Stop measuring for SHA1 TPM bank

author Daan De Meyer <daan.j.demeyer@gmail.com>

Wed, 27 Mar 2024 08:23:17 +0000 (09:23 +0100)

committer Daan De Meyer <daan.j.demeyer@gmail.com>

Wed, 27 Mar 2024 09:47:42 +0000 (10:47 +0100)
author Daan De Meyer <daan.j.demeyer@gmail.com>
Wed, 27 Mar 2024 08:23:17 +0000 (09:23 +0100)
committer Daan De Meyer <daan.j.demeyer@gmail.com>
Wed, 27 Mar 2024 09:47:42 +0000 (10:47 +0100)
diff --git a/mkosi/__init__.py b/mkosi/__init__.py

index d5472c93d68661f741f734c07beef826f8b26a31..75dd77701af6ca40dfdfadb799d4fd13279f68c0 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1981,6 +1981,9 @@ def build_uki(
          "--output", output,
          "--efi-arch", arch,
          "--uname", kver,
+        # SHA1 might be disabled in OpenSSL depending on the distro so we opt to not sign for SHA1 to avoid having to
+        # manage a bunch of configuration to re-enable SHA1.
+        "--pcr-banks", "sha256,sha384,sha512",
      ]
  
      mounts = [
author	Daan De Meyer <daan.j.demeyer@gmail.com>
	Wed, 27 Mar 2024 08:23:17 +0000 (09:23 +0100)
committer	Daan De Meyer <daan.j.demeyer@gmail.com>
	Wed, 27 Mar 2024 09:47:42 +0000 (10:47 +0100)