stub: check if security override is available before using it 38295/head
authorLuca Boccassi <luca.boccassi@gmail.com>
Wed, 23 Jul 2025 09:11:34 +0000 (10:11 +0100)
committerLuca Boccassi <luca.boccassi@gmail.com>
Wed, 23 Jul 2025 09:29:19 +0000 (10:29 +0100)
Avoids the fallback that requires the security override when it is not
available. Can be dropped once support for shim < 16 is no longer needed.

Follow-up for 23d56ae890f8e7c8e29ef51e05494e445725d3ff

src/boot/linux.c
src/boot/secure-boot.c
src/boot/secure-boot.h

index 655d151481bae9f5ff793d9a7153cc845097ddb0..d1317a3106c745e67fbd09bd681f5785bbf6f5c4 100644 (file)
@@ -169,7 +169,7 @@ EFI_STATUS linux_exec(
          *
          * See https://github.com/rhboot/shim/blob/main/README.md#shim-loader-protocol
          */
-        if (secure_boot_enabled() && (shim_loader_available() || shim_loaded()))
+        if (secure_boot_enabled() && (shim_loader_available() || (shim_loaded() && security_override_available())))
                 return load_via_boot_services(
                                 parent,
                                 parent_loaded_image,
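Review bot: The comment block that ends just above this condition should describe the case the new clause introduces: Secure Boot on, an older shim loaded, and the security arch protocols missing, where the image no longer goes through `load_via_boot_services()`. Which code then loads the kernel is outside this hunk, so a reader cannot tell from here whether that path is meant to be acceptable under Secure Boot. I would add a line such as `* With shim < 16 the boot-services path depends on the security override; if the firmware lacks the security arch protocols we skip it and use the loader below instead.` The start of that comment and the rest of linux_exec() are outside the hunk.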
index 883e8487e479d77b64dee8c3187f6317b4a5b7e0..dd3757aa5ccf1aba26016cfb3db6751d1c393e88 100644 (file)
@@ -262,6 +262,7 @@ static EFIAPI EFI_STATUS security2_hook(
  * of their spec. But there is little else we can do to circumvent secure boot short of implementing our own
  * PE loader. We could replace the firmware instances with our own instance using
  * ReinstallProtocolInterface(), but some firmware will still use the old ones. */
+// TODO: now that there is a custom PE loader, this can be dropped once shim < v16 is no longer supported.
 void install_security_override(security_validator_t validator, const void *validator_ctx) {
         EFI_STATUS err;
 
@@ -292,6 +293,14 @@ void install_security_override(security_validator_t validator, const void *valid
         }
 }
 
+bool security_override_available(void) {
+        EFI_SECURITY_ARCH_PROTOCOL *security;
+        EFI_SECURITY2_ARCH_PROTOCOL *security2;
+
+        return BS->LocateProtocol(MAKE_GUID_PTR(EFI_SECURITY_ARCH_PROTOCOL), NULL, (void **) &security) == EFI_SUCCESS &&
+               BS->LocateProtocol(MAKE_GUID_PTR(EFI_SECURITY2_ARCH_PROTOCOL), NULL, (void **) &security2) == EFI_SUCCESS;
+}
+
 void uninstall_security_override(void) {
         if (security_override.original_hook)
                 security_override.security->FileAuthenticationState = security_override.original_hook;
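Review bot: security_override_available() has no comment stating its contract, and the `&&` is the part that needs explaining. It reports the override as usable only when both EFI_SECURITY_ARCH_PROTOCOL and EFI_SECURITY2_ARCH_PROTOCOL can be located, while uninstall_security_override() just below guards `original_hook` with its own check, which suggests the two hooks may be installed independently. If requiring both is deliberate, say so above the function, e.g. `/* Returns true only if both EFI_SECURITY_ARCH_PROTOCOL and EFI_SECURITY2_ARCH_PROTOCOL can be located; callers must not rely on install_security_override() otherwise. */`, and repeat it on the declaration in secure-boot.h. Most of install_security_override() is outside this hunk, so whether it tolerates a single protocol is inferred rather than visible here.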
index da5eccb6157bc9c05e823dd2e4b5ae25f11abd93..12f764c8a40fb9a21a655157dc04012a00118e78 100644 (file)
@@ -31,6 +31,7 @@ typedef bool (*security_validator_t)(
 
 void install_security_override(security_validator_t validator, const void *validator_ctx);
 void uninstall_security_override(void);
+bool security_override_available(void);
 
 const char* secure_boot_enroll_to_string(secure_boot_enroll e) _const_;
 const char* secure_boot_enroll_action_to_string(secure_boot_enroll_action e) _const_;