diff --git a/packages/static/kairos-overlay-files/collection.yaml b/packages/static/kairos-overlay-files/collection.yaml
index 02e3543..282bcf6 100644
--- a/packages/static/kairos-overlay-files/collection.yaml
+++ b/packages/static/kairos-overlay-files/collection.yaml
@@ -1,4 +1,4 @@
 packages:
 - name: "kairos-overlay-files"
 category: "static"
- version: "1.5.1"
+ version: "1.6.0"
diff --git a/packages/static/kairos-overlay-files/files/system/oem/08_efi_assessment.yaml b/packages/static/kairos-overlay-files/files/system/oem/08_efi_assessment.yaml
new file mode 100644
index 0000000..bf79b33
--- /dev/null
+++ b/packages/static/kairos-overlay-files/files/system/oem/08_efi_assessment.yaml
@@ -0,0 +1,33 @@
+name: "Enable EFI assessment"
+stages:
+ initramfs:
+ - name: "Override systemd-boot services to enable RW on /efi partition"
+ if: '([ -e "/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ] || [ -e "/usr/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ]) && [ -e "/run/cos/uki_boot_mode" ]'
+ files:
+ - path: /etc/systemd/system/systemd-bless-boot.service.d/override.conf
+ permissions: 0644
+ owner: 0
+ group: 0
+ content: |
+ [Service]
+ # Allow RW on /efi partition
+ ExecStartPre=mount -o remount,rw /efi
+ # Remove the assessment suffix from loader.conf if any
+ ExecStartPost=sed -i -E 's/(default\s+)*\+[0-9]+(-[0-9]+)?(\.conf)/\1\3/' /efi/loader/loader.conf
+ # Revert back to RO on /efi partition
+ ExecStartPost=mount -o remount,ro /efi
+ - path: /etc/systemd/system/systemd-boot-random-seed.service.d/override.conf
+ permissions: 0644
+ owner: 0
+ group: 0
+ content: |
+ [Service]
+ # Allow RW on /efi partition
+ ExecStartPre=mount -o remount,rw /efi
+ # Revert back to RO on /efi partition
+ ExecStartPost=mount -o remount,ro /efi
+ - name: "Enable boot assessment"
+ if: '([ -e "/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ] || [ -e "/usr/sbin/systemctl" ]) && [ -e "/run/cos/uki_boot_mode" ]'
+ systemctl:
+ enable:
+ - name: "systemd-bless-boot"
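Review bot: The read-only remount of /efi is not guaranteed in either drop-in of 08_efi_assessment.yaml: systemd skips the remaining `ExecStartPost=` commands once one of them fails, and runs none of them when `ExecStart=` itself fails, so a failing `sed` or a failing bless-boot/random-seed run would leave the EFI partition writable for the rest of the boot. Prefixing the edit with `-` (`ExecStartPost=-sed -i -E …`) and adding `ExecStopPost=mount -o remount,ro /efi` to both overrides would cover those failure paths. In the same `sed` expression the `(default\s+)*` group matches non-empty only when the `+N` counter directly follows `default`, so in the usual case it matches empty and the substitution strips the first `+N(-M).conf` suffix on any line of loader.conf; anchoring it, e.g. `s/^(default\s+.*)\+[0-9]+(-[0-9]+)?(\.conf)/\1\3/`, would tie it to the `default` line as the comment intends. The first `if:` also tests `/usr/bin/systemctl` twice, where the second step's condition lists each path once.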