boot: Add disabled secure boot mode without setup mode
authorJan Janssen <medhefgo@web.de>
Sat, 1 Jan 2022 15:21:42 +0000 (16:21 +0100)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Sun, 2 Jan 2022 14:31:23 +0000 (23:31 +0900)
src/fundamental/efivars-fundamental.c
src/fundamental/efivars-fundamental.h

index 6e22232baa063da937d7ae35f36bae4d015813c4..1eaa45526646ef58afdfe1f34604339daf96e6d7 100644 (file)
@@ -4,6 +4,7 @@
 
 static const sd_char * const table[_SECURE_BOOT_MAX] = {
         [SECURE_BOOT_UNSUPPORTED] = STR_C("unsupported"),
+        [SECURE_BOOT_DISABLED]    = STR_C("disabled"),
         [SECURE_BOOT_UNKNOWN]     = STR_C("unknown"),
         [SECURE_BOOT_AUDIT]       = STR_C("audit"),
         [SECURE_BOOT_DEPLOYED]    = STR_C("deployed"),
@@ -31,6 +32,11 @@ SecureBootMode decode_secure_boot_mode(
         if (!secure && !deployed && !audit && setup)
                 return SECURE_BOOT_SETUP;
 
+        /* Some firmware allows disabling secure boot while not being in
+         * setup mode unless the PK is cleared. */
+        if (!secure && !deployed && !audit && !setup)
+                return SECURE_BOOT_DISABLED;
+
         /* Well, this should not happen. */
         return SECURE_BOOT_UNKNOWN;
 }
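Review bot: The comment added above the `!setup` check is ambiguous, because "unless the PK is cleared" can attach to either clause. A wording such as `/* Some firmware lets the user switch secure boot off while a PK is still enrolled, so we are not in setup mode either. */` states what the branch actually tests. Firmware in this state was previously reported as SECURE_BOOT_UNKNOWN, so it is also worth recording here that DISABLED is reached only with `secure` false, meaning signature enforcement is off. Any caller that gates on enforcement must therefore treat it like SETUP rather than as a safe state, though those callers are not visible in this diff. The body of decode_secure_boot_mode starts outside the hunk.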
index a70810a8d3678bcf8b718190ab4586acadd379b7..94254554652573bac9f4cf8fced2703c1d26d392 100644 (file)
@@ -19,6 +19,7 @@
 
 typedef enum SecureBootMode {
         SECURE_BOOT_UNSUPPORTED,
+        SECURE_BOOT_DISABLED,
         SECURE_BOOT_UNKNOWN,
         SECURE_BOOT_AUDIT,
         SECURE_BOOT_DEPLOYED,
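Review bot: Placing SECURE_BOOT_DISABLED ahead of SECURE_BOOT_UNKNOWN renumbers every enumerator after it. The string table in efivars-fundamental.c uses designated initializers and is unaffected, but anything that stores, logs or orders by the raw integer would silently change meaning; whether such code exists cannot be seen from here. If the values are internal only, a one-line comment above the enum such as `/* Numeric values are not stable; always compare by name. */` would record that. The enum continues past the end of the hunk.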