From: Daan De Meyer
Date: Wed, 27 Mar 2024 08:23:17 +0000 (+0100)
Subject: Stop measuring for SHA1 TPM bank
X-Git-Tag: v23~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d44e0f8eaa9bc4837d27bbbb55969f2fa5187897;p=thirdparty%2Fmkosi.git
Stop measuring for SHA1 TPM bank
Let's avoid having to deal with openssl configuration to re-enable SHA1 support by not measuring for the SHA1 TPM bank.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index d5472c93d..75dd77701 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -1981,6 +1981,9 @@ def build_uki(
 "--output", output,
 "--efi-arch", arch,
 "--uname", kver,
+ # SHA1 might be disabled in OpenSSL depending on the distro so we opt to not sign for SHA1 to avoid having to
+ # manage a bunch of configuration to re-enable SHA1.
+ "--pcr-banks", "sha256,sha384,sha512",
 ]
 mounts = [
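Review bot: The bank list in the added `"--pcr-banks", "sha256,sha384,sha512"` entry is hard-coded with no visible override, and the comment above it does not say what dropping SHA1 costs. A machine whose TPM exposes only a SHA1 bank would presumably get no matching signed PCR policy from these images, so anything bound to that policy could fail to unlock there. I would record that in the comment, for example `# Note: TPMs that only expose a SHA1 bank will have no matching signed PCR policy.` The comment also says "sign for SHA1" while the commit message says "measuring"; using one term in both would make it clearer that the option limits which banks are pre-calculated and signed. The argument list and `build_uki` both start and continue outside this hunk, so whether the option is harmless when no PCR signing key is configured cannot be checked from here.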