| 15 May 2023 |
GenericNerdyUsername | What do I do if I want to update the dbx? | 20:39:15 |
GenericNerdyUsername | * What do I do if I want to update the dbx, but have a key sealed against PCR7? | 20:40:34 |
GenericNerdyUsername | * idk if this is more of a question for https://matrix.to/#/#secure-boot:nixos.org, but https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/ says PCR 7 changes when UEFI SecureBoot mode is enabled/disabled, or firmware certificates (PK, KEK, db, dbx, …) are updated. | 20:40:43 |
GenericNerdyUsername | Or rather, how do I prevent this being a problem in the future? | 20:41:06 |
GenericNerdyUsername | (I'm setting up full disk encryption with the key stored in the TPM) | 20:41:18 |
Julian Stecklina (Old) | As long as you have another key to unlock the volume and re-enroll its key, you should be fine. | 21:41:09 |
baloo | https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part1_Architecture_pub.pdf#page=158 :) | 21:43:28 |
baloo | just add another layer of crypto | 21:44:26 |