secure-boot: tighten enrollment logic a bit regarding file sizes

It's OK the dbx file is not loaded, but let's explicitly check for that (i.e. if the buffer is actually non-NULL), rather than the size of the bufer, since empty files actually do exist. Or in other words, let's not magically suppress enrollment of empty files, but let uefi firmware handle these on their own. Follow-up for: 57ea801
evverx · Apr 10, 2024 · 5538b62 · 5538b62
1 parent 6fea0f0
commit 5538b62
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c
@@ -174,8 +174,9 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool
                         EFI_VARIABLE_RUNTIME_ACCESS |
                         EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
 
-                if (sb_vars[i].size == 0)
+                if (!sb_vars[i].buffer)
                         continue;
+
                 err = efivar_set_raw(&sb_vars[i].vendor, sb_vars[i].name, sb_vars[i].buffer, sb_vars[i].size, sb_vars_opts);
                 if (err != EFI_SUCCESS) {
                         log_error_status(err, "Failed to write %ls secure boot variable: %m", sb_vars[i].name);