
bug: pcrlock predict uses sort order to predict, so addons need to load between uki (650-*) and uki .linux (660-*)#568

Merged: bfjelds merged 1 commit into main from user/bfjelds/fix-addon-pcrlock on Mar 20, 2026

Conversation

@bfjelds (Member) commented Mar 20, 2026

🔍 Description

systemd-pcrlock predict depends on the pcrlock.d folder sort order to match the measurement order.

Using 670-uki-addons-* as a pcrlock.d folder name misordered the component. This only reproduces on baremetal because we have SecureBoot enabled in VM tests (in which case, the uki .linux section is not measured).

systemd-pcrlock log dumps the events in order, where the uki add-on (670-*) is loaded after the uki (650-*) and before the uki .linux section (660-*):

root@trident-usrverity-testimg [ ~ ]# /usr/lib/systemd/systemd-pcrlock log
( . . . )
PCR   PCRNAME            EVENT                         MATCH SHA256                                                           F/U COMPONENT                               DESCRIPTION                                                                                                                                                                                                                                             
( . . . )
  4 █ boot-loader-code   efi-boot-services-application     - SHA F   650-uki                                 File: \EFI\Linux\vmlinuz-100-azla0.efi
  4 █ boot-loader-code   efi-boot-services-application     - SHA F   670-uki-addons-vmlinuz-6.6.126.1-1.azl3 File: \EFI\Linux\vmlinuz-100-azla0.efi.extra.d\vmlinuz-6.6.126.1-1.azl3.addon.efi
( . . . )
  4 █ boot-loader-code   efi-boot-services-application     - SHA F   660-boot-loader-code-uki                Raw: . . .
( . . . )

systemd-pcrlock list-components shows the sort order that predict uses, where the uki addon is used after both the uki and uki .linux section:

root@trident-usrverity-testimg [ ~ ]# /usr/lib/systemd/systemd-pcrlock list-components --pcr 4
ID                                      VARIANTS
( . . . )
650-uki                                 /var/lib/pcrlock.d/650-uki.pcrlock.d/generated-0.pcrlock
660-boot-loader-code-uki                /var/lib/pcrlock.d/660-boot-loader-code-uki.pcrlock.d/generated-0.pcrlock
670-uki-addons-vmlinuz-6.6.126.1-1.azl3 /var/lib/pcrlock.d/670-uki-addons-vmlinuz-6.6.126.1-1.azl3.pcrlock.d/generated-0.pcrlock
( . . . )

The fix is to change the pcrlock folder name to sit between uki (650) and uki .linux (660).

Verified on baremetal manually, vm tests still succeed: https://dev.azure.com/mariner-org/ECF/_build/results?buildId=1074120&view=results
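The mismatch described above can be checked mechanically: take the component IDs in the order `systemd-pcrlock log` records the PCR 4 events, sort the same IDs the way `predict` walks pcrlock.d (lexicographically), and compare position by position. The script below is an added example and is not part of this pull request or of systemd; the log and list-components text it parses is constructed to resemble the output quoted above (columns shortened), and the `rename_prefix` helper is a hypothetical convenience for showing that a 655- prefix restores the expected order.

```python
"""Compare the measured PCR 4 component order against the order
systemd-pcrlock predict will assume from pcrlock.d sort order."""
import re

# Constructed sample resembling `systemd-pcrlock log` output for PCR 4
# (not captured from a real system; columns shortened). Line order is
# the order in which the events were actually measured.
SAMPLE_LOG = """\
  4 boot-loader-code efi-boot-services-application - SHA F 650-uki File: \\EFI\\Linux\\vmlinuz-100-azla0.efi
  4 boot-loader-code efi-boot-services-application - SHA F 670-uki-addons-vmlinuz-6.6.126.1-1.azl3 File: \\EFI\\Linux\\vmlinuz-100-azla0.efi.extra.d\\vmlinuz-6.6.126.1-1.azl3.addon.efi
  4 boot-loader-code efi-boot-services-application - SHA F 660-boot-loader-code-uki Raw: ...
"""

# Constructed sample of the IDs `systemd-pcrlock list-components --pcr 4`
# would list (the on-disk pcrlock.d component names).
SAMPLE_COMPONENTS = [
    "650-uki",
    "660-boot-loader-code-uki",
    "670-uki-addons-vmlinuz-6.6.126.1-1.azl3",
]

# pcrlock.d component IDs start with a three-digit ordering prefix.
COMPONENT_RE = re.compile(r"^\d{3}-\S+$")


def measured_order(log_text: str, pcr: int = 4) -> list[str]:
    """Component IDs in the order the log lists them for one PCR."""
    order = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit() or int(fields[0]) != pcr:
            continue
        ids = [f for f in fields if COMPONENT_RE.match(f)]
        if ids:
            order.append(ids[0])
    return order


def predicted_order(component_ids: list[str]) -> list[str]:
    """predict walks pcrlock.d components in lexicographic order."""
    return sorted(component_ids)


def order_mismatches(measured: list[str], predicted: list[str]):
    """Positions where measured and predicted order disagree.

    Only IDs present in both lists are compared, so a component that was
    measured but has no pcrlock.d entry (or vice versa) does not count
    as a misordering here."""
    common_measured = [c for c in measured if c in set(predicted)]
    common_predicted = [c for c in predicted if c in set(measured)]
    return [
        (i, m, p)
        for i, (m, p) in enumerate(zip(common_measured, common_predicted))
        if m != p
    ]


def rename_prefix(component_id: str, new_prefix: str) -> str:
    """Hypothetical helper: swap the three-digit ordering prefix."""
    return new_prefix + component_id[3:]


if __name__ == "__main__":
    measured = measured_order(SAMPLE_LOG)
    for i, m, p in order_mismatches(measured, predicted_order(SAMPLE_COMPONENTS)):
        print(f"position {i}: measured {m!r}, predict assumes {p!r}")
    # Apply the fix from this PR: move the add-on between 650 and 660.
    fixed = [rename_prefix(c, "655") if c.startswith("670-uki-addons-") else c
             for c in SAMPLE_COMPONENTS]
    fixed_log = SAMPLE_LOG.replace("670-uki-addons-", "655-uki-addons-")
    print("mismatches after rename:",
          order_mismatches(measured_order(fixed_log), predicted_order(fixed)))
```

On the constructed input the first run reports two out-of-place positions (the add-on and the .linux section are swapped relative to what predict assumes); after renaming the add-on component to a 655- prefix the two orders agree.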

@bfjelds bfjelds requested a review from a team as a code owner March 20, 2026 21:26
Copilot AI review requested due to automatic review settings March 20, 2026 21:26
Contributor

Copilot AI left a comment


Pull request overview

Adjusts the pcrlock.d component naming used for UKI add-ons so systemd-pcrlock predict’s lexicographic sort order matches the real TPM measurement order on bare metal.

Changes:

  • Renames the UKI add-ons .pcrlock.d directory prefix from 670-uki-addons- to 655-uki-addons- to ensure it sorts between 650-* (UKI) and 660-* (UKI .linux section).

Comment thread crates/osutils/src/pcrlock.rs
@bfjelds bfjelds changed the title engineering: pcrlock predict uses sort order to predict, so addons need to load between uki (650-*) and uki .linux (660-*) bug: pcrlock predict uses sort order to predict, so addons need to load between uki (650-*) and uki .linux (660-*) Mar 20, 2026
@bfjelds bfjelds merged commit 2f7cfb1 into main Mar 20, 2026
96 checks passed