TPMs can be extracted with physical access

Sure, but IIRC, they’d still need my PIN (for TPM+PIN through cryptenroll). I don’t think it’s possible to do TPM backed encryption without a PIN on Linux.

EDIT: Oh wait, you can… Why anyone would is beyond me though.

This sounds like a lenovo machine. Or something with a similar MOK enrollment process.

I forget the exact process, but I recall needing to reset the secureboot keys in “install mode” or something, then it would allow me to perform the MOK enrollment. If secureboot is greyed out in the BIOS it is never linux’s fault. That’s a manufacturer issue.

Apparently, some models of Lenovo don’t even enable MOK enrolment and lock it down entirely. Meaning that you’d need to sign with Microsofts keys, not your own. The only way to do this is to be a high-up microsoft employee OR use a pre-provided SHIM from the distribution.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Using_a_signed_boot_loader

For that case, Ubuntu and Fedora are better because, per the Ubuntu documentation they do this by default.

On Ubuntu, all pre-built binaries intended to be loaded as part of the boot process, with the exception of the initrd image, are signed by Canonical’s UEFI certificate, which itself is implicitly trusted by being embedded in the shim loader, itself signed by Microsoft.

Once you have secureboot working on Ubuntu or Fedora, you could likely follow these steps to enable TPM+PIN - https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module

There might be some differences as far as kernel module loading and ensuring you’re using the right tooling for your distro, but most importantly, the bones of the process are the same.

OH! And if you aren’t getting the secureboot option in the installer UI, that could be due to booting the install media in “legacy” or “MBR” mode. Gotta ensure it’s in UEFI mode.

EDIT: One more important bit, you’ll need to be using the latest nvidia drivers with the nvidia-open modules. Otherwise you’ll need to additionally sign your driver blobs and taint your kernel. Nvidia-Open is finally “default” as of the latest driver, but this might differ on a per-distro basis.

Yeah, no kidding. The same systemd that enables the very things OP is trying to enable…

systemdboot + sbctl + systemd-cryptenroll and voila. TPM backed disk encryption with a PIN or FIDO2 token.

AFAIK this should be doable in Ubuntu, it just requires some command-line-fu.

Last I heard the Fedora installer was aiming to better support this type of thing - not so sure about Ubuntu.

Hahah, good luck. Proton Drive is really terrible. I can’t even upload a single 1GB file through the service.

Well, I mean, most corps trying to shoehorn AI into things are using Cloud implementations of the various “AI” solutions.

What, pay for our own datacenter? Nah.

Just import openai and add “the AI” that way. 🤦‍♂️

Fair, and I think I’d have gone that direction if it wasn’t a slack channel where everyone was invited to, and then questioned if they decided to leave. It was also a very noisy channel where it was disrupting my work.

I didn’t just throw this into some channel in which I wasn’t invited or anything. I actually felt like I wasn’t allowed to leave, which is why other NDs privately thanked me afterwards.

I can ignore the ignorable, but if you’re going to hunt me down if I ignore it (like they were doing), then I needed to speak up in order for it to stop.

Typically I do just what you’ve described, just kinda ignore it.