On 28/06/2022 09:26, Daniel P. Berrangé wrote:
What SecureBoot does is to provide a mechanism to assert that
what has booted matches the original install, and securely tie that
condition to the release of secrets for example to LUKS key.
No, it doesn't. It just blocks the ability to load unsigned code.
TPM 2.0 provides a boot chain verification mechanism.
--
Sincerely,
Vitaly Zaitsev (vitaly(a)easycoding.org)