feat: use PCR 14 as well for tpm2 unlock

ublue-os · Aug 19, 2024 · 8e48406 · 8e48406
1 parent ed22efb
commit 8e48406
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/build/ublue-os-luks/luks-enable-tpm2-autounlock b/build/ublue-os-luks/luks-enable-tpm2-autounlock
@@ -13,7 +13,7 @@ echo "This script uses systemd-cryptenroll to enable TPM2 auto-unlock."
 echo "You can review systemd-cryptenroll's manpage for more information."
 echo "This script will modify your system."
 echo "It will enable TPM2 auto-unlock of your LUKS partition for your root device!"
-echo "It will bind to PCR 7 only which is tied to your secureboot state."
+echo "It will bind to PCR 7 and 14 which is tied to your secureboot and moklist state."
 read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]; then
@@ -75,7 +75,7 @@ fi
 
 ## Run crypt enroll
 echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
-systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$SET_PIN_ARG" "$CRYPT_DISK"
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+14 "$SET_PIN_ARG" "$CRYPT_DISK"
 
 
 if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then