diff --git a/pkg/lib/lock.go b/pkg/lib/lock.go
index 4a691db..33502c2 100644
--- a/pkg/lib/lock.go
+++ b/pkg/lib/lock.go
@@ -71,8 +71,13 @@ func Luksify(label, version string, tpm bool) (string, error) {
 		return "", err
 	}
 	if tpm {
-		// Enroll PCR values as an unlock method
-		args := []string{"--tpm2-device=auto", "--tpm2-pcrs=7+8+9", part}
+		// Enroll PCR policy as a keyslot
+		// We pass the current signature of the booted system to confirm that we would be able to unlock with the current booted system
+		// That checks the policy against the signatures and fails if a UKI with those signatures wont be able to unlock the device
+		// Files are generated by systemd automatically and are extracted from the UKI binary directly
+		// public pem cert -> .pcrpkey section fo the elf file
+		// signatures -> .pcrsig section of the elf file
+		args := []string{"--tpm2-public-key=/run/systemd/tpm2-pcr-public-key.pem", "--tpm2-signature=/run/systemd/tpm2-pcr-signature.json", "--tpm2-device=auto", part}
 		cmd := exec.Command("systemd-cryptenroll", args...)
 		cmd.Env = append(cmd.Env, fmt.Sprintf("PASSWORD=%s", pass)) // cannot pass it via stdin
 		cmd.Stdout = os.Stdout