From 3525b9c25de63954cd13d18262dfb1d8c7ddd6a7 Mon Sep 17 00:00:00 2001 From: Joel Mathew Thomas Date: Thu, 26 Feb 2026 02:16:38 +0530 Subject: [PATCH] Update README with TPM security recommendations Add warning about sealing the TPM against raw PCR values --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index a2d04a1..dacd5cc 100644 --- a/README.md +++ b/README.md @@ -613,6 +613,7 @@ $ sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 --tpm2-public-key > [!WARNING] > It is recommended to use a pin to unlock the TPM, instead of allowing it to unlock automatically, for more security. > Use `--tpm2-with-pin=no` **only** if you are comfortable with TPM unlocking without user interaction (this is the default behavior). +> Do not use `--tpm2-pcrs=11` here. This option seals the LUKS key to the current raw PCR value and will break after kernel or initramfs updates. ``` Additional Flags
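Review bot: the added warning line does not explain why PCR 11 is different from the PCRs the command above already binds, since `--tpm2-pcrs=0+7` in the same command also seals to raw PCR values; as written, a reader cannot tell why raw binding is acceptable for 0 and 7 but not for 11. Suggest stating the actual reason: PCR 11 carries the kernel/initramfs measurement and therefore changes on every kernel or initramfs update, while PCRs 0 and 7 (firmware and Secure Boot state) are stable across such updates, and that the `--tpm2-public-key` flag already present in the command is the mechanism meant to cover PCR 11 without breaking on updates. Also consider rewording "Do not use `--tpm2-pcrs=11` here" to "Do not add `11` to `--tpm2-pcrs`", since "here" is ambiguous and the concern is about adding 11 to the list, not about replacing the whole option.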