From b5985fef03884596dc1d7e2bc3dbc0d9040731da Mon Sep 17 00:00:00 2001
From: Jonathon Hall
Date: Tue, 7 Mar 2023 10:18:56 -0500
Subject: [PATCH] kexec-seal-key: Reset PCR 23 before precomputing with it

Precomputation relies on PCR 23 being 0 initially, so reset it in case it isn't.

Signed-off-by: Jonathon Hall
---
 initrd/bin/kexec-seal-key | 1 +
 1 file changed, 1 insertion(+)

diff --git a/initrd/bin/kexec-seal-key b/initrd/bin/kexec-seal-key
index fa4ce373..13544eef 100755
--- a/initrd/bin/kexec-seal-key
+++ b/initrd/bin/kexec-seal-key
@@ -182,6 +182,7 @@ elif [ "$CONFIG_TPM2_TOOLS" = "y" ]; then
 dd if=/dev/zero bs=32 count=1 >> "$pcrf"
 fi
 # Use pcr 23 to precompute the value for pcr 6
+ tpm2 pcrreset 23
 tpmr extend -ix 23 -if /tmp/luksDump.txt
 tpm2 pcrread -o /dev/stderr sha256:23 2>&1 >/dev/console | cat >> "$pcrf"
 # goal is to validate that what is in pcr 23 is at pcr 6 at unseal
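Review bot: The exit status of the added `tpm2 pcrreset 23` is not checked in the hunk, so a failed reset lets `tpmr extend -ix 23` start from whatever PCR 23 already held, and the value appended to `$pcrf` is then not the PCR 6 value expected at unseal. The key would be sealed to a policy that cannot be satisfied, and the failure would show up only at the next unseal, not at seal time. Whether the script runs under `set -e` is not visible here, and even then the abort would carry no message, so an explicit guard is clearer: `tpm2 pcrreset 23 || die "Unable to reset PCR 23"`, assuming a `die`-style helper is in scope; otherwise print a message and `exit 1`. The existing comment could also state the precondition, e.g. `# PCR 23 must be zero before the extend so the result matches a fresh PCR 6`. The enclosing `elif` branch starts and ends outside the hunk.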