parent
8fb3174c78
commit
a7b86fd03e
5 changed files with 114 additions and 32 deletions
pkgs/rootfs
37
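--- /dev/null
+++ b/pkgs/rootfs/secure-boot-enroll.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+set -ex -uo pipefail
+
+enroll=
+for o in $(< /proc/cmdline); do
+case $o in
+patos.secureboot=*)
+enroll=${o#*=}
+;;
+esac
+done
+
+if [ -z "$enroll" ]; then
+echo 'No patos.secureboot= parameter on the kernel command line' >&2
+exit 0
+fi
+
+SETUP_MODE=$(sbctl status --json | jq -r '.setup_mode')
+
+[ "$SETUP_MODE" = "false" -o "$enroll" != "true" ] && exit 0
+
+cat <<EOL> /run/sbctl.yml
+---
+keydir: /sysroot/boot/sbctl/keys
+guid: /sysroot/boot/sbctl/GUID
+EOL
+
+ESP=$(blkid --label ESP)
+
+mount $ESP /sysroot/boot && \
+sbctl --config /run/sbctl.yml create-keys && \
+sbctl --config /run/sbctl.yml enroll-keys --yolo && \
+# Sign EFIs
+find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {}
+
+umount /sysroot/boot && \
+systemctl reboot -f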
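Review bot: The signing step pipes `find … -print0` into `xargs -I {}` without `-0`, so xargs splits on whitespace instead of NUL (GNU xargs warns about the NUL bytes and drops them), and the freshly enrolled keys are likely never used to sign the EFI binaries; the line should read `find /sysroot/boot -type f -iname "*.efi" -print0 | xargs -0 -I {} sbctl --config /run/sbctl.yml sign {}` (the `-iname "*.EFI"` alternative is redundant since `-iname` is already case-insensitive). `mount $ESP /sysroot/boot` leaves `$ESP` unquoted and the setup-mode test uses the deprecated `-o` operator; `mount "$ESP" /sysroot/boot` and `[ "$SETUP_MODE" = "false" ] || [ "$enroll" != "true" ]` are the safer forms. Because the `&&` chain aborts the script under `set -e` before reaching `umount /sysroot/boot`, a failed create/enroll/sign step leaves the ESP mounted; a `trap 'umount /sysroot/boot' EXIT` after the mount would make the cleanup unconditional. Two security-relevant choices deserve a comment in the file: `enroll-keys --yolo` bypasses sbctl's safety checks (option-ROM detection and, as far as I know, retention of the vendor/Microsoft certificates), which on hardware with vendor-signed option ROMs can leave the machine unbootable, and with `keydir` under `/sysroot/boot`, where the ESP is mounted, the private signing keys live on an unencrypted FAT partition that anything with disk access can read and use to sign its own bootloader.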