A missing semi-colon caused the firmware_measures_efibins function to
return an exit code of one, which the 0-signed-update hostapp-update
hook interpreted as "this firmware does not measure EFI binaries into
PCR 7", as opposed to zero, indicating "this firmware *does* measure EFI
binaries into PCR 7", or two, indicating "the TPM event log is
unavailable and it's impossible to tell."
Taking the wrong branch in this conditional led to an inappropriate
policy being created to seal the LUKS passphrase, which could not be
unlocked on the next boot, as in QEMU with edk2, EFI binaries *are*
measured into PCR 7.
Manual tests:
[x] HUP from legacy to PCR 7 sealing, virtualized
[x] HUP from legacy to PCR 7 sealing, real hw
[x] HUP from PCR 7 sealing to PCR 7 sealing, virtualized
[x] HUP from PCR 7 sealing to PCR 7 sealing, real hw
'Approve' if this change would be acceptable in the codebase (even if there are minor or cosmetic tweaks that could be improved).
'Request Changes' if this change would not be acceptable in our codebase (e.g. bugs, changes that will make development harder in future, security/performance issues, etc).
'Comment' if you don't feel you have enough information to decide either way (e.g. if you have major questions, or you don't understand the context of the change sufficiently to fully review yourself, but want to make a comment)
Manual tests:
[x] Fallback health, virtualized
Contributor checklist
Change-type present on at least one commit
Signed-off-by is present
Reviewer Guidelines
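The three-way exit code described in this PR (0, 1, 2), shown as an added example that is not code from the PR or the project. The function names, the one-pair-per-line log format and the use of an `EV_EFI_VARIABLE_AUTHORITY` event as the marker are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names, the log format and the marker event are
# assumptions for illustration, not the project's code.

# Probe with the exit-code contract described above:
#   0 = EFI binaries are measured into PCR 7
#   1 = they are not
#   2 = event log unavailable, cannot tell
# Constructed log format: one "<pcr> <event-type>" pair per line.
probe_efibins() {
    [ -r "$1" ] || return 2
    grep_rc=0
    grep -q '^7 EV_EFI_VARIABLE_AUTHORITY$' "$1" || grep_rc=$?
    case $grep_rc in
        0) return 0 ;;
        1) return 1 ;;   # grep ran and found no match
        *) return 2 ;;   # grep itself failed: do not report "not measured"
    esac
}

# Caller: match every status explicitly. An if/else would send 1, 2 and any
# stray status (127, a signal) down the same "not measured" branch.
classify() {
    st=0
    probe_efibins "$1" || st=$?
    case $st in
        0) echo measured ;;
        1) echo not-measured ;;
        2) echo unknown ;;
        *) echo error ;;
    esac
}

# Fixture check: a probe that wrongly returns 1 still satisfies the contract,
# so only a log with a known answer exposes it.
selftest() {
    dir=$(mktemp -d) || return 1
    printf '7 EV_SEPARATOR\n7 EV_EFI_VARIABLE_AUTHORITY\n' > "$dir/measured"
    printf '7 EV_EFI_VARIABLE_DRIVER_CONFIG\n7 EV_SEPARATOR\n' > "$dir/unmeasured"
    fail=0
    [ "$(classify "$dir/measured")" = measured ] || fail=1
    [ "$(classify "$dir/unmeasured")" = not-measured ] || fail=1
    [ "$(classify "$dir/absent")" = unknown ] || fail=1
    rm -rf "$dir"
    return "$fail"
}

selftest && echo "selftest passed"
```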