From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Wed, 23 Jul 2025 09:11:34 +0000 (+0100)
Subject: stub: check if security override is available before using it
X-Git-Tag: v258-rc1~4^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F38295%2Fhead;p=thirdparty%2Fsystemd.git

stub: check if security override is available before using it

Avoids fallback that requires it if it is not available. Can
be dropped once support for shim < 16 is no longer needed

Follow-up for 23d56ae890f8e7c8e29ef51e05494e445725d3ff
---

diff --git a/src/boot/linux.c b/src/boot/linux.c
index 655d151481b..d1317a3106c 100644
--- a/src/boot/linux.c
+++ b/src/boot/linux.c
@@ -169,7 +169,7 @@ EFI_STATUS linux_exec(
          *
          * See https://github.com/rhboot/shim/blob/main/README.md#shim-loader-protocol
          */
-        if (secure_boot_enabled() && (shim_loader_available() || shim_loaded()))
+        if (secure_boot_enabled() && (shim_loader_available() || (shim_loaded() && security_override_available())))
                 return load_via_boot_services(
                                 parent,
                                 parent_loaded_image,
diff --git a/src/boot/secure-boot.c b/src/boot/secure-boot.c
index 883e8487e47..dd3757aa5cc 100644
--- a/src/boot/secure-boot.c
+++ b/src/boot/secure-boot.c
@@ -262,6 +262,7 @@ static EFIAPI EFI_STATUS security2_hook(
  * of their spec. But there is little else we can do to circumvent secure boot short of implementing our own
  * PE loader. We could replace the firmware instances with our own instance using
  * ReinstallProtocolInterface(), but some firmware will still use the old ones. */
+// TODO: now that there is a custom PE loader, this can be dropped once shim < v16 is no longer supported.
 void install_security_override(security_validator_t validator, const void *validator_ctx) {
         EFI_STATUS err;
 
@@ -292,6 +293,14 @@ void install_security_override(security_validator_t validator, const void *valid
         }
 }
 
+bool security_override_available(void) {
+        EFI_SECURITY_ARCH_PROTOCOL *security;
+        EFI_SECURITY2_ARCH_PROTOCOL *security2;
+
+        return BS->LocateProtocol(MAKE_GUID_PTR(EFI_SECURITY_ARCH_PROTOCOL), NULL, (void **) &security) == EFI_SUCCESS &&
+               BS->LocateProtocol(MAKE_GUID_PTR(EFI_SECURITY2_ARCH_PROTOCOL), NULL, (void **) &security2) == EFI_SUCCESS;
+}
+
 void uninstall_security_override(void) {
         if (security_override.original_hook)
                 security_override.security->FileAuthenticationState = security_override.original_hook;
diff --git a/src/boot/secure-boot.h b/src/boot/secure-boot.h
index da5eccb6157..12f764c8a40 100644
--- a/src/boot/secure-boot.h
+++ b/src/boot/secure-boot.h
@@ -31,6 +31,7 @@ typedef bool (*security_validator_t)(
 
 void install_security_override(security_validator_t validator, const void *validator_ctx);
 void uninstall_security_override(void);
+bool security_override_available(void);
 
 const char* secure_boot_enroll_to_string(secure_boot_enroll e) _const_;
 const char* secure_boot_enroll_action_to_string(secure_boot_enroll_action e) _const_;