From e41e21084a021b9ec515b2e1cdfcf651c48ff8ca Mon Sep 17 00:00:00 2001
From: Trammell Hudson <hudson@trmm.net>
Date: Mon, 3 Apr 2017 10:30:03 -0400
Subject: [PATCH] extend PCR 4 in a recovery to prevent disk key decryption
 (issue #154)

---
 initrd/bin/qubes-init | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/initrd/bin/qubes-init b/initrd/bin/qubes-init
index b059640..1a56406 100755
--- a/initrd/bin/qubes-init
+++ b/initrd/bin/qubes-init
@@ -8,7 +8,7 @@
 recovery() {
 	echo >&2 "!!!!! $@"
 	rm -f /tmp/secret.key
-	tpm extend -ix 4 -if recovery
+	tpm extend -ix 4 -ic recovery
 
 	echo >&2 "!!!!! Starting recovery shell"
 	exec /bin/ash