Add Mortar compatibility for the Secure Boot DKMS script

AgenttiX · AgenttiX · commit 6cd01ddf7dc9 · 2026-01-06T00:48:57.000+02:00
diff --git a/security/secure_boot_dkms.sh b/security/secure_boot_dkms.sh
@@ -11,15 +11,33 @@ if [ "${EUID}" -ne 0 ]; then
   exit 1
 fi
 
-echo "Configuring MOK for DKMS kernel modules."
-update-secureboot-policy --enroll-key
+if command -v mortar-compilesigninstall &> /dev/null; then
+  HAS_MORTAR=true
+else
+  HAS_MORTAR=false
+fi
+
+if [ "${HAS_MORTAR}" = "true" ]; then
+  echo "Configuring DKMS to use the Mortar MOK key."
+  sed -i 's@^# mok_signing_key=/var/lib/dkms/mok.key@mok_signing_key="/etc/mortar/private/db.key"@g; s@^# mok_certificate=/var/lib/dkms/mok.pub@mok_certificate="/etc/mortar/private/db.crt"@g' "/etc/dkms/framework.conf"
+else
+  echo "Currently enrolled MOK keys:"
+  mokutil --list-enrolled
+  echo "Configuring MOK for DKMS kernel modules."
+  update-secureboot-policy --enroll-key
+  echo "New MOK keys:"
+  mokutil --list-new
+fi
+
 echo "Updating initramfs."
 update-initramfs -u
 
-if command -v mortar-compilesigninstall &> /dev/null; then
-  echo "Mortar detected. Running mortar-compilesigninstall."
+if [ "${HAS_MORTAR}" = "true" ]; then
+  echo "Running mortar-compilesigninstall to update the EFI file."
   mortar-compilesigninstall
+  echo "DKMS MOK configuration ready. You should now reboot."
 else
   echo "Updating GRUB configuration."
   update-grub
+  echo "DKMS MOK configuration ready. You should now reboot and then input the MOK password to enroll the key."
 fi
