CONFIG_EFI_VARS is no longer available since
https://salsa.debian.org/kernel-team/linux/-/commit/20146398c4599147244ed3ffc54f38d07fb8dea3
(tagged initially as debian/5.10.1-1_exp1 + shipped with kernel package
5.10.1-1~exp1 and newer, incl. 5.10.0-12-amd64 as present in current
Debian/bullseye). Therefore the kernel module efivars is no longer
available on more recent Debian kernel systems, but efivarfs
needs to be used instead.
The behavior of mokutil also seems to have changed. On systems where
SecureBoot is available but not enabled, it outputs "SecureBoot
disabled", while no longer returning with an exit code other than 0.
On systems where Secure Boot isn't supported (e.g. in VirtualBox) it
reports "This system doesn't support Secure Boot" on stderr, with exit
code 255.
Verified with mokutil 0.3.0+1538710437.fb6250f-1
This work was funded by Grml-Forensic.
# doesn't work as needed as it relies on /sys/firmware/efi/efivars (while
# /sys/firmware/efi/vars would exist)
if ! $SYSTEMD ; then
- if modprobe efivars &>/dev/null ; then
+ if modprobe efivarfs &>/dev/null ; then
mount -t efivarfs efivarfs /sys/firmware/efi/efivars
fi
fi
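Review bot: the `mount -t efivarfs efivarfs /sys/firmware/efi/efivars` line runs whenever modprobe succeeds, with no check that efivarfs is already mounted there and with its output and exit status left unhandled. Consider guarding it with `mountpoint -q /sys/firmware/efi/efivars ||` and redirecting errors the way the modprobe call does, so that a pre-mounted efivarfs or a second run does not print a mount error. The comment above the block still says /sys/firmware/efi/vars "would exist", which according to the commit message no longer holds on kernels without CONFIG_EFI_VARS, so it should be updated along with the module name.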
- if [ -x /usr/bin/mokutil ] ; then
- local secstate=$(mokutil --sb-state 2>/dev/null) # "SecureBoot enabled"
- if [ -n "$secstate" ] ; then
+ if [[ -x "$(command -v mokutil)" ]] ; then
+ if mokutil --sb-state 2>/dev/null | grep -q 'SecureBoot enabled' ; then
return 0
else
return 1
fi
else
- if modprobe efivars &>/dev/null ; then
+ if modprobe efivarfs &>/dev/null ; then
if od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data 2>/dev/null | grep -q 1 ; then
return 0
else
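Review bot: in the fallback branch the module name is switched to efivarfs, but the following line still reads `/sys/firmware/efi/vars/SecureBoot-*/data`, the sysfs path of the efivars interface that the commit message says is no longer available. With only efivarfs present that glob matches nothing, od's error is discarded by `2>/dev/null`, and the check falls into the else branch on systems without mokutil even when Secure Boot is on. Suggest reading `/sys/firmware/efi/efivars/SecureBoot-*` instead, after making sure efivarfs is mounted (modprobe alone does not mount it), and testing the data byte that follows the 4-byte attribute prefix of efivarfs files rather than running `grep -q 1` over the whole dump.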