I observed on nitokey.com, “The integrity of the TPM, the firmware and the operating system is effectively checked by a separate Nitrokey USB key.”
Can the system be configured to check the integrity (e.g. shasum) of an entire volume (not just specific system files)? If so, how does one configure this?
For context we may consider an example where I wish to boot from a live OS that is installed on a read-only volume so that the hash of the whole volume will not change.