@cynicalsecurity I'm reasonably experienced with security things, yet figuring out how to configure UEFI Secure Boot to use my own signing keys (stored in a YubiKey) and to seal the LUKS decryption key in a TPM v2.0 has taken me the better part of a week.
@th well, considering I have been asked to set up 2FA for macOS using YubiKey and have had to answer “no can do” after weeks of effort… I understand.
There needs to be a concerted effort to improve security by improving design.
Byzantine artwork is beautiful but it is to be observed and enjoyed, not used… so far TPM is Byzantine artwork, a marvellously complicated admirable concoction of no practical use whatsoever.