From 9dfcea3c874d81b03244f40a346694b62637dc5a Mon Sep 17 00:00:00 2001
From: Christian Breunig
Date: Mon, 26 Aug 2024 20:24:54 +0200
Subject: T861: op-mode: add "show secure-boot [keys]" CLI command

Support getting current system secure boot state. In addition add optional suppor tto list all enrolled MOK (Machine Owner Keys) in the UEFI variable store.
---
op-mode-definitions/show-secure-boot.xml.in | 21 ++++++++++++
src/op_mode/secure_boot.py | 50 +++++++++++++++++++++++++++++
2 files changed, 71 insertions(+)
create mode 100644 op-mode-definitions/show-secure-boot.xml.in
create mode 100755 src/op_mode/secure_boot.py

diff --git a/op-mode-definitions/show-secure-boot.xml.in b/op-mode-definitions/show-secure-boot.xml.in
new file mode 100644
index 000000000..ff731bac9
--- /dev/null
+++ b/op-mode-definitions/show-secure-boot.xml.in
@@ -0,0 +1,21 @@
+
+
+
+
+
+
+ Show Secure Boot state
+
+ ${vyos_op_scripts_dir}/secure_boot.py show
+
+
+
+ Show enrolled certificates
+
+ mokutil --list-enrolled
+
+
+
+
+
+
diff --git a/src/op_mode/secure_boot.py b/src/op_mode/secure_boot.py
new file mode 100755
index 000000000..5f6390a15
--- /dev/null
+++ b/src/op_mode/secure_boot.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import sys
+import vyos.opmode
+
+from vyos.utils.boot import is_uefi_system
+from vyos.utils.system import get_secure_boot_state
+
+def _get_raw_data(name=None):
+ sb_data = {
+ 'state' : get_secure_boot_state(),
+ 'uefi' : is_uefi_system()
+ }
+ return sb_data
+
+def _get_formatted_output(raw_data):
+ if not raw_data['uefi']:
+ print('System run in legacy BIOS mode!')
+ state = 'enabled' if raw_data['state'] else 'disabled'
+ return f'SecureBoot {state}'
+
+def show(raw: bool):
+ sb_data = _get_raw_data()
+ if raw:
+ return sb_data
+ else:
+ return _get_formatted_output(sb_data)
+
+if __name__ == "__main__":
+ try:
+ res = vyos.opmode.run(sys.modules[__name__])
+ if res:
+ print(res)
+ except (ValueError, vyos.opmode.Error) as e:
+ print(e)
+ sys.exit(1)
-- cgit v1.2.3
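Review bot: `_get_formatted_output` still returns `SecureBoot disabled` on a legacy-BIOS system after emitting the BIOS notice, and it emits that notice with `print()` inside the formatter rather than returning it, so the two lines reach the user by different paths. On a non-UEFI boot Secure Boot is not applicable rather than disabled, so an early return such as `if not raw_data['uefi']: return 'System runs in legacy BIOS mode, Secure Boot is not available'` would keep the report to one unambiguous statement. Separately, `'state'` is reduced to enabled/disabled by a truthiness test; if `get_secure_boot_state()` (defined outside this hunk) yields a falsy value when the state cannot be read, that failure would be shown as `disabled`, which is worth confirming and reporting as unknown instead. The `name=None` parameter of `_get_raw_data` is unused and could be dropped.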