noahbliss | 4 years ago

A significant issue is being able to protect your initramfs and your cmdline options during boot while still keeping the convenience of auto-unlock. By using the TPM to handle validation, you also cut yourself out of the mix by not knowing the password. Of course this comes with the risk of hardware attacks, but there is always a risk. Current distribution implementations DO NOT, EVEN WITH SECUREBOOT ON, verify the integrity of the initramfs, which can be repacked to include malicious code that will execute during boot, potentially intercepting your LUKS key. There have been a number of attempts to solve this problem, but the most complete appear to be Mortar (a project I head) and safeboot.dev.

I highly recommend taking a look at either of these projects if you want to be able to improve both your convenience through auto-unlocking and your security through a broadened scope of audit.

https://github.com/noahbliss/mortar

https://safeboot.dev
