add optional clevis-based unlock support in initrd

[romenskiy2012]

This PR adds optional clevis support for TPM2-backed LUKS unlock in initrd.

The series introduces a clevis feature and updates the luks handler to try
clevis unlock before falling back to the existing interactive password prompt.

If clevis is not present or unlock fails, the current behavior is preserved.

[legionus]

@romenskiy2012 Please, add features/clevis/README.md file describing the feature and how to use it, and include a link to the clevis project.

Upstream is https://github.com/latchset/clevis ?

[romenskiy2012]

Yes of course.

[legionus]

@romenskiy2012 Why do I need to add /usr/lib64/libtss2-tcti-device.so.0 separately?
Doesn't anyone link to this library?

This code is very sensitive. If the soname changes, it will simply stop working. Libraries are usually copied via binary dependencies or through PUT_FEATURE_LIBS because they may not necessarily be located in /usr/lib64.

[romenskiy2012]

I completely agree with you, I suggest such a less fragile option.

[legionus]

@romenskiy2012 Again, why not PUT_FEATURE_LIBS or PUT_FEATURE_OPTIONAL_LIBS ?

Something like that (not tested!):

PUT_FEATURE_LIBS += libtss2-tcti-device.so.0

Your manual path traversal will not work on ubuntu.

$ grep ^ID= /etc/os-release 
ID=ubuntu

$ ls -lad /usr/lib/x86_64-linux-gnu /usr/lib64/ld-linux-x86-64.so.2 
drwxr-xr-x 8 root root 4096 Jan 13 02:11 /usr/lib/x86_64-linux-gnu
lrwxrwxrwx 1 root root   44 Sep 17  2025 /usr/lib64/ld-linux-x86-64.so.2 -> ../lib/x86_64-linux-gnu/ld-linux-x86-64.so.2

[romenskiy2012]

Thanks for PUT_FEATURE_LIBS
I couldn't find it in the documentation.
I've checked and it works fine.

[legionus]

@romenskiy2012 Thanks! Everything looks good now.

But for the record, PUT_FEATURE_LIBS is documented here:

https://github.com/osboot/make-initrd/wiki/NewFeature#rulesmk

and in the Documentation/NewFeature.md