feat: Add notification for secure boot key check

- Add script to check for sb enabled and key registration - Add systemd service to run script and notify
ublue-os · Sep 10, 2024 · 73df2e9 · 73df2e9
1 parent 0b49d5c
commit 73df2e9
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 0 deletions.
diff --git a/build_files/systemd.sh b/build_files/systemd.sh
@@ -14,3 +14,4 @@ systemctl enable brew-upgrade.timer
 systemctl enable brew-update.timer
 systemctl --global enable ublue-user-setup.service
 systemctl --global enable podman-auto-update.timer
+systemctl enable sb-key-notify.service
diff --git a/system_files/shared/usr/bin/check-sb-key b/system_files/shared/usr/bin/check-sb-key
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+FINGERPRINT="2B:E9:91:E3:B1:B5:40:70:F4:3D:80:BB:13:EB:C6:57:E5:A3:78:0D"
+mokutil --list-enrolled | grep -q $FINGERPRINT
+ENROLLED=$?
+mokutil --sb-state | grep -q enabled
+SB_ENABLED=$?
+
+if [[ $ENROLLED -eq 1 ]] && [[ $SB_ENABLED -eq 0 ]]; then
+	exit 1
+fi
+
+exit 0
diff --git a/system_files/shared/usr/lib/systemd/system/sb-key-notify.service b/system_files/shared/usr/lib/systemd/system/sb-key-notify.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Service to check for secure boot key enrollment and send notifications
+
+[Service]
+ExecStart=/usr/bin/check-sb-key || notify-send 'WARNING' \
+        "This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting may cause your system to fail to boot. Follow this link https://docs.projectbluefin.io/introduction#secure-boot for instructions on how to enroll the keys." \
+        -i dialog-warning \
+        -u critical \
+        -a mokutil \
+        --wait
+
+[Install]
+WantedBy=multi-user.target
+
+[Timer]
+OnBootSec=1min
+OnUnitActiveSec=1h