 > /tmp/certs/load_sw_sudi
    ;;
  ax-bcm32)
    mkdir -p /tmp/certs
    echo 1 > /tmp/certs/load_sw_sudi
    ;;
  *)
    exit 0
    ;;
esac

echo
echo "ACT2 Check passed"
echo
exit 0
