Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35645 )
Change subject: vboot: Fix wrong algorithm in TCPA log for BOOT_MODE
Patch Set 2:
The reason for this change is the following entry in the TCPA log when VBOOT is enabled on mc_bdx1 (fsp_broadwell_de) with TPM2:
PCR-0 62571891215b4efc1ceab744ce59dd0b66ea6f73 SHA256 [VBOOT: boot mode]
PCR-1 a66c8c2cda246d332d0c2025b6266e1e23c89410051002f46bfad1c9265f43d0 SHA256 [VBOOT: GBB HWID]
These two PCRs claim to have the same algorithm used for hashing (SHA256), but for boot mode the entry is clearly too short as it just has 20 bytes (which would be SHA1 instead of SHA256). So in this case it is just wrong that SHA256 is reported.
Yes, that needs to be fixed. That's a consequence of us passing both digest length and algorithm type as separate parameters to tpm_extend_pcr(). That doesn't make sense because those two always need to be in sync.
I'd again like to campaign for my suggestion to get rid of both of them and have the algorithm type hardcoded in Kconfig for all PCRs. That would cause the right (full 32-byte) value to be logged for PCR-0 here and would make future misconfiguration like this and others impossible.
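The mismatch discussed in this comment can be checked mechanically on log output. The following is an added example, not part of the original review comment and not coreboot code: a small C checker that parses lines in the format quoted above and flags entries whose digest length does not match the claimed algorithm. The function name check_tcpa_line and the algorithm table are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Digest sizes in bytes for the hash names this example accepts (assumed set). */
static const struct { const char *name; size_t len; } algs[] = {
	{ "SHA1", 20 }, { "SHA256", 32 }, { "SHA384", 48 }, { "SHA512", 64 },
};

/*
 * Check one log line of the form "PCR-<n> <hex digest> <ALG> [<name>]".
 * Returns 0 if the digest length matches the claimed algorithm,
 * 1 on a mismatch, -1 if the line is malformed or the algorithm is unknown.
 */
int check_tcpa_line(const char *line)
{
	int pcr;
	char hex[129], alg[16];

	if (sscanf(line, "PCR-%d %128s %15s", &pcr, hex, alg) != 3)
		return -1;
	size_t n = strlen(hex);
	if (n % 2)
		return -1;
	for (size_t i = 0; i < n; i++)
		if (!isxdigit((unsigned char)hex[i]))
			return -1;
	for (size_t i = 0; i < sizeof(algs) / sizeof(algs[0]); i++)
		if (!strcmp(alg, algs[i].name))
			return n / 2 == algs[i].len ? 0 : 1;
	return -1;
}

int main(void)
{
	/* The two entries quoted in the comment above. */
	const char *log[] = {
		"PCR-0 62571891215b4efc1ceab744ce59dd0b66ea6f73 SHA256 [VBOOT: boot mode]",
		"PCR-1 a66c8c2cda246d332d0c2025b6266e1e23c89410051002f46bfad1c9265f43d0 SHA256 [VBOOT: GBB HWID]",
	};
	for (size_t i = 0; i < 2; i++)
		printf("%s: %s\n", check_tcpa_line(log[i]) ? "MISMATCH" : "ok", log[i]);
	return 0;
}
```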