boot: add an option to control action after SecureBoot enrollment (#36684)

This PR provides a new option for systemd-boot `secure-boot-enroll-action` which allows to configure the behavior after SecureBoot keys are enrolled. Provides the option to either reboot or power off. The current behavior is not changed, it will by default reboot as it did before. It also provides a small message about the action its going to take with a small delay so the user can read it.
2026-04-14 00:14:32 +09:00 · 2025-05-08 06:28:41 +02:00
parent f24f70343d
commit 03eae2a402
5 changed files with 82 additions and 24 deletions
--- a/man/loader.conf.xml
+++ b/man/loader.conf.xml
@@ -373,6 +373,29 @@ sbvarsign --attr "${attr}" --key KEK.key --cert KEK.pem --output db.auth db db.e
        <xi:include href="version-info.xml" xpointer="v252"/></listitem>
      </varlistentry>

+      <varlistentry>
+        <term>secure-boot-enroll-action</term>
+        <listitem>
+          <para>Specifies the action to take after the automatic enrollment of secure boot keys is completed.</para>
+          <variablelist>
+            <varlistentry>
+              <term>reboot</term>
+              <listitem>
+                <para>Reboot the system after enrollment. This is the default.</para>
+              </listitem>
+            </varlistentry>
+            <varlistentry>
+              <term>shutdown</term>
+              <listitem>
+                <para>Shut down the system after enrollment.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+          <para>This option is only relevant if <literal>secure-boot-enroll</literal> is enabled.</para>
+          <xi:include href="version-info.xml" xpointer="v258"/>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term>reboot-for-bitlocker</term>