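#!/bin/bash
#
# GRUB 2 Security installer.
#
# Run from the directory that holds bin/, initramfs-tools-hooks/, local-sbin/,
# kernel-hooks/, lib-systemd-system-sleep/, grub.d.my.7z, sbat,
# stop_timeout.conf, gpg.conf and gpg-agent.conf. The script copies those
# files into the system, sets the PBKDF2 hash for the GRUB user 'root', makes
# sure a GPG key exists for root, publishes the public key to /boot/pubkey and
# runs grub-update.
#
# Options (accepted in any position):
#   --force          delete /root/pubkey and /root/.gnupg, then generate a new
#                    key; this clears ALL of root's GPG keys
#   --no-pwd-prompt  keep the password hash shipped inside grub.d.my.7z
#
# NOTE(review): the exit status of the individual steps is not checked, so the
# final "[+] Complete!" line does not prove that every step succeeded.

force=0
prompt_for_password=1
for arg in "$@"; do
  case "$arg" in
    --force) force=1 ;;
    --no-pwd-prompt) prompt_for_password=0 ;;
  esac
done

echo "[+] Installing GRUB 2 Security..."
echo "[i] Use --force to regenerate the signing key; clears ALL root's GPG keys!"
echo "[i] Use --no-pwd-prompt to use the hash for the GRUB user 'root' provided by grub.d.my.7z"
echo "[?] WARNING Make sure the current GRUB version does not have any bugs with gpg before installing, use CTRL+C to quit, enter to continue:"
read -r

# Install helper binaries and hooks; existing files are overwritten.
sudo cp -f -- bin/* /bin/
sudo cp -f -- initramfs-tools-hooks/* /etc/initramfs-tools/hooks/
sudo cp -f -- local-sbin/* /usr/local/sbin/
sudo cp -fr -- kernel-hooks/* /etc/kernel/
sudo cp -f -- lib-systemd-system-sleep/* /usr/lib/systemd/system-sleep/

# The archive is unpacked as root into /etc and overwrites without asking (-y),
# and everything in /etc/grub.d is then made executable: only use an archive
# whose origin and contents are trusted.
sudo 7za x -o/etc grub.d.my.7z -y
sudo chmod +x /etc/grub.d/*

if (( prompt_for_password )); then
  echo "[i] Please enter your password TWICE pressing ENTER (RETURN) after EACH entry."
  echo "[i] There is no visible output."
  # Keep only the hash token of the tool's output; the dots are
  # backslash-escaped before the value is placed in the sed replacement below.
  gphash=$(grub-mkpasswd-pbkdf2 -c 10000 | awk '/grub.pbkdf/{print$NF}' | sed -e 's:\.:\\\.:g')
  if [[ -n "$gphash" && -f /etc/grub.d/00_header ]]; then
    echo "[+] Setting GRUB Password..."
    sudo sed -i "s/.*password_pbkdf2 root grub\.pbkdf2.*/password_pbkdf2 root $gphash/" /etc/grub.d/00_header
    # sed -i exits 0 even when no line matched, which would leave the hash from
    # the archive in place; confirm that the new hash is really in the file.
    if ! sudo grep -qF -- "password_pbkdf2 root ${gphash//\\/}" /etc/grub.d/00_header; then
      echo "[!] WARNING New hash not found in /etc/grub.d/00_header, the grub.d.my.7z hash is still active!" >&2
    fi
  else
    # Reached when no hash was produced (for example the two entries differed)
    # or the header file is missing: the password from the archive stays active.
    echo "[!] WARNING GRUB password was NOT changed." >&2
    echo "[*] Using grub.d.my.7z hash for GRUB user 'root'!"
  fi
else
  echo "[*] Using grub.d.my.7z hash for GRUB user 'root'!"
fi

sudo cp -f -- sbat /root/sbat
sudo cp -f -- stop_timeout.conf /etc/systemd/system.conf.d/60_custom.conf
sudo systemctl daemon-reload

if (( force )); then
  echo "[?] WARNING Clearing previous gpg keys in root, use CTRL+C to quit, enter to continue:"
  read -r
  sudo rm -f /root/pubkey
  sudo rm -rf /root/.gnupg
fi

# Generate a key only when no exported public key exists yet.
if sudo test ! -f /root/pubkey; then
  # The key has an empty passphrase, so the private key is protected only by
  # the permissions on root's GnuPG directory.
  # NOTE(review): assumes sudo sets HOME to /root so that gpg works on
  # /root/.gnupg - confirm for the target sudo configuration.
  sudo gpg --batch --passphrase '' --quick-gen-key root@localhost rsa3072 default
  # Exports every public key in root's keyring, not only the one created above.
  sudo gpg --export -o /root/pubkey
fi

sudo cp -f -- /root/pubkey /boot/pubkey
sudo cp -f -- gpg.conf /root/.gnupg/gpg.conf
sudo cp -f -- gpg-agent.conf /root/.gnupg/gpg-agent.conf
sudo grub-update
echo "[+] Complete!"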