Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/35645 )
Change subject: vboot: Fix wrong algorithm in TCPA log for BOOT_MODE ......................................................................
Patch Set 2: Code-Review-1
Sorry, we needed to change this for correctness (and can't let you change it back). See my comments in CB:33252 for explanation.
We need both vboot PCRs to use the same PCR bank (SHA256 for TPM 2.0). It's true that the data you get is only a SHA1 hash, but it is zero extended and you need to treat it like a SHA256 hash. This is how vboot has always done it and how all our userspace tools expect it, so we don't want to change it now.
The whole implementation in tpm_extend_pcr() is still a mess in that it gets passed an algorithm and a length and uses that for the TCPA log but not for actual TPM communication. That needs to be cleaned up so they at least both work on the same data. Like I mentioned in CB:33252, I think the best way to clean it up would be to remove the algorithm type (and therefore maybe also the digest length) parameter completely and just use a hardcoded hash algorithm (possibly selected by Kconfig) for both TPM communication and TCPA log. Using multiple algorithm banks at once on TPM 2.0 is just super confusing with little practical benefit in my opinion, so I think it would be better if we just don't allow that at all.