From 237750c27fb818878e415d990a5a5fe7442e40e0 Mon Sep 17 00:00:00 2001
From: Alberto Planas
Date: Tue, 12 Nov 2024 16:26:34 +0100
Subject: [PATCH] In virtual environment drop PCR0
Signed-off-by: Alberto Planas
---
 sdbootutil | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/sdbootutil b/sdbootutil
index 93d7f35..2ad4806 100755
--- a/sdbootutil
+++ b/sdbootutil
@@ -2539,10 +2539,16 @@ enroll()
  # system status
  if [ "$arg_method" = "tpm2" ] || [ "$arg_method" = "tpm2+pin" ]; then
  if [ -z "${FDE_SEAL_PCR_LIST}" ]; then
+ if systemd-detect-virt -q; then
+ echo "Virtualized systemd detected ($(systemd-detect-virt)). Dropping PCR0"
+ FDE_SEAL_PCR_LIST=""
+ else
+ FDE_SEAL_PCR_LIST="0,"
+ fi
  if is_sdboot; then
- FDE_SEAL_PCR_LIST="0,2,4,7,9"
+ FDE_SEAL_PCR_LIST+="2,4,7,9"
  elif is_grub2_bls; then
- FDE_SEAL_PCR_LIST="0,2,4,7,8,9"
+ FDE_SEAL_PCR_LIST+="2,4,7,8,9"
  else
  err "Bootloader not detected"
  fi
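Review bot: The new `systemd-detect-virt -q` check on the first added line reports containers as well as VMs, so PCR0 is also dropped from the seal policy inside a container, where the rationale (firmware measurements that shift with hypervisor/OVMF updates) does not obviously apply; `systemd-detect-virt --vm -q` narrows it to VMs, and since omitting PCR0 deliberately weakens what the TPM policy binds to, the branch deserves a comment such as `# In VMs PCR0 (firmware) changes with the hypervisor image; omit it from the seal policy` above it. The message on the second added line reads "Virtualized systemd detected" where "system" is presumably meant, and it invokes systemd-detect-virt a second time instead of reusing the first result. The `FDE_SEAL_PCR_LIST+=` appends rely on bash string `+=`, which a plain POSIX `sh` interpreter would not accept — fine if the script's shebang is bash, which the hunk does not show. enroll() continues outside the hunk.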