From 2055863673fa579a9f534c23a85ec9723e4d31cb Mon Sep 17 00:00:00 2001
From: sandwich
Date: Thu, 2 Apr 2026 04:37:03 +0200
Subject: [PATCH] feat(configuration): auto-bind PCR 7 when Secure Boot and FDE are both enabled
---
 roles/configuration/tasks/encryption.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml
index 6226cd0..ceb5f5c 100644
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -8,7 +8,7 @@
 block:
 - name: Set LUKS configuration facts
 vars:
- luks_tpm2_pcrs: >-
+ _raw_pcrs: >-
 {{
 (
 system_cfg.luks.tpm2.pcrs
@@ -20,6 +20,12 @@
 | regex_replace('\\s+', '')
 | regex_replace('^\\+|\\+$', '')
 }}
+ luks_tpm2_pcrs: >-
+ {{
+ _raw_pcrs
+ if _raw_pcrs | length > 0
+ else ('7' if (system_cfg.features.secure_boot.enabled | bool) else '')
+ }}
 ansible.builtin.set_fact:
 configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
 configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
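Review bot: The fallback branch of the added `luks_tpm2_pcrs` expression in the second hunk reads `system_cfg.features.secure_boot.enabled` with no default, so if a host's config can omit the `features.secure_boot` key the whole "Set LUKS configuration facts" task now fails with an undefined-variable error where the old code produced an empty PCR list; if that key is optional, `else ('7' if (system_cfg.features.secure_boot.enabled | default(false) | bool) else '')` preserves the previous behaviour for such hosts. The new default also deserves a comment above `luks_tpm2_pcrs:` recording the trade-off it picks silently: binding only to PCR 7 ties the LUKS key to the Secure Boot policy and its signing certificates rather than to the measured kernel and initrd, and any later change of Secure Boot state (or enrolling while the flag reflects configured intent rather than the firmware's actual state) will fall back to the recovery passphrase. Whether an empty `luks_tpm2_pcrs` is later treated as "no TPM binding" or enrolls with no PCR policy cannot be seen here; the consumer of this fact, and the rest of the `set_fact` body, lie outside the hunk.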