From 868b3721159ee615a1b774645d610a13b5827e5e Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 31 Oct 2013 16:08:32 +0800
Subject: [PATCH 40/74] Check the secure variables with the lib functions
There are functions defined in lib to check the secure variables.
Use those functions to avoid the duplicate code.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Conflicts:
shim.c
---
lib/variables.c | 14 ++++++++++----
shim.c | 32 ++------------------------------
2 files changed, 12 insertions(+), 34 deletions(-)
diff --git a/lib/variables.c b/lib/variables.c
index 3a9735e..4c64d7e 100644
--- a/lib/variables.c
+++ b/lib/variables.c
@@ -284,9 +284,12 @@ variable_is_setupmode(void)
/* set to 1 because we return true if SetupMode doesn't exist */
UINT8 SetupMode = 1;
UINTN DataSize = sizeof(SetupMode);
+ EFI_STATUS status;
- uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL,
- &DataSize, &SetupMode);
+ status = uefi_call_wrapper(RT->GetVariable, 5, L"SetupMode", &GV_GUID, NULL,
+ &DataSize, &SetupMode);
+ if (EFI_ERROR(status))
+ return 1;
return SetupMode;
}
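Review bot: The added `if (EFI_ERROR(status)) return 1;` in variable_is_setupmode() reports setup mode for every GetVariable failure, not only for a missing variable, while the comment above it still speaks only of SetupMode not existing. The same pattern in variable_is_secureboot() in the next hunk returns 0 for every failure. Since the shim.c hunk uses both results to decide whether secure mode is in force, I would state the contract at each function, e.g. `/* Returns 1 on any GetVariable error, not only EFI_NOT_FOUND; a result of 1 is not a confirmed setup mode. */`. Both function headers lie outside their hunks, so any existing doc comment above them is not visible here.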
@@ -297,10 +300,13 @@ variable_is_secureboot(void)
/* return false if variable doesn't exist */
UINT8 SecureBoot = 0;
UINTN DataSize;
+ EFI_STATUS status;
DataSize = sizeof(SecureBoot);
- uefi_call_wrapper(RT->GetVariable, 5, L"SecureBoot", &GV_GUID, NULL,
- &DataSize, &SecureBoot);
+ status = uefi_call_wrapper(RT->GetVariable, 5, L"SecureBoot", &GV_GUID, NULL,
+ &DataSize, &SecureBoot);
+ if (EFI_ERROR(status))
+ return 0;
return SecureBoot;
}
diff --git a/shim.c b/shim.c
index 210e778..14fb601 100644
--- a/shim.c
+++ b/shim.c
@@ -475,44 +475,16 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert,
static BOOLEAN secure_mode (void)
{
- EFI_STATUS status;
- EFI_GUID global_var = EFI_GLOBAL_VARIABLE;
- UINTN len;
- UINT8 *Data;
- UINT8 sb, setupmode;
-
if (user_insecure_mode)
return FALSE;
- status = get_variable(L"SecureBoot", &Data, &len, global_var);
- if (status != EFI_SUCCESS) {
+ if (variable_is_secureboot() != 1) {
if (verbose && !in_protocol)
console_notify(L"Secure boot not enabled");
return FALSE;
}
- sb = *Data;
- FreePool(Data);
-
- if (sb != 1) {
- if (verbose && !in_protocol)
- console_notify(L"Secure boot not enabled");
- return FALSE;
- }
-
- /* If we /do/ have "SecureBoot", but /don't/ have "SetupMode",
- * then the implementation is bad, but we assume that secure boot is
- * enabled according to the status of "SecureBoot". If we have both
- * of them, then "SetupMode" may tell us additional data, and we need
- * to consider it.
- */
- status = get_variable(L"SetupMode", &Data, &len, global_var);
- if (status != EFI_SUCCESS)
- return TRUE;
-
- setupmode = *Data;
- FreePool(Data);
- if (setupmode == 1) {
+ if (variable_is_setupmode() == 1) {
if (verbose && !in_protocol)
console_notify(L"Platform is in setup mode");
return FALSE;
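Review bot: secure_mode() now returns FALSE when SecureBoot reads as 1 but SetupMode cannot be read, because variable_is_setupmode() returns 1 on any GetVariable error (see the lib/variables.c hunk); the removed code returned TRUE in that case and its comment explained why. That is a fail-open behaviour change on firmware that lacks or fails to return SetupMode, and it goes beyond the duplicate-code cleanup the commit message describes. I would keep the old fail-closed result, for instance by letting the helper take the value to return on failure and calling it here as `if (variable_is_setupmode(0) == 1) {`, and keep the removed explanatory comment above that check. The rest of secure_mode() lies outside the hunk.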
--
1.9.3