| author | Jan Setje-Eilers <jan.setjeeilers@oracle.com> | 2023-05-16 14:31:13 -0700 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2023-12-05 13:20:00 -0500 |
| commit | b078ef274887a4cc0da64fd6668800d1e24a2871 (patch) | |
| tree | d0592257d603e4bd4060c418c15ecd9b5e9af00d | |
| parent | ea0f9dfe8ae49ead3204be4c3166b08cc96fad7e (diff) | |
Always clear SbatLevel when Secure Boot is disabled
Unless an explicit sbat policy is specified, always delete SbatLevel
when secure boot is disabled.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
| -rw-r--r-- | sbat.c | 14 |
1 files changed, 12 insertions, 2 deletions
@@ -434,7 +434,12 @@ set_sbat_uefi_variable(char *sbat_var_previous, char *sbat_var_latest)
 if (EFI_ERROR(efi_status)) {
 dprint("Default sbat policy: previous\n");
- sbat_var = sbat_var_previous;
+ if (secure_mode()) {
+ sbat_var = sbat_var_previous;
+ } else {
+ reset_sbat = true;
+ sbat_var = SBAT_VAR_ORIGINAL;
+ }
 } else {
 switch (sbat_policy) {
 case SBAT_POLICY_LATEST:
@@ -458,7 +463,12 @@ set_sbat_uefi_variable(char *sbat_var_previous, char *sbat_var_latest)
 default:
 console_error(L"SBAT policy state %llu is invalid",
 EFI_INVALID_PARAMETER);
- sbat_var = sbat_var_previous;
+ if (secure_mode()) {
+ sbat_var = sbat_var_previous;
+ } else {
+ reset_sbat = true;
+ sbat_var = SBAT_VAR_ORIGINAL;
+ }
 break;
 }
 } |
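Review bot: In the first hunk the context line `dprint("Default sbat policy: previous\n");` still runs before the new `secure_mode()` check, so with Secure Boot disabled the debug log reports "previous" while the code sets `reset_sbat = true` and selects `SBAT_VAR_ORIGINAL`. Because this branch decides whether the stored SbatLevel revocation data is dropped, the log should name the choice actually made: move that dprint into the `if (secure_mode())` arm and add something like `dprint("Secure Boot disabled: resetting SbatLevel\n");` in the `else` arm. The same six-line fallback is repeated under `default:` in the second hunk (-458,7), also without logging the reset; a small static helper that sets `sbat_var` and `reset_sbat` would keep the two paths in step. The body of set_sbat_uefi_variable starts and ends outside both hunks and secure_mode() is not shown here, so which firmware states it treats as "disabled" should be confirmed against its definition.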
