diff --git a/src/security/vboot/tpm_common.c b/src/security/vboot/tpm_common.c
index 783392c76d..7fb2a9d3c5 100644
--- a/src/security/vboot/tpm_common.c
+++ b/src/security/vboot/tpm_common.c
@@ -31,15 +31,30 @@ vb2_error_t vboot_extend_pcr(struct vb2_context *ctx, int pcr,
 	if (size < TPM_PCR_MINIMUM_DIGEST_SIZE)
 		return VB2_ERROR_UNKNOWN;
 
+	/*
+	 * On TPM 1.2, all PCRs are intended for use with SHA1. We truncate our
+	 * SHA256 HWID hash to 20 bytes to make it fit. On TPM 2.0, we always
+	 * want to use the SHA256 banks, even for the boot mode which is
+	 * technically a SHA1 value for historical reasons. vboot has already
+	 * zero-extended the buffer to 32 bytes for us, so we just take it like
+	 * that and pretend it's a SHA256. In practice, this means we never care
+	 * about the (*size) value returned from vboot (which indicates how many
+	 * significant bytes vboot wrote, although it always extends zeroes up
+	 * to the end of the buffer), we always use a hardcoded size instead.
+	 */
+	_Static_assert(sizeof(buffer) >= VB2_SHA256_DIGEST_SIZE,
+		       "Buffer needs to be able to fit at least a SHA256");
+	enum vb2_hash_algorithm algo = CONFIG(TPM1) ? VB2_HASH_SHA1 : VB2_HASH_SHA256;
+
 	switch (which_digest) {
 	/* SHA1 of (devmode|recmode|keyblock) bits */
 	case BOOT_MODE_PCR:
-		return tpm_extend_pcr(pcr, VB2_HASH_SHA256, buffer, size,
+		return tpm_extend_pcr(pcr, algo, buffer, vb2_digest_size(algo),
 				      TPM_PCR_BOOT_MODE);
 	 /* SHA256 of HWID */
 	case HWID_DIGEST_PCR:
-		return tpm_extend_pcr(pcr, VB2_HASH_SHA256, buffer,
-					  size, TPM_PCR_GBB_HWID_NAME);
+		return tpm_extend_pcr(pcr, algo, buffer, vb2_digest_size(algo),
+				      TPM_PCR_GBB_HWID_NAME);
 	default:
 		return VB2_ERROR_UNKNOWN;
 	}