If I may suggest something: if you have TPM version 2, use sha256 everywhere. And you can expand the PCRs list to cover more stuff. I'm using PCRs 0 to 8 (or 9? Can't check now), so any hardware configuration change is apparent during boot.
Another useful package is sbupdate [0], which not only signs the kernel for SecureBoot but additionally makes it possible to boot the kernel directly from UEFI firmware, bypassing the need for a bootloader (be it grub or systemd-boot). Once set up, it just works!
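The following is an added illustration, not part of the comment above or of any tool it mentions: a small model of the sha256 PCR bank showing why a secret bound to PCRs 0 to 8 stops unsealing after a firmware configuration change, while one bound to PCR 7 alone does not notice. The measurement strings, the `NARROW`/`WIDE` selections and all function names are constructed for this sketch, and hashing the event text to get the event digest is a simplification.

```python
import hashlib

PCR_COUNT = 24  # a TPM 2.0 PC client bank exposes PCRs 0..23


def extend(pcr: bytes, event_data: bytes) -> bytes:
    """PCR extend for the sha256 bank: new = SHA256(old || event_digest).
    Assumption: the event digest is simply SHA256 of the event data."""
    event_digest = hashlib.sha256(event_data).digest()
    return hashlib.sha256(pcr + event_digest).digest()


def replay(events):
    """Replay (pcr_index, event_data) pairs starting from an all-zero bank."""
    bank = [bytes(32)] * PCR_COUNT
    for index, data in events:
        bank[index] = extend(bank[index], data)
    return bank


def selection_digest(bank, selection):
    """SHA256 over the selected PCR values, concatenated in ascending order."""
    h = hashlib.sha256()
    for index in sorted(selection):
        h.update(bank[index])
    return h.digest()


def would_unseal(sealed_bank, current_bank, selection):
    """A PCR-bound secret is released only if the selected PCRs still match."""
    return (selection_digest(sealed_bank, selection)
            == selection_digest(current_bank, selection))


# Constructed sample measurements, not taken from a real TPM event log.
BASELINE = [
    (0, b"firmware-code-v1"),
    (1, b"firmware-config: boot-order=disk"),
    (2, b"option-rom: nic"),
    (4, b"boot-manager: kernel.efi"),
    (7, b"secure-boot: enabled, db=example-cert"),
]
# Same boot, except the firmware configuration measured into PCR 1 changed.
CHANGED = [(i, b"firmware-config: boot-order=usb") if i == 1 else (i, d)
           for i, d in BASELINE]

NARROW = [7]          # bound to the Secure Boot state only
WIDE = list(range(9))  # PCRs 0 to 8, as suggested in the comment

if __name__ == "__main__":
    sealed, now = replay(BASELINE), replay(CHANGED)
    print("PCR 7 only  :", would_unseal(sealed, now, NARROW))
    print("PCRs 0 to 8 :", would_unseal(sealed, now, WIDE))
```

The wider selection also means legitimate firmware updates or setting changes alter the bound values, so the secret has to be re-sealed after them.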