Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add package with secure boot public signing key #107

Merged
merged 2 commits into from
Dec 31, 2023
+16 −0
Merged

feat: add package with secure boot public signing key #107

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
210a6a3
feat: add package with secure boot public signing key
bsherman Dec 30, 2023
e2c3195
docs: add SecureBoot info to README
bsherman Dec 31, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,7 @@ Users may use [distrobox](https://github.com/89luca89/distrobox) to run images o

It's a good idea to become familar with the [Fedora CoreOS Documentation](https://docs.fedoraproject.org/en-US/fedora-coreos/) as well as the [CoreOS rpm-ostree docs](https://coreos.github.io/rpm-ostree/). Note especially, this image is only possible due to [ostree native containers](https://coreos.github.io/rpm-ostree/container/).


### Sanoid/Syncoid

sanoid/syncoid is a great tool for manual and automated snapshot/transfer of ZFS datasets. However, there is not a current stable RPM, rather they provide [instructions on installing via git](https://github.com/jimsalterjrs/sanoid/blob/master/INSTALL.md#centos).
Expand Down Expand Up @@ -163,6 +164,19 @@ If you do forget to specify the mountpoint, or you need to change the mountpoint
# zfs set mountpoint=/var/tank tank
```


### SecureBoot

For those wishing to use the `nvidia` image with a pre-build kmod AND run SecureBoot, the kmod will not be loaded by the kernel until the public signing key has been imported as a MOK (Machine-Owner Key).

Do so like this:
```bash
sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
```

The utility will prompt for a password. The password will be used to verify this key is the one you meant to import, after rebooting and entering the UEFI MOK import utility.


## How to Install

### Prerequsites
Expand Down
1 change: 1 addition & 0 deletions main/Containerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ ARG NVIDIA_TAG="${NVIDIA_TAG}"
ARG ZFS_TAG="${ZFS_TAG}"
ARG KMOD_SRC="${KMOD_SRC:-ghcr.io/ublue-os/ucore-kmods:${COREOS_VERSION}}"

COPY --from=${KMOD_SRC} /rpms/kmods/*.rpm /tmp/rpms/
COPY --from=${KMOD_SRC} /rpms/kmods/nvidia/*.rpm /tmp/rpms/nvidia/
COPY --from=${KMOD_SRC} /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/

Expand Down
1 change: 1 addition & 0 deletions main/install.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ sed -i 's@enabled=1@enabled=0@g' /etc/yum.repos.d/fedora-cisco-openh264.repo
# inspect to see what RPMS we copied in
find /tmp/rpms/

rpm-ostree install /tmp/rpms/ublue-os-ucore-addons-*.rpm

## CONDITIONAL: install ZFS (and sanoid deps)
if [[ "-zfs" == "${ZFS_TAG}" ]]; then
Expand Down
Loading