From 62e779b5f23c561a70a6f777030cff4898dff985 Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Mon, 9 Sep 2024 23:38:34 +0000 Subject: [PATCH 01/26] feat: Add notification for secure boot key check - Add script to check for sb enabled and key registration - Add script for notification - Add systemd service to run script and notify --- build_files/systemd.sh | 1 + system_files/shared/usr/bin/check-sb-key | 15 +++++++++++++++ .../usr/lib/systemd/system/sb-key-notify.service | 12 ++++++++++++ system_files/shared/usr/libexec/sb-key-notify.sh | 15 +++++++++++++++ 4 files changed, 43 insertions(+) create mode 100755 system_files/shared/usr/bin/check-sb-key create mode 100644 system_files/shared/usr/lib/systemd/system/sb-key-notify.service create mode 100644 system_files/shared/usr/libexec/sb-key-notify.sh diff --git a/build_files/systemd.sh b/build_files/systemd.sh index eab8767d980..89e69fab324 100755 --- a/build_files/systemd.sh +++ b/build_files/systemd.sh @@ -14,3 +14,4 @@ systemctl enable brew-upgrade.timer systemctl enable brew-update.timer systemctl --global enable ublue-user-setup.service systemctl --global enable podman-auto-update.timer +systemctl enable sb-key-notify.service diff --git a/system_files/shared/usr/bin/check-sb-key b/system_files/shared/usr/bin/check-sb-key new file mode 100755 index 00000000000..8d3211cd472 --- /dev/null +++ b/system_files/shared/usr/bin/check-sb-key @@ -0,0 +1,15 @@ +#!/bin/bash + +FINGERPRINT="$(openssl x509 -fingerprint -noout -in /etc/pki/akmods/certs/akmods-ublue.der | cut -c 18-)" +mokutil --list-enrolled | grep -q $FINGERPRINT +ENROLLED=$? +mokutil --sb-state | grep -q enabled +SB_ENABLED=$? + +if [[ $ENROLLED -eq 1 ]] && [[ $SB_ENABLED -eq 0 ]]; then + echo "Secure Boot enabled. Key missing..." + exit 1 +fi + +echo "No key enrollment needed at this time." +exit 0 \ No newline at end of file 
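Review bot: The enrollment check in check-sb-key fails open when the fingerprint cannot be computed: `openssl x509 ... -in /etc/pki/akmods/certs/akmods-ublue.der` is handed a DER file without `-inform DER` (older OpenSSL defaults to PEM input and errors out), and on any error `FINGERPRINT` is empty, so `grep -q $FINGERPRINT` matches every line of `mokutil --list-enrolled`, `ENROLLED` becomes 0 and the script reports that no enrollment is needed on a machine with no key. Even when openssl succeeds it prints uppercase hex, and if mokutil lists the fingerprint in lowercase the case-sensitive grep never matches and the result is inverted the other way. Guard the value and match it as a literal, case-insensitively: `[ -n "$FINGERPRINT" ] || { echo "cannot read akmods-ublue.der" >&2; exit 2; }` and `mokutil --list-enrolled | grep -qiF -- "$FINGERPRINT"`. PATCH 02 replaces this script with `mokutil --test-key`, but the same concern of error statuses being read as a valid answer applies to the condition PATCH 18 introduces.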
diff --git a/system_files/shared/usr/lib/systemd/system/sb-key-notify.service b/system_files/shared/usr/lib/systemd/system/sb-key-notify.service new file mode 100644 index 00000000000..e84a5430a7c --- /dev/null +++ b/system_files/shared/usr/lib/systemd/system/sb-key-notify.service @@ -0,0 +1,12 @@ +[Unit] +Description=Service to check for secure boot key enrollment and send notifications + +[Service] +ExecStart=/usr/libexec/sb-key-notify.sh + +[Install] +WantedBy=multi-user.target + +[Timer] +OnBootSec=1min +OnUnitActiveSec=3h \ No newline at end of file diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh new file mode 100644 index 00000000000..b6d28df76ac --- /dev/null +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -0,0 +1,15 @@ +#!/bin/bash +/usr/bin/check-sb-key > /dev/null + +if [[ $? -eq 1 ]]; then + USER_ID=$(/usr/bin/loginctl list-users --output=json | jq -r '.[] | .user') + XDG_DIR=$(/usr/bin/loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-) + /usr/bin/sudo -u \ + $USER_ID DISPLAY=:0 \ + DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus \ + notify-send "WARNING" \ + "This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting may cause your system to fail to boot. Follow this link https://docs.projectbluefin.io/introduction#secure-boot for instructions on how to enroll the keys." \ + -i dialog-warning \ + -u critical \ + -a mokutil \ + --wait \ No newline at end of file From 4219f50b47c1dbdc5803d349c17323a0daefcaeb Mon Sep 17 00:00:00 2001 
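Review bot: `[Timer]` is not a valid section in a `.service` unit, so systemd logs an unknown-section warning and ignores `OnBootSec=` and `OnUnitActiveSec=`; the check runs exactly once when multi-user.target is reached and the intended 3-hour re-check never happens. Move those two keys into a separate `sb-key-notify.timer` with `[Install] WantedBy=timers.target` and enable the timer instead of the service in build_files/systemd.sh. This commit also creates `/usr/libexec/sb-key-notify.sh` with mode 100644, so `ExecStart=` will fail with a permission error unless the image build sets the execute bit; the rename in PATCH 22 keeps that mode.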
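Review bot: `USER_ID=$(loginctl list-users --output=json | jq -r '.[] | .user')` yields one name per logged-in user, so with two sessions `sudo -u $USER_ID` receives a multi-line value that word-splits into a bogus username plus extra arguments and nobody is notified. Iterate over the users (`while IFS= read -r user; do ...; done`) or select the active graphical session, and quote the expansions (`sudo -u "$USER_ID"`, `"$XDG_DIR"`). `DISPLAY=:0` is an assumption that does not hold for every session, and `notify-send --wait` on a critical-urgency notification keeps this root service blocked for as long as the desktop keeps the notification open. PATCH 22 moves the notification into the user session, which sidesteps the root-to-user `sudo` approach entirely.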
From: Jarred Wilson Date: Wed, 11 Sep 2024 18:39:05 +0000 Subject: [PATCH 02/26] Squash: refactor to single script for motd and notify-send --- system_files/shared/usr/bin/check-sb-key | 15 ------------- .../shared/usr/libexec/sb-key-notify.sh | 22 +++++++++++++++---- 2 files changed, 18 insertions(+), 19 deletions(-) delete mode 100755 system_files/shared/usr/bin/check-sb-key diff --git a/system_files/shared/usr/bin/check-sb-key b/system_files/shared/usr/bin/check-sb-key deleted file mode 100755 index 8d3211cd472..00000000000 --- a/system_files/shared/usr/bin/check-sb-key +++ /dev/null @@ -1,15 +0,0 @@ -#!/bin/bash - -FINGERPRINT="$(openssl x509 -fingerprint -noout -in /etc/pki/akmods/certs/akmods-ublue.der | cut -c 18-)" -mokutil --list-enrolled | grep -q $FINGERPRINT -ENROLLED=$? -mokutil --sb-state | grep -q enabled -SB_ENABLED=$? - -if [[ $ENROLLED -eq 1 ]] && [[ $SB_ENABLED -eq 0 ]]; then - echo "Secure Boot enabled. Key missing..." - exit 1 -fi - -echo "No key enrollment needed at this time." -exit 0 \ No newline at end of file diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index b6d28df76ac..c16e95de327 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh 
@@ -1,15 +1,29 @@ #!/bin/bash -/usr/bin/check-sb-key > /dev/null -if [[ $? -eq 1 ]]; then +if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run as root." >&2 + exit 1 +fi + +WARNING_MSG="This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot for instructions on how to enroll the keys." +TIP_PATH="/usr/share/ublue-os/motd/tips/key-warning.md" + +mokutil --test-key /etc/pki/akmods/certs/akmods-ublue.der + +if [ $? -eq 1 ]; then USER_ID=$(/usr/bin/loginctl list-users --output=json | jq -r '.[] | .user') XDG_DIR=$(/usr/bin/loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-) /usr/bin/sudo -u \ $USER_ID DISPLAY=:0 \ DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus \ notify-send "WARNING" \ - "This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting may cause your system to fail to boot. Follow this link https://docs.projectbluefin.io/introduction#secure-boot for instructions on how to enroll the keys." \ + $(echo "$WARNING_MSG" | tr -d '*') \ -i dialog-warning \ -u critical \ -a mokutil \ - --wait \ No newline at end of file + --wait + + echo "WARNING: $WARNING_MSG" > $TIP_PATH +else + rm $TIP_PATH +fi \ No newline at end of file From 4da13af84276a4e8c3d93bf84bebdc2b47a898ab Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Wed, 11 Sep 2024 19:08:40 +0000 Subject: [PATCH 03/26] Add quoting --- system_files/shared/usr/libexec/sb-key-notify.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index c16e95de327..27b496ccd85 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh 
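Review bot: `echo "WARNING: $WARNING_MSG" > $TIP_PATH` writes under `/usr/share/ublue-os/motd/tips/`, and on an image-based (rpm-ostree/bootc) deployment `/usr` is read-only at runtime, so the redirect fails with a read-only-filesystem error and the motd tip is never created; PATCH 12 renames the variable but keeps the path under `/usr`, and only PATCH 19 moves it to `/run`. The condition `if [ $? -eq 1 ]` after `mokutil --test-key` also treats every non-1 status identically, so an error status (unreadable DER file, no efivars) is silently taken as one of the two valid answers instead of being reported. Capture the status explicitly, e.g. `mokutil --test-key /etc/pki/akmods/certs/akmods-ublue.der; rc=$?`, and branch with a `case "$rc"` whose default arm writes to stderr and exits non-zero. Both `$TIP_PATH` expansions should be quoted as well.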
@@ -11,13 +11,13 @@ TIP_PATH="/usr/share/ublue-os/motd/tips/key-warning.md" mokutil --test-key /etc/pki/akmods/certs/akmods-ublue.der if [ $? -eq 1 ]; then - USER_ID=$(/usr/bin/loginctl list-users --output=json | jq -r '.[] | .user') - XDG_DIR=$(/usr/bin/loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-) + USER_ID="$(/usr/bin/loginctl list-users --output=json | jq -r '.[] | .user')" + XDG_DIR="$(/usr/bin/loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-)" /usr/bin/sudo -u \ - $USER_ID DISPLAY=:0 \ + "$USER_ID DISPLAY=:0" \ DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus \ notify-send "WARNING" \ - $(echo "$WARNING_MSG" | tr -d '*') \ + "$(echo "$WARNING_MSG" | tr -d '*')" \ -i dialog-warning \ -u critical \ -a mokutil \ From b75477f95d203293d51903b16cb39555ce62f80d Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Wed, 11 Sep 2024 19:08:59 +0000 Subject: [PATCH 04/26] Reverse conditional --- system_files/shared/usr/libexec/sb-key-notify.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index 27b496ccd85..3ad0c008820 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -10,7 +10,7 @@ TIP_PATH="/usr/share/ublue-os/motd/tips/key-warning.md" mokutil --test-key /etc/pki/akmods/certs/akmods-ublue.der -if [ $? -eq 1 ]; then +if [ $? -ne 1 ]; then USER_ID="$(/usr/bin/loginctl list-users --output=json | jq -r '.[] | .user')" XDG_DIR="$(/usr/bin/loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-)" /usr/bin/sudo -u \ From 30c1aac7ae622ee3b32fd2243884a51bb2dfeeaa Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Wed, 11 Sep 2024 19:13:50 +0000 Subject: [PATCH 05/26] Fix grouping during quoting --- system_files/shared/usr/libexec/sb-key-notify.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index 3ad0c008820..25fc48946e1 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -14,7 +14,8 @@ if [ $? -ne 1 ]; then USER_ID="$(/usr/bin/loginctl list-users --output=json | jq -r '.[] | .user')" XDG_DIR="$(/usr/bin/loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-)" /usr/bin/sudo -u \ - "$USER_ID DISPLAY=:0" \ + "$USER_ID" \ + "DISPLAY=:0" \ DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus \ notify-send "WARNING" \ "$(echo "$WARNING_MSG" | tr -d '*')" \ From 0cfbfc21cfc1d3138088ec03dbb7d145aa0521ed Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Wed, 11 Sep 2024 19:15:43 +0000 Subject: [PATCH 06/26] Check for file before deletion --- system_files/shared/usr/libexec/sb-key-notify.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index 25fc48946e1..3354dc8d118 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -26,5 +26,5 @@ if [ $? -ne 1 ]; then echo "WARNING: $WARNING_MSG" > $TIP_PATH else - rm $TIP_PATH + [ -e $TIP_PATH ] && rm $TIP_PATH fi \ No newline at end of file From cfccc338c83378c7f07898167b2c9ea08f5723f1 Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Wed, 11 Sep 2024 19:59:11 +0000 Subject: [PATCH 07/26] Add ~ for newline sub --- system_files/shared/usr/libexec/sb-key-notify.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index 3354dc8d118..a84219b95c1 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh 
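Review bot: `[ -e $TIP_PATH ] && rm $TIP_PATH` is the last command executed in the else branch, so when the key is enrolled and no stale tip file exists the test fails and the script exits with status 1, and systemd marks sb-key-notify.service as failed on every healthy boot. `rm -f -- "$TIP_PATH"` removes the file only if it is present and returns 0 either way, which is the behaviour wanted here. The same construct survives as `[ -e $KEY_WARN_FILE ] && rm $KEY_WARN_FILE` in the final check-sb-key.sh hunk of PATCH 22.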
@@ -18,7 +18,7 @@ if [ $? -ne 1 ]; then "DISPLAY=:0" \ DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus \ notify-send "WARNING" \ - "$(echo "$WARNING_MSG" | tr -d '*')" \ + "$(echo "$WARNING_MSG" | tr -d '*~')" \ -i dialog-warning \ -u critical \ -a mokutil \ From 64f8a61d1edcae0deaef4f382efed9afe4be1bb5 Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Wed, 11 Sep 2024 20:01:43 +0000 Subject: [PATCH 08/26] Clean up notify command formatting --- system_files/shared/usr/libexec/sb-key-notify.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index a84219b95c1..229fe0e32fa 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -16,8 +16,9 @@ if [ $? -ne 1 ]; then /usr/bin/sudo -u \ "$USER_ID" \ "DISPLAY=:0" \ - DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus \ - notify-send "WARNING" \ + "DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus" \ + notify-send \ + "WARNING" \ "$(echo "$WARNING_MSG" | tr -d '*~')" \ -i dialog-warning \ -u critical \ From 6517ab35893fed33ace94318970c685079d6a4dc Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Wed, 11 Sep 2024 21:27:19 +0000 Subject: [PATCH 09/26] Remove fq paths to some bins --- system_files/shared/usr/libexec/sb-key-notify.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index 229fe0e32fa..5c16c2de998 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh 
@@ -11,10 +11,9 @@ TIP_PATH="/usr/share/ublue-os/motd/tips/key-warning.md" mokutil --test-key /etc/pki/akmods/certs/akmods-ublue.der if [ $? -ne 1 ]; then - USER_ID="$(/usr/bin/loginctl list-users --output=json | jq -r '.[] | .user')" - XDG_DIR="$(/usr/bin/loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-)" - /usr/bin/sudo -u \ - "$USER_ID" \ + USER_ID="$(loginctl list-users --output=json | jq -r '.[] | .user')" + XDG_DIR="$(loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-)" + sudo -u "$USER_ID" \ "DISPLAY=:0" \ "DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus" \ notify-send \ From 8c3985dcc51966ea1adfc143ee7f55bbabce7663 Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Wed, 11 Sep 2024 21:33:23 +0000 Subject: [PATCH 10/26] Add secure boot check --- system_files/shared/usr/libexec/sb-key-notify.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index 5c16c2de998..fbc051c2eb3 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -8,9 +8,12 @@ fi WARNING_MSG="This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot for instructions on how to enroll the keys." TIP_PATH="/usr/share/ublue-os/motd/tips/key-warning.md" +mokutil --sb-state | grep -q enabled +SB_ENABLED=$? + mokutil --test-key /etc/pki/akmods/certs/akmods-ublue.der -if [ $? -ne 1 ]; then +if [ $? -ne 1 ] && [ $SB_ENABLED -eq 0 ]; then USER_ID="$(loginctl list-users --output=json | jq -r '.[] | .user')" XDG_DIR="$(loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-)" sudo -u "$USER_ID" \ From 196aaa23e90fbf44c58fcca31df8b7e4a022301f Mon Sep 17 00:00:00 2001 
From: Jarred Wilson Date: Wed, 11 Sep 2024 22:02:00 +0000 Subject: [PATCH 11/26] Add back ~ in message --- system_files/shared/usr/libexec/sb-key-notify.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index fbc051c2eb3..e4a0f9f0df9 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -5,7 +5,7 @@ if [ "$(id -u)" -ne 0 ]; then exit 1 fi -WARNING_MSG="This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot for instructions on how to enroll the keys." +WARNING_MSG="This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot ~for instructions on how to enroll the keys." TIP_PATH="/usr/share/ublue-os/motd/tips/key-warning.md" mokutil --sb-state | grep -q enabled From 5b9374328d87fffc3afa5c2b3006b3f1a5e5503a Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Thu, 12 Sep 2024 11:43:18 +0000 Subject: [PATCH 12/26] Move motd warning outside of tips --- .../kinoite/usr/share/ublue-os/motd/bluefin.md | 2 ++ system_files/shared/usr/libexec/sb-key-notify.sh | 6 +++--- system_files/shared/usr/libexec/ublue-motd | 11 ++++++++++- .../silverblue/usr/share/ublue-os/motd/bluefin.md | 2 ++ 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md b/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md index 614bda9d241..6f3be15a4c2 100644 --- a/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md +++ b/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md 
@@ -15,3 +15,5 @@ Let's trace the stars. - 󰊤 [Issues](https://issues.projectbluefin.io) - 󰈙 [Documentation](http://docs.projectbluefin.io/) - 󰊌 [Discuss](https://community.projectbluefin.io/) + +%KEY_WARN% diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index e4a0f9f0df9..7f27603be4e 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -6,7 +6,7 @@ if [ "$(id -u)" -ne 0 ]; then fi WARNING_MSG="This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot ~for instructions on how to enroll the keys." -TIP_PATH="/usr/share/ublue-os/motd/tips/key-warning.md" +KEY_WARN_FILE="/usr/share/ublue-os/motd/key-warning.md" mokutil --sb-state | grep -q enabled SB_ENABLED=$? @@ -27,7 +27,7 @@ if [ $? -ne 1 ] && [ $SB_ENABLED -eq 0 ]; then -a mokutil \ --wait - echo "WARNING: $WARNING_MSG" > $TIP_PATH + echo "WARNING: $WARNING_MSG" > $KEY_WARN_FILE else - [ -e $TIP_PATH ] && rm $TIP_PATH + [ -e $KEY_WARN_FILE ] && rm $KEY_WARN_FILE fi \ No newline at end of file diff --git a/system_files/shared/usr/libexec/ublue-motd b/system_files/shared/usr/libexec/ublue-motd index 4c77fcf1f3c..c6e754ddfa9 100755 --- a/system_files/shared/usr/libexec/ublue-motd +++ b/system_files/shared/usr/libexec/ublue-motd 
@@ -24,5 +24,14 @@ if [[ -f "$TIP_FILE" ]]; then TIP_ESCAPED=$(escape "$TIP") - sed -e "s/%IMAGE_NAME%/$IMAGE_NAME_ESCAPED/g" -e "s/%IMAGE_TAG%/$IMAGE_TAG_ESCAPED/g" -e "s/%TIP%/$TIP_ESCAPED/g" /usr/share/ublue-os/motd/bluefin.md | tr '~' '\n' | /usr/bin/glow -s auto -w 78 - fi + +KEY_WARN_FILE="/usr/share/ublue-os/motd/key-warning.md" +if [ -e $KEY_WARN_FILE ]; then KEY_WARN="$(echo $KEY_WARN_FILE)" +KEY_WARN_ESCAPED=$(escape "$KEY_WARN") + +sed -e "s/%IMAGE_NAME%/$IMAGE_NAME_ESCAPED/g" \ + -e "s/%IMAGE_TAG%/$IMAGE_TAG_ESCAPED/g" \ + -e "s/%TIP%/$TIP_ESCAPED/g" \ + -e "s/%KEY_WARN%/$KEY_WARN_ESCAPED/g" \ + /usr/share/ublue-os/motd/bluefin.md | tr '~' '\n' | /usr/bin/glow -s auto -w 78 - diff --git a/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md b/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md index 015d17a4656..1fa56f6b37e 100644 --- a/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md +++ b/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md @@ -15,3 +15,5 @@ - 󰈙 [Documentation](http://docs.projectbluefin.io/) - 󰊌 [Discuss](https://community.projectbluefin.io/) - 󰊌 [Leave Feedback](https://feedback.projectbluefin.io) + +%KEY_WARN% From 391e55ee114813b7133a9973794450fa06e688b9 Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Thu, 12 Sep 2024 11:55:26 +0000 Subject: [PATCH 13/26] Fix motd script errors --- system_files/shared/usr/libexec/ublue-motd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system_files/shared/usr/libexec/ublue-motd b/system_files/shared/usr/libexec/ublue-motd index c6e754ddfa9..0157bc28507 100755 --- a/system_files/shared/usr/libexec/ublue-motd +++ b/system_files/shared/usr/libexec/ublue-motd 
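Review bot: `if [ -e $KEY_WARN_FILE ]; then KEY_WARN="$(echo $KEY_WARN_FILE)"` opens an `if` that is never closed, so ublue-motd stops with a syntax error, and even once closed `echo $KEY_WARN_FILE` substitutes the path rather than the file's contents; PATCH 13 reworks this line to use `cat`. The `-e "s/%KEY_WARN%/$KEY_WARN_ESCAPED/g"` substitution relies on `escape` (defined above this hunk) neutralising `/` and `&`, because the warning text carries a URL with slashes that would otherwise terminate the `s` command early; if `escape` only covers a subset, use a delimiter the text cannot contain. Moving the `sed | glow` pipeline out of the `if [[ -f "$TIP_FILE" ]]` block, which starts before this hunk, also means `TIP_ESCAPED` is expanded unset when no tip file exists; that is harmless without `set -u` but deserves a one-line comment.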
@@ -27,7 +27,7 @@ if [[ -f "$TIP_FILE" ]]; then fi KEY_WARN_FILE="/usr/share/ublue-os/motd/key-warning.md" -if [ -e $KEY_WARN_FILE ]; then KEY_WARN="$(echo $KEY_WARN_FILE)" +[ -e $KEY_WARN_FILE ] && KEY_WARN="$(cat $KEY_WARN_FILE)" KEY_WARN_ESCAPED=$(escape "$KEY_WARN") sed -e "s/%IMAGE_NAME%/$IMAGE_NAME_ESCAPED/g" \ From 8a4965281a9a2ea741dc2a611f146f64d5bcb5d8 Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Thu, 12 Sep 2024 11:56:06 +0000 Subject: [PATCH 14/26] Bold motd warning header --- system_files/shared/usr/libexec/sb-key-notify.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index 7f27603be4e..fe69d987cd6 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -27,7 +27,7 @@ if [ $? -ne 1 ] && [ $SB_ENABLED -eq 0 ]; then -a mokutil \ --wait - echo "WARNING: $WARNING_MSG" > $KEY_WARN_FILE + echo "**WARNING**: $WARNING_MSG" > $KEY_WARN_FILE else [ -e $KEY_WARN_FILE ] && rm $KEY_WARN_FILE fi \ No newline at end of file From aad5db42ab63b77809b58d0de1448fa71c46ee7c Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Thu, 12 Sep 2024 17:09:21 +0000 Subject: [PATCH 15/26] Fix double quoting on XDG var --- system_files/shared/usr/libexec/sb-key-notify.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index fe69d987cd6..c7caacb82a2 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh 
@@ -15,7 +15,7 @@ mokutil --test-key /etc/pki/akmods/certs/akmods-ublue.der if [ $? -ne 1 ] && [ $SB_ENABLED -eq 0 ]; then USER_ID="$(loginctl list-users --output=json | jq -r '.[] | .user')" - XDG_DIR="$(loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-)" + XDG_DIR=$(loginctl show-user "$USER_ID" | grep RuntimePath | cut -c 13-) sudo -u "$USER_ID" \ "DISPLAY=:0" \ "DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus" \ @@ -30,4 +30,4 @@ if [ $? -ne 1 ] && [ $SB_ENABLED -eq 0 ]; then echo "**WARNING**: $WARNING_MSG" > $KEY_WARN_FILE else [ -e $KEY_WARN_FILE ] && rm $KEY_WARN_FILE -fi \ No newline at end of file +fi From 9709836e13e8d80cff6b3adb13caffc0e99904ad Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Thu, 12 Sep 2024 20:37:58 +0000 Subject: [PATCH 16/26] check for loginctl changes --- system_files/shared/usr/libexec/sb-key-notify.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index c7caacb82a2..a2658dca372 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -14,7 +14,11 @@ SB_ENABLED=$? mokutil --test-key /etc/pki/akmods/certs/akmods-ublue.der if [ $? -ne 1 ] && [ $SB_ENABLED -eq 0 ]; then - USER_ID="$(loginctl list-users --output=json | jq -r '.[] | .user')" + loginctl --help | grep -q "json=MODE" + if [ $? -eq 0 ]; then + JSON_ARG="--json=short" + fi + USER_ID=$(loginctl list-users --output=json $JSON_ARG | jq -r '.[] | .user') XDG_DIR=$(loginctl show-user "$USER_ID" | grep RuntimePath | cut -c 13-) sudo -u "$USER_ID" \ "DISPLAY=:0" \ From b2f921c516741f3ee07f308b961def17508940e8 Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Thu, 12 Sep 2024 20:48:47 +0000 Subject: [PATCH 17/26] Fix linting --- system_files/shared/usr/libexec/sb-key-notify.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index a2658dca372..28e590ce93e 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -13,12 +13,11 @@ SB_ENABLED=$? mokutil --test-key /etc/pki/akmods/certs/akmods-ublue.der -if [ $? -ne 1 ] && [ $SB_ENABLED -eq 0 ]; then - loginctl --help | grep -q "json=MODE" - if [ $? -eq 0 ]; then +if [ $? -ne 1 ] && [ $SB_ENABLED -eq 0 ]; then + if loginctl --help | grep -q "json=MODE"; then JSON_ARG="--json=short" fi - USER_ID=$(loginctl list-users --output=json $JSON_ARG | jq -r '.[] | .user') + USER_ID=$(loginctl list-users --output=json "$JSON_ARG" | jq -r '.[] | .user') XDG_DIR=$(loginctl show-user "$USER_ID" | grep RuntimePath | cut -c 13-) sudo -u "$USER_ID" \ "DISPLAY=:0" \ From f8c31f2487d828c1e8d28f5f7b972921d33bd957 Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Fri, 13 Sep 2024 01:08:14 +0000 Subject: [PATCH 18/26] Rework script check syntax --- system_files/shared/usr/libexec/sb-key-notify.sh | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index 28e590ce93e..c69f4ef9fce 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh 
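Review bot: Quoting `"$JSON_ARG"` on the `loginctl list-users` line changes behaviour when `JSON_ARG` is unset: an empty string is now passed as a positional argument, which loginctl is likely to reject, so the lookup breaks on exactly the older systemd versions the `--help` probe is meant to handle. PATCH 21 works around this with `${JSON_ARG:+$JSON_ARG}`, but the ShellCheck-clean form is an array: `json_args=()`, `loginctl --help | grep -q "json=MODE" && json_args=(--json=short)`, then `loginctl list-users --output=json "${json_args[@]}"`. Detecting the option from `--help` text is itself brittle; checking `loginctl --version` or a trial invocation is more robust.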
@@ -7,13 +7,9 @@ fi WARNING_MSG="This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot ~for instructions on how to enroll the keys." KEY_WARN_FILE="/usr/share/ublue-os/motd/key-warning.md" +KEY_DER_FILE="/etc/pki/akmods/certs/akmods-ublue.der" -mokutil --sb-state | grep -q enabled -SB_ENABLED=$? - -mokutil --test-key /etc/pki/akmods/certs/akmods-ublue.der - -if [ $? -ne 1 ] && [ $SB_ENABLED -eq 0 ]; then +if mokutil --test-key "$KEY_DER_FILE" && mokutil --sb-state | grep -q enabled; then if loginctl --help | grep -q "json=MODE"; then JSON_ARG="--json=short" fi From 1cc616014aa88e3f277de56b51cd8856899d3c1c Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Fri, 13 Sep 2024 01:09:23 +0000 Subject: [PATCH 19/26] Update sb key warning file location --- system_files/shared/usr/libexec/sb-key-notify.sh | 2 +- system_files/shared/usr/libexec/ublue-motd | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index c69f4ef9fce..f970d4498f6 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -6,7 +6,7 @@ if [ "$(id -u)" -ne 0 ]; then fi WARNING_MSG="This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot ~for instructions on how to enroll the keys." -KEY_WARN_FILE="/usr/share/ublue-os/motd/key-warning.md" +KEY_WARN_FILE="/run/user-motd-sbkey-warn.md" KEY_DER_FILE="/etc/pki/akmods/certs/akmods-ublue.der" if mokutil --test-key "$KEY_DER_FILE" && mokutil --sb-state | grep -q enabled; then 
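Review bot: `if mokutil --test-key "$KEY_DER_FILE" && ...` now warns only on exit status 0 and routes every other status, including errors, into the `else` branch that deletes `$KEY_WARN_FILE`; the previous `[ $? -ne 1 ]` at least warned on anything that was not the one status it recognised. If mokutil exits non-zero when the DER file is unreadable or efivars are unavailable (as I would expect, but confirm), a broken check now silently clears the warning, which is the failure direction a Secure Boot guard should avoid. Capture the status, distinguish the documented outcomes from errors with a short `case`, and on anything unexpected log to stderr and leave the existing warning file untouched. The same applies to the split form of this condition in PATCH 20.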
diff --git a/system_files/shared/usr/libexec/ublue-motd b/system_files/shared/usr/libexec/ublue-motd index 0157bc28507..114258e486f 100755 --- a/system_files/shared/usr/libexec/ublue-motd +++ b/system_files/shared/usr/libexec/ublue-motd @@ -26,7 +26,7 @@ if [[ -f "$TIP_FILE" ]]; then fi -KEY_WARN_FILE="/usr/share/ublue-os/motd/key-warning.md" +KEY_WARN_FILE="/run/user-motd-sbkey-warn.md" [ -e $KEY_WARN_FILE ] && KEY_WARN="$(cat $KEY_WARN_FILE)" KEY_WARN_ESCAPED=$(escape "$KEY_WARN") From 880d75d34ef1d4e71cd2db1fe9b4f3842cd61936 Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Fri, 13 Sep 2024 01:14:24 +0000 Subject: [PATCH 20/26] Split up checking to check for sb enabled first --- system_files/shared/usr/libexec/sb-key-notify.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index f970d4498f6..e5ef6c1055e 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -9,7 +9,15 @@ WARNING_MSG="This machine has secure boot turned on, but you haven't enrolled Un KEY_WARN_FILE="/run/user-motd-sbkey-warn.md" KEY_DER_FILE="/etc/pki/akmods/certs/akmods-ublue.der" -if mokutil --test-key "$KEY_DER_FILE" && mokutil --sb-state | grep -q enabled; then +mokutil --sb-state | grep -q enabled +SB_ENABLED=$? + +if [ $SB_ENABLED -ne 0 ]; then + echo "Secure Boot disabled. Skipping..." + exit 0 +fi + +if mokutil --test-key "$KEY_DER_FILE"; then if loginctl --help | grep -q "json=MODE"; then JSON_ARG="--json=short" fi From edd7750787bbb4cc92240b7ad28728fe915e14c3 Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Fri, 13 Sep 2024 11:46:36 +0000 Subject: [PATCH 21/26] Fix json mode arg format --- system_files/shared/usr/libexec/sb-key-notify.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh index e5ef6c1055e..db21221f66a 100644 --- a/system_files/shared/usr/libexec/sb-key-notify.sh +++ b/system_files/shared/usr/libexec/sb-key-notify.sh @@ -21,7 +21,7 @@ if mokutil --test-key "$KEY_DER_FILE"; then if loginctl --help | grep -q "json=MODE"; then JSON_ARG="--json=short" fi - USER_ID=$(loginctl list-users --output=json "$JSON_ARG" | jq -r '.[] | .user') + USER_ID=$(loginctl list-users --output=json ${JSON_ARG:+$JSON_ARG} | jq -r '.[] | .user') XDG_DIR=$(loginctl show-user "$USER_ID" | grep RuntimePath | cut -c 13-) sudo -u "$USER_ID" \ "DISPLAY=:0" \ From 87ddcf2e700c2a062cbe5c9ff4bb09e5ac533d17 Mon Sep 17 00:00:00 2001 From: Jarred Wilson Date: Sun, 15 Sep 2024 19:08:51 +0000 Subject: [PATCH 22/26] Rework notification to not be sent from systemd service --- build_files/systemd.sh | 2 +- .../etc/profile.d/sb-key-notify-autostart.sh | 6 ++++++ .../skel/.config/autostart/sb-key-notify.desktop | 10 ++++++++++ system_files/shared/usr/bin/sb-key-notify | 9 +++++++++ ...b-key-notify.service => check-sb-key.service} | 6 +----- .../{sb-key-notify.sh => check-sb-key.sh} | 16 ---------------- 6 files changed, 27 insertions(+), 22 deletions(-) create mode 100644 system_files/shared/etc/profile.d/sb-key-notify-autostart.sh create mode 100644 system_files/shared/etc/skel/.config/autostart/sb-key-notify.desktop create mode 100644 system_files/shared/usr/bin/sb-key-notify rename system_files/shared/usr/lib/systemd/system/{sb-key-notify.service => check-sb-key.service} (62%) rename system_files/shared/usr/libexec/{sb-key-notify.sh => check-sb-key.sh} (59%) diff --git a/build_files/systemd.sh b/build_files/systemd.sh index 89e69fab324..9055c3abe6e 100755 --- a/build_files/systemd.sh +++ b/build_files/systemd.sh 
@@ -14,4 +14,4 @@ systemctl enable brew-upgrade.timer
 systemctl enable brew-update.timer
 systemctl --global enable ublue-user-setup.service
 systemctl --global enable podman-auto-update.timer
-systemctl enable sb-key-notify.service
+systemctl enable check-sb-key.service
diff --git a/system_files/shared/etc/profile.d/sb-key-notify-autostart.sh b/system_files/shared/etc/profile.d/sb-key-notify-autostart.sh
new file mode 100644
index 00000000000..776850fd83e
--- /dev/null
+++ b/system_files/shared/etc/profile.d/sb-key-notify-autostart.sh
@@ -0,0 +1,6 @@
+if test "$(id -u)" -gt "0" && test -d "$HOME"; then
+ if test ! -e "$HOME"/.config/autostart/sb-key-notify.desktop; then
+ mkdir -p "$HOME"/.config/autostart
+ cp -f /etc/skel/.config/autostart/sb-key-notify.desktop "$HOME"/.config/autostart
+ fi
+fi
\ No newline at end of file
diff --git a/system_files/shared/etc/skel/.config/autostart/sb-key-notify.desktop b/system_files/shared/etc/skel/.config/autostart/sb-key-notify.desktop
new file mode 100644
index 00000000000..0d93775498e
--- /dev/null
+++ b/system_files/shared/etc/skel/.config/autostart/sb-key-notify.desktop
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=Secure boot Notify
+Comment=Autostart secure boot key notification
+Exec=/usr/bin/sb-key-notify
+Icon=org.gnome.Terminal
+Type=Application
+Categories=Utility;System;
+Name[en_US]=secure-boot-notify
+
+
diff --git a/system_files/shared/usr/bin/sb-key-notify b/system_files/shared/usr/bin/sb-key-notify
new file mode 100644
index 00000000000..75eed6f3ae4
--- /dev/null
+++ b/system_files/shared/usr/bin/sb-key-notify
@@ -0,0 +1,9 @@
+KEY_WARN_FILE="/run/user-motd-sbkey-warn.md"
+
+if [ -e $KEY_WARN_FILE ]; then
+ WARNING_MSG=$(cat "$KEY_WARN_FILE")
+
+ notify-send "WARNING" "$(echo "$WARNING_MSG" | tr -d '*~')" -i dialog-warning -u critical -a mokutil --wait
+else
+ echo "No secure boot key warning file. Skipping...
+fi
\ No newline at end of file
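Review bot: The profile.d fragment re-copies the autostart entry on every login shell whenever `"$HOME"/.config/autostart/sb-key-notify.desktop` is absent, so a user who deletes the file to opt out gets it back at the next login (only a user copy edited to `Hidden=true`, the autostart-spec way of disabling an entry, survives), and the copy also runs for non-graphical logins such as ssh where the entry serves no purpose. A user-owned marker path checked alongside the desktop file would let the user decline permanently. Because `/etc/profile.d/*.sh` is sourced by the login shell, any error from `mkdir -p` or `cp -f` on a read-only or full home directory is printed into the user's login session; a `test -w "$HOME"` guard or `2>/dev/null` on those two commands keeps the login clean.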
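Review bot: `/usr/bin/sb-key-notify` has no shebang, so `Exec=/usr/bin/sb-key-notify` from the desktop entry only works through the launcher's ENOEXEC fallback to `/bin/sh`; add `#!/usr/bin/bash` (or `#!/bin/sh`, the body is POSIX) as the first line. `[ -e $KEY_WARN_FILE ]` should quote the variable the same way the `cat "$KEY_WARN_FILE"` below already does. The text shown to the user is read verbatim from a root-owned file in `/run`, which is fine as long as only the root service writes it; a short comment naming that writer (`# written by check-sb-key.service`) would document the trust boundary for the next reader.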
diff --git a/system_files/shared/usr/lib/systemd/system/sb-key-notify.service b/system_files/shared/usr/lib/systemd/system/check-sb-key.service
similarity index 62%
rename from system_files/shared/usr/lib/systemd/system/sb-key-notify.service
rename to system_files/shared/usr/lib/systemd/system/check-sb-key.service
index e84a5430a7c..58f164bd9e3 100644
--- a/system_files/shared/usr/lib/systemd/system/sb-key-notify.service
+++ b/system_files/shared/usr/lib/systemd/system/check-sb-key.service
@@ -2,11 +2,7 @@
 Description=Service to check for secure boot key enrollment and send notifications
 [Service]
-ExecStart=/usr/libexec/sb-key-notify.sh
+ExecStart=/usr/libexec/check-sb-key.sh
 [Install]
 WantedBy=multi-user.target
-
-[Timer]
-OnBootSec=1min
-OnUnitActiveSec=3h
\ No newline at end of file
diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/check-sb-key.sh
similarity index 59%
rename from system_files/shared/usr/libexec/sb-key-notify.sh
rename to system_files/shared/usr/libexec/check-sb-key.sh
index db21221f66a..e918fe177f8 100644
--- a/system_files/shared/usr/libexec/sb-key-notify.sh
+++ b/system_files/shared/usr/libexec/check-sb-key.sh
@@ -18,22 +18,6 @@ if [ $SB_ENABLED -ne 0 ]; then
 fi
 if mokutil --test-key "$KEY_DER_FILE"; then
- if loginctl --help | grep -q "json=MODE"; then
- JSON_ARG="--json=short"
- fi
- USER_ID=$(loginctl list-users --output=json ${JSON_ARG:+$JSON_ARG} | jq -r '.[] | .user')
- XDG_DIR=$(loginctl show-user "$USER_ID" | grep RuntimePath | cut -c 13-)
- sudo -u "$USER_ID" \
- "DISPLAY=:0" \
- "DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus" \
- notify-send \
- "WARNING" \
- "$(echo "$WARNING_MSG" | tr -d '*~')" \
- -i dialog-warning \
- -u critical \
- -a mokutil \
- --wait
-
 echo "**WARNING**: $WARNING_MSG" > $KEY_WARN_FILE
 else
 [ -e $KEY_WARN_FILE ] && rm $KEY_WARN_FILE
From bc88dc3902f600448b5778629fe18c15b97b80c4 Mon Sep 17 00:00:00 2001
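Review bot: With the `[Timer]` section gone and no `Type=` set, `check-sb-key.service` is a default `Type=simple` unit: systemd considers it started the moment `/usr/libexec/check-sb-key.sh` is forked, so nothing ordered `After=` it can rely on `/run/user-motd-sbkey-warn.md` being written yet, and the check now runs exactly once per boot. Adding `Type=oneshot` under `[Service]` states the intent and makes the unit's success/failure meaningful in `systemctl status`. If the periodic re-check that the old `[Timer]` keys were reaching for is still wanted, it needs a separate `check-sb-key.timer` unit; a `[Timer]` section inside a `.service` file is not honoured by systemd, so its removal here changes nothing at runtime.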
From: Jarred Wilson
Date: Sun, 15 Sep 2024 19:11:58 +0000
Subject: [PATCH 23/26] Update systemd service description
---
 system_files/shared/usr/lib/systemd/system/check-sb-key.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system_files/shared/usr/lib/systemd/system/check-sb-key.service b/system_files/shared/usr/lib/systemd/system/check-sb-key.service
index 58f164bd9e3..65bed2e5521 100644
--- a/system_files/shared/usr/lib/systemd/system/check-sb-key.service
+++ b/system_files/shared/usr/lib/systemd/system/check-sb-key.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=Service to check for secure boot key enrollment and send notifications
+Description=Service to check for secure boot key enrollment
 [Service]
 ExecStart=/usr/libexec/check-sb-key.sh
From 306bab30ea5229ffae1d11a74bf2417fc1dae704 Mon Sep 17 00:00:00 2001
From: Jarred Wilson
Date: Wed, 18 Sep 2024 12:54:39 +0000
Subject: [PATCH 24/26] Fix execute permissions
---
 system_files/shared/usr/bin/sb-key-notify | 0
 system_files/shared/usr/libexec/check-sb-key.sh | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 system_files/shared/usr/bin/sb-key-notify
 mode change 100644 => 100755 system_files/shared/usr/libexec/check-sb-key.sh
diff --git a/system_files/shared/usr/bin/sb-key-notify b/system_files/shared/usr/bin/sb-key-notify
old mode 100644
new mode 100755
diff --git a/system_files/shared/usr/libexec/check-sb-key.sh b/system_files/shared/usr/libexec/check-sb-key.sh
old mode 100644
new mode 100755
From dbc8a6581bb152061a6a887539ef0f98665e2258 Mon Sep 17 00:00:00 2001
From: Jarred Wilson
Date: Wed, 18 Sep 2024 13:13:10 +0000
Subject: [PATCH 25/26] Fix linting and update script perm
---
 system_files/shared/etc/profile.d/sb-key-notify-autostart.sh | 2 ++
 1 file changed, 2 insertions(+)
 mode change 100644 => 100755 system_files/shared/etc/profile.d/sb-key-notify-autostart.sh
diff --git a/system_files/shared/etc/profile.d/sb-key-notify-autostart.sh b/system_files/shared/etc/profile.d/sb-key-notify-autostart.sh
old mode 100644
new mode 100755
index 776850fd83e..767ff2289ce
--- a/system_files/shared/etc/profile.d/sb-key-notify-autostart.sh
+++ b/system_files/shared/etc/profile.d/sb-key-notify-autostart.sh
@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 if test "$(id -u)" -gt "0" && test -d "$HOME"; then
 if test ! -e "$HOME"/.config/autostart/sb-key-notify.desktop; then
 mkdir -p "$HOME"/.config/autostart
From 66103e67abba266bf45d6c867ff24941e8c894fb Mon Sep 17 00:00:00 2001
From: Jarred Wilson
Date: Wed, 25 Sep 2024 10:58:36 +0000
Subject: [PATCH 26/26] Squash: add missing quote closure
---
 system_files/shared/usr/bin/sb-key-notify | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/system_files/shared/usr/bin/sb-key-notify b/system_files/shared/usr/bin/sb-key-notify
index 75eed6f3ae4..dfe69bc2efa 100755
--- a/system_files/shared/usr/bin/sb-key-notify
+++ b/system_files/shared/usr/bin/sb-key-notify
@@ -5,5 +5,5 @@ if [ -e $KEY_WARN_FILE ]; then
 notify-send "WARNING" "$(echo "$WARNING_MSG" | tr -d '*~')" -i dialog-warning -u critical -a mokutil --wait
 else
- echo "No secure boot key warning file. Skipping...
+ echo "No secure boot key warning file. Skipping..."
 fi
\ No newline at end of file
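Review bot: `/etc/profile.d/*.sh` fragments are sourced by the login shell, not executed, so the added `#!/usr/bin/bash` line is inert and, together with the mode change to 100755, suggests the file is a standalone bash script that can use bashisms. A leading comment such as `# sourced by /etc/profile for every login shell; keep this POSIX sh` states the real contract, and the file can stay 0644. The body is already portable (`test`, `mkdir -p`, `cp -f`, no arrays or `[[`), which matters because other sh-compatible login shells may source the same directory.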