From b0e26818dcfcdf459719d388b460f374f2b3530f Mon Sep 17 00:00:00 2001
From: Kay Sievers
Date: Thu, 21 Feb 2013 16:21:45 +0100
Subject: [PATCH] setup: skip EFI variable setup when secure boot is active
---
 src/setup/efivars.c | 22 ++++++++++++++++++++++
 src/setup/efivars.h | 1 +
 src/setup/setup.c | 7 +++++--
 3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/src/setup/efivars.c b/src/setup/efivars.c
index 277058c..ff20aed 100644
--- a/src/setup/efivars.c
+++ b/src/setup/efivars.c
@@ -40,6 +40,28 @@ bool is_efi_boot(void) {
 return access("/sys/firmware/efi", F_OK) >= 0;
 }
 
+int is_efi_secure_boot(void) {
+ int r;
+ void *v;
+ size_t s;
+ uint8_t b;
+
+ r = efi_get_variable(EFI_VENDOR_GLOBAL, "SecureBoot", &v, &s);
+ if (r < 0)
+ return r;
+ b = *(uint8_t *)s;
+
+ if (s != 1) {
+ r = -EINVAL;
+ goto finish;
+ }
+
+ r = b > 0;
+finish:
+ free(v);
+ return r;
+}
+
 int efi_get_variable(
 const uint8_t vendor[16],
 const char *name,
diff --git a/src/setup/efivars.h b/src/setup/efivars.h
index d54be9f..83984ac 100644
--- a/src/setup/efivars.h
+++ b/src/setup/efivars.h
@@ -30,6 +30,7 @@
 #define EFI_VARIABLE_RUNTIME_ACCESS 0x0000000000000004
 
 bool is_efi_boot(void);
+int is_efi_secure_boot(void);
 int efi_get_variable(const uint8_t vendor[16], const char *name, void **value, size_t *size);
 int efi_set_variable( const uint8_t vendor[16], const char *name, const void *value, size_t size);
 int efi_get_variable_string(const uint8_t vendor[16], const char *name, char **p);
diff --git a/src/setup/setup.c b/src/setup/setup.c
index 7d23422..9f71bb7 100644
--- a/src/setup/setup.c
+++ b/src/setup/setup.c
@@ -963,7 +963,7 @@ static int install_variables(const char *esp_path,
 int r;
 
 if (!is_efi_boot()) {
- fprintf(stderr, "Not booted with EFI, skipping EFI variable checks.\n");
+ fprintf(stderr, "Not booted with EFI, skipping EFI variable setup.\n");
 return 0;
 }
 
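Review bot: `b = *(uint8_t *)s;` in the new is_efi_secure_boot() dereferences the size_t length `s` as a pointer rather than reading the variable buffer `v`, so any successful read of SecureBoot touches address 1 (or whatever length the firmware returned) instead of the data; the read is also placed before the `s != 1` length check, so even with `v` it would be unguarded. Drop the early read and take the byte only after the length is validated: `if (s != 1) { r = -EINVAL; goto finish; }` followed by `r = *(uint8_t *)v > 0;` (the `b` local then becomes unnecessary). A short header comment on the function would help callers, since its result is tri-state: `/* Returns 1 if the firmware reports Secure Boot enabled, 0 if disabled, negative errno if the SecureBoot variable cannot be read or has an unexpected size. */`. Note as a caveat that SecureBoot=1 alone does not prove enforcement on all firmware (SetupMode is not consulted here); whether that matters for this skip-the-boot-order decision is for the maintainers to judge.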
@@ -1000,7 +1000,10 @@ static int install_variables(const char *esp_path,
 }
 fprintf(stderr, "Created EFI boot entry \"Linux Boot Manager\".\n");
 }
- insert_into_order(slot, first);
+ if (is_efi_secure_boot() <= 0)
+ insert_into_order(slot, first);
+ else
+ fprintf(stderr, "EFI Secure Boot is active, skipping EFI boot order registration.\n");
 
 finish:
 free(p);
-- 
2.7.4
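Review bot: `if (is_efi_secure_boot() <= 0)` folds every error return of the helper — read failure, or `-EINVAL` for a malformed SecureBoot value — into the same branch as "Secure Boot disabled" and silently goes ahead with boot-order registration, i.e. the check fails open with no diagnostic. A missing variable on firmware without Secure Boot support is presumably meant to proceed, but a read error or malformed value should at least be reported so the fail-open path is visible in the output. Keep the result in its own local (declared next to `int r;` at the top of install_variables, outside this hunk) rather than reusing `r`, so the function's own return value is not clobbered if it returns `r` at `finish:`; `strerror` assumes `<string.h>` is already included, as the file's other error paths would suggest — confirm. install_variables begins outside this hunk.
```c
        }
        sb = is_efi_secure_boot();
        if (sb < 0)
                fprintf(stderr, "Failed to read EFI SecureBoot variable: %s\n", strerror(-sb));
        if (sb <= 0)
                insert_into_order(slot, first);
        else
                fprintf(stderr, "EFI Secure Boot is active, skipping EFI boot order registration.\n");
        /* … unchanged: finish: label and cleanup … */
```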