#!/bin/bash

[[ -v installbase ]] || source /var/tmp/install/common.sh

set_pcrs() {
  local ppv pcrs=$1
  has_tpm || return 0
  [[ -f $installbase/lukskey ]] || return 0
  ppv=$(get_dev .ppv)
  [[ $ppv ]] || return
  systemd-cryptenroll --wipe-slot tpm2 --tpm2-device auto --tpm2-pcrs "$pcrs" --unlock-key-file $installbase/lukskey "$ppv"
}

anyboot() {
  set_pcrs "2+5+7+9"
}

return 2> /dev/null || {
  anyboot
}
