security/tpm: make usage of PCRs configurable via Kconfig

At this moment, only GBB flags are moved from PCR-0 to PCR-1 when
vboot-compatibility is not enabled.

Change-Id: Ib3a192d902072f6f8d415c2952a36522b5bf09f9
Ticket: https://ticket.coreboot.org/issues/424
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/68750
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Michał Żygowski <michal.zygowski@3mdeb.com>
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index a72ea87..650a420 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -184,8 +184,8 @@
 
 static uint32_t extend_pcrs(struct vb2_context *ctx)
 {
-	return vboot_extend_pcr(ctx, 0, BOOT_MODE_PCR) ||
-		   vboot_extend_pcr(ctx, 1, HWID_DIGEST_PCR);
+	return vboot_extend_pcr(ctx, CONFIG_PCR_BOOT_MODE, BOOT_MODE_PCR) ||
+		   vboot_extend_pcr(ctx, CONFIG_PCR_HWID, HWID_DIGEST_PCR);
 }
 
 #define EC_EFS_BOOT_MODE_VERIFIED_RW	0x00
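Review bot: the two indices passed in extend_pcrs(), CONFIG_PCR_BOOT_MODE and CONFIG_PCR_HWID, now come from Kconfig, and nothing visible in this hunk prevents them from being set to the same PCR or to an index the TPM does not provide. With the old literals 0 and 1 the boot-mode and HWID digests were guaranteed to land in separate registers. If both symbols resolve to one index, the two measurements are folded into a single PCR, and any attestation or sealing policy that expects them apart will silently stop matching. Consider a build-time assertion next to extend_pcrs() that the two values differ, plus a range constraint on the Kconfig entries. A short comment here noting which configuration moves the boot-mode (GBB flags) measurement from PCR-0 to PCR-1, as the commit message describes, would also help readers of this file, since the mapping is no longer visible at the call site.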