From 4b94a6e5c3f87fa07276cab1b53516d1c43b4994 Mon Sep 17 00:00:00 2001
From: Mikhail Malyshev
Date: Fri, 20 Jan 2023 14:21:34 +0000
Subject: [PATCH] Improve key sealing code

- fix incorrect algorithm used. SHA256 is now used
- Add PCR 14 to the list

Signed-off-by: Mikhail Malyshev
---
 pkg/pillar/evetpm/tpm.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/pillar/evetpm/tpm.go b/pkg/pillar/evetpm/tpm.go
index ceedcaceb7..33ccfef33c 100644
--- a/pkg/pillar/evetpm/tpm.go
+++ b/pkg/pillar/evetpm/tpm.go
@@ -93,7 +93,7 @@ var (
 	pcrBank256Status = PCRBank256StatusUnknown
 	//DiskKeySealingPCRs represents PCRs that we use for sealing
-	DiskKeySealingPCRs = tpm2.PCRSelection{Hash: tpm2.AlgSHA1, PCRs: []int{0, 1, 2, 3, 4, 6, 7, 8, 9, 13}}
+	DiskKeySealingPCRs = tpm2.PCRSelection{Hash: tpm2.AlgSHA256, PCRs: []int{0, 1, 2, 3, 4, 6, 7, 8, 9, 13, 14}}
 )
 //SealedKeyType holds different types of sealed key