From 8c762d5359d6d00ae2ca2d9e5a4e2ae87a402cf0 Mon Sep 17 00:00:00 2001
From: Stewart Smith <stewart@linux.vnet.ibm.com>
Date: Wed, 13 Dec 2017 20:33:22 +1100
Subject: allow secure boot if not enforcing it

We check the secure boot containers no matter what, only *enforcing*
secure boot if we're booting in secure mode. This gives us an extra
layer of checking firmware is legit even when secure mode isn't enabled,
as well as being really useful for testing.

Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
---
 libstb/secureboot.c | 6 ------
 1 file changed, 6 deletions(-)

(limited to 'libstb')

diff --git a/libstb/secureboot.c b/libstb/secureboot.c
index f3a5db4..afe19fe 100644
--- a/libstb/secureboot.c
+++ b/libstb/secureboot.c
@@ -111,9 +111,6 @@ void secureboot_init(void)
 		      secure_mode ? "on" : "off");
 	}
 
-	if (!secure_mode)
-		return;
-
 	if (version == IBM_SECUREBOOT_V1 ||
 	    version == IBM_SECUREBOOT_SOFTROM) {
 
@@ -172,9 +169,6 @@ int secureboot_verify(enum resource_id id, void *buf, size_t len)
 	uint64_t log;
 	int rc = -1;
 
-	if (!secure_mode)
-		return 0;
-
 	name = flash_map_resource_name(id);
 	if (!name) {
 		prlog(PR_EMERG, "container NOT VERIFIED, resource_id=%d "
-- 
cgit v1.1