ublue-os · jardon · Sep 9, 2024 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024
@@ -14,3 +14,4 @@ systemctl enable brew-upgrade.timer
 systemctl enable brew-update.timer
 systemctl --global enable ublue-user-setup.service
 systemctl --global enable podman-auto-update.timer
+systemctl enable sb-key-notify.service
@@ -15,3 +15,5 @@ Let's trace the stars.
 - 󰊤 [Issues](https://issues.projectbluefin.io)
 - 󰈙 [Documentation](http://docs.projectbluefin.io/)
 - 󰊌 [Discuss](https://community.projectbluefin.io/)
+
+%KEY_WARN%
diff --git a/system_files/shared/usr/lib/systemd/system/sb-key-notify.service b/system_files/shared/usr/lib/systemd/system/sb-key-notify.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Service to check for secure boot key enrollment and send notifications
+
+[Service]
+ExecStart=/usr/libexec/sb-key-notify.sh
+
+[Install]
+WantedBy=multi-user.target
+
+[Timer]
+OnBootSec=1min
+OnUnitActiveSec=3h
diff --git a/system_files/shared/usr/libexec/sb-key-notify.sh b/system_files/shared/usr/libexec/sb-key-notify.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+if [ "$(id -u)" -ne 0 ]; then
+  echo "This script must be run as root." >&2
+  exit 1
+fi
+
+WARNING_MSG="This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this link https://docs.projectbluefin.io/introduction#secure-boot ~for instructions on how to enroll the keys."
+KEY_WARN_FILE="/run/user-motd-sbkey-warn.md"
+KEY_DER_FILE="/etc/pki/akmods/certs/akmods-ublue.der"
+
+mokutil --sb-state | grep -q enabled
+SB_ENABLED=$?
+
+if [ $SB_ENABLED -ne 0 ]; then
+    echo "Secure Boot disabled. Skipping..."
+    exit 0
+fi
+
+if mokutil --test-key "$KEY_DER_FILE"; then 
+    if loginctl --help | grep -q "json=MODE"; then
+        JSON_ARG="--json=short"
+    fi
+    USER_ID=$(loginctl list-users --output=json ${JSON_ARG:+$JSON_ARG} | jq -r '.[] | .user')
+    XDG_DIR=$(loginctl show-user "$USER_ID" | grep RuntimePath | cut -c 13-)
+    sudo -u "$USER_ID" \
+        "DISPLAY=:0" \
+        "DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus" \
+        notify-send \
+        "WARNING" \
+        "$(echo "$WARNING_MSG" | tr -d '*~')" \
+        -i dialog-warning \
+        -u critical \
+        -a mokutil \
+        --wait
+
+    echo "**WARNING**: $WARNING_MSG" > $KEY_WARN_FILE
+else
+    [ -e $KEY_WARN_FILE ] && rm $KEY_WARN_FILE
+fi
@@ -24,5 +24,14 @@ if [[ -f "$TIP_FILE" ]]; then
 
 	TIP_ESCAPED=$(escape "$TIP")
 
-	sed -e "s/%IMAGE_NAME%/$IMAGE_NAME_ESCAPED/g" -e "s/%IMAGE_TAG%/$IMAGE_TAG_ESCAPED/g" -e "s/%TIP%/$TIP_ESCAPED/g" /usr/share/ublue-os/motd/bluefin.md | tr '~' '\n' | /usr/bin/glow -s auto -w 78 -
 fi
+
+KEY_WARN_FILE="/run/user-motd-sbkey-warn.md"
+[ -e $KEY_WARN_FILE ] && KEY_WARN="$(cat $KEY_WARN_FILE)"
+KEY_WARN_ESCAPED=$(escape "$KEY_WARN")
+
+sed -e "s/%IMAGE_NAME%/$IMAGE_NAME_ESCAPED/g" \
+	-e "s/%IMAGE_TAG%/$IMAGE_TAG_ESCAPED/g" \
+	-e "s/%TIP%/$TIP_ESCAPED/g" \
+	-e "s/%KEY_WARN%/$KEY_WARN_ESCAPED/g" \
+	/usr/share/ublue-os/motd/bluefin.md | tr '~' '\n' | /usr/bin/glow -s auto -w 78 -
@@ -15,3 +15,5 @@
 - 󰈙 [Documentation](http://docs.projectbluefin.io/)
 - 󰊌 [Discuss](https://community.projectbluefin.io/)
 - 󰊌 [Leave Feedback](https://feedback.projectbluefin.io)
+
+%KEY_WARN%