Story
Resolution: Unresolved
rhel-bootloader
Updates to boot chain components can change the observed PCR values. The recent switch to the 800-series certificate for signing Grub resulted in a PCR7 change, and the upcoming 2011 -> 2023 Microsoft certificate switch is expected to bring another one. PCR4 changes on every such update. PCR values, however, can be used to seal secrets, so every such PCR change must be acted upon. The proposal is to implement a mechanism through which userland packages can be informed about the change.
For example, similarly to /etc/kernel/install.d/ and /usr/lib/kernel/install.d/ for the kernel, implement /etc/bootloader/install.d and /usr/lib/bootloader/install.d hook points and call all the scripts found there whenever a boot chain component (shim, grub, maybe sd-boot in the future) changes. For simplicity, figuring out the new PCR values can be left to these scripts.
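One way the proposed hook points could be driven, as an added illustration that is not code from this ticket or from rhel-bootloader: a POSIX sh dispatcher that borrows kernel-install's override and masking conventions. The *.install naming, the (component, version) arguments passed to each hook and the BOOTLOADER_HOOK_ROOT variable are assumptions made here.

```shell
#!/bin/sh
# Hypothetical dispatcher for the proposed /etc/bootloader/install.d and
# /usr/lib/bootloader/install.d hook points (not part of the ticket or of
# rhel-bootloader). Borrows kernel-install's conventions: scripts are named
# *.install, a script in /etc overrides a same-named one in /usr/lib, and an
# empty file (or /dev/null symlink) in /etc masks the /usr/lib script.
# BOOTLOADER_HOOK_ROOT is a constructed test knob that relocates both dirs.

run_bootloader_hooks() {
    component="$1"   # which boot chain component changed: shim, grub, sd-boot
    version="$2"     # the new package version the packaging is assumed to pass
    root="${BOOTLOADER_HOOK_ROOT:-}"
    etc_dir="$root/etc/bootloader/install.d"
    lib_dir="$root/usr/lib/bootloader/install.d"
    status=0

    # Union of script names from both directories, run in sorted order.
    names=$(for d in "$etc_dir" "$lib_dir"; do
                [ -d "$d" ] && ls "$d"
            done | sort -u)

    for name in $names; do
        case "$name" in *.install) ;; *) continue ;; esac
        # /etc takes precedence over /usr/lib for a same-named hook.
        if [ -e "$etc_dir/$name" ] || [ -L "$etc_dir/$name" ]; then
            hook="$etc_dir/$name"
        else
            hook="$lib_dir/$name"
        fi
        # Masked: an empty file or a /dev/null symlink has size zero.
        [ -s "$hook" ] || continue
        [ -x "$hook" ] || continue
        # Each hook re-derives or re-seals against the new PCR values itself;
        # a failing hook is reported via the exit status but does not stop the rest.
        "$hook" "$component" "$version" || status=$?
    done
    return "$status"
}
```

Packaging for shim or grub would call run_bootloader_hooks from its post-install step; the hooks themselves decide whether to recompute PCR7/PCR4 predictions or re-seal secrets.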