From 55fe5c34cf41813fd91fff85281770da77913b68 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 7 Mar 2025 16:40:36 +0800
Subject: [PATCH 2/2] Stop the SbatLevelRT prediction if .sbatlevel not
 available

The SbatLevelRT prediction relies on the PCR4 events to locate shim.efi,
so PCR4 has to be a hard requirement.

Signed-off-by: Gary Lin <glin@suse.com>
---
 src/efi-variable.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/efi-variable.c b/src/efi-variable.c
index b70f63b..f8527cc 100644
--- a/src/efi-variable.c
+++ b/src/efi-variable.c
@@ -291,9 +291,9 @@ efi_variable_authority_get_record(const tpm_parsed_event_t *parsed, const char *
 		db_name = "MokList";
 	} else
 	if (!strcmp(var_short_name, "SbatLevel")) {
-		if (ctx->sbatlevel != NULL)
-			return efi_sbatlevel_get_record(ctx->sbatlevel);
-		return runtime_read_efi_variable(var_name);
+		if (ctx->sbatlevel == NULL)
+			fatal("No reference .sbatlevel section. Please add PCR4 into the PCR index list\n");
+		return efi_sbatlevel_get_record(ctx->sbatlevel);
 	} else {
 		/* Read as-is (this could be SbatLevel, or some other variable that's not
 		 * a signature db). */
-- 
2.43.0