
Commit 52e51f1

Ard Biesheuvel authored and Ingo Molnar committed
efi/libstub: Treat missing SecureBoot variable as Secure Boot disabled
The newly refactored code that infers the firmware's Secure Boot state prints the following error when the EFI variable 'SecureBoot' does not exist:

  EFI stub: ERROR: Could not determine UEFI Secure Boot status.

However, this variable is only guaranteed to be defined on a system that is Secure Boot capable to begin with, and so it is not an error if it is missing. So report Secure Boot as being disabled in this case, without printing any error messages.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/1488395076-29712-2-git-send-email-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
1 parent 4977ab6 commit 52e51f1

1 file changed: +2 -2 lines changed
drivers/firmware/efi/libstub/secureboot.c

Lines changed: 2 additions & 2 deletions
@@ -45,6 +45,8 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
4545
size = sizeof(secboot);
4646
status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
4747
NULL, &size, &secboot);
48+
if (status == EFI_NOT_FOUND)
49+
return efi_secureboot_mode_disabled;
4850
if (status != EFI_SUCCESS)
4951
goto out_efi_err;
5052
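
Review bot: The new `EFI_NOT_FOUND` early return placed right after the `get_efi_var()` call for `efi_SecureBoot_name` carries no comment, although it encodes a security-relevant policy: a missing variable is reported as `efi_secureboot_mode_disabled` and nothing is logged. A one-line comment above the check, saying that SecureBoot is only guaranteed to exist on Secure Boot capable firmware, would keep that rationale in the code and not only in the commit message.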

@@ -78,7 +80,5 @@ enum efi_secureboot_mode efi_get_secureboot(efi_system_table_t *sys_table_arg)
7880

7981
out_efi_err:
8082
pr_efi_err(sys_table_arg, "Could not determine UEFI Secure Boot status.\n");
81-
if (status == EFI_NOT_FOUND)
82-
return efi_secureboot_mode_disabled;
8383
return efi_secureboot_mode_unknown;
8484
}
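
Review bot: Dropping the `EFI_NOT_FOUND` check under `out_efi_err:` changes the result for every path that jumps to this label, not only the SecureBoot lookup handled in the first hunk. Any other `goto out_efi_err` in the lines between the two hunks that arrives with `EFI_NOT_FOUND` now prints the error and returns `efi_secureboot_mode_unknown`, where it used to return `efi_secureboot_mode_disabled`. Please confirm that this is intended for those paths and mention it in the commit message, which currently only describes the SecureBoot variable.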
