From e60015f574024584e43d1b3b245551e864aa8c4d Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Tue, 21 Nov 2023 18:09:59 +0100 Subject: [PATCH] efi: Set shim_lock_enabled even if validation is disabled If validation has been disabled via MokSbState, secure boot on the firmware is still enabled, and the kernel fails to boot. This is a bit hacky, because shim_lock is not *fully* enabled, but it triggers the right code paths. Ultimately, all this will be resolved by shim gaining it's own image loading and starting protocol, so this is more a temporary workaround. Fixes: 6425c12cd (efi: Fallback to legacy mode if shim is loaded on x86 archs) Cc: Peter Jones Cc: Michael Chang Signed-off-by: Julian Andres Klode Reviewed-by: Daniel Kiper --- grub-core/kern/efi/sb.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c index 60550a6da..8d3e41360 100644 --- a/grub-core/kern/efi/sb.c +++ b/grub-core/kern/efi/sb.c @@ -95,6 +95,14 @@ grub_efi_get_secureboot (void) if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1) { secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED; + /* + * TODO: Replace this all with shim's LoadImage protocol, delegating policy to it. + * + * We need to set shim_lock_enabled here because we disabled secure boot + * validation *inside* shim but not in the firmware, so we set this variable + * here to trigger that code path, whereas the actual verifier is not enabled. + */ + shim_lock_enabled = true; goto out; } -- 2.47.2
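Review bot: Setting shim_lock_enabled = true in the same branch that sets secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED makes the flag mean "route through the shim code paths" rather than "the shim_lock verifier is active", so any other caller that reads shim_lock_enabled as proof of verification is now wrong; please spell that out at the flag's declaration (not only in this block comment) and say in the commit message which code paths the flag is meant to trigger. The visible lines also do not consult the firmware's SecureBoot state before setting the flag; if the earlier part of grub_efi_get_secureboot() does not already return when firmware Secure Boot is off, this branch should check it, since the commit message's rationale ("secure boot on the firmware is still enabled") is otherwise an assumption. Minor: the first comment line, "TODO: Replace this all with shim's LoadImage protocol, delegating policy to it.", exceeds 80 columns once indented; wrap it.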