boot: stop making TPM PCR to measure kernel command line into configurable

Everyone appears to use PCR 8 for this, hence I think it's safe to hardcode that in systemd too. It's also documented, like here: https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html or here: https://github.com/rhboot/shim/blob/main/README.tpm (And the previous name was a bit confusing, since we don't actually just measure one thing anymore, but mutliple things into multiple PCRs...)
2024-12-23 17:34:00 +03:00 · 2021-09-20 15:10:33 +02:00 · 2021-09-20 15:10:33 +02:00 · faacf1807e
commit faacf1807e
parent 845707aae2
5 changed files with 2 additions and 7 deletions
--- a/meson.build
+++ b/meson.build
@ -1636,8 +1636,6 @@ if get_option('efi')

        have = true
        conf.set_quoted('EFI_MACHINE_TYPE_NAME', EFI_MACHINE_TYPE_NAME)
-
-        conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))
 else
        have = false
 endif
--- a/meson_options.txt
+++ b/meson_options.txt
@ -416,8 +416,6 @@ option('efi-libdir', type : 'string',
       description : 'path to the EFI lib directory')
 option('efi-includedir', type : 'string', value : '/usr/include/efi',
       description : 'path to the EFI header directory')
-option('tpm-pcrindex', type : 'integer', value : 8,
-       description : 'TPM PCR register number to use')
 option('sbat-distro', type : 'string',
       description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
 option('sbat-distro-generation', type : 'integer', value : 1,
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@ -2349,7 +2349,7 @@ static EFI_STATUS image_start(

 #if ENABLE_TPM
                /* Try to log any options to the TPM, especially to catch manually edited options */
-                err = tpm_log_event(SD_TPM_PCR,
+                err = tpm_log_event(TPM_PCR_INDEX_KERNEL_PARAMETERS,
                                    (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
                                    loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
                if (EFI_ERROR(err))
--- a/src/boot/efi/meson.build
+++ b/src/boot/efi/meson.build
@ -103,7 +103,6 @@ if have_gnu_efi
        efi_conf = configuration_data()
        efi_conf.set_quoted('EFI_MACHINE_TYPE_NAME', EFI_MACHINE_TYPE_NAME)
        efi_conf.set10('ENABLE_TPM', get_option('tpm'))
-        efi_conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))

        foreach ctype : ['color-normal', 'color-entry', 'color-highlight', 'color-edit']
                c = get_option('efi-' + ctype).split(',')
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@ -148,7 +148,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {

 #if ENABLE_TPM
                /* Try to log any options to the TPM, especially manually edited options */
-                err = tpm_log_event(SD_TPM_PCR,
+                err = tpm_log_event(TPM_PCR_INDEX_KERNEL_PARAMETERS,
                                    (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
                                    loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
                if (EFI_ERROR(err))