From 834d32efa8519808e04bd08cde928eadad301b26 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Tue, 9 Apr 2024 16:55:47 +0900
Subject: [PATCH] build_library/grub.cfg: Enable TPM module by default

For binding a secret to the OS we need TPM PCRs that measure the kernel and boot configuration (UEFI). Used for: https://github.com/flatcar/flatcar-website/pull/317

---
build_library/grub_install.sh | 4 ++--
changelog/changes/2024-04-09-grub-tpm.md | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
create mode 100644 changelog/changes/2024-04-09-grub-tpm.md

diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 71600591402..db83d614a1a 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -60,7 +60,7 @@ case "${FLAGS_target}" in
 CORE_NAME="core.img"
 ;;
 x86_64-efi)
- CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp )
+ CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp tpm )
 CORE_NAME="core.efi"
 SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
 ;;
@@ -68,7 +68,7 @@ case "${FLAGS_target}" in
 CORE_NAME="core.elf"
 ;;
 arm64-efi)
- CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp )
+ CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp tpm )
 CORE_NAME="core.efi"
 BOARD_GRUB=1
 SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
diff --git a/changelog/changes/2024-04-09-grub-tpm.md b/changelog/changes/2024-04-09-grub-tpm.md
new file mode 100644
index 00000000000..8d60073fa4a
--- /dev/null
+++ b/changelog/changes/2024-04-09-grub-tpm.md
@@ -0,0 +1 @@
+- Enabled the GRUB TPM2 module to measure the boot code path and files into PCR 8+9 in UEFI ([scripts#1861](https://github.com/flatcar/scripts/pull/1861))
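Review bot: Baking `tpm` into the core image makes measurement unconditional for every x86_64-efi and arm64-efi build (this hunk and the arm64-efi hunk that follows), yet nothing at the changed line says what is measured or what happens when the firmware's TCG2 call fails — as far as I can tell that is fatal to the boot on older GRUB releases and non-fatal on current ones unless `tpm_fail_fatal` is set, so the bundled GRUB's behaviour should be confirmed before this ships as the default. I would put a why-comment above each changed line, e.g. `# tpm: extend PCR 8 (executed commands) and PCR 9 (loaded files) via the EFI TCG2 protocol so secrets can be sealed to the boot path; any kernel, initrd or grub.cfg change shifts these PCRs`. Since both EFI arms now carry an identical list, hoisting it once (`efi_modules=( serial linux efi_gop efinet pgp http tftp tpm )` and `CORE_MODULES+=( "${efi_modules[@]}" )` in each arm) would keep the two from drifting. The subject line names build_library/grub.cfg while the file actually changed is build_library/grub_install.sh. The enclosing `case "${FLAGS_target}" in` statement starts before and ends after this hunk.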