feat(virtualization): enable TPM2 emulation for Secure Boot VMs

2026-04-02 04:37:28 +02:00
parent 2055863673
commit b31a5a2580
3 changed files with 21 additions and 24 deletions
--- a/roles/configuration/tasks/bootloader.yml
+++ b/roles/configuration/tasks/bootloader.yml
@@ -103,3 +103,17 @@
      ansible.builtin.command: "{{ chroot_command }} /usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg"
      register: configuration_grub_result
      changed_when: configuration_grub_result.rc == 0
+
+    - name: Rebuild GRUB as standalone EFI for Secure Boot
+      when:
+        - system_cfg.features.secure_boot.enabled | default(false) | bool
+        - os == 'archlinux'
+      ansible.builtin.command: >-
+        {{ chroot_command }} grub-mkstandalone
+        -d /usr/lib/grub/x86_64-efi
+        -O x86_64-efi
+        --disable-shim-lock
+        -o {{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/grubx64.efi
+        boot/grub/grub.cfg=/boot/grub/grub.cfg
+      register: _grub_standalone_result
+      changed_when: _grub_standalone_result.rc == 0
--- a/roles/configuration/tasks/secure_boot/shim.yml
+++ b/roles/configuration/tasks/secure_boot/shim.yml
@@ -20,28 +20,11 @@
        - _shim_find_result.stdout | default('') | length > 0
        - _configuration_platform.grub_install | bool
      ansible.builtin.command: >-
-        cp {{ _shim_find_result.stdout_lines | first }}
+        cp /mnt{{ _shim_find_result.stdout_lines | first }}
        /mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi
      register: _shim_copy_result
      changed_when: _shim_copy_result.rc == 0

-    - name: Enroll Secure Boot keys via efi-updatevar
-      when: system_cfg.type == 'virtual'
-      block:
-        - name: Check if efi-updatevar is available
-          ansible.builtin.command: which efi-updatevar
-          register: _efi_updatevar_check
-          changed_when: false
-          failed_when: false
-
-        - name: Enroll default UEFI Secure Boot keys
-          when: _efi_updatevar_check.rc == 0
-          ansible.builtin.command: >-
-            {{ chroot_command }} sbctl enroll-keys --microsoft
-          register: _sb_enroll_result
-          changed_when: _sb_enroll_result.rc == 0
-          failed_when: false
-
    - name: Verify shim is present
      ansible.builtin.stat:
        path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
@@ -51,7 +34,7 @@
      ansible.builtin.debug:
        msg: >-
          Secure Boot (shim): {{
-            'shimx64.efi installed'
+            'shimx64.efi installed at ' ~ partitioning_efi_mountpoint ~ '/EFI/' ~ _efi_vendor
            if (_shim_stat.stat.exists | default(false))
            else 'shimx64.efi not found, shim package may handle placement on first boot'
          }}
--- a/roles/virtualization/defaults/main.yml
+++ b/roles/virtualization/defaults/main.yml
@@ -22,10 +22,10 @@ virtualization_libvirt_ovmf_vars: /usr/share/edk2/x64/OVMF_VARS.4m.fd

 virtualization_tpm2_enabled: >-
  {{
-    (system_cfg.luks.enabled | bool)
-    and (system_cfg.luks.auto | bool)
-    and (
-      (system_cfg.luks.method | lower)
-      == 'tpm2'
+    (
+      (system_cfg.luks.enabled | bool)
+      and (system_cfg.luks.auto | bool)
+      and (system_cfg.luks.method | lower == 'tpm2')
    )
+    or (system_cfg.features.secure_boot.enabled | default(false) | bool)
  }}