tpm-pcr-registry: document systemd extending PCR 7 with leave-initrd by src-up · Pull Request #209 · uapi-group/specifications · GitHub

tpm-pcr-registry: document systemd extending PCR 7 with leave-initrd #209

Closed
src-up wants to merge 1 commit into uapi-group:main from src-up:pcr7-leave-initrd

src-up (Contributor) commented Mar 3, 2026

PCR7 is only extended on leave-initrd, so it differs in the main
OS. This enables distinguishing initrd vs OS when sealing keys to PCR7
(e.g. for systemd-repart-created volumes).

Since systemd/systemd#40914

…barrier

Since systemd/systemd#40914

Do not extend PCR7 on enter-initrd, so PCR7 in the initrd stays equal to
the firmware value and existing PCR7-only sealed disks still unseal
there.
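
An added example, not code from the pull request or from systemd: a Python simulation of the PCR 7 behaviour described above, showing which boot phases can still unseal a key bound to the firmware PCR 7 value. The firmware events are constructed placeholders, and it assumes the barrier measures the ASCII word `leave-initrd` with SHA-256 and models sealing as a plain comparison against PCR 7.

```python
import hashlib
import hmac

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM PCR extend for the SHA-256 bank: new = H(old || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

# Constructed stand-ins for the firmware's Secure Boot measurements into PCR 7.
FIRMWARE_EVENTS = [b"constructed:SecureBoot", b"constructed:PK",
                   b"constructed:KEK", b"constructed:db", b"constructed:dbx"]

def firmware_pcr7() -> bytes:
    pcr = bytes(32)  # PCR 7 starts as all zeros at reset
    for event in FIRMWARE_EVENTS:
        pcr = extend(pcr, event)
    return pcr

def pcr7_timeline(extend_on_enter: bool) -> dict:
    """PCR 7 as seen at firmware hand-off, inside the initrd, and in the main OS."""
    pcr = firmware_pcr7()
    seen = {"firmware": pcr}
    if extend_on_enter:  # the variant the commit message rules out
        pcr = extend(pcr, b"enter-initrd")
    seen["initrd"] = pcr
    pcr = extend(pcr, b"leave-initrd")  # assumption: the phase word itself is measured
    seen["os"] = pcr
    return seen

def can_unseal(sealed_to: bytes, current: bytes) -> bool:
    """Simplified PCR policy check: release the key only if PCR 7 matches."""
    return hmac.compare_digest(sealed_to, current)

def report(extend_on_enter: bool) -> dict:
    """Phases that can unseal a key sealed to the firmware PCR 7 value."""
    seen = pcr7_timeline(extend_on_enter)
    return {phase: can_unseal(seen["firmware"], value) for phase, value in seen.items()}

if __name__ == "__main__":
    print("leave-initrd only:", report(False))
    print("enter + leave    :", report(True))
```
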

keszybz (Member) commented Jun 29, 2026

keszybz closed this Jun 29, 2026