
feat(just): add check-sb-key recipe for Secure Boot status #370

Open
hanthor wants to merge 1 commit into main from fix/issue-13-check-sb-key

@hanthor hanthor commented May 30, 2026

Adds a ujust check-sb-key command that reports Secure Boot status, MOK enrollment, and kernel signature verification.

Closes #13

Summary by CodeRabbit

  • New Features
    • Added a command to check Secure Boot configuration and status. On EFI systems it reports Secure Boot state, MOK enrollment, and kernel signature information; on non‑EFI systems it reports that Secure Boot does not apply.


@dosubot dosubot Bot added the size:M (This PR changes 30-99 lines, ignoring generated files.), area/just (Justfile things) and kind/enhancement (New feature, don't implement without a spec and consensus) labels May 30, 2026
coderabbitai Bot commented May 30, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between f09e3ec and 8f6ac31.

📒 Files selected for processing (1)
  • system_files/bluefin/usr/share/ublue-os/just/system.just
📝 Walkthrough

New check-sb-key ujust recipe added that checks EFI presence and reports Secure Boot status using available system utilities (mokutil, efivar, sbverify), with appropriate fallback behavior for non-EFI systems.

Changes

Secure Boot Status Check Recipe

| Layer / File(s) | Summary |
| --- | --- |
| check-sb-key recipe with EFI and tool detection (system_files/bluefin/usr/share/ublue-os/just/system.just) | New recipe detects EFI systems and conditionally reports Secure Boot status (via mokutil or efivar), MOK enrollment (via mokutil), and kernel signature data (via sbverify), with fallback messaging for non-EFI systems. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately and clearly describes the main change: adding a new ujust recipe for checking Secure Boot key status. |
| Description check | ✅ Passed | The description concisely explains the functionality added (Secure Boot status, MOK enrollment, kernel signature verification) and references the closed issue. |
| Linked Issues check | ✅ Passed | The PR implements the missing check-sb-key command as required by issue #13, providing Secure Boot status, MOK enrollment reporting, and kernel signature verification. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to the check-sb-key recipe addition in the system.just file, directly addressing the requirement to add the missing command. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@system_files/bluefin/usr/share/ublue-os/just/system.just`:
- Around line 127-132: The current code runs inside the if command -v sbverify
check so the fallback message "sbverify not available (install sbsigntools)" is
misleading when sbverify --list /boot/vmlinuz-$(uname -r) fails; update the
failure branch so it reports that sbverify could not list signatures for
/boot/vmlinuz-$(uname -r) (mention possible causes like missing kernel file or
permission issues) and include the actual sbverify stderr/output instead of
suggesting installation; locate the block using the command -v sbverify check
and the sbverify --list invocation to implement this clearer error message and
surface the real error details.
📥 Commits

Reviewing files that changed from the base of the PR and between d28b37e and eda2410.

📒 Files selected for processing (1)
  • system_files/bluefin/usr/share/ublue-os/just/system.just

Comment thread system_files/bluefin/usr/share/ublue-os/just/system.just
castrojo previously approved these changes Jun 2, 2026
@castrojo castrojo left a comment

Reviewed. LGTM — clean, defensive Secure Boot status recipe.

  • Gracefully handles non-EFI systems (/sys/firmware/efi check), missing mokutil, and missing EFI var files
  • Falls back to raw EFI var read when mokutil is absent — good belt-and-suspenders
  • sbverify --list call is non-fatal on failure, which is correct (kernel file location varies)
  • Scoped to [group('System')] — consistent with the rest of system.just

CI green. ✅ Approved.

@dosubot dosubot Bot added the lgtm (This PR has been approved by a maintainer) label Jun 2, 2026
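
The two behaviours discussed in the reviews above, the raw EFI variable fallback and a failure message that separates a missing sbverify from a failing one, sketched as an added example; this is not the recipe from the PR. `EFI_ROOT`, `sb_state`, `kernel_sig_report` and the overridable tool argument are assumptions introduced for illustration.

```shell
#!/bin/sh
# Added example, not the PR's recipe. EFI_ROOT and the tool argument are
# assumptions so the logic can be exercised without real firmware.
EFI_ROOT="${EFI_ROOT:-/sys/firmware/efi}"
# SecureBoot variable under the EFI global-variable GUID.
SB_VAR="efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Prints one of: not-efi | unknown | enabled | disabled
sb_state() {
    [ -d "$EFI_ROOT" ] || { echo "not-efi"; return 0; }
    var="$EFI_ROOT/$SB_VAR"
    [ -r "$var" ] || { echo "unknown"; return 0; }
    # efivarfs prefixes the payload with 4 attribute bytes; byte 5 is the value.
    val=$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d ' \n')
    case "$val" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Reports kernel signatures, keeping "tool missing" and "tool failed" apart.
# $1 = kernel image, $2 = verifier command (defaults to sbverify).
kernel_sig_report() {
    kernel="$1"
    tool="${2:-sbverify}"
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "$tool not available (install sbsigntools)"
        return 0
    fi
    if out=$("$tool" --list "$kernel" 2>&1); then
        printf '%s\n' "$out"
    else
        rc=$?
        # Surface the tool's own error text instead of suggesting installation.
        echo "$tool could not list signatures for $kernel (exit $rc): $out"
        echo "check that the kernel file exists and is readable"
    fi
    return 0
}

if [ "${1:-}" = "--run" ]; then
    echo "Secure Boot: $(sb_state)"
    kernel_sig_report "/boot/vmlinuz-$(uname -r)"
fi
```

Both functions always return 0, so a failed signature listing stays non-fatal as the approving review describes.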
Adds a ujust check-sb-key command that reports:
- Secure Boot enable/disable state (via mokutil or EFI vars)
- Machine Owner Key (MOK) enrollment status
- Kernel signature verification (sbverify fallback)

Closes #13
Successfully merging this pull request may close these issues.

check-sb-key is missing
