From: Lennart Poettering
Date: Tue, 9 Apr 2024 10:39:28 +0000 (+0200)
Subject: secure-boot: tighten enrollment logic a bit regarding file sizes
X-Git-Tag: v256-rc1~240
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5538b62f59f126d5a1761697417ff5cd7e2c77b1;p=thirdparty%2Fsystemd.git

secure-boot: tighten enrollment logic a bit regarding file sizes

It's OK if the dbx file is not loaded, but let's explicitly check for that (i.e. if the buffer is actually non-NULL), rather than the size of the buffer, since empty files actually do exist. Or in other words, let's not magically suppress enrollment of empty files, but let uefi firmware handle these on their own.

Follow-up for: 57ea8012d6f0b9a3622d4a84d93020020a3aca3c
---
diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c index 63f37318f68..1a7ae637741 100644 --- a/src/boot/efi/secure-boot.c +++ b/src/boot/efi/secure-boot.c @@ -174,8 +174,9 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS; - if (sb_vars[i].size == 0) + if (!sb_vars[i].buffer) continue; + err = efivar_set_raw(&sb_vars[i].vendor, sb_vars[i].name, sb_vars[i].buffer, sb_vars[i].size, sb_vars_opts); if (err != EFI_SUCCESS) { log_error_status(err, "Failed to write %ls secure boot variable: %m", sb_vars[i].name);
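Review bot: the new `if (!sb_vars[i].buffer) continue;` check only does what the commit message describes if the code that fills `sb_vars[]` leaves `buffer` NULL for a file that was not loaded and allocates a (possibly zero-length) buffer for a file that exists but is empty; that invariant is not visible in this hunk, so a one-line comment above the check stating it ("buffer is NULL only when the file was not loaded; empty files are passed through to the firmware") would keep a later reader from reintroducing the `size == 0` shortcut. Note also that an empty file now reaches `efivar_set_raw()` with `size` 0 under `EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS`, so a firmware rejection of such a payload will surface through the existing `log_error_status(err, "Failed to write %ls secure boot variable: %m", ...)` path rather than being silently skipped as before, which matches the stated intent but is a user-visible behaviour change worth calling out in the message.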