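---
# Installs the distribution's signed shim loader into the EFI vendor
# directory of the target system (mounted under /mnt) so that the
# firmware's Secure Boot chain can start it. The tasks only locate, copy
# and stat the file; they do not verify its signature or contents.
- name: Configure shim-based Secure Boot
  vars:
    # Vendor subdirectory under <ESP>/EFI/ that the firmware boot entry
    # points at: "redhat" for RHEL, "ubuntu" for both Ubuntu flavours,
    # otherwise the distribution name itself.
    _efi_vendor: >-
      {{
      "redhat" if os == "rhel"
      else ("ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os)
      }}
  block:
    # Path reported by `find` is relative to the chroot, hence the /mnt
    # prefix used by the copy task below (assumes chroot_command enters
    # /mnt — confirm against the caller).
    # Selection is by reverse lexical sort of the full path, so
    # /usr/lib/shim/* wins over /boot/efi/EFI/*, and within a directory
    # shimx64.efi.signed.latest > .signed > .dualsigned > plain shimx64.efi.
    # failed_when: false means a failing find (or a missing chroot) is
    # not an error here; it just leaves stdout empty and the copy is
    # skipped, which the final debug task then reports.
    - name: Find shim binary in target system
      ansible.builtin.shell:
        cmd: >-
          set -o pipefail &&
          {{ chroot_command }} find /usr/lib/shim /boot/efi/EFI
          \( -name 'shimx64.efi.signed.latest' -o -name 'shimx64.efi.dualsigned'
          -o -name 'shimx64.efi.signed' -o -name 'shimx64.efi' \)
          -type f | sort -r | head -1
        executable: /bin/bash
      register: _shim_find_result
      changed_when: false
      failed_when: false

    # argv form: the found path and the destination are passed as single
    # arguments, so a path containing whitespace is not split into
    # several words the way it would be in the free-form command string.
    - name: Copy shim to EFI vendor directory
      when:
        - _shim_find_result.stdout | default('') | length > 0
        - _configuration_platform.grub_install | bool
      ansible.builtin.command:
        argv:
          - cp
          - "/mnt{{ _shim_find_result.stdout_lines | first }}"
          - "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
      register: _shim_copy_result
      # A non-zero rc already fails the task; when it is reached with
      # rc == 0 the copy happened, so the task reports changed.
      changed_when: _shim_copy_result.rc == 0

    # Existence check only; a present file is not proof that it carries
    # a signature the firmware trusts.
    - name: Verify shim is present
      ansible.builtin.stat:
        path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
      register: _shim_stat

    - name: Report Secure Boot status
      ansible.builtin.debug:
        msg: >-
          Secure Boot (shim): {{
          'shimx64.efi installed at ' ~ partitioning_efi_mountpoint ~ '/EFI/' ~ _efi_vendor
          if (_shim_stat.stat.exists | default(false))
          else 'shimx64.efi not found, shim package may handle placement on first boot'
          }}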