From 22b477bff580c3530f4f131d34e99151f957a64c Mon Sep 17 00:00:00 2001
From: Mario Limonciello <mario.limonciello@amd.com>
Date: Thu, 25 Aug 2022 16:13:53 -0500
Subject: [PATCH] trivial: don't allow turning on secure boot if 3rd party CA
 is off

Turning on UEFI secure boot on Lenovo systems with 3rd party CA
turned off will cause a boot loop.
---
 libfwupdplugin/fu-bios-settings.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/libfwupdplugin/fu-bios-settings.c b/libfwupdplugin/fu-bios-settings.c
index 79811d300..fab4b3daf 100644
--- a/libfwupdplugin/fu-bios-settings.c
+++ b/libfwupdplugin/fu-bios-settings.c
@@ -409,6 +409,25 @@ fu_bios_settings_populate_read_only(FuBiosSettings *self)
 			    g_strdup(_("Enabled")));
 }
 
+static void
+fu_bios_settings_combination_fixups(FuBiosSettings *self)
+{
+	FwupdBiosSetting *thinklmi_sb = fu_bios_settings_get_attr(self, "com.thinklmi.SecureBoot");
+	FwupdBiosSetting *thinklmi_3rd =
+	    fu_bios_settings_get_attr(self, "com.thinklmi.Allow3rdPartyUEFICA");
+
+	if (thinklmi_sb != NULL && thinklmi_3rd != NULL) {
+		const gchar *val = fwupd_bios_setting_get_current_value(thinklmi_sb);
+		if (g_strcmp0(val, "Disable") == 0) {
+			g_debug("Disabling changing %s since %s is %s",
+				fwupd_bios_setting_get_name(thinklmi_sb),
+				fwupd_bios_setting_get_name(thinklmi_3rd),
+				val);
+			fwupd_bios_setting_set_read_only(thinklmi_sb, TRUE);
+		}
+	}
+}
+
 /**
  * fu_bios_settings_setup:
  * @self: a #FuBiosSettings
@@ -482,6 +501,8 @@ fu_bios_settings_setup(FuBiosSettings *self, GError **error)
 	} while (TRUE);
 	g_debug("loaded %u BIOS settings", count);
 
+	fu_bios_settings_combination_fixups(self);
+
 	return TRUE;
 }