Update PCR state with the state of the firmware keyblock flags too.

firmware/lib/vboot_firmware.c

Index: firmware/lib/vboot_firmware.c
diff --git a/firmware/lib/vboot_firmware.c b/firmware/lib/vboot_firmware.c
index 2f358522a92c2cb5c4956d3ce1bea2369b1cbda6..0b1222424e6eeb3a8bdf13d1db3756a08208ad68 100644
--- a/firmware/lib/vboot_firmware.c
+++ b/firmware/lib/vboot_firmware.c
@@ -9,6 +9,7 @@
 #include "gbb_header.h"
 #include "load_firmware_fw.h"
 #include "rollback_index.h"
+#include "tpm_bootmode.h"
 #include "utility.h"
 #include "vboot_common.h"
 #include "vboot_nvstorage.h"
@@ -51,6 +52,7 @@ int LoadFirmware(LoadFirmwareParams* params) {
   uint64_t lowest_version = 0xFFFFFFFF;
   uint32_t status;
   int good_index = -1;
+  int boot_fw_keyblock_flags = 0;
   int is_dev;
   int index;
   int i;
@@ -251,6 +253,9 @@ int LoadFirmware(LoadFirmwareParams* params) {
        * this firmware.  That's the one we'll boot. */
       good_index = index;
       params->firmware_index = index;
+      /* Since we now know which firmware to boot, we can update the
+       * bootable firmware key block mode. */
+      boot_fw_keyblock_flags = key_block->key_block_flags;
 
       /* If the good firmware's key version is the same as the tpm,
        * then the TPM doesn't need updating; we can stop now.
@@ -261,6 +266,19 @@ int LoadFirmware(LoadFirmwareParams* params) {
     }
   }
 
+  /* At this point, we have a good idea of how we are going to boot. Update the
+   * TPM with this state information.
+   */
+  status = SetTPMBootModeState(is_dev, 0, boot_fw_keyblock_flags);
+  if (0 != status) {
+    VBDEBUG(("Unable to update the TPM with boot mode information.\n"));
+    if (status == TPM_E_MUST_REBOOT)
+      retval = LOAD_FIRMWARE_REBOOT;
+    else
+      recovery = VBNV_RECOVERY_RO_TPM_ERROR;
+    goto LoadFirmwareExit;
+  }
+
   /* Free internal data */
   Free(lfi);
   params->load_firmware_internal = NULL;