:: commit 3464a9c542355fd1ec4ec39f7cdaac546974e52b

Mintsuki <mintsuki@protonmail.com> — 2026-04-25 19:55

parents: e3db22d3aa

misc: Treat unenrolled config checksum as Secure Boot opt-out

diff --git a/ChangeLog b/ChangeLog
index af61ceb8..cfeae6db 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,12 +7,14 @@
     Breaking changes:
         - Re-introduce hash verification enforcement for files loaded under
           UEFI Secure Boot (originally shipped in 11.2.0 and reverted in 11.2.1
-          pending the next major version bump). When Secure Boot is active,
-          Limine now requires an enrolled config checksum, BLAKE2B hashes on
+          pending the next major version bump). When Secure Boot is active and
+          a config checksum is enrolled, Limine now requires BLAKE2B hashes on
           all loaded file paths (with EFI chainloads exempted, as they rely on
           firmware-side Secure Boot verification, and wallpaper and font files
           silently skipped on a missing hash), unconditionally disables the
-          config editor, and forces `hash_mismatch_panic` to `yes`.
+          config editor, and forces `hash_mismatch_panic` to `yes`. Enrolling
+          a config checksum is the explicit opt-in to this hardening; without
+          one, Secure Boot enforcement is not applied.
         - The `interface_branding_colour` and `interface_help_colour` config
           options now take an `RRGGBB` hexadecimal value instead of a 0-7
           colour index. A new `interface_help_colour_bright` option has been
diff --git a/FAQ.md b/FAQ.md
index f478a226..4b06342b 100644
--- a/FAQ.md
+++ b/FAQ.md
@@ -27,10 +27,11 @@ checksum of the config file itself. The EFI executable can then get signed with
 a key added to the firmware's keychain. This prevents modifications to the
 config file (and in turn the checksums contained there) from going unnoticed.
 
-Additionally, when Limine detects that UEFI Secure Boot is active, it enforces
-that a config checksum is enrolled, that all loaded files have BLAKE2B hashes
-in their paths, and disables the config editor. See [USAGE.md](USAGE.md) for
-details.
+Additionally, when UEFI Secure Boot is active **and** a config checksum has
+been enrolled, Limine enforces that all loaded files have BLAKE2B hashes in
+their paths, and disables the config editor. Enrolling a checksum is the
+explicit opt-in to this hardening; without one, Secure Boot enforcement is
+not applied. See [USAGE.md](USAGE.md) for details.
 
 ### I do not want to have a separate FAT boot partition! What can I do?
 
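Review bot: the new paragraph leaves the sentence two lines above it, "This prevents modifications to the config file (and in turn the checksums contained there) from going unnoticed", unqualified, although it now only holds once a checksum has been enrolled. Suggest tying the two together, e.g. "Note that signing the EFI executable alone does not protect the config: without an enrolled checksum, Limine applies none of the Secure Boot hardening described below", and pointing the reader at `limine enroll-config` (referenced in USAGE.md) as the step that turns the protection on.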
diff --git a/USAGE.md b/USAGE.md
index 4783d01d..171b96ac 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -22,10 +22,11 @@ For more information see the `limine enroll-config` program and
 [the FAQ](FAQ.md).
 
 When Limine detects that UEFI Secure Boot is active (the `SecureBoot` variable
-is set and `SetupMode` is not), the following security policies are enforced:
+is set and `SetupMode` is not) **and** a config BLAKE2B checksum is enrolled
+in the Limine EFI executable, the following security policies are enforced:
 
-* The config file **must** have a BLAKE2B checksum enrolled in the Limine EFI
-  executable. If no checksum is enrolled, Limine will panic.
+* The config file is verified against the enrolled checksum on every boot.
+  Any mismatch will cause a panic.
 * All file paths (kernels, modules, DTBs, fonts, etc.) **must** have a BLAKE2B
   hash appended (e.g. `boot():/kernel#<hash>`). Loading a file without a hash
   will cause a panic. The exception is EFI chainloading, where the firmware's
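Review bot: the rewritten first bullet ("verified against the enrolled checksum on every boot. Any mismatch will cause a panic.") is not actually a Secure Boot policy, yet it sits under the heading "when Secure Boot is active ... and a config checksum is enrolled". In the config.c hunk the checksum comparison, and the `editor_enabled = false` that goes with it, run in the `else` branch of the emptiness test with no reference to `secure_boot_active`, so they apply whenever a checksum is enrolled, Secure Boot or not. Suggest splitting the list: "Whenever a checksum is enrolled, the config is verified against it on every boot and the editor is disabled. When Secure Boot is additionally active, the following policies are enforced: ..." and keeping only the hash-in-path and `hash_mismatch_panic` items under the Secure Boot condition.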
@@ -35,6 +36,12 @@ is set and `SetupMode` is not), the following security policies are enforced:
 * The config editor is unconditionally disabled.
 * `hash_mismatch_panic` is forced to `yes` regardless of the config setting.
 
+If no config checksum is enrolled, Limine treats Secure Boot as inactive and
+none of the above hardening is applied. Enrolling a checksum is the explicit
+opt-in to Secure Boot enforcement; an unenrolled image can still be signed
+and booted under Secure Boot, but it provides no integrity guarantees beyond
+those of the firmware itself.
+
 ## BIOS/MBR
 In order to install Limine on a MBR device (which can just be a raw image
 file), run `limine bios-install` as such:
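Review bot: "Limine treats Secure Boot as inactive" describes internal state rather than what the user will see; the paragraph should spell out the consequence. From the bullets above, an unenrolled image under Secure Boot keeps the config editor available, honours whatever `hash_mismatch_panic` says in the config, and loads kernels and modules without any hash check, so the paragraph should say so directly and recommend enrolling a checksum before signing the executable. It would also help to state whether Limine prints a warning in this case, since "no integrity guarantees beyond those of the firmware itself" is easy to miss when the boot otherwise looks normal.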
diff --git a/common/lib/config.c b/common/lib/config.c
index 98f15bdd..7070cd3f 100644
--- a/common/lib/config.c
+++ b/common/lib/config.c
@@ -354,11 +354,9 @@ static struct macro *macros = NULL;
 int init_config(size_t config_size) {
     config_b2sum += sizeof(CONFIG_B2SUM_SIGNATURE) - 1;
 
-    if (secure_boot_active && memcmp((void *)config_b2sum, CONFIG_B2SUM_EMPTY, 128) == 0) {
-        panic(false, "!!! SECURE BOOT IS ACTIVE BUT NO CONFIG CHECKSUM IS ENROLLED !!!");
-    }
-
-    if (memcmp((void *)config_b2sum, CONFIG_B2SUM_EMPTY, 128) != 0) {
+    if (memcmp((void *)config_b2sum, CONFIG_B2SUM_EMPTY, 128) == 0) {
+        secure_boot_active = false;
+    } else {
         editor_enabled = false;
 
         uint8_t out_buf[BLAKE2B_OUT_BYTES];
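Review bot: `secure_boot_active = false;` silently overwrites the firmware detection result with no message, so the opt-out the docs describe leaves no trace at boot. Suggest at least emitting a warning before clearing it, e.g. `print("WARNING: Secure Boot is active but no config checksum is enrolled; hash enforcement disabled\n");` (or whatever the project's logging call is), and consider keeping `secure_boot_active` as the raw detection result and gating enforcement on a separate flag (e.g. `secure_boot_enforce`), so that any code or diagnostics that report the firmware's Secure Boot state do not start reporting it as off. The previous check at this spot distinguished "Secure Boot active" from "checksum enrolled" in its panic text; the new code collapses the two.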