TPM 2 policy is more flexible than that, maybe too flexible.

Posted Jan 9, 2025 18:07 UTC (Thu) by nullcast (guest, #175381)
Parent article: Systemd takes steps toward a more secure boot process

"TPMs don't have a native way to combine the two different kinds of policy."

Is this because it's trying to be TPM 1.2 friendly? Because it seems patently false for TPM 2.0 given stuff like policy ors, and the ability to accept any policy signed by the same key.