The ZBook 15u G6 under test measures “Calling EFI Application from Boot Option” into PCR4 before EV_SEPARATOR, as per the TCG spec Section 7.2.4. This breaks forward sealing.
We can fix the problem by replacing
in the forward function of seal-system.
However, this would break current systems that do not measure that string before extending EV_SEPARATOR. We could attempt to calculate the existing boot modules the 'old' way and, if we don't get our current PCR4 value, attempt this 'new' way. If written extensibly, we could then also use that for other platform quirks or behavior (think of a new platform deciding that EV_SEPARATOR was 0xffffffff).
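
One way the "try the old way, then the new way" fallback could look, as an added sketch that is not seal-system's own code: replay each known PCR4 prefix against the value currently in the TPM, and forward seal only with the prefix that reproduces it. The quirk names, the function names and the sample module digests are hypothetical; the sketch assumes the action string is hashed without a NUL terminator and that the usual separator is four zero bytes.

```python
import hashlib

ACTION = b"Calling EFI Application from Boot Option"  # string quoted above

# Hypothetical quirk table: events extended into PCR4 ahead of the boot modules.
# Assumed: the action string is hashed without a NUL terminator and the usual
# separator is four zero bytes.
QUIRKS = {
    "separator-only": [b"\x00\x00\x00\x00"],                 # the 'old' way
    "action-then-separator": [ACTION, b"\x00\x00\x00\x00"],  # the 'new' way
    "ff-separator": [b"\xff\xff\xff\xff"],                   # the 0xffffffff case
}

def extend(pcr, digest, alg):
    """TPM extend: new PCR = H(old PCR || digest)."""
    return hashlib.new(alg, pcr + digest).digest()

def predict_pcr4(quirk, module_digests, alg="sha256"):
    """Replay the quirk's leading events, then each boot module digest."""
    pcr = bytes(hashlib.new(alg).digest_size)  # PCR4 starts as all zeroes
    for data in QUIRKS[quirk]:
        pcr = extend(pcr, hashlib.new(alg, data).digest(), alg)
    for digest in module_digests:
        pcr = extend(pcr, digest, alg)
    return pcr

def detect_quirk(current_pcr4, current_modules, alg="sha256"):
    """Return the first quirk that reproduces the PCR4 value read from the TPM."""
    for name in QUIRKS:
        if predict_pcr4(name, current_modules, alg) == current_pcr4:
            return name
    return None  # unknown platform behaviour

def forward_pcr4(current_pcr4, current_modules, new_modules, alg="sha256"):
    """Predict the post-update PCR4 using the platform's detected behaviour."""
    quirk = detect_quirk(current_pcr4, current_modules, alg)
    if quirk is None:
        # Sealing to a value the platform will never produce would lock the
        # secret out on next boot, so fail closed instead of guessing.
        raise ValueError("current PCR4 not reproducible; not sealing")
    return quirk, predict_pcr4(quirk, new_modules, alg)

# Constructed sample data: stand-ins for the measured digests of boot modules.
OLD_MODULES = [hashlib.sha256(b"constructed boot module v1").digest()]
NEW_MODULES = [hashlib.sha256(b"constructed boot module v2").digest()]
```

Failing closed when no entry matches keeps an unrecognised platform from being sealed to a PCR4 value it can never reach.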