From f4361359a372080d7112ef93005c2586a43bf9e1 Mon Sep 17 00:00:00 2001
From: Noel Miller
Date: Tue, 5 Mar 2024 08:57:13 -0600
Subject: [PATCH] chore: initial attempt

---
 .github/workflows/build-and-test.yml | 3 +++
 Makefile | 11 +++++++++++
 action.yml | 9 +++++++++
 lorax_templates/secure_boot_key.tmpl.in | 9 +++++++++
 scripts/enroll-secureboot-key.sh.in | 25 +++++++++++++++++++++++++
 xorriso/gen_input.sh.in | 16 ++++++++++------
 6 files changed, 67 insertions(+), 6 deletions(-)
 create mode 100644 lorax_templates/secure_boot_key.tmpl.in
 create mode 100755 scripts/enroll-secureboot-key.sh.in

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index a3b3650..79ed162 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -15,6 +15,9 @@ env:
   IMAGE_REPO: 'quay.io/fedora-ostree-desktops'
   VERSION: '39'
   VARIANT: 'Server'
+  SECURE_BOOT_KEY_URL: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der'
+  ENROLLMENT_PASSWORD: 'container-installer'
+
 jobs:
   build-container:
diff --git a/Makefile b/Makefile
index 0362032..36b228a 100644
--- a/Makefile
+++ b/Makefile
@@ -8,6 +8,8 @@ IMAGE_TAG = $(VERSION)
 VARIANT = Server
 WEB_UI = false
 REPOS = /etc/yum.repos.d/fedora.repo /etc/yum.repos.d/fedora-updates.repo
+ENROLLMENT_PASSWORD =
+SECURE_BOOT_KEY_URL =
 ADDITIONAL_TEMPLATES = ""
 ROOTFS_SIZE = 4
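Review bot: SECURE_BOOT_KEY_URL points at `raw/main` of a third-party repository, so the certificate that every ISO built by this workflow asks its users to enrol as a MOK is fetched from a mutable branch with nothing pinning its content; anyone who can push to that branch can swap in a different signing key and this build will ship it. Pin the URL to a commit SHA and record the expected digest next to it, e.g. `SECURE_BOOT_KEY_URL: 'https://github.com/ublue-os/akmods/raw/<commit>/certs/public_key.der'` plus `SECURE_BOOT_KEY_SHA256: '<digest>'` that the Makefile verifies after the download. ENROLLMENT_PASSWORD is fine in the clear here because it ends up inside the ISO anyway, but a comment such as `# Not a secret: baked into the ISO and typed by the user at the MokManager prompt` would stop a later maintainer from moving it into a repository secret and expecting it to stay hidden.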
@@ -100,6 +102,15 @@ repos/%.repo: /etc/yum.repos.d/%.repo
 boot.iso: $(_LORAX_TEMPLATES) $(_REPO_FILES)
 	rm -Rf $(_BASE_DIR)/results || true
 	rm /etc/rpm/macros.image-language-conf || true
+
+	# Set the enrollment password
+	sed 's/@ENROLLMENT_PASSWORD@/$(ENROLLMENT_PASSWORD)/' $(_BASE_DIR)/scripts/enroll-secureboot-key.sh.in > $(_BASE_DIR)/scripts/enroll-secureboot-key.sh
+
+	# Download the secure boot key
+	if [ -n "$(SECURE_BOOT_KEY_URL)" ]; then\
+		curl --fail -L -o $(_BASE_DIR)/sb_pubkey.der $(SECURE_BOOT_KEY_URL);\
+	fi
+
 	lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
 		--isfinal --squashfs-only --buildarch=$(ARCH) --volid=$(_VOLID) \
 		$(_LORAX_ARGS) \
diff --git a/action.yml b/action.yml
index 8cedd8d..1cbeca2 100644
--- a/action.yml
+++ b/action.yml
@@ -29,6 +29,13 @@ inputs:
     description: Enable Anaconda WebUI
     required: false
     default: "false"
+  enrollment_password:
+    description: Used for supporting secure boot (requires SECURE_BOOT_KEY_URL to be defined)
+    required: false
+    default: "container-installer"
+  secure_boot_key_url:
+    description: Secure boot key that is installed from URL location
+    required: false
   action_version:
     description: Version of the action container to run
     deprecationMessage: No longer used. github.action_ref replaces the need for this. Will be removed in a future version.
@@ -54,5 +61,7 @@ runs:
       VERSION=${{ inputs.version }} \
       IMAGE_TAG=${{ inputs.image_tag || inputs.version }} \
       WEB_UI=${{ inputs.web_ui }} \
+      ENROLLMENT_PASSWORD=${{ inputs.enrollment_password }} \
+      SECURE_BOOT_KEY_URL=${{ inputs.secure_boot_key_url }} \
       "ADDITIONAL_TEMPLATES=${{ inputs.additional_templates }}"
diff --git a/lorax_templates/secure_boot_key.tmpl.in b/lorax_templates/secure_boot_key.tmpl.in
new file mode 100644
index 0000000..e0c9809
--- /dev/null
+++ b/lorax_templates/secure_boot_key.tmpl.in
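Review bot: The sed on the new `# Set the enrollment password` line splices $(ENROLLMENT_PASSWORD) verbatim into a script that Anaconda later runs as root, and action.yml passes that value straight through from a workflow input; a value containing `/`, `&` or `\` breaks the substitution, and one containing a quote or `;` becomes shell code in the generated script because the template assigns it unquoted. Validate the value against a charset that is inert to both sed and the shell before substituting, reading it from the environment (add `export ENROLLMENT_PASSWORD` next to its definition) so the check itself is not another injection point. A second, smaller problem: `sb_pubkey.der` left by an earlier build is never removed, so a run with SECURE_BOOT_KEY_URL unset can still ship a stale certificate because gen_input.sh maps the file whenever it exists; an `rm -f` before the conditional download closes that. The boot.iso recipe continues past the end of the hunk.

```make
	# Set the enrollment password.  It lands in a root-run %post script via sed,
	# so refuse anything outside a charset that is inert to sed and the shell.
	@case "$$ENROLLMENT_PASSWORD" in \
	  *[!A-Za-z0-9_.-]*) echo 'ENROLLMENT_PASSWORD may only contain [A-Za-z0-9_.-]' >&2; exit 1 ;; \
	esac
	sed "s/@ENROLLMENT_PASSWORD@/$$ENROLLMENT_PASSWORD/" $(_BASE_DIR)/scripts/enroll-secureboot-key.sh.in > $(_BASE_DIR)/scripts/enroll-secureboot-key.sh

	# Download the secure boot key; drop any key left by a previous build first so an
	# unset URL never ships a stale certificate.
	rm -f $(_BASE_DIR)/sb_pubkey.der
	if [ -n "$(SECURE_BOOT_KEY_URL)" ]; then\
		curl --fail -L -o $(_BASE_DIR)/sb_pubkey.der $(SECURE_BOOT_KEY_URL);\
	fi
```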
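Review bot: The `enrollment_password` default here (`container-installer`) disagrees with the Makefile, where the same variable defaults to empty, so a local `make` and the action produce different installers from identical inputs; pick one default and define it in one place. The description also never says what the value is for, and it names the Makefile variable `SECURE_BOOT_KEY_URL` rather than this action's own `secure_boot_key_url` input. Suggested text: `description: Password the user types at the MokManager prompt on first boot to approve the enrolled key. Embedded in the ISO, so not a secret. Only used when secure_boot_key_url is set.` and, for the key, `description: URL of the DER-encoded public key to queue for MOK enrollment during install (mokutil --import).`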
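Review bot: The two new lines interpolate `${{ inputs.enrollment_password }}` and `${{ inputs.secure_boot_key_url }}` unquoted into the shell command, unlike the ADDITIONAL_TEMPLATES line just below them, so a value with a space, `;` or `$(...)` is split or executed by the runner's shell before make ever sees it; if a caller ever feeds the password from a workflow_dispatch input or another untrusted field, that is command injection on the runner. At minimum quote them like the existing line: `"ENROLLMENT_PASSWORD=${{ inputs.enrollment_password }}" \` and `"SECURE_BOOT_KEY_URL=${{ inputs.secure_boot_key_url }}" \`. The robust form is to put both inputs in the step's `env:` and reference `"$ENROLLMENT_PASSWORD"` so the expression is never expanded into script text; the `run:` block starts before this hunk.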
@@ -0,0 +1,9 @@
+append usr/share/anaconda/interactive-defaults.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
+append usr/share/anaconda/interactive-defaults.ks "set -m"
+append usr/share/anaconda/interactive-defaults.ks "/run/install/repo/enroll-secureboot-key.sh"
+append usr/share/anaconda/interactive-defaults.ks "%end"
+
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "set -m"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "/run/install/repo/enroll-secureboot-key.sh"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%end"
diff --git a/scripts/enroll-secureboot-key.sh.in b/scripts/enroll-secureboot-key.sh.in
new file mode 100755
index 0000000..dd1fd4e
--- /dev/null
+++ b/scripts/enroll-secureboot-key.sh.in
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -oue pipefail
+
+readonly ENROLLMENT_PASSWORD=@ENROLLMENT_PASSWORD@
+readonly SECUREBOOT_KEY="/run/install/repo/sb_pubkey.der"
+
+if [[ ! -d "/sys/firmware/efi" ]]; then
+  echo "EFI mode not detected. Skipping key enrollment."
+  exit 0
+fi
+
+if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
+  echo "Secure boot key not provided: ${SECUREBOOT_KEY}"
+  exit 0
+fi
+
+SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)"
+if [[ ":Jupiter:Galileo:" =~ ":$SYS_ID:" ]]; then
+  echo "Steam Deck hardware detected. Skipping key enrollment."
+  exit 0
+fi
+
+mokutil --timeout -1 || :
+echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || :
diff --git a/xorriso/gen_input.sh.in b/xorriso/gen_input.sh.in
index b660e1b..1784390 100644
--- a/xorriso/gen_input.sh.in
+++ b/xorriso/gen_input.sh.in
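Review bot: The same %post fragment is appended to both `interactive-defaults.ks` and `post-scripts/secure_boot_key.ks` with nothing explaining why; if Anaconda processes both, the enrollment script runs twice per install, so either confirm that is intended (a second `mokutil --import` of an already-queued key is presumably a no-op, but that is not shown here) or keep a single copy. `--erroronfail` is also misleading on these lines: both mokutil calls in `enroll-secureboot-key.sh` end in `|| :`, so the one failure an operator would care about, a rejected import, never trips it. A comment line at the top of the template (lorax templates use `##` for comments) along the lines of `## Queue the bundled MOK for enrollment on first boot; the %post is best-effort and only logs mokutil failures` would make that contract explicit.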
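Review bot: The shebang is `#!/bin/sh` but the body uses `[[ ]]`, `=~`, `echo -e` and `set -o pipefail`, all bash extensions; on a system where sh is not bash the `set` line alone aborts the script, and because the kickstart runs it with `--erroronfail` that aborts the whole install, so it should be `#!/bin/bash`. `readonly ENROLLMENT_PASSWORD=@ENROLLMENT_PASSWORD@` is an unquoted assignment of a build-time-substituted value, which is both a word-splitting bug and the exact point where a hostile password becomes code in a root %post; write it as `'@ENROLLMENT_PASSWORD@'`. `SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)"` fails under `set -e` if that DMI node is absent (firmware without DMI, some VMs), again failing the install for nothing, and the trailing `|| :` on the import hides the one error a user would want to find in ks-post.log. The rewritten lines below also replace the echo pipe with printf so a password beginning with `-` or containing backslashes reaches mokutil unchanged.

```shell
#!/bin/bash
# bash, not sh: the script relies on [[ ]], =~ and pipefail.

set -oue pipefail

# Single-quoted so the value the build substitutes is never re-parsed by the shell.
readonly ENROLLMENT_PASSWORD='@ENROLLMENT_PASSWORD@'
# ... unchanged: SECUREBOOT_KEY, EFI and key-presence checks ...

# Not every EFI machine exposes DMI; a missing node must not abort the %post under set -e.
SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name 2>/dev/null || true)"
# ... unchanged: Steam Deck check ...

mokutil --timeout -1 || :
# Best-effort by design, but record the failure in ks-post.log instead of swallowing it.
if ! printf '%s\n%s\n' "${ENROLLMENT_PASSWORD}" "${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}"; then
  echo "mokutil --import ${SECUREBOOT_KEY} failed; key was not queued for enrollment" >&2
fi
```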
@@ -5,12 +5,16 @@ echo "-outdev $(pwd)/build/deploy.iso"
 echo "-boot_image any replay"
 echo "-joliet on"
 echo "-compliance joliet_long_names"
-pushd container > /dev/null
-for file in $(find ${IMAGE_NAME}-${IMAGE_TAG})
-do
-  echo "-map $(pwd)/${file} ${file}"
-  echo "-chmod 0444 ${file}"
+if [ -f $(pwd)/sb_pubkey.der ]; then
+  echo "-map $(pwd)/sb_pubkey.der sb_pubkey.der"
+  echo "-chmod 0444 /sb_pubkey.der"
+fi
+echo "-map $(pwd)/scripts/enroll-secureboot-key.sh enroll-secureboot-key.sh"
+echo "-chmod 0777 enroll-secureboot-key.sh"
+pushd container >/dev/null
+for file in $(find ${IMAGE_NAME}-${IMAGE_TAG}); do
+  echo "-map $(pwd)/${file} ${file}"
+  echo "-chmod 0444 ${file}"
 done
 popd > /dev/null
 echo "-end"
-
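Review bot: `echo "-chmod 0777 enroll-secureboot-key.sh"` marks the script world-writable in the image; the medium is read-only so it changes nothing at runtime, but 0777 on a script Anaconda executes as root is the wrong signal, will be flagged by any image scanner, and 0555 is all it needs (the key line just above already uses the read-only 0444). The new `if [ -f $(pwd)/sb_pubkey.der ]` test leaves `$(pwd)` unquoted, unlike the `-map` lines, so a build directory containing a space silently skips the key; use `if [ -f "$(pwd)/sb_pubkey.der" ]; then`. The two chmod targets are also written inconsistently (`/sb_pubkey.der` with a leading slash, `enroll-secureboot-key.sh` without); pick one form so a reader does not have to check xorriso's path resolution to trust both.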