Bug 2141380

systemd-cryptsetup volume unlock with a key sealed to TPM doesn't work by default:

# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0 /dev/vdb2
New TPM2 token enrolled as key slot 0.
# /usr/lib/systemd/systemd-cryptsetup attach encroot /dev/vdb2 - tpm2-device=/dev/tpm0
Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/vdb2.
🔐 Please enter passphrase for disk encroot:

(no password request is expected at this point!)

and it isn't clear what's wrong. strace gives the answer:

2423  openat(AT_FDCWD, "/usr/lib64/cryptsetup/libcryptsetup-token-systemd-tpm2.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

the plugin is found in 'devel' subpackage and after installing it everything works as expected:

# /usr/lib/systemd/systemd-cryptsetup attach encroot /dev/vdb2 - tpm2-device=/dev/tpm0
# (no password request)

This library, however, has nothing to do with 'development', it's a normal production thing. Please consider moving it from '-devel' to '-udev' (where /usr/lib/systemd/systemd-cryptsetup is currently located)

P.S. Fedora seems to package cryptsetup tokens correctly, i.e:
$ rpm -qpl systemd-udev-251.8-586.fc37.aarch64.rpm  | grep cryptsetup-token
/usr/lib64/cryptsetup/libcryptsetup-token-systemd-fido2.so
/usr/lib64/cryptsetup/libcryptsetup-token-systemd-pkcs11.so
/usr/lib64/cryptsetup/libcryptsetup-token-systemd-tpm2.so