"--output", output,
"--efi-arch", arch,
"--uname", kver,
- # SHA1 might be disabled in OpenSSL depending on the distro so we opt to not sign for SHA1 to avoid having to
- # manage a bunch of configuration to re-enable SHA1.
- "--pcr-banks", "sha256,sha384,sha512",
]
mounts = [
if want_signed_pcrs(context.config):
cmd += [
"--pcr-private-key", context.config.secure_boot_key,
- "--pcr-banks", "sha1,sha256",
+ # SHA1 might be disabled in OpenSSL depending on the distro so we opt to not sign for SHA1 to avoid
+ # having to manage a bunch of configuration to re-enable SHA1.
+ "--pcr-banks", "sha256",
]
if context.config.secure_boot_key.exists():
mounts += [Mount(context.config.secure_boot_key, context.config.secure_boot_key)]
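Review bot: The relocated comment above `"--pcr-banks", "sha256",` explains only why SHA1 is left out, not why the signed list is now `sha256` alone when the argument removed from the base command listed `sha256,sha384,sha512`. If a machine's active TPM PCR bank is not SHA-256, the image would presumably carry no signature for that bank, and a policy bound to the signed PCR values could not be satisfied there. If the narrowing is deliberate, extend the comment, for example `# Only the sha256 bank is signed; TPMs using another active bank cannot use the signed PCR policy.`; otherwise keep `"--pcr-banks", "sha256,sha384,sha512",` in this branch. The enclosing function starts and ends outside the hunk, so any later handling of `--pcr-banks` is not visible here.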