diff --git a/initrd/bin/kexec-insert-key b/initrd/bin/kexec-insert-key
index ad0fbe12..91a1c7c8 100755
--- a/initrd/bin/kexec-insert-key
+++ b/initrd/bin/kexec-insert-key
@@ -49,6 +49,7 @@ if ! kexec-unseal-key "$INITRD_DIR/secret.key"; then
 fi
 # Override PCR 4 so that user can't read the key
+echo " !!!!! Extending TPM PCR 4 to prevent further secret unsealing !!!!!"
 tpmr extend -ix 4 -ic generic || die 'Unable to scramble PCR'
diff --git a/initrd/bin/kexec-select-boot b/initrd/bin/kexec-select-boot
index 5fc5119f..f676128f 100755
--- a/initrd/bin/kexec-select-boot
+++ b/initrd/bin/kexec-select-boot
@@ -381,6 +381,7 @@ while true; do
 if [ "$CONFIG_TPM" = "y" ]; then
 if [ ! -r "$TMP_KEY_DEVICES" ]; then
 # Extend PCR4 as soon as possible
+ echo " !!!!! Extending TPM PCR 4 to prevent further secret unsealing !!!!!"
 tpmr extend -ix 4 -ic generic || die "Failed to extend PCR 4"
 fi
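Review bot: The added banner in kexec-insert-key goes to stdout via a bare `echo`, while the failure on the very next line is reported through `die`, which presumably writes to stderr; a caller that captures this script's stdout would swallow the notice, and on the console the two messages come from different streams and can interleave. Since this is a diagnostic with a fixed literal (no expansion, so no quoting or injection concern), sending it to stderr keeps it with the rest of the script's diagnostics: `echo >&2 " !!!!! Extending TPM PCR 4 to prevent further secret unsealing !!!!!"`; if the helper library that provides `die` also provides a warning helper, routing the message through it would be more consistent still. The same line is added in the kexec-select-boot hunk and the same remark applies there; that hunk's enclosing `while true` loop starts before the hunk and its body continues past it. Note also that the message is printed before `tpmr extend` runs, so on failure the user sees an "extending" claim immediately followed by the die message — acceptable, but worth keeping in mind if the wording is ever changed to state that PCR 4 has been extended.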