From: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
Date: Fri, 3 May 2024 09:42:09 +0000 (+0200)
Subject: systemd-boot: Allow key enroll in AuditMode
X-Git-Tag: v256-rc2~98
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a23a59b324a022a0b38b5f35d01ee1b2b4edf694;p=thirdparty%2Fsystemd.git

systemd-boot: Allow key enroll in AuditMode

Since AuditMode automatically switches SetupMode on, it should be
authorized to enroll SecureBoot keys.

Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
---

diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index b4decc152d0..79de121f0d2 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -2480,7 +2480,7 @@ static EFI_STATUS secure_boot_discover_keys(Config *config, EFI_FILE *root_dir)
         EFI_STATUS err;
         _cleanup_(file_closep) EFI_FILE *keys_basedir = NULL;
 
-        if (secure_boot_mode() != SECURE_BOOT_SETUP)
+        if (!IN_SET(secure_boot_mode(), SECURE_BOOT_SETUP, SECURE_BOOT_AUDIT))
                 return EFI_SUCCESS;
 
         /* the lack of a 'keys' directory is not fatal and is silently ignored */