From a08b34912e982a01f7bf80bf35ae009af522b43a Mon Sep 17 00:00:00 2001
From: Michael Prokop
Date: Mon, 21 Mar 2022 18:02:31 +0100
Subject: [PATCH] running_under_secureboot: update for efivarfs + new mokutil behavior

CONFIG_EFI_VARS is no longer available since https://salsa.debian.org/kernel-team/linux/-/commit/20146398c4599147244ed3ffc54f38d07fb8dea3 (tagged initially as debian/5.10.1-1_exp1 + shipped with kernel package 5.10.1-1~exp1 and newer, incl. 5.10.0-12-amd64 as present in current Debian/bullseye). Therefore the kernel module efivars is no longer available on more recent Debian kernel systems, but efivarfs needs to be used instead. The behavior of mokutil also seems to have changed. On systems where SecureBoot is available but not enabled, it outputs "SecureBoot disabled", while no longer returning with an exit code other than 0. On systems where Secure Boot isn't supported (e.g. in VirtualBox) it reports "This system doesn't support Secure Boot" on stderr, with exit code 255. Verified with mokutil 0.3.0+1538710437.fb6250f-1 This work was funded by Grml-Forensic.
---
 autoconfig.functions | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/autoconfig.functions b/autoconfig.functions
index 48bf32c..e659549 100755
--- a/autoconfig.functions
+++ b/autoconfig.functions
@@ -549,20 +549,19 @@ running_under_secureboot() {
   # doesn't work as needed as it relies on /sys/firmware/efi/efivars (while
   # /sys/firmware/efi/vars would exist)
   if ! $SYSTEMD ; then
-    if modprobe efivars &>/dev/null ; then
+    if modprobe efivarfs &>/dev/null ; then
       mount -t efivarfs efivarfs /sys/firmware/efi/efivars
     fi
   fi
-  if [ -x /usr/bin/mokutil ] ; then
-    local secstate=$(mokutil --sb-state 2>/dev/null) # "SecureBoot enabled"
-    if [ -n "$secstate" ] ; then
+  if [[ -x "$(command -v mokutil)" ]] ; then
+    if mokutil --sb-state 2>/dev/null | grep -q 'SecureBoot enabled' ; then
       return 0
     else
       return 1
     fi
   else
-    if modprobe efivarfs &>/dev/null ; then
+    if modprobe efivarfs &>/dev/null ; then
       if od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data 2>/dev/null | grep -q 1 ; then
         return 0
       else
-- 
2.1.4
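Review bot: The fallback branch near the end of the hunk still reads the legacy sysfs layout at `/sys/firmware/efi/vars/SecureBoot-*/data` right after its modprobe was switched to efivarfs, so on exactly the kernels this commit targets (no CONFIG_EFI_VARS) that path does not exist, `od` fails silently, and the function reports Secure Boot as disabled whenever mokutil is absent. efivarfs exposes the variable as a single file under `/sys/firmware/efi/efivars/` whose first four bytes are the variable attributes, so the check should read that path and skip the header: `if od -An -t u1 -j 4 /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | grep -q 1 ; then`. Since the `mount -t efivarfs` earlier in the hunk only runs when `! $SYSTEMD`, it is worth confirming that efivarfs is already mounted on systemd systems before this read is reached, otherwise the same silent-disabled result occurs there. running_under_secureboot() continues past the end of the hunk.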