Hi,
A much better approach is to install a TPM-generated key in the TPM’s
NVRAM, with a policy that only allows the key to be used once a trusted
operating system has booted. That can be used as a trust anchor even
without support from buggy UEFI firmware.
Side note: measuring kernel + initrd happens using UEFI firmware services.
(Once the kernel is up and running it will use its own TPM drivers instead
of depending on the firmware services.)
Furthermore, measured boot allows tying e.g. LUKS keys to a
combination of the actual OS booted and a passphrase needed to unlock
the TPM. This allows the TPM’s protection against brute-force attacks
to be used.
You also want to protect the initrd against modifications to make sure an
attacker can't sniff your passphrase. Unified kernels help here too
because the initrd for a given kernel has a fixed and known hash.
take care,
Gerd
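To illustrate the mechanism discussed in this thread, here is an added example (not code from the mail or from any of the projects mentioned) that replays the PCR extension chain for a kernel plus initrd and computes the TPM PolicyPCR / PolicyAuthValue digest a sealed LUKS key would be bound to, so that a modified initrd or a wrong passphrase fails to unseal. The kernel and initrd blobs, the PCR index and the toy seal/unseal model are constructed assumptions; the digest formulas follow the TPM 2.0 Library Specification.

```python
import hashlib
import struct

# Command codes and algorithm id from the TPM 2.0 Library Specification, Part 2.
TPM_ALG_SHA256 = 0x000B
TPM_CC_POLICYPCR = 0x0000017F
TPM_CC_POLICYAUTHVALUE = 0x0000016B
PCR_INDEX = 4  # assumption: which PCR the firmware/stub extends depends on the platform

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend_pcr(pcr: bytes, blob: bytes) -> bytes:
    """TPM2_PCR_Extend with the blob's digest: PCR_new = H(PCR_old || H(blob))."""
    return sha256(pcr + sha256(blob))

def boot_pcr(components: list[bytes]) -> bytes:
    """Replay the measurements of one boot; a resettable PCR starts as all zeros."""
    pcr = bytes(32)
    for blob in components:
        pcr = extend_pcr(pcr, blob)
    return pcr

def tpml_pcr_selection(pcr_index: int) -> bytes:
    """Marshalled TPML_PCR_SELECTION selecting a single SHA-256 PCR (0..23)."""
    select = bytearray(3)
    select[pcr_index // 8] |= 1 << (pcr_index % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)

def policy_digest(pcr_index: int, pcr_value: bytes) -> bytes:
    """Policy = PolicyPCR(pcr) then PolicyAuthValue, computed as the TPM does it."""
    digest = bytes(32)  # a fresh policy session starts with a zero digest
    digest = sha256(digest + struct.pack(">I", TPM_CC_POLICYPCR)
                    + tpml_pcr_selection(pcr_index) + sha256(pcr_value))
    return sha256(digest + struct.pack(">I", TPM_CC_POLICYAUTHVALUE))

def seal(secret: bytes, pcr_index: int, expected_pcr: bytes, auth: bytes) -> dict:
    """Toy model of a sealed object: TPM keeps the policy digest and the auth value."""
    return {"policy": policy_digest(pcr_index, expected_pcr),
            "auth": sha256(auth), "secret": secret}

def unseal(obj: dict, pcr_index: int, current_pcr: bytes, auth: bytes):
    """Release the secret only if the booted state and the passphrase both match."""
    if policy_digest(pcr_index, current_pcr) != obj["policy"]:
        return None  # PolicyPCR fails: a different kernel or initrd was measured
    if sha256(auth) != obj["auth"]:
        return None  # PolicyAuthValue fails: wrong passphrase (TPM also rate-limits this)
    return obj["secret"]

# Constructed stand-ins for the measured parts of a unified kernel image.
GOOD_KERNEL = b"vmlinuz (constructed sample)"
GOOD_INITRD = b"initrd.img (constructed sample)"
```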