On systems lacking EFI or the SecureBoot efi var the caching of this
info didn't work, since we'd see ENOENT when reading the var, and cache
that, which we then use as reason to retry next time.
Let's fix that and convert ENOENT to "secure boot", because that's what
it really means. All other errors are left as is (and reason to retry).
But let's add some debug logging for that case.
bool is_efi_secure_boot(void) {
static int cache = -1;
+ int r;
- if (cache < 0)
- cache = read_flag(EFI_GLOBAL_VARIABLE(SecureBoot));
+ if (cache < 0) {
+ r = read_flag(EFI_GLOBAL_VARIABLE(SecureBoot));
+ if (r == -ENOENT)
+ cache = false;
+ else if (r < 0)
+ log_debug_errno(r, "Error reading SecureBoot EFI variable, assuming not in SecureBoot mode: %m");
+ else
+ cache = r;
+ }
return cache > 0;
}
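Review bot: In the `else if (r < 0)` branch, `cache` is left at -1, so the function returns false for any read failure and every later call repeats the read and the debug log line. A boolean return cannot tell "Secure Boot off" from "state unknown", so a comment above the function should state that an unreadable variable is reported as not in Secure Boot mode and is retried on the next call. The commit message also says ENOENT is converted to "secure boot", while `cache = false` records the opposite, so the message should say "no secure boot". Minor: `r` is only used inside the `if (cache < 0)` block and could be declared there.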