pcrlock: process components outside of location window properly

So far, when we tried to match a component to eent log entries we
skipped those components if they were outside of our location window.
That however is too aggressive, since it means any components that are
already in the logs, but outside of the location window will be
considered unrecognized in the logs, and thus removed from the PCR
policy.

Change things around: always try to match up all components, regardless
if inside the location window or outside, but then make it non-fatal we
can't find a component outside of the location window.

Fixes: #36079

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 298015a15f4573239d76e0557d604df10a9001db..9926720127c66cb6860494189398fa65d94810fe 100644 (file)
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -1946,15 +1946,6 @@ static int event_log_map_components(EventLog *el) {
                 unsigned n_matching = 0, n_empty = 0;
                 EventLogComponent *c = *cc;
 
-                if (arg_location_end && strcmp(c->id, arg_location_end) > 0) {
-                        n_skipped++;
-
-                        if (!strextend_with_separator(&skipped_ids, ", ", c->id))
-                                return log_oom();
-
-                        continue;
-                }
-
                 assert(c->n_variants > 0);
 
                 FOREACH_ARRAY(ii, c->variants, c->n_variants) {
@@ -1978,20 +1969,33 @@ static int event_log_map_components(EventLog *el) {
                 }
 
                 if (n_matching + n_empty == 0) {
+                        bool skip = true;
 
                         if (arg_location_start && strcmp(c->id, arg_location_start) >= 0)
                                 log_info("Didn't find component '%s' in event log, assuming system hasn't reached it yet.", c->id);
-                        else {
+                        else if (arg_location_end && strcmp(c->id, arg_location_end) > 0) {
+                                log_info("Didn't find component '%s' in event log, but irrelevant for location window, ignoring.", c->id);
+                        } else {
                                 log_notice("Couldn't find component '%s' in event log.", c->id);
                                 el->n_missing_components++;
                                 el->missing_component_pcrs |= event_log_component_pcrs(c);
+
+                                skip = false;
                         }
+
+                        if (skip) {
+                                n_skipped++;
+
+                                if (!strextend_with_separator(&skipped_ids, ", ", c->id))
+                                        return log_oom();
+                        }
+
                 } else if (n_matching > 1)
                         log_debug("Found %u possible variants of component '%s' in event log (%s). Proceeding.", n_matching, c->id, matching_ids);
         }
 
         if (n_skipped > 0)
-                log_notice("Skipped %u components after location '%s' (%s).", n_skipped, arg_location_end, skipped_ids);
+                log_notice("Skipped %u components (%s).", n_skipped, skipped_ids);
         if (el->n_missing_components > 0)
                 log_notice("Unable to recognize %zu components in event log.", el->n_missing_components);