Install shim_lock protocol even when SecureBoot is off

Currently the shim_lock protocol is only installed when SecureBoot is enabled.
However, having Verify just measure into the TPM without SecureBoot is a useful
feature.

Signed-off-by: Tamas K Lengyel <lengyelt@ainfosec.com>

shim.c

@@ -2742,9 +2742,6 @@ install_shim_protocols(void)
 	SHIM_LOCK *shim_lock;
 	EFI_STATUS efi_status;
 
-	if (!secure_mode())
-		return EFI_SUCCESS;
-
 	/*
 	 * Did another instance of shim earlier already install the
 	 * protocol? If so, get rid of it.
@@ -2778,6 +2775,9 @@ install_shim_protocols(void)
 		return efi_status;
 	}
 
+	if (!secure_mode())
+		return EFI_SUCCESS;
+
 #if defined(OVERRIDE_SECURITY_POLICY)
 	/*
 	 * Install the security protocol hook
@@ -2793,6 +2793,12 @@ uninstall_shim_protocols(void)
 {
 	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
 
+	/*
+	 * If we're back here then clean everything up before exiting
+	 */
+	uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle,
+			  &shim_lock_guid, &shim_lock_interface);
+
 	if (!secure_mode())
 		return;
 
@@ -2802,18 +2808,11 @@ uninstall_shim_protocols(void)
 	 */
 	security_policy_uninstall();
 #endif
-
-	/*
-	 * If we're back here then clean everything up before exiting
-	 */
-	uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle,
-			  &shim_lock_guid, &shim_lock_interface);
 }
 
 EFI_STATUS
 shim_init(void)
 {
-	EFI_STATUS status = EFI_SUCCESS;
 	setup_console(1);
 	setup_verbosity();
 	dprinta(shim_version);
@@ -2834,19 +2833,20 @@ shim_init(void)
 
 		hook_exit(systab);
 
-		status = install_shim_protocols();
 	}
-	return status;
+
+	return install_shim_protocols();
 }
 
 void
 shim_fini(void)
 {
+	/*
+	 * Remove our protocols
+	 */
+	uninstall_shim_protocols();
+
 	if (secure_mode()) {
-		/*
-		 * Remove our protocols
-		 */
-		uninstall_shim_protocols();
 
 		/*
 		 * Remove our hooks from system services.