I thought I was clear enough that my concern was mostly related to the default install.
If it's something someone has to go through an effort to activate it won't be imposed casually by third parties.
Though you seem to be suggesting that it's a useful system security feature. It is not. If your system is compromisable without trusted boot it will be just as vulnerable with it.
Iff Linux and much of the userspace were redesigned you _might_ be able to use it to detect rootkits, but even then it's unlikely to help... Attackers already aren't rebooting your systems into new kernels for rootkit purposes: They usually use intentionally exposed features (or bugs) to add code to the kernel without rebooting. ... so TPM would attest to you that it booted your trusted kernel but it wouldn't matter.
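The point made in the comment above, that a boot-time measurement chain says nothing about code added to a running kernel, can be seen in a small simulation of TPM PCR extension. This is an added illustration, not code from the commenter; it assumes a single SHA-256 PCR bank, a constructed three-stage boot chain, and a toy "system" whose post-boot kernel changes are never measured (as is the case without something like a runtime integrity measurement policy).

```python
import hashlib

# Constructed "golden" measurements of the boot chain, in boot order.
GOLDEN_BOOT_CHAIN = [
    b"firmware v1 (constructed)",
    b"bootloader v1 (constructed)",
    b"kernel vmlinuz-trusted (constructed)",
]

PCR_INITIAL = bytes(32)  # SHA-256 PCRs start zeroed at power-on


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest). Order-sensitive and one-way."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components) -> bytes:
    """Replay a measured boot: hash each component and extend it into the PCR."""
    pcr = PCR_INITIAL
    for blob in components:
        pcr = pcr_extend(pcr, hashlib.sha256(blob).digest())
    return pcr


def verify_quote(quoted_pcr: bytes, expected_components) -> bool:
    """A verifier accepts a quote only if it matches the golden chain's replay."""
    return quoted_pcr == measure_boot(expected_components)


class SimulatedSystem:
    """Toy host: the PCR reflects what was booted, never what ran afterwards."""

    def __init__(self, boot_chain):
        self.pcr = measure_boot(boot_chain)
        self.kernel_text = b"kernel code as loaded"

    def quote(self) -> bytes:
        return self.pcr

    def runtime_kernel_change(self, patch: bytes) -> None:
        # Code added to the live kernel; nothing re-measures it into the PCR.
        self.kernel_text += patch


def demo():
    host = SimulatedSystem(GOLDEN_BOOT_CHAIN)
    ok_before = verify_quote(host.quote(), GOLDEN_BOOT_CHAIN)
    host.runtime_kernel_change(b"+unmeasured runtime code")
    ok_after = verify_quote(host.quote(), GOLDEN_BOOT_CHAIN)  # still passes
    other = SimulatedSystem(GOLDEN_BOOT_CHAIN[:2] + [b"kernel vmlinuz-other (constructed)"])
    ok_other = verify_quote(other.quote(), GOLDEN_BOOT_CHAIN)  # reboot into a different kernel fails
    return ok_before, ok_after, ok_other
```

Only a reboot into a different kernel changes the quoted value; the runtime modification is invisible to the verifier.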