Secure Boot and Encrypted Device
This guide installs Arch Linux on a system with Secure Boot enabled, using block-level at-rest LUKS encryption and passwordless unlocking through the TPM. The TPM releases the key if and only if Secure Boot is enabled and the system firmware has not been altered. We will also build a unified kernel image so that Linux boots directly from the EFI system partition without requiring a boot loader.
We will also create a backup (recovery) key so the drive can still be unlocked after a firmware (BIOS) upgrade or any other event that causes the TPM to stop releasing the key. That recovery key must be stored securely somewhere off the system.
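The two enrollment steps described above (a TPM-bound unlock policy plus an off-system recovery key) can be expressed with `systemd-cryptenroll`. The following is an added illustration, not a script from this guide: the device path `/dev/nvme0n1p2` and the mapper name `cryptroot` are assumptions, and setting `DRY_RUN=1` prints the commands instead of executing them so the logic can be checked on a machine without a TPM.

```shell
#!/bin/sh
# Added example (not part of the original guide). Enrolls a TPM2 unlock policy
# on a LUKS2 volume bound to PCR 7 (the Secure Boot policy measurement) and
# adds a recovery key for the case where the TPM will not release the key,
# e.g. after a firmware update. Device path and mapper name are assumptions.

# Run a command, or print it when DRY_RUN=1 (lets the flow be inspected safely).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Enroll a recovery key and a TPM2 policy on the given LUKS2 device.
# PCR 7 records the Secure Boot state and enrolled certificate databases, so
# the TPM only unseals the key when Secure Boot is on with the same key material.
# Usage: enroll_tpm2_with_recovery /dev/nvme0n1p2 [pcr-list]
enroll_tpm2_with_recovery() {
    dev="$1"
    pcrs="${2:-7}"
    if [ "${DRY_RUN:-0}" != "1" ] && ! cryptsetup isLuks "$dev"; then
        echo "error: $dev is not a LUKS device" >&2
        return 1
    fi
    # The recovery key is a generated passphrase shown once; record it off-system.
    run systemd-cryptenroll --recovery-key "$dev" || return 1
    # TPM2 enrollment bound to the chosen PCR(s).
    run systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev" || return 1
}

# Build the /etc/crypttab line: systemd tries the TPM first and, if the policy
# no longer matches, falls back to prompting for the recovery key.
# Usage: crypttab_line cryptroot UUID=<luks-uuid>
crypttab_line() {
    printf '%s %s none tpm2-device=auto\n' "$1" "$2"
}

# Stand-alone demonstration in dry-run mode.
if [ "${DRY_RUN:-0}" = "1" ]; then
    enroll_tpm2_with_recovery /dev/nvme0n1p2
    crypttab_line cryptroot /dev/nvme0n1p2
fi
```

After a real enrollment, `cryptsetup luksDump <device>` lists the new key slots and the `systemd-tpm2` and `systemd-recovery` tokens; the crypttab line goes alongside the `sd-encrypt` hook in the initramfs configuration used later in the guide.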