On Thu, 2019-03-07 at 14:50 -0800, Matthew Garrett wrote: > On Thu, Mar 7, 2019 at 2:48 PM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > I added this last attempt because I'm seeing this on my laptop, with > > some older, buggy firmware. > > Is the issue that it gives incorrect results on the first read, or is > the issue that it gives incorrect results before ExitBootServices() is > called? If the former then we should read twice in the boot stub, if > the latter then we should figure out a way to do this immediately > after ExitBootServices() instead. Detecting the secure boot mode isn't the problem. On boot, I am seeing "EFI stub: UEFI Secure Boot is enabled", but setup_arch() emits "Secure boot could not be determined". In efi_main() the secure_boot mode is initially unset, so efi_get_secureboot() is called. efi_get_secureboot() returns the secure_boot mode correctly as enabled. The problem seems to be in saving the secure_boot mode for later use. Mimi
