boot: stop making TPM PCR to measure kernel command line into configurable

Everyone appears to use PCR 8 for this, hence I think it's safe to
hardcode that in systemd too.

It's also documented, like here:

https://www.gnu.org/software/grub/manual/grub/html_node/Measured-Boot.html

or here:

https://github.com/rhboot/shim/blob/main/README.tpm

(And the previous name was a bit confusing, since we don't actually just
measure one thing anymore, but mutliple things into multiple PCRs...)

diff --git a/meson.build b/meson.build
index 30609f851523dbe0de4c395c432d85f5b7de86d5..1447f555215815c13ebec7ed9dddad2004937053 100644 (file)
--- a/meson.build
+++ b/meson.build
@@ -1636,8 +1636,6 @@ if get_option('efi')
 
         have = true
         conf.set_quoted('EFI_MACHINE_TYPE_NAME', EFI_MACHINE_TYPE_NAME)
-
-        conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))
 else
         have = false
 endif

diff --git a/meson_options.txt b/meson_options.txt
index b122f275da215c4ca332ebde5472a4233146b25d..e094d48c6ef1bf76c5866a866fe685b92d3fec79 100644 (file)
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -416,8 +416,6 @@ option('efi-libdir', type : 'string',
        description : 'path to the EFI lib directory')
 option('efi-includedir', type : 'string', value : '/usr/include/efi',
        description : 'path to the EFI header directory')
-option('tpm-pcrindex', type : 'integer', value : 8,
-       description : 'TPM PCR register number to use')
 option('sbat-distro', type : 'string',
        description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
 option('sbat-distro-generation', type : 'integer', value : 1,

diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index 734ae56fb1912745e6282395713ec418e2c9db19..e95fe870fe32d2bafe9a3ec37602eb81867cf41f 100644 (file)
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -2349,7 +2349,7 @@ static EFI_STATUS image_start(
 
 #if ENABLE_TPM
                 /* Try to log any options to the TPM, especially to catch manually edited options */
-                err = tpm_log_event(SD_TPM_PCR,
+                err = tpm_log_event(TPM_PCR_INDEX_KERNEL_PARAMETERS,
                                     (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
                                     loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
                 if (EFI_ERROR(err))

diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
index 3ae1c2f180b987abc34620e01444d7b2b310b9a4..3fdabb2073eeecb6e426bc5d971acb7f69083d74 100644 (file)
--- a/src/boot/efi/meson.build
+++ b/src/boot/efi/meson.build
@@ -103,7 +103,6 @@ if have_gnu_efi
         efi_conf = configuration_data()
         efi_conf.set_quoted('EFI_MACHINE_TYPE_NAME', EFI_MACHINE_TYPE_NAME)
         efi_conf.set10('ENABLE_TPM', get_option('tpm'))
-        efi_conf.set('SD_TPM_PCR', get_option('tpm-pcrindex'))
 
         foreach ctype : ['color-normal', 'color-entry', 'color-highlight', 'color-edit']
                 c = get_option('efi-' + ctype).split(',')

diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index ae06599005b830bc73770a87645987563c3bf7ab..c7232332ef520257046135ec7514ef60e8eed49c 100644 (file)
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -148,7 +148,7 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
 
 #if ENABLE_TPM
                 /* Try to log any options to the TPM, especially manually edited options */
-                err = tpm_log_event(SD_TPM_PCR,
+                err = tpm_log_event(TPM_PCR_INDEX_KERNEL_PARAMETERS,
                                     (EFI_PHYSICAL_ADDRESS) (UINTN) loaded_image->LoadOptions,
                                     loaded_image->LoadOptionsSize, loaded_image->LoadOptions);
                 if (EFI_ERROR(err))