From e1270b292697aae9abe7014cb751427814f3f757 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Wed, 17 Jun 2020 16:23:13 -0400
Subject: [PATCH] Do not seal to PCR 7

At least without secureboot, PCR 7 is not defined. This would potentially be worth a conditional to check on secureboot.
---
 confluent_osdeploy/el8/profiles/default/scripts/tpm_luks.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/confluent_osdeploy/el8/profiles/default/scripts/tpm_luks.sh b/confluent_osdeploy/el8/profiles/default/scripts/tpm_luks.sh
index c5964c64..df9c857f 100644
--- a/confluent_osdeploy/el8/profiles/default/scripts/tpm_luks.sh
+++ b/confluent_osdeploy/el8/profiles/default/scripts/tpm_luks.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
 cryptdisk=$(blkid -t TYPE="crypto_LUKS"|sed -e s/:.*//)
-clevis luks bind -f -d $cryptdisk -k - tpm2 '{"pcr_bank": "sha256", "pcr_ids": "7"}' < /etc/confluent/confluent.apikey
+clevis luks bind -f -d $cryptdisk -k - tpm2 '{}' < /etc/confluent/confluent.apikey
 cryptsetup luksRemoveKey $cryptdisk < /etc/confluent/confluent.apikey
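Review bot: The new `clevis luks bind ... tpm2 '{}'` line seals the LUKS key with no PCR policy at all, so the TPM will release it whatever was booted on this machine, and the volume is then protected only against the disk being moved to other hardware. That trade-off is not recorded in the script; a comment above the bind such as `# No PCR policy: key unseals on this TPM regardless of boot state` would make it visible to whoever maintains the profile. Separately, the result of the bind is never checked before `cryptsetup luksRemoveKey` runs, and because the passphrase comes from stdin cryptsetup appears to run in batch mode, so a failed bind could leave the volume with no usable key slot. Consider `clevis luks bind -f -d "$cryptdisk" -k - tpm2 '{}' < /etc/confluent/confluent.apikey || exit 1`. The unquoted `$cryptdisk` also word-splits if `blkid` reports more than one crypto_LUKS device, which the script does not appear to handle.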