> After boot I can verify my stack by comparing a TOTP code generated by my Yubikey with one generated by the TPM.
But if you're not sure whether the system booted cleanly, then it might be compromised. If it's compromised couldn't your tools simply lie about the codes generated by both the TPM and the Yubikey so that they always match?