tboot as described above requires your system (CPU & chipset dependencies above and beyond the TPM) to support Intel's "Trusted Execution Technology". See, e.g., http://ark.intel.com/search/advanced/?s=t&TXT=true
In either case, you end up with a record (cryptographic hash chain) of the kernel + initrd + config options in some of the TPM's PCRs (Platform Configuration Registers).
I'm not aware of any existing software to protect your FDE (full disk encryption) key by "sealing" (a TPM operation) under those PCRs (i.e., decryption impossible unless they match) and unsealing at boot time, but many of the tricky components already exist as open-source projects. See also:
http://trustedjava.sourceforge.net/
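The hash chain and the "sealing" condition described in the answer above, as an added example that is not part of the original answer or of any project it mentions. It assumes a SHA-256 PCR bank (TPM 1.2 PCRs are 20-byte SHA-1 values); `SealedBlob` is a hypothetical software model of the TPM's behaviour, not a TPM API, and the sample inputs are constructed.

```python
import hashlib
import hmac

PCR_SIZE = 32  # assumption: SHA-256 bank; TPM 1.2 uses 20-byte SHA-1 PCRs

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend rule: PCR_new = H(PCR_old || H(component))."""
    measurement = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(components) -> bytes:
    """Replay a boot: start from the reset value (all zeros), extend in order."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

class SealedBlob:
    """Hypothetical model of sealing: the secret is released only when the
    PCR value presented equals the one recorded at seal time. A real TPM
    enforces this inside the chip; this class only models the decision."""
    def __init__(self, secret: bytes, expected_pcr: bytes):
        self._secret = secret
        self._expected = expected_pcr

    def unseal(self, current_pcr: bytes) -> bytes:
        if not hmac.compare_digest(current_pcr, self._expected):
            raise PermissionError("PCR mismatch: boot chain differs from sealed state")
        return self._secret

# Constructed sample inputs standing in for the real files and key.
KERNEL = b"vmlinuz-constructed-sample"
INITRD = b"initrd-constructed-sample"
CMDLINE = b"root=/dev/mapper/root ro"
FDE_KEY = b"constructed-disk-key-0123456789ab"

def demo() -> dict:
    """Seal under the known-good chain, then try to unseal after each change."""
    blob = SealedBlob(FDE_KEY, measure_boot([KERNEL, INITRD, CMDLINE]))
    chains = {
        "same_boot": [KERNEL, INITRD, CMDLINE],
        "modified_initrd": [KERNEL, INITRD + b"-modified", CMDLINE],
        "changed_cmdline": [KERNEL, INITRD, CMDLINE + b" debug"],
        "reordered": [INITRD, KERNEL, CMDLINE],
    }
    results = {}
    for name, chain in chains.items():
        try:
            results[name] = blob.unseal(measure_boot(chain)) == FDE_KEY
        except PermissionError:
            results[name] = False
    return results

if __name__ == "__main__":
    print(demo())
```

Because each extend hashes the previous PCR value together with the new measurement, any change to a component or to the order of measurement produces a different final value, and the sealed key is not released.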