PCR[14] is changing after the first reboot

PCR14 gets updated after EVE is rebooted for the first time so if the user creates PCR template just after onboarding it become invalid. The reason for this is #2917 measure-config container MUST be run after the last change to /config partition is committed Signed-off-by: Mikhail Malyshev <mikem@zededa.com>
lf-edge · Feb 1, 2023 · 058d375 · 058d375
1 parent ba96f47
commit 058d375
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/images/rootfs.yml.in b/images/rootfs.yml.in
@@ -36,15 +36,16 @@ onboot:
   # kdump goes strictly after storage-init
   - name: kdump
     image: KDUMP_TAG
-  - name: measure-config
-    image: MEASURE_CONFIG_TAG
   # If you change the order of pillar-onboot don't forget to
   # change /containers/onboot/006-pillar-onboot/lower in pkg/mkimage-raw-efi accordingly:
   # 006-pillar-onboot must follow the order number of pillar-onboot
   # onboot part of pillar to prepare services to start
   - name: pillar-onboot
     image: PILLAR_TAG
     command: ["/opt/zededa/bin/onboot.sh"]
+  # measure-config must be executed after any other container that changes /config
+  - name: measure-config
+    image: MEASURE_CONFIG_TAG    
 services:
   - name: newlogd
     image: NEWLOGD_TAG