This repository has been archived by the owner on Jul 10, 2023. It is now read-only.

What is the status of UEFI? #15

Closed
realtime-neil opened this issue Apr 6, 2020 · 5 comments

@realtime-neil

I followed your link to "UEFI support of TrustedGRUB2" (Rohde-Schwarz/TrustedGRUB2#15) and found a mention of Matthew Garrett's fork of grub. What does this patchset mean for linux-luks-tpm-boot? What, if anything, does "vanilla" grub lack for the support of UEFI, TPM, and SecureBoot?

@morbitzer
Owner

morbitzer commented Apr 9, 2020

What is needed for UEFI support in this project is a GRUB that supports UEFI as well as TPM. (SecureBoot is not needed.) And it needs to perform the measurement of the next stage in the boot process.
I never had a look at the mentioned fork of GRUB. However, if it supports UEFI and TPM, and performs the necessary measurements, you should be fine.
I'll be happy to hear if it worked out for you!

@realtime-neil
Author

@morbitzer thanks very much for your comments, I do appreciate it. I'll be delving into this in the next few months and will report back with any success.

@tom-wegener

Hey @realtime-neil did it work with the fork of grub from Matthew Garrett or is it a bit more complicated?

@realtime-neil
Author

realtime-neil commented Apr 22, 2021

@tom-wegener it was more complicated than I could have imagined. On a brighter note, it looks like systemd recently grew the ability to enroll LUKS2 keys in a TPM2, so I'll probably be using that in the future.

http://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html

@tom-wegener

Ahh, sad but thanks anyways for your reply.
(I also looked into it and it looked great but sadly it is not the systemd-version I have access to.)
I also looked a bit into https://github.com/noahbliss/mortar which looks quite promising. If you want, I could somehow report back if I test it?
