Comment by ahepp 5 days ago

Doing secure boot properly is kind of difficult. There are a bunch of TPM measurement registers for various bits and bobs (kernel, initramfs, cmdline, lots more). Using UKIs simplifies it a lot, but it’s not trivial to do right at the moment.

Nextgrid 5 days ago

Secure Boot and TPM are separate things. The current Secure Boot policy gets measured by the TPM but that's about it.
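As an added illustration of the measurement chain ahepp and Nextgrid are discussing (this is not code from either commenter, and it is a simplified model, not the event log of any particular firmware or stub): a TPM PCR is only ever extended, never written, so the value a disk-unlock policy must predict depends on every measured component and on the order they were measured in. The boot components below are constructed stand-ins for real files.

```python
import hashlib
import hmac

# PCRs 0-15 of a SHA-256 bank start out as 32 zero bytes at reset.
PCR_INIT = bytes(32)


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2 PCR extend: new = SHA-256(old || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def predict_pcr(events) -> bytes:
    """Replay a list of measured blobs to predict the final PCR value."""
    pcr = PCR_INIT
    for data in events:
        pcr = extend(pcr, data)
    return pcr


# Constructed sample components; real ones would be the file contents.
KERNEL = b"vmlinuz constructed sample"
INITRD = b"initramfs constructed sample"
CMDLINE = b"root=/dev/mapper/root ro quiet"


def separate_measurements(cmdline: bytes = CMDLINE) -> bytes:
    """Kernel, initramfs and cmdline each measured as its own event."""
    return predict_pcr([KERNEL, INITRD, cmdline])


def uki_measurement(cmdline: bytes = CMDLINE) -> bytes:
    """Simplified UKI model: one bundled image measured as one event, so a
    policy only has to predict a single digest for the whole bundle."""
    return predict_pcr([KERNEL + INITRD + cmdline])


def policy_matches(expected: bytes, observed: bytes) -> bool:
    """Constant-time comparison of a predicted PCR against the live value."""
    return hmac.compare_digest(expected, observed)
```

A one-character change to the cmdline (for example adding `init=/bin/sh`) changes the predicted value under either model, which is why a sealed secret should be bound to the measured cmdline and not just to the kernel.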