From 95b58ed32ea66de6a13735aad47a96bd714cb6be Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 3 Jul 2025 13:50:46 +0200
Subject: [PATCH] pcrlock: process components outside of location window
 properly

So far, when we tried to match a component to eent log entries we
skipped those components if they were outside of our location window.
That however is too aggressive, since it means any components that are
already in the logs, but outside of the location window will be
considered unrecognized in the logs, and thus removed from the PCR
policy.

Change things around: always try to match up all components, regardless
if inside the location window or outside, but then make it non-fatal we
can't find a component outside of the location window.

Fixes: #36079
---
 src/pcrlock/pcrlock.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/src/pcrlock/pcrlock.c b/src/pcrlock/pcrlock.c
index 298015a15f4..9926720127c 100644
--- a/src/pcrlock/pcrlock.c
+++ b/src/pcrlock/pcrlock.c
@@ -1946,15 +1946,6 @@ static int event_log_map_components(EventLog *el) {
                 unsigned n_matching = 0, n_empty = 0;
                 EventLogComponent *c = *cc;
 
-                if (arg_location_end && strcmp(c->id, arg_location_end) > 0) {
-                        n_skipped++;
-
-                        if (!strextend_with_separator(&skipped_ids, ", ", c->id))
-                                return log_oom();
-
-                        continue;
-                }
-
                 assert(c->n_variants > 0);
 
                 FOREACH_ARRAY(ii, c->variants, c->n_variants) {
@@ -1978,20 +1969,33 @@ static int event_log_map_components(EventLog *el) {
                 }
 
                 if (n_matching + n_empty == 0) {
+                        bool skip = true;
 
                         if (arg_location_start && strcmp(c->id, arg_location_start) >= 0)
                                 log_info("Didn't find component '%s' in event log, assuming system hasn't reached it yet.", c->id);
-                        else {
+                        else if (arg_location_end && strcmp(c->id, arg_location_end) > 0) {
+                                log_info("Didn't find component '%s' in event log, but irrelevant for location window, ignoring.", c->id);
+                        } else {
                                 log_notice("Couldn't find component '%s' in event log.", c->id);
                                 el->n_missing_components++;
                                 el->missing_component_pcrs |= event_log_component_pcrs(c);
+
+                                skip = false;
                         }
+
+                        if (skip) {
+                                n_skipped++;
+
+                                if (!strextend_with_separator(&skipped_ids, ", ", c->id))
+                                        return log_oom();
+                        }
+
                 } else if (n_matching > 1)
                         log_debug("Found %u possible variants of component '%s' in event log (%s). Proceeding.", n_matching, c->id, matching_ids);
         }
 
         if (n_skipped > 0)
-                log_notice("Skipped %u components after location '%s' (%s).", n_skipped, arg_location_end, skipped_ids);
+                log_notice("Skipped %u components (%s).", n_skipped, skipped_ids);
         if (el->n_missing_components > 0)
                 log_notice("Unable to recognize %zu components in event log.", el->n_missing_components);
 
-- 
2.47.3