diff --git a/pre-pivot.sh b/pre-pivot.sh
index 07d6078..fef151b 100644
--- a/pre-pivot.sh
+++ b/pre-pivot.sh
@@ -52,22 +52,26 @@
 if cryptsetup isLuks --type luks2 "$datadev"; then
 luksdev=/dev/mapper/$luksname
 if ! [[ -b $luksdev ]]; then
- if ! cryptsetup luksDump "$datadev" | grep -F -q clevis ; then
- udevadm settle --exit-if-exists=/dev/tpmrm0
- export TPM2TOOLS_TCTI_NAME=device
- export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
-
- if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
- clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
- elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
- clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
- else
- warn "Failed to bind disk to TPM2"
- echo -n "zero key" | cryptsetup open --type luks2 "$datadev" $luksname --key-file /dev/stdin
- fi
- else
- clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
- fi
+ if ! cryptsetup luksDump "$datadev" | grep -F -q clevis ; then
+ udevadm settle --exit-if-exists=/dev/tpmrm0
+ export TPM2TOOLS_TCTI_NAME=device
+ export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
+
+ if echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7"}'; then
+ clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
+ elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$datadev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
+ clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
+ else
+ warn "Failed to bind disk to TPM2"
+ echo -n "zero key" | cryptsetup open --type luks2 "$datadev" $luksname --key-file /dev/stdin
+ fi
+ else
+ clevis-luks-unlock -d "$datadev" -n "$luksname" || die "Failed to unlock $datadev"
+ fi
+ tpm2_pcrextend \
+ -T device:/dev/tpmrm0 \
+ 7:sha1=f6196dd72e7fad01051cb171ed3e8a29f7217b3a,sha256=6064ec4f91ea49cce638d0b7f9013989c01cba8a62957ac96cd1976bb2e098fa 2>&1 \
+ || die "Failed to extend PCR7"
 fi
 datadev="$luksdev"
 fi
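Review bot: The added `tpm2_pcrextend … || die "Failed to extend PCR7"` runs inside `if ! [[ -b $luksdev ]]; then … fi`, so when the mapping already exists nothing is opened and PCR7 is never extended, leaving the value the `pcr_ids:7` clevis policy was sealed against in place for the rest of the boot. Moving the four `tpm2_pcrextend` lines to just after the inner `fi`, before `datadev="$luksdev"`, would cap PCR7 on every path through the isLuks branch. The hard-coded digests also need a why-comment, since nothing here says what they correspond to; something like `# Extend PCR7 after unlock so the clevis tpm2 policy bound above can no longer be satisfied later in boot` — which appears to be the intent but is inferred from the surrounding code, so confirm before writing it. The re-indented fallback `echo -n "zero key" | cryptsetup open … --key-file /dev/stdin` still has no `|| die`, so a failed open reaches the extend and `datadev="$luksdev"` regardless.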
@@ -89,4 +93,4 @@
 for i in passwd shadow group gshadow subuid subgid; do
 cp -a /sysroot/usr/share/factory/data/var/$i /sysroot/data/var/$i
 done
-chroot /sysroot /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc 2>&1 | vinfo
+chroot /sysroot /usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev --exclude-prefix=/run --exclude-prefix=/tmp --exclude-prefix=/etc 2>&1 | vinfo
diff --git a/prepare-root.sh b/prepare-root.sh
index ba69174..be64937 100755
--- a/prepare-root.sh
+++ b/prepare-root.sh
@@ -207,7 +207,8 @@ chroot "$sysroot" \
 --install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \
 --install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
 --install "cryptsetup tail sort pwmake mktemp " \
- --install "tpm2_createprimary tpm2_pcrlist tpm2_createpolicy tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \
+ --install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \
+ --install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \
 --install "strace" \
 --include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/pre-pivot.sh \
 --include /overlay / \