feat: Add notification for secure boot key check #1661
Conversation
jardon
force-pushed
the
key-dbus-notify
branch
11 times, most recently
from
4f3bbac
to
e826c08
Compare
dosubot
bot
added
size:S
jardon
force-pushed
the
key-dbus-notify
branch
from
e826c08
to
b1b9d18
Compare
- Add script to check for sb enabled and key registration - Add script for notification - Add systemd service to run script and notify
jardon
force-pushed
the
key-dbus-notify
branch
from
b1b9d18
to
62e779b
Compare
|
@jardon a comment I make to most contributors... once you start getting feedback on PRs, please don't force push. Doing so erases history of comments and their relevance which makes it harder to track the history of change. We squash merge most/all PRs in the ublue-os repos, so cleaning up commits is not a concern. Thanks! |
dosubot
bot
added
size:M
|
Ok we good on this one? Last call! |
i'm actively testing, but i don't think this service works as expected. |
| fi | ||
| USER_ID=$(loginctl list-users --output=json ${JSON_ARG:+$JSON_ARG} | jq -r '.[] | .user') | ||
| XDG_DIR=$(loginctl show-user "$USER_ID" | grep RuntimePath | cut -c 13-) | ||
| sudo -u "$USER_ID" \ |
There was a problem hiding this comment.
This sudo notify-send doesn't work when run from a root systemd service as setup here.
You can test this in a VM by writing the script to /usr/local/sbin/sb-key-notify.sh and the service to /etc/systemd/system/sb-key-notify.service and make sure you change the path for the script in the service file..
Then, systemctl daemon-reload and systemctl enable sb-key-notify ... reboot and/or simply systemctl start sb-key-notify... nothing happens.
I haven't dug deep into why this fails, but there's a more direct approach which is more what I meant to suggest when I suggested a service.
What I'd do is keep all the testing for if secure boot is enabled and if the key is enrolled or not in a script like this... but the script would be sbkey-missing-check.sh or something... and if the conditions warrant a notification, write a file to /run/sbkey-missing-notify.
Then we need this notify-send command NOT with the sudo, to run as the user, and that should get setup with a profile.d/skel combo of script and .desktop file, similar to how we do for the bluefin-firstboot feature.
There was a problem hiding this comment.
I'm curious why it doesnt work for you. I've tested it in my environment and it works great. Could you check the output of the service?
I had things more split up beforehand. I'm open to seeing what that looks like to implement it using a desktop file, but I'm a little puzzled how we got here.
There was a problem hiding this comment.
more specificially:
bash -x /path/to/scriptThere was a problem hiding this comment.
I'm curious why it doesnt work for you. I've tested it in my environment and it works great. Could you check the output of the service?
I set this up again on Bluefin:GTS (like i referenced in my comment on the Timer section). My sb-key-notify.service is installed in /etc and the sb-key-notify.sh is in /usr/local/sbin
I did see the notification popup when running systemctl start sb-key-notify on this setup, however... upon a reboot.
This is the output from the service:
journalctl --boot -u sb-key-notify
Sep 15 13:07:53 fedora systemd[1]: Started sb-key-notify.service - Service to check for secure boot key enrollment and send notifications.
Sep 15 13:07:53 fedora sb-key-notify.sh[2952]: /etc/pki/akmods/certs/akmods-ublue.der is not enrolled
Sep 15 13:07:53 fedora loginctl[3023]: Failed to look up user : No such process
Sep 15 13:07:53 fedora sb-key-notify.sh[3051]: usage: sudo -h | -K | -k | -V
Sep 15 13:07:53 fedora sb-key-notify.sh[3051]: usage: sudo -v [-ABkNnS] [-g group] [-h host] [-p prompt] [-u user]
Sep 15 13:07:53 fedora sb-key-notify.sh[3051]: usage: sudo -l [-ABkNnS] [-g group] [-h host] [-p prompt] [-U user]
Sep 15 13:07:53 fedora sb-key-notify.sh[3051]: [-u user] [command [arg ...]]
Sep 15 13:07:53 fedora sb-key-notify.sh[3051]: usage: sudo [-ABbEHkNnPS] [-r role] [-t type] [-C num] [-D directory]
Sep 15 13:07:53 fedora sb-key-notify.sh[3051]: [-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
Sep 15 13:07:53 fedora sb-key-notify.sh[3051]: [-u user] [VAR=value] [-i | -s] [command [arg ...]]
Sep 15 13:07:53 fedora sb-key-notify.sh[3051]: usage: sudo -e [-ABkNnS] [-r role] [-t type] [-C num] [-D directory]
Sep 15 13:07:53 fedora sb-key-notify.sh[3051]: [-g group] [-h host] [-p prompt] [-R directory] [-T timeout]
Sep 15 13:07:53 fedora sb-key-notify.sh[3051]: [-u user] file ...
Sep 15 13:07:53 fedora systemd[1]: sb-key-notify.service: Deactivated successfully.
Edit: for the record, i get the same behavior when testing on bluefin:stable (Fedora 40)
There was a problem hiding this comment.
more context:
❯ systemctl cat sb-key-notify.service
# /etc/systemd/system/sb-key-notify.service
[Unit]
Description=Service to check for secure boot key enrollment and send notifications
[Service]
ExecStart=/usr/local/sbin/sb-key-notify.sh
[Install]
WantedBy=multi-user.target
[Timer]
OnBootSec=1min
OnUnitActiveSec=3h
# /usr/lib/systemd/system/service.d/10-timeout-abort.conf
# This file is part of the systemd package.
# See https://fedoraproject.org/wiki/Changes/Shorter_Shutdown_Timer.
#
# To facilitate debugging when a service fails to stop cleanly,
# TimeoutStopFailureMode=abort is set to "crash" services that fail to stop in
# the time allotted. This will cause the service to be terminated with SIGABRT
# and a coredump to be generated.
#
# To undo this configuration change, create a mask file:
# sudo mkdir -p /etc/systemd/system/service.d
# sudo ln -sv /dev/null /etc/systemd/system/service.d/10-timeout-abort.conf
[Service]
TimeoutStopFailureMode=abort
There was a problem hiding this comment.
can you post the output of
bash -x /usr/local/sbin/sb-key-notify.sh, please?
I can, and I will, but I've told you your script works, I do get a notification if running systemctl start sb-key-notify while already logged in.
The problem is notification from the script upon a boot. I'm not sure if you missed where i showed journal output with the failure.
There was a problem hiding this comment.
root in ~
❯ bash -x /usr/local/sbin/sb-key-notify.sh
++ id -u
+ '[' 0 -ne 0 ']'
+ WARNING_MSG='This machine has secure boot turned on, but you haven'\''t enrolled Universal Blue'\''s keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot ~for instructions on how to enroll the keys.'
+ KEY_WARN_FILE=/run/user-motd-sbkey-warn.md
+ KEY_DER_FILE=/etc/pki/akmods/certs/akmods-ublue.der
+ mokutil --sb-state
+ grep -q enabled
+ SB_ENABLED=0
+ '[' 0 -ne 0 ']'
+ mokutil --test-key /etc/pki/akmods/certs/akmods-ublue.der
/etc/pki/akmods/certs/akmods-ublue.der is not enrolled
+ loginctl --help
+ grep -q json=MODE
++ loginctl list-users --output=json
++ jq -r '.[] | .user'
+ USER_ID=bsherman
++ loginctl show-user bsherman
++ grep RuntimePath
++ cut -c 13-
+ XDG_DIR=/run/user/1000
++ echo 'This machine has secure boot turned on, but you haven'\''t enrolled Universal Blue'\''s keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot ~for instructions on how to enroll the keys.'
++ tr -d '*~'
+ sudo -u bsherman DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus notify-send WARNING 'This machine has secure boot turned on, but you haven'\''t enrolled Universal Blue'\''s keys. Failing to enroll these before rebooting may cause your system to fail to boot. Follow this link https://docs.projectbluefin.io/introduction#secure-boot for instructions on how to enroll the keys.' -i dialog-warning -u critical -a mokutil --wait
+ echo '**WARNING**: This machine has secure boot turned on, but you haven'\''t enrolled Universal Blue'\''s keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot ~for instructions on how to enroll the keys.'
There was a problem hiding this comment.
oh i misunderstood. ya so on boot, there is no user logged in so loginctl doesn't list a user to pass to the sudo command. ill look into another solution then
There was a problem hiding this comment.
oh i misunderstood. ya so on boot, there is no user logged in so loginctl doesn't list a user to pass to the sudo command. ill look into another solution then
yes, sorry it wasn't more clear.
There was a problem hiding this comment.
oh i misunderstood. ya so on boot, there is no user logged in so loginctl doesn't list a user to pass to the sudo command. ill look into another solution then
This is why I proposed writing a state file from the service, and then having the user's login process (eg, autostart .desktop file) look for that file and run the notification. Then it would work for ANY user who logs in.
system_files/shared/usr/lib/systemd/system/sb-key-notify.service
Outdated
Show resolved
Hide resolved
|
If anyone wants to test this in a secure boot enabled environment, rebase onto |
Thank you for sticking with this PR! But also, thanks for going the extra mile and giving us a rebasable image for testing; that's excellent! |
Closes #1651