Check out this article: https://techrevelations.de/2019/02/04/tpm-encryption-in-fedora-linux/
It essentially comes down to installing and using the “clevis” package (a convenient front-end to the typical tools that are probably already installed on your machine) to set another LUKS slot that’s bound to your TPM. This set-up won’t require you to supply an additional password, but by sealing to certain PCRs, you should mitigate the evil maid scenario.
Clevis will allow you to bind against multiple sources, say, a TPM and a Tang server. You can’t bind against a passphrase, but I consider it safe to allow my computer to potentially be booted by someone else, so long as I know that it couldn’t have been modified.
The relevant PCRs are 0 (presumably, UEFI and not BIOS), 1 (UEFI configuration), 4, 7, 8, 9 and 14 (check https://www.github.com/rhboot/shim/blob/master/README.tpm for details on the others). However, you should not necessarily seal to all of these. I had trouble with 1 and 8, where the presence of a USB or charger was enough to guarantee a fail. I’m still trying to decide which I want to seal against.
If you seal against 8 and/or 9, prepare to be rebinding after each kernel update.
From what I’ve heard, BitLocker seals against PCR 7, which is the secure boot configuration (check the link above for more details with regards to Fedora).
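As an added example that is not part of the post above: a small POSIX shell wrapper around the clevis commands the post refers to, so the PCR policy (the 0,7 default used here) is chosen in one place and the TPM-only, TPM-or-Tang and re-seal-after-update cases each have a named function. It assumes clevis with the LUKS and tpm2 pins installed and a TPM 2.0 present; `DEV` and `TANG_URL` are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: clevis, clevis-luks and
# a TPM 2.0 are available; DEV and TANG_URL are placeholders, not real values.
set -eu

DEV="${DEV:-/dev/sda2}"                              # placeholder LUKS device
TANG_URL="${TANG_URL:-http://tang.example.invalid}"  # placeholder Tang server

# Emit the clevis tpm2 pin config for a comma-separated PCR list.
# PCRs 0 and 7 (firmware code and Secure Boot state) are stable across kernel
# updates; adding 8 or 9 means re-sealing (regen_slot) after every kernel update.
tpm2_cfg() {
    printf '{"pcr_bank":"sha256","pcr_ids":"%s"}' "$1"
}

# Shamir (sss) config with t=1: either the TPM policy or the Tang server alone
# releases the key, so the disk still unlocks when one of them is unavailable.
sss_cfg() {
    printf '{"t":1,"pins":{"tpm2":%s,"tang":[{"url":"%s"}]}}' "$(tpm2_cfg "$1")" "$2"
}

# Add a TPM-bound key slot; the existing passphrase slot is left untouched.
bind_tpm2() {
    clevis luks bind -d "$DEV" tpm2 "$(tpm2_cfg "$1")"
}

# Add a slot that either the TPM policy or the Tang server can open.
bind_sss() {
    clevis luks bind -d "$DEV" sss "$(sss_cfg "$1" "$TANG_URL")"
}

# Re-seal an existing clevis slot after an update changed the sealed PCRs.
regen_slot() {
    clevis luks regen -d "$DEV" -s "$1"
}

case "${1:-}" in
    bind)  bind_tpm2 "${2:-0,7}" ;;
    sss)   bind_sss "${2:-0,7}" ;;
    regen) regen_slot "${2:?slot number required}" ;;
    list)  clevis luks list -d "$DEV" ;;
    *)     : ;;   # no argument: only define the functions (safe to source)
esac
```

Run `clevis luks list -d DEV` after binding to confirm which slot carries the TPM policy, since that slot number is what `regen_slot` needs after a kernel update.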