bool __nokaslr;
 
-static int efi_secureboot_enabled(efi_system_table_t *sys_table_arg)
+static int efi_get_secureboot(efi_system_table_t *sys_table_arg)
 {
        static efi_guid_t const var_guid = EFI_GLOBAL_VARIABLE_GUID;
        static efi_char16_t const var_name[] = {
                return val;
        case EFI_NOT_FOUND:
                return 0;
+       case EFI_DEVICE_ERROR:
+               return -EIO;
+       case EFI_SECURITY_VIOLATION:
+               return -EACCES;
        default:
-               return 1;
+               return -EINVAL;
        }
 }
 
        efi_guid_t loaded_image_proto = LOADED_IMAGE_PROTOCOL_GUID;
        unsigned long reserve_addr = 0;
        unsigned long reserve_size = 0;
+       int secure_boot = 0;
 
        /* Check if we were booted by the EFI firmware */
        if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)
        if (status != EFI_SUCCESS)
                pr_efi_err(sys_table, "Failed to parse EFI cmdline options\n");
 
+       secure_boot = efi_get_secureboot(sys_table);
+       if (secure_boot > 0)
+               pr_efi(sys_table, "UEFI Secure Boot is enabled.\n");
+
+       if (secure_boot < 0) {
+               pr_efi_err(sys_table,
+                       "could not determine UEFI Secure Boot status.\n");
+       }
+
        /*
         * Unauthenticated device tree data is a security hazard, so
         * ignore 'dtb=' unless UEFI Secure Boot is disabled.
         */
-       if (efi_secureboot_enabled(sys_table)) {
-               pr_efi(sys_table, "UEFI Secure Boot is enabled.\n");
+       if (secure_boot != 0 && strstr(cmdline_ptr, "dtb=")) {
+               pr_efi(sys_table, "Ignoring DTB from command line.\n");
        } else {
                status = handle_cmdline_files(sys_table, image, cmdline_ptr,
                                              "dtb=",