condition: add new conditon ConditionSecurity=uefi-secureboot

We have the detector call for this anyway, and it's useful for
conditioning out dbxtool.service, hence let's add this tiny new option.

man/systemd.unit.xml

@@ -1107,15 +1107,13 @@
         kernels into older versions provided by distributions. Hence, this check is inherently unportable and should
         not be used for units which may be used on different distributions.</para>
 
-        <para><varname>ConditionSecurity=</varname> may be used to
+        <para><varname>ConditionSecurity=</varname> may be used to check
-        check whether the given security module is enabled on the
+        whether the given security technology is enabled on the
         system. Currently, the recognized values are
-        <varname>selinux</varname>,
+        <varname>selinux</varname>, <varname>apparmor</varname>,
-        <varname>apparmor</varname>,
+        <varname>tomoyo</varname>, <varname>ima</varname>,
-        <varname>tomoyo</varname>,
+        <varname>smack</varname>, <varname>audit</varname> and
-        <varname>ima</varname>,
+        <varname>uefi-secureboot</varname>. The test may be negated by
-        <varname>smack</varname> and
-        <varname>audit</varname>. The test may be negated by
         prepending an exclamation mark.</para>
 
         <para><varname>ConditionCapability=</varname> may be used to

src/shared/condition.c

@@ -21,6 +21,7 @@
 #include "cap-list.h"
 #include "cgroup-util.h"
 #include "condition.h"
+#include "efivars.h"
 #include "extract-word.h"
 #include "fd-util.h"
 #include "fileio.h"
@@ -376,6 +377,8 @@ static int condition_test_security(Condition *c) {
                 return use_ima();
         if (streq(c->parameter, "tomoyo"))
                 return mac_tomoyo_use();
+        if (streq(c->parameter, "uefi-secureboot"))
+                return is_efi_secure_boot();
 
         return false;
 }