feat: Install secure boot/akmod key on all images (#88)

ublue-os · Jan 11, 2024 · 40925bb · 40925bb
1 parent 066c98f
commit 40925bb
Show file tree

Hide file tree

Showing 7 changed files with 6 additions and 6 deletions.
diff --git a/installer/kickstart/enroll-secureboot-key.sh b/installer/kickstart/enroll-secureboot-key.sh
@@ -15,4 +15,4 @@ if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
     exit 1
 fi
 
-echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" ||:
+echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" --timeout -1 ||:
diff --git a/installer/kickstart/post-install-nvidia.sh → installer/kickstart/post-install.sh b/installer/kickstart/post-install-nvidia.sh → installer/kickstart/post-install.sh
@@ -4,5 +4,4 @@ set -oue pipefail
 
 source /run/install/repo/kickstart/ublue-os-env-vars
 
-/run/install/repo/kickstart/enroll-secureboot-key.sh "${SECUREBOOT_KEY_OLD}" "${ENROLLMENT_PASSWORD}"
 /run/install/repo/kickstart/enroll-secureboot-key.sh "${SECUREBOOT_KEY}" "${ENROLLMENT_PASSWORD}"
diff --git a/installer/kickstart/ublue-os-deck.ks b/installer/kickstart/ublue-os-deck.ks
@@ -4,7 +4,8 @@
 
 %include /tmp/ks-urls.txt
 
-bootloader --append="amd_pstate=active amd_iommu=off amdgpu.gttsize=8128 spi_amd.speed_dev=1 initcall_blacklist=simpledrm_platform_driver_init rd.luks.options=discard"
+bootloader --append="amd_iommu=off amdgpu.gttsize=8128 spi_amd.speed_dev=1 rd.luks.options=discard"
 
 %post --logfile=/root/ks-post.log --erroronfail --nochroot
+%ksappend /run/install/repo/kickstart/post-install.sh
 %end
diff --git a/installer/kickstart/ublue-os-env-vars b/installer/kickstart/ublue-os-env-vars
@@ -1,4 +1,3 @@
-SECUREBOOT_KEY_OLD="/run/install/repo/ublue-os-nvidia-public-key.der"
 SECUREBOOT_KEY="/run/install/repo/ublue-os-akmods-public-key.der"
 # Not a secure password, but needed for scripted key enrollment
 ENROLLMENT_PASSWORD="ublue-os"
diff --git a/installer/kickstart/ublue-os-nvidia.ks b/installer/kickstart/ublue-os-nvidia.ks
@@ -7,5 +7,5 @@
 bootloader --append="rd.driver.blacklist=nouveau modprobe.blacklist=nouveau nvidia-drm.modeset=1 rd.luks.options=discard"
 
 %post --logfile=/root/ks-post.log --erroronfail --nochroot
-%ksappend /run/install/repo/kickstart/post-install-nvidia.sh
+%ksappend /run/install/repo/kickstart/post-install.sh
 %end
diff --git a/installer/kickstart/ublue-os.ks b/installer/kickstart/ublue-os.ks
@@ -6,5 +6,6 @@
 
 bootloader --append="rd.luks.options=discard"
 
-%post --logfile=/root/ks-post.log --erroronfail
+%post --logfile=/root/ks-post.log --erroronfail --nochroot
+%ksappend /run/install/repo/kickstart/post-install.sh
 %end
diff --git a/installer/securebootkeys/ublue-os-nvidia-public-key.der b/installer/securebootkeys/ublue-os-nvidia-public-key.der
-Original file line number
+Diff line change
@@ Expand Up / @@ -15,4 +15,4 @@ if [[ ! -f "${SECUREBOOT_KEY}" ]]; then @@
         exit 1
     fi
-    echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" ||:
+    echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" --timeout -1 ||:
Original file line number	Diff line number	Diff line change
Expand Up		@@ -4,5 +4,4 @@ set -oue pipefail

		source /run/install/repo/kickstart/ublue-os-env-vars

		/run/install/repo/kickstart/enroll-secureboot-key.sh "${SECUREBOOT_KEY_OLD}" "${ENROLLMENT_PASSWORD}"
		/run/install/repo/kickstart/enroll-secureboot-key.sh "${SECUREBOOT_KEY}" "${ENROLLMENT_PASSWORD}"