This session will be part case-study, part open-floor discussion, and part cry for help.

Aeon Desktop, as part of its efforts to be a user-friendly, tinker-free, Linux desktop that "just works" has implemented Full Disk Encryption, deployed as an image. When installed on capable hardware, TPM measurements provide strong boot integrity checking. This session will give a brief overview of how Aeon has implemented this, lessons learned, and challenges still to be tackled.

This will lead to some discussions points, including - how best to handle hardware that is incapable of strong boot checks? - how to improve the story surrounding recovery keys and the storing of them? - how to improve the input and use of recovery keys? - how to best reduce/minimise false invalidations of boot integrity checks? (ie. Which TPM Registers make most sense for Desktop vs Server usecases)

Finally, the talk will encourage attendees to help implement any discussed solutions, in ways that can be easily consumed by not only Aeon but other similar projects.