Use TPM to retrieve LUKS whole disk encryption key


I am working on a POC comparing Linux and Windows at my current place of business. One of the main goals here is to match up the two operating systems feature for feature. I am using Tumbleweed (couldn’t get the display driver to work on the base model we order under Leap; technically would want to use Leap for this) on a Dell Latitude E7470.

A primary feature utilized in the current Windows AD world is BitLocker, which provides whole disk encryption utilizing the TPM.

Now I have been able to implement whole disk encryption utilizing LVM/LUKS with a password prompt but would like to bring this one step closer to matching the BitLocker feature in utilizing the TPM to supply the PCRs as a key to LUKS.

I have been trying to follow this guide:

I have been able to take ownership of the TPM, add the PCRS hash to the LUKS volume, extract the initrd (was caught for a while using gzip till finally figured out it was xz) and think I found that sbin/cryptroot-ask is the equivilant of setup/local-top/cryptroot but I am at a loss as to what part of the sh script to change in order to pass the md5sum from /sys/class/tpm/tpm0/devices/pcsr to cryptsetup to unlock the partition.

I have been out of the BSD/Linux world for quite a bit and may need a refresher on sh/bash but if anyone can point me in the right direction here I would love to hear it.

My basic questions are:

Is the steps in the guide implementable with openSUSE? If so, any help on the correct script syntax for cryptroot-ask?
Is there a better way to achieve using TPM to supply the key to luks encryption? Something I missed in research?

Thanks in advance.