From 50dac4a735f7fa50bdfb6070ba493156575bf022 Mon Sep 17 00:00:00 2001
From: Electronic Eel <eel@electroniceel.org>
Date: Mon, 31 May 2021 17:06:31 +0200
Subject: [PATCH] Check if EFI secure boot is enabled and notify user to
 disable it in this case.

---
 migrate2rocky.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/migrate2rocky.sh b/migrate2rocky.sh
index d4a0e52..e213446 100644
--- a/migrate2rocky.sh
+++ b/migrate2rocky.sh
@@ -98,7 +98,7 @@ bin_check() {
 	cat arch sort uniq rmdir rm head
     )
     if [[ $update_efi ]]; then
-	bins+=(findmnt grub2-mkconfig efibootmgr)
+	bins+=(findmnt grub2-mkconfig efibootmgr grep mokutil)
     fi
     for bin in "${bins[@]}"; do
 	if ! type "$bin" >/dev/null 2>&1; then
@@ -209,6 +209,13 @@ collect_system_info () {
 	    exit_message "Can't find EFI mount.  No EFI  boot detected."
     fi
 
+    # check if EFI secure boot is enabled
+    if [[ $update_efi ]]; then
+	if mokutil --sb-state 2>&1 | grep -q "SecureBoot enabled"; then
+	    exit_message "EFI Secure Boot is enabled but Rocky Linux doesn't provide a signed shim yet. Disable EFI Secure Boot and reboot."
+	fi
+    fi
+
     # Don't enable these module streams, even if they are enabled in the source
     # distro.
     declare -g -a module_excludes