Secure Boot & TPM2 Hardware Encryption #2613
Replies: 2 comments 1 reply
COSMIC is a desktop environment, not a distro, so this isn't really the place to ask this.
Secure Boot and TPM2 are absolutely essential for endpoint security in 2025. This is a smart direction to push for COSMIC. From a security architect perspective, TPM2 integration significantly improves the threat model by enabling measured boot and providing cryptographic attestation capabilities. The workflow of using TPM2 for full-disk encryption is solid because it ties the encryption key to the system's boot state. If anyone modifies the firmware or bootloader, the TPM won't release the key, preventing attackers from getting access even with physical possession. One thing worth considering is supporting remote attestation. This lets system administrators verify that a machine booted in a secure state before allowing it to connect to sensitive networks. Tools like Intel TXT paired with remote attestation platforms create a strong zero-trust foundation. Also ensure the implementation includes secure PCR extension handling and recovery options if users need to update firmware or UEFI settings. You don't want users locked out after legitimate updates.
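Added example, not part of the original discussion or of any COSMIC code: a Python simulation of the PCR binding the comment above describes, showing why a modified bootloader or a firmware update stops the key from being released and how a recovery path re-seals it. `SimulatedTPM`, `measure_chain`, `boot_and_unlock` and `reseal_with_recovery` are hypothetical names, and the model assumes a single SHA-256 PCR compared directly rather than a real TPM2 policy session.

```python
import hashlib
import hmac

def extend(pcr: bytes, data: bytes) -> bytes:
    # TPM 2.0 extend rule: PCR_new = H(PCR_old || H(data)). A PCR can only be
    # extended, never set, so its value commits to every measurement in order.
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure_chain(components) -> bytes:
    pcr = bytes(32)  # a SHA-256 PCR starts at all zeros after reset
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

class SimulatedTPM:
    """Toy model: a real TPM keeps the secret in hardware and checks the policy itself."""
    def __init__(self):
        self._secret = None
        self._policy_pcr = None

    def seal(self, secret: bytes, expected_pcr: bytes) -> None:
        self._secret, self._policy_pcr = secret, expected_pcr

    def unseal(self, current_pcr: bytes):
        if self._policy_pcr is None or not hmac.compare_digest(current_pcr, self._policy_pcr):
            return None  # boot state differs from the sealed policy: no key
        return self._secret

def boot_and_unlock(tpm, components):
    return tpm.unseal(measure_chain(components))

def reseal_with_recovery(tpm, recovery_key, disk_key, entered, new_components) -> bool:
    # Recovery after a legitimate update: the user proves knowledge of the recovery
    # key, then the disk key is re-sealed to the new boot state. (Simplified: on a
    # real system the recovery key would unlock a separate key slot on the volume.)
    if not hmac.compare_digest(entered, recovery_key):
        return False
    tpm.seal(disk_key, measure_chain(new_components))
    return True

# Constructed sample data standing in for firmware, bootloader and kernel images.
GOOD = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED = [b"firmware-v1", b"bootloader-modified", b"kernel-v1"]
UPDATED = [b"firmware-v2", b"bootloader-v1", b"kernel-v1"]
DISK_KEY, RECOVERY_KEY = b"constructed-disk-key", b"constructed-recovery-key"

if __name__ == "__main__":
    tpm = SimulatedTPM()
    tpm.seal(DISK_KEY, measure_chain(GOOD))
    for name, chain in (("good", GOOD), ("tampered", TAMPERED), ("updated", UPDATED)):
        print(name, "->", boot_and_unlock(tpm, chain))
```

The legitimate firmware update fails to unlock exactly like the tampered bootloader does, which is why the recovery and re-seal path matters.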
First of all, you are all doing amazing work. I'm excited for Thursday's release!
Have you considered TPM2 and secure boot features for a future release? This seems like a big oversight for almost all distributions, especially in 2025. It is the single biggest reason I avoid using most distros on my daily driver laptop.
Thanks again for the outstanding work!