I am trying to learn more about trusted boot / trusted platform modules and I understand about Platform Configuration Register (PCR) values being a measurement of a 'good' configuration signed by a key locked from access within the TPM chip.
What I don't understand is how these initial 'good' states are set within the PCR values. Is it a case of a signing authority allowing the BIOS vendor or bootloader / kernel maintainer to sign off a release and its 'good' measurements, or is it something recorded during first boot of a machine?
Also, how are these PCRs populated and recognised as 'good' if someone upgrades the kernel? Is it again a signing authority, or do the PCRs need to be reset and good configurations set again?
Apologies if there are holes in my understanding here; I am trying to get a grip on a fairly complex topic.