Hacker News
by lostmsu 1103 days ago
It is about full disk encryption with automatic unlock during boot. One needs to make the TPM dependent on a successful secure boot to allow access to decryption. The boot completes without problems, but the TPM entry that controls access needs to be manually recreated after each kernel update.

See https://gist.github.com/jdoss/777e8b52c8d88eb87467935769c98a..., the bit "then auto volume decryption on your next reboot will fail". This makes sense.

1 comment

Using anything other than PCR 7 is going to make it very fragile, yes. I have no idea why that doc is recommending using PCR 4 as well.
To defend against an attacker with physical access to an offline machine you need to verify anything that the attacker can overwrite without the encryption key. Aren't bootloader and kernel on the writable unencrypted partition?
If you have secure boot enabled, how does the attacker replace the kernel or bootloader?
Pull the drive out, insert it into his machine, replace it, then insert it back.
And now the signature doesn't match, so the system doesn't boot.
Which signature?
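The two points argued above (that sealing to PCR 4 as well as PCR 7 breaks on every kernel update, and that an attacker who swaps the kernel on the unencrypted ESP is stopped by Secure Boot unless they also turn it off, which itself changes PCR 7) can be shown with a small model of measured boot. The following is an added example, not code from the thread or from the linked gist; it models a TPM's PCR extend and a PolicyPCR-style seal in plain Python and simplifies the real PCR 7 event log (the constructed `SecureBoot=`, `db:` and `authority:` events stand in for the firmware's EV_EFI_VARIABLE_* measurements). The image names, cert names and the LUKS key are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


PCR_INIT = bytes(32)  # PCRs 0-15 start zeroed at power-on


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2_PCR_Extend: new = H(old || H(event)). Order-dependent and irreversible,
    so software cannot set a PCR to a chosen value, only append to it."""
    return H(pcr + H(event))


@dataclass(frozen=True)
class EfiImage:
    name: str
    code: bytes   # bytes as stored on the unencrypted EFI system partition
    signer: str   # constructed cert name that signed the image


class SecureBootViolation(Exception):
    pass


def boot(secure_boot: bool, db: set, images: list) -> dict:
    """Simplified firmware measured boot for the two PCRs discussed in the thread.
    PCR 7: Secure Boot state, the db contents, and the cert that authorized each image.
    PCR 4: digest of every EFI application the firmware loads (bootloader, kernel)."""
    pcr = {4: PCR_INIT, 7: PCR_INIT}
    pcr[7] = extend(pcr[7], b"SecureBoot=" + (b"\x01" if secure_boot else b"\x00"))
    for cert in sorted(db):
        pcr[7] = extend(pcr[7], b"db:" + cert.encode())
    for img in images:
        if secure_boot:
            if img.signer not in db:
                raise SecureBootViolation(f"{img.name} is not signed by a cert in db")
            pcr[7] = extend(pcr[7], b"authority:" + img.signer.encode())
        pcr[4] = extend(pcr[4], img.code)
    return pcr


def policy_digest(pcr: dict, selection: tuple) -> bytes:
    """Stand-in for TPM2_PolicyPCR: hash over the selected PCR values in index order."""
    return H(b"".join(pcr[i] for i in sorted(selection)))


def seal(secret: bytes, pcr: dict, selection: tuple) -> dict:
    return {"selection": selection, "policy": policy_digest(pcr, selection), "secret": secret}


def unseal(blob: dict, pcr: dict):
    """Returns the secret only if the current PCRs reproduce the sealed policy digest."""
    if policy_digest(pcr, blob["selection"]) == blob["policy"]:
        return blob["secret"]
    return None


def run_scenarios() -> dict:
    db = {"distro"}
    luks_key = b"constructed-luks-volume-key"
    shim = EfiImage("bootloader", b"bootloader-v1", "distro")
    kernel_v1 = EfiImage("kernel", b"kernel-6.1", "distro")
    kernel_v2 = EfiImage("kernel", b"kernel-6.2", "distro")      # routine distro update
    evil_kernel = EfiImage("kernel", b"kernel-backdoored", "attacker")

    install = boot(True, db, [shim, kernel_v1])
    only7 = seal(luks_key, install, (7,))
    four_and_7 = seal(luks_key, install, (4, 7))

    r = {}
    # 1. Plain reboot with nothing changed: both policies unseal.
    again = boot(True, db, [shim, kernel_v1])
    r["reboot_pcr7"] = unseal(only7, again) == luks_key
    r["reboot_pcr4+7"] = unseal(four_and_7, again) == luks_key
    # 2. Kernel update signed by the same cert: PCR 7 is unchanged, PCR 4 is not.
    updated = boot(True, db, [shim, kernel_v2])
    r["update_pcr7"] = unseal(only7, updated) == luks_key
    r["update_pcr4+7"] = unseal(four_and_7, updated) == luks_key
    # 3. Attacker swaps the kernel on the ESP; Secure Boot rejects the signature.
    try:
        boot(True, db, [shim, evil_kernel])
        r["swap_sb_on"] = "booted"
    except SecureBootViolation:
        r["swap_sb_on"] = "refused"
    # 4. Attacker also disables Secure Boot: it boots, but PCR 7 no longer matches.
    sb_off = boot(False, db, [shim, evil_kernel])
    r["swap_sb_off_pcr7"] = unseal(only7, sb_off) == luks_key
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

On a real system the equivalent enrolment is `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/<luks-device>`; adding `4` to that list reproduces scenario 2 after the next kernel update. The caveat a PCR 7-only policy carries is the flip side of its robustness: any image signed by a cert in db, including an older distro kernel with a known bug, will still satisfy the policy, so dbx updates or a signed, versioned UKI are what close that gap, not PCR 4.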