Besides power management, this is one of my biggest pet peeves with Linux distributions now.

I don't understand why there isn't a single distribution that offers a full Secure Boot implementation or LUKS Encryption with a password sealed by the TPM out of the box.

Also, there seems to be a lot of misconception about what Secure Boot does. Unlike what the name implies, Secure Boot doesn't inherently provide any extra security or protection. It's just a mechanism to sign the software running on the system.

To make the most out of Secure Boot, the distributions would need to sign and lock the boot-loader, kernel, and initrd. Then they could seal the LUKS encryption passphrase using the TPM, so if anybody tries to run any unauthorized software, they wouldn't be able to access the data on the drive.

It would be very similar to what Windows does with BitLocker; your hard drive is automatically decrypted on system boot without entering any passwords.
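
Added example, not part of the original comment: a simplified Python model of the sealing idea described above, where the LUKS key is released only if the measured boot chain matches the one recorded at sealing time. The `ToyTPM` class, the single-PCR layout and all sample values are assumptions made for illustration; a real TPM keeps the sealed blob encrypted and spreads measurements over several PCRs.

```python
import hashlib
import hmac

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(component)). There is no 'set'."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(chain) -> bytes:
    """Replay a boot chain into one PCR, starting from the all-zero reset value."""
    pcr = bytes(32)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

class ToyTPM:
    """Simplified model: a sealed secret is released only when the PCR matches."""
    def __init__(self):
        self._pcr = bytes(32)

    def boot(self, chain):
        self._pcr = measure_boot(chain)  # each stage is measured before it runs

    def seal(self, secret: bytes, policy_pcr: bytes) -> dict:
        # A real TPM encrypts the blob under a key that never leaves the chip.
        return {"policy": policy_pcr, "secret": secret}

    def unseal(self, blob: dict) -> bytes:
        if not hmac.compare_digest(blob["policy"], self._pcr):
            raise PermissionError("PCR policy mismatch: boot chain changed")
        return blob["secret"]

def try_unlock(chain, blob):
    """Boot the given chain on a fresh TPM and return the LUKS key, or None."""
    tpm = ToyTPM()
    tpm.boot(chain)
    try:
        return tpm.unseal(blob)
    except PermissionError:
        return None

# Constructed sample data: stand-ins for the signed boot components.
TRUSTED = [b"bootloader-1.0", b"kernel-6.1", b"initrd-6.1"]
MODIFIED = [b"bootloader-1.0", b"kernel-6.1", b"initrd-6.1-modified"]
LUKS_KEY = b"constructed-volume-key"
BLOB = ToyTPM().seal(LUKS_KEY, measure_boot(TRUSTED))

if __name__ == "__main__":
    print("trusted boot :", try_unlock(TRUSTED, BLOB))
    print("modified boot:", try_unlock(MODIFIED, BLOB))
```

Because extend is a one-way hash chain, a changed or reordered component cannot be "corrected" later in the boot to reach the sealed value.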