authorPeter Jones <pjones@redhat.com>2022-05-18 15:14:12 -0400
committerPeter Jones <pjones@redhat.com>2022-05-18 16:37:23 -0400
commita50d3645467fcfef970a00154d6d49494355afc9 (patch)
treec164f3b1affa5e0b5b7d745bedf8504c282060eb
parent5d789ca4cd9121d81357b0edb75f500dfdcc9ab7 (diff)
sbat policy: make our policy change actions symbolic
There are a couple of places where the current code uses bare integers to decode one of our MoK variables. That's bad. This patch replaces them with symbolic names. Signed-off-by: Peter Jones <pjones@redhat.com>
-rw-r--r--include/sbat.h4
-rw-r--r--sbat.c16
2 files changed, 17 insertions, 3 deletions
diff --git a/include/sbat.h b/include/sbat.h
index eb01ee89..904880de 100644
--- a/include/sbat.h
+++ b/include/sbat.h
@@ -63,6 +63,10 @@
#define SBAT_POLICY L"SbatPolicy"
#define SBAT_POLICY8 "SbatPolicy"
+#define SBAT_POLICY_LATEST 1
+#define SBAT_POLICY_PREVIOUS 2
+#define SBAT_POLICY_RESET 3
+
extern UINTN _sbat, _esbat;
struct sbat_var_entry {
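Review bot: The three new SBAT_POLICY_* macros carry no comment saying what they are, and from the sbat.c hunk (`switch (*sbat_policy)`, plus `del_variable(SBAT_POLICY, SHIM_LOCK_GUID)` in the new default branch) they appear to be the stored encoding of the SbatPolicy variable, so their numeric values are an external contract rather than an internal choice. A header comment such as `/* Values of the SbatPolicy variable; persisted, so do not renumber. Any other value is rejected and the variable is deleted. */` would stop a later maintainer from reordering or gap-filling them. Since they are related integer constants, an `enum { SBAT_POLICY_LATEST = 1, SBAT_POLICY_PREVIOUS = 2, SBAT_POLICY_RESET = 3 };` would also make them visible in a debugger and usable in the switch without change, if the file's preference for `#define` is not deliberate. Separately, in the sbat.c default branch the message `L"SBAT policy state %llu is invalid"` is paired only with EFI_INVALID_PARAMETER as the status argument, so the offending value does not look like it is actually passed to the formatter; that hunk runs past the end of this view, so worth confirming against the full function.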
diff --git a/sbat.c b/sbat.c
index 461d4859..1bc34b88 100644
--- a/sbat.c
+++ b/sbat.c
@@ -353,15 +353,15 @@ set_sbat_uefi_variable(void)
sbat_var = SBAT_VAR_PREVIOUS;
} else {
switch (*sbat_policy) {
- case 1:
+ case SBAT_POLICY_LATEST:
dprint("Custom sbat policy: latest\n");
sbat_var = SBAT_VAR_LATEST;
break;
- case 2:
+ case SBAT_POLICY_PREVIOUS:
dprint("Custom sbat policy: previous\n");
sbat_var = SBAT_VAR_PREVIOUS;
break;
- case 3:
+ case SBAT_POLICY_RESET:
if (secure_mode()) {
console_print(L"Cannot reset SBAT policy: Secure Boot is enabled.\n");
sbat_var = SBAT_VAR_PREVIOUS;
@@ -374,6 +374,16 @@ set_sbat_uefi_variable(void)
if (EFI_ERROR(efi_status))
console_error(L"Could not reset SBAT Policy",
efi_status);
+ break;
+ default:
+ console_error(L"SBAT policy state %llu is invalid",
+ EFI_INVALID_PARAMETER);
+ efi_status = del_variable(SBAT_POLICY, SHIM_LOCK_GUID);
+ if (EFI_ERROR(efi_status))
+ console_error(L"Could not reset SBAT Policy",
+ efi_status);
+ sbat_var = SBAT_VAR_PREVIOUS;
+ break;
}
}