GIVE ME ALL YOUR TPM
TPM chips have been around for most of the past decade. TPM 2.0 was introduced in 2014, and most motherboards from 2016 onwards include one. TPM can be implemented in firmware too (so-called fTPM), at a slight cost to security, since some new Spectre/Meltdown-type attack could, in “theory”, be leveraged against it. Still, fTPM is good enough for Windows 11’s requirements. You might need to enable TPM via the UEFI (classic BIOS is also not supported), where it goes by so many names that Microsoft made a friendly help page (see https://bit.ly/lxf282-mshelp-tpm2).
TPM is fully supported on Linux, and can be used to secure SSH keys (see http://blog.habets.se/2013/11/TPM-chipprotecting-SSH-keys---properly), unlock LUKS encrypted volumes (via systemd-cryptenroll or Clevis) or even harden Secure Boot further (https://threat.tevora.com/secureboot-tpm-2). There are separate software stacks for TPM 1.2 (TSS aka TrouSerS) and TPM 2.0 (tpm2-tools), and there’s a nice summary of both on the Arch Wiki page at https://wiki.archlinux.org/title/Trusted_Platform_Module.
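The LUKS route above as a small script, added here as an example and not taken from the article or from systemd: it detects a TPM 2.0 through sysfs, then binds a LUKS2 volume with systemd-cryptenroll, sealed to PCR 7 (the Secure Boot state) and protected by a PIN. The device path is an assumption, and only the detection step runs by default; the enrollment function has to be called explicitly as root.

```bash
#!/bin/sh
# Added example, not from the article: find a TPM 2.0 via sysfs and bind a
# LUKS2 volume to it with systemd-cryptenroll. Only detection runs on its own.

# Print the TPM major version ("1" for TPM 1.2, "2" for TPM 2.0) or "none".
# The sysfs path is a parameter so the function can be pointed at a test file.
tpm_version() {
    sysfs_file="${1:-/sys/class/tpm/tpm0/tpm_version_major}"
    if [ -r "$sysfs_file" ]; then
        tr -d '[:space:]' < "$sysfs_file"
    else
        printf 'none'
    fi
}

# Succeed only when a TPM 2.0 is present (discrete and fTPM both show up here).
have_tpm2() {
    [ "$(tpm_version "$1")" = "2" ]
}

# Bind a LUKS2 volume to the TPM, sealed against PCR 7 so a changed Secure Boot
# policy refuses to unseal, and require a PIN so disk plus TPM alone is not
# enough. Keep a passphrase slot as fallback: a firmware or Secure Boot key
# update changes PCR 7 and the TPM slot will then stop working until re-enrolled.
# Run as root. DEV is e.g. /dev/nvme0n1p3 (an assumed device name).
enroll_luks_tpm2() {
    dev="$1"
    have_tpm2 || { echo "no TPM 2.0 found" >&2; return 1; }
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes "$dev"
    # Confirm the systemd-tpm2 token really landed in the LUKS2 header.
    cryptsetup luksDump "$dev" | grep -q 'systemd-tpm2' || return 1
    echo "enrolled; add 'tpm2-device=auto' to the /etc/crypttab options for $dev"
}

echo "TPM major version: $(tpm_version)"
```

After enrolling, check that the volume still opens with the passphrase as well, so a PCR 7 change after a firmware update does not lock you out.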