@@ -886,14 +886,15 @@ static int get_secure_boot(void)
/* If it fails, we don't care why. Default to secure */
if (status != EFI_SUCCESS)
- return 1;
+ return EFI_SECURE_BOOT;
if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
- if (moksbstate == 1)
- return 0;
+ if (moksbstate == 1) {
+ return EFI_MOKSBSTATE_DISABLED;
+ }
}
- return 1;
+ return EFI_SECURE_BOOT;
}
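Review bot: get_secure_boot() now returns state codes instead of 0/1, but nothing in this hunk documents that contract, and both new values are non-zero, so a caller that tests the result for truth will read EFI_MOKSBSTATE_DISABLED as "Secure Boot on". A comment above the function would pin this down, for example `/* Returns EFI_SECURE_BOOT or EFI_MOKSBSTATE_DISABLED; callers must compare against these, not test for non-zero. */`, extended with whatever the remaining paths return. The function starts outside this hunk, so its other return statements are not visible here and should be checked for leftover bare `0`/`1` values. The braces added around the single `return EFI_MOKSBSTATE_DISABLED;` also depart from the surrounding style.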
@@ -1144,11 +1144,15 @@ void __init setup_arch(char **cmdline_p)
io_delay_init();
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
- if (boot_params.secure_boot) {
+ if (boot_params.secure_boot == EFI_SECURE_BOOT) {
set_bit(EFI_SECURE_BOOT, &efi.flags);
enforce_signed_modules();
pr_info("Secure boot enabled\n");
}
+ else if (boot_params.secure_boot == EFI_MOKSBSTATE_DISABLED) {
+ boot_params.secure_boot = 0;
+ pr_info("Secure boot MOKSBState disabled\n");
+ }
#endif
/*
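Review bot: The switch from a truth test to `boot_params.secure_boot == EFI_SECURE_BOOT` makes enforcement depend on one exact value, so any producer that still writes 1 into the field would skip enforce_signed_modules() without a log line. Those producers might be a return path of get_secure_boot() outside the visible hunk, or another loader that fills boot_params. Failing closed is safer here: `if (boot_params.secure_boot && boot_params.secure_boot != EFI_MOKSBSTATE_DISABLED) {`. The reset to 0 in the new `else if` branch also happens only under CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE, so without that option the field keeps the raw state code and later truth tests on it would see it as set. A short comment on the `else if` saying that the MOK state deliberately turns off module signature enforcement would help whoever audits this path.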
@@ -987,6 +987,7 @@ extern int __init efi_setup_pcdp_console(char *);
#define EFI_DBG 8 /* Print additional debug info at runtime */
#define EFI_NX_PE_DATA 9 /* Can runtime data regions be mapped non-executable? */
#define EFI_SECURE_BOOT 10 /* Are we in Secure Boot mode? */
+#define EFI_MOKSBSTATE_DISABLED 11 /* Secure boot mode disabled in the MOK */
#ifdef CONFIG_EFI
/*
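Review bot: EFI_MOKSBSTATE_DISABLED is added to the list of efi.flags bit numbers, yet in the visible hunks it is only compared against boot_params.secure_boot and never passed to set_bit() or test_bit(). That mixes a flag-bit namespace with a state-code namespace and leaves no runtime record in efi.flags that Secure Boot was switched off through the MOK. Either set the bit in the MokSBState branch of setup_arch() so later code can query it, or define the boot_params state codes separately from the flag bits. At minimum the comment could say what the value is used for, e.g. `/* boot_params.secure_boot state: Secure Boot disabled via MokSBState */`.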