From: Colin Walters Date: Thu, 4 Dec 2025 19:00:16 +0000 (-0500) Subject: man: Clarify secure-boot-enroll defaults X-Git-Tag: v259-rc3~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3c85d99c79a7ebb5256a97d07724550a9cb42d69;p=thirdparty%2Fsystemd.git man: Clarify secure-boot-enroll defaults Clarify in the docs that `if-safe` is the default by noting that in the text for it, but also moving it to the first mentioned option. Make explicit in `man systemd-boot` that the `secure-boot-enroll` option is specified in the `loader.conf` Update an outdated comment in boot.c around the same. Signed-off-by: Colin Walters --- diff --git a/man/loader.conf.xml b/man/loader.conf.xml index 56026da20d7..1e242c23601 100644 --- a/man/loader.conf.xml +++ b/man/loader.conf.xml @@ -293,8 +293,10 @@ Controls enrollment of secure boot keys found on the ESP if the system is in setup mode: - - No action is taken. + + This is the default. Same behavior as , but will try to automatically + enroll the key named auto if it is considered to be safe. Currently, this is only + the case if the system is running inside a virtual machine. @@ -308,10 +310,8 @@ - - Same behavior as , but will try to automatically - enroll the key auto if it is considered to be safe. Currently, this is only - the case if the system is running inside a virtual machine. + + No action is taken. diff --git a/man/systemd-boot.xml b/man/systemd-boot.xml index 0924b4ee887..65be783df7d 100644 --- a/man/systemd-boot.xml +++ b/man/systemd-boot.xml 
@@ -392,8 +392,9 @@ Enrollment of Secure Boot variables can be performed manually or automatically if files are available under /loader/keys/NAME/{db,dbx,KEK,PK}.auth, NAME being the display name for the set of variables in the menu. If one of the sets is named auto - then it might be enrolled automatically depending on whether secure-boot-enroll is set - to force or not. + then it might be enrolled automatically depending on the execution environment and the value of the secure-boot-enroll option. + See + loader.conf5. diff --git a/src/boot/boot.c b/src/boot/boot.c index 5df8a6ed565..aa38ff18ee2 100644 --- a/src/boot/boot.c +++ b/src/boot/boot.c @@ -2997,9 +2997,8 @@ static void config_load_all_entries( config_add_system_entries(config); - /* Find secure boot signing keys and autoload them if configured. Otherwise, create menu entries so - * that the user can load them manually. If the secure-boot-enroll variable is set to no (the - * default), we do not even search for keys on the ESP */ + /* Using the rules defined by the `secure-boot-enroll` variable, find secure boot signing keys + * and perform operations like autoloading them or create menu entries if configured. */ (void) secure_boot_discover_keys(config, root_dir); if (config->n_entries == 0)
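Review bot: In the first loader.conf.xml hunk (@@ -293,8), the `if-safe` entry that now leads the list opens with "This is the default. Same behavior as ..., but ..." and so refers to an option that is only described further down; the reader who meets the default first gets no self-contained description of it. Since the entry was moved to the top precisely because it is the default, suggest stating the behavior outright here (keys found on the ESP are offered as menu entries, and the set named `auto` is additionally enrolled when considered safe) and letting the later entries say "Same behavior as if-safe, but ...". A short clause on why enrollment is considered safe only inside a virtual machine would also help, since that restriction is what makes automatic enrollment of PK/KEK/db in setup mode acceptable as a default.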
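Review bot: In the second loader.conf.xml hunk (@@ -308,10), the option that was moved down is now documented only as "No action is taken.", while the comment being removed from boot.c stated that with this setting systemd-boot does not even search the ESP for keys. If that is still the behavior, say so here, e.g. "No action is taken: keys found on the ESP are neither enrolled nor offered in the boot menu." As written, a reader cannot tell whether this value still produces menu entries for manual enrollment.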
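Review bot: In the systemd-boot.xml hunk (@@ -392,8), the commit message says the man page should make explicit that `secure-boot-enroll` is set in loader.conf, but the hunk only appends a bare "See loader.conf5." reference; the sentence itself never mentions the file. Suggest "... depending on the execution environment and the value of the secure-boot-enroll option in loader.conf5." so the point survives without the trailing cross-reference. The replacement line "then it might be enrolled automatically depending on the execution environment and the value of the secure-boot-enroll option." is also much longer than the neighbouring lines and should be wrapped to the file's existing width.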
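Review bot: In the boot.c hunk (@@ -2997,9), the new comment mixes verb forms ("autoloading them or create menu entries") and is vaguer than the text it replaces, which at least said what the menu entries are for. Suggest "Using the rules defined by the `secure-boot-enroll` variable, find secure boot signing keys on the ESP and either autoload them or create menu entries so that the user can enroll them manually." Dropping the stale "set to no (the default)" claim is the right call; keep the default out of this comment so it cannot drift from loader.conf(5) again.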