On Sa, 25.05.24 13:23, Andrei Borzenkov (arvidjaar@xxxxxxxxx) wrote:

> These are PCRs for which you intend to provide signed policy. These PCRs
> must be listed in JSON file that is given to systemd-cryptsetup as
> tpm2-signature= parameter. The only PCR for which there is systemd tool to
> compute it is PCR 11. You should be able to add other PCRs to this JSON file
> and it should work, but you will need to compute the values yourself.
>
> Unfortunately, this is yet another case where systemd pretends to be generic
> while in reality it is not.

Hmm, where do we pretend anything? We give you a tool to predict/sign
the measurements for PCR 11 because we can just do that from the
UKI. For other PCRs it's a very different story however. (And we do
provide a tool for that too nowadays btw, i.e. systemd-pcrlock).

Lennart

--
Lennart Poettering, Berlin
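
As an added illustration of what computing the values yourself involves for a PCR other than 11 (not code from this thread or from systemd): the sketch replays SHA-256 measurement digests into each PCR and derives the TPM2_PolicyPCR digest over the selected PCRs. The function names and the sample measurements are assumptions constructed for the example; real digests would come from the firmware event log.

```python
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F  # TPM 2.0 command code of TPM2_PolicyPCR
TPM_ALG_SHA256 = 0x000B         # TPM 2.0 algorithm id of the SHA-256 bank


def replay_pcr(event_digests):
    """Replay extends from the reset value: PCR = SHA256(PCR || digest)."""
    pcr = bytes(32)
    for digest in event_digests:
        pcr = hashlib.sha256(pcr + digest).digest()
    return pcr


def pcr_select(indexes):
    """Marshal a one-bank TPML_PCR_SELECTION with a 3-byte (24 PCR) bitmap."""
    bitmap = bytearray(3)
    for i in indexes:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcr_values):
    """Policy digest after a single TPM2_PolicyPCR over {index: value}."""
    indexes = sorted(pcr_values)
    pcr_digest = hashlib.sha256(b"".join(pcr_values[i] for i in indexes)).digest()
    body = struct.pack(">I", TPM_CC_POLICY_PCR) + pcr_select(indexes) + pcr_digest
    # A fresh policy session starts from an all-zero policy digest.
    return hashlib.sha256(bytes(32) + body).digest()


# Constructed sample measurements, not taken from a real event log.
SAMPLE_EVENTS = {
    7: [hashlib.sha256(b"constructed secure-boot variable").digest()],
    11: [hashlib.sha256(s).digest() for s in (b".linux", b"constructed kernel")],
}


def predict(events=SAMPLE_EVENTS):
    """Return ({index: predicted PCR value}, PolicyPCR digest over them)."""
    values = {i: replay_pcr(digests) for i, digests in events.items()}
    return values, policy_pcr_digest(values)


if __name__ == "__main__":
    values, pol = predict()
    for i in sorted(values):
        print(f"PCR {i}: {values[i].hex()}")
    print(f"policy digest: {pol.hex()}")
```
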