feat(virtualization): enable TPM2 emulation for Secure Boot VMs

2026-04-02 04:37:28 +02:00
parent 2055863673
commit b31a5a2580
3 changed files with 21 additions and 24 deletions
--- a/roles/configuration/tasks/secure_boot/shim.yml
+++ b/roles/configuration/tasks/secure_boot/shim.yml
@@ -20,28 +20,11 @@
        - _shim_find_result.stdout | default('') | length > 0
        - _configuration_platform.grub_install | bool
      ansible.builtin.command: >-
-        cp {{ _shim_find_result.stdout_lines | first }}
+        cp /mnt{{ _shim_find_result.stdout_lines | first }}
        /mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi
      register: _shim_copy_result
      changed_when: _shim_copy_result.rc == 0

-    - name: Enroll Secure Boot keys via efi-updatevar
-      when: system_cfg.type == 'virtual'
-      block:
-        - name: Check if efi-updatevar is available
-          ansible.builtin.command: which efi-updatevar
-          register: _efi_updatevar_check
-          changed_when: false
-          failed_when: false
-
-        - name: Enroll default UEFI Secure Boot keys
-          when: _efi_updatevar_check.rc == 0
-          ansible.builtin.command: >-
-            {{ chroot_command }} sbctl enroll-keys --microsoft
-          register: _sb_enroll_result
-          changed_when: _sb_enroll_result.rc == 0
-          failed_when: false
-
    - name: Verify shim is present
      ansible.builtin.stat:
        path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
@@ -51,7 +34,7 @@
      ansible.builtin.debug:
        msg: >-
          Secure Boot (shim): {{
-            'shimx64.efi installed'
+            'shimx64.efi installed at ' ~ partitioning_efi_mountpoint ~ '/EFI/' ~ _efi_vendor
            if (_shim_stat.stat.exists | default(false))
            else 'shimx64.efi not found, shim package may handle placement on first boot'
          }}