From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 3 Nov 2025 08:00:41 +0000 (+0100)
Subject: Add support for nvindex-based additional PCRs for TPM2, aka "NvPCRs"  (#39463)
X-Git-Tag: v259-rc1~183
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f62d20b73006edc092715f7996e8a390b8310d0;p=thirdparty%2Fsystemd.git

Add support for nvindex-based additional PCRs for TPM2, aka "NvPCRs"  (#39463)

This is based on the code from #33276, but is cleaned up, and goes for a
modified approach:

the original PR allocated nvindexes fully dynamically, and that created
big headaches, because the assignments needed to be propagated into the
early boot process, and that meant stuffing them as sidecards to the
boot UKIs.

The TCG then offered us a fixed nvindex range assigned to us, and
happily said yes to that, but since then the discussion stalled, we
couldn't get any answer from TCG on this anymore.

This code uses the range that was hinted to us to use, but not
officially assigned to us by default, but makes it build time
configurable so that downstreams can change this.

(This does *not* make it runtime configurable, because that's really
hard, because of the early boot issue again).

This PR comes with a CI test and full docs. And I think this is really a
version should that be merged.

Fixes: https://github.com/systemd/systemd/issues/29877
---

8f62d20b73006edc092715f7996e8a390b8310d0