TPM2 modules are now widely available due to Microsoft mandating them for Windows 10 logo certification, and next year they will be a requirement for Windows Server. They are essential for device edge and IoT. Add the ability to auto-enroll credentials into a TPM2 if the required components are available in the install. Support doing this via both the UX and kickstart. The software components are: clevis, clevis-luks, clevis-dracut, clevis-systemd and soon clevis-pin-tpm2 (new component required for some use cases with Secure Boot). There needs to be a TPM2 module at /dev/tpmX, and the TPM2 kernel resource manager will be used if available (/dev/tpmrmX).
Created attachment 1712674: anaconda-ks-tpm2.cfg

I'm attaching an example kickstart file that finds a LUKS volume and binds it to the clevis tpm2 pin. The heuristic to find the LUKS volume is not nice but at least should give an idea of the functionality that is needed for this RFE.
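For reference, a %post-style helper of the kind the attached kickstart would carry, written as an added illustration for this RFE (it is not the attached anaconda-ks-tpm2.cfg and not anaconda or clevis project code). Assumptions, mine rather than the bug's: the LUKS passphrase set by `autopart --encrypted --passphrase=...` is handed to the script as its first argument, the pin policy seals to PCR 7 (Secure Boot state) in the sha256 bank, and the lsblk sample embedded in the script is constructed.

```shell
#!/bin/bash
# Added example for this RFE, not the attached anaconda-ks-tpm2.cfg: a helper a
# kickstart %post section could run to bind every LUKS volume to the clevis tpm2
# pin. Assumptions (not from the bug): the LUKS passphrase from
# "autopart --encrypted --passphrase=..." is the script's first argument, and the
# pin policy seals to PCR 7 (Secure Boot state) in the sha256 bank.
set -eu

# Constructed sample of "lsblk -plno NAME,FSTYPE" output, so the discovery step
# can be exercised without real block devices.
SAMPLE_LSBLK='/dev/vda
/dev/vda1 vfat
/dev/vda2 xfs
/dev/vda3 crypto_LUKS
/dev/mapper/luks-8c1e xfs
/dev/nvme0n1p3 crypto_LUKS'

# Read "NAME FSTYPE" lines on stdin and print the paths that are LUKS containers.
# Devices with no filesystem have an empty second field and are skipped.
find_luks_devices() {
    awk '$2 == "crypto_LUKS" { print $1 }'
}

# Choose the TPM2 node: prefer the kernel resource manager (/dev/tpmrm0), fall
# back to the raw device (/dev/tpm0). Fails if neither exists.
tpm2_device() {
    local dev
    for dev in /dev/tpmrm0 /dev/tpm0; do
        if [ -c "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# Return 0 if the device already carries a tpm2 binding, so re-running %post does
# not consume a second keyslot. "clevis luks list" prints lines like: 1: tpm2 '{...}'
has_tpm2_binding() {
    clevis luks list -d "$1" 2>/dev/null | grep -q ' tpm2 '
}

# Bind one device. -k- makes clevis read the existing passphrase from stdin, so it
# never appears on the command line; -f skips the interactive confirmation.
# printf '%s' avoids a trailing newline becoming part of the passphrase.
bind_tpm2() {
    local dev=$1 passphrase=$2
    if has_tpm2_binding "$dev"; then
        echo "$dev: tpm2 binding already present, skipping" >&2
        return 0
    fi
    printf '%s' "$passphrase" |
        clevis luks bind -f -k- -d "$dev" tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}'
    clevis luks list -d "$dev" >&2
}

enroll_all() {
    local passphrase=$1 tpm luks
    if ! tpm=$(tpm2_device); then
        echo "no TPM2 device node; leaving LUKS volumes passphrase-only" >&2
        return 0
    fi
    echo "using $tpm" >&2
    lsblk -plno NAME,FSTYPE | find_luks_devices | while read -r luks; do
        bind_tpm2 "$luks" "$passphrase"
    done
    # clevis-systemd: have the boot-time unlock ask clevis instead of the console.
    systemctl enable clevis-luks-askpass.path
}

# Only perform the real enrollment when a passphrase argument is supplied, so the
# file can also be sourced to reuse its functions.
if [ "$#" -gt 0 ]; then
    enroll_all "$1"
fi
```

In the kickstart this would sit inside `%post --erroronfail` and be invoked with the autopart passphrase. For boot-time unlocking the clevis dracut module has to be in the initramfs, so if the kernel package was installed before clevis-dracut, regenerate it (`dracut -f`) in the same %post.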