Secure Boot Updates (New UKI features available for configuration)

Not so sure if this is really meaningful progress, but some updates related to secure boot design:
https://lwn.net/Articles/1001730/

The good part:

the TPM PCRs could be used either to lock a disk-encryption key to only be used on kernels signed by a particular OS vendor, or to lock a disk-encryption key to specific local things, such as the firmware version, available hardware, etc. Now, with systemd 257, the user can configure both these kinds of requirements at once.

Physical access to the device remains at this point corruptible:

The feature is not without flaws, however. TPMs don’t have a native way to combine the two different kinds of policy. So the system uses two separate keys that are each protected by different policies in the TPM, and then concatenates them to form the disk-encryption key. Theoretically, an attacker with hardware access could boot once with the correct OS (but incorrect hardware or firmware, such as adding a debugging device to dump the key once the TPM reveals it), and once with the correct hardware but a corrupted OS, and then combine the two keys to unlock the device.

@phnx I flagged this post “off-topic” because in the past I think it was discussed that secure boot is not a privacy requirement for recommending distros, and this is more of a security topic.

Please let me know if going forward this topic should be treated as privacy relevant since the thread was updated to “privacy”.