Looking into viability of adding support for TPM-backed encryption of /config data

Various factors to consider:

• Which PCRs to require to ensure hardware/software integrity (End user configurable?)
• Handling failed config decryption on boot (Fallback config?)