From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Wed, 27 Mar 2024 09:59:52 +0000 (+0100)
Subject: Fix PCR banks
X-Git-Tag: v23~56
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf915ab431c8d44c78fc24ddb4e9396cd8682fb8;p=thirdparty%2Fmkosi.git

Fix PCR banks

Fixes: d44e0f8eaa9bc4837d27bbbb55969f2fa5187897
---

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 75dd77701..b9b738e73 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1981,9 +1981,6 @@ def build_uki(
         "--output", output,
         "--efi-arch", arch,
         "--uname", kver,
-        # SHA1 might be disabled in OpenSSL depending on the distro so we opt to not sign for SHA1 to avoid having to
-        # manage a bunch of configuration to re-enable SHA1.
-        "--pcr-banks", "sha256,sha384,sha512",
     ]
 
     mounts = [
@@ -2028,7 +2025,9 @@ def build_uki(
         if want_signed_pcrs(context.config):
             cmd += [
                 "--pcr-private-key", context.config.secure_boot_key,
-                "--pcr-banks", "sha1,sha256",
+                # SHA1 might be disabled in OpenSSL depending on the distro so we opt to not sign for SHA1 to avoid
+                # having to manage a bunch of configuration to re-enable SHA1.
+                "--pcr-banks", "sha256",
             ]
             if context.config.secure_boot_key.exists():
                 mounts += [Mount(context.config.secure_boot_key, context.config.secure_boot_key)]