diff --git a/build_files/systemd.sh b/build_files/systemd.sh
index eab8767d980..9055c3abe6e 100755
--- a/build_files/systemd.sh
+++ b/build_files/systemd.sh
@@ -14,3 +14,4 @@ systemctl enable brew-upgrade.timer
 systemctl enable brew-update.timer
 systemctl --global enable ublue-user-setup.service
 systemctl --global enable podman-auto-update.timer
+systemctl enable check-sb-key.service
diff --git a/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md b/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md
index 614bda9d241..6f3be15a4c2 100644
--- a/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md
+++ b/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md
@@ -15,3 +15,5 @@ Let's trace the stars.
 - 󰊤 [Issues](https://issues.projectbluefin.io)
 - 󰈙 [Documentation](http://docs.projectbluefin.io/)
 - 󰊌 [Discuss](https://community.projectbluefin.io/)
+
+%KEY_WARN%
diff --git a/system_files/shared/etc/profile.d/sb-key-notify-autostart.sh b/system_files/shared/etc/profile.d/sb-key-notify-autostart.sh
new file mode 100755
index 00000000000..767ff2289ce
--- /dev/null
+++ b/system_files/shared/etc/profile.d/sb-key-notify-autostart.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/bash
+
+if test "$(id -u)" -gt "0" && test -d "$HOME"; then
+ if test ! -e "$HOME"/.config/autostart/sb-key-notify.desktop; then
+ mkdir -p "$HOME"/.config/autostart
+ cp -f /etc/skel/.config/autostart/sb-key-notify.desktop "$HOME"/.config/autostart
+ fi
+fi
\ No newline at end of file
diff --git a/system_files/shared/etc/skel/.config/autostart/sb-key-notify.desktop b/system_files/shared/etc/skel/.config/autostart/sb-key-notify.desktop
new file mode 100644
index 00000000000..0d93775498e
--- /dev/null
+++ b/system_files/shared/etc/skel/.config/autostart/sb-key-notify.desktop
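Review bot: The autostart entry is re-seeded on every login where it is missing (the `test ! -e` guard on the inner if), so a user who deletes ~/.config/autostart/sb-key-notify.desktop to silence the notifier gets it back at the next login; the XDG way to opt out is to keep the copy with `Hidden=true`, which the guard does respect, but nothing says so. A comment above the inner if would make that intent explicit, e.g. `# Seed the notifier entry once; to opt out keep the copy with Hidden=true — deleting it re-seeds it on next login.` Since profile.d is sourced by every login shell, including non-graphical ones, `cp -f` will also print an error onto the user's terminal on any image variant that lacks the skel file; a `test -r` on the source path before the copy keeps that quiet.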
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=Secure boot Notify
+Comment=Autostart secure boot key notification
+Exec=/usr/bin/sb-key-notify
+Icon=org.gnome.Terminal
+Type=Application
+Categories=Utility;System;
+Name[en_US]=secure-boot-notify
+
+
diff --git a/system_files/shared/usr/bin/sb-key-notify b/system_files/shared/usr/bin/sb-key-notify
new file mode 100755
index 00000000000..dfe69bc2efa
--- /dev/null
+++ b/system_files/shared/usr/bin/sb-key-notify
@@ -0,0 +1,9 @@
+KEY_WARN_FILE="/run/user-motd-sbkey-warn.md"
+
+if [ -e $KEY_WARN_FILE ]; then
+ WARNING_MSG=$(cat "$KEY_WARN_FILE")
+
+ notify-send "WARNING" "$(echo "$WARNING_MSG" | tr -d '*~')" -i dialog-warning -u critical -a mokutil --wait
+else
+ echo "No secure boot key warning file. Skipping..."
+fi
\ No newline at end of file
diff --git a/system_files/shared/usr/lib/systemd/system/check-sb-key.service b/system_files/shared/usr/lib/systemd/system/check-sb-key.service
new file mode 100644
index 00000000000..65bed2e5521
--- /dev/null
+++ b/system_files/shared/usr/lib/systemd/system/check-sb-key.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Service to check for secure boot key enrollment
+
+[Service]
+ExecStart=/usr/libexec/check-sb-key.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/system_files/shared/usr/libexec/check-sb-key.sh b/system_files/shared/usr/libexec/check-sb-key.sh
new file mode 100755
index 00000000000..e918fe177f8
--- /dev/null
+++ b/system_files/shared/usr/libexec/check-sb-key.sh
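Review bot: `Name[en_US]=secure-boot-notify` gives en_US sessions a different, lower-cased label than the untranslated `Name=Secure boot Notify`, so en_US users see a different entry name than everyone else; either align the two strings or drop the localized key. `Icon=org.gnome.Terminal` also looks borrowed rather than chosen for a warning entry — if a terminal icon is not deliberate, `Icon=dialog-warning` would match the `-i dialog-warning` the notifier script itself passes to notify-send.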
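Review bot: The script has no interpreter line — the hunk starts directly at `KEY_WARN_FILE=` — yet the desktop entry runs it by path through Exec=, so it is executed rather than sourced, and whether the session launcher falls back to /bin/sh on ENOEXEC is launcher-specific; add `#!/usr/bin/bash` as the first line. The existence test should also quote its expansion, `if [ -e "$KEY_WARN_FILE" ]; then`, consistent with the quoted `cat "$KEY_WARN_FILE"` two lines below. A one-line header comment saying that the file is written by check-sb-key.sh at boot and that `tr -d '*~'` strips the markdown emphasis and the `~` line-break marker used by the MOTD renderer would spare the next reader a trip through three files.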
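Review bot: [Service] sets no Type=, so the unit runs as Type=simple and is reported active the moment check-sb-key.sh is forked, before it has decided whether to write or remove /run/user-motd-sbkey-warn.md; since the script runs once and exits, `Type=oneshot` is the fitting type (add `RemainAfterExit=yes` only if the unit should stay shown as active so other units can order after it). A `ConditionPathExists=/sys/firmware/efi` line in [Unit] would also skip the check cleanly on non-UEFI boots instead of relying on mokutil failing inside the script.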
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo "This script must be run as root." >&2
+ exit 1
+fi
+
+WARNING_MSG="This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot ~for instructions on how to enroll the keys."
+KEY_WARN_FILE="/run/user-motd-sbkey-warn.md"
+KEY_DER_FILE="/etc/pki/akmods/certs/akmods-ublue.der"
+
+mokutil --sb-state | grep -q enabled
+SB_ENABLED=$?
+
+if [ $SB_ENABLED -ne 0 ]; then
+ echo "Secure Boot disabled. Skipping..."
+ exit 0
+fi
+
+if mokutil --test-key "$KEY_DER_FILE"; then
+ echo "**WARNING**: $WARNING_MSG" > $KEY_WARN_FILE
+else
+ [ -e $KEY_WARN_FILE ] && rm $KEY_WARN_FILE
+fi
diff --git a/system_files/shared/usr/libexec/ublue-motd b/system_files/shared/usr/libexec/ublue-motd
index 4c77fcf1f3c..114258e486f 100755
--- a/system_files/shared/usr/libexec/ublue-motd
+++ b/system_files/shared/usr/libexec/ublue-motd
@@ -24,5 +24,14 @@ if [[ -f "$TIP_FILE" ]]; then
 TIP_ESCAPED=$(escape "$TIP")
- sed -e "s/%IMAGE_NAME%/$IMAGE_NAME_ESCAPED/g" -e "s/%IMAGE_TAG%/$IMAGE_TAG_ESCAPED/g" -e "s/%TIP%/$TIP_ESCAPED/g" /usr/share/ublue-os/motd/bluefin.md | tr '~' '\n' | /usr/bin/glow -s auto -w 78 -
 fi
+
+KEY_WARN_FILE="/run/user-motd-sbkey-warn.md"
+[ -e $KEY_WARN_FILE ] && KEY_WARN="$(cat $KEY_WARN_FILE)"
+KEY_WARN_ESCAPED=$(escape "$KEY_WARN")
+
+sed -e "s/%IMAGE_NAME%/$IMAGE_NAME_ESCAPED/g" \
+ -e "s/%IMAGE_TAG%/$IMAGE_TAG_ESCAPED/g" \
+ -e "s/%TIP%/$TIP_ESCAPED/g" \
+ -e "s/%KEY_WARN%/$KEY_WARN_ESCAPED/g" \
+ /usr/share/ublue-os/motd/bluefin.md | tr '~' '\n' | /usr/bin/glow -s auto -w 78 -
diff --git a/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md b/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md
index 015d17a4656..1fa56f6b37e 100644
--- a/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md
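Review bot: The warning is raised purely on the exit status of `mokutil --test-key "$KEY_DER_FILE"` in the last if, and that status is also non-zero when the DER file is missing or efivars are unavailable, in which case the else branch quietly removes any warning — an error is read as "enrolled". The convention the branch relies on (0 = not enrolled) is not obvious to a reader and deserves a comment such as `# mokutil --test-key exits 0 when the key is NOT enrolled; non-zero when enrolled (or on error)` — please confirm this against the mokutil version shipped in the image. A guard before the test, `[ -r "$KEY_DER_FILE" ] || { echo "Key file $KEY_DER_FILE missing, cannot check enrollment." >&2; exit 0; }`, separates the error case from the enrolled case. The `> $KEY_WARN_FILE`, `-e $KEY_WARN_FILE` and `rm $KEY_WARN_FILE` expansions should be quoted the way `"$KEY_DER_FILE"` already is.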
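Review bot: `KEY_WARN` is never initialized, so when /run/user-motd-sbkey-warn.md is absent the `escape "$KEY_WARN"` call receives an unset variable; whether that is a silent empty string or a fatal error depends on whether `set -u` is in effect earlier in the file, which is outside this hunk. Initializing it and quoting the path, `KEY_WARN=""` followed by `[ -e "$KEY_WARN_FILE" ] && KEY_WARN="$(cat "$KEY_WARN_FILE")"`, makes the substitution well-defined either way. The sed pipeline moved out of the `if [[ -f "$TIP_FILE" ]]` block (which closes at the context `fi`) now also runs when the tip file is missing, with `%TIP%` replaced by whatever `TIP_ESCAPED` then holds — presumably nothing — which may be intended but is worth a comment at the new sed line.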
+++ b/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md
@@ -15,3 +15,5 @@
 - 󰈙 [Documentation](http://docs.projectbluefin.io/)
 - 󰊌 [Discuss](https://community.projectbluefin.io/)
 - 󰊌 [Leave Feedback](https://feedback.projectbluefin.io)
+
+%KEY_WARN%