PXI

Trusted Platform Module (TPM) Support for NI Controllers

For the instructions, you might need to google yourself. E.g How to Encrypt Hard Disk (partition) using LUKS in Linux | GoLinuxCloud

"NI Linux Real-Time is a standard distribution for embedded systems that can be used on various hardware platforms. It includes standard components like the Linux kernel with the PREEMPT_RT patch, the GRUB bootloader program and the OPKG package manager.(Page 3)"

Further looked into using GRUB Bootloader with a TPM in the archlinux link provided below states, "Implementing Secure Boot

There are certain conditions making for an ideal setup of Secure boot:

1. UEFI considered mostly trusted (despite having some well known criticisms and vulnerabilities[1]) and necessarily protected by a strong password
2. Default manufacturer/third party keys are not in use, as they have been shown to weaken the security model of Secure Boot by a great margin[2]
3. UEFI directly loads a user-signed EFISTUB-compatible unified kernel image (no boot manager), including microcode (if applicable) and initramfs so as to maintain throughout the boot process the chain of trust established by Secure Boot and reduce the attack surface
4. Use of full drive encryption, so that the tools and files involved in the kernel image creation and signing process cannot be accessed and tampered with by someone having physical access to the machine.
5. Some further improvements may be obtained by using a TPM, although tooling and support makes this harder to implement.
6. Using the GRUB bootloader requires extra steps before enabling secure boot, see GRUB#Secure Boot support for details."

https://www.ni.com/pdf/support/us/ni_linux_real-time_security_user_guide.pdf

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

https://github.com/ni/linux

https://wiki.linuxfoundation.org/realtime/documentation/howto/applications/preemptrt_setup

Based on the below links, NI uses the "Linux Kernel (27.04.2017)" for the OS (page 3 of the PDF below) with the PREMPT_RT patchset (27.04.2017 for Real-time solution).  

"NI Linux Real-Time is a standard distribution for embedded systems that can be used on various hardware platforms. It includes standard components like the Linux kernel with the PREEMPT_RT patch, the GRUB bootloader program and the OPKG package manager.(Page 3)"

Further looked into using GRUB Bootloader with a TPM in the archlinux link provided below states, "Implementing Secure Boot

There are certain conditions making for an ideal setup of Secure boot:

1. UEFI considered mostly trusted (despite having some well known criticisms and vulnerabilities[1]) and necessarily protected by a strong password
2. Default manufacturer/third party keys are not in use, as they have been shown to weaken the security model of Secure Boot by a great margin[2]
3. UEFI directly loads a user-signed EFISTUB-compatible unified kernel image (no boot manager), including microcode (if applicable) and initramfs so as to maintain throughout the boot process the chain of trust established by Secure Boot and reduce the attack surface
4. Use of full drive encryption, so that the tools and files involved in the kernel image creation and signing process cannot be accessed and tampered with by someone having physical access to the machine.
5. Some further improvements may be obtained by using a TPM, although tooling and support makes this harder to implement.
6. Using the GRUB bootloader requires extra steps before enabling secure boot, see GRUB#Secure Boot support for details."

----------------------------------------------------------------

What I am wondering is, "Will the Linux Kernel allow for GRUB Loader to perform a secure boot and access the TPM 2.0?"

References:

https://www.ni.com/pdf/support/us/ni_linux_real-time_security_user_guide.pdf

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

https://github.com/ni/linux

https://wiki.linuxfoundation.org/realtime/documentation/howto/applications/preemptrt_setup