Firmware (possibly with shim)systemd-bootunified kernel(includes initrd)TPM2/usr/ FSroot FS/home/ FSswapsysext #1sysext #2 …credential #1credential #2 …SecureBoot validatesdittoValidates via Verity/PKCS#7 signatureDecrypts+Authenticatesvia TPM2 SecretPins via root hashLUKS unlocks via TPM2 secretLUKS unlocks via TPM2 secretdittodittoditto