sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(cleanup): enroll Secure Boot keys in VM NVRAM after OS installation

Browse Source
This commit is contained in:
sandwich
2026-04-02 07:22:53 +02:00
committed by MORAWSKI Norbert
parent b31a5a2580
commit ce79728744
3 changed files with 43 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
roles/cleanup/tasks/libvirt.yml
View File

@@ -94,6 +94,35 @@
state: destroyed state: destroyed
failed_when: false failed_when: false
- name: Enroll Secure Boot keys in VM NVRAM
when:
- system_cfg.features.secure_boot.enabled | default(false) | bool
- os != 'archlinux'
block:
- name: Find VM NVRAM file path
ansible.builtin.shell:
cmd: >-
set -o pipefail &&
virsh -c {{ libvirt_uri | default('qemu:///system') }} dumpxml {{ hostname }}
| grep -oP '<nvram[^>]*>\K[^<]+'
executable: /bin/bash
register: _sb_nvram_path
changed_when: false
failed_when: false
- name: Enroll Secure Boot keys via virt-fw-vars
when: _sb_nvram_path.stdout | default('') | length > 0
ansible.builtin.command:
argv:
- virt-fw-vars
- --inplace
- "{{ _sb_nvram_path.stdout | trim }}"
- --enroll-redhat
- --secure-boot
register: _sb_enroll_result
changed_when: _sb_enroll_result.rc == 0
failed_when: false
- name: Start the VM - name: Start the VM
community.libvirt.virt: community.libvirt.virt:
name: "{{ hostname }}" name: "{{ hostname }}"

7
roles/configuration/tasks/encryption.yml
View File

@@ -20,11 +20,16 @@
| regex_replace('\\s+', '') | regex_replace('\\s+', '')
| regex_replace('^\\+|\\+$', '') | regex_replace('^\\+|\\+$', '')
}} }}
_sb_pcr7_safe: >-
{{
system_cfg.features.secure_boot.enabled | bool
and system_cfg.type | default('virtual') != 'virtual'
}}
luks_tpm2_pcrs: >- luks_tpm2_pcrs: >-
{{ {{
_raw_pcrs _raw_pcrs
if _raw_pcrs | length > 0 if _raw_pcrs | length > 0
else ('7' if (system_cfg.features.secure_boot.enabled | bool) else '') else ('7' if (_sb_pcr7_safe | bool) else '')
}} }}
ansible.builtin.set_fact: ansible.builtin.set_fact:
configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}" configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"

9
roles/configuration/tasks/secure_boot/shim.yml
View File

@@ -8,9 +8,14 @@
}} }}
block: block:
- name: Find shim binary in target system - name: Find shim binary in target system
ansible.builtin.command: >- ansible.builtin.shell:
cmd: >-
set -o pipefail &&
{{ chroot_command }} find /usr/lib/shim /boot/efi/EFI {{ chroot_command }} find /usr/lib/shim /boot/efi/EFI
-name 'shimx64.efi*' -type f -print -quit \( -name 'shimx64.efi.signed.latest' -o -name 'shimx64.efi.dualsigned'
-o -name 'shimx64.efi.signed' -o -name 'shimx64.efi' \)
-type f | sort -r | head -1
executable: /bin/bash
register: _shim_find_result register: _shim_find_result
changed_when: false changed_when: false
failed_when: false failed_when: false