On 13.08.20 10:05, AKASHI Takahiro wrote:
> Under the new file-based variable implementation, the secure state
> is always and falsely set to 0 (hence, the secure boot gets disabled)
> after the reboot even if PK (and other signature database) has already
> been enrolled in the previous boot.
>
> This is because the secure state is set up *before* loading non-volatile
> variables' values from saved data.
>
> This patch fixes the order of variable initialization and secure state
> initialization.
>
> Signed-off-by: AKASHI Takahiro <[email protected]>
> Fixes: 5f7dcf079de8 ("efi_loader: UEFI variable persistence")

Thanks for the correction. Reviewed-by: Heinrich Schuchardt <[email protected]> > --- > lib/efi_loader/efi_variable.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c > index 282d542a096c..a10b9caa8b03 100644 > --- a/lib/efi_loader/efi_variable.c > +++ b/lib/efi_loader/efi_variable.c > @@ -508,10 +508,6 @@ efi_status_t efi_init_variables(void) > if (ret != EFI_SUCCESS) > return ret; > > - ret = efi_init_secure_state(); > - if (ret != EFI_SUCCESS) > - return ret; > - > if (IS_ENABLED(CONFIG_EFI_VARIABLES_PRESEED)) { > ret = efi_var_restore((struct efi_var_file *) > __efi_var_file_begin); > @@ -519,5 +515,9 @@ efi_status_t efi_init_variables(void) > log_err("Invalid EFI variable seed\n"); > } > > - return efi_var_from_file(); > + ret = efi_var_from_file(); > + if (ret != EFI_SUCCESS) > + return ret; > + > + return efi_init_secure_state(); > } >
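Review bot: In the first hunk (@@ -508,10 +508,6), removing the early efi_init_secure_state() call also moves it behind the CONFIG_EFI_VARIABLES_PRESEED branch, so efi_var_restore() on __efi_var_file_begin now runs before any secure state has been set up. The commit message only discusses loading from saved data; it would help to state there that the preseed restore does not rely on the secure state being initialized, or that deriving the state from preseeded variables is intended as well.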
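Review bot: In the second hunk (@@ -519,5 +515,9), the ordering that this fix depends on is not documented at the new `return efi_init_secure_state();` line, so a later cleanup could move the call back above the variable loading and silently reintroduce the bug where the secure state is 0 after reboot. A short comment above that line saying the secure state must be initialized only after the preseed and efi_var_from_file() have populated the variables would guard against that. Note also that the new early return on `ret != EFI_SUCCESS` from efi_var_from_file() means efi_init_secure_state() is never reached on that path; please confirm callers of efi_init_variables() treat that error as fatal rather than continuing with an uninitialized secure state.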

