Hey all,

we've recently tried to upgrade a legacy image of ours from
Fedora 40 to Fedora 42, including a systemd version bump from
version 255 to version 257. This broke our PCR9 measurement
because the initrd measured into that doesn't match our
expectations anymore. The initrd section measured into PCR11
still matches, however.

This makes a632d8dd9f6cd5cf8e43862f0ea896cc571b1cab a likely
culprit of the issue, as the .osrel UKI section is now passed
as an initrd CPIO archive to the kernel. We do not use
multi-profile UKIs, so that should be the only relevant thing.

The code changes look to me like they would pass the osrel
section - packed into a CPIO archive - directly to the
kernel. We've therefore done the following in our
pre-calculation code:

    // Read .osrel contents from UKI
    [...]
    header := &cpio.Header{
        Name: "/.extra/os-release",
        Mode: 0444,
        Size: int64(osrelContent.Len()),
    }
    // Pack .osrel contents into CPIO archive with
    // header, append to initrd blob and SHA256.
    [...]

However, we were unable to reproduce the measurements so far,
also with different ordering.

Does anyone have a pointer to what might be wrong, or
pre-calculation code we could use as a reference?

Best,
Moritz
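
An added example, not part of the original message and not systemd's code: a stdlib-only Go builder for the newc CPIO format, showing that each layout detail the post leaves open (leading "/" in the member name, a ".extra" directory record, a trailer record, padding between initrd and archive) changes the digest extended into the PCR. The `Layout` type, the inode numbers, the hex digit case, the padding rule and the sample inputs are assumptions to be compared against the stub's source, not a statement of what the stub emits.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Layout holds choices the post leaves open (assumptions here); each changes the digest.
type Layout struct {
	ParentDir, Trailer bool   // emit a ".extra" directory record / a "TRAILER!!!" record
	Name               string // member name, with or without the leading "/"
}

// pad4 zero-pads b to a multiple of 4 bytes without writing into the caller's array.
func pad4(b []byte) []byte {
	return append(b[:len(b):len(b)], make([]byte, (4-len(b)%4)%4)...)
}

// entry builds one newc record: magic, 13 hex fields (ino, mode, uid, gid, nlink, mtime,
// filesize, 4x dev numbers, namesize, check), NUL-terminated name, data; 4-byte aligned.
func entry(ino, mode uint32, name string, data []byte) []byte {
	h := fmt.Sprintf("070701%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%s\x00",
		ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name)+1, 0, name)
	return append(pad4([]byte(h)), pad4(data)...)
}

// Archive packs osrel as a single member; inode numbers and modes are constructed values.
func Archive(l Layout, osrel []byte) (b []byte) {
	if l.ParentDir {
		b = append(b, entry(1, 0o040555, ".extra", nil)...)
	}
	b = append(b, entry(2, 0o100444, l.Name, osrel)...)
	if l.Trailer {
		b = append(b, entry(0, 0, "TRAILER!!!", nil)...)
	}
	return b
}

// PCR extends an all-zero PCR with SHA256(initrd padded to 4 (assumption) || archive).
func PCR(initrd, archive []byte) [32]byte {
	d := sha256.Sum256(append(pad4(initrd), archive...))
	return sha256.Sum256(append(make([]byte, 32), d[:]...))
}

func main() {
	osrel, initrd := []byte("ID=fedora\n"), []byte("constructed initrd") // constructed inputs
	for _, n := range []string{"/.extra/os-release", ".extra/os-release"} {
		fmt.Printf("%-19s %x\n", n, PCR(initrd, Archive(Layout{Name: n, Trailer: true}, osrel)))
	}
}
```

Dumping the archive a high-level CPIO library writes and diffing it byte by byte against output like this shows which header fields or extra records that library adds on its own.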