From 1e994f11a4efcfb46525f0cd214837d96df985a9 Mon Sep 17 00:00:00 2001
From: Christian Svensson
Date: Mon, 22 Jan 2024 21:38:10 +0100
Subject: [PATCH] kamel: replace mokutil w/ efivar (PR #14589)
---
 installer/default_platform.conf | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/installer/default_platform.conf b/installer/default_platform.conf
index b0fbff2e1e54..47ae1e67069d 100755
--- a/installer/default_platform.conf
+++ b/installer/default_platform.conf
@@ -434,14 +434,23 @@ bootloader_menu_config()
 ${onie_bin} onie-support /tmp
 mv $onie_initrd_tmp/tmp/onie-support*.tar.bz2 $demo_mnt/$image_dir/
+ echo "firmware=$firmware"
 if [ "$firmware" = "uefi" ] ; then
- secure_boot_state=$(mokutil --sb-state)
+ secure_boot_state=0
+ reg_sb_guid=""
+ ENABLED=1
+ echo "checking secure boot state"
+ reg_sb_guid=$(efivar -l | grep "SecureBoot$") || echo "Secure Boot GUID not found in efivar list"
+ echo "Secure Boot GUID=$reg_sb_guid"
+ if [ -n "$reg_sb_guid" ]; then
+ secure_boot_state=$(efivar -d --name $reg_sb_guid) || echo "Could not read Secure Boot state from efivar"
+ fi
 echo secure_boot_state=$secure_boot_state
- if [ "$secure_boot_state" = "SecureBoot enabled" ]; then
- echo "UEFI Secure Boot is enabled"
+ if expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then
+ echo "UEFI Secure Boot is enabled - Installing shim bootloader"
 demo_install_uefi_shim "$demo_mnt" "$blk_dev"
 else
- echo "UEFI Secure Boot is disabled"
+ echo "UEFI Secure Boot is disabled - Installing regular grub bootloader"
 demo_install_uefi_grub "$demo_mnt" "$blk_dev"
 fi
 else
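Review bot: The lookup `efivar -l | grep "SecureBoot$"` accepts any variable whose name ends in SecureBoot under any vendor GUID, and it can return more than one line, which the unquoted `--name $reg_sb_guid` then word-splits. The shim-versus-grub decision should read only the EFI global variable: anchor the match as `grep '^8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot$'` (the EFI_GLOBAL_VARIABLE GUID) and pass `--name "$reg_sb_guid"`. When efivar is missing or the read fails, `secure_boot_state` ends up 0 or empty and the code takes the "disabled" branch after only an echo, so a Secure Boot system would get the non-shim bootloader; a warning on stderr or a non-zero exit on a failed read would make that case visible. bootloader_menu_config's body starts and ends outside the hunk.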
@@ -561,7 +570,7 @@ echo "EXTRA_CMDLINE_LINUX=$extra_cmdline_linux" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX $extra_cmdline_linux" GRUB_CFG_LINUX_CMD="" GRUB_CFG_INITRD_CMD="" -if [ "$firmware" = "uefi" ] ; then +if [ "$firmware" = "uefi" ] && expr "$secure_boot_state" : '[[:digit:]]\{1,\}' >/dev/null && [ "$secure_boot_state" -eq "$ENABLED" ]; then # grub.cfg when BIOS is UEFI and support Secure Boot GRUB_CFG_LINUX_CMD="linuxefi" GRUB_CFG_INITRD_CMD="initrdefi" @@ -608,17 +617,6 @@ EOF cp $grub_cfg $onie_initrd_tmp/$demo_mnt/grub/grub.cfg fi - if [ "$secure_boot_state" = "SecureBoot enabled" ]; then - # Secure Boot grub.cfg support - # Saving grub_cfg in the same place where is grubx64.efi, - # this grub_cfg file will be called by first grub.cfg file from: /boot/efi/EFI/debian/grub.cfg - if [ -f $NVOS_BOOT_DIR/grub.cfg ]; then - rm $NVOS_BOOT_DIR/grub.cfg - fi - - cp $grub_cfg $NVOS_BOOT_DIR/grub.cfg - fi - cd / echo "Installed SONiC base image $demo_volume_label successfully"
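Review bot: The new condition in the `@@ -561,7 +570,7 @@` hunk repeats the `expr … && [ "$secure_boot_state" -eq "$ENABLED" ]` test from the `@@ -434,14 +434,23 @@` hunk, and it relies on `secure_boot_state` and `ENABLED`, which are assigned only inside that earlier `if [ "$firmware" = "uefi" ]` branch. Deciding once would keep the bootloader choice and the `linuxefi`/`initrdefi` choice from drifting apart: initialise `secure_boot_enabled=0` before the firmware check, set `secure_boot_enabled=1` in the shim branch, and test `[ "$secure_boot_enabled" = "1" ]` here. The comment under the condition could then read `# UEFI with Secure Boot enabled: boot via linuxefi/initrdefi`. The enclosing block continues outside the hunk.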