I think Heads (osresearch.net) uses security keys as a kind of substitute TPM, however that only works if you replace your - supported - PCs firmware with it.
I don’t know too much about how this works in particular, so I can’t really compare it. safeboot.dev recommends Heads where possible, which I understand is partly due to safeboot relying on proprietary firmware implementations, while Heads uses libre software for the most part. Sadly the Heads firmware only supports older models/CPUs, which afaik don’t receive (all) microcode updates, including one which weakens the IOMMU.
can’t it be done with a security key, like yubikey or similar?
I think Heads (osresearch.net) uses security keys as a kind of substitute TPM, however that only works if you replace your - supported - PCs firmware with it.
I don’t know too much about how this works in particular, so I can’t really compare it. safeboot.dev recommends Heads where possible, which I understand is partly due to safeboot relying on proprietary firmware implementations, while Heads uses libre software for the most part. Sadly the Heads firmware only supports older models/CPUs, which afaik don’t receive (all) microcode updates, including one which weakens the IOMMU.