In my laptop I've set up a bios pw when I power on the laptop, and once I enter it the laptop starts my linux distro and decrypts the disk without asking any other password. To do this I've set up TPM to automatically decrypts the disk, if PCR are unaltered.
But now I'm playing with TPM's PCRs in order to be able to prevent that some thief who steals my laptop (which has a bios password when you power it on) to boot anything. I wanted to set a PCR to change when UEFI state changes (so also when a potential thief resets CMOS so resets the UEFI and so removes bios password), so that my linux distro prompts decryption pw and thief can't do anything.
But I tried with PCR1 which should be related to UEFI settings, and if I change anything in UEFI setting, nothing changes. So I tried ALL THE PCRs, and none change if I edit the UEFI settings. Why? Is there something I can do to block the possibility to reset CMOS and boot the laptop?
EDIT: Since all this does not work and PCR does not consider BIOS/UEFI changes etc.................... I reflected that, instead of using TPM just to prevent asking for decryption password, I just disable SecureBoot and don't use TPM and I'll enter the decryption disk password. BUT instead of entering two passwordws (bios boot pw and decrypt disk pw), I replaced the bios boot pw with the bios SETTING pw (so it asks me ONLY when I want to access bios or want to change the boot order) and so I ONLY HAVE ONE pw to enter when I power on the laptop: the disk decrypt one :)