build_library/grub.cfg: Enable TPM module by default

For binding a secret to the OS we need TPM PCRs that measure the kernel and boot configuration. Used for: flatcar/flatcar-website#317
flatcar · Apr 9, 2024 · fcbc143 · fcbc143
1 parent 385b929
commit fcbc143
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/build_library/grub.cfg b/build_library/grub.cfg
@@ -6,6 +6,8 @@ set prefix=($root)/flatcar/grub
 # Load any and all video drivers.
 # Required under UEFI to boot Linux with a working console.
 insmod all_video
+# Load the TPM2 module to measure the boot code path and files into PCR 8+9
+insmod tpm
 
 # Default menuentry id and boot timeout
 set default="flatcar"

diff --git a/changelog/changes/2024-04-09-grub-tpm.md b/changelog/changes/2024-04-09-grub-tpm.md
@@ -0,0 +1 @@
+- Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI