secure-boot: tighten enrollment logic a bit regarding file sizes
authorLennart Poettering <lennart@poettering.net>
Tue, 9 Apr 2024 10:39:28 +0000 (12:39 +0200)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Wed, 10 Apr 2024 07:59:37 +0000 (16:59 +0900)
It's OK if the dbx file is not loaded, but let's explicitly check for that
(i.e. whether the buffer is actually non-NULL), rather than checking the size
of the buffer, since empty files actually do exist.

Or in other words, let's not magically suppress enrollment of empty
files, but let uefi firmware handle these on their own.

Follow-up for: 57ea8012d6f0b9a3622d4a84d93020020a3aca3c

src/boot/efi/secure-boot.c

index 63f37318f6868984e70ee3e328399225867512c8..1a7ae637741daa2b5c34fc6ad7441c1412bd629c 100644 (file)
@@ -174,8 +174,9 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool
                         EFI_VARIABLE_RUNTIME_ACCESS |
                         EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
 
-                if (sb_vars[i].size == 0)
+                if (!sb_vars[i].buffer)
                         continue;
+
                 err = efivar_set_raw(&sb_vars[i].vendor, sb_vars[i].name, sb_vars[i].buffer, sb_vars[i].size, sb_vars_opts);
                 if (err != EFI_SUCCESS) {
                         log_error_status(err, "Failed to write %ls secure boot variable: %m", sb_vars[i].name);
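Review bot: The new `if (!sb_vars[i].buffer) continue;` encodes a distinction that is easy to regress — NULL means "file not loaded", while a non-NULL, zero-size buffer is an existing empty file that is now deliberately handed to efivar_set_raw — but nothing in the code says so, and the next reader is likely to "fix" it back to a size check. I would add above the check: `/* NULL = optional input (e.g. dbx) was not loaded. A non-NULL but zero-size buffer is an existing empty file; pass it on and let the firmware accept or reject it rather than skipping silently. */`. Fail-loud is the right call here: with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set on the previous lines, a zero-byte payload cannot carry the authentication header, so I would expect the firmware to reject it and the error to surface at log_error_status rather than leaving an empty PK/KEK/db quietly unenrolled. Note the check applies to every entry in sb_vars, not only dbx; whether a NULL buffer for a required variable such as PK is already rejected before this loop is not visible here and should be confirmed. secure_boot_enroll_at begins and ends outside this hunk.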