Merge pull request #5879 from freedomofpress/secureboot_check

Added mokutil check to detect SecureBoot status before installing
freedomofpress · Mar 30, 2021 · e6fd7fe · e6fd7fe
2 parents 480cf77 + 9ec39d8
commit e6fd7fe
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
@@ -22,10 +22,26 @@
       https://github.com/freedomofpress/securedrop/issues/4058
 
 - name: Install python and packages required by installer
-  raw: apt install -y python3 apt-transport-https dnsutils ubuntu-release-upgrader-core
+  raw: apt install -y python3 apt-transport-https dnsutils ubuntu-release-upgrader-core mokutil
   register: _apt_install_prereqs_results
   changed_when: "'0 upgraded, 0 newly installed, 0 to remove' not in _apt_install_prereqs_results.stdout"
 
+- name: Check SecureBoot status
+  command: mokutil --sb-state
+  changed_when: false
+  failed_when: false # results inspected below
+  register: _mokutil_results
+
+- name: Verify that SecureBoot is not enabled
+  assert:
+    that:
+      - "'SecureBoot enabled' not in _mokutil_results.stdout"
+      - "'SecureBoot enabled' not in _mokutil_results.stderr"
+    fail_msg: >-
+      SecureBoot is enabled. SecureDrop cannot be installed, as it uses a
+      custom kernel that is not signed. Please disable SecureBoot on the
+      target servers and try again.
+
 - name: Remove cloud-init
   apt:
     name: cloud-init