ACK: [PATCH] securebootcert: change fail to warning when MS UEFI CA not found in DB
Colin Ian King
colin.king at canonical.com
Tue Sep 15 08:43:23 UTC 2015
On 15/09/15 08:24, Ivan Hu wrote:
> Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
> ---
> src/uefi/securebootcert/securebootcert.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
> index e814aa9..add328a 100644
> --- a/src/uefi/securebootcert/securebootcert.c
> +++ b/src/uefi/securebootcert/securebootcert.c
> @@ -245,9 +245,15 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha
> fwts_log_info_verbatum(fw, "Check Microsoft UEFI CA certificate presence in %s", varname);
> if (check_sigdb_presence(var->data, var->datalen, ms_uefi_ca_2011_key, ms_uefi_ca_2011_key_len))
> fwts_passed(fw, "MS UEFI CA 2011 key check passed.");
> - else
> - fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootMSCertNotFound",
> - "The Microsoft UEFI CA certificate not found .");
> + else {
> + fwts_warning(fw, "The Microsoft UEFI CA certificate not found.");
> + fwts_advice(fw,
> + "Most Linux distributions use shim as a first stage "
> + "bootloader which was signed by Microsoft UEFI CA. "
> + "Without Microsoft UEFI CA certificate in DB, the "
> + "system might not be able to boot up with secure boot "
> + "enabled on these distributions.");
> + }
> }
>
> static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname)
>
Thanks for adding the advice too.
Acked-by: Colin Ian King <colin.king at canonical.com>
More information about the fwts-devel
mailing list