Unhook system services as we exit.

If we never find a valid thing to boot, we need to undo the weird things
we've done.

Signed-off-by: Peter Jones <pjones@redhat.com>

3 files changed, 12 insertions, 5 deletions

diff --git a/replacements.c b/replacements.c
index b05b2202..bac5e5d7 100644
--- a/replacements.c
+++ b/replacements.c
@@ -66,7 +66,7 @@ static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services;
 
 extern UINT8 insecure_mode;
 
-static void
+void
 unhook_system_services(void)
 {
 	if (insecure_mode)
diff --git a/replacements.h b/replacements.h
index 806c0386..5b57bc25 100644
--- a/replacements.h
+++ b/replacements.h
@@ -39,5 +39,6 @@ extern verification_method_t verification_method;
 extern int loader_is_participating;
 
 extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab);
+extern void unhook_system_services(void);
 
 #endif /* SHIM_REPLACEMENTS_H */
diff --git a/shim.c b/shim.c
index 502a91dd..c8759a58 100644
--- a/shim.c
+++ b/shim.c
@@ -1767,18 +1767,24 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 
 	efi_status = init_grub(image_handle);
 
+#if defined(OVERRIDE_SECURITY_POLICY)
+	/*
+	 * Clean up the security protocol hook
+	 */
+	security_policy_uninstall();
+#endif
+
 	/*
 	 * If we're back here then clean everything up before exiting
 	 */
 	uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle,
 			  &shim_lock_guid, &shim_lock_interface);
 
-#if defined(OVERRIDE_SECURITY_POLICY)
+
 	/*
-	 * Clean up the security protocol hook
+	 * Remove our hooks from system services.
 	 */
-	security_policy_uninstall();
-#endif
+	unhook_system_services();
 
 	/*
 	 * Free the space allocated for the alternative 2nd stage loader