feat: Add Secure Boot Support and Remove Grub Entry for Test this Med…

…ia (#28)

* chore: First pass of adding secure boot key enrollment

* feat: Add secure boot support

* feat: Removed Test this media grub entry and set default to install

* fix: simplify secureboot scripts

---------

Co-authored-by: Kyle Gospodnetich <me@kylegospodneti.ch>

Makefile

@@ -48,13 +48,19 @@ lorax_templates/%.tmpl: lorax_templates/%.tmpl.in
 # Step 2: Build boot.iso using Lorax
 boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.tmpl
 	rm -Rf $(_BASE_DIR)/results
+	sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
+	sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
+	sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
+	sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
+
 	lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
           --isfinal --buildarch=$(ARCH) --volid=$(_VOLID) \
           $(_LORAX_ARGS) \
           --repo /etc/yum.repos.d/fedora.repo \
           --repo /etc/yum.repos.d/fedora-updates.repo \
           --add-template $(_BASE_DIR)/lorax_templates/set_installer.tmpl \
 		  --add-template $(_BASE_DIR)/lorax_templates/configure_upgrades.tmpl \
+		  --add-template $(_BASE_DIR)/lorax_templates/secure_boot_key.tmpl \
           $(_BASE_DIR)/results/
 	mv $(_BASE_DIR)/results/images/boot.iso $(_BASE_DIR)/
 

lorax_templates/secure_boot_key.tmpl

@@ -0,0 +1,9 @@
+append usr/share/anaconda/interactive-defaults.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
+append usr/share/anaconda/interactive-defaults.ks "set -m"
+append usr/share/anaconda/interactive-defaults.ks "/run/install/repo/enroll-secureboot-key.sh"
+append usr/share/anaconda/interactive-defaults.ks "%end"
+
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "set -m"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "/run/install/repo/enroll-secureboot-key.sh"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%end"

scripts/enroll-secureboot-key.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -oue pipefail
+
+readonly SECUREBOOT_KEY="/run/install/repo/ublue-os-akmods-public-key.der"
+readonly ENROLLMENT_PASSWORD="ublue-os"
+
+if [[ ! -d "/sys/firmware/efi" ]]; then
+	echo "EFI mode not detected. Skipping key enrollment."
+	exit 0
+fi
+
+if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
+	echo "Secure boot key not found: ${SECUREBOOT_KEY}"
+	exit 1
+fi
+
+mokutil --timeout -1 || :
+echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || :

xorriso/gen_input.sh.in

@@ -5,10 +5,13 @@ echo "-outdev $(pwd)/output/@IMAGE_NAME@-@IMAGE_TAG@.iso"
 echo "-boot_image any replay"
 echo "-joliet on"
 echo "-compliance joliet_long_names"
+echo "-map $(pwd)/scripts/ublue-os-akmods-public-key.der ublue-os-akmods-public-key.der"
+echo "-chmod 0444 /ublue-os-akmods-public-key.der"
+echo "-map $(pwd)/scripts/enroll-secureboot-key.sh enroll-secureboot-key.sh"
+echo "-chmod 0777 enroll-secureboot-key.sh"
 cd container
 for file in $(find @IMAGE_NAME@-@IMAGE_TAG@); do
 	echo "-map $(pwd)/${file} ${file}"
 	echo "-chmod 0444 ${file}"
 done
 echo "-end"
-