From b0c45eef59b87a748c34a2737099435b8c27aa38 Mon Sep 17 00:00:00 2001
From: Raphael Dannecker
Date: Mon, 26 Jan 2026 09:54:56 +0100
Subject: [PATCH] Don't force secure boot measurement for TPM disk encryption
---
 roles/lmn_encrypt/tasks/tpm2.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/lmn_encrypt/tasks/tpm2.yml b/roles/lmn_encrypt/tasks/tpm2.yml
index 50a989f..432ce2f 100644
--- a/roles/lmn_encrypt/tasks/tpm2.yml
+++ b/roles/lmn_encrypt/tasks/tpm2.yml
@@ -32,7 +32,7 @@
 cmd: >
 systemd-run -P --wait -p SetCredential=cryptenroll.passphrase:{{ encrypt_passphrase | default(encrypt_passphrase_initial) }}
- systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 {{ encrypt_device }} --wipe-slot=tpm2
+ systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="" {{ encrypt_device }} --wipe-slot=tpm2
 no_log: true
 when: "'tpm2' not in encrypt_slots_result.stdout"
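Review bot: With `--tpm2-pcrs=""` on the `systemd-cryptenroll` line the TPM2 slot is no longer bound to any measured boot state, and no `--tpm2-with-pin` or other second factor is visible in this command, so the key would presumably be released on this hardware regardless of Secure Boot state or boot chain; the encryption then mainly protects a disk that has been separated from its machine. If that trade-off is intended, it should be recorded in a comment above the task, e.g. `# No PCR binding: unlock survives firmware/Secure Boot changes but is not tied to boot integrity`. I would also make the PCR list configurable rather than hard-coding the empty string, e.g. `--tpm2-pcrs="{{ encrypt_tpm2_pcrs | default('') }}"` (the variable name is a suggestion, not an existing one), so sites that want PCR 7 can keep it. Because of `when: "'tpm2' not in encrypt_slots_result.stdout"`, hosts that already have a tpm2 slot keep their old PCR 7 policy, so the fleet ends up with mixed policies unless re-enrolment is handled elsewhere. The task begins above the hunk, so the module and its remaining arguments are not visible here.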