Some additional potential uses of the “trusted boot” and TPM that may work on OpenSuse:
Strongswan seems to use the TPM for storing it’s x509 private key for ipsec (VPN connection) potentially making it possible to make that key impossible to decrypt unless selected vital files are intact. And Strongswan is available in OpenSuse. Only works with TPM 2.0.
Also Kerberos can use the Linux kernel keyring for it’s authentication keys, and since “trusted keys” in that keyring are encrypted by TPM if available I guess it should be possible to have such keys “sealed” by IMA/EVM hashing of selected system files.