lib/security: hard_lockdown flag to stop runtime disable of signed boot

[petitboot] / lib / security / gpg.c

diff --git a/lib/security/gpg.c b/lib/security/gpg.c
index 761d6ced1bb986d6dccffd2fc01e3a3e9f42437f..aae85aa06e1084fbf365f537b8003bfee3b098b9 100644 (file)
--- a/lib/security/gpg.c
+++ b/lib/security/gpg.c
@@ -354,8 +354,10 @@ int lockdown_status() {
        /* assume most restrictive lockdown type */
        int ret = PB_LOCKDOWN_SIGN;
 
+#if !defined(HARD_LOCKDOWN)
        if (access(LOCKDOWN_FILE, F_OK) == -1)
                return PB_LOCKDOWN_NONE;
+#endif
 
        /* determine lockdown type */
        FILE *authorized_signatures_handle = NULL;