>All the primitives to make this work reasonably are there, OS and firmware vendors just aren't using them.
To be precise, both Windows (according to the article) and Linux+systemd (since systemd v251) support letting the user specify a TPM PIN and then use parameter encryption. But yes, both make it optional.