Comment 21 for bug 1980018

Christopher Hall (christopher88hall) wrote (last edit ):

>It does degrade security compared to passphrase-based encryption.

So does allowing LUKS key retrieval from other volumes, like network, block devices, or USB keys, which have been mainstays for years. The odds someone is going to just walk off with your decryption keys when they are stored in a processor-embedded TPM2 (Intel Gen 8 or higher) are very, very low. That USB or disk drive could easily grow legs and suffers the same vulnerabilities described above.

Ranting aside, I tried wmcelderry's patches today on a fresh 22.04 host. It looks like about 10 lines of code in two files to get the tpm2-device option working, plus an initramfs hook. It works well. I can reboot and watch it fetch the systemd-cryptenrolled key off the TPM2 and unlock itself. I did install the compiled systemd with TPM2 packages, but I think 22.04 has all of that working already, so that may have been unnecessary. Thanks for putting that together.

edit: Confirming this works out of the box with 22.04 with just the patches and the initramfs hook.
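The comment above describes volumes unlocked via the crypttab `tpm2-device` option instead of a key file or passphrase. The script below is an added example, not part of this bug thread, wmcelderry's patches, or systemd: it parses crypttab syntax (target, source device, key file, comma-separated options) and reports how each volume would be unlocked, which is the first thing to check when deciding whether the trade-off debated in this thread applies to a host. The crypttab content is constructed for the example; the `tpm2-pcrs` option and `systemd-cryptenroll`'s PCR 7 default are real, but the actual PCR binding lives in the LUKS2 token written at enrollment, so this audit only reports what crypttab itself says.

```python
"""Audit crypttab entries for how each LUKS volume gets unlocked.

Added example for the Launchpad discussion of tpm2-device on Ubuntu 22.04.
It is not code from the bug, the patches, or systemd; it only understands
crypttab syntax and runs offline on the constructed sample below.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed sample crypttab; not taken from any real host.
SAMPLE_CRYPTTAB = """\
# <target name>  <source device>  <key file>          <options>
root_crypt  UUID=1111-2222  none               luks,discard,tpm2-device=auto
data_crypt  UUID=3333-4444  none               luks,tpm2-device=auto,tpm2-pcrs=0+7
legacy      /dev/sdb2       /root/keyfile.bin  luks
manual      UUID=5555-6666  none               luks
"""


@dataclass
class CryptEntry:
    name: str
    device: str
    keyfile: Optional[str]
    # Option values are strings for key=value options, True for bare flags.
    options: Dict[str, Union[str, bool]] = field(default_factory=dict)

    @property
    def unlock_method(self) -> str:
        """tpm2 if a TPM2 device is configured, else keyfile, else passphrase."""
        if "tpm2-device" in self.options:
            return "tpm2"
        if self.keyfile:
            return "keyfile"
        return "passphrase"


def parse_crypttab(text: str) -> List[CryptEntry]:
    """Parse crypttab text: comments and blank lines skipped, fields whitespace-split."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        name, device = fields[0], fields[1]
        # "none" or "-" in the key-file column means prompt (or use a token).
        keyfile = fields[2] if len(fields) > 2 and fields[2] not in ("none", "-") else None
        options: Dict[str, Union[str, bool]] = {}
        if len(fields) > 3:
            for opt in fields[3].split(","):
                if not opt:
                    continue
                key, sep, value = opt.partition("=")
                options[key] = value if sep else True
        entries.append(CryptEntry(name, device, keyfile, options))
    return entries


def unlock_summary(entries: List[CryptEntry]) -> Dict[str, str]:
    """Map each volume name to its unlock method."""
    return {e.name: e.unlock_method for e in entries}


def findings(entries: List[CryptEntry]) -> List[str]:
    """Human-readable notes on volumes that unlock without a passphrase."""
    notes = []
    for e in entries:
        if e.unlock_method == "tpm2":
            pcrs = e.options.get("tpm2-pcrs")
            where = f"crypttab names PCRs {pcrs}" if pcrs else \
                "PCR policy comes from the LUKS2 token (systemd-cryptenroll defaults to PCR 7)"
            notes.append(f"{e.name}: unlocks from TPM2 at boot without a passphrase; {where}")
        elif e.unlock_method == "keyfile":
            notes.append(f"{e.name}: unlocks from key file {e.keyfile}; "
                         "whoever holds that file and the disk can open the volume")
    return notes


if __name__ == "__main__":
    parsed = parse_crypttab(SAMPLE_CRYPTTAB)
    for name, method in unlock_summary(parsed).items():
        print(f"{name:12} {method}")
    for note in findings(parsed):
        print("-", note)
```

Point it at a real `/etc/crypttab` by reading the file instead of `SAMPLE_CRYPTTAB`; any volume reported as `tpm2` is one where the boot-time unlock depends on the PCR policy chosen at enrollment rather than on a secret the operator types.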