Systemd version 252 has been released. As usual, the list of changes is
long. It includes a new systemd-measure tool for the calculation of PCR
values and a bunch of infrastructure to use the result for disk encryption:

Net effect: if you boot a properly prepared kernel, TPM-bound disk
encryption now defaults to be locked to kernels which carry PCR
signatures from the same key pair. Example: if a hypothetical distro
FooOS prepares its UKIs like this, TPM-based disk encryption is now –
by default – bound to only FooOS kernels, and encrypted volumes bound
to the TPM cannot be unlocked on kernels from other sources.

There’s a lot more; see the announcement for all of the details.

Source: LWN.net – Systemd 252 released