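---
# Install the distribution shim (first-stage Secure Boot loader) into the
# target's EFI System Partition and, on virtual machines, enroll Secure Boot
# keys with sbctl.
#
# Security notes:
#   * A shim is only useful if it carries the vendor/Microsoft signature.
#     Debian and Ubuntu ship the signed build as `shimx64.efi.signed` and may
#     ship an unsigned `shimx64.efi` next to it, so the copy below prefers a
#     `*signed` candidate instead of taking whatever `find` returns first.
#   * `find`, `cp` and `sbctl` all run under `{{ chroot_command }}` so that
#     the path returned by `find` (relative to the target root) is the path
#     `cp` reads. Running `cp` on the installer host would silently copy the
#     host's shim instead of the target's.
#   * Enrollment failures are not fatal (installer is best-effort) but are
#     reported explicitly instead of being swallowed.
#
# Caller-provided variables (presumed from their use here — confirm against
# the calling play):
#   chroot_command              - prefix that executes a command inside the
#                                 target root (host side sees it under /mnt)
#   partitioning_efi_mountpoint - ESP mountpoint as seen inside the target
#   os, system_cfg, _configuration_platform - installer configuration
- name: Configure shim-based Secure Boot
  vars:
    # Directory under EFI/ that the distribution's GRUB/shim expect.
    # Unrecognised values of `os` are used verbatim as a path component, so
    # `os` must stay a plain distribution id (no slashes or '..').
    _efi_vendor: >-
      {{
        "redhat" if os == "rhel"
        else ("ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os)
      }}
  block:
    - name: Find shim binaries in target system
      # Collect every candidate (no -quit) so a signed build can be preferred
      # below. Best-effort: a missing `find` or directory is not fatal.
      ansible.builtin.command: >-
        {{ chroot_command }} find /usr/lib/shim /boot/efi/EFI
        -name 'shimx64.efi*' -type f -print
      register: _shim_find_result
      changed_when: false
      failed_when: false

    - name: Copy shim to EFI vendor directory
      vars:
        # Signed candidates (shimx64.efi.signed, shimx64.efi.dualsigned)
        # first, then any other match; `| first` is only evaluated once the
        # `when` below has confirmed there is at least one result.
        _shim_source: >-
          {{
            ((_shim_find_result.stdout_lines | default([])
              | select('search', 'signed$') | list)
             + (_shim_find_result.stdout_lines | default([]))) | first
          }}
      when:
        - _shim_find_result.stdout | default('') | length > 0
        - _configuration_platform.grub_install | bool
      # Same chroot as the find above, so the source path resolves on the
      # target; the destination is the ESP path as seen inside the target
      # (the host-side stat below checks the same file via /mnt).
      ansible.builtin.command: >-
        {{ chroot_command }} cp {{ _shim_source | quote }}
        {{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi
      register: _shim_copy_result
      changed_when: _shim_copy_result.rc == 0

    - name: Enroll Secure Boot keys via sbctl
      # Only on VMs: replacing PK/KEK/db from an installer on physical
      # hardware can leave firmware unbootable, so it is left to the operator.
      when: system_cfg.type == 'virtual'
      block:
        - name: Check if sbctl is available in target system
          # Probe the same environment the enrollment runs in (previously the
          # probe looked for efi-updatevar on the host while sbctl was run in
          # the chroot, so the guard never matched the tool actually used).
          ansible.builtin.command: "{{ chroot_command }} which sbctl"
          register: _sbctl_check
          changed_when: false
          failed_when: false

        - name: Enroll default UEFI Secure Boot keys
          # Keep --microsoft: it is what leaves Microsoft's UEFI CA in db so
          # the Microsoft-signed shim copied above remains bootable. sbctl
          # presumably needs its keys created beforehand and firmware in
          # Setup Mode with efivarfs visible inside the chroot — confirm.
          when: _sbctl_check.rc == 0
          ansible.builtin.command: >-
            {{ chroot_command }} sbctl enroll-keys --microsoft
          register: _sb_enroll_result
          changed_when: _sb_enroll_result.rc == 0
          failed_when: false

        - name: Warn when Secure Boot key enrollment failed
          # Surface the failure instead of letting failed_when: false hide it;
          # a VM that boots with unenrolled keys is not Secure Boot protected.
          when:
            - _sbctl_check.rc == 0
            - _sb_enroll_result.rc != 0
          ansible.builtin.debug:
            msg: >-
              Secure Boot key enrollment failed (rc={{ _sb_enroll_result.rc }}):
              {{ _sb_enroll_result.stderr | default('') }}

    - name: Verify shim is present
      # Host-side view of the file written inside the chroot above.
      ansible.builtin.stat:
        path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
      register: _shim_stat

    - name: Report Secure Boot status
      ansible.builtin.debug:
        msg: >-
          Secure Boot (shim): {{
            'shimx64.efi installed'
            if (_shim_stat.stat.exists | default(false))
            else 'shimx64.efi not found, shim package may handle placement on first boot'
          }}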