From 57e06dcc99f0a8c30404343ed156a4ed636b4144 Mon Sep 17 00:00:00 2001
From: JMARyA
Date: Wed, 9 Apr 2025 11:49:09 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=A9=B9=20fix=20secure=20boot?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/install/mod.rs | 5 +++--
 src/install/security.rs | 16 ++++++++++++----
 src/main.rs | 3 ++-
 3 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/install/mod.rs b/src/install/mod.rs
index 50e7c7f..d9f8980 100644
--- a/src/install/mod.rs
+++ b/src/install/mod.rs
@@ -18,7 +18,7 @@ use gpu::setup_video_drivers;
 use kernel::setup_mkinitcpio;
 use navos::setup_navos;
 use ollama::setup_ollama;
-use security::{setup_secure_boot, setup_tpm_unlock};
+use security::{has_secure_boot, setup_secure_boot, setup_tpm_unlock};
 use skel::setup_skel;
 use ssh::setup_ssh;
 use user::setup_users;
@@ -190,7 +190,8 @@ pub fn install_mnt(conf: InstallConfig, bare: bool) {
 setup_fstrim();
 setup_bootloader();
 setup_mkinitcpio(&conf.drive);
- if bare {
+
+ if bare && has_secure_boot() {
 setup_secure_boot();
 }
diff --git a/src/install/security.rs b/src/install/security.rs
index e063e78..ef88881 100644
--- a/src/install/security.rs
+++ b/src/install/security.rs
@@ -4,7 +4,7 @@ use yansi::{Color, Paint};
 use crate::{
 config::DriveConfig,
- linux::{arch_chroot, install_file, run_command, systemd_service_enable},
+ linux::{arch_chroot, install_file, run_command, run_command_noerr, systemd_service_enable},
 pkg::install_pkgs,
 };
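Review bot: In install_mnt (src/install/mod.rs), when `bare` is set but `has_secure_boot()` returns false the Secure Boot setup is now skipped without any message, so the operator cannot tell from the installer output that the installed system was left without it. An explicit branch would make the downgrade visible, e.g. `} else if bare { println!("{}", "[!] Secure Boot not in Setup Mode, skipping Secure Boot setup".paint(Color::Yellow)); }`, assuming the yansi imports used in security.rs are also available in this module. It may also be worth confirming that the `setup_tpm_unlock` step imported alongside does not depend on Secure Boot having been set up; that call is not visible in this hunk. install_mnt begins and ends outside the hunk.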
@@ -49,12 +49,20 @@ pub fn setup_tpm_unlock(conf: &DriveConfig) {
 // SECURE BOOT
-pub fn ensure_secure_boot() {
- let (stdout, _) = run_command(&["sbctl", "status"], None, false);
+pub fn has_secure_boot() -> bool {
+ let (stdout, _) = run_command_noerr(&["sbctl", "status"], None, false);
 let binding = stdout.lines().collect::>();
 let status = binding.get(1).unwrap();
- if !status.contains("Setup Mode") || !status.contains("Enabled") {
+ if status.contains("Setup Mode") || status.contains("Enabled") {
+ return true;
+ }
+
+ false
+}
+
+pub fn ensure_secure_boot() {
+ if !has_secure_boot() {
 println!(
 "{}",
 "[!] Secure Boot is not in Setup Mode".paint(Color::Red)
diff --git a/src/main.rs b/src/main.rs
index 2f097c7..e6d0d92 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -53,7 +53,8 @@ fn main() {
 std::process::exit(1);
 }
- ensure_secure_boot();
+ // TODO : make secure boot configurable
+ //ensure_secure_boot();
 let config_file: &String = install_args.get_one("config").unwrap();
 let force = install_args.get_flag("force");
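Review bot: The new predicate in has_secure_boot() is not the complement of the condition it replaces: the old guard `!status.contains("Setup Mode") || !status.contains("Enabled")` failed unless both substrings were present, whereas `status.contains("Setup Mode") || status.contains("Enabled")` returns true when either one is, so a status line that names Setup Mode without reporting it enabled would presumably pass, and both ensure_secure_boot() and the new gate in install_mnt would proceed. The `||` should be `&&`. Separately, `binding.get(1).unwrap()` panics when `sbctl status` prints fewer than two lines, which looks more likely now that the call goes through `run_command_noerr` (by its name, a variant that tolerates a failing command); treating that case as "not available" is safer, e.g. `binding.get(1).is_some_and(|s| s.contains("Setup Mode") && s.contains("Enabled"))`. The body of ensure_secure_boot() continues past the end of the hunk.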
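Review bot: Commenting out `ensure_secure_boot()` in main() turns the pre-flight check from fail-closed into no check at all and leaves dead code behind; the `ensure_secure_boot` import, which is outside this hunk, will probably become unused as well. Until the TODO is resolved, a non-fatal warning at this point would keep the operator informed that the install will continue without Secure Boot. At minimum the comment should state the consequence, e.g. `// Secure Boot pre-flight check disabled: install proceeds even when firmware is not in Setup Mode; install_mnt then skips setup_secure_boot()`. main() begins and ends outside the hunk.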