I am looking for a way to implement a trusted boot using a firmware TPM2.0 on Arch Linux. I am using TPM2.0-TSS, and tpm2-tools, however I cannot find a way to do this with tpm2-tools, as I do not believe it allows me to make any changes to the PCRs. I have been looking into tboot, but am a little confused if it will work with my TPM.
Is there any way I can use tpm2-tools to implement a trusted boot? If not, are there any alternative solutions? Any help would be appreciated!
The tpm2-tools does not provide trusted boot by itself. It provides tools to play with the TPM.
What you are looking for is really either DRTM or SRTM (Dynamic, Static Root of Trust for Measurement). As you pointed out, tpm2-tools won't change the PCRs but both SRTM and DRTM have this capability. They feed the PCRs in the TPM.
DRTM is typically the best way to go and this means the tboot software. There's many tutorial to get tboot running. At the end, what you'll be looking for is for PCRs 17 to 20 to be filled.
I suggest reading this answer and kernel.org doc.
