Expose pcrs for uki encryption (#603)

internal/agent/hooks/kcrypt_uki.go

@@ -92,7 +92,7 @@ func (k KcryptUKI) Run(c config.Config, spec v1.Spec) error {
 	for _, p := range append([]string{constants.OEMLabel, constants.PersistentLabel}, c.Install.Encrypt...) {
 		c.Logger.Infof("Encrypting %s", p)
 		_ = os.Setenv("SYSTEMD_LOG_LEVEL", "debug")
-		err := kcrypt.LuksifyMeasurements(p, []string{"11"}, []string{}, c.Logger.Logger)
+		err := kcrypt.LuksifyMeasurements(p, c.BindPublicPCRs, c.BindPCRs, c.Logger.Logger)
 		_ = os.Unsetenv("SYSTEMD_LOG_LEVEL")
 		if err != nil {
 			c.Logger.Errorf("could not encrypt partition: %s", err)

pkg/config/config.go

@@ -155,6 +155,8 @@ type Config struct {
 	SquashFsCompressionConfig []string              `yaml:"squash-compression,omitempty" mapstructure:"squash-compression"`
 	SquashFsNoCompression     bool                  `yaml:"squash-no-compression,omitempty" mapstructure:"squash-no-compression"`
 	UkiMaxEntries             int                   `yaml:"uki-max-entries,omitempty" mapstructure:"uki-max-entries"`
+	BindPCRs                  []string              `yaml:"bind-pcrs,omitempty" mapstructure:"bind-pcrs"`
+	BindPublicPCRs            []string              `yaml:"bind-public-pcrs,omitempty" mapstructure:"bind-public-pcrs"`
 }
 
 // WriteInstallState writes the state.yaml file to the given state and recovery paths

pkg/config/config_test.go

@@ -94,7 +94,7 @@ func structFieldsContainedInOtherStruct(left, right interface{}) {
 		leftFieldName := leftTypes.Field(i).Name
 		if leftTypes.Field(i).IsExported() {
 			It(fmt.Sprintf("Checks that the new schema contians the field %s", leftFieldName), func() {
-				if leftFieldName == "Source" || leftFieldName == "NoUsers" {
+				if leftFieldName == "Source" || leftFieldName == "NoUsers" || leftFieldName == "BindPublicPCRs" || leftFieldName == "BindPCRs" {
 					Skip("Schema not updated yet")
 				}
 				Expect(