From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 22 Mar 2022 15:30:34 +0000 (+0100)
Subject: efivars: cache ENOENT as no efi secure boot
X-Git-Tag: v251-rc1~40^2~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3e09ad57c6269eac8d34d5b443757dd81490922e;p=thirdparty%2Fsystemd.git

efivars: cache ENOENT as no efi secure boot

On systems lacking EFI or the SecureBoot efi var the caching of this
info didn#t work, since we'd see ENOENT when reading the var, and cache
that, which we then use as reason to retry next time.

Let's fix that and convert ENOENT to "secure boot", because that's what
it really means. All other errors are left as is (and reason to retry).
But let's add some debug logging for that case.
---

diff --git a/src/basic/efivars.c b/src/basic/efivars.c
index 7a9d1bf6412..957e73a7bf1 100644
--- a/src/basic/efivars.c
+++ b/src/basic/efivars.c
@@ -310,9 +310,17 @@ static int read_flag(const char *variable) {
 
 bool is_efi_secure_boot(void) {
         static int cache = -1;
+        int r;
 
-        if (cache < 0)
-                cache = read_flag(EFI_GLOBAL_VARIABLE(SecureBoot));
+        if (cache < 0) {
+                r = read_flag(EFI_GLOBAL_VARIABLE(SecureBoot));
+                if (r == -ENOENT)
+                        cache = false;
+                else if (r < 0)
+                        log_debug_errno(r, "Error reading SecureBoot EFI variable, assuming not in SecureBoot mode: %m");
+                else
+                        cache = r;
+        }
 
         return cache > 0;
 }