Merge pull request #22 from electroniceel/efi-secure-boot

Check if EFI secure boot is enabled
Neil Hanlon 2021-05-31 20:30:52 -04:00 committed by GitHub
commit de8c952285
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -101,7 +101,7 @@ bin_check() {
cat arch sort uniq rmdir rm head cat arch sort uniq rmdir rm head
) )
if [[ $update_efi ]]; then if [[ $update_efi ]]; then
bins+=(findmnt grub2-mkconfig efibootmgr) bins+=(findmnt grub2-mkconfig efibootmgr grep mokutil)
fi fi
for bin in "${bins[@]}"; do for bin in "${bins[@]}"; do
if ! type "$bin" >/dev/null 2>&1; then if ! type "$bin" >/dev/null 2>&1; then
@ -212,6 +212,13 @@ collect_system_info () {
exit_message "Can't find EFI mount. No EFI boot detected." exit_message "Can't find EFI mount. No EFI boot detected."
fi fi
# check if EFI secure boot is enabled
if [[ $update_efi ]]; then
if mokutil --sb-state 2>&1 | grep -q "SecureBoot enabled"; then
exit_message "EFI Secure Boot is enabled but Rocky Linux doesn't provide a signed shim yet. Disable EFI Secure Boot and reboot."
fi
fi
# Don't enable these module streams, even if they are enabled in the source # Don't enable these module streams, even if they are enabled in the source
# distro. # distro.
declare -g -a module_excludes declare -g -a module_excludes
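Review bot: The Secure Boot guard added in collect_system_info fails open, because `mokutil --sb-state 2>&1 | grep -q "SecureBoot enabled"` treats any output other than that exact string as "not enabled". That includes a mokutil error message folded in through `2>&1`, so the conversion would carry on when the state could not actually be read. Capturing the output once, e.g. `sb_state=$(mokutil --sb-state 2>&1)`, and calling exit_message (or at least warning) when it matches neither `SecureBoot enabled` nor `SecureBoot disabled` would make the undetermined case explicit. The body of collect_system_info starts and continues outside this hunk, so whether a later step re-checks the state is not visible here.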