Add firstboot.sh
This commit is contained in:
parent
4bfb24316f
commit
74d3631b69
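--- a/firstboot.sh
+++ b/firstboot.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -euo pipefail
+source /root/install/.env || true
+
+log() { echo "[firstboot] $*"; }
+
+log "Starting Secure Boot setup"
+
+if [[ "${SECUREBOOT_ENABLE}" == true ]]; then
+mkdir -p "${SECUREBOOT_KEY_DIR}"
+cd "${SECUREBOOT_KEY_DIR}"
+
+if ! sbctl status &>/dev/null; then
+log "Initialising sbctl and creating keys"
+sbctl create-keys
+fi
+
+log "Signing boot binaries"
+sbctl sign -s /boot/EFI/Linux/*.efi || true
+sbctl sign -s /boot/EFI/BOOT/*.efi || true
+
+log "Verifying signatures"
+sbctl verify
+fi
+
+if [[ "${TPM2_ENABLE}" == true ]]; then
+log "Re-enrolling TPM2 after Secure Boot enabled"
+systemd-cryptenroll --tpm2-device=auto /dev/disk/by-partlabel/"Linux LUKS" || true
+fi
+
+log "Disabling firstboot service"
+systemctl disable firstboot.service
+
+log "Secure boot setup complete"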
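Review bot: The TPM2 re-enrollment inside the `TPM2_ENABLE` block adds a new keyslot without removing the previous one, so the earlier TPM2 slot — bound to the PCR 7 state from before Secure Boot was enabled, if that is what the "Re-enrolling" message refers to — remains a valid unlock path and the re-enrollment gains nothing. Pair the enrollment with a wipe of the old TPM2 slot and pin the policy explicitly: `systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 /dev/disk/by-partlabel/"Linux LUKS"`. The trailing `|| true` on that line (and on both `sbctl sign` calls) means a failed enrollment or signing is never surfaced, yet `systemctl disable firstboot.service` still runs afterwards, so the unit will not retry on the next boot; at minimum report and stop, e.g. `|| { log "TPM2 re-enrollment failed"; exit 1; }`, which under `set -e` leaves the service enabled for a retry. Note also that systemd-cryptenroll needs an existing unlock credential for the volume (it prompts for a passphrase unless one is supplied, e.g. via `--unlock-key-file=`), which a non-interactive firstboot unit will likely not have — that is presumably the failure the `|| true` is masking; confirm.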