Mashing Enter to bypass full disk encryption with TPM, Clevis dracut and systemd

This blog post explores a security vulnerability discovered while working with a client. The vulnerability allows an attacker to gain control of an encrypted Linux computer that uses Clevis and dracut. Normally, a user would need to enter two passwords to unlock the disk encryption and log in to the system. However, this vulnerability bypasses that process by exploiting the opportunity to supply keyboard input during the boot process. By emulating a keyboard that types faster than a human, the attacker can cause the system to give up trying to unlock the disk and grant root access. It is unclear whose fault this vulnerability is, and fixing it completely is challenging. A computer remains difficult to secure against physical access.

https://pulsesecurity.co.nz/advisories/tpm-luks-bypass
