From e02bb35a160d3b0fec07adbfb2f730031173e180 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Wed, 10 Mar 2021 15:48:28 -0500
Subject: shim: simplify sbat self-check logic. There's no reason to do the work to set an initial SBAT variable twice, or to do it /after/ the self check. This changes it to do it once, before the self check, and then only raise an error if we're in secure mode.
Signed-off-by: Peter Jones
---
 shim.c | 37 +++++++++++++++----------------------
 1 file changed, 15 insertions(+), 22 deletions(-)
diff --git a/shim.c b/shim.c
index ad01a07f..56a4a3a2 100644
--- a/shim.c
+++ b/shim.c
@@ -1908,6 +1908,16 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 */
 debug_hook();
+ efi_status = set_sbat_uefi_variable();
+ if (EFI_ERROR(efi_status) && secure_mode()) {
+ perror(L"SBAT variable initialization failed\n");
+ msg = SET_SBAT;
+ goto die;
+ } else if (EFI_ERROR(efi_status)) {
+ dprint(L"SBAT variable initialization failed: %r\n",
+ efi_status);
+ }
+
 if (secure_mode()) {
 char *sbat_start = (char *)&_sbat;
 char *sbat_end = (char *)&_esbat;
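Review bot: The fatal branch of the new `set_sbat_uefi_variable()` check prints `SBAT variable initialization failed` without the status, while the non-fatal `dprint` branch right below it includes `%r`; the secure-mode path is where the code is most needed, so I would make it `perror(L"SBAT variable initialization failed: %r\n", efi_status);`. The condition also widens from the old `efi_status == EFI_INVALID_PARAMETER` to any `EFI_ERROR`, which now fails closed under Secure Boot. The commit message does not mention that widening, so a comment such as `/* any failure to initialize SBAT is fatal in secure mode */` above the check would record that it is intended. efi_main starts and ends outside this hunk, and the body of set_sbat_uefi_variable() is not visible here, so which statuses it can actually return is not checked.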
@@ -1915,38 +1925,21 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 INIT_LIST_HEAD(&sbat_var);
 efi_status = parse_sbat_var(&sbat_var);
 if (EFI_ERROR(efi_status)) {
- efi_status = set_sbat_uefi_variable();
- if (efi_status == EFI_INVALID_PARAMETER) {
- perror(L"SBAT variable initialization failed\n");
- msg = SET_SBAT;
- goto die;
- }
- efi_status = parse_sbat_var(&sbat_var);
- if (EFI_ERROR(efi_status)) {
- perror(L"Parsing SBAT variable failed: %r\n",
- efi_status);
- msg = IMPORT_SBAT;
- goto die;
- }
+ perror(L"Parsing SBAT variable failed: %r\n",
+ efi_status);
+ msg = IMPORT_SBAT;
+ goto die;
 }
 efi_status = handle_sbat(sbat_start, sbat_end - sbat_start);
 if (EFI_ERROR(efi_status)) {
 perror(L"Verifiying shim SBAT data failed: %r\n", efi_status);
- msg = SBAT_SELF_CHECK;;
+ msg = SBAT_SELF_CHECK;
 goto die;
 }
 }
- efi_status = set_sbat_uefi_variable();
- if (efi_status == EFI_INVALID_PARAMETER) {
- perror(L"SBAT variable initialization failed\n");
- msg = SET_SBAT;
- if (secure_mode())
- goto die;
- }
-
 init_openssl();
 /*
-- 
cgit v1.2.3
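Review bot: With the retry removed, `parse_sbat_var(&sbat_var)` inside the `if (secure_mode())` block now relies on the `set_sbat_uefi_variable()` call that this commit places before the block, and nothing at the call site says so. A comment above the parse, e.g. `/* the SBAT variable was initialized before this block; a parse failure here is fatal */`, would keep a later reorder from silently separating the two steps. While the neighbouring line is being touched for the `;;` fix, the context string `Verifiying shim SBAT data failed` could be corrected to `Verifying`. efi_main starts and ends outside this hunk.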