authorLennart Poettering <lennart@poettering.net>2022-07-27 10:43:34 +0200
committerLennart Poettering <lennart@poettering.net>2022-08-02 10:28:49 +0200
commitaa323c090750408fc008bfcdc538d8cf54d15180 (patch)
tree18a2918ac02d3b1a6f95375cb999d79b233a69af /src/fundamental
parentde7ad6d4f439f912ab0ba078dd29ef21a0af3623 (diff)
boot: split out TPM PCR defines into header file we can share between userspace and kernel space
Diffstat (limited to 'src/fundamental')
-rw-r--r--src/fundamental/meson.build1
-rw-r--r--src/fundamental/tpm-pcr.h24
2 files changed, 25 insertions, 0 deletions
diff --git a/src/fundamental/meson.build b/src/fundamental/meson.build
index 2ec4a28433..a4383f6a27 100644
--- a/src/fundamental/meson.build
+++ b/src/fundamental/meson.build
@@ -8,6 +8,7 @@ fundamental_headers = files(
'macro-fundamental.h',
'sha256.h',
'string-util-fundamental.h',
+ 'tpm-pcr.h',
)
# for sd-boot
diff --git a/src/fundamental/tpm-pcr.h b/src/fundamental/tpm-pcr.h
new file mode 100644
index 0000000000..6e8b25934b
--- /dev/null
+++ b/src/fundamental/tpm-pcr.h
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+/* The various TPM PCRs we measure into from sd-stub and sd-boot. */
+
+/* This TPM PCR is where we extend the sd-stub "payloads" into, before using them. i.e. the kernel ELF image,
+ * embedded initrd, and so on. In contrast to PCR 4 (which also contains this data, given the whole
+ * surrounding PE image is measured into it) this should be reasonably pre-calculatable, because it *only*
+ * consists of static data from the kernel PE image. */
+#define TPM_PCR_INDEX_KERNEL_IMAGE 11U
+
+/* This TPM PCR is where sd-stub extends the kernel command line and any passed credentials into. */
+#define TPM_PCR_INDEX_KERNEL_PARAMETERS 12U
+
+/* sd-stub used to write the kernel command line/credentials into PCR 8, in systemd <= 250. Let's provide for
+ * some compatibility. (Remove in 2023!) */
+#if EFI_TPM_PCR_COMPAT
+#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT 8U
+#else
+#define TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT UINT32_MAX
+#endif
+
+/* This TPM PCR is where we extend the initrd sysext images into which we pass to the booted kernel */
+#define TPM_PCR_INDEX_INITRD_SYSEXTS 13U
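Review bot: In the `#if EFI_TPM_PCR_COMPAT` block, an undefined macro silently evaluates to 0, so a translation unit that includes this header without the build-system define gets `TPM_PCR_INDEX_KERNEL_PARAMETERS_COMPAT` as `UINT32_MAX` with no diagnostic. Because the commit subject says the header is meant to be shared between components, two includers could then disagree on whether PCR 8 carries the kernel command line, which matters to anyone pre-calculating PCR values for a sealing policy. Consider placing `#ifndef EFI_TPM_PCR_COMPAT` / `#error "EFI_TPM_PCR_COMPAT must be defined to 0 or 1"` / `#endif` ahead of the `#if`. The `UINT32_MAX` sentinel is also undocumented, and the header includes nothing that defines it; whether every includer already has it in scope is not visible from this hunk. A comment such as `/* UINT32_MAX means the compat measurement is disabled; callers must skip the extend instead of passing this index to the TPM. */` would state the contract.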