payloads/edk2: ask EDK2 to disable PCR banks unsupported by coreboot

coreboot can only extend a single PCR bank of TPM2 and this change
results in all available PCRs being extended.

This is an alternative to making coreboot extend all active PCRs.

Change-Id: I4e21ab77f191e9b36cb467cd61ad0a3e347035cb
Signed-off-by: Sergii Dmytruk <[email protected]>

payloads/external/Makefile.mk

@@ -279,7 +279,10 @@ $(obj)/UEFIPAYLOAD.fd: $(DOTCONFIG) $(IPXE_EFI)
 		CONFIG_EDK2_USE_UEFIVAR_BACKED_TPM_PPI=$(CONFIG_EDK2_USE_UEFIVAR_BACKED_TPM_PPI) \
 		CONFIG_DRIVERS_EFI_UPDATE_CAPSULES=$(CONFIG_DRIVERS_EFI_UPDATE_CAPSULES) \
 		CONFIG_DRIVERS_EFI_MAIN_FW_GUID=$(CONFIG_DRIVERS_EFI_MAIN_FW_GUID)
-
+		CONFIG_TPM_HASH_SHA1=$(CONFIG_TPM_HASH_SHA1) \
+		CONFIG_TPM_HASH_SHA256=$(CONFIG_TPM_HASH_SHA256) \
+		CONFIG_TPM_HASH_SHA384=$(CONFIG_TPM_HASH_SHA384) \
+		CONFIG_TPM_HASH_SHA512=$(CONFIG_TPM_HASH_SHA512)
 
 $(obj)/ShimmedUniversalPayload.elf: $(DOTCONFIG)
 	$(MAKE) -C payloads/external/edk2 UniversalPayload \

payloads/external/edk2/Makefile

@@ -390,6 +390,22 @@ ifneq ($(CONFIG_CPU_MAX_TEMPERATURE),)
 BUILD_STR += --pcd gDasharoSystemFeaturesTokenSpaceGuid.PcdCpuMaxTemperature=$(CONFIG_CPU_MAX_TEMPERATURE)
 endif
 endif
+# gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask = 0x0000001f
+# The tested options are mutually exclusive (and there is no option for SM3
+# 256).  See https://ticket.coreboot.org/issues/421 for the discussion about
+# supporting multiple hashes simultaneously.
+ifeq ($(CONFIG_TPM_HASH_SHA1),y)
+BUILD_STR += --pcd gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask=0x00000001
+endif
+ifeq ($(CONFIG_TPM_HASH_SHA256),y)
+BUILD_STR += --pcd gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask=0x00000002
+endif
+ifeq ($(CONFIG_TPM_HASH_SHA384),y)
+BUILD_STR += --pcd gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask=0x00000004
+endif
+ifeq ($(CONFIG_TPM_HASH_SHA512),y)
+BUILD_STR += --pcd gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask=0x00000008
+endif
 
 endif