Unlock LUKS encrypted rootfs using TPM during boot

I’m looking for a complete set of instructions on how to use my TPM device to unlock my rootfs on Fedora 35 Silverblue.

I’ve registered the TPM token using systemd-cryptenroll. I’ve switched to local initramfs generation using rpm-ostree initramfs --enable. I’ve also added the tpm2 libraries to my initramfs using rpm-ostree initramfs --enable --add "-I /usr/lib64/tpm2*". Finally, I edited the kernel command line to add the rd.luks.uuid=UUID=tpm2-device=auto option. After adding this option and rebooting, the systemd-cryptsetup unit fails in the initramfs and I’m unable to see logs. It’s just stuck in the initramfs until I reboot.

Also, as a side note, I love the ease of recovering in Silverblue. It is shockingly good. I just had to reboot and choose the older config from a menu.

I would recommend giving clevis a try. This is what we currently use in Fedora CoreOS thus it might work on Silverblue.
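As an added example that is not part of either post above, the following script carries out the procedure the question describes (systemd-cryptenroll token, locally built initramfs, kernel argument for the generator) and the clevis alternative from the reply, with the checks a defender would want before relying on the TPM path: the UUID is well-formed, the expected token actually landed in the LUKS2 header, and a passphrase keyslot still exists for recovery. The device path, the default PCR 7 binding, the dracut module names `tpm2-tss` and `clevis`, and the `clevis-dracut` package are assumptions for illustration, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread. Enrols a TPM2-unlockable
# LUKS root volume on an rpm-ostree system via either systemd-cryptenroll or
# clevis, then prepares the initramfs and kernel arguments. Must run as root;
# rpm-ostree stages the changes for the next boot.
# Assumptions (illustrative): device path from the command line, PCR 7 as the
# default binding, dracut modules "tpm2-tss" and "clevis", package clevis-dracut.

set -eu

# systemd-cryptsetup-generator syntax for a per-volume crypttab option:
# rd.luks.options=<LUKS-UUID>=<options>. The UUID prefix limits the option to
# this one volume instead of every LUKS device discovered at boot.
luks_tpm_karg() {
    printf 'rd.luks.options=%s=tpm2-device=auto' "$1"
}

# cryptsetup luksUUID prints the canonical lowercase 8-4-4-4-12 form; anything
# else would produce a kernel argument that silently matches no volume.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Read `cryptsetup luksDump` output on stdin; succeed if a token of the given
# type (systemd-tpm2 or clevis) appears in the Tokens section ("  0: clevis").
has_token() {
    grep -Eq "^[[:space:]]*[0-9]+:[[:space:]]+$1[[:space:]]*$"
}

# Count LUKS2 keyslots in luksDump output ("  0: luks2"). After enrolment there
# must be at least two: the original passphrase slot plus the TPM-backed one.
keyslot_count() {
    grep -Ec '^[[:space:]]*[0-9]+: luks2$' || :
}

# Path 1: systemd-cryptenroll, as attempted in the question.
enroll_systemd_tpm2() {
    dev="$1"; pcrs="${2:-7}"
    uuid=$(cryptsetup luksUUID "$dev")
    valid_uuid "$uuid"
    # PCR 7 binds the sealed key to the Secure Boot policy; a wider set such as
    # 0+2+4+7 also covers firmware and bootloader measurements but then needs
    # re-enrolment after firmware updates.
    systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="$pcrs" "$dev"
    dump=$(cryptsetup luksDump "$dev")
    printf '%s\n' "$dump" | has_token systemd-tpm2
    [ "$(printf '%s\n' "$dump" | keyslot_count)" -ge 2 ]   # recovery slot survives
    # Pull the TPM2 userspace stack into the locally built initramfs and tell
    # the cryptsetup generator to try the TPM for this volume.
    rpm-ostree initramfs --enable --arg=-a --arg=tpm2-tss
    rpm-ostree kargs --append="$(luks_tpm_karg "$uuid")"
}

# Path 2: clevis, as suggested in the reply (the Fedora CoreOS approach).
enroll_clevis_tpm2() {
    dev="$1"; pcrs="${2:-7}"
    clevis luks bind -d "$dev" tpm2 "{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"$pcrs\"}"
    dump=$(cryptsetup luksDump "$dev")
    printf '%s\n' "$dump" | has_token clevis
    [ "$(printf '%s\n' "$dump" | keyslot_count)" -ge 2 ]
    # clevis-dracut supplies the dracut module that unbinds the key at boot.
    rpm-ostree install clevis clevis-dracut
    rpm-ostree initramfs --enable --arg=-a --arg=clevis
}

# Usage: sh tpm-unlock.sh systemd /dev/sdXN [pcrs]
#        sh tpm-unlock.sh clevis  /dev/sdXN [pcrs]
# With no arguments only the helper functions are defined.
case "${1:-}" in
    systemd) enroll_systemd_tpm2 "${2:?device}" "${3:-7}" ;;
    clevis)  enroll_clevis_tpm2  "${2:?device}" "${3:-7}" ;;
esac
```

Whichever path is used, keep the passphrase keyslot: if the PCR values change (firmware update, Secure Boot toggled, bootloader replaced) the TPM will refuse to unseal and the passphrase prompt is the only way back in. Checking `cryptsetup luksDump` for the token before rebooting also catches the case where enrolment appeared to succeed but wrote nothing to the header.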