diff --git a/Makefile b/Makefile
index 09e90a8..56de4cc 100644
--- a/Makefile
+++ b/Makefile
@@ -48,6 +48,11 @@ lorax_templates/%.tmpl: lorax_templates/%.tmpl.in
 # Step 2: Build boot.iso using Lorax
 boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.tmpl
 rm -Rf $(_BASE_DIR)/results
+ sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
+ sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
+ sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
+ sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
+
 lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
 --isfinal --buildarch=$(ARCH) --volid=$(_VOLID) \
 $(_LORAX_ARGS) \
@@ -55,6 +60,7 @@ boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.
 --repo /etc/yum.repos.d/fedora-updates.repo \
 --add-template $(_BASE_DIR)/lorax_templates/set_installer.tmpl \
 --add-template $(_BASE_DIR)/lorax_templates/configure_upgrades.tmpl \
+ --add-template $(_BASE_DIR)/lorax_templates/secure_boot_key.tmpl \
 $(_BASE_DIR)/results/
 mv $(_BASE_DIR)/results/images/boot.iso $(_BASE_DIR)/
diff --git a/lorax_templates/secure_boot_key.tmpl b/lorax_templates/secure_boot_key.tmpl
new file mode 100644
index 0000000..e0c9809
--- /dev/null
+++ b/lorax_templates/secure_boot_key.tmpl
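Review bot: The four `sed -i` lines in the first Makefile hunk rewrite lorax's installed templates under /usr/share/lorax/templates.d in place, so the build mutates the host or build container. They also do nothing, silently, if a lorax update changes the menuentry wording, after which `set default="0"` may select a different entry than intended. Copying the template tree into `$(_BASE_DIR)` and pointing lorax at the copy (its `--sharedir` option looks like the right hook, to be confirmed against the lorax version in use) would keep the edit inside the build tree. Deleting the "Test this media & install" entry also removes the media checksum step from the boot menu, which deserves a comment such as `# Media-check entry removed on purpose: ISO integrity is no longer checked at boot`. The boot.iso recipe continues outside the hunk.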
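Review bot: In the second Makefile hunk the new `--add-template` argument reads lorax_templates/secure_boot_key.tmpl, but the rule header shown in the first hunk still lists only the other two templates as prerequisites. Editing the new template therefore does not make boot.iso out of date, and a missing template is only noticed once lorax runs. Adding it to the header, `boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.tmpl lorax_templates/secure_boot_key.tmpl`, declares the dependency. The recipe starts and ends outside this hunk.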
@@ -0,0 +1,9 @@
+append usr/share/anaconda/interactive-defaults.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
+append usr/share/anaconda/interactive-defaults.ks "set -m"
+append usr/share/anaconda/interactive-defaults.ks "/run/install/repo/enroll-secureboot-key.sh"
+append usr/share/anaconda/interactive-defaults.ks "%end"
+
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "set -m"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "/run/install/repo/enroll-secureboot-key.sh"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%end"
diff --git a/scripts/enroll-secureboot-key.sh b/scripts/enroll-secureboot-key.sh
new file mode 100755
index 0000000..1e74f40
--- /dev/null
+++ b/scripts/enroll-secureboot-key.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -oue pipefail
+
+readonly SECUREBOOT_KEY="/run/install/repo/ublue-os-akmods-public-key.der"
+readonly ENROLLMENT_PASSWORD="ublue-os"
+
+if [[ ! -d "/sys/firmware/efi" ]]; then
+ echo "EFI mode not detected. Skipping key enrollment."
+ exit 0
+fi
+
+if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
+ echo "Secure boot key not found: ${SECUREBOOT_KEY}"
+ exit 1
+fi
+
+mokutil --timeout -1 || :
+echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || :
diff --git a/scripts/ublue-os-akmods-public-key.der b/scripts/ublue-os-akmods-public-key.der
new file mode 100644
index 0000000..a2ee447
Binary files /dev/null and b/scripts/ublue-os-akmods-public-key.der differ
diff --git a/xorriso/gen_input.sh.in b/xorriso/gen_input.sh.in
index 76d419e..917675b 100644
--- a/xorriso/gen_input.sh.in
+++ b/xorriso/gen_input.sh.in
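Review bot: Both `%post` headers in secure_boot_key.tmpl combine `--nochroot` with `--logfile=/root/ks-post.log`, and with `--nochroot` that path is resolved in the installer environment rather than on the installed system. The log therefore presumably disappears at reboot, which is exactly when someone would want to see why the key was not queued. Writing it under the target root, e.g. `--logfile=/mnt/sysimage/root/ks-post.log` (confirm the mount point for the Anaconda version in use), keeps it on the installed system. The same script is appended to both interactive-defaults.ks and post-scripts/secure_boot_key.ks, so if Anaconda processes both in one install the import is attempted twice; a comment in the template should say whether that is intended.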
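Review bot: Both mokutil calls in enroll-secureboot-key.sh end in `|| :`, so the `--erroronfail` on the kickstart `%post` can never trigger and a failed import leaves nothing behind except mokutil's own output. If best-effort is intended, make the failure visible, e.g. `... | mokutil --import "${SECUREBOOT_KEY}" || echo "MOK import failed; modules signed with this key will not load under Secure Boot" >&2`. The script also uses `[[ ]]`, `set -o pipefail` and `echo -e` under `#!/bin/sh`; the shebang should be `#!/bin/bash` so it does not depend on what /bin/sh is in the installer image. ENROLLMENT_PASSWORD is a fixed, published value that only confirms physical presence at the MokManager prompt, and a comment above it (`# One-time MokManager confirmation phrase, not a secret`) would stop readers treating it as a credential.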
@@ -5,10 +5,13 @@ echo "-outdev $(pwd)/output/@IMAGE_NAME@-@IMAGE_TAG@.iso"
 echo "-boot_image any replay"
 echo "-joliet on"
 echo "-compliance joliet_long_names"
+echo "-map $(pwd)/scripts/ublue-os-akmods-public-key.der ublue-os-akmods-public-key.der"
+echo "-chmod 0444 /ublue-os-akmods-public-key.der"
+echo "-map $(pwd)/scripts/enroll-secureboot-key.sh enroll-secureboot-key.sh"
+echo "-chmod 0777 enroll-secureboot-key.sh"
 cd container
 for file in $(find @IMAGE_NAME@-@IMAGE_TAG@); do
 echo "-map $(pwd)/${file} ${file}"
 echo "-chmod 0444 ${file}"
 done
 echo "-end"
-
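Review bot: `-chmod 0777 enroll-secureboot-key.sh` marks a script that the installer runs as root as world-writable, although read and execute are all it needs; `echo "-chmod 0555 /enroll-secureboot-key.sh"` is sufficient and keeps the permissive mode from following the file if the media contents are copied elsewhere. That line also omits the leading slash used on the key's `-chmod` line two lines above, so using the same absolute form on both avoids depending on how xorriso resolves relative paths in the image. The script begins above the hunk's first line.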