This is what I do for my laptop - I build a custom GRUB image which enforces GPG signatures (including on grub.cfg) using grub-mkstandalone. This also has a built-in configuration which enforces passwords for editing boot commands. That GRUB efi image is signed by a custom secure boot key which I enroll. Kernel and initrd are signed by the gpg key (and the kernel also has to be signed by the secure boot key otherwise it won't load in this scenario).
The root FS is then encrypted using clevis to lock to the TPM PCRs (only). I use PCRs 0,2,4,7 for this. So the laptop will boot to a login screen without needing a password.
My home directory is separately encrypted and gets unlocked with the login password using pam_zfs_key. It works pretty well and I'm happy with the security for my threat model (casual theft is really my main concern).
I am very aware that my home directory stays unlocked unless I actually power down the machine though.
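The GRUB and clevis pieces of the setup described above, as an added example that is not the commenter's own files or commands. It emits the early config that grub-mkstandalone embeds (signature enforcement plus a password-protected superuser), prints the build and clevis bind commands rather than running them, and includes a small checker for the embedded config. Assumed: an x86_64-efi target, the sha256 PCR bank, and the placeholder key, hash, UUID and device names.

```shell
#!/bin/sh
# Added example, not the commenter's own setup. All paths, UUIDs and hashes are placeholders.
set -eu

# Early config that grub-mkstandalone embeds as (memdisk)/boot/grub/grub.cfg.
# $1 = superuser name, $2 = hash from grub-mkpasswd-pbkdf2, $3 = UUID of the filesystem holding /grub
embedded_grub_cfg() {
    cat <<EOF
# Refuse any file (kernel, initrd, the on-disk grub.cfg) that lacks a valid detached .sig
set check_signatures=enforce
export check_signatures
# Only this superuser may edit entries or drop to the GRUB shell
set superusers="$1"
export superusers
password_pbkdf2 $1 $2
# Locate the partition holding the signed grub.cfg and hand over to it (grub.cfg.sig must be beside it)
search --no-floppy --fs-uuid --set=root $3
configfile (\$root)/grub/grub.cfg
EOF
}

# Build command: --pubkey embeds the exported GPG public key the signatures are checked against.
# $1 = exported public key file, $2 = early config path, $3 = output EFI binary
grub_build_cmd() {
    printf 'grub-mkstandalone --format=x86_64-efi --pubkey=%s --output=%s "boot/grub/grub.cfg=%s"\n' "$1" "$3" "$2"
}

# The resulting EFI binary is then signed with the enrolled Secure Boot db key (assumed file names).
sb_sign_cmd() {
    printf 'sbsign --key %s --cert %s --output %s %s\n' "$1" "$2" "$3" "$3"
}

# Clevis tpm2 pin config. PCR 0 = firmware, 2 = option ROMs, 4 = boot manager code, 7 = Secure Boot state.
# $1 = comma-separated PCR list
clevis_tpm2_cfg() {
    printf '{"pcr_bank":"sha256","pcr_ids":"%s"}' "$1"
}

# Bind command for the LUKS root volume. $1 = block device, $2 = PCR list
clevis_bind_cmd() {
    printf "clevis luks bind -d %s tpm2 '%s'\n" "$1" "$(clevis_tpm2_cfg "$2")"
}

# Checker: read a config on stdin and fail unless it enforces signatures and locks editing.
check_grub_cfg() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | grep -q '^set check_signatures=enforce' || { echo "missing check_signatures=enforce" >&2; return 1; }
    printf '%s\n' "$cfg" | grep -q '^set superusers=' || { echo "missing superusers" >&2; return 1; }
    printf '%s\n' "$cfg" | grep -q '^password_pbkdf2 ' || { echo "missing password_pbkdf2" >&2; return 1; }
    return 0
}

# Run with the argument "show" to print the config and the commands (nothing is executed).
if [ "${1:-}" = "show" ]; then
    embedded_grub_cfg root grub.pbkdf2.sha512.10000.PLACEHOLDER 1234-ABCD
    grub_build_cmd /root/grub-pubkey.gpg /root/early-grub.cfg grubx64.efi
    sb_sign_cmd /root/db.key /root/db.crt grubx64.efi
    clevis_bind_cmd /dev/nvme0n1p2 0,2,4,7
fi
```

Kernel and initrd get detached signatures with `gpg --detach-sign <file>` from the same key whose public half is embedded, and the kernel image is additionally signed for Secure Boot as the comment notes; re-sign after every update or GRUB refuses to load the file.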