fix:[#1651] Add MOTD message for SB keys #1656

Closed
wants to merge 2 commits into from
2 changes: 2 additions & 0 deletions system_files/kinoite/usr/share/ublue-os/motd/bluefin.md
Expand Up @@ -15,3 +15,5 @@ Let's trace the stars.
- 󰊤 [Issues](https://issues.projectbluefin.io)
- 󰈙 [Documentation](http://docs.projectbluefin.io/)
- 󰊌 [Discuss](https://community.projectbluefin.io/)

%KEY_WARN%
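Review bot: the `%KEY_WARN%` placeholder added at the end of this template is substituted by the shared ublue-motd script with no fallback, so any MOTD template variant that lacks the placeholder will silently never show the Secure Boot warning; worth checking every motd/*.md in the tree, not only the two touched here. Two smaller points on this hunk: when KEY_WARN is empty the added blank line plus the emptied placeholder leave two trailing blank lines after the link list, which could be avoided by carrying the leading blank inside the warning text itself; and the visible kinoite list ends at Discuss while the silverblue template in this PR also carries a Leave Feedback entry, so the two templates have drifted.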
14 changes: 13 additions & 1 deletion system_files/shared/usr/libexec/ublue-motd
Expand Up @@ -23,6 +23,18 @@ if [[ -f "$TIP_FILE" ]]; then
fi

TIP_ESCAPED=$(escape "$TIP")
fi

# check for secure boot key
KEY_WARN=""
FINGERPRINT="2B:E9:91:E3:B1:B5:40:70:F4:3D:80:BB:13:EB:C6:57:E5:A3:78:0D"
Contributor

I'm not sure if we want to hard code the fingerprint or read it from the cert on-image?

openssl x509 -fingerprint -noout -in /etc/pki/akmods/certs/akmods-ublue.der

Contributor Author

This is a good suggestion. I've implemented this in the notify-send PR.

mokutil --list-enrolled | grep -q $FINGERPRINT
Contributor

I don't think this actually works.

Example:

$ FINGERPRINT="2B:E9:91:E3:B1:B5:40:70:F4:3D:80:BB:13:EB:C6:57:E5:A3:78:0D"
$ mokutil --list-enrolled |grep $FINGERPRINT

Notice there is no output because the grep match failed...

I think you want something like this:

$ mokutil --list-enrolled --verbose-listing|grep -i $FINGERPRINT
SHA1 Fingerprint: 2b:e9:91:e3:b1:b5:40:70:f4:3d:80:bb:13:eb:c6:57:e5:a3:78:0d

Contributor Author

It does work, but not by comparing output. When grep fails to find a match, it gives an exit code of 1, so this just compares the exit code to see if it matches or not.

I've tested it in a VM and it works well. If there's a better option, I'm open to changing it.

Contributor
@bsherman bsherman Sep 11, 2024

I understand the grep -q usage; my point is that it will always think the key is not enrolled, because of the difference in output between mokutil --list-enrolled and mokutil --list-enrolled --verbose-listing:

$ mokutil --list-enrolled 
2bb010e24d fedoraca
2be991e3b1 ublue kernel

The output above will never have the fingerprint contents.

Adding --verbose-listing does add the fingerprint output to the listing, however, with a lowercased fingerprint, which won't match what you have here.

$ mokutil --list-enrolled --verbose-listing|grep -i sha1
SHA1 Fingerprint: 2b:b0:10:e2:4d:94:c6:32:24:58:89:ba:aa:9e:d0:f3:d5:ef:1f:68
SHA1 Fingerprint: 2b:e9:91:e3:b1:b5:40:70:f4:3d:80:bb:13:eb:c6:57:e5:a3:78:0d

Contributor Author

That's not what the included mokutil command produces:

mokutil --list-enrolled | grep Finger
SHA1 Fingerprint: 2b:b0:10:e2:4d:94:c6:32:24:58:89:ba:aa:9e:d0:f3:d5:ef:1f:68
SHA1 Fingerprint: 2b:e9:91:e3:b1:b5:40:70:f4:3d:80:bb:13:eb:c6:57:e5:a3:78:0d

Contributor
@bsherman bsherman Sep 11, 2024

$ which mokutil
/usr/bin/mokutil

$ `which mokutil` --version
0.7.1

$ /usr/bin/mokutil --list-enrolled | grep Finger

Does Bluefin somehow modify mokutil default behavior?


Contributor

Even if there's a version of mokutil where --list-enrolled does show fingerprint, does --verbose-listing not work?

Contributor

@jardon and I discovered in a side chat that the difference here is Fedora 39 has mokutil version 0.6.0 and Fedora 40 has version 0.7.1.

And the outputs differ.

ENROLLED=$?
mokutil --sb-state | grep -q enabled
SB_ENABLED=$?

sed -e "s/%IMAGE_NAME%/$IMAGE_NAME_ESCAPED/g" -e "s/%IMAGE_TAG%/$IMAGE_TAG_ESCAPED/g" -e "s/%TIP%/$TIP_ESCAPED/g" /usr/share/ublue-os/motd/bluefin.md | tr '~' '\n' | /usr/bin/glow -s auto -w 78 -
if [[ $ENROLLED -eq 1 ]] && [[ $SB_ENABLED -eq 0 ]]; then
KEY_WARN="**WARNING**: This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this [link](https://docs.projectbluefin.io/introduction#secure-boot) ~for instructions on how to enroll the keys."
fi

sed -e "s/%IMAGE_NAME%/$IMAGE_NAME_ESCAPED/g" -e "s/%IMAGE_TAG%/$IMAGE_TAG_ESCAPED/g" -e "s/%TIP%/$TIP_ESCAPED/g" -e "s|%KEY_WARN%|$KEY_WARN|g" /usr/share/ublue-os/motd/bluefin.md | tr '~' '\n' | /usr/bin/glow -s auto -w 78 -
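Review bot: the enrollment test at the `FINGERPRINT=` / `mokutil --list-enrolled | grep -q $FINGERPRINT` lines depends on the mokutil listing format, which the review thread shows differs between 0.6.0 on Fedora 39 (prints `SHA1 Fingerprint:` lines by default) and 0.7.1 on Fedora 40 (prints `2be991e3b1 ublue kernel` and only emits the lowercase fingerprint under `--verbose-listing`), so on 0.7.1 the grep never matches, `ENROLLED` is 1, and with Secure Boot on the warning is shown to every user, including those who did enroll the key. Use `mokutil --list-enrolled --verbose-listing | grep -qi "$FINGERPRINT"` once it is confirmed that 0.6.0 accepts the flag, and take the fingerprint from the shipped certificate rather than the hard-coded constant, as suggested in the thread (`openssl x509 -fingerprint -noout -in /etc/pki/akmods/certs/akmods-ublue.der`), otherwise the constant and the cert drift apart on a key rotation. A smaller point: `$KEY_WARN` goes into `s|%KEY_WARN%|$KEY_WARN|g` without the `escape` treatment the other substituted fields get, which is fine for this fixed string but breaks as soon as the text contains `|`, `&` or `\`.

The version-dependent mokutil output discussed in the review thread above, together with the suggestion to read the fingerprint from the on-image certificate, as an added example that is not code from this PR or from Universal Blue. It assumes the certificate path quoted in the thread (/etc/pki/akmods/certs/akmods-ublue.der, overridable with KEY_CERT) and that `mokutil --list-enrolled --verbose-listing` is accepted by the versions in play, falling back to the plain listing if not; the warning wording is this example's own. The parsers take their input on stdin so the same logic can be exercised against constructed listings without a UEFI machine:

```shell
#!/bin/sh
# Added example, not code from this PR or from the ublue-motd script.
# Checks whether the kernel-signing MOK is enrolled in a way that tolerates
# both mokutil listing formats seen in the review thread, and derives the
# fingerprint from the shipped certificate instead of hard-coding it.
#
# Assumptions (not established by the PR):
#   - the DER certificate lives at /etc/pki/akmods/certs/akmods-ublue.der
#     (path quoted from a review comment; override with KEY_CERT=...)
#   - `mokutil --list-enrolled --verbose-listing` is accepted by the mokutil
#     versions in play; if it is not, the plain listing is used instead

# Normalise "2B:E9:...", "2b:e9:..." or "2be9..." to bare lowercase hex.
norm_fp() {
    printf '%s' "$1" | tr -d ': \t\r' | tr '[:upper:]' '[:lower:]'
}

# stdin: output of `openssl x509 -fingerprint -sha1 -noout`, which reads
# "SHA1 Fingerprint=2B:E9:..." or "sha1 Fingerprint=..." depending on the
# OpenSSL version. stdout: the normalised fingerprint (empty if absent).
parse_openssl_fp() {
    raw=$(sed -n 's/^[Ss][Hh][Aa]1 Fingerprint=//p' | head -n 1)
    norm_fp "$raw"
}

# stdin: a `mokutil --list-enrolled [--verbose-listing]` listing.
# Exit 0 iff some "SHA1 Fingerprint:" line equals $1, compared
# case-insensitively. mokutil 0.6.0 prints those lines by default; 0.7.1
# prints only "<10 hex chars> <name>" per key unless --verbose-listing is
# given, so the short form never matches and is deliberately ignored here.
listing_has_fp() {
    want=$(norm_fp "$1")
    [ -n "$want" ] || return 2
    while IFS= read -r line; do
        case "$line" in
            *[Ff]ingerprint:*)
                have=$(norm_fp "${line#*ingerprint:}")
                [ "$have" = "$want" ] && return 0
                ;;
        esac
    done
    return 1
}

# stdin: `mokutil --sb-state` output. Exit 0 only for "SecureBoot enabled";
# "SecureBoot disabled" and the "EFI variables are not supported" message
# from BIOS machines both fail, so no warning is produced there.
sb_enabled() {
    grep -qi '^SecureBoot enabled'
}

KEY_CERT=${KEY_CERT:-/etc/pki/akmods/certs/akmods-ublue.der}

# Prints a warning line (wording is this example's, not the PR's) only when
# Secure Boot is on and the shipped key is not enrolled. Any failure to
# determine the state (no mokutil/openssl, unreadable cert, no EFI) prints
# nothing rather than a false alarm.
mok_key_warning() {
    command -v mokutil >/dev/null 2>&1 || return 0
    command -v openssl >/dev/null 2>&1 || return 0
    [ -r "$KEY_CERT" ] || return 0
    fp=$(openssl x509 -inform DER -in "$KEY_CERT" -noout -sha1 -fingerprint 2>/dev/null | parse_openssl_fp)
    [ -n "$fp" ] || return 0
    mokutil --sb-state 2>/dev/null | sb_enabled || return 0
    listing=$(mokutil --list-enrolled --verbose-listing 2>/dev/null) ||
        listing=$(mokutil --list-enrolled 2>/dev/null) || return 0
    if ! printf '%s\n' "$listing" | listing_has_fp "$fp"; then
        printf '%s\n' "WARNING: Secure Boot is enabled but key $fp is not enrolled in the MOK list."
    fi
}

# Run the live check only when asked, so sourcing the file is side-effect free.
case "${1:-}" in
    --check) mok_key_warning ;;
esac
```

Run it as `sh mok-check.sh --check` on the target machine; the MOTD script would call `mok_key_warning` and place its output where `%KEY_WARN%` is substituted. Comparing the full fingerprint rather than the 10-character short id keeps the check from being satisfied by a different key that merely shares a prefix.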
2 changes: 2 additions & 0 deletions system_files/silverblue/usr/share/ublue-os/motd/bluefin.md
Expand Up @@ -15,3 +15,5 @@
- 󰈙 [Documentation](http://docs.projectbluefin.io/)
- 󰊌 [Discuss](https://community.projectbluefin.io/)
- 󰊌 [Leave Feedback](https://feedback.projectbluefin.io)

%KEY_WARN%
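Review bot: same dependency as in the kinoite template: the warning only appears because `%KEY_WARN%` is present here, and an empty `KEY_WARN` leaves two trailing blank lines after the list. Unrelated to the change but visible in the context: the Leave Feedback entry reuses the Discuss glyph (󰊌) while the other links each have their own icon, which looks like a copy-paste leftover worth fixing while the file is touched.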