diff --git a/man/systemd-stub.xml b/man/systemd-stub.xml
index 21b79cd35f..4cbf9cde85 100644
--- a/man/systemd-stub.xml
+++ b/man/systemd-stub.xml
@@ -63,6 +63,9 @@
A compiled binary DeviceTree will be looked for in the .dtb PE
section.
+ Kernel version information, i.e. the output of uname -r for the
+ kernel included in the UKI, in the .uname PE section.
+
The kernel command line to pass to the invoked kernel will be looked for in the
.cmdline PE section.
@@ -391,7 +394,7 @@
io.systemd.stub.kernel-cmdline-extra
If set, the value of this string is added to the list of kernel command line
- arguments that are passed to the kernel.
+ arguments that are measured in PCR12 and passed to the kernel.
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index eb4bd77ac3..c8bbd36f3c 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -277,11 +277,17 @@ static EFI_STATUS run(EFI_HANDLE image) {
mangle_stub_cmdline(cmdline);
}
- /* SMBIOS strings are measured in PCR1, so we do not re-measure these command line extensions. */
const char *extra = smbios_find_oem_string("io.systemd.stub.kernel-cmdline-extra");
if (extra) {
_cleanup_free_ char16_t *tmp = TAKE_PTR(cmdline), *extra16 = xstr8_to_16(extra);
cmdline = xasprintf("%ls %ls", tmp, extra16);
+
+ /* SMBIOS strings are measured in PCR1, but we also want to measure them in our specific
+ * PCR12, as firmware-owned PCRs are very difficult to use as they'll contain unpredictable
+ * measurements that are not under control of the machine owner. */
+ m = false;
+ (void) tpm_log_load_options(extra16, &m);
+ parameters_measured = parameters_measured < 0 ? m : (parameters_measured && m);
}
export_variables(loaded_image);
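Review bot: The status returned by `tpm_log_load_options(extra16, &m)` is cast to `(void)`, and by that point `cmdline` has already been rebuilt with the SMBIOS string, so a failed PCR12 measurement still lets the extension reach the kernel. The only trace is `m` staying `false` and being folded into `parameters_measured`, which presumably is what later code reports; that is worth stating in the code, since the SMBIOS OEM string is supplied from outside the signed image. I would either keep the status and log a warning when it is an error, or extend the new comment with `/* Best-effort: if measuring fails the extension is still passed on, and parameters_measured is cleared so the unmeasured state stays visible. */`. `m`, `parameters_measured` and the rest of `run()` are declared outside this hunk, so how the flag is consumed could not be checked here.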