Detect currently set MSI Secure Boot setting #428

Open
@dawidpotocki

We can tell the MSI nonsense behaviour status by checking `hexdump -X /sys/firmware/efi/efivars/SecureBootSetup-7b59104a-c00d-4158-87ff-f04d6396a915`.

I have documented the format below. The annoying part is that we need to differentiate somehow between newer and older firmware as they have a slightly different format and the same output could mean two different things. Thank you, MSI.

If done properly this should be better than the current checks as we can tell what the users have set.

Format

"Secure Boot Preset" firmware

07
00
00
00
XX - Secure Boot
XX - Secure Boot Mode
XX - Provision Factory Keys
00
XX - Secure Boot Preset
00
00

"Image Execution Policy" firmware

07
00
00
00
XX - Secure Boot
XX - Secure Boot Mode
XX - Provision Factory Keys
00
XX - Option ROM
XX - Removable Media
XX - Fixed Media

Options

Secure Boot
00 - Off
01 - On

Secure Boot Mode
00 - Standard
01 - Custom

Provision Factory Keys
00 - Off
01 - On

Secure Boot Preset
00 - Hardware/OS Compatibility
05 - Maximum Security

Option ROM/Removable Media/Fixed Media
00 - Always Execute
01 - Always Deny
02 - Allow Execute
03 - Defer Execute
04 - Deny Execute
05 - Query User
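
The following decoder for the two layouts documented above is an added example, not code from the issue or from the project. The function names `decode` and `possible_layouts` are hypothetical, and the consistency check is only an inference from the tables above: it shows which byte patterns fit both layouts, it does not identify the firmware generation.

```python
# Added example: decoder for the SecureBootSetup layouts documented in this issue.
from pathlib import Path

VAR = Path("/sys/firmware/efi/efivars/"
           "SecureBootSetup-7b59104a-c00d-4158-87ff-f04d6396a915")
ON_OFF = {0: "Off", 1: "On"}
MODE = {0: "Standard", 1: "Custom"}
PRESET = {0: "Hardware/OS Compatibility", 5: "Maximum Security"}
POLICY = {0: "Always Execute", 1: "Always Deny", 2: "Allow Execute",
          3: "Defer Execute", 4: "Deny Execute", 5: "Query User"}


def _name(table, value):
    return table.get(value, f"unknown (0x{value:02x})")


def decode(raw, layout):
    """Decode the 11 bytes; layout is 'preset' or 'policy' (the caller decides)."""
    if len(raw) != 11 or raw[:4] != b"\x07\x00\x00\x00":
        raise ValueError("not the 11-byte layout documented in the issue")
    out = {"Secure Boot": _name(ON_OFF, raw[4]),
           "Secure Boot Mode": _name(MODE, raw[5]),
           "Provision Factory Keys": _name(ON_OFF, raw[6])}
    if layout == "preset":
        out["Secure Boot Preset"] = _name(PRESET, raw[8])
    elif layout == "policy":
        labels = ("Option ROM", "Removable Media", "Fixed Media")
        for label, value in zip(labels, raw[8:11]):
            out[label] = _name(POLICY, value)
    else:
        raise ValueError("layout must be 'preset' or 'policy'")
    return out


def possible_layouts(raw):
    """Layouts the bytes are consistent with, inferred from the tables above."""
    fits = ["policy"] if all(b in POLICY for b in raw[8:11]) else []
    if raw[8] in PRESET and raw[9:11] == b"\x00\x00":
        fits.insert(0, "preset")  # trailing 00 00 and a known preset value
    return fits


if __name__ == "__main__":
    # Constructed sample, used when the variable is absent on this host.
    sample = bytes.fromhex("0700000001000100050000")
    raw = VAR.read_bytes() if VAR.exists() else sample
    for layout in possible_layouts(raw):
        print(layout, decode(raw, layout))
```

The constructed sample fits both layouts ("Maximum Security" or "Query User" for Option ROM with "Always Execute" for both media types), which is the ambiguity described above.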
