build_library/grub.cfg: Enable TPM module by default

For binding a secret to the OS we need TPM PCRs that measure the kernel and boot configuration (UEFI). Used for: flatcar/flatcar-website#317
flatcar · Apr 9, 2024 · ff2d7a8 · ff2d7a8
1 parent 385b929
commit ff2d7a8
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
@@ -60,15 +60,15 @@ case "${FLAGS_target}" in
         CORE_NAME="core.img"
         ;;
     x86_64-efi)
-        CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp )
+        CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp tpm )
         CORE_NAME="core.efi"
         SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
         ;;
     x86_64-xen)
         CORE_NAME="core.elf"
         ;;
     arm64-efi)
-        CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp )
+        CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp tpm )
         CORE_NAME="core.efi"
         BOARD_GRUB=1
         SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )

diff --git a/changelog/changes/2024-04-09-grub-tpm.md b/changelog/changes/2024-04-09-grub-tpm.md
@@ -0,0 +1 @@
+- Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI ([scripts#1861](https://github.com/flatcar/scripts/pull/1861))