From 555ef92650944e5ec8ccc23d1d892e984b04afd6 Mon Sep 17 00:00:00 2001
From: Tamas K Lengyel
Date: Mon, 6 Nov 2017 09:42:18 -0700
Subject: [PATCH] Measure into the TPM even if SecureBoot is off in shim_lock verify
Signed-off-by: Tamas K Lengyel
---
 shim.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/shim.c b/shim.c
index 8fe70cb..51c5832 100644
--- a/shim.c
+++ b/shim.c
@@ -1809,9 +1809,6 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
 loader_is_participating = 1;
 in_protocol = 1;
- if (!secure_mode())
- goto done;
-
 status = read_header(buffer, size, &context);
 if (status != EFI_SUCCESS)
 goto done;
@@ -1823,6 +1820,9 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
 /* Measure the binary into the TPM */
 tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4);
+ if (!secure_mode())
+ goto done;
+
 status = verify_buffer(buffer, size, &context, sha256hash, sha1hash);
 done:
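Review bot: With the early `if (!secure_mode()) goto done;` removed in the first hunk, `read_header()` and whatever runs between the two hunks now execute with Secure Boot disabled, and their `goto done` failure paths return an error where the old code left the function before any parsing. A caller that passes a buffer which does not parse will therefore start failing on systems without Secure Boot; that is presumably wanted for measured boot, since an image that cannot be hashed should not pass unmeasured, but nothing in the code or the commit message says so. I would state it in a comment above the `read_header()` call, for example `/* Parse and hash even without Secure Boot: the image must still be measured */`. The body of shim_verify starts and ends outside this hunk.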
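Review bot: The relocated `if (!secure_mode()) goto done;` in the second hunk returns whatever `status` the preceding call left behind, and the result of `tpm_log_pe()` on the line above it is discarded, so with Secure Boot off a failed measurement looks the same to the caller as a successful one. Measuring is now the only thing this path does in that mode, so keeping the result would make the outcome explicit: `status = tpm_log_pe(...);` followed by `if (status != EFI_SUCCESS || !secure_mode()) goto done;`, assuming `tpm_log_pe()` returns an `EFI_STATUS` (its declaration is not in the diff). Whether a missing or failing TPM should block the boot is a policy choice, so if the result stays ignored a comment such as `/* Measurement is best-effort; a TPM error does not fail verification */` should say that this is deliberate.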