ukify: Only run systemd-measure after adding all sections

We were running systemd-measure before adding the sbat section,
let's fix that.

Also make sure we only pass --linux to systemd-measure once instead
of twice.

Author: DaanDeMeyer

src/ukify/ukify.py

@@ -792,23 +792,29 @@ def make_uki(opts):
     for section in opts.sections:
         uki.add_section(section)
 
-    # PCR measurement and signing
-
-    call_systemd_measure(uki, linux, opts=opts)
-
-    # UKI or addon creation - addons don't use the stub so we add SBAT manually
-
     if linux is not None:
         # Merge the .sbat sections from stub, kernel and parameter, so that revocation can be done on either.
         uki.add_section(Section.create('.sbat', merge_sbat([opts.stub, linux], opts.sbat), measure=True))
-        uki.add_section(Section.create('.linux', linux, measure=True))
     else:
+        # Addons don't use the stub so we add SBAT manually
         if not opts.sbat:
             opts.sbat = ["""sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html
 """]
         uki.add_section(Section.create('.sbat', merge_sbat([], opts.sbat), measure=False))
 
+    # PCR measurement and signing
+
+    # We pass in the contents for .linux separately because we need them to do the measurement but can't add
+    # the section yet because we want .linux to be the last section. Make sure any other sections are added
+    # before this function is called.
+    call_systemd_measure(uki, linux, opts=opts)
+
+    # UKI creation
+
+    if linux is not None:
+        uki.add_section(Section.create('.linux', linux, measure=True))
+
     if sign_args_present:
         unsigned = tempfile.NamedTemporaryFile(prefix='uki')
         unsigned_output = unsigned.name