From 8f3149578aab5ac4a0bd477f3cd9add47122e65c Mon Sep 17 00:00:00 2001
From: Michael Prokop
Date: Thu, 20 Apr 2017 12:09:55 +0200
Subject: [PATCH 1/1] Provide information about whether Secure Boot is enabled or not
---
 autoconfig | 1 +
 autoconfig.functions | 21 +++++++++++++++++++++
 grml-autoconfig | 2 ++
 3 files changed, 24 insertions(+)
diff --git a/autoconfig b/autoconfig
index 7f8e44a..5451bc2 100644
--- a/autoconfig
+++ b/autoconfig
@@ -75,6 +75,7 @@ CONFIG_NETSCRIPT='yes' # download and run script/executable provided by b
 CONFIG_PARTCONF='yes' # do we want partconf to work?
 CONFIG_PASSWD='yes' # set password via bootparam passwd
 CONFIG_SCRIPTS='yes' # execute scripts from the scripts option
+CONFIG_SECUREBOOT='yes' # display information about secure boot
 CONFIG_SERVICES='yes' # check for services to run, provided via bootparam
 CONFIG_STATS='yes' # Report stats to stats server
 CONFIG_SSH='yes' # check for bootparam ssh
diff --git a/autoconfig.functions b/autoconfig.functions
index 1c5c46b..fa75044 100755
--- a/autoconfig.functions
+++ b/autoconfig.functions
@@ -540,6 +540,27 @@ config_kernel(){
 }
 # }}}
+# {{{ secure boot
+config_secureboot(){
+ if [ -x /usr/bin/mokutil ] ; then
+ local secstate=$(mokutil --sb-state 2>/dev/null) # "SecureBoot enabled"
+ if [ -n "$secstate" ] ; then
+ einfo "SecureBoot is enabled" ; eend 0
+ else
+ ewarn "SecureBoot not detected" ; eend 0
+ fi
+ else
+ if modprobe efivars &>/dev/null ; then
+ if od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data 2>/dev/null | grep -q 1 ; then
+ einfo "SecureBoot is enabled" ; eend 0
+ else
+ ewarn "SecureBoot not detected" ; eend 0
+ fi
+ fi
+ fi
+}
+# }}}
+
 # {{{ timezone
 config_timezone(){
 # don't touch the files if running from harddisk:
diff --git a/grml-autoconfig b/grml-autoconfig
index 08c0ccc..47d0c7e 100755
--- a/grml-autoconfig
+++ b/grml-autoconfig
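Review bot: In `config_secureboot` (the autoconfig.functions hunk), the mokutil branch announces "SecureBoot is enabled" for any non-empty output, because the test is `[ -n "$secstate" ]`; `mokutil --sb-state` also prints a line when Secure Boot is disabled, so a system with it switched off would be reported as enabled. Match the state text instead, for example `if printf '%s\n' "$secstate" | grep -q '^SecureBoot enabled' ; then`. The sysfs fallback is loose in the same way: `grep -q 1` matches any byte value that contains the digit 1, and `grep -qw 1` would restrict it to the value 1. When mokutil is absent and `modprobe efivars` fails, the function prints nothing at all, which may deserve an explicit `ewarn` so the missing check is visible at boot.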
@@ -90,6 +90,8 @@ checkvalue $CONFIG_TIME && config_time
 checkvalue $CONFIG_KERNEL && config_kernel
+checkvalue $CONFIG_SECUREBOOT && config_secureboot
+
 checkvalue $CONFIG_TIMEZONE && config_timezone
 checkvalue $CONFIG_SWRAID && config_swraid
--
2.1.4