From a8d5d63dca0a78e7a98ab2d158574522aa0668cd Mon Sep 17 00:00:00 2001
From: bin456789 <bin456789@gmail.com>
Date: Fri, 22 Dec 2023 23:45:06 +0800
Subject: [PATCH] =?UTF-8?q?core:=20=E6=B7=BB=E5=8A=A0=E5=AE=89=E5=85=A8?=
 =?UTF-8?q?=E5=90=AF=E5=8A=A8=E5=88=A4=E5=AE=9A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 reinstall.sh | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/reinstall.sh b/reinstall.sh
index c2c9a01..49b8d03 100644
--- a/reinstall.sh
+++ b/reinstall.sh
@@ -803,6 +803,18 @@ is_efi() {
     fi
 }
 
+is_secure_boot_enabled() {
+    if is_efi; then
+        if is_in_windows; then
+            reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State' /v UEFISecureBootEnabled | grep 0x1 && return 0
+        else
+            # mokutil --sb-state
+            dmesg | grep -i 'Secure boot enabled' && return 0
+        fi
+    fi
+    return 1
+}
+
 is_use_grub() {
     ! { is_netboot_xyz && is_efi; }
 }
@@ -1341,15 +1353,20 @@ while true; do
     esac
 done
 
-# 不支持容器虚拟化
-assert_not_in_container
-
 # 检查目标系统名
 verify_os_name "$@"
 
 # 检查必须的参数
 verify_os_args
 
+# 不支持容器虚拟化
+assert_not_in_container
+
+# 不支持安全启动
+if is_secure_boot_enabled; then
+    error_and_exit "Not Supported with secure boot enabled."
+fi
+
 # win系统盘
 if is_in_windows; then
     c=$(echo $SYSTEMDRIVE | cut -c1)