boot: stop making TPM PCR to measure kernel command line into configu…

…rable Everyone appears to use PCR 8 for this, hence I think it's safe to hardcode that in systemd too. It's also documented, like here: https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html or here: https://github.com/rhboot/shim/blob/main/README.tpm (And the previous name was a bit confusing, since we don't actually just measure one thing anymore, but mutliple things into multiple PCRs...)
systemd · Sep 23, 2021 · faacf18 · faacf18 · xnox · Feb 25, 2022
1 parent 845707a
commit faacf18
Show file tree

Hide file tree

Showing 5 changed files with 2 additions and 7 deletions.
diff --git a/meson.build b/meson.build
@@ -1636,8 +1636,6 @@ if get_option('efi')
 
         have = true
         conf.set_quoted('EFI_MACHINE_TYPE_NAME', EFI_MACHINE_TYPE_NAME)
-
-        conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))
 else
         have = false
 endif

diff --git a/meson_options.txt b/meson_options.txt
@@ -416,8 +416,6 @@ option('efi-libdir', type : 'string',
        description : 'path to the EFI lib directory')
 option('efi-includedir', type : 'string', value : '/usr/include/efi',
        description : 'path to the EFI header directory')
-option('tpm-pcrindex', type : 'integer', value : 8,
-       description : 'TPM PCR register number to use')
 option('sbat-distro', type : 'string',
        description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
 option('sbat-distro-generation', type : 'integer', value : 1,

diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
@@ -2349,7 +2349,7 @@ static EFI_STATUS image_start(
 
 #if ENABLE_TPM
                 /* Try to log any options to the TPM, especially to catch manually edited options */
-                err = tpm_log_event(SD_TPM_PCR,
+                err = tpm_log_event(TPM_PCR_INDEX_KERNEL_PARAMETERS,
                                     (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
                                     loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
                 if (EFI_ERROR(err))

diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
@@ -103,7 +103,6 @@ if have_gnu_efi
         efi_conf = configuration_data()
         efi_conf.set_quoted('EFI_MACHINE_TYPE_NAME', EFI_MACHINE_TYPE_NAME)
         efi_conf.set10('ENABLE_TPM', get_option('tpm'))
-        efi_conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))
 
         foreach ctype : ['color-normal', 'color-entry', 'color-highlight', 'color-edit']
                 c = get_option('efi-' + ctype).split(',')

diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
@@ -148,7 +148,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
 
 #if ENABLE_TPM
                 /* Try to log any options to the TPM, especially manually edited options */
-                err = tpm_log_event(SD_TPM_PCR,
+                err = tpm_log_event(TPM_PCR_INDEX_KERNEL_PARAMETERS,
                                     (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
                                     loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
                 if (EFI_ERROR(err))