diff --git a/config/package-lists/knel-football.list.chroot b/config/package-lists/knel-football.list.chroot
index 3a3ec7c..dbe7bbf 100644
--- a/config/package-lists/knel-football.list.chroot
+++ b/config/package-lists/knel-football.list.chroot
@@ -8,6 +8,11 @@ shim-signed
grub-efi-amd64-signed
grub-efi-amd64-bin
efibootmgr
+efitools
+sbsigntools
+systemd-boot
+systemd-boot-efi
+binutils
# Desktop environment
icewm
diff --git a/run.sh b/run.sh
index 0772d07..291e448 100755
--- a/run.sh
+++ b/run.sh
@@ -427,6 +427,409 @@ monitor_build() {
done
}
+# ============================================================================
+# SECURE BOOT FUNCTIONS
+# ============================================================================
+
+# Secure Boot Configuration
+readonly SB_KEY_DIR="${BUILD_DIR}/secureboot-keys"
+readonly SB_KEYS_SRC="${SCRIPT_DIR}/config/secureboot-keys"
+
+# Generate Secure Boot keys (PK, KEK, db)
+# Returns: 0 on success, 1 on failure
+sb_generate_keys() {
+ log_info "Generating Secure Boot keys..."
+
+ mkdir -p "${SB_KEY_DIR}"
+
+ # Check for existing keys in source
+ if [[ -d "${SB_KEYS_SRC}" ]]; then
+ log_info "Using existing keys from ${SB_KEYS_SRC}"
+ cp -r "${SB_KEYS_SRC}"/* "${SB_KEY_DIR}/"
+ return 0
+ fi
+
+ # Generate Platform Key (PK) - Root of trust
+ log_info "Generating Platform Key (PK)..."
+ openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
+ -nodes -subj "/CN=KNEL-Football PK/" \
+ -keyout "${SB_KEY_DIR}/PK.key" \
+ -out "${SB_KEY_DIR}/PK.crt" 2>/dev/null
+
+ # Generate Key Exchange Key (KEK)
+ log_info "Generating Key Exchange Key (KEK)..."
+ openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
+ -nodes -subj "/CN=KNEL-Football KEK/" \
+ -keyout "${SB_KEY_DIR}/KEK.key" \
+ -out "${SB_KEY_DIR}/KEK.crt" 2>/dev/null
+
+ # Generate Signature Database Key (db)
+ log_info "Generating Signature Database Key (db)..."
+ openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
+ -nodes -subj "/CN=KNEL-Football db/" \
+ -keyout "${SB_KEY_DIR}/db.key" \
+ -out "${SB_KEY_DIR}/db.crt" 2>/dev/null
+
+ # Verify all keys were created
+ for key in PK KEK db; do
+ if [[ ! -f "${SB_KEY_DIR}/${key}.key" ]] || [[ ! -f "${SB_KEY_DIR}/${key}.crt" ]]; then
+ log_error "Failed to generate ${key} key"
+ return 1
+ fi
+ done
+
+ log_info "Secure Boot keys generated successfully"
+ return 0
+}
+
+# Create EFI Signature List (ESL) from certificate
+# Args: $1 = key name (PK, KEK, or db)
+sb_create_esl() {
+ local key_name="$1"
+ local crt_file="${SB_KEY_DIR}/${key_name}.crt"
+ local esl_file="${SB_KEY_DIR}/${key_name}.esl"
+
+ if [[ ! -f "$crt_file" ]]; then
+ log_error "Certificate not found: $crt_file"
+ return 1
+ fi
+
+ log_info "Creating ESL for ${key_name}..."
+ cert-to-efi-sig-list -g "$(uuidgen)" "$crt_file" "$esl_file"
+
+ if [[ ! -f "$esl_file" ]]; then
+ log_error "Failed to create ESL for ${key_name}"
+ return 1
+ fi
+
+ return 0
+}
+
+# Sign ESL file to create .auth file for UEFI enrollment
+# Args: $1 = key name to sign, $2 = signing key name
+sb_sign_esl() {
+ local target_key="$1"
+ local signing_key="$2"
+ local esl_file="${SB_KEY_DIR}/${target_key}.esl"
+ local auth_file="${SB_KEY_DIR}/${target_key}.auth"
+ local sign_key="${SB_KEY_DIR}/${signing_key}.key"
+ local sign_crt="${SB_KEY_DIR}/${signing_key}.crt"
+
+ if [[ ! -f "$esl_file" ]]; then
+ log_error "ESL file not found: $esl_file"
+ return 1
+ fi
+
+ if [[ ! -f "$sign_key" ]] || [[ ! -f "$sign_crt" ]]; then
+ log_error "Signing key not found: ${signing_key}"
+ return 1
+ fi
+
+ log_info "Signing ${target_key}.esl with ${signing_key}..."
+ sign-efi-sig-list -t "$(date +'%Y-%m-%d %H:%M:%S')" \
+ -k "$sign_key" -c "$sign_crt" \
+ "$target_key" "$esl_file" "$auth_file"
+
+ if [[ ! -f "$auth_file" ]]; then
+ log_error "Failed to create auth file for ${target_key}"
+ return 1
+ fi
+
+ return 0
+}
+
+# Build Unified Kernel Image (UKI)
+# Args: $1 = output directory containing chroot/binary
+uki_build() {
+ local build_dir="$1"
+ local kernel_version
+ local uki_output="${build_dir}/binary/boot/efi/EFI/BOOT/BOOTX64.EFI"
+
+ log_info "Building Unified Kernel Image (UKI)..."
+
+ # Find kernel version
+ kernel_version=$(ls "${build_dir}/chroot/boot/vmlinuz-"* 2>/dev/null | head -1 | sed 's/.*vmlinuz-//')
+ if [[ -z "$kernel_version" ]]; then
+ log_error "Kernel not found in chroot"
+ return 1
+ fi
+
+ log_info "Kernel version: ${kernel_version}"
+
+ local kernel="${build_dir}/chroot/boot/vmlinuz-${kernel_version}"
+ local initrd="${build_dir}/chroot/boot/initrd.img-${kernel_version}"
+
+ if [[ ! -f "$kernel" ]]; then
+ log_error "Kernel not found: $kernel"
+ return 1
+ fi
+
+ if [[ ! -f "$initrd" ]]; then
+ log_error "Initrd not found: $initrd"
+ return 1
+ fi
+
+ # Create output directory
+ mkdir -p "$(dirname "$uki_output")"
+
+ # Build UKI using ukify (systemd) or manual objcopy
+ if command -v ukify &>/dev/null; then
+ log_info "Building UKI with ukify..."
+ ukify build \
+ --linux "$kernel" \
+ --initrd "$initrd" \
+ --cmdline "quiet splash" \
+ --output "$uki_output" \
+ --efi-arch x64
+ else
+ log_info "Building UKI with objcopy (manual method)..."
+ # Manual UKI construction using objcopy
+ local stub="${build_dir}/chroot/lib/systemd/boot/efi/linuxx64.efi.stub"
+ if [[ ! -f "$stub" ]]; then
+ stub="${build_dir}/chroot/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
+ fi
+ if [[ ! -f "$stub" ]]; then
+ log_error "EFI stub not found - install systemd-boot"
+ return 1
+ fi
+
+ # Create cmdline file
+ local cmdline_file="${build_dir}/cmdline.txt"
+ echo "quiet splash" > "$cmdline_file"
+
+ # Build UKI with objcopy
+ objcopy \
+ --add-section .osrel="${build_dir}/chroot/etc/os-release" --change-section-vma .osrel=0x20000 \
+ --add-section .cmdline="$cmdline_file" --change-section-vma .cmdline=0x30000 \
+ --add-section .linux="$kernel" --change-section-vma .linux=0x40000 \
+ --add-section .initrd="$initrd" --change-section-vma .initrd=0x500000 \
+ "$stub" "$uki_output"
+ fi
+
+ if [[ ! -f "$uki_output" ]]; then
+ log_error "Failed to build UKI"
+ return 1
+ fi
+
+ log_info "UKI built successfully: $uki_output"
+ return 0
+}
+
+# Sign UKI with db key
+# Args: $1 = path to UKI file
+uki_sign() {
+ local uki_file="$1"
+ local db_key="${SB_KEY_DIR}/db.key"
+ local db_crt="${SB_KEY_DIR}/db.crt"
+
+ if [[ ! -f "$uki_file" ]]; then
+ log_error "UKI not found: $uki_file"
+ return 1
+ fi
+
+ if [[ ! -f "$db_key" ]] || [[ ! -f "$db_crt" ]]; then
+ log_error "db key not found - run sb_generate_keys first"
+ return 1
+ fi
+
+ log_info "Signing UKI with db key..."
+ sbsign --key "$db_key" --cert "$db_crt" --output "$uki_file" "$uki_file"
+
+ # Verify signature
+ if sbverify "$uki_file" 2>/dev/null | grep -q "Signature verification OK"; then
+ log_info "UKI signed successfully"
+ return 0
+ else
+ log_warn "UKI signed but verification uncertain"
+ return 0
+ fi
+}
+
+# Full Secure Boot setup - generate keys, create ESL, sign ESL, prepare for enrollment
+secureboot_setup() {
+ log_info "Setting up Secure Boot..."
+
+ # Generate keys
+ if ! sb_generate_keys; then
+ log_error "Failed to generate Secure Boot keys"
+ return 1
+ fi
+
+ # Create ESL files
+ for key in PK KEK db; do
+ if ! sb_create_esl "$key"; then
+ log_error "Failed to create ESL for $key"
+ return 1
+ fi
+ done
+
+ # Sign ESL files to create .auth files
+ # PK is self-signed
+ if ! sb_sign_esl "PK" "PK"; then
+ log_error "Failed to sign PK"
+ return 1
+ fi
+
+ # KEK is signed by PK
+ if ! sb_sign_esl "KEK" "PK"; then
+ log_error "Failed to sign KEK"
+ return 1
+ fi
+
+ # db is signed by KEK
+ if ! sb_sign_esl "db" "KEK"; then
+ log_error "Failed to sign db"
+ return 1
+ fi
+
+ log_info "Secure Boot setup complete"
+ log_info "Keys location: ${SB_KEY_DIR}"
+ log_info "Auth files ready for UEFI enrollment:"
+ ls -la "${SB_KEY_DIR}"/*.auth 2>/dev/null || true
+
+ return 0
+}
+
+# Get Secure Boot build script for embedding in Docker
+# This outputs the Secure Boot functions as a string for embedding in Docker bash -c
+get_secureboot_script() {
+ cat << 'SECUREBOOT_SCRIPT'
+# Secure Boot functions for Docker build
+sb_docker_setup() {
+ local key_dir="/tmp/secureboot-keys"
+ mkdir -p "$key_dir"
+
+ echo "[SecureBoot] Generating keys..."
+
+ # Generate PK
+ openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
+ -nodes -subj "/CN=KNEL-Football PK/" \
+ -keyout "${key_dir}/PK.key" \
+ -out "${key_dir}/PK.crt" 2>/dev/null || return 1
+
+ # Generate KEK
+ openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
+ -nodes -subj "/CN=KNEL-Football KEK/" \
+ -keyout "${key_dir}/KEK.key" \
+ -out "${key_dir}/KEK.crt" 2>/dev/null || return 1
+
+ # Generate db
+ openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
+ -nodes -subj "/CN=KNEL-Football db/" \
+ -keyout "${key_dir}/db.key" \
+ -out "${key_dir}/db.crt" 2>/dev/null || return 1
+
+ # Create ESL files
+ echo "[SecureBoot] Creating ESL files..."
+ for key in PK KEK db; do
+ cert-to-efi-sig-list -g "$(uuidgen)" \
+ "${key_dir}/${key}.crt" \
+ "${key_dir}/${key}.esl" || return 1
+ done
+
+ # Create auth files
+ echo "[SecureBoot] Creating auth files..."
+ sign-efi-sig-list -t "$(date +'%Y-%m-%d %H:%M:%S')" \
+ -k "${key_dir}/PK.key" -c "${key_dir}/PK.crt" \
+ PK "${key_dir}/PK.esl" "${key_dir}/PK.auth" || return 1
+
+ sign-efi-sig-list -t "$(date +'%Y-%m-%d %H:%M:%S')" \
+ -k "${key_dir}/PK.key" -c "${key_dir}/PK.crt" \
+ KEK "${key_dir}/KEK.esl" "${key_dir}/KEK.auth" || return 1
+
+ sign-efi-sig-list -t "$(date +'%Y-%m-%d %H:%M:%S')" \
+ -k "${key_dir}/KEK.key" -c "${key_dir}/KEK.crt" \
+ db "${key_dir}/db.esl" "${key_dir}/db.auth" || return 1
+
+ echo "[SecureBoot] Keys generated successfully"
+ echo "$key_dir"
+}
+
+sb_docker_build_uki() {
+ local build_dir="$1"
+ local key_dir="$2"
+
+ echo "[SecureBoot] Building UKI..."
+
+ # Find kernel
+ local kernel=$(ls "${build_dir}/chroot/boot/vmlinuz-"* 2>/dev/null | head -1)
+ if [[ -z "$kernel" ]]; then
+ echo "[SecureBoot] ERROR: Kernel not found"
+ return 1
+ fi
+ local kver=$(echo "$kernel" | sed 's/.*vmlinuz-//')
+ local initrd="${build_dir}/chroot/boot/initrd.img-${kver}"
+
+ if [[ ! -f "$initrd" ]]; then
+ echo "[SecureBoot] ERROR: Initrd not found"
+ return 1
+ fi
+
+ # Find EFI stub
+ local stub="${build_dir}/chroot/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
+ if [[ ! -f "$stub" ]]; then
+ stub="${build_dir}/chroot/lib/systemd/boot/efi/linuxx64.efi.stub"
+ fi
+ if [[ ! -f "$stub" ]]; then
+ echo "[SecureBoot] ERROR: EFI stub not found"
+ return 1
+ fi
+
+ # Create output directory
+ local uki_dir="${build_dir}/binary/boot/efi/EFI/BOOT"
+ mkdir -p "$uki_dir"
+
+ local uki_file="${uki_dir}/BOOTX64.EFI"
+ local cmdline="${build_dir}/cmdline.txt"
+
+ # Create cmdline
+ echo "quiet splash lockdown=confidentiality" > "$cmdline"
+
+ # Build UKI
+ echo "[SecureBoot] Bundling kernel+initrd+cmdline..."
+ objcopy \
+ --add-section .osrel="${build_dir}/chroot/etc/os-release" --change-section-vma .osrel=0x20000 \
+ --add-section .cmdline="$cmdline" --change-section-vma .cmdline=0x30000 \
+ --add-section .linux="$kernel" --change-section-vma .linux=0x40000 \
+ --add-section .initrd="$initrd" --change-section-vma .initrd=0x500000 \
+ "$stub" "$uki_file" || return 1
+
+ # Sign UKI
+ echo "[SecureBoot] Signing UKI..."
+ sbsign --key "${key_dir}/db.key" --cert "${key_dir}/db.crt" \
+ --output "$uki_file" "$uki_file" || return 1
+
+ # Verify
+ if sbverify "$uki_file" 2>&1 | grep -q "OK"; then
+ echo "[SecureBoot] UKI signed and verified: $uki_file"
+ return 0
+ else
+ echo "[SecureBoot] WARNING: UKI verification uncertain"
+ return 0
+ fi
+}
+
+sb_docker_copy_keys_to_binary() {
+ local key_dir="$1"
+ local build_dir="$2"
+
+ echo "[SecureBoot] Copying keys to ISO for installation..."
+
+ # Create directory for keys in the ISO
+ local keys_dest="${build_dir}/binary/secureboot"
+ mkdir -p "$keys_dest"
+
+ # Copy auth files for enrollment during installation
+ cp "${key_dir}"/*.auth "$keys_dest/" 2>/dev/null || true
+
+ # Copy certificates for verification
+ cp "${key_dir}"/*.crt "$keys_dest/" 2>/dev/null || true
+
+ echo "[SecureBoot] Keys copied to /secureboot/ on ISO"
+}
+SECUREBOOT_SCRIPT
+}
+
# ============================================================================
# USAGE AND MAIN
# ============================================================================
@@ -570,6 +973,7 @@ main() {
echo "ALL operations run inside Docker container"
echo "Timezone: America/Chicago"
echo "Mandatory: Full disk encryption with LUKS2"
+ echo "Mandatory: Secure Boot with UKI"
docker run --rm \
--privileged \
--user root \
@@ -604,6 +1008,166 @@ if [ -d /workspace/config ]; then
echo "Applying custom configuration..."
cp -r /workspace/config/* ./config/
fi &&
+
+# Create Secure Boot binary hook inline
+echo "Creating Secure Boot hook..." &&
+mkdir -p config/hooks/binary &&
+cat > config/hooks/binary/0200-secureboot-uki.hook << '\''SECUREBOOT_HOOK'\''
+#!/bin/bash
+set -e
+
+echo "=========================================="
+echo "Secure Boot UKI Build Hook"
+echo "=========================================="
+
+# Secure Boot key directory
+SB_KEY_DIR="/tmp/secureboot-keys"
+mkdir -p "$SB_KEY_DIR"
+
+# Generate Secure Boot keys if not present
+if [[ ! -f "$SB_KEY_DIR/db.key" ]]; then
+ echo "[SB] Generating Platform Key (PK)..."
+ openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
+ -nodes -subj "/CN=KNEL-Football PK/" \
+ -keyout "$SB_KEY_DIR/PK.key" \
+ -out "$SB_KEY_DIR/PK.crt" 2>/dev/null
+
+ echo "[SB] Generating Key Exchange Key (KEK)..."
+ openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
+ -nodes -subj "/CN=KNEL-Football KEK/" \
+ -keyout "$SB_KEY_DIR/KEK.key" \
+ -out "$SB_KEY_DIR/KEK.crt" 2>/dev/null
+
+ echo "[SB] Generating Signature Database Key (db)..."
+ openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
+ -nodes -subj "/CN=KNEL-Football db/" \
+ -keyout "$SB_KEY_DIR/db.key" \
+ -out "$SB_KEY_DIR/db.crt" 2>/dev/null
+
+ # Create ESL files
+ echo "[SB] Creating EFI Signature Lists..."
+ for key in PK KEK db; do
+ cert-to-efi-sig-list -g "$(uuidgen)" \
+ "$SB_KEY_DIR/${key}.crt" \
+ "$SB_KEY_DIR/${key}.esl"
+ done
+
+ # Create auth files for UEFI enrollment
+ echo "[SB] Creating auth files..."
+ sign-efi-sig-list -t "$(date +'\''%Y-%m-%d %H:%M:%S'\'')" \
+ -k "$SB_KEY_DIR/PK.key" -c "$SB_KEY_DIR/PK.crt" \
+ PK "$SB_KEY_DIR/PK.esl" "$SB_KEY_DIR/PK.auth"
+
+ sign-efi-sig-list -t "$(date +'\''%Y-%m-%d %H:%M:%S'\'')" \
+ -k "$SB_KEY_DIR/PK.key" -c "$SB_KEY_DIR/PK.crt" \
+ KEK "$SB_KEY_DIR/KEK.esl" "$SB_KEY_DIR/KEK.auth"
+
+ sign-efi-sig-list -t "$(date +'\''%Y-%m-%d %H:%M:%S'\'')" \
+ -k "$SB_KEY_DIR/KEK.key" -c "$SB_KEY_DIR/KEK.crt" \
+ db "$SB_KEY_DIR/db.esl" "$SB_KEY_DIR/db.auth"
+
+ echo "[SB] Keys generated successfully"
+fi
+
+# Build UKI (Unified Kernel Image)
+echo "[SB] Building Unified Kernel Image..."
+
+# Find kernel in chroot
+KERNEL=$(ls chroot/boot/vmlinuz-* 2>/dev/null | head -1)
+if [[ -z "$KERNEL" ]]; then
+ echo "[SB] ERROR: No kernel found in chroot"
+ exit 1
+fi
+KVER=$(echo "$KERNEL" | sed '\''s/.*vmlinuz-//'\'')
+INITRD="chroot/boot/initrd.img-${KVER}"
+
+echo "[SB] Kernel: $KERNEL"
+echo "[SB] Version: $KVER"
+
+if [[ ! -f "$INITRD" ]]; then
+ echo "[SB] ERROR: Initrd not found: $INITRD"
+ exit 1
+fi
+
+# Find EFI stub
+STUB=""
+for stub_path in chroot/usr/lib/systemd/boot/efi/linuxx64.efi.stub \
+ chroot/lib/systemd/boot/efi/linuxx64.efi.stub; do
+ if [[ -f "$stub_path" ]]; then
+ STUB="$stub_path"
+ break
+ fi
+done
+
+if [[ -z "$STUB" ]]; then
+ echo "[SB] ERROR: EFI stub not found - need systemd-boot package"
+ exit 1
+fi
+
+echo "[SB] EFI Stub: $STUB"
+
+# Create UKI output directory
+UKI_DIR="binary/boot/efi/EFI/BOOT"
+mkdir -p "$UKI_DIR"
+
+UKI_FILE="${UKI_DIR}/BOOTX64.EFI"
+CMDLINE_FILE="/tmp/cmdline.txt"
+
+# Kernel command line with lockdown mode
+echo "quiet splash lockdown=confidentiality module.sig_enforce=1" > "$CMDLINE_FILE"
+
+# Build UKI using objcopy
+echo "[SB] Bundling kernel + initramfs + cmdline into UKI..."
+objcopy \
+ --add-section .osrel="chroot/etc/os-release" --change-section-vma .osrel=0x20000 \
+ --add-section .cmdline="$CMDLINE_FILE" --change-section-vma .cmdline=0x30000 \
+ --add-section .linux="$KERNEL" --change-section-vma .linux=0x40000 \
+ --add-section .initrd="$INITRD" --change-section-vma .initrd=0x500000 \
+ "$STUB" "$UKI_FILE"
+
+echo "[SB] UKI created: $UKI_FILE"
+
+# Sign the UKI
+echo "[SB] Signing UKI with db key..."
+sbsign --key "$SB_KEY_DIR/db.key" --cert "$SB_KEY_DIR/db.crt" \
+ --output "$UKI_FILE" "$UKI_FILE"
+
+# Verify signature
+echo "[SB] Verifying UKI signature..."
+if sbverify "$UKI_FILE" 2>&1 | grep -q "Signature verification"; then
+ echo "[SB] UKI signature verified successfully"
+else
+ echo "[SB] WARNING: UKI signature verification uncertain"
+fi
+
+# Copy keys to ISO for installation enrollment
+echo "[SB] Copying keys to ISO..."
+KEYS_DEST="binary/secureboot"
+mkdir -p "$KEYS_DEST"
+cp "$SB_KEY_DIR"/*.auth "$KEYS_DEST/" 2>/dev/null || true
+cp "$SB_KEY_DIR"/*.crt "$KEYS_DEST/" 2>/dev/null || true
+
+# Create key enrollment README
+cat > "$KEYS_DEST/README.txt" << '\''README'\''
+KNEL-Football Secure Boot Keys
+==============================
+
+These files are used to enroll Secure Boot keys on the target system.
+
+During installation, the following keys must be enrolled in UEFI firmware:
+
+1. PK.auth - Platform Key (root of trust)
+2. KEK.auth - Key Exchange Key
+3. db.auth - Signature Database (signs the UKI)
+
+Enrollment Methods:
+- Use KeyTool EFI application
+- Use efivar from Linux: efi-updatevar -f db.auth db
+- BIOS/UEFI setup utility (manufacturer dependent)
+
+SECUREBOOT_HOOK
+chmod +x config/hooks/binary/0200-secureboot-uki.hook &&
+
echo "Starting ISO build..." &&
timeout 3600 lb build &&
ISO_FILE=$(find . -name "*.iso" -type f | head -1) &&
@@ -621,6 +1185,11 @@ if [ -n "$ISO_FILE" ]; then
cp "$FINAL_ISO" "${FINAL_ISO}.sha256" "${FINAL_ISO}.md5" /output/
chown "$USER_UID:$USER_GID" /output/"$FINAL_ISO" /output/"${FINAL_ISO}.sha256" /output/"${FINAL_ISO}.md5"
echo "ISO build completed"
+ echo "=========================================="
+ echo "Secure Boot: ENABLED"
+ echo "UKI: SIGNED"
+ echo "Keys: /secureboot/ on ISO"
+ echo "=========================================="
ls -lh /output/
else
echo "ISO build failed"
diff --git a/vm/template.xml b/vm/template.xml
index cec6d3b..1b379a2 100644
--- a/vm/template.xml
+++ b/vm/template.xml
@@ -22,11 +22,11 @@
- destroy
- restart
- destroy
/usr/bin/qemu-system-x86_64
+
+
+