Open alexminder opened 1 month ago
https://github.com/desultory/cattleguard I started working on this. I considered implementing Clevis but haven't figured out the codebase.
There are various ways this can be done; some methods require writing to NVRAM, others can bundle "context" within the initramfs.
NVRAM is not unlimited, and including context in the initramfs itself disrupts TPM PCR reads. There are a lot of bad ways to do this, and I personally use a Yubikey on all of my machines, so I don't have a personal reason to add this support.
If anyone wants to add it, or look into it more, I'll be happy to include it, as long as it doesn't work in some way that could potentially hurt user safety.
https://wiki.gentoo.org/wiki/Trusted_Platform_Module#Create_a_TPM_PCR_policy_for_data_sealing
I think I added this section for the purpose of doing this, if you want to read about the process more.
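The chicken-and-egg problem in the comment above (a PCR policy that covers the initramfs measurement cannot also cover a sealed blob stored inside that same initramfs), as an added Python model that is neither ugrd's nor cattleguard's code: it extends PCRs the way a TPM does and computes the TPM2_PolicyPCR digest as specified in TPM 2.0 Part 3, so the sealed "policy" can be compared against a later boot. The PCR indices (0, 4, 9 for firmware, kernel, initramfs), the constructed measurements and the single-extend-per-PCR boot are assumptions.

```python
import hashlib
import struct

TPM_ALG_SHA256 = 0x000B
TPM_CC_POLICYPCR = 0x0000017F
INITRAMFS_PCR = 9  # assumption: the PCR the bootloader extends with the initramfs hash

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new = H(old || H(measured data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def boot_pcrs(firmware: bytes, kernel: bytes, initramfs: bytes) -> dict:
    """Simplified measured boot (every PCR starts at 32 zero bytes):
    PCR0 <- firmware, PCR4 <- kernel, PCR9 <- initramfs."""
    zero = bytes(32)
    return {0: pcr_extend(zero, firmware), 4: pcr_extend(zero, kernel),
            INITRAMFS_PCR: pcr_extend(zero, initramfs)}

def pcr_selection(indices) -> bytes:
    """Marshal a TPML_PCR_SELECTION: one SHA-256 bank, 3-byte select bitmap."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)

def policy_pcr_digest(pcrs: dict, indices) -> bytes:
    """TPM2_PolicyPCR on a fresh session (TPM 2.0 Part 3):
    new = H(old || TPM_CC_PolicyPCR || pcrs || H(selected PCR values))."""
    indices = sorted(indices)
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in indices)).digest()
    old = bytes(32)  # a freshly started session has an all-zero policy digest
    return hashlib.sha256(old + struct.pack(">I", TPM_CC_POLICYPCR)
                          + pcr_selection(indices) + pcr_digest).digest()

def demo() -> tuple:
    """Seal against one boot, then check whether the TPM would release the
    secret with (a) the same initramfs and (b) the sealed blob bundled in."""
    firmware, kernel = b"constructed-firmware", b"constructed-kernel"
    initramfs = b"constructed-initramfs-without-context"
    selection = (0, 4, INITRAMFS_PCR)
    sealed_policy = policy_pcr_digest(boot_pcrs(firmware, kernel, initramfs), selection)
    same = policy_pcr_digest(boot_pcrs(firmware, kernel, initramfs), selection) == sealed_policy
    # Embedding the sealed object changes the initramfs measurement, so PCR9 at
    # the next boot no longer matches the value the policy was computed over.
    bundled = initramfs + b"sealed.priv:" + sealed_policy
    tampered = policy_pcr_digest(boot_pcrs(firmware, kernel, bundled), selection) == sealed_policy
    return same, tampered
```

`demo()` returns `(True, False)`: the unchanged boot satisfies the policy, the boot whose initramfs carries the sealed context does not, which is why such context has to live outside the measured image (for example in NVRAM or on an unmeasured partition) or the policy must exclude the initramfs PCR.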
Does `ugrd` support TPM to unseal encrypted volumes? If not, can it be implemented?