man: Clarify secure-boot-enroll defaults

Clarify in the docs that `if-safe` is the default by noting
that in the text for it, but also moving it to the first mentioned
option.

Make explicit in `man systemd-boot` that the `secure-boot-enroll`
option is specified in the `loader.conf`.

Update an outdated comment in boot.c around the same.

Signed-off-by: Colin Walters <walters@verbum.org>
Colin Walters
2025-12-04 14:00:16 -05:00
committed by Zbigniew Jędrzejewski-Szmek
parent eb98ddd8b8
commit 3c85d99c79
3 changed files with 11 additions and 11 deletions

View File

@@ -293,8 +293,10 @@
<para>Controls enrollment of secure boot keys found on the ESP if the system is in setup mode:
<variablelist>
<varlistentry>
<term><option>off</option></term>
<listitem><para>No action is taken.</para>
<term><option>if-safe</option></term>
<listitem><para>This is the default. Same behavior as <option>manual</option>, but will try to automatically
enroll the key named <literal>auto</literal> if it is considered to be safe. Currently, this is only
the case if the system is running inside a virtual machine.</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>
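Review bot: moving `if-safe` to the head of the list breaks the least-to-most-permissive ordering the list had (`off`, `manual`, `if-safe`, `force`), so a reader scanning for what `off` does now meets it third, after `manual`. Consider keeping the original order and stating the default once in the introductory sentence instead, e.g. `...if the system is in setup mode. Defaults to <option>if-safe</option>.`, which keeps the default out of the per-option text so it cannot drift if the default changes later. The reworded `enroll the key named <literal>auto</literal>` is clearer than the removed `enroll the key <literal>auto</literal>`, so that part is fine as a by-product of the move.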
@@ -308,10 +310,8 @@
</varlistentry>
<varlistentry>
<term><option>if-safe</option></term>
<listitem><para>Same behavior as <option>manual</option>, but will try to automatically
enroll the key <literal>auto</literal> if it is considered to be safe. Currently, this is only
the case if the system is running inside a virtual machine.</para>
<term><option>off</option></term>
<listitem><para>No action is taken.</para>
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
</varlistentry>

View File

@@ -392,8 +392,9 @@
<para>Enrollment of Secure Boot variables can be performed manually or automatically if files are available
under <filename>/loader/keys/<replaceable>NAME</replaceable>/{db,dbx,KEK,PK}.auth</filename>, <replaceable>NAME</replaceable>
being the display name for the set of variables in the menu. If one of the sets is named <filename>auto</filename>
then it might be enrolled automatically depending on whether <literal>secure-boot-enroll</literal> is set
to force or not.</para>
then it might be enrolled automatically depending on the execution environment and the value of the <literal>secure-boot-enroll</literal> option.
See
<citerefentry><refentrytitle>loader.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
</refsect1>
<refsect1>
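Review bot: the rewritten sentence drops the concrete condition (previously `force`) and now sends the reader to loader.conf(5) to learn the security-relevant default, namely that with the default `if-safe` the `auto` set is enrolled without confirmation only when running inside a virtual machine. Since this is the paragraph a systemd-boot(7) reader hits first, consider stating that in one clause here, e.g. `then it might be enrolled automatically depending on the value of the <literal>secure-boot-enroll</literal> option; with the default, this happens only inside a virtual machine.` before the cross-reference. Style nit: the lone `See` line and the `<citerefentry>` on the next line read better joined into one line.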