From b1b9d184306c805086f59400f55b11fc4cbc2350 Mon Sep 17 00:00:00 2001
From: Jarred Wilson
Date: Mon, 9 Sep 2024 23:38:34 +0000
Subject: [PATCH] feat: Add notification for secure boot key check

- Add script to check for sb enabled and key registration
- Add script for notification
- Add systemd service to run script and notify
---
 build_files/systemd.sh | 1 +
 system_files/shared/usr/bin/check-sb-key | 15 +++++++++++++++
 .../usr/lib/systemd/system/sb-key-notify.service | 12 ++++++++++++
 system_files/shared/usr/libexec/sb-key-notify.sh | 15 +++++++++++++++
 4 files changed, 43 insertions(+)
 create mode 100755 system_files/shared/usr/bin/check-sb-key
 create mode 100644 system_files/shared/usr/lib/systemd/system/sb-key-notify.service
 create mode 100644 system_files/shared/usr/libexec/sb-key-notify.sh

diff --git a/build_files/systemd.sh b/build_files/systemd.sh
index eab8767d980..89e69fab324 100755
--- a/build_files/systemd.sh
+++ b/build_files/systemd.sh
@@ -14,3 +14,4 @@ systemctl enable brew-upgrade.timer
 systemctl enable brew-update.timer
 systemctl --global enable ublue-user-setup.service
 systemctl --global enable podman-auto-update.timer
+systemctl enable sb-key-notify.service
diff --git a/system_files/shared/usr/bin/check-sb-key b/system_files/shared/usr/bin/check-sb-key
new file mode 100755
index 00000000000..67c70584162
--- /dev/null
+++ b/system_files/shared/usr/bin/check-sb-key
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+FINGERPRINT="2B:E9:91:E3:B1:B5:40:70:F4:3D:80:BB:13:EB:C6:57:E5:A3:78:0D"
+mokutil --list-enrolled | grep -q $FINGERPRINT
+ENROLLED=$?
+mokutil --sb-state | grep -q enabled
+SB_ENABLED=$?
+
+if [[ $ENROLLED -eq 1 ]] && [[ $SB_ENABLED -eq 0 ]]; then
+echo "Secure Boot enabled. Key missing..."
+exit 1
+fi
+
+echo "No key enrollment needed at this time."
+exit 0
\ No newline at end of file
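Review bot: `grep -q $FINGERPRINT` expands the pinned fingerprint unquoted and as a regular expression; quote it and match it as a fixed string, `mokutil --list-enrolled | grep -qF -- "$FINGERPRINT"`. If `mokutil` is absent or cannot read the EFI variables, both greps see empty input and return 1, so `SB_ENABLED` ends up 1 and the script prints "No key enrollment needed at this time." on a machine it could not actually inspect; a guard such as `command -v mokutil >/dev/null || exit 2` at the top would let the caller tell "could not check" apart from "nothing to do". A header comment stating which certificate the SHA-1 fingerprint belongs to (the notification text in this patch suggests the Universal Blue MOK — confirm) would help whoever has to rotate it later.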
diff --git a/system_files/shared/usr/lib/systemd/system/sb-key-notify.service b/system_files/shared/usr/lib/systemd/system/sb-key-notify.service
new file mode 100644
index 00000000000..e84a5430a7c
--- /dev/null
+++ b/system_files/shared/usr/lib/systemd/system/sb-key-notify.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Service to check for secure boot key enrollment and send notifications
+
+[Service]
+ExecStart=/usr/libexec/sb-key-notify.sh
+
+[Install]
+WantedBy=multi-user.target
+
+[Timer]
+OnBootSec=1min
+OnUnitActiveSec=3h
\ No newline at end of file
diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh
new file mode 100644
index 00000000000..b6d28df76ac
--- /dev/null
+++ b/system_files/shared/usr/libexec/sb-key-notify.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+/usr/bin/check-sb-key > /dev/null
+
+if [[ $? -eq 1 ]]; then
+USER_ID=$(/usr/bin/loginctl list-users --output=json | jq -r '.[] | .user')
+XDG_DIR=$(/usr/bin/loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-)
+/usr/bin/sudo -u \
+$USER_ID DISPLAY=:0 \
+DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus \
+notify-send "WARNING" \
+"This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting may cause your system to fail to boot. Follow this link https://docs.projectbluefin.io/introduction#secure-boot for instructions on how to enroll the keys." \
+-i dialog-warning \
+-u critical \
+-a mokutil \
+--wait
\ No newline at end of file
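Review bot: The `[Timer]` section with `OnBootSec=1min` and `OnUnitActiveSec=3h` is not valid inside a `.service` unit — systemd logs an unknown-section warning and ignores it — so this unit runs exactly once when multi-user.target is reached and never re-checks. Move those three lines into a companion `sb-key-notify.timer` (with its own `[Unit]`/`Description=` and an `[Install]` section containing `WantedBy=timers.target`), add `Type=oneshot` under `[Service]` here, and change the new line in build_files/systemd.sh to `systemctl enable sb-key-notify.timer`. A single run at multi-user.target also tends to happen before any user session exists, so the delayed, repeating timer is what makes the notification reachable at all.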
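Review bot: The `if [[ $? -eq 1 ]]; then` block is never closed — the 15 added lines end at `--wait` with no `fi`, so bash rejects the whole file with a syntax error at end of input and the service can never send a notification. The file is also created with `new file mode 100644` while the unit runs it through `ExecStart=`, which needs it executable. Inside the block, `jq -r '.[] | .user'` prints one entry per logged-in user, so `USER_ID` is multi-line when several are logged in and empty right after boot, and is then word-split into `sudo -u $USER_ID` and `$XDG_DIR/bus`; looping over the users with quoted expansions, as below, handles zero, one or several sessions, and `loginctl show-user -p RuntimePath --value` removes the dependence on `cut -c 13-` column counting. With `-u critical` the notification does not expire, so `--wait` keeps the service process alive until each user dismisses it; it is dropped in the rewrite.
```shell
#!/bin/bash
/usr/bin/check-sb-key > /dev/null
[[ $? -eq 1 ]] || exit 0

# Notify every logged-in user; loginctl may list none (early boot) or several.
while IFS= read -r user; do
  [[ -n "$user" ]] || continue
  runtime_dir=$(/usr/bin/loginctl show-user -p RuntimePath --value "$user") || continue
  [[ -S "$runtime_dir/bus" ]] || continue
  /usr/bin/sudo -u "$user" DISPLAY=:0 \
    DBUS_SESSION_BUS_ADDRESS="unix:path=$runtime_dir/bus" \
    notify-send "WARNING" \
    "This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting may cause your system to fail to boot. Follow this link https://docs.projectbluefin.io/introduction#secure-boot for instructions on how to enroll the keys." \
    -i dialog-warning \
    -u critical \
    -a mokutil
done < <(/usr/bin/loginctl list-users --output=json | jq -r '.[] | .user')
```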