PureBoot should not complain as long as the private key signing the files is the same as what PureBoot is expecting. The TPM’s PCRs does not store measurements of hashes for partitions, at least with PureBoot.
I think that’s a good news because if TPM starts measuring /boot, things will become complicated. /boot is already signed with a gpg key. As long as firmware is intact, you just need to check whether /boot is properly signed.
Complexity results from entangling two or more things. If TPM entangles firmware and /boot, then things become complex.
1 Like