GHSA-WJ2J-QWCF-CFCC IncusOS has a LUKS encryption bypass due to insufficient TPM policy
The default configuration of systemd-cryptenroll as used by IncusOS through mkosi allows for an attacker with physical access to the machine to access the encrypted data without requiring any interaction by the system's owner or any tampering of Secure Boot state or kernel UKI boot image. That's...