[PATCH] securebootcert: change fail to warning when MS UEFI CA not found in DB

Ivan Hu ivan.hu at canonical.com
Tue Sep 15 07:24:45 UTC 2015


Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
---
 src/uefi/securebootcert/securebootcert.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
index e814aa9..add328a 100644
--- a/src/uefi/securebootcert/securebootcert.c
+++ b/src/uefi/securebootcert/securebootcert.c
@@ -245,9 +245,15 @@ static void securebootcert_data_base(fwts_framework *fw, fwts_uefi_var *var, cha
 	fwts_log_info_verbatum(fw, "Check Microsoft UEFI CA certificate presence in %s", varname);
 	if (check_sigdb_presence(var->data, var->datalen, ms_uefi_ca_2011_key, ms_uefi_ca_2011_key_len))
 		fwts_passed(fw, "MS UEFI CA 2011 key check passed.");
-	else
-		fwts_failed(fw, LOG_LEVEL_HIGH, "SecureBootMSCertNotFound",
-			"The Microsoft UEFI CA certificate not found .");
+	else {
+		fwts_warning(fw, "The Microsoft UEFI CA certificate not found.");
+		fwts_advice(fw,
+			"Most Linux distributions use shim as a first stage "
+			"bootloader which was signed by Microsoft UEFI CA. "
+			"Without Microsoft UEFI CA certificate in DB, the "
+			"system might not be able to boot up with secure boot "
+			"enabled on these distributions.");		
+	}
 }
 
 static void securebootcert_key_ex_key(fwts_framework *fw, fwts_uefi_var *var, char *varname)
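Review bot: The new `else` branch reports a missing Microsoft UEFI CA through `fwts_warning` only, so the `SecureBootMSCertNotFound` label that came with `fwts_failed` is gone, and any tooling that tracks this condition by that label would presumably stop seeing it. A short comment on the branch would record the reasoning, e.g. `/* Not a firmware defect: db may legitimately hold only owner or vendor keys, so warn instead of fail */`, and the advice text could say the same so a reader of the log knows when the warning is expected. The last advice line also ends in stray tabs after `);`. The body of securebootcert_data_base starts above the hunk, so how `var->data` and `var->datalen` are validated before `check_sigdb_presence` is not visible here.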
-- 
1.9.1



