Update lock.go (#316)

kairos-io · May 21, 2024 · 1d16082 · 1d16082
1 parent 665d247
commit 1d16082
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/pkg/lib/lock.go b/pkg/lib/lock.go
@@ -89,7 +89,8 @@ func Luksify(label, version string, tpm bool) (string, error) {
 		// Files are generated by systemd automatically and are extracted from the UKI binary directly
 		// public pem cert -> .pcrpkey section fo the elf file
 		// signatures -> .pcrsig section of the elf file
-		args := []string{"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem", "--tpm2-signature=/run/systemd/tpm2-pcr-signature.json", "--tpm2-device=auto", part}
+		// leave --tpm2-pcrs= to an empty value so it doesnt bind to a single measure
+		args := []string{"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem", "--tpm2-public-key-pcrs=11", "--tpm2-pcrs=", "--tpm2-signature=/run/systemd/tpm2-pcr-signature.json", "--tpm2-device-key=/run/systemd/tpm2-srk-public-key.tpm2b_public", part}
 		cmd := exec.Command("systemd-cryptenroll", args...)
 		cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass)) // cannot pass it via stdin
 		cmd.Stdout = os.Stdout