fix: Disable secure boot by default (#399)

Dockerfile

@@ -1,5 +1,5 @@
 FROM scratch
-COPY --from=qemux/qemu-docker:4.23 / /
+COPY --from=qemux/qemu-docker:4.24 / /
 
 ARG DEBCONF_NOWARNINGS "yes"
 ARG DEBIAN_FRONTEND "noninteractive"
@@ -7,6 +7,7 @@ ARG DEBCONF_NONINTERACTIVE_SEEN "true"
 
 RUN apt-get update && \
     apt-get --no-install-recommends -y install \
+        bc \
         curl \
         7zip \
         wsdd \

src/install.sh

@@ -250,8 +250,9 @@ finishInstall() {
     rm -f "$STORAGE/windows.old"
   fi
 
+  # Enable secure boot + TPM on manual installs as Win11 requires
   if [[ "$MANUAL" == [Yy1]* ]] || [[ "$aborted" == [Yy1]* ]]; then
-    [[ "${DETECTED,,}" == "win11"* ]] && TPM="Y"
+    [[ "${DETECTED,,}" == "win11"* ]] && BOOT_MODE="windows_secure"
   fi
 
   rm -rf "$TMP"
@@ -1084,9 +1085,7 @@ buildImage() {
   return 0
 }
 
-######################################
+bootWindows() {
-
-if ! startInstall; then
 
   if [ -f "$STORAGE/windows.old" ]; then
     MACHINE=$(<"$STORAGE/windows.old")
@@ -1094,7 +1093,39 @@ if ! startInstall; then
     BOOT_MODE="windows_legacy"
   fi
 
+  local creation="1.10"
+  local minimal="2.14"
+
+  if [ -f "$STORAGE/windows.ver" ]; then
+    creation=$(<"$STORAGE/windows.ver")
+    [[ "${creation}" != *"."* ]] && creation="$minimal"
+  fi
+
+  # Force secure boot on installs created prior to v2.14
+  if (( $(echo "$creation < $minimal" | bc -l) )); then
+    if [[ "${BOOT_MODE,,}" == "windows" ]]; then
+      BOOT_MODE="windows_secure"
+      if [ -f "$STORAGE/windows.rom" ] && [ ! -f "$STORAGE/$BOOT_MODE.rom" ]; then
+        mv "$STORAGE/windows.rom" "$STORAGE/$BOOT_MODE.rom"
+      fi
+      if [ -f "$STORAGE/windows.vars" ] && [ ! -f "$STORAGE/$BOOT_MODE.vars" ]; then
+        mv "$STORAGE/windows.vars" "$STORAGE/$BOOT_MODE.vars"
+      fi
+    fi
+  fi
+
   rm -rf "$TMP"
+
+  return 0
+}
+
+######################################
+
+if ! startInstall; then
+  if ! bootWindows; then
+    error "Failed to boot Windows!"
+    exit 68
+  fi
   return 0
 fi