From 6b2d22d7c0478a3a0623ba4e1e90bfa75f2ed2bd Mon Sep 17 00:00:00 2001
From: Jarred Wilson
Date: Sun, 8 Sep 2024 20:50:24 +0000
Subject: [PATCH] fix:[#1651] Add MOTD message for SB keys
- Add logic to check for SB enrollment and keys
- Update motd template
---
 .../kinoite/usr/share/ublue-os/motd/bluefin.md | 2 ++
 system_files/shared/usr/libexec/ublue-motd | 14 +++++++++++++-
 .../silverblue/usr/share/ublue-os/motd/bluefin.md | 2 ++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md b/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md
index 614bda9d241..6f3be15a4c2 100644
--- a/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md
+++ b/system_files/kinoite/usr/share/ublue-os/motd/bluefin.md
@@ -15,3 +15,5 @@ Let's trace the stars.
 - 󰊤 [Issues](https://issues.projectbluefin.io)
 - 󰈙 [Documentation](http://docs.projectbluefin.io/)
 - 󰊌 [Discuss](https://community.projectbluefin.io/)
+
+%KEY_WARN%
diff --git a/system_files/shared/usr/libexec/ublue-motd b/system_files/shared/usr/libexec/ublue-motd
index 4c77fcf1f3c..4870693418c 100755
--- a/system_files/shared/usr/libexec/ublue-motd
+++ b/system_files/shared/usr/libexec/ublue-motd
@@ -23,6 +23,18 @@ if [[ -f "$TIP_FILE" ]]; then fi TIP_ESCAPED=$(escape "$TIP") +fi + +# check for secure boot key +KEY_WARN="" +FINGERPRINT="2B:E9:91:E3:B1:B5:40:70:F4:3D:80:BB:13:EB:C6:57:E5:A3:78:0D" +mokutil --list-enrolled | grep -q $FINGERPRINT +ENROLLED=$? +mokutil --sb-state | grep -q enabled +SB_ENABLED=$? - sed -e "s/%IMAGE_NAME%/$IMAGE_NAME_ESCAPED/g" -e "s/%IMAGE_TAG%/$IMAGE_TAG_ESCAPED/g" -e "s/%TIP%/$TIP_ESCAPED/g" /usr/share/ublue-os/motd/bluefin.md | tr '~' '\n' | /usr/bin/glow -s auto -w 78 - +if [[ $ENROLL -eq 1 ]] && [[ $SB_ENABLED -eq 0 ]]; then + KEY_WARN="**WARNING**: This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting **may cause your system to fail to boot**. Follow this [link](https://docs.projectbluefin.io/introduction#secure-boot) for instructions on how to enroll the keys." fi + +sed -e "s/%IMAGE_NAME%/$IMAGE_NAME_ESCAPED/g" -e "s/%IMAGE_TAG%/$IMAGE_TAG_ESCAPED/g" -e "s/%TIP%/$TIP_ESCAPED/g" -e "s|%KEY_WARN%|$KEY_WARN|g" /usr/share/ublue-os/motd/bluefin.md | tr '~' '\n' | /usr/bin/glow -s auto -w 78 - diff --git a/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md b/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md index 015d17a4656..119db38cd0b 100644 --- a/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md +++ b/system_files/silverblue/usr/share/ublue-os/motd/bluefin.md @@ -15,3 +15,5 @@ - 󰈙 [Documentation](http://docs.projectbluefin.io/) - 󰊌 [Discuss](https://community.projectbluefin.io/) - 󰊌 [Leave Feedback](https://feedback.projectbluefin.io) + + %KEY_WARN%
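Review bot: The condition `if [[ $ENROLL -eq 1 ]] && [[ $SB_ENABLED -eq 0 ]]` reads `ENROLL`, but the status of the key lookup is stored in `ENROLLED`; the unset name evaluates as 0 inside `[[ ]]`, so the test is never true and the Secure Boot warning this hunk adds cannot be displayed. It should read `if [[ $ENROLLED -eq 1 ]] && [[ $SB_ENABLED -eq 0 ]]; then`. The lookup itself should quote the variable and, since mokutil appears to print fingerprints in lowercase hex (worth confirming on a target image), match case-insensitively: `mokutil --list-enrolled | grep -q -i "$FINGERPRINT"`. The hunk opens inside the `if [[ -f "$TIP_FILE" ]]` block, whose start is outside the hunk.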