[arianvanp]

systemd-boot measures the bootloader, initramfs, kernel and kernel-params state into the PCR registers of your TPM. SecureBoot state is also measured.

You can configure through systemd-enroll to configure the TPM to only unlock the cryptokey if those measurements are consistent.

If somebody changes your systemd binary in the initramfs; this causes the TPM PCR register to change; and will cause the system to not be able to decrypt the stage-2 rootfs

[nickik]

Do you have a good tutorial for all these processes? This is something I thought would be awesome for a while, but there are a lot of moving parts. I also thought all the hardware was not yet support to do all of this.