Only run MokManager if asked or a security violation occurs.

Don't run MokManager on any random error from start_image(second_stage); only try it if it /is/ the second stage, or if start_image gave us EFI_SECURITY_VIOLATION. Signed-off-by: Peter Jones <pjones@redhat.com>
2025-08-13 21:35:15 +00:00 · 2015-06-04 10:19:30 -04:00 · 2015-06-04 10:19:30 -04:00 · 0b394a9480
commit 0b394a9480
parent 929b5b762b
1 changed files with 12 additions and 5 deletions
--- a/shim.c
+++ b/shim.c
@ -1673,14 +1673,21 @@ done:
 EFI_STATUS init_grub(EFI_HANDLE image_handle)
 {
 	EFI_STATUS efi_status;
+	int use_fb = should_use_fallback(image_handle);

-	if (should_use_fallback(image_handle))
-		efi_status = start_image(image_handle, FALLBACK);
-	else
-		efi_status = start_image(image_handle, second_stage);
+	efi_status = start_image(image_handle, use_fb ? FALLBACK :second_stage);

-	if (efi_status != EFI_SUCCESS)
+	if (efi_status == EFI_SECURITY_VIOLATION) {
 		efi_status = start_image(image_handle, MOK_MANAGER);
+		if (efi_status != EFI_SUCCESS) {
+			Print(L"start_image() returned %r\n", efi_status);
+			uefi_call_wrapper(BS->Stall, 1, 2000000);
+			return efi_status;
+		}
+
+		efi_status = start_image(image_handle,
+					 use_fb ? FALLBACK : second_stage);
+	}

 	Print(L"start_image() returned %r\n", efi_status);
 	uefi_call_wrapper(BS->Stall, 1, 2000000);