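#!/bin/bash
#
# First-boot Secure Boot enrolment.
#
# When the kernel command line carries patos.secureboot=true and the firmware
# is still in Setup Mode, create a fresh sbctl key set on the ESP, enrol it
# into the firmware, sign every EFI binary on the ESP and reboot so the
# firmware boots with the new keys. In every other case the script exits 0
# without touching anything.
#
# Side effects: writes /run/sbctl.yml, mounts the ESP on /sysroot/boot for the
# duration of the run, and on success reboots the machine.
# Exit status: 0 when nothing is to be done; non-zero when any enrolment step
# fails — the reboot is then skipped so a half-enrolled state is visible to the
# unit that runs this script instead of being hidden behind a boot loop.

set -ex -uo pipefail

# Pick up the value of patos.secureboot= from the kernel command line; the
# last occurrence wins. Word-splitting the command line on whitespace is the
# intended way to iterate its parameters here.
enroll=
for o in $(< /proc/cmdline); do
  case $o in
    patos.secureboot=*)
      enroll=${o#*=}
      ;;
  esac
done

if [[ -z "$enroll" ]]; then
  echo 'No patos.secureboot= parameter on the kernel command line' >&2
  exit 0
fi

# Only proceed when enrolment was requested AND sbctl positively reports Setup
# Mode. Anything other than the literal "true" (including a missing key, which
# jq renders as "null") is treated as "not in Setup Mode", so an unexpected
# status can never cause keys to be enrolled.
SETUP_MODE=$(sbctl status --json | jq -r '.setup_mode')
if [[ "$SETUP_MODE" != "true" || "$enroll" != "true" ]]; then
  exit 0
fi

# sbctl configuration pointing at the key material kept on the ESP.
cat <<EOL > /run/sbctl.yml
---
keydir: /sysroot/boot/sbctl/keys
guid: /sysroot/boot/sbctl/GUID
EOL

ESP=$(blkid --label ESP)

# Track the mount so that the EXIT trap unmounts the ESP on every failure path
# without erroring when the explicit umount before the reboot already ran.
mounted=0
cleanup() {
  if (( mounted )); then
    umount /sysroot/boot
  fi
}
trap cleanup EXIT

mount "$ESP" /sysroot/boot
mounted=1

sbctl --config /run/sbctl.yml create-keys
# NOTE(review): --yolo skips sbctl's safety checks and enrols only the keys
# created above; firmware components signed by other parties (e.g. option
# ROMs) may then be refused — confirm this is intended for the target hardware.
sbctl --config /run/sbctl.yml enroll-keys --yolo

# Sign every EFI binary on the ESP. -iname is case-insensitive, so a single
# pattern covers *.efi and *.EFI. xargs -0 is required to consume the
# NUL-delimited list from -print0, and xargs' non-zero status when any sign
# call fails aborts the script under set -e, so no unsigned binary is left
# behind before the reboot.
find /sysroot/boot -type f -iname '*.efi' -print0 \
  | xargs -0 -I {} sbctl --config /run/sbctl.yml sign {}

umount /sysroot/boot
mounted=0
systemctl reboot -f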