From: Jan Janssen Date: Sat, 1 Jan 2022 15:21:42 +0000 (+0100) Subject: boot: Add disabled secure boot mode without setup mode X-Git-Tag: v251-rc1~616 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d9fd84fc5d829fdfb2fe6a1609850d6e2690ff1e;p=thirdparty%2Fsystemd.git boot: Add disabled secure boot mode without setup mode --- diff --git a/src/fundamental/efivars-fundamental.c b/src/fundamental/efivars-fundamental.c index 6e22232baa0..1eaa4552664 100644 --- a/src/fundamental/efivars-fundamental.c +++ b/src/fundamental/efivars-fundamental.c @@ -4,6 +4,7 @@ static const sd_char * const table[_SECURE_BOOT_MAX] = { [SECURE_BOOT_UNSUPPORTED] = STR_C("unsupported"), + [SECURE_BOOT_DISABLED] = STR_C("disabled"), [SECURE_BOOT_UNKNOWN] = STR_C("unknown"), [SECURE_BOOT_AUDIT] = STR_C("audit"), [SECURE_BOOT_DEPLOYED] = STR_C("deployed"), @@ -31,6 +32,11 @@ SecureBootMode decode_secure_boot_mode( if (!secure && !deployed && !audit && setup) return SECURE_BOOT_SETUP; + /* Some firmware allows disabling secure boot while not being in + * setup mode unless the PK is cleared. */ + if (!secure && !deployed && !audit && !setup) + return SECURE_BOOT_DISABLED; + /* Well, this should not happen. */ return SECURE_BOOT_UNKNOWN; } diff --git a/src/fundamental/efivars-fundamental.h b/src/fundamental/efivars-fundamental.h index a70810a8d36..94254554652 100644 --- a/src/fundamental/efivars-fundamental.h +++ b/src/fundamental/efivars-fundamental.h @@ -19,6 +19,7 @@ typedef enum SecureBootMode { SECURE_BOOT_UNSUPPORTED, + SECURE_BOOT_DISABLED, SECURE_BOOT_UNKNOWN, SECURE_BOOT_AUDIT, SECURE_BOOT_DEPLOYED,
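Review bot: The comment on the new `!secure && !deployed && !audit && !setup` branch in decode_secure_boot_mode() is hard to parse and does not say what the state means for security: enforcement is switched off while a platform key is still enrolled. I would reword it along the lines of `/* SecureBoot=0 and SetupMode=0: the firmware has enforcement turned off, but the PK is still enrolled. */`. The callers are not visible in this hunk. If any of them substitutes false for a variable it could not read, a missing variable would now be reported as "disabled" instead of "unknown", so that is worth confirming. The function's signature and its earlier branches lie outside the hunk.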
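Review bot: Placing SECURE_BOOT_DISABLED between SECURE_BOOT_UNSUPPORTED and SECURE_BOOT_UNKNOWN in efivars-fundamental.h renumbers every enumerator that follows it. That is harmless while the values are used only symbolically and through the string table, but this hunk does not show whether any code orders modes numerically or passes the integer between separately built components. If it does, adding the new value at the end of the list would be safer. A short comment on the new member, for example `SECURE_BOOT_DISABLED, /* SecureBoot=0, SetupMode=0 */`, would also record which firmware state it stands for. The rest of the enum lies outside the hunk.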