protos/linux_risc: Document need for the linux,uefi-secure-boot property
diff --git a/common/protos/linux_risc.c b/common/protos/linux_risc.c
index 226a8e0b..59571e66 100644
--- a/common/protos/linux_risc.c
+++ b/common/protos/linux_risc.c
@@ -180,7 +180,11 @@ void *prepare_device_tree_blob(char *config, char *cmdline) {
panic(true, "linux: failed to set UEFI memory map descriptor version: '%s'", fdt_strerror(ret));
}
- // TODO(qookie): Figure out whether secure boot is actually enabled.
+ // This property is not required by mainline Linux, but is required by
+ // Debian (and derivative) kernels, because Debian has a patch that adds
+ // this flag, and the existing logic that deals with it will just outright
+ // fail if any of the properties is missing. We don't care about Debian's
+ // hardening or whatever, so just always report that secure boot is off.
ret = fdt_set_chosen_uint32(dtb, "linux,uefi-secure-boot", 0);
if (ret < 0) {
panic(true, "linux: failed to set UEFI secure boot state: '%s'", fdt_strerror(ret));
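Review bot: The new comment above `fdt_set_chosen_uint32(dtb, "linux,uefi-secure-boot", 0)` explains why the property must exist but not what hard-coding it costs: the kernel is told a fixed value whatever the firmware's actual Secure Boot state is. Any kernel policy keyed on this property (presumably the lockdown behaviour the Debian patch is there for) will therefore not engage, even on a machine booted with Secure Boot enabled. I would say so in place of "We don't care about Debian's hardening or whatever", for example `// NOTE: this hides the firmware's real Secure Boot state from the kernel; policy keyed on this property (e.g. lockdown) will never engage.` It is also worth confirming that 0 really encodes "off" for the consumer: mainline's `enum efi_secureboot_mode` has 0 as `efi_secureboot_mode_unset` and a separate `efi_secureboot_mode_disabled`, so if the Debian patch stores that enum the comment should say "unset" or the value should change. `prepare_device_tree_blob` starts and ends outside this hunk, so whether the real state is available at this point cannot be judged from here.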
