The current implementation ensures that, once CRTM is initialized in an early stage (let's say verstage), the rest of the stages are trustworthy as they are measured into a PCR _before_ they will be executed. So now you just need to make sure that the SPI flash contents until that early stage and including are trustworthy and the rest of the stages is now captured by the measurement.
Moving this "root of trust" into the latest stage (ramstage) by just replaying the TCPA log into the PCRs there leads to the situation that now all the stages until ramstage and including are not trustworthy anymore as one can change the code to just mimic the needed PCR values.
Maybe someone uses current measured boot in a slightly different manner than it used to be used in a pure VBOOT environment, without a strict RO partition in the flash and have a different way of ensuring the trust of the flash contents (I remember that eltan did something like this, see [1]). In this situation it is way more easier to ensure the integrity of just bootblock and verstage instead of checking all the stages.
[1] https://www.youtube.com/watch?v=D4oQjcP6AVI&list=PLiWdJ1SEk1_A5lAhz6jnqsDAPenYBW8_r&index=13
Patch set 63:Code-Review -1
To view, visit change 35077. To unsubscribe, or for help writing mail filters, visit settings.