TPMs can be used to record the state of the boot process, and that information can in turn be used to restrict access to secrets (such as disk encryption keys) in order to protect them against a compromised boot environment. Unfortunately this is easier said than done in Linux environments, as kernels are updated frequently and ramdisks are generated at install time. Keeping track of the expected values and ensuring that secrets aren't locked away from users becomes massively more difficult.
Thankfully, there is hope. A Microsoft-authored specification combines UEFI Secure Boot with TPM-based measured boot to reduce the number of individual measurements, making the problem much simpler. But the initramfs remains a problem. This presentation will cover the use of PCR 7 to provide TPM-based security without fragility, and propose solutions for handling trustworthy initramfs images.
