From 8e4840643c89d557da4f5892fd4c58e558427510 Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Mon, 19 Aug 2024 15:23:15 -0700
Subject: [PATCH] feat: use PCR 14 as well for tpm2 unlock
---
 build/ublue-os-luks/luks-enable-tpm2-autounlock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build/ublue-os-luks/luks-enable-tpm2-autounlock b/build/ublue-os-luks/luks-enable-tpm2-autounlock
index aacc064f..183dbdfb 100755
--- a/build/ublue-os-luks/luks-enable-tpm2-autounlock
+++ b/build/ublue-os-luks/luks-enable-tpm2-autounlock
@@ -13,7 +13,7 @@ echo "This script uses systemd-cryptenroll to enable TPM2 auto-unlock."
 echo "You can review systemd-cryptenroll's manpage for more information."
 echo "This script will modify your system."
 echo "It will enable TPM2 auto-unlock of your LUKS partition for your root device!"
-echo "It will bind to PCR 7 only which is tied to your secureboot state."
+echo "It will bind to PCR 7 and 14 which is tied to your secureboot and moklist state."
 read -p "Are you sure are good with this and want to enable TPM2 auto-unlock? " -n 1 -r
 echo
 if [[ ! $REPLY =~ ^[Yy]$ ]]; then
@@ -75,7 +75,7 @@ fi
 ## Run crypt enroll
 echo "Enrolling TPM2 unlock requires your existing LUKS2 unlock password"
-systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$SET_PIN_ARG" "$CRYPT_DISK"
+systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7+14 "$SET_PIN_ARG" "$CRYPT_DISK"
 if lsinitrd 2>&1 | grep -q tpm2-tss > /dev/null; then
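Review bot: The new warning on the `+echo` line in the first hunk names what PCR 14 is bound to but not the operational consequence the user is consenting to: once the policy includes PCR 14, any later change to the MOK list (enrolling or removing a key with mokutil, which shim measures into that PCR) will change the PCR value and the volume will fall back to the LUKS passphrase until the enrollment is redone. Since this is the last thing the user reads before the `read -p` confirmation, add a line such as `echo "If you later enroll or remove MOK keys, TPM2 auto-unlock will stop working until you re-run this script."` (the exact PCR semantics should be confirmed against the systemd-cryptenroll man page the script already points to). The wording should also be `which are tied to your Secure Boot and MOK list state`, since two PCRs are named. The `if [[ ! $REPLY ...` block that starts at the end of this hunk continues outside it.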