shim/backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch

From b078ef274887a4cc0da64fd6668800d1e24a2871 Mon Sep 17 00:00:00 2001
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Date: Tue, 16 May 2023 14:31:13 -0700
Subject: [PATCH] Always clear SbatLevel when Secure Boot is disabled

Unless an explict sbat policy is specified, always delete SbatLevel
when secure boot is disabled.

Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
---
 sbat.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/sbat.c b/sbat.c
index a08c5b2..42a3346 100644
--- a/sbat.c
+++ b/sbat.c
@@ -423,7 +423,12 @@ set_sbat_uefi_variable(void)
 				       &attributes);
 	if (EFI_ERROR(efi_status)) {
 		dprint("Default sbat policy: previous\n");
-		sbat_var = sbat_var_previous;
+		if (secure_mode()) {
+		    sbat_var = sbat_var_previous;
+		} else {
+		    reset_sbat = true;
+		    sbat_var = SBAT_VAR_ORIGINAL;
+		}
 	} else {
 		switch (*sbat_policy) {
 			case SBAT_POLICY_LATEST:
@@ -449,7 +454,12 @@ set_sbat_uefi_variable(void)
 			default:
 				console_error(L"SBAT policy state %llu is invalid",
 					      EFI_INVALID_PARAMETER);
-				sbat_var = sbat_var_previous;
+				if (secure_mode()) {
+				    sbat_var = sbat_var_previous;
+				} else {
+				    reset_sbat = true;
+				    sbat_var = SBAT_VAR_ORIGINAL;
+				}
 				clear_sbat_policy();
 				break;
 		}
-- 
2.33.0
Backport patch from upstream (cherry picked from commit 65d0919c62bdfa8a40ba21cf33d80413f92f25a6) 2024-03-25 18:38:45 +08:00			`From b078ef274887a4cc0da64fd6668800d1e24a2871 Mon Sep 17 00:00:00 2001`
			`From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>`
			`Date: Tue, 16 May 2023 14:31:13 -0700`
			`Subject: [PATCH] Always clear SbatLevel when Secure Boot is disabled`

			`Unless an explict sbat policy is specified, always delete SbatLevel`
			`when secure boot is disabled.`

			`Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>`
			`---`
			`sbat.c \| 14 ++++++++++++--`
			`1 file changed, 12 insertions(+), 2 deletions(-)`

			`diff --git a/sbat.c b/sbat.c`
			`index a08c5b2..42a3346 100644`
			`--- a/sbat.c`
			`+++ b/sbat.c`
			`@@ -423,7 +423,12 @@ set_sbat_uefi_variable(void)`
			`&attributes);`
			`if (EFI_ERROR(efi_status)) {`
			`dprint("Default sbat policy: previous\n");`
			`- sbat_var = sbat_var_previous;`
			`+ if (secure_mode()) {`
			`+ sbat_var = sbat_var_previous;`
			`+ } else {`
			`+ reset_sbat = true;`
			`+ sbat_var = SBAT_VAR_ORIGINAL;`
			`+ }`
			`} else {`
			`switch (*sbat_policy) {`
			`case SBAT_POLICY_LATEST:`
			`@@ -449,7 +454,12 @@ set_sbat_uefi_variable(void)`
			`default:`
			`console_error(L"SBAT policy state %llu is invalid",`
			`EFI_INVALID_PARAMETER);`
			`- sbat_var = sbat_var_previous;`
			`+ if (secure_mode()) {`
			`+ sbat_var = sbat_var_previous;`
			`+ } else {`
			`+ reset_sbat = true;`
			`+ sbat_var = SBAT_VAR_ORIGINAL;`
			`+ }`
			`clear_sbat_policy();`
			`break;`
			`}`
			`--`
			`2.33.0`