Why do the TPM PCRs not consider a UEFI settings change? If someone resets CMOS, it’s undetected

Çağlar Arlı

On my laptop I've set up a BIOS password that is asked when I power on the laptop, and once I enter it the laptop starts my Linux distro and decrypts the disk without asking for any other password. To do this I've set up the TPM to automatically decrypt the disk if the PCRs are unaltered.

But now I'm playing with the TPM's PCRs in order to prevent a thief who steals my laptop (which has a BIOS password when you power it on) from booting anything. I wanted to set a PCR to change when the UEFI state changes (so also when a potential thief resets CMOS, which resets the UEFI and so removes the BIOS password), so that my Linux distro prompts for the decryption password and the thief can't do anything.

But I tried with PCR1, which should be related to UEFI settings, and if I change anything in the UEFI settings, nothing changes. So I tried all the PCRs, and none changed when I edited the UEFI settings.

Why? Is there something I can do to block the possibility of resetting CMOS and booting the laptop?

Since all this does not work and the PCRs do not consider BIOS/UEFI changes etc., I figured that, instead of using the TPM just to avoid being asked for the decryption password, I would just disable Secure Boot, not use the TPM, and enter the disk decryption password myself. But instead of entering two passwords (the BIOS boot password and the disk decryption password), I replaced the BIOS boot password with the BIOS settings password (so it asks me only when I want to access the BIOS or change the boot order), and so I only have one password to enter when I power on the laptop: the disk decryption one.
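
The before/after PCR comparison described in the question can be made repeatable with a small script. This is an added example, not the poster's code: it assumes the snapshots are saved output of `tpm2_pcrread` (tpm2-tools), the role labels follow the TCG PC Client Platform Firmware Profile, and the sample digests are constructed.

```python
import re

# PCR roles per the TCG PC Client Platform Firmware Profile (indices 0-7).
PCR_ROLE = {
    0: "firmware code (SRTM)",
    1: "host platform configuration (firmware settings)",
    2: "option ROM / UEFI driver code",
    3: "option ROM / UEFI driver configuration",
    4: "boot manager code and boot attempts",
    5: "boot manager configuration, GPT",
    6: "platform manufacturer specific",
    7: "Secure Boot policy",
}

BANK = re.compile(r"^\s*([A-Za-z]\w*)\s*:\s*$")            # e.g. "sha256:"
VALUE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")  # e.g. "  1 : 0xAB.."

def parse_pcrread(text):
    """Parse `tpm2_pcrread` output into {(bank, index): hex_digest}."""
    pcrs, bank = {}, None
    for line in text.splitlines():
        if m := BANK.match(line):
            bank = m.group(1).lower()
        elif (m := VALUE.match(line)) and bank:
            pcrs[(bank, int(m.group(1)))] = m.group(2).lower()
    return pcrs

def changed_pcrs(before, after):
    """Return (bank, index, role) for PCRs that differ or exist on one side only."""
    a, b = parse_pcrread(before), parse_pcrread(after)
    return [(bank, idx, PCR_ROLE.get(idx, "OS / other"))
            for bank, idx in sorted(a.keys() | b.keys())
            if a.get((bank, idx)) != b.get((bank, idx))]

# Constructed sample snapshots (shortened digests, not from a real machine).
BEFORE = """\
sha256:
  0 : 0xAA01
  1 : 0xBB02
  7 : 0xCC03
"""
AFTER_SETTINGS_CHANGE = """\
sha256:
  0 : 0xAA01
  1 : 0xBB99
  7 : 0xCC03
"""

if __name__ == "__main__":
    for bank, idx, role in changed_pcrs(BEFORE, AFTER_SETTINGS_CHANGE):
        print(f"{bank} PCR{idx} changed: {role}")
```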