grub2 in Tumbleweed includes patches to unlock a LUKS container using TPM measurements. It is advertised as fully supported by ALP:

https://documentation.suse.com/alp/all/single-html/alp/index.html#alp-post-d...

--><--
If the D-Installer detects a TPM 2.0 chip and UEFI Secure Boot, it will create a secondary LUKS key. On the first boot, ALP will use the TPM to protect this key and configure the GRUB 2 boot loader to automatically unwrap the key.
--><--

The problem is that, because the kernel command line is in the encrypted grub.cfg, it cannot be included in the measurements used to unlock the LUKS container where grub.cfg is located. And grub2 will pass the unsealed key to the initrd, so the kernel will also automatically unlock root. This provides for a trivial bypass by booting with init=/bin/sh.

This auto-unlock really can be used only if modification of the kernel command line is prohibited, i.e. either grub.cfg is password protected, or grub does not forward the key to the kernel and instead systemd-cryptenroll is used with at least PCR 9, which measures the current kernel command line and so prevents this bypass.
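
The two conditions named above can be audited offline. The following is an added example, not code from the post or from SUSE: it checks a grub.cfg for a password-protected superuser and checks LUKS2 JSON metadata (as printed by `cryptsetup luksDump --dump-json-metadata`) for `systemd-tpm2` tokens whose PCR list lacks PCR 9. It does not detect whether grub forwards the key to the kernel; the function names and all sample inputs are constructed for illustration.

```python
import json
import re

REQUIRED_PCR = 9  # the PCR the post names for the kernel command line

def grub_cfg_password_protected(cfg_text):
    """True if grub.cfg names superusers and sets a password for one of them."""
    m = re.search(r'^\s*(?:set\s+)?superusers=(["\']?)([^"\'\n]*)\1', cfg_text, re.M)
    if not m:
        return False
    # GRUB accepts spaces, commas, semicolons, pipes or ampersands as separators
    users = set(re.split(r'[\s,;&|]+', m.group(2).strip())) - {""}
    with_pw = set(re.findall(r'^\s*password(?:_pbkdf2)?\s+(\S+)\s+\S+', cfg_text, re.M))
    return bool(users & with_pw)

def tpm2_tokens_missing_pcr(luks_json, pcr=REQUIRED_PCR):
    """Return ids of systemd-tpm2 tokens whose PCR list does not include `pcr`."""
    tokens = json.loads(luks_json).get("tokens", {})
    return sorted(tid for tid, tok in tokens.items()
                  if tok.get("type") == "systemd-tpm2"
                  and pcr not in tok.get("tpm2-pcrs", []))

def audit(cfg_text, luks_json):
    """Summarise both checks for one grub.cfg and one LUKS2 header."""
    tokens = json.loads(luks_json).get("tokens", {}).values()
    return {
        "grub_cfg_password": grub_cfg_password_protected(cfg_text),
        "tpm2_token_present": any(t.get("type") == "systemd-tpm2" for t in tokens),
        "tokens_missing_pcr": tpm2_tokens_missing_pcr(luks_json),
    }

# Constructed sample inputs (not taken from a real system).
SAMPLE_GRUB_OPEN = 'menuentry "ALP" {\n  linux /boot/vmlinuz root=/dev/mapper/cr_root\n}\n'
SAMPLE_GRUB_LOCKED = ('set superusers="admin"\n'
                      'password_pbkdf2 admin grub.pbkdf2.sha512.10000.CONSTRUCTED\n'
                      + SAMPLE_GRUB_OPEN)
SAMPLE_GRUB_WRONG_USER = ('set superusers="admin"\n'
                          'password_pbkdf2 guest grub.pbkdf2.sha512.10000.CONSTRUCTED\n')
SAMPLE_LUKS = json.dumps({"tokens": {
    "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcrs": [7]},
    "1": {"type": "systemd-tpm2", "keyslots": ["2"], "tpm2-pcrs": [7, 9]},
}})

if __name__ == "__main__":
    print(audit(SAMPLE_GRUB_OPEN, SAMPLE_LUKS))
    print(audit(SAMPLE_GRUB_LOCKED, SAMPLE_LUKS))
```

A token that is reported as missing the PCR can still be unlocked after the kernel command line has been changed, so any such keyslot defeats the binding of the others.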