feat: Add Secure Boot Support and Remove Grub Entry for Test this Media (#28)

* chore: First pass of adding secure boot key enrollment * feat: Add secure boot support * feat: Removed Test this media grub entry and set default to install * fix: simplify secureboot scripts --------- Co-authored-by: Kyle Gospodnetich <me@kylegospodneti.ch>
2024-02-23 12:10:17 -06:00 · 2024-02-23 12:10:17 -06:00 · bf4d1368fc
parent c6b30c9210
commit bf4d1368fc
5 changed files with 38 additions and 1 deletions
--- a/6
+++ b/6
@ -48,6 +48,11 @@ lorax_templates/%.tmpl: lorax_templates/%.tmpl.in
 # Step 2: Build boot.iso using Lorax
 boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.tmpl
 	rm -Rf $(_BASE_DIR)/results
+	sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
+	sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
+	sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
+	sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
+
 	lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
          --isfinal --buildarch=$(ARCH) --volid=$(_VOLID) \
          $(_LORAX_ARGS) \
@ -55,6 +60,7 @@ boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.
          --repo /etc/yum.repos.d/fedora-updates.repo \
          --add-template $(_BASE_DIR)/lorax_templates/set_installer.tmpl \
 		  --add-template $(_BASE_DIR)/lorax_templates/configure_upgrades.tmpl \
+		  --add-template $(_BASE_DIR)/lorax_templates/secure_boot_key.tmpl \
          $(_BASE_DIR)/results/
 	mv $(_BASE_DIR)/results/images/boot.iso $(_BASE_DIR)/

--- a/lorax_templates/secure_boot_key.tmpl
+++ b/lorax_templates/secure_boot_key.tmpl
@ -0,0 +1,9 @@
+append usr/share/anaconda/interactive-defaults.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
+append usr/share/anaconda/interactive-defaults.ks "set -m"
+append usr/share/anaconda/interactive-defaults.ks "/run/install/repo/enroll-secureboot-key.sh"
+append usr/share/anaconda/interactive-defaults.ks "%end"
+
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "set -m"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "/run/install/repo/enroll-secureboot-key.sh"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%end"
--- a/scripts/enroll-secureboot-key.sh
+++ b/scripts/enroll-secureboot-key.sh
@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -oue pipefail
+
+readonly SECUREBOOT_KEY="/run/install/repo/ublue-os-akmods-public-key.der"
+readonly ENROLLMENT_PASSWORD="ublue-os"
+
+if [[ ! -d "/sys/firmware/efi" ]]; then
+	echo "EFI mode not detected. Skipping key enrollment."
+	exit 0
+fi
+
+if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
+	echo "Secure boot key not found: ${SECUREBOOT_KEY}"
+	exit 1
+fi
+
+mokutil --timeout -1 || :
+echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || :
--- a/scripts/ublue-os-akmods-public-key.der
+++ b/scripts/ublue-os-akmods-public-key.der
--- a/xorriso/gen_input.sh.in
+++ b/xorriso/gen_input.sh.in
@ -5,10 +5,13 @@ echo "-outdev $(pwd)/output/@IMAGE_NAME@-@IMAGE_TAG@.iso"
 echo "-boot_image any replay"
 echo "-joliet on"
 echo "-compliance joliet_long_names"
+echo "-map $(pwd)/scripts/ublue-os-akmods-public-key.der ublue-os-akmods-public-key.der"
+echo "-chmod 0444 /ublue-os-akmods-public-key.der"
+echo "-map $(pwd)/scripts/enroll-secureboot-key.sh enroll-secureboot-key.sh"
+echo "-chmod 0777 enroll-secureboot-key.sh"
 cd container
 for file in $(find @IMAGE_NAME@-@IMAGE_TAG@); do
 	echo "-map $(pwd)/${file} ${file}"
 	echo "-chmod 0444 ${file}"
 done
 echo "-end"
-