
Add an motd warning when ublue's keys are not enrolled #1651

Closed
castrojo opened this issue Sep 5, 2024 · 4 comments · Fixed by #1661
Labels
enhancement New feature or request

Comments

@castrojo
Member

castrojo commented Sep 5, 2024

We need to run this for a while in the MOTD and do a corresponding announcement on the forums. Let's block bringing fsync to stable. It'd help avoid situations like this: #1636

WARNING: This machine has secure boot turned on but you haven't enrolled Universal Blue's keys, follow <link>
@jardon
Contributor

jardon commented Sep 7, 2024

So there would need to be a script that does the following pseudocode:

    if secure_boot_enabled && key_not_imported; then   # both checks are placeholders
        echo "WARNING: ..."                             # output message to terminal
        touch "$flag_file"                              # write file
    fi

I'm new here so I don't know all the constraints with the ublue stack, but I'm assuming writing to /etc/motd or /etc/motd.d/ is not possible. If not, maybe there's a solution with editing the user's .bashrc

I'm just spitballin'

@KyleGospo
Member

KyleGospo commented Sep 8, 2024

@jardon For development you can do sudo rpm-ostree usroverlay so you can edit your local file.

There's an existing check for the image being out of date that throws a "check engine light", that can be found here:
https://github.com/ublue-os/bluefin/blob/main/system_files/shared/usr/libexec/ublue-motd#L22

I would add another check like this and make the existing one an elif, use mokutil --list-enrolled to test for the key.

jardon added a commit to jardon/bluefin that referenced this issue Sep 8, 2024
- Add logic to check for SB enrollment and keys
- Update motd template
jardon added a commit to jardon/bluefin that referenced this issue Sep 9, 2024
- Add logic to check for SB enrollment and keys
- Update motd template
@hanthor

hanthor commented Oct 25, 2024

The script's "good" state is reported to systemd as a failure:

systemctl status check-sb-key.service 
× check-sb-key.service - Service to check for secure boot key enrollment
     Loaded: loaded (/usr/lib/systemd/system/check-sb-key.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Fri 2024-10-25 16:56:40 IST; 4h 57min ago
   Duration: 87ms
 Invocation: 7f68ae1f16c44fc9868af9e9e32ebe92
    Process: 1594 ExecStart=/usr/libexec/check-sb-key.sh (code=exited, status=1/FAILURE)
   Main PID: 1594 (code=exited, status=1/FAILURE)
   Mem peak: 2.1M
        CPU: 14ms

Oct 25 16:56:40  systemd[1]: Started check-sb-key.service - Service to check for secure boot key enrollment.
Oct 25 16:56:40  check-sb-key.sh[1617]: /etc/pki/akmods/certs/akmods-ublue.der is already enrolled
Oct 25 16:56:40  systemd[1]: check-sb-key.service: Main process exited, code=exited, status=1/FAILURE
Oct 25 16:56:40  systemd[1]: check-sb-key.service: Failed with result 'exit-code'.

@breml

breml commented Dec 24, 2024

@castrojo I also see the script's "good" state being reported as a systemd failure. I think this is a bug in the script.
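As an added example, not Bluefin's own ublue-motd or check-sb-key.sh: a shell script that does the check KyleGospo describes (Secure Boot on, key not enrolled) and returns 0 in the "good" state, which is the defect hanthor's unit status and breml's comment point at. Assumptions: it queries mokutil --sb-state and mokutil --test-key instead of --list-enrolled (the "is already enrolled" line in the systemd log above is --test-key output); the flag-file path /run/ublue-sb-key-missing and the MOKUTIL_SB_STATE / MOKUTIL_TEST_KEY override variables are invented here so the logic can be exercised offline with constructed output; the certificate path is the one shown in the log.

```shell
#!/usr/bin/env bash
# Added example (not the project's script): report "Secure Boot on but the
# Universal Blue MOK is not enrolled" and exit 0 whenever the check completes,
# so systemd does not record the healthy case as a failure.
set -u

# Certificate whose enrollment is checked (path taken from the systemd log in
# this thread); override CERT to test against another file.
CERT="${CERT:-/etc/pki/akmods/certs/akmods-ublue.der}"
# Flag file the MOTD can look for (assumed location).
FLAG="${FLAG:-/run/ublue-sb-key-missing}"

# secure_boot_enabled: returns 0 when Secure Boot is on. Reads the output of
# `mokutil --sb-state`; MOKUTIL_SB_STATE (assumed variable) supplies that text
# directly for offline testing.
secure_boot_enabled() {
    local state
    if [ -n "${MOKUTIL_SB_STATE:-}" ]; then
        state="$MOKUTIL_SB_STATE"
    elif command -v mokutil >/dev/null 2>&1; then
        state="$(mokutil --sb-state 2>/dev/null)"
    else
        return 1   # no mokutil: treat as not enabled rather than failing the unit
    fi
    case "$state" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# key_enrolled CERT: returns 0 when CERT is in the MOK list. Parses the text of
# `mokutil --test-key CERT` ("<cert> is already enrolled" / "<cert> is not
# enrolled") instead of relying on its exit code; MOKUTIL_TEST_KEY (assumed
# variable) supplies that text for offline testing.
key_enrolled() {
    local out
    if [ -n "${MOKUTIL_TEST_KEY:-}" ]; then
        out="$MOKUTIL_TEST_KEY"
    elif command -v mokutil >/dev/null 2>&1; then
        out="$(mokutil --test-key "$1" 2>/dev/null)"
    else
        return 1
    fi
    case "$out" in
        *"is already enrolled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# sb_key_state: prints exactly one of "sb-off", "enrolled", "missing".
sb_key_state() {
    if ! secure_boot_enabled; then
        echo "sb-off"
    elif key_enrolled "$CERT"; then
        echo "enrolled"
    else
        echo "missing"
    fi
}

# check_sb_key: only the "missing" state prints the warning and writes FLAG;
# the other states remove a stale FLAG. Every completed check returns 0, so
# the "enrolled" state is no longer reported to systemd as status=1/FAILURE.
check_sb_key() {
    local state
    state="$(sb_key_state)"
    if [ "$state" = "missing" ]; then
        echo "WARNING: This machine has secure boot turned on but you haven't enrolled Universal Blue's keys, follow <link>"
        : > "$FLAG"
    else
        rm -f "$FLAG"
    fi
    return 0
}

# Entry point: run the check unless the file is being sourced for its
# functions (set SB_KEY_NO_MAIN=1 in that case).
[ -n "${SB_KEY_NO_MAIN:-}" ] || check_sb_key
```

Installed as the unit's ExecStart, the service then shows "status=0/SUCCESS" when the key is already enrolled, and the MOTD only needs to test for the flag file. Parsing mokutil's text rather than its exit status keeps the "enrolled" and "not enrolled" outcomes explicit and leaves a missing mokutil binary as a non-failing "sb-off" result.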

5 participants