From d509eac503a06ffa1ba00eee4ace12a2fee9656b Mon Sep 17 00:00:00 2001
From: Brian Fjeldstad
Date: Fri, 20 Mar 2026 19:37:26 +0000
Subject: [PATCH] pcrlock predict uses sort order to predict, so addons need to load between uki (650-*) and uki .linux (660-*)
---
 crates/osutils/src/pcrlock.rs | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/crates/osutils/src/pcrlock.rs b/crates/osutils/src/pcrlock.rs
index 30dc95147..91fb9cca4 100644
--- a/crates/osutils/src/pcrlock.rs
+++ b/crates/osutils/src/pcrlock.rs
@@ -50,15 +50,16 @@ const BOOT_LOADER_CODE_SDBOOT_PCRLOCK_DIR: &str = "640-boot-loader-code-sdboot.p
 /// into PCR 4,
 const UKI_PCRLOCK_DIR: &str = "650-uki.pcrlock.d";
+/// `/var/lib/pcrlock.d/655-uki-addons-.pcrlock.d`, where `lock-pe` measures the UKI addons binaries, as recorded
+/// into PCR 4. This needs to occur between 650-* and 660-* as the addons are loaded between the uki and the uki .linux
+/// section.
+const UKI_ADDONS_PCRLOCK_DIR_PREFIX: &str = "655-uki-addons-";
+const UKI_ADDONS_PCRLOCK_DIR_SUFFIX: &str = ".pcrlock.d";
+
 /// `/var/lib/pcrlock.d/660-boot-loader-code-uki.pcrlock.d`, where `lock-pe` measures the .linux
 /// section of the UKI binary, as recorded into PCR 4 following Microsoft's Authenticode hash spec,
 const BOOT_LOADER_CODE_UKI_PCRLOCK_DIR: &str = "660-boot-loader-code-uki.pcrlock.d";
-/// `/var/lib/pcrlock.d/670-uki-addons-.pcrlock.d`, where `lock-pe` measures the UKI addons binaries, as recorded
-/// into PCR 4.
-const UKI_ADDONS_PCRLOCK_DIR_PREFIX: &str = "670-uki-addons-";
-const UKI_ADDONS_PCRLOCK_DIR_SUFFIX: &str = ".pcrlock.d";
-
 #[derive(Debug, Deserialize)]
 struct PcrValue {
 pcr: Pcr,
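Review bot: Renaming the addon prefix from `670-uki-addons-` to `655-uki-addons-` leaves open what happens to `670-uki-addons-*.pcrlock.d` directories that an earlier build already wrote under `/var/lib/pcrlock.d`. If they are not removed, `pcrlock predict` would presumably still pick them up after `660-*`, so the predicted PCR 4 value, and any TPM policy built from it, may not match the measured boot. The code that creates and cleans up these directories is outside the hunk, so please confirm that it also removes the old prefix. Since correctness now rests on the lexical order of three string literals, a unit test would pin it: `assert!(UKI_PCRLOCK_DIR < UKI_ADDONS_PCRLOCK_DIR_PREFIX && UKI_ADDONS_PCRLOCK_DIR_PREFIX < BOOT_LOADER_CODE_UKI_PCRLOCK_DIR);`.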