From 1674c6752f44336d2d782d9af50a3d6166f42f99 Mon Sep 17 00:00:00 2001
From: Chris Rogers <rogersc@ainfosec.com>
Date: Wed, 6 Sep 2023 13:34:57 -0400
Subject: [PATCH] [ml-functions] Use acminfo to ID sinit modules

  New SINIT modules no longer have the well known fingerprint that
  starts with c22c443. Instead, we can use the acminfo tool and check
  the return code to know whether or not the module being processed
  is a SINIT.

Signed-off-by: Chris Rogers <rogersc@ainfosec.com>
---
 .../openxt-measuredlaunch/ml-functions        | 23 ++++++++-----------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/ml-functions b/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/ml-functions
index e47be7292b..1ed8af87be 100755
--- a/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/ml-functions
+++ b/recipes-openxt/openxt-measuredlaunch/openxt-measuredlaunch/ml-functions
@@ -164,6 +164,10 @@ hash_extend() {
     rm $buffer
 }
 
+is_sinit_module() {
+    acminfo "${1}" >/dev/null 2>&1
+}
+
 # Function to calculate PCR 17
 # return 0 on success
 # return 1 on failure
@@ -262,13 +266,9 @@ pcr19() {
             cmdline=""
         fi
 
-        # ACMs have a binary fingerprint, hash first 8 bytes of every .bin file
-        # and if it matches hash of fingerprint, skip.
-        if $(echo ${module} | egrep -q -e '\.bin$|\.BIN$'); then
-            finger=$(head -c 8 ${root}/${module}|sha1sum|head -c 7)
-            if [ "$finger" = "c22c443" ]; then
-                continue
-            fi
+        # skip SINIT modules
+        if is_sinit_module ${module}; then
+            continue
         fi
 
         case ${mod_num} in
@@ -331,14 +331,11 @@ hash_modules() {
             cmdline=""
         fi
 
-        # ACMs have a binary fingerprint, hash first 8 bytes of every .bin file
-        # and if it matches hash of fingerprint, skip.
-        if $(echo ${module} | egrep -q -e '\.bin$|\.BIN$'); then
-            finger=$(head -c 8 ${root}/${module}|sha1sum|head -c 7)
-            [ "$finger" = "c22c443" ] && continue
+        # skip SINIT modules
+        if is_sinit_module ${module}; then
+            continue
         fi
 
-
         if [[ ${mod_num} -eq 0 ]]; then
             cmdline=$(echo ${cmdline} | sed -e 's/FIXME\s*//')
             hash_list=$(lcp2_mlehash --create --alg $hashalg \