Hi! Thank you for pointing that out. That is indeed a huge gap I haven't thought of.
The crux of the problem is that the signed kernel/initrd image will happily transfer control over to any potentially untrusted root partition as long as the user enters the correct password for the partition.
The way I would fix this hole is to verify the root partition before transferring control over to it. One way to do it is to:
1. Create a file with some random secret on the root partition (readable only by root).
2. Hash the secret with a cryptographically secure hash and store the hash value in the initrd.
3. During boot, verify that the hash of the file on the decrypted partition matches the one stored in the initrd. Refuse to boot if the hash does not match.
This way, an attacker cannot replace the LUKS partition with a different one because the attacker does not know the random secret encrypted inside the partition.
Thanks again for mentioning this! I'll add a note in the article so future readers are aware of this issue.
P.S. If you want to append some value to the PCR during initrd, you can as well. You'll just need to store the original values to the ramdisk during boot so you can use the original values when you want to seal a new secret into the TPM. I'm not sure of the commands to do that though.
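The three-step binding described in the reply above, as an added shell example that is not part of the original comment: `bind_root` is the one-time setup on the trusted system and `verify_root` is what the initrd would run after unlocking and mounting the LUKS volume. The file names (`/etc/root-binding-secret`, `root-binding.sha256`) and the use of plain directories to stand in for the root filesystem and the initrd are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original comment. Directory arguments stand
# in for the mounted root partition and the unpacked initrd (assumed layout).
set -eu

# Phase 1 (run once from the trusted system): put a random secret on the root
# partition, readable only by root, and bake its SHA-256 into the initrd.
bind_root() {
    root="$1"; initrd="$2"
    umask 077
    mkdir -p "$root/etc" "$initrd"
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$root/etc/root-binding-secret"
    sha256sum < "$root/etc/root-binding-secret" | cut -d' ' -f1 > "$initrd/root-binding.sha256"
}

# Phase 2 (run from the signed initrd after the volume is unlocked and mounted):
# rehash the secret found on the root and compare with the stored value.
# Returns 0 when boot may continue and 1 when the root must be refused.
verify_root() {
    root="$1"; initrd="$2"
    expected=$(cat "$initrd/root-binding.sha256")
    if [ ! -f "$root/etc/root-binding-secret" ]; then
        echo "refusing to boot: binding secret missing on root" >&2
        return 1
    fi
    actual=$(sha256sum < "$root/etc/root-binding-secret" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "root partition verified, continuing boot"
        return 0
    fi
    echo "refusing to boot: root partition does not match initrd" >&2
    return 1
}

# Demo with constructed directories: the bound root passes, a swapped-in root
# carrying an attacker-chosen secret is refused.
demo=$(mktemp -d)
bind_root "$demo/root" "$demo/initrd"
verify_root "$demo/root" "$demo/initrd"
mkdir -p "$demo/other/etc"
echo "constructed-wrong-secret" > "$demo/other/etc/root-binding-secret"
verify_root "$demo/other" "$demo/initrd" || echo "(swapped root refused as expected)"
rm -rf "$demo"
```

Because the hash lives inside the signed initrd and the secret lives inside the encrypted partition, neither can be changed independently without the check failing.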