From: Daan De Meyer Date: Mon, 31 Jul 2023 19:35:02 +0000 (+0200) Subject: ukify: Only run systemd-measure after adding all sections X-Git-Tag: v255-rc1~846 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d713104abef503708451a8efd88a7f5a78418f91;p=thirdparty%2Fsystemd.git ukify: Only run systemd-measure after adding all sections We were running systemd-measure before adding the sbat section, let's fix that. Also make sure we only pass --linux to systemd-measure once instead of twice.
---
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index 49317fbf784..8324942f992 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -792,23 +792,29 @@ def make_uki(opts):
     for section in opts.sections:
         uki.add_section(section)
 
-    # PCR measurement and signing
-
-    call_systemd_measure(uki, linux, opts=opts)
-
-    # UKI or addon creation - addons don't use the stub so we add SBAT manually
-
     if linux is not None:
         # Merge the .sbat sections from stub, kernel and parameter, so that revocation can be done on either.
         uki.add_section(Section.create('.sbat', merge_sbat([opts.stub, linux], opts.sbat), measure=True))
-        uki.add_section(Section.create('.linux', linux, measure=True))
     else:
+        # Addons don't use the stub so we add SBAT manually
         if not opts.sbat:
             opts.sbat = ["""sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html
 """]
         uki.add_section(Section.create('.sbat', merge_sbat([], opts.sbat), measure=False))
 
+    # PCR measurement and signing
+
+    # We pass in the contents for .linux separately because we need them to do the measurement but can't add
+    # the section yet because we want .linux to be the last section. Make sure any other sections are added
+    # before this function is called.
+    call_systemd_measure(uki, linux, opts=opts)
+
+    # UKI creation
+
+    if linux is not None:
+        uki.add_section(Section.create('.linux', linux, measure=True))
+
     if sign_args_present:
         unsigned = tempfile.NamedTemporaryFile(prefix='uki')
         unsigned_output = unsigned.name
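Review bot: The ordering rule stated in the new comment above `call_systemd_measure(uki, linux, opts=opts)` is only documented, not enforced, so a measured section added later in make_uki (anything between that call and the final `.linux` append, or after it) would silently be left out of the PCR prediction while the stub still measures it at boot, and a policy sealed to that prediction would then fail to unseal. Consider snapshotting the section count right after the measure call and asserting, just before `if sign_args_present:`, that only the expected `.linux` section (none for addons) was appended in between; this presumes `uki` exposes its section list, which the hunk does not show. The comment also gives the rule that `.linux` must be last but not the reason, so a one-line "why" on the `# UKI creation` comment would keep the next maintainer from reordering it. make_uki() starts and ends outside this hunk.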