diff --git a/README.tpm b/README.tpm
index 261bcd0..b7314f1 100644
--- a/README.tpm
+++ b/README.tpm
@@ -3,6 +3,8 @@ The following PCRs are extended by shim:
 PCR4:
 - the Authenticode hash of the binary being loaded will be extended into PCR4
   before SB verification.
+- the hash of any binary for which Verify is called through the shim_lock
+  protocol
 PCR7:
 - Any certificate in one of our certificate databases that matches a binary
diff --git a/shim.c b/shim.c
index 2ab3dfe..8fe70cb 100644
--- a/shim.c
+++ b/shim.c
@@ -1820,7 +1820,11 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
 	if (status != EFI_SUCCESS)
 		goto done;
+	/* Measure the binary into the TPM */
+	tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4);
 	status = verify_buffer(buffer, size, &context, sha256hash, sha1hash);
 done:
 	in_protocol = 0;
 	return status;
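Review bot: `tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4)` is placed before `verify_buffer(buffer, size, &context, sha256hash, sha1hash)`, and nothing in the hunk fills `sha1hash` earlier; if `verify_buffer` is the call that computes the hashes (it receives them as output arguments) and the TPM 1.2 path of `tpm_log_pe` uses the caller-supplied digest rather than hashing `buffer` itself, the event logged to PCR4 would carry uninitialized stack contents. Either confirm that `tpm_log_pe` derives the digest from `buffer`/`size` on every TPM version, or move the measurement after `verify_buffer` and reconcile that with the README.tpm wording "before SB verification". The return value of `tpm_log_pe` is discarded; if boot is meant to continue without a TPM, a comment such as `/* measurement failure is non-fatal: boot proceeds even when no TPM is present */` would make that explicit for the next reader. The bare `4` is PCR4 per README.tpm; a named constant for the PCR index would make the call self-describing. The body of `shim_verify` begins before this hunk.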