man: Clarify secure-boot-enroll defaults

Clarify in the docs that `if-safe` is the default by noting
that in the text for it, but also moving it to the first mentioned
option.

Make explicit in `man systemd-boot` that the `secure-boot-enroll`
option is specified in the `loader.conf`

Update an outdated comment in boot.c around the same.

Signed-off-by: Colin Walters <walters@verbum.org>

man/loader.conf.xml

@@ -293,8 +293,10 @@
         <para>Controls enrollment of secure boot keys found on the ESP if the system is in setup mode:
         <variablelist>
           <varlistentry>
-            <term><option>off</option></term>
+            <term><option>if-safe</option></term>
-            <listitem><para>No action is taken.</para>
+            <listitem><para>This is the default. Same behavior as <option>manual</option>, but will try to automatically
+            enroll the key named <literal>auto</literal> if it is considered to be safe. Currently, this is only
+            the case if the system is running inside a virtual machine.</para>
 
             <xi:include href="version-info.xml" xpointer="v253"/></listitem>
           </varlistentry>
@@ -308,10 +310,8 @@
           </varlistentry>
 
           <varlistentry>
-            <term><option>if-safe</option></term>
+            <term><option>off</option></term>
-            <listitem><para>Same behavior as <option>manual</option>, but will try to automatically
+            <listitem><para>No action is taken.</para>
-            enroll the key <literal>auto</literal> if it is considered to be safe. Currently, this is only
-            the case if the system is running inside a virtual machine.</para>
 
             <xi:include href="version-info.xml" xpointer="v253"/></listitem>
           </varlistentry>

man/systemd-boot.xml

@@ -392,8 +392,9 @@
     <para>Enrollment of Secure Boot variables can be performed manually or automatically if files are available
     under <filename>/loader/keys/<replaceable>NAME</replaceable>/{db,dbx,KEK,PK}.auth</filename>, <replaceable>NAME</replaceable>
     being the display name for the set of variables in the menu. If one of the sets is named <filename>auto</filename>
-    then it might be enrolled automatically depending on whether <literal>secure-boot-enroll</literal> is set
+    then it might be enrolled automatically depending on the execution environment and the value of the <literal>secure-boot-enroll</literal> option.
-    to force or not.</para>
+    See
+    <citerefentry><refentrytitle>loader.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
   </refsect1>
 
   <refsect1>

src/boot/boot.c

@@ -2997,9 +2997,8 @@ static void config_load_all_entries(
 
         config_add_system_entries(config);
 
-        /* Find secure boot signing keys and autoload them if configured.  Otherwise, create menu entries so
+        /* Using the rules defined by the `secure-boot-enroll` variable, find secure boot signing keys
-         * that the user can load them manually.  If the secure-boot-enroll variable is set to no (the
+         * and perform operations like autoloading them or create menu entries if configured. */
-         * default), we do not even search for keys on the ESP */
         (void) secure_boot_discover_keys(config, root_dir);
 
         if (config->n_entries == 0)