<para>Controls enrollment of secure boot keys found on the ESP if the system is in setup mode:
<variablelist>
<varlistentry>
- <term><option>off</option></term>
- <listitem><para>No action is taken.</para>
+ <term><option>if-safe</option></term>
+ <listitem><para>This is the default. Same behavior as <option>manual</option>, but will try to automatically
+ enroll the key named <literal>auto</literal> if it is considered to be safe. Currently, this is only
+ the case if the system is running inside a virtual machine.</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
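Review bot: the reordered `if-safe` entry now states "This is the default." but still leaves "considered to be safe" undefined beyond the one condition; the sentence "Currently, this is only the case if the system is running inside a virtual machine" gives the condition, not the reason a VM qualifies. Add the rationale in one clause and state explicitly that on any other system this mode behaves exactly like `manual`, so readers can judge whether the new default is acceptable for their deployment.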
</varlistentry>
<varlistentry>
- <term><option>if-safe</option></term>
- <listitem><para>Same behavior as <option>manual</option>, but will try to automatically
- enroll the key <literal>auto</literal> if it is considered to be safe. Currently, this is only
- the case if the system is running inside a virtual machine.</para>
+ <term><option>off</option></term>
+ <listitem><para>No action is taken.</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
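Review bot: the moved `off` entry still reads only "No action is taken.", while the source comment being removed in this change ("we do not even search for keys on the ESP") says that `off` also skips the key search. Spell that out here, e.g. "Keys found on the ESP are neither searched for nor enrolled, and no menu entries are created for them", so the documented guarantee matches the loader's behaviour.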
<para>Enrollment of Secure Boot variables can be performed manually or automatically if files are available
under <filename>/loader/keys/<replaceable>NAME</replaceable>/{db,dbx,KEK,PK}.auth</filename>, <replaceable>NAME</replaceable>
being the display name for the set of variables in the menu. If one of the sets is named <filename>auto</filename>
- then it might be enrolled automatically depending on whether <literal>secure-boot-enroll</literal> is set
- to force or not.</para>
+ then it might be enrolled automatically depending on the execution environment and the value of the <literal>secure-boot-enroll</literal> option.
+ See
+ <citerefentry><refentrytitle>loader.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
</refsect1>
<refsect1>
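Review bot: "depending on the execution environment and the value of the `secure-boot-enroll` option" is vaguer than the text it replaces ("depending on whether `secure-boot-enroll` is set to force or not"). Since the option list above already enumerates the modes, name the triggering ones here, e.g. "automatically if `secure-boot-enroll` is set to `force`, or to `if-safe` while the system is running inside a virtual machine", and keep the loader.conf(5) cross-reference for the full description.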
config_add_system_entries(config);
- /* Find secure boot signing keys and autoload them if configured. Otherwise, create menu entries so
- * that the user can load them manually. If the secure-boot-enroll variable is set to no (the
- * default), we do not even search for keys on the ESP */
+ /* Using the rules defined by the `secure-boot-enroll` variable, find secure boot signing keys
+ * and perform operations like autoloading them or create menu entries if configured. */
(void) secure_boot_discover_keys(config, root_dir);
if (config->n_entries == 0)
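Review bot: the replacement comment drops two statements the old one made: what the default value is, and that with the option disabled no key files are read from the ESP ("we do not even search for keys on the ESP"). The default has changed (now `if-safe` per the man page hunk), so restating it here keeps the comment and documentation in sync, and if `off` still short-circuits the search inside `secure_boot_discover_keys()` that is the security-relevant guarantee worth keeping in the comment. Also fix the parallelism in the new text: "perform operations like autoloading them or creating menu entries".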