From 5538b62f59f126d5a1761697417ff5cd7e2c77b1 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 9 Apr 2024 12:39:28 +0200
Subject: [PATCH] secure-boot: tighten enrollment logic a bit regarding file sizes

It's OK the dbx file is not loaded, but let's explicitly check for that (i.e. if the buffer is actually non-NULL), rather than the size of the bufer, since empty files actually do exist.

Or in other words, let's not magically suppress enrollment of empty files, but let uefi firmware handle these on their own.

Follow-up for: 57ea8012d6f0b9a3622d4a84d93020020a3aca3c
---
 src/boot/efi/secure-boot.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/boot/efi/secure-boot.c b/src/boot/efi/secure-boot.c
index 63f37318f6868..1a7ae637741da 100644
--- a/src/boot/efi/secure-boot.c
+++ b/src/boot/efi/secure-boot.c
@@ -174,8 +174,9 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path, bool
 EFI_VARIABLE_RUNTIME_ACCESS |
 EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
 
- if (sb_vars[i].size == 0)
+ if (!sb_vars[i].buffer)
 continue;
+
 err = efivar_set_raw(&sb_vars[i].vendor, sb_vars[i].name, sb_vars[i].buffer, sb_vars[i].size, sb_vars_opts);
 if (err != EFI_SUCCESS) {
 log_error_status(err, "Failed to write %ls secure boot variable: %m", sb_vars[i].name);
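Review bot: The new `if (!sb_vars[i].buffer)` guard encodes a distinction — an optional file that was never loaded versus a file that is present but empty — that the commit message explains but the code does not, so a comment above it would keep the next reader from "fixing" it back into a size check, e.g. `/* A NULL buffer means the file was not loaded (e.g. no dbx supplied); an empty file is still handed to the firmware, which decides whether to accept it. */`. With the size check gone, a zero-length payload now reaches efivar_set_raw(); because the attributes include EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, a compliant firmware should reject it for lacking the EFI_VARIABLE_AUTHENTICATION_2 descriptor and the visible log_error_status() call would report that, but whether the loop then aborts or continues with the remaining variables is not visible in the hunk and is worth confirming is the intended outcome for an empty file. secure_boot_enroll_at() and the enclosing loop begin before and continue past this hunk.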