Mark Rutland <mark.rutland@xxxxxxx> wrote: > > + boot_params->secure_boot = (efi_get_secureboot(sys_table) == 1); > > In the arm stub's efi_entry(), we fail-safe, and assume secure boot for any > non-zero status (including errors). e.g. Okay, given what Matthew said: A conforming implementation that supports secure boot should always return those variables without error. If they're not present (which is valid for x86 systems - many predate the feature) then assuming Secure Boot is disabled is correct. The question of what to do in the event of other errors is more open, but it wouldn't surprise me if there are implementations that return non-spec errors for missing variables under certain circumstances. I think I have to assume the default to be that secure boot is *not* enabled in the case of one of the variables we need to check is not being present. As for getting other errors, I think we have to assume a buggy BIOS. In this case, I would also go with assuming we're not in secure boot. Another possibility is to punt the decision and make it compile-time configurable. David -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html