-rw-r--r--man/systemd-cryptenroll.xml5
-rw-r--r--man/systemd-stub.xml13
-rw-r--r--src/boot/efi/measure.h4
-rw-r--r--src/boot/efi/stub.c29
4 files changed, 34 insertions, 17 deletions
diff --git a/man/systemd-cryptenroll.xml b/man/systemd-cryptenroll.xml
index 4a5127b02d..2aa396e300 100644
--- a/man/systemd-cryptenroll.xml
+++ b/man/systemd-cryptenroll.xml
@@ -307,6 +307,11 @@
</row>
<row>
+ <entry>13</entry>
+ <entry><citerefentry><refentrytitle>systemd-stub</refentrytitle><manvolnum>7</manvolnum></citerefentry> measures any <citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> images it loads and passed to the booted kernel into this PCR.</entry>
+ </row>
+
+ <row>
<entry>14</entry>
<entry>The shim project measures its "MOK" certificates and hashes into this PCR.</entry>
</row>
diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml
index df7cabcf50..1e9bb5d631 100644
--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@@ -115,7 +115,7 @@
images to the initrd. See
<citerefentry><refentrytitle>systemd-sysext</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
details on system extension images. The generated <command>cpio</command> archive containing these
- system extension images is measured into TPM PCR 4 (if a TPM is present).</para></listitem>
+ system extension images is measured into TPM PCR 13 (if a TPM is present).</para></listitem>
<listitem><para>Files <filename>/loader/credentials/*.cred</filename> are packed up in a
<command>cpio</command> archive and placed in the <filename>/.extra/global_credentials/</filename>
@@ -197,7 +197,7 @@
<row>
<entry>System Extensions (synthesized initrd from companion files)</entry>
- <entry>4 + 9</entry>
+ <entry>9 + 13</entry>
</row>
</tbody>
</tgroup>
@@ -263,6 +263,15 @@
formatted as decimal ASCII string (i.e. <literal>12</literal>). This variable is set if a measurement
was successfully completed, and remains unset otherwise.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>StubPcrInitRDSysExts</varname></term>
+
+ <listitem><para>The PCR register index the systemd extensions for the initial RAM disk image, which
+ are picked up from the file system the kernel image is located on. Formatted as decimal ASCII string
+ (i.e. <literal>13</literal>). This variable is set if a measurement was successfully completed, and
+ remains unset otherwise.</para></listitem>
+ </varlistentry>
</variablelist>
<para>Note that some of the variables above may also be set by the boot loader. The stub will only set
diff --git a/src/boot/efi/measure.h b/src/boot/efi/measure.h
index df7f04c9fb..141d44aa79 100644
--- a/src/boot/efi/measure.h
+++ b/src/boot/efi/measure.h
@@ -22,8 +22,8 @@
#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT UINT32_MAX
#endif
-/* This TPM PCR is where most Linux infrastructure extends the initrd binary images into, and so do we. */
-#define TPM_PCR_INDEX_INITRD 4U
+/* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
+#define TPM_PCR_INDEX_INITRD_SYSEXTS 13U
#if ENABLE_TPM
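Review bot: The replacement comment on TPM_PCR_INDEX_INITRD_SYSEXTS no longer records why this particular PCR was chosen, whereas the line it replaces justified PCR 4 by pointing at what the rest of the Linux infrastructure extends the initrd into; a reader of measure.h cannot tell whether 13 was picked to keep the sysext measurement separate from that shared initrd PCR or for some other reason, and it also lacks a terminating period. Suggest something like `/* This TPM PCR is where we extend the initrd sysext images we pass to the booted kernel. It is deliberately distinct from the PCR most Linux infrastructure extends the initrd binary itself into (4), so the sysext measurement can be policy-bound on its own. */`, adjusted if the actual motivation differs. The old name TPM_PCR_INDEX_INITRD is removed rather than kept as an alias; if anything outside this diff still references it the build will break, which cannot be confirmed from the hunk alone.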
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index 1afbde3295..3b74647a18 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -182,8 +182,8 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
char *cmdline = NULL;
_cleanup_free_ char *cmdline_owned = NULL;
int sections_measured = -1, parameters_measured = -1;
+ bool sysext_measured = false, m;
EFI_STATUS err;
- bool m;
InitializeLib(image, sys_table);
debug_hook(L"systemd-stub");
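Review bot: The new declaration `bool sysext_measured = false, m;` folds an initialized flag and an uninitialized scratch variable into one statement, which hides that `m` is the only local on that line without an initializer and differs from the one-declarator-per-line style used for the neighbouring `EFI_STATUS err;`. Splitting it, `bool sysext_measured = false;` and `bool m;` on separate lines, keeps the distinction visible; the rest of the declarations in efi_main start outside the hunk.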
@@ -298,21 +298,24 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
&m) == EFI_SUCCESS)
parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
- (void) pack_cpio(loaded_image,
- NULL,
- L".raw",
- ".extra/sysext",
- /* dir_mode= */ 0555,
- /* access_mode= */ 0444,
- /* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_INITRD },
- /* n_tpm_pcr= */ 1,
- L"System extension initrd",
- &sysext_initrd,
- &sysext_initrd_size,
- NULL);
+ if (pack_cpio(loaded_image,
+ NULL,
+ L".raw",
+ ".extra/sysext",
+ /* dir_mode= */ 0555,
+ /* access_mode= */ 0444,
+ /* tpm_pcr= */ (uint32_t[]) { TPM_PCR_INDEX_INITRD_SYSEXTS },
+ /* n_tpm_pcr= */ 1,
+ L"System extension initrd",
+ &sysext_initrd,
+ &sysext_initrd_size,
+ &m) == EFI_SUCCESS)
+ sysext_measured = m;
if (parameters_measured > 0)
(void) efivar_set_uint_string(LOADER_GUID, L"StubPcrKernelParameters", TPM_PCR_INDEX_KERNEL_PARAMETERS, 0);
+ if (sysext_measured)
+ (void) efivar_set_uint_string(LOADER_GUID, L"StubPcrInitRDSysExts", TPM_PCR_INDEX_INITRD_SYSEXTS, 0);
linux_size = szs[SECTION_LINUX];
linux_base = POINTER_TO_PHYSICAL_ADDRESS(loaded_image->ImageBase) + addrs[SECTION_LINUX];
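Review bot: `sysext_measured = m;` copies whatever pack_cpio left in the shared scratch variable `m`, which is only correct if pack_cpio writes `*ret_measured` on every EFI_SUCCESS return, including the case where no `.raw` files are found and nothing is extended into PCR 13; if it returns success without touching the output, `m` still holds the result of the kernel-parameter measurement a few lines above and `StubPcrInitRDSysExts` would be published although no sysext measurement took place. pack_cpio is not visible here, so this may already be guaranteed, but clearing the scratch value before the call removes the dependency entirely: insert `m = false;` directly before `if (pack_cpio(loaded_image,`, or give the sysext path its own `bool` instead of reusing `m`. `m` is declared in the earlier hunk of this file around line 182, and efi_main begins and continues outside this hunk.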