From: Lennart Poettering Date: Wed, 11 Feb 2026 12:13:00 +0000 (+0100) Subject: tpm2-setup: introduce nvpcr for measuring Verity images X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8485bba53d82a0852318fa4ce3bd76ac291cd418;p=thirdparty%2Fsystemd.git tpm2-setup: introduce nvpcr for measuring Verity images I thnk it's crucial we start to measure Verity images as we activate them, so that the event log has a full trace of the compisition of the system. hence let's introduce a new NvPCR for this purpse, under the name "verity".
---
diff --git a/src/tpm2-setup/meson.build b/src/tpm2-setup/meson.build
index 9814fe10056..a862e7239cc 100644
--- a/src/tpm2-setup/meson.build
+++ b/src/tpm2-setup/meson.build
@@ -31,12 +31,12 @@ executables += [
 'HAVE_TPM2',
 ],
 },
- ] if conf.get('ENABLE_BOOTLOADER') == 1 and conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_TPM2') == 1
 nvpcrs = [
 'cryptsetup',
- 'hardware' ]
+ 'hardware',
+ 'verity']
 foreach n : nvpcrs
 custom_target(
 input : 'nvpcr/' + n + '.nvpcr.in',
diff --git a/src/tpm2-setup/nvpcr/verity.nvpcr.in b/src/tpm2-setup/nvpcr/verity.nvpcr.in
new file mode 100644
index 00000000000..b4fb62bd762
--- /dev/null
+++ b/src/tpm2-setup/nvpcr/verity.nvpcr.in
@@ -0,0 +1,5 @@
+{
+ "name" : "verity",
+ "algorithm" : "sha256",
+ "nvIndex" : {{TPM2_NVPCR_BASE + 2}}
+}
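Review bot: The meson.build hunk as captured removes the `] if conf.get('ENABLE_BOOTLOADER') == 1 and conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_TPM2') == 1` line that terminates the `executables += [` list, and no replacement `]` appears on the new side; the `-31,12 +31,12` counts are consistent with a net removal of that line, which would leave the list unterminated. If this is only an artifact of how the patch was collapsed, disregard; otherwise the closing bracket has to remain (the `conditions` entries already gate the executable, so a bare `]` would suffice). The `executables += [` list itself starts above the hunk, so its opening is outside this view.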
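Review bot: The new `verity.nvpcr.in` pins `"nvIndex" : {{TPM2_NVPCR_BASE + 2}}`, but nothing visible records how the per-NvPCR offsets (presumably `+ 0` for cryptsetup, `+ 1` for hardware, `+ 2` here) are allocated or that they are append-only; since the template is JSON with no comment syntax, the assignment should be documented next to the `nvpcrs` list in meson.build, e.g. `# NvPCR offsets above TPM2_NVPCR_BASE are allocated in list order and must never be reused or renumbered: existing NV indices and policies bound to them would be orphaned.` The commit message also states that Verity images are measured on activation, but this diff only declares the NvPCR and adds it to the build; no measurement code is present here, so the description should say the measurement itself lands separately. The `sha256` bank is fixed by the template as well, which is consistent with the existing `cryptsetup` and `hardware` definitions only if they use the same algorithm, which I cannot confirm from this hunk.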