From 2cacb1572971b50923c9844e19e48bcc9e139a15 Mon Sep 17 00:00:00 2001
From: Kyle Rankin
Date: Tue, 19 Jun 2018 13:03:01 -0700
Subject: [PATCH] Add back TPM config counter section to gui-init
The section in gui-init that modifies the Heads TPM counter when signing config was accidentally removed. This change adds that section back.
---
 initrd/bin/gui-init | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
index 27654cdc..aaa47da8 100755
--- a/initrd/bin/gui-init
+++ b/initrd/bin/gui-init
@@ -75,7 +75,12 @@ update_checksums()
 # We don't need them after the user decides to sign
 rm -f /boot/kexec_package_trigger*
- kexec-sign-config -p /boot \
+ # sign and auto-roll config counter
+ extparam=
+ if [ "$CONFIG_TPM" = "y" ]; then
+ extparam=-u
+ fi
+ kexec-sign-config -p /boot $extparam \
 || die "Failed to sign default config"
 # switch back to ro mode
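Review bot: The new comment `# sign and auto-roll config counter` in update_checksums() does not say that the counter is only rolled when `CONFIG_TPM` is `y`, nor that `$extparam` is left unquoted on purpose so that an empty value disappears from the command line. The commit message says this section was already dropped once by accident, so I would spell both out, e.g. `# With a TPM, -u also rolls the config counter; $extparam stays unquoted so it vanishes when empty`. A later cleanup that quotes it as `"$extparam"` would pass an empty argument to kexec-sign-config on builds without a TPM. The body of update_checksums() starts and ends outside the hunk, so whether anything else there depends on the counter cannot be judged from here.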