Could it be that #clevis has a bug that the following ends up failing unless the passphrase is non-empty?
sudo clevis luks bind -d /dev/nvme... tpm2 '{"pcr_ids":"1,4,5,7,9"}'
An empty passphrase can be created by the means of:
sudo cryptsetup luksChangeKey --force-password /dev/sda3
It is a totally legit configuration for NUC7CJYH, which I use for kernel testing.
Spent a fair chunk of the day digging into .deb packaging. Got the thing to build, which to be fair was no small feat in itself, HOWEVER the resulting .debs had no useful files in it - ok that should be an easy fix right?
Great now I'm running into trying to convince the dh (debhelper) system actually install the python wheel that gets built into the right place and actually put those bits into the package - and for the life of me I cannot find a good example and/or docs on this. To say it's frustrating is a bit of an understatement.
To flip this on it's side: I've had RPMs for this particular thing done 3 months ago, and didn't take nearly as long to figure out what it was trying to do.
*sigh*
Do I know any deb maintainers I can ask stupid questions of?