We use pulsar-8 based Linux with an encrypted root file system. The LUKS key is protected by the TPM, using the cryptfs-tpm2 package. The key is sealed with a policy that prevents its use when PCR7 differs from the expected value.
The change in PCR7 is caused by some change in the new version of shim (12+git0+5202f80c32). I was not able to determine what exactly caused it. As a workaround I had to downgrade shim back to the version from pulsar-8 (11+git0+0fe4a80e9c).
Resealing the key under a new policy would only be part of the solution, because we have other key material for which changing the policy is not possible.
So, the question is: which change in shim caused the PCR7 change, and is there a way to get the same PCR7 value with the new version of shim?
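To find which measurement moved PCR7 between the two shim versions, the usual approach is to replay the PCR7 events from each boot's TPM event log and locate the first event where the two logs diverge. The following is an added illustration, not code from the poster, cryptfs-tpm2 or shim; the event lists are constructed samples (the extra MokListRT entry is a hypothetical divergence, not a claim about what the shim 12 build actually measures).

```python
import hashlib
from typing import List, Optional, Tuple

# Each log entry is (event_type, event_data). The TPM event log stores
# H(event_data) for each entry, and the PCR is extended with that digest:
# pcr = H(pcr || digest), starting from an all-zero PCR.
Event = Tuple[str, bytes]


def replay_pcr(events: List[Event], alg: str = "sha256") -> bytes:
    """Replay a list of events into a PCR that starts at all zeros."""
    pcr = b"\x00" * hashlib.new(alg).digest_size
    for _, data in events:
        digest = hashlib.new(alg, data).digest()
        pcr = hashlib.new(alg, pcr + digest).digest()
    return pcr


def first_divergence(old: List[Event], new: List[Event], alg: str = "sha256"):
    """Index and the two entries at the first point where the logs differ.

    Returns None when the logs replay to the same sequence of digests.
    An entry is None when one log is simply longer than the other.
    """
    for i, (a, b) in enumerate(zip(old, new)):
        if hashlib.new(alg, a[1]).digest() != hashlib.new(alg, b[1]).digest():
            return i, a, b
    if len(old) != len(new):
        i = min(len(old), len(new))
        return (i, old[i] if i < len(old) else None,
                new[i] if i < len(new) else None)
    return None


# Constructed sample logs (not real measurements). PCR7 normally holds the
# firmware's Secure Boot variable measurements (SecureBoot, PK, KEK, db, dbx)
# followed by EV_EFI_VARIABLE_AUTHORITY entries recorded by shim for the
# certificate it used to verify the next stage.
OLD_BOOT: List[Event] = [
    ("EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=1"),
    ("EV_EFI_VARIABLE_DRIVER_CONFIG", b"PK=<platform-key-cert>"),
    ("EV_EFI_VARIABLE_DRIVER_CONFIG", b"KEK=<kek-cert>"),
    ("EV_EFI_VARIABLE_DRIVER_CONFIG", b"db=<db-certs>"),
    ("EV_EFI_VARIABLE_DRIVER_CONFIG", b"dbx=<dbx-hashes>"),
    ("EV_EFI_VARIABLE_AUTHORITY", b"db:<vendor-cert>"),
]
# Hypothetical newer boot: one additional authority measurement by shim.
NEW_BOOT: List[Event] = OLD_BOOT + [
    ("EV_EFI_VARIABLE_AUTHORITY", b"MokListRT:<mok-cert>"),
]
```

On a real system the entries come from /sys/kernel/security/tpm0/binary_bios_measurements (for example via tpm2_eventlog from tpm2-tools), filtered to PCR index 7; the replayed value should match what tpm2_pcrread reports, which also confirms the log itself is intact.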