debian/patches/shim-before-loadimage: Use direct verification first

before LoadImage.  Addresses an issue where Lenovo's SecureBoot
implementation pops an error message on any verification failure - avoid
calling LoadImage at all unless we have to.

1 files changed, 18 insertions, 18 deletions

diff --git a/shim.c b/shim.c
index 6ba33526..256369b7 100644
--- a/shim.c
+++ b/shim.c
@@ -879,39 +879,39 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle)
 		goto done;
 	}
 
-	efi_status = uefi_call_wrapper(BS->LoadImage, 6, FALSE, image_handle,
-				       grubpath, NULL, 0, &grub_handle);
-
-
-	if (efi_status == EFI_SUCCESS) {
-		/* Image validates - start it */
-		Print(L"Starting file via StartImage\n");
-		efi_status = uefi_call_wrapper(BS->StartImage, 3, grub_handle, NULL,
-					       NULL);
-		uefi_call_wrapper(BS->UnloadImage, 1, grub_handle);
-		goto done;
-	}
-
 	efi_status = load_grub(li, &data, &datasize, PathName);
 
 	if (efi_status != EFI_SUCCESS) {
 		Print(L"Failed to load grub\n");
-		goto done;
+		goto load_image_fallback;
 	}
 
 	CopyMem(&li_bak, li, sizeof(li_bak));
 
 	efi_status = handle_grub(data, datasize, li);
 
-	if (efi_status != EFI_SUCCESS) {
-		Print(L"Failed to load grub\n");
+	if (efi_status == EFI_SUCCESS) {
+		efi_status = uefi_call_wrapper(entry_point, 3, image_handle, systab);
 		CopyMem(li, &li_bak, sizeof(li_bak));
 		goto done;
 	}
 
-	efi_status = uefi_call_wrapper(entry_point, 3, image_handle, systab);
-
+	Print(L"Failed to load grub\n");
 	CopyMem(li, &li_bak, sizeof(li_bak));
+
+load_image_fallback:
+	efi_status = uefi_call_wrapper(BS->LoadImage, 6, FALSE, image_handle,
+				       grubpath, NULL, 0, &grub_handle);
+
+
+	if (efi_status == EFI_SUCCESS) {
+		/* Image validates - start it */
+		Print(L"Starting file via StartImage\n");
+		efi_status = uefi_call_wrapper(BS->StartImage, 3, grub_handle, NULL,
+					       NULL);
+		uefi_call_wrapper(BS->UnloadImage, 1, grub_handle);
+	}
+
 done:
 
 	return efi_status;