build-container-installer/scripts/enroll-secureboot-key.sh.in

#!/bin/sh

set -oue pipefail

readonly ENROLLMENT_PASSWORD=@ENROLLMENT_PASSWORD@
readonly SECUREBOOT_KEY="/run/install/repo/sb_pubkey.der"

if [[ ! -d "/sys/firmware/efi" ]]; then
	echo "EFI mode not detected. Skipping key enrollment."
	exit 0
fi

if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
	echo "Secure boot key not provided: ${SECUREBOOT_KEY}"
	exit 0
fi

SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)"
if [[ ":Jupiter:Galileo:" =~ ":$SYS_ID:" ]]; then
	echo "Steam Deck hardware detected. Skipping key enrollment."
	exit 0
fi

mokutil --timeout -1 || :
echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || :