For the literally dozen of people who care about the intersection of TPM remote attestation, kexec, Windows, and Bitlocker: LinuxBoot can receive the BitLocker key from the remote attestation server, which is passed to the kexec'ed Windows boot loader via a UEFI ramdisk, so there is no clear-text on the disk, not even an EFI System Partition.
@th hang on a sec; 'kexec'ed windows boot loader' ?! htf are you kexecig a windows boot loader
@penguin42 `kexec_load()` takes a memory map of segments and doesn't care about the actual file format (although the `kexec` tool does, since it has to build that map). In this case I'm actually `kexec`'ing a special build of edk2 called `UefiPayloadPkg` that then loads the windows boot loader from a ramdisk rather than the real disk.
@th So that's linuxboot->kexec->UefiPayloadPkg->windows boot loader? 'fun'
If you're running bitlocker in windows, are any of those components actually updating the tpm?