From f5a3e197512428a14925376345215fcc79f73c8b Mon Sep 17 00:00:00 2001
From: Eric Hameleers <alien@slackware.com>
Date: Mon, 8 Nov 2021 09:18:14 +0100
Subject: liveslak: add Secure Boot support to all 64bit ISOs

Read the updates in the README for more background and guidance.

User notice:
  As a one-time action the very first time you boot a Secure Boot enabled
  liveslak ISO, you will have to enroll the liveslak certificate
  (/EFI/BOOT/liveslak.der) with which the Slackware boot-up binaries
  (grub and kernel) were signed into your computer's MOK (Machine Owner Key
  database).
  This enrollment request will show on-screen during initial boot,
  just follow the prompts to 'enroll from disk'. Afterwards the computer
  will reboot and from then on, your liveslak will boot without any
  user intervention on your Secure Boot computer.

Note:
  liveslak uses Fedora's initial boot loader (the 'shim') which
  has been signed by Microsoft. In future we may get our own
  signed shim for liveslak and/or Slackware, but don't hold your breath.
---
 grub.tpl | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'grub.tpl')

diff --git a/grub.tpl b/grub.tpl
index ead3a36..82ecf32 100644
--- a/grub.tpl
+++ b/grub.tpl
@@ -22,6 +22,12 @@ if [ -z "$sl_locale" ]; then
   export sl_locale
 fi
 
+# Check whether we are in a Secure Boot scenario:
+if [ "x$lockdown" != "x" ]; then
+  set check_signatures=enforce
+  export check_signatures
+fi
+
 # Determine whether we can show a graphical themed menu:
 insmod font
 if loadfont $prefix/theme/dejavusansmono12.pf2 ; then
-- 
cgit v1.2.3