boot: Follow-up fixes for #20255

man/loader.conf.xml

@@ -248,9 +248,9 @@
         and <filename>PK.esl</filename>. Note that these files need to be authenticated UEFI variables. See
         below for an example of how to generate them from regular X.509 keys.</para>
 
-        <programlisting>uuid=$(systemd-id128 new --)
+        <programlisting>uuid=$(systemd-id128 new --uuid)
 for key in PK KEK db; do
-  openssl req -new -x509 -subj "/CN=${key}/ -keyout "${key}.key" -out "${key}.crt"
+  openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"
   openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
   cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.tmp"
 done

src/boot/efi/boot.c

@@ -2690,8 +2690,8 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
                 /* if auto enrollment is activated, we try to load keys for the given entry. */
                 if (entry->type == LOADER_SECURE_BOOT_KEYS && config.secure_boot_enroll != ENROLL_OFF) {
                         err = secure_boot_enroll_at(root_dir, entry->path);
-                        if (err == EFI_SUCCESS)
-                                return EFI_SUCCESS;
+                        if (err != EFI_SUCCESS)
+                                return err;
                         continue;
                 }
 

src/boot/efi/secure-boot.c

@@ -43,7 +43,7 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path) {
 
         clear_screen(COLOR_NORMAL);
 
-        Print(L"Enrolling secure boot keys from directory: \\loader\\keys\\%s\n"
+        Print(L"Enrolling secure boot keys from directory: %s\n"
               L"Warning: Enrolling custom Secure Boot keys might soft-brick your machine!\n",
               path);