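#!/usr/bin/env bash
# firstboot Secure Boot / TPM2 finalisation.
#
# Runs once from firstboot.service: initialises sbctl keys when sbctl is not
# yet set up, signs the EFI binaries under /boot/EFI, optionally re-enrolls the
# LUKS volume with the TPM2 now that the Secure Boot state (and with it PCR 7)
# has changed, and finally disables itself.
#
# Settings are read from /root/install/.env:
#   SECUREBOOT_ENABLE   "true" to create keys and sign the boot binaries
#   SECUREBOOT_KEY_DIR  directory created and used as sbctl's working directory
#   TPM2_ENABLE         "true" to re-enroll the TPM2 LUKS key slot
set -euo pipefail

# A missing .env is tolerated; every feature then falls back to "disabled".
# shellcheck disable=SC1091
source /root/install/.env || true

#######################################
# Print a prefixed progress message to stdout.
# Arguments: message words (joined by a single space)
#######################################
log() { printf '[firstboot] %s\n' "$*"; }

log "Starting Secure Boot setup"

# ${VAR:-false} keeps 'set -u' from aborting when .env was absent or incomplete.
if [[ "${SECUREBOOT_ENABLE:-false}" == true ]]; then
  # Fail with a clear message instead of "mkdir -p ''" when the dir is unset.
  mkdir -p "${SECUREBOOT_KEY_DIR:?SECUREBOOT_KEY_DIR must be set}"
  cd "${SECUREBOOT_KEY_DIR}"

  if ! sbctl status &>/dev/null; then
    log "Initialising sbctl and creating keys"
    sbctl create-keys
  fi
  # NOTE(review): keys are created but not enrolled into the firmware here —
  # presumably enrollment happens in another step; confirm.

  log "Signing boot binaries"
  # nullglob: an unmatched pattern expands to nothing instead of being handed
  # to sbctl as the literal string "/boot/EFI/Linux/*.efi".
  shopt -s nullglob
  efi_binaries=(/boot/EFI/Linux/*.efi /boot/EFI/BOOT/*.efi)
  shopt -u nullglob
  if (( ${#efi_binaries[@]} == 0 )); then
    log "WARNING: no EFI binaries found under /boot/EFI/Linux or /boot/EFI/BOOT"
  fi
  # Sign one file per invocation so a failure names the specific binary
  # rather than disappearing behind a blanket '|| true'.  The verify step
  # below still aborts the script if anything is left unsigned.
  for efi in "${efi_binaries[@]}"; do
    if ! sbctl sign -s "${efi}"; then
      log "WARNING: failed to sign ${efi}"
    fi
  done

  log "Verifying signatures"
  sbctl verify
fi

if [[ "${TPM2_ENABLE:-false}" == true ]]; then
  log "Re-enrolling TPM2 after Secure Boot enabled"
  # Enabling Secure Boot changed PCR 7, so the previous TPM2 enrollment no
  # longer unlocks the volume.  --wipe-slot=tpm2 removes that stale slot; left
  # in the header it would still unseal if the firmware were put back into the
  # pre-Secure-Boot state.  Wipe and enrollment are requested in one invocation
  # (systemd-cryptenroll documents enrolling before wiping in that case —
  # verify against the target systemd version).
  if ! systemd-cryptenroll --tpm2-device=auto --wipe-slot=tpm2 \
      /dev/disk/by-partlabel/"Linux LUKS"; then
    log "WARNING: TPM2 re-enrollment failed"
  fi
fi

log "Disabling firstboot service"
systemctl disable firstboot.service

log "Secure boot setup complete"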