kernel/MODSIGN-Don-t-try-secure-boot-if-EFI-runtime-is-disa.patch

From 71db1b222ecdf6cb4356f6f1e2bd45cd2f0e85e1 Mon Sep 17 00:00:00 2001
From: Laura Abbott <labbott@redhat.com>
Date: Tue, 18 Oct 2016 13:58:44 -0700
Subject: [PATCH] MODSIGN: Don't try secure boot if EFI runtime is disabled

Secure boot depends on having EFI runtime variable access. The code
does not handle a lack of runtime variables gracefully. Add a check
to just bail out of EFI runtime is disabled.

Signed-off-by: Laura Abbott <labbott@redhat.com>
---
 kernel/modsign_uefi.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
index a41da14..2bdaf76 100644
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -71,6 +71,10 @@ static int __init load_uefi_certs(void)
 	if (!efi_enabled(EFI_SECURE_BOOT))
 		return 0;
 
+	/* Things blow up if efi runtime is disabled */
+	if (efi_runtime_disabled())
+		return 0;
+
 	keyring = get_system_keyring();
 	if (!keyring) {
 		pr_err("MODSIGN: Couldn't get system keyring\n");
-- 
2.7.4