sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(virtualization): enable TPM2 emulation for Secure Boot VMs

Browse Source
This commit is contained in:
sandwich
2026-04-02 04:37:28 +02:00
committed by MORAWSKI Norbert
parent 2055863673
commit b31a5a2580
3 changed files with 21 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
roles/configuration/tasks/bootloader.yml
View File

@@ -103,3 +103,17 @@
ansible.builtin.command: "{{ chroot_command }} /usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg" ansible.builtin.command: "{{ chroot_command }} /usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg"
register: configuration_grub_result register: configuration_grub_result
changed_when: configuration_grub_result.rc == 0 changed_when: configuration_grub_result.rc == 0
- name: Rebuild GRUB as standalone EFI for Secure Boot
when:
- system_cfg.features.secure_boot.enabled | default(false) | bool
- os == 'archlinux'
ansible.builtin.command: >-
{{ chroot_command }} grub-mkstandalone
-d /usr/lib/grub/x86_64-efi
-O x86_64-efi
--disable-shim-lock
-o {{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/grubx64.efi
boot/grub/grub.cfg=/boot/grub/grub.cfg
register: _grub_standalone_result
changed_when: _grub_standalone_result.rc == 0

21
roles/configuration/tasks/secure_boot/shim.yml
View File

@@ -20,28 +20,11 @@
- _shim_find_result.stdout | default('') | length > 0 - _shim_find_result.stdout | default('') | length > 0
- _configuration_platform.grub_install | bool - _configuration_platform.grub_install | bool
ansible.builtin.command: >- ansible.builtin.command: >-
cp {{ _shim_find_result.stdout_lines | first }} cp /mnt{{ _shim_find_result.stdout_lines | first }}
/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi /mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi
register: _shim_copy_result register: _shim_copy_result
changed_when: _shim_copy_result.rc == 0 changed_when: _shim_copy_result.rc == 0
- name: Enroll Secure Boot keys via efi-updatevar
when: system_cfg.type == 'virtual'
block:
- name: Check if efi-updatevar is available
ansible.builtin.command: which efi-updatevar
register: _efi_updatevar_check
changed_when: false
failed_when: false
- name: Enroll default UEFI Secure Boot keys
when: _efi_updatevar_check.rc == 0
ansible.builtin.command: >-
{{ chroot_command }} sbctl enroll-keys --microsoft
register: _sb_enroll_result
changed_when: _sb_enroll_result.rc == 0
failed_when: false
- name: Verify shim is present - name: Verify shim is present
ansible.builtin.stat: ansible.builtin.stat:
path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi" path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
@@ -51,7 +34,7 @@
ansible.builtin.debug: ansible.builtin.debug:
msg: >- msg: >-
Secure Boot (shim): {{ Secure Boot (shim): {{
'shimx64.efi installed' 'shimx64.efi installed at ' ~ partitioning_efi_mountpoint ~ '/EFI/' ~ _efi_vendor
if (_shim_stat.stat.exists | default(false)) if (_shim_stat.stat.exists | default(false))
else 'shimx64.efi not found, shim package may handle placement on first boot' else 'shimx64.efi not found, shim package may handle placement on first boot'
}} }}

10
roles/virtualization/defaults/main.yml
View File

@@ -22,10 +22,10 @@ virtualization_libvirt_ovmf_vars: /usr/share/edk2/x64/OVMF_VARS.4m.fd
virtualization_tpm2_enabled: >- virtualization_tpm2_enabled: >-
{{ {{
(system_cfg.luks.enabled | bool) (
and (system_cfg.luks.auto | bool) (system_cfg.luks.enabled | bool)
and ( and (system_cfg.luks.auto | bool)
(system_cfg.luks.method | lower) and (system_cfg.luks.method | lower == 'tpm2')
== 'tpm2'
) )
or (system_cfg.features.secure_boot.enabled | default(false) | bool)
}} }}