From b078ef274887a4cc0da64fd6668800d1e24a2871 Mon Sep 17 00:00:00 2001
From: Jan Setje-Eilers
Date: Tue, 16 May 2023 14:31:13 -0700
Subject: [PATCH] Always clear SbatLevel when Secure Boot is disabled
Unless an explict sbat policy is specified, always delete SbatLevel when secure boot is disabled.
Signed-off-by: Jan Setje-Eilers
---
 sbat.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/sbat.c b/sbat.c
index f1d6e98..cdf4e93 100644
--- a/sbat.c
+++ b/sbat.c
@@ -412,7 +412,12 @@ set_sbat_uefi_variable(void)
 &attributes);
 if (EFI_ERROR(efi_status)) {
 dprint("Default sbat policy: previous\n");
- sbat_var = SBAT_VAR_PREVIOUS;
+ if (secure_mode()) {
+ sbat_var = SBAT_VAR_PREVIOUS;
+ } else {
+ reset_sbat = true;
+ sbat_var = SBAT_VAR_ORIGINAL;
+ }
 } else {
 switch (*sbat_policy) {
 case SBAT_POLICY_LATEST:
@@ -438,7 +443,12 @@ set_sbat_uefi_variable(void)
 default:
 console_error(L"SBAT policy state %llu is invalid",
 EFI_INVALID_PARAMETER);
- sbat_var = SBAT_VAR_PREVIOUS;
+ if (secure_mode()) {
+ sbat_var = SBAT_VAR_PREVIOUS;
+ } else {
+ reset_sbat = true;
+ sbat_var = SBAT_VAR_ORIGINAL;
+ }
 clear_sbat_policy();
 break;
 }
-- 
2.33.0
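Review bot: The `dprint("Default sbat policy: previous\n");` line just above the new branch in the first hunk now reports "previous" even when the non-secure path selects `SBAT_VAR_ORIGINAL` and sets `reset_sbat = true`, so the debug trace no longer matches the decision that was actually taken; move the message into the branches, e.g. `dprint("Default sbat policy: previous\n");` inside the `secure_mode()` arm and `dprint("Default sbat policy: reset (Secure Boot disabled)\n");` in the `else` arm. The same five-line `secure_mode()` selection is repeated verbatim in the second hunk (the `default:` case of the policy `switch`), so the two fallback paths can silently drift apart; hoisting the choice into one place, or a small `static` helper that both call, would avoid that. Because this branch decides whether on-disk SbatLevel revocation data is discarded, a short comment at the first `if (secure_mode())` stating that the reset is taken only when the policy variable is absent (or, in the second hunk, invalid) and Secure Boot is off would help the next reader see why the two outcomes differ. `set_sbat_uefi_variable` begins and ends outside both hunks.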