running_under_secureboot: update for efivarfs + new mokutil behavior

CONFIG_EFI_VARS is no longer available since
https://salsa.debian.org/kernel-team/linux/-/commit/20146398c4599147244ed3ffc54f38d07fb8dea3
(tagged initially as debian/5.10.1-1_exp1 + shipped with kernel package
5.10.1-1~exp1 and newer, incl. 5.10.0-12-amd64 as present in current
Debian/bullseye). Therefore the kernel module efivars is no longer
available on more recent Debian kernel systems, but efivarfs
needs to be used instead.

The behavior of mokutil also seems to have changed. On systems where
SecureBoot is available but not enabled, it outputs "SecureBoot
disabled", while no longer returning with an exit code other than 0.
On systems where Secure Boot isn't supported (e.g. in VirtualBox) it
reports "This system doesn't support Secure Boot" on stderr, with exit
code 255.

Verified with mokutil 0.3.0+1538710437.fb6250f-1

This work was funded by Grml-Forensic.

diff --git a/autoconfig.functions b/autoconfig.functions
index 48bf32c..e659549 100755 (executable)
--- a/autoconfig.functions
+++ b/autoconfig.functions
@@ -549,20 +549,19 @@ running_under_secureboot() {
   # doesn't work as needed as it relies on /sys/firmware/efi/efivars (while
   # /sys/firmware/efi/vars would exist)
   if ! $SYSTEMD ; then
-    if modprobe efivars &>/dev/null ; then
+    if modprobe efivarfs &>/dev/null ; then
       mount -t efivarfs efivarfs /sys/firmware/efi/efivars
     fi
   fi
 
-  if [ -x /usr/bin/mokutil ] ; then
-    local secstate=$(mokutil --sb-state 2>/dev/null) # "SecureBoot enabled"
-    if [ -n "$secstate" ] ; then
+  if [[ -x "$(command -v mokutil)" ]] ; then
+    if mokutil --sb-state 2>/dev/null | grep -q 'SecureBoot enabled' ; then
       return 0
     else
       return 1
     fi
   else
-    if modprobe efivars &>/dev/null ; then
+    if modprobe efivarfs &>/dev/null ; then
       if od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data 2>/dev/null | grep -q 1 ; then
         return 0
       else