From d95b24bd02cf41cca9adebd95f10609d6424d2b3 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <matthew.garrett@nebula.com>
Date: Tue, 19 Nov 2013 10:09:13 -0500
Subject: [PATCH 10/74] Clarify meaning of insecure_mode

insecure_mode was intended to indicate that the user had explicity disabled
checks with mokutil, which means it wasn't the opposite of secure_mode().
Change the names to clarify this and don't show the insecure mode message
unless the user has explicitly enabled that mode.

Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
---
 replacements.c |  6 ------
 shim.c         | 12 ++++++------
 2 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/replacements.c b/replacements.c
index bac5e5d..5ea5c32 100644
--- a/replacements.c
+++ b/replacements.c
@@ -64,13 +64,9 @@ static typeof(systab->BootServices->StartImage) system_start_image;
 static typeof(systab->BootServices->Exit) system_exit;
 static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services;
 
-extern UINT8 insecure_mode;
-
 void
 unhook_system_services(void)
 {
-	if (insecure_mode)
-		return;
 	systab->BootServices->Exit = system_exit;
 	systab->BootServices->StartImage = system_start_image;
 	systab->BootServices->ExitBootServices = system_exit_boot_services;
@@ -123,8 +119,6 @@ exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus,
 void
 hook_system_services(EFI_SYSTEM_TABLE *local_systab)
 {
-	if (insecure_mode)
-		return;
 	systab = local_systab;
 
 	/* We need to hook various calls to make this work... */
diff --git a/shim.c b/shim.c
index 9ae1936..524f5fc 100644
--- a/shim.c
+++ b/shim.c
@@ -85,7 +85,7 @@ int loader_is_participating;
 
 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
 
-UINT8 insecure_mode;
+UINT8 user_insecure_mode;
 UINT8 ignore_db;
 
 typedef enum {
@@ -456,7 +456,7 @@ static BOOLEAN secure_mode (void)
 	UINT8 *Data;
 	UINT8 sb, setupmode;
 
-	if (insecure_mode)
+	if (user_insecure_mode)
 		return FALSE;
 
 	status = get_variable(L"SecureBoot", &Data, &len, global_var);
@@ -1534,7 +1534,7 @@ static EFI_STATUS check_mok_sb (void)
 	UINTN MokSBStateSize = 0;
 	UINT32 attributes;
 
-	insecure_mode = 0;
+	user_insecure_mode = 0;
 	ignore_db = 0;
 
 	status = get_variable_attr(L"MokSBState", &MokSBState, &MokSBStateSize,
@@ -1555,7 +1555,7 @@ static EFI_STATUS check_mok_sb (void)
 		status = EFI_ACCESS_DENIED;
 	} else {
 		if (*(UINT8 *)MokSBState == 1) {
-			insecure_mode = 1;
+			user_insecure_mode = 1;
 		}
 	}
 
@@ -1753,10 +1753,10 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	/*
 	 * Tell the user that we're in insecure mode if necessary
 	 */
-	if (!secure_mode()) {
+	if (user_insecure_mode) {
 		Print(L"Booting in insecure mode\n");
 		uefi_call_wrapper(BS->Stall, 1, 2000000);
-	} else {
+	} else if (secure_mode()) {
 		/*
 		 * Install our hooks for ExitBootServices() and StartImage()
 		 */
-- 
1.9.3