You always need something to live outside of your main disk encryption.
Now you have the choice to use grub for this or linux itself.
In either case both can be modified to do arbitrary things and corrupt later stages.
To prevent this you use secure boot, and if you want to do it right a custom platform key.
So now you either pack the Linux kernel initramfs etc into a single blob and sign it or do something similar with grub.
In both cases you should have a similar secure system.
But in my experience GRUB's functionalities in this area are not very nice to use and lead to slow boot.
On the other hand directly booting the signed linux blob without a bootloader is fast and smooth, but exposes what is in your initramfs, which normally doesn't matter.
systemd-boot measures the bootloader, initramfs, kernel and kernel-params state into the PCR registers of your TPM. SecureBoot state is also measured.
You can use systemd-enroll to configure the TPM to only unlock the cryptokey if those measurements are consistent.
If somebody changes your systemd binary in the initramfs, this causes the TPM PCR register to change and will cause the system to not be able to decrypt the stage-2 rootfs.
Do you have a good tutorial for all these processes? This is something I thought would be awesome for a while, but there are a lot of moving parts. I also thought all the hardware was not yet supported to do all of this.
Indeed. LUKS key on tpm2 with secure boot with /boot on encrypted seems anything but easy to setup. I also complicate things by making everything apart from efi on zfs.