authorJan Setje-Eilers <jan.setjeeilers@oracle.com>2022-05-24 11:49:44 -0700
committerPeter Jones <pjones@redhat.com>2022-05-24 16:27:48 -0400
commit77144e5a404df89b45941bfc54fd2f59e0ee607b (patch)
treefab5a31103c04b7e2c190b788054945afd9318ba
parentc0bcd04f5abe9d6efe04e7d8727fa4afe4d46eff (diff)
SBAT Policy latest should be a one-shot
Since booting from removable media can be hard to detect, setting a persistent latest SBAT policy is risky in a typical client system. This changes latest to be a one-shot operation that could be set at the time of an OS update if desired. Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
-rw-r--r--sbat.c21
1 files changed, 13 insertions, 8 deletions
diff --git a/sbat.c b/sbat.c
index 637df5ec..9b872082 100644
--- a/sbat.c
+++ b/sbat.c
@@ -369,6 +369,16 @@ preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes,
return false;
}
+static void
+clear_sbat_policy()
+{
+ EFI_STATUS efi_status = EFI_SUCCESS;
+
+ efi_status = del_variable(SBAT_POLICY, SHIM_LOCK_GUID);
+ if (EFI_ERROR(efi_status))
+ console_error(L"Could not reset SBAT Policy", efi_status);
+}
+
EFI_STATUS
set_sbat_uefi_variable(void)
{
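Review bot: The new helper is declared as `clear_sbat_policy()` with an empty parameter list, which in C is an old-style declaration rather than a prototype and turns off argument checking at call sites; write it as `static void clear_sbat_policy(void)`. The `= EFI_SUCCESS` initializer on `efi_status` is overwritten on the very next line and can be folded into the call, `EFI_STATUS efi_status = del_variable(SBAT_POLICY, SHIM_LOCK_GUID);`. The helper also deserves a one-line comment explaining why the variable is removed, e.g. `/* SBAT_POLICY is a one-shot request: delete it so it does not persist across reboots. */`, and since a failed deletion is only reported via console_error, callers should not assume the variable is gone afterwards.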
@@ -394,6 +404,7 @@ set_sbat_uefi_variable(void)
case SBAT_POLICY_LATEST:
dprint("Custom sbat policy: latest\n");
sbat_var = SBAT_VAR_LATEST;
+ clear_sbat_policy();
break;
case SBAT_POLICY_PREVIOUS:
dprint("Custom sbat policy: previous\n");
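Review bot: In the SBAT_POLICY_LATEST case the policy variable is deleted as soon as `sbat_var` is selected, before the chosen value is persisted to the SBAT variable later in set_sbat_uefi_variable (outside this hunk, so the exact write point cannot be confirmed here). If that later write fails, the one-shot "latest" request has already been consumed and the next boot silently proceeds with the previous policy with no retry. Consider moving the `clear_sbat_policy();` call to after the SBAT write has succeeded, or at minimum document the intended order with a comment such as `/* one-shot: the request is consumed here even if the write below fails */`.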
@@ -408,19 +419,13 @@ set_sbat_uefi_variable(void)
reset_sbat = true;
sbat_var = SBAT_VAR_ORIGINAL;
}
- efi_status = del_variable(SBAT_POLICY, SHIM_LOCK_GUID);
- if (EFI_ERROR(efi_status))
- console_error(L"Could not reset SBAT Policy",
- efi_status);
+ clear_sbat_policy();
break;
default:
console_error(L"SBAT policy state %llu is invalid",
EFI_INVALID_PARAMETER);
- efi_status = del_variable(SBAT_POLICY, SHIM_LOCK_GUID);
- if (EFI_ERROR(efi_status))
- console_error(L"Could not reset SBAT Policy",
- efi_status);
sbat_var = SBAT_VAR_PREVIOUS;
+ clear_sbat_policy();
break;
}
}