Make sure we default to assuming we're locked down.

If "SecureBoot" exists but "SetupMode" does not, assume "SetupMode" says we're not in Setup Mode. Signed-off-by: Peter Jones <pjones@redhat.com>
author: Peter Jones <pjones@redhat.com> 2014-06-25 10:55:56 -0400
committer: Peter Jones <pjones@redhat.com> 2014-06-25 10:55:56 -0400
commit: 9ea3d9b401ed73ae95b60e6b566f9293af3ac4d7 (patch)
tree: 9a6c818be0a99eb80d7ce165cb31b90ecae4eb04 /shim.c
parent: 7a72592b75879542e9ebd808868f83a78bdfbbc6 (diff)
download: efi-boot-shim-9ea3d9b401ed73ae95b60e6b566f9293af3ac4d7.tar.gz
efi-boot-shim-9ea3d9b401ed73ae95b60e6b566f9293af3ac4d7.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/shim.c b/shim.c
index 14fb601c..fe73ec1a 100644
--- a/shim.c
+++ b/shim.c
@@ -484,7 +484,13 @@ static BOOLEAN secure_mode (void)
 		return FALSE;
 	}
 
-	if (variable_is_setupmode() == 1) {
+	/* If we /do/ have "SecureBoot", but /don't/ have "SetupMode",
+	 * then the implementation is bad, but we assume that secure boot is
+	 * enabled according to the status of "SecureBoot".  If we have both
+	 * of them, then "SetupMode" may tell us additional data, and we need
+	 * to consider it.
+	 */
+	if (variable_is_setupmode(0) == 1) {
 		if (verbose && !in_protocol)
 			console_notify(L"Platform is in setup mode");
 		return FALSE;
author	Peter Jones <pjones@redhat.com>	2014-06-25 10:55:56 -0400
committer	Peter Jones <pjones@redhat.com>	2014-06-25 10:55:56 -0400
commit	9ea3d9b401ed73ae95b60e6b566f9293af3ac4d7 (patch)
tree	9a6c818be0a99eb80d7ce165cb31b90ecae4eb04 /shim.c
parent	7a72592b75879542e9ebd808868f83a78bdfbbc6 (diff)
download	efi-boot-shim-9ea3d9b401ed73ae95b60e6b566f9293af3ac4d7.tar.gz efi-boot-shim-9ea3d9b401ed73ae95b60e6b566f9293af3ac4d7.zip