authorJan Janssen <medhefgo@web.de>2022-01-01 16:21:42 +0100
committerYu Watanabe <watanabe.yu+github@gmail.com>2022-01-02 23:31:23 +0900
commitd9fd84fc5d829fdfb2fe6a1609850d6e2690ff1e (patch)
tree07c3b52f969121c8ccdea80e44ded59ec2bb1565 /src/fundamental
parent7bd3d6e35a6de8b1bf93e2fae28a64f0c7ffd2ac (diff)
boot: Add disabled secure boot mode without setup mode
Diffstat (limited to 'src/fundamental')
-rw-r--r--src/fundamental/efivars-fundamental.c6
-rw-r--r--src/fundamental/efivars-fundamental.h1
2 files changed, 7 insertions, 0 deletions
diff --git a/src/fundamental/efivars-fundamental.c b/src/fundamental/efivars-fundamental.c
index 6e22232baa..1eaa455266 100644
--- a/src/fundamental/efivars-fundamental.c
+++ b/src/fundamental/efivars-fundamental.c
@@ -4,6 +4,7 @@
static const sd_char * const table[_SECURE_BOOT_MAX] = {
[SECURE_BOOT_UNSUPPORTED] = STR_C("unsupported"),
+ [SECURE_BOOT_DISABLED] = STR_C("disabled"),
[SECURE_BOOT_UNKNOWN] = STR_C("unknown"),
[SECURE_BOOT_AUDIT] = STR_C("audit"),
[SECURE_BOOT_DEPLOYED] = STR_C("deployed"),
@@ -31,6 +32,11 @@ SecureBootMode decode_secure_boot_mode(
if (!secure && !deployed && !audit && setup)
return SECURE_BOOT_SETUP;
+ /* Some firmware allows disabling secure boot while not being in
+ * setup mode unless the PK is cleared. */
+ if (!secure && !deployed && !audit && !setup)
+ return SECURE_BOOT_DISABLED;
+
/* Well, this should not happen. */
return SECURE_BOOT_UNKNOWN;
}
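Review bot: The new all-false branch returns SECURE_BOOT_DISABLED for an input that previously fell through to SECURE_BOOT_UNKNOWN, so it is only correct when every flag was actually read from firmware. The callers are not visible in this diff; if any of them leaves `deployed`, `audit` or `setup` at false when the corresponding variable cannot be read, a read failure would now be reported as a definite "disabled" state instead of "unknown". I would state that precondition next to the check, e.g. `/* Callers must not map a failed variable read to false here, or a read error is reported as "disabled". */`. The function starts above the hunk, so the earlier branches could not be checked.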
diff --git a/src/fundamental/efivars-fundamental.h b/src/fundamental/efivars-fundamental.h
index a70810a8d3..9425455465 100644
--- a/src/fundamental/efivars-fundamental.h
+++ b/src/fundamental/efivars-fundamental.h
@@ -19,6 +19,7 @@
typedef enum SecureBootMode {
SECURE_BOOT_UNSUPPORTED,
+ SECURE_BOOT_DISABLED,
SECURE_BOOT_UNKNOWN,
SECURE_BOOT_AUDIT,
SECURE_BOOT_DEPLOYED,
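Review bot: Adding SECURE_BOOT_DISABLED in the middle of the enum renumbers SECURE_BOOT_UNKNOWN and every constant after it. The string table in efivars-fundamental.c uses designated initializers, so name lookup is unaffected, but any code outside this diff that stores the numeric value or orders modes with `<`/`>` would silently change meaning. If that cannot be ruled out, append the new constant just before `_SECURE_BOOT_MAX` (presumably the last enumerator), or add a comment such as `/* Numeric values are not stable; compare by name only. */`. The enum continues past the end of the hunk.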