
I want to restrict all USB boot media from my system, except for a certain USB boot drive that I declare secure via a certain key.

Is this possible using UEFI/Secure Boot/TPM? Maybe via the TPM? The TPM gets a private key and checks whether the public key on the USB boot drive is valid?

It's a Debian Linux system.

JohnnyFromBF

1 Answer


It depends. Your firmware may allow you to enroll certain signing keys for secure boot, and you could sign your existing OS plus the bootable material on the flash drive, and nothing else. However, you'd have to be able to remove the pre-set keys, which you may or may not be able to do, depending on the firmware.

Most firmware also allows you to set a supervisor password and prevent booting external drives without it. If you did that, then you wouldn't be able to boot your flash drive, but you'd be able to log in as the supervisor and modify the boot settings, which you'd presumably avoid unless it were the special drive.

bk2204
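The answer's first option hinges on removing the firmware's pre-set keys and enrolling only your own, so the practical check afterwards is "what is actually in the Secure Boot `db` now?". The following is an added example, not code from the question or answer: a standard-library Python parser for the EFI_SIGNATURE_LIST format that `db`, `dbx`, `KEK` and `PK` use, plus a check that flags any enrolled certificate or hash whose SHA-256 fingerprint is not in your allowlist. The GUIDs are the UEFI specification's well-known values; the owner GUIDs, the two "certificate" byte strings and the sample database are constructed stand-ins (not real X.509 certificates), used only so the block runs offline. On a real Debian box the same function can be pointed at `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`, which efivarfs prefixes with four attribute bytes.

```python
"""Parse a UEFI Secure Boot signature database (EFI_SIGNATURE_LIST
format, as stored in the db/dbx/KEK/PK variables) and report every
entry that is not on an allowlist of expected fingerprints."""
import hashlib
import os
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# efivarfs path of the "db" variable (EFI_IMAGE_SECURITY_DATABASE_GUID).
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

ESL_HEADER_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SigSize(4)


def parse_esl(data):
    """Return [(type_name, owner_guid, signature_data), ...] for every
    entry in a concatenation of EFI_SIGNATURE_LIST structures.
    Malformed input raises ValueError rather than being silently skipped."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < ESL_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < ESL_HEADER_LEN + hdr_size or off + list_size > len(data):
            raise ValueError("EFI_SIGNATURE_LIST size out of range")
        body = data[off + ESL_HEADER_LEN + hdr_size:off + list_size]
        # Each EFI_SIGNATURE_DATA is SignatureOwner(16) + SignatureData.
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("signature entries do not fill the list")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            owner = uuid.UUID(bytes_le=entry[:16])
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner, entry[16:]))
        off += list_size
    return entries


def fingerprint(sig_data):
    """SHA-256 of the raw SignatureData (the DER certificate for x509 entries)."""
    return hashlib.sha256(sig_data).hexdigest()


def check_db(data, allowed_fingerprints):
    """Return (type, owner, fingerprint) for each entry NOT in the allowlist.
    An empty list means only the expected keys are enrolled."""
    return [(t, str(owner), fingerprint(sig))
            for t, owner, sig in parse_esl(data)
            if fingerprint(sig) not in allowed_fingerprints]


def read_efivar(path):
    """Read a variable from efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_esl(sig_type, owner, sig_datas):
    """Encode one EFI_SIGNATURE_LIST (no signature header) of equal-length entries.
    Used here only to construct sample input."""
    sig_size = 16 + len(sig_datas[0])
    if any(16 + len(d) != sig_size for d in sig_datas):
        raise ValueError("entries in one list must have equal length")
    body = b"".join(owner.bytes_le + d for d in sig_datas)
    return sig_type.bytes_le + struct.pack("<III", ESL_HEADER_LEN + len(body), 0, sig_size) + body


# Constructed sample: one "own" certificate and one "vendor" certificate.
# The byte strings are placeholders, not real DER certificates.
MY_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
VENDOR_OWNER = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
MY_CERT_DER = b"\x30\x82\x01\x00" + b"\x01" * 60
VENDOR_CERT_DER = b"\x30\x82\x02\x00" + b"\x02" * 90
SAMPLE_DB = (build_esl(EFI_CERT_X509_GUID, MY_OWNER, [MY_CERT_DER])
             + build_esl(EFI_CERT_X509_GUID, VENDOR_OWNER, [VENDOR_CERT_DER]))


if __name__ == "__main__":
    data = read_efivar(DB_EFIVAR) if os.path.exists(DB_EFIVAR) else SAMPLE_DB
    allowed = {fingerprint(MY_CERT_DER)}  # fingerprints of the keys you enrolled
    for kind, owner, sig in parse_esl(data):
        print(f"{kind:6} owner={owner} sha256={fingerprint(sig)}")
    unexpected = check_db(data, allowed)
    print("unexpected entries:", len(unexpected))
```

Running the script on a live system lists every `db` entry; anything reported as unexpected is a key the firmware still trusts beyond your own, which is exactly the state the answer warns some firmware will not let you leave. The same `parse_esl` works unchanged on `KEK` and `PK` (the path differs only in the variable name) and on `.esl` files produced when preparing keys for enrollment.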