trust machine keyring (MoK) by default
author Luca Boccassi <bluca@debian.org>
Wed, 7 May 2025 15:10:56 +0000 (17:10 +0200)
committer Salvatore Bonaccorso <carnil@debian.org>
Wed, 7 May 2025 15:10:56 +0000 (17:10 +0200)
Debian always trusted keys in MoK by default. Upstream made it conditional on
a new EFI variable being set. To keep backward compatibility, skip this check.

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name trust-machine-keyring-by-default.patch

security/integrity/platform_certs/machine_keyring.c

index 7aaed7950b6e3673fdb734ea1b13fa3db516cf76..416da7b788a43f1c61b0b2a5dce3fc6d337a2ea0 100644 (file)
@@ -69,8 +69,7 @@ bool __init trust_moklist(void)
        if (!initialized) {
                initialized = true;
 
-               if (uefi_check_trust_mok_keys())
-                       trust_mok = true;
+               trust_mok = true;
        }
 
        return trust_mok;
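
Review bot: The new `trust_mok = true;` line has no comment explaining why the `uefi_check_trust_mok_keys()` gate is dropped, so a reader of machine_keyring.c sees an unconditional assignment inside the one-time `initialized` guard with no hint that this is a deliberate deviation from upstream. Suggest a short comment above the assignment stating that MoK keys are trusted regardless of the EFI variable, for backward compatibility as the commit message says. Also check whether `uefi_check_trust_mok_keys()` still has a caller after this change; if it does not, remove it or mark it so the build does not warn about an unused function.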