TW Full Disk Encryption questions

TPM auto-unlock might be more trouble than it’s worth at this point.
You can put the root partition into a LUKS volume and have GRUB ask for the passphrase for it (which includes the initramfs image) on cold boot.
All other LUKS volumes can be decrypted by keys inside the initramfs; it also means you do not need to enter a passphrase when hot rebooting using kexec:

Do note you need a key to unlock the root partition even though you entered the passphrase for it, as the boot process needs to remount the root fs when the initramfs is done doing its thing.
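
A check for the setup described in the post above, as an added example that is not part of the original post: it reads a crypttab and reports, per volume, whether it unlocks by passphrase prompt or by key file, and flags key files that group or other users can access. The function name `audit_crypttab` and its output labels are made up for this example, and `stat -c` assumes GNU coreutils.

```shell
# Added example: audit the key files named in a crypttab.
# Usage: audit_crypttab [path]     (default: /etc/crypttab)
#
# One line is printed per entry:
#   PROMPT  name        no key file, passphrase is asked interactively
#   RANDOM  name key    key is a character device (e.g. throwaway swap key)
#   OK      name key    key file has no group/other permission bits
#   WEAK    name key    key file is accessible by group or others
#   MISSING name key    key file named in crypttab does not exist
# Return status is 1 if any WEAK or MISSING entry was found, else 0.
audit_crypttab() {
    tab=${1:-/etc/crypttab}
    rc=0
    # crypttab fields: name, device, key file, options
    # "|| [ -n ... ]" keeps a last line that lacks a trailing newline
    while read -r name dev key opts || [ -n "$name" ]; do
        # skip blank lines and comments
        case $name in ''|\#*) continue ;; esac
        # empty third field, "none" or "-" means: prompt for a passphrase
        case $key in
            ''|none|-) echo "PROMPT $name"; continue ;;
        esac
        if [ -c "$key" ]; then
            echo "RANDOM $name $key"; continue
        fi
        if [ ! -f "$key" ]; then
            echo "MISSING $name $key"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$key")          # octal mode, e.g. 600
        # any bit set in the group/other positions makes the key readable,
        # writable or executable by someone other than its owner
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "WEAK $name $key (mode $mode)"; rc=1
        else
            echo "OK $name $key (mode $mode)"
        fi
    done < "$tab"
    return "$rc"
}
```

The initramfs image that embeds these keys deserves the same mode check, since anyone who can read the image can extract the keys from it.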