From 8485bba53d82a0852318fa4ce3bd76ac291cd418 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 11 Feb 2026 13:13:00 +0100
Subject: [PATCH] tpm2-setup: introduce nvpcr for measuring Verity images

I thnk it's crucial we start to measure Verity images as we activate them, so that the event log has a full trace of the compisition of the system. hence let's introduce a new NvPCR for this purpse, under the name "verity".
---
 src/tpm2-setup/meson.build | 4 ++--
 src/tpm2-setup/nvpcr/verity.nvpcr.in | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 src/tpm2-setup/nvpcr/verity.nvpcr.in

diff --git a/src/tpm2-setup/meson.build b/src/tpm2-setup/meson.build
index 9814fe10056..a862e7239cc 100644
--- a/src/tpm2-setup/meson.build
+++ b/src/tpm2-setup/meson.build
@@ -31,12 +31,12 @@ executables += [
                         'HAVE_TPM2',
                 ],
         },
-] if conf.get('ENABLE_BOOTLOADER') == 1 and conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_TPM2') == 1
 
 nvpcrs = [
         'cryptsetup',
-        'hardware' ]
+        'hardware',
+        'verity']
 
 foreach n : nvpcrs
         custom_target(
                 input : 'nvpcr/' + n + '.nvpcr.in',
diff --git a/src/tpm2-setup/nvpcr/verity.nvpcr.in b/src/tpm2-setup/nvpcr/verity.nvpcr.in
new file mode 100644
index 00000000000..b4fb62bd762
--- /dev/null
+++ b/src/tpm2-setup/nvpcr/verity.nvpcr.in
@@ -0,0 +1,5 @@
+{
+        "name" : "verity",
+        "algorithm" : "sha256",
+        "nvIndex" : {{TPM2_NVPCR_BASE + 2}}
+}
-- 
2.47.3
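Review bot: On the new side of the meson.build hunk the `executables += [` list opened at the hunk header has no visible closing bracket: the removed `] if conf.get('ENABLE_BOOTLOADER') == 1 and ...` line gets no replacement, and the next new-side line is already `nvpcrs = [`. The diffstat's two deletions agree with that removal, so this does not look like a rendering slip, but the list may be closed by lines outside the hunk; if it is not, meson will fail to parse the file. If only the build condition was meant to go, the replacement line would be a bare `]`.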
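Review bot: The offset in `"nvIndex" : {{TPM2_NVPCR_BASE + 2}}` is the only thing that separates this definition from the existing `cryptsetup` and `hardware` NvPCRs, yet nothing in the hunk shows which offsets those two occupy, so a collision would surface only at runtime when two definitions claim the same NV index; presumably they use +0 and +1, which should be verified before merging. Once shipped, the name-to-index mapping is something attestation policies and event-log consumers will bind to, so the offset should be treated as stable ABI and the allocation documented, for instance with a `# nvIndex offsets: cryptsetup=<n>, hardware=<n>, verity=2` comment next to the `nvpcrs` list in meson.build (placeholders to be filled from the sibling definitions). The commit message says the index is for measuring Verity images on activation, but per the diffstat no code in this commit extends it; on its own the definition only reserves the index.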