Include tpm2 support in the image

[stenwt]

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

In order to use systemd-cryptenroll against a tpm2 module on Fedora Silverblue (as of 36), a user must layer tpm2-tools and run this command:
rpm-ostree initramfs --enable --arg=--force-add --arg=tpm2-tss before doing the enrollment

Describe the solution you'd like
A clear and concise description of what you want to happen.

If tpm2-tools was included in the rpm-ostree image and support for tpm2-tss was included by default in the initramfs, a user could jump straight to the systemd-cryptenroll step. Fedora could even offer to enable it during the install process.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

We could continue doing the above manually- I'm also raising this issue to document the required steps.

Additional context
Add any other context or screenshots about the feature request here.

[Plamper]

This would be a great feature indeed, but I believe you still would have to rebuild the initramfs at least once after you changed your /etc/crypttab, because the UUID of the drives have to be present in the initramfs. (Which would be wiped with every new image) So just adding that to the base-image wouldn't work AFAIK.

[sahensley]

It appears that on Silverblue 38 (as of 2023-06-17), the following packages are installed on the base rpm-ostree:
tpm2-tools-5.5-3.fc38.x86_64
tpm2-tss-4.0.1-3.fc38.x86_64

I was able to enroll my via systemd-cryptenroll using a method similar to the Fedora Magazine article.

Regenerating initramfs is still needed but the packages are available now.

[travier]

We should figure out why those modules are not enabled by default in our initramfs:

• systemd-pcrphase
• tpm2-tss

Other instances of this:

• TPM2 unlocking not supported #561
• https://gitlab.com/fedora/bootc/base-images/-/commit/ff46f764500e557270b5097a7bdf4b21c154403c
• Add TPM2 systemd-cryptenroll to Tips and Tricks silverblue-docs#176

[travier]

Thanks for the report. This issue is now tracked in https://gitlab.com/fedora/ostree/sig/-/issues/33 thus I'll close this one.