From fec32ae3f0315b231266d7fcb9090f419277138f Mon Sep 17 00:00:00 2001 From: Tommy Date: Mon, 11 Nov 2024 15:32:40 -0700 Subject: [PATCH] Configure PCR pinning Signed-off-by: Tommy --- dom0.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/dom0.sh b/dom0.sh index fccf816..281f141 100644 --- a/dom0.sh +++ b/dom0.sh @@ -17,15 +17,19 @@ set -eu # Enabling discard and fstrim -sudo sed -i 's/issue_discards = 0/issue_discards = 1/g' /etc/lvm/lvm.conf +sudo sed -i 's/issue_discards = 0/issue_discards = 1/' /etc/lvm/lvm.conf sudo systemctl enable --now fstrim.timer +sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qt5ct qt5-qtstyleplugins + +# Configure PCRs +sudo sed -i 's/ --pcr 19//' /etc/anti-evil-maid.conf +sudo sed -i 's/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 5 /' /etc/anti-evil-maid.conf + # Theming # After a reboot, run qt5ct and set the theme to gtk-2 -sudo qubes-dom0-update anti-evil-maid qubes-ctap-dom0 qt5-qtstyleplugins - echo 'QT_QPA_PLATFORMTHEME=gtk2' | sudo tee -a /etc/environment # Add extra gtk theming - this is probably not necessary, but why not
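Review bot: The second `sed` under `# Configure PCRs` is unanchored and not idempotent: `s/="/="--pcr 0 … /` rewrites the first `="` on every line of /etc/anti-evil-maid.conf, and re-running dom0.sh prepends the six flags again. `sed -i` also exits 0 when nothing matches, so `set -eu` will not catch a config whose layout differs, and the secret would then be sealed without the intended PCRs and without any error. I would guard and restrict the edit, `sudo grep -q -- '--pcr 0 --pcr 1 ' /etc/anti-evil-maid.conf || sudo sed -i '/--pcr/ s/="/="--pcr 0 --pcr 1 --pcr 2 --pcr 3 --pcr 4 --pcr 5 /' /etc/anti-evil-maid.conf`, and follow it with `sudo grep -q -- '--pcr 5 ' /etc/anti-evil-maid.conf` so the script aborts if the flags are missing. The `/--pcr/` address assumes the target line still lists other PCRs after 19 is removed; otherwise anchor on the variable name, which this hunk does not show. The `# Configure PCRs` comment should also say why PCR 19 is dropped and that sealing to PCRs 0-5 presumably means firmware or boot-setting changes will require re-sealing.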