From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 28 Sep 2023 08:33:00 +0000 (+0200)
Subject: bootctl: report if have been booted with a measured UKI
X-Git-Tag: v255-rc1~402^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fa1f3aec334eb17aa0283e10d2067d8e03063de4;p=thirdparty%2Fsystemd.git

bootctl: report if have been booted with a measured UKI

Just expose the result of efi_measured_uki() to the user.
---

diff --git a/src/boot/bootctl-status.c b/src/boot/bootctl-status.c
index a6520e07197..73893dee69e 100644
--- a/src/boot/bootctl-status.c
+++ b/src/boot/bootctl-status.c
@@ -420,6 +420,16 @@ int verb_status(int argc, char *argv[], void *userdata) {
                        (s & TPM2_SUPPORT_DRIVER) ? "driver only, firmware unavailable" : "no",
                        ansi_normal());
 
+                k = efi_measured_uki(LOG_DEBUG);
+                if (k > 0)
+                        printf("  Measured UKI: %syes%s\n", ansi_highlight_green(), ansi_normal());
+                else if (k == 0)
+                        printf("  Measured UKI: no\n");
+                else {
+                        errno = -k;
+                        printf("  Measured UKI: %sfailed%s (%m)\n", ansi_highlight_red(), ansi_normal());
+                }
+
                 k = efi_get_reboot_to_firmware();
                 if (k > 0)
                         printf("  Boot into FW: %sactive%s\n", ansi_highlight_yellow(), ansi_normal());