In 328222014146f0116e0208443f3e255d0e85ef15 we have removed the signed-update hook from systems that do not have EFI in MACHINE_FEATURES. This on its own makes sense, however together with it we have also removed the runtime check for whether the running system is actually booted in UEFI mode.
This effectively means it is no longer possible to update the host OS on a device type able to boot in both UEFI and BIOS modes (intel-nuc and genericx86-64-ext) when booted in BIOS mode, as the signed-update hook is executed unconditionally and fails if the device is not running UEFI.
This patch re-adds the runtime check to only execute the hook if the system is actually booted in UEFI mode.
'Approve' if this change would be acceptable in the codebase (even if there are minor or cosmetic tweaks that could be improved).
'Request Changes' if this change would not be acceptable in our codebase (e.g. bugs, changes that will make development harder in future, security/performance issues, etc).
'Comment' if you don't feel you have enough information to decide either way (e.g. if you have major questions, or you don't understand the context of the change sufficiently to fully review yourself, but want to make a comment)
In 328222014146f0116e0208443f3e255d0e85ef15 we have removed the
signed-update
hook from systems that do not haveEFI
inMACHINE_FEATURES
. This on its own makes sense, however together with it we have also removed the runtime check for whether the running system is actually booted in UEFI mode.This effectively means it is no longer possible to update the host OS on a device type able to boot in both UEFI and BIOS modes (
intel-nuc
andgenericx86-64-ext
) when booted in BIOS mode, as the signed-update hook is executed unconditionally and fails if the device is not running UEFI.This patch re-adds the runtime check to only execute the hook if the system is actually booted in UEFI mode.
Contributor checklist
Change-type
present on at least one commitSigned-off-by
is presentReviewer Guidelines